This is a Windows toolkit written exclusively in PowerShell 5.1 (see the compatibility table below for pwsh.exe) with no external modules.
The purpose of this toolkit is to provide a simple reimplementation of many common networking and basic sysadmin tools that can be used in a stock Windows environment without administrator permissions.
- TCP Client/Listener - two-way communication as either a listener or a client, with a chat-like UI
- UDP Transmitter/Receiver - similar to the TCP Client/Listener, but currently one-way only
  - WIP - allow two-way communication
- TCP Scanner - TCP full-connect scanner that opens multiple TCP sockets and attempts the connections asynchronously
- ICMP Scanner - ICMP ping sweep that pings multiple hosts simultaneously
- Basic Shortcuts - the program currently has shortcuts for the following programs:
  - mstsc.exe (the default RDP client on Windows)
  - cmd.exe (user and runas)
  - powershell.exe (user and runas)
  - Enter-PSSession (user and runas)
  - pwsh.exe (user and runas)
- Utilities
  - Current_Users.ps1 - shows all active users, their sessions, and their oldest process
  - All_Users.ps1 - shows all users who have an account on the machine
  - SystemInfo.ps1 - runs the "systeminfo" command and opens the results in Notepad
  - Get_Strings.ps1 - parses any file for printable ASCII strings of a specified minimum length and opens the results in Notepad
  - Get_Strings.ps1 - continuously queries all users and their sessions (when run as admin this also detects runas processes and Windows service accounts)
  - View_Login.ps1 - parses the Security event log for all successful and failed logon attempts by a user
  - Remote_Shell.ps1 - a more advanced PowerShell remoting session (as opposed to Enter-PSSession) with prefab commands and other integrated tools
  - WIP - AD_Lookup.ps1 - currently non-functional; eventually this will be integrated into the Domain_Computer_Query.html and Domain_User_Query.html pages to allow queries through the web form
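The scanner entries above describe the technique without showing it. The following is an added example, not the toolkit's own TCP_Scanner.ps1: a TCP full-connect scan that starts every connection attempt first and then waits on the whole batch once, so a 1 s timeout costs about 1 s for the batch rather than 1 s per port. Full connects use ordinary sockets rather than raw sockets, which is why they work without administrator rights. The function name, parameters and the 127.0.0.1 target are this example's own; it runs on both powershell.exe 5.1 and pwsh.exe.

```powershell
# Added example (not the toolkit's TCP_Scanner.ps1): asynchronous TCP full-connect scan.
# Full connects use ordinary sockets, so no administrator rights are needed.
function Invoke-TcpConnectScan {
    param(
        [Parameter(Mandatory)][string]$Target,                   # hostname or IP
        [int[]]$Ports = @(22, 80, 135, 139, 443, 445, 3389),     # hypothetical default list
        [int]$TimeoutMs = 1000
    )

    # Phase 1: fire off every connection attempt before waiting on any of them.
    $attempts = @(foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        [pscustomobject]@{
            Port   = $port
            Client = $client
            Task   = $client.ConnectAsync($Target, $port)   # Task, completes on connect/refuse
        }
    })

    # Phase 2: one wait for the whole batch. WaitAll throws AggregateException when
    # any attempt faulted (e.g. connection refused); that is expected, so the
    # exception is swallowed and each task's own status is inspected instead.
    try {
        [System.Threading.Tasks.Task[]]$tasks = $attempts | ForEach-Object { $_.Task }
        [void][System.Threading.Tasks.Task]::WaitAll($tasks, $TimeoutMs)
    } catch { }

    # Phase 3: classify. Refused = host answered with RST (closed); no answer within
    # the timeout = filtered or host down; anything else is reported with its message.
    foreach ($a in $attempts) {
        $state = switch ($a.Task.Status) {
            'RanToCompletion' { 'Open' }
            'Faulted' {
                $inner = $a.Task.Exception.InnerException
                if ($inner -is [System.Net.Sockets.SocketException] -and
                    $inner.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
                    'Closed'
                } else {
                    "Error: $($inner.Message)"
                }
            }
            default { 'Filtered (timeout)' }
        }
        $a.Client.Close()   # also abandons attempts that are still pending
        [pscustomobject]@{ Target = $Target; Port = $a.Port; State = $state }
    }
}

# Usage (sample target only; scan hosts you are authorised to scan):
Invoke-TcpConnectScan -Target '127.0.0.1' -Ports 135, 445, 3389, 8080 | Format-Table -AutoSize
```

A full connect completes the three-way handshake, so every open port is logged by the target application exactly like a real client; that is the price of not needing raw sockets. Keep the batch size modest on hosts behind rate-limiting firewalls, or the timeout branch will report filtered ports that are actually open.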
| Name | powershell.exe (v5.1) | pwsh.exe (v7.5) | Notes |
|---|---|---|---|
| powershell_web_server.ps1 | ✅ | ✅ | |
| AD Tools | | | These tools are still WIP |
| All_Users.ps1 | ✅ | ✅ | |
| Current_Users.ps1 | ✅ | ✅ | Running as a standard (non-admin) user is only supported on version 7.5 |
| Data_Convert.ps1 | ✅ | ✅ | |
| Get_Strings.ps1 | ✅ | ✅ | |
| ICMP_Scanner.ps1 | ✅ | ✅ | |
| Remote_Shell.ps1 | ✅ | ✅ | |
| System_Info.ps1 | ✅ | ✅ | |
| TCP_Client.ps1 | ✅ | ✅ | |
| TCP_Receiver.ps1 | ✅ | ✅ | |
| TCP_Scanner.ps1 | ✅ | ✅ | |
| UDP_Receiver.ps1 | ✅ | ✅ | |
| UDP_Transmitter.ps1 | ✅ | ✅ | |
| View_Login.ps1 | ✅ | ✅ | Significantly slower on version 5.1 (or earlier) |
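View_Login.ps1 is described above as parsing the Security log for one user's successful and failed logons. The following is an added example, not the toolkit's script, of how that query is done efficiently on either PowerShell version: filter server-side with `Get-WinEvent -FilterHashtable` (event IDs 4624 and 4625, a start time, and the `Data` key so the log service only returns events that mention the account), then read the EventData fields by name from the event XML instead of by positional index, since the indexes differ between the two event IDs. The function name and parameters are this example's own. Reading the Security log requires administrator rights or membership in the Event Log Readers group, so this is one of the tools that does not run as a standard user.

```powershell
# Added example (not the toolkit's View_Login.ps1): successful (4624) and failed (4625)
# logons for one account, filtered server-side. Needs rights to read the Security log.
function Get-UserLogonEvents {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [datetime]$Since = (Get-Date).AddDays(-7),
        [int]$MaxEvents = 500
    )

    # Data matches any EventData value, so the service pre-filters on the account name;
    # TargetUserName is re-checked below because Data also matches SubjectUserName etc.
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since; Data = $UserName }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read EventData fields by name; Properties[] indexes differ between 4624 and 4625.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        if ($data['TargetUserName'] -ne $UserName) { continue }

        $result = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Result      = $result
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $data['LogonType']        # 2 interactive, 3 network, 10 RemoteInteractive (RDP)
            SourceIp    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            Status      = $data['Status']           # NTSTATUS on failures, empty on success
        }
    }
}

# Usage: the current account's logons over the last week.
Get-UserLogonEvents -UserName $env:USERNAME | Format-Table -AutoSize
```

Piping every Security event through `Where-Object` and only then inspecting the message is the slow path; the hashtable filter is applied by the event log service before any record is returned to PowerShell. Note that `-MaxEvents` caps the events returned before the TargetUserName check, so raise it on busy hosts.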
Email filters generally block .ps1 attachments, and some web filters block .ps1 downloads.
For filters that inspect ONLY the file extension, use the following to append .txt to each PowerShell script. This does nothing against filters that inspect file content, which will still recognise the scripts as PowerShell:

```powershell
Get-ChildItem -Recurse -File | Where-Object { $_.Name -match '\.ps1$' } | ForEach-Object { Rename-Item -LiteralPath $_.FullName -NewName ($_.Name + '.txt') }
```

Then, to remove the .txt extension again, run:

```powershell
Get-ChildItem -Recurse -File | Where-Object { $_.Name -match '\.ps1\.txt$' } | ForEach-Object { Rename-Item -LiteralPath $_.FullName -NewName ($_.Name -replace '\.txt$', '') }
```
Setting up the tool is straightforward and breaks down into three required steps plus one optional one:
- Step 1: Download the latest release (.zip)
- Step 2: See "Escaping Email and Web Filters" for removing the ".txt" ending from the scripts
- Step 3: Start the program. The default execution policy (Restricted on Windows clients, RemoteSigned on Windows Server) refuses to run unsigned scripts, and files downloaded from the internet carry the Mark of the Web, which RemoteSigned also rejects. `-ExecutionPolicy Bypass` overrides the policy for this one process without changing the machine setting (execution policy is a guard against accidental execution, not a security boundary):

```powershell
powershell.exe -ExecutionPolicy Bypass -File .\powershell_web_server.ps1
```

Alternatively, clear the Mark of the Web from the extracted scripts with `Unblock-File -Path .\*.ps1` and run them under RemoteSigned. `-File` is used so that a script path containing spaces is passed through intact rather than being parsed as a command.
- Step 4 (optional): create an easy-to-use shortcut. If you would like to start the program with one click, create a shortcut with the following "Target" (quote the path if it contains spaces):

```powershell
conhost.exe powershell.exe -ExecutionPolicy Bypass -File C:\Path\to\the\script\powershell_web_server.ps1
```

or

```powershell
conhost.exe pwsh.exe -ExecutionPolicy Bypass -File C:\Path\to\the\script\powershell_web_server.ps1
```