• Stars
    star
    130
  • Rank 277,575 (Top 6 %)
  • Language
    PowerShell
  • License
    BSD 3-Clause "New...
  • Created over 6 years ago
  • Updated about 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

The PowerThIEf, an Internet Explorer Post Exploitation library

Invoke-PowerThIEf 2018 Nettitude

An IE Post Exploitation Library released at Steelcon in Sheffield 7th July 2018.

Written by Rob Maslen @rbmaslen

Examples

Capturing credentials entered via LastPass

Migrating a PoshC2 implant into IExplore.exe

Extracting a "secret" from a page

Usage

First import the module using . .\Invoke-PowerThIEf.ps1 then use any of the following commands.

List all currently open browser windows/tabs

List URLs for all current IE browser sessions, result will contain the BrowserIndex used by other actions

Invoke-PowerThIEf -action ListUrls

Capturing credentials in transit

Automatically scan any windows or tabs for login forms and then record what gets posted. A notification will appear when some have arrived.

Invoke-PowerThIEf -action HookLoginForms 

List any creds that have been captured.

Invoke-PowerThIEf -action Creds 

Have IExplore.exe load a DLL of your choosing (must be x64)

Launch the DLL(x64) specified by the PathPayload param in IE's process

Invoke-PowerThIEf -action ExecPayload -PathPayload <path to the payload DLL(x64)>

Invoking JavaScript

Invoke JavaScript in all currently opened IE windows and tabs

Invoke-PowerThIEf -action InvokeJS -Script <JavaScript to run>

Invoke-PowerThIEf -action InvokeJS -Script 'alert(document.location.href);'

Invoke JavaScript in the selected IE window or tab.

Invoke-PowerThIEf -action InvokeJS -BrowserIndex <BrowserIndex> -Script\<JavaScript to run>

Dumping HTML

Dump HTML from all currently opened IE windows/tabs

Invoke-PowerThIEf -action DumpHtml

Dump HTML from the selected IE window or tab.

Invoke-PowerThIEf -action DumpHTML -BrowserIndex <BrowserIndex>

Dump HTML from all tags of <type> in the DOM of the selected IE window or tab. Use ListUrls to get the BrowserIndex to identify the Window/Tab

Invoke-PowerThIEf -action DumpHTML -BrowserIndex <BrowserIndex> -SelectorType tag -Selector <type>

Invoke-PowerThIEf -action DumpHTML -BrowserIndex <BrowserIndex> -SelectorType tag -Selector div

Dump HTML from any tag with the <id> found in the DOM of the selected IE window or tab. Use ListUrls to get the BrowserIndex to identify the Window/Tab

Invoke-PowerThIEf -action DumpHTML -BrowserIndex <BrowserIndex> -SelectorType id -Selector <id>

Invoke-PowerThIEf -action DumpHTML -BrowserIndex <BrowserIndex> -SelectorType id -Selector idfirstdiv

Dump HTML from any tag with the <name> found in the DOM of the selected IE window or tab. Use ListUrls to get the BrowserIndex to identify the Window/Tab

Invoke-PowerThIEf -action DumpHTML -BrowserIndex <BrowserIndex> -SelectorType name -Selector <name>

Invoke-PowerThIEf -action DumpHTML -BrowserIndex <BrowserIndex> -SelectorType name -Selector namefirstdiv

Showing/Hiding Windows

Set to visible all IE windows/tabs

Invoke-PowerThIEf -action ShowWindow

Set the selected window/tab to be visible.

Invoke-PowerThIEf -action ShowWindow -BrowserIndex <BrowserIndex>

Hide all currently opened IE windows/tabs

Invoke-PowerThIEf -action HideWindow

Hide the selected window/tab. Use ListUrls to get the BrowserIndex to identify the Window/Tab

Invoke-PowerThIEf -action HideWindow -BrowserIndex <BrowserIndex>

Navigating the browser

Navigate all currently opened IE windows/tabs to the <URL>

Invoke-PowerThIEf -action Navigate -NavigateUrl <URL> 

Navigate all currently opened IE windows/tabs to the <URL>. Use ListUrls to get the BrowserIndex to identify the Window/Tab

Invoke-PowerThIEf -action Navigate -BrowserIndex <BrowserIndex> -NavigateUrl <URL> 

Navigate all currently opened IE windows/tabs to the <URL>. Use ListUrls to get the BrowserIndex to identify the Window/Tab

Invoke-PowerThIEf -action Navigate -BrowserIndex <BrowserIndex> -NavigateUrl <URL> 

Background tabs

Open a new background tab in the window that the <BrowserIndex> is in.

Invoke-PowerThIEf -action NewBackgroundTab -BrowserIndex <BrowserIndex>

License

FreeBSD 3

More Repositories

1

PoshC2

A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.
PowerShell
1,767
star
2

xss_payloads

Exploitation for XSS
PHP
697
star
3

PoshC2_Old

Powershell C2 Server and Implants
PowerShell
574
star
4

SharpSocks

Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
C#
472
star
5

SharpWSUS

C#
429
star
6

RunPE

C# Reflective loader for unmanaged binaries.
C#
416
star
7

SimplePELoader

In-Memory PE Loader
C++
366
star
8

Prowl

Python
275
star
9

ETWHash

C# POC to extract NetNTLMv1/v2 hashes from ETW provider
C#
248
star
10

MalSCCM

C#
241
star
11

scrounger

Mobile application testing toolkit
Python
237
star
12

ShellcodeMutator

Python
232
star
13

Aladdin

C#
212
star
14

Tartarus-TpAllocInject

C++
172
star
15

RunOF

C#
138
star
16

DLLInjection

DLL Injection Library & Tools
C++
70
star
17

SharpConflux

C#
63
star
18

zeropress

A dumb script for finding dumb coding errors in WordPress plugins
Python
55
star
19

CVE-2024-20356

This is a proof of concept for CVE-2024-20356, a Command Injection vulnerability in Cisco's CIMC.
Python
47
star
20

CVE-2024-25153

Proof-of-concept exploit for CVE-2024-25153.
Python
43
star
21

defensive-scripts

Defence Against the Dark Arts
34
star
22

InlineFunctionHooking

Windows Inline function hooking library targeted at MSVC
C
28
star
23

pwnlyoffice

Exploit ONLYOFFICE Implementations
JavaScript
24
star
24

PoshC2_IOCs

A list of IOCs applicable to PoshC2
YARA
23
star
25

SyscallsExtractor

C#
23
star
26

logparser

SQL scripts for querying event logs
21
star
27

yasha

Python
18
star
28

metasploit-modules

Modules created by Nettitude for Metasploit
Ruby
12
star
29

hyperv-driver-thread-detection-poc

hyperv-driver-thread-detection-poc
C#
11
star
30

PoshC2_Shellcode

Supporting projects for PoshC2
C
11
star
31

CVE-2022-23253-PoC

CVE-2022-23253 PoC
Python
5
star
32

PoshC2_Linux_Implant

C
4
star
33

PBind

PBind payloads for PoshC2
C#
2
star
34

secure-development-training

PHP
2
star
35

PoshC2_Core

C#
1
star
36

FComm

FComm payloads for PoshC2
C#
1
star