בס״ד
⫷ HacKingPro ⫸
⫷ TryHackMe | KoTH ⫸
⫷ Privilege-Escalation⫸
⫷ ScanPro | Linfo | Diablo ⫸
⫷ Offensive-Security | PenTest ⫸
⫷ Goals | Studies | HacKing | AnyTeam ⫸
- This cheat sheet contains common enumeration and attack methods for Windows Active Directory with the use of powershell.
- This cheat sheet contains common enumeration and attack methods for Windows Active Directory.
- This repository contains a general methodology in the Active Directory environment.
- It is offered with a selection of quick commands from the most efficient tools based on Powershell, C, .Net 3.5 and .Net 4.5.
- This repository provides a few techniques and scripts regarding the impact of Microsoft Exchange deployment on Active Directory security.
- This is a side project of AD-Control-Paths, an AD permissions auditing project to which I recently added some Exchange-related modules.
Awesome tools to play with Windows !
List of tools used for exploiting Windows:
- Exploitation : Windows Software Exploitation
- hacking-team-windows-kernel-lpe : Previously-0day exploit from the Hacking Team leak, written by Eugene Ching/Qavar.
- mimikatz : A little tool to play with Windows security - extract plaintexts passwords, hash, PIN code and kerberos tickets from memory.
- Pazuzu : Reflective DLL to run binaries from memory
- Potato : Privilege Escalation on Windows 7,8,10, Server 2008, Server 2012
- UACME : Defeating Windows User Account Control
- Windows-Exploit-Suggester : This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
- afot : Automation Forensics Tool for Windows
- Invoke-LoginPrompt : Invokes a Windows Security Login Prompt and outputs the clear text password
- PowerShellArsenal : A PowerShell Module Dedicated to Reverse Engineering
- Winpayloads : Undetectable Windows Payload Generation
- BloodHound : Six Degrees of Domain Admin
- Empire : Empire is a PowerShell and Python post-exploitation agent
- Generate-Macro : Powershell script will generate a malicious Microsoft Office document with a specified payload and persistence method
- Invoke-AltDSBackdoor : This script will obtain persistence on a Windows 7+ machine under both Standard and Administrative accounts by using two Alternate Data Streams
- Old-Powershell-payload-Excel-Delivery : This version touches disk for registry persistence
- PSRecon : PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team
- PowerShell-Suite : Some useful scripts in powershell
- PowerSploit : A PowerShell Post-Exploitation Framework
- PowerTools : A collection of PowerShell projects with a focus on offensive operations
- Powershell-C2 : A PowerShell script to maintain persistance on a Windows machine
- Powershell-Payload-Excel-Delivery : Uses Invoke-Shellcode to execute a payload and persist on the system
- mimikittenz : A post-exploitation powershell tool for extracting juicy info from memory.
PrintSpoofer exploit that can be used to escalate service user permissions on Windows Server 2016, Server 2019, and Windows 10.
To escalate privileges, the service account must have SeImpersonate privileges. To execute:
PrintSpoofer.exe -i -c cmdWith appropriate privileges this should grant system user shell access.
redteam | Red Team Scripts by d0nkeys (ex SnadoTeam)
- code-execution
- credentials
- detection
- handlers
- keyloggers
- lateral-movement
- persistence
- privilege-escalation
- scanners
- shells
- situational-awareness
- stealth
- ADAT is a small tool used to assist CTF players and Penetration testers with easy commands to run against an Active Directory Domain Controller.
- This tool is is best utilized using a set of known credentials against the host.
Phant0m | Windows Event Log Killer
- Svchost is essential in the implementation of so-called shared service processes, where a number of services can share a process in order to reduce resource consumption.
- Grouping multiple services into a single process conserves computing resources, and this consideration was of particular concern to NT designers because creating Windows processes takes more time and consumes more memory than in other operating systems, e.g. in the Unix family.
- This means briefly that; On Windows operating systems, svchost.exe manages the services and services are actually running under svchost.exe’s as threads.
- Phant0m targets the Event Log service and finding the process responsible for the Event Log service, it detects and kills the threads responsible for the Event Log service.
- Thus, while the Event Log service appears to be running in the system (because Phant0m didn't kill process), it does not actually run (because Phant0m killed threads) and the system does not collect logs.
- SpookFlare has a different perspective to bypass security measures and it gives you the opportunity to bypass the endpoint countermeasures at the client-side detection and network-side detection.
SpookFlare is a loader/dropper generator for Meterpreter, Empire, Koadic etc.
SpookFlare has obfuscation, encoding, run-time code compilation and character substitution features.
So you can bypass the countermeasures of the target systems like a boss until they "learn" the technique and behavior of SpookFlare payloads.
- Obfuscation
- Encoding
- Run-time Code Compiling
- Character Substitution
- Patched Meterpreter Stage Support
- Blocked powershell.exe Bypass
Winpayloads Undetectable Windows Payload Generation with extras Running on Python2.7
RedSnarf is a pen-testing / red-teaming tool for Windows environments
BloodyAD Framework
- PayloadsAllTheThings - Windows Privilege Escalation
- Priv2Admin - Abusing Windows Privileges
- RogueWinRM Exploit
- Potatoes
- Decoder's Blog
- Token Kidnapping
- Hacktricks - Windows Local Privilege Escalation
Microsoft-Activation-Scripts Microsoft Activation Scripts (MAS):
A collection of scripts for activating Microsoft products using HWID / KMS38 / Online KMS activation methods with a focus on open-source code, fewer antivirus detection and user-friendliness.
Ghostpack-CompiledBinaries Compiled Binaries for Ghostpack (.NET v4.0)
SharpCollection Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines.
nishang Nishang - Offensive PowerShell for red team, penetration testing and offensive security.
- Compatible to Linux and Windows client systems
- Load in memory Powershell scripts
- Load in memory dll files bypassing some AVs
- Load in memory C# (C Sharp) assemblies bypassing some AVs
- Load x64 payloads generated with awesome [donut] technique
- Dynamic AMSI Bypass to avoid AV signatures
- Pass-the-hash support
- Kerberos auth support
- SSL and certificates support
- Upload and download files showing progress bar
- List remote machine services without privileges
- Command History
- WinRM command completion
- Local files/directories completion
- Remote path (files/directories) completion (can be disabled optionally)
- Colorization on prompt and output messages (can be disabled optionally)
- Optional logging feature
- Docker support (prebuilt images available at [Dockerhub])
- Trap capturing to avoid accidental shell exit on Ctrl+C