Awesome
<div align="center"> <h2 align="center"><a href="https://github.com/Anlominus">⚜️ Aภl๏miuภuຮ ⚜️</a></h2> <img align="center" width="100" src="https://user-images.githubusercontent.com/51442719/172729066-1293d382-4a31-4f03-8c23-ab0ea5f611a0.png">בס״ד
<div align="center">
Privilege-Escalation
~> Windows-PrivEsc
Cheat Sheets
Cheat-Sheet---Active-Directory
- This cheat sheet contains common enumeration and attack methods for Windows Active Directory using PowerShell.
Active Directory Exploitation Cheat Sheet
- This cheat sheet contains common enumeration and attack methods for Windows Active Directory.
Active Directory Cheat Sheet
- This repository contains a general methodology in the Active Directory environment.
- It is offered with a selection of quick commands from the most efficient tools based on PowerShell, C, .NET 3.5 and .NET 4.5.
Exchange-AD-Privesc
- This repository provides a few techniques and scripts regarding the impact of Microsoft Exchange deployment on Active Directory security.
- This is a side project of AD-Control-Paths, an AD permissions auditing project to which I recently added some Exchange-related modules.
Tools
Windows
Awesome tools to play with Windows!
List of tools used for exploiting Windows:
- Exploitation : Windows Software Exploitation
- hacking-team-windows-kernel-lpe : Previously-0day exploit from the Hacking Team leak, written by Eugene Ching/Qavar.
- mimikatz : A little tool to play with Windows security - extracts plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.
- Pazuzu : Reflective DLL to run binaries from memory
- Potato : Privilege Escalation on Windows 7, 8, 10, Server 2008, Server 2012
- UACME : Defeating Windows User Account Control
- Windows-Exploit-Suggester : This tool compares a target's patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
Misc
- afot : Automation Forensics Tool for Windows
- Invoke-LoginPrompt : Invokes a Windows Security Login Prompt and outputs the clear text password
- PowerShellArsenal : A PowerShell Module Dedicated to Reverse Engineering
- Winpayloads : Undetectable Windows Payload Generation
PowerShell
- BloodHound : Six Degrees of Domain Admin
- Empire : Empire is a PowerShell and Python post-exploitation agent
- Generate-Macro : PowerShell script that generates a malicious Microsoft Office document with a specified payload and persistence method
- Invoke-AltDSBackdoor : This script will obtain persistence on a Windows 7+ machine under both Standard and Administrative accounts by using two Alternate Data Streams
- Old-Powershell-payload-Excel-Delivery : This version touches disk for registry persistence
- PSRecon : PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team
- PowerShell-Suite : Some useful scripts in powershell
- PowerSploit : A PowerShell Post-Exploitation Framework
- PowerTools : A collection of PowerShell projects with a focus on offensive operations
- Powershell-C2 : A PowerShell script to maintain persistence on a Windows machine
- Powershell-Payload-Excel-Delivery : Uses Invoke-Shellcode to execute a payload and persist on the system
- mimikittenz : A post-exploitation PowerShell tool for extracting juicy info from memory.
PrintSpoofer.exe
PrintSpoofer is an exploit that can be used to escalate service user permissions on Windows Server 2016, Server 2019, and Windows 10.
To escalate privileges, the service account must have SeImpersonate privileges. To execute:
PrintSpoofer.exe -i -c cmd
With the appropriate privileges, this should grant a shell as the SYSTEM user.
redteam | Red Team Scripts by d0nkeys (ex SnadoTeam)
Categories
- code-execution
- credentials
- detection
- handlers
- keyloggers
- lateral-movement
- persistence
- privilege-escalation
- scanners
- shells
- situational-awareness
- stealth
ActiveDirectoryAttackTool
- ADAT is a small tool used to assist CTF players and Penetration testers with easy commands to run against an Active Directory Domain Controller.
- This tool is best utilized using a set of known credentials against the host.
Phant0m | Windows Event Log Killer
- Svchost is essential in the implementation of so-called shared service processes, where a number of services can share a process in order to reduce resource consumption.
- Grouping multiple services into a single process conserves computing resources, and this consideration was of particular concern to NT designers because creating Windows processes takes more time and consumes more memory than in other operating systems, e.g. in the Unix family.
- In short, on Windows operating systems svchost.exe manages the services, and the services actually run as threads under svchost.exe.
- Phant0m targets the Event Log service: it finds the process responsible for the Event Log service, then detects and kills the threads responsible for it.
- Thus, while the Event Log service appears to be running on the system (because Phant0m didn't kill the process), it does not actually run (because Phant0m killed the threads), and the system does not collect logs.
SpookFlare
Loader, dropper generator with multiple features for bypassing client-side and network-side countermeasures.
- SpookFlare takes a different approach to bypassing security measures: it gives you the opportunity to bypass endpoint countermeasures at both client-side and network-side detection. SpookFlare is a loader/dropper generator for Meterpreter, Empire, Koadic etc. It has obfuscation, encoding, run-time code compilation and character substitution features, so you can bypass the countermeasures of the target systems like a boss until they "learn" the technique and behavior of SpookFlare payloads.
- Obfuscation
- Encoding
- Run-time Code Compiling
- Character Substitution
- Patched Meterpreter Stage Support
- Blocked powershell.exe Bypass
Winpayloads
Undetectable Windows Payload Generation with extras, running on Python 2.7
RedSnarf
RedSnarf is a pen-testing / red-teaming tool by Ed Williams for retrieving hashes and credentials from Windows workstations, servers and domain controllers using OpSec Safe Techniques.
BloodyAD Framework
BloodyAD is an Active Directory Privilege Escalation Framework. It can be used manually with bloodyAD.py or automatically by combining pathgen.py and autobloody.py.
CheeseTools
Self-developed tools for Lateral Movement/Code Execution
- PayloadsAllTheThings - Windows Privilege Escalation
- Priv2Admin - Abusing Windows Privileges
- RogueWinRM Exploit
- Potatoes
- Decoder's Blog
- Token Kidnapping
- Hacktricks - Windows Local Privilege Escalation
Microsoft-Activation-Scripts
Microsoft Activation Scripts (MAS): A collection of scripts for activating Microsoft products using HWID / KMS38 / Online KMS activation methods with a focus on open-source code, fewer antivirus detections and user-friendliness.
Ghostpack-CompiledBinaries
Compiled Binaries for Ghostpack (.NET v4.0)
SharpCollection
Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines.
nishang
Nishang - Offensive PowerShell for red team, penetration testing and offensive security.
Evil-WinRM
The ultimate WinRM shell for hacking/pentesting
Features
- Compatible with Linux and Windows client systems
- Load PowerShell scripts in memory
- Load DLL files in memory, bypassing some AVs
- Load C# (C Sharp) assemblies in memory, bypassing some AVs
- Load x64 payloads generated with the awesome donut technique
- Dynamic AMSI Bypass to avoid AV signatures
- Pass-the-hash support
- Kerberos auth support
- SSL and certificates support
- Upload and download files showing progress bar
- List remote machine services without privileges
- Command History
- WinRM command completion
- Local files/directories completion
- Remote path (files/directories) completion (can be disabled optionally)
- Colorization on prompt and output messages (can be disabled optionally)
- Optional logging feature
- Docker support (prebuilt images available at Docker Hub)
- Trap capturing to avoid accidental shell exit on Ctrl+C