# Triage preamble: non-terminating errors are swallowed for the whole run so that a query the
# current account is not allowed to make does not interrupt the remaining sections.
$ErrorActionPreference = 'SilentlyContinue'
Write-Output '-------------------------'
Write-Output "[+] INFO: CPU Usage TOP 20"
Write-Output '-------------------------'
# Twenty processes with the highest accumulated CPU time, identified by PID, image name and description.
Get-Process |
    Sort-Object -Property CPU -Descending |
    Select-Object -First 20 -Property ID, ProcessName, Description, CPU
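Write-Output '-------------------------'
Write-Output "[+] INFO: Installed Software"
Write-Output '-------------------------'
# Enumerate the Uninstall keys instead of Win32_Product: reading that WMI class makes Windows Installer run
# a consistency check (and possible repair) of every MSI package, which is slow and changes the host under
# triage. The registry view also lists non-MSI installers, and the per-user hive catches software installed
# without admin rights, which Win32_Product never shows.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Publishers the original filter treated as expected on this fleet (kept verbatim); entries without a
# publisher are deliberately kept, as the original Vendor check did.
$KnownVendors = 'Palo|Levi|Adobe|Microsoft|dell|cybersafe|displaylink|VPSX|python|mimecast|forcepoint|google|crowdstrike|Oracle|cisco|ServiceNow|Asmedia'
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.Publisher -notmatch $KnownVendors } |
    Sort-Object -Property DisplayName -Unique |
    Select-Object -ExpandProperty DisplayName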
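Write-Output '-------------------------'
Write-Output "[+] INFO: Showing Default Chrome Plugins"
Write-Output '-------------------------'
# Extension IDs the original filter suppressed from the listing (kept verbatim); anything else installed
# in a user's default Chrome profile is printed as "user: name vVersion (id)".
$KnownExtensionIds = 'aapocclcgogkmnckokdopfmhonfmgoek|aohghmighlieiainnegkcijnfilokake|apdfllckaahabafndbhieahigkjlhalf|blpcfgokakmgnkcojhhkbfbldkacnbeo|felcaaldnbdncclmgdcncolpebgiejap|ghbmnnjooekpmoecnnnilnnbdlolhkhi|nmmhkkegccagdldgiimedpiccmgmieda|pjkljhegncpnkpknbcohdijeoejaedia|pkedcjkdefgpdelpbcmbmeomcjbeemfm'
# Profile directories from the profile list; the original Where-Object filter on 'Windows' (drops the
# system/service profiles under C:\Windows) is kept.
$UserPaths = (Get-CimInstance -ClassName Win32_UserProfile | Where-Object LocalPath -notmatch 'Windows').LocalPath
foreach ($Path in $UserPaths) {
    # Join-Path avoids the doubled backslash the old string concatenation produced.
    $ExtPath = Join-Path -Path $Path -ChildPath 'AppData\Local\Google\Chrome\User Data\Default\Extensions'
    if (-not (Test-Path -LiteralPath $ExtPath)) { continue }
    $Username = Split-Path -Path $Path -Leaf
    # One folder per extension ID; -Directory skips stray files that the version walk below cannot descend into.
    $ExtFolders = Get-ChildItem -LiteralPath $ExtPath -Directory | Where-Object Name -ne 'Temp'
    foreach ($Folder in $ExtFolders) {
        foreach ($Version in (Get-ChildItem -LiteralPath $Folder.FullName -Directory)) {
            $ManifestPath = Join-Path -Path $Version.FullName -ChildPath 'manifest.json'
            if (-not (Test-Path -LiteralPath $ManifestPath)) { continue }
            # -Raw hands ConvertFrom-Json the whole file as one string; piping Get-Content line by line
            # is parsed as one JSON document per line on some PowerShell versions.
            $Manifest = Get-Content -LiteralPath $ManifestPath -Raw | ConvertFrom-Json
            $ExtName = $null
            if ($Manifest.name -like '__MSG*') {
                # Localised name: resolve the __MSG_<key>__ placeholder from the first locale file that has it.
                $AppId = ($Manifest.name -replace '__MSG_', '').Trim('_')
                foreach ($Locale in @('_locales\en_US', '_locales\en')) {
                    if ($ExtName) { break }
                    $MessagesPath = Join-Path -Path $Version.FullName -ChildPath (Join-Path -Path $Locale -ChildPath 'messages.json')
                    if (-not (Test-Path -LiteralPath $MessagesPath)) { continue }
                    $AppManifest = Get-Content -LiteralPath $MessagesPath -Raw | ConvertFrom-Json
                    # Candidate keys in the original's order of preference; the first non-empty one wins.
                    $Candidates = @(
                        $AppManifest.appName.message,
                        $AppManifest.extName.message,
                        $AppManifest.extensionName.message,
                        $AppManifest.app_name.message,
                        $AppManifest.application_title.message,
                        $AppManifest.$AppId.message
                    )
                    $ExtName = $Candidates | Where-Object { $_ } | Select-Object -First 1
                }
            } else {
                $ExtName = $Manifest.name
            }
            $Line = "{0}: {1} v{2} ({3})" -f $Username, [string]$ExtName, $Manifest.version, $Folder.Name
            # Same suppression as the old Select-String -NotMatch: lines carrying a known ID are dropped.
            if ($Line -notmatch $KnownExtensionIds) {
                Write-Output $Line
            }
        }
    }
}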
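Write-Output '-------------------------'
Write-Output "[+] INFO: Getting External IP"
Write-Output '-------------------------'
# Egress check. This intentionally contacts a third party from the host under triage, so it runs over TLS,
# is bounded by a timeout, and prints only the address body rather than the whole response object.
try {
    (Invoke-WebRequest -Uri "https://ifconfig.io" -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop).Content.Trim()
} catch {
    Write-Warning "External IP lookup failed: $($_.Exception.Message)"
}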
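Write-Output '-------------------------'
Write-Output "[+] INFO: Getting netstat info"
Write-Output '-------------------------'
#OLD get-nettcpconnection | select local*,remote*,state,@{Name="Process";Expression={(Get-Process -Id $_.OwningProcess).Path}} |Select-String -Pattern "(0.0.0.0|127.0.0.1|chrome|RemoteAddress=::;|outlook|msedge|SearchUI|SystemSettings|teams|vpnagent|onedrive)" -NotMatch
# Peers that are not worth an external lookup: RFC1918 ranges, loopback and any IPv6 literal (every IPv6
# address contains a colon). The 172 check is narrowed to 172.16.0.0/12; the old '^172\.' also dropped
# the public 172.x peers.
$InternalPeers = '^10\.|^192\.168\.|^127\.|^172\.(1[6-9]|2[0-9]|3[01])\.|:'
# Output: remote IP, local port, ARIN org name, owning process path — one line per distinct remote IP.
# Each lookup sends the peer address to ARIN; that is a deliberate third-party contact from the triaged host.
Get-NetTCPConnection |
    Where-Object { $_.State -eq 'ESTABLISHED' -and $_.RemoteAddress -notmatch $InternalPeers } |
    Sort-Object -Unique -Property RemoteAddress |
    ForEach-Object {
        $PROC_PATH = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path
        # Browsers and collaboration clients are skipped; 'return' continues with the next connection.
        if ($PROC_PATH -match 'Teams|chrome|outlook') { return }
        $REMOTEIP = $_.RemoteAddress
        $LocalPort = $_.LocalPort
        # A failed lookup yields an empty org name; -ErrorAction Stop without try/catch inside ForEach-Object
        # used to abort the rest of the pipeline on the first unreachable or unknown address.
        try {
            $WHOIS = (Invoke-RestMethod -Uri "https://whois.arin.net/rest/ip/$REMOTEIP" -TimeoutSec 15 -ErrorAction Stop).net.orgRef.name
        } catch {
            $WHOIS = ''
        }
        Write-Output "$REMOTEIP,$LocalPort,$WHOIS,$PROC_PATH"
    }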
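Write-Output '-------------------------'
Write-Output "[+] INFO: Displaying recent files for all users .lnk targets and Arguments "
Write-Output '-------------------------'
# The header is printed once, up front; it used to be emitted inside the per-user loop and then fed through
# the sort, which interleaved it with the data. One COM instance serves the whole walk instead of one per .lnk.
$WScript = New-Object -ComObject WScript.Shell
Get-ChildItem -Path 'C:\Users' -Directory | ForEach-Object {
    $RecentDir = Join-Path -Path $_.FullName -ChildPath 'AppData\Roaming\Microsoft\Windows\Recent'
    Get-ChildItem -Path $RecentDir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue -Force | ForEach-Object {
        # Resolve each shortcut once and emit its target and arguments as separate lines, as before.
        $Shortcut = $WScript.CreateShortcut($_.FullName)
        $Shortcut.TargetPath
        $Shortcut.Arguments
    }
} | Sort-Object -Unique | Select-String -Pattern 'WINDOWS|Teams|program files' -NotMatch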
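Write-Output '-------------------------'
Write-Output "[+] INFO: Dumping Recycle Bin only 3 paths deep"
Write-Output '-------------------------'
# Layout under $Recycle.Bin: one folder per user SID holding $I<id> metadata records and $R<id> payloads.
# Output is one tab-separated line per SID folder and per $I record: account, text pulled from the $I
# record, entry path. $R payload entries are skipped.
# NOTE(review): the $I parsing below (strip everything up to the first \u0001 byte, then drop NUL bytes) is
# the original heuristic for reading the UTF-16 original path; confirm it on non-ASCII paths.
$VarUser = ''
$VarMeta = ''
Get-ChildItem -Path 'C:\$Recycle.Bin' -Force -Recurse -Depth 3 | ForEach-Object {
    if ($_.Name -match '\$I') {
        $VarMeta = "$((Get-Content -LiteralPath $_.FullName) -replace '.*\u0001.','' -replace '\u0000','')"
    }
    if ($_.Name -match 'S-.-.-.') {
        # SID folder: resolve to DOMAIN\user; the value carries over to the records beneath it.
        $VarUser = "$((New-Object System.Security.Principal.SecurityIdentifier($_.BaseName)).Translate([System.Security.Principal.NTAccount]).Value)"
    }
    if ($_.Name -notmatch '\$R') {
        Write-Output "$VarUser`t$VarMeta`t$($_.FullName)"
        $VarMeta = ''
    }
}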
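# Browser history via a third-party tool fetched at run time. Everything lands in one fixed scratch folder.
$WorkDir = 'C:\windows\Temp\ftech_temp'
$ZipPath = Join-Path -Path $WorkDir -ChildPath 'browsinghistoryview-x64.zip'
$ReportCsv = Join-Path -Path $WorkDir -ChildPath 'report.csv'
$BhvExe = Join-Path -Path $WorkDir -ChildPath 'BrowsingHistoryView.exe'
# SHA256 of the vetted ZIP. PLACEHOLDER: fill in from a copy you have checked; while empty the download is
# only warned about, not verified, so the binary that runs below is whatever the download returned.
$ExpectedZipSha256 = ''
New-Item -Path $WorkDir -ItemType Directory -Force -ErrorAction SilentlyContinue | Out-Null
Remove-Item -Path $ReportCsv -Force -ErrorAction SilentlyContinue
$ToolReady = $false
try {
    Invoke-WebRequest -Uri "https://www.nirsoft.net/utils/browsinghistoryview-x64.zip" -OutFile $ZipPath -UseBasicParsing -ErrorAction Stop
    $ToolReady = $true
} catch {
    Write-Warning "BrowsingHistoryView download failed: $($_.Exception.Message)"
}
if ($ToolReady) {
    if ($ExpectedZipSha256) {
        $ActualHash = (Get-FileHash -LiteralPath $ZipPath -Algorithm SHA256).Hash
        if ($ActualHash -ne $ExpectedZipSha256) {
            Write-Warning "browsinghistoryview-x64.zip hash mismatch (got $ActualHash); not extracting."
            $ToolReady = $false
        }
    } else {
        Write-Warning 'No SHA256 pinned for browsinghistoryview-x64.zip; the downloaded archive is unverified.'
    }
}
if ($ToolReady) {
    Expand-Archive -LiteralPath $ZipPath -DestinationPath $WorkDir -Force
}
Write-Output "[+] INFO: Fetching Latest 6 Users Chrome,Edge History"
# The tool only runs from a fresh, successful extraction; a leftover EXE from an earlier run is not reused.
if ($ToolReady -and (Test-Path -LiteralPath $BhvExe)) {
    # Built-in profiles are filtered out before taking the six most recently written ones; filtering after
    # Select-Object -First 6 (as before) could leave fewer than six real users. The path is 'C:\Users': the
    # old "C:\Users\$_" relied on $_ being empty at top level.
    Get-ChildItem -Directory -Path 'C:\Users' -ErrorAction SilentlyContinue -Force |
        Where-Object Name -notmatch 'public|default|\$' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 6 |
        ForEach-Object {
            $UserName = $_.Name
            Write-Output '-------------------------'
            Write-Output "[+] INFO: Displaying History for $UserName MSEdge/Chrome "
            Write-Output '-------------------------'
            # Drop the previous user's CSV first so a run that produces nothing cannot be misattributed.
            Remove-Item -Path $ReportCsv -Force -ErrorAction SilentlyContinue
            # No trailing backslash before the closing quote: standard Windows argument parsing reads \" as
            # an escaped quote, which swallowed the rest of the command line in the old form.
            $BhvArgs = "/HistorySource 4 /HistorySourceFolder `"C:\users\$UserName`" /VisitTimeFilterType 3 /VisitTimeFilterValue 2 /LoadIE 1 /LoadFirefox 1 /LoadChrome 1 /scomma `"$ReportCsv`" /sort `"Visit Time`""
            Start-Process -FilePath $BhvExe -ArgumentList $BhvArgs -Wait -WindowStyle Hidden
            if (Test-Path -LiteralPath $ReportCsv) {
                # One line per distinct title: the title and its first URL, clipped to 100 characters.
                Import-Csv -Path $ReportCsv |
                    Group-Object -Property Title |
                    ForEach-Object {
                        $VarTitle = $_.Group.Title | Select-Object -First 1 -Unique
                        $FirstUrl = [string]($_.Group.URL | Select-Object -First 1)
                        $VarURL = $FirstUrl.PadRight(100).Substring(0, 100).TrimEnd()
                        Write-Output "$VarTitle,$VarURL"
                    } | Select-String -Pattern "(newell|crowdstrike|pingidentity)" -NotMatch
            }
        }
} else {
    Write-Warning "BrowsingHistoryView.exe not available in $WorkDir; skipping browser history."
}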
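Write-Output '-------------------------'
Write-Output "[+] INFO: Displaying 100 Uniq Event logs Security,Application,System,Setup,ForwardedEvents, Windows PowerShell "
Write-Output '-------------------------'
# Get-WinEvent is used because the classic Get-EventLog API cannot open the Setup and ForwardedEvents
# channels, and -MaxEvents returns the newest records; Get-EventLog emits newest first, so the old
# Select-Object -Last 100 kept the 100 oldest entries of each log.
# NOTE(review): the old Sort-Object -Unique had no key; records are deduplicated here by provider + event ID,
# which is the closest reading of "Uniq" — adjust if every record is wanted.
foreach ($LogName in @('Security', 'Application', 'System', 'Setup', 'ForwardedEvents', 'Windows PowerShell')) {
    Get-WinEvent -LogName $LogName -MaxEvents 100 -ErrorAction SilentlyContinue |
        Sort-Object -Property ProviderName, Id -Unique |
        Format-Table -Property TimeCreated, Id, ProviderName, Message -AutoSize
}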