Manual Post Exploitation on Windows PC (System Command)

This article is about Post Exploitation on the Victim’s System using the Windows Command Line. When an Attacker gains a meterpreter session on a Remote PC, then he/she can enumerate a huge amount of information and make effective changes using the knowledge of the Windows Command Line.

Requirement

Attacker: Kali Linux

TarObtain: Window PC

To execute this, we will first Obtain the meterpreter session of the Remote PC which you can learn from here. After gaining the session, escalate its privileged to Administrator which you can learn from here.

Now to access windows command line, type ‘shell’ in the meterpreter shell.

Let’s Start!!

Obtain User Details and its Privileges

After gaining the meterpreter shell or windows command line, before doing any work. It is important to know the current user. This command is usually used to verify that the account that we were trying to access is the one we got. This can be simply done using the command whoami.

To increase our reach, we will an option in “whoami” command:

[/all]: To show all the details about the user.

As seen below we have username, SID and local group details

We also Obtain details about the privileges that are enabled or disabled to the user we are currently logged on.

Obtain the System Info

This command helps us enumerate lots of information regarding the system like hostname, domain, time zone and much more.

We can sort the basic system details such as (Manufacturer, Build, and Model) of the victim’s System using findstr.

As shown in the below screenshot we have the Boot Time, Manufacturer, Model, Type, Directory and Language of the Victim’s System.

We can obtain the location (as close as the country) of victim’s System using systeminfo.

Here we are using findstr with systeminfo to filter the systeminfo results.

As shown in the below screenshot we have the Time Zone (UTC+05:30), so we can say that the victim’s System is in “INDIA”.

Obtain Memory Details (Physical, Virtual, In Use, Free)

We can Obtain the basic memory details of the victim’s System using systeminfo.

Here we are using findstr with systeminfo to filter the systeminfo results.

As shown in the below screenshot we have the Total Physical Memory 3.5 GB out of which 1.6 GB is available, we are also Obtainting Virtual Memory Details.

Obtain the List System Drivers

We can display a list of all installed device drivers on the victim’s system and their properties through the command called driverquery.

 

Obtain the List of Kernel Drivers

We can the list of Kernel Drivers on the victim’s System using driverquery.

Here we are using findstr with driverquery to filter the driverquery results.

As seen below we have obtained a list of kernel drivers which can be used to get the direct exploits to the Victim’s System.

Obtain the List of File System Drivers

We can the list of File System Drivers on the victim’s System using driverquery.

Here we are using findstr with driverquery to filter the driverquery results.

Display Info about a Particular Service

We can obtain information about a particular service using sc command. Here we are using following options with sc command:

[query] to Obtain the names of a service.

Syntax: sc query [service name]

Obtain the list of Active Tasks

We can obtain information about running tasks using tasklist command.

This command shows the name of the task running along with the Process ID (PID), Session Name, Session Number and Memory Usage.

We can sort the output of tasklist according to the modules using the following options of tasklist command:

[/m]: To specify the Modules in Tasklist

But we will have to mention the module which is to be used to sort the Tasklist.

Syntax: tasklist /m [Module Name]

Here we can see all the tasks linked with ntdll.dll module.

Killing Tasks

We can kill tasks on the Victim’s System using a command called taskkill.

Taskkill requires either one of two things:

  1. Process Id
  2. Task Name

Here we are going to use [/f] option in taskkill, it enables the Taskkill to forcefully kill the tasks.

Killing the Tasks using the Process ID

Syntax: taskkill /f /pid [Process id of Task]

Killing the Tasks using the Task Name

Syntax: taskkill /f /im “[Task Name]”

Start or Stopping Services

We can start a service or some backdoor without the knowledge of the Victim using sc command.

Here we are using following options with sc command:

[start] to start a service.

Syntax:sc start [Service Name]

As you can see in the below image the service has started.

We can also stop a service using sc command.Here we are using following options with sc command:

[stop] to start a service.

Syntax:sc stop [Service Name]

As you can see in the below image the process Stopped

List all the logs on the System

We can obtain a list of all the logs on a system using wevtutil command. Here we are using following options with wevtutil command:

[el] to List log names.

Clear a specific logon the System

We can clear a specific log on a system using wevtutil command. Here we are using following options with wevtutil command:

[cl] to List log names.

Syntax: wevtutil cl [log name]

Find all the Hard Disk/Storage Partitions on a System

While penetration testing a Remote PC, knowledge of all the Hard Disk or Storage Devices and Partitions is essential so that we can sweep all the partitions and Storage Devices in hope to find data of any particular importance.

This can be done using fsutil command. Here we are using following options with fsutil command:

[fsinfo] to view file system info.

[drives] to list all drives.

As you can see below that the Victim System has 4 Hard Disk Partitions C, D, E and F

Delete all logs on a System

While penetration testing a remote pc, it is essential to remove the trace of youractivities, so we need to remove the evidence of our presence which can be found in log files.

The entire Log file has a .log extension so we are going to sweep the System Directory for files with extension .log and delete them with del command.

Note: Use this command with the path set to System Directory (In my case it is C:\)

Here we are using following options with del command:

[/a] to select files based on attributes.

[/s] to select System Files (/s is an attribute so it is to be used after /a)

[/q] to use Quiet Mode (It doesn’t ask if Ok to delete on global wildcards)

[/f] to force delete the read only files

Syntax:del [Directory]\*.log /a /s /q /f

As you can see in the below screenshot the process of detecting and deleting the files with .log extension has started.

Manage Local Users

While penetration testing a remote PC, it is important to obtain the list of Local Users so that attacker can gain infomation about the various users assigned to that particular system.

This can be done using net command. Here we are using following options to be used with net command:

[-user] to display the list of local users

It is always advantageous to add a user in the Local Groups so that attacker can perform certain tasks on that system.

This can be done using net command. Here we are using following options with net command:

Syntax:net user [logon_name] [password] /add

Many times, we come across a situation where we will have to perform certain administrative tasks, so we will add the user we created to the Administrative local group

Here we are using following options to be used with net command:

[-localgroup] to select the list of local groups

Syntax: net localgroup administrators [logon_name] /add

In the above example, I have added a user in the local administrators group named as hacker. We can verify using the “net user” command

Now, during the clean-up process it is important to delete the local user created.

This can be done using net commandHere we are using following options with net command:

Syntax: net user [logon_name] /del

Here you can see that I have used net command to add a user, making it a member of administrator local group and then deleting that user.

Display the List of all Scheduled Tasks

While penetration testing a remote PC, it is necessary to know the scheduled tasks to plan the attacks accordingly to further penetrate the Victim’s System. This can be done using schtasks.

We can sort schtasks so as to obtain a better readable format i.e. in a List Format.

Here we are using following options with schtasks command:

[/query]to display all scheduled tasks

[/fo] to specify the format of the Output (In this case we use List)

[/v] to use verbose mode

Author: Pavandeep Singh is an Ethical Hacker, Web Penetration Tester, Windows Command Line Expert and Researcher at hackingarticles.in. Contact here

Leave a Reply

Your email address will not be published. Required fields are marked *