Sometimes you don’t always need a Meterpreter shell. Depending on the intent, Netcat might be all you need. The benefit being that Windows Defender still doesn’t see Netcat as a threat. Meaning, you could get a reverse shell.
Let say you got a shell on a Windows machine, what can you do?
Quite a lot if you think about it. When you work day to day, how often are you being prompted for Admin credentials?
Certainly not for general use or things like mapping drives, copying files, downloading files and running basic diagnostics. Because of this, they can be used against us. It could also be the stepping stones for privilege escalation.
Let’s start with some basics…
I’m doing it on the system itself, simply because it’s easier to read.
You might want to first check if you have the correct machine or who the shell is running under. Whoami and hostname will help with this. If the account is domain joined, whoami will show the domain instead of the device (local).
Adding /groups will query the domain controller and display all groups the account is assigned to. If the account is local, it will display local Windows groups only.
To show the account privilege, use the /priv. You want to know what you’re working with.
Or if you want the lot, simply go with the whoami /all
There may be more users provisioned on the system. To list these, run net users. You could also use wmic useraccount…
Once you have your users, you can get a bit more information on them. Simply add the username at the end:
As you can see, Jerry is an admin on this device whilst Tom is just a user.
The accounts listed above might not be the only ones provisioned on the device. We can use net localgroup [groupname] to check. If I wanted to check the local administrators, we can run: net localgroup administrators
Use net accounts to check the local policies for things like account lockout threshold. Below shows ‘never’ so can be easily brute forced.
If domain joined, add /domain to the end.
If the device itself is on the domain, you can also query the DC depending on the restrictions in place. By default, all AD user accounts have a least read access to active directory.
Using net group … can help you identify further domain administrators and more targets. It can also be very useful when mapping out the domain.
Below are a few default AD groups to query:
net group “domain admins” /domain
net group “domain users” /domain
net group “domain controllers” /domain
net group “domain computers” /domain
Now let’s get focus on the device we have a shell on. Run the following to find out networking information.
Find out about local drivers:
Querying services is very handy. Finding applications that have vulnerabilities might allow you to further exploit the machine and escalate those privileges (Meterpreter). Check the Exploit DB for any applications found: https://www.exploit-db.com/
This goes the same for Program files:
When using dir, you can add /s to list subfolders. /b will list only the names. Put the two together and you can filter on file formats such as exes, ps1, txt, bat etc…
Let’s not forget %appdata% and %local appdata%
Scheduled tasks are always handy. You need admin access if you want to modify them. That doesn’t mean that you can replace the file it targets though. There is a chance that you could also change behavior, if a task runs based on conditions (Item level target). You can use /fo list or table to make it easier to read.
Custom programs could expose credentials in the registry key if written poorly. Running the following could help you identify any mistakes.
Before you start running or downloading applications or payloads, it’s always worth checking the firewall. Netsh firewall will work for older version but has been replaced with advfirewall.
If you want to learn more about the domain or user, running a DNS dump could help you find some useful information.
If your aim is to download further applications, scripts or payloads, it’s worth checking out the AV. If you have managed to run netcat on the system, it will most likely be Microsoft Defender.
Remember that unless a certain registry key is set, Windows Defender will still function. So even if it seems disabled, it could still run scheduled scans.
To check, we can run get-mpcomputerstatus. This is a Powershell command. Simply run powershell in your cmd prompt and it will change your shell.
Because of the common blame from poor vendor support, the user may have been persuaded to exclude certain files or paths. To find these run the following:
If you did manage to find a path that is excluded from AV scans, you have hit the jackpot. This means that you can download your payloads into the folder without the AV picking it up.
If it isn’t malicious though, you could always download it into a hidden folder. Running the following will create a folder and hide it (No admin required).
attrib +h “examplefolder”
These are just a few examples on what can be done with low level privilege. I will cover privilege escalation in the second part.
The last thing I will mention is copying files. If you wanted to copy or “acquire” certain files, you could use robocopy or drive mappings to move the files.
Map drive: net use x: \\computer name\sharename /user username password
Remembering to delete afterwards: net use x: /delete
Be careful on which side you setup the share though as this may flag. Admin rights are required, and the UAC will alert the user if ran in a netcat shell. That goes the same for any commands above. If ran with admin rights, the UAC prompt will appear on the victim’s machine which may alert them.
If you wanted to turn it off, here are some registry keys you can set. You will need to turn notifications off first as disabling UAC will notify the user. You will also need to run this as admin, so could be included in the initial payload? Potentially part of a modified installation file?
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer DisableNotificationcenter 1
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA -Value 0
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance\Enabled = 0
There is also something called Windows Quit Hours which disables these notifications during the set time frame. Could be very useful.