scipag
diff --git a/‎Invoke-MimikatzNetwork.ps1
Lines changed: 3 additions & 3 deletions b/‎Invoke-MimikatzNetwork.ps1
Lines changed: 3 additions & 3 deletions
diff --git a/‎PowerShellUtilities.psd1
176 Bytes b/‎PowerShellUtilities.psd1
176 Bytes
diff --git a/‎Select-MimikatzDomainAccounts.ps1
Lines changed: 141 additions & 0 deletions b/‎Select-MimikatzDomainAccounts.ps1
Lines changed: 141 additions & 0 deletions
diff --git a/‎Select-MimikatzLocalAccounts.ps1
Lines changed: 113 additions & 0 deletions b/‎Select-MimikatzLocalAccounts.ps1
Lines changed: 113 additions & 0 deletions
diff --git a/‎Select-MimikatzPasswords.ps1
Lines changed: 0 additions & 102 deletions b/‎Select-MimikatzPasswords.ps1
Lines changed: 0 additions & 102 deletions
@@ -8,8 +8,8 @@
     Optional Dependencies: None
 #>
 
-#Requires -Version 2
-Set-StrictMode -Version 2
+#Requires -Version 5
+Set-StrictMode -Version 5
 
 function Invoke-MimikatzNetwork {
 <#
@@ -56,4 +56,4 @@ function Invoke-MimikatzNetwork {
         $EndMessage = "[*] $Time - $ComputerName done"
         $EndMessage | Tee-Object -Append -FilePath $Protocol
     }
-}
+}
@@ -0,0 +1,141 @@
+<#
+    ScipUtilities provides various utility commandlets.
+
+    Author: Eleanore Young, Michael Schneider, scip AG
+    License: MIT
+    Copyright: 2017 Eleanore Young, Michael Schneider, scip AG
+    Required Dependencies: None
+    Optional Dependencies: None
+#>
+
+#Requires -Version 5
+Set-StrictMode -Version 5
+
+function New-DomainAccountEntry {
+    [CmdletBinding()]
+    Param (
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Domain,
+
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Username,
+
+        [AllowEmptyString()]
+        [String]
+        $Password,
+
+        [AllowEmptyString()]
+        [String]
+        $NtlmHash,
+
+        [AllowEmptyString()]
+        [String]
+        $Sha1Hash
+    )
+
+    New-Object -TypeName PSObject -Prop @{
+        'Domain' = $Domain.ToUpper();
+        'Username' = $Username;
+        'Password' = $Password;
+        'NTLM' = $NtlmHash;
+        'SHA1' = $Sha1Hash;
+    }
+}
+
+
+function Select-MimikatzDomainAccounts {
+<#
+    .SYNOPSIS
+    Extract passwords or password hashes from Mimikatz log files. Developed for Mimikatz version 2.0 alpha.
+
+    .PARAMETER Path
+    Choose the path or GLOB pattern that tells the function which files to search.
+
+    .PARAMETER HashcatSelect
+    Choose to look for either passwords or hashes (ntlm and sha1).
+
+    .PARAMETER OutputTo
+    Output the results either to the console, to a format parseable in hashcat, or to CSV.
+#>
+    [CmdletBinding()]
+    Param (
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Path = "*.log",
+
+        [ValidateSet("console", "hashcat", "csv")]
+        [String]
+        $OutputTo = "console",
+
+        [ValidateSet("ntlm", "sha1")]
+        [String]
+        $HashcatSelect = "ntlm"
+    )
+
+    $DomainPasswordRegex = "\s+\*\s+Username\s+:\s+(?<username>[-_a-zA-Z0-9]+)[\r\n]+\s+\*\s+Domain\s+:\s+(?<domain>[a-zA-Z0-9]+)[\r\n]+\s+\*\s+Password\s+:\s+(?<password>(?!\(null\)).*)[\r\n]+"
+    $DomainHashRegex = "\s+\*\s+Username\s+:\s+(?<username>[-_a-zA-Z0-9]+)[\r\n]+\s+\*\s+Domain\s+:\s+(?<domain>[a-zA-Z0-9]+)[\r\n]+(\s+\*\sFlags\s+:\s+.*[\r\n]+)?\s+\*\s+NTLM\s+:\s+(?<ntlm>[0-9a-fA-F]+)[\r\n]+\s+\*\sSHA1\s+:\s+(?<sha1>[0-9a-fA-F]+)[\r\n]+"
+
+    $DomainAccounts = @{}
+    Foreach ($LogFile in Get-ChildItem -Recurse $Path) {
+        $Content = Get-Content -Raw -Path $LogFile
+
+        $DomainPasswordMatches = Select-String -InputObject $Content -AllMatches -Pattern $DomainPasswordRegex
+        if ($DomainPasswordMatches -ne $null) {
+            Foreach ($Match in $DomainPasswordMatches.Matches) {
+                $g = $Match.Groups
+                $Username = $g["username"].Value
+                if (!$DomainAccounts.ContainsKey($Username)) {
+                    $SearchEntry = New-DomainAccountEntry -Domain $g["domain"].Value -Username $Username -Password $g["password"].Value
+                    $DomainAccounts.Add($Username, $SearchEntry)
+                } else {
+                    $SearchEntry = $DomainAccounts.Get_Item($Username)
+                    $SearchEntry.Password = $g["password"].Value
+                    $DomainAccounts.Set_Item($Username, $SearchEntry)
+                }
+            }
+        } 
+
+        $DomainHashMatches = Select-String -InputObject $Content -AllMatches -Pattern $DomainHashRegex
+        if ($DomainHashMatches -ne $null) {
+            Foreach ($Match in $DomainHashMatches.Matches) {
+                $g = $Match.Groups
+                $Username = $g["username"].Value
+                if (!$DomainAccounts.ContainsKey($Username)) {
+                    $SearchEntry = New-DomainAccountEntry -Domain $g["domain"].Value -Username $Username -NtlmHash $g["ntlm"].Value -Sha1Hash $g["sha1"].Value
+                    $DomainAccounts.Add($Username, $SearchEntry)
+                } else {
+                    $SearchEntry = $DomainAccounts.Get_Item($Username)
+                    $SearchEntry.NTLM = $g["ntlm"].Value
+                    $SearchEntry.SHA1 = $g["sha1"].Value
+                    $DomainAccounts.Set_Item($Username, $SearchEntry)
+                }
+            }
+        }
+    }
+    
+    if ($DomainAccounts.Count -eq 0) {
+        Write-Warning "Could not find any domain accounts."
+    } else {
+        $DomainAccounts = ($DomainAccounts.Values | Sort-Object -Property Username)
+    }
+
+    if ($OutputTo -eq "csv") {
+        $DomainAccounts | ConvertTo-Csv -NoTypeInformation
+    } elseif ($OutputTo -eq "hashcat") {
+        if ($HashcatSelect -eq "ntlm") {
+            Foreach ($Entry in $DomainAccounts) {
+                $Entry.Username + ":" + $Entry.NTLM
+            }
+        } elseif ($HashcatSelect -eq "sha1") {
+            Foreach ($Entry in $DomainAccounts) {
+                $Entry.Username + ":" + $Entry.SHA1
+            }
+        } else {
+            throw "Format '$HashcatSelect' doesn't make sense for hashcat output."
+        }
+    } else {
+        $DomainAccounts | Format-Table
+    }
+}
@@ -0,0 +1,113 @@
+<#
+    ScipUtilities provides various utility commandlets.
+
+    Author: Eleanore Young, Michael Schneider, scip AG
+    License: MIT
+    Copyright: 2017 Eleanore Young, Michael Schneider, scip AG
+    Required Dependencies: None
+    Optional Dependencies: None
+#>
+
+#Requires -Version 5
+Set-StrictMode -Version 5
+
+function New-LocalAccountEntry {
+    [CmdletBinding()]
+    Param (
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Hostname,
+
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Username,
+
+        [AllowEmptyString()]
+        [String]
+        $LmHash,
+
+        [AllowEmptyString()]
+        [String]
+        $NtlmHash
+    )
+
+    New-Object -TypeName PSObject -Prop @{
+        'Hostname' = $Hostname;
+        'Username' = $Username;
+        'LM' = $LmHash;
+        'NTLM' = $NtlmHash;
+    }
+}
+
+function Select-MimikatzLocalAccounts {
+<#
+    .SYNOPSIS
+    Extract passwords or password hashes from Mimikatz log files. Developed for Mimikatz version 2.0 alpha.
+
+    .PARAMETER Path
+    Choose the path or GLOB pattern that tells the function which files to search.
+
+    .PARAMETER HashcatSelect
+    Choose to look for either passwords or hashes (ntlm and sha1).
+
+    .PARAMETER OutputTo
+    Output the results either to the console, to a format parseable in hashcat, or to CSV.
+#>
+    [CmdletBinding()]
+    Param (
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Path = "*.log",
+
+        [ValidateSet("console", "hashcat", "csv")]
+        [String]
+        $OutputTo = "console",
+
+        [ValidateSet("ntlm", "lm")]
+        [String]
+        $HashcatSelect = "ntlm"
+    )
+
+    $LocalHashRegex = "lsadump::sam[\r\n]+Domain\s+:\s+(?<host>[-_a-zA-Z0-9]+)[\r\n]+SysKey.*[\r\n]+Local\sSID.*[\r\n]+SAMKey.*[\r\n]+(?:RID.*[\r\n]*User\s+:\s+(?<username>[-_a-zA-Z0-9]+)[\r\n]+LM\s+:\s+(?<lm>[0-9a-fA-F]*)[\r\n]+NTLM\s+:\s+(?<ntlm>[0-9a-fA-F]*)[\r\n]+)+"
+
+    $LocalAccounts = New-Object System.Collections.Generic.List[System.Object]
+    Foreach ($LogFile in Get-ChildItem -Recurse $Path) {
+        $Content = Get-Content -Raw -Path $LogFile
+
+        $LocalHashMatches = Select-String -InputObject $Content -AllMatches -Pattern $LocalHashRegex
+        if ($LocalHashMatches -ne $null) {
+            Foreach ($Match in $LocalHashMatches.Matches) {
+                $Hostname = $Match.Groups["host"].Value
+                For ($i=0; $i -lt $Match.Groups["username"].Captures.Count; $i++) {
+                    $Username = $Match.Groups["username"].Captures[$i].Value
+                    $LmHash = $Match.Groups["lm"].Captures[$i].Value
+                    $NtlmHash = $Match.Groups["ntlm"].Captures[$i].Value
+                    $SearchEntry = New-LocalAccountEntry -Hostname $Hostname -Username $Username -LmHash $LmHash -NtlmHash $NtlmHash
+                    $LocalAccounts.Add($SearchEntry)
+                }
+            }
+        }
+    }
+    
+    if ($LocalAccounts.Count -eq 0) {
+        Write-Warning "Could not find any local accounts with password hashes."
+    }
+
+    if ($OutputTo -eq "csv") {
+        $LocalAccounts | ConvertTo-Csv -NoTypeInformation
+    } elseif ($OutputTo -eq "hashcat") {
+        if ($HashcatSelect -eq "ntlm") {
+            Foreach ($Entry in $LocalAccounts) {
+                $Entry.Username + ":" + $Entry.NTLM
+            }
+        } elseif ($HashcatSelect -eq "lm") {
+            Foreach ($Entry in $LocalAccounts) {
+                $Entry.Username + ":" + $Entry.LM
+            }
+        } else {
+            throw "Format '$HashcatSelect' doesn't make sense for hashcat output."
+        }
+    } else {
+        $LocalAccounts | Format-Table
+    }
+}