Commando VM: Windows for Hackers

Table of contents

1. What is Commando VM?

2. How to install Commando VM

3. Hot to install new packages in Commando VM

4. How to update programs in Commando VM

5. How to hack computers in Windows example

6. Windows hackers programs (Commando VM Tools)

List of references


What is Commando VM?

For penetration testers looking for a stable and supported Linux testing platform, the industry agrees that Kali is the go-to platform. However, if you’d prefer to use Windows as an operating system, you may have noticed that a worthy platform didn’t exist. As security researchers, every one of us has probably spent hours customizing a Windows working environment at least once and we all use the same tools, utilities, and techniques during customer engagements. Therefore, maintaining a custom environment while keeping all our tool sets up-to-date can be a monotonous chore for all. Recognizing that, we have created a Windows distribution focused on supporting penetration testers and red teamers.

Born from our popular FLARE VM that focuses on reverse engineering and malware analysis, the Complete Mandiant Offensive VM (“Commando VM”) comes with automated scripts to help each of you build your own penetration testing environment and ease the process of VM provisioning and deployment. This blog post aims to discuss the features of Commando VM, installation instructions, and an example use case of the platform. Head over to the Github to find Commando VM.

About Commando VM

Penetration testers commonly use their own variants of Windows machines when assessing Active Directory environments. Commando VM was designed specifically to be the go-to platform for performing these internal penetration tests. The benefits of using a Windows machine include native support for Windows and Active Directory, using your VM as a staging area for C2 frameworks, browsing shares more easily (and interactively), and using tools such as PowerView and BloodHound without having to worry about placing output files on client assets.

Commando VM uses Boxstarter, Chocolatey, and MyGet packages to install all of the software, and delivers many tools and utilities to support penetration testing. This list includes more than 140 tools, including:

  • Nmap
  • Wireshark
  • Covenant
  • Python
  • Go
  • Remote Server Administration Tools
  • Sysinternals
  • Mimikatz
  • Burp-Suite
  • x64dbg
  • Hashcat

With such versatility, Commando VM aims to be the de facto Windows machine for every penetration tester and red teamer. For the blue teamers reading this, don’t worry, we’ve got full blue team support as well! The versatile tool sets included in Commando VM provide blue teams with the tools necessary to audit their networks and improve their detection capabilities. With a library of offensive tools, it makes it easy for blue teams to keep up with offensive tooling and attack trends.

How to install Commando VM

Like FLARE VM, we recommend you use Commando VM in a virtual machine. This eases deployment and provides the ability to revert to a clean state prior to each engagement. We assume you have experience setting up and configuring your own virtualized environment. Start by creating a new virtual machine (VM) with these minimum specifications:

  • 60 GB of disk space
  • 2 GB memory

Next, perform a fresh installation of Windows. Commando VM is designed to be installed on Windows 7 Service Pack 1, or Windows 10, with Windows 10 allowing more features to be installed.

Once the Windows installation has completed, we recommend you install your specific VM guest tools (e.g., VMware Tools) to allow additional features such as copy/paste and screen resizing. From this point, all installation steps should be performed within your VM.

Make sure Windows is completely updated with the latest patches using the Windows Update utility. Note: you may have to check for updates again after a restart.

We recommend taking a snapshot of your VM at this point to have a clean instance of Windows before the install.

Go to the following URL and download the compressed Commando virtual machine repository to your virtual machine: https://github.com/fireeye/commando-vm/archive/master.zip

Unzip the downloaded archive to the root of the C drive, that is, the files should be on the path C:\commando-vm-master\:

Open the PowerShell console, to do this, click Win+x and select Windows PowerShell (admin) in the list that opens:

In the console, enter the command

cd C:\commando-vm-master\

Now we need to change the PowerShell execution policy to unrestricted, to do this, run the following command:

Set-ExecutionPolicy unrestricted

When prompted, enter Y.

Run at the command prompt:

./install.ps1

The script will ask the password of the current user – it is needed in order to automatically log into the system during reboots that are performed during installation. You can also pass the password in advance using the option ‘-password <current_password_password>’:

.\install.ps1 -password <пароль>

By the way, if your user does not have a password at all, then just press ENTER during the request.

At the very beginning, the program will do a dependency check:

[+] Checking if script is running as administrator..
        phenomenal cosmic powers
[+] Checking to make sure Operating System is compatible
        Майкрософт Windows 10 Pro supported
[+] Checking if host has been configured with updates
        updates appear to be in order
[+] Checking if host has enough disk space
        > 60 GB hard drive. looks good
[-] Do you need to take a snapshot before continuing? Y/N

The very last question asks if we want to take a snapshot of the system before continuing. Let me remind you that VirtualBox also allows you to take a snapshot of the system – you can take it before installing Commando VM or immediately after installing Commando VM tools. As for this request, it means a snapshot of the OS using the methods of the OS itself. If you need this, enter Y.

The rest of the installation process is fully automated. Depending on the speed of your Internet, the entire installation may take from 2 to 3 hours (in practice, I had to leave the computer turned on for the night, because by that time the installation had already been going on for about 6 hours). The virtual machine will restart several times due to the numerous software installation requirements.

The Commando VM installation process has begun:

Installing Commando VM is on the way:

After the installation is complete, the PowerShell prompt remains open, waiting for any key to be pressed before exiting.

Type ENTER to exit:

After the installation is complete, you will see the following working environment:

At this point, it is recommended that you restart your computer for the change to take effect. After rebooting, you will have a successfully installed Commando VM! It is recommended to turn off the virtual machine and take another snapshot of the system using virtualization software (that is, in VirtualBox, for example) in order to maintain the clean state of the virtual machine for use in future projects.

Hot to install new packages in Commando VM

Commando VM uses the Chocolatey Windows package manager. Therefore, installing new packages is easy. For example, enter the following command as Administrator to deploy Github Desktop on your system:

cinst github

How to update programs in Commando VM

Enter the following command to upgrade all packages to the latest versions:

cup all

Each package will be checked sequentially and if a new version is found, it will be updated. This takes some time, but much less than during installation.

How to hack computers in Windows example

Commando VM is built with the primary focus of supporting internal engagements. To showcase Commando VMs capabilities, we constructed an example Active Directory deployment. This test environment may be contrived; however, it represents misconfigurations commonly observed by Mandiant’s Red Team in real environments.

We get started with Commando VM by running network scans with Nmap.

Looking for low hanging fruit, we find a host machine running an interesting web server on TCP port 8080, a port commonly used for administrative purposes. Using Firefox, we can connect to the server via HTTP over TCP port 8080.

Let’s fire up Burp Suite’s Intruder and try brute-forcing the login. We navigate to our Wordlists directory in the Desktop folder and select an arbitrary password file from within SecLists.

After configuring Burp’s Intruder and analyzing the responses, we see that the password “admin” grants us access to the Jenkins console. Classic.

It’s well known that Jenkins servers come installed with a Script Console and run as NT AUTHORITY\SYSTEM on Windows systems by default. We can take advantage of this and gain privileged command execution.

Now that we have command execution, we have many options for the next step. For now, we will investigate the box and look for sensitive files. Through browsing user directories, we find a password file and a private SSH key.

Let’s try and validate these credentials against the Domain Controller using CredNinja.

Excellent, now that we know the credentials are valid, we can run CredNinja again to see what hosts the user might have local administrative permissions on.

It looks like we only have administrative permissions over the previous Jenkins host, 192.168.38.104. Not to worry though, now that we have valid domain credentials, we can begin reconnaissance activities against the domain. By executing 

runas /netonly /user:windomain.local\niso.sepersky cmd.exe

and entering the password, we will have an authenticated command prompt up and running.

The previous screenshot shows that we can successfully list the contents of the SYSVOL file share on the domain controller, confirming our domain access. Now we start up PowerShell and start share hunting with PowerView.

We are also curious about what groups and permissions are available to the user account compromised. Let’s use the Get-DomainUser module of the post-exploitation framework PowerView to retrieve user details from Active Directory. Note that Commando VM uses the “dev” branch of PowerView by default.

We also want to check for further access using the SSH key we found earlier. Looking at our port scans we identify one host with TCP port 22 open. Let’s use MobaXterm and see if we can SSH into that server.

We access the SSH server and also find an easy path to rooting the server. However, we weren’t able to escalate domain privileges with this access. Let’s get back to share hunting, starting with that hidden Software share we saw earlier. Using File Explorer, it’s easy to browse shares within the domain.

Using the output from PowerView’s Invoke-ShareFinder command, we begin digging through shares and hunting for sensitive information. After going through many files, we finally find a config.ini file with hardcoded credentials.

Using CredNinja, we validate these credentials against the domain controller and discover that we have local administrative privileges!

Let’s check group memberships for this user.

Lucky us, we’re a member of the “Domain Admins” group!

Windows hackers programs (Commando VM Tools)

Active Directory Tools

  • Remote Server Administration Tools (RSAT)
  • SQL Server Command Line Utilities
  • Sysinternals — Whether you’re an IT Pro or a developer, you’ll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications.

Command & Control

  • Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. Covenant is an ASP.NET Core, cross-platform application that includes a web-based interface that allows for multi-user collaboration.
  • PoshC2 is a proxy aware C2 framework that utilises Powershell and/or equivalent (System.Management.Automation.dll) to aid penetration testers with red teaming, post-exploitation and lateral movement. Powershell was chosen as the base implant language as it provides all of the functionality and rich features without needing to introduce multiple third party libraries to the framework.
  • WMImplant is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant leverages WMI to both perform actions against targeted machines, but also as the C2 channel for issuing commands and receiving results. WMImplant will likely require local administrator permissions on the targeted machine.
  • WMIOps is a powershell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment. It's designed primarily for use on penetration tests or red team engagements.

Developer Tools

  • Dep
  • Git
  • Go
  • Java
  • Python 2
  • Python 3 (default)
  • Ruby
  • Ruby Devkit
  • Visual Studio 2017 Build Tools (Windows 10)
  • Visual Studio Code

Evasion

  • CheckPlease — sandbox evasion modules written in PowerShell, Python, Go, Ruby, C, C#, Perl, and Rust.
  • Demiguise. The aim of this project is to generate .html files that contain an encrypted HTA file. The idea is that when your target visits the page, the key is fetched and the HTA is decrypted dynamically within the browser and pushed directly to the user. This is an evasion technique to get round content / file-type inspection implemented by some security-appliances. This tool is not designed to create awesome HTA content. There are many other tools/techniques that can help you with that. What it might help you with is getting your HTA into an environment in the first place, and (if you use environmental keying) to avoid it being sandboxed.
  • DefenderCheck. Identifies the bytes that Microsoft Defender flags on. Quick tool to help make evasion work a little bit easier. Takes a binary as input and splits it until it pinpoints that exact byte that Microsoft Defender will flag on, and then prints those offending bytes to the screen. This can be helpful when trying to identify the specific bad pieces of code in your tool/payload.
  • DotNetToJScript. A tool to create a JScript file which loads a .NET v2 assembly from memory.
  • Invoke-CradleCrafter is a PowerShell v2.0+ compatible PowerShell remote download cradle generator and obfuscator.
  • Invoke-DOSfuscation. Cmd.exe Command Obfuscation Generator & Detection Test Harness
  • Invoke-Obfuscation. Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator.
  • Invoke-Phant0m. Windows Event Log Killer. This script walks thread stacks of Event Log Service process (specific svchost.exe) and identify Event Log Threads to kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.
  • Not PowerShell (nps). Not PowerShell
  • PS>Attack. A tool for building PS>Attack, an offensive PowerShell console that makes it easy for pentesters to use PowerShell. A tool that makes it easy to compile a custom version of PS>Attack, a portable powershell attack environment. What does the PS>Attack Build Tool do? The build tool downloads the latest version of PS>Attack and the latest versions of tools that is uses (PowerSploit, Powercat, Inveigh, etc), obfuscates them with @danielbohannon's Invoke-Obfuscation and then encrypts them with a custom key. It then replaces certain identifable strings within the PS>Attack source code with random strings and then compiles everything, producing a custom version of PS>Attack that's up to date and consists of unique file signatures, making it very difficult for Antivirus and Incident Response teams to find.
  • PSAmsi is a tool for auditing and defeating AMSI signatures. It's best utilized in a test environment to quickly create payloads you know will not be detected by a particular AntiMalware Provider, although it can be useful in certain situations outside of a test environment. When using outside of a test environment, be sure to understand how PSAmsi works, as it can generate AMSI alerts.
  • Pafishmacro. Pafish Macro is a Macro enabled Office Document to detect malware analysis systems and sandboxes. It uses evasion & detection techniques implemented by recent malicious documents found in the public. The VBS / VBA code is open source, you can study the code of all evasion tricks.
  • PowerLessShell. Run PowerShell command without invoking powershell.exe. PowerLessShell rely on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach. To add another layer of crap the payload will copy msbuild.exe to something random and build the payload using the randomly generated binary. You can provide -knownprocess switch to use known Windows process name instead of renaming MsBuild.exe to something random
  • PowerShdll. Run PowerShell with rundll32. Bypass software restrictions. Run PowerShell with dlls only. Does not require access to powershell.exe as it uses powershell automation dlls. PowerShdll can be run with: rundll32.exe, installutil.exe, regsvcs.exe, regasm.exe, regsvr32.exe or as a standalone executable.
  • StarFighters. A JavaScript and VBScript Based Empire Launcher, which runs within their own embedded PowerShell Host. Both Launchers run within their own embedded PowerShell Host, so we don't need PowerShell.exe. This might be usefull when a company is blocking PowerShell.exe and/or is using a Application Whitelisting solution, but does not block running JS/VBS files.

Exploitation

  • ADAPE-Script. Active Directory Assessment and Privilege Escalation Script
  • API Monitor is a free software that lets you monitor and control API calls made by applications and services. Its a powerful tool for seeing how applications and services work or for tracking down problems that you have in your own applications.
  • CrackMapExec. A swiss army knife for pentesting networks. CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve it's functionality and allowing it to evade most endpoint protection/IDS/IPS solutions. CME makes heavy use of the Impacket library (developed by @asolino) and the PowerSploit Toolkit (developed by @mattifestation) for working with network protocols and performing a variety of post-exploitation techniques. Although meant to be used primarily for offensive purposes (e.g. red teams), CME can be used by blue teams as well to assess account privileges, find possible misconfigurations and simulate attack scenarios.
  • CrackMapExecWin. The great CrackMapExec tool compiled for Windows.
  • DAMP. The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification. This project contains several files that implement host-based security descriptor "backdoors" that facilitate the abuse of various remotely accessible services for arbitrary trustees/security principals. tl;dr - this grants users/groups (local, domain, or 'well-known' like 'Everyone') of an attacker's choosing the ability to perform specific administrative actions on a modified host without needing membership in the local administrators group. Note: to implement these backdoors, you need the right to change the security descriptor information for the targeted service, which in stock configurations nearly always means membership in the local administrators group.
  • EvilClippy. A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows.
  • Exchange-AD-Privesc. Exchange privilege escalations to Active Directory. This repository provides a few techniques and scripts regarding the impact of Microsoft Exchange deployment on Active Directory security.
  • FuzzySec's PowerShell-Suite. A collection of tools for solving various problems in PowerShell.
  • FuzzySec's Sharp-Suite. A collection of C # code examples.
  • Generate-Macro. This Powershell script will generate a malicious Microsoft Office document with a specified payload and persistence method. [!] This script will temporarily disable 2 macro security settings while creating the document. [!] The idea is to generate your malicious document on a development box you OWN and use that document to send to a target.
  • GhostPack
  • Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Kekeo project and MakeMeEnterpriseAdmin project. Rubeus also uses a C# ASN.1 parsing/encoding library named DDer.
  • SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader. First, the MiniDumpWriteDump Win32 API call is used to create a minidump of LSASS to C:\Windows\Temp\debug.bin. Then @subtee's PELoader is used to load a customized version of Mimikatz that runs sekurlsa::logonpasswords and sekurlsa::ekeys on the minidump file, removing the file after execution is complete.
  • Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
  • SharpDPAPI is a C# port of some Mimikatz DPAPI functionality.
  • SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality. The MiniDumpWriteDump Win32 API call is used to create a minidump for the process ID specified (LSASS by default) to C:\Windows\Temp\debug.out, GZipStream is used to compress the dump to C:\Windows\Temp\debug.bin (.gz format), and the original minidump file is deleted.
  • SharpRoast is a C# port of various PowerView's Kerberoasting functionality. This project has now been deprecated. Its functionality has been incorporated into Rubeus via the "kerberoast" action, which provides proper ASN.1 structure parsing.
  • SharpUp is a C# port of various PowerUp functionality. Currently, only the most common checks have been ported; no weaponization functions have yet been implemented.
  • SharpWMI is a C# implementation of various WMI functionality. This includes local/remote WMI queries, remote WMI process creation through win32_process, and remote execution of arbitrary VBS through WMI event subscriptions. Alternate credentials are also supported for remote methods.
  • GoFetch is a tool to automatically exercise an attack plan generated by the BloodHound application. GoFetch first loads a path of local admin users and computers generated by BloodHound and converts it to its own attack plan format. Once the attack plan is ready, GoFetch advances towards the destination according to plan step by step, by successively applying remote code execution techniques and compromising credentials with Mimikatz.
  • Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.
  • impacket-examples-windows
  • Invoke-ACLPwn is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured. Invoke-ACLpwn is designed to run with integrated credentials as well as with specified network credentials. The script works by creating an export of all ACLs in the domain with SharpHound as well as the group membership of the user account that the tool is running under. If the user does not already have writeDACL permissions on the domain object, the tool will enumerate all ACEs of the ACL of the domain. Every identity in an ACE has an ACL of its own, which is added to the enumeration queue. If the identity is a group and the group has members, every group member is added to the enumeration queue as well. It may take some time to calculate and parse every ACL, but could end up with a "chain" that leads to domain administrative privilges in the target domain.
  • Invoke-DCOM. Executes lateral movement through PowerPoint DCOM objects
  • Invoke-PSImage. Embeds a PowerShell script in the pixels of a PNG file and generates a oneliner to execute
  • Invoke-PowerThIEf. Internet Explorer Post Exploitation library.
  • Juicy Potato. A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.
  • Kali Binaries for Windows
  • LuckyStrike. A PowerShell based utility for the creation of malicious Office macro documents. To be used for pentesting or educational purposes only.
  • MetaTwin
  • The project is designed as a file resource cloner. Metadata, including digital signature, is extracted from one file and injected into another.
  • Metasploitit is a penetration testing platform with which you can find, exploit and confirm vulnerabilities.
  • Mr. Unikod3r's RedTeamPowershellScripts. Various PowerShell scripts that may be useful during red team exercise.
  • NetshHelperBeacon. Example DLL to load from Windows NetShell. Will pop calc and execute shellcode.
  • Nishang is Offensive PowerShell for red team, penetration testing and offensive security. Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.
  • Orca is a Windows Installer package editor provided as part of the Windows Installer SDK and designed to provide full access to the database tables that compose a Windows Installer package. While Orca provides powerful access to all features of the Windows Installer, it is not intended to replace a full-featured package-authoring environment.
  • PSReflect. Easily define in-memory enums, structs, and Win32 functions in PowerShell.
  • PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions. The goal is to make WMI events easier to fire off during a penetration test or red team engagement.
  • PowerPriv. A Powershell implementation of PrivExchange designed to run under the current user's context. Useful for environments on which you cannot run python-based applications, have user credentials, or do not want to drop files to disk. Will cause the target exchange server system account to attempt to authenticate to a system of your choice.
  • PowerSploit. A PowerShell Post-Exploitation Framework. PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.
  • PowerUpSQL. A PowerShell Toolkit for Attacking SQL Server. PowerUpSQL includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on scale, and post exploitation actions such as OS command execution. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that can be used by administrators to quickly inventory the SQL Servers in their ADS domain and perform common threat hunting tasks related to SQL Server.
  • PrivExchange. Exchange your privileges for Domain Admin privs by abusing Exchange.
  • RottenPotatoNG. New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools.
  • Ruler. A tool to abuse Exchange services. Ruler is a tool that allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP protocol. The main aim is abuse the client-side Outlook features and gain a shell remotely.
  • SharpClipHistory is a .NET application written in C# that can be used to read the contents of a user's clipboard history in Windows 10 starting from the 1809 Build.
  • SharpExchangePriv. A C# implementation of PrivExchange.
  • SharpExec is an offensive security C# tool designed to aid with lateral movement.
  • SpoolSample. PoC tool to coerce Windows hosts authenticate to other machines via the MS-RPRN RPC interface. This is possible via other protocols as well.
  • SharpSploit is a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers.
  • UACME. Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.
  • vssown. Shadow copies management.
  • Vulcan is a tool to make it easy and fast to test various forms of injection. Single Visual Studio project that implements many injection techniques. This project was built to make it fast and easy to validate detection controls for injection techniques.

Information Gathering

  • ADACLScanner. A tool with GUI or command line used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory.
  • ADExplorer. Search and manage users and groups in Windows AD.
  • ADOffline. Imports an LDAP file from Active Directory for SQL based offline reconnaissance.
  • ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment. ADRecon is a tool which extracts and combines various artifacts out of an AD environment. The information can be presented in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis and provide a holistic picture of the current state of the target AD environment. The tool is useful to various classes of security professionals like auditors, DFIR, students, administrators, etc. It can also be an invaluable post-exploitation tool for a penetration tester.
  • BloodHound is a single page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell/C# ingestor. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attacks can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.
  • dnsrecon. DNS Enumeration Script
  • FOCA. Tool to find metadata and hidden information in the documents.
  • Get-ReconInfo. Lists connections and relevant info about a system.
  • Gobuster is a tool used to brute-force: URIs (directories and files) in web sites; DNS subdomains (with wildcard support); virtual Host names on target web servers.
  • GoWitness is a website screenshot utility written in Golang, that uses Chrome Headless to generate screenshots of web interfaces using the command line.
  • NetRipper – smart traffic sniffing for penetration testers. NetRipper is a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption.
  • Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
  • PowerView. Creates an in-memory assembly and module. When defining custom enums, structs, and unmanaged functions, it is necessary to associate to an assembly module. This helper function creates an in-memory module that can be passed to the 'enum', 'struct', and Add-Win32Type functions.
  • Dev branch included
  • SharpHound. C# Rewrite of the BloodHound Ingestor.
  • SharpView. .NET port of PowerView.
  • SpoolerScanner. Check if the spooler (MS-RPRN) is remotely available with powershell/c#.
  • Watson. Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities.

Networking Tools

  • Citrix Receiver. As of August 2018, Citrix Workspace app has replaced Citrix Receiver. Citrix Workspace app is the easy-to-install client software that provides seamless, secure access to everything you need to get work done. With this free download, you easily and securely get instant access to all applications, desktops and data from any device, including smartphones, tablets, PCs and Macs.
  • OpenVPN is a free, open source program that implements VPN technology. This program has both a client and a server. It works on various operating systems, including Linux, Windows, Android.
  • ProxyCap enables you to redirect your computer's network connections through proxy servers. You can tell ProxyCap which applications will connect to the Internet through a proxy and under what circumstances. This is done through a user friendly interface, without the need to reconfigure any of your Internet clients. ProxyCap has native support for the SSH protocol, allowing you to specify a SSH server as the proxy server.
  • PuTTY: a free SSH and Telnet client
  • Telnet is a client for the protocol of the same name.
  • VMWare Horizon Client
  • VMWare vSphere Client
  • VNC-Viewer. VNC Server captures the desktop of the computer in real-time and sends it to VNC Viewer for display. VNC Viewer gathers your input (mouse, keyboard, or touch) and sends it for VNC Server to inject and actually achieve remote control.
  • WinSCP is an open source free SFTP client, FTP client, WebDAV client, S3 client and SCP client for Windows. Its main function is file transfer between a local and a remote computer. Beyond this, WinSCP offers scripting and basic file manager functionality.
  • WinDump is the Windows version of tcpdump, the command line network analyzer for UNIX. WinDump is fully compatible with tcpdump and can be used to watch, diagnose and save to disk network traffic according to various complex rules. It can run under Windows 95, 98, ME, NT, 2000, XP, 2003 and Vista. WinDump captures using the WinPcap library and drivers, which are freely downloadable from the WinPcap.org website. WinDump supports 802.11b/g wireless capture.
  • Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark development thrives thanks to the volunteer contributions of networking experts around the globe and is the continuation of a project started by Gerald Combs in 1998.

Password Attacks

  • ASREPRoast. Project that retrieves crackable hashes from KRB5 AS-REP responses for users without kerberoast preauthentication enabled. This project has now been deprecated. Its functionality has been incorporated into Rubeus via the "asreproast" action, which utilizes a more minimal ASN.1 parsing library.
  • CredNinja. A multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at-scale via SMB, plus now with a user hunter This tool is intended for penetration testers who want to perform an engagement quickly and efficiently. While this tool can be used for more covert operations (including some additions below), it really shines when used at the scale of a large network. At the core of it, you provide it a list of credentials you have dumped (or hashes, it can pass-the-hash) and a list of systems on the domain (I suggest scanning for port 445 first, or you can use "--scan"). It will tell you if the credentials you dumped are valid on the domain, and if you have local administrator access to a host. See below for additional features, like user hunting and host detail enumeration.
  • DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain. BE VERY CAREFUL NOT TO LOCKOUT ACCOUNTS!
  • DSInternals. Directory Services Internals (DSInternals) PowerShell Module and Framework.
  • Get-LAPSPasswords. Powershell function to pull the local admin passwords from LDAP, stored there by LAPS.
  • Hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack
  • Internal-Monologue. Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
  • Inveigh is a PowerShell ADIDNS/LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
  • Invoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB tasks. WMI and SMB connections are accessed through the .NET TCPClient. Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol. Local administrator privilege is not required client-side.
  • KeeFarce allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and url's are dumped into a CSV file in %AppData%.
  • KeeThief. Methods for attacking KeePass 2.X databases, including extracting of encryption key material from memory. Allows for the extraction of KeePass 2.X key material from memory, as well as the backdooring and enumeration of the KeePass trigger system.
  • LAPSToolkit. Tool to audit and attack LAPS environments. Functions written in PowerShell that leverage PowerView to audit and attack Active Directory environments that have deployed Microsoft's Local Administrator Password Solution (LAPS). It includes finding groups specifically delegated by sysadmins, finding users with "All Extended Rights" that can view passwords, and viewing all computers with LAPS enabled.
  • MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain. MailSniper also includes additional modules for password spraying, enumerating users/domains, gathering the Global Address List from OWA and EWS, and checking mailbox permissions for every Exchange user at an organization.
  • Mimikatz. It's now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.
  • Mimikittenz is a post-exploitation powershell tool that utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes. mimikittenz can also easily extract other kinds of juicy info from target processes using regex patterns including but not limited to: TRACK2 (CreditCard) data from merchant/POS processes; PII data; Encryption Keys & All the other good stuff. Note: This tool is targeting running process memory address space, once a process is killed it's memory 'should' be cleaned up and inaccessible however there are some edge cases in which this does not happen.
  • RiskySPN. Detect and abuse risky SPNs. RiskySPNs is a collection of PowerShell scripts focused on detecting and abusing accounts associated with SPNs (Service Principal Name). This module can assist blue teams to identify potentially risky SPNs as well as red teams to escalate privileges by leveraging Kerberos and Active Directory.
  • SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.

Reverse Engineering

  • dnSpy is a debugger and .NET assembly editor. You can use it to edit and debug assemblies even if you don't have any source code available.
  • Flare-Floss. FireEye Labs Obfuscated String Solver - Automatically extract obfuscated strings from malware.
  • ILSpy is the open-source .NET assembly browser and decompiler.
  • PEview provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files. This PE/COFF file viewer displays header, section, directory, import table, export table, and resource information within EXE, DLL, OBJ, LIB, DBG, and other file types.
  • Windbg. The Windows Debugger (WinDbg) can be used to debug kernel-mode and user-mode code, to analyze crash dumps, and to examine the CPU registers while the code executes.
  • x64dbg. An open-source binary debugger for Windows, aimed at malware analysis and reverse engineering of executables you do not have the source code for.

Utilities

  • 7-Zip is a file archiver with a high compression ratio.
  • Acrobat Reader is the most reliable, free global standard document management system available.
  • AutoIt v3 is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting. It uses a combination of simulated keystrokes, mouse movement and window/control manipulation in order to automate tasks in a way not possible or reliable with other languages (e.g. VBScript and SendKeys). AutoIt is also very small, self-contained and will run on all versions of Windows out-of-the-box with no annoying “runtimes” required!
  • Cmder is a console emulator in Windows.
  • CyberChef. The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis. CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.
  • Explorer Suite is a freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86 and x64.
  • GIMP is a cross-platform image editor available for GNU/Linux, OS X, Windows and more operating systems. Whether you are a graphic designer, photographer, illustrator, or scientist, GIMP provides you with sophisticated tools to get your job done. You can further enhance your productivity with GIMP thanks to many customization options and 3rd party plugins.
  • Greenshot is a light-weight screenshot software tool for Windows with the following key features: quickly create screenshots of a selected region, window or fullscreen; you can even capture complete (scrolling) web pages from Internet Explorer; easily annotate, highlight or obfuscate parts of the screenshot; export the screenshot in various ways: save to file, send to printer, copy to clipboard, attach to e-mail, send Office programs or upload to photo sites like Flickr or Picasa, and others; …and a lot more options simplyfying creation of and work with screenshots every day.
  • Hashcheck. The HashCheck Shell Extension makes it easy for anyone to calculate and verify checksums and hashes from Windows Explorer. In addition to integrating file checksumming functionality into Windows, HashCheck can also create and verify SFV files (and other forms of checksum files, such as .md5 files). It is fast and efficient, with a very light disk and memory footprint, and it is open-source.
  • HexChat is an IRC client based on XChat, but unlike XChat it’s completely free for both Windows and Unix-like systems. Since XChat is open source, it’s perfectly legal.
  • HxD is a carefully designed and fast hex editor which, additionally to raw disk editing and modifying of main memory (RAM), handles files of any size. The easy to use interface offers features such as searching and replacing, exporting, checksums/digests, insertion of byte patterns, a file shredder, concatenation or splitting of files, statistics and much more.
  • KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).
  • MobaXterm. Enhanced terminal for Windows with X11 server, tabbed SSH client, network tools and much more. MobaXterm is your ultimate toolbox for remote computing. In a single Windows application, it provides loads of functions that are tailored for programmers, webmasters, IT administrators and pretty much all users who need to handle their remote jobs in a more simple fashion. MobaXterm provides all the important remote network tools (SSH, X11, RDP, VNC, FTP, MOSH, …) and Unix commands (bash, ls, cat, sed, grep, awk, rsync, …) to Windows desktop, in a single portable exe file which works out of the box.
  • Mozilla Thunderbird. Software made to make email easier. Thunderbird is a free email application that’s easy to set up and customize - and it’s loaded with great features!
  • Neo4j Community Edition
  • Notepad++ is a free source code editor and Notepad replacement that supports several languages. Running in the MS Windows environment, its use is governed by GPL License. Based on the powerful editing component Scintilla, Notepad++ is written in C++ and uses pure Win32 API and STL which ensures a higher execution speed and smaller program size.
  • Pidgin is an easy to use and free chat client used by millions. Connect to Google Talk, IRC, XMPP, and more chat networks all at once. Supported chat networks: Bonjour, Gadu-Gadu, Google Talk, Groupwise, IRC, SILC, SIMPLE, Sametime, XMPP, Zephyr.
  • Process Hacker 2 is a free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware.
  • DB Browser for SQLite (DB4S) is a high quality, visual, open source tool to create, design, and edit database files compatible with SQLite. DB4S is for users and developers who want to create, search, and edit databases. DB4S uses a familiar spreadsheet-like interface, and complicated SQL commands do not have to be learned.
  • Screentogif. Screen, webcam and sketchboard recorder with an integrated editor.
  • Shellcode Launcher. Shellcode launcher utility.
  • Sublime Text 3. A sophisticated text editor for code, markup and prose.
  • TortoiseSVN is an Apache Subversion (SVN) client, implemented as a Windows shell extension.
  • VLC Media Player. VLC is a free and open source cross-platform multimedia player and framework that plays most multimedia files as well as DVDs, Audio CDs, VCDs, and various streaming protocols.
  • Winrar. Compress, Encrypt, Package and Backup with only one utility
  • yEd Graph Tool. yEd is a powerful desktop application that can be used to quickly and effectively generate high-quality diagrams. Create diagrams manually, or import your external data for analysis. Our automatic layout algorithms arrange even large data sets with just the press of a button.

Vulnerability Analysis

  • AD Control Paths. Active Directory Control Paths auditing and graphing tools.
  • Egress-Assess is a tool used to test egress data detection capabilities.
  • Grouper2. Find vulnerabilities in AD Group Policy. Grouper2 is a tool for pentesters to help find security-related misconfigurations in Active Directory Group Policy. It dumps all the most interesting parts of group policy and then roots around in them for exploitable stuff.
  • NtdsAudit is an application to assist in auditing Active Directory databases. It provides some useful statistics relating to accounts and passwords. It can also be used to dump password hashes for later cracking.
  • PwndPasswordsNTLM. Quick binary search for NTLM hash dataset. Basic binary search on a sorted file containing NTLM hashes from Pwned Passwords or any set of NTLM hashes. Iterates line by line over an input file, conducts a binary search over the dataset to search for the hash in the current line. Outputs to file a list of users with breached passwords. Note: requires that the input file be in Hashcat format (Username:Hash).
  • zBang is a special risk assessment tool that detects potential privileged account threats in the scanned network. Organizations and red teamers can utilize zBang to identify potential attack vectors and improve the security posture of the network. The results can be analyzed with the graphic interface or by reviewing the raw output files.

Web Applications

  • Burp Suite. Web vulnerability scanner. Coverage of over 100 generic vulnerabilities, such as SQL injection and cross-site scripting (XSS), with great performance against all vulnerabilities in the OWASP top 10.
  • Fiddler. The free web debugging proxy for any browser, system or platform.
  •  
  • Firefox — a popular and functional web browser.
  • OWASP Zap. The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.
  • Subdomain-Bruteforce. Subdomain bruteforce for windows is best used in conjunction with other tools - combining their results and dupekilling them. it uses async get requests to brute force subdomains and is pretty fast and accurate over p80/443.
  • Wfuzz has been created to facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the FUZZ keyword by the value of a given payload. A payload in Wfuzz is a source of data. This simple concept allows any input to be injected in any field of an HTTP request, allowing to perform complex web security attacks in different web application components such as: parameters, authentication, forms, directories/files, headers, etc.

Wordlists

  • FuzzDB. Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery. FuzzDB was created to increase the likelihood of causing and identifying conditions of security interest through dynamic application security testing. It's the first and most comprehensive open dictionary of fault injection patterns, predictable resource locations, and regex for matching server responses.
  • PayloadsAllTheThings. A list of useful payloads and bypass for Web Application Security and Pentest/CTF
  • SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repository onto a new testing box and have access to every type of list that may be needed.
  • Probable-Wordlists. Wordlists sorted by probability originally created for password generation and testing - make sure your passwords aren't popular!
  • RobotsDisallowed. A curated list of the most common and most interesting robots.txt disallowed directories. The RobotsDisallowed project is a harvest of the robots.txt disallowed directories of the world's top websites, specifically those of the Alexa 100K and the Majestic 100K. This list of Disallowed directories is a great way to supplement content discovery during a web security assessment or bug bounty.

Developer Tools

List of references

Recommended for you:

2 Comments to Commando VM: Windows for Hackers

  1. Anonymous says:

    I wonder what file manager you are using in the first image of this article

Leave a Reply

Your email address will not be published. Required fields are marked *