cfalta / PowerShellArmoury

A PowerShell armoury for security guys and girls
Apache License 2.0
458 stars 67 forks

ADRecon and Powercat... #2

Closed mathurin1968 closed 4 years ago

mathurin1968 commented 4 years ago

Love this!

Playing around with this in a lab... any reason that adrecon.ps1 or powercat.ps1 wouldn't work?

I added it like this:

```json
"FileExclusionFilter": ""
},
{
  "Name": "ADRecon",
  "Type": "GitHubItem",
  "URL": "https://github.com/sense-of-security/ADRecon/blob/master/ADRecon.ps1",
  "FileInclusionFilter": "*.ps1",
  "FileExclusionFilter": ""
},
{
  "Name": "Powercat",
  "Type": "GitHubItem",
  "URL": "https://github.com/besimorhino/powercat/blob/master/powercat.ps1",
  "FileInclusionFilter": "*.ps1",
  "FileExclusionFilter": ""
}
]
```

And they appear to be loaded:

```
PS C:\Users\matt_\Documents\WindowsPowerShell\PowerShellArmoury> Get-PSArmoury
Find-AVSignature.ps1
Invoke-DllInjection.ps1
Invoke-ReflectivePEInjection.ps1
Invoke-Shellcode.ps1
Invoke-WmiCommand.ps1
Get-GPPAutologon.ps1
Get-GPPPassword.ps1
Get-Keystrokes.ps1
Get-MicrophoneAudio.ps1
Get-TimedScreenshot.ps1
Get-VaultCredential.ps1
Invoke-CredentialInjection.ps1
Invoke-Mimikatz.ps1
Invoke-NinjaCopy.ps1
Invoke-TokenManipulation.ps1
Out-Minidump.ps1
VolumeShadowCopyTools.ps1
Get-System.ps1
PowerUp.ps1
Get-ComputerDetail.ps1
Get-HttpStatus.ps1
Invoke-CompareAttributesForClass.ps1
Invoke-Portscan.ps1
Invoke-ReverseDnsLookup.ps1
PowerView.ps1
Out-CompressedDll.ps1
Out-EncodedCommand.ps1
Out-EncryptedScript.ps1
Remove-Comment.ps1
Invoke-SMBClient.ps1
Invoke-SMBEnum.ps1
Invoke-SMBExec.ps1
Invoke-TheHash.ps1
Invoke-WMIExec.ps1
Inveigh-Relay.ps1
Inveigh.ps1
Invoke-DNSUpdate.ps1
Powermad.ps1
SharpHound.ps1
Invoke-Profiler.ps1
Invoke-Rubeus.ps1
ADRecon.ps1
powercat.ps1
```

But the PS session can't seem to find either ADRecon or powercat...

https://github.com/besimorhino/powercat
https://github.com/sense-of-security/ADRecon

cfalta commented 4 years ago

Hi, great to hear that you like PSArmoury :-)

Well there are two problems here. First, when using "GitHubItem" as a repository type, you need to supply the URL to the raw file. So in your case it would be:

https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1
https://raw.githubusercontent.com/sense-of-security/ADRecon/master/ADRecon.ps1

The reason is that "GitHubItem", as opposed to "GitHubRepo", does not find the files via the GitHub API. It just invokes a simple web download and adds the authentication token so that you are not blocked if you run too many requests. Therefore, you have to provide the correct URL yourself. Try this with Powercat and it should work.

ADRecon, on the other hand, also has a second problem, since it is a plain script file and not a function. PSArmoury requires functions because the loader it generates simply decrypts the content and pipes it into Invoke-Expression. A simple workaround you can do yourself would be to download ADRecon manually and add a function header to the script file; then include it in the PSArmoury config with the "LocalFile" repository type and the local path (e.g. C:\temp\Adrecon.ps1) to the customized version you created. Not perfect, but it will work.

Hope this helps. Let me know if there's anything else you'd like to know.

Regards, Christoph
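The two fixes in the reply above (raw URL for "GitHubItem", function header plus "LocalFile" for a plain script) as a small PowerShell helper. This is an added example, not code from PSArmoury or from either participant. Assumed, not from the page: the wrapper function name Invoke-ADRecon, the constructed sample script used so the wrapping step runs offline, and the use of the "URL" key to carry a "LocalFile" path (the page only names the type, so check the PSArmoury README for the real key).

```powershell
# Added example, not code from PSArmoury or from this thread. It automates the
# two fixes described above: rewriting a github.com "blob" link into the raw
# download URL that the "GitHubItem" type expects, and wrapping a plain script
# in a function header so that the generated loader, which pipes the decrypted
# content into Invoke-Expression, defines a function instead of running the
# script at load time. Assumed (not from the page): the function name
# Invoke-ADRecon, the sample script below, and the use of the "URL" key for a
# "LocalFile" path; check the PSArmoury README for the actual key name.

function ConvertTo-RawGitHubUrl {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Url)

    # https://github.com/<owner>/<repo>/blob/<ref>/<path>
    #   -> https://raw.githubusercontent.com/<owner>/<repo>/<ref>/<path>
    # <ref> is kept as-is, so pass a commit SHA instead of "master" if you want
    # the armoury to keep pulling the same bytes on every rebuild.
    $blob = '^https://github\.com/(?<owner>[^/]+)/(?<repo>[^/]+)/blob/(?<ref>[^/]+)/(?<path>.+)$'
    if ($Url -match $blob) {
        return 'https://raw.githubusercontent.com/{0}/{1}/{2}/{3}' -f $Matches.owner, $Matches.repo, $Matches.ref, $Matches.path
    }
    if ($Url -like 'https://raw.githubusercontent.com/*') { return $Url }
    throw "Not a GitHub file URL: $Url"
}

function ConvertTo-FunctionScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Code,          # raw script text
        [Parameter(Mandatory)][string]$FunctionName,
        [Parameter(Mandatory)][string]$OutFile
    )

    # '#Requires' is a script-level directive that is not allowed inside a
    # function body, so drop those lines and report them for manual checking.
    $lines    = $Code -split "`r?`n"
    $requires = @($lines | Where-Object { $_ -match '^\s*#Requires' })
    $body     = ($lines | Where-Object { $_ -notmatch '^\s*#Requires' }) -join "`n"

    # A leading param() block becomes the function's own param block, so the
    # script's original switches stay usable as function parameters.
    $wrapped = "function $FunctionName {`n$body`n}`n"

    # Check before shipping: the result must parse and must define exactly one
    # top-level function. A parse error here usually means something other than
    # comments precedes the script's param() block.
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($wrapped, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) { throw "Wrapped script does not parse: $($errors[0].Message)" }
    $funcs = $ast.FindAll({ param($n) $n -is [System.Management.Automation.Language.FunctionDefinitionAst] }, $false)
    if ($funcs.Count -ne 1) { throw "Expected one top-level function, found $($funcs.Count)" }

    Set-Content -Path $OutFile -Value $wrapped -Encoding UTF8
    [pscustomobject]@{ Function = $FunctionName; Path = $OutFile; SkippedRequires = $requires }
}

function New-LocalFileEntry {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Path)
    # "LocalFile" is the repository type named above; putting the local path in
    # the "URL" key mirrors the GitHubItem entries and is an assumption.
    [ordered]@{
        Name = $Name; Type = 'LocalFile'; URL = $Path
        FileInclusionFilter = '*.ps1'; FileExclusionFilter = ''
    } | ConvertTo-Json
}

# --- Usage -------------------------------------------------------------------
ConvertTo-RawGitHubUrl -Url 'https://github.com/besimorhino/powercat/blob/master/powercat.ps1'

# Constructed stand-in for a plain script (param block, #Requires, top-level
# code) so the wrapping step can be tried offline. For a real script, replace
# $sample with (Invoke-WebRequest -UseBasicParsing -Uri (ConvertTo-RawGitHubUrl -Url '<blob URL>')).Content
$sample = @'
#Requires -Version 3.0
[CmdletBinding()]
param([string]$DomainController = '', [switch]$Quiet)
Write-Output "would run against '$DomainController'"
'@
$result = ConvertTo-FunctionScript -Code $sample -FunctionName 'Invoke-ADRecon' -OutFile "$env:TEMP\Invoke-ADRecon.ps1"
New-LocalFileEntry -Name 'ADRecon' -Path $result.Path

# Same thing the PSArmoury loader does: evaluate the text, after which the
# function exists in the session instead of the script having run.
Invoke-Expression (Get-Content -Path $result.Path -Raw)
Invoke-ADRecon -DomainController 'dc01'
```

The parse-and-count check is the part worth keeping: it fails loudly when the downloaded script puts statements before its param() block (which would make the wrapped function invalid) or when the file already defines a top-level function and needs no wrapper. Scripts that locate themselves on disk via $PSScriptRoot or $MyInvocation will still need hand editing, since after Invoke-Expression there is no script file to point at.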

mathurin1968 commented 4 years ago

Christoph, thank you so much for your response and explanation, it really means a lot! OK, got it working. Once I finish the class I'm in, I'll need to go back through your script and see how you worked all the magic behind the scenes, amazing work!

cfalta commented 4 years ago

No magic at all, but thanks ;-)