One Liners
You know you like them, always handy, these blokes pack a punch. I am compiling some of them here.
LINUX
Network Commands
Get information on ethernet adapters
# get eth0 address
ip addr show | grep eth0 | grep inet | sed -e 's/ *inet *//g' -e 's/\/.*//g'
# create a bridge X and attach eth0 and eth1 to it
ip link add name X type bridge
ip link set X up
ip link set eth0 master X
ip link set eth1 master X
Port Redirect
# Note: you can find TCP sockets in /proc/net/tcp !
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp -m multiport ! --dports 22,53,80,443 -j REDIRECT --to-port 80
General
Download the latest release from a Github repo
curl -s https://api.github.com/repos/jgm/pandoc/releases/latest \
| grep "browser_download_url.*deb" \
| cut -d '"' -f 4 \
| wget -qi -
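The curl/grep/wget pipeline above downloads whatever the API returns without checking it. The PowerShell function below is an added example (not from the original page) that does the same release lookup and then verifies the asset's SHA-256 against a hash you supply from the project's release notes; the function name, the `AssetPattern` regex and the hash placeholder are assumptions for illustration.

```powershell
# Added example (not from the original page): fetch the latest release asset of a GitHub repo
# and verify its SHA-256 before trusting it. Function name, parameters and the sample hash
# are placeholders for illustration.
function Get-LatestGitHubAsset {
    param(
        [Parameter(Mandatory)][string]$Repo,            # e.g. 'jgm/pandoc'
        [Parameter(Mandatory)][string]$AssetPattern,    # regex matched against asset names, e.g. '\.deb$'
        [Parameter(Mandatory)][string]$OutDir,
        [string]$ExpectedSha256                          # hash published by the project, if available
    )
    $release = Invoke-RestMethod -Uri "https://api.github.com/repos/$Repo/releases/latest" `
                                 -Headers @{ 'User-Agent' = 'release-fetch' }
    $asset = $release.assets | Where-Object { $_.name -match $AssetPattern } | Select-Object -First 1
    if (-not $asset) { throw "No asset in $Repo $($release.tag_name) matches '$AssetPattern'" }

    $outFile = Join-Path $OutDir $asset.name
    Invoke-WebRequest -Uri $asset.browser_download_url -OutFile $outFile

    # Get-FileHash returns the hex digest in upper case
    $actual = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash
    if ($ExpectedSha256 -and $actual -ne $ExpectedSha256.ToUpper()) {
        Remove-Item $outFile
        throw "SHA-256 mismatch for $($asset.name): got $actual, expected $ExpectedSha256"
    }
    [PSCustomObject]@{ Tag = $release.tag_name; File = $outFile; Sha256 = $actual }
}

# Usage (placeholder hash; take the real one from the project's release page):
# Get-LatestGitHubAsset -Repo 'jgm/pandoc' -AssetPattern 'amd64\.deb$' -OutDir 'C:\Temp' -ExpectedSha256 '<hash-from-release-notes>'
```

Without `-ExpectedSha256` the function still reports the digest it computed, so you can record it for later comparison.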
WINDOWS SORCERY
LolBins
rundll32 | Run an arbitrary program with Mimikatz dll
rundll32 c:\path\mimilib.dll,start d:\some_path\stuff.exe
rundll32 | Show saved credentials by the Windows credentials manager
rundll32 keymgr.dll,KRShowKeyMgr
Enumerate Ways a Website can leak HTTP Info
Generic Spells
Some weird Windows native “popup” :D
::Ref: https://twitter.com/TekDefense/status/823204388982362118
wlrmdr.exe -s 60000 -f 1 -t "text" -m "more text" -a o
Open Device Manager
mmc devmgmt.msc
Get List of Local Users or Members of the Local Admin Group
# Powershell v2+ (ADSI / WinNT provider)
$ComputerName = "."
$Computer = [ADSI]("WinNT://" + $ComputerName + ",computer")
$LocalAdminGroup = $Computer.psbase.children.find("Administrators")
$LocalAdminGroupMembers = $LocalAdminGroup.psbase.invoke("Members") | %{ $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }
# Using Powershell v5+
Get-LocalGroupMember "Administrators"
# Using WMI
Get-WmiObject win32_groupuser -Computer localhost
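Wrapped as a function, the ADSI approach above also serves as a quick local-admin audit. The following is an added example (not from the original page): it lists each member's name and ADsPath (so domain groups and local accounts are distinguishable) and flags anything not on a constructed baseline list; the function name and the baseline entries are assumptions.

```powershell
# Added example (not from the original page): enumerate local Administrators via ADSI
# (works on PowerShell v2+) and report members missing from a constructed baseline.
function Get-LocalAdminMembers {
    param([string]$ComputerName = '.')
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        [PSCustomObject]@{
            Name = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
            Path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }
    }
}

# Constructed baseline: members expected on a standard build of this host
$baseline = @('Administrator', 'Domain Admins')

$members = Get-LocalAdminMembers
$members | Format-Table -AutoSize
$members | Where-Object { $baseline -notcontains $_.Name } |
    ForEach-Object { Write-Warning "Unexpected local admin: $($_.Name) ($($_.Path))" }
```

The ADsPath column is what tells a local `WinNT://HOST/user` entry apart from a domain principal with the same short name.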
Network Spells
A series of useful commands to gather network intelligence.
Show clear text password locally for Wireless Lan Connection
netsh wlan dump
netsh wlan show profiles key=clear name="BotConf2016"
netsh wlan show profiles name="BotConf2016" key=clear
PortProxy - Port Redirection
:: Redirect traffic from port 9000 to port 80 on a different IP
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9000 connectaddress=192.168.3.30 connectport=80
:: Delete portproxy entry
netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=9000
DNS Tricks | PowerShell
# Resolve Hostnames and FQDN
[System.Net.Dns]::GetHostAddresses("quasarops.com")
# Reverse lookup; GetHostName() takes no arguments and only returns the local host name
[System.Net.Dns]::GetHostEntry("8.8.8.8")
[System.Net.Dns]::GetHostByAddress("10.0.0.1")
[System.Net.Dns]::Resolve("quasarops.com")
Get Network Adapter info | PowerShell
[System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()
[System.Net.NetworkInformation.NetworkInterface]::GetIsNetworkAvailable()
List Proxy info | PowerShell
Get-ItemProperty "HKCU:\software\Microsoft\Windows\CurrentVersion\Internet Settings\"
Get-ItemProperty "HKCU:\software\Microsoft\Windows\CurrentVersion\Internet Settings\" "AutoConfigURL"
Get-ItemProperty "HKCU:\software\Microsoft\Windows\CurrentVersion\Internet Settings\" "ProxyServer"
Get-ChildItem -recurse 'HKCU:\software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\' | % { $_.GetValue("WpadDetectedURL") } | sort -Unique
List LAN info | PowerShell
wmic nicconfig where ipenabled=true call /?
wmic nicconfig where ipenabled=true call RenewDHCPLease
wmic nicconfig where ipenabled=true call ReleaseDHCPLease
wmic nicconfig where ipenabled=true list brief
wmic nicconfig where ipenabled=true get ipaddress,macaddress,dnsserversearchorder,dnshostname,defaultipgateway,dhcpserver,description /format:list
wmic nicconfig where ipenabled=true list full
Ping a Subnet | PowerShell
$ping = New-Object System.Net.NetworkInformation.Ping
1..254 | % { $ping.Send("192.168.100.$_") | select Address, Status }
# Host range is .1 to .254; looping to .256 produces invalid addresses
for ( $i = 1; $i -le 254 ; $i++ ) { ping 192.168.0.$i }
Active Directory
Get a user’s AD Group Membership
# Return only the group names (the CN) instead of each group's full distinguished name
(Get-ADUser SomeUserYeah -Properties MemberOf).MemberOf | % { ($_ -split ',')[0] -replace '^CN=', '' }
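Splitting on the first comma breaks for group names that contain an escaped comma (`CN=Doe\, Jane,OU=...`). The function below is an added example (not from the original page) that extracts the CN with a regex honouring LDAP backslash escapes and then unescapes it; the function name and the sample DNs are constructed.

```powershell
# Added example (not from the original page): pull the CN out of a distinguished name
# while honouring backslash escapes such as "\," inside the name.
function Get-CNFromDN {
    param([Parameter(ValueFromPipeline)][string]$DistinguishedName)
    process {
        # CN= followed by a run of either escaped characters or plain non-comma characters
        if ($DistinguishedName -match '^CN=((?:\\.|[^,\\])+)') {
            $Matches[1] -replace '\\(.)', '$1'   # drop the escaping backslashes
        }
    }
}

# Constructed sample DNs, one of them with an escaped comma in the CN
$sample = @(
    'CN=Domain Admins,CN=Users,DC=corp,DC=example',
    'CN=Doe\, Jane,OU=Staff,DC=corp,DC=example'
)
$sample | Get-CNFromDN        # Domain Admins / Doe, Jane

# Against a real account:
# (Get-ADUser SomeUserYeah -Properties MemberOf).MemberOf | Get-CNFromDN
```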
Get AD ms-DS-MachineAccountQuota
Useful to understand whether you can leverage this primitive for further mischief
Get-ADDomain | Get-ADObject -Properties 'ms-DS-MachineAccountQuota'
Enumerate Forest and Domain Trusts
NOTE: Good read about this -> http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
# With RSAT Module
Get-ADTrust -Filter *
# Without RSAT Module
## First Enumerate Domain Trusts
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
## Then Enumerate Forest Trusts
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships()
# List all Domain Controllers in the Forest
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites | % { $_.Servers } | select Domain,Name,SiteName
Get AD Account Details for account in a trusted Domain
Get-ADUser -Server 'some.domain.com' -Filter { SamAccountName -eq 'some_user' } -Properties *
Enumerate all Domain Controllers
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).FindAllDomainControllers()
Cryptographic & Encoding Functions
Some General Encoding and Hash Functions | PowerShell
# Convert from Base64 (FromBase64String takes the Base64 text itself, not a byte array;
# append "=" or "==" when the input lacks padding)
[Convert]::FromBase64String($data)
[Convert]::FromBase64String($data + "=")
[Convert]::FromBase64String($data + "==")
[System.Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($data))
# Convert to Base64
[Convert]::ToBase64String($bytes)
[Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($data))
# Convert HEX to DEC
[System.Byte]::Parse("FA",[System.Globalization.NumberStyles]::HexNumber)
# Encode in HEX (Windows PowerShell; on PowerShell 7 use -AsByteStream instead of -Encoding Byte)
[System.BitConverter]::ToString($(Get-Content .\data.bin -Encoding Byte))
# Encode Hash in HEX
[System.BitConverter]::ToString(([System.Security.Cryptography.MD5]::Create()).ComputeHash([System.Text.Encoding]::UTF8.GetBytes("SOME-STRING")))
[System.BitConverter]::ToString(([System.Security.Cryptography.SHA1]::Create()).ComputeHash([System.Text.Encoding]::UTF8.GetBytes("SOME-STRING")))
[System.BitConverter]::ToString([System.Security.Cryptography.MD5CryptoServiceProvider]::new().ComputeHash([System.Text.UTF8Encoding]::new().GetBytes("")))
[System.Bitconverter]::ToString(([System.Security.Cryptography.SHA1]::Create()).ComputeHash([System.Text.Encoding]::UTF8.GetBytes("<[email protected]#$%^>")))
# Compute MD5 Hash
[System.Security.Cryptography.MD5CryptoServiceProvider]::new().ComputeHash([System.Text.UTF8Encoding]::new().GetBytes(""))
Compute Hash with .NET Class
([System.Security.Cryptography.SHA1]::Create()).ComputeHash([System.Text.Encoding]::UTF8.GetBytes("<[email protected]#$%^>"))
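The snippets in the two sections above are easiest to reuse as small functions. The block below is an added example (not from the original page): `ConvertFrom-Base64String` fixes missing padding (and URL-safe alphabets) before decoding instead of guessing with `=`/`==`, and `Get-StringHash` returns a lowercase hex digest for any algorithm `HashAlgorithm.Create` knows. Both function names and the sample inputs are constructed.

```powershell
# Added example (not from the original page): padding-tolerant Base64 decoding and
# hex-encoded string hashing as reusable functions.
function ConvertFrom-Base64String {
    param([Parameter(Mandatory)][string]$Data)
    # Accept URL-safe Base64 too, then restore the padding the length implies
    $s = $Data.Trim().Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw "Invalid Base64 length: $($s.Length)" }
    }
    [Convert]::FromBase64String($s)
}

function Get-StringHash {
    param(
        [Parameter(Mandatory)][string]$Text,
        [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA512')][string]$Algorithm = 'SHA256'
    )
    $alg = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    try {
        $bytes = $alg.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
    } finally {
        $alg.Dispose()
    }
}

# Constructed inputs
[System.Text.Encoding]::UTF8.GetString((ConvertFrom-Base64String 'aGVsbG8'))   # "hello", decoded from unpadded input
Get-StringHash -Text 'SOME-STRING' -Algorithm SHA256
Get-StringHash -Text '' -Algorithm MD5    # d41d8cd98f00b204e9800998ecf8427e
```

The empty-string MD5 at the end is the same value the `MD5CryptoServiceProvider` one-liner above produces, which makes it a handy sanity check that the function is wired up correctly.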
Generic One-Liners
Extract an archive without “Expand-Archive” | PowerShell
Add-Type -AssemblyName System.IO.Compression.FileSystem; [IO.Compression.ZipFile]::ExtractToDirectory("C:\path\to\archive.zip", "C:\path\to\destination")