Closed a7t0fwa7 closed 3 years ago
Hey,
The parameters are correct if you want to use Domainreconmodules.
DomainReconmodules will most likely run a very long time with theese parameters depending on the domain size, especially the search for network shares takes much time here. Take a look at the code, the WinPwn
function calls the Domainreconmodules
function and Domainreconmodules
calls different sub-functions like generaldomaininfo
, shareenumeration
, powerSQL
, printercheck
and so on with the corresponding parameters:
So you could also use them as standalone functions depending on what you want to do:
powerSQL -noninteractive
- PowerUPSQL Checks
snaffler -noninteractive -consoleoutput
- snaffler without questions and with consoleoutput
generaldomaininfo -noninteractive -consoleoutput
- All those text file information which is normally generated in the Domainrecon Folder
Your error messages look like some of the scripts used by Domainreconmodules
have problems in your environment, but i didn´t see theese messages so far anywhere. Didn´t use the Offline version in combination with PowerShdll
so till now.
You could try all the subfunctions of generaldomainInfo
and tell me which one of it has this problem.
Greetings
Ah excellent will definitely give it a try and let you know which parameters could potentially present issues. Thanks again for your great help. Yes I thought you would be interested in knowing the pre-conditions on how WinPwn is being used i am engaged in a locked down environment at the moment so was interested in seeing how WinPwn would behave. Cheers
Ok buddy,
Seems that Powershdll doesn't handle the console output properly so you actually need to push all the WInPwn output to a file and only then can i go through the findings
`PS H:\Desktop2019>WinPwn -noninteractive -consoleoutput -Privesc >WinPwn_Privesc_output.txt`
otherwise i get this below
PS H:\Desktop2019>WinPwn -noninteractive -Privesc
A positional parameter cannot be found that accepts argument 'proxy.redacted.local:80'.
PS H:\Desktop2019>WinPwn -noninteractive -consoleoutput -Privesc
Cannot find drive. A drive with the name 'blahblahblah' does not exist.
Will continue to test on target while i can and update.
Cheers
I am interested in how WinPwn
is used and i am interested in how it behaves in different situations, this could also happen to me sometime. I just tried to replicate this using PowerShdll
but i can´t even load WinPwn
in its runspace. You could also try other open source alternatives like MsBuildshell, just replace the AMSI Bypass Namespace and Class name with random names. There are several projects like PowerLessShell
, nopowershell
Stracciatella
and more. You will get the output from other tools including error messages in the MsBuildShell.
Awesome thanks mate. Definitely will try the alternatives. Just as a heads up and interesting thing to note, i also used PowerSharpPack and found that the PowerSharpPack.ps1 gets flagged by AMSI but lets all the other binaries through LOL.
Thats because i didn´t change the AMSITrigger there so far, it´s explained in one of my blog posts here:
https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
I switched all scripts to gzip compression yesterday so at this time they are not flagged but they will get flagged in the near future again ;-)
Tried out MSBuildSell and it works great on my lab test machine, but as soon as i attempt to run it on my target for some reason there seems to be build errors occuring. Mind you i am launching this via PowerShdll. So tomorrow will test out by launching commands from a batch script and see if that works. Will keep you posted
Excellent blog posts mate. Thank you for awesome contributions.
If you encounter new behaviours feel free to reopen.
Hey man I am back with a few queries :+1:
So basically i am running WinPwn on a JUMP Server that has both CMD and PS disabled. I am running WinPwn via PowerShdll.
I don't have Internet Access so using Offline_WinPwn
So my query is that i get error messages when i attempt to run the following commands:
However when i try to run the same command without the -consoleoutput parameter i get
Any ideas as to why this is occurring? i presume that PowerShdll is not providing verbose error messages so it is kind of hard to understand what is occurring.
However when i run WinPwn -PowerSharpPack -consoleoutput -noninteractive
I manage to get the output in full.
I would like to know if you have a cheatsheet I could use to run WinPwn in -consoleoutput -noninteractive mode with a list of parameters we can pass because the help menu seems to contian only a few examples of usage if i am not mistaken.
Cheers