PowerSploit

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid reverse engineers, forensic analysts, and penetration testers during all phases of an assessment. PowerSploit consists of the following modules and scripts:

CodeExecution
Execute code on a target machine.

Invoke-DllInjection
Injects a DLL into the process ID of your choosing.

Invoke-ReflectivePEInjection
Reflectively loads a Windows PE file (DLL/EXE) into the PowerShell process, or reflectively injects a DLL into a remote process.

Invoke-Shellcode
Injects shellcode into the process ID of your choosing or within PowerShell locally.

Invoke-ShellcodeMSIL
Execute shellcode within the context of the running PowerShell process without making any Win32 function calls.

Watch-BlueScreen
Cause a blue screen to occur (Windows 7 and below).

ScriptModification
Modify and/or prepare scripts for execution on a compromised machine.

Out-EncodedCommand
Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.

Out-CompressedDll
Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.

Out-EncryptedScript
Encrypts text files/scripts.

Remove-Comments
Strips comments and extra whitespace from a script.

Persistence
Add persistence capabilities to a PowerShell script.

New-UserPersistenceOptions
Configure user-level persistence options for the Add-Persistence function.

New-ElevatedPersistenceOptions
Configure elevated persistence options for the Add-Persistence function.

Add-Persistence
Add persistence capabilities to a script.

PETools
Parse/manipulate Windows portable executables.

Get-PEHeader
An in-memory and on-disk PE parsing utility.

Get-ObjDump
Displays information about one or more Windows object files.

Get-LibSymbols
Displays symbolic information from Windows lib files.

Get-DllLoadPath
Returns the path from which Windows will load a DLL for the given executable.

Capstone
A PowerShell binding for the Capstone Engine disassembly framework.

Get-CSDisassembly
Disassembles a byte array using the Capstone Engine disassembly framework.

ReverseEngineering
Tools to aid in reverse engineering.

Get-PEB
Returns the process environment block (PEB) of a process.

Get-ILDisassembly
Disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.

Get-NtSystemInformation
A utility that calls and parses the output of the ntdll!NtQuerySystemInformation function. This utility can be used to query internal OS information that is typically not made visible to a user.

Get-StructFromMemory
Marshals data from an unmanaged block of memory in an arbitrary process to a newly allocated managed object of the specified type.

Get-Member
A proxy function used to extend the built-in Get-Member cmdlet. It adds the '-Private' parameter, allowing you to display non-public .NET members.

New-Object
A proxy function for New-Object that accepts a CLSID with the -ComObject parameter.

Get-Strings
Dumps strings from files in both Unicode and ASCII. This cmdlet replicates the functionality of strings.exe from Sysinternals.

ConvertTo-String
Converts the bytes of a file to a string that has a 1-to-1 mapping back to the file's original bytes. ConvertTo-String is useful for performing binary regular expressions.

Get-MethodAddress
Get the unmanaged function address of a .NET method.

Register-ProcessModuleTrace
Starts a trace of loaded process modules.

Get-ProcessModuleTrace
Displays the process modules that have been loaded since the call to Register-ProcessModuleTrace.

Unregister-ProcessModuleTrace
Stops the running process module trace.

AntivirusBypass
AV doesn't stand a chance against PowerShell!

Find-AVSignature
Locates single-byte AV signatures using the same method as DSplit from "class101".

Exfiltration
All your data belong to me!

Invoke-TokenManipulation
Lists available logon tokens, creates processes with other users' logon tokens, and impersonates logon tokens in the current thread.

Inject-LogonCredentials
Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).

Invoke-NinjaCopy
Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.

Invoke-Mimikatz
Reflectively loads Mimikatz 1.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz.

Get-Keystrokes
Logs keys pressed, time and the active window.

Get-GPPPassword
Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.

Get-TimedScreenshot
A function that takes screenshots at a regular interval and saves them to a folder.

Out-Minidump
Generates a full-memory minidump of a process.

Recon
Tools to aid in the reconnaissance phase of a penetration test.

Invoke-Portscan
Does a simple port scan using regular sockets, based (pretty) loosely on nmap.

Get-HttpStatus
Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file.

Invoke-ReverseDnsLookup
Scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test.