Add new SMB module to get the PowerShell history on all the users #341
Thanks for the PR!
First commit Signed-off-by: Sébastien Miguel <43112303+357384n@users.noreply.github.com>
Add export feature and some keywords Signed-off-by: Sébastien Miguel <43112303+357384n@users.noreply.github.com>
Add the path to output file in the output Signed-off-by: Sébastien Miguel <43112303+357384n@users.noreply.github.com>
add description to module option Signed-off-by: Sébastien Miguel <43112303+357384n@users.noreply.github.com>
a297835 to 5ccf0d3
Merged from NetExec PR Pennyw0rth#341

Custom changes from original submission:
- moved powershell history command and sensitive keywords to Class-level constants
- added reusable handle_error func to centralize error logging
- refactored export logic to use NXC_PATH
- added validation for connection to check if it's None before executing PowerShell command. Avoids downstream issues if connection is invalid.
- improved options parsing so boolean comparisons are case-insensitive
- removed analyze_history loop and replaced with list comprehension
- removed execute_command method, which was a wrapper for connection.execute(). connection.execute() is now called directly in get_powershell_history.

Signed-off-by: Mercury0 <mfox05@gmail.com>
@357384n do you have a Twitter handle I could mention in a post?

Hey @NeffIsBack, I don't, sorry. Hope it can be useful for others during some pentest :)

No problem, I will mention your name anyway :)

Hey guys! I watched this module and realized that it is doing a PowerShell command execution. It doesn't matter in most envs, but wouldn't it be better to crawl directories and files via simple SMB commands? Otherwise we should definitely set the opsec attribute to false (for what it's worth). Great module anyway!!

See #444
Hey,
I've added a pretty basic module to get the PowerShell history of all the users on specified targets. Once it gets it, the module will check some keywords that could contain credentials and display them.
You can also export the entire PowerShell history with the following option: `-o export=enable`.
If you do that, a file like {IP}.powershell_history.txt will be written in your current path.
Running the module:
By default the export option is disabled, but it can be very interesting during a pentest, so if you want to manually analyze them just do like below:
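
The keyword check described in this PR, turned into a defender-side audit of a PSReadLine history file; this is an added example, not the module's code or its output. The keyword list, function names and sample history are assumptions constructed for illustration, and quoted values are masked so the report does not copy the secret it flags.

```python
import re

# Assumed keyword list for illustration; the module's own list is not shown on this page.
SENSITIVE_KEYWORDS = ("password", "passwd", "secret", "credential", "token", "securestring")

# Constructed sample of a PSReadLine history file (not real data).
SAMPLE_HISTORY = r"""Get-ChildItem C:\Users
$env:API_TOKEN = 'EXAMPLE-VALUE'
$sec = ConvertTo-SecureString 'EXAMPLE-VALUE' `
  -AsPlainText -Force
Get-Process
"""


def split_commands(text):
    """Rebuild commands: PSReadLine ends each continued line with a backtick."""
    commands, pending = [], []
    for line in text.splitlines():
        continued = line.endswith("`")
        pending.append(line[:-1].strip() if continued else line.strip())
        if not continued:
            command = " ".join(part for part in pending if part)
            if command:
                commands.append(command)
            pending = []
    if pending:  # file ended in the middle of a continued command
        commands.append(" ".join(part for part in pending if part))
    return commands


def redact(command):
    """Mask quoted literals so the audit report does not copy the secret itself."""
    return re.sub(r"'[^']*'|\"[^\"]*\"", "'<redacted>'", command)


def audit_history(text, keywords=SENSITIVE_KEYWORDS):
    """Return (command_number, matched_keywords, redacted_command) for each hit."""
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    findings = []
    for number, command in enumerate(split_commands(text), start=1):
        matched = sorted({m.group(0).lower() for m in pattern.finditer(command)})
        if matched:
            findings.append((number, matched, redact(command)))
    return findings


if __name__ == "__main__":
    for number, matched, command in audit_history(SAMPLE_HISTORY):
        print(f"command {number}: {', '.join(matched)}: {command}")
```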