Cardboard Iguana Security
spells
Abusing wildcard expansion in Bash
Access the Windows Registry using PowerShell
Add Windows users at the command line
Aircrack-NG
ARP scanning
ARP
AS-REP roasting with Impacket
AS-REP roasting With Rubeus
AS-REP roasting
Automate Netlify builds with IFTTT
Automatically stabilize a reverse shell with socat
Avoid dropping privileges with SUID Bash
awk
Backdoor Visual Basic Scripts
basenc
Bash reverse shell
Bash scripting
Bulk edit Windows permissions
Burp Suite
Bypass the PowerShell execution policy
Bypass Windows antivirus with C Sharp
Calculate a file hash on Windows with CertUtil
Call Mimikatz from a meterpreter shell
cat
cewl
Change a branch name in Git
Change an RSA key passphrase with OpenSSL
Cisco IOS
Common Windows user types
Compact VM disk images
Confirm the existence of a Gmail address
crackmapexec
Create a GPG key with SSH support
Create a zip bomb
CUPP
Day One to Obsidian conversion script
DCERPC
Debugging Bash scripts
Default CIFS shares
dig
dir
Disable AMSI
DRSUAPI
Easy reverse DNS lookups
enum4linux
Enumerate AD CS templates with CertUtil
Equivalent Windows and UNIX commands
Evil-WinRM
Exploit LD_LIBRARY_PATH
Exploit LD_PRELOAD
Exploit local Windows services
Exploit local Windows tasks
Exploit remote Windows services
Exploit remote Windows tasks
Exploit the Bash PS4 prompt
Exploit the Windows DLL search order
Exploit the Windows FoDHelper
Exploit the WinLogon initialization sequence
Exploit VBA scripts with msfvenom
Exploit weak etc-passwd permissions
Exploit weak etc-shadow permissions
Exploit Windows file associations
Exploit Windows HTML applications with msfvenom
Exploit Windows services
Exploit Windows shortcut files
Exploit Windows tasks
Export highlights and annotations from Kobo eReaders
Extract the webpage title from a URL
ffmpeg
Find and replace a single line in a large text file
Find executables with SUID capabilities
find
findstr
finger
Fix EXIF data on Google Photos exports
FTP
FTPS
fuff
gdb
Gemini compatible markdown
Get a shell from ViM
Get an SSL certificate
Get-FileHash
Get-WinEvent
Git on Windows
gobuster
Golden and silver ticket attacks
grep
Hashcat
HTML applications
HTTP
Hydra
icacls
ICMP
iftop
IIS configuration data
IMAP
Impacket
Invoke-Mimikatz
Invoke-WebRequest
iOS quirks
ipconfig
IPSec
IPv4
Java
John the Ripper
JSON Web Tokens
Kerberoasting with Impacket
Kerberoasting with Rubeus
Kerberoasting
Kerberos
Kerbrute
less
Load a shell with a simple executable
Local file inclusion attacks
Look up unicode symbols and emojis
MAC address
Magic numbers
man
Match files to packages in Debian-based operating systems
Match files to packages in Red Hat-based operating systems
Metasploit MS SQL modules
meterpreter
Mimikatz
MITRE ATTaCK emulation plans
more
MS SQL
msfconsole
msfvenom
MySQL
nano
nbtscan
net
netcat
netsh
netstat
NFS
Nikto
Nmap
Node.js
nslookup
NTLM hashes
Oracle SQL Server
OSI model
OWASP ZAP
Perl
PHP local file inclusion attacks
PHP
ping
Poison null byte attack
Poison null byte in PHP
Polkit
Pop a SYSTEM shell on the Windows login screen using sticky keys
Pop a SYSTEM shell on the Windows login screen using Utilman
POP3
Port scanning with Bash
POSIX process signals
Powercat
PowerShell reverse shell
PowerView
ps
Pull SSL certificates from an external server
Python
Quick-n-dirty Python web server
Quickly bypass ssh-agent
Quickly find the canonical path of a file
RCE via XXE in PHP
Read a file beginning with a dash
reg
RegEx metacharacters
Remotely install a Windows package with PowerShell
Remove duplicate lines in Bash
Retrieve AIX fileset information
Retrieve AIX system information
Rubeus
Ruby
Run a remote Windows command using PowerShell
Run commands directly with PowerShell
RunAs
Send a command using OpenSSL
Set the PATH in a session on UNIX-like operating systems
Set the PATH in a session on Windows
Set up WMI in PowerShell
Shell stabilization
SIP
smbclient
smbget
smbmap
SMTP
socat
SQL injection attacks
SQLMap
ss
SSH
sudo
systemctl
systeminfo
tar
TCP header flags
TCP headers
TCP window size
TCP
tcpdump
Telnet
The Harvester
tmux
Transfer files over FTP using netcat
UDP
unbuffer
Uniform resource locators
UNIX file descriptors
UNIX password hashes
UNIX permissions
Unquoted path handling in Windows
Upgrade PostgreSQL
Use a Raspberry Pi 4B as hacking accessory
Use an alternate SSH key with Git
Use Bash functions to backdoor executables
Use Burp Suite with Firefox
Use Burp Suite with mobile apps
Use curl and jq with web APIs
Use OpenSSL to encrypt and decrypt files
Use the Windows Firewall to relay ports
Use unsupported display resolutions with Samsung DeX
Use WinRM with PowerShell
Useful built-in commands for Linux reconnaissance
Useful built-in commands for Windows reconnaissance
Useful Linux reconnaissance scripts
Useful scripts for Windows reconnaissance
ViM
Visual Basic for Applications
wfuzz
whoami
Wi-Fi
Windows DLL search order
Windows event IDs
Windows event logs
Windows local service accounts
Windows logon scripts
Windows permissions
Windows reconnaissance with PowerShell
Windows Remote Management
Windows Run and RunOnce Registry keys
Windows Scripting Host
Windows SeBackup and SeRestore permissions
Windows SeImpersonate and SeAssignPrimaryToken permissions
Windows service ACLs
Windows services
Windows SeTakeOwnership permission
Windows Startup folder
Windows unattended installation data
winrs
Wireshark
wmic
Work with base64 encoding using PowerShell
Work with remote services using WMI and PowerShell
Work with remote tasks using WMI and PowerShell
Working with services in PowerShell
XFreeRDP
XSS attacks
Xterm
xxd
XXE attacks
youtube-dl
Cardboard Iguana Security
Cardboard Iguana Security

Windows Remote Management

Warning

By default, UAC restricts WinRM calls to domain admins and the default local "Administrator" account. Local Windows admins cannot call this service without first disabling UAC!

Tip

Admin-ish privileges (including privileges associated with the Backup Operators group) are stripped by default when using WinRM. To enable this access, we need to set the LocalAccountTokenFilterPolicy registry key to 1.

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1

Windows Remote Management (WinRM) is basically PowerShell-over-HTTP. It requires access to TCP 5985 (unencrypted) or TCP 5986 (encrypted).

WinRS

winrs

winrs

winrs.exe is an older application used to interact with WinRM.

winrs.exe -u:$TARGET_USER `
          -p:$TARGET_PASSWORD `
          -r:$TARGET_HOST $COMMAND

This interface has been largely deprecated in favor of using PowerShell, and may not even be present on recent versions of Windows.

PowerShell

Use WinRM with PowerShell

Use WinRM with PowerShell

Many large companies will enable PowerShell remoting on all machines in order to ease IT support burdens (by default, remoting is only enabled on domain controllers).

# Create PSCredential object for authentication.
#
$username = "$TARGET_USER";
$password = "$TARGET_PASSWORD";
$SECURE_PASSWORD = ConvertTo-SecureString "$TARGET_PASSWORD" `
                                          -AsPlainText -Force;
$CREDENTIAL_OBJECT = New-Object `
                   System.Management.Automation.PSCredential `
                   $TARGET_USER, $SECURE_PASSWORD;

# Enter an interactive PowerShell session on the $TARGET_HOST.
#
Enter-PSSession -ComputerName $TARGET_HOST `
                -Credential $CREDENTIAL_OBJECT

# Alternately, we can pass commands directly as "script
# blocks". Note that the $POWERSHELL_SCRIPT does not have
# access to any variables in the host script or session, as
# its sent to $TARGET_HOST for execution (though this can be
# worked around using the -ArgumentList parameter, if
# necessary).
#
Invoke-Command -ComputerName $TARGET_HOST `
               -Credential $CREDENTIAL_OBJECT `
               -ScriptBlock {
                    $POWERSHELL_SCRIPT
                }

Evil-WinRM

Evil-WinRM

Evil-WinRM 

evil-winrm -i $TARGET_HOST \
           -u $TARGET_USER \
           -H $TARGET_USER_NTLM_HASH

This requires that you already have the target user's NTLM hash, obviously.

Note that Evil-WinRM does have a built-in download command for transferring files, but it's sloooow...

Links to this page
Windows service ACLs
winrs
Windows Remote Management
Interactive graph
On this page
Windows Remote Management
WinRS
PowerShell
Evil-WinRM
Powered by Obsidian Publish