auth.ps1

# Helpers

# C# source for the TrustEverything helper; _DisableSSLVerification compiles it with Add-Type.
# SECURITY: ValidationCallback returns true for every certificate and ignores sslPolicyErrors,
# so once SetCallback() has run, any server certificate (expired, self-signed, wrong host name)
# is accepted and the server is no longer authenticated. The callback is assigned to the static
# System.Net.ServicePointManager.ServerCertificateValidationCallback property, so it is not
# scoped to a single request. UnsetCallback() restores the default by assigning null; no call
# to it is visible in this part of the file.
$sslverificationcode = @"
        using System.Net.Security;
        using System.Security.Cryptography.X509Certificates;
        public static class TrustEverything
        {
                private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain,
                        SslPolicyErrors sslPolicyErrors) { return true; }
                public static void SetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }
                public static void UnsetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
        }
"@


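function _DisableSSLVerification {
    <#
    .SYNOPSIS
    Turns off TLS server-certificate validation by installing the TrustEverything callback.

    .DESCRIPTION
    Compiles the C# helper held in $sslverificationcode (only if the TrustEverything type is
    not already loaded) and calls [TrustEverything]::SetCallback(), which assigns an
    accept-all callback to the static ServicePointManager.ServerCertificateValidationCallback.
    The setting is not limited to one request; it stays in place until
    [TrustEverything]::UnsetCallback() is called.
    #>
    Write-Verbose "Disabling SSL Verification!"
    # Verbose output is hidden by default; a change that removes server authentication
    # should be visible to the operator without -Verbose.
    Write-Warning "TLS certificate validation is disabled; the server identity will not be verified. Call [TrustEverything]::UnsetCallback() to restore validation."

    # Add-Type fails if the type already exists, so compile only once per session.
    if (-not ([System.Management.Automation.PSTypeName]"TrustEverything").Type) {
        Add-Type -TypeDefinition $sslverificationcode
    }
    [TrustEverything]::SetCallback()
}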

#Get Login Token (required) -- NOTE: Deprecated in the SaaS version
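function New-ICToken {
    <#
    .SYNOPSIS
    Logs in to the HUNT server with a username and password and stores the returned token.

    .DESCRIPTION
    POSTs the credential as JSON to "<HuntServer>/api/users/login". On success the id of the
    response is saved in $Global:ICToken and the response object is written to the pipeline.
    The normalized server address is saved in $Global:HuntServerAddress.

    .PARAMETER HuntServer
    Server address. "https://" is prepended when the value does not already start with it.

    .PARAMETER Credential
    PSCredential whose user name and password are sent in the login request body.

    .OUTPUTS
    The login response object on success, or a string starting with "ERROR:" on failure.
    #>
    [cmdletbinding()]
    param(
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [String]
        $HuntServer = "https://localhost:443",

        [parameter(Mandatory=$true)]
        [System.Management.Automation.PSCredential]
        $Credential
    )

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # NOTE(review): certificate validation is switched off unconditionally here, whereas
    # Set-ICToken only does so when -DisableSSLVerification is passed. The password below is
    # therefore sent to a server whose identity is never checked. Kept as-is so existing
    # callers against self-signed servers keep working; consider making this opt-in.
    _DisableSSLVerification

    if ($HuntServer -notlike "https://*") {
        $Global:HuntServerAddress = "https://" + $HuntServer
    } else {
        $Global:HuntServerAddress = $HuntServer
    }
    $url = "$Global:HuntServerAddress/api/users/login"

    # -Credential is Mandatory, so PowerShell has already bound a PSCredential by this point;
    # the former "no credentials provided" fallback could never run and has been dropped.
    $netCred = $Credential.GetNetworkCredential()
    $body = @{
        username = $netCred.username
        password = $netCred.password
    } | ConvertTo-JSON

    Write-Host "Requesting new Token from $Global:HuntServerAddress using account $($Credential.username)"
    # Only the token and the server address are kept in globals; the credential is not.
    Write-Verbose "Token and Hunt Server Address are stored in global variables for use in all IC cmdlets"

    try {
        $response = Invoke-RestMethod $url -Method POST -Body $body -ContentType 'application/json'
    } catch {
        Write-Warning "Error: $_"
        return "ERROR: $($_.Exception.Message)"
    }

    if ($response -match "Error") {
        Write-Warning "Error: Unauthorized"
        # There is no current error record outside the catch block, so the old
        # "$($_.Exception.Message)" expanded to nothing; return an explicit reason.
        return "ERROR: Unauthorized"
    } else {
        # Set Token to global variable
        $Global:ICToken = $response.id
        Write-Verbose 'New token saved to global variable: $Global:ICToken'
        $response
    }
}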


# Generate an API token in the web console's profile or admin section.
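function Set-ICToken {
    <#
    .SYNOPSIS
    Stores an existing API token, the server address and optional proxy settings in global
    variables for later use.

    .DESCRIPTION
    Accepts a 64-character token and saves it in $Global:ICToken together with the normalized
    server address in $Global:HuntServerAddress. Any other token length is rejected with a
    warning and nothing is changed.

    .PARAMETER HuntServer
    Server address. "https://" is prepended when the value does not already start with it.

    .PARAMETER Token
    API token; must be exactly 64 characters long.

    .PARAMETER Proxy
    Proxy address, saved in $Global:Proxy when supplied.

    .PARAMETER ProxyUser
    Proxy user name; used only when -ProxyPass is also supplied.

    .PARAMETER ProxyPass
    Proxy password as plain text; converted to a SecureString for $Global:ProxyCredential.

    .PARAMETER DisableSSLVerification
    Turns off TLS certificate validation via _DisableSSLVerification. The server identity is
    then not verified, so use it only where that risk is accepted.
    #>
    [cmdletbinding()]
    param(
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [String]$HuntServer = "https://localhost:443",

        [parameter(Mandatory=$true)]
        [ValidateNotNullorEmpty()]
        [String]$Token,

        [String]$Proxy,
        [String]$ProxyUser,
        [String]$ProxyPass,

        [Switch]$DisableSSLVerification
    )

    # Validate before touching any state: a rejected token should not leave the server
    # address changed or certificate validation switched off.
    if ($Token.Length -ne 64) {
        Write-Warning "That token won't work. Must be a 64 character string generated within your profile or admin panel within Infocyte HUNT's web console"
        return
    }

    if ($DisableSSLVerification) {
        _DisableSSLVerification
    }
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    if ($HuntServer -notlike "https://*") {
        $Global:HuntServerAddress = "https://" + $HuntServer
    } else {
        $Global:HuntServerAddress = $HuntServer
    }

    # Set Token to global variable
    $Global:ICToken = $Token
    # The token is a bearer secret: do not echo it to the host, where it would end up in
    # console scrollback and transcripts.
    Write-Host "Setting Auth Token for $HuntServer"

    if ($Proxy) {
        $Global:Proxy = $Proxy
        if ($ProxyUser -AND $ProxyPass) {
            # NOTE(review): -ProxyPass arrives as a plain-text string; a PSCredential
            # parameter would avoid that, but the signature is kept for existing callers.
            $pw = ConvertTo-SecureString $ProxyPass -AsPlainText -Force
            $Global:ProxyCredential = New-Object System.Management.Automation.PSCredential ($ProxyUser, $pw)
        }
    }
    Write-Verbose "Token, Hunt Server Address, and Proxy settings are stored in global variables for use in all IC cmdlets"

}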