- Kali Linux 2018:Assuring Security by Penetration Testing
- Shiva V. N. Parasram, Alex Samm, Damian Boodoo, Gerard Johansen, Lee Allen, Tedi Heriyanto, Shakeel Ali
- 2021-06-24 18:19:08
Exploits for Windows
Windows exploits are typically aimed at services that listen on the network. The following well-known examples target the SMB service on TCP port 445 (MS03-026 is an RPC/DCOM bug that is normally reached through the endpoint mapper on port 135, although the same interface is also exposed over SMB named pipes):
- EternalBlue (MS17-010): a flaw in the SMBv1 server
- MS08-067: a flaw in the Server service, reached over an SMB named pipe
- MS03-026: a buffer overflow in the RPC DCOM interface
The following are some tools often used by pen testers:
- PsExec:
PsExec is a tool included in the Sysinternals toolkit; it is used for remote management and is popular with pen testers, system admins, and attackers alike. PsExec copies its service binary (PSEXESVC.exe) to the ADMIN$ share on the target, then uses the Service Control Manager over SMB to install and start it as a service; that service runs the requested command and relays its input and output back to you over named pipes. Keep in mind that PsExec requires admin privileges on the remote machine, and that the service installation and the binary dropped into the Windows directory are easy to spot on the target:
- Download Sysinternals
- Open the PowerShell prompt
- Type cd <Sysinternals directory>
- Type .\PsExec.exe \\<IP addr of remote machine> -u <user> -p <password> <cmd> (omit -p to be prompted for the password instead of leaving it in the command line and shell history)
The following screenshot depicts the output obtained:
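The service-installation step just described is the trace a PsExec run leaves on the target. The following PowerShell is an added example, not code from the book or from Sysinternals: it parses the System log's event 7045 (service installed) records and flags the default PSEXESVC service name and image path, so you can confirm the mechanism on a host you have just run PsExec against. The sample event message is constructed; the function names are my own.

```powershell
# Added example, not from the book. PsExec copies PSEXESVC.exe to ADMIN$ and
# registers it as a service through the Service Control Manager; the SCM logs
# that in the System log as event ID 7045. These functions parse such events.
function ConvertFrom-ServiceInstallEvent {
    param([Parameter(Mandatory)][string]$Message)
    # 7045 message bodies are "Key:  value" lines; collect the ones that matter.
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*(Service Name|Service File Name|Service Type|Service Start Type|Service Account):\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $name  = $fields['Service Name']
    $image = $fields['Service File Name']
    [pscustomobject]@{
        ServiceName = $name
        ImagePath   = $image
        StartType   = $fields['Service Start Type']
        Account     = $fields['Service Account']
        # Default PsExec naming. The -r switch renames the service, so a miss
        # here means "not default PsExec", not "not PsExec".
        IsDefaultPsExec = ($name -eq 'PSEXESVC') -or ($image -match '\\PSEXESVC\.exe$')
    }
}

function Get-PsExecServiceInstalls {
    # Needs admin rights on the queried host, just like PsExec itself.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parsed = ConvertFrom-ServiceInstallEvent -Message $_.Message
            if ($parsed.IsDefaultPsExec) {
                $parsed | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
            }
        }
}

# Constructed sample of the message text a PsExec run produces, for offline checking.
$sample = @"
A service was installed in the system.

Service Name:  PSEXESVC
Service File Name:  %SystemRoot%\PSEXESVC.exe
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem
"@
ConvertFrom-ServiceInstallEvent -Message $sample | Format-List

# Against a real target after a PsExec run:
# Get-PsExecServiceInstalls -ComputerName <IP addr of remote machine> -Days 1
```

Running the sample through the parser yields IsDefaultPsExec = True; run Get-PsExecServiceInstalls against the target after step 4 above and the same record appears with a TimeCreated that matches your PsExec invocation.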
- Impacket: A collection of Python classes for working with network protocols.
The initial setup can be done as follows:
- Open the Terminal
- Type cd /tmp
- Type git clone https://github.com/CoreSecurity/impacket.git
- Type cd impacket
- Type pip install . (Impacket is also published on PyPI, so pip install impacket works without cloning the repository)
Impacket ships example scripts that provide PsExec-, WMI-, and SMBExec-style remote command execution. All three need credentials for a local administrator on the target; psexec.py uploads and installs a service binary much like PsExec, wmiexec.py creates the process over WMI and reads its output back from a share, and smbexec.py creates a short-lived service per command. Use them as follows:
- PSexec:
psexec.py <username>:<password>@<ip addr> powershell
The output of the preceding command is shown in the following screenshot:
- WMI:
wmiexec.py <username>:<password>@<ip addr> powershell
The output of the preceding command is shown in the following screenshot:
- SMBexec:
smbexec.py <username>:<password>@<ip addr>
The output of the preceding command is shown in the following screenshot:
- PS-Remoting:
To enable PS-Remoting on a target machine, perform the following steps:
- Open PowerShell as administrator on the target machine
- Type the following (review the script first; you are running code from a moving development branch as administrator): powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'))"
- The script runs Enable-PSRemoting and creates an HTTPS listener on port 5986 with a self-signed certificate, which is why the client steps below skip the CA and CN checks
- To additionally allow Basic authentication and plain HTTP, type the three commands below. These are lab conveniences only: with them, passwords (base64-encoded, not encrypted) and session traffic cross the network in the clear on port 5985, so revert them when the engagement is over
- Type winrm set winrm/config/client/auth '@{Basic="true"}'
- Type winrm set winrm/config/service/auth '@{Basic="true"}'
- Type winrm set winrm/config/service '@{AllowUnencrypted="true"}'
To connect to the target over PS-Remoting from your attacking machine, perform the following steps:
- Open PowerShell.
- Type $options=New-PSSessionOption -SkipCACheck -SkipCNCheck
- Type $cred = Get-Credential. This will prompt you for credentials.
- Type Enter-PSSession -ComputerName <hostname> -UseSSL -SessionOption $options -Credential $cred. The -UseSSL switch connects to the HTTPS listener on port 5986 (without it the session goes to plain HTTP on 5985); -SkipCACheck and -SkipCNCheck are needed for the self-signed certificate but also mean the client does not verify the server's identity, so use them only against hosts you control.
You will get to see the configuration details, as shown in the following screenshot:
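The three winrm set commands in the target-side steps are the settings a defender would later want gone. The following PowerShell is an added example, not from the book or from the Ansible script: run on the target as Administrator, it reads the same winrm/config tree through the WSMan: drive, reports which of the weak settings are active, and provides a function that reverts them to an HTTPS-only configuration with Basic authentication off. Function names are my own; the WSMan: paths and Set-Item usage are standard PowerShell.

```powershell
# Added example, not from the book. Audits and reverts the WinRM settings the
# book's winrm set commands enable. Run as Administrator on the target.
function Get-WinRmExposure {
    $listeners = @(Get-ChildItem WSMan:\localhost\Listener)
    [pscustomobject]@{
        ServiceAllowUnencrypted = [bool]::Parse((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value)
        ServiceBasicAuth        = [bool]::Parse((Get-Item WSMan:\localhost\Service\Auth\Basic).Value)
        ClientAllowUnencrypted  = [bool]::Parse((Get-Item WSMan:\localhost\Client\AllowUnencrypted).Value)
        ClientBasicAuth         = [bool]::Parse((Get-Item WSMan:\localhost\Client\Auth\Basic).Value)
        # Listener items carry Keys such as "Transport=HTTP" / "Transport=HTTPS".
        HttpListener  = [bool]($listeners | Where-Object { $_.Keys -contains 'Transport=HTTP' })
        HttpsListener = [bool]($listeners | Where-Object { $_.Keys -contains 'Transport=HTTPS' })
    }
}

function Test-WinRmExposure {
    param([Parameter(Mandatory)]$State)
    $findings = @()
    if ($State.ServiceAllowUnencrypted) { $findings += 'Service/AllowUnencrypted=true: commands and output may travel over plain HTTP on 5985' }
    if ($State.ServiceBasicAuth)        { $findings += 'Service/Auth/Basic=true: passwords are only base64-encoded; fatal together with unencrypted HTTP' }
    if ($State.ClientAllowUnencrypted)  { $findings += 'Client/AllowUnencrypted=true: this host will also talk to other hosts in the clear' }
    if ($State.ClientBasicAuth)         { $findings += 'Client/Auth/Basic=true: this host will send Basic credentials to other hosts' }
    if (-not $State.HttpsListener)      { $findings += 'No HTTPS listener on 5986: Enter-PSSession -UseSSL will fail' }
    if ($State.HttpListener)            { $findings += 'HTTP listener on 5985 is present' }
    $findings
}

function Set-WinRmHardened {
    # Reverses the book's three winrm set commands and removes the HTTP listener.
    # Refuses to run without an HTTPS listener, because that would lock you out.
    if (-not (Get-WinRmExposure).HttpsListener) {
        throw 'Create an HTTPS listener first (e.g. via ConfigureRemotingForAnsible.ps1); otherwise remote access is lost.'
    }
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Set-Item WSMan:\localhost\Service\Auth\Basic        -Value $false
    Set-Item WSMan:\localhost\Client\AllowUnencrypted   -Value $false
    Set-Item WSMan:\localhost\Client\Auth\Basic         -Value $false
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTP' } |
        Remove-Item -Recurse
}

$state  = Get-WinRmExposure
$state | Format-List
$issues = Test-WinRmExposure -State $state
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'WinRM configuration looks hardened.' }
# When testing is finished:  Set-WinRmHardened
```

With Negotiate (Kerberos or NTLM) left enabled, the hardened state still accepts the Enter-PSSession -UseSSL connection shown above; only the Basic/HTTP path that the lab steps opened is closed.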
In a similar manner, we will also see how to enable WMI on a remote target and then use WMI to run commands on it.
- WMI: To let remote WMI (DCOM/RPC on port 135 plus a dynamic port) through the Windows Firewall, open PowerShell as Administrator on the target and run the following command. This is the legacy netsh firewall context; on current Windows the equivalent is netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes:
netsh firewall set service RemoteAdmin enable
To run a command on the remote target over WMI, open PowerShell on the attacking machine, type the following command, and observe the output as shown in the following screenshot. Win32_Process.Create returns only a status code and a process ID, not the command's output, so redirect output to a file or share inside the command if you need it back. Note that wmic.exe is deprecated and is being removed from current Windows builds; the CIM cmdlets provide the same capability:
wmic /node:<target IP addr> /user:<username> process call create "cmd.exe /c <command>"
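The same remote process creation, done with the CIM cmdlets that replace wmic.exe, as an added example that is not from the book. It defaults to the DCOM protocol wmic uses (so the firewall rule above is what it needs), can switch to WS-Man over the WinRM listeners from the PS-Remoting section, and translates the documented Win32_Process.Create return codes so an access-denied result is not mistaken for success. The function name and the placeholder target are assumptions.

```powershell
# Added example, not from the book: Win32_Process.Create over CIM instead of wmic.exe.
function Invoke-RemoteProcess {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$CommandLine,
        # Dcom matches wmic (RPC on 135 plus a dynamic port); Wsman rides WinRM on 5985/5986.
        [ValidateSet('Dcom', 'Wsman')][string]$Protocol = 'Dcom'
    )
    $opt     = New-CimSessionOption -Protocol $Protocol
    $session = New-CimSession -ComputerName $ComputerName -Credential $Credential -SessionOption $opt -ErrorAction Stop
    try {
        $r = Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create `
                              -Arguments @{ CommandLine = $CommandLine }
        # Documented Win32_Process.Create return codes.
        $meaning = switch ($r.ReturnValue) {
            0       { 'success' }
            2       { 'access denied' }
            3       { 'insufficient privilege' }
            8       { 'unknown failure' }
            9       { 'path not found' }
            21      { 'invalid parameter' }
            default { "code $($r.ReturnValue)" }
        }
        [pscustomobject]@{
            ComputerName = $ComputerName
            ReturnValue  = $r.ReturnValue
            Meaning      = $meaning
            ProcessId    = $r.ProcessId   # $null unless ReturnValue is 0
        }
    } finally {
        Remove-CimSession $session
    }
}

# Get-Credential prompts, so the password never appears in the command line or history.
$cred = Get-Credential
# Output is not returned by WMI, so the command writes it to a file on the target.
Invoke-RemoteProcess -ComputerName '<target IP addr>' -Credential $cred `
    -CommandLine 'cmd.exe /c whoami /all > C:\Windows\Temp\who.txt'
```

A ReturnValue of 0 with a ProcessId confirms the process started; retrieve the output file afterwards over SMB (for example from the C$ share, which needs the same admin rights) or rerun with -Protocol Wsman and collect it through a PS-Remoting session.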