
Exploits for Windows

Windows exploits typically target the listening services of the operating system. The following exploits target the SMB service, which listens on port 445 on Windows:

  • Eternalblue – MS17-010
  • MS08-067
  • MS03-026

The following are some tools often used by pen testers:

  • PsExec: PsExec is a tool included in the Sysinternals toolkit; it is used for remote management and is popular among pen testers, system admins, and hackers. The PsExec binary is usually copied to the ADMIN$ share on the remote machine, and PsExec then uses remote service management to create a service on that machine. Keep in mind that PsExec requires admin privileges on the remote machine:

  1. Download Sysinternals
  2. Open the PowerShell prompt
  3. Type cd <Sysinternals directory>
  4. Type .\PsExec \\<IP addr of remote machine> -u <user> -p <password> <cmd>

The following screenshot depicts the output obtained:

  • Impacket: A collection of Python classes for working with network protocols.

The initial setup can be done as follows:

  1. Open the Terminal
  2. Type cd /tmp
  3. Type git clone https://github.com/CoreSecurity/impacket.git
  4. Type pip install 

Impacket ships scripts that provide PsExec, WMI, and SMBexec style remote execution; they are run as follows:

  • PSexec:
psexec.py <username>:<password>@<ip addr> powershell

The output of the preceding command is shown in the following screenshot:

  • WMI:
wmiexec.py <username>:<password>@<ip addr> powershell

The output of the preceding command is shown in the following screenshot:

  • SMBexec:
smbexec.py <username>:<password>@<ip addr>

The output of the preceding command is shown in the following screenshot:

  • PS-Remoting:

To enable PS-Remoting on a target machine, perform the following steps:

  1. Open PowerShell as administrator on the target machine
  2. Type the following: powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'))"
  3. Enable PS-Remoting (the Enable-PSRemoting cmdlet)
  4. Type winrm set winrm/config/client/auth '@{Basic="true"}'
  5. Type winrm set winrm/config/service/auth '@{Basic="true"}'
  6. Type winrm set winrm/config/service '@{AllowUnencrypted="true"}'

To connect to a target machine with PS-Remoting, perform the following steps:

  1. Open PowerShell.
  2. Type $options=New-PSSessionOption -SkipCACheck -SkipCNCheck
  3. Type $cred = Get-Credential. This will prompt you for credentials.
  4. Type Enter-PSSession -ComputerName <hostname> -UseSSL -SessionOption $options -Credential $cred.

You will get to see the configuration details, as shown in the following screenshot:

In a similar manner, we will also see how to enable WMI on a remote target and how to use WMI to access it.

  • WMI: To enable WMI on a remote target, open PowerShell as Administrator and run the following command:
netsh firewall set service RemoteAdmin enable

To use WMI to access a remote target, open PowerShell, type the following command, and observe the output shown in the following screenshot:

wmic /node:<target IP addr> /user:<username> process call create "cmd.exe /c <command>"
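Each of the techniques above leaves a characteristic trace on the target: PsExec and smbexec.py install a service (System event 7045), commands run through wmic or wmiexec.py are children of WmiPrvSE.exe, and commands run in a PS-Remoting session are children of wsmprovhost.exe (Security event 4688). The following Python script is an added defender-side example, not code from the book; the sample event records and their field names are constructed assumptions about what a SIEM would extract from those two event types.

```python
import re

# Constructed sample records, not real logs; the field names are assumptions
# about what a SIEM would extract from Security 4688 and System 7045 events.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "srv01", "service": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"id": 7045, "host": "srv01", "service": "rQwLp",
     "image": r"%COMSPEC% /Q /c %TEMP%\execute.bat"},
    {"id": 4688, "host": "srv02", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 4688, "host": "srv02", "parent": r"C:\Windows\System32\wsmprovhost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 4688, "host": "srv03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"id": 7045, "host": "srv03", "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
]

# Command interpreters whose appearance under a remote-management parent is suspicious.
SHELLS = re.compile(r"(^|\\)(cmd|powershell|pwsh)\.exe$", re.IGNORECASE)

def classify(ev):
    """Return a technique label for one event, or None if nothing matched."""
    if ev["id"] == 7045:  # System log: a new service was installed
        image = ev["image"].upper()
        if "PSEXESVC" in ev["service"].upper() or "PSEXESVC" in image:
            return "PsExec service install (Sysinternals PsExec)"
        if image.startswith("%COMSPEC%") or image.startswith("CMD.EXE"):
            return "service whose binary is a command shell (smbexec-style)"
        return None
    if ev["id"] == 4688 and SHELLS.search(ev["image"]):  # Security log: process creation
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        if parent == "wmiprvse.exe":
            return "shell spawned by the WMI provider host (wmic / wmiexec.py)"
        if parent == "wsmprovhost.exe":
            return "shell spawned inside a WinRM / PS-Remoting session"
    return None

def find_remote_exec(events):
    """Return (host, label) for every event that matches a rule, in log order."""
    return [(ev["host"], classify(ev)) for ev in events if classify(ev)]

if __name__ == "__main__":
    for host, label in find_remote_exec(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

Legitimate administration also produces these parents, so in practice the hits are correlated with the source account and network logon before alerting.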
