infosecn1nja
/
PoshC2_Python
mirror of https://github.com/infosecn1nja/PoshC2_Python.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
PoshC2_Python/Modules/SharpHound.ps1

505 lines
863 KiB
PowerShell
Raw Normal View History

Update Bloodhound modules
2019-03-12 13:16:42 +00:00
function Invoke-BloodHound{
<#
.SYNOPSIS
Runs the BloodHound C# Ingestor using reflection. The assembly is stored in this file.
.DESCRIPTION
Using reflection and assembly.load, load the compiled BloodHound C# ingestor into memory
and run it without touching disk. Parameters are converted to the equivalent CLI arguments
for the SharpHound executable and passed in via reflection. The appropriate function
calls are made in order to ensure that assembly dependencies are loaded properly.
.PARAMETER CollectionMethod
Specifies the CollectionMethod being used. Possible value are:
Group - Collect group membership information
LocalGroup - Collect local group information for computers
LocalAdmin - Collect local admin users for computers
RDP - Collect remote desktop users for computers
DCOM - Collect distributed COM users for computers
Session - Collect session information for computers
SessionLoop - Continuously collect session information until killed
Trusts - Enumerate domain trust data
ACL - Collect ACL (Access Control List) data
Container - Collect GPO/OU Data
ComputerOnly - Collects Local Admin and Session data
GPOLocalGroup - Collects Local Admin information using GPO (Group Policy Objects)
LoggedOn - Collects session information using privileged methods (needs admin!)
ObjectProps - Collects node property information for users and computers
Default - Collects Group Membership, Local Admin, Sessions, and Domain Trusts
DcOnly - Collects Group Membership, ACLs, ObjectProps, Trusts, Containers, and GPO Admins
All - Collect all data except GPOLocalGroup and LoggedOn
This can be a list of comma seperated valued as well to run multiple collection methods!
.PARAMETER Domain
Specifies the domain to enumerate. If not specified, will enumerate the current
domain your user context specifies.
.PARAMETER SearchForest
Expands data collection to include all domains in the forest.
.PARAMETER LdapFilter
Append this ldap filter to the search filter to further filter the results enumerated
.PARAMETER Stealth
Use stealth collection options, will sacrifice data quality in favor of much reduced
network impact
.PARAMETER SkipGCDeconfliction
Skip's Global Catalog deconfliction during session enumeration. This option
can result in more inaccuracy in data.
.PARAMETER ComputerFile
A file containing a list of computers to enumerate. This option can only be used with the following Collection Methods:
Session, SessionLoop, LocalGroup, ComputerOnly, LoggedOn
.PARAMETER ExcludeDC
Exclude domain controllers from session queries. Useful for ATA environments which detect this behavior
.PARAMETER OU
Limit enumeration to this OU. Takes a DistinguishedName.
Ex. OU=Domain Controllers,DC=testlab,DC=local
.PARAMETER DomainController
Specify which Domain Controller to request data from. Defaults to closest DC using Site Names
.PARAMETER LdapPort
Override the port used to connect to LDAP
.PARAMETER SecureLdap
Uses LDAPs instead of unencrypted LDAP on port 636
.PARAMETER IgnoreLdapCert
Ignores the certificate for LDAP
.PARAMETER LDAPUser
User to connect to LDAP with
.PARAMETER LDAPPass
Password for user you are connecting to LDAP with
.PARAMETER DisableKerbSigning
Disables Kerberos Signing on requests.
.PARAMETER Threads
Specifies the number of threads to use during enumeration (Default 20)
.PARAMETER PingTimeout
Specifies timeout for ping requests to computers in milliseconds (Default 750)
.PARAMETER SkipPing
Skip all ping checks for computers. This option will most likely be slower as
API calls will be made to all computers regardless of being up
Use this option if ping is disabled on the network for some reason
.PARAMETER LoopDelay
Amount of time to wait between session enumeration loops in minutes. This option
should be used in conjunction with the SessionLoop enumeration method.
(Default 300 seconds)
.PARAMETER MaxLoopTime
Length of time to run looped session collection. Format: 0d0h0m0s or any variation of this format.
Use in conjunction with -c SessionLoop
Default will loop for two hours
.PARAMETER Throttle
Time in milliseconds to throttle after each request to a computer
.Parameter Jitter
Percentage jitter to apply to throttle
.PARAMETER JSONFolder
Folder to export JSONs too (Defaults to current directory)
.PARAMETER JSONPrefix
Prefix to add to your JSON Files (Default "")
.PARAMETER NoZip
Don't compress JSON files and remove them from disk
.PARAMETER EncryptZip
Add a random password to the zip file
.PARAMETER ZipFileName
Change the filename for the zip file
.PARAMETER RandomFilenames
Randomize output filenames
.PARAMETER PrettyJson
Output pretty JSON at the cost of file size
.PARAMETER CacheFile
Filename for the cache used by bloodhound. (Default BloodHound.bin)
.PARAMETER Invalidate
Invalidate the cache and build a new one
.PARAMETER SaveCache
Whether to save the cache file. Set this to false to disable writing it to disk
.PARAMETER Interval
Interval to display progress during enumeration in milliseconds (Default 30000)
.PARAMETER Verbose
Enable verbose output mode. Will print a lot!
.EXAMPLE
PS C:\> Invoke-BloodHound
Executes the default collection options and exports JSONs to the current directory, compresses the data to a zip file,
and then removes the JSON files from disk
.EXAMPLE
PS C:\> Invoke-BloodHound -CollectionMethod SessionLoop -LoopDelay 60 -MaxLoopTime 10
Executes session collection in a loop. Will wait 1 minute after each run to continue collection
and will continue running for 10 minutes after which the script will exit
.EXAMPLE
PS C:\> Invoke-BloodHound -CollectionMethod All
Runs ACL, ObjectProps, Container, and Default collection methods, compresses the data to a zip file,
and then removes the JSON files from disk
.EXAMPLE (Opsec!)
PS C:\> Invoke-BloodHound -CollectionMethod DCOnly --NoSaveCache --RandomFilenames --EncryptZip
Run LDAP only collection methods (Groups, Trusts, ObjectProps, ACL, Containers, GPO Admins) without outputting the cache file to disk.
Randomizes filenames of the JSON files and the zip file and adds a password to the zip file
#>
param(
[String[]]
$CollectionMethod = [string[]] @('Default'),
[Switch]
$SearchForest,
[String]
$Domain,
[String]
$LdapFilter,
[Switch]
$Stealth,
[Switch]
$SkipGCDeconfliction,
[Switch]
$ExcludeDC,
[String]
$ComputerFile,
[String]
$OU,
[string]
$DomainController,
[int]
$LdapPort,
[Switch]
$SecureLdap,
[Switch]
$IgnoreLdapCert,
[String]
$LDAPUser,
[String]
$LDAPPass,
[Switch]
$DisableKerbSigning,
[ValidateRange(1,50)]
[Int]
$Threads = 10,
[ValidateRange(50,1500)]
[int]
$PingTimeout = 250,
[Switch]
$SkipPing,
[ValidateRange(1,50000000)]
[int]
$LoopDelay,
[ValidatePattern('[0-9]+[smdh]')]
[string]
$MaxLoopTime,
[ValidateRange(0,100)]
[int]
$Jitter,
[int]
$Throttle,
[ValidateScript({ Test-Path -Path $_ })]
[String]
$JSONFolder = $(Get-Location),
[ValidateNotNullOrEmpty()]
[String]
$JSONPrefix,
[Switch]
$NoZip,
[Switch]
$EncryptZip,
[String]
$ZipFileName,
[Switch]
$RandomFilenames,
[Switch]
$PrettyJson,
[String]
[ValidateNotNullOrEmpty()]
$CacheFile,
[Switch]
$Invalidate,
[Switch]
$NoSaveCache,
[ValidateRange(500,60000)]
[int]
$StatusInterval,
[Switch]
$Verbose
)
$vars = New-Object System.Collections.Generic.List[System.Object]
$vars.Add("-c")
foreach ($cmethod in $CollectionMethod){
$vars.Add($cmethod);
}
if ($Domain){
$vars.Add("-d");
$vars.Add($Domain);
}
if ($SearchForest){
$vars.Add("-s");
}
if ($Stealth){
$vars.Add("--Stealth")
}
if ($SkipGCDeconfliction){
$vars.Add("--SkipGCDeconfliction")
}
if ($ExcludeDC){
$vars.Add("--ExcludeDC")
}
if ($ComputerFile){
$vars.Add("--ComputerFile");
$vars.Add($ComputerFile);
}
if ($OU){
$vars.Add("--OU");
$vars.Add($OU);
}
if ($DomainController){
$vars.Add("--DomainController");
$vars.Add($DomainController);
}
if ($LdapPort){
$vars.Add("--LdapPort");
$vars.Add($LdapPort);
}
if ($SecureLdap){
$vars.Add("--SecureLdap");
}
if ($IgnoreLdapCert){
$vars.Add("--IgnoreLdapCert");
}
if ($LDAPUser){
$vars.Add("--LDAPUser");
$vars.Add($LDAPUser);
}
if ($LDAPPass){
$vars.Add("--LDAPPass");
$vars.Add($LDAPPass);
}
if ($DisableKerbSigning){
$vars.Add("--DisableKerbSigning");
}
if ($Threads){
$vars.Add("-t")
$vars.Add($Threads)
}
if ($PingTimeout){
$vars.Add("--PingTimeout")
$vars.Add($PingTimeout)
}
if ($SkipPing){
$vars.Add("--SkipPing");
}
if ($LoopDelay){
$vars.Add("--LoopDelay")
$vars.Add($LoopDelay)
}
if ($MaxLoopTime){
$vars.Add("--MaxLoopTime")
$vars.Add($MaxLoopTime)
}
if ($Throttle){
$vars.Add("--Throttle");
$vars.Add($Throttle);
}
if ($Jitter){
$vars.Add("--Jitter");
$vars.Add($Jitter);
}
if ($JSONFolder){
$vars.Add("--JSONFolder");
$vars.Add($JSONFolder);
}
if ($JSONPrefix){
$vars.Add("--JSONPrefix");
$vars.Add($JSONPrefix);
}
if ($NoZip){
$vars.Add("--NoZip");
}
if ($EncryptZip){
$vars.Add("--EncryptZip");
}
if ($ZipFileName){
$vars.Add("--ZipFileName");
$vars.Add($ZipFileName);
}
if ($RandomFilenames){
$vars.Add("--RandomFilenames");
}
if ($PrettyJson){
$vars.Add("--PrettyJson");
}
if ($CacheFile){
$vars.Add("--CacheFile");
$vars.Add($CacheFile);
}
if ($Invalidate){
$vars.Add("--Invalidate");
}
if ($NoSaveCache){
$vars.Add("--NoSaveCache");
}
if ($LdapFilter){
$vars.Add("--LdapFilter");
$vars.Add($LdapFilter);
}
if ($Verbose){
$vars.Add("-v")
}
if ($StatusInterval){
$vars.Add("--StatusInterval")
$vars.Add($StatusInterval)
}
$passed = [string[]]$vars.ToArray()
$EncodedCompressedFile = '7H0JfBvF9f9qJe1KK8n2SrJkO4edw0ZYcoCEw7bIyX0mgQAJBMwdEiBLV6EhUWzCFaAkoYVyhXI0XL1b2lJKw1mOcpVCKVCOGHpQSgstpbQlUJL/+76ZWa1kB9Jf2/+nn36aT6yd+c71Zva9N2/OPejIz2pBTdNC9Ldli6Z9XxP/pmmf/G8l/dW1/qBO+270x2O+Hzjwx2PmnLKw1HaG6yxwjzu97YTjFi92lrQdf1Kbe+bitoWL2/aceWjb6c6JJ01IJKzxMo9Ze2nagYGg9t3Rp85X+b6m6YFYIEKBMU1rEdhih9xtKsY04dYF3ZpWeWr3xxjHv6A27QJNa+D/laf34H8jKd+ZXBlK1zRMJW+MaXF6rFgc00ZuQ5t4/4i+iM8bIf++Pv+EJSedtYSeS2bKes2q0O3L4tgJbsk9AZ4mH42HxKriTaP/E9yTTnMoYlzSzHktGhJvRi2ZsxwRB7TpWlj7uW1pN88PaAHyH61pRkMgoD3aEN3marfkGnTN6GwZMOmddI7WV/Jzol4KU2Y54jSj83k9R8RZerCfGiik62U8nDMoSDpXyqhWv4EIOQOpKO8ROwa1r9KTaLP1MsJy9Nqtwsky3SqK1zVPhlB5lqUb2RzFzvcHkJHy6H5P0O8JSY8OD+UQGpxuFAzDoUpYr+ilCGjirIRTrziDFSdnUorCiSw6tUAD2rZD22OhZmmyHqd49WDSLyLSC4FOSbsF2qk1UFQWLZEnj+73BP2ekN8TZg9B+UGrQnunoKFF2+NoQUOKaJgr31nIpYLOyBHrWF0jQ27C84wKuVnPMzrfKYgIhh2KYnUK+iq+oM8XTs/OdKKM45mvUE9OmtQ4vFAfMrjQ0ncDmjE7q/LyByeqgoO1wVlfcAiliTodNkydRmy1Tq2VKtWRv6NSJ+UN+r29oq2DIVHJK93tKaeg20O/oVw9QblxzMUykpcoLPwNSDTF89oczPxgaG9o0FeaPdAJ7gmKehrBWenNwc6BFPiBf2N6tm0lccyipJbUzVwDOH5a5GniGj2XBgGN9HMLvIlgtFwAM2UImR3J5Kg4Q+Y+S5CWTYUGSx2Dmt46ckimM4bNNBUO2uFtyXYkZSsDg+nZIjwtgjOdNmSClenO2uRPacEAi8LF2tRHhXsCy9HKTqlBZuE5oGeyDr04y2mC7sg6zXC3gLoRaNYROwa0Xo37AVt3RiFwNH5a0XT5mOG0IeoY+jGcsXj1bw/axpkkCoGYWTBMKSWalFVby+boh+VE9/S27oxD2e4e9L6d8XA67Qwc5AFBp4OReR4ScrbjmDn+3R60pnYMay3EdsQHdukeYmFKcAJ4kqpmxHSHyLDiunuOghKRLj3dGclR1kYqNEClhaJOHgzSbpjuDRTNDuUKqm2cOylHIV3OXXB2DszcphQJX4qDvRQ9X6Gam13BdN42s2uoYQPtmdbx1+W6KCwV1t2bFJUpwza6TrBDA3hfWWcCSsvZ4aQByTBSpm12TbXD7oZK4V5QvmMrAZQmVp0FNQSVIynOehTbYWcDUx7tvRFvyr0PZLUgVcSOuC/AR82dL3QauktdmiC5qiVEls0BrxEo3ZiAP90+H5NudlW6I7x04w07JKMcUYkSdU+FZ0e0EddIxTm7Eme9YOOgsxPYlWIp/0T6zTiTUPbOYKdtiHgmicUI4ruQRi9HMzwZkWnMzBqyAgJVCUlOdqEHB8Qy8XzKjBiRSqnrI9m58YiIM/HXZifk5DRwipe3uwZ1qaZJYBW6qIfa3WDi2mNdceNMFNYeL+TyCTNT2tWrYSSR242eUacbKX0Bae5jFkj5LJEittrdL6KMXqiadvcOn/sxn3uj514JcZIp/1RBD66gYd1DZ3J/PmJHU5utsX1n59rAD80UpSmd1jPODuR1iqx02gxnd87A45vcZFAO8WaX1EQ/r+qoNaWDWrTC3qKvHi0Mps4r9dJ45DIGRU6nInNTCF5NXBjITYXGPArktQz0ScXJz4MHjoCBsRYGhqFzuZ2fFtiNwBrcBZSTzlpUhLLOu1DpvNI0GDKz2aaZDuchFUvnUHbOgHNOBT2MjTZQHFx5hHIb/UeysZfbBe55cAsiVpD/tNweSHg457EnnPMrzqO5zUHTUZKmerKMiWdW05++OYNfZy80ZDMCIkMDCjEuqvwydySes6BnhM/5Onrtvgx1tY/ouruU2iPj7I1XhU6G/e7ZYIJ94D0HXigr9iq79Cp6RtnOOdRvqehkuAZz+yKv/cAUgyd0BFtPTAZye6OTPcR82q7uZOGN65Hyuehiu6H7o13hdCo8WIw6+0PjhiLlc2Dd+LWlxuqxywhaeT1oUX8uaDBEf0sKKSxsUOrNtLox2gnoYyE3JEdgMFsnijSmiPpq1kdP11WTBW8saJbJmgvNNsvH8Sthe+s2yiMGu4Ubcjk4Ss92BruobZty7SBrv9HiOb21QTi629DdC3ehDaMx4W7jtyrcaX6Rwh0RGeUD2S7K2vf+Inow14mxgV6eIxv9ANnoMsSSIYZzoGgKeldhbZHG4yS7dBCroGAb9cFaOu2QzFsx05mJnroMZnRmga3SQfcCCBtLCEmskYkPwmQgmbD8ojvY2DFMTCI5ArtiJGTa0KbuJWQa/2bP1hrxLqBPYHcSx9junZRBUOQAYzJYOoT5JtqRToU2Hh6AeqG3a6Vzc1DVuPshCkRMem0c4hyGariTgtoZZiUfvQz5M5M6xntGIekeSuGRSnik0708KHPS3Y1I7P4FADisKcvdQHvG3UTQ+nQ6m4OeS2Nkls9R5fOJaKE7KjQbrJS4OypUlb0sPuLEPU/EZA8VPD3kFXxdCAUHwkMKNsMfUzCHsob9xwpOhL22s0NKRhq0aLMWFTJiam8RQtxvZ6y6kLtdWHXaI4nBZsBaMwtjs5YwqYQ0xvK2KCZYF0oGnAi40C1SQmP1LkpRc5lGwTTZ/Op0aURwRsi9IYw3XxlG8FsI+t5COJTO1NY/HumKu1+t1MN9TLkjuSzrj0LaoyfqfI9MC8dC/7GJ4kUr1ETRSUdzCO9EvT/FelZTdSHRirJsk2htE13tXaGOdD7MNMTYbDO58LjpfD8Ak7ZQJ7OORpigSJRHc53vtm4ukb402vX+z1Bwe7B/LR6h/s/iEe6/DI+6UP9qfob7P89Po/9i6CQkni0S3yAS3yQS3yIS3yYTf1Em/rJMfL3s1w3tigDPD9n0fqF+rcHmDrfZ8EQSQp1OGRsdCGJXckiQ7FCuBw1d8Q7DmQuJnAe+0MvzpQQeyUoqIuN+Gu0ar7jzTcJ9GUow2y7AxES4bQX1oQkzmsmUqBe0SvNhWGQyIzKlo1HAMdw1iHRfQn7ThPtWuHd2DyIqmb4KWolrcMdS6kMWph2yTedYcpJFehyQsIh4JYhpsMNZ53gE0pMGLFaF0MI+drjZOVGGneSFfR5heZnZwO1o7q5sx8C3yLHZoEoYpZNRk5UIcRZw8oxzCitgbi1KuRCam8TTNpRthH+WpTUL3RngfsxmXkUaZxFbXynDORXNTn3taWii0ysG1+s1Bpewt+Jaa74yP3MtPZN+PsgMwwfhwbMMsPbHvfSja1662fYQaZ/SYvUWE1HR0KFKQxf0KOkj2dQh0dQyo6hojqivT+e2yIi2CGnncS9PdNeFqgknf4Xy+OCx4rU3hOrCPLarC7vXGdLOycGwae8a2cGmT50wNtyvG9Lk4XwawnXhYChccsidLZ2BurY7pDQs03FBITo9RV8sJugbrZdh+PE4RNlyotYns3Wa2xWduUBOBJIplUBJBXGWQF/qaa5aoUkESy/XR0RgHPKsa9TFa2nY6WeiwYFbkDLLWcq6usnkiYEl1GkF4jS+8fIwBau8NmibPEtAetSICo4xKjZ6RhvfK+YJUBZlopG5ZAe7IlwcKY9MsHQWmmwZ8l3OWLgjTTaa0Vnh5dZWLSzeX5DpzSCP9i6jw72T2pxePaxvgzqTMvOQSSYllbCCK5DwlxBD5jEYgJzCdPrxKsyK3IzWWrpFWdDxxINatrYsoe4DwkygsnT3xxSQ8TpijODWB4ftiHiSYgTPYXA2hunr
$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress)
$UncompressedFileBytes = New-Object Byte[](748544)
$DeflatedStream.Read($UncompressedFileBytes, 0, 748544) | Out-Null
$Assembly = [Reflection.Assembly]::Load($UncompressedFileBytes)
$BindingFlags = [Reflection.BindingFlags] "Public,Static"
$a = @()
$Assembly.GetType("Costura.AssemblyLoader", $false).GetMethod("Attach", $BindingFlags).Invoke($Null, @())
$Assembly.GetType("Sharphound2.Sharphound").GetMethod("InvokeBloodHound").Invoke($Null, @(,$passed))
}