Exploitation
When you find a vulnerability, Windows has some specific ways to exploit it that differ from Linux.
Shells
PowerShell encoded Reverse Shell
A reverse shell sends a connection back to an attacker, from which they can execute commands on the target interactively. In PowerShell, this can be done by creating a TCP socket, receiving a command, and then sending back the output.
A short implementation of this is revshells.com - PowerShell #3 (Base64). It uses the following payload, replacing $IP and $PORT with your server:
This CyberChef recipe can be used to convert the above command into an encoded payload that looks far less like a reverse shell and contains fewer special characters:
For testing or forensics, here is also a CyberChef recipe that decodes an encoded payload.
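The decoding step above, as an added example for the forensics side (not code from the page or from CyberChef): it pulls the Base64 argument out of a captured command line, decodes it the way powershell -e expects (UTF-16LE, not UTF-8) and flags a few strings a defender would look for. The sample command lines and the INDICATORS list are constructed here.

```python
import base64
from typing import Optional

# Heuristic strings worth a closer look once the payload is readable; not a full signature set.
INDICATORS = ("Net.Sockets.TCPClient", "GetStream(", "Invoke-Expression", "IEX",
              "DownloadString", "FromBase64String")

def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the Base64 argument of -EncodedCommand, or of any prefix of it (-e, -ec, -enc ...)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] not in "-/":
            continue
        flag = tok[1:].lower()
        # PowerShell accepts any unambiguous prefix; "-ExecutionPolicy" does not match this test
        if flag and "encodedcommand".startswith(flag):
            return tokens[i + 1].strip("'\"")
    return None

def decode_powershell_payload(b64: str) -> str:
    """powershell -e takes Base64 of UTF-16LE text; decoding it as UTF-8 yields garbage."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")

def analyze_command_line(cmdline: str) -> dict:
    """Decode an encoded invocation and list which indicator strings the script contains."""
    b64 = extract_encoded_command(cmdline)
    if b64 is None:
        return {"encoded": False, "script": None, "indicators": []}
    script = decode_powershell_payload(b64)
    found = [s for s in INDICATORS if s.lower() in script.lower()]
    return {"encoded": True, "script": script, "indicators": found}

def encode_for_powershell(script: str) -> str:
    """Same encoding the -e switch expects; used here only to build constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed samples (not real captures)
BENIGN_SCRIPT = 'Write-Output "hello from $env:COMPUTERNAME"'
BENIGN_CMDLINE = "powershell.exe -NoP -W Hidden -enc " + encode_for_powershell(BENIGN_SCRIPT)
SOCKET_SCRIPT = '$client = New-Object System.Net.Sockets.TCPClient("203.0.113.5", 4444)'
SOCKET_CMDLINE = "powershell -e " + encode_for_powershell(SOCKET_SCRIPT)

if __name__ == "__main__":
    for line in (BENIGN_CMDLINE, SOCKET_CMDLINE):
        print(analyze_command_line(line))
```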
MSFVenom (.exe)
The Metasploit Framework has a collection of tools that work together, one of which is msfvenom. This command generates payloads in various formats that do certain things, often resulting in a shell for the attacker. You can list them all, but here are some of the most useful ones:
windows/shell_reverse_tcp -> This is one of the only shells that doesn't require MSF: all it does is spawn an interactive CMD shell and connect back to your port, which may be a simple netcat listener using nc -lnvp 1337.
windows/shell/reverse_tcp -> The staged variant of the above, which requires MSF to send a second stage actually containing the shell functionality.
windows/meterpreter_reverse_https -> A fancier shell that sends a 'meterpreter' payload, which only MSF can handle. This has some more features, and the _https variant even encrypts all traffic going back and forth, making it hard to analyze.
Generate payloads using the msfvenom command, and -p to choose them by name. After this, you can fill in variables like LHOST and LPORT to tell the payload where your listener will be, and finally use -f to choose a format and -o to choose where to place it.
The last two require setting up a matching handler in msfconsole:
See Metasploit to learn more about how to use the Metasploit framework to find and run exploits.
Download + IEX PowerCat
If your payload needs to be small, one solution is to download the full payload later and evaluate it. These are known as "staged payloads", and one way to do this is with powercat, a PowerShell script that lets you easily create a reverse shell. Simply download powercat.ps1 and host it yourself if the target does not have an internet connection. Then all that's left is to download and evaluate the script to connect, with a simple command:
After this payload fires, you should get a request on your HTTP server from the target downloading your file, and a little later a reverse shell on your second listener as well.
Fully Interactive Shell
A nice small addition to your reverse shell listener is rlwrap, which wraps the nc listener using readline, allowing you to use arrow keys for command history and editing:
The next level is tab completion, which requires a special shell on the target machine that connects to a netcat listener with stty set up. The following script can make such a clean connection:
Forcing Authentication to Relay
When a client authenticates to a service using NTLM, a challenge-response mechanism verifies that the user knows their password without sending it over the network. If a victim authenticates to a malicious server set up by the attacker, the response to the challenge the attacker gives depends on the user's password and on no other factor unknown to the attacker. That means the associated password can then be brute-forced offline.
We can force such an authentication by, for example, making them request a share like \\10.10.10.10\share, or a file on a share with \\10.10.10.10\share\file. This then makes an authentication to your IP address, which you can abuse.
Requesting an IP address forces NTLM authentication; using a hostname chooses Kerberos instead!
Using a tool like Responder, you can send them a challenge, which they will solve and return, allowing the password to be brute-forced:
Web tricks
Due to some Windows quirks, the actions that websites perform behind the scenes might behave differently than on Linux. This chapter collects a few of these tricks that can often be abused because developers forget about them.
Slashes (/ vs \)
Directory Traversal vulnerabilities are quite common: you use the special .. sequence in a path to go up one directory, and then access a file or folder outside the regular allowed area. On Linux this is often done like so:
Because of this, most path accesses block or replace / characters in the string. On Windows systems this is not enough, however, as the main directory separator is a backslash (\) instead.
Quite often the Windows APIs even allow the two to be used interchangeably, resulting in payloads containing mixed forward and backward slashes.
A good fuzzing list containing many of these techniques can be found here:
https://github.com/1N3/IntruderPayloads/blob/master/FuzzLists/traversal.txt
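As an added example (not from the page or from the fuzzing list), the Linux-minded filter this section describes next to a hardened version: the fix is to normalize with Windows path rules (ntpath behaves the same on any OS) and then check that the result still sits under the web root, rather than to block particular characters. WEB_ROOT and the sample inputs are constructed; apply the check after URL-decoding the request path.

```python
import ntpath
from typing import Optional

# Constructed web root for the demo; ntpath gives Windows path semantics on any OS.
WEB_ROOT = r"C:\inetpub\wwwroot\files"

def naive_is_safe(user_path: str) -> bool:
    """Linux-minded filter: only forward-slash traversal is rejected (the weakness described above)."""
    return "../" not in user_path and not user_path.startswith("/")

def resolve_safely(user_path: str) -> Optional[str]:
    """Hardened version: normalize with Windows rules, then confine the result to WEB_ROOT."""
    if not user_path or ":" in user_path:            # drive letters (C:) and NTFS streams (file:stream)
        return None
    if ntpath.isabs(user_path) or ntpath.splitdrive(user_path)[0]:   # rooted or UNC (\\host\share)
        return None
    # normpath turns every / into \ and collapses . and .. the way Win32 would
    full = ntpath.normpath(ntpath.join(WEB_ROOT, user_path))
    # The decisive check: after normalization the path must still sit under the root
    if ntpath.commonpath([WEB_ROOT, full]) != WEB_ROOT:
        return None
    return full

if __name__ == "__main__":
    for p in ("../../etc/passwd", r"reports\..\..\secret.txt", "reports/2024\\q1.pdf"):
        print(f"{p!r:32} naive={naive_is_safe(p)!s:5} hardened={resolve_safely(p)}")
```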
IIS Short filenames (SFNs, 8.3 filenames)
Back in the DOS versions of Windows, filenames could only have 8 characters as their name and 3 characters as their extension, no more. Because of Windows's backward-compatibility standards, all files actually still follow this rule: nowadays longer filenames are allowed, but an alias is stored as an 8.3 short filename (SFN) whenever the name doesn't fit, for example:
An Internet Information Services (IIS) webserver running on the machine might actually interpret these SFNs and give you back the content of the longer-named file. This can be incredibly useful for directory/filename brute-forcing, because any long path can be found this way by just guessing its short name. Read the following article to understand how we can efficiently guess these names:
Tools such as shortscan implement clever techniques to find all possible short filenames and report whether the service is vulnerable:
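As an added illustration (not the page's own example, nor shortscan's code), this Python approximation of the documented 8.3 generation rules shows what the aliases of typical web files look like and how little of the original name survives, which is why the guessing space is so small. The helper names and the sample filenames are mine; the hash-based tail NTFS uses after several ~N collisions is not modelled.

```python
import re

# Characters allowed in an 8.3 name; anything else becomes "_" in the alias (spaces are dropped).
INVALID_8DOT3 = re.compile(r"[^A-Z0-9!#$%&'()\-@^_`{}~]")

def is_valid_8dot3(name: str) -> bool:
    """A name that already fits 8.3 (case-insensitively) gets no separate alias."""
    if name.count(".") > 1:
        return False
    base, _, ext = name.upper().partition(".")
    return (1 <= len(base) <= 8 and len(ext) <= 3
            and not INVALID_8DOT3.search(base) and not INVALID_8DOT3.search(ext))

def short_name(long_name: str, existing=()) -> str:
    """Derive the 8.3 alias a long filename would get, skipping aliases already in `existing`."""
    if is_valid_8dot3(long_name):
        return long_name.upper()
    s = long_name.replace(" ", "").strip(".")          # drop spaces, leading and trailing periods
    base, dot, ext = s.rpartition(".")                 # extension = text after the LAST period
    if not dot:
        base, ext = s, ""
    base = INVALID_8DOT3.sub("_", base.replace(".", "").upper())[:6]   # embedded periods removed
    ext = INVALID_8DOT3.sub("_", ext.upper())[:3]
    suffix = f".{ext}" if ext else ""
    for n in range(1, 10):                             # ~1, ~2, ... until a free alias is found
        candidate = f"{base}~{n}{suffix}"
        if candidate not in existing:
            return candidate
    raise ValueError("collision tail exhausted; real NTFS falls back to a hashed form here")

def aliases(names) -> dict:
    """Map each long name in a directory to its alias, in creation order (earlier names win ~1)."""
    taken, out = set(), {}
    for n in names:
        out[n] = short_name(n, taken)
        taken.add(out[n])
    return out

if __name__ == "__main__":
    # Constructed sample directory listing
    for long, short in aliases(["index.html", "index.htm", "web.config", ".htaccess",
                                "secret-backup-2023.tar.gz"]).items():
        print(f"{long:28} -> {short}")
```

On a live system, fsutil 8dot3name query C: shows whether alias generation is enabled on that volume; disabling it for web content volumes (and stripping existing aliases) removes the behaviour IIS relies on here.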