Kali Linux 2018:Assuring Security by Penetration Testing

Exploits for Windows

Windows exploits are typically targeted at listening services of the operating system. Here is a list of exploits that target the SMB service running on port 445 of Windows:

  • Eternalblue – MS17-010
  • MS08-067
  • MS03-026

The following are some tools often used by pen testers:

  •  PsExec:

 PsExec is a tool included in the Sysinternals toolkit; it is used for remote management and is popular among pen testers, system admins, and hackers. The PsExec service binary is usually copied to the ADMIN$ share on the target machine, and a service is then created remotely to run it. Keep in mind that PsExec requires admin privileges on the remote machine:

  1. Download Sysinternals
  2. Open the PowerShell prompt
  3. Type cd <Sysinternals directory>
  4. Type .\PsExec.exe \\<IP addr of remote machine> -u <user> -p <password> <cmd>

The following screenshot depicts the output obtained:

  • Impacket: A collection of Python classes for working with network protocols.

The initial setup can be done as follows:

  1. Open the Terminal
  2. Type cd /tmp
  3. Type git clone https://github.com/CoreSecurity/impacket.git
  4. Type pip install 

Use the following commands to run PsExec, WMI, and SMBexec with Impacket:

  • PSexec:
psexec.py <username>:<password>@<ip addr> powershell

The output of the preceding command is shown in the following screenshot:

  • WMI:
wmiexec.py <username>:<password>@<ip addr> powershell

The output of the preceding command is shown in the following screenshot:

  • SMBexec:
smbexec.py <username>:<password>@<ip addr>

The output of the preceding command is shown in the following screenshot:
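PsExec, psexec.py and smbexec.py all share one trace on the target: the Service Control Manager installs a new service for them, which Windows records in the System log as Event ID 7045. The following is an added example (not from the book or from Impacket) that scans constructed 7045 records for that pattern; the service names, paths and matching rules are my own assumptions about what typically stands out, not rules from any product.

```python
import re
from typing import Optional

# Constructed records in the shape of the EventData fields of Windows System
# log Event ID 7045 ("A service was installed in the system"). The service
# names, binary paths and host name are made up for this example.
SAMPLE_7045_EVENTS = [
    {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "kzDtQbRw",
     "ImagePath": r"%COMSPEC% /Q /c whoami > %TEMP%\out.txt",
     "AccountName": "LocalSystem"},
    {"ServiceName": "RemoteAgent", "ImagePath": r"\\FILESRV01\tools\agent.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "vupdate",
     "ImagePath": r"C:\Program Files (x86)\Vendor\Update\update.exe /svc",
     "AccountName": "LocalSystem"},
]

# A service whose "binary" is a command interpreter rather than a service
# executable is how one-shot "run a command as a service" tools show up.
INTERPRETER_RE = re.compile(r"%comspec%|\bcmd\.exe\b|\bpowershell\.exe\b", re.I)
# Service binaries loaded from temp/profile directories or from a UNC path.
ODD_LOCATION_RE = re.compile(r"\\temp\\|\\users\\|^\\\\", re.I)


def classify_service_install(event: dict) -> Optional[str]:
    """Label one 7045 record, or return None when nothing stands out."""
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    if name.upper() == "PSEXESVC" or "psexesvc.exe" in path.lower():
        return "psexec-service"        # Sysinternals PsExec default service name
    if INTERPRETER_RE.search(path):
        return "interpreter-service"   # cmd/PowerShell one-liner installed as a service
    if ODD_LOCATION_RE.search(path):
        return "odd-binary-location"   # executable outside normal install locations
    return None


def scan_service_installs(events: list) -> list:
    """Return (ServiceName, label) for every record that trips a rule."""
    findings = []
    for event in events:
        label = classify_service_install(event)
        if label:
            findings.append((event["ServiceName"], label))
    return findings


if __name__ == "__main__":
    for name, label in scan_service_installs(SAMPLE_7045_EVENTS):
        print(f"{label:22} {name}")
```

Pair these rules with the matching 4624 network logon (type 3) to the same host to see which account installed the service.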

  • PS-Remoting:

To enable PS-Remoting on a target machine, perform the following steps:

  1. Open PowerShell as administrator on the target machine
  2. Type the following: powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'))"
  3. Enable PS-Remoting
  4. Type winrm set winrm/config/client/auth '@{Basic="true"}'
  5. Type winrm set winrm/config/service/auth '@{Basic="true"}'
  6. Type winrm set winrm/config/service '@{AllowUnencrypted="true"}'

To connect to a target machine over PS-Remoting, perform the following steps:

  1. Open PowerShell.
  2. Type $options=New-PSSessionOption -SkipCACheck -SkipCNCheck
  3. Type $cred = Get-Credential. This will prompt you for credentials.
  4. Type Enter-PSSession -ComputerName <hostname> -UseSSL -SessionOption $options -Credential $cred.

You will get to see the configuration details, as shown in the following screenshot:

In a similar manner, we will also see how to enable WMI on a remote target and how to use WMI to access it.

  • WMI: To enable WMI on a remote target, open PowerShell as Administrator and run the following command:
netsh firewall set service RemoteAdmin enable

To use WMI to access a remote target, open PowerShell, type the following command, and observe the output as shown in the following screenshot:

wmic /node:<target IP addr> /user:<username> process call create "cmd.exe /c <command>"