Rob Fuller edited this page Sep 6, 2012 · 6 revisions

Windows Post Exploitation Command List

Persistence

Create a service

src:

desc:

Binary Planting:

src:

desc:

Binary Planting: Fxsst.dll

src: http://www.room362.com/blog/2011/6/27/fxsstdll-persistence-the-evil-fax-machine.html

desc: Drop a malicious fxsst.dll into %SYSTEMDRIVE%\Windows; Explorer auto-loads it at each login. The real fxsst.dll lives in System32, but DLL search order means the copy in the Windows directory is loaded first.

Presence

Current User

Other Users

Current System

Access to CIFS/SMB Shares

A number of commands built into Windows support UNC (\\server\share) paths.

Pivoting

Domain Enumeration

Using shares to pivot

  1. DLL-Hijacking
  2. Binding/Planting

Port scanning

TCP Ports to scan and why

  1. Copy paste-able list: 80,443,1433
    1. 80, 443 - obvious HTTP(S) ports; internally this usually means printers, but you could find an Intranet page or two
    2. 1433 - default MSSQL port; if you find a "MSSQL Express" installation, there is a good chance this is

UDP Ports to scan and why

  1. Copy paste-able list: 53
    1. 53 - finding an internal DNS server is usually a gold mine, since it is rarely secured against DNS zone transfers

Batch scripting Post Exploitation

  1. discovery
  2. portscanning
  3. AV, FW, reverse shell in one shot!

PowerShell Post Exploitation

  1. discovery
  2. portscanning

Resources
