Weird behaviour observed when using PowerShdll about winpwn HOT 9 CLOSED

Excellent blog posts mate. Thank you for awesome contributions.

from winpwn.

Hey,

The parameters are correct if you want to use Domainreconmodules.

DomainReconmodules will most likely run a very long time with theese parameters depending on the domain size, especially the search for network shares takes much time here. Take a look at the code, the WinPwn function calls the Domainreconmodules function and Domainreconmodules calls different sub-functions like generaldomaininfo, shareenumeration, powerSQL, printercheck and so on with the corresponding parameters:

So you could also use them as standalone functions depending on what you want to do:

powerSQL -noninteractive - PowerUPSQL Checks

snaffler -noninteractive -consoleoutput - snaffler without questions and with consoleoutput

generaldomaininfo -noninteractive -consoleoutput - All those text file information which is normally generated in the Domainrecon Folder

Your error messages look like some of the scripts used by Domainreconmodules have problems in your environment, but i didn´t see theese messages so far anywhere. Didn´t use the Offline version in combination with PowerShdll so till now.

You could try all the subfunctions of generaldomainInfo and tell me which one of it has this problem.

Greetings

from winpwn.

Ah excellent will definitely give it a try and let you know which parameters could potentially present issues. Thanks again for your great help.
Yes I thought you would be interested in knowing the pre-conditions on how WinPwn is being used i am engaged in a locked down environment at the moment so was interested in seeing how WinPwn would behave.
Cheers

from winpwn.

Ok buddy,

Seems that Powershdll doesn't handle the console output properly so you actually need to push all the WInPwn output to a file and only then can i go through the findings

`PS H:\Desktop2019>WinPwn -noninteractive -consoleoutput -Privesc >WinPwn_Privesc_output.txt`

otherwise i get this below

PS H:\Desktop2019>WinPwn -noninteractive -Privesc
A positional parameter cannot be found that accepts argument 'proxy.redacted.local:80'.

PS H:\Desktop2019>WinPwn -noninteractive -consoleoutput -Privesc 
Cannot find drive. A drive with the name 'blahblahblah' does not exist.

Will continue to test on target while i can and update.

Cheers

from winpwn.

I am interested in how WinPwn is used and i am interested in how it behaves in different situations, this could also happen to me sometime. I just tried to replicate this using PowerShdll but i can´t even load WinPwn in its runspace. You could also try other open source alternatives like MsBuildshell, just replace the AMSI Bypass Namespace and Class name with random names. There are several projects like PowerLessShell, nopowershell Stracciatella and more. You will get the output from other tools including error messages in the MsBuildShell.

from winpwn.

Awesome thanks mate. Definitely will try the alternatives. Just as a heads up and interesting thing to note, i also used PowerSharpPack and found that the PowerSharpPack.ps1 gets flagged by AMSI but lets all the other binaries through LOL.

from winpwn.

Thats because i didn´t change the AMSITrigger there so far, it´s explained in one of my blog posts here:

https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/

I switched all scripts to gzip compression yesterday so at this time they are not flagged but they will get flagged in the near future again ;-)

from winpwn.

Tried out MSBuildSell and it works great on my lab test machine, but as soon as i attempt to run it on my target for some reason there seems to be build errors occuring. Mind you i am launching this via PowerShdll. So tomorrow will test out by launching commands from a batch script and see if that works. Will keep you posted

from winpwn.

If you encounter new behaviours feel free to reopen.

from winpwn.