# Fingerprinting Windows
```bash
ping -c4 <target_ip> #if TTL=128, it's most likely a Windows host
sudo nmap -v -O <target_ip>
sudo nmap -v <target_ip> --script banner.nse
```
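The TTL rule of thumb above only holds if you account for hops: every router on the path decrements the TTL by one, so a reply with TTL 127 still points at a Windows host one hop away. The following is an added example (not part of the original notes) that parses ping output and infers the sender's default TTL; the default-TTL table and the sample ping output are assumptions/constructed.

```python
import re

# Default initial TTLs by OS family (assumption: the common rule of thumb the
# notes rely on; Windows starts at 128, Linux/macOS at 64, many network
# appliances and Solaris at 255; admins can change these, so treat as a hint).
INITIAL_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "network device / Solaris"}

# Matches the reply line of both Linux ("ttl=128") and Windows ("TTL=128") ping.
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)

def infer_initial_ttl(observed):
    """Each router hop decrements TTL by one, so the sender's starting value is
    the smallest default TTL that is >= the value we observed."""
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial
    return None  # above 255: not a valid IP TTL

def classify_ttl(observed):
    """Return (os_guess, estimated_hops) for one observed TTL value."""
    initial = infer_initial_ttl(observed)
    if initial is None:
        return ("unknown", None)
    return (INITIAL_TTLS[initial], initial - observed)

def fingerprint_ping_output(text):
    """Classify every reply line in ping output: list of (ttl, os_guess, hops)."""
    results = []
    for line in text.splitlines():
        m = TTL_RE.search(line)
        if m:
            ttl = int(m.group(1))
            results.append((ttl,) + classify_ttl(ttl))
    return results

# Constructed sample of `ping -c2 10.10.10.40` output (not a real capture):
# TTL 127 means a 128-TTL sender one hop away, i.e. most likely Windows.
SAMPLE = """PING 10.10.10.40 (10.10.10.40) 56(84) bytes of data.
64 bytes from 10.10.10.40: icmp_seq=1 ttl=127 time=41.2 ms
64 bytes from 10.10.10.40: icmp_seq=2 ttl=127 time=40.8 ms
"""

if __name__ == "__main__":
    for ttl, os_guess, hops in fingerprint_ping_output(SAMPLE):
        print(f"ttl={ttl}: {os_guess}, about {hops} hop(s) away")
```

Treat the result as a hint only and confirm it with the `nmap -O` and banner checks above, since a host many hops away or one with a customised TTL can land in the wrong bucket.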
# Windows Compromise Walkthrough
1 - enumerate host
2 - search for and decide on exploit path
3 - select exploit and configure payload, then deliver payload
4 - identify the native shell
# CMD-Prompt vs. PowerShell
- CMD is the original MS-DOS shell built into Windows
- does not keep a record of the commands used during the session
- useful when using simple batch files, net commands, or MS-DOS native tools
- also useful when execution policies may affect the ability to run scripts
- PowerShell expanded the capabilities of CMD: it understands the native MS-DOS commands used in CMD and adds a whole new set of commands built on .NET
- keeps record of commands
- protections such as `Execution Policy` and `User Account Control (UAC)` may inhibit ability to execute commands
# Prominent Windows Vulns
| **Vulnerability** | **Description** |
| --- | --- |
| `MS08-067` | MS08-067 was a critical patch pushed out to many different Windows revisions due to an SMB flaw. This flaw made it extremely easy to infiltrate a Windows host. It was so efficient that the Conficker worm used it to infect every vulnerable host it came across. Even Stuxnet took advantage of this vulnerability. |
| `EternalBlue` | EternalBlue (patched in MS17-010) is an exploit leaked in the Shadow Brokers dump of NSA tooling. It was most notably used in the WannaCry ransomware and NotPetya attacks. The attack takes advantage of a flaw in the SMB v1 protocol that allows code execution. EternalBlue is believed to have infected upwards of 200,000 hosts in 2017 alone and is still a common way to gain access to a vulnerable Windows host. |
| `PrintNightmare` | A remote code execution vulnerability in the Windows Print Spooler. With valid credentials for the host or a low-privilege shell, you can install a printer and add a driver that the spooler runs for you, granting SYSTEM-level access to the host. This vulnerability ravaged companies throughout 2021. 0xdf wrote an awesome post on it [here](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html). |
| `BlueKeep` | CVE-2019-0708 is a vulnerability in Microsoft's RDP protocol that allows Remote Code Execution. It takes advantage of a mis-called channel to gain code execution and affects every Windows revision from Windows 2000 to Server 2008 R2. |
| `Sigred` | CVE-2020-1350 exploits a flaw in how Windows DNS reads SIG resource records. It is a bit more complicated than the other exploits on this list, but if done correctly it gives the attacker Domain Admin privileges, since it affects the domain's DNS server, which is commonly the primary Domain Controller. |
| `SeriousSam` | CVE-2021-36934 exploits an issue with the way Windows handles permissions on the `C:\Windows\system32\config` folder. Before the fix, non-elevated users had read access to the SAM database, among other files. On its own this is not a huge issue, since the files can't be accessed while the PC has them in use, but it becomes dangerous when looking at volume shadow copy backups: the same permission mistakes exist on the backup copies, allowing an attacker to read the SAM database and dump credentials. |
| `Zerologon` | CVE-2020-1472 is a critical vulnerability that exploits a cryptographic flaw in Microsoft's Active Directory Netlogon Remote Protocol (MS-NRPC). It allows users to log on to servers using NT LAN Manager (NTLM) and even send account changes via the protocol. The attack can be a bit complex to understand, but it is trivial to execute: an attacker has to make only around 256 guesses at a computer account password before finding what they need, which can happen in a matter of seconds. |
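A defender-side check for the SeriousSam row above, added here and not part of the original notes: it parses the output of `icacls C:\Windows\System32\config\SAM` and flags any low-privileged group that holds a read right on the file. The sample icacls output is constructed, and the set of groups worth flagging is an assumption.

```python
import re

# One icacls ACE prints as "PRINCIPAL:(I)(RX)"; each right sits in parentheses,
# and specific rights such as (R,W) are comma-separated inside one group.
ACE_RE = re.compile(r"^(.+?):((?:\([A-Za-z,]+\))+)\s*$")

# Simple and specific icacls rights that allow reading the file contents.
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "RD"}

# Groups every ordinary user belongs to (assumption: the principals worth
# flagging; BUILTIN\Users:(I)(RX) on the SAM file is the SeriousSam symptom).
LOW_PRIV_GROUPS = {r"BUILTIN\Users", "Everyone", r"NT AUTHORITY\Authenticated Users"}

def parse_icacls(output, path):
    """Return {principal: set(rights)} from `icacls <path>` output."""
    aces = {}
    for line in output.splitlines():
        if line.startswith(path):          # first ACE shares its line with the path
            line = line[len(path):]
        m = ACE_RE.match(line.strip())
        if not m:                          # blank lines and the summary line
            continue
        rights = set()
        for group in re.findall(r"\(([A-Za-z,]+)\)", m.group(2)):
            rights.update(group.split(","))
        aces[m.group(1)] = rights
    return aces

def low_priv_readers(aces):
    """Low-privileged principals that hold any read right on the file."""
    return sorted(p for p, r in aces.items()
                  if p in LOW_PRIV_GROUPS and r & READ_RIGHTS)

def is_seriously_exposed(output, path=r"C:\Windows\System32\config\SAM"):
    return bool(low_priv_readers(parse_icacls(output, path)))

# Constructed samples in the shape icacls prints (not captured from a real host).
VULNERABLE = r"""C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
PATCHED = r"""C:\Windows\System32\config\SAM NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for name, out in (("vulnerable", VULNERABLE), ("patched", PATCHED)):
        print(name, "->", low_priv_readers(parse_icacls(out, r"C:\Windows\System32\config\SAM")))
```

The check covers only the live file; as the notes say, shadow copies carry the same ACLs, so a clean result here still leaves the existing shadow copies to review.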
# Windows File Types
| Payload Type | Description |
| --- | --- |
| DLL (.dll) | a library file used in Microsoft operating systems to provide shared code and data that can be used by many different programs at once; injecting a malicious DLL or hijacking a vulnerable library on the host can elevate our privileges to SYSTEM and/or bypass User Account Control (UAC) |
| Batch (.bat) | text-based DOS scripts used by system administrators to complete multiple tasks through the command-line interpreter; batch files can run commands on the host in an automated fashion |
| VBS | lightweight scripting language based on Microsoft's Visual Basic; typically used as a client-side scripting language by web servers to enable dynamic web pages |
| MSI | installation database for the Windows Installer; `msiexec` can execute a .msi payload that spawns a reverse shell |
| PowerShell | both a shell environment and a scripting language |
# Tools for Payload Generation
| Tool | **Description** |
| ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| MSFVenom & MSF | [Source](https://github.com/rapid7/metasploit-framework) MSF is an extremely versatile tool for any pentester's toolkit. It serves as a way to enumerate hosts, generate payloads, utilize public and custom exploits, and perform post-exploitation actions once on the host. Think of it as a Swiss Army knife. |
| Payloads All The Things | [Source](https://github.com/swisskyrepo/PayloadsAllTheThings) Here, you can find many different resources and cheat sheets for payload generation and general methodology. |
| Mythic C2 Framework | [Source](https://github.com/its-a-feature/Mythic) The Mythic C2 framework is an alternative option to Metasploit as a Command and Control Framework and toolbox for unique payload generation. |
| Nishang | [Source](https://github.com/samratashok/nishang) Nishang is a framework collection of Offensive PowerShell implants and scripts. It includes many utilities that can be useful to any pentester. |
| Darkarmour | [Source](https://github.com/bats3c/darkarmour) Darkarmour is a tool to generate and utilize obfuscated binaries for use against Windows hosts. |
# Payload Transfer & Execution
| Tool | Description |
| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------- |
| Impacket | toolset built in Python that provides a way to interact with network protocols directly, e.g. SMB (psexec, smbclient), WMI, and Kerberos |
| Payloads All The Things | resource to find quick one-liners to help transfer files across hosts |
| SMB | easy to exploit route to transfer files between hosts |
| Remote Execution via MSF | most exploit modules in MSF have a function that will build, stage, and execute the payloads automatically |
| Other | other protocols such as FTP, TFTP, HTTP/S, etc. provide ways to upload files to the host |