metasploit-gs/data/post/powershell/SharpHound.ps1

function Invoke-BloodHound{
    <#
    .SYNOPSIS
        Runs the BloodHound C# Ingestor using reflection. The assembly is stored in this file.
    .DESCRIPTION
        Using reflection and assembly.load, load the compiled BloodHound C# ingestor into memory
        and run it without touching disk. Parameters are converted to the equivalent CLI arguments
        for the SharpHound executable and passed in via reflection. The appropriate function
        calls are made in order to ensure that assembly dependencies are loaded properly.
    .PARAMETER CollectionMethod
        Specifies the CollectionMethod being used. Possible value are:
            Group - Collect group membership information
            LocalGroup - Collect local group information for computers
            LocalAdmin - Collect local admin users for computers
            RDP - Collect remote desktop users for computers
            DCOM - Collect distributed COM users for computers
            PSRemote - Collected members of the Remote Management Users group for computers
            Session - Collect session information for computers
            SessionLoop - Continuously collect session information until killed
            Trusts - Enumerate domain trust data
            ACL - Collect ACL (Access Control List) data
            Container - Collect GPO/OU Data
            ComputerOnly - Collects Local Admin and Session data
            GPOLocalGroup - Collects Local Admin information using GPO (Group Policy Objects)
            LoggedOn - Collects session information using privileged methods (needs admin!)
            ObjectProps - Collects node property information for users and computers
            SPNTargets - Collects SPN targets (currently only MSSQL)
            Default - Collects Group Membership, Local Admin, Sessions, and Domain Trusts
            DcOnly - Collects Group Membership, ACLs, ObjectProps, Trusts, Containers, and GPO Admins
            All - Collect all data except GPOLocalGroup
        This can be a list of comma seperated valued as well to run multiple collection methods!
    .PARAMETER Stealth
        Use stealth collection options, will sacrifice data quality in favor of much reduced
        network impact
    .PARAMETER Domain
        Specifies the domain to enumerate. If not specified, will enumerate the current
        domain your user context specifies.
    .PARAMETER WindowsOnly
        Limits computer collection to systems that have an operatingssytem attribute that matches *Windows*
    .PARAMETER ComputerFile
        A file containing a list of computers to enumerate. This option can only be used with the following Collection Methods:
        Session, SessionLoop, LocalGroup, ComputerOnly, LoggedOn
    .PARAMETER LdapFilter
        Append this ldap filter to the search filter to further filter the results enumerated
    .PARAMETER SearchBase
        DistinguishedName to start LDAP searches at. Equivalent to the old --OU option
    .PARAMETER OutputDirectory
        Folder to output files too
    .PARAMETER OutputPrefix
        Prefix to add to output files
    .PARAMETER PrettyJSON
        Output "pretty" json with formatting for readability
    .PARAMETER CacheFilename
        Name for the cache file dropped to disk (default: unique hash generated per machine)
    .PARAMETER RandomFilenames
        Randomize file names completely
    .PARAMETER ZipFilename
        Name for the zip file output by data collection
    .PARAMETER NoSaveCache
        Don't write the cache file to disk. Caching will still be performed in memory.
    .PARAMETER EncryptZip
        Encrypt the zip file with a random password
    .PARAMETER NoZip
        Do NOT zip the json files
    .PARAMETER InvalidateCache
        Invalidate and rebuild the cache file
    .PARAMETER LdapFilter
        Append this ldap filter to the search filter to further filter the results enumerated
    .PARAMETER DomainController
        Domain Controller to connect too. Specifiying this can result in data loss
    .PARAMETER LdapPort
        Port LDAP is running on. Defaults to 389/686 for LDAPS
    .PARAMETER SecureLDAP
        Connect to LDAPS (LDAP SSL) instead of regular LDAP
    .PARAMETER DisableKerberosSigning
        Disables keberos signing/sealing, making LDAP traffic viewable
    .PARAMETER LdapUsername
        Username for connecting to LDAP. Use this if you're using a non-domain account for connecting to computers
    .PARAMETER LdapPassword
        Password for connecting to LDAP. Use this if you're using a non-domain account for connecting to computers
    .PARAMETER SkipPortScan
        Skip SMB port checks when connecting to computers
    .PARAMETER PortScanTimeout
        Timeout for SMB port checks
    .PARAMETER ExcludeDomainControllers
        Exclude domain controllers from enumeration (usefult o avoid Microsoft ATP/ATA)
    .PARAMETER Throttle
        Throttle requests to computers (in milliseconds)
    .PARAMETER Jitter
        Add jitter to throttle
    .PARAMETER OverrideUserName
        Override username to filter for NetSessionEnum
    .PARAMETER NoRegistryLoggedOn
        Disable remote registry check in LoggedOn collection
    .PARAMETER DumpComputerStatus
        Dumps error codes from attempts to connect to computers
    .PARAMETER RealDNSName
        Overrides the DNS name used for API calls
    .PARAMETER CollectAllProperties
        Collect all string LDAP properties on objects
    .PARAMETER StatusInterval
        Interval for displaying status in milliseconds
    .PARAMETER Loop
        Perform looping for computer collection
    .PARAMETER LoopDuration
        Duration to perform looping (Default 02:00:00)
    .PARAMETER LoopInterval
        Interval to sleep between loops (Default 00:05:00)
    .EXAMPLE
        PS C:\> Invoke-BloodHound
        Executes the default collection options and exports JSONs to the current directory, compresses the data to a zip file,
        and then removes the JSON files from disk
    .EXAMPLE
        PS C:\> Invoke-BloodHound -Loop -LoopInterval 00:01:00 -LoopDuration 00:10:00
        Executes session collection in a loop. Will wait 1 minute after each run to continue collection
        and will continue running for 10 minutes after which the script will exit
    .EXAMPLE
        PS C:\> Invoke-BloodHound -CollectionMethod All
        Runs ACL, ObjectProps, Container, and Default collection methods, compresses the data to a zip file,
        and then removes the JSON files from disk
    .EXAMPLE (Opsec!)
        PS C:\> Invoke-BloodHound -CollectionMethod DCOnly --NoSaveCache --RandomFilenames --EncryptZip
        Run LDAP only collection methods (Groups, Trusts, ObjectProps, ACL, Containers, GPO Admins) without outputting the cache file to disk.
        Randomizes filenames of the JSON files and the zip file and adds a password to the zip file
    #>
    param(
        [String[]]
        $CollectionMethod = [string[]] @('Default'),
        [Switch]
        $Stealth,
        [String]
        $Domain,
        [Switch]
        $WindowsOnly,
        [String]
        $ComputerFile,
        [ValidateScript({ Test-Path -Path $_ })]
        [String]
        $OutputDirectory = $(Get-Location),
        [ValidateNotNullOrEmpty()]
        [String]
        $OutputPrefix,
        [Switch]
        $PrettyJson,
        [String]
        $CacheFileName,
        [Switch]
        $RandomizeFilenames,
        [String]
        $ZipFilename,
        [Switch]
        $NoSaveCache,
        [Switch]
        $EncryptZip,
        [Switch]
        $InvalidateCache,
        [String]
        $LdapFilter,
        [string]
        $DomainController,
        [int]
        $LdapPort,
        [Switch]
        $SecureLdap,
        [Switch]
        $DisableKerbSigning,
        [String]
        $LdapUsername,
        [String]
        $LdapPassword,
        [Switch]
        $SkipPortScan,
        [ValidateRange(50,5000)]
        [int]
        $PortScanTimeout = 2000,
        [Switch]
        $ExcludeDomainControllers,
        [ValidateRange(0,100)]
        [int]
        $Jitter,
        [int]
        $Throttle,
        [String]
        $OverrideUsername,
        [Switch]
        $NoRegistryLoggedOn,
        [Switch]
        $DumpComputerStatus,
        [String]
        $RealDNSName,
        [Switch]
        $CollectAllProperties,
        [ValidateRange(500,60000)]
        [int]
        $StatusInterval,
        [Switch]
        $Loop,
        [String]
        $LoopDuration,
        [String]
        $LoopInterval
    )
    $vars = New-Object System.Collections.Generic.List[System.Object]
    $vars.Add("-c")
    foreach ($cmethod in $CollectionMethod){
        $vars.Add($cmethod);
    }
    if ($Domain){
        $vars.Add("--Domain");
        $vars.Add($Domain);
    }
    if ($Stealth){
        $vars.Add("--Stealth")
    }
    if ($WindowsOnly){
        $vars.Add("--WindowsOnly")
    }
    if ($ComputerFile){
        $vars.Add("--ComputerFile");
        $vars.Add($ComputerFile);
    }
    if ($OutputDirectory){
        $vars.Add("--OutputDirectory");
        $vars.Add($OutputDirectory);
    }
    if ($OutputPrefix){
        $vars.Add("--OutputPrefix");
        $vars.Add($OutputPrefix);
    }
    if ($PrettyJson){
        $vars.Add("--PrettyJson");
    }
    if ($CacheFileName){
        $vars.Add("--CacheFileName");
        $vars.Add($CacheFileName);
    }
     if ($RandomFilenames){
        $vars.Add("--RandomizeFilenames");
    }
    if ($ZipFileName){
        $vars.Add("--ZipFileName");
        $vars.Add($ZipFileName);
    }
    if ($NoSaveCache){
        $vars.Add("--NoSaveCache");
    }
    if ($EncryptZip){
        $vars.Add("--EncryptZip");
    }
    if ($NoZip){
        $vars.Add("--NoZip");
    }
    if ($InvalidateCache){
        $vars.Add("--InvalidateCache");
    }
    if ($LdapFilter){
        $vars.Add("--LdapFilter");
        $vars.Add($LdapFilter);
    }
    if ($DomainController){
        $vars.Add("--DomainController");
        $vars.Add($DomainController);
    }
    if ($LdapPort){
        $vars.Add("--LdapPort");
        $vars.Add($LdapPort);
    }
    if ($SecureLdap){
        $vars.Add("--SecureLdap");
    }
    if ($DisableKerberosSigning){
        $vars.Add("--DisableKerberosSigning");
    }
    if ($LdapUsername){
        $vars.Add("--LdapUsername");
        $vars.Add($LdapUsername);
    }
    if ($LdapPassword){
        $vars.Add("--LdapPassword");
        $vars.Add($LdapPassword);
    }
    if ($SkipPortScan){
        $vars.Add("--SkipPortScan");
    }
    if ($PortScanTimeout){
        $vars.Add("--PortScanTimeout")
        $vars.Add($PortScanTimeout)
    }
    if ($ExcludeDomainControllers){
        $vars.Add("--ExcludeDomainControllers")
    }
    if ($Throttle){
        $vars.Add("--Throttle");
        $vars.Add($Throttle);
    }
    if ($Jitter){
        $vars.Add("--Jitter");
        $vars.Add($Jitter);
    }
    if ($OverrideUserName){
        $vars.Add("--OverrideUserName")
        $vars.Add($OverrideUsername)
    }
    if ($NoRegistryLoggedOn){
        $vars.Add("--NoRegistryLoggedOn")
    }
    if ($DumpComputerStatus){
        $vars.Add("--DumpComputerStatus")
    }
    if ($RealDNSName){
        $vars.Add("--RealDNSName")
        $vars.Add($RealDNSName)
    }
    if ($CollectAllProperties){
        $vars.Add("--CollectAllProperties")
    }
    if ($StatusInterval){
        $vars.Add("--StatusInterval")
        $vars.Add($StatusInterval)
    }
    if ($Loop){
        $vars.Add("--Loop")
    }
    if ($LoopDuration){
        $vars.Add("--LoopDuration")
        $vars.Add($LoopDuration)
    }
    if ($LoopInterval){
        $vars.Add("--LoopInterval")
        $vars.Add($LoopInterval)
    }
    $passed = [string[]]$vars.ToArray()
        $EncodedCompressedFile = '5P0HeFzF9QaM353dvVtV7u56V8VIMljytXZXbtiWLHCj4wLGFGMDxpSATbmwa4eY1QoDMaHZ9Ga66QFCLwkQSgKEAAkJgYSAFUgjQIBAQhJS5O+8Z+Y2WTYkv/z/z/c8nx9r78w7c8+cOXNm5ky98xZfqAU1TQvR3+bNmvaoJv/N1L743xr6q239Tq32YOzlUY8G5r48av9jl5fbTipZx5SWndB25LITT7RWth1xdFtp1Ylty09s23WfhW0nWEcd3VVTEx+taOy7m6bNDQS1c+Yc9JJN921NBBKB8Zp2ZVLTmiQ28DC52+wYM6VbSL7xT3e4qmEc/4La4Ws1rZ7/u0/nwf/OJroL4XgqqUVzw2Ty7aRGKWu/fSipdX8JmTj/iL+oxxsl/54ef9fKo7+2EnQvV/lCXsUWJA7vKpVLR+L9nORRa6DnhqQv3kz631U6+niLIiYVz0zr/i3izR7K5lMPyzjgTWhh7dFUQivcFCDZCe3rJNbQ7IC25pXYl852k/kToemdTSYpFT36qVxCnS1iDT8PLNNDN0P4QbhVh0jnCjOsaXGRLQU07SQzhVCKFy9H6KcaxovTRIVeCgVDFsk03jlfVALwWsRXPGTFFSY8WEJhQQ+WBDbdIUWKEu/o3M9Pq9YGvcTqGJyuqIWsevZrzeOD2mh6mf4b5kPIz2v0U9hJlA1wDgqinIIzwM40nEF2ZuAEH6U65HkEec0s2BMmEdfjuknlHS/+Z6SO9JPSRAXCsxrArW420iORK1N9ikesZsQiUnkujNITeBMlwrKwtkMoe5Gw1ULeRdKPJK1W1490rTb4zye+A+YovOmwMJBULGxPnrc6A/XQsUu1M3MBVrr0eKGNY72z5fcC/bQX6ztYCUqjAsQVNCEuQ79HP7q5A+eteXxIO0pDHbff/TFkH+iUOWTuTGpk4lY7CEixJrwSiTQ0ZMsd5EpG9ay+frk1BhxnowU9apng18/7SPA5U6uZp8U15rlTKx4kqxv04GSN2yKjjTKzpg0qYY5FwnopT7nIWp2QfqSYNfPgbjrnU+8oHUeByYGeSOkEclgFClsVgxwRITkwSi/oumSmY9gXtSjR1SRv9dr0+ZI3/Fu0SMtBNVtEJYIatL0IViOyLlaiNhCVAFe/TpmPJfQueY3QSvptLheRB6sLzOfbI9Y4iEtPCXM8JDuBfsg9EYxNArAj69ZkaO6rA/FIQY9I5vVgdh3xGLCmcEJSD1LahF0kv83jw2hr0IYbQXMqxQlz6sgoq3fc6gb5HmZjTsSaBjbKIwKaXhO1esmTW0fpBNqzrYdca+1E/nQoZoSyG6x6ikKu3Aarllx6LGrtDEJURnlrhsvs3T5mlZ6O0g76muRv91eoNWk2qfmMB61ZyALJbLZ8VuK2MONKujE8pwjZdlTZd6Bq4YImVR1dhMzt0O6R/ge1m6kVonIxRM9l6LjM5wVqf9v6kz89Y3aW+NTboj+sTJn9d4inbffq6uLk4/W2tlNX5yd36G2P9i6L9z6GNrXtlSmnmL3Lo3AitPe3hHbProH/gcrqwuRmvW3kzqcUejdEbaj3dURp5Sj3TD+l2LsiaqfR24egEAe9NuuUcZOn621v9K/uApXZM0/p6u3kqIB6v4KobyThP+mJSlfvMRH7rd6Pydn9XQ5av/spE/F28MnKuN5xERvqnUyEuq/mKKP2PGVSb33UznLveSC8hoNqXqvsPJs1pO2Ji1ZPAzudF67uAcGrX6xM7Z3DIgDUm8Vbe/NbT/+o0tO7WLff6q1H0DgOevcnlV68vf8rlWm9y3Qb6p2FKEmOcuqrlZ16T9Lt5Hv3RdAnCfgvf/qY5eDhgkMCe4HK4z86ZI/eS7mwAPVmqLC7n+OoiSMHjuq9Sdhv9T5Dzu47OejYEz9dg7fHfu+YFb1PChvqfQFRzuYo/7Q+Pb33VA6CQvTuhqATOOjrteuuUFrxx8C6C6AVJ6z+9BvQilHlT8/s/VMAQb885dOzehNoCzm09wMQKDCB5wbPX4fkJ/37/PN7dwraUO8ScnbHOMrB2rr1vVOCdhq9P8fbH8Xh//74sy6BCCaMO+tiUEmF113U+w5zCqj3BET9Hke9RV93ce99wn6rd2cE3c5B70866zK8fdDEsy7trRc2xMx3r+Uo1clnXd77YsDOcu/v8fYKDnr87c9/pLSio7jyNrCjda68BQRz9euu7L2VCQLqfZea5u4d+a1L8itv7f1jyH6r968IauSgfPfKb+HtK6esvLv3zyEb6v03ovw1Bv9337z8272Xhe3kezeDnTc56OkPPn8NPETf/fynoLLPrz//ce9fZBUmqPcyRL2Xo179h89f7d0g7Ld6b0bQZRz07kef/5w188PPX++tFTbU24AoJY5y6p8+/0XvdhxU8+nnb/SOQdBBFCRKa9Fj7kJNzTQdOjibwYscMAiwyOCNDojmvruBwbsdkLMcZPAJB/wHwI+iAF9wwL8BfIPBNxzwLwC/z+B7DvgJwHsY/MwBPwK4gcGwsMEPAK5lcIQD/gHgSQy2O+DvAC5hcLID/hrg7gzu5oC/AjiBwQUO+BbAkQwe6oBvAIwweIIDvg7w0wjAqgO+CnATg+sc8BWAP2DwWgd8GeADDN7tgD8EeB2DTzjg8wDPYfBlB/w+wJUMbnLApwEuZfBjB/wuwL0ZpFGVAh8DOJnBtAM+CrCNwXYHfAhggsGpDng/678OcC8HvAfgOwwuccC7AL7E4AkOeAfARxg8zQFvBbiRwYsc8CaA6xi8zQFvAPg1Bp92wGsBHsngmw64AeB8Bj9zwCsA9jBYF7LBSwGOZnCsA14EsI7BXRxwPcB/hFlDHPA8gL9j8BQHPBvgKwxe5IBrAT7G4J0OeAbAWxl81gFPA3gRg79ywD6AfQx+7oCrAR7DYDpsg18FuB+DRQcsA9yZwT0c8CSAJoPLHPAEgGkGKw64AuBgCOBlDngMwPcYvMcBlwH8GYMvOOASgE8y+BsHPADgNxn8twPuA/AyBnO6De4FcA2DExxwF4DHMTjHAXcGeCCDRzvgVICz6CdYOo3AbJlGKfqC7omMXOtB2hi504PUMvIiIQ0K+VcQyCZPnPcZ+bcnzi8YiUVc5DlG2iPuWw8yspcH2cjI0Z63LmTkdEJyCuln5E4Pcjwjr3neWszIxx7KezLSGHWRKYxMirpvjWZklgdJMbLAg2iMHOpBPhJAVnmQtxhZ60F+yMhVHuRRRm7xILcy8o6Hw0sZ2eyJcwYjY2IuchIje3iQwxgpe5C5Mi0PMm0LxGTkxZibelYMlVhoC+TTAJDfeei8zUgg7iI/YqTVgzzOSN6DfJORHg9yJSMLPMhZjKzyICsZucKDHMHIIx5kX0be8CDTGfnEgxQYmZpwkSZGlnmQKCM3epC/Yrxd+pUH+S0j6aSL/JSRGR7kKUbWepBvMfKsB7mGkU88yLmMhGscJF8JliZ7vMcHSwd7vIeSsnm884Ollz3eGcHS3zze8VQra13vqGBpocebCpau9niDwcyC4L6ZwSBGeeaucqhMY1ahzdN4js8Q1m4YVe6Onz0wXM236Nae9gg5EeEJERHBdITObl0OO385YOircjRwTbqTDjye5/GnoXX20o+aJ9mbnjEnraC1NwiITKftn0O/r/DUAYap1lyee1iPGHp2A88pJCKFaMSap96LdMo8rCa6cYdu6UXKuKQdyiQHlg2EO+ixWPOGckpJe0AsU5LxJroJIpwSDEUY0SLZ8nxE3gc/GBcn5Rtq/sKUcxYNDVp4Ek+ntWjbz9TCO7L7MC1TkjjkQON3LTFUDpHsOuRwW8JYRYPZ5rjO/HUqmVI/gQkco7wv8uCnqFsLUNI+iv5Mr6rjPCphgh4pAGaft11GQyS3NZGhfEDzFKJZO1z5ZBTyKwdxUnJjFSLCbCet6xwauTBasMck0evl/cBJShvMTsEkzQS7kDozMl/3EA914AFTWjqEOLKTTCz79YLIduopnvvTC5GINRIJjkySWVlHMaD0NbFCQ6y0S53qmwv0fgzTRnoyv5coHQS8g3zpkBEqhkYm8zsaoZJVJ6ck8
    $DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress)
    $UncompressedFileBytes = New-Object Byte[](832512)
    $DeflatedStream.Read($UncompressedFileBytes, 0, 832512) | Out-Null
    $Assembly = [Reflection.Assembly]::Load($UncompressedFileBytes)
    $BindingFlags = [Reflection.BindingFlags] "Public,Static"
    $a = @()
    $Assembly.GetType("Costura.AssemblyLoader", $false).GetMethod("Attach", $BindingFlags).Invoke($Null, @())
    $Assembly.GetType("SharpHound3.SharpHound").GetMethod("InvokeSharpHound").Invoke($Null, @(,$passed))
}