RedTrooperFM - Empire Module Wiki

February 2, 2018 ยท View on GitHub

A one page Wiki for all your Empire RTFM needs...

Will I am your Father

Index




powershell

Back to Index




powershell - code_execution


invoke_dllinjection

Description:

Uses PowerSploit's Invoke-DLLInjection to inject a Dll into the process ID of your choosing.

Author:

@mattifestation

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DllName of the dll to inject. This can be an absolute or relative path.True
ProcessIDProcess ID of the process you want to inject a Dll into.True

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorycode_execution
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




invoke_metasploitpayload

Description:

Spawns a new, hidden PowerShell window that downloadsand executes a Metasploit payload. This relies on theexploit/multi/scripts/web_delivery metasploit module.

Author:

@jaredhaight

Options:

ParamDescriptionRequiredDefault
AgentAgent to run Metasploit payload on.True
URLURL from the Metasploit web_delivery moduleTrue

Comments:

https://github.com/jaredhaight/Invoke-MetasploitPayload/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorycode_execution
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




invoke_ntsd

Description:

Use NT Symbolic Debugger to execute Empire launcher code

Author:

james fitts

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ArchArchitecture the system is on.Truex64
BinPathBinary to set NTSD to debug.TrueC:\Windows\System32\calc.exe
ListenerListener to use.True
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UploadPathPath to drop dll (C:\Users\Administrator\Desktop).False
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorycode_execution
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




invoke_reflectivepeinjection

Description:

Uses PowerSploit's Invoke-ReflectivePEInjection to reflectively load a DLL/EXE in to the PowerShell process or reflectively load a DLL in to a remote process.

Author:

@JosephBialek

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ComputerNameOptional an array of computernames to run the script on.False
DllPath(Attacker) local path for the PE/DLL to load.False
ExeArgsOptional arguments to pass to the executable being reflectively loaded.False
ForceASLROptional, will force the use of ASLR on the PE being loaded even if the PE indicates it doesn't support ASLR.TrueFalse
PEUrlA URL containing a DLL/EXE to load and execute.False
ProcIdProcess ID of the process you want to inject a Dll into.False

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorycode_execution
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




invoke_shellcode

Description:

Uses PowerSploit's Invoke--Shellcode to inject shellcode into the process ID of your choosing or within the context of the running PowerShell process. If you're injecting custom shellcode, make sure it's in the correct format and matches the architecture of the process you're injecting into.

Author:

@mattifestation

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
LhostLocal host handler for the meterpreter shell.False
ListenerMeterpreter/Beacon listener name.False
LportLocal port of the host handler.False
PayloadMetasploit payload to inject (reverse_http[s]).Falsereverse_https
ProcessIDProcess ID of the process you want to inject shellcode into.False
ShellcodeCustom shellcode to inject, 0xaa,0xab,... format.False

Comments:

http://www.exploit-monday.com

https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycode_execution
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




invoke_shellcodemsil

Description:

Execute shellcode within the context of the running PowerShell process without making any Win32 function calls. Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit!Note: Your shellcode must end in a ret (0xC3) and maintain proper stack alignment or PowerShell will crash!

Author:

@mattifestation

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ShellcodeShellcode to inject, 0x00,0x0a,... format.True

Comments:

http://www.exploit-monday.com

https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-ShellcodeMSIL.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorycode_execution
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powershell - collection


browser_data

Description:

Search through browser history or bookmarks

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
BrowserWhich browser to dump data from. IE, Chrome, Firefox, All.FalseAll
DataTypeSpecify to search history or bookmarks. History, Bookmarks.FalseAll
SearchSpecific a term to search for.False
UserNameUsername on the host to search.False

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




ChromeDump

Description:

This module will decrypt passwords saved in chrome and display them in the console.

Author:

@xorrior

Options:

ParamDescriptionRequiredDefault
AgentAgent to run the module on.True
OutFileFile path to write the results to.False

Comments:

https://github.com/xorrior/RandomPS-Scripts/blob/master/Get-ChromeDump.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




clipboard_monitor

Description:

Monitors the clipboard on a specified interval for changes to copied text.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CollectionLimitSpecifies the interval in minutes to capture clipboard text. Defaults to indefinite collection.False
PollIntervalInterval (in seconds) to check the clipboard for changes, defaults to 15 seconds.True15

Comments:

http://brianreiter.org/2010/09/03/copy-and-paste-with-clipboard-from-powershell/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




file_finder

Description:

Finds sensitive files on the domain.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CheckWriteAccessSwitch. Only returns files the current user has write access to.False
ComputerFilterHost filter name to query AD for, wildcards accepted.False
ComputerNameHosts to enumerate.False
CreationTimeOnly return files with a CreationDate greater than this date value.False
DelayDelay between enumerating hosts, defaults to 0.False
DomainDomain to query for machines.False
ExcludeHiddenSwitch. Exclude hidden files and folders from the search results.False
FreshEXESSwitch. Find .EXEs accessed in the last week.False
LastAccessTimeOnly return files with a LastAccessTime greater than this date value.False
NoPingSwitch. Don't ping each host to ensure it's up before enumerating.False
OfficeDocsSwitch. Return only office documents.False
SearchSYSVOLSwitch. Search for login scripts on the SYSVOL of the primary DCs for each specified domain.False
ShareListList of '\HOST\shares' (on the target) to search through.False
TermsComma-separated terms to search for (overrides defaults).False
ThreadsThe maximum concurrent threads to execute.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




find_interesting_file

Description:

Finds sensitive files on the domain.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CheckWriteAccessSwitch. Only returns files the current user has write access to.False
CreationTimeOnly return files with a CreationDate greater than this date value.False
ExcludeHiddenSwitch. Exclude hidden files and folders from the search results.False
FreshEXESSwitch. Find .EXEs accessed in the last week.False
LastAccessTimeOnly return files with a LastAccessTime greater than this date value.False
OfficeDocsSwitch. Return only office documents.False
PathUNC/local path to recursively search.True
TermsComma-separated terms to search for (overrides defaults).False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




FoxDump

Description:

This module will dump any saved passwords from Firefox to the console. This should work for any versionof Firefox above version 32. This will only be successful if the master password is blank or has not been set.

Author:

@xorrior

Options:

ParamDescriptionRequiredDefault
AgentAgent to run the module on.True
OutFilePath to Output FileFalse

Comments:

https://github.com/xorrior/RandomPS-Scripts/blob/master/Get-FoxDump.ps1

http://xakfor.net/threads/c-firefox-36-password-cookie-recovery.12192/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




get_indexed_item

Description:

Gets files which have been indexed by Windows desktop search.

Author:

@James O'Neill

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
TermsTerms to query the search indexer for.Truepassword,pass,sensitive,admin,login,secret,creds,credentials

Comments:

https://gallery.technet.microsoft.com/scriptcenter/Get-IndexedItem-PowerShell-5bca2dae

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




get_sql_column_sample_data

Description:

Returns column information from target SQL Servers. Supports search by keywords, sampling data, and validating credit card numbers.

Author:

@_nullbind, @0xbadjuju

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CheckAllCheck all systems retrieved by Get-SQLInstanceDomain.False
InstanceSQL Server instance to connection to.False
NoDefaultsDon't select tables from default databases.False
PasswordSQL Server or domain account password to authenticate with.False
UsernameSQL Server or domain account to authenticate with.False

Comments:

https://github.com/NetSPI/PowerUpSQL/blob/master/PowerUpSQL.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




get_sql_query

Description:

Executes a query on target SQL servers.

Author:

@_nullbind, @0xbadjuju

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
InstanceSQL Server instance to connection to.False
PasswordSQL Server or domain account password to authenticate with.False
QueryQuery to be executed on the SQL Server.True
UsernameSQL Server or domain account to authenticate with.False

Comments:

https://github.com/NetSPI/PowerUpSQL/blob/master/PowerUpSQL.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




inveigh

Description:

Inveigh is a Windows PowerShell LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool. Note that this module exposes only a subset of Inveigh's parameters. Inveigh can be used through Empire's scriptimport and scriptcmd if additional parameters are needed.

Author:

Kevin Robertson

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ConsoleOutput(Low/Medium/Y) Default = Y: Enable/Disable real time console output. Medium and Low can be used to reduce output.False
ConsoleStatusInterval in minutes for displaying all unique captured hashes and credentials. This will display a clean list of captures in Empire.False
ConsoleUnique(Y/N) Default = Y: Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations.False
ElevatedPrivilege(Auto/Y/N) Default = Auto: Set the privilege mode. Auto will determine if Inveigh is running with elevated privilege. If so, options that require elevated privilege can be used.False
HTTP(Y/N) Default = Y: Enable/Disable HTTP challenge/response capture.False
HTTPAuth(Anonymous/Basic/NTLM/NTLMNoESS) HTTP listener authentication type. This setting does not apply to wpad.dat requests.False
HTTPContentTypeContent type for HTTP/Proxy responses. Does not apply to EXEs and wpad.dat. Set to "application/hta" for HTA files or when using HTA code with HTTPResponse.False
HTTPResponseContent to serve as the default HTTP/Proxy response. This response will not be used for wpad.dat requests. Use PowerShell escape characters and newlines where necessary. This paramater will be wrapped in double quotes by this module.False
Inspect(Switch) Inspect LLMNR, mDNS, and NBNS traffic only.False
IPLocal IP address for listening and packet sniffing. This IP address will also be used for LLMNR/mDNS/NBNS spoofing if the SpooferIP parameter is not set.False
LLMNR(Y/N) Default = Y: Enable/Disable LLMNR spoofer.False
mDNS(Y/N) Enable/Disable mDNS spoofer.False
mDNSTypes(QU,QM) Default = QU: Comma separated list of mDNS types to spoof. Note that QM will send the response to 224.0.0.251.False
NBNS(Y/N) Enable/Disable NBNS spoofer.False
NBNSTypesDefault = 00,20: Comma separated list of NBNS types to spoof.False
Proxy(Y/N) Enable/Disable Inveigh's proxy server authentication capture.False
ProxyPortDefault = 8492: TCP port for the Inveigh's proxy listener.False
RunCountNumber of NTLMv1/NTLMv2 captures to perform before auto-exiting.False
RunTimeRun time duration in minutes.True
SMB(Y/N) Default = Y: Enable/Disable SMB challenge/response capture.False
SpooferHostsIgnoreComma separated list of requested hostnames to ignore when spoofing.False
SpooferHostsReplyComma separated list of requested hostnames to respond to when spoofing.False
SpooferIPResponse IP address for spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host.False
SpooferIPsIgnoreComma separated list of source IP addresses to ignore when spoofing.False
SpooferIPsReplyComma separated list of source IP addresses to respond to when spoofing.False
SpooferLearning(Y/N) Enable/Disable LLMNR/NBNS valid host learning.False
SpooferLearningDelayTime in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through SpooferLearning.False
SpooferRepeat(Y/N) Default = Y: Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured.False
WPADAuth(Anonymous/Basic/NTLM/NTLMNoESS) HTTP listener authentication type for wpad.dat requests.False

Comments:

https://github.com/Kevin-Robertson/Inveigh

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




keylogger

Description:

Logs keys pressed, time and the active window (when changed) to the keystrokes.txt file. This file is located in the agents downloads directory Empire/downloads//keystrokes.txt.

Author:

@obscuresec, @mattifestation, @harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




minidump

Description:

Generates a full-memory minidump of a process.

Author:

@mattifestation

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DumpFilePathSpecifies the folder path where dump files will be written. Defaults to the current user directory.False
ProcessIdSpecifies the process ID for which a dump will be generated.False
ProcessNameSpecifies the process name for which a dump will be generated.False

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundTrue
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




netripper

Description:

Injects NetRipper into targeted processes, which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption.

Author:

Ionut Popescu (@NytroRST), @mattifestation, @harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
AllDataSwitch. Log all data instead of just plaintext.False
DatalimitData limit capture per request.False4096
LogLocationFolder location to log sniffed data to.FalseTEMP
ProcessIDSpecific process ID to inject the NetRipper dll into.False
ProcessNameInject the NetRipper dll into all processes with the given name (i.e. putty).False
SearchStringsStrings to search for in traffic.Trueuser,login,pass,database,config

Comments:

https://github.com/NytroRST/NetRipper/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




ninjacopy

Description:

Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.

Author:

@JosephBialek

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ComputerNameAn array of computernames to run the script on.False
LocalDestinationA file path to copy the file to on the local computer.False
PathThe full path of the file to copy (example: c:\windows\ntds\ntds.dit)True
RemoteDestinationA file path to copy the file to on the remote computer. If this isn't used, LocalDestination must be specified.False

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1

https://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundTrue
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




packet_capture

Description:

Starts a packet capture on a host using netsh.

Author:

@obscuresec, @mattifestation

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
MaxSizeMaximum size of capture file. Blank for no limit.True100MB
PersistentSwitch. Persist capture across reboots.False
StopTraceSwitch. Stop trace capture.False
TraceFileFile to log the capture out to.TrueC:\capture.etl

Comments:

http://obscuresecurity.blogspot.com/p/presentation-slides.html

http://blogs.msdn.com/b/canberrapfe/archive/2012/03/31/capture-a-network-trace-without-installing-anything-works-for-shutdown-and-restart-too.aspx

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundFalse
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




prompt

Description:

Prompts the current user to enter their credentials in a forms box and returns the results.

Author:

greg.fossk, @harmj0y, @enigma0x3

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
IconTypeCritical, Question, Exclamation, or InformationTrueCritical
MsgTextMessage text to display if not waiting for a process create.TrueLost contact with the Domain Controller.
TitleTitle of the message box to display if not waiting for a process create.TrueERROR - 0xA801B720

Comments:

http://blog.logrhythm.com/security/do-you-trust-your-computer/https://enigma0x3.wordpress.com/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




screenshot

Description:

Takes a screenshot of the current desktop and returns the output as a .PNG.

Author:

@obscuresec, @harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
RatioJPEG Compression ratio: 1 to 100.False

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-TimedScreenshot.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorycollection
Languagepowershell
Min Version2
Out Extensionpng

View Source Code

Back to Index




vaults/add_keepass_config_trigger

Description:

This module adds a KeePass exfiltration trigger to all KeePass configs found by Find-KeePassConfig.

Author:

@tifkin_, @harmj0y

Options:

ParamDescriptionRequiredDefault
Action'ExportDatabase' (export opened databases to ExportPath)orโ€ฒExfilDataCopiedโ€ฒ(exportcopieddatatoExportPath) or 'ExfilDataCopied' (export copied data to ExportPath).TrueExportDatabase
AgentAgent to run the module on.True
ExportPathThe path to export data to, defaults to %APPDATA%\KeePass\False
TriggerNameThe name for the trigger.TrueDebug

Comments:

https://github.com/adaptivethreat/KeeThief

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




vaults/find_keepass_config

Description:

This module finds and parses any KeePass.config.xml (2.X) and KeePass.ini (1.X) files.

Author:

@tifkin_, @harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run the module on.True

Comments:

https://github.com/adaptivethreat/KeeThief

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




vaults/get_keepass_config_trigger

Description:

This module extracts out the trigger specifications from a KeePass 2.X configuration XML file.

Author:

@tifkin_, @harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run the module on.True

Comments:

https://github.com/adaptivethreat/KeeThief

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




vaults/keethief

Description:

This module retrieves database mastey key information for unlocked KeePass database.

Author:

@tifkin_, @harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run the module on.True

Comments:

https://github.com/adaptivethreat/KeeThief

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




vaults/remove_keepass_config_trigger

Description:

This module removes all triggers from all KeePass configs found by Find-KeePassConfig.

Author:

@tifkin_, @harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run the module on.True

Comments:

https://github.com/adaptivethreat/KeeThief

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorycollection
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




WebcamRecorder

Description:

This module uses the DirectX.Capture and DShowNET .NET assemblies to capture video from a webcam.

Author:

@xorrior

Options:

ParamDescriptionRequiredDefault
AgentAgent to run the module on.True
OutPathTemporary save path for the .avi file. Defaults to the current users APPDATA\roaming directoryFalse
RecordTimeLength of time to record in seconds. Defaults to 5.False

Comments:

comment

https://github.com/xorrior/RandomPS-Scripts/blob/master/Start-WebcamRecorder.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorycollection
Languagepowershell
Min Version2
Out Extensionavi

View Source Code

Back to Index




powershell - credentials


credential_injection

Description:

Runs PowerSploit's Invoke-CredentialInjection to create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).

Author:

@JosephBialek

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
AuthPackageauthentication package to use (Kerberos or Msv1_0)FalseKerberos
CredIDCredID from the store to use.False
DomainNameThe domain name of the user account.False
ExistingWinLogonSwitch. Use an existing WinLogon.exe processFalse
LogonTypeLogon type of the injected logon (Interactive, RemoteInteractive, or NetworkCleartext)FalseRemoteInteractive
NewWinLogonSwitch. Create a new WinLogon.exe process.False
PasswordPassword of the user.False
UserNameUsername to log in with.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-CredentialInjection.ps1

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundFalse
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




enum_cred_store

Description:

Dumps plaintext credentials from the Windows Credential Manager for the current interactive user.

Author:

BeetleChunks

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

The powershell used is based on JimmyJoeBob Alooba's CredMan script. https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




invoke_kerberoast

Description:

Requests kerberos tickets for all users with a non-null service principal name (SPN) and extracts them into a format ready for John or Hashcat.

Author:

@harmj0y, @machosec

Options:

ParamDescriptionRequiredDefault
AdminCountKerberoast privileged accounts protected by AdminSDHolder.False
AgentAgent to run module on.True
DomainSpecifies the domain to use for the query, defaults to the current domain.False
IdentitySpecific SamAccountName, DistinguishedName, SID, or GUID to kerberoast.False
LDAPFilterSpecifies an LDAP query string that is used to filter Active Directory objects.False
OutputFormatEither 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format.FalseJohn
SearchBaseThe LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local".False
SearchScopeSpecifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).False
ServerSpecifies an Active Directory server (domain controller) to bind to.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

https://gist.github.com/HarmJ0y/53a837fce877e32e18d78acbb08c8fe9

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mimikatz/cache

Description:

Runs PowerSploit's Invoke-Mimikatz function to extract MSCache(v2) hashes.

Author:

@JosephBialek, @gentilkiwi

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

http://clymb3r.wordpress.com/

http://blog.gentilkiwi.com

https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump#lsa

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundTrue
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mimikatz/certs

Description:

Runs PowerSploit's Invoke-Mimikatz function to extract all certificates to the local directory.

Author:

@JosephBialek, @gentilkiwi

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

http://clymb3r.wordpress.com/

http://blog.gentilkiwi.com

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundTrue
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mimikatz/command

Description:

Runs PowerSploit's Invoke-Mimikatz function with a custom command.

Author:

@JosephBialek, @gentilkiwi

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CommandCustom Invoke-Mimikatz command to run.True

Comments:

http://clymb3r.wordpress.com/

http://blog.gentilkiwi.com

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundTrue
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mimikatz/dcsync

Description:

Runs PowerSploit's Invoke-Mimikatz function to extract a given account password through Mimikatz's lsadump::dcsync module. This doesn't need code execution on a given DC, but needs to be run from a user context with DA equivalent privileges.

Author:

@gentilkiwi, Vincent Le Toux, @JosephBialek

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
dcSpecified (fqdn) domain controller to pull replication data from.False
domainSpecified (fqdn) domain to pull for the primary domain/DC.False
userUsername to extract the hash for (domain\username format).True

Comments:

http://blog.gentilkiwi.com

http://clymb3r.wordpress.com/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mimikatz/dcsync_hashdump

Description:

Runs PowerSploit's Invoke-Mimikatz function to collect all domain hashes using Mimikatz'slsadump::dcsync module. This doesn't need code execution on a given DC, but needs to be run froma user context with DA equivalent privileges.

Author:

@gentilkiwi, Vincent Le Toux, @JosephBialek, @harmj0y, @monoxgas

Options:

ParamDescriptionRequiredDefault
ActiveSwitch. Only collect hashes for accounts marked as active. Default is TrueFalse
AgentAgent to run module on.True
ComputersSwitch. Include machine hashes in the dumpFalse
DomainSpecified (fqdn) domain to pull for the primary domain/DC.False
ForestSwitch. Pop the big daddy (forest) as well.False

Comments:

http://blog.gentilkiwi.com

http://clymb3r.wordpress.com/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mimikatz/extract_tickets

Description:

Runs PowerSploit's Invoke-Mimikatz function to extract kerberos tickets from memory in base64-encoded form.

Author:

@JosephBialek, @gentilkiwi

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

http://clymb3r.wordpress.com/

http://blog.gentilkiwi.com

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mimikatz/golden_ticket

Description:

Runs PowerSploit's Invoke-Mimikatz function to generate a golden ticket and inject it into memory.

Author:

@JosephBialek, @gentilkiwi

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CredIDCredID from the store to use for ticket creation.False
domainThe fully qualified domain name.False
endinLifetime of the ticket (in minutes). Default to 10 years.False
groupsOptional comma separated group IDs for the ticket.False
idid to impersonate, defaults to 500.False
krbtgtkrbtgt NTLM hash for the specified domainFalse
sidThe SID of the specified domain.False
sidsExternal SIDs to add as sidhistory to the ticket.False
userUsername to impersonate.True

Comments:

http://clymb3r.wordpress.com/

http://blog.gentilkiwi.com

https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mimikatz/logonpasswords

Description:

Runs PowerSploit's Invoke-Mimikatz function to extract plaintext credentials from memory.

Author:

@JosephBialek, @gentilkiwi

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

http://clymb3r.wordpress.com/

http://blog.gentilkiwi.com

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundTrue
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mimikatz/lsadump

Description:

Runs PowerSploit's Invoke-Mimikatz function to extract a particular user hash from memory. Useful on domain controllers.

Author:

@JosephBialek, @gentilkiwi

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
UsernameUsername to extract the hash for, blank for all local passwords.False

Comments:

http://clymb3r.wordpress.com/

http://blog.gentilkiwi.com

https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump#lsa

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundTrue
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mimikatz/mimitokens

Description:

Runs PowerSploit's Invoke-Mimikatz function to list or enumerate tokens.

Author:

@JosephBialek, @gentilkiwi

Options:

ParamDescriptionRequiredDefault
adminSwitch. List/elevate local admin tokens.False
AgentAgent to run module on.True
domainadminSwitch. List/elevate domain admin tokens.False
elevateSwitch. Elevate instead of listing tokens.False
idToken ID to list/elevate the token of.False
listSwitch. List current tokens on the machine.FalseTrue
revertSwitch. Revert process token.False
userUser name to list/elevate the token of.False

Comments:

http://clymb3r.wordpress.com/

http://blog.gentilkiwi.com

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundFalse
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mimikatz/pth

Description:

Runs PowerSploit's Invoke-Mimikatz function to execute sekurlsa::pth to create a new process. with a specific user's hash. Use credentials/tokens to steal the token afterwards.

Author:

@JosephBialek, @gentilkiwi

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CredIDCredID from the store to use for ticket creation.False
domainThe fully qualified domain name.False
ntlmThe NTLM hash to use.False
userUsername to impersonate.False

Comments:

http://clymb3r.wordpress.com/

http://blog.gentilkiwi.com

http://blog.cobaltstrike.com/2015/05/21/how-to-pass-the-hash-with-mimikatz/

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundTrue
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mimikatz/purge

Description:

Runs PowerSploit's Invoke-Mimikatz function to purge all current kerberos tickets from memory.

Author:

@JosephBialek, @gentilkiwi

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

http://clymb3r.wordpress.com/

http://blog.gentilkiwi.com

https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mimikatz/sam

Description:

Runs PowerSploit's Invoke-Mimikatz function to extract hashes from the Security Account Managers (SAM) database.

Author:

@JosephBialek, @gentilkiwi

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

http://clymb3r.wordpress.com/

http://blog.gentilkiwi.com

https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump#lsa

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundTrue
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mimikatz/silver_ticket

Description:

Runs PowerSploit's Invoke-Mimikatz function to generate a silver ticket for a server/service and inject it into memory.

Author:

@JosephBialek, @gentilkiwi

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CredIDCredID from the store to use for ticket creation.False
domainThe fully qualified domain name.False
groupsOptional comma separated group IDs for the ticket.False
idid to impersonate, defaults to 500.False
rc4target machine rc4/NTLM hashFalse
serviceservice to forge the ticket for (cifs, HOST, etc.)Truecifs
sidThe SID of the specified domain.False
targetThe fully qualified domain name of the target machine.False
userUsername to impersonate.TrueAdministrator

Comments:

http://clymb3r.wordpress.com/

http://blog.gentilkiwi.com

https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mimikatz/trust_keys

Description:

Runs PowerSploit's Invoke-Mimikatz function to extract domain trust keys from a domain controller.

Author:

@JosephBialek, @gentilkiwi

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
MethodMethod to extract keys ("sekurlsa" or "lsadump")Truelsadump

Comments:

http://clymb3r.wordpress.com/

http://blog.gentilkiwi.com

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundTrue
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powerdump

Description:

Dumps hashes from the local system using Posh-SecMod's Invoke-PowerDump

Author:

DarkOperator, winfang, Kathy Peters, ReL1K

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundTrue
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




sessiongopher

Description:

Extract saved sessions & passwords for WinSCP, PuTTY, SuperPuTTY, FileZilla, RDP, .ppk files, .rdp files, .sdtid files

Author:

@arvanaghi, created at FireEye

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
AllDomainSwitch. Run against all computers on domain. Uses current security context, unless -u and -p arguments provided. Uses WMI.False
iLProvide path to a .txt file on the remote host containing hosts separated by newlines to run remotely against. Uses WMI.False
oSwitch. Drops a folder of all output in .csvs on remote host.False
pPassword for user account (if -u argument provided).False
TargetProvide a single host to run remotely against. Uses WMI.False
ThoroughSwitch. Searches entire filesystem for .ppk, .rdp, .sdtid files. Not recommended to use with -AllDomain due to time.False
uUser account (e.g. corp.com\jerry) for when using -Target, -iL, or -AllDomain. If not provided, uses current security context.False

Comments:

Twitter: @arvanaghi |

https://arvanaghi.com |

https://github.com/fireeye/SessionGopher

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




tokens

Description:

Runs PowerSploit's Invoke-TokenManipulation to enumerate Logon Tokens available and uses them to create new processes. Similar to Incognito's functionality. Note: if you select ImpersonateUser or CreateProcess, you must specify one of Username, ProcessID, Process, or ThreadId.

Author:

@JosephBialek

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CreateProcessSpecify a process to create instead of impersonating the user.False
ImpersonateUserSwitch. Will impersonate an alternate users logon token in the PowerShell thread.False
NoUISwitch. Use if creating a process which doesn't need a UI.False
ProcessProcess name to impersonate token of.False
ProcessArgsArguments for a spawned process.False
ProcessIDProcessID to impersonate token of.False
RevToSelfSwitch. Revert to original token.False
ShowAllSwitch. Enumerate all tokens.False
ThreadIdThread to impersonate token of.False
UsernameUsername to impersonate token of.False
WhoAmISwitch. Displays current credentials.False

Comments:

http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




vault_credential

Description:

Runs PowerSploit's Get-VaultCredential to display Windows vault credential objects including cleartext web credentials.

Author:

@mattifestation

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-VaultCredential.ps1

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundTrue
Categorycredentials
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powershell - exfiltration


egresscheck

Description:

This module will generate traffic on a provided range of ports and supports both TCP and UDP. Useful to identify direct egress channels.

Author:

Stuart Morgan stuart.morgan@mwrinfosecurity.com

Options:

ParamDescriptionRequiredDefault
AgentAgent to generate the source traffic onTrue
delayDelay, in milliseconds, between ports being testedTrue50
ipTarget IP AddressTrue
portrangeThe range of ports to connect on. This can be a comma separated list or dash-separated ranges.True22-25,53,80,443,445,3306,3389
protocolThe protocol to use. This can be TCP or UDPTrueTCP

Comments:

https://github.com/stufus/egresscheck-framework

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categoryexfiltration
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




exfil_dropbox

Description:

Upload a file to dropbox

Author:

kdick@tevora.com, Laurent Kempe

Options:

ParamDescriptionRequiredDefault
AgentAgent to useTrue
ApiKeyYour dropbox api keyTrue
SourceFilePath/path/to/fileTrue
TargetFilePath/path/to/dropbox/fileTrue

Comments:

Uploads specified file to dropbox

Ported to powershell2 from script by Laurent Kempe: http://laurentkempe.com/2016/04/07/Upload-files-to-DropBox-from-PowerShell/

Use forward slashes for the TargetFilePath

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categoryexfiltration
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powershell - exploitation


exploit_eternalblue

Description:

Port of MS17_010 Metasploit module to powershell. Exploits targeted system and executes specified shellcode. Windows 7 and 2008 R2 supported. Potential for a BSOD

Author:

Sean Dillon <sean.dillon [at] risksense.com>, Dylan Davis <dylan.davis [at] risksense.com>Equation Group, kdick@tevora.com (e0x70i)

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
InitialGroomsNumber of Initial GroomsTrue12
MaxAttemptsNumber of times to try exploit (increment grooms by 5 each time)True1
ShellcodeCustom shellcode to inject, 0xaa,0xab,... format.True
TargetIP or Hostname of targetTrue

Comments:

https://github.com/RiskSense-Ops/MS17-010

https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue

http://threat.tevora.com/eternal-blues/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categoryexploitation
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




exploit_jboss

Description:

Exploit vulnerable JBoss Services.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
AppNameApplication name the WAR file deploys to. Empire defaults to "launcher".True
JMXConsoleSwitch. Service to ExploitTrue
PortSpecify the port to use.True
RhostSpecify the host to exploit.True
UseSSLForce SSL useage.False
WarFileRemote URL [http://IP:PORT/f.war] to your own WarFile to deploy.True

Comments:

Requires WAR file that is not provided.

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categoryexploitation
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




exploit_jenkins

Description:

Run command on unauthenticated Jenkins Script consoles.

Author:

@luxcupitor

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
Cmdcommand to run on remote jenkins script console.Truewhoami
PortSpecify the port to use.True8080
RhostSpecify the host to exploit.True

Comments:

Pass a command to run. If windows, you may have to prepend "cmd /c ".

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categoryexploitation
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powershell - lateral_movement


inveigh_relay

Description:

Inveigh's SMB relay function. This module can be used to relay incoming HTTP/Proxy NTLMv1/NTLMv2 authentication requests to an SMB target. If the authentication is successfully relayed and the account has the correct privilege, a specified command or Empire launcher will be executed on the target PSExec style. This module works best while also running collection/inveigh with HTTP disabled. Note that this module exposes only a subset of Inveigh Relay's parameters. Inveigh Relay can be used through Empire's scriptimport and scriptcmd if additional parameters are needed.

Author:

Kevin Robertson

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CommandCommand to execute on relay target. Do not wrap in quotes and use PowerShell escape characters and newlines where necessary.False
ConsoleOutput(Low/Medium/Y) Default = Y: Enable/Disable real time console output. Medium and Low can be used to reduce output.False
ConsoleStatusInterval in minutes for displaying all unique captured hashes and credentials. This will display a clean list of captures in Empire.False
ConsoleUnique(Y/N) Default = Y: Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations.False
HTTP(Y/N) Default = Y: Enable/Disable HTTP challenge/response capture/relay.False
ListenerListener to use.False
Proxy(Y/N) Default = N: Enable/Disable Inveigh's proxy server authentication capture/relay.False
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
ProxyPortDefault = 8492: TCP port for Inveigh's proxy listener.False
Proxy_Proxy to use for request (default, none, or other).Falsedefault
RunTimeRun time duration in minutes.True
ServiceDefault = 20 character random: Name of the service to create and delete on the target.False
SMB1(Switch) Force SMB1.False
TargetIP address or hostname of system to target for relay.True
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault
UsernamesComma separated list of usernames to use for relay attacks. Accepts both username and domain\username format.False
WPADAuth(Anonymous/NTLM) HTTP listener authentication type for wpad.dat requests.False

Comments:

https://github.com/Kevin-Robertson/Inveigh

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorylateral_movement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




invoke_dcom

Description:

Executes a stager on remote hosts using DCOM.

Author:

@rvrsh3ll

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ComputerNameHost[s] to execute the stager on, comma separated.True
CredIDCredID from the store to use.False
ListenerListener to use.True
MethodCOM method to use.TrueShellWindows
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorylateral_movement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




invoke_executemsbuild

Description:

This module utilizes WMI and MSBuild to compile and execute an xml file containing an Empire launcher

Author:

@xorrior

Options:

ParamDescriptionRequiredDefault
AgentAgent to grab a screenshot from.True
ComputerNameHost to targetTrue
CredIDCredID from the store to use.False
DriveLetterDrive letter to use when mounting the share locallyFalse
FilePathDesired location to copy the xml file on the targetFalse
ListenerListener to use.True
PasswordPassword if executing with credentialsFalse
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault
UserNameUserName if executing with credentialsFalse

Comments:

Inspired by @subtee

http://subt0x10.blogspot.com/2016/09/bypassing-application-whitelisting.html

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorylateral_movement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




invoke_psexec

Description:

Executes a stager on remote hosts using PsExec type functionality.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CommandCustom command to execute on remote hosts.False
ComputerNameHost[s] to execute the stager on, comma separated.True
ListenerListener to use.False
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
ResultFileName of the file to write the results to on agent machine.False
ServiceNameThe name of the service to create.TrueUpdater
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

https://github.com/rapid7/metasploit-framework/blob/master/tools/psexec.rb

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorylateral_movement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




invoke_psremoting

Description:

Executes a stager on remote hosts using PSRemoting.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ComputerNameHost[s] to execute the stager on, comma separated.True
CredIDCredID from the store to use.False
ListenerListener to use.True
PasswordPassword to use to execute command.False
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault
UserName[domain]username to use to execute command.False

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorylateral_movement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




invoke_sqloscmd

Description:

Executes a command or stager on remote hosts using xp_cmdshell.

Author:

@nullbind, @0xbadjuju

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CommandCustom command to execute on remote hosts.False
CredIDCredID from the store to use.False
InstanceHost[s] to execute the stager on, comma separated.True
ListenerListener to use.False
PasswordPassword to use to execute command.False
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault
UserName[domain]username to use to execute command.False

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorylateral_movement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




invoke_sshcommand

Description:

Executes a command on a remote host via SSH.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CommandThe command to run on the remote host.True
CredIDCredID from the store to use.False
IPAddress of the target server.True
PasswordThe password to login with.False
UsernameThe username to login with.False

Comments:

Open Source is the Best Source

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorylateral_movement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




invoke_wmi

Description:

Executes a stager on remote hosts using WMI.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ComputerNameHost[s] to execute the stager on, comma separated.True
CredIDCredID from the store to use.False
ListenerListener to use.True
PasswordPassword to use to execute command.False
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault
UserName[domain]username to use to execute command.False

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorylateral_movement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




invoke_wmi_debugger

Description:

Uses WMI to set the debugger for a target binary on a remote machine to be cmd.exe or a stager.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
BinaryBinary to set for the debugger.FalseC:\Windows\System32\cmd.exe
CleanupSwitch. Disable the debugger for the specified TargetBinary.False
ComputerNameHost[s] to execute the stager on, comma separated.True
CredIDCredID from the store to use.False
ListenerListener to use.False
PasswordPassword to use to execute command.False
RegPathRegistry location to store the script code. Last element is the key name.FalseHKLM:Software\Microsoft\Network\debug
TargetBinaryTarget binary to set the debugger for (sethc.exe, Utilman.exe, osk.exe, Narrator.exe, or Magnify.exe)Truesethc.exe
UserName[domain]username to use to execute command.False

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorylateral_movement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




jenkins_script_console

Description:

Exploit unauthenticated Jenkins Script consoles.

Author:

@luxcupitor

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ListenerListener to use.True
PortSpecify the port to use.True8080
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
RhostSpecify the remote jenkins server to exploit.True
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

Deploys an Empire agent to a windows Jenkins server with unauthenticated access to script console.

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorylateral_movement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




new_gpo_immediate_task

Description:

Builds an 'Immediate' schtask to push out through a specified GPO.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainThe domain to query for the GPOs, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
GPODisplayNameThe GPO display name to build the task for.False
GPOnameThe GPO name to build the task for.False
ListenerListener to use.True
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
RemoveSwitch. Remove the immediate schtask.Falsedefault
TaskAuthorName for the schtask to create.TrueNT AUTHORITY\System
TaskDescriptionName for the schtask to create.FalseDebugging functionality.
TaskNameName for the schtask to create.TrueDebug
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorylateral_movement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powershell - management


disable_rdp

Description:

Disables RDP on the remote machine.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundFalse
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




downgrade_account

Description:

Set reversible encryption on a given domain account and then force the password to be set on next user login.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainThe domain to query for objects, defaults to the current domain.False
NameThe name of the domain object you're manipulating.False
RepairSwitch. Unset the reversible encryption flag and force password reset flag.False
SamAccountNameThe SamAccountName of the domain object you're manipulating.False

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




enable_multi_rdp

Description:

[!] WARNING: Experimental! Runs PowerSploit's Invoke-Mimikatz function to patch the Windows terminal service to allow multiple users to establish simultaneous RDP connections.

Author:

@gentilkiwi, @JosephBialek

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

http://blog.gentilkiwi.com

http://clymb3r.wordpress.com/

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundTrue
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




enable_rdp

Description:

Enables RDP on the remote machine and adds a firewall exception.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundFalse
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




get_domain_sid

Description:

Returns the SID for the current of specified domain.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainDomain to resolve SID for, defaults to the current domain.False

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




honeyhash

Description:

Inject artificial credentials into LSASS.

Author:

@mattifestation

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainSpecifies the fake domain.True
PasswordSpecifies the fake password.True
UserNameSpecifies the fake user name.True

Comments:

https://isc.sans.edu/diary/Detecting+Mimikatz+Use+On+Your+Network/19311/

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundFalse
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




invoke_script

Description:

Run a custom script. Useful for mass-taskings or script autoruns.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ScriptCmdScript command (Invoke-X) from file to run, along with any specified arguments.True
ScriptPathFull path to the PowerShell script.ps1 to run (on attacker machine)False

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




lock

Description:

Locks the workstation's display.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

http://poshcode.org/1640

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




logoff

Description:

Logs the current user (or all users) off the machine.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
AllUsersSwitch. Log off all current users.False

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mailraider/disable_security

Description:

This function checks for the ObjectModelGuard, PromptOOMSend, and AdminSecurityMode registry keys for Outlook security. This function must be run in an administrative context in order to set the values for the registry keys.

Author:

@xorrior

Options:

ParamDescriptionRequiredDefault
AdminPasswordOptional AdminPassword credentials to use for registry changes.False
AdminUserOptional AdminUser credentials to use for registry changes.False
AgentAgent to run module on.True
ResetSwitch. Reset security settings to default values.False
VersionThe version of Microsoft Outlook.True

Comments:

https://github.com/xorrior/EmailRaider

http://www.xorrior.com/phishing-on-the-inside/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mailraider/get_emailitems

Description:

Returns all of the items for the specified folder.

Author:

@xorrior

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
FolderNameThe Name of the Outlook Default Folder.TrueInbox
MaxEmailsMaximum number of emails to grab.True100

Comments:

https://github.com/xorrior/EmailRaider

http://www.xorrior.com/phishing-on-the-inside/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mailraider/get_subfolders

Description:

Returns a list of all the folders in the specified top level folder.

Author:

@xorrior

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DefaultFolderFolder to search in.TrueInbox

Comments:

https://github.com/xorrior/EmailRaider

http://www.xorrior.com/phishing-on-the-inside/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




Description:

Searches the given Outlook folder for items (Emails, Contacts, Tasks, Notes, etc. Depending on the folder) and returns any matches found.

Author:

@xorrior

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DefaultFolderFolder to search in.TrueInbox
FilePath to results file (instead of stdout).False
KeywordsKeyword/s to search for.True
MaxResultsMaximum number of results to return.False100
MaxSearchMaximum number of emails to search through.False
MaxThreadsMaximum number of threads to use when searching.True15

Comments:

https://github.com/xorrior/EmailRaider

http://www.xorrior.com/phishing-on-the-inside/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mailraider/search_gal

Description:

returns any exchange users that match the specified search criteria. Searchable fields are FirstName, LastName, JobTitle, Email-Address, and Department.

Author:

@xorrior

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DeptDepartment to search for.False
EmailEMail address to search for.False
FullNameFull Name to search for.TrueInbox
JobTitleJob Title to search for.True
MaxThreadsMaximum number of threads to use when searching.True15

Comments:

https://github.com/xorrior/EmailRaider

http://www.xorrior.com/phishing-on-the-inside/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mailraider/send_mail

Description:

Sends emails using a custom or default template to specified target email addresses.

Author:

@xorrior

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
AttachmentFull path to the file to use as a payload.False
BodyBody of the email.False
SubjectSubject of the email.False
TargetListList of email addresses read from a file.False
TargetsArray of target email addresses. If Targets or TargetList parameter are not specified, a list of 100 email addresses will be randomly selected from the Global Address List.False
TemplateFull path to the template html file.False
URLURL to include in the email.False

Comments:

https://github.com/xorrior/EmailRaider

http://www.xorrior.com/phishing-on-the-inside/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mailraider/view_email

Description:

Selects the specified folder and then outputs the email item at the specified index.

Author:

@xorrior

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
FolderNameThe Name of the Outlook Default Folder.TrueInbox
IndexIndex of the Email item within the selected folder to display.True0

Comments:

https://github.com/xorrior/EmailRaider

http://www.xorrior.com/phishing-on-the-inside/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




psinject

Description:

Utilizes Powershell to to inject a Stephen Fewer formed ReflectivePick which executes PS codefrom memory in a remote process

Author:

@harmj0y, @sixdub, leechristensen (@tifkin_)

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ListenerListener to use.True
ProcIdProcessID to inject into.False
ProcNameProcess name to inject into.False
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

http://sixdub.net

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




reflective_inject

Description:

Utilizes Powershell to to inject a Stephen Fewer formed ReflectivePick which executes PS codefrom memory in a remote process

Author:

@harmj0y, @sixdub, leechristensen (@tifkin_), james fitts

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ArchArchitecture of the .dll to generate (x64 or x86).Falsex64
ListenerListener to use.True
ProcNameProcess name to inject into. (I.E calc, chrome, powershell)False
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UploadPathPath to drop dll (C:\Users\Administrator\Desktop).False
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

http://sixdub.net

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




restart

Description:

Restarts the specified machine.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




runas

Description:

Runas knockoff. Will bypass GPO path restrictions.

Author:

rvrsh3ll (@424f424f)

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ArgumentsOptional arguments for the supplied binary.False
CmdCommand to run.Truenotepad.exe
CredIDCredID from the store to use.False
DomainOptional domain.False
PasswordPassword for the specified username.False
ShowWindowSwitch. Show the window for the created process instead of hiding it.False
UserNameUsername to run the command as.False

Comments:

https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/RunAs.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




sid_to_user

Description:

Converts a specified domain sid to a user.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
SIDDomain SID to translate.True

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




spawn

Description:

Spawns a new agent in a new powershell.exe process.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ListenerListener to use.True
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
SysWow64Switch. Spawn a SysWow64 (32-bit) powershell.exe.False
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




spawnas

Description:

Spawn an agent with the specified logon credentials.

Author:

rvrsh3ll (@424f424f), @harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CredIDCredID from the store to use.False
DomainOptional domain.False
ListenerListener to use.True
PasswordPassword for the specified username.False
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault
UserNameUsername to run the command as.False

Comments:

https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/RunAs.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




switch_listener

Description:

Overwrites the listener controller logic with the agent with the logic from generate_comms() for the specified listener.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ListenerListener to switch agent comms to.True

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




timestomp

Description:

Executes time-stomp like functionality by invoking Set-MacAttribute.

Author:

@obscuresec

Options:

ParamDescriptionRequiredDefault
AccessedSet accessed time (01/03/2006 12:12 pm).False
AgentAgent to run module on.True
AllSet all MAC attributes to value (01/03/2006 12:12 pm).False
CreatedSet created time (01/03/2006 12:12 pm).False
FilePathFile path to modify.True
ModifiedSet modified time (01/03/2006 12:12 pm).False
OldFileOld file path to clone MAC from.False

Comments:

http://obscuresecurity.blogspot.com/2014/05/touch.html

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




user_to_sid

Description:

Converts a specified domain\user to a domain sid.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainDomain name for translation.True
UserUsername for translation.True

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




vnc

Description:

Invoke-Vnc executes a VNC agent in-memory and initiates a reverse connection, or binds to a specified port. Password authentication is supported.

Author:

@n00py

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ConTypeConnection type, choose "bind" or "reverse".Truebind
IpAddressIP Address to use for reverse connection.False
PasswordPassword to use.Truepassword
PortPort to Use.True5900

Comments:

https://github.com/artkond/Invoke-Vnc

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




wdigest_downgrade

Description:

Sets wdigest on the machine to explicitly use logon credentials. Counters kb2871997.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CleanupSwitch. Disable the registry key.False
NoLockSwitch. Don't lock the workstation after registry change.False

Comments:

https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundFalse
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




zipfolder

Description:

Zips up a target folder for later exfiltration.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
FolderFolder path to zip.True
ZipFileNameZip name/path to create.True

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorymanagement
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powershell - persistence


elevated/registry

Description:

Persist a stager (or script) via the HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. This has an easy detection/removal rating.

Author:

@mattifestation, @harmj0y

Options:

ParamDescriptionRequiredDefault
ADSPathAlternate-data-stream location to store the script code.False
AgentAgent to run module on.True
CleanupSwitch. Cleanup the trigger and any script from specified location.False
ExtFileUse an external file for the payload instead of a stager.False
KeyNameKey name for the run trigger.TrueUpdater
ListenerListener to use.False
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
RegPathRegistry location to store the script code. Last element is the key name.FalseHKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Debug
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/Persistence/Persistence.psm1

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundFalse
Categorypersistence
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




elevated/schtasks

Description:

Persist a stager (or script) using schtasks running as SYSTEM. This has a moderate detection/removal rating.

Author:

@mattifestation, @harmj0y

Options:

ParamDescriptionRequiredDefault
ADSPathAlternate-data-stream location to store the script code.False
AgentAgent to run module on.True
CleanupSwitch. Cleanup the trigger and any script from specified location.False
DailyTimeDaily time to trigger the script (HH:mm).False09:00
ExtFileUse an external file for the payload instead of a stager.False
IdleTimeUser idle time (in minutes) to trigger script.False
ListenerListener to use.False
OnLogonSwitch. Trigger script on user logon.False
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
RegPathRegistry location to store the script code. Last element is the key name.FalseHKLM:\Software\Microsoft\Network\debug
TaskNameName to use for the schtask.TrueUpdater
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/Persistence/Persistence.psm1

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundFalse
Categorypersistence
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




elevated/wmi

Description:

Persist a stager (or script) using a permanent WMI subscription. This has a difficult detection/removal rating.

Author:

@mattifestation, @harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
AtStartupSwitch. Trigger script (within 5 minutes) of system startup.FalseTrue
CleanupSwitch. Cleanup the trigger and any script from specified location.False
DailyTimeDaily time to trigger the script (HH:mm).False
ExtFileUse an external file for the payload instead of a stager.False
ListenerListener to use.False
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
SubNameName to use for the event subscription.TrueUpdater
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/Persistence/Persistence.psm1

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundFalse
Categorypersistence
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




elevated/wmi_updater

Description:

Persist a stager (or script) using a permanent WMI subscription. This has a difficult detection/removal rating.

Author:

@mattifestation, @harmj0y, @tristandostaler

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
AtStartupSwitch. Trigger script (within 5 minutes) of system startup.FalseTrue
CleanupSwitch. Cleanup the trigger and any script from specified location.False
DailyTimeDaily time to trigger the script (HH:mm).False
ExtFileUse an external file for the payload instead of a stager.False
LauncherLauncher string.Truepowershell -noP -sta -w 1 -enc
SubNameName to use for the event subscription.TrueAutoUpdater
WebFileThe location of the launcher.bat file to fetch over the network/webTruehttp://127.0.0.1/launcher.bat

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/Persistence/Persistence.psm1

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundFalse
Categorypersistence
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




misc/add_netuser

Description:

Adds a domain user or a local user to the current (or remote) machine, if permissions allow,

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ComputerNameHostname to add the local user to.Falselocalhost
DomainSpecified domain to add the user to.False
GroupNameGroup to optionally add the user to.FalseAdministrators
PasswordThe password to set for the added user.FalsePassword123!
UserNameThe username to add.Falsebackdoor

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorypersistence
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




misc/add_sid_history

Description:

Runs PowerSploit's Invoke-Mimikatz function to execute misc::addsid to add sid history for a user. ONLY APPLICABLE ON DOMAIN CONTROLLERS!

Author:

@JosephBialek, @gentilkiwi

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
GroupsGroups/users to add to the sidhistory of the target user (COMMA-separated).True
UserUser to add sidhistory for.True

Comments:

http://clymb3r.wordpress.com/

http://blog.gentilkiwi.com

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundTrue
Categorypersistence
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




misc/debugger

Description:

Sets the debugger for a specified target binary to be cmd.exe, another binary of your choice, or a listern stager. This can be launched from the ease-of-access center (ctrl+U).

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CleanupSwitch. Disable the Utilman.exe debugger.False
ListenerListener to use.False
RegPathRegistry location to store the script code. Last element is the key name.FalseHKLM:Software\Microsoft\Network\debug
TargetBinaryTarget binary to set the debugger for (sethc.exe, Utilman.exe, osk.exe, Narrator.exe, or Magnify.exe)Truesethc.exe
TriggerBinaryBinary to set for the debugger.FalseC:\Windows\System32\cmd.exe

Comments:

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundFalse
Categorypersistence
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




misc/disable_machine_acct_change

Description:

Disables the machine account for the target system from changing its password automatically.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CleanUpSwitch. Re-enable machine password changes.False

Comments:

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundFalse
Categorypersistence
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




misc/get_ssps

Description:

Enumerates all loaded security packages (SSPs).

Author:

@mattifestation

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/Persistence/Persistence.psm1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorypersistence
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




misc/install_ssp

Description:

Installs a security support provider (SSP) dll.

Author:

@mattifestation

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
PathPath of the SSP .dll (on the target machine) to install.True

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/Persistence/Persistence.psm1

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundTrue
Categorypersistence
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




misc/memssp

Description:

Runs PowerSploit's Invoke-Mimikatz function to execute misc::memssp to log all authentication events to C:\Windows\System32\mimisla.log.

Author:

@JosephBialek, @gentilkiwi

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

http://clymb3r.wordpress.com/

http://blog.gentilkiwi.com

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundTrue
Categorypersistence
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




misc/skeleton_key

Description:

Runs PowerSploit's Invoke-Mimikatz function to execute misc::skeleton to implant a skeleton key w/ password 'mimikatz'. ONLY APPLICABLE ON DOMAIN CONTROLLERS!

Author:

@JosephBialek, @gentilkiwi

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

http://clymb3r.wordpress.com/

http://blog.gentilkiwi.com

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundTrue
Categorypersistence
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powerbreach/deaduser

Description:

Backup backdoor for a backdoor user.

Author:

@sixdub

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainSwitch. Check the current domain for the user account.False
ListenerListener to use.True
OutFileOutput the backdoor to a file instead of tasking to an agent.False
SleepTime (in seconds) to sleep between checks.True30
TimeoutTime (in seconds) to run the backdoor. Defaults to 0 (run forever).True0
UsernameUser account to check for existence.True

Comments:

http://sixdub.net

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorypersistence
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powerbreach/eventlog

Description:

Starts the event-loop backdoor.

Author:

@sixdub

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ListenerListener to use.True
OutFileOutput the backdoor to a file instead of tasking to an agent.False
SleepTime (in seconds) to sleep between checks.True30
TimeoutTime (in seconds) to run the backdoor. Defaults to 0 (run forever).True0
TriggerThe unique value to look for in every event packet.TrueHACKER

Comments:

http://sixdub.net

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundFalse
Categorypersistence
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powerbreach/resolver

Description:

Starts the Resolver Backdoor.

Author:

@sixdub

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
HostnameHostname to routinely check for a trigger.True
ListenerListener to use.True
OutFileOutput the backdoor to a file instead of tasking to an agent.False
SleepTime (in seconds) to sleep between checks.True30
TimeoutTime (in seconds) to run the backdoor. Defaults to 0 (run forever).True0
TriggerThe IP Address that the backdoor is looking for.True127.0.0.1

Comments:

http://sixdub.net

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorypersistence
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




userland/backdoor_lnk

Description:

Backdoor a specified .LNK file with a version that launches the original binary and then an Empire stager.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CleanupSwitch. Restore the original .LNK settings.False
ExtFileUse an external file for the payload instead of a stager.False
ListenerListener to use.True
LNKPathFull path to the .LNK to backdoor.True
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
RegPathRegistry location to store the script code. Last element is the key name.TrueHKCU:\Software\Microsoft\Windows\debug
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

http://windowsitpro.com/powershell/working-shortcuts-windows-powershell

http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html

https://github.com/samratashok/nishang

http://blog.trendmicro.com/trendlabs-security-intelligence/black-magic-windows-powershell-used-again-in-new-attack/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorypersistence
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




userland/registry

Description:

Persist a stager (or script) via the HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. This has an easy detection/removal rating.

Author:

@mattifestation, @harmj0y, @enigma0x3

Options:

ParamDescriptionRequiredDefault
ADSPathAlternate-data-stream location to store the script code.False
AgentAgent to run module on.True
CleanupSwitch. Cleanup the trigger and any script from specified location.False
EventLogIDStore the script in the Application event log under the specified EventID. The ID needs to be unique/rare!False
ExtFileUse an external file for the payload instead of a stager.False
KeyNameKey name for the run trigger.TrueUpdater
ListenerListener to use.False
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
RegPathRegistry location to store the script code. Last element is the key name.FalseHKCU:Software\Microsoft\Windows\CurrentVersion\Debug
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/Persistence/Persistence.psm1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorypersistence
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




userland/schtasks

Description:

Persist a stager (or script) using schtasks. This has a moderate detection/removal rating.

Author:

@mattifestation, @harmj0y

Options:

ParamDescriptionRequiredDefault
ADSPathAlternate-data-stream location to store the script code.False
AgentAgent to run module on.True
CleanupSwitch. Cleanup the trigger and any script from specified location.False
DailyTimeDaily time to trigger the script (HH:mm).False09:00
ExtFileUse an external file for the payload instead of a stager.False
IdleTimeUser idle time (in minutes) to trigger script.False
ListenerListener to use.False
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
RegPathRegistry location to store the script code. Last element is the key name.FalseHKCU:\Software\Microsoft\Windows\CurrentVersion\debug
TaskNameName to use for the schtask.TrueUpdater
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/Persistence/Persistence.psm1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorypersistence
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powershell - privesc


ask

Description:

Leverages Start-Process' -Verb runAs option inside a YES-Required loop to prompt the user for a high integrity context before running the agent code. UAC will report Powershell is requesting Administrator privileges. Because this does not use the BypassUAC DLLs, it should not trigger any AV alerts.

Author:

Jack64

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ListenerListener to use.True
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ask.rb

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




bypassuac

Description:

Runs a BypassUAC attack to escape from a medium integrity process to a high integrity process. This attack was originally discovered by Leo Davidson. Empire uses components of MSF's bypassuac injection implementation as well as an adapted version of PowerSploit's Invoke--Shellcode.ps1 script for backend lifting.

Author:

Leo Davidson, @meatballs__, @TheColonial, @mattifestation, @harmyj0y, @sixdub

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ListenerListener to use.True
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke--Shellcode.ps1

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/bypassuac_injection.rb

https://github.com/rapid7/metasploit-framework/tree/master/external/source/exploits/bypassuac_injection/dll/src

http://www.pretentiousname.com/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




bypassuac_env

Description:

Bypasses UAC (even with Always Notify level set) by by performing an registry modification of the "windir" value in "Environment" based on James Forshaw findings(https://tyranidslair.blogspot.cz/2017/05/exploiting-environment-variables-in.html)

Author:

Petr Medonos

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ListenerListener to use.True
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

https://tyranidslair.blogspot.cz/2017/05/exploiting-environment-variables-in.html

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




bypassuac_eventvwr

Description:

Bypasses UAC by performing an image hijack on the .msc file extension and starting eventvwr.exe. No files are dropped to disk, making this opsec safe.

Author:

@enigma0x3

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ListenerListener to use.True
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




bypassuac_fodhelper

Description:

Bypasses UAC by performing an registry modification for FodHelper (based onhttps://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/)

Author:

Petr Medonos

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ListenerListener to use.True
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




bypassuac_sdctlbypass

Description:

Bypasses UAC by performing an registry modification for sdclt (based onhttps://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/)

Author:

Petr Medonos

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ListenerListener to use.True
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




bypassuac_tokenmanipulation

Description:

Bypass UAC module based on the script released by Matt Nelson @enigma0x3 at Derbycon 2017

Author:

@enigma0x3,@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to elevate from.True
HostHost or IP where stager is served.True
PortPort to connect to where stager is servedTrue
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
StagerStager file that you have hosted.Trueupdate.php
UserAgentUserAgent for staging processFalseMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Comments:

comment

https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-TokenDuplication.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




bypassuac_wscript

Description:

Drops wscript.exe and a custom manifest into C:\Windows\ and then proceeds to execute VBScript using the wscript executablewith the new manifest. The VBScript executed by C:\Windows\wscript.exe will run elevated.

Author:

@enigma0x3, @harmyj0y, Vozzie

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ListenerListener to use.True
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html

https://github.com/Vozzie/uacscript

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




getsystem

Description:

Gets SYSTEM privileges with one of two methods.

Author:

@harmj0y, @mattifestation

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
PipeNameOptional pipe name to used for 'NamedPipe' impersonation.False
RevToSelfSwitch. Reverts the current thread privileges.False
ServiceNameOptional service name to used for 'NamedPipe' impersonation.False
TechniqueTechnique to use, 'NamedPipe' for service named pipe impersonation or 'Token' for adjust token privs.FalseNamedPipe
WhoAmISwitch. Display the credentials for the current PowerShell thread.False

Comments:

https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c

https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot

http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/

http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundFalse
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




gpp

Description:

Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.

Author:

@obscuresec

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




mcafee_sitelist

Description:

Retrieves the plaintext passwords for found McAfee's SiteList.xml files.

Author:

@harmj0y, @funoverip

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

https://github.com/funoverip/mcafee-sitelist-pwd-decryption/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




ms16-032

Description:

Spawns a new Listener as SYSTEM by leveraging the MS16-032 local exploit. Note: ~1/6 times the exploit won't work, may need to retry.

Author:

@FuzzySec, @leoloobeek

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ListenerListener to use.True
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

Credit to James Forshaw (@tiraniddo) for exploit discovery and

to Ruben Boonen (@FuzzySec) for PowerShell PoC

https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html

https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




ms16-135

Description:

Spawns a new Listener as SYSTEM by leveraging the MS16-135 local exploit. This exploit is for x64 only and only works on unlocked session. Note: the exploit performs fast windows switching, victim's desktop may flash. A named pipe is also created. Thus, opsec is not guaranteed

Author:

@TinySecEx, @FuzzySec, ThePirateWhoSmellsOfSunflowers (github)

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ListenerListener to use.True
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

Credit to TinySec (@TinySecEx) for the initial PoC and

to Ruben Boonen (@FuzzySec) for PowerShell PoC

https://github.com/tinysec/public/tree/master/CVE-2016-7255

https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135

https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powerup/allchecks

Description:

Runs all current checks for Windows privesc vectors.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powerup/find_dllhijack

Description:

Finds generic .DLL hijacking opportunities.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ExcludeOwnedSwitch. Exclude processes the current user owns.False
ExcludeProgramFilesSwitch. Exclude paths from C:\Program Files* and C:\Program Files (x86)*False
ExcludeWindowsSwitch. Exclude paths from C:\Windows* instead of just C:\Windows\System32*False

Comments:

https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powerup/service_exe_restore

Description:

Restore a backed up service binary.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
BackupPathThe service name to manipulate.False
ServiceNameThe service name to manipulate.True

Comments:

https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powerup/service_exe_stager

Description:

Backs up a service's binary and replaces the original with a binary that launches a stager.bat.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DeleteSwitch. Have the launcher.bat delete itself after running.FalseTrue
ListenerListener to use.True
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
ServiceNameThe service name to manipulate.True
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powerup/service_exe_useradd

Description:

Backs up a service's binary and replaces the original with a binary that creates/adds a local administrator.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
LocalGroupLocal group to add the user to.FalseAdministrators
PasswordPassword to set for the added user.FalsePassword123!
ServiceNameThe service name to manipulate.True
UserNameThe username to add.Falsejohn

Comments:

https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powerup/service_stager

Description:

Modifies a target service to execute an Empire stager.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ListenerListener to use.True
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
ServiceNameThe service name to manipulate.True
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powerup/service_useradd

Description:

Modifies a target service to create a local user and add it to the local administrators.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
LocalGroupLocal group to add the user to.FalseAdministrators
PasswordPassword to set for the added user.FalsePassword123!
ServiceNameThe service name to manipulate.True
UserNameThe username to add.Falsejohn

Comments:

https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powerup/write_dllhijacker

Description:

Writes out a hijackable .dll to the specified path along with a stager.bat that's called by the .dll. wlbsctrl.dll works well for Windows 7. The machine will need to be restarted for the privesc to work.

Author:

leechristensen (@tifkin_), @harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DllPathThe output path for the hijackable .dll.True
ListenerListener to use.True
ProxyProxy to use for request (default, none, or other).Falsedefault
ProxyCredsProxy credentials ([domain]username:password) to use for request (default, none, or other).Falsedefault
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




tater

Description:

Tater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit from @breenmachine and @foxglovesec.

Author:

Kevin Robertson

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CommandCommand to execute during privilege escalation. Do not wrap in quotes and use PowerShell character escapes where necessary.True
ExhaustUDPEnable/Disable UDP port exhaustion to force all DNS lookups to fail in order to fallback to NBNS resolution (Y/N).FalseN
HostnameHostname to spoof. WPAD.DOMAIN.TLD may be required by Windows Server 2008.FalseWPAD
HTTPPortTCP port for the HTTP listener.False80
IPSpecific local IP address for NBNS spoofer.False
NBNSEnable/Disable NBNS bruteforce spoofing (Y/N).FalseY
NBNSLimitEnable/Disable NBNS bruteforce spoofer limiting to stop NBNS spoofing while hostname is resolving correctly (Y/N).FalseY
RunTimeRun time duration in minutes.False
SpooferIPIP address included in NBNS response. This is needed when using two hosts to get around an in-use port 80 on the privesc target.False
TaskDeleteEnable/Disable scheduled task deletion for trigger 2. If enabled, a random string will be added to the taskname to avoid failures after multiple trigger 2 runs.FalseY
TasknameScheduled task name to use with trigger 2. If you observe that Tater does not work after multiple trigger 2 runs, try changing the taskname.FalseEmpire
TriggerTrigger type to use in order to trigger HTTP to SMB relay. 0 = None, 1 = Windows Defender Signature Update, 2 = Windows 10 Webclient/Scheduled TaskFalse1
WPADDirectHostsComma separated list of hosts to include as direct in the wpad.dat file. Note that localhost is always listed as direct. Add the Empire host to avoid catching Empire HTTP traffic.False
WPADPortProxy server port to be included in the wpad.dat file.False80

Comments:

https://github.com/Kevin-Robertson/Tater

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categoryprivesc
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powershell - recon


find_fruit

Description:

Searches a network range for potentially vulnerable web services.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
FoundOnlySwitch. Show only found sitesFalseTrue
PathSpecify the path to a dictionary file.False
PortSpecify the port to scan.False
RhostsSpecify the CIDR range or host to scan.True
ShowAllSwitch. Show all results (default is to only show 200s).False
ThreadsThe maximum concurrent threads to execute.False10
TimeoutSet timeout for each connection in millisecondsFalse50
UseSSLForce SSL useage.False

Comments:

Inspired by mattifestation Get-HttpStatus in PowerSploit

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categoryrecon
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




get_sql_server_login_default_pw

Description:

Based on the instance name, test if SQL Server is configured with default passwords.

Author:

@_nullbind, @0xbadjuju

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CheckAllCheck all systems retrieved by Get-SQLInstanceDomain.False
InstanceSQL Server instance to connection to.False
PasswordSQL Server or domain account password to authenticate with. Only used for CheckAllFalse
UsernameSQL Server or domain account to authenticate with. Only used for CheckAllFalse

Comments:

https://github.com/NetSPI/PowerUpSQL/blob/master/PowerUpSQL.ps1

https://github.com/pwnwiki/pwnwiki.github.io/blob/master/tech/db/mssql.md

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categoryrecon
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




http_login

Description:

Tests credentials against Basic Authentication.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DictionarySet the password dictionary file.False
DirectorySpecify the path to authentication (e.g. /manager/html)False
NoPingSwitch. Disable ping check.False
PasswordSet the password to test.False
PortSpecify the port to scan.False
RhostsSpecify the CIDR range or host to scan.True
ThreadsThe maximum concurrent threads to execute.False
UsernameSet the username to test.False
UseSSLForce SSL useage.False

Comments:

http://www.rvrsh3ll.net

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categoryrecon
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powershell - situational_awareness


host/antivirusproduct

Description:

Get antivirus product information.

Author:

@mh4x0f, Jan Egil Ring

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ComputerNameComputername to run the module on, defaults to localhost.False

Comments:

http://blog.powershell.no/2011/06/12/use-windows-powershell-to-get-antivirus-product-information/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




host/computerdetails

Description:

Enumerates useful information on the system. By default, all checks are run.

Author:

@JosephBialek

Options:

ParamDescriptionRequiredDefault
4624Switch. Only return 4624 logon information (logons to this machine).False
4648Switch. Only return 4648 logon information (RDP to another machine).False
AgentAgent to run module on.True
AppLockerSwitch. Only return AppLocker logs.False
LimitLimit the number of event log entries returned. Defaults to 100False100
PSScriptsSwitch. Only return PowerShell scripts run from operational log.False
SavedRDPSwitch. Only return saved RDP connections.False

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-ComputerDetails.ps1

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




host/dnsserver

Description:

Enumerates the DNS Servers used by a system.

Author:

DarkOperator

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

https://github.com/darkoperator/Posh-SecMod/blob/master/Discovery/Discovery.psm1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




host/findtrusteddocuments

Description:

This module will enumerate the appropriate registry keys to determine what, if any, trusted documents exist on the host. It will also enumerate trusted locations.

Author:

@jamcut

Options:

ParamDescriptionRequiredDefault
AgentAgent to enumerate trusted documents from.True

Comments:

Original .ps1 file

https://github.com/jamcut/one-offs/blob/master/Find-TrustedDocuments.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




host/get_pathacl

Description:

Enumerates the ACL for a given file path.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
PathThe local/remote (UNC) path to enumerate the ACLs for.True

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




host/get_proxy

Description:

Enumerates the proxy server and WPAD conents for the current user. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ComputerNameThe computername to enumerate proxy settings on.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




host/get_uaclevel

Description:

Enumerates UAC level

Author:

Petr Medonos

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

https://gallery.technet.microsoft.com/How-to-switch-UAC-level-0ac3ea11

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




host/monitortcpconnections

Description:

Monitors hosts for TCP connections to a specified domain name or IPv4 address. Useful for session hijacking and finding users interacting with sensitive services.

Author:

@erikbarzdukas

Options:

ParamDescriptionRequiredDefault
AgentAgent to monitor from.True
CheckIntervalInterval in seconds to check for the connectionTrue15
TargetDomainDomain name or IPv4 address of target service.True

Comments:

Based on code from Tim Ferrell.

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




host/paranoia

Description:

Continuously check running processes for the presence of suspicious users, members of groups, process names, and for any processes running off of USB drives.

Author:

pasv

Options:

ParamDescriptionRequiredDefault
AgentAgent to deploy Paranoia on.True
WatchGroupsAD Groups to watch out for (Default is 'Domain Admins')False
WatchProcessesProcess names to watch out for. Default list is already appended.False
WatchUsersUsers to watch out for in the form of domain\user, domain\user2, localuserFalse

Comments:

http://shell.fishing/code/Invoke-Paranoia.ps1

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




host/winenum

Description:

Collects revelant information about a host and the current user context.

Author:

@xorrior

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
KeywordsArray of keywords to use in file searches.False
UserNameUserName to enumerate. Defaults to the current user context.False

Comments:

https://github.com/xorrior/RandomPS-Scripts/blob/master/Invoke-WindowsEnum.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/arpscan

Description:

Performs an ARP scan against a given range of IPv4 IP Addresses.

Author:

DarkOperator

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CIDRCIDR to ARP scan.False
RangeRange to ARP scan.False

Comments:

https://github.com/darkoperator/Posh-SecMod/blob/master/Discovery/Discovery.psm1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/bloodhound

Description:

Execute BloodHound data collection.

Author:

@harmj0y, @_wald0, @cptjesus

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CollectionMethodThe method to collect data. 'Group', 'ComputerOnly', 'LocalGroup', 'GPOLocalGroup', 'Session', 'LoggedOn', 'Trusts, 'Stealth', or 'Default'.TrueDefault
ComputerADSpathThe LDAP source to search through for computers, e.g. "LDAP://OU=secret,DC=testlab,DC=local"False
ComputerNameArray of one or more computers to enumerateFalse
CSVFolderThe CSV folder to use for output, defaults to the current folder location.False$(Get-Location)
CSVPrefixA prefix for all CSV files.False
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
GlobalCatalogThe global catalog location to resolve user memberships from.False
SearchForestSwitch. Search all domains in the forest.False
SkipGCDeconflictionSwitch. Skip global catalog enumeration for session deconflictionFalse
ThreadsThe maximum concurrent threads to execute.True20
ThrottleThe number of cypher queries to queue up for neo4j RESTful API ingestion.True1000
URIThe BloodHound neo4j URL location (http://host:port/)False
UserADSPathThe LDAP source to search through for users/groups, e.g. "LDAP://OU=secret,DC=testlab,DC=local"False
UserPassThe "user:password" for the BloodHound neo4j instanceFalse

Comments:

https://bit.ly/getbloodhound

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/get_exploitable_system

Description:

Queries Active Directory for systems likely vulnerable to various Metasploit exploits.

Author:

Scott Sutherland (@_nullbind)

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ComputerNameReturn computers with a specific name, wildcards accepted.False
DomainThe domain to query for computers, defaults to the current domain.False
FilterA customized ldap filter string to use, e.g. "(description=admin)"False
OperatingSystemReturn computers with a specific operating system, wildcards accepted.False
PingSwitch. Ping each host to ensure it's up before enumerating.False
SPNReturn computers with a specific service principal name, wildcards accepted.False

Comments:

https://github.com/nullbind/Powershellery/blob/master/Stable-ish/ADS/Get-ExploitableSystems.psm1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/get_spn

Description:

Displays Service Principal Names (SPN) for domain accounts based on SPN service name, domain account, or domain group via LDAP queries.

Author:

@_nullbind

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
SearchSearch string for group, username, or service name. Wildcards accepted.FalseMSSQL*
Type'group', 'user', or 'service'Falseservice

Comments:

https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/Get-SPN/Get-SPN.psm1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/get_sql_instance_domain

Description:

Returns a list of SQL Server instances discovered by querying a domain controller for systems with registered MSSQL service principal names. The function will default to the current user's domain and logon server, but an alternative domain controller can be provided. UDP scanning of management servers is optional.

Author:

@_nullbind, @0xbadjuju

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CheckMgmtPerforms UDP scan of servers managing SQL Server clusters.FalseFalse
ComputerNameComputer name to filter for.False
DomainControllerDomain controller for Domain and Site that you want to query against.False
DomainServiceAccountDomain account to filter for.False
PasswordSQL Server or domain account password to authenticate with.False
UDPTimeOutTimeout in seconds for UDP scans of management servers. Longer timeout = more accurate.False3
UsernameSQL Server or domain account to authenticate with.False

Comments:

https://github.com/NetSPI/PowerUpSQL/blob/master/PowerUpSQL.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/get_sql_server_info

Description:

Returns basic server and user information from target SQL Servers.

Author:

@_nullbind, @0xbadjuju

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CheckAllCheck all systems retrieved by Get-SQLInstanceDomainFalse
InstanceSQL Server instance to connection to.False
PasswordSQL Server or domain account password to authenticate with.False
UsernameSQL Server or domain account to authenticate with.False

Comments:

https://github.com/NetSPI/PowerUpSQL/blob/master/PowerUpSQL.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/portscan

Description:

Does a simple port scan using regular sockets, based (pretty) loosely on nmap.

Author:

Rich Lundeen

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
AllformatsOutOutput file of all formats.False
ExcludeHostsExclude thsee comma separated hosts.False
GrepOutGreppable (.gnmap) output file.False
HostFileInput hosts from file (on the target)False
HostsHosts to scan.False
OpenSwitch. Only show hosts with open ports.FalseTrue
PingOnlySwitch. Ping only, don't scan for ports.False
PortsComma separated ports to scan for.False
ReadableOutReadable (.nmap) output file.False
SkipDiscoverySwitch. Treat all hosts as online.False
TopPortsScan for X top ports, default 50.False
XmlOut.XML output file.False

Comments:

https://github.com/mattifestation/PowerSploit/blob/master/Recon/Invoke-Portscan.ps1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/find_computer_field

Description:

Searches computer object fields for a given word (default pass). Default field being searched is 'description'. Part of PowerView.

Author:

@obscuresec, @harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
SearchFieldField to search in, default of "description".False
SearchTermTerm to search for, default of "pass".False

Comments:

http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/find_foreign_group

Description:

Enumerates all the members of a given domain's groups and finds users that are not in the queried domain. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
GroupNameGroupname to filter results for, wildcards accepted.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/find_foreign_user

Description:

Enumerates users who are in groups outside of their principal domain. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
UserNameUsername to filter results for, wildcards accepted.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/find_gpo_computer_admin

Description:

Takes a computer (or GPO) object and determines what users/groups have administrative access over it. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ComputerNameThe computer to determine local administrative access to.False
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
LocalGroupThe local group to check access against, "Administrators", "RDP/Remote Desktop Users", or a custom SID. Defaults to "Administrators".False
OUNameOU name to determine who has local adminisrtative acess to computers within it.False
RecurseSwitch. If a returned member is a group, recurse and get all members.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/find_gpo_location

Description:

Takes a user/group name and optional domain, and determines the computers in the domain the user/group has local admin (or RDP) rights to. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
GroupNameA (single) group name name to query for access.False
LocalGroupThe local group to check access against, "Administrators", "RDP/Remote Desktop Users", or a custom SID. Defaults to "Administrators".False
UserNameA (single) user name name to query for access.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/find_localadmin_access

Description:

Finds machines on the local domain where the current user has local administrator access. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ComputerFilterHost filter name to query AD for, wildcards accepted.False
ComputerNameHosts to enumerate, comma separated.False
DelayDelay between enumerating hosts, defaults to 0.False
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
NoPingDon't ping each host to ensure it's up before enumerating.False
ThreadsThe maximum concurrent threads to execute.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/find_managed_security_group

Description:

This function retrieves all security groups in the domain and identifies ones that have a manager set. It also determines whether the manager has the ability to add or remove members from the group. Part of PowerView.

Author:

@ukstufus

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/https://github.com/PowerShellEmpire/Empire/pull/119

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/find_user_field

Description:

Searches user object fields for a given word (default pass). Default field being searched is 'description'. Part of PowerView.

Author:

@obscuresec, @harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
SearchFieldField to search in, default of "description".False
SearchTermTerm to search for, default of "pass".False

Comments:

http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_cached_rdpconnection

Description:

Uses remote registry functionality to query all entries for the Windows Remote Desktop Connection Client" on a machine. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ComputerNameThe hostname or IP to query for local group users.Falselocalhost
RemotePasswordThe password to use for the WMI call on a remote system.False
RemoteUserNameThe "domain\username" to use for the WMI call on the remote system.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_computer

Description:

Queries the domain for current computer objects. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ComputerNameReturn computers with a specific name, wildcards accepted.False
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
FilterA customized ldap filter string to use, e.g. "(description=admin)"False
FullDataSwitch. Return full computer objects instead of just system names (the default).False
OperatingSystemReturn computers with a specific operating system, wildcards accepted.False
PingSwitch. Ping each host to ensure it's up before enumerating.False
PrintersSwitch. Return only printers.False
SPNReturn computers with a specific service principal name, wildcards accepted.False
UnconstrainedSwitch. Return computer objects that have unconstrained delegation.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_dfs_share

Description:

Returns a list of all fault-tolerant distributed file systems for a given domain. Part of PowerView.

Author:

@meatballs__

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainThe domain whose trusts to enumerate, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_domain_controller

Description:

Returns the domain controllers for the current domain or the specified domain. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainThe domain to query for domain controllers.False
DomainControllerDomain controller to reflect LDAP queries through.False
LDAPSwitch. Use LDAP queries to determine the domain controllers.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_domain_policy

Description:

Returns the default domain or DC policy for a given domain or domain controller. Part of PowerView.

Author:

@harmj0y, @DisK0nn3cT, @OrOneEqualsOne

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainThe domain to query for default policies, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
ExpandObjectExpand a specific object from the domain policy. For example 'System Access', entered without quotesFalse
FullDataSwitch. Return full subnet objects instead of just object names (the default).False
ResolveSidsSwitch. Resolve Sids from a DC policy to object names.False
SourceExtract Domain or DC (domain controller) policies.TrueDomain

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_domain_trust

Description:

Return all domain trusts for the current domain or a specified domain. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainThe domain whose trusts to enumerate, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
LDAPSwitch. Use LDAP queries to enumerate the trusts instead of direct domain connections.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_fileserver

Description:

Returns a list of all file servers extracted from user homedirectory, scriptpath, and profilepath fields. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainThe domain whose trusts to enumerate, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_forest

Description:

Return information about a given forest, including the root domain and SID. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ForestThe forest name to query domain for, defaults to the current forest.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_forest_domain

Description:

Return all domains for a given forest. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ForestThe forest name to query domain for, defaults to the current forest.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_gpo

Description:

Gets a list of all current GPOs in a domain. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
ADSpathThe LDAP source to search through.False
AgentAgent to run module on.True
ComputerNameReturn all GPO objects applied to a given computer (FQDN).False
DisplayNameThe GPO display name to query for, wildcards accepted.False
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
GPOnameThe GPO name to query for, wildcards accepted.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_gpo_computer

Description:

Takes a GPO GUID and returns the computers the GPO is applied to. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
GUIDThe GUID of the GPO to enumerate.True

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_group

Description:

Gets a list of all current groups in a domain, or all the groups a given user/group object belongs to. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AdminCountSwitch. Return groups with adminCount=1 (i.e. privileged groups).False
AgentAgent to run module on.True
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
FilterA customized ldap filter string to use, e.g. "(description=admin)"False
FullDataReturn full group objects instead of just object names (the default).False
GroupNameThe group name to query for, wildcards accepted.False
SIDThe group SID to query for.False
UserNameThe user name (or group name) to query for all effective groups of.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_group_member

Description:

Returns the members of a given group, with the option to "Recurse" to find all effective group members. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
FilterA customized ldap filter string to use, e.g. "(description=admin)"False
FullDataReturn full group objects instead of just object names (the default).False
GroupNameThe group name to query for users.False"Domain Admins"
RecurseSwitch. If the group member is a group, recursively try to query its members as well.False
SIDThe Group SID to query for users.False
UseMatchingRuleSwitch. Use LDAP_MATCHING_RULE_IN_CHAIN in the LDAP search query when -Recurse is specified.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_localgroup

Description:

Returns a list of all current users in a specified local group on a local or remote machine. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
APISwitch. Use API calls instead of the WinNT service provider. Less information, but the results are faster.False
ComputerNameThe hostname or IP to query for local group users.Falselocalhost
GroupNameThe local group name to query for users, defaults to "Administrators".FalseAdministrators
ListGroupsSwitch. List all the local groups instead of their members.False
RecurseSwitch. If the local member member is a domain group, recursively try to resolve its members to get a list of domain users who can access this machine.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_loggedon

Description:

Execute the NetWkstaUserEnum Win32API call to query a given host for actively logged on users. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ComputerNameThe hostname or IP to query for local group users.Falselocalhost

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_object_acl

Description:

Returns the ACLs associated with a specific active directory object. Part of PowerView. WARNING: specify a specific object, otherwise a huge amount of data will be returned.

Author:

@harmj0y, @pyrotek3

Options:

ParamDescriptionRequiredDefault
ADSpathThe LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"False
ADSprefixPrefix to set for the searcher (like "CN=Sites,CN=Configuration")False
AgentAgent to run module on.True
DistinguishedNameObject distinguished name to filter for.False
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
FilterA customized ldap filter string to use, e.g. "(description=admin)"False
NameObject Name to filter for.False
ResolveGUIDsSwitch. Resolve GUIDs to their display names.FalseTrue
RightsFilterOnly return results with the associated rights, "All", "ResetPassword","ChangePassword","WriteMembers"False
SamAccountNameObject SamAccountName to filter for.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_ou

Description:

Gets a list of all current OUs in a domain. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
ADSpathThe LDAP source to search through.False
AgentAgent to run module on.True
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
FullDataSwitch. Return full OU objects instead of just object names (the default).False
GUIDOnly return OUs with the specified GUID in their gplink property.False
OUNameThe OU name to query for, wildcards accepted.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_rdp_session

Description:

Query a given RDP remote service for active sessions and originating IPs (replacement for qwinsta). Note: needs admin rights on the remote server you're querying

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ComputerNameThe hostname to query for active RDP sessions.Truelocalhost

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_session

Description:

Execute the NetSessionEnum Win32API call to query a given host for active sessions on the host. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ComputerNameThe hostname or IP to query for local group users.Falselocalhost

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_site

Description:

Gets a list of all current sites in a domain. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
ADSpathThe LDAP source to search through.False
AgentAgent to run module on.True
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
FullDataSwitch. Return full site objects instead of just object names (the default).False
GUIDOnly return site with the specified GUID in their gplink property.False
SiteNameSite filter string, wildcards accepted.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_subnet

Description:

Gets a list of all current subnets in a domain. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
ADSpathThe LDAP source to search through.False
AgentAgent to run module on.True
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
FullDataSwitch. Return full subnet objects instead of just object names (the default).False
SiteNameOnly return subnets from the specified SiteName.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/get_user

Description:

Query information for a given user or users in the specified domain. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AdminCountSwitch. Return users with adminCount=1 (i.e. privileged users).False
ADSpathThe LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"False
AgentAgent to run module on.True
AllowDelegationSwitch. Return user accounts that are not marked as 'sensitive and not allowed for delegation'.False
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
FilterA customized ldap filter string to use, e.g. "(description=admin)"False
SPNSwitch. Only return user objects with non-null service principal names.False
UserNameUsername filter string, wildcards accepted.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/map_domain_trust

Description:

Maps all reachable domain trusts with .CSV output. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
DomainControllerDomain controller to reflect LDAP queries through.False
LDAPSwitch. Use LDAP for domain queries (less accurate).False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/process_hunter

Description:

Query the process lists of remote machines, searching for processes with a specific name or owned by a specific user. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ComputerFilterHost filter name to query AD for, wildcards accepted.False
ComputerNameHosts to enumerate.False
DelayDelay between enumerating hosts, defaults to 0.False
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
GroupNameGroup name to query for target users.False
NoPingDon't ping each host to ensure it's up before enumerating.False
ProcessNameThe name of the process to hunt, or a comma separated list of names.False
StopOnSuccessSwitch. Stop hunting after finding after finding a target user.False
TargetServerHunt for users who are effective local admins on a target server.False
ThreadsThe maximum concurrent threads to execute.False
UserFilterA customized ldap filter string to use for user enumeration, e.g. "(description=admin)"False
UserNameSpecific username to search for.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/set_ad_object

Description:

Takes a SID, name, or SamAccountName to query for a specified domain object, and then sets a specified "PropertyName" to a specified "PropertyValue". Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ClearValueSwitch. Clear the value of PropertyName.False
DomainThe domain to query for objects, defaults to the current domain.False
NameThe name of the domain object you're querying for.False
PropertyNameThe property name to set.False
PropertyValueThe value to set for PropertyName.False
PropertyXorValueInteger calue to binary xor (-bxor) with the current int value.False
SamAccountNameThe SamAccountName of the domain object you're querying forFalse
SIDThe SID of the domain object you're querying for.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/share_finder

Description:

Finds shares on machines in the domain. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CheckShareAccessSwitch. Only display found shares that the local user has access to.False
ComputerFilterHost filter name to query AD for, wildcards accepted.False
ComputerNameHosts to enumerate.False
DelayDelay between enumerating hosts, defaults to 0.False
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
NoPingDon't ping each host to ensure it's up before enumerating.False
ThreadsThe maximum concurrent threads to execute.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/powerview/user_hunter

Description:

Finds which machines users of a specified group are logged into. Part of PowerView.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CheckAccessSwitch. Check if the current user has local admin access to found machines.False
ComputerFilterHost filter name to query AD for, wildcards accepted.False
ComputerNameHosts to enumerate.False
DelayDelay between enumerating hosts, defaults to 0.False
DomainThe domain to use for the query, defaults to the current domain.False
DomainControllerDomain controller to reflect LDAP queries through.False
GroupNameGroup name to query for target users.False
NoPingDon't ping each host to ensure it's up before enumerating.False
ShowAllSwitch. Return all user location results without filtering.False
StealthSwitch. Only enumerate sessions from connonly used target servers.False
StopOnSuccessSwitch. Stop hunting after finding after finding a target user.False
TargetServerHunt for users who are effective local admins on a target server.False
ThreadsThe maximum concurrent threads to execute.False
UserFilterA customized ldap filter string to use for user enumeration, e.g. "(description=admin)"False
UserNameSpecific username to search for.False

Comments:

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/reverse_dns

Description:

Performs a DNS Reverse Lookup of a given IPv4 IP Range.

Author:

DarkOperator

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
CIDRCIDR to perform reverse DNS on.False
RangeRange to perform reverse DNS on.False

Comments:

https://github.com/darkoperator/Posh-SecMod/blob/master/Discovery/Discovery.psm1

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/smbautobrute

Description:

Runs an SMB brute against a list of usernames/passwords. Will check the DCs to interrogate the bad password count of the users and will keep bruting until either a valid credential is discoverd or the bad password count reaches one below the threshold. Run "shell net accounts" on a valid agent to determine the lockout threshold. VERY noisy! Generates a ton of traffic on the DCs.

Author:

@curi0usJack

Options:

ParamDescriptionRequiredDefault
AgentAgent to run smbautobrute from.True
DelayAmount of time to wait (in milliseconds) between attempts. Default 100.False
LockoutThresholdThe max number of bad password attempts until the account locks. Autobrute will try till one less than this setting.True
PasswordListComma separated list of passwords to test. Wrap in double quotes.True
ShowVerboseShow failed attempts & skipped accounts in addition to success.False
StopOnSuccessQuit running after the first successful authentication.False
UserListFile of users to brute (on the target), one per line. If not specified, autobrute will query a list of users with badpwdcount < LockoutThreshold - 1 for each password brute. Wrap path in double quotes.False

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




network/smbscanner

Description:

Tests a username/password combination across a number of machines.

Author:

@obscuresec, @harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ComputerNameComma-separated hostnames to try username/password combinations against. Otherwise enumerate the domain for machines.False
CredIDCredID from the store to use.False
NoPingSwitch. Don't ping hosts before enumeration.False
PasswordPassword to test.True
UserName[domain]username to test.True

Comments:

https://gist.github.com/obscuresec/df5f652c7e7088e2412c

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorysituational_awareness
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




powershell - trollsploit


beeptune

Description:

Play Various Beep Tunes (at Loopable Interval)

Author:

@SadProcessor

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
LoopSwitch Endless Loop -> True/FalseFalseFalse
SleepSleep between loops -> 1 to 3600 secFalse1
TuneSelect Tune -> Vador/Sergei/Rick/Mario/TomFalseVador

Comments:

No Comments

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorytrollsploit
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




get_schwifty

Description:

Play's a hidden version of Rick and Morty Get Schwifty video while maxing out a computer's volume.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
VideoURLOther YouTube video URL to play instead of Get Schwifty.False

Comments:

https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorytrollsploit
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




message

Description:

Displays a specified message to the user.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
IconTypeCritical, Question, Exclamation, or InformationTrueCritical
MsgTextMessage text to display.TrueLost contact with the Domain Controller.
TitleTitle of the message box to display.TrueERROR - 0xA801B720

Comments:

http://blog.logrhythm.com/security/do-you-trust-your-computer/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorytrollsploit
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




process_killer

Description:

Kills any process starting with a particular name.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
ProcessNameProcess name to kill on starting (wildcards accepted).True
SilentSwitch. Don't output kill messages.False
SleepTime to sleep between checks.True1

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorytrollsploit
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




rick_ascii

Description:

Spawns a a new powershell.exe process that runs Lee Holmes' ASCII Rick Roll.

Author:

@lee_holmes, @harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

http://www.leeholmes.com/blog/2011/04/01/powershell-and-html5/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorytrollsploit
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




rick_astley

Description:

Runs @SadProcessor's beeping rickroll.

Author:

@SadProcessor, @harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True

Comments:

https://gist.github.com/SadProcessor/3e413f9542b01ee90979

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorytrollsploit
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




thunderstruck

Description:

Play's a hidden version of AC/DC's Thunderstruck video while maxing out a computer's volume.

Author:

@obscuresec

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
VideoURLOther YouTube video URL to play instead of Thunderstruck.False

Comments:

https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorytrollsploit
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




voicetroll

Description:

Reads text aloud via synthesized voice on target.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
VoiceTextText to synthesize on target.True

Comments:

http://www.instructables.com/id/Make-your-computer-talk-with-powershell/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorytrollsploit
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




wallpaper

Description:

Uploads a .jpg image to the target and sets it as the desktop wallpaper.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
LocalImagePathLocal image path to set the agent wallpaper as.True

Comments:

https://social.technet.microsoft.com/forums/scriptcenter/en-US/9af1769e-197f-4ef3-933f-83cb8f065afb/background-change

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorytrollsploit
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index




wlmdr

Description:

Displays a balloon reminder in the taskbar.

Author:

@benichmt1

Options:

ParamDescriptionRequiredDefault
AgentAgent to run module on.True
IconTypeCritical, Exclamation, Information, Key, or NoneTrueKey
MessageMessage text to display.TrueYou are using a pirated version of Microsoft Windows.
TitleTitle of the message box to display.TrueWindows Explorer

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundTrue
Categorytrollsploit
Languagepowershell
Min Version2
Out Extension

View Source Code

Back to Index






python

Back to Index




python - collection


linux/hashdump

Description:

Extracts the /etc/passwd and /etc/shadow, unshadowing the result.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True

Comments:

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




linux/keylogger

Description:

Logs keystrokes to the specified file. Ruby based and heavily adapted from MSF's osx/capture/keylog_recorder. Kill the resulting PID when keylogging is finished and download the specified LogFile.

Author:

joev, @harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to keylog.True
LogFileText file to log keystrokes out to.True/tmp/debug.db

Comments:

https://github.com/amoffat/pykeylogger

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




linux/mimipenguin

Description:

Port of huntergregal mimipenguin. Harvest's current user's cleartext credentials.

Author:

@rvrsh3ll

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True

Comments:

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




linux/pillage_user

Description:

Pillages the current user for their bash_history, ssh known hosts, recent folders, etc.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
AllUsersSwitch. Run for all users (needs root privileges!)FalseFalse
SleepSwitch. Sleep the agent's normal interval between downloads, otherwise use one blast.FalseTrue

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




linux/sniffer

Description:

This module will sniff all interfaces on the target, and write in pcap format.

Author:

@Killswitch_GUI

Options:

ParamDescriptionRequiredDefault
AgentAgent to run sniffer on.True
InMemoryStore binary data in memory, never drop to disk (WARNING: set MaxSize).FalseTrue
IpFilterSet IP to filter on (dst & src).False0
MaxPacketsSet max packets to capture.True100
MaxSizeSet max file size to save to disk/memory (MB).True1
PortFilterSet port to filter on (dst & src).False0
SavePathPath of the file to save (Not used if InMemory is True.True/tmp/debug.pcap

Comments:

For full comments and code: https://gist.github.com/killswitch-GUI/314e79581f2619a18d94c81d53e5466f

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extensionpcap

View Source Code

Back to Index




linux/xkeylogger

Description:

X userland keylogger based on pupy

Author:

Nikaiw

Options:

ParamDescriptionRequiredDefault
AgentAgent to keylog.True

Comments:

WIP, might miss some keys, can't kill agent sometimes

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorycollection
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/browser_dump

Description:

This module will dump browser history from Safari and Chrome.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to keylog.True
NumberNumber of URLs to return.True3

Comments:

https://gist.github.com/dropmeaword/9372cbeb29e8390521c2

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/clipboard

Description:

This module will write log output of clipboard to stdout (or disk).

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to grab clipboard from.True
MonitorTimeOptional for how long you would like to monitor clipboard in (s).True0
OutFileOptional file to save the clipboard output to.False

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/hashdump

Description:

Extracts found user hashes out of /var/db/dslocal/nodes/Default/users/*.plist

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True

Comments:

http://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/imessage_dump

Description:

This module will enumerate the entire chat and IMessage SQL Database.

Author:

Alex Rymdeko-Harvey, @Killswitch-GUI

Options:

ParamDescriptionRequiredDefault
AgentAgent to run from.True
DebugEnable a find keyword to search for within the iMessage Database.TrueFalse
MessagesThe number of messages to enumerate from most recent.True10
SearchEnable a find keyword to search for within the iMessage Database.False

Comments:

Using SQLite3 iMessage has a decent standard to correlate users to messages and isnt encrypted.

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/kerberosdump

Description:

This module will dump ccache kerberostickets to the specified directory

Author:

@424f424f,@gentilkiwi

Options:

ParamDescriptionRequiredDefault
AgentAgent to grab a tickets from.True

Comments:

Thanks to @gentilkiwi for pointing this out!

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/keychaindump

Description:

Searches for keychain candidates and attempts to decrypt the user's keychain.

Author:

Juuso Salonen

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
KeyChainManual location of keychain to decrypt, otherwise default.False
TempDirTemporary directory to drop the keychaindump binary.True/tmp/

Comments:

https://github.com/juuso/keychaindump

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/keychaindump_chainbreaker

Description:

A keychain dump module that allows for decryption via known password.

Author:

@n0fate, @Killswitch-GUI

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
KeyChainManual location of keychain to decrypt, otherwise default.True/Users/USERNAME/Library/Keychains/login.keychain
MasterKeyMaster key candidate used in memory to decrypt keychain (recovered via mem-dump).False
PasswordKnown user password to attempt to decrypt the Keychain.True

Comments:

https://github.com/n0fate/chainbreaker

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/keylogger

Description:

Logs keystrokes to the specified file. Ruby based and heavily adapted from MSF's osx/capture/keylog_recorder. Kill the resulting PID when keylogging is finished and download the specified LogFile.

Author:

joev, @harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to keylog.True
LogFileText file to log keystrokes out to.True/tmp/debug.db

Comments:

https://github.com/gojhonny/metasploit-framework/blob/master/modules/post/osx/capture/keylog_recorder.rb

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/native_screenshot

Description:

Takes a screenshot of an OSX desktop using the Python Quartz libraries and returns the data.

Author:

@xorrior

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extensionpng

View Source Code

Back to Index




osx/pillage_user

Description:

Pillages the current user for their keychain, bash_history, ssh known hosts, recent folders, etc. For logon.keychain, use https://github.com/n0fate/chainbreaker .For other .plist files, check https://davidkoepi.wordpress.com/2013/07/06/macforensics5/

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
AllUsersSwitch. Run for all users (needs root privileges!)FalseFalse
SleepSwitch. Sleep the agent's normal interval between downloads, otherwise use one blast.FalseTrue

Comments:

https://davidkoepi.wordpress.com/2013/07/06/macforensics5/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/prompt

Description:

Launches a specified application with an prompt for credentials with osascript.

Author:

@FuzzyNop, @harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
AppNameThe name of the application to launch.TrueApp Store
ListAppsSwitch. List applications suitable for launching.False
SandboxModeSwitch. Launch a sandbox safe promptFalse

Comments:

https://github.com/fuzzynop/FiveOnceInYourLife

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/screensaver_alleyoop

Description:

Launches a screensaver with a prompt for credentials with osascript. This locks the user out until the password can unlock the user keychain. This allows you to prevent Sudo/su failed logon attempts. (credentials till I get them!)

Author:

@FuzzyNop, @harmj0y, @enigma0x3, @Killswitch-GUI

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
ExitCountExit Screensaver after # of attemptsTrue15
VerboseAgent to execute module on.TrueFalse

Comments:

https://github.com/fuzzynop/FiveOnceInYourLife

https://github.com/enigma0x3/Invoke-LoginPrompt

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/screenshot

Description:

Takes a screenshot of an OSX desktop using screencapture and returns the data.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
SavePathPath of the temporary screenshot file to save.True/tmp/out.png

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extensionpng

View Source Code

Back to Index




osx/search_email

Description:

Searches for Mail .emlx messages, optionally only returning messages with the specified SeachTerm.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
SearchTermTerm to grep for in email messages.False

Comments:

https://davidkoepi.wordpress.com/2013/07/06/macforensics5/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/sniffer

Description:

This module will do a full network stack capture.

Author:

Alex Rymdeko-Harvey, @Killswitch-GUI

Options:

ParamDescriptionRequiredDefault
AgentAgent to run from.True
CaptureInterfaceSet interface name ie. en0 (Auto resolve by default)False
DebugEnable to get verbose message status (Dont enable OutputExtension for this).TrueFalse
LibcDylibPath of the std C Dylib (Defualt)True/usr/lib/libSystem.B.dylib
MaxPacketsSet max packets to capture.True100
PcapDylibPath of the Pcap Dylib (Defualt)True/usr/lib/libpcap.A.dylib
SavePathPath of the file to saveTrue/tmp/debug.pcap

Comments:

Using libpcap.dylib we can perform full pcap on a remote host.

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extensionpcap

View Source Code

Back to Index




osx/webcam

Description:

Takes a picture of a person through OSX's webcam with an ImageSnap binary.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
TempDirTemporary directory to drop the ImageSnap binary and picture.True/tmp/

Comments:

http://iharder.sourceforge.net/current/macosx/imagesnap/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorycollection
Languagepython
Min Version2.6
Out Extensionpng

View Source Code

Back to Index




python - exploit


web/jboss_jmx

Description:

Exploit JBoss java serialization flaw. Requires upload of ysoserial payload.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute on.True
PayloadPath to ysoserial payload.True
URLURL to JMXInvokerTruehttp://127.0.0.1:8080/invoker/JMXInvokerServlet

Comments:

Generate Payload with https://github.com/frohoff/ysoserial

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categoryexploit
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




python - lateral_movement


multi/ssh_command

Description:

This module will send a command via ssh.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to use ssh from.True
CommandCommandTrueid
Loginuser@127.0.0.1True
PasswordPasswordTrue

Comments:

http://stackoverflow.com/questions/17118239/how-to-give-subprocess-a-password-and-get-stdout-at-the-same-time

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorylateral_movement
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




multi/ssh_launcher

Description:

This module will send an launcher via ssh.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to use ssh from.True
ListenerListener to use.True
Loginuser@127.0.0.1True
PasswordPasswordTrue
SafeChecksSwitch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.TrueTrue
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

http://stackoverflow.com/questions/17118239/how-to-give-subprocess-a-password-and-get-stdout-at-the-same-time

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorylateral_movement
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




python - management


multi/kerberos_inject

Description:

Generates a kerberos keytab and injects it into the current runspace.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
HashNTLM Hash for the principal.True
KeytabKeytab file to create.Trueuser.keytab
PrincipalThe service principal name. user@HACKME.COMTrue

Comments:

Thanks to @passingthehash for bringing this up.

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorymanagement
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




multi/socks

Description:

Extend a SOCKSv5 proxy into your target network

Author:

@klustic

Options:

ParamDescriptionRequiredDefault
AgentAgent to proxy throughTrue
HOSTHost running the AlmondRocks serverTrue
NoSSLDisable SSL (NOT RECOMMENDED!)Falsefalse
PORTAlmondRocks server portTrue

Comments:

Modified from: https://github.com/klustic/AlmondRocks

Use the server found in that Github repo with this module.

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorymanagement
Languagepython
Min Version2.7
Out Extension

View Source Code

Back to Index




multi/spawn

Description:

Spawns a new Empire agent.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
ListenerListener to use.True
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorymanagement
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/screen_sharing

Description:

Enables ScreenSharing to allow you to connect to the host via VNC.

Author:

@n00py

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
PasswordUser password for sudo.True
VNCpassPassword to use for VNCTrue

Comments:

https://www.unix-ninja.com/p/Enabling_macOS_screen_sharing_VNC_via_command_line

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorymanagement
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/shellcodeinject64

Description:

Inject shellcode into a x64 bit process

Author:

@xorrior, @midnite_runr

Options:

ParamDescriptionRequiredDefault
AgentAgent to run the module onTrue
PIDProcess IDTrue
Shellcodelocal path to bin file containing x64 shellcodeTrue

Comments:

comment

https://github.com/secretsquirrel/osx_mach_stuff/blob/master/inject.c

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundFalse
Categorymanagement
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




python - persistence


multi/crontab

Description:

This module establishes persistence via crontab

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to grab a screenshot from.True
FileNameFile name for the launcher.True
HourHour to callback. 24hr format.False
HourlyHourly persistence.False
RemoveRemove Persistence. True/FalseFalse

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorypersistence
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/CreateHijacker

Description:

Configures and Empire dylib for use in a Dylib hijack, given the path to a legitimate dylib of a vulnerable application. The architecture of the dylib must match the target application. The configured dylib will be copied local to the hijackerPath

Author:

@patrickwardle,@xorrior

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
ArchArch: x86/x64Truex86
LegitimateDylibPathFull path to the legitimate dylib of the vulnerable applicationTrue
ListenerListener to use.True
SafeChecksSwitch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.TrueTrue
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault
VulnerableRPATHFull path to where the hijacker should be planted. This will be the RPATH in the Hijack Scanner module.True

Comments:

comment

https://www.virusbulletin.com/virusbulletin/2015/03/dylib-hijacking-os-x

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundFalse
Categorypersistence
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/launchdaemonexecutable

Description:

Installs an Empire launchDaemon.

Author:

@xorrior

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
DaemonLocationThe full path of where the Empire launch daemon should be located.True
DaemonNameName of the Launch Daemon to install. Name will also be used for the plist file.Truecom.proxy.initialize
ListenerListener to use.True
SafeChecksSwitch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.TrueTrue
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundFalse
Categorypersistence
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/loginhook

Description:

Installs Empire agent via LoginHook.

Author:

@Killswitch-GUI

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
LoginHookScriptFull path of the script to be executed/True/Users/Username/Desktop/kill-me.sh
PasswordUser password for sudo.True

Comments:

https://support.apple.com/de-at/HT2420

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorypersistence
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/mail

Description:

Installs a mail rule that will execute an AppleScript stager when a trigger word is present in the Subject of an incoming mail.

Author:

@n00py

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
ListenerListener to use.True
RuleNameName of the Rule.TrueSpam Filter
SafeChecksSwitch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.TrueTrue
TriggerThe trigger word.True
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

https://github.com/n00py/MailPersist

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorypersistence
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/RemoveDaemon

Description:

Remove an Empire Launch Daemon.

Author:

@xorrior

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
PlistPathFull path to the plist file to remove.True
ProgramPathFull path to the bash script/ binary file to remove.True

Comments:

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeTrue
BackgroundFalse
Categorypersistence
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




python - privesc


linux/linux_priv_checker

Description:

This script is intended to be executed locally ona Linux box to enumerate basic system info, and search for commonprivilege escalation vectors with pure python.

Author:

@Killswitch_GUI, @SecuritySift

Options:

ParamDescriptionRequiredDefault
AgentAgent to run on.True

Comments:

For full comments and code: www.securitysift.com/download/linuxprivchecker.py

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categoryprivesc
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




linux/unix_privesc_check

Description:

This script is intended to be executed locally ona Linux box to enumerate basic system info, and search for commonprivilege escalation vectors with a all in one shell script.

Author:

@Killswitch_GUI, @pentestmonkey

Options:

ParamDescriptionRequiredDefault
AgentAgent to run on.True
IpIP to curl script from (Default is local webserver inside agent).True127.0.0.1
PortPort to setup server and curl from (Default is 8089).True8089
PrivSettingSetting to run unix-privesc-check with (standard or detailed).Truestandard
ServeCountValue to set GET request count of webserver (Can be helpful if multiple agents, only host webserver once).True1

Comments:

For full comments and code: http://pentestmonkey.net/tools/audit/unix-privesc-check

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categoryprivesc
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




multi/bashdoor

Description:

Creates an alias in the .bash_profile to cause the sudo command to execute a stager and pass through the origional command back to sudo

Author:

@n00py

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
ListenerListener to use.True
SafeChecksSwitch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.TrueTrue
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categoryprivesc
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




multi/sudo_spawn

Description:

Spawns a new Empire agent using sudo.

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
ListenerListener to use.True
PasswordUser password for sudo.True
SafeChecksEnable SafeChecks.TrueTrue
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categoryprivesc
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/dyld_print_to_file

Description:

This modules takes advantage of the environment variable DYLD_PRINT_TO_FILE in order to escalate privileges on all versions Mac OS X YosemiteWARNING: In order for this exploit to be performed files will be overwritten and deleted. This can set off endpoint protection systems and as of initial development, minimal testing has been performed.

Author:

@checky_funtime

Options:

ParamDescriptionRequiredDefault
AgentAgent used to Privesc fromTrue
FileNameThe filename to use when the temporary file is dropped to disk.Trueerror.log
ListenerListener to use.True
SafeChecksSwitch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.TrueTrue
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault
WriteablePathFull path to where the file should be written. Defaults to /tmp/.True/tmp/

Comments:

References:

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/dyld_print_to_file_root.rb

http://www.sektioneins.com/en/blog/15-07-07-dyld_print_to_file_lpe.html

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categoryprivesc
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/piggyback

Description:

Spawns a new Empire agent using an existing sudo session. This works up until El Capitan.

Author:

@n00py

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
ListenerListener to use.True
SafeChecksSwitch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.TrueTrue
UserAgentUser-agent string to use for the staging request (default, none, or other).Falsedefault

Comments:

Inspired by OS X Incident Response by Jason Bradley

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categoryprivesc
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




windows/get_gpppasswords

Description:

This module will attempt to pull group policy preference passwords from SYSVOL

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run on.True
BindDNuser@penlab.localTrue
LDAPAddressLDAP IP/HostnameTrue
passwordPassword to connect to LDAPFalse

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categoryprivesc
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




python - situational_awareness


host/multi/SuidGuidSearch

Description:

This module can be used to identify suid or guid bit set on files.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run the module on.True
PathPath to start the search from. Default is /True/

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




host/multi/WorldWriteableFileSearch

Description:

This module can be used to identify world writeable files.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run the module on.True
PathPath to start the search from. Default is /True/

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




host/osx/HijackScanner

Description:

This module can be used to identify applications vulnerable to dylib hijacking on a target system. This has been modified from the original to remove the dependancy for the macholib library.

Author:

@patrickwardle, @xorrior

Options:

ParamDescriptionRequiredDefault
AgentAgent to run the module on.True
LoadedProcessesScan only loaded process executablesTrueFalse
PathScan all binaries recursively, in a specific path.False

Comments:

Heavily adapted from @patrickwardle's script: https://github.com/synack/DylibHijack/blob/master/scan.py

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




host/osx/situational_awareness

Description:

This module will enumerate the basic items needed for OP.

Author:

Alex Rymdeko-Harvey, @Killswitch-GUI

Options:

ParamDescriptionRequiredDefault
AgentAgent to run from.True
DebugEnable a find keyword to search for within the iMessage Database.TrueFalse
HistoryCountThe number of messages to enumerate from most recent.True10

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/active_directory/dscl_get_groupmembers

Description:

This module will use the current user context to query active directory for a list of users in a group.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run on.True
GroupGroupTrue

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/active_directory/dscl_get_groups

Description:

This module will use the current user context to query active directory for a list of Groups.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run on.True
DomainDomainTrue

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/active_directory/dscl_get_users

Description:

This module will use the current user context to query active directory for a list of users.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run on.True
DomainDomainTrue

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/active_directory/get_computers

Description:

This module will list all computer objects from active directory

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run on.True
BindDNuser@penlab.localTrue
LDAPAddressLDAP IP/HostnameTrue
PasswordPassword to connect to LDAPFalse

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/active_directory/get_domaincontrollers

Description:

This module will list all domain controllers from active directory

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run on.True
BindDNuser@penlab.localTrue
LDAPAddressLDAP IP/HostnameTrue
PasswordPassword to connect to LDAPFalse

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/active_directory/get_fileservers

Description:

This module will list file servers

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run on.True
BindDNuser@penlab.localTrue
LDAPAddressLDAP IP/HostnameTrue
PasswordPassword to connect to LDAPFalse

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/active_directory/get_groupmembers

Description:

This module will return a list of group members

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run on.True
BindDNuser@penlab.localTrue
groupnameGroup to check which users are a member ofFalseDomain Admins
LDAPAddressLDAP IP/HostnameTrue
PasswordPassword to connect to LDAPFalse

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/active_directory/get_groupmemberships

Description:

This module check what groups a user is member of

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run on.True
BindDNuser@penlab.localTrue
LDAPAddressLDAP IP/HostnameTrue
PasswordPassword to connect to LDAPFalse
userUser to check group memberships ofFalse

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/active_directory/get_groups

Description:

This module will list all groups in active directory

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to grab run on.True
BindDNuser@penlab.localTrue
LDAPAddressLDAP IP/HostnameTrue
PasswordPassword to connect to LDAPFalse

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/active_directory/get_ous

Description:

This module will list all OUs from active directory

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to grab run on.True
BindDNuser@penlab.localTrue
LDAPAddressLDAP IP/HostnameTrue
PasswordPassword to connect to LDAPFalse

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/active_directory/get_userinformation

Description:

This module will return the user profile specified

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run on.True
BindDNuser@penlab.localTrue
LDAPAddressLDAP IP/HostnameTrue
PasswordPassword to connect to LDAPFalse
userUser to check group memberships ofFalse

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/active_directory/get_users

Description:

This module list users found in Active Directory

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to grab run on.True
BindDNuser@penlab.localTrue
LDAPAddressLDAP IP/HostnameTrue
PasswordPassword to connect to LDAPFalse

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundFalse
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/dcos/chronos_api_add_job

Description:

Add a Chronos job using the HTTP API service for the Chronos Framework

Author:

@TweekFawkes

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
CommandThe command to run.Trueid
DescriptionThe description of the job.TrueScheduled Job 001
LastSuccessThe last successful run for the job (optional).False
NameThe name of the chronos job.TruescheduledJob001
OwnerThe owner of the job.Trueadmin@example.com
OwnerNameThe owner name of the job.Trueadmin
PortThe port to connect to.True8080
ScheduleThe schedule for the job.TrueR/2016-07-15T00:08:35Z/PT24H
TargetFQDN, domain name, or hostname to lookup on the remote target.Truechronos.mesos

Comments:

Docs: https://mesos.github.io/chronos/docs/api.html

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/dcos/chronos_api_delete_job

Description:

Delete a Chronos job using the HTTP API service for the Chronos Framework

Author:

@TweekFawkes

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
NameThe name of the chronos job.TruescheduledJob001
PortThe port to connect to.True8080
TargetFQDN, domain name, or hostname to lookup on the remote target.Truechronos.mesos

Comments:

Docs: https://mesos.github.io/chronos/docs/api.html

urllib2 DELETE method credits to: http://stackoverflow.com/questions/21243834/doing-put-using-python-urllib2

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/dcos/chronos_api_start_job

Description:

Start a Chronos job using the HTTP API service for the Chronos Framework

Author:

@TweekFawkes

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
NameThe name of the chronos job.TruescheduledJob001
PortThe port to connect to.True8080
TargetFQDN, domain name, or hostname to lookup on the remote target.Truechronos.mesos

Comments:

Docs: https://mesos.github.io/chronos/docs/api.html

urllib2 PUT method credits to: http://stackoverflow.com/questions/21243834/doing-put-using-python-urllib2

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/dcos/etcd_crawler

Description:

Pull keys and values from an etcd configuration store

Author:

@scottjpack, @TweekFawkes

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
DepthHow far into the ETCD hierarchy to recurse. 0 for root keys only, "-1" for no limitationTrue-1
PortThe etcd client communication port, typically 2379 or 1026.True1026
TargetFQDN, domain name, or hostname to lookup on the remote target.Trueetcd.mesos

Comments:

Docs: https://coreos.com/etcd/docs/latest/api.html

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/dcos/marathon_api_create_start_app

Description:

Create and Start a Marathon App using Marathon's REST API

Author:

@TweekFawkes

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
CmdThe command to run.Trueenv && sleep 300
CPUsThe number of CPUs to assign to the app.True1
DiskThe Disk Space (MiB) to assign to the app.True0
IDThe id of the marathon app.Trueapp001
InstancesThe number of instances to assign to the app.True1
MemThe Memory (MiB) to assign to the app.True128
PortThe port to connect to.True8080
TargetFQDN, domain name, or hostname to lookup on the remote target.Truemarathon.mesos

Comments:

Marathon REST API documentation version 2.0: https://mesosphere.github.io/marathon/docs/generated/api.html

Marathon REST API: https://mesosphere.github.io/marathon/docs/rest-api.html

Marathon REST API: https://open.mesosphere.com/advanced-course/marathon-rest-api/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/dcos/marathon_api_delete_app

Description:

Delete a Marathon App using Marathon's REST API

Author:

@TweekFawkes

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
IDThe id of the marathon app.Trueapp001
PortThe port to connect to.True8080
TargetFQDN, domain name, or hostname to lookup on the remote target.Truemarathon.mesos

Comments:

Marathon REST API documentation version 2.0: https://mesosphere.github.io/marathon/docs/generated/api.html

Marathon REST API: https://mesosphere.github.io/marathon/docs/rest-api.html

Marathon REST API: https://open.mesosphere.com/advanced-course/marathon-rest-api/

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/find_fruit

Description:

Searches for low-hanging web applications.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
PortThe port to scan on.True8080
SSLTrue/False to force SSLFalseFalse
TargetIP Address or CIDR to scan.True

Comments:

CIDR Parser credits to http://bibing.us.es/proyectos/abreproy/12106/fichero/ARCHIVOS%252Fservidor_xmlrpc%252Fcidr.py

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/gethostbyname

Description:

Uses Python's socket.gethostbyname("example.com") function to resolve host names on a remote agent.

Author:

@TweekFawkes

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
TargetFQDN, domain name, or hostname to lookup using the remote target.True

Comments:

none

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/http_rest_api

Description:

Interacts with a HTTP REST API and returns the results back to the screen.

Author:

@TweekFawkes, @scottjpack

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
PathThe path.True/v1/version
PortThe port to connect to.True8123
ProtocolProtocol or Scheme to use.Truehttp
RequMethodThe HTTP request method to use.TrueGET
TargetFQDN, domain name, or hostname of the remote target.Truemaster.mesos

Comments:

Docs: https://mesos.github.io/chronos/docs/api.html

urllib2 DELETE method credits to: http://stackoverflow.com/questions/21243834/doing-put-using-python-urllib2

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/port_scan

Description:

Simple Port Scanner.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
PortThe port to scan for.True8080
TargetTargets to scan in single, range 0-255 or CIDR format.True

Comments:

CIDR Parser credits to http://bibing.us.es/proyectos/abreproy/12106/fichero/ARCHIVOS%252Fservidor_xmlrpc%252Fcidr.py

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeTrue
BackgroundTrue
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




network/smb_mount

Description:

This module will attempt mount an smb share and execute a command on it.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run on.True
CommandCommand to run.True
DomainDomainFalse
MountPointDirectory to mount on target.True
PasswordPasswordFalse
ShareNameShare to mount. e.g. 192.168.1.1/c$True
UserNameUsernameTrue

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorysituational_awareness
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




python - trollsploit


osx/change_background

Description:

Change the login message for the user.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run on.True
DesktopTrue/False to change the desktop background.FalseFalse
ImageLocation of the image to use.True
LoginTrue/False to change the login background.FalseFalse

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorytrollsploit
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/login_message

Description:

Change the login message for the user.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run on.True
MessageMessage to displayFalse
RemoveTrue/False to remove login message.TrueFalse

Comments:

Attributes:

AttributeValue
Needs AdminTrue
Opsec SafeFalse
BackgroundFalse
Categorytrollsploit
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/say

Description:

Performs text to speech using "say".

Author:

@harmj0y

Options:

ParamDescriptionRequiredDefault
AgentAgent to execute module on.True
TextThe text to speak.True
VoiceThe voice to use.Truealex

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorytrollsploit
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index




osx/thunderstruck

Description:

Open Safari in the background and play Thunderstruck.

Author:

@424f424f

Options:

ParamDescriptionRequiredDefault
AgentAgent to run on.True

Comments:

Attributes:

AttributeValue
Needs AdminFalse
Opsec SafeFalse
BackgroundFalse
Categorytrollsploit
Languagepython
Min Version2.6
Out Extension

View Source Code

Back to Index





Generated on Friday, February 2, 2018 6:50:03 PM