
Fabarsenal


 <#
.SYNOPSIS
/!\ DO NOT RUN THIS SCRIPT ON A PRODUCTION WINDOWS MACHINE IN YOUR COMPANY. It is designed for a disposable sandbox only: it disables Defender, removes inbox packages, runs a remote installer unverified and drops offensive tooling on disk.
This script automates the setup of a Windows Attacker sandbox, including:
- Creating a RAM drive (disabled by default: the ImDisk download/install steps are commented out in Install-ImDisk)
- Removing unnecessary packages
- Disabling telemetry and tracking
- Installing software via Chocolatey
- Setting up Firefox extensions
- Cloning attack tooling from GitHub (mimikatz binaries, Ghostpack compiled binaries, impacket examples) and merging it into one folder
- Disabling Windows Defender
- Setting up a PowerShell profile that starts every session in that folder
.DESCRIPTION
The script is divided into functions for better modularity and scalability. Each function performs a specific task, and the main execution is at the end of the script.
.NOTES
Ensure you run this script with elevated privileges, inside a disposable VM with a snapshot taken first: several steps (AppX removal for all users, execution policy, Defender, the machine-wide PATH) are system-wide and the script does not revert them.
#>
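# Execution policy. The script already applies a process-scoped Bypass right before the
# Chocolatey bootstrap (Install-Packages) and Set-Profile leaves the CurrentUser scope at
# RemoteSigned, so a persistent CurrentUser=Unrestricted was never needed - and it would
# survive on the machine if the script aborted before Set-Profile ran. Process scope dies
# with this PowerShell session and leaves nothing behind.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# Global variables.
# NOTE(review): Install-ImDisk and Install-FirefoxExtensions re-declare identical local
# copies of these and read those, not the globals; they are kept here as the documented
# defaults.
$DriveLetter = 'X:'                                            # RAM drive letter used by Install-ImDisk
$baseURL     = "https://addons.mozilla.org/fr/firefox/addon/"  # AMO listing base URL (fr locale)
$extensions  = @(                                              # AMO slugs opened by Install-FirefoxExtensions
    "ublock-origin",
    "bitwarden-password-manager",
    "wappalyzer",
    "multi-account-containers",
    "epubreader",
    "traduzir-paginas-web"
)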
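function Install-ImDisk {
    <#
    .SYNOPSIS
    Creates the RAM drive used for volatile working files.
    .DESCRIPTION
    Disabled by default: every step below is commented out, so calling this function only
    assigns two local variables and returns. Uncomment the steps to download the ImDisk
    Toolkit, extract it, run its silent installer and mount a 4192 MB NTFS RAM drive on
    $DriveLetter.
    .NOTES
    The archive is fetched from SourceForge over HTTPS with no integrity check, and
    install.bat then runs as administrator. Before enabling this, compare the Get-FileHash
    output with the checksum published by the ImDisk project. The working folder is the
    caller's temp directory instead of a hard-coded per-user Downloads path, so the
    function works for any account.
    #>
    $DriveLetter = 'X:'
    $work = Join-Path ([System.IO.Path]::GetTempPath()) 'imdisk'
    # Uncomment the below lines if you want to download and install ImDisk
    #New-Item -ItemType Directory -Path $work -Force | Out-Null
    #Invoke-WebRequest -Uri 'https://downloads.sourceforge.net/project/imdisk-toolkit/20220826/ImDiskTk-x64.zip' -OutFile "$work\imdisk.zip"
    #Get-FileHash -Path "$work\imdisk.zip" -Algorithm SHA256   # compare with the published checksum before continuing
    #Expand-Archive -Path "$work\imdisk.zip" -DestinationPath $work -Verbose -Force
    #& "$work\ImDiskTk20220826\install.bat" /silent
    #imdisk -a -s 4192M -m $DriveLetter -p "/fs:ntfs /q /y"
}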
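function Clear-UnwantedPackages {
    <#
    .SYNOPSIS
    Removes every AppX package that Windows marks as removable, for all users.
    .DESCRIPTION
    Enumerates Get-AppXPackage -AllUsers (requires elevation), keeps the packages whose
    NonRemovable flag is $false and calls Remove-AppxPackage on each one. A package that
    cannot be removed is reported and skipped; the loop never aborts.
    .NOTES
    Deliberately indiscriminate (sandbox use): Store, mail, calculator and the other inbox
    apps all go. Failures are written with Write-Warning so they land in the warning
    stream - the original printed them in green, the colour a reader takes for success.
    #>
    $removable = Get-AppXPackage -AllUsers | Where-Object NonRemovable -EQ $false
    foreach ($pkg in $removable) {
        try {
            $pkg | Remove-AppxPackage -ErrorAction Stop
        }
        catch {
            Write-Warning ("The package '{0}' can't be removed: {1}" -f $pkg.Name, $_.Exception.Message)
        }
    }
}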
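function Disable-TelemetryAndServices {
    <#
    .SYNOPSIS
    Turns off Windows telemetry, Delivery Optimization peer downloads and OneDrive file
    sync, and disables any services / scheduled tasks listed in the two arrays below.
    .DESCRIPTION
    - $services and $tasks are empty placeholders: nothing is disabled until names are added.
    - HKLM:\...\DataCollection\AllowTelemetry = 0 (DWORD); the key is created if missing.
    - HKLM:\...\DeliveryOptimization\DODownloadMode = 0 (DWORD), only if that key exists.
    - HKLM:\...\OneDrive\DisableFileSyncNGSC = 1 (DWORD); the key is created if missing.
    .NOTES
    Writes under HKLM: need elevation. All three are policy values Windows reads as
    REG_DWORD, so every Set-ItemProperty passes -Type DWord explicitly: the original
    omitted it for DisableFileSyncNGSC, and creating a missing value from "1" without a
    type stores a REG_SZ, which the policy does not honour.
    #>
    $services = @() # Define your services here
    foreach ($service in $services) {
        # Get-Service writes an error for an unknown name; suppress it and just skip.
        if (Get-Service -Name $service -ErrorAction SilentlyContinue) {
            Write-Host "Disable service '$service'"
            Set-Service -Name $service -StartupType Disabled
        }
    }

    $path = "HKLM:\Software\Policies\Microsoft\Windows\DataCollection"
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    Write-Host "Configure telemetry"
    Set-ItemProperty -Path $path -Name AllowTelemetry -Value 0 -Type DWord

    $path = "HKLM:\Software\Policies\Microsoft\Windows\DeliveryOptimization"
    if (Test-Path $path) {
        Write-Host "Configure delivery optimization"
        Set-ItemProperty -Path $path -Name DODownloadMode -Value 0 -Type DWord
    }

    Write-Host "Disable scheduled tasks"
    $tasks = @() # Define your tasks here
    foreach ($task in $tasks) {
        $taskdetail = Get-ScheduledTask -TaskName $task -ErrorAction SilentlyContinue
        if ($taskdetail) {
            Disable-ScheduledTask -InputObject $taskdetail | Out-Null
        }
    }

    $path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive"
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    Write-Host "Disable OneDrive for file sync"
    # Bug fix: explicit DWORD type (see .NOTES).
    Set-ItemProperty -Path $path -Name DisableFileSyncNGSC -Value 1 -Type DWord
}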
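function Install-Packages {
    <#
    .SYNOPSIS
    Bootstraps Chocolatey, then installs the sandbox tool set (Python, Firefox, Git, RSAT,
    Wireshark, WSL2, OpenSSH, Notepad++, VS Code + extensions, Debian and Kali for WSL).
    .DESCRIPTION
    Order matters: Chocolatey first, Firefox before it is made the default browser, VS Code
    before its extensions, the WSL feature before the two distributions.
    .NOTES
    Supply-chain trust: the Chocolatey bootstrap downloads install.ps1 over TLS 1.2 and
    executes it with iex, unverified - whoever controls community.chocolatey.org or a TLS
    interception point between here and it controls this machine. Acceptable only for a
    disposable sandbox; pin the installer and check its hash for anything longer-lived.
    Every choco package is likewise installed unpinned at "latest".
    Set-DefaultBrowser is not a built-in cmdlet and is not defined in this script; unless
    a module in the session provides it, that call writes an error and the run continues
    with the current default browser.
    #>
    # Process-scoped bypass affects this session only; 3072 = Tls12, forced for the download.
    Set-ExecutionPolicy Bypass -Scope Process -Force
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
    # Remote code execution by design (see .NOTES) - do not reuse outside a sandbox.
    iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
    choco feature enable -n allowGlobalConfirmation

    choco install python --pre
    choco install firefox
    $FirefoxPath = "C:\Program Files\Mozilla Firefox\firefox.exe"
    Set-DefaultBrowser -Value $FirefoxPath
    choco install git.install
    # Chocolatey hands package parameters to a package only through --params; bare
    # switches are consumed (or rejected) by choco itself, so /AD /CS never reached rsat.
    choco install rsat --params "/AD /CS"
    choco install wireshark
    choco install wsl2 --params "/Version:2 /Retry:true"
    choco install firefox-nightly --pre
    choco install openssh
    choco install notepadplusplus
    choco install vscode

    # One CLI shim for every extension (the original mixed bin\code and Code.exe).
    $code = "C:\Program Files\Microsoft VS Code\bin\code"
    $vsCodeExtensions = @(
        'hashicorp.terraform',
        'Kelvin.vscode-sshfs',
        'eamodio.gitlens',
        'ms-vscode-remote.remote-wsl',
        'ms-python.python',
        'ms-vscode.powershell'
    )
    foreach ($ext in $vsCodeExtensions) {
        & $code --install-extension $ext
    }

    # Enable the WSL feature without rebooting, then pull both distributions.
    dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart
    wsl --install -d debian
    wsl --install -d kali-linux
}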
function Setup-Language {
    <#
    .SYNOPSIS
    Switches the installed UI language, the user language list and the system locale to
    en-US, and sets the time zone to Romance Standard Time.
    .NOTES
    NOTE(review): Install-Language / Set-SystemPreferredUILanguage come from the
    LanguagePackManagement module, which is not present on older Windows builds - confirm
    on the target image. Some of these changes only take effect after sign-out or reboot.
    #>
    $locale = 'en-US'
    Install-Language $locale
    Set-SystemPreferredUILanguage $locale
    Set-WinUserLanguageList $locale -Force
    Set-WinSystemLocale $locale
    Set-TimeZone "Romance standard time"
}
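function Install-FirefoxExtensions {
    <#
    .SYNOPSIS
    Opens each listed addons.mozilla.org (AMO) extension in Firefox so the user can
    confirm its install prompt.
    .DESCRIPTION
    For every slug in $extensions the AMO listing page is fetched, the first link ending
    in .xpi is extracted and handed to firefox.exe. Firefox still asks the user to confirm
    each add-on, so this step is interactive.
    .NOTES
    Security: the original launched *any* href ending in .xpi found on the page, whatever
    host it pointed at. The link is now required to be an absolute https URL on
    addons.mozilla.org; anything else, or a page with no .xpi link, is reported and
    skipped instead of being opened. -UseBasicParsing keeps Windows PowerShell 5.1 from
    depending on the IE DOM engine (it is a no-op on PowerShell 7).
    #>
    $baseURL = "https://addons.mozilla.org/fr/firefox/addon/"
    $extensions = @(
        "ublock-origin",
        "bitwarden-password-manager",
        "wappalyzer",
        "multi-account-containers",
        "epubreader",
        "traduzir-paginas-web"
    )

    # Returns the first *.xpi href on an AMO listing page, or $null when there is none.
    function Get-XpiLink {
        param (
            [string]$extensionURL
        )
        $response = Invoke-WebRequest -Uri $extensionURL -UseBasicParsing
        $xpiLink = $response.Links |
            Where-Object { $_.href -like "*.xpi" } |
            Select-Object -ExpandProperty href -First 1
        return $xpiLink
    }

    # True only for an absolute https URL whose host is addons.mozilla.org.
    function Test-TrustedXpiLink {
        param (
            [string]$xpiLink
        )
        $uri = $null
        if (-not [System.Uri]::TryCreate($xpiLink, [System.UriKind]::Absolute, [ref]$uri)) {
            return $false
        }
        return ($uri.Scheme -eq 'https' -and $uri.Host -eq 'addons.mozilla.org')
    }

    function OpenInFirefox {
        param (
            [string]$xpiLink
        )
        Start-Process -FilePath "firefox.exe" -ArgumentList $xpiLink
    }

    foreach ($extension in $extensions) {
        $url = $baseURL + $extension
        $xpiLink = Get-XpiLink -extensionURL $url
        if (-not $xpiLink) {
            Write-Warning "No .xpi link found on $url - skipping '$extension'."
            continue
        }
        if (-not (Test-TrustedXpiLink -xpiLink $xpiLink)) {
            Write-Warning "Refusing to open '$xpiLink' for '$extension': not an https link on addons.mozilla.org."
            continue
        }
        OpenInFirefox -xpiLink $xpiLink
    }
}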
function Setup-Darkmode {
    <#
    .SYNOPSIS
    Switches the current user's apps and system shell to the dark theme.
    .DESCRIPTION
    Writes AppsUseLightTheme = 0 and SystemUsesLightTheme = 0 (DWORD) under
    HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize. The key is
    per-user, so this step does not need elevation.
    #>
    $personalize = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize'
    foreach ($valueName in 'AppsUseLightTheme', 'SystemUsesLightTheme') {
        Set-ItemProperty -Path $personalize -Name $valueName -Value 0 -Type Dword -Force
    }
}
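# Function to disable Windows Defender (best effort - see .NOTES)
function Disable-WindowsDefender {
    <#
    .SYNOPSIS
    Turns off Microsoft Defender real-time protection, stops and disables the WinDefend
    service and disables the four Defender scan/maintenance scheduled tasks.
    .DESCRIPTION
    Runs before Github-FabArsenal so the offensive tooling it clones is not quarantined on
    arrival. Each step is attempted independently: a failure is reported and the function
    carries on. The final message reflects the state read back from Get-MpComputerStatus
    instead of being printed unconditionally as the original did.
    .NOTES
    On current Windows builds Tamper Protection (Windows Security > Virus & threat
    protection settings) typically rejects Set-MpPreference -DisableRealtimeMonitoring and
    Stop-Service WinDefend with access denied, and Defender re-arms itself on the next
    reboot. If this reports a failure, turn Tamper Protection off by hand first and rerun.
    Nothing here is "permanent".
    #>
    Write-Host "Disabling Windows Defender..."

    # Disable real-time protection
    try {
        Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction Stop
    }
    catch {
        Write-Warning "Set-MpPreference failed (Tamper Protection still on?): $($_.Exception.Message)"
    }

    # Stop and disable the Windows Defender service
    try {
        Stop-Service -Name WinDefend -Force -ErrorAction Stop
        Set-Service -Name WinDefend -StartupType Disabled -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not stop/disable WinDefend: $($_.Exception.Message)"
    }

    # Disable Windows Defender scheduled tasks
    $defenderTasks = @(
        'Windows Defender Scheduled Scan',
        'Windows Defender Cache Maintenance',
        'Windows Defender Cleanup',
        'Windows Defender Verification'
    )
    foreach ($task in $defenderTasks) {
        schtasks /Change /TN "\Microsoft\Windows\Windows Defender\$task" /Disable
    }

    # Report what Defender actually ended up doing rather than assuming success.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $status) {
        Write-Host "Windows Defender is not answering status queries (service stopped or disabled); verify in Windows Security."
    }
    elseif (-not $status.RealTimeProtectionEnabled) {
        Write-Host "Windows Defender has been disabled."
    }
    else {
        Write-Warning "Windows Defender real-time protection is still reported as enabled; check Tamper Protection and rerun."
    }
}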
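function Github-FabArsenal {
    <#
    .SYNOPSIS
    Clones three offensive tool repositories and flattens the parts of interest into
    $HOME\Documents\FabArsenal.
    .DESCRIPTION
    - ParrotSec/mimikatz                       -> contents of its x64\ folder
    - r3motecontrol/Ghostpack-CompiledBinaries -> everything
    - fortra/impacket                          -> contents of examples\
    Each clone lands in a scratch sub-folder (Repo1..Repo3) that is deleted after the
    copy. A clone that fails (non-zero git exit code) is reported and skipped instead of
    letting Copy-Item fail on a missing folder.
    .NOTES
    Supply chain: the first two repositories ship pre-compiled Windows binaries from third
    parties (the mimikatz mirror is not the upstream gentilkiwi repository), cloned at
    whatever HEAD is today with no tag, commit or hash pinning. That is this sandbox's
    trust model - do not lift this function into anything that matters without pinning
    (git clone --branch <tag> / git checkout <sha>) and checksumming each binary.
    Run after Disable-WindowsDefender or the clones are quarantined on arrival.
    PATH: Git's bin\ and cmd\ folders are appended to the MACHINE Path only if absent.
    The original appended unconditionally on every run, and because it re-read the stale
    $env:Path between the two writes the second write dropped the first - so each run left
    a duplicate cmd\ entry and no bin\ entry.
    #>
    # Refresh the environment to recognize Git, adding its folders to the machine PATH once.
    $machinePath = [System.Environment]::GetEnvironmentVariable("Path", "Machine")
    $entries = @($machinePath -split ';' | Where-Object { $_ })
    foreach ($gitDir in 'C:\Program Files\Git\bin', 'C:\Program Files\Git\cmd') {
        if ($entries -notcontains $gitDir) {
            $entries += $gitDir
        }
    }
    $machinePath = $entries -join ';'
    [System.Environment]::SetEnvironmentVariable("Path", $machinePath, "Machine")
    $env:Path = $machinePath

    # Define the paths: repo URL -> sub-path whose contents are copied ('' = whole repo)
    $destinationPath = "$HOME\Documents\FabArsenal"
    $repos = [ordered]@{
        "https://github.com/ParrotSec/mimikatz.git"                       = "x64"
        "https://github.com/r3motecontrol/Ghostpack-CompiledBinaries.git" = ""
        "https://github.com/fortra/impacket.git"                          = "examples"
    }

    # Create the destination directory
    if (-not (Test-Path -Path $destinationPath)) {
        New-Item -ItemType Directory -Path $destinationPath | Out-Null
    }

    $index = 0
    foreach ($repo in $repos.Keys) {
        $index++
        $repoPath = Join-Path $destinationPath "Repo$index"
        # git signals failure through its exit code, not a PowerShell error.
        git clone $repo $repoPath
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "git clone of $repo failed (exit $LASTEXITCODE); skipping it."
            continue
        }
        # Copy the specific contents to the destination directory
        $source = if ($repos[$repo]) { Join-Path $repoPath $repos[$repo] } else { $repoPath }
        Copy-Item -Path "$source\*" -Destination $destinationPath -Recurse -Force
        # Clean up the cloned repo subdirectory
        Remove-Item -Path $repoPath -Recurse -Force
    }
    Write-Host "Repositories have been merged into $destinationPath"
}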
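function Set-Profile {
    <#
    .SYNOPSIS
    Makes every PowerShell session start in the arsenal folder by appending a Set-Location
    line to the current user's all-hosts profile (profile.ps1).
    .PARAMETER destinationPath
    Folder to Set-Location into at startup. It is written into the profile verbatim inside
    double quotes, so it must not itself contain a double quote.
    .DESCRIPTION
    Sets the CurrentUser execution policy to RemoteSigned so the unsigned local profile is
    allowed to run. Uses Documents\PowerShell for PowerShell 7 (Core) and
    Documents\WindowsPowerShell otherwise, creates folder and file as needed, and appends
    the command only if the file does not already contain it.
    .NOTES
    Bug fix: the original tested the file with -notcontains, a collection operator, on
    the single string returned by Get-Content -Raw. That only matched when the whole file
    equalled the command, so every rerun appended another Set-Location line. An ordinal
    substring search is used instead (no wildcard interpretation of the path).
    #>
    param (
        [string]$destinationPath
    )
    # Set the execution policy to RemoteSigned
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

    # Determine the correct profile folder based on the PowerShell edition
    $profileFolder = if ($PSVersionTable.PSEdition -eq "Core") {
        "$HOME\Documents\PowerShell"
    } else {
        "$HOME\Documents\WindowsPowerShell"
    }

    # Ensure the profile folder exists
    if (-not (Test-Path -Path $profileFolder)) {
        New-Item -ItemType Directory -Path $profileFolder -Force | Out-Null
        Write-Host "Profile directory created at $profileFolder"
    }

    # Ensure the profile script exists
    $profilePath = "$profileFolder\profile.ps1"
    if (-not (Test-Path -Path $profilePath)) {
        New-Item -ItemType File -Path $profilePath -Force | Out-Null
        Write-Host "Profile script created at $profilePath"
    } else {
        Write-Host "Profile script already exists at $profilePath"
    }

    # Append the change-directory command unless the profile already contains it
    $changeDirCommand = "Set-Location -Path `"$destinationPath`""
    $profileContent = [string](Get-Content -Path $profilePath -Raw)   # $null -> "" for an empty file
    if ($profileContent.IndexOf($changeDirCommand, [System.StringComparison]::Ordinal) -lt 0) {
        Add-Content -Path $profilePath -Value "`n$changeDirCommand`n"
        Write-Host "PowerShell profile updated to start in $destinationPath"
    } else {
        Write-Host "PowerShell profile already contains the change directory command"
    }
}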
# Main execution block. The order is deliberate: Chocolatey/Git/Firefox are installed
# before the Firefox extensions and the git clones that need them, Defender is switched
# off before the offensive repositories are cloned, and the profile is written last so it
# points at the folder Github-FabArsenal just created.
$steps = @(
    'Install-ImDisk',
    'Clear-UnwantedPackages',
    'Disable-TelemetryAndServices',
    'Install-Packages',
    'Install-FirefoxExtensions',
    'Setup-Language',
    'Setup-Darkmode',
    'Disable-WindowsDefender',
    'Github-FabArsenal'
)
foreach ($step in $steps) {
    & $step
}
Set-Profile -destinationPath "$HOME\Documents\FabArsenal"


Once the first script has run, you can apply the second one to forward ports to your Kali VM (the WSL 2 instance) for your C2 (I advise installing Sliver on it, as it is free). Note that the forwarding below listens on 0.0.0.0, i.e. on every interface of the Windows host, and opens matching firewall rules, so the C2 ports become reachable from anything that can reach the sandbox — keep the sandbox network isolated or set `$addr` to one specific interface address:
https://www.it-connect.fr/wsl-2-port-forwarding-comment-acceder-a-sa-machine-virtuelle-a-distance/


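# WSL 2 port forwarding: expose selected TCP ports of a WSL distribution through the
# Windows host (netsh portproxy + matching firewall rules). Run elevated; safe to rerun.
#
# - $distro : the WSL distribution to forward to. The original ran bash.exe, which uses the
#             *default* distribution - after the setup script above that is Debian (installed
#             first), not Kali - so the target is named explicitly here.
# - $ports  : TCP ports forwarded 1:1 (listen on Windows -> same port inside WSL).
# - $addr   : address netsh listens on. 0.0.0.0 = every interface of the Windows host, so
#             these ports are reachable from the whole network the sandbox sits on; use a
#             specific interface IP to narrow that.
# The WSL IP changes whenever WSL restarts, so rerun this afterwards.
$distro = 'kali-linux'
$ports  = @(80, 443, 3390)
$addr   = '0.0.0.0'

# Get the WSL instance's IPv4 address. `hostname -I` is in the base image, whereas ifconfig
# (net-tools) is often not installed. The output is joined before matching: on an array,
# -match returns the matching elements and does not populate $Matches.
$wslOutput = (wsl.exe -d $distro -- hostname -I) -join ' '
$remoteport = [regex]::Match([string]$wslOutput, '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}').Value
if (-not $remoteport) {
    Write-Output "Le script va se fermer car l'adresse IP de la machine WSL 2 est introuvable."
    exit 1   # the original exited 0, hiding the failure from any caller
}

# Firewall: drop the previous rules (silently if absent), then allow the ports in and out.
# Cmdlets are called directly - the original wrapped them in Invoke-Expression (iex), which
# is unnecessary here and is an injection pattern the moment a value comes from user input.
Remove-NetFirewallRule -DisplayName 'WSL 2 Firewall Unlock' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'WSL 2 Firewall Unlock' -Direction Outbound -LocalPort $ports -Action Allow -Protocol TCP | Out-Null
New-NetFirewallRule -DisplayName 'WSL 2 Firewall Unlock' -Direction Inbound  -LocalPort $ports -Action Allow -Protocol TCP | Out-Null

# Port proxies: remove any stale entry for the port, then point it at the current WSL IP.
foreach ($port in $ports) {
    netsh interface portproxy delete v4tov4 listenport=$port listenaddress=$addr
    netsh interface portproxy add    v4tov4 listenport=$port listenaddress=$addr connectport=$port connectaddress=$remoteport
}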
