metasploit-gs/data/post/powershell/SharpHound.ps1

function Invoke-BloodHound
{
    <#
    .SYNOPSIS
        Runs the BloodHound C# Ingestor using reflection. The assembly is stored in this file.
    .DESCRIPTION
        Using reflection and assembly.load, load the compiled BloodHound C# ingestor into memory
        and run it without touching disk. Parameters are converted to the equivalent CLI arguments
        for the SharpHound executable and passed in via reflection. The appropriate function
        calls are made in order to ensure that assembly dependencies are loaded properly.
    .PARAMETER CollectionMethod
        Specifies the CollectionMethod being used. Possible value are:
            Group - Collect group membership information
            LocalGroup - Collect local group information for computers
            LocalAdmin - Collect local admin users for computers
            RDP - Collect remote desktop users for computers
            DCOM - Collect distributed COM users for computers
            PSRemote - Collected members of the Remote Management Users group for computers
            Session - Collect session information for computers
            Trusts - Enumerate domain trust data
            ACL - Collect ACL (Access Control List) data
            Container - Collect GPO/OU Data
            ComputerOnly - Collects Local Group and Session data
            GPOLocalGroup - Collects Local Group information using GPO (Group Policy Objects)
            LoggedOn - Collects session information using privileged methods (needs admin!)
            ObjectProps - Collects node property information for users and computers
            SPNTargets - Collects SPN targets (currently only MSSQL)
            Default - Collects Group Membership, Local Admin, Sessions, Containers, ACLs and Domain Trusts
            DcOnly - Collects Group Membership, ACLs, ObjectProps, Trusts, Containers, and GPO Admins
            All - Collect all data
        This can be a list of comma seperated valued as well to run multiple collection methods!
    .PARAMETER Domain
        Specifies the domain to enumerate. If not specified, will enumerate the current
        domain your user context specifies.
    .PARAMETER SearchForest
        Search all trusted domains in the forest.
    .PARAMETER Stealth
        Use stealth collection options, will sacrifice data quality in favor of much reduced
        network impact
    .PARAMETER LdapFilter
        Append this ldap filter to the search filter to further filter the results enumerated
    .PARAMETER DistinguishedName
        DistinguishedName to start LDAP searches at. Equivalent to the old -Ou option
    .PARAMETER ComputerFile
        A file containing a list of computers to enumerate. This option can only be used with the following Collection Methods:
        Session, Session, LocalGroup, ComputerOnly, LoggedOn
    .PARAMETER OutputDirectory
        Folder to output files too
    .PARAMETER OutputPrefix
        Prefix to add to output files
    .PARAMETER CacheName
        Name for the cache file dropped to disk (default: unique hash generated per machine)
    .PARAMETER MemCache
        Don't write the cache file to disk. Caching will still be performed in memory.
    .PARAMETER RebuildCache
        Invalidate and rebuild the cache file
    .PARAMETER RandomFileNames
        Randomize file names completely
    .PARAMETER ZipFilename
        Name for the zip file output by data collection
    .PARAMETER NoZip
        Do NOT zip the json files
    .PARAMETER ZipPassword
        Encrypt the zip file with the specified password
    .PARAMETER TrackComputerCalls
        Write a CSV file with the results of each computer API call to disk
    .PARAMETER PrettyPrint
        Output "pretty" json with formatting for readability
    .PARAMETER LdapUsername
        Username for connecting to LDAP. Use this if you're using a non-domain account for connecting to computers
    .PARAMETER LdapPassword
        Password for connecting to LDAP. Use this if you're using a non-domain account for connecting to computers
    .PARAMETER DomainController
        Domain Controller to connect too. Specifiying this can result in data loss
    .PARAMETER LdapPort
        Port LDAP is running on. Defaults to 389/686 for LDAPS
    .PARAMETER SecureLDAP
        Connect to LDAPS (LDAP SSL) instead of regular LDAP
    .PARAMETER DisableCertVerification
        Disable certificate verification for secure LDAP
    .PARAMETER DisableSigning
        Disables keberos signing/sealing, making LDAP traffic viewable
    .PARAMETER SkipPortCheck
        Skip SMB port checks when connecting to computers
    .PARAMETER PortScanTimeout
        Timeout for port checks
    .PARAMETER SkipPasswordCheck
        Skip checking of PwdLastSet time for computer scanning
    .PARAMETER ExcludeDCs
        Exclude domain controllers from enumeration (usefult o avoid Microsoft ATP/ATA)
    .PARAMETER Throttle
        Throttle requests to computers (in milliseconds)
    .PARAMETER Jitter
        Add jitter to throttle
    .PARAMETER Threads
        Number of threads to run enumeration with (Default: 50)
    .PARAMETER SkipRegistryLoggedOn
        Disable remote registry check in LoggedOn collection
    .PARAMETER OverrideUserName
        Override username to filter for NetSessionEnum
    .PARAMETER RealDNSName
        Overrides the DNS name used for API calls
    .PARAMETER CollectAllProperties
        Collect all string LDAP properties on objects
    .PARAMETER Loop
        Perform looping for computer collection
    .PARAMETER LoopDuration
        Duration to perform looping (Default 02:00:00)
    .PARAMETER LoopInterval
        Interval to sleep between loops (Default 00:05:00)
    .PARAMETER StatusInterval
        Interval for displaying status in milliseconds
    .PARAMETER Verbosity
        Change verbosity of output. Default 2 (lower is more)
    .PARAMETER Help
        Display this help screen
    .PARAMETER Version
        Display version information
    .EXAMPLE
        PS C:\> Invoke-BloodHound
        Executes the default collection options and exports JSONs to the current directory, compresses the data to a zip file,
        and then removes the JSON files from disk
    .EXAMPLE
        PS C:\> Invoke-BloodHound -Loop -LoopInterval 00:01:00 -LoopDuration 00:10:00
        Executes session collection in a loop. Will wait 1 minute after each run to continue collection
        and will continue running for 10 minutes after which the script will exit
    .EXAMPLE
        PS C:\> Invoke-BloodHound -CollectionMethod All
        Runs ACL, ObjectProps, Container, and Default collection methods, compresses the data to a zip file,
        and then removes the JSON files from disk
    .EXAMPLE
        PS C:\> Invoke-BloodHound -CollectionMethod DCOnly -NoSaveCache -RandomizeFilenames -EncryptZip
        (Opsec!) Run LDAP only collection methods (Groups, Trusts, ObjectProps, ACL, Containers, GPO Admins) without outputting the cache file to disk.
        Randomizes filenames of the JSON files and the zip file and adds a password to the zip file
    #>
    [CmdletBinding(PositionalBinding = $false)]
    param(
        [Alias("c")]
        [String[]]
        $CollectionMethod = [String[]]@('Default'),
        [Alias("d")]
        [String]
        $Domain,
        [Alias("s")]
        [Switch]
        $SearchForest,
        [Switch]
        $Stealth,
        [String]
        $LdapFilter,
        [String]
        $DistinguishedName,
        [String]
        $ComputerFile,
        [ValidateScript({ Test-Path -Path $_ })]
        [String]
        $OutputDirectory = $( Get-Location ),
        [ValidateNotNullOrEmpty()]
        [String]
        $OutputPrefix,
        [String]
        $CacheName,
        [Switch]
        $MemCache,
        [Switch]
        $RebuildCache,
        [Switch]
        $RandomFilenames,
        [String]
        $ZipFilename,
        [Switch]
        $NoZip,
        [String]
        $ZipPassword,
        [Switch]
        $TrackComputerCalls,
        [Switch]
        $PrettyPrint,
        [String]
        $LdapUsername,
        [String]
        $LdapPassword,
        [string]
        $DomainController,
        [ValidateRange(0, 65535)]
        [Int]
        $LdapPort,
        [Switch]
        $SecureLdap,
        [Switch]
        $DisableCertVerification,
        [Switch]
        $DisableSigning,
        [Switch]
        $SkipPortCheck,
        [ValidateRange(50, 5000)]
        [Int]
        $PortCheckTimeout = 500,
        [Switch]
        $SkipPasswordCheck,
        [Switch]
        $ExcludeDCs,
        [Int]
        $Throttle,
        [ValidateRange(0, 100)]
        [Int]
        $Jitter,
        [Int]
        $Threads,
        [Switch]
        $SkipRegistryLoggedOn,
        [String]
        $OverrideUsername,
        [String]
        $RealDNSName,
        [Switch]
        $CollectAllProperties,
        [Switch]
        $Loop,
        [String]
        $LoopDuration,
        [String]
        $LoopInterval,
        [ValidateRange(500, 60000)]
        [Int]
        $StatusInterval,
        [Alias("v")]
        [ValidateRange(0, 5)]
        [Int]
        $Verbosity,
        [Alias("h")]
        [Switch]
        $Help,
        [Switch]
        $Version
    )
    $vars = New-Object System.Collections.Generic.List[System.Object]
    if ($CollectionMethod)
    {
        $vars.Add("--CollectionMethods");
        foreach ($cmethod in $CollectionMethod)
        {
            $vars.Add($cmethod);
        }
    }
    if ($Domain)
    {
        $vars.Add("--Domain");
        $vars.Add($Domain);
    }
    if ($SearchForest)
    {
        $vars.Add("--SearchForest")
    }
    if ($Stealth)
    {
        $vars.Add("--Stealth")
    }
    if ($LdapFilter)
    {
        $vars.Add("--LdapFilter");
        $vars.Add($LdapFilter);
    }
    if ($DistinguishedName)
    {
        $vars.Add("--DistinguishedName")
        $vars.Add($DistinguishedName)
    }
    if ($ComputerFile)
    {
        $vars.Add("--ComputerFile");
        $vars.Add($ComputerFile);
    }
    if ($OutputDirectory)
    {
        $vars.Add("--OutputDirectory");
        $vars.Add($OutputDirectory);
    }
    if ($OutputPrefix)
    {
        $vars.Add("--OutputPrefix");
        $vars.Add($OutputPrefix);
    }
    if ($CacheName)
    {
        $vars.Add("--CacheName");
        $vars.Add($CacheName);
    }
    if ($NoSaveCache)
    {
        $vars.Add("--MemCache");
    }
    if ($RebuildCache)
    {
        $vars.Add("--RebuildCache");
    }
    if ($RandomFilenames)
    {
        $vars.Add("--RandomFilenames");
    }
    if ($ZipFileName)
    {
        $vars.Add("--ZipFileName");
        $vars.Add($ZipFileName);
    }
    if ($NoZip)
    {
        $vars.Add("--NoZip");
    }
    if ($ZipPassword)
    {
        $vars.Add("--ZipPassword");
        $vars.Add($ZipPassword)
    }
    if ($TrackComputerCalls)
    {
        $vars.Add("--TrackComputerCalls")
    }
    if ($PrettyPrint)
    {
        $vars.Add("--PrettyPrint");
    }
    if ($LdapUsername)
    {
        $vars.Add("--LdapUsername");
        $vars.Add($LdapUsername);
    }
    if ($LdapPassword)
    {
        $vars.Add("--LdapPassword");
        $vars.Add($LdapPassword);
    }
    if ($DomainController)
    {
        $vars.Add("--DomainController");
        $vars.Add($DomainController);
    }
    if ($LdapPort)
    {
        $vars.Add("--LdapPort");
        $vars.Add($LdapPort);
    }
    if ($SecureLdap)
    {
        $vars.Add("--SecureLdap");
    }
    if ($DisableCertVerification)
    {
        $vars.Add("--DisableCertVerification")
    }
    if ($DisableSigning)
    {
        $vars.Add("--DisableSigning");
    }
    if ($SkipPortCheck)
    {
        $vars.Add("--SkipPortCheck");
    }
    if ($PortCheckTimeout)
    {
        $vars.Add("--PortCheckTimeout")
        $vars.Add($PortCheckTimeout)
    }
    if ($SkipPasswordCheck)
    {
        $vars.Add("--SkipPasswordCheck");
    }
    if ($ExcludeDCs)
    {
        $vars.Add("--ExcludeDCs")
    }
    if ($Throttle)
    {
        $vars.Add("--Throttle");
        $vars.Add($Throttle);
    }
    if ($Jitter -gt 0)
    {
        $vars.Add("--Jitter");
        $vars.Add($Jitter);
    }
    if ($Threads)
    {
        $vars.Add("--Threads")
        $vars.Add($Threads)
    }
    if ($SkipRegistryLoggedOn)
    {
        $vars.Add("--SkipRegistryLoggedOn")
    }
    if ($OverrideUserName)
    {
        $vars.Add("--OverrideUserName")
        $vars.Add($OverrideUsername)
    }
    if ($RealDNSName)
    {
        $vars.Add("--RealDNSName")
        $vars.Add($RealDNSName)
    }
    if ($CollectAllProperties)
    {
        $vars.Add("--CollectAllProperties")
    }
    if ($Loop)
    {
        $vars.Add("--Loop")
    }
    if ($LoopDuration)
    {
        $vars.Add("--LoopDuration")
        $vars.Add($LoopDuration)
    }
    if ($LoopInterval)
    {
        $vars.Add("--LoopInterval")
        $vars.Add($LoopInterval)
    }
    if ($StatusInterval)
    {
        $vars.Add("--StatusInterval")
        $vars.Add($StatusInterval)
    }
    if ($Verbosity)
    {
        $vars.Add("-v");
        $vars.Add($Verbosity);
    }
    if ($Help)
    {
        $vars.clear()
        $vars.Add("--Help");
    }
    if ($Version)
    {
        $vars.clear();
        $vars.Add("--Version");
    }
    $passed = [string[]]$vars.ToArray()
        $EncodedCompressedFile = 'zL0HWBPLFze82YRNo4WSUKRYwDUBsSKgYu9gQayo2DsuJlhD0Gvvvber2HsXe8feewN7w2v3Wq4K75yZ3WSD6PX+3/d5vs9Hsju/mT1z5sw5Z+rOxraeQkkpipKhv7w8itpJkX9VqX//NxT9OQfsdqa2Kc8W3imJOVs4vnsPU2Cyketm7JAU2KlDnz5cSmDHLoHGfn0Ce/QJrNmoaWAS17lLSScnVTGeRuNaFBUjkVIVvyzfI9C9RxWRqCWlKOqNC0X5EGySiytFBQopqpJ7mvAN/xghqr0rxuGflGo/kqJc8X/b1XohlBDdBnAT6Eqt0xZQyKqulCO6bHJ2pSJ+QybWf4g/hSioQOG6onDJlC4DU9B1xmsXUhYoK/0DifYljSZjJ3SPeUM8Ul7o+s7FnkX0v6SxS28OJXTkeca0VK7501XPz2ayC0kDvNGUA5Wa60yVc5VQEgrqgWI8tlJU9wbOv11sH/axhGL0lHsp2poZHfgBkbOgmpTRLOJLRUtZVAyGdmAj4GJCCqhiy8EtWxb9yjgZJDI5AFwGAXp/2owgmb4ILbXgGwQ4CIADDzACwPCAXADkPKAQAAUPKAVAyQMqAVDxgFoA1DzgKACOPOAkAE484CwAzjzgIgAuPOAqAK48oBEADQ+4CYAbD7gLgDsPeAiABw94CoAnD2gFQMsDOgHQ8YCXAHjxgLcAePOAjwD48ICvAPjyQCEBKMQDfgLgxwP+AoBvehqRLiSzqI5UE5DUJSyqHNVQCUSBzlRA+oICGjeKRZWkshRGEW4UbSmCr56WQHxNJTCLUhr4EItqTEX0rjjWZUpDs6hKmKBQ12BWiZTSWBwyRtWmUtFsCRTDQLxKH06zSIWYQJ8mFJWoR8+6l5JSY3kaUpVUxqGKVIU6SY2lEQEZ6wIUZMbyQM0Vx8iMVYRASCGaRWVguE0oxxAXFlWoKiiUCTbWQSlUDiGaNCiqsR4KMYQSzSK+mBA3crWPEXGJBBkgCBLfRNE6thq2GTeIr0+bkRnJQpXSYFpngVv9tJ+K2uQOd+A+oby+pWRUPQn2pRraDBJW0WYQuJoJacXoKt5FaeSsAeUV6pCFfAMKhEKgCwFZpIEqDmmdyslNympBIlVobZAK1xWttBSFC6kxKbZ/Q1Y2SNcMEU50KlxyPZEKSmhP/ik37CBUWUspITOSVUDnhNa9WaScqh6OBEmDQnBIO1WKLgoOKaWqZQH8VKJ1v+Inu8lvMJPt7S6jA3IJFfy4RsYWggh3e5j1w5pIUdUKEf8H3tMZia0Q+kO8w58knKSVsgEkMdTBZBSHNFFjKgK1z9DAqYoBzlQhUmmoRC9lzMWwPmmDGSaXCUL3pmAAHC2AK1hU7QaORbdqQzk5VwJEQJ5HZdCDVAwgDW87DF1CIApJWSXnSkKCo9kqeQgj58JQ4I6ekuDmpCZVdQSlorB9OFAchdtcDW2MRTrGlcZsyYI9DK66iYgvSZA2oNhCcN5IjY29hCRq2jhcuHeUh9ByPRPqogh1NCJzS5Zi29QzIU4MtjQptgK9Qhww0jRXlm8tVCxSWAPYroGtB61EOyGyPmilDQd7TgVNwj6hAvBkigBupJN66Fo5GoKlinkYdlKESpUhvowyUVnWSY5QLhJqQNlKpUDpFNqwa0wIA/Zk0BM6IXI5GJVBz5BwWa10UoibVEvIhSqkOvBiBj15Jjog19QIPBJt0YPptUbhaBAcbakCF6mlKpSxCM27In/SWupb0+Ya6OoiYWtCRaEek0qbK9F3FRpTSzBuWWuDv2StNk1TyBooJbZpSKBiAr6XlDG6sioqW06zcYgRa91qKNodxAPPSalM6DpYn1PLQ5zluoqoJ0VpVVlrwXI9SY66nhYDXGlzCVB7a5VwdYCTEIgK+I6TGuJoM4S5ulDxCiJsZairIQo9DDR0HQkpHFBWeM7flPWhFZbiOC9MR6fKDhVo8hSxwi4h5aE9cK5aFRSwMRSQAVlAGaGfuHcvKWMfoQCYQoiapxTGu1nIT+9jQqqjGkwJbZLaKo+A3LJetBnkjCVeVk1rCTWVQa7F9YtM1wwVbAGxQOeFbQ5qOI2vLzYWxNOQVF0jjOCqawz5g/wHS3A/DuXXCDuCgG+taiFtpirn62utxF60CeihQxYtgYpBLgueMVSkzXFg2xKuKUQjS7PEQ04B3/gUWY7i9DyVU1l7Mck4DDUDZWtO3KiWbYFu3GVuMrYlVCFqrVqB4GtgR49JKCyt4eLuQKdC2dxoNwdWCc5+A6YJkY50KlxyPZFT9rVmjmi1QZeoenl5ednR7gx4U8JUW2DKjVy5dgB5WOCe5MAm4tv26FfDsB3AE9f+H57Vsh1B8CSgIwGiM+AxXv1NRYO/BkUCPwICcrLWDdIFA22GiiO64A/K2ShfJWstIFykHoqA76ZOxLWbO0M0lnNqF1xRuZ7IAUvkbFfgW8lILSB+Q5yLhDZDAoyHurlI8qV0Zkg8SV6UJiEp2w0wKC/Di6C7kIjB/axOpF2ylQNVQ64najl9Fbwo2J6Ya742KehfGfiY3tiV43s5mwRiK+smBPugXxOHJSo3JfMmBbqH+lk4iRQnsYXgeX1tPiRzcJax/QCJEqcOxjwjXaRcrDx7lmGIjYqKgGRTBWSjR/6iibWGCyyJqCimwaTOoX5Rrw7GhxpaKmNTcV1xFpB8EWm/WtCs4TaO0XFpCPRgh+A2AAWHYsEiS/8DSA0zobphhkZCT2sYePY0uOVQ06caGgXeJU7qQudqEfcSbgRUzkhK6LvC8E4D/U5uFMJSECsSxDHyPoYQmtH7QRZjeKFWFLqDFfmOdiUBqMQDlQWgMg9EC0A0D1QRgCo8UFUAqvJANQGoxgPVBaA6D9QQgBo8UFMAavJALQGoxQO1BaA2D9QRgDo8UFcA6vJAPQGoxwP1BaA+DzQQgAY8ECMAMTwQKwCxPNBQABryQCMBaMQDjQWgMQ80EYAmPBAnAHE80FQAmvJAvADE80AzAWjGA80FoDkPtBCAFjzQUgBa8kArAWjFA60FoDUPJAhAAg+0EYA2PNBWANryQDsBaMcDiQKQyAPtBaA9D3QQgA480FEAOvJAJwHoZO2bMNRb1BS64f5YL+isoebOoCvpxIeQgzUYfPmAM0QJfcqQhdx4pP4ybbyDNk6lVUfUlsDgYJ7jBaSNNDsBxSl07ER0WQ6AU7Z/sNQ4H/UfdRMlmIIinZ0ETt9dlsXB0KG+u4OyFhoNUbNJ5xucO4XGDhQarFIwSQUMo04lhWyKQupLIW2jUMVSSIYUcrUU8i2UCf1BBxP6SIg6FQHEdO5MxEwghK6IISrAFd2MgJtAd8aQFlAV/Q4MhEEmuuECYdSLbroGgvtBN2290E/LQJi0QTeNAmE2CN3UDhxK4ZvKPugnIpBugkNhgS9M+CY48DGh6BeoIlEegXkkSq1FP4xpMvhMmcZBw7SPVwa4lpU66OLkupZqOTOpR5XNuXl5NNsXyTSyJGLINAVafbmsfoBrYoi7DK4d4jVy4xfoxE/FclTI6mPeE0O8dSjAh3CqohI+FYCudklc+SStxEmq2iWpyieZakvilRjiSaK9cNRFIUqjCHFDqE97QD1pAZVz04DH0l1N06EcSo3SWAsiZ0CTgmJnAqoyuLup2Flwq9YoNWoSi6DZ4PcfZTu7qXK1aIDpS4ZDUuNm2qZOGiV24OnsHGirjEdEUbL6ExgYdCMHxpB4nV6D9V+Cx4V1Ke8OlD+kpanhdOBSGk+yRVk79Z3BWtrRUhdprtYXsoeMUOt4BPqS4VLchZDlymAkoPKAhOwhmEdwQm0oexQMZwG0E+7I1pqAxiBbwzMBKqO7lEr24Zlk8MRAepDOhcrVNrW2RwuhTEFe0vQgb1moHM9dGNTG8lKY/pDj8i4iTSa25QWIlgdus8bDNEsVlAxGawZ2MUqUhppCWVCoLjitC/DLXEWsmZZAozgUYth0EBx+kF0KDTLmkafUF1Hy4jlFreAyzJUO3S23ylzGrYA2WCHjVsLVlb8aCB5alKd00o4nKdcDgTpuPfqV6kmIW4N+QmkIDkJ3aauAm
    $DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress)
    $UncompressedFileBytes = New-Object Byte[](1051648)
    $DeflatedStream.Read($UncompressedFileBytes, 0, 1051648) | Out-Null
    $Assembly = [Reflection.Assembly]::Load($UncompressedFileBytes)
    $BindingFlags = [Reflection.BindingFlags] "Public,Static"
    $a = @()
    $Assembly.GetType("Costura.AssemblyLoader", $false).GetMethod("Attach", $BindingFlags).Invoke($Null, @())
    $Assembly.GetType("Sharphound.Program").GetMethod("InvokeSharpHound").Invoke($Null, @(,$passed))
}