Post-exploitation scripting (Part 1)


==> Windows Shell Commands
• Gathering Network Information
• Scripting Metasploit Meterpreter
• Database Post-Exploitation

Getting into a machine is only half the battle. Being able to take one asset, gather information, and use that information to gain further access to the network or other resources are skills that will turn a fair penetration tester into a good one. In this chapter, we will look at some basic shell scripting to help gather information once an exploit has been successful. We will also examine how to gain further access through Meterpreter scripting. Once we are done with network post-exploitation, we will use database vulnerabilities to mine data and get shell access.


Post-exploitation takes the access we have and attempts to extend and elevate that access. Understanding how network resources interact and how to pivot from one compromised machine to the next adds real value for our clients. Correctly identifying vulnerable machines within the environment, and proving the vulnerabilities are exploitable, is good. But being able to gather information in support of demonstrating a significant business impact is better. Whether this is ensuring that customer data stays protected, critical Web infrastructure remains untouched, or assembly line processes continue to run, goal-oriented penetration testing helps fill a business need: making sure the business can continue to function. Without the data and the skill to connect a found vulnerability to a serious business problem, we can't hope to make this point within the scope of a penetration test.


Windows is still the most prevalent operating system platform deployed in corporate environments. Being able to navigate the Windows operating system from the command line is a requirement for corporate penetration testing. We want to be able to investigate running services, determine network information, and manipulate users.

User management

Being able to enumerate local and domain users and groups, as well as add users to the local machine and the domain, allows us to create a beachhead for further attack on the environment. We want to have a number of shell scripts easily accessible during our penetration test so that we can copy and paste these commands into shell sessions when we aren’t using a shell that supports local inclusion of scripts such as

Listing users and groups

There are many ways to get user lists in Windows. We will concentrate on the net and wmic commands and use them to work with users throughout. In this section, we will use them to query user information on the local machine and the domain. Using the net command, we can manipulate users and groups, view network shares, and even manipulate services. In this chapter, we will concentrate on using this tool for user and group manipulation. If we have domain privileges, we can even use this command to manage domain users and groups. Let's work on getting simple user lists. To list the users on the system, we will use the net user command. As with most Windows commands, adding the /? flag at the end of the command displays help information. Typing net user by itself returns information similar to Figure, showing the list of users on the local system. If we wanted to see the domain users, we could add the /domain flag, and it would list all the users in the domain. Pulling user lists is typically an important post-exploitation task, because it tells us which users exist on which systems. If we see multiple systems with a common user on them, that user is a prime target for password attacks, since one password may give us access to many more workstations.
The net user command can also be used to pull information about a specific user. By issuing the command net user  we can pull all the information about a user from the command line, including group membership.



User Account Information in WMIC


We can get similar information from the wmic command. WMIC is an abbreviation for the Windows Management Instrumentation Command-Line. The wmic command allows us to pull more specific information about the system than many other commands. For instance, if we wanted to know a user's SID, an internal identifier, we couldn't tell that from the net user command, but Figure shows how WMIC can be used to provide that information. In this output, we have asked the Windows Management Instrumentation (WMI) interface to list the user accounts on the system. We specified the full directive to get as much information as possible about the accounts; otherwise, we would get the information in summary form.

WMIC is incredibly powerful. It can be used to query, create, and manipulate processes, users, system information, print jobs, and more. It is worth spending a little time with the wmic command to become more familiar with it, as it will help us during penetration tests. It is also helpful during malware analysis and other tasks where we may be working with Trojaned binaries.

We have seen how to get information about one user, but what if we wanted to get all the net user information about every user? With a for loop in the Windows command shell, we can combine wmic and net user to get extended information about all the users on the system.

for /F "skip=1" %i in ('wmic useraccount get name') do net user %i >> c:\users.txt

This iterates through each user on the system obtained from wmic useraccount get name, and issues a net user command for that user. Each line of output from wmic useraccount get name is assigned to the %i variable in turn. The skip=1 instruction tells the for loop to skip the first line, which is the Name column header. For each account name listed, the net user command gets the information for the account, and the >> operator appends the output to the users.txt file. By appending to a file, we accomplish two things: the first is having a single file that we can download from the system with all the information we need, and the second is that only successful queries will be logged to the file. Any error messages or status information will be printed to the screen instead. This gives us a clean way to get all the users on the system so that we can download the information and review it later.
Now that we have some methods for listing users, let’s look at groups. Groups are even more important than users, as they let us know which users are more important than others. While this isn’t a value statement on the people involved, there are definitely accounts that are more interesting to us from a security standpoint than others. The net localgroup and net group commands will help us find these users.

The net localgroup command allows us to list and get information about groups local to the machine we are on, while the net group command is used to get information about groups in the domain. The net localgroup command works much like the net user command; if we don't specify an argument it lists the groups on the system, but if we specify a group name it will get information about the group specified. As with the net user command, a bit of scripting will help us out when we want to pull all the groups and their membership information and log it to a file.

for /F "delims=* tokens=1 skip=4" %i in ('net localgroup') do net localgroup %i >> c:\groups.txt

We can pull all the groups on the system, get their membership list, and log it all to a file. The net localgroup command puts an asterisk at the beginning of each group name, but when we query the group name we need to strip the * character. To do this, we add some additional options to the for loop. The delims keyword tells the for loop how to split apart the output from net localgroup; with * as the only delimiter, everything after the asterisk (including any spaces in the group name) is kept together. We use the tokens keyword to get element 1, and skip lets us skip the first four header lines. We iterate through each element of the net localgroup output and then issue the net localgroup command for that group. Figure shows the output from our command.
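Both loops from this section combined into one batch file, as an added example that is not code from the original chapter. It assumes a Windows cmd.exe shell with wmic.exe available, and %TEMP%\enum_report.txt is a placeholder output path.

```batch
@echo off
REM Added example (not from the original chapter): both FOR loops from the
REM text in one batch file, writing a single report. Assumes cmd.exe with
REM wmic.exe present; the path in %REPORT% is a placeholder.
setlocal
set "REPORT=%TEMP%\enum_report.txt"
if exist "%REPORT%" del "%REPORT%"

echo === Local user accounts === >> "%REPORT%"
REM "where LocalAccount=True" keeps a domain-joined host from walking every
REM domain account. Each line WMIC prints ends in a stray carriage return;
REM the inner FOR re-parses the token so that CR never reaches net user.
REM Default delimiters mean a name containing spaces is cut at the first word.
for /f "skip=1" %%a in ('wmic useraccount where "LocalAccount=True" get name') do (
    for /f "delims=" %%n in ("%%a") do (
        echo --- %%n --- >> "%REPORT%"
        net user "%%n" >> "%REPORT%" 2>nul
    )
)

echo === Local groups and members === >> "%REPORT%"
REM Only group lines begin with *, so filtering on that prefix replaces the
REM header count (skip=4) and also drops the trailing
REM "The command completed successfully." line. delims=* strips the asterisk
REM while keeping group names that contain spaces intact.
for /f "delims=* tokens=1" %%g in ('net localgroup ^| findstr /b /l /c:"*"') do (
    echo --- %%g --- >> "%REPORT%"
    net localgroup "%%g" >> "%REPORT%" 2>nul
)

echo Report written to %REPORT%
endlocal
```

Errors from net go to the screen (2>nul here discards them) rather than into the report, so the file holds only successful queries, as with the one-line versions above.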

