PowerShell Red Team: PowerShell functions for Red Team to collect data from a machine

PowerShell Red Team Enum

Collection of PowerShell functions a Red Teamer may use to collect data from a machine or gain access to a target. I added ps1 files for the commands that are included in the RedTeamEnum module. This will allow you to easily find and use only one command if that is all you want. If you want the entire module performs the following actions after downloading the RedTeamEnum directory and contents to your device.

C:\PS> robocopy .\RedTeamEnum $env:USERPROFILE\Documents\WindowsPowerShell\Modules\RedTeamEnum *

# This will copy the module to a location that allows you to easily import it. If you are using OneDrive sync you may need to use $env:USERPROFILE\OneDrive\Documents\WindowsPowerShell\Modules\RedTeamEnum instead.



C:\PS> Import-Module -Name RedTeamEnum -Verbose

# This will import all the commands in the module. 



C:\PS> Get-Command -Module RedTeamEnum

# This will list all the commands in the module.

• Convert-Base64.psm1 is a function as the name states for encoding and/or decoding text into the Base64 format.

• Convert-SID.ps1 is a function that converts SID values to usernames and usernames to SID values

• Test-BruteZipPassword is a function that uses a password file to brute force a password protected zip file using 7zip

• Test-BruteForceCredentials is a function that uses WinRM to brute force a user’s password.

• Get-LdapInfo is a function I am very proud of for performing general LDAP queries. Although only two properties will show in the output, all of the properties associated with objects can be seen by piping to Select-Object -Property * or using the -Detailed switch parameter.

• Get-NetworkShareInfo is a cmdlet that is used to retrieve information and/or brute force discover network shares available on a remote or local machine

• Test-PrivEsc is a function that can be used for finding whether WSUS updates over HTTP are vulnerable to PrivEsc, Clear Text credentials are stored in common places, AlwaysInstallElevated is vulnerable to PrivEsc, Unquoted Service Paths exist, and enum of possible weak write permissions for services.

• Get-InitialEnum is a function for enumerating the basics of a Windows Operating System to help better display possible weaknesses.

• Start-SimpleHTTPServer is a function used to host an HTTP server for downloading files. It is meant to be similar to the pythons SimpleHTTPServer module. Directories are not traversable through the webserver. The files that will be hosted for download will be from the current directory you are in when issuing this command.

• Invoke-PortScan.ps1 is a function for scanning all possible TCP ports on a target. I will improve in future by including UDP as well as the ability to define a port range. This one is honestly not even worth using because it is very slow. Threading is a weak area of mine and I plan to work on that with this one.

• Invoke-PingSweep is a function used for performing a ping sweep of a subnet range.

• Invoke-UseCreds is a function I created to simplify the process of using obtained credentials during a pen test. I use -Passwd instead of -Password because that parameter when defined should be configured as a secure string which is not the case when entering a value into that filed with this function. It gets converted to a secure string after you set that value.

• Invoke-FodHelperBypass is a function that tests whether or not the UAC bypass will work before executing it to elevate privileges. This of course needs to be run by a member of the local administrator group as this bypass elevates the privileges of the shell you are in. You can define the program to run which will allow you to execute generate msfvenom payloads as well as cmd or powershell or just issuing commands.

• Invoke-InMemoryPayload is used for AV Evasion using an In-Memory injection. This will require the runner to generate a msfvenom payload using a command similar to the example below, and entering the “[Byte[]] $buf” variable into the Invoke-InMemoryPayloads “ShellCode” parameter.

Start a listener, use that value in the “ShellCode” parameter, and run the command to gain your shell. This will also require certain memory protections to not be enabled. NOTE: Take note there are NOT ANY DOUBLE QUOTES around the ShellCode variables value. This is because it is expecting a byte array.

Copyright (c) 2019 Robert H. Osborne

Source: https://github.com/tobor88/