Windows

From Segfault

3rd party programs

Cygwin

TBD

Netcat

Someone was kind enough to upload Netcat for Windows!

$ nc -h
[v1.11 NT www.vulnwatch.org/netcat/]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [options] [hostname] [port]
options:
        -d              detach from console, background mode
        -e prog         inbound program to exec [dangerous!!]
        -g gateway      source-routing hop point[s], up to 8
        -G num          source-routing pointer: 4, 8, 12, ...
        -h              this cruft
        -i secs         delay interval for lines sent, ports scanned
        -l              listen mode, for inbound connects
        -L              listen harder, re-listen on socket close
        -n              numeric-only IP addresses, no DNS
        -o file         hex dump of traffic
        -p port         local port number
        -r              randomize local and remote ports
        -s addr         local source address
        -t              answer TELNET negotiation
        -u              UDP mode
        -v              verbose [use twice to be more verbose]
        -w secs         timeout for connects and final net reads
        -z              zero-I/O mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]

PortQry

PortQry[1] can be used as a substitute for Netcat (see above).

Scan a single port:

PortQry.exe -n alice -p tcp -e 80

Scan several ports:

PortQry.exe -n alice -p tcp -o 80,443

Scan a range:

PortQry.exe -n alice -p tcp -r 512:1024

rinetd

Together with Disable445Feature.zip[2], rinetd can forward the local SMB port 445 to another host. Port 445 first has to be freed from the local SMB server:

$ type Disable445Feature.ps1
Function Disable445Feature
{
    $netBTParametersPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
    IF(Test-Path -Path $netBTParametersPath) {
        Set-ItemProperty -Path $netBTParametersPath -Name "SMBDeviceEnabled" -Value 0
    }
    Set-Service lanmanserver -StartupType Disabled
    Stop-Service lanmanserver -Force
}

Disable445Feature

Once disabled, our local port 445 should be free to be used with rinetd:

$ type config.txt
127.0.0.1 445 10.0.0.1 445

$ rinetd.exe -c config.txt

$ netstat -an | find "445"
 TCP    127.0.0.1:445          0.0.0.0:0              LISTENING

Now shares can be mounted from localhost!

Sysinternals Suite

The Sysinternals Suite comes with another set of useful tools:

 $ pslist -m explorer
 Process memory detail for WINXP:
 Name                Pid      VM      WS    Priv Priv Pk   Faults   NonP Page
 explorer           1312  103744   22772   13416   14872    40934     14  107

Without any additional tools, all we have is dir, which is not really useful here, as it cannot print directory names and their sizes on the same line:

$ dir /o:s /s "c:\Program Files" | find "bytes" | sort
             75 File(s)     70,783,134 bytes
             81 File(s)      6,992,256 bytes
             88 File(s)        899,425 bytes
             89 File(s)        907,053 bytes
            127 File(s)    119,764,510 bytes
           3291 Dir(s)  77,508,915,200 bytes free
           3647 File(s)  2,336,559,490 bytes

With du this looks a bit better:

$ du -nobanner -v c:\ | sort
Processing...
[...]
  3,676,260  c:\Windows\WinSxS
  3,916,391  c:\Users\dummy
  3,919,139  c:\Users
  5,263,591  c:\Windows\System32
 17,144,086  c:\Windows
Directories:  96243
Files:        340178
Size on disk: 26,900,548,576 bytes
Size:         29,744,207,359 bytes

PowerShell, of course, can sum up the file sizes below the current directory:[3]

> $totalsize = [long]0
> Get-ChildItem -File -Recurse -Force -ErrorAction SilentlyContinue | % {$totalsize += $_.Length}
> $totalsize / 1024 / 1024 / 1024
55.0684367781505
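The one-liner above only yields a grand total. The following script is an added example (not from this wiki page) that lists each subdirectory together with its size on one line, which is exactly what dir cannot do. The $Root parameter and the default of %ProgramFiles% are assumptions for the example.

```powershell
# Added example: one line per subdirectory with its total size in MB.
# $Root is an assumed parameter; it defaults to %ProgramFiles%.
param(
    [string]$Root = "$env:ProgramFiles"
)

Get-ChildItem -Path $Root -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Sum the Length of every file below this directory. Entries we are
        # not allowed to read are skipped instead of aborting the whole run,
        # so the reported size is a lower bound for protected directories.
        $bytes = [long](Get-ChildItem -Path $_.FullName -File -Recurse -Force -ErrorAction SilentlyContinue |
                        Measure-Object -Property Length -Sum).Sum
        [PSCustomObject]@{
            Directory = $_.FullName
            SizeMB    = [math]::Round($bytes / 1MB, 2)
        }
    } |
    Sort-Object -Property SizeMB -Descending |
    Format-Table -AutoSize
```

Save it as a .ps1 file and run it as `.\Get-DirSizes.ps1 -Root C:\Users` to get the per-directory breakdown; run it from an administrator shell if system directories such as WinSxS should be counted completely.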

UnxUtils

UnxUtils provides GNU utilities for Win32 systems, but it was last updated in 2014, so Cygwin is the better choice if GNU tools are really needed.

Wipe

SDelete can do many things. Overwriting free disk space with zeros for example:

sdelete -z c:

cipher.exe can do something similar ("overwrite deleted data on a volume"):

cipher /w:c:

Miscellaneous

Checksums

Since fciv is only available[4] up to Windows XP and Windows Server 2003, certutil[5] can do the job:

$ certutil -hashfile -? | find "algo"
Hash algorithms: MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512

$ certutil -hashfile foo.txt SHA256
SHA256 hash of foo.txt:
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
CertUtil: -hashfile command completed successfully.
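Printing a hash is only half of the job; the point of checksumming a download is to compare it against the value the publisher provides. The script below is an added example (not from this wiki page) that does the comparison with Get-FileHash, which is available from PowerShell 4.0 onwards. The parameter names are assumptions for the example.

```powershell
# Added example: verify a file against an expected SHA-256 digest.
# $Path and $ExpectedSha256 are assumed parameters of this example script.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [Parameter(Mandatory = $true)][string]$ExpectedSha256
)

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    Write-Output "ERROR: $Path does not exist or is not a file"
    exit 2
}

# Get-FileHash returns the digest in upper case, certutil prints lower case,
# so compare case-insensitively (-ieq) and ignore surrounding whitespace
# that is often copied along with a published hash.
$actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

if ($actual -ieq $ExpectedSha256.Trim()) {
    Write-Output "OK: $Path matches the expected SHA-256"
    exit 0
}

Write-Output "MISMATCH: $Path"
Write-Output "  expected: $($ExpectedSha256.Trim().ToLower())"
Write-Output "  actual:   $($actual.ToLower())"
exit 1
```

Using the digest from the certutil run above: `.\Verify-Sha256.ps1 -Path foo.txt -ExpectedSha256 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026`. The exit code makes the check usable from batch files and scheduled tasks, where a silent mismatch would otherwise go unnoticed.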

Control Panels

 runas /user:Administrator cmd.exe
 
 sysdm.cpl                   # System Properties
 firewall.cpl                # Windows Firewall

Disk Management

Trying to shrink a volume only allows shrinking it by a certain amount, even though more free disk space is available. The Application log in the Event Viewer explains why:

A volume shrink analysis was initiated on volume Windows (C:).
This event log entry details information about the last unmovable file that could limit the maximum number of reclaimable bytes.

Diagnostic details:
- The last unmovable file appears to be: \System Volume Information\[...]
- The last cluster of the file is: 0x788ecaf
- Shrink potential target (LCN address): 0x1a8842b
- The NTFS file flags are: ---AD
- Shrink phase: <analysis>

To find more details about this file please use the 
"fsutil volume querycluster \\?\Volume{d66eabaf-6574-4b9d-ac48-309125edfbc8} 0x788ecaf" command.

To free these unmovable objects we need to:

  • (temporarily) disable the paging file[6]
  • disable system protection (which will in effect delete the system's shadow copies[7])


See also: Q. I'm trying to shrink an NTFS volume, but the shrink value possible is far less than my free space. What's wrong?

EFI boot loader

After booting into Windows to apply some firmware updates, the boot order had been altered: Windows would still boot, but the GRUB menu was gone and there was no way to boot into Linux again. Use bcdedit[8] to point the boot manager to the correct path again:

bcdedit /set {bootmgr} path \EFI\fedora\grubx64.efi

With that, the GRUB menu was restored.

Environment Variables

PATH=%PATH%;%ProgramFiles%\UnxUtils\usr\local\wbin;%ProgramFiles%\Windows Resource Kits\Tools;%ProgramFiles%\SysinternalsSuite
PROMPT=%COMPUTERNAME%# 
DIRCMD=/a/ogn/p

Filesystem Links

Hardlinks can be created with fsutil:

fsutil hardlink create %systemroot%\foo.exe "%programfiles%\application\this-app.exe"

Directory links (NTFS junctions) can be created with the Sysinternals junction tool:

junction %systemroot%\target "%programfiles%\source"

Windows Vista introduced support for symbolic links to files and directories via mklink:

runas /user:administrator mklink %systemroot%\target.exe "%programfiles%\source.exe"

Note:

  • Be careful with junctions - when deleting the target directory, the (content of the) source directory is also deleted! That's what you get when hardlinking directories.
  • mklink needs explicit permissions to create symbolic links! Sometimes a dedicated administrator shell is necessary:
$ runas /user:administrator cmd
Enter the password for administrator:
Attempting to start cmd as user "LOCALHOST\administrator" ...
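Because deleting through a junction can wipe the linked source directory, it pays to check what a path actually is before removing it. The script below is an added example (not from this wiki page) that reports the link type and target of a path using the LinkType and Target properties that Get-Item exposes on PowerShell 5.1 and later; the $Path parameter is an assumption for the example.

```powershell
# Added example: tell junctions and symbolic links apart from real
# directories before deleting anything. $Path is an assumed parameter.
param([Parameter(Mandatory = $true)][string]$Path)

$item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop

if ($item.LinkType) {
    # LinkType is "Junction", "SymbolicLink" or "HardLink" for reparse points
    # and hard links; Target holds the path(s) the link points to.
    [PSCustomObject]@{
        Path       = $item.FullName
        LinkType   = $item.LinkType
        Target     = ($item.Target -join ', ')
        Attributes = $item.Attributes
    }
    Write-Warning ("{0} is a {1}: remove the link itself (rmdir in cmd.exe deletes only the reparse point), " -f $item.FullName, $item.LinkType +
                   "never its contents, or the linked source directory will be emptied as well.")
} else {
    Write-Output "$($item.FullName) is a regular item (no reparse point)."
}
```

Run `.\Test-Link.ps1 -Path $env:SystemRoot\target` before a cleanup; a junction shows up with LinkType Junction and the original directory under Target, whereas a normal directory prints the "regular item" line.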

Hibernation

From an administrator shell:

powercfg.exe /hibernate off

This will also remove the (large) hiberfil.sys file.

Minimized Applications

start /min %systemroot%\system32\taskmgr.exe
takeown /f directory_name /r /d y
icacls directory_name /grant administrators:F /t
 0 - Title text is truncated
 1 - Title text wraps to the next line

Runas

The basic usage of runas is:

runas /noprofile /user:admin "some\program.exe"

In some Windows versions, the Run as... right-click option is disabled for .bat and .cmd files. To enable those, use the following registry snippet:[9]

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\batfile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\cmdfile\shell\runas\command]
@="\"%1\" %*"

Note: runas will still ask for a password, namely the password for the specified /user: above. We could create an auxiliary admin user with a different name (and member of the "Administrators" group), but that still is no substitute for SUID or sudo approaches.

UTC System Time

To configure Windows to use UTC instead of local time[10], a registry key must be set:

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation" /v RealTimeIsUniversal /d 1 /t REG_QWORD /f

Windows Build

From within Windows:

$ systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19043 N/A Build 19043

Or, via wmic:

$ wmic os get  BuildNumber,Version /value
BuildNumber=19043
Version=10.0.19043

Even ver still works:

$ ver
Microsoft Windows [Version 10.0.19043.1348]
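The three commands above each show a different subset of the version information. The following script is an added example (not from this wiki page) that collects product name, build and update revision from the registry in one object, and can also read them from an offline SOFTWARE hive (the Windows counterpart of the hivexget approach used from Linux below). The function name, the temporary hive name "OfflineSW" and the hive path are assumptions for the example; the values in the comments are the ones shown on this page.

```powershell
# Added example: Windows version and build from the registry, either from
# the running system or from an offline SOFTWARE hive (e.g. a mounted disk).
# Get-WindowsBuildInfo and the hive name "OfflineSW" are assumed names.
function Get-WindowsBuildInfo {
    param(
        # Path to an offline ...\Windows\System32\config\SOFTWARE file; omit
        # to query the running system. Loading a hive requires an admin shell.
        [string]$HiveFile
    )

    $keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $loaded  = $false
    try {
        if ($HiveFile) {
            # reg.exe load mounts the offline hive under a temporary key name.
            & reg.exe load 'HKLM\OfflineSW' $HiveFile | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "could not load hive $HiveFile" }
            $loaded  = $true
            $keyPath = 'HKLM:\OfflineSW\Microsoft\Windows NT\CurrentVersion'
        }

        $cv = Get-ItemProperty -Path $keyPath
        [PSCustomObject]@{
            ProductName    = $cv.ProductName      # e.g. "Windows 10 Pro"
            DisplayVersion = $cv.DisplayVersion   # marketing name, absent on older builds
            CurrentBuild   = $cv.CurrentBuild     # e.g. "19043"
            UBR            = $cv.UBR              # update build revision, e.g. 1348
            FullBuild      = "$($cv.CurrentBuild).$($cv.UBR)"   # e.g. "19043.1348"
            Source         = if ($HiveFile) { $HiveFile } else { 'running system' }
        }
    }
    finally {
        # Always unload the hive, otherwise the file stays locked.
        if ($loaded) { & reg.exe unload 'HKLM\OfflineSW' | Out-Null }
    }
}

# Running system:
Get-WindowsBuildInfo
# Offline disk mounted as D: (run from an administrator shell):
# Get-WindowsBuildInfo -HiveFile 'D:\Windows\System32\config\SOFTWARE'
```

For the running system, `(Get-CimInstance Win32_OperatingSystem).Version` gives the same 10.0.19043 value that wmic prints above; the registry is still needed for the UBR, which is the ".1348" part that only ver shows.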

Display the Windows version and build without running Windows, i.e. from a Linux machine with the Windows disk mounted:[11][12]

$ iconv -f UTF-16 -t UTF-8 < some.log | grep -Po 'Data.OsBuild.{40}'
Data.OsBuild": 18362, "Data.OsBuildRevision": 476, "

$ hivexget /mnt/disk/Windows/System32/config/SOFTWARE 'Microsoft\Windows NT\CurrentVersion' | grep -Ew 'ProductName|CurrentBuild'
"CurrentBuild"="18362"
"ProductName"="Windows 10 Pro"

$ cat /mnt/disk/ProgramData/Microsoft/Diagnosis/osver.txt 
10.0.18362
