Tools here for Windows Hacking Pack are from different sources. The repo is generally licensed with WTFPL, but some content may be not (eg. sysinternals). “pes” means “PE Scambled”. It’s useful sometimes.
Remote Exploits For Windows Hacking Pack ========================================= Windows 2000 / XP SP1 MS05-039 Microsoft Plug and Play Service Overflow, Works with SSDP too http://www.rapid7.com/db/modules/exploit/windows/smb/ms05_039_pnp Windows XP/NT (beofre SP2) MS03-026 Microsoft RPC DCOM Interface Overflow (kaht2.zip) http://www.securityfocus.com/bid/8205/exploit Windows XP (SP2 and SP3) (can be used also for priv esc) MS08-067 Remote Stack Overflow Vulnerability Exploit (srvscv) https://www.exploit-db.com/exploits/7104/ Windows Windows 7 and Server 2008 R2 (x64) All Service Packs MS17-010 aka "Eternal Blue" https://github.com/RiskSense-Ops/MS17-010 Windows Server 2016 (DoS, may lead to exec) "Fuzzing SMB" video, showing the crash: https://www.youtube.com/watch?v=yDae5-lIQb8 Privilege Escalation ====================== First, if you have meterpreter, it may be a good idea to try "getsystem". srvcheck3.exe ================ Privilege escalation for Windows XP SP2 and before This can exploit vulnerable services. http://seclists.org/fulldisclosure/2006/Feb/231 Example: srvcheck3.exe -m upnphost -H 127.0.0.1 -c "cmd.exe /c c:\Inetpub\wwwroot\shell.exe" KiTrap0D.tar ============= Privilege escalation for Microsoft Windows NT/2000/XP/2003/Vista/2008/7 MS10-015 / CVE-2010-0232 / https://www.exploit-db.com/exploits/11199/ Other ways of exploits listed ============================== Windows XP/2003 MS11-080 → Local Privilege Escalation Exploit Afd.sys https://www.exploit-db.com/exploits/18176/ Windows Vista/7 CVE: 2010-4398 Elevation of Privileges (UAC Bypass) http://www.securityfocus.com/bid/45045/exploit Windows 8.1 (and before) MS14-058 → TrackPopupMenu Privilege Escalation https://www.exploit-db.com/exploits/37064/ Windows 8.1 (and before) MS15-051 Win32k LPE vulnerability used in APT attack "taihou32" https://www.exploit-db.com/exploits/37049/ Windows 10 (and before) Hot Potato (nbns spoof + wpad + smb ntlm) http://foxglovesecurity.com/2016/01/16/hot-potato/ Windows 10 (and before) Link/URL based exploitation of NetNTLM hashes. Eg. sending link file in email or dropping on file share. Technique presented here: https://www.youtube.com/watch?v=cuF_Ibo-mmM Windows XP SP2 (and before) srvcheck3.exe - upnp service or SSDPSRV service Windows XP/2003 MS11-080 → Local Privilege Escalation Exploit Afd.sys https://www.exploit-db.com/exploits/18176/ Windows Vista/7 CVE: 2010-4398 Elevation of Privileges (UAC Bypass) http://www.securityfocus.com/bid/45045/exploit Windows 8.1 (and before) MS14-058 → TrackPopupMenu Privilege Escalation https://www.exploit-db.com/exploits/37064/ Windows 8.1 (and before) MS15-051 Win32k LPE vulnerability used in APT attack "taihou32" https://www.exploit-db.com/exploits/37049/ Windows NT/2K/XP/2K3/Vista/2K8/7/8 KiTrap0D - EPATHOBJ Local Ring Exploit https://www.exploit-db.com/exploits/11199/ Windows 10 (and before) Hot Potato (nbns spoof + wpad + smb ntlm) http://foxglovesecurity.com/2016/01/16/hot-potato/ Windows XP (and after) .lnk exploit for receiving NetNTLM hashes remotely. https://www.youtube.com/watch?v=cuF_Ibo-mmM Backup files if contain sam Windows/system32/config/SAM /WINDOWS/repair/SAM regedit.exe HKEY_LOCAL_MACHINE -> SAM Tools to get the SAM database if locked: pwdump, samdump, samdump2, Cain&Abel Otherwise just copy. Dump SAM through shadow volume If it can be created the database could be copied from this. Vista command: vssadmin create shadow Server 2008 command: diskshadow Windows Credentials Editor WCE / Windows Credentials Editor can recover password hashes from LSASS - http://www.ampliasecurity.com/research/wcefaq.html WCE supports Windows XP, Windows 2003, Vista, Windows 7 and Windows 2008 (all SPs, 32bit and 64bit versions). Mimikatz dumping mimikatz # privilege::debug mimikatz # sekurlsa::logonpasswords mimikatz # lsadump::sam Cachedump aka In-memory attacks for SAM hashes / Cached Domain Credentials fgdump.exe (contains pwdump and cachedump, can read from memory) SAM dump (hive) "A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data." Dump SAM, then spray hashes keimpx (try hashes with different users, against domain accounts) http://code.google.com/p/keimpx/ LSA dumping (memory) / Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP LSAdump2, LSASecretsDump, pwdumpx, gsecdump or Cain & Abel https://github.com/CoreSecurity/impacket http://packetstormsecurity.org/files/view/10457/lsadump2.zip http://www.nirsoft.net/utils/lsa_secrets_dump.html http://packetstormsecurity.org/files/view/62371/PWDumpX14.zip PassTheHash (before Windows 8.1) pth-winexe --user=pc.local/Administrator%aad3b435b51404eeaad3b435b514t234e:1321ae011e02ab0k26e4edc5012deac8 //10.1.1.1 cmd PassTheTicket (Kerberos) mimikatz can do it Duplicate Access Tokens (if admin access token can be used, it's win) http://sourceforge.net/projects/incognito/ Token "Kidnapping" MS 09-12, Churrasco.bin shell.bin (runs shell.bin with nt system authority) http://carnal0wnage.attackresearch.com/2010/05/playing-with-ms09-012-windows-local.html Other notablelo tools psexec, smbshell, metasploit’s psexec, etc https://github.com/BloodHoundAD/BloodHound - It allows to visualize connections in an AD domain and find fast escalation ways. To Be Added ============== - http://www.nirsoft.net/ --> Stuff for dumping passwords - openvpn - evilgrade Hashes (SHA256) and VirusTotal scans ===================================== 8ee65368afcd98ea660f5161f9cbe0c4c08863018f28e5eb024d8db58b234333 AwesomerShell.tar 7487ec568b6e2547ef30957610e60df3089d916f043b02da1167959dd9e0c051 KiTrap0D.tar 96f17857f3eb28a7d93dad930bc099a3cb65a9a2afb37069bfd1ba5ec5964389 LICENSE.txt b3991cbab99149f243735750690b52f38a4a9903a323c8c95d037a1957ec058e ncat.exe da24e2a2fefc4e53c22bc5ba1df278a0f644ada6e95f6bc602d75f5158a5932b ncat_pes.exe be4211fe5c1a19ff393a2bcfa21dad8d0a687663263a63789552bda446d9421b nc.exe 56580f1eebdccfbc5ce6d75690600225738ddbe8d991a417e56032869b0f43c7 nmap-7.12-setup-gui.exe 0cb7c3d9c4a0ce86f44ab4d0db2de264b64abbb83ef453afe05f5fddf330a1c5 nmap-7.12-win32_commandline.zip 976c216119d5627afc9ad29fd4f72e38de3711d65419fda6482bc795e0ebf654 plink.exe 952aa0bfb7ea58669fb50b945a09e9e69cd178739c5d1281a45ecfc54cc7f92f srvcheck3.exe ca5214e14ed5e879dd000a8a13895c474c89248386e9d337dd43f105a70f4170 PEScrambler.exe ef0f4bf2267b866a00b3e60c0e70f7f37cc5529fee417a625e502b3c93d215d9 SysinternalsSuite.zip 8e9bc40efd17a37a4ecf7ada7a3d739f343e207abe4e17f05a531baccc607336 windows-privesc-check.exe 6c367696e6cc8e6093426dbd19daf13b2375b0c078387ae6355519522d23b0fd windows-privesc-check.py ffe3808989bdfe986b17023e5d6583d49d644182e81234dc1db604e260ba76c9 fgdump.exe c36225d4515a92b905f8337acfd3d365cb813a2654e65067dbdba4fc58e7126a kaht2.zip 2951e49efbc9e18d4641c0061f10da021b4bca2bd51247fe80107cbd334c195d mimikatz_2-1.zip 0682a92bc96a66cf3e3eca1e44296838b9baad4feef0c391fc48044e039e642a ms08-067_exploit_31874.py cc4b4eceb04142b9e0794be029302feb33cf58c6a0cd1fdca3ff611df9b83827 ms08-067_exploit_7132.py 950bbdde2cc92799675c138fd8dfb2b60f0c01759533bc1a6993559508bd131e Responder.tar 54bd6cccf4c74604eb9956ce167a3ea94a06fabf4954e691d020023f8827c448 samdump2.exe ece925f85dc15b816dacacbb92ad41045f0cc58c2e10c5d3b66723ae11cf65c8 wce_getlsasrvaddr.exe c6333c684762ed4b4129c7f9f49c88c33384b66dfb1f100e459ec6f18526dff7 wce_v1_41beta_universal.exe ecbac2a6c0bf8dbc7bed2370ed098cd43a56b0d69a0db1d5715751270711f1d6 wce_v1_42beta_x32.exe 5b3fda14e972d908896a605293f4634a72e2968278117410e12d8b3faf9a3976 sources/nc110.tgz 47ec6f337a386828005eeaa0535b9b31c3fb13f657ce7eb56bcaf7ce50f9fdf9 sources/rdp2tcp-0.1.tar.gz 33d109696d22b7e89f4eac6d07f4b4461551247ce2bfcbead09373ce39364f78 sources/srvcheck3.zip f706df25bb061a669b13ff76c121a8d72140406c7b0930bae5dcf713f9520a56 sources/3proxy-0.8.6.tar.gz 7e8cfbf10bcc91fa9b9a60d3335d4a52bd6d4b6ca888533dbdd2afc86bebb5cc sources/3proxy-0.9-devel.tgz dec12905822ea64676d0ec58b62c00631ef8ddde2c700ffe74bfcf9026f17d81 sources/fgdump-2.1.0.tar.bz2 352888e441be33ae6266cfac1a072d52cfaafd65cc33b07daa51600f1cd803ca sources/impacket_0-9-15.tar 21faf49ae9ff08054214675f18d813bcf042798c325d68ae8b2417a119b439f4 sources/keimpx-0.3-dev.tar 16136256911c31f7c56eef415b11e14c13abe89cface46df78033456194eddfd sources/mimikatz-2016-06.zip 602659af30c565750fa01650e0a223d26355b5df98f2fbc30e3a6c593ed4e526 sources/samdump2-3.0.0.tar.bz2 ncat.exe SHA256: b3991cbab99149f243735750690b52f38a4a9903a323c8c95d037a1957ec058e https://virustotal.com/en/file/b3991cbab99149f243735750690b52f38a4a9903a323c8c95d037a1957ec058e/analysis/1466258994/ ncat_pes.exe SHA256: da24e2a2fefc4e53c22bc5ba1df278a0f644ada6e95f6bc602d75f5158a5932b https://virustotal.com/en/file/da24e2a2fefc4e53c22bc5ba1df278a0f644ada6e95f6bc602d75f5158a5932b/analysis/1466259528/ nc110.tgz SHA256: 5b3fda14e972d908896a605293f4634a72e2968278117410e12d8b3faf9a3976 https://virustotal.com/en/file/5b3fda14e972d908896a605293f4634a72e2968278117410e12d8b3faf9a3976/analysis/1466258410/ rdp2tcp-0.1.tar.gz SHA256: 47ec6f337a386828005eeaa0535b9b31c3fb13f657ce7eb56bcaf7ce50f9fdf9 https://virustotal.com/en/file/47ec6f337a386828005eeaa0535b9b31c3fb13f657ce7eb56bcaf7ce50f9fdf9/analysis/1466271163/
Also Read Bad-PDF To Steal NTLM Hashes From Windows Machines
