Public/Start-AS2GoDemo.ps1
<#
.SYNOPSIS
Starts the AS2Go demo workflow.

.DESCRIPTION
Runs the Attack Scenario To Go (AS2Go) demo sequence and optionally skips selected phases or user interactions.
Use switches to run unattended, continue from a previous stage, or bypass specific attack steps.

.PARAMETER UnAttended
Runs the workflow without interactive prompts where possible.

.PARAMETER Continue
Continues from the previously stored stage instead of starting from the beginning.

.PARAMETER EnableLogging
Enables module logging output.

.PARAMETER SkipImages
Skips image display steps.

.PARAMETER SkipClearHost
Prevents screen clearing between major stages.

.PARAMETER SkipPopup
Skips popup messages.

.PARAMETER SkipPasswordSpray
Skips the password spray phase.

.PARAMETER SkipCompromisedAccount
Skips compromised account selection/confirmation.

.PARAMETER SkipPwSpayWithRubeus
Skips password spray execution with Rubeus.

.PARAMETER SkipReconnaissance
Skips the reconnaissance phase.

.PARAMETER SkipPrivilegeEscalation
Skips the privilege escalation phase.

.PARAMETER SkipSensitiveDataAccess
Skips the sensitive data access phase.

.PARAMETER SkipDataExfiltration
Skips the data exfiltration phase.

.PARAMETER SkipDomainPersistence
Skips the domain persistence phase.

.PARAMETER SkipForgeAuthCertificates
Skips the certificate forging phase.

.PARAMETER SkipKerberoastingAttack
Skips the Kerberoasting phase.

.PARAMETER DeveloperMode
Enables developer/demo output for troubleshooting and testing.

.PARAMETER Simulation
Runs in simulation mode.

.EXAMPLE
PS> Start-AS2GoDemo
Starts the demo interactively from the beginning.

.EXAMPLE
PS> Start-AS2GoDemo -Continue -EnableLogging -SkipImages
Continues from the last stage and enables logging while skipping images.

.EXAMPLE
PS> Start-AS2GoDemo -UnAttended -SkipPasswordSpray -SkipReconnaissance
Runs unattended and skips selected phases.

.NOTES
Use Get-Help Start-2GoDemo -Full to view this help content.
#> Function Start-2GoDemo { Param ( [switch]$UnAttended, [switch]$Continue, [Switch]$EnableLogging, [switch]$SkipImages, [switch]$SkipClearHost, [switch]$SkipPopup, [switch]$SkipPasswordSpray, [switch]$SkipCompromisedAccount, [switch]$SkipPwSpayWithRubeus, [switch]$SkipReconnaissance, [switch]$SkipPrivilegeEscalation, [switch]$SkipSensitiveDataAccess, [switch]$SkipDataExfiltration, [switch]$SkipDomainPersistence, [switch]$SkipForgeAuthCertificates, [switch]$SkipKerberoastingAttack, [switch]$DeveloperMode, [switch]$Simulation ) #[bool]$showStep = $true # show the steps in an image #[bool]$skipstep = $false # show the steps in an image $SkipPopup = $true Write-Log -Message "." Write-Log -Message "." Write-Log -Message "<< -- UniversalTime [UTC]" Write-Log -Message " " Write-Log -Message "##################################################################" Write-Log -Message "# #" Write-Log -Message " Starting Module $ASModuleName [Version $($ASModuleManifest.Version)] " Write-Log -Message "# #" Write-Log -Message "##################################################################" Write-Log -Message " " Write-Log -Message " >> Using PowerShell version $($PSVersionTable.PSVersion.tostring())" Write-Log -Message " " Write-Log -Message "Victim PC run on Windows $Script:WinVersion" # clean-up AS2Go Folder New-Item -Path $Script:DefautCleanUpFolder -ItemType Directory -ErrorAction Ignore | Out-Null try { Get-ChildItem ??-*.* | Move-Item -Destination $Script:DefautCleanUpFolder -Force | Out-Null Write-Log -Message " >> Cleaned up AS2Go working folder, moved old files to $($Script:DefautCleanUpFolder)" } catch { } Invoke-Output -T Header -M "Attack Scenario to GO - along the kill-chain (AS2Go)" $MoAD = Confirm-PoSHModuleAvailabliy -PSModule "ActiveDirectory" $MoGPO = Confirm-PoSHModuleAvailabliy -PSModule "GroupPolicy" # check the correct directory and requirements $Script:ASTools = Get-KeyValue -key "Tools" $FileVersionM = Get-FileVersion -fullname 
"$($Script:ASTools)\mimikatz.exe" $FileVersionP = Get-FileVersion -fullname "$($Script:ASTools)\PsExec.exe" $FileVersionR = Get-FileVersion -fullname "$($Script:ASTools)\Rubeus.exe" $FileVersionN = Get-FileVersion -fullname "$($Script:ASTools)\NetSess.exe" $FileVersionC = Get-FileVersion -fullname "$($Script:ASTools)\Certify.exe" #$FileVersionO = Get-FileVersion -fullname "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" if ($MoGPO -eq "failed" -or $MoAD -eq "failed" -or $FileVersionM -eq "failed" -or $FileVersionP -eq "failed" -or $FileVersionR -eq "failed" -or $FileVersionN -eq "failed" -or $FileVersionC -eq "failed" -or $FileVersionO -eq "failed") { [bool]$PreCheckFailed = $true } If ($PreCheckFailed -eq $true) { Write-host "`n [>] Please acknowledge the warning(s) by pressing ENTER ... " -ForegroundColor $Script:FGCWarning -NoNewline $confirmed = Read-Host Write-Log -Message " >> Confirmed the warning with - $confirmed" } $demo = Get-KeyValue -key "DemoTitle" Update-WindowTitle -NewTitle $demo # If (-not $SkipClearHost){Clear-Host} Set-NewColorSchema -NewStage $PtT $laststage = Get-KeyValue -key "LastStage" If ($UnAttended) { if ($Continue) { $Begin = $no } else { $Begin = $yes } } else { if ($Continue) { $StartValue = $no } else { $StartValue = $yes } $question = "Starts the attack scenario from the beginning? 
Default " $Begin = Get-Answer -question $question -defaultValue $StartValue } If ($Begin -eq $yes) { Set-KeyValue -key "LastStage" -NewValue $Script:Phase50 Set-NewColorSchema -NewStage $Script:InitialStart If (-not $SkipClearHost) { Clear-Host } Write-Host "____________________________________________________________________`n" Write-Host " $ASModuleName Version $($ASModuleManifest.Version) " Write-Host " " Write-Host " Attack Scenario to Go | along the kill-chain " -ForegroundColor yellow Write-Host " " Write-Host " created by Holger Zimmermann | last update $ASModuleLastUpdate " Write-Host " " Write-Host " Used tools & requirements: " Write-Host " " Write-Host " ● PoSH modules: ActiveDirectory & GroupPolicy " Write-Host " " Write-Host " ● NetSess.exe $FileVersionN " Write-Host " ● Mimikatz.exe $FileVersionM " Write-Host " " Write-Host " ● Rubeus.exe $FileVersionR " Write-Host " ● Certify.exe $FileVersionC " Write-Host " " Write-Host " ● PsExec.exe $FileVersionP " Write-Host "____________________________________________________________________`n" $TimeStamp = (Get-Date).toString("yyyy-MM-dd HH:mm:ss") $lastVictim = Get-KeyValue -key "LastVictim" $lastRun = Get-KeyValue -key "LastStart" $lastDuration = Get-KeyValue -key "LastDuration" Write-Host "`n Current Date & Time: $TimeStamp" Write-Host "" Write-Host " Last Run: " -NoNewline Write-Host $lastRun -NoNewline -ForegroundColor $Script:FGCHighLight Write-Host " | " -NoNewline Write-Host $lastDuration -NoNewline -ForegroundColor $Script:FGCHighLight Write-Host " | Last Victim: " -NoNewline Write-Host "[$lastVictim]" -ForegroundColor $Script:FGCHighLight Write-Host "`n" #Update AS2Go.json config file Set-KeyValue -key "LastStart" -NewValue $TimeStamp If ($DeveloperMode) { Invoke-Output -T Header -M "Auf geht es" Invoke-Output CodeSnippet "`$pwd" Invoke-Output Error "Fehler 40" Invoke-Output Warning "bghkdfgl" $answer = Invoke-Output Input "Wie viel Bier" Invoke-Output Info $answer Invoke-Output Success "Super!" 
Invoke-Output TextMaker "Nicht so viel" "Bier!" return } If ($UnAttended -eq $false) { pause } ################################################################################ ###### ##### ###### Setting update ##### ###### ##### ################################################################################ If (-not $SkipClearHost) { Clear-Host } If ($UnAttended -eq $false) { Get-AS2GoSettings } ################################################################################ ###### ##### ###### Attack Phase - Brute Force Account ##### ###### ##### ################################################################################ #region Attack Phase - Brute Force Account If ($SkipPasswordSpray ) { Write-Log -Message "Skipped Attack Phase - Brute Force Account" } else { Invoke-Phase04BruteForceAttack -EnableLogging:$EnableLogging -SkipImages:$SkipImages -SkipClearHost:$SkipClearHost -UnAttended:$UnAttended -AS2GODemo -Simulation:$Simulation } } else { $Script:PrivledgeAccount = $yes Set-NewColorSchema -NewStage $PtH #read values from AS2Go.json config file } #read values from AS2Go.json config file Get-AS2GoSettings -ReadOnly $UseCase = Get-KeyValue -key "usecase" If (-not $SkipClearHost) { Clear-Host } If ($Begin -eq $yes) { $MyInfo = " In this demo, I use the following three user accounts " $MyFGC = $Script:FGCHighLight } else { $MyInfo = " Still using these three (3) user accounts " $MyFGC = "Darkblue" If ($DeveloperMode) { [bool]$SkipImages = $true [bool]$skipstep = $True Write-Host "" Write-Warning " Running AS2Go in Developer Mode!`n" Write-Log -Message "Running AS2Go in Developer Mode" } } Update-WindowTitle -NewTitle "Used Accounts" Invoke-Output -T Header -M $MyInfo $Global:ASVictim = $env:UserName if ($Global:ASVictim -match "^VI-|^HD-|^DA-") { $suffix = $Global:ASVictim.Substring(3) If (($UnAttended -ne $true) -and ($SkipPopup -ne $true)) { $question = " -> Enter or confirm your account suffix! 
Default " $suffix = Get-Answer -question $question -defaultValue $suffix } $Global:ASVictim = "VI-$suffix" $Global:ASHelpDeskUser = "HD-$suffix" $Global:ASDomainAdmin = "DA-$suffix" } else { $Global:ASVictim = $env:UserName } #If (-not $SkipClearHost){Clear-Host} Write-Host "" Write-Host " Compromised Account -- " -NoNewline Write-Host $Global:ASVictim -ForegroundColor $fgcC -NoNewline Write-Host " | Tier 2 Account" if ($Global:ASHelpDeskUser) { Write-Host " Helpdesk User -- $Global:ASHelpDeskUser | Tier 1 Account" } if ($Global:ASDomainAdmin) { Write-Host " Domain Admin -- $Global:ASDomainAdmin | Tier 0 Account" } If ($Begin -eq $yes) { $infoV = Get-ComputerInformation -computer $Script:ASVictimMaschine $infoS = Get-ComputerInformation -computer $Script:ASSAW $infoD = Get-ComputerInformation -computer $Script:ASDC Write-Host "" Write-Host " Victim Maschine -- $infoV | Tier 2 Maschine" Write-Host " Admin Maschine -- $infoS | Tier 0 Maschine" Write-Host " Domain Controller -- $infoD | Tier 0 Maschine" try { Write-Output $Global:ASHelpDeskUser | Set-Clipboard } catch { Write-Output $Global:ASHelpDeskUser | clip } If (($UnAttended -ne $true) -and ($SkipPopup -ne $true)) { $wshell = New-Object -ComObject Wscript.Shell $Output = $wshell.Popup("Do NOT forget to simulate helpdesk support by ""$Global:ASHelpDeskUser"" on your Victim PC!", 0, "Simulate helpdesk support on Victim PC - hd.cmd", 0 + 64) } } else { If (($UnAttended -ne $true) -and ($SkipPopup -ne $true)) { $wshell = New-Object -ComObject Wscript.Shell $Output = $wshell.Popup("Do NOT forget to simulate domain activities by ""$Global:ASDomainAdmin"" on your Admin PC!", 0, "Simulate domain activities on Admin PC", 0 + 64) } } Write-Host "" Set-KeyValue -key "LastVictim" -NewValue $Global:ASVictim If (($UnAttended -ne $true) -and ($SkipPopup -ne $true)) { Start-Sleep 2 } else { Pause } # only for PosH Script testing hozi MyDebugHelp If ($DeveloperMode) { # function to test #Restart-VictimMachines Write-host "START 
Run directy" -ForegroundColor Red #Restart-VictimMachines #write-host $mydebug #Invoke-Command -ScriptBlock {.\certify.exe find /vulnerable} Write-host "END Run directy" -ForegroundColor Red Write-Log -Message "Running dedicated function from Developer Mode section" pause } #endregion Attack Phase - Brute Force Account ################################################################################ ###### ##### ###### Attack Phase - COMPROMISED User Account ##### ###### ##### ################################################################################ #region Attack Phase - COMPROMISED User Account Update-WindowTitle -NewTitle $Script:Phase05 #Set-KeyValue -key "LastStage" -NewValue $Script:Phase06 If (-not $SkipImages) { Show-Phases -Phase "phase_000.html" } Do { If ($SkipCompromisedAccount) { break } If (-not $SkipClearHost) { Clear-Host } Invoke-Output -T Header -M "Attack Phase - COMPROMISED User Account" If ($UnAttended) { $answer = $Script:PrivledgeAccount } else { $question = "Was this a PRIVLEDGE(!) Account?`n Enter [Y] to confirm or [N] for a non-sensitive user! Default " $answer = Get-Answer -question $question -defaultValue $Script:PrivledgeAccount } If ($answer -eq $yes) { Write-Log -Message "Starting with a PRIVLEDGE(!) COMPROMISED User Account" $UserPic = "phase_008.html" $Account = "PRIVLEDGE(!) 
Compromised " $Script:PrivledgeAccount = $yes $PrivilegeEscalation = $PtT $reconnaissance = $yes Set-NewColorSchema -NewStage $PtH #Color Schema for the next command #$fgcS = "Black" # Switch #$fgcC = "Darkblue" # Command #$fgcF = "Black" #$fgcV = "DarkMagenta" # Value #$fgcH = "Darkblue" } else { Write-Log -Message "Starting with a non-sensitive COMPROMISED User Account" $UserPic = "phase_005.html" $Account = "non-sensitive Compromised" $Script:PrivledgeAccount = $no $PrivilegeEscalation = $PtH $reconnaissance = $no Set-NewColorSchema -NewStage $Script:InitialStart } #Pause If (-not $SkipImages) { Show-Phases -Phase $UserPic } Start-NetSess -server $Script:ASDC If (-not $SkipClearHost) { Clear-Host } Write-Host "____________________________________________________________________`n" Write-Host " Starting with $Account User Account " Write-Host "____________________________________________________________________`n" $currentUser = $Global:ASVictim $currentUser = $env:UserName Write-Host -NoNewline " Command: " Write-Highlight -Text ("Get-ADUser ", "-Identity ", "$currentUser") -Color $fgcC, $fgcS, $fgcV If ($UnAttended) { If ($UseRUBEUS) { $answer = $yes }else { $answer = $no } } else { $question = "Would you like to run this step - Y or N? Default " $answer = Get-Answer -question $question -defaultValue $Yes } If ($answer -eq $yes) { Write-Host "`n`n" $error.Clear() Try { $attributes = @("AccountExpirationDate", "CannotChangePassword", "CanonicalName", "cn", "Created", "Department", "Description", "DisplayName", "EmployeeNumber", "Enabled", "Country", "l", "Manager", "MemberOf", "MobilePhone", "userAccountControl", "UserPrincipalName", "LastBadPasswordAttempt", "title") get-aduser -Identity $currentUser -Properties $attributes | Format-List | Out-String -ErrorAction Stop } catch { $message = $_ Write-Host " "$message.CategoryInfo.Reason:" " -NoNewline $message.Exception Write-Host "" Write-host " Account restrictions are preventing this user from signing in." 
-ForegroundColor $fgcH Write-HosT " Probably helpdesk user '$Global:ASHelpDeskUser' is member of the 'Protected Users' Group!`n`n" -ForegroundColor $fgcH pause #Stop-AS2GoDemo } Write-Host "" Pause If (-not $SkipClearHost) { Clear-Host } Write-Host "____________________________________________________________________`n" Write-Host " Displays a list of currently cached Kerberos tickets " Write-Host "____________________________________________________________________`n" Write-Host "" Write-Host -NoNewline " Command: " Write-Highlight -Text ('klist') -Color $fgcC Write-Host "" If ($UnAttended) { Start-Sleep 1 } else { Pause } Write-Host "" klist If ($UnAttended) { Start-Sleep 1 } else { Pause } If (-not $SkipClearHost) { Clear-Host } } elseIf ($answer -eq $exit) { Stop-AS2GoDemo } else { } # If ($skipstep) {break} Invoke-Output -T Header -M "??? REPEAT | Attack Phase - COMPROMISED User Account ???" If ($UnAttended) { $repeat = $no } else { $question = "Do you need to update more settings - Y or N? 
Default " $repeat = Get-Answer -question $question -defaultValue $no } } Until ($repeat -eq $no) #endregion Attack Phase - COMPROMISED User Account ################################################################################ ###### ##### ###### Attack Phase - RECONNAISSANCE ##### ###### ##### ################################################################################ #region Attack Phase - RECONNAISSANCE If ($SkipReconnaissance) { Write-Log -Message "Skipped Attack Phase - RECONNAISSANCE" } else { Invoke-Phase06Reconnaissance -EnableLogging:$EnableLogging -SkipImages:$SkipImages -SkipClearHost:$SkipClearHost -UnAttended:$UnAttended -AS2GODemo } #endregion Attack Phase RECONNAISSANCE ################################################################################ ###### ##### ###### Attack Phase - Privilege Escalation ##### ###### ##### ################################################################################ #https://www.beyondtrust.com/blog/entry/privilege-escalation-attack-defense-explained #https://www.microsoft.com/en-us/security/blog/2019/05/09/detecting-credential-theft-through-memory-access-modelling-with-microsoft-defender-atp/ #region Attack Phase - Privilege Escalation If ($SkipPrivilegeEscalation) { Write-Log -Message "Skipped Attack Phase - Privilege Escalation" } else { Invoke-Phase07PrivilegeEscalation -EnableLogging:$EnableLogging -SkipImages:$SkipImages -SkipClearHost:$SkipClearHost -UnAttended:$UnAttended -AS2GODemo } #endregion Attack Phase - Privilege Escalation ################################################################################ ###### ##### ###### Attack Phase - RECONNAISSANCE ##### ###### ##### ################################################################################ #region Attack Phase - RECONNAISSANCE If ($SkipReconnaissance) { Write-Log -Message "Skipped Attack Phase - RECONNAISSANCE Priviledged" } else { Invoke-Phase09ReconnaissancePriviledged -EnableLogging:$EnableLogging -SkipImages:$SkipImages 
-SkipClearHost:$SkipClearHost -UnAttended:$UnAttended -AS2GODemo } #endregion Attack Phase RECONNAISSANCE ################################################################################ ###### ##### ###### Attack Phase - ACCESS SENSITIVE DATA ##### ###### ##### ################################################################################ #region Attack Phase - ACCESS SENSITIVE DATA If ($SkipSensitiveDataAccess) { Write-Log -Message "Skipped Attack Phase - ACCESS SENSITIVE DATA " } else { Invoke-Phase10AccessSensitiveData -EnableLogging:$EnableLogging -SkipImages:$SkipImages -SkipClearHost:$SkipClearHost -UnAttended:$UnAttended -AS2GODemo Invoke-Phase11ExfiltrateSensitiveData -EnableLogging:$EnableLogging -SkipImages:$SkipImages -SkipClearHost:$SkipClearHost -UnAttended:$UnAttended -AS2GODemo } #endregion Attack Phase - ACCESS SENSITIVE DATA ################################################################################ ###### ##### ###### Attack Phase - DOMAIN COMPROMISED AND PERSISTENCE ##### ###### ##### ################################################################################ #region Attack Phase - DOMAIN COMPROMISED AND PERSISTENCE If ($SkipDomainPersistence) { Write-Log -Message "Skipped Attack Phase - DOMAIN COMPROMISED AND PERSISTENCE" } else { Invoke-Phase12DomainCompromisePersistence -EnableLogging:$EnableLogging -SkipImages:$SkipImages -SkipClearHost:$SkipClearHost -UnAttended:$UnAttended -AS2GODemo } #endregion Attack Phase - DOMAIN COMPROMISED AND PERSISTENCE ################################################################################ ###### ##### ###### CLEAN UP ##### ###### ##### ################################################################################ Stop-AS2GoDemo <# Ideen enter-pssession -ComputerName Ch01-DSP-MGMT try { #https://www.hackingarticles.in/credential-dumping-wdigest/ $UseLogonCredential = Get-ItemPropertyValue -Name UseLogonCredential -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest 
Write-Host $UseLogonCredential } catch { Write-Host Get-ItemPropertyValue : Property UseLogonCredential does not exist at path -ForegroundColor yellow } try { $UseLogonCredential = Get-ItemPropertyValue -Name UseLogonCredential -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest } catch { Write-Host Get-ItemPropertyValue : Property UseLogonCredential does not exist at path -ForegroundColor yellow } Get-ChildItem ??-*.* | Move-Item -Destination .\Clean-up -Force #> } |