M$ Windows Hacking Pack
===========

Tools here are from different sources. The repo is generally licensed under the WTFPL, but some content may not be (e.g. sysinternals).

"pes" means "PE Scrambled". It's useful sometimes.

Remote Exploits
===========

Windows 2000 / XP SP1
MS05-039 Microsoft Plug and Play Service Overflow, works with SSDP too
http://www.rapid7.com/db/modules/exploit/windows/smb/ms05_039_pnp

Windows XP/NT (before SP2)
MS03-026 Microsoft RPC DCOM Interface Overflow (kaht2.zip)
http://www.securityfocus.com/bid/8205/exploit

Windows XP (SP2 and SP3) (can also be used for priv esc)
MS08-067 Remote Stack Overflow Vulnerability Exploit (srvsvc)
https://www.exploit-db.com/exploits/7104/

Windows 7 and Server 2008 R2 (x64), all Service Packs
MS17-010 aka "Eternal Blue"
https://github.com/RiskSense-Ops/MS17-010

Windows Server 2016 (DoS, may lead to exec)
"Fuzzing SMB" video, showing the crash: https://www.youtube.com/watch?v=yDae5-lIQb8

Privilege Escalation
===========

First, if you have meterpreter, it may be a good idea to try "getsystem".

srvcheck3.exe
=====

Privilege escalation for Windows XP SP2 and before.
This can exploit vulnerable services.
http://seclists.org/fulldisclosure/2006/Feb/231

Example:
srvcheck3.exe -m upnphost -H 127.0.0.1 -c "cmd.exe /c c:\Inetpub\wwwroot\shell.exe"

KiTrap0D.tar
=====

Privilege escalation for Microsoft Windows NT/2000/XP/2003/Vista/2008/7
MS10-015 / CVE-2010-0232 / https://www.exploit-db.com/exploits/11199/

Other ways of exploits listed
=====

Windows XP SP2 (and before)
srvcheck3.exe - upnp service or SSDPSRV service

Windows XP/2003
MS11-080 → Local Privilege Escalation Exploit, Afd.sys
https://www.exploit-db.com/exploits/18176/

Windows Vista/7
CVE-2010-4398 Elevation of Privileges (UAC Bypass)
http://www.securityfocus.com/bid/45045/exploit

Windows 8.1 (and before)
MS14-058 → TrackPopupMenu Privilege Escalation
https://www.exploit-db.com/exploits/37064/

Windows 8.1 (and before)
MS15-051 Win32k LPE vulnerability used in the APT attack "taihou32"
https://www.exploit-db.com/exploits/37049/

Windows 10 (and before)
Hot Potato (nbns spoof + wpad + smb ntlm)
Hot Potato – Windows Privilege Escalation

Windows 10 (and before)
Link/URL based exploitation of NetNTLM hashes, e.g. sending a link file in an email or dropping it on a file share.
Technique presented here: https://www.youtube.com/watch?v=cuF_Ibo-mmM
Backup files (if they contain the SAM):
Windows/system32/config/SAM
/WINDOWS/repair/SAM
regedit.exe HKEY_LOCAL_MACHINE -> SAM

Tools to get the SAM database if it is locked: pwdump, samdump, samdump2, Cain&Abel. Otherwise just copy it.

Dump SAM through shadow volume
=====

If a shadow copy can be created, the database can be copied from it.
Vista command: vssadmin create shadow
Server 2008 command: diskshadow

Windows Credentials Editor
=====

WCE / Windows Credentials Editor can recover password hashes from LSASS - http://www.ampliasecurity.com/research/wcefaq.html
WCE supports Windows XP, Windows 2003, Vista, Windows 7 and Windows 2008 (all SPs, 32-bit and 64-bit versions).

Mimikatz dumping
=====

mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # lsadump::sam

Cachedump aka in-memory attacks for SAM hashes / cached domain credentials
=====

fgdump.exe (contains pwdump and cachedump, can read from memory)

SAM dump (hive)
=====

"A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data."
Dump SAM, then spray hashes
=====

keimpx (try hashes with different users, against domain accounts)
http://code.google.com/p/keimpx/

LSA dumping (memory)
=====

Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
LSAdump2, LSASecretsDump, pwdumpx, gsecdump or Cain & Abel
https://github.com/CoreSecurity/impacket
http://packetstormsecurity.org/files/view/10457/lsadump2.zip
http://www.nirsoft.net/utils/lsa_secrets_dump.html
http://packetstormsecurity.org/files/view/62371/PWDumpX14.zip

PassTheHash (before Windows 8.1)
=====

pth-winexe --user=pc.local/Administrator%aad3b435b51404eeaad3b435b514t234e:1321ae011e02ab0k26e4edc5012deac8 //10.1.1.1 cmd

PassTheTicket (Kerberos)
=====

mimikatz can do it.

Duplicate Access Tokens
=====

If an admin access token can be used, it's a win.
http://sourceforge.net/projects/incognito/

Token "Kidnapping"
=====

MS09-012, Churrasco.bin shell.bin (runs shell.bin with NT AUTHORITY\SYSTEM privileges)
http://carnal0wnage.attackresearch.com/2010/05/playing-with-ms09-012-windows-local.html

Other notable tools
=====

psexec, smbshell, metasploit's psexec, etc.
https://github.com/BloodHoundAD/BloodHound - It visualizes connections in an AD domain and helps find fast escalation paths.

To Be Added
===========

- http://www.nirsoft.net/ --> Stuff for dumping passwords
- openvpn
- evilgrade

Hashes (SHA256) and VirusTotal scans
===========

8ee65368afcd98ea660f5161f9cbe0c4c08863018f28e5eb024d8db58b234333 AwesomerShell.tar
7487ec568b6e2547ef30957610e60df3089d916f043b02da1167959dd9e0c051 KiTrap0D.tar
96f17857f3eb28a7d93dad930bc099a3cb65a9a2afb37069bfd1ba5ec5964389 LICENSE.t
¯\_(ツ)_/¯
Note: This information is provided for research, education or auditing purposes. Use for personal gain is punishable under the laws of the Russian Federation.