Helper Commands
Windows
Uninstall Windows Updates:
Run the following (update the list to contain valid KB numbers) to uninstall updates on a local system:
@ECHO OFF
SET list=3133977 3137061 3138612 3138901 3139923
for %%a in (%list%) do (
%windir%\syswow64\wusa.exe /uninstall /kb:%%a /quiet /norestart /log​
)Run-As Session
runas /user:burmat.local\nathan /netonly powershellGet Remote Host Windows Updates
Run the following (update the hosts list with valid hostnames) to get .CSV output of updates on remote systems:
@echo off
SET dFormat=_%date:~-4,4%%date:~-10,2%%date:~-7,2%
SET sCMDparams=qfe get Caption, Description, HotfixID, InstallDate, InstalledBy /format:csv
SET hosts=HOSTNAME1 HOSTNAME2
ECHO %dFormat%
ECHO .
FOR %%f in (%hosts%) DO (
ECHO Processing %%f
ECHO Output file: %%f_%dFormat%.csv
wmic /NODE:%%f /output:%%f_%dFormat%.csv %sCMDparams%
)
ECHO .
ECHO Remember to delete the first blank line
ECHO .
ECHO .
ECHO Finished.
ECHO .Send a Message to Remote Computer
msg susie /SERVER:WKST-ABC.burmat.co "Please call 123-456-7890 x369"Or you can launch it to all users on a given computer if you don't know the username. Enable verbose mode (/V) and wait for a callback (/W) to get a callback when the user closes it: msg * /V /W /SERVER:WKST-123 This is a test message
Restart Remote Machine (With Warning)
This script is better kept out in a public place and called with the a remote command utility to loop through a list of hostnames. You can just replace the %1 to hardcode a host if you want though.
@echo off
REM shutdown -m \\%1 /a
echo Start Checking %1
ping -n 1 -l 100 %1
IF %ERRORLEVEL%==1 GOTO BAD
shutdown -r -f -m \\%1 -t 300 -d up:125:1 -c "Please SAVE Your work. In 5 minutes, this machine will reboot for a policy updates (Msg time: %time%)"
GOTO GOOD
:BAD
ECHO %1,Failed,%date%,%time% >> BadPCs.txt
GOTO EXIT
:GOOD
ECHO %1,Good,%date%,%time% >> GoodPCs.txt
GOTO EXIT
:EXIT
echo Stop Checking %1Windows Firewall
Enable Network Discovery
netsh advfirewall firewall set rule "group=\"Network Discovery\"" new enable=YesEnable File and Printer Settings
netsh advfirewall firewall set rule "group=\"File and Printer Sharing\"" new enable=YesAllow All Inbound
netsh advfirewall firewall add rule name="Open the Gates" dir=in action=allow protocol=TCP localport=1-65535Allow All Output
netsh advfirewall firewall add rule name="Open the Gates" dir=out action=allow protocol=TCP localport=1-65535PowerShell
Remotely Log User Out
Invoke-Command -ComputerName 'SERVER01' -ScriptBlock { quser }
Invoke-Command -ComputerName 'SERVER01' -ScriptBlock { logoff 1 }Creating an SMB Share
New-SmbShare -Name "burmat" -Path "C:\tools" | Grant-SmbShareAccess -Account Everyone -AccessRight Full -ForceSending an Email
Leveraging an M365 mail relay:
Send-MailMessage -SmtpServer 'burmat-co.mail.protection.outlook.com' -To 'victim@company.com' -From 'informationsecurity@company.com' -Subject 'Test' -Body 'Mail relay test' -BodyAsHTMLRetrieve Exchange Version
((([ADSI]"LDAP://cn=Microsoft Exchange,cn=Services,cn=Configuration,DC=vcfcorp,DC=com")).Children).msExchProductIDUsers that have Reversible Encryption Enabled
Get-ADUser -Filter * -Properties * | Select-Object name,AllowReversiblePasswordEncryptionBase64 Encoding PowerShell
$string = 'Add-LocalGroupMember -Group "Administrators" -Member "burmat.co\jsmith"';
$b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($string));
Write-Output $string ' -- Converted Output:';
Write-Output $b64;
Write-Output $b64 | clip;
Write-Output "Copied to clipboard";Renaming Files to MD5 Value
# recursive *.txt lookup to rename to md5 value, removing duplicates
Get-ChildItem "C:\temp" -Filter "*.txt" | ForEach-Object {
$filepath = $_.FullName
$hashed = Get-FileHash $filepath -Algorithm MD5
$newpath = $(Split-Path $filepath) + "\" + $hashed.Hashed + ".txt"
Copy-Item -Path $filepath -Destination $newpath -Force
Remove-Item -Path $filepath -Force
}Getting PowerShell Versioning
$PSVersionTable.PSVersion
[Environment]::Is64BitProcess # x86 or x64Listing Recycle Bin Contents
(New-Object -ComObject Shell.Application).NameSpace(0x0a).Items() | Select-Object Name,Size,PathCreating a Bunch of Domain Users
1..10000 | ForEach-Object { New-ADUser -Name employee$_ -AccountPassword (ConvertTo-SecureString S3cur3PASS123 -AsPlainText -Force) -UserPrincipalName employee$_@$env:userdnsdomain -ChangePasswordAtLogon $False -Enabled $True}Keep a Computer Awake
while($true)
$Pos = [System.Windows.Forms.Cursor]::Position
[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point((($Pos.X) + 1) , $Pos.Y)
Start-Sleep -Seconds 60
}Enumerate Child Processes
The following will show you the children executed under the parent process ID provided
Get-WmiObject win32_process | where { $_.ParentProcessId -eq 2448 }DNS Reverse Lookup for Hostname List
Get-Content .\hostnames.txt | ForEach-Object { nslookup $_ } | Select-String "Address"AES Encrypt & Decrypt Text
Encrypting
using namespace System.Security.Cryptography
$t = 'text-that-should-be-encrypted';
$k = "burmat1234!";
$sha = New-Object SHA256Managed;
$aes = New-Object AesManaged;
$aes.Mode = [CipherMode]::CBC;
$aes.Padding = [PaddingMode]::Zeros;
$aes.BlockSize = 128;
$aes.KeySize = 256;
$aes.Key = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($k));
$bytes = [System.Text.Encoding]::UTF8.GetBytes($t);
$crypt = $aes.CreateEncryptor();
$encbytes = $crypt.TransformFinalBlock($bytes,0,$bytes.Length);
$encbytes = $aes.IV + $encbytes;
$encrypted = [System.Convert]::ToBase64String($encbytes)
$aes.Dispose();
$sha.Dispose();
$encryptedDecrypting
using namespace System.Security.Cryptography
$encrypted = "75z5B42nn1Ig6JDw"
$k = "burmat1234!";
$sha = New-Object SHA256Managed
$aes = New-Object AesManaged
$aes.Mode = [CipherMode]::CBC
$aes.Padding = [PaddingMode]::Zeros
$aes.BlockSize = 128
$aes.KeySize = 256
$aes.Key = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($k))
$encbytes = [System.Convert]::FromBase64String($encrypted)
$aes.IV = $encbytes[0..15]
$decryp = $aes.CreateDecryptor()
$bytes = $decryp.TransformFinalBlock($encbytes, 16, $encbytes.Length - 16)
$decypted = [System.Text.Encoding]::UTF8.GetString($bytes).Trim([char]0)
$aes.Dispose()
$decyptedLoading PowerShell ActiveDirectory Module Manually
No administrative access is required.
PowerShell Terminal Profile
In the works, goes in your ~/WindowsPowerShell directory.
Start-Transcript -OutputDirectory C:\WindowsPowerShell\TranscriptionLogs
#Set-ExecutionPolicy Bypass
Import-Module PSReadLine
Import-Module Get-ChildItemColor
Set-Alias -Name "python3" -Value "python"
Set-PSReadLineOption -HistoryNoDuplicates
Set-PSReadLineOption -HistorySearchCursorMovesToEnd
Set-PSReadLineOption -HistorySaveStyle SaveIncrementally
Set-PSReadLineOption -MaximumHistoryCount 4000
# History substring search
Set-PSReadLineKeyHandler -Key UpArrow -Function HistorySearchBackward
Set-PSReadLineKeyHandler -Key DownArrow -Function HistorySearchForward
# Tab completion
Set-PSReadLineKeyHandler -Chord 'Shift+Tab' -Function Complete
Set-PSReadLineKeyHandler -Key Tab -Function MenuComplete
function l {
Get-ChildItem -Force
}
function tools {
set-location "C:\Tools"
}
function projects {
Set-Location "C:\Projects"
}Bash
SMTP
## base64 the username and password and pass the values through telnet
# echo -n "username" | openssl enc -base64
dXNlcm5hbWU=
# echo -n "Welcome1" | openssl enc -base64
V2VsY29tZTE=
# openssl s_client -connect 169.133.88.123:25 -starttls smtp -quiet -crlf
<-- SNIP -->
250 XRDST
# AUTH LOGIN
334 VXNlcm5hbWU6
# Z2R1YXJ0ZUBoZXJzaGV5cy5jb20=
334 UGFzc3dvcmQ6
# V2VsY29tZTE=
535 5.7.3 Authentication unsuccessful << will be successful, if you are able to
# EHLO target.com
# MAIL FROM: victim@target.com
# RCPT TO: <outside@user.com> NOTIFY=success,failure
# DATA
# Subject: Test Email
body of the message
.
EXITComment / Uncomment Lines
When you need to comment out or uncomment out a line, sed makes it pretty easy. Just change the word pattern to something identifiable:
sed -i '/pattern/s/^/#/g' apache2.conf # comment
sed -i '/pattern/s/^#//g' apache2.conf # uncommentLoops
Reading a File
while read ip; do echo "$ip" done < affected_hosts.txtLoop an Array
l=( "one" "two" "three" ); for i in "${l[@]}"; do echo $i; done;Resolving Hostnames
cat hosts.txt | xargs -n1 -P100 dig +short +retry=3 | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' > ip_list.txtRudementary Port Scanner
for ip in {1..254}; do
for port in {22,80,443,3306,3389}; do
(echo >/dev/tcp/10.1.1.$ip/$port) &> /dev/null && echo "10.1.1.$ip:$port is open";
done;
done;Network Time Protocol (NTP)
Because setting the clock is fucking painful:
## set our time to match the system time of the DC:
curl -s --stderr - -v <http://sauna.htb> | grep "Date"
timedatectl set-timezone GMT
timedatectl set-time $(curl -s --stderr - -v <http://sauna.htb> | grep "Date" | cut -d ' ' -f 7)
timedatectl && echo "server time:\\n" && curl -s --stderr - -v <http://sauna.htb> | grep "Date"
Local time: Fri 2020-02-21 10:30:39 GMT
Universal time: Fri 2020-02-21 10:30:39 UTC
RTC time: Fri 2020-02-21 10:30:46
Time zone: GMT (GMT, +0000)
System clock synchronized: no
NTP service: inactive
RTC in local TZ: no
server time:
< Date: Fri, 21 Feb 2020 10:30:47 GMTNTP Mode 6 Check:
ntpq -c rv <IP>
If there is output, it is susceptible to this: https://scan.shadowserver.org/ntpversion/
DNS Host Discovery
for i in $(cat hosts.txt); do host $i; doneInstalling Ruby
apt-get install ruby-full
apt-get install git curl autoconf bison build-essential libssl-dev libyaml-dev libreadline6-dev zlib1g-dev libncurses5-dev libffi-dev libgdbm6 libgdbm-dev libdb-dev
curl -fsSL https://github.com/rbenv/rbenv-installer/raw/HEAD/bin/rbenv-installer | bash
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.zshrc
echo 'eval "$(rbenv init -)"' >> ~/.zshrc
source ~/.zshrc
rbenv install -l
rbenv install 2.5.3Certificate Fingerprint
echo -n | openssl s_client -connect 107.154.75.199:443 2>/dev/null | openssl x509 -noout -fingerprint -sha1Last updated