WHP — пакет взлома Microsoft Windows

 M$ Windows Hacking Pack
===========

Tools here are from different sources. The repo is generally licensed with WTFPL, but some content may be not (eg. sysinternals).
"pes" means "PE Scambled". It's useful sometimes.

Remote Exploits
===========

Windows 2000 / XP SP1
MS05-039 Microsoft Plug and Play Service Overflow, Works with SSDP too
http://www.rapid7.com/db/modules/exploit/windows/smb/ms05_039_pnp

Windows XP/NT (beofre SP2)
MS03-026  Microsoft RPC DCOM Interface Overflow (kaht2.zip)
http://www.securityfocus.com/bid/8205/exploit

Windows XP (SP2 and SP3) (can be used also for priv esc)
MS08-067 Remote Stack Overflow Vulnerability Exploit (srvscv)
https://www.exploit-db.com/exploits/7104/

Windows Windows 7 and Server 2008 R2 (x64) All Service Packs
MS17-010 aka "Eternal Blue"
https://github.com/RiskSense-Ops/MS17-010

Windows Server 2016 (DoS, may lead to exec)
"Fuzzing SMB" video, showing the crash: https://www.youtube.com/watch?v=yDae5-lIQb8

Privilege Escalation
===========

First, if you have meterpreter, it may be a good idea to try "getsystem".

srvcheck3.exe
=====
Privilege escalation for Windows XP SP2 and before
This can exploit vulnerable services. http://seclists.org/fulldisclosure/2006/Feb/231
Example: srvcheck3.exe -m upnphost -H 127.0.0.1 -c "cmd.exe /c c:\Inetpub\wwwroot\shell.exe"

KiTrap0D.tar
=====
Privilege escalation for Microsoft Windows NT/2000/XP/2003/Vista/2008/7
MS10-015 / CVE-2010-0232 / https://www.exploit-db.com/exploits/11199/

Other ways of exploits listed
=====
Windows XP/2003
MS11-080  → Local Privilege Escalation Exploit  Afd.sys
https://www.exploit-db.com/exploits/18176/

Windows Vista/7
CVE: 2010-4398  Elevation of Privileges (UAC Bypass)
http://www.securityfocus.com/bid/45045/exploit

Windows 8.1 (and before)
MS14-058 → TrackPopupMenu Privilege Escalation
https://www.exploit-db.com/exploits/37064/

Windows 8.1 (and before)
MS15-051 Win32k LPE vulnerability used in APT attack "taihou32"
https://www.exploit-db.com/exploits/37049/

Windows 10 (and before)
Hot Potato (nbns spoof + wpad + smb ntlm)


Windows 10 (and before)
Link/URL based exploitation of NetNTLM hashes. Eg. sending link file in email or dropping on file share.
Technique presented here: https://www.youtube.com/watch?v=cuF_Ibo-mmM

Windows XP SP2 (and before)
srvcheck3.exe - upnp service or SSDPSRV service

Windows XP/2003
MS11-080  → Local Privilege Escalation Exploit  Afd.sys
https://www.exploit-db.com/exploits/18176/

Windows Vista/7
CVE: 2010-4398  Elevation of Privileges (UAC Bypass)
http://www.securityfocus.com/bid/45045/exploit

Windows 8.1 (and before)
MS14-058 → TrackPopupMenu Privilege Escalation
https://www.exploit-db.com/exploits/37064/

Windows 8.1 (and before)
MS15-051 Win32k LPE vulnerability used in APT attack "taihou32"
https://www.exploit-db.com

Windows NT/2K/XP/2K3/Vista/2K8/7/8
KiTrap0D - EPATHOBJ Local Ring Exploit
https://www.exploit-db.com/exploits/11199/

Windows 10 (and before)
Hot Potato (nbns spoof + wpad + smb ntlm)


Windows XP (and after)
.lnk exploit for receiving NetNTLM hashes remotely.
Backup files if contain sam Windows/system32/config/SAM /WINDOWS/repair/SAM regedit.exe HKEY_LOCAL_MACHINE -> SAM Tools to get the SAM database if locked: pwdump, samdump, samdump2, Cain&Abel Otherwise just copy. Dump SAM through shadow volume If it can be created the database could be copied from this. Vista command: vssadmin create shadow Server 2008 command: diskshadow Windows Credentials Editor WCE / Windows Credentials Editor can recover password hashes from LSASS - http://www.ampliasecurity.com/research/wcefaq.html WCE supports Windows XP, Windows 2003, Vista, Windows 7 and Windows 2008 (all SPs, 32bit and 64bit versions). Mimikatz dumping mimikatz # privilege::debug mimikatz # sekurlsa::logonpasswords mimikatz # lsadump::sam Cachedump aka In-memory attacks for SAM hashes / Cached Domain Credentials fgdump.exe (contains pwdump and cachedump, can read from memory) SAM dump (hive) "A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data." Dump SAM, then spray hashes keimpx (try hashes with different users, against domain accounts) http://code.google.com/p/keimpx/ LSA dumping (memory) / Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP LSAdump2, LSASecretsDump, pwdumpx, gsecdump or Cain & Abel https://github.com/CoreSecurity/impacket http://packetstormsecurity.org/files/view/10457/lsadump2.zip http://www.nirsoft.net/utils/lsa_secrets_dump.html http://packetstormsecurity.org/files/view/62371/PWDumpX14.zip PassTheHash (before Windows 8.1) pth-winexe --user=pc.local/Administrator%aad3b435b51404eeaad3b435b514t234e:1321ae011e02ab0k26e4edc5012deac8 //10.1.1.1 cmd PassTheTicket (Kerberos) mimikatz can do it Duplicate Access Tokens (if admin access token can be used, it's win) http://sourceforge.net/projects/incognito/ Token "Kidnapping" MS 09-12, Churrasco.bin shell.bin (runs shell.bin with nt system authority) http://carnal0wnage.attackresearch.com/2010/05/playing-with-ms09-012-windows-local.html Other notablelo tools psexec, smbshell, metasploit’s psexec, etc https://github.com/BloodHoundAD/BloodHound - It allows to visualize connections in an AD domain and find fast escalation ways. To Be Added =========== - http://www.nirsoft.net/ --> Stuff for dumping passwords - openvpn - evilgrade Hashes (SHA256) and VirusTotal scans =========== 8ee65368afcd98ea660f5161f9cbe0c4c08863018f28e5eb024d8db58b234333  AwesomerShell.tar 7487ec568b6e2547ef30957610e60df3089d916f043b02da1167959dd9e0c051  KiTrap0D.tar 96f17857f3eb28a7d93dad930bc099a3cb65a9a2afb37069bfd1ba5ec5964389  LICENSE.t

 

¯\_(ツ)_/¯

Примечание: Информация для исследования, обучения или проведения аудита. Применение в корыстных целях карается законодательством РФ.

 

cryptoparty

Cryptography is typically bypassed, not penetrated.

Добавить комментарий

Ваш e-mail не будет опубликован. Обязательные поля помечены *