Powershell * WMI

WMI Events

Extrinsic events: https://github.com/KurtDeGreeff/PlayPowershell
PS C:\Users\victim6\Downloads\PlayPowershell-master\PlayPowershell-master> . .\Get-WMINamespace.ps1
PS C:\Users\victim6\Downloads\PlayPowershell-master\PlayPowershell-master> $namespaces = Get-WMINamespace
PS C:\Users\victim6\Downloads\PlayPowershell-master\PlayPowershell-master> foreach ($ns in $namespaces) {get-wmiobject -namespace $ns -list | where {$_.__SUPERCLASS -eq '__ExtrinsicEvent'}}
PS C:\Users\victim6\Downloads\PlayPowershell-master\PlayPowershell-master> Get-WmiObject -class win32_perfFormattedData_PerfOS_System
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master> cd .\Utility\
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> . .\Add-Persistence.ps1
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> help Add-Persistence -examples
PS C:\Users\victim6\Downloads\new\new\tool\tool> cd .\nishang-master\
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master> cd .\nishang-master\
PS…

Vulnerable Machine Writeup * VULNHUB

HA INFINITY (VULNHUB)

LINK: https://drive.google.com/file/d/1kLXbHgdx92YRJLdRnf_EVZWEulA0MYYo/view
root@kali:~/Downloads# nmap -A 192.168.222.145
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-21 16:04 GMT
Nmap scan report for 192.168.222.145
Host is up (0.00021s latency).
Not shown: 996 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 84:d2:2e:c4:f7:21:12:54:05:ac:82:c4:05:f2:32:29 (RSA)
|   256 f7:9d:0f:23:ec:d6:de:ed:2b:b2:11:bf:ea:68:3d:b9…

Powershell * WMI

WMI Blue Team tools

WMIMON -> tool to monitor WMI activities: https://github.com/luctalpe/WMIMon
Realtime event trace log (ETL) consumer for the WMI-Activity log.
PS C:\Users\victim6\Downloads\WMIMon-master\WMIMon-master\Downloads\WMIMon_Binaries> .\WMIMon.exe
On another PS session:
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> Invoke-WmiMethod -Class win32_process -name create -ArgumentList calc.exe -ComputerName 192.168.222.130
On the previous PS session we can see the connection logged by WMIMon.
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> Get-WmiObject -class win32_computersystem
WMI_Monitor: tool to log WMI…

Vulnerable Machine Writeup * VULNHUB

SUNSET DAWN (VULNHUB)

LINK: https://download.vulnhub.com/sunset/dawn.zip
root@kali:~# nmap -A 192.168.1.165
ports: 80, 139, 445, 3306
Enumeration: on browser http://192.168.1.165
root@kali:~# dirb http://192.168.1.165/
we get /logs/
now on browser http://192.168.1.165/logs/
we get management.log
now on terminal
root@kali:~# cd Downloads
root@kali:~# cat management.log
root@kali:~# enum4linux -a 192.168.1.165
root@kali:~# smbclient //192.168.1.165/ITDEPT
smb: \> ls
smb: \> ls…