Windows processes

Windows Post Exploitation Cmdlets Execution (PowerShell)

Presence

This section focuses on information gathering about the victim host and the network that it’s attached to.

System

WMI

Networking

Users

Configs

Finding important files

Files to pull

Remote system access

Software

AutoStart directories


Persistence

This section focuses on gaining a foothold to regain, or re-obtain, access to a system by means of authentication, backdoors, etc.

Download

Compress or expand ZIP archive

Reg command exit

Deleting logs

Uninstalling software "Antivirus"

Invasive or altering commands

Acquisition of volatile data

Posh-SecModule

This module is a PowerShell v3 only module at the moment. The module is a collection of functions that I have found useful in my day-to-day work as a security professional. The functions are broken into the following functional areas:

  • Discovery: Perform network discovery.
  • Parse: Parsers for Nmap, DNSRecon and other types of output files from security tools.
  • PostExploitation: Functions to help in performing post exploitation tasks.
  • Registry: Collection of functions for manipulating the registry in remote hosts using WMI.
  • Nessus: Collection of assemblies and functions for automating the Nessus Vulnerability Scanner.
  • Utilities: General purpose functions.
  • Audit: Functions that may be useful when performing an audit of systems.
  • Database: Functions that are useful when interacting with databases.
  • Shodan: Functions for doing discovery using Shodan using a valid API key.
  • VirusTotal: Functions for interacting with VirusTotal using a valid API key.
  • Metasploit: Functions for automating Metasploit Framework and the commercial version using the XMLRPC API.

Download:

iex (New-Object Net.WebClient).DownloadString("https://gist.github.com/darkoperator/6404266/raw/982cae410fc41f6c64e69d91fc3dda777554f241/gistfile1.ps1")

More information:

https://github.com/darkoperator/Posh-SecMod

File System Security PowerShell Module 3.2.3

Sources are available on CodePlex:

https://ntfssecurity.codeplex.com/

Download

https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85/file/48905/1/NTFSSecurity%201.3.zip

Introduction

Managing permissions with PowerShell is only a bit easier than in VBS or the command line, as there are no cmdlets for most day-to-day tasks like getting a permission report or adding a permission to an item. PowerShell only offers Get-Acl and Set-Acl, but everything in between getting and setting the ACL is missing. This module closes the gap.

Documentation

For documentation please refer to:

Comments, feature requests and bug reports are very welcome: raandree@live.com

Installation

Just create the folder "NTFSSecurity" in one of the standard module folders and copy the attached files in there. The standard module folders are listed in the environment variable %PSModulePath%, for example C:\Users\\Documents\WindowsPowerShell\Modules.
For example, all the files in the zip file have to be in "C:\Users\raandree\Documents\WindowsPowerShell\Modules\NTFSSecurity". If you did this, the module should be listed by "Get-Module -ListAvailable" and can be imported using "Import-Module NTFSSecurity".

Description

The module provides 10 cmdlets to manage permissions on the file system, like adding and removing ACEs, setting the inheritance, getting the current permissions or even getting the effective permissions for a certain user.
The available cmdlets are listed below with a short description. More information can be retrieved in PowerShell using Get-Help.

The name / SID translation is done by the Security2 class:
Security2 1.2.zip

All cmdlets have at least one parameter that supports the pipeline. They can all work with pipeline input coming from Get-ChildItem, but some do more with what comes from the pipeline. For example, you can remove permissions by piping what Get-Ace returns to Remove-Ace:

The pipeline support can also be used to backup and restore permissions of one or many items:

All cmdlets can handle SIDs as well as SamAccountNames. The output always contains both, unless a SID is not resolvable.

The types.ps1xml file extends the common objects with some useful information, and the format.ps1xml file formats all the output in almost the same way as the Get-ChildItem output.

By implementing the Process Privilege project (http://processprivileges.codeplex.com/), the cmdlets can activate the required privileges, for example for setting the ownership.

Add-Ace

Adds a specific ACE to the current object. This can be done in just one line:

Get-Ace

Gives you a list of all permissions. Normally you are not interested in the inherited permissions, so the ExcludeInherited switch can be useful.

Filtering works with Where-Object

Get-OrphanedAce

Lists all permissions that can no longer be resolved. This normally happens if the account is no longer available, so the permission shows up as a SID and not as an account name.
To remove all non-resolvable or orphaned permissions you can use the following line. But be very careful with that, as the account may be unresolvable only because of a network problem.

Remove-Ace

Removes the permission for a certain account. As the pipeline is supported it takes also

Get-EffectivePermissions

Shows the permissions an account actually has on a file or folder. If no parameter is specified it shows the effective permissions for the current user. However, you can supply a user by SID or account name.

Get-Inheritance

Shows if inheritance is blocked

Enable-Inheritance

It can be a problem if certain files or folders on a volume have inheritance disabled. Making sure that inheritance is enabled can be done using this cmdlet:

Disable-Inheritance

See Enable-Inheritance

Get-Owner

Shows the owner of a file or folder

Set-Owner

Sets the owner to a specific account like:
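The cmdlet descriptions above (Add-Ace, Get-Ace with ExcludeInherited, Get-OrphanedAce, the inheritance cmdlets and the backup/restore use of the pipeline) all wrap operations that are possible with the built-in Get-Acl and Set-Acl plus the .NET ACL types. The following script is an added example, not code from the NTFSSecurity module or its author; it performs those same tasks with built-in cmdlets only, so it runs without the module installed. It assumes a scratch folder under $env:TEMP that the caller may modify and uses BUILTIN\Users as the account to grant. The orphaned-ACE check handles the edge case called out under Get-OrphanedAce: a SID that fails to resolve with IdentityNotMappedException is reported as orphaned, while any other lookup failure (for example a lookup error while a domain controller is unreachable) is reported separately and not treated as orphaned.

```powershell
# Added example: built-in equivalents of the NTFSSecurity cmdlets described above.
# Assumption: $Path is a scratch directory the caller can administer.
param(
    [string]$Path = (Join-Path $env:TEMP 'acl-demo')
)
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Add-Ace equivalent: grant BUILTIN\Users ReadAndExecute, inherited by subfolders and files.
function Add-LocalAce {
    param([string]$Item, [string]$Account, [System.Security.AccessControl.FileSystemRights]$Rights)
    $acl  = Get-Acl -Path $Item
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Item -AclObject $acl
}

# Get-Ace -ExcludeInherited equivalent: only ACEs set explicitly on the item.
function Get-ExplicitAce {
    param([string]$Item)
    (Get-Acl -Path $Item).Access | Where-Object { -not $_.IsInherited } |
        Select-Object @{n = 'Path'; e = { $Item }}, IdentityReference, FileSystemRights, AccessControlType
}

# Get-OrphanedAce equivalent. Get-Acl leaves an identity as a raw SecurityIdentifier
# when it could not be translated to a name; re-translating tells orphaned apart
# from temporarily unresolvable.
function Get-OrphanedAceLocal {
    param([string]$Item)
    foreach ($ace in (Get-Acl -Path $Item).Access) {
        $id = $ace.IdentityReference
        if ($id -isnot [System.Security.Principal.SecurityIdentifier]) { continue }  # resolved to a name
        $status = 'orphaned'
        try {
            $null = $id.Translate([System.Security.Principal.NTAccount])
            continue   # resolved after all, not orphaned
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # account really no longer exists
        } catch {
            # lookup failed for another reason (e.g. network); do not call it orphaned
            $status = "unresolvable: $($_.Exception.GetType().Name)"
        }
        [pscustomobject]@{ Path = $Item; SID = $id.Value; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited; Status = $status }
    }
}

# Get-/Enable-/Disable-Inheritance equivalents. Disabling copies the inherited ACEs
# as explicit ones (second argument $true) so effective access does not change.
function Get-InheritanceEnabled { param([string]$Item) -not (Get-Acl -Path $Item).AreAccessRulesProtected }
function Set-InheritanceEnabled {
    param([string]$Item, [bool]$Enabled)
    $acl = Get-Acl -Path $Item
    $acl.SetAccessRuleProtection(-not $Enabled, $true)
    Set-Acl -Path $Item -AclObject $acl
}

# Backup/restore of the DACL, the same idea as saving Get-Ace output and re-adding it later.
# Only the Access section is captured, so restoring does not try to reset the owner.
function Backup-Dacl  { param([string]$Item) (Get-Acl -Path $Item).GetSecurityDescriptorSddlForm([System.Security.AccessControl.AccessControlSections]::Access) }
function Restore-Dacl {
    param([string]$Item, [string]$Sddl)
    $acl = Get-Acl -Path $Item
    $acl.SetSecurityDescriptorSddlForm($Sddl, [System.Security.AccessControl.AccessControlSections]::Access)
    Set-Acl -Path $Item -AclObject $acl
}

# Walk-through on the scratch folder.
$saved = Backup-Dacl -Item $Path
Add-LocalAce -Item $Path -Account 'BUILTIN\Users' -Rights ReadAndExecute
Get-ExplicitAce -Item $Path | Format-Table -AutoSize
Get-OrphanedAceLocal -Item $Path | Format-Table -AutoSize
Set-InheritanceEnabled -Item $Path -Enabled $false
"Inheritance enabled: $(Get-InheritanceEnabled -Item $Path)"
Restore-Dacl -Item $Path -Sddl $saved
"Inheritance enabled after restore: $(Get-InheritanceEnabled -Item $Path)"
```

Run it from an elevated PowerShell session if the scratch folder lives somewhere the current user does not own; the restore step only rewrites the access rules, which is why it can run without the ownership privileges the module obtains through the Process Privilege project.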

More information

https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85

Extract the 'Trends: Global' section from the 'Twitter Search' web page (version 05-07-2015)

Windows PowerShell aliases

THC-Hydra

Passwords are the number one security hole, as every password security study shows.

Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add; besides that, it is flexible and very fast.

Hydra was tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1, OpenBSD, OSX, QNX/Blackberry, and is made available under GPLv3 with a special OpenSSL license expansion.

Currently this tool supports:
Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, S7-300, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

For HTTP, POP3, IMAP and SMTP, several login mechanisms like plain and MD5 digest etc. are supported.

This tool is proof-of-concept code, giving researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system.

The program was written by van Hauser and is additionally supported by David Maciejak.

Download

https://www.thc.org/thc-hydra/

Examples

General usage and options:

http://www.aldeid.com/wiki/Thc-hydra
http://resources.infosecinstitute.com/online-dictionary-attack-with-hydra/

HTTP basic auth:

https://www.owasp.org/index.php/Testing_for_Brute_Force_%28OWASP-AT-004%29
http://www.sillychicken.co.nz/Security/how-to-brute-force-your-router-in-windows.html

HTTP form based auth:

http://www.art0.org/security/performing-a-dictionary-attack-on-an-http-login-form-using-hydra
http://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html
http://www.sillychicken.co.nz/Security/how-to-brute-force-http-forms-in-windows.html
https://www.owasp.org/index.php/Testing_for_Brute_Force_%28OWASP-AT-004%29

Multiple protocols:

http://wiki.bywire.org/Hydra
http://www.attackvector.org/brute-force-with-thc-hydra/
http://www.madirish.net/content/hydra-brute-force-utility

Telnet:

http://www.theprohack.com/2009/04/basics-of-cracking-ftp-and-telnet.html
http://www.adeptus-mechanicus.com/codex/bflog/bflog.html