PowerSploit

3.0.0.0

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers and red team operators during all phases of an engagement.

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name PowerSploit

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies.

Author(s)

Matthew Graeber

Copyright

BSD 3-Clause

Tags

security pentesting redteam offense

Functions

Add-NetUser Add-ObjectAcl Add-Persistence Convert-NameToSid Convert-NT4toCanonical Convert-SidToName Copy-ClonedFile Find-AVSignature Find-ComputerField Find-DLLHijack Find-ForeignGroup Find-ForeignUser Find-GPOComputerAdmin Find-GPOLocation Find-InterestingFile Find-LocalAdminAccess Find-PathHijack Find-UserField Get-ADObject Get-ApplicationHost Get-CachedRDPConnection Get-ComputerDetails Get-ComputerProperty Get-DFSshare Get-DomainPolicy Get-ExploitableSystem Get-GPPPassword Get-HttpStatus Get-Keystrokes Get-LastLoggedOn Get-NetComputer Get-NetDomain Get-NetDomainController Get-NetDomainTrust Get-NetFileServer Get-NetForest Get-NetForestCatalog Get-NetForestDomain Get-NetForestTrust Get-NetGPO Get-NetGPOGroup Get-NetGroup Get-NetGroupMember Get-NetLocalGroup Get-NetLoggedon Get-NetOU Get-NetProcess Get-NetRDPSession Get-NetSession Get-NetShare Get-NetSite Get-NetSubnet Get-NetUser Get-ObjectAcl Get-PathAcl Get-Proxy Get-RegAlwaysInstallElevated Get-RegAutoLogon Get-SecurityPackages Get-ServiceDetail Get-ServiceFilePermission Get-ServicePermission Get-ServiceUnquoted Get-TimedScreenshot Get-UnattendedInstallFile Get-UserEvent Get-UserProperty Get-VaultCredential Get-VolumeShadowCopy Get-VulnAutoRun Get-VulnSchTask Get-Webconfig Install-ServiceBinary Install-SSP Invoke-ACLScanner Invoke-AllChecks Invoke-CheckLocalAdminAccess Invoke-CredentialInjection Invoke-DllInjection Invoke-EnumerateLocalAdmin Invoke-EventHunter Invoke-FileFinder Invoke-MapDomainTrust Invoke-Mimikatz Invoke-NinjaCopy Invoke-Portscan Invoke-ProcessHunter Invoke-ReflectivePEInjection Invoke-ReverseDnsLookup Invoke-ServiceAbuse Invoke-ShareFinder Invoke-Shellcode Invoke-TokenManipulation Invoke-UserHunter Invoke-WmiCommand Mount-VolumeShadowCopy New-ElevatedPersistenceOption New-UserPersistenceOption New-VolumeShadowCopy Out-CompressedDll Out-EncodedCommand Out-EncryptedScript Out-Minidump Remove-Comments Remove-VolumeShadowCopy Restore-ServiceBinary Set-ADObject Set-CriticalProcess 
Set-MacAttribute Set-MasterBootRecord Write-HijackDll Write-ServiceBinary Write-UserAddMSI

Dependencies

This module has no dependencies.

Release Notes

Features added:
* PowerView and PowerUp!!! Moving forward this will be the home of these projects. Thank you @harmj0y for all the work that went into integration and test writing!
* Pester tests for PowerUp, PowerView, and the CodeExecution module. Full test coverage is desired but cannot be done in the interest of time, at the moment. Moving forward, all new code must be accompanied with Pester tests.
* PowerSploit includes a .sln now for those who opt to develop PowerSploit in Visual Studio with the PowerShell Tools extension.

Enhancements:
* Invoke-Mimikatz: It now uses the latest build of mimikatz 2.0 alpha (as of 12/14/2015)
* Everything was normalized to ASCII for a consistent weaponization experience. A Pester test was written to ensure consistent, module-wide ASCII encoding.
* I removed all versioning comments from functions. Versioning is to be maintained at the module level now.
* Get-Keystrokes: Added a -PollingInterval parameter

Features/functionality removed:
* Invoke-ShellcodeMSIL was removed. This was only ever designed as a PoC capability. Invoke-Shellcode and New-FunctionDelegate (in PowerShellArsenal) more than cover the functionality offered by Invoke-ShellcodeMSIL.
* Invoke-Shellcode was modified. Metasploit integration was removed. See my blog post (http://www.exploit-monday.com/2015/12/offensive-tool-design-and-weaponization.html) which describes this rationale. The file hosting Invoke-Shellcode is no longer Invoke--Shellcode.ps1. I'm over my rage fit revolving around people downloading and executing code directly from GitHub repos.
* Invoke-ReflectivePEInjection: Removed the -PEPath and -PEUrl parameters. It now only accepts a PE as a byte array.

Bug fixes:
* Invoke-ReflectivePEInjection:
  * Fixed a casting bug which was throwing errors.
  * Added an option to not zero out the MZ signature. Clearing the PE signature prevents a PE from being loaded twice or more in succession.
  * It was failing when trying to resolve NtCreateThreadEx which is not exported by ntdll.dll in Windows XP.
* Invoke-Mimikatz:
  * Invoke-Mimikatz was failing in Windows XP due to the embedded powerkatz.dll importing ntdll!_vscwprintf which doesn't exist in Windows XP. It now works fine in Win XP.
* Invoke-WmiCommand - Fixed some Windows XP and PowerShell v2 compatibility issues
* Out-EncryptedScript - Hopefully fixed some decrypted output inconsistencies
* Add-Persistence - Fixed a bug where sometimes the persisted payload was garbled in the profile script
* Invoke-DllInjection - Fixed logic bug that would manifest itself in Windows XP.

Version History

Version                    Downloads   Last updated
3.0.0.0 (current version)  4,501       12/19/2015
1.0.0.0                    363         7/10/2014