<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: rootshellace</title>
    <description>The latest articles on DEV Community by rootshellace (@rootshellace).</description>
    <link>https://dev.to/rootshellace</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1228442%2F37707ff2-af7a-41f4-ad81-102fd552523f.png</url>
      <title>DEV Community: rootshellace</title>
      <link>https://dev.to/rootshellace</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/rootshellace"/>
    <language>en</language>
    <item>
      <title>3 PowerShell commands to use in hacking</title>
      <dc:creator>rootshellace</dc:creator>
      <pubDate>Wed, 10 Jan 2024 17:27:08 +0000</pubDate>
      <link>https://dev.to/rootshellace/3-powershell-commands-to-use-in-hacking-4a9l</link>
      <guid>https://dev.to/rootshellace/3-powershell-commands-to-use-in-hacking-4a9l</guid>
<description>&lt;p&gt;Sometimes, when you get access to a vulnerable machine, you might want to immediately run some predefined popular scripts, written in languages such as Python. But you might be surprised to find it is not installed. This is why it’s important to be comfortable with the command line, like &lt;em&gt;PowerShell&lt;/em&gt; or &lt;em&gt;Bash&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;Today, I will present 3 cmdlets which can help in hacking. We assume that you have already obtained an admin shell on the target machine. Let’s see how we can use PowerShell!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;● Set-NetFirewallProfile&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;We will use this cmdlet to disable the firewall on the Windows machine where we obtained admin permissions. But first, we should see its status.&lt;/p&gt;

&lt;p&gt;To perform this, we will use a related cmdlet, &lt;strong&gt;Get-NetFirewallProfile&lt;/strong&gt;, to retrieve the values for the &lt;em&gt;Domain&lt;/em&gt;, &lt;em&gt;Private&lt;/em&gt; and &lt;em&gt;Public&lt;/em&gt; profiles. You can simply run it without any other parameters and you will get the result. I added some things for a better-formatted output.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;On your screen, you should see a similar outcome:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Name    Enabled
----    -------
Domain     True
Private    True
Public     True
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This means you have your firewall enabled for all 3 profiles. Now, let’s change it. We must add 2 parameters: &lt;em&gt;Profile&lt;/em&gt; and &lt;em&gt;Enabled&lt;/em&gt;. The first selects which profile you want to set, and the second one sets its status. So, in case we need to disable the public firewall, we will execute:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Set-NetFirewallProfile -Profile Public -Enabled False
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;&lt;em&gt;● Set-ItemProperty&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;For our next example, we will alter the value of a specific registry key. This cmdlet can be used for various things; however, in this case, I am going to show how to disable &lt;strong&gt;UAC&lt;/strong&gt; (&lt;strong&gt;U&lt;/strong&gt;ser &lt;strong&gt;A&lt;/strong&gt;ccess &lt;strong&gt;C&lt;/strong&gt;ontrol). Keep in mind that this procedure requires a computer restart to take effect.&lt;/p&gt;

&lt;p&gt;The key’s name is &lt;em&gt;EnableLUA&lt;/em&gt;. Normally, its expected value is 1. To get UAC deactivated, it must be changed to 0.&lt;/p&gt;

&lt;p&gt;Three parameters are required in this situation: &lt;em&gt;Path&lt;/em&gt;, &lt;em&gt;Name&lt;/em&gt; and &lt;em&gt;Value&lt;/em&gt;. Our registry key is found in a specific path (check it on your computer! 😉); for the other two, I think you already know what they take 😄.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA -Value 0
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Once it’s executed, only a restart stands between you and the desired effect.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;● Add-MpPreference&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Our final example will show us how to add an exclusion in &lt;em&gt;Windows Defender&lt;/em&gt;. This is quite simple: we only need one parameter, the &lt;em&gt;path&lt;/em&gt; we want to exclude from scanning. Let’s consider a case where you want to ignore the directory &lt;em&gt;C:\MyPrivateTools&lt;/em&gt;. Just run:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Add-MpPreference -ExclusionPath C:\MyPrivateTools
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That’s it! As simple as that! If, after a while, you change your mind and want this exclusion removed, you must execute:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Remove-MpPreference -ExclusionPath C:\MyPrivateTools
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In case you want to see a demo of how these 3 cmdlets are executed and what their effect is, for instance, allowing you to run malicious programs, check my video below! 👇&lt;/p&gt;

&lt;p&gt;&lt;iframe width="710" height="399" src="https://www.youtube.com/embed/UEaH89if9FE"&gt;
&lt;/iframe&gt;
&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;● Disclaimer&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This article is for educational purposes only. Attacking targets without prior mutual consent is illegal. I take no responsibility for any misuse or damage caused due to the usage of the information provided here.&lt;/p&gt;




&lt;p&gt;If you got here, I want to thank you for the time you took to read my article. I hope you enjoyed it and also learned something from it. Why not take a look at some of my other articles? Or, maybe, watch one of my YouTube videos?&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Alternate Data Streams - Good or Bad?</title>
      <dc:creator>rootshellace</dc:creator>
      <pubDate>Fri, 08 Dec 2023 15:09:14 +0000</pubDate>
      <link>https://dev.to/rootshellace/alternate-data-streams-good-or-bad-38of</link>
      <guid>https://dev.to/rootshellace/alternate-data-streams-good-or-bad-38of</guid>
      <description>&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1zy4fznjk9lujtpikau3.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1zy4fznjk9lujtpikau3.jpg" alt="Alternate Data Stream"&gt;&lt;/a&gt;&lt;br&gt;
Some people might say it’s good, others would consider it a bad thing. Well, like many things in this world, it depends on how it is used.&lt;/p&gt;

&lt;p&gt;● &lt;strong&gt;&lt;em&gt;What is an ADS?&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Imagine you have a pair of jeans with a pocket on the front-left side. You go to a tailor and he creates another one in the same place, but on the inside. The new one is attached to the existing compartment, but when it was created, the original wasn’t changed in any way. Its shape, capacity and content remained the same.&lt;/p&gt;

&lt;p&gt;If somebody looks at your jeans, he will only see the front pocket, but he won’t notice the one on the inside, unless he already knows about its existence.&lt;/p&gt;

&lt;p&gt;Now, let’s map the terms onto each other. Assuming we have a file, &lt;em&gt;pizza_recipe.txt&lt;/em&gt;, we could say it represents the pair of jeans. The front pocket would be the content of the file, basically, ingredients and instructions for pizza. This is considered &lt;em&gt;the default stream&lt;/em&gt;. However, you might want to add a secret item. For instance, you could attach another file, &lt;em&gt;secret.txt&lt;/em&gt;, to the original, in which you say &lt;em&gt;“add extra mozzarella”&lt;/em&gt;. Your secret pocket would be &lt;em&gt;secret.txt&lt;/em&gt;, and its content, the data in this document.&lt;/p&gt;

&lt;p&gt;Each file comes with a default data stream, &lt;strong&gt;&lt;em&gt;$DATA&lt;/em&gt;&lt;/strong&gt;. It holds the actual data the file contains. In our previous example, it is the recipe itself. The &lt;em&gt;&lt;strong&gt;MFT&lt;/strong&gt;&lt;/em&gt; (&lt;strong&gt;&lt;em&gt;M&lt;/em&gt;&lt;/strong&gt;aster &lt;strong&gt;&lt;em&gt;F&lt;/em&gt;&lt;/strong&gt;ile &lt;strong&gt;&lt;em&gt;T&lt;/em&gt;&lt;/strong&gt;able) contains a list of all the streams a file has, as well as their location on the disk. In our analogy, we could consider the MFT as our brain, because it knows about the hidden pocket and its location.&lt;/p&gt;

&lt;p&gt;● &lt;strong&gt;&lt;em&gt;How are they created?&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Before we begin with this part, I must mention one thing. Alternate Data Streams are specific to the &lt;strong&gt;NTFS&lt;/strong&gt; &lt;em&gt;file system&lt;/em&gt;. If you copy a file which contains ADSs to a different type of file system, those ADSs will be lost.&lt;/p&gt;

&lt;p&gt;I will use the previous example and explain how to perform this action with PowerShell. However, this is not the only way to do it.&lt;/p&gt;

&lt;p&gt;First, we will create the standard file in the current directory, in our case &lt;em&gt;pizza_recipe.txt&lt;/em&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Set-Content -Value "Dough, toppings, bake" -Path .\pizza_recipe.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;To read the content of this newly created document, we will use the command below:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Get-Content -Path .\pizza_recipe.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now, we will create the ADS. The command is almost the same as the one used initially to create the normal file, the only difference being an extra parameter.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Set-Content -Value "Mozzarella" -Path .\pizza_recipe.txt -Stream secret.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Next, to read the content of the ADS, just add the &lt;em&gt;-Stream&lt;/em&gt; parameter to the command used earlier.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Get-Content -Path .\pizza_recipe.txt -Stream secret.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Below, you can see a screenshot with all these commands executed and the corresponding result:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foeq6nb03oenwjr0pya2n.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foeq6nb03oenwjr0pya2n.jpg" alt="Create Alternate Data Stream"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;● &lt;strong&gt;&lt;em&gt;What are they used for?&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The original purpose of NTFS ADS was compatibility with Apple’s file system.&lt;/p&gt;

&lt;p&gt;However, this is not the only purpose. Sometimes, specific data is stored in an alternate data stream. I downloaded a simple .jpg photo from the internet, which has some info in an ADS.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3i281wa8hccj25s86tze.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3i281wa8hccj25s86tze.jpg" alt="ADS for a photo from the internet"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As you can see above, that photo has 2 streams: the default one, &lt;em&gt;$DATA&lt;/em&gt;, and an extra ADS, called &lt;em&gt;Zone.Identifier&lt;/em&gt;. If we take a look at the content inside, we can see what kind of info it retains: a value for &lt;em&gt;HostUrl&lt;/em&gt; and another one for &lt;em&gt;ReferrerUrl&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;The previously presented example is harmless; its purpose is legitimate. But it’s not the only usage. It can also be applied in steganography. Who says only secrets with extra mozzarella can be added there? It can include passwords, sensitive files, and so on. Is steganography good or bad? As I mentioned at the beginning of this article, it depends on how it’s used.&lt;/p&gt;

&lt;p&gt;However, not only text files can be embedded in alternate data streams. Other types of files can be carried as well: photos, videos, or even executables. Well, such a situation can lead to the dark side. Malicious software can be incorporated in an ADS and bad things can happen, with various consequences.&lt;/p&gt;

&lt;p&gt;In my new video about ADS, along with some info about this topic, I made a demo of how I create a backdoor by abusing alternate data streams. Don’t miss it!&lt;/p&gt;

&lt;p&gt;&lt;iframe width="710" height="399" src="https://www.youtube.com/embed/9O6i0cIrCSk"&gt;
&lt;/iframe&gt;
&lt;/p&gt;

&lt;p&gt;● &lt;strong&gt;&lt;em&gt;How to identify alternate data streams?&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;To detect the presence of an ADS, there are several possibilities. You can use standard Windows tools or external specialized software. Let’s see a couple of them.&lt;/p&gt;

&lt;p&gt;1) Run the &lt;em&gt;dir&lt;/em&gt; command in &lt;em&gt;cmd&lt;/em&gt; with the &lt;em&gt;/r&lt;/em&gt; option&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj524vj33xksn5g4a5b32.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj524vj33xksn5g4a5b32.jpg" alt="Detect ADS with dir command"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We can see in this screenshot that both streams were detected when the command was executed with the &lt;em&gt;/r&lt;/em&gt; flag.&lt;/p&gt;

&lt;p&gt;2) Run the &lt;em&gt;Get-Item&lt;/em&gt; cmdlet in &lt;em&gt;PowerShell&lt;/em&gt; with the &lt;em&gt;-Stream&lt;/em&gt; parameter&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff2u05a2zzm4xi8q9hb6x.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff2u05a2zzm4xi8q9hb6x.jpg" alt="Detect ADS with Get-Item cmdlet"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Here, I extended the command a bit, just to format the output in a nicer way. However, it is enough to run only the first part to get the info you want. In this case too, both streams were found.&lt;/p&gt;

&lt;p&gt;3) Use the &lt;em&gt;streams&lt;/em&gt; tool from &lt;em&gt;SysinternalsSuite&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6f8pwz8hnd4euralxavm.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6f8pwz8hnd4euralxavm.jpg" alt="Detect ADS with streams tool"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Using this software, all the hidden streams are revealed. The default stream is not shown.&lt;/p&gt;

&lt;p&gt;● &lt;strong&gt;&lt;em&gt;Disclaimer&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This article is for educational purposes only. Attacking targets without prior mutual consent is illegal. I take no responsibility for any misuse or damage caused due to the usage of the information provided here.&lt;/p&gt;




&lt;p&gt;If you got here, I want to thank you for the time you took to read my article. I hope you enjoyed it and also learned something from it. Why not take a look at some of my other articles? Or, maybe, watch one of my YouTube videos?&lt;/p&gt;

</description>
      <category>alternate</category>
      <category>data</category>
      <category>stream</category>
      <category>cybersecurity</category>
    </item>
  </channel>
</rss>
