Hak5 Forums
MrSnowMonster

Anyone who can help make my script more effective or faster?

Recommended Posts

My Slydoor payload also has a similar .ps1 script however it does most of what you have there in far less lines. If I took away all the commenting, echos etc. it would be about 7 lines of grabbing info and writing it to the Bunny. It uses the Get-WmiObject method in Powershell. You can grab computer system data, disk drives and logical disk drives from it.

E.g.

Get-WmiObject -Class Win32_ComputerSystem | Out-File $BunnyLootFolder -Encoding ASCII
Get-WmiObject -Class Win32_DiskDrive | Out-File $BunnyLootFolder -Append -Encoding ASCII
Get-WmiObject -Class Win32_LogicalDisk | Out-File $BunnyLootFolder -Append -Encoding ASCII

10 hours ago, MrSnowMonster said:

https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/recon/InfoGrabber

It has been a while since my script was updated, so if anyone wants to help make it more effective or make it faster it would be much appreciated :D

Applauds....

That is some sexy Powershell.  I have very little to offer but have some.

If you want to make sure your script works in all versions of Powershell (like version 2), avoid CIM classes.  I like them too in Powershell 4 and 5 but 2 doesn't know them.  Sticking to wmi will avoid this.

On line 9 in your run.ps1 file you can get some performance, if there are a lot of disks, by using a query.  The more you do on the left of the pipe, the more wmi filters and less Powershell has to filter after the pipe.  Wmi filters faster and will return less.  Example replacing line 9 and appending onward.

$wmiQuery = "Select DeviceID from Win32_LogicalDisk Where VolumeName = '$($VolumeName)'"
$BackupDrive = (get-wmiobject -query $wmiQuery).DeviceID

On line 33 of same file if you are trying to get the parent path, there is a command for that.

$TARGETDIR = Split-Path $TARGETDIR -Parent

In info.ps1 file I just see refactoring needing to be done.  You are hitting the wmi class of the same classes too many times.  That can slow you down.  I see networkadapterconfiguration about 3-4 times in there.  Just pull it all into a variable and then sort out all the parts you need from that variable like just do a full pull of the networkadapterconfiguration..no pipe filters.  In the next lines, filter that one variable that holds all the adapters of their parts and when done throw it away.  Same goes for physicalmemory.

That is what I can see from a glance.

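The three suggestions in the post above (filter inside the WQL query, use Split-Path for the parent directory, and query each WMI class once before picking fields out of the variable) can be combined with the Get-WmiObject inventory shown in the first reply. The script below is an added example, not code from the InfoGrabber or Slydoor payloads; $VolumeName and the loot path are assumed inputs, and the file name is a placeholder. It sticks to Get-WmiObject so it still runs on PowerShell 2.

```powershell
# Added example (not from the InfoGrabber or Slydoor payloads).
# Assumptions: $VolumeName is the volume label of the Bunny's storage,
# and the loot file lives under <drive>\loot\hostinfo\ (placeholder path).
param(
    [string]$VolumeName = 'BashBunny'   # assumed volume label
)

# 1. Filter on the left of the pipe: let WMI return only the matching disk.
#    WQL string literals are single-quoted, and a backslash escapes a quote
#    inside them, so a label containing ' does not break the query.
$safeLabel   = $VolumeName -replace "'", "\'"
$wmiQuery    = "Select DeviceID from Win32_LogicalDisk Where VolumeName = '$safeLabel'"
$BackupDrive = (Get-WmiObject -Query $wmiQuery).DeviceID
if (-not $BackupDrive) {
    throw "No logical disk with volume name '$VolumeName' was found"
}

# 2. Build the loot path and derive its parent with Split-Path instead of
#    trimming the string by hand; create the directory if it is missing.
$LootPath  = "$BackupDrive\loot\hostinfo\info.txt"     # placeholder file name
$TargetDir = Split-Path $LootPath -Parent
if (-not (Test-Path $TargetDir)) {
    New-Item -ItemType Directory -Path $TargetDir | Out-Null
}

# 3. Hit each WMI class exactly once, keep the result in a variable, and
#    pull every field you need from that variable afterwards.
$cs   = Get-WmiObject -Class Win32_ComputerSystem
$os   = Get-WmiObject -Class Win32_OperatingSystem
$nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration   # one pull, no pipe filter
$mem  = Get-WmiObject -Class Win32_PhysicalMemory

# Filter the in-memory adapter list as often as needed; WMI is not queried again.
$ipEnabled  = @($nics | Where-Object { $_.IPEnabled })
$dhcpNics   = @($ipEnabled | Where-Object { $_.DHCPEnabled })
$totalMemGB = [math]::Round((($mem | Measure-Object -Property Capacity -Sum).Sum / 1GB), 2)

$report  = @()
$report += "Host:    $($cs.Name) ($($cs.Manufacturer) $($cs.Model))"
$report += "Domain:  $($cs.Domain)"
$report += "OS:      $($os.Caption) $($os.Version)"
$report += "RAM:     $totalMemGB GB in $(@($mem).Count) module(s)"
$report += "NICs:    $($ipEnabled.Count) IP-enabled, $($dhcpNics.Count) via DHCP"
foreach ($nic in $ipEnabled) {
    $ipv4 = @($nic.IPAddress | Where-Object { $_ -notmatch ':' }) -join ', '
    $report += "NIC:     $($nic.Description)"
    $report += "  MAC:   $($nic.MACAddress)"
    $report += "  IPv4:  $ipv4"
    $report += "  GW:    $($nic.DefaultIPGateway -join ', ')"
    $report += "  DHCP:  $($nic.DHCPEnabled)"
}

$report | Out-File -FilePath $LootPath -Encoding ASCII

# Throw the bulk objects away once the fields have been extracted.
Remove-Variable nics, mem, cs, os
```

Running it as `powershell -ExecutionPolicy Bypass -File info.ps1 -VolumeName BashBunny` writes one text report; the only WMI round trips are the single logical-disk query and one call per class, regardless of how many adapters or memory modules the host has.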
51 minutes ago, PoSHMagiC0de said:


+1.

14 hours ago, PoSHMagiC0de said:


Thank you for replying will try to change it up a bit when my exams are over :P
