Infiltrating Windows
Footprinting Windows
Identifying a Windows Machine:
TTL counter of ICMP packets -> either 32 or 128 (most commonly around 128):

```
> ping 192.168.86.39
PING 192.168.86.39 (192.168.86.39): 56 data bytes
64 bytes from 192.168.86.39: icmp_seq=0 ttl=128 time=102.920 ms
64 bytes from 192.168.86.39: icmp_seq=1 ttl=128 time=9.164 ms
64 bytes from 192.168.86.39: icmp_seq=2 ttl=128 time=14.223 ms
64 bytes from 192.168.86.39: icmp_seq=3 ttl=128 time=11.265 ms
```
or run an Nmap OS detection scan:

```
sudo nmap -v -O IP
```

If the scan returns only a few results, add the -Pn and -A flags.

After that, do an Nmap banner grabbing scan:

```
sudo nmap -v --script banner.nse IP
```
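The TTL check above, as an added example (not from the original notes): a small Python helper that pulls the TTL out of ping output and maps it back to a default initial TTL. It goes beyond the notes by also covering the Linux/Unix (64) and network-device (255) defaults and by accounting for the decrement each router hop applies, so a TTL of 52 is read as a Linux host twelve hops away rather than an unknown OS. The second sample is constructed input.

```python
import re
from collections import Counter

# Default initial TTLs by OS family (assumption of this example: the 32/128 Windows
# values from the notes above plus the common Linux/Unix and network-device defaults).
INITIAL_TTLS = {32: "Windows (legacy)", 64: "Linux/Unix", 128: "Windows", 255: "Network device"}

# Matches both Unix-style "ttl=128" and Windows-style "TTL=128" reply lines.
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def extract_ttls(ping_output):
    """Return every TTL value found in the echo-reply lines of ping output."""
    return [int(m.group(1)) for m in TTL_RE.finditer(ping_output)]


def guess_initial_ttl(observed):
    """Smallest known default TTL >= observed (each router hop decrements TTL by one)."""
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial
    return None  # larger than any known default, e.g. a malformed value


def fingerprint(ping_output):
    """Infer OS family and hop distance from ping output; None if no TTL is present."""
    ttls = extract_ttls(ping_output)
    if not ttls:
        return None
    observed = Counter(ttls).most_common(1)[0][0]  # ignore a stray reply over another path
    initial = guess_initial_ttl(observed)
    if initial is None:
        return None
    return {"observed_ttl": observed, "initial_ttl": initial,
            "hops": initial - observed, "os_family": INITIAL_TTLS[initial]}


# Sample 1: the reply lines shown in the notes above.
WINDOWS_PING = """PING 192.168.86.39 (192.168.86.39): 56 data bytes
64 bytes from 192.168.86.39: icmp_seq=0 ttl=128 time=102.920 ms
64 bytes from 192.168.86.39: icmp_seq=1 ttl=128 time=9.164 ms
"""

# Sample 2: constructed output for a Linux host twelve hops away (64 - 12 = 52).
REMOTE_LINUX_PING = """PING 10.0.0.5 (10.0.0.5): 56 data bytes
64 bytes from 10.0.0.5: icmp_seq=0 ttl=52 time=40.1 ms
64 bytes from 10.0.0.5: icmp_seq=1 ttl=52 time=39.8 ms
"""

if __name__ == "__main__":
    for sample in (WINDOWS_PING, REMOTE_LINUX_PING):
        print(fingerprint(sample))
```

The rounding is a heuristic: a host whose TTL has been decremented past the next lower default (or one with a non-default TTL configured) will be misclassified, which is why the notes follow this check with an Nmap OS scan.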
Payload Types
- DLL (Dynamic Link Library): DLL files in Windows provide shared code and data. Injecting a malicious DLL or hijacking a vulnerable library on the host can elevate our privileges to SYSTEM and/or bypass User Account Control (UAC).
- Batch files: text-based DOS scripts used by sysadmins to complete multiple tasks through the CLI. These files end with .bat.
- VBScript: typically used as a client-side scripting language to enable dynamic web pages. VBS is dated and disabled by most modern web browsers, but lives on in the context of phishing and other attacks aimed at having users perform an action, such as enabling the loading of macros in an Excel document or clicking on a cell to have the Windows scripting engine execute a piece of code.
- MSI: .MSI files serve as an installation database for the Windows Installer. When installing a new application, the installer looks for the .msi file to understand which components are required. We can craft a payload as an .msi file. Once we have it on the host, we can run msiexec to execute our file, which will provide us with further access, such as an elevated reverse shell.
- PowerShell
Payload Generation
| Resource | Description |
|---|---|
| MSFVenom & Metasploit-Framework | MSF is an extremely versatile tool for any pentester's toolkit. It serves as a way to enumerate hosts, generate payloads, utilize public and custom exploits, and perform post-exploitation actions once on the host. Think of it as a Swiss-army knife. |
| Payloads All The Things | Here, you can find many different resources and cheat sheets for payload generation and general methodology. |
| Mythic C2 Framework | The Mythic C2 framework is an alternative option to Metasploit as a Command and Control framework and toolbox for unique payload generation. |
| Nishang | Nishang is a framework collection of offensive PowerShell implants and scripts. It includes many utilities that can be useful to any pentester. |
| Darkarmour | Darkarmour is a tool to generate and utilize obfuscated binaries for use against Windows hosts. |
Payload Transfer and Execution:
- Impacket: Impacket is a toolset built in Python that provides us a way to interact with network protocols directly. Some of the most exciting tools we care about in Impacket deal with psexec, smbclient, wmi, Kerberos, and the ability to stand up an SMB server.
- Payloads All The Things: a great resource to find quick one-liners to help transfer files across hosts expediently.
- SMB: SMB can provide an easy-to-exploit route to transfer files between hosts. This can be especially useful when the victim hosts are domain joined and utilize shares to host data. We, as attackers, can use these SMB file shares along with C$ and admin$ to host and transfer our payloads and even exfiltrate data over the links.
- Remote execution via MSF: built into many of the exploit modules in Metasploit is a function that will build, stage, and execute the payloads automatically.
- Other Protocols: when looking at a host, protocols such as FTP, TFTP, HTTP/S, and more can provide you with a way to upload files to the host. Enumerate and pay attention to the functions that are open and available for use.