Running commands in Windows

Penetration testing requires a tester to know a large number of different tools, from commonplace text editors to standard intrusion detection systems. One of the important stages of a penetration test is running commands on the host being tested to accomplish the tester's goals. Since there are quite a few ways to do this, this article describes several methods for running commands in an infrastructure built on the Windows operating system. Several tools and ways of using them are presented, along with a few things to consider when using each method to run commands.

How to run a command on the system

Windows is one of the most popular platforms used all over the world, and for many users it is the only familiar interface for working with a computer. As you know, this system has a rather complex structure, which can be depicted as an abstract representation of its main elements.

[Figure: abstract representation of the main elements of the Windows architecture; the image and its source link are not preserved here]

This complex structure can make it difficult for users to discover the functionality the operating system already provides for their day-to-day tasks. Let's say we need to run a command to configure the system or to collect data about it. What interfaces can you use?

By default, the Windows operating system ships with a number of ready-made shells for executing commands. Each of them is a separate executable file. A short list is given below:

  • cmd.exe – command line interpreter

  • powershell.exe – a tool that extends the capabilities of the command line. Used to automate administrator tasks. Provides access to the .NET platform and allows you to execute commands in the scripting language of the same name

  • at.exe – a tool for running commands on a schedule. Available only when the Task Scheduler service is running

  • wmic.exe – utility for collecting data from Windows Management Instrumentation (the operating system's management and diagnostics interface)

  • psexec.exe – utility for launching applications and processes on a remote or local system

  • wscript.exe – the Windows Script Host for running scripts (VBScript, JScript) with a windowed interface

  • cscript.exe – the console (command-line) version of the same script host

With one exception, all of the files listed above are found in any Windows system, starting at least with Windows 7. The exception is psexec.exe: this tool was originally available only as part of the Sysinternals suite. Today psexec has a large number of variations, rewritten in various programming languages.

In addition to the ready-made commands and interpreters in Windows, there are also sets of functions provided by various subsystems, for example WinRM, WMI and the Windows Service Control Manager API.

Features of running commands

All commands executed by the Windows operating system can be divided into several groups according to various criteria. For our study, let us define the following groups:

  • running commands locally

  • running commands remotely

  • running commands with the caller's own privileges

  • running commands with someone else's privileges

Let's sort the methods of running commands described so far into these groups:

  1. Run with the same privileges locally and remotely:

    • wscript.exe / cscript.exe

    • wmic.exe

    • cmd.exe

    • powershell.exe

  2. Run with elevated privileges locally and remotely:

Practical check

All information about the commands was taken from the Windows OS documentation. For the test, we will use the following lab setup:

  • VirtualBox as the virtualization environment

  • Windows Server 2019 Evaluation as the system on which AD services are deployed

  • Kali Linux as the attacking system

  • the Impacket script collection, to reach the command execution subsystems

  • IOXIDResolver.py – a tool for obtaining the NetBIOS name of the system and its list of network interfaces

All machines are connected to a host-only network. The protection mechanisms (firewall, Defender) are disabled on the Windows Server machine.

For initial access to the system, we will use the Zerologon vulnerability. A description of the vulnerability and tools for exploiting it can be found online; we leave this as homework for the reader.

Step 1 – obtaining information about the server's network interfaces and its NetBIOS name:

Steps 2 and 3 – launching the Zerologon exploit and obtaining the user's hash:

Step 4 – to execute commands on the system, we will use the Administrator account and its hash. The same operations can be performed for other users; we leave them to the reader.

Now the obtained hash and username can be used to run commands on the system. We will use Impacket scripts for this. These scripts are designed specifically to run commands on a target system over Windows' own protocols.

We are interested in the following scripts:

  • psexec.py

  • smbexec.py

  • wmiexec.py

  • atexec.py

To check the privileges, each script will be run in interactive or semi-interactive mode. The test command will be whoami: it simply shows whose privileges the script is currently using to run commands.

Launching psexec.py – the script reproduces the behaviour of the tool of the same name. A distinctive feature of this launch is the use of the impersonation mechanism. For the method to work, the user must have access to the system's shared directories. Given that access, the script is able to create a service that launches cmd.exe on behalf of the System account:

Launching smbexec.py – essentially uses the same method as psexec.py, except that a new service is started on the target system for each command you run.

Launching wmiexec.py – runs commands on behalf of the same user whose credentials were supplied. Requests are processed asynchronously and may take a long time.

Launching atexec.py – depends on the configuration of the target system. If the Task Scheduler service it relies on is not running on the target, commands cannot be executed.
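Each of the four methods above leaves a different trace on the target, which is what a defender looks for: psexec.py and smbexec.py install a service (System log event 7045, "A service was installed"), wmiexec.py spawns the command from the WMI provider host (Security event 4688 with WmiPrvSE.exe as the parent, provided process-creation auditing is enabled), and atexec.py creates a scheduled task (Security event 4698). The triage script below is an added example, not part of the original article or of Impacket; the event records are constructed and simplified to a few fields, the service and task names are made up, and the rule "several suspicious service installs within a short window means one service per command" is a heuristic derived from the behaviours described above, not a documented signature.

```python
from collections import defaultdict

# Constructed, simplified event records (not real logs). "time" is seconds.
# 7045 = service installed (System log); 4688 = process created; 4698 = task created.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "dc01", "time": 100, "service": "WfLsXq",
     "image": r"\\127.0.0.1\ADMIN$\WfLsXq.exe", "account": "LocalSystem"},
    {"id": 7045, "host": "dc01", "time": 200, "service": "Kqzm",
     "image": r"%COMSPEC% /Q /c whoami > \\127.0.0.1\ADMIN$\out.txt",
     "account": "LocalSystem"},
    {"id": 7045, "host": "dc01", "time": 204, "service": "Pfjr",
     "image": r"%COMSPEC% /Q /c hostname > \\127.0.0.1\ADMIN$\out.txt",
     "account": "LocalSystem"},
    {"id": 4688, "host": "dc01", "time": 300, "parent": "WmiPrvSE.exe",
     "process": "cmd.exe", "user": "Administrator"},
    {"id": 4698, "host": "dc01", "time": 400, "task": r"\QwErTy",
     "action": "cmd.exe /C whoami", "user": "Administrator"},
    # Benign service install and an interactive shell on another host.
    {"id": 7045, "host": "ws02", "time": 500, "service": "Sense",
     "image": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
     "account": "LocalSystem"},
    {"id": 4688, "host": "ws02", "time": 600, "parent": "explorer.exe",
     "process": "cmd.exe", "user": "alice"},
]


def suspicious_service(ev):
    """A 7045 whose binary sits on a UNC share or is a bare shell invocation."""
    image = ev["image"].lower()
    return (image.startswith("\\\\") or image.startswith("%comspec%")
            or image.startswith("cmd.exe"))


def triage(events, window=30):
    """Map events to the execution patterns described in the article.

    Returns {host: [(time, label, detail), ...]} sorted by time. Hosts with
    no findings are omitted.
    """
    findings = defaultdict(list)
    svc_hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        host = ev["host"]
        if ev["id"] == 7045 and suspicious_service(ev):
            svc_hits[host].append(ev)
        elif ev["id"] == 4688 and ev.get("parent", "").lower() == "wmiprvse.exe":
            findings[host].append((ev["time"], "wmi-exec",
                                   f"{ev['process']} spawned by WmiPrvSE.exe as {ev['user']}"))
        elif ev["id"] == 4698:
            findings[host].append((ev["time"], "scheduled-task-exec",
                                   f"task {ev['task']} runs {ev['action']!r} as {ev['user']}"))
    # Group suspicious service installs that fall within `window` seconds of the
    # first one in the group: a single install looks like a service hosting a
    # shell (psexec.py style), several in a burst look like one service per
    # command (smbexec.py style).
    for host, hits in svc_hits.items():
        i = 0
        while i < len(hits):
            j = i
            while j + 1 < len(hits) and hits[j + 1]["time"] - hits[i]["time"] <= window:
                j += 1
            names = [h["service"] for h in hits[i:j + 1]]
            label = "service-per-command-exec" if len(names) > 1 else "service-shell-exec"
            findings[host].append((hits[i]["time"], label,
                                   f"service(s) {', '.join(names)} as {hits[i]['account']}"))
            i = j + 1
    return {host: sorted(items) for host, items in findings.items()}


if __name__ == "__main__":
    for host, items in triage(SAMPLE_EVENTS).items():
        for when, label, detail in items:
            print(f"{host} t={when}: {label}: {detail}")
```

The script deliberately stays at the level of event types and parent/child relationships rather than tool-specific strings, because the article itself notes that psexec has many rewrites; a rule keyed to one implementation's service name would miss the others, whereas a service whose binary lives on an administrative share or whose image path is a shell one-liner is unusual on its own.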

Thus, commands can be run on Windows remotely. The methods considered here are the most effective ones for data collection and penetration testing.

That's all. On the eve of the start of the course "Pentest. Practice of Penetration Testing", we invite everyone to a free demo lesson in which we will get acquainted with the tools for researching AD. We will use the data obtained for privilege escalation and lateral movement in the network.
