WHP

by 51x


Micro$oft Windows Hacking Pack


M$ Windows Hacking Pack

Tools here are from different sources. The repo is generally licensed under the WTFPL, but some content may not be (e.g. Sysinternals). "pes" means "PE Scrambled". It's useful sometimes.

Remote Exploits

Windows 2000 / XP SP1 MS05-039 Microsoft Plug and Play Service Overflow, Works with SSDP too http://www.rapid7.com/db/modules/exploit/windows/smb/ms05039pnp

Windows XP/NT (before SP2) MS03-026 Microsoft RPC DCOM Interface Overflow (kaht2.zip) http://www.securityfocus.com/bid/8205/exploit

Windows XP (SP2 and SP3) (can also be used for priv esc) MS08-067 Remote Stack Overflow Vulnerability Exploit (srvsvc) https://www.exploit-db.com/exploits/7104/

Windows 7 and Server 2008 R2 (x64), all Service Packs MS17-010 aka "Eternal Blue" https://github.com/RiskSense-Ops/MS17-010

Windows Server 2016 (DoS, may lead to exec) "Fuzzing SMB" video, showing the crash: https://www.youtube.com/watch?v=yDae5-lIQb8

Privilege Escalation

First, if you have meterpreter, it may be a good idea to try "getsystem".

srvcheck3.exe

Privilege escalation for Windows XP SP2 and before. This can exploit vulnerable services. http://seclists.org/fulldisclosure/2006/Feb/231 Example: srvcheck3.exe -m upnphost -H 127.0.0.1 -c "cmd.exe /c c:\Inetpub\wwwroot\shell.exe"

KiTrap0D.tar

Privilege escalation for Microsoft Windows NT/2000/XP/2003/Vista/2008/7: MS10-015 / CVE-2010-0232 / https://www.exploit-db.com/exploits/11199/

Other exploits listed

Windows XP/2003 MS11-080 → Local Privilege Escalation Exploit Afd.sys https://www.exploit-db.com/exploits/18176/

Windows Vista/7 CVE: 2010-4398 Elevation of Privileges (UAC Bypass) http://www.securityfocus.com/bid/45045/exploit

Windows 8.1 (and before) MS14-058 → TrackPopupMenu Privilege Escalation https://www.exploit-db.com/exploits/37064/

Windows 8.1 (and before) MS15-051 Win32k LPE vulnerability used in APT attack "taihou32" https://www.exploit-db.com/exploits/37049/

Windows 10 (and before) Hot Potato (nbns spoof + wpad + smb ntlm) http://foxglovesecurity.com/2016/01/16/hot-potato/

Windows 10 (and before) Link/URL based exploitation of NetNTLM hashes. Eg. sending link file in email or dropping on file share. Technique presented here: https://www.youtube.com/watch?v=cuF_Ibo-mmM

Windows XP SP2 (and before) srvcheck3.exe - upnp service or SSDPSRV service

Windows NT/2K/XP/2K3/Vista/2K8/7/8 KiTrap0D - EPATHOBJ Local Ring Exploit https://www.exploit-db.com/exploits/11199/

Windows XP (and after) .lnk exploit for receiving NetNTLM hashes remotely. https://www.youtube.com/watch?v=cuF_Ibo-mmM

SAM locations (including backup copies, if they contain the SAM): Windows/system32/config/SAM, /WINDOWS/repair/SAM, and in regedit.exe under HKEY_LOCAL_MACHINE -> SAM

Tools to get the SAM database if it is locked: pwdump, samdump, samdump2, Cain & Abel. Otherwise just copy it.

Dump SAM through a shadow volume: if one can be created, the database can be copied from it. Vista command: vssadmin create shadow. Server 2008 command: diskshadow

WCE / Windows Credentials Editor can recover password hashes from LSASS - http://www.ampliasecurity.com/research/wcefaq.html WCE supports Windows XP, Windows 2003, Vista, Windows 7 and Windows 2008 (all SPs, 32-bit and 64-bit versions).

Mimikatz dumping:
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # lsadump::sam

Cachedump, aka in-memory attacks for SAM hashes / cached domain credentials: fgdump.exe (contains pwdump and cachedump, can read from memory)

SAM dump (hive): "A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data."

Dump SAM, then spray hashes: keimpx (try hashes with different users, against domain accounts) http://code.google.com/p/keimpx/

LSA dumping (memory) / Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP: LSAdump2, LSASecretsDump, pwdumpx, gsecdump or Cain & Abel. https://github.com/CoreSecurity/impacket http://packetstormsecurity.org/files/view/10457/lsadump2.zip http://www.nirsoft.net/utils/lsasecretsdump.html http://packetstormsecurity.org/files/view/62371/PWDumpX14.zip

PassTheHash (before Windows 8.1): pth-winexe --user=pc.local/Administrator%aad3b435b51404eeaad3b435b514t234e:1321ae011e02ab0k26e4edc5012deac8 //10.1.1.1 cmd

PassTheTicket (Kerberos): mimikatz can do it

Duplicate access tokens (if an admin access token can be used, it's a win): http://sourceforge.net/projects/incognito/

Token "Kidnapping" MS09-012: Churrasco.bin shell.bin (runs shell.bin with NT AUTHORITY\SYSTEM privileges) http://carnal0wnage.attackresearch.com/2010/05/playing-with-ms09-012-windows-local.html

Other notable tools: psexec, smbshell, Metasploit's psexec, etc. https://github.com/BloodHoundAD/BloodHound - lets you visualize relationships in an AD domain and quickly find escalation paths.

To Be Added

  • http://www.nirsoft.net/ --> Stuff for dumping passwords
  • openvpn
  • evilgrade

Hashes (SHA256) and VirusTotal scans

